CIA_LS_P3_SE.9711040..
Download
Report
Transcript CIA_LS_P3_SE.9711040..
THE IIA’S CIA LEARNING SYSTEMTM
Section Topics
1. Control frameworks
2. Data and network
communications/connections
3. Electronic funds transfer (EFT)
4. E-commerce
5. Electronic data interchange
(EDI)
6. Functional areas of IT
operations
7. Encryption
8. Information protection
9. Evaluate investment in IT
www.LearnCia.com
10. Enterprise-wide
resource planning
(ERP) software
11. Operating systems
12. Application
development
13. Voice communications
14. Contingency planning
15. Systems security
16. Databases
17. Software licensing
18. Web infrastructure
Part 3, Section E
Part 3 E – 1
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Risks Specific to IT Environment
Physical audit trail replaced by data trail
Deliberate harmful acts
Hardware/software failure
Automated transaction
authorization
Systematic errors
Access authorization
Fewer human inputs
Less segregation of duties
www.LearnCia.com
Part 3, Section E, Introduction
Part 3 E – 2
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Pervasive and Specific Risks
Pervasive risks
• Affect whole
enterprise
• More costly
effects
www.LearnCia.com
Specific risks
• May be attributed
to specific
processes
Part 3, Section E, Introduction
Part 3 E – 3
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Challenges of IT Auditing
• Assessing effectiveness
• Controlling and monitoring
• Determining risk
• Assigning roles and responsibilities
• Appreciating their importance
• Understanding IT controls
www.LearnCia.com
Part 3, Section E, Introduction
Part 3 E – 4
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
CAE Role
Identify:
Organization’s IT control environment.
Legal and regulatory compliance requirements.
Roles and responsibilities throughout organization.
Risk assessment process.
Monitoring process.
Appropriate information and communication
processes.
www.LearnCia.com
Part 3, Section E, Introduction
Part 3 E – 5
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Goals of IT Controls and Control Frameworks
Provide:
• Compliance with laws
and regulations
• Consistency with
business objectives
• Continuity with
governance policies
and risk appetite
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 6
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Specific IT Control Objectives
•
•
•
•
•
•
•
•
Protect assets/owners’ equity.
Data is available, reliable, and restricted.
Users accountable.
Protect privacy and identity.
Protect employees’ jobs.
Ensure system integrity.
Control automated processes.
Audit trail exists for all transactions.
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 7
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
What is an example of an organizational activity that
would indicate that effective IT controls are in place?
Answers:
• Organization can plan and execute new work to support activities.
• Projects come in on time and within budget.
• Resources can be allocated predictably.
• Consistent information and service are available across the organization.
• Management knows when and what IT controls are in place.
• Organization can protect itself from attacks and recover quickly.
• Customer support and help desks are used efficiently.
• Entire organization is aware of security issues.
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 8
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Control Classification
Source: Global Technology Audit Guide 1—Information Technology Controls.
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 9
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT Control Frameworks
Objectives
Overall
control
frameworks
and business
processes
Requirements
Actual performance
Set IT control
objectives and
logically group
IT processes
IT Control
Framework
Identifies need
for controls but
doesn’t show
how to apply
them
Business strategy
+
IT strategy
Align organizational structures
Performance goals and metrics
+ continuous assurance
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 10
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
COSO Model for Internal Control Frameworks
EXAMPLES
Monthly metrics for technology
performance
IT and security training
Technology standards compliance
enforcement
IT internal audit assessment
Corporate Technology Governance
Committee
MONITORING
INFORMATION AND
COMMUNICATION
CONTROL ACTIVITIES
RISK ASSESSMENT
CONTROL ENVIRONMENT
Source: Global Technology Audit Guide 1—Information Technology Controls.
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 11
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
COBIT®
Control Objectives for Information and related Technology
Business
orientation
Control-driven
Measurementdriven
Business orientation is the primary driver:
• Business requirements drive IT needs.
• Management must understand IT.
• It defines primary and secondary
governance elements.
– Alignment to strategy
– Delivery of value
– Management of resources
– Management of risk
– Performance measures
www.LearnCia.com
Process-driven
Standard
350° =
Cake
temperature
Control
Part 3, Section E, Topic 1
Process
Measurement
system
Part 3 E – 12
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
COBIT—Process-Driven
• Focus less on execution, more on controls
• Standard terminology
• Standard methods
Plan and
organize
Monitor
and
evaluate
Acquire
34
and
processes
implement
Deliver
and
support
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 13
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
COBIT—Process-Driven
• High-level control objective
• Detailed control objectives
• Management guidelines
– RACI chart
– Goals and metrics
Box 1: Activity goals
Box 2: Activity goal metrics
Box 3: Primary activities
Box 4: Primary activity metrics
Box 5: IT goals
Box 6: IT goal metrics
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 14
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
A new organization decides to use the COBIT® control
framework. Which of the following is true of this
decision? The framework
A. is a best practice and should be used as is.
B. includes detailed implementation guidelines.
C. should be modified to reflect risk appetite and risk
tolerance.
D. includes overall organizational controls
in its guidance.
Answer: C. Frameworks should be adapted to
suit the needs of the organization.
www.LearnCia.com
Part 3, Section E, Topic 1
Part 3 E – 15
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Computers, Servers, Client/Server Architecture
• Servers fill specialized
needs, e.g., Web server
Server
Clients
PCs
• Mainframes primarily for
large amounts of data, many
concurrent users
Mainframe
Controls: Secure data center, HVAC,
electrostatic, trained personnel
www.LearnCia.com
Part 3, Section E, Topic 2
Dumb
terminals
No PCs or
PCs with
terminal
emulation
software
Part 3 E – 16
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Supply the proper term for each definition
listed below.
Answers:
Decentralized
processing
Geographical isolation of IT centers with no
communication among centers; harder to
control.
Centralized
processing
Commonly uses a mainframe computer;
provides the highest level of control.
Distributed
processing
Each region has its own data center but all
centers are networked together; provides some
redundancy against catastrophic events.
www.LearnCia.com
Part 3, Section E, Topic 2
Part 3 E – 17
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Network Types
PDN
VAN
WAN
LAN
PAN
Peer-topeer
MAN
Consortium networks
www.LearnCia.com
Part 3, Section E, Topic 2
Part 3 E – 18
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
All of the following are true regarding the Open
Systems Interconnection (OSI) reference model except
A. The first three layers are common to a network; the
last four are specific to a computer.
B. The first two layers are the only ones to contain
hardware; the rest are software.
C. Unrelated objects can communicate
using OSI protocols.
D. The first layer is the closest one to the user.
Answer: D. The last layer is closest to the user.
www.LearnCia.com
Part 3, Section E, Topic 2
Part 3 E – 19
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
OSI Reference Model
OSI Layer
Description
Related Controls
Layer 1: Physical
Electrical/mechanical
Wiring; physical protection
Layer 2: Data link
Synchronizes; compresses
Encryption
Layer 3: Network
Routes, forwards data
Track IP address; firewalls
Layer 4: Transport
End-to-end control, error
checking, e.g., TCP/IP and
IP networks
Logical control layer;
firewalls
Layer 5: Session
Starts, ends conversations
Layer 6: Presentation O/S; applies syntax, format
O/S controls
Layer 7: Application
Configurable data
constraints; intrusion
detection/prevention
www.LearnCia.com
Constraints on data, e.g.,
partner authentication
Part 3, Section E, Topic 2
Part 3 E – 20
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Network Hardware
OSI Layer
1 Port
Physical connection point
Router
From
external, e.g., ISP
Hub
From
internal
2 Switch
From
internal
3
1
To
internal (LAN)
To internal (sent to all ports)
Slower, congested
To internal (sent to address)
Fast, intelligent
3 Gateway Dissimilar network
Dissimilar network
Often integrated into a router
2
Bridge
www.LearnCia.com
Similar network
Similar network
Part 3, Section E, Topic 2
Multiplexer
• Time division
• Frequency division
R
E
P
E
A
T
E
R
Part 3 E – 21
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Network Hardware Example
Internet
Firewall/
gateway
Router/
gateway
Switch
LAN #2
Switch
Phone
company
Phone
system
Servers
LAN #1
Bridge
(wireless)
Workstations (PCs)
Hub
Printers
Wireless
network
Printer
www.LearnCia.com
Part 3, Section E, Topic 2
Part 3 E – 22
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Purpose of Firewalls
• Improve security by blocking
access from certain servers or
applications.
• Reduce vulnerability and ensure
efficiency by limiting user access
to certain sites.
• Support detection of internal
sabotage and external intrusion.
Internal
• Provide encryption internally.
Intruders
users
www.LearnCia.com
Part 3, Section E, Topic 2
Part 3 E – 23
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Firewalls
•
•
Hardware/software at OSI layers 3 (network), 4 (transport), and 7
(application)
Packet filtering
– Stateful inspection
– Network address translation (NAT)
•
Gateways
– Application gateway/proxy server
•
•
DMZs
Intrusion detection/prevention systems (IDS/IPS)
IDS/IPS
Access router
To Internet
Firewall
(DMZ)
Firewall
Web server (host
or proxy server)
www.LearnCia.com
Part 3, Section E, Topic 2
Private
network
areas
Part 3 E – 24
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Electronic Funds Transfer (EFT)
Bank-to-bank (only) transfer of value or financial data.
EFT risks and controls:
• FEDI (financial electronic data interchange) used to
initiate EFT.
–
–
–
–
Password and physical restriction of FEDI terminal
Dual approval, credit checking
Test keys or codes for validation, error catching
Encryption
• Prior consent by paying party, in writing if automatic.
EFT methods:
• Fedwire, TARGET, CHAPS.
• ACH for high-volume, low-value transfers.
www.LearnCia.com
Part 3, Section E, Topic 3
Part 3 E – 25
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Internal Auditing of EFT
IA must assess:
• Logic controls to restrict access to
system.
• Change management controls to ensure
that all program changes are approved.
• Physical controls to restrict access to
transactions.
• System data backup and recovery
controls to safeguard transaction
history.
• Operation controls to ensure that system
components operate as designed.
• Application controls to ensure
transaction accuracy.
www.LearnCia.com
Part 3, Section E, Topic 3
Part 3 E – 26
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
All of the following are true of e-commerce except
A. E-commerce risk analyses should be done
frequently, especially if operations change.
B. Mobile e-commerce, if properly encrypted, has no
other major control issues.
C. Evaluating middleware is a valid part of
an e-commerce risk analysis.
D. E-commerce may be defined as
“conducting commercial activities over the
Internet.”
Answer: B. Authentication of both parties is the second
major control issue for mobile e-commerce.
www.LearnCia.com
Part 3, Section E, Topic 4
Part 3 E – 27
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Factors Promoting E-Commerce
• Personalization: cookies, registration,
behavior tracking
• Customization: tailored products
• Lower cost per transaction
• XML: new tags, interactive, interapplication
communication
• ebXML: list services or needs on automated
directory, automated trading, collaboration
www.LearnCia.com
Part 3, Section E, Topic 4
Part 3 E – 28
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Factors Slowing Growth of E-Commerce
Costs
• Hardware, software, training, skilled labor.
• Mail still common payment method (mail float).
Risks
• Competitors could access valuable information.
• Exchange auctions go to lowest bidder, higher
quality ignored.
• Security is constantly threatened.
• Perception of security is even lower.
www.LearnCia.com
Part 3, Section E, Topic 4
Part 3 E – 29
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
E-Commerce Security Policy Goals
Authenticity
Availability
Continuous
auditing
Privacy
www.LearnCia.com
Integrity
Nonrepudiation
Confidentiality
Part 3, Section E, Topic 4
Part 3 E – 30
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Internal Auditing of E-Commerce
IA must assess:
• Network security controls.
• User ID systems.
• Privacy and confidentiality controls.
• Listing of all e-commerce applications.
• Maintenance activities.
• Automated failure detection and repair.
• Application change management
controls.
• Business continuity plans in the event of
failure.
www.LearnCia.com
Part 3, Section E, Topic 4
Part 3 E – 31
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Match each EDI risk with the proper control.
Answers:
EDI Risk
Internal Control
A. Unauthorized user access
B. Data integrity loss
C. Transactions incomplete
D. EDI system unavailable
E. Cannot transmit transactions
F. Lack of legal evidence
1.___
C Acknowledgment
D Fault-tolerant systems
2.___
A Access control
3.___
B Authentication
4.___
F Consensus on legal definitions,
5.___
responsibilities, obligations
E Standardized data format, use
6.___
of ANSI/EDIFACT protocol
www.LearnCia.com
Part 3, Section E, Topic 5
Part 3 E – 32
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
EDI Software
2. File Conversion
ERP System
For example,
send invoice
www.LearnCia.com
1. Initiation
EDI
Software
810 invoice
3. Destination
EDI
Software
Transmission, for
example, over WAN
Part 3, Section E, Topic 5
810 invoice
ERP System
Invoice
received and
acknowledged
Part 3 E – 33
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT Organizational Chart
CEO
CIO
Security
& Quality
www.LearnCia.com
Apps &
Systems
Data
Tech
Support
Part 3, Section E, Topic 6
Ops
Part 3 E – 34
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following is responsible for
capacity planning and focuses on efficiency?
A. Technical support
B. Applications and systems
C. Operations
Answer: C. Operations supports all
business units, with a focus on efficiency.
www.LearnCia.com
Part 3, Section E, Topic 6
Part 3 E – 35
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following is true of IT operational roles?
A. Programmers should be the primary pool for testing
code, especially if they wrote it.
B. Data entry personnel minimize manual data entry by
capturing data at the point of transaction.
C. Systems developers develop end-user applications.
D. The chief technology officer develops
IT security policy, controls IT resources,
and oversees IT security.
Answer: B. Data entry personnel format data
for computer use.
www.LearnCia.com
Part 3, Section E, Topic 6
Part 3 E – 36
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following management roles has
oversight of the compliance aspects of IT?
A. Board of Directors
B. Chief Executive Officer
C. Chief Legal Counsel
D. Chief Information Officer
Answer: A. The Board of Directors is responsible
for governance, which includes compliance.
www.LearnCia.com
Part 3, Section E, Topic 6
Part 3 E – 37
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Private (Symmetric) Key Encryption
Firm A
Private key
Encryption
via algorithm
Firm B
Private key
1234
1234
#%*#
A sends private key to B
Advantages
• Simplicity
• Requires less processing power
• Difficult to crack
www.LearnCia.com
Risks
• Interception of private key
• Poor controls at receiver end
Part 3, Section E, Topic 7
Part 3 E – 38
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Public (Asymmetric) Key Encryption
B’s public key
B’s private key
Encryption
via algorithm
Firm A
Firm B
1234
1234
#%*#
A’s private key
Advantage
• High degree of security
www.LearnCia.com
A’s public key
Disadvantages
• Processing intensive
• Difficult to communicate changes
to all users
Part 3, Section E, Topic 7
Part 3 E – 39
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Other Encryption Tools
• Quantum cryptography
– Uses uncertainty
– Can detect eavesdropping
• Digital envelope
– Layers both symmetric and
asymmetric encryption
• Cryptographic module/system
– Packaged encryption application
www.LearnCia.com
Part 3, Section E, Topic 7
Part 3 E – 40
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Internal Auditing of Encryption
• Are physical controls over computers
with keys adequate?
• Are encryption policies being followed?
• Are logic controls implemented and
effective?
• Are domain internal directories secure?
• Are keys sufficiently complex?
• Are creation rules applied to passwords
used to create keys?
www.LearnCia.com
Part 3, Section E, Topic 7
Part 3 E – 41
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Information Protection
IT general controls,
e.g., segregation
of duties
Confidentiality
Information security
Data security
Infrastructure security
Integrity
www.LearnCia.com
IT application controls,
e.g., security software
sets terminalspecific
rights
Availability
Part 3, Section E, Topic 8
Part 3 E – 42
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Provide an example of a warning sign that
information in an IT system may be vulnerable.
Answer:
From GTAG 6: Managing and Auditing IT Vulnerabilities:
• Higher number of security incidents
• Inability to identify vulnerabilities systematically
• Inability to assess risks and prioritize mitigation efforts
• Poor working relations between IT management and IT security
• No asset management system
• No configuration management process
www.LearnCia.com
Part 3, Section E, Topic 8
Part 3 E – 43
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Managing IT Vulnerabilities
Enlist management support.
Inventory assets/vulnerabilities.
Prioritize mitigation/remediation.
Remediate vulnerabilities.
Automate patch
management
and ID of
vulnerabilities.
Continually update processes.
Source: Global Technology Audit Guide 6—Managing and Auditing IT Vulnerabilities.
www.LearnCia.com
Part 3, Section E, Topic 8
Part 3 E – 44
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Malware
• Lucrative, organized crime
• VirWare
– Viruses, e.g., macro
viruses
– Worms, e.g., IM worms
• Trojan horses
–
–
–
–
Bot nets
Key logger
Adware
Spyware
• Hackers/crackers
– Social engineering
– Require user to initiate, but
therefore smaller, easier to
transmit
– Types include Trojanclickers, banker programs,
backdoors, root kits,
piggybacking, logic bombs
www.LearnCia.com
• Other malware
–
–
–
–
–
Industrial espionage
Cyberterrorism
Phishing/pharming
Identity theft
Wardriving
Part 3, Section E, Topic 8
Part 3 E – 45
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Company executives are worried that data regarding their new
product launch currently on their intranet site could be
compromised by hackers or inadvertent errors. Assuming that the
site has appropriate information security controls, which of the
following would be the best course of action?
A. Make no changes and assure management that the data is safe.
B. Increase the level of intranet security through investments in
security software upgrades.
C. Remove the data from the intranet site until after the
launch goes public.
Answer: C. Taking sensitive data offline provides the best
assurance of security.
www.LearnCia.com
Part 3, Section E, Topic 8
Part 3 E – 46
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Privacy
Right to be left alone and free from surveillance by
individuals, organizations, or the government.
• Personal information is data that links back to
an individual.
• IT makes invasions of privacy easy and
inexpensive.
• Monitoring of employees:
– Control vs. morale.
– Clearly communicate privacy policy.
www.LearnCia.com
Part 3, Section E, Topic 8
Part 3 E – 47
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Privacy—Fair Information Practices (FIPs)
Notice
Enforcement
Organizations have
responsibilities over
collection and
use of data.
Choice
Individuals have
right to privacy
but must prove
identity.
Security
www.LearnCia.com
Access
Part 3, Section E, Topic 8
Part 3 E – 48
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
What is the longest-term estimate of ROI that can be made
given the following details on a CRM system project?
Tangible benefits (for next 3 years)
Tangible costs
Sales price increase from $5 to $6/unit
Software + installation = $200,000 in Y1
Expected sales increase from 50,000 to
60,000 units
Maintenance + ongoing training =
$10,000/year for 5 years
Intangible benefits (for next 4 years)
Intangible costs
Greater customer loyalty saves
$50,000/year in customer acquisition
Work disruption and learning curves =
$100,000 in Y1
Customer service time reduced, saving
$40,000/year
Opportunity costs of investment =
+10% of total cost per year
Answer: 3 years
Return = 3 [($6/unit 60,000) – ($5/unit 50,000)] + [3 ($50,000 + $40,000)] = $600,000
Investment = [$200,000 + ($10,000 3) + $100,000] 1.1 = $363,000
3-year ROI = $600,000/$363,000 = 1.65
www.LearnCia.com
Part 3, Section E, Topic 9
Part 3 E – 49
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Efficiency and Usefulness of IT Systems
• Use defined IT portfolio
selection process
– Must provide service at a
cost comparable to
alternatives
• Feasibility study
– Clear objectives linked to
outcome measures
– End-user interviews
– Users of system outputs
www.LearnCia.com
• Subdivisions
–
–
–
–
Scheduling feasibility
Operational feasibility
Technical feasibility
Economic feasibility
• Cost accounting
– Compare final budget
against actual costs
– Measure and transfer
costs to units
– Performance measure
Part 3, Section E, Topic 9
Part 3 E – 50
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
ERP Systems
• Single-repository modular suites of business
applications
• Batch processing vs. OLTP
• Core modules: transaction processing
systems (TPS) for finance, HR,
manufacturing, etc.
• Management information systems (MIS)
• Collaborative toolsets, e.g., customer
relationship management (CRM)
www.LearnCia.com
Part 3, Section E, Topic 10
Part 3 E – 51
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Internal Auditing for ERP
• Auditors should be involved in systems
development life cycle.
– For example, review implementation team credentials.
– Monitor conversion and implementation.
• Single point of entry for data, automated approvals.
– Focus audits on logic controls and any overrides.
• Configure rather than customize.
– Reengineer business processes and streamline first.
– Show cost of organizational resistance to change.
– Preserve vital controls.
www.LearnCia.com
Part 3, Section E, Topic 10
Part 3 E – 52
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Web-based Enterprise Management (WBEM)
WBEM: Browserbased formats, XML,
Java, and Web
services for universal
compatibility with
other WBEM systems
Collaboration
Supplier
WBEM
Wholesaler
WBEM
WBEM
Manufacturer
www.LearnCia.com
Part 3, Section E, Topic 10
Audit collaboration,
e.g., could a partner
plus an employee
collude to commit
fraud?
Part 3 E – 53
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
User
interface
System
recovery
Hardware
operation
Access
control
Communication
with apps
www.LearnCia.com
Networking
What does an O/S do?
Memory
management
Part 3, Section E, Topic 11
File
management
Resource
scheduling
Part 3 E – 54
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
A company used internal O/S programmers to make some
adjustments to their O/S. The system seemed to be working fine,
but when some computers are multiprogramming, one or more
applications sometimes fail. Auditing this issue should involve
all of the following EXCEPT
A. Audit should determine if O/S programmers have sufficient
training.
B. Audit should focus on memory management.
C. The auditor should be an IT specialist.
D. Audit should focus on job scheduling.
Answer: D. Job scheduling relates to batch processing,
not multiprogramming/multitasking.
www.LearnCia.com
Part 3, Section E, Topic 11
Part 3 E – 55
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT Controls in Application Development
• Documentation of user requirements
and measurement of how well those
requirements have been met
• Use of a formal process to ensure
that user requirements and controls
are reflected in design and
development
• Testing with actual users
• Planned application maintenance
• Controlled change management
www.LearnCia.com
Part 3, Section E, Topic 12
GTAG 1:
IT Controls
Part 3 E – 56
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Systems Development Life Cycle (SDLC)
Systems planning
A formal process that involves
management and stakeholders
Systems analysis
Systems design
Programming
Systems selection
Customization/
configuration
Testing
Conversion and
implementation
Feedback
www.LearnCia.com
Part 3, Section E, Topic 12
Systems operation
and refinement
Part 3 E – 57
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Feasibility Studies
1. Identify needs of all related parties and develop
metrics for later use.
2. Analyze proposed system against needs,
resources, costs, technology trends, and
strategic alignment.
3. Perform cost-benefit analysis.
4. Identify best risk-based alternative.
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 58
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following is the result of the
systems analysis phase of the SDLC?
A. Long-term technology strategy
B. Detailed system blueprint
C. Written request for systems design
D. Unit testing and system testing
Answer: C. The result of systems
analysis is a written request for systems
design or selection.
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 59
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Systems Design/Selection: IA Concerns
• User approval
• Authorization procedures for program
changes and new code
• Software testing and quality control
• Staff proficiency
• Controls on selection criteria
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 60
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Overview of IT Application Controls
Input
controls
Output
controls
Processing
controls
SDLC Process
Integrity
controls
www.LearnCia.com
Audit
trail
Part 3, Section E, Topic 12
Part 3 E – 61
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT Application Controls—Input Controls
•
•
•
•
Control data as it enters system
GIGO
Manual input controls, e.g., authorizations
Electronic aids for manual inputs
– Screen formats, entry fields, drop-down menus
– Keystroke verification
– Labeling conventions and completeness checks
• Batch controls for items that can be batched
• Visual verification for items that cannot be
batched
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 62
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT Application Controls—Input Controls
• Format checks
• Edit checks
–
–
–
–
–
–
–
–
–
Control totals
Range tests
Numerical checks
Sequence checks
Limit checks
Check digits
Record count
Historical comparison
Overflow checking
www.LearnCia.com
• Reconciliation and
balancing
• Inquiry logs
• Automated inputs
–
–
–
–
–
OCR
MICR
Scanners
Bar codes
RFID
• Manual review
Part 3, Section E, Topic 12
Part 3 E – 63
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
All of the following are true of processing controls
except
A. Data center operators need to be able to override
file names or device errors.
B. Auditors should verify that reconstructed files have
accuracy checks.
C. Date and file total checks flag exact duplicate
entries as errors.
D. Control totals are gathered when an
application generates temporary files.
Answer: A. The opposite is true.
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 64
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT Application Controls—Processing Controls
Automated controls
• Date and file total checks
• Completeness tests
• Control totals
www.LearnCia.com
Other processing controls
• Reasonableness checks
• Suspense file
• Activity logging
• Processing logic tests (e.g.,
cross-footing check)
• Run-to-run totals
• End-of-file procedures
• Primary and secondary key
integrity check
• Access control list (ACL)
Part 3, Section E, Topic 12
Part 3 E – 65
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT Application Controls—Output Controls
•
•
•
•
•
•
•
•
•
Detective controls
Require users to review work immediately
Record retention
Error listings
Auditor’s control total samples
Reference documents
Spooling controls
Working documents
Reconcile
Reports
System inputs
System outputs
Exception reporting
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 66
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Online programming is performed at workstations and
has both advantages and risks. What are they?
Answer:
Advantages
Risks
Programmers can use
real code.
Programming is faster.
Multiple versions of
programs can be
created.
Unauthorized access to
program may be
allowed.
Valid code may be
overwritten.
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 67
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Programming Languages
Source code
#include <stdio.h>
main()
{
int fib[24];
int i;
Compiling
fib[0] = 0;
fib[1] = 1;
Object code
for(i = 2; i < 24; i++)
fib[i] = fib[i-1] + fib[i-2];
for (i = 0; i < 24; i++)
printf("%3d %6d\n", i, fib[i]);
}
110100101000111011010010
Computers read only object code
(binary)
Access to source = ability to change program
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 68
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Application Testing:
Fill in the blanks
Type of Test
Test Description
Sociability
testing
Testing system in its intended environment (same users,
hardware, concurrent applications)
Alpha test
Conducted by developers
Throughput
testing
Validates ability of system to process specified number of
transactions within specified time
Regression
testing
Confirms revisions have corrected problems and not
introduced new problems
Beta test
Conducted by users
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 69
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Documentation
• Document
– Software
– Related business processes
– Security features and backup procedures
• Clear and concise, structured methodology
• Early audit involvement and designated reviewer can ensure
that documentation duties are performed
Vast documentation
Project scope change,
e.g., from version 1.1 to
just released 1.2
Update documentation
or
freeze specifications
www.LearnCia.com
Part 3, Section E, Topic 12
Less-useful results
Part 3 E – 70
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Fill in the blanks:
High-performing organizations perform ______
fewer patches
than low-performing ones.
Change
management includes code revisions, system
__________________
upgrades, and infrastructure changes such as cabling.
The number of emergency or unauthorized changes
zero
allowed per year should be _____.
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 71
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Reducing Change Risks
• Adhere to development methodology (e.g., SDLC)
• Objective audit tasks: routine changes that have low
risk of management override
• Subjective audit tasks: e.g., software controls that
monitor if controls are overridden
• Development should report to high enough level to
avoid pet projects
• Supervisory controls
– Preventive (e.g., enforce change management policy)
– Detective (e.g., measuring and correcting performance)
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 72
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Change and Patch Management Metrics
Risk
Control
Metric
Unauthorized
changes
• Policy: 0 unplanned
changes
• Proactive management
• Detective software
•
•
•
•
Changes fail to
be implemented
or are late
• Change management
process
• > 70% change success rate
• New work created by
change
Unplanned work
displaces
planned work
• Perform triage
• Bundle planned changes
• Treat patches as a process
to expect
• < 5% work unplanned
• % of time on unplanned
work
• % of projects late
• % of patches as planned
release
www.LearnCia.com
# of unplanned changes
# of unplanned outages
# of changes authorized
# of changes implemented
Part 3, Section E, Topic 12
Part 3 E – 73
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Rapid Application Development (RAD)
Methodologies and tools for
fast development
• PERT
• Module-by-module
• Reusable code
• RAD
– Reduces documentation
– User participation
– Automated code generation
• JAD
• Agile development
• Object-oriented
development
• End-user self-development
www.LearnCia.com
Auditing RAD projects
• Emphasis on speed—lower
quality?
• Does it fulfill business
needs?
• Gold plating?
• Naming conventions?
• Scalability?
• Does project push harder
tasks toward last phase?
Part 3, Section E, Topic 12
Part 3 E – 74
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Application Development Terminology
•
•
•
•
•
Thin client
Fat client
Legacy systems
Data cleansing (Topic 16)
Debugging
Enterprise application integration (EAI)
– Middleware
– Web services (Topic 18)
– Business process management (BPM)
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 75
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following describes an advanced
application that is capable of reviewing every
receiving record, applying the same audit tests to
each record, and highlighting records that warrant
further scrutiny?
A. Decision support systems (DSS)
B. Expert systems
C. Cross-enterprise collaboration and
optimization tools
Answer: B. Expert systems use a series of
decision points.
www.LearnCia.com
Part 3, Section E, Topic 12
Part 3 E – 76
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Voice Communications
• Auditors: callback procedures
• Standard telephone systems
–
–
–
–
Automated voice mail
Inoperability has high opportunity cost
Should be part of contingency plan
Problems include wiretapping and third party fraudulently
representing self
• VoIP
– Encryption vs. backdoor for wiretapping
– Exploiting VoIP opens access to network overall
• Virtual private networks (VPNs)
www.LearnCia.com
Part 3, Section E, Topic 13
Part 3 E – 77
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Business Continuity Management
“process by which an organization
prepares for future incidents that
could jeopardize the organization’s
core mission and its long-term
viability”
Source: Global Technology Audit Guide 10—Business Continuity Management.
www.LearnCia.com
Part 3, Section E, Topic 14
Part 3 E – 78
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
BCM Process
Gain management commitment.
Conduct risk assessment and mitigation analysis.
Conduct business impact analysis.
Define recovery and
continuity strategies.
Establish disaster
recovery for IT.
Deploy, verify, and maintain program.
Source: Global Technology Audit Guide 10—Business Continuity Management.
www.LearnCia.com
Part 3, Section E, Topic 14
Part 3 E – 79
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Developing a Contingency Plan
• Planning team
– Team leader
– Delegate roles to those closest to each risk
• Can out-source forming and testing but not
incident handling
• Integrate with risk framework
• Educate management
www.LearnCia.com
Part 3, Section E, Topic 14
Part 3 E – 80
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Risk-based Priorities and Making a Plan
Determine order of restoration
of services:
• Categorize by severity +
likelihood + restoration
priority (each has
appropriate response)
• Evacuation plans
• Business interruption and
property insurance
• Recovery methods: off-site
facilities
–
–
–
–
www.LearnCia.com
Hot
Cold
Warm
Reciprocal agreements
Part 3, Section E, Topic 14
Part 3 E – 81
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Critical Systems for IT BCM
IT Systems
Data center
Applications and data
Servers and other hardware
Communication devices
Networks
IT infrastructure
Remote access services
Manufacturing process control
systems
Information Management Systems
File rooms
Document management systems
Source: Global Technology Audit Guide 10—Business Continuity Management.
www.LearnCia.com
Part 3, Section E, Topic 14
Part 3 E – 82
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Documenting and Testing the Plan
• Clear, simple introduction
• Team responsibilities,
emergency contact
information
• Backup schedules,
location of facilities
• Escalation procedure
• Action plans with recovery
time frames, strategy, and
subplans
• Insurance documentation
www.LearnCia.com
• Best evidence of plan
adequacy is testing the
plan (e.g., fire drill)
• Current disaster
recovery capacity
• Variance vs. internal
benchmarks
Part 3, Section E, Topic 14
Part 3 E – 83
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
BCM Plan Testing:
Fill in the blanks
Type of Test
Description
IT environment
walkthrough
Participants walk through announced or unannounced
simulation and execute system recovery procedures.
Orientation or plan
walkthrough
BCM team members meet to review their roles.
Tabletop
exercise
Team participates in brief simulation of a scenario.
Desk check or
plan audit
Written plan is reviewed and updated.
End-to-end testing
All stakeholders participate; demonstrates ability to perform
key processes at an agreed level.
www.LearnCia.com
Part 3, Section E, Topic 14
Part 3 E – 84
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
An IT auditor discovers a weakness in the general controls
that encompass more than just IT. The auditor should do
which of the following? (Select all that apply.)
I. Communicate the issue to management.
II. Explain the risk exposure created by the deficiency.
III. Recommend the best system to address the issue.
IV. Set a deadline for implementation of controls.
V. Oversee implementation of controls.
Answer: I, II, and III.
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 85
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
COBIT System Security Objectives
1. Manage IT security.
2. Implement IT security
plan.
3. Implement identity
management processes.
4. Manage user accounts.
5. Ensure security testing.
6. Ensure security incident
definition.
www.LearnCia.com
7. Protect security
technology.
8. Manage the cryptographic
key.
9. Prevent, detect, and
correct malware.
10. Implement network
security to ensure
authorized access.
11. Ensure transmission of
sensitive data over
trusted paths or secure
media.
Part 3, Section E, Topic 15
Part 3 E – 86
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT General Controls—Logic Controls
• Software-based rules for error checking or access
• Password authentication
– Digitally enforcing alphanumerics, regular changes,
provisioning, etc.
• Least privilege: are roles too broad?
• Audit trails
– Keep secure from as many users as possible
• Others
–
–
–
–
Automated log-off of inactive users
Monitoring computers with remote control privileges
Access logs
Contractor access codes that expire
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 87
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IAM Process
Provisioning
Creating, changing, or terminating an identity
that grants access to a system
Identity Management
Strategies, policies, and processes for
monitoring, auditing, and reporting
Enforcement of Policies
Automatic processes or mechanisms
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 88
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
IT General Controls—Physical Controls
• Physical access controls
–
–
–
–
Key card with security computer database
Role-based subdivisions within a building
Biometrics
Data centers: not on exterior wall; slab-to-slab construction
• Environmental hazard controls
– Surge suppression, grounding, UPSs
– HVAC, air cleaning
– Regular maintenance logs
• Fire and flood protection
– Fire alarms, moisture detectors
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 89
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
General Controls—Hardware Controls
Detect and report hardware errors but need
process in place to fix errors
• Redundant character check
• Equipment check
• Duplicate process check
• TEMPEST
• Echo check
• Fault-tolerant components
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 90
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Data Storage and Security
• Consistent data structure standards
• Data security controls
– While on site, in transmission, or stored in third-party
systems
– End-user training
– Physical and logical controls over data
• Backing up data
– Grandfather-father-son
– Off-site vaulting + electronic journaling = electronic vaulting
– Storage methodology and labeling
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 91
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Backup Data Storage Media
• Hard drive
• RAID
• Storage area network
(SAN)
• Tape/tape libraries
• Magnetic disk
• Network-attached
storage (NAS)
www.LearnCia.com
•
•
•
•
Online (FTP) storage
CD-ROM
DVD
USB storage (small
amount of data only)
Part 3, Section E, Topic 15
Part 3 E – 92
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
General Controls—IT Operational Controls
• Planning controls
• Policies, standards, and procedures
– IT segregations: access only if job necessity
• Data security
– Minimize users with administrative privileges
– End-user training to reduce password risks, etc.
• Insurance and continuity planning
• External provider controls
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 93
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Security Levels
Cost of security should be commensurate with level of
risk mitigation required.
Security Level
Impact
Example
Low
• Moderate impact on
reputation or productivity
• Still must be safeguarded
• Data on public servers such
as Web sites
Moderate
• Serious impact on firm’s
mission
• Potential market losses
• ERP data
• Data needed for government
agency reporting
• Medical records
High
• If compromised, could
destroy reputation,
productivity, market share
• Contingency plan with offsite storage locations
• Evidence for trial
www.LearnCia.com
Part 3, Section E, Topic 15
Part 3 E – 94
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Reinforcing Activity 3-11
Part 3, Section E, Topics 8, 12, and 15
Information Technology
www.LearnCia.com
Part 3, Section E, Topics 8, 12, and 15
Part 3 E – 95
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following is true of a centrally located,
multiple-application, relational database and database
management system (DBMS)?
A. Standards must be set up in several ways to
accommodate all attached applications.
B. The database is more expensive and complex and
could cause overall system failure.
C. File redundancies cannot be completely eliminated.
D. Applications are more difficult to program
but function better once made.
Answer: B. The answer lists some of the drawbacks/
risks involved with a centralized DBMS.
www.LearnCia.com
Part 3, Section E, Topic 16
Part 3 E – 96
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Database Terminology
ERP system
SUPPLIER_TABLE
Address
14 W. Addison St.
A
0 or 1
www.LearnCia.com
Database
File
Record
Field
Character
•
•
•
•
Data definition language
Schema and subschema
Data dictionary
Data manipulation
language
• Data query language,
e.g., SQL
Bit
Part 3, Section E, Topic 16
Part 3 E – 97
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Relational Databases
Attribute
(column)
CUSTOMER_TABLE
CUSTOMER_NO
Key
field
CUST_NAME
ADDRESS
ZIP
23423
Al’s Outfitters
14 Wallaby Way
33432
56456
Journeyman
42 Driftwood Rd.
39323
SALES_TABLE
Link
SALES_NO
CUSTOMER_NO
PART_NO
234
23423
A239-3
235
56456
B567-9
PARTS_TABLE
PART_NO
Entity
(row)
DESC
QTY
DATE
Piton
900
2/14/Y1
Carabineer
500
2/14/Y1
Link
DESC
To SUPPLIER Table
PRICE
TERMS
SUPPLIER_NO
SUPPLIER
A239-3
Piton
US $1.25
2/10 n30
983892
Steel, Inc.
B567-9
Carabineer
US $2.15
2/10 n30
394003
Alumco.
www.LearnCia.com
Part 3, Section E, Topic 16
Part 3 E – 98
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Database Controls
• Enforcing attribute standards and
ensuring accuracy of data elements
and relationships
• Managing concurrent access without
sacrificing data integrity or availability
• Protecting against data loss during
processing and restarts
• Protecting against loss of stored data
• Optimizing database size and
efficiency
• Managing access
• Monitoring and reporting on
performance
www.LearnCia.com
Part 3, Section E, Topic 16
Part 3 E – 99
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
A database manager suggests to an auditor that to
improve the security of the payroll area of the
database, it should have checkpoints and fine-grained
access control. The former restricts _____, while the
latter restricts _____.
A. access by job role; the data itself.
B. the data itself; access by job role.
C. access by key card; by unique ID.
D. by unique ID; access by key card.
Answer: A. Database areas can be segregated
by checkpoints based on job role; fine-grained
access control restricts the data itself.
www.LearnCia.com
Part 3, Section E, Topic 16
Part 3 E – 100
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Data Cleansing
•
•
•
•
•
•
•
Concatenation
Standardization
Taxonomy
Normalization
Deduping
Categorization
Enhancement
www.LearnCia.com
Part 3, Section E, Topic 16
Part 3 E – 101
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Data Warehouses, OLAP, Data Mining
Rotate
Actual
Planned
OLAP
Data
warehouse
Not real
time
Transactional,
real-time
databases
www.LearnCia.com
1
Sales items
2
A
B
Sales regions
Manipulate
results without
making new
query
Drill up,
drill down
Data mining
Hidden patterns
Part 3, Section E, Topic 16
Part 3 E – 102
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Software Copyright
• Software license agreement
– By server, computer, site, concurrent users, etc.
• Rights of organization
– Source code license
– Right to make backup copies?
• Software piracy
– Illegal copies
– Installation of more copies than agreed to
• Clearly communicate copyright policy
– Personal consequences
– Consequences to organization
www.LearnCia.com
Part 3, Section E, Topic 17
Part 3 E – 103
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Software Licensing Controls
• Implement copyright protection/piracy
policies.
• Review all software contracts and secure
site/concurrent user contracts if
possible.
• Compile list of all approved and licensed
applications (and allowable number of
copies).
• Prevent downloading illegal copies.
• Prevent installation from PC.
• Centralize software purchasing and
installation.
©
®
www.LearnCia.com
Part 3, Section E, Topic 17
Part 3 E – 104
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following is true of purchased software as
opposed to internally developed software? (Select all that
apply.)
I. The application is usually better documented.
II. A “patch deck” allows customization to migrate
between versions.
III. Purchased software often costs more than
internally developed software.
IV. Application testing is not as robust.
Answer: I and II.
www.LearnCia.com
Part 3, Section E, Topic 17
Part 3 E – 105
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Software Purchasing Steps
• Make or buy decision.
• Simple off-the-shelf applications use internal
evaluation.
• Complex systems involve RFQ or RFP:
– Get nondisclosure agreements before submitting.
– Review responses, invite some to make
presentation.
– Should see functioning model, preferably using
the organization’s data and volume levels.
– Primary factor: Does it meet requirements?
www.LearnCia.com
Part 3, Section E, Topic 17
Part 3 E – 106
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Web Terminology
• Internet: network of
networks
• WWW: largest subset
• Intranet
• Extranet
• HTTP/HTTPS
• Internet protocol (IP)
address
• Domain name system
(DNS)
• FTP
• Uniform Resource
Locator (URL)
http://www.theiia.org/itaudit/index.cfm?catid=29&iid=509
Protocol
www.LearnCia.com
Domain name Directory path
Document name
Part 3, Section E, Topic 18
Part 3 E – 107
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Internet Structure
Physical infrastructure owned by
network service providers (e.g.,
telecom companies, governments)
Internet backbone
Metropolitan access
points (MAPs)
Network access ISP or VPN
• TCP/IP
points (NAPs)
• Broadband/narrowband
Data on Internet neither owned nor managed
World Wide Web Consortium (W3C) sets protocols
www.LearnCia.com
Part 3, Section E, Topic 18
Part 3 E – 108
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Discussion Question
Which of the following would be the best policy for
safeguarding of a confidential e-mail once the user
has downloaded the message to their computer?
A. Permanently maintain copies on the server.
B. Maintain copies on the server for three years.
C. Automatically delete the message once
downloaded.
Answer: C. Prompt deletion of confidential e-mail
after downloading reduces the risk of compromise.
www.LearnCia.com
Part 3, Section E, Topic 18
Part 3 E – 109
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Browser Security
• Disable unnecessary features.
– Plain HTML best.
• ActiveX or Java could conceal malicious code.
– Java’s sandbox environment could be compromised.
•
•
•
•
Treat plug-ins with suspicion.
Disallow most cookies; allow for only trusted sites.
Pop-up blocker.
Browser security: set to “high.”
– Define “trusted” sites (HTTPS, SSL, or other verifiable
sites).
– Cross-site scripting: 3rd-party trusted sites compromised.
www.LearnCia.com
Part 3, Section E, Topic 18
Part 3 E – 110
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Web Services, Service-Oriented Architecture
SOA
2. Service consumer and
provider or UDDI registry
B?
Service A
SOAP wrapper
3. Service
provider
Service B
AB?
1. Service
consumer
4. Service AB
www.LearnCia.com
Message content
Loose coupling:
• Includes real dependencies,
omits artificial dependencies.
• Separates data from
application.
• Service request says what it
needs done, not how to do it.
Part 3, Section E, Topic 18
Part 3 E – 111
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
Audit Concerns with SOA
• All ERP modules such as
finance or A/R can be Web
services.
• SOA acts as trunk line for
service attached to Web.
• Direct link, automated
trading:
– Customer’s ERP system
becomes a service
consumer.
– Omits some segregation of
duties.
www.LearnCia.com
• Compensating controls:
– Make other ERP systems,
etc., users in own right.
– Actual persons logged in
also need verifying as
proper sub-users.
– Avoid port 80.
– Emphasize application level
controls.
– Implement in stages, with
nonfinancial modules first.
Part 3, Section E, Topic 18
Part 3 E – 112
V3.0
THE IIA’S CIA LEARNING SYSTEMTM
End of Section E
Questions?
www.LearnCia.com
Part 3, Section E
Part 3 E – 113
V3.0