Monday, December 07, 2015

Elements for IS Auditing
An information system is not just a computer. Today's information systems are complex and have many components that fit together to make a business solution. Assurance about an information system can be obtained only if all the components are evaluated and secured; as the proverb goes, a chain is only as strong as its weakest link. The major elements of an IS audit can be broadly classified as follows:
  1. Physical and environmental review—This includes physical security, power supply, air conditioning, humidity control and other environmental factors.
  2. System administration review—This includes security review of the operating systems, database management systems, all system administration procedures and compliance.
  3. Application software review—The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
  4. Network security review—Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
  5. Business continuity review—This includes the existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
  6. Data integrity review—This is the scrutiny of live data to verify the adequacy of controls and the impact of weaknesses noticed in any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer-assisted audit techniques).
All these elements need to be addressed to present to management a clear assessment of the system. For example, application software may be well designed and implemented with all the security features, but the default super-user password in the operating system used on the server may not have been changed, thereby allowing someone to access the data files directly. Such a situation negates whatever security is built into the application. Likewise, firewalls and technical system security may have been implemented very well, but the role definitions and access controls within the application software may have been so poorly designed and implemented that by using their user IDs, employees may get to see critical and sensitive information far beyond their roles.
It is important to understand that each audit may consist of these elements in varying measures; some audits may scrutinize only one of these elements or omit several of them. While it remains necessary to do all of them, it is not mandatory to do all of them in one assignment. The skill sets required for each are different. The results of each audit need to be seen in relation to the others, which enables the auditor and management to get a total view of the issues and problems. This overview is critical.
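As an added example (not part of the original post), here is the kind of substantive test described under data integrity review, applied to the access-control failure in the paragraph above: a role matrix and a user entitlement export, both constructed sample data, are reconciled to flag permissions held beyond what a user's role defines and segregation-of-duties conflicts. All role names, permissions and users are assumed values, not from any real system.

```python
import csv
import io

# Constructed sample: what each application role is supposed to grant.
ROLE_MATRIX = {
    "ap_clerk": {"invoice.create", "invoice.view"},
    "ap_approver": {"invoice.view", "invoice.approve"},
    "hr_analyst": {"employee.view"},
}

# Constructed sample: permission pairs one person must never hold together.
SOD_CONFLICTS = [("invoice.create", "invoice.approve"), ("payroll.edit", "payroll.approve")]

# Constructed sample export from the application: one row per permission held.
USER_EXPORT = """user,role,permission
alice,ap_clerk,invoice.create
alice,ap_clerk,invoice.view
bob,ap_approver,invoice.view
bob,ap_approver,invoice.approve
bob,ap_approver,invoice.create
carol,hr_analyst,employee.view
carol,hr_analyst,payroll.edit
carol,hr_analyst,payroll.approve
"""


def load_entitlements(export_text):
    # Group the export into {user: {"role": ..., "perms": set()}}.
    users = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = users.setdefault(row["user"], {"role": row["role"], "perms": set()})
        entry["perms"].add(row["permission"])
    return users


def reconcile(export_text, role_matrix=ROLE_MATRIX, sod=SOD_CONFLICTS):
    """Return (user, finding_type, detail) tuples for every deviation found."""
    findings = []
    for user, entry in sorted(load_entitlements(export_text).items()):
        expected = role_matrix.get(entry["role"], set())
        # Permissions held beyond what the assigned role defines.
        for perm in sorted(entry["perms"] - expected):
            findings.append((user, "excess", perm))
        # Toxic combinations, regardless of how they were granted.
        for a, b in sod:
            if a in entry["perms"] and b in entry["perms"]:
                findings.append((user, "sod_conflict", f"{a}+{b}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in reconcile(USER_EXPORT):
        print(f"{user:8} {kind:13} {detail}")
```

In practice the role matrix comes from the application's documented role definitions and the export from its user administration module; the findings list is what the auditor then walks through with the business owner.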

An IS audit should cover the following sections:
1. Network, workstation, Internet, disaster recovery, and other IT security policies
2. Gramm-Leach-Bliley Act Section 501(b)
3. Overall security procedures
4. Segregation of IT duties
5. Internal quality and integrity controls
6. Data communication security
7. User identification and authorization
8. User level of accessibility
9. Restricted transactions
10. Activity and exception reports
11. Backup procedures
12. Other operational security controls
13. Insurance coverage
14. Network security, which includes the Internet
15. Internal auditing procedures
16. Contingency planning and disaster recovery
17. Internet security procedures
18. Vendor due diligence
19. Feedline Advantage security
20. Internet banking controls and procedures
21. Telephone banking
22. Internal procedures and controls around your core banking system, whether internal or external processing
An IS audit should include the following IT security tests:
1. External VISTA penetration-vulnerability study
2. Domain server security settings
3. Virtual machine/guest security settings
4. Workstation security settings
5. Network user access
6. Core application access
7. Network topology security analysis
8. Systems security features and controls
9. Sampling for unauthorized software
10. Outsourcing/cloud activities