Part 3 E – 1 V3.0 THE IIA’S CIA LEARNING SYSTEM TM www.LearnCia.com

Section Topics

1. Control frameworks
2. Data and network communications/connections
3. Electronic funds transfer (EFT)
4. E-commerce
5. Electronic data interchange (EDI)
6. Functional areas of IT operations
7. Encryption
8. Information protection
9. Evaluate investment in IT
10. Enterprise-wide resource planning (ERP) software
11. Operating systems
12. Application development
13. Voice communications
14. Contingency planning
15. Systems security
16. Databases
17. Software licensing
18. Web infrastructure

Part 3, Section E

Risks Specific to IT Environment

• Physical audit trail replaced by data trail
• Hardware/software failure
• Systematic errors
• Fewer human inputs
• Less segregation of duties
• Access authorization
• Automated transaction authorization
• Deliberate harmful acts

Part 3, Section E, Introduction

Pervasive and Specific Risks

Pervasive risks
• Affect whole enterprise
• More costly effects

Specific risks
• May be attributed to specific processes

Part 3, Section E, Introduction

Challenges of IT Auditing

• Appreciating their importance
• Assigning roles and responsibilities
• Determining risk
• Controlling and monitoring
• Assessing effectiveness
• Understanding IT controls

Part 3, Section E, Introduction

CAE Role

Identify:
• Organization’s IT control environment.
• Legal and regulatory compliance requirements.
• Roles and responsibilities throughout organization.
• Risk assessment process.
• Monitoring process.
• Appropriate information and communication processes.

Part 3, Section E, Introduction

Goals of IT Controls and Control Frameworks

Provide:
• Compliance with laws and regulations
• Consistency with business objectives
• Continuity with governance policies and risk appetite

Part 3, Section E, Topic 1

Specific IT Control Objectives

• Protect assets/owners’ equity.
• Data is available, reliable, and restricted.
• Users accountable.
• Protect privacy and identity.
• Protect employees’ jobs.
• Ensure system integrity.
• Control automated processes.
• Audit trail exists for all transactions.

Part 3, Section E, Topic 1

Discussion Question

What is an example of an organizational activity that would indicate that effective IT controls are in place?

Answers:
• Projects come in on time and within budget.
• Organization can plan and execute new work to support activities.
• Resources can be allocated predictably.
• Consistent information and service are available across the organization.
• Management knows when and what IT controls are in place.
• Organization can protect itself from attacks and recover quickly.
• Customer support and help desks are used efficiently.
• Entire organization is aware of security issues.

Part 3, Section E, Topic 1

Control Classification

(Diagram; labels recovered from the slide.) Controls are grouped three ways:
• Governance controls, management controls, technical controls
• General controls, application controls
• Preventive controls, detective controls, corrective controls

Source: Global Technology Audit Guide 1—Information Technology Controls.

Part 3, Section E, Topic 1

IT Control Frameworks

(Diagram; labels recovered from the slide.)
• Business strategy leads to IT strategy.
• IT control framework + overall control frameworks and business processes: set IT control objectives and logically group IT processes; align organizational structures.
• Objectives, requirements, and actual performance are tied together by performance goals and metrics + continuous assurance.
• A framework identifies the need for controls but doesn’t show how to apply them.

Part 3, Section E, Topic 1

COSO Model for Internal Control Frameworks

COSO component, with the example given on the slide:
• Control environment: Corporate Technology Governance Committee
• Risk assessment: IT internal audit assessment
• Control activities: Technology standards compliance enforcement
• Information and communication: IT and security training
• Monitoring: Monthly metrics for technology performance

Source: Global Technology Audit Guide 1—Information Technology Controls.

Part 3, Section E, Topic 1

Control Objectives for Information and related Technology (COBIT®)

Four characteristics: business orientation, process-driven, measurement-driven, control-driven.

Business orientation is the primary driver:
• Business requirements drive IT needs.
• Management must understand IT.
• It defines primary and secondary governance elements.
  – Alignment to strategy
  – Delivery of value
  – Management of resources
  – Management of risk
  – Performance measures

Measurement-driven and control-driven (diagram): a standard (the slide’s example: 350° = cake temperature) feeds a measurement system, which feeds a control, which acts on the process.

Part 3, Section E, Topic 1

COBIT—Process-Driven

• Focus less on execution, more on controls
• Standard terminology
• Standard methods

34 processes in four domains (diagram):
• Plan and organize
• Acquire and implement
• Deliver and support
• Monitor and evaluate

Part 3, Section E, Topic 1

COBIT—Process-Driven

• High-level control objective
• Detailed control objectives
• Management guidelines
  – RACI chart
  – Goals and metrics

Goals and metrics (diagram):
• Box 1: Activity goals
• Box 2: Activity goal metrics
• Box 3: Primary activities
• Box 4: Primary activity metrics
• Box 5: IT goals
• Box 6: IT goal metrics

Part 3, Section E, Topic 1

Discussion Question

A new organization decides to use the COBIT® control framework. Which of the following is true of this decision? The framework
A. is a best practice and should be used as is.
B. includes detailed implementation guidelines.
C. should be modified to reflect risk appetite and risk tolerance.
D. includes overall organizational controls in its guidance.

Answer: C. Frameworks should be adapted to suit the needs of the organization.

Part 3, Section E, Topic 1

Computers, Servers, Client/Server Architecture

• Mainframes primarily for large amounts of data, many concurrent users
• Servers fill specialized needs, e.g., Web server

Controls: Secure data center, HVAC, electrostatic, trained personnel

(Diagram.) Mainframe with dumb terminals (no PCs, or PCs with terminal emulation software); server with clients (PCs).

Part 3, Section E, Topic 2

Discussion Question

Supply the proper term for each definition listed below.

Answers:
• Decentralized processing: Geographical isolation of IT centers with no communication among centers; harder to control.
• Centralized processing: Commonly uses a mainframe computer; provides the highest level of control.
• Distributed processing: Each region has its own data center but all centers are networked together; provides some redundancy against catastrophic events.

Part 3, Section E, Topic 2

Network Types

• Peer-to-peer
• PAN
• LAN
• MAN
• WAN
• PDN
• VAN
• Consortium networks

Part 3, Section E, Topic 2

Discussion Question

All of the following are true regarding the Open Systems Interconnection (OSI) reference model except
A. The first three layers are common to a network; the last four are specific to a computer.
B. The first two layers are the only ones to contain hardware; the rest are software.
C. Unrelated objects can communicate using OSI protocols.
D. The first layer is the closest one to the user.

Answer: D. The last layer is closest to the user.

Part 3, Section E, Topic 2

OSI Reference Model

OSI layer, description, and related controls:
• Layer 1: Physical. Electrical/mechanical. Controls: wiring; physical protection.
• Layer 2: Data link. Synchronizes; compresses. Controls: encryption.
• Layer 3: Network. Routes, forwards data. Controls: track IP address; firewalls.
• Layer 4: Transport. End-to-end control, error checking, e.g., TCP/IP and IP networks. Controls: logical control layer; firewalls.
• Layer 5: Session. Starts, ends conversations. Controls: none listed.
• Layer 6: Presentation. O/S; applies syntax, format. Controls: O/S controls.
• Layer 7: Application. Constraints on data, e.g., partner authentication. Controls: configurable data constraints; intrusion detection/prevention.

Part 3, Section E, Topic 2

Network Hardware

Device, what it connects (from/to), and OSI layer (table recovered from the slide):
• Port: physical connection point. OSI layer 1.
• Hub: internal to internal (sent to all ports); slower, congested. OSI layer 1.
• Switch: internal to internal (sent to address); fast, intelligent. OSI layer 2.
• Router: external (e.g., ISP) to internal (LAN). OSI layer 3.
• Gateway: dissimilar network to dissimilar network. OSI layer 3.
• Bridge: similar network to similar network. OSI layer 2.
  – Often integrated into a router
• Multiplexer
  – Time division
  – Frequency division
• Repeater

Part 3, Section E, Topic 2

Network Hardware Example

(Diagram; components only.) The Internet connects through a router/gateway and a firewall/gateway to LAN #1 and LAN #2, each served by a switch. Attached are servers, workstations (PCs), a hub, printers, a wireless bridge to the wireless network, and the phone system, which connects to the phone company.

Part 3, Section E, Topic 2

Purpose of Firewalls

• Improve security by blocking access from certain servers or applications.
• Reduce vulnerability and ensure efficiency by limiting user access to certain sites.
• Support detection of internal sabotage and external intrusion.
• Provide encryption internally.

(Diagram.) The firewall sits between internal users and intruders.

Part 3, Section E, Topic 2

Firewalls

• Hardware/software at OSI layers 3 (network), 4 (transport), and 7 (application)
• Packet filtering
  – Stateful inspection
  – Network address translation (NAT)
• Gateways
  – Application gateway/proxy server
• DMZs
• Intrusion detection/prevention systems (IDS/IPS)

(Diagram.) Access router to the Internet; firewall; DMZ holding the Web server (host or proxy server) and IDS/IPS; second firewall; private network areas.

Part 3, Section E, Topic 2
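The three mechanisms the slide lists first (packet-filtering rules, stateful inspection, and a DMZ that is the only zone the Internet may reach) in a small simulation. This is an added example, not code from the IIA Learning System: the zones, addresses, port numbers and packets are constructed for the demo, and NAT, application gateways and IDS/IPS are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (not from the slide): private areas, a DMZ, and
# everything else counts as the Internet.
PRIVATE = ip_network("10.0.0.0/8")
DMZ = ip_network("192.0.2.0/24")
WEB_SERVER = "192.0.2.10"        # the only DMZ host exposed to the Internet


def zone_of(ip):
    """Classify an address into the three zones of the slide's diagram."""
    addr = ip_address(ip)
    if addr in PRIVATE:
        return "private"
    if addr in DMZ:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the first segment of a TCP connection


class StatefulFirewall:
    """Static packet filtering plus a connection table (stateful inspection)."""

    def __init__(self):
        # Connections seen being opened: (initiator, port, responder, port)
        self.connections = set()

    @staticmethod
    def rule_permits(pkt):
        """Static packet-filter policy; consulted only for connection openers."""
        src, dst = zone_of(pkt.src), zone_of(pkt.dst)
        if src == "private":
            return True                       # inside may open to DMZ or Internet
        if src == "dmz":
            return dst == "internet"          # DMZ never opens into private areas
        if src == "internet":
            return dst == "dmz" and pkt.dst == WEB_SERVER and pkt.dport == 443
        return False

    def decide(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            return "allow (established)"      # replies ride on the recorded opener
        if pkt.syn and self.rule_permits(pkt):
            self.connections.add(forward)
            return "allow (new)"
        return "deny"                         # default deny, incl. stray non-SYN packets


def run_demo():
    """Push constructed packets through the filter and return the decisions."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.1.1.5", 40000, "203.0.113.7", 443, syn=True),    # inside -> web site
        Packet("203.0.113.7", 443, "10.1.1.5", 40000, syn=False),   # its reply
        Packet("198.51.100.9", 5555, "10.1.1.5", 445, syn=True),    # Internet -> inside SMB
        Packet("198.51.100.9", 5556, WEB_SERVER, 443, syn=True),    # Internet -> DMZ HTTPS
        Packet("198.51.100.9", 5557, WEB_SERVER, 22, syn=True),     # Internet -> DMZ SSH
        Packet("198.51.100.9", 443, "10.1.1.5", 40001, syn=False),  # "reply" with no state
        Packet(WEB_SERVER, 5000, "10.1.1.5", 3306, syn=True),       # DMZ host -> internal DB
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The sixth packet is the point of stateful inspection: it looks like a reply from port 443, but no inside host opened that connection, so a stateless filter that trusts "source port 443" would pass it while the connection table rejects it. The last packet shows why the DMZ is a separate zone: a compromised Web server still cannot open connections into the private areas.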

Electronic Funds Transfer (EFT)

Bank-to-bank (only) transfer of value or financial data.

EFT methods:
• Fedwire, TARGET, CHAPS.
• ACH for high-volume, low-value transfers.

EFT risks and controls:
• FEDI (financial electronic data interchange) used to initiate EFT.
  – Password and physical restriction of FEDI terminal
  – Dual approval, credit checking
  – Test keys or codes for validation, error catching
  – Encryption
• Prior consent by paying party, in writing if automatic.

Part 3, Section E, Topic 3

Internal Auditing of EFT

IA must assess:
• Logic controls to restrict access to system.
• Change management controls to ensure that all program changes are approved.
• Physical controls to restrict access to transactions.
• System data backup and recovery controls to safeguard transaction history.
• Operation controls to ensure that system components operate as designed.
• Application controls to ensure transaction accuracy.

Part 3, Section E, Topic 3

Discussion Question

All of the following are true of e-commerce except
A. E-commerce risk analyses should be done frequently, especially if operations change.
B. Mobile e-commerce, if properly encrypted, has no other major control issues.
C. Evaluating middleware is a valid part of an e-commerce risk analysis.
D. E-commerce may be defined as “conducting commercial activities over the Internet.”

Answer: B. Authentication of both parties is the second major control issue for mobile e-commerce.

Part 3, Section E, Topic 4

Factors Promoting E-Commerce

• Personalization: cookies, registration, behavior tracking
• Customization: tailored products
• Lower cost per transaction
• XML: new tags, interactive, interapplication communication
• ebXML: list services or needs on automated directory, automated trading, collaboration

Part 3, Section E, Topic 4

Factors Slowing Growth of E-Commerce

Costs
• Hardware, software, training, skilled labor.
• Mail still common payment method (mail float).

Risks
• Competitors could access valuable information.
• Exchange auctions go to lowest bidder, higher quality ignored.
• Security is constantly threatened.
• Perception of security is even lower.

Part 3, Section E, Topic 4

E-Commerce Security Policy Goals

• Authenticity
• Integrity
• Nonrepudiation
• Confidentiality
• Privacy
• Availability
• Continuous auditing

Part 3, Section E, Topic 4

Internal Auditing of E-Commerce

IA must assess:
• Network security controls.
• User ID systems.
• Privacy and confidentiality controls.
• Listing of all e-commerce applications.
• Maintenance activities.
• Automated failure detection and repair.
• Application change management controls.
• Business continuity plans in the event of failure.

Part 3, Section E, Topic 4

Discussion Question

Match each EDI risk with the proper control.

EDI Risk
A. Unauthorized user access
B. Data integrity loss
C. Transactions incomplete
D. EDI system unavailable
E. Cannot transmit transactions
F. Lack of legal evidence

Internal Control
1. ___ Acknowledgment
2. ___ Fault-tolerant systems
3. ___ Access control
4. ___ Authentication
5. ___ Consensus on legal definitions, responsibilities, obligations
6. ___ Standardized data format, use of ANSI/EDIFACT protocol

Answers: 1. C; 2. D; 3. A; 4. B; 5. F; 6. E.

Part 3, Section E, Topic 5

EDI Software

(Diagram.)
1. Initiation: the sender’s ERP system hands the document (for example, send invoice) to its EDI software.
2. File conversion: the EDI software converts it to the standard 810 invoice and transmits it, for example, over a WAN.
3. Destination: the receiver’s EDI software converts the 810 invoice for its ERP system; the invoice is received and acknowledged.

Part 3, Section E, Topic 5

IT Organizational Chart

(Diagram.) CEO; CIO reports to the CEO; reporting to the CIO: Security & Quality, Apps & Systems, Data, Tech Support, Ops.

Part 3, Section E, Topic 6

Discussion Question

Which of the following is responsible for capacity planning and focuses on efficiency?
A. Technical support
B. Applications and systems
C. Operations

Answer: C. Operations supports all business units, with a focus on efficiency.

Part 3, Section E, Topic 6

Discussion Question

Which of the following is true of IT operational roles?
A. Programmers should be the primary pool for testing code, especially if they wrote it.
B. Data entry personnel minimize manual data entry by capturing data at the point of transaction.
C. Systems developers develop end-user applications.
D. The chief technology officer develops IT security policy, controls IT resources, and oversees IT security.

Answer: B. Data entry personnel format data for computer use.

Part 3, Section E, Topic 6

Discussion Question

Which of the following management roles has oversight of the compliance aspects of IT?
A. Board of Directors
B. Chief Executive Officer
C. Chief Legal Counsel
D. Chief Information Officer

Answer: A. The Board of Directors is responsible for governance, which includes compliance.

Part 3, Section E, Topic 6

Private (Symmetric) Key Encryption

(Diagram.) A sends the private key to B, so both firms hold the same private key. Firm A encrypts 1234 via the algorithm, producing #%*#; Firm B decrypts it with the same private key and recovers 1234.

Advantages
• Simplicity
• Requires less processing power
• Difficult to crack

Risks
• Interception of private key
• Poor controls at receiver end

Part 3, Section E, Topic 7

Public (Asymmetric) Key Encryption

(Diagram.) Each firm holds its own pair: A’s public key and A’s private key, B’s public key and B’s private key. Firm A encrypts 1234 via the algorithm with B’s public key, producing #%*#; Firm B decrypts it with B’s private key and recovers 1234.

Advantage
• High degree of security

Disadvantages
• Processing intensive
• Difficult to communicate changes to all users

Part 3, Section E, Topic 7

Other Encryption Tools

• Quantum cryptography
  – Uses uncertainty
  – Can detect eavesdropping
• Digital envelope
  – Layers both symmetric and asymmetric encryption
• Cryptographic module/system
  – Packaged encryption application

Part 3, Section E, Topic 7
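The symmetric flow and the asymmetric flow of the two preceding slides, layered into the digital envelope this slide lists. This is an added example, not code from the IIA Learning System: textbook RSA over the small constructed primes 61 and 53 stands in for a real asymmetric cipher, SHA-256 run in counter mode stands in for a real symmetric cipher, and all function names are this example’s own.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA parameters; real keys are 2048+ bits and use padding.
TOY_P, TOY_Q, TOY_E = 61, 53, 17


def toy_rsa_keypair(p=TOY_P, q=TOY_Q, e=TOY_E):
    """Return ((e, n), (d, n)): the public and private halves of one key pair."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt_bytes(public_key, data):
    """Encrypt one byte per RSA block (toy layout; n must exceed 255)."""
    e, n = public_key
    return [pow(b, e, n) for b in data]


def rsa_decrypt_bytes(private_key, blocks):
    d, n = private_key
    return bytes(pow(c, d, n) for c in blocks)


def keystream(key, nonce, length):
    """SHA-256 in counter mode as a stand-in symmetric stream cipher."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def symmetric_crypt(key, nonce, data):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal_envelope(recipient_public_key, plaintext, session_key=None, nonce=None):
    """Digital envelope: symmetric cipher on the data, RSA only on the session key."""
    session_key = session_key if session_key is not None else secrets.token_bytes(16)
    nonce = nonce if nonce is not None else secrets.token_bytes(8)
    return {
        "encrypted_key": rsa_encrypt_bytes(recipient_public_key, session_key),
        "nonce": nonce,
        "ciphertext": symmetric_crypt(session_key, nonce, plaintext),
    }


def open_envelope(recipient_private_key, envelope):
    """Only the private-key holder recovers the session key, and through it the data."""
    session_key = rsa_decrypt_bytes(recipient_private_key, envelope["encrypted_key"])
    return symmetric_crypt(session_key, envelope["nonce"], envelope["ciphertext"])


def firm_a_to_firm_b(message=b"1234"):
    """The slide's scenario: Firm A seals for Firm B using only B's public key."""
    b_public, b_private = toy_rsa_keypair()      # Firm B publishes b_public only
    envelope = seal_envelope(b_public, message)  # nothing secret travels A -> B
    return open_envelope(b_private, envelope) == message


if __name__ == "__main__":
    print("round trip ok:", firm_a_to_firm_b())
```

Only the 16-byte session key passes through the expensive asymmetric operation, which is why the preceding slide calls asymmetric encryption processing intensive and why envelopes layer the two ciphers; and because Firm A never transmits a key, the interception risk listed for the symmetric-only exchange does not arise.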

Internal Auditing of Encryption

• Are physical controls over computers with keys adequate?
• Are encryption policies being followed?
• Are logic controls implemented and effective?
• Are domain internal directories secure?
• Are keys sufficiently complex?
• Are creation rules applied to passwords used to create keys?

Part 3, Section E, Topic 7

Information Protection

(Diagram.) Information security means confidentiality, integrity, and availability. It spans data security and infrastructure security, delivered through IT general controls (e.g., segregation of duties) and IT application controls (e.g., security software sets terminal-specific rights).

Part 3, Section E, Topic 8

Discussion Question

Provide an example of a warning sign that information in an IT system may be vulnerable.

Answer (from GTAG 6: Managing and Auditing IT Vulnerabilities):
• Higher number of security incidents
• Inability to identify vulnerabilities systematically
• Inability to assess risks and prioritize mitigation efforts
• Poor working relations between IT management and IT security
• No asset management system
• No configuration management process

Part 3, Section E, Topic 8

Managing IT Vulnerabilities

• Enlist management support.
• Inventory assets/vulnerabilities.
• Prioritize mitigation/remediation.
• Remediate vulnerabilities.
• Continually update processes.
• Automate patch management and ID of vulnerabilities.

Source: Global Technology Audit Guide 6—Managing and Auditing IT Vulnerabilities.

Part 3, Section E, Topic 8

Malware

• Lucrative, organized crime
• VirWare
  – Viruses, e.g., macro viruses
  – Worms, e.g., IM worms
• Trojan horses
  – Social engineering
  – Require user to initiate, but therefore smaller, easier to transmit
  – Types include Trojan-clickers, banker programs, backdoors, root kits, piggybacking, logic bombs
• Other malware
  – Bot nets
  – Key logger
  – Adware
  – Spyware
• Hackers/crackers
  – Industrial espionage
  – Cyberterrorism
  – Phishing/pharming
  – Identity theft
  – Wardriving

Part 3, Section E, Topic 8

Discussion Question

Company executives are worried that data regarding their new product launch currently on their intranet site could be compromised by hackers or inadvertent errors. Assuming that the site has appropriate information security controls, which of the following would be the best course of action?
A. Make no changes and assure management that the data is safe.
B. Increase the level of intranet security through investments in security software upgrades.
C. Remove the data from the intranet site until after the launch goes public.

Answer: C. Taking sensitive data offline provides the best assurance of security.

Part 3, Section E, Topic 8

Privacy

Right to be left alone and free from surveillance by individuals, organizations, or the government.

• Personal information is data that links back to an individual.
• IT makes invasions of privacy easy and inexpensive.
• Monitoring of employees:
  – Control vs. morale.
  – Clearly communicate privacy policy.

Part 3, Section E, Topic 8

Privacy—Fair Information Practices (FIPs)

Individuals have right to privacy but must prove identity.

Organizations have responsibilities over collection and use of data:
• Notice
• Choice
• Access
• Security
• Enforcement

Part 3, Section E, Topic 8

Discussion Question

What is the longest-term estimate of ROI that can be made given the following details on a CRM system project?

Tangible benefits (for next 3 years)
• Sales price increase from $5 to $6/unit
• Expected sales increase from 50,000 to 60,000 units

Tangible costs
• Software + installation = $200,000 in Y1
• Maintenance + ongoing training = $10,000/year for 5 years

Intangible benefits (for next 4 years)
• Greater customer loyalty saves $50,000/year in customer acquisition
• Customer service time reduced, saving $40,000/year

Intangible costs
• Work disruption and learning curves = $100,000 in Y1
• Opportunity costs of investment = +10% of total cost per year

Answer: 3 years

Return = 3 × [($6/unit × 60,000) – ($5/unit × 50,000)] + [3 × ($50,000 + $40,000)] = $600,000

Investment = [$200,000 + ($10,000 × 3) + $100,000] × 1.1 = $363,000

3-year ROI = $600,000/$363,000 = 1.65

Part 3, Section E, Topic 9

Efficiency and Usefulness of IT Systems

• Use defined IT portfolio selection process
  – Must provide service at a cost comparable to alternatives
• Feasibility study
  – Clear objectives linked to outcome measures
  – End-user interviews
  – Users of system outputs
• Subdivisions
  – Scheduling feasibility
  – Operational feasibility
  – Technical feasibility
  – Economic feasibility
• Cost accounting
  – Compare final budget against actual costs
  – Measure and transfer costs to units
  – Performance measure

Part 3, Section E, Topic 9

ERP Systems

• Single-repository modular suites of business applications
• Batch processing vs. OLTP
• Core modules: transaction processing systems (TPS) for finance, HR, manufacturing, etc.
• Management information systems (MIS)
• Collaborative toolsets, e.g., customer relationship management (CRM)

Part 3, Section E, Topic 10

Internal Auditing for ERP

• Auditors should be involved in systems development life cycle.
  – For example, review implementation team credentials.
  – Monitor conversion and implementation.
• Single point of entry for data, automated approvals.
  – Focus audits on logic controls and any overrides.
• Configure rather than customize.
  – Reengineer business processes and streamline first.
  – Show cost of organizational resistance to change.
  – Preserve vital controls.

Part 3, Section E, Topic 10

Web-based Enterprise Management (WBEM)

Diagram: supplier, manufacturer, and wholesaler each run WBEM and collaborate through it.

WBEM: Browser-based formats, XML, Java, and Web services for universal compatibility with other WBEM systems

Audit collaboration, e.g., could a partner plus an employee collude to commit fraud?

Part 3, Section E, Topic 10


What does an O/S do?

User interface

Hardware operation

System recovery

Access control

Communication with apps

Networking

Resource scheduling

Memory management

File management

Part 3, Section E, Topic 11

Discussion Question

A company used internal O/S programmers to make some adjustments to their O/S. The system seemed to be working fine, but when some computers are multiprogramming, one or more applications sometimes fail. Auditing this issue should involve all of the following EXCEPT

A. Audit should determine if O/S programmers have sufficient training.

B. Audit should focus on memory management.

C. The auditor should be an IT specialist.

D. Audit should focus on job scheduling.

Answer: D. Job scheduling relates to batch processing, not multiprogramming/multitasking.

Part 3, Section E, Topic 11

IT Controls in Application Development

• Documentation of user requirements and measurement of how well those requirements have been met
• Use of a formal process to ensure that user requirements and controls are reflected in design and development
• Testing with actual users
• Planned application maintenance
• Controlled change management

Source: GTAG 1: IT Controls

Part 3, Section E, Topic 12

Systems Development Life Cycle (SDLC)

A formal process that involves management and stakeholders:

Systems planning

Systems analysis

Systems design

Systems selection

Programming

Testing

Conversion and implementation

Systems operation and refinement

Diagram labels: customization/configuration; feedback.

Part 3, Section E, Topic 12

Feasibility Studies

1. Identify needs of all related parties and develop metrics for later use.

2. Analyze proposed system against needs, resources, costs, technology trends, and strategic alignment.

3. Perform cost-benefit analysis.

4. Identify best risk-based alternative.

Part 3, Section E, Topic 12

Discussion Question

Which of the following is the result of the systems analysis phase of the SDLC?

A. Long-term technology strategy

B. Detailed system blueprint

C. Written request for systems design

D. Unit testing and system testing

Answer: C. The result of systems analysis is a written request for systems design or selection.

Part 3, Section E, Topic 12

Systems Design/Selection: IA Concerns

• User approval
• Authorization procedures for program changes and new code
• Software testing and quality control
• Staff proficiency
• Controls on selection criteria

Part 3, Section E, Topic 12


Overview of IT Application Controls

SDLC Process

Input controls

Processing controls

Output controls

Integrity controls

Audit trail

Part 3, Section E, Topic 12

IT Application Controls—Input Controls

• Control data as it enters system
• GIGO
• Manual input controls, e.g., authorizations
• Electronic aids for manual inputs
  – Screen formats, entry fields, drop-down menus
  – Keystroke verification
  – Labeling conventions and completeness checks
• Batch controls for items that can be batched
• Visual verification for items that cannot be batched

Part 3, Section E, Topic 12

IT Application Controls—Input Controls

• Format checks
• Edit checks
  – Control totals
  – Range tests
  – Numerical checks
  – Sequence checks
  – Limit checks
  – Check digits
  – Record count
  – Historical comparison
  – Overflow checking
• Reconciliation and balancing
• Inquiry logs
• Automated inputs
  – OCR
  – MICR
  – Scanners
  – Bar codes
  – RFID
• Manual review

Part 3, Section E, Topic 12
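The edit checks and batch controls listed above, applied to a constructed batch of invoice records (an added example, not code from the IIA learning system; the customer numbers, header figures, range and limit values are constructed, and the check-digit scheme is a weighted mod-10 digit, one common variant):

```python
"""Input edit checks run over a constructed batch of invoice records.

Added example, not part of the IIA learning-system slides. The batch header
figures, the records and the tolerances are constructed for illustration; the
check-digit scheme is a weighted mod-10 digit, one common variant.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    seq: int            # batch sequence number, expected to be consecutive
    customer_no: str    # digits only; the last digit is a check digit
    qty: int
    unit_price: float


def mod10_check_digit(body: str) -> int:
    """Weighted mod-10 check digit: from the right, double every other digit,
    reduce products over 9 by subtracting 9, and sum."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def valid_customer_no(customer_no: str) -> bool:
    """Numerical check (digits only) plus check-digit verification."""
    if not customer_no.isdigit() or len(customer_no) < 2:
        return False
    return mod10_check_digit(customer_no[:-1]) == int(customer_no[-1])


QTY_RANGE = (1, 10_000)    # range test on quantity (constructed bounds)
LINE_LIMIT = 50_000.00     # limit check on the extended amount (constructed)


def edit_check_batch(records, expected_count, expected_total):
    """Apply batch controls and per-record edit checks.

    Returns a list of (seq, check, detail) exceptions; seq is None for
    batch-level exceptions. expected_count and expected_total come from
    the batch header prepared when the batch was assembled."""
    exceptions = []
    # Batch controls: record count and control total (sum of qty * price).
    if len(records) != expected_count:
        exceptions.append((None, "record count", f"{len(records)} != {expected_count}"))
    actual_total = round(sum(r.qty * r.unit_price for r in records), 2)
    if actual_total != round(expected_total, 2):
        exceptions.append((None, "control total", f"{actual_total} != {expected_total}"))
    prev_seq = None
    for r in records:
        if prev_seq is not None and r.seq != prev_seq + 1:      # sequence check
            exceptions.append((r.seq, "sequence", f"expected {prev_seq + 1}"))
        prev_seq = r.seq
        if not valid_customer_no(r.customer_no):               # check digit
            exceptions.append((r.seq, "check digit", r.customer_no))
        if not QTY_RANGE[0] <= r.qty <= QTY_RANGE[1]:          # range test
            exceptions.append((r.seq, "range", f"qty={r.qty}"))
        if r.qty * r.unit_price > LINE_LIMIT:                  # limit check
            exceptions.append((r.seq, "limit", f"amount={r.qty * r.unit_price:.2f}"))
    return exceptions


# Constructed batch: the header was prepared for five records totalling
# $56,450.00, but record 103 (worth $250.00) was lost before keying.
SAMPLE_HEADER = {"count": 5, "total": 56_450.00}
SAMPLE_BATCH = [
    Invoice(101, "41178", 900, 1.25),    # clean record, $1,125.00
    Invoice(102, "78029", 500, 2.15),    # check digit fails (78022 is the valid number)
    Invoice(104, "41178", 0, 1.25),      # sequence gap after 102; qty below range
    Invoice(105, "78022", 9000, 6.00),   # $54,000.00 exceeds LINE_LIMIT
]

if __name__ == "__main__":
    for seq, check, detail in edit_check_batch(
            SAMPLE_BATCH, SAMPLE_HEADER["count"], SAMPLE_HEADER["total"]):
        print(f"{'batch' if seq is None else seq:>5}  {check:<14} {detail}")
```

The batch-level exceptions are what make the lost record visible: no single record is wrong, but the count and control total no longer agree with the header.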

Discussion Question

All of the following are true of processing controls except

A. Data center operators need to be able to override file names or device errors.

B. Auditors should verify that reconstructed files have accuracy checks.

C. Date and file total checks flag exact duplicate entries as errors.

D. Control totals are gathered when an application generates temporary files.

Answer: A. The opposite is true.

Part 3, Section E, Topic 12

IT Application Controls—Processing Controls

Automated controls
• Date and file total checks
• Completeness tests
• Control totals

Other processing controls
• Reasonableness checks
• Suspense file
• Activity logging
• Processing logic tests (e.g., cross-footing check)
• Run-to-run totals
• End-of-file procedures
• Primary and secondary key integrity check
• Access control list (ACL)

Part 3, Section E, Topic 12
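Several of the processing controls above working together on constructed payroll batch files: the date and file total check that refuses an exact duplicate file (option C of the discussion question), detail-to-header control totals, cross-footing, a reasonableness check feeding a suspense file, and run-to-run totals between the edit and posting stages (an added example, not the slides' own material; every batch, row layout and ceiling below is constructed):

```python
"""Processing controls over constructed payroll batch files: date-and-file-total
duplicate check, detail-to-header control total, cross-footing, reasonableness
check with a suspense file, and run-to-run totals between the edit stage and
the posting stage.

Added example, not the slides' own material; every batch below is constructed.
"""
from collections import defaultdict

# Detail row layout: (employee_id, regular_pay, overtime_pay, bonus, gross_pay)


def cross_foots(row, tolerance=0.005):
    """Cross-footing check: the components must add across to the gross figure."""
    _, regular, overtime, bonus, gross = row
    return abs((regular + overtime + bonus) - gross) <= tolerance


def reasonable(row, ceiling=10_000.00):
    """Reasonableness check: gross pay for one period above the ceiling is suspect."""
    return 0.0 <= row[4] <= ceiling


def process_files(files):
    """Run the processing controls over a list of batch files, in order.

    Returns a dict with the ledger actually posted, the suspense file, the
    files rejected whole, and the (stage 1, stage 2) run-to-run totals."""
    seen = set()                 # (date, file total) pairs already processed
    ledger = defaultdict(float)  # employee_id -> gross posted
    suspense, rejected, run_to_run = [], [], []
    for f in files:
        key = (f["date"], round(f["file_total"], 2))
        # Date and file total check: the same file submitted twice is an exact
        # duplicate and is refused rather than posted a second time.
        if key in seen:
            rejected.append((*key, "duplicate file"))
            continue
        seen.add(key)
        # Control total: detail rows must balance to the header before any posting.
        detail_total = round(sum(r[4] for r in f["rows"]), 2)
        if detail_total != key[1]:
            rejected.append((*key, f"detail total {detail_total} != header"))
            continue
        # Stage 1 (edit): rows failing a check go to the suspense file for
        # follow-up instead of being silently dropped.
        accepted = []
        for row in f["rows"]:
            if not cross_foots(row):
                suspense.append((f["date"], row, "cross-footing"))
            elif not reasonable(row):
                suspense.append((f["date"], row, "reasonableness"))
            else:
                accepted.append(row)
        stage1_total = round(sum(r[4] for r in accepted), 2)
        # Stage 2 (post): the posting stage computes its own total, which must
        # equal what stage 1 handed over (run-to-run total).
        before = round(sum(ledger.values()), 2)
        for employee_id, *_, gross in accepted:
            ledger[employee_id] += gross
        stage2_total = round(sum(ledger.values()) - before, 2)
        run_to_run.append((stage1_total, stage2_total))
        if stage1_total != stage2_total:
            raise RuntimeError(f"run-to-run totals differ for {key}: "
                               f"{stage1_total} vs {stage2_total}")
    return {"posted": dict(ledger), "suspense": suspense,
            "rejected": rejected, "run_to_run": run_to_run}


SAMPLE_FILES = [  # constructed batches
    {"date": "2024-02-14", "file_total": 9800.00, "rows": [
        ("E1", 3000.00, 400.00, 0.00, 3400.00),
        ("E2", 2500.00, 0.00, 500.00, 3000.00),
        ("E3", 3400.00, 0.00, 0.00, 3400.00)]},
    {"date": "2024-02-14", "file_total": 9800.00, "rows": [   # resubmitted by mistake
        ("E1", 3000.00, 400.00, 0.00, 3400.00),
        ("E2", 2500.00, 0.00, 500.00, 3000.00),
        ("E3", 3400.00, 0.00, 0.00, 3400.00)]},
    {"date": "2024-02-15", "file_total": 7200.00, "rows": [
        ("E1", 3000.00, 100.00, 0.00, 3100.00),
        ("E2", 2500.00, 0.00, 0.00, 2500.00),
        ("E4", 1500.00, 0.00, 0.00, 1600.00)]},           # does not cross-foot
    {"date": "2024-02-16", "file_total": 30000.00, "rows": [
        ("E5", 25000.00, 0.00, 0.00, 25000.00),           # fails reasonableness
        ("E1", 3000.00, 0.00, 2000.00, 5000.00)]},
    {"date": "2024-02-17", "file_total": 1000.00, "rows": [
        ("E2", 900.00, 0.00, 0.00, 900.00)]},             # header does not balance
]

if __name__ == "__main__":
    for name, value in process_files(SAMPLE_FILES).items():
        print(name, value)
```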

IT Application Controls—Output Controls

• Detective controls
• Require users to review work immediately
• Record retention
• Error listings
• Reference documents
• Spooling controls
• Working documents
• Reports
• Exception reporting

Diagram: the auditor's control total samples are taken from system inputs and system outputs and reconciled.

Part 3, Section E, Topic 12

Discussion Question

Online programming is performed at workstations and has both advantages and risks. What are they?

Answer:

Advantages
• Programmers can use real code.
• Programming is faster.

Risks
• Multiple versions of programs can be created.
• Unauthorized access to program may be allowed.
• Valid code may be overwritten.

Part 3, Section E, Topic 12

Programming Languages

Source code (access to source = ability to change program):

    #include <stdio.h>

    /* Print the first 24 Fibonacci numbers. */
    int main(void)
    {
        int fib[24];
        int i;

        fib[0] = 0;
        fib[1] = 1;
        for (i = 2; i < 24; i++)
            fib[i] = fib[i - 1] + fib[i - 2];

        for (i = 0; i < 24; i++)
            printf("%3d %6d\n", i, fib[i]);   /* fib[23] = 28657 fits in %6d */
        return 0;
    }

Compiling: computers read only object code (binary).

Object code: 110100101000111011010010

Part 3, Section E, Topic 12

Application Testing: Fill in the blanks

Type of Test | Test Description
Sociability testing | Testing system in its intended environment (same users, hardware, concurrent applications)
Alpha test | Conducted by developers
Throughput testing | Validates ability of system to process specified number of transactions within specified time
Regression testing | Confirms revisions have corrected problems and not introduced new problems
Beta test | Conducted by users

Part 3, Section E, Topic 12

Documentation

• Document
  – Software
  – Related business processes
  – Security features and backup procedures
• Clear and concise, structured methodology
• Early audit involvement and designated reviewer can ensure that documentation duties are performed

Diagram: vast documentation plus a project scope change (e.g., from version 1.1 to just-released 1.2) forces a choice: update the documentation, or freeze specifications (less-useful results).

Part 3, Section E, Topic 12

Discussion Question

Fill in the blanks:

High-performing organizations perform ______ patches than low-performing ones. (Answer: fewer)

__________________ includes code revisions, system upgrades, and infrastructure changes such as cabling. (Answer: Change management)

The number of emergency or unauthorized changes allowed per year should be _____. (Answer: zero)

Part 3, Section E, Topic 12

Reducing Change Risks

• Adhere to development methodology (e.g., SDLC)
• Objective audit tasks: routine changes that have low risk of management override
• Subjective audit tasks: e.g., software controls that monitor if controls are overridden
• Development should report to high enough level to avoid pet projects
• Supervisory controls
  – Preventive (e.g., enforce change management policy)
  – Detective (e.g., measuring and correcting performance)

Part 3, Section E, Topic 12

Change and Patch Management Metrics

Risk: Unauthorized changes
  Control: policy of 0 unplanned changes; proactive management; detective software
  Metric: # of unplanned changes; # of unplanned outages; # of changes authorized; # of changes implemented

Risk: Changes fail to be implemented or are late
  Control: change management process; > 70% change success rate
  Metric: new work created by change

Risk: Unplanned work displaces planned work
  Control: perform triage; bundle planned changes; treat patches as a process to expect; < 5% work unplanned
  Metric: % of time on unplanned work; % of projects late; % of patches as planned release

Part 3, Section E, Topic 12
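The metric and control columns of the table above computed from a change log, with the three numeric targets checked automatically (an added example, not from the slides or the IIA; the record layout, the derived unauthorized-implemented count and the sample log are assumptions):

```python
"""Change and patch management metrics computed from a constructed change log.

Added example, not from the slides or the IIA. The record layout is assumed;
the thresholds follow the table above (0 unplanned changes, > 70% change
success rate, < 5% of work unplanned).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    change_id: str
    authorized: bool     # went through the change management process
    planned: bool        # scheduled in a release (False = emergency/unplanned)
    implemented: bool
    succeeded: bool      # implemented without rollback or incident
    late: bool           # implemented after its scheduled date
    is_patch: bool
    hours: float         # effort charged to the change
    caused_outage: bool


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def change_metrics(log):
    """Compute the metrics column of the table for one reporting period."""
    implemented = [c for c in log if c.implemented]
    unplanned = [c for c in log if not c.planned]
    patches = [c for c in log if c.is_patch]
    total_hours = sum(c.hours for c in log)
    return {
        "unplanned_changes": len(unplanned),
        "unplanned_outages": sum(1 for c in log if c.caused_outage),
        "changes_authorized": sum(1 for c in log if c.authorized),
        "changes_implemented": len(implemented),
        # implemented without authorization: the gap between the two counts above
        "unauthorized_implemented": sum(1 for c in implemented if not c.authorized),
        "change_success_rate": pct(sum(1 for c in implemented if c.succeeded), len(implemented)),
        "pct_time_unplanned": pct(sum(c.hours for c in unplanned), total_hours),
        "pct_late": pct(sum(1 for c in implemented if c.late), len(implemented)),
        "pct_patches_planned": pct(sum(1 for c in patches if c.planned), len(patches)),
    }


# (metric, comparison, target, risk the target addresses), from the table above
TARGETS = [
    ("unplanned_changes", "<=", 0, "Unauthorized changes"),
    ("change_success_rate", ">", 70.0, "Changes fail to be implemented or are late"),
    ("pct_time_unplanned", "<", 5.0, "Unplanned work displaces planned work"),
]

_COMPARE = {"<=": lambda a, b: a <= b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def target_breaches(metrics):
    """Return (risk, metric, actual, target) for every target not met."""
    return [(risk, name, metrics[name], f"{op} {target}")
            for name, op, target, risk in TARGETS
            if not _COMPARE[op](metrics[name], target)]


SAMPLE_LOG = [  # constructed one-month log
    Change("CHG-1", True, True, True, True, False, False, 8.0, False),
    Change("CHG-2", True, True, True, True, True, False, 12.0, False),   # late
    Change("CHG-3", True, True, True, False, False, True, 4.0, True),    # planned patch, rolled back
    Change("CHG-4", False, False, True, True, False, False, 2.0, False), # unauthorized, unplanned
    Change("CHG-5", True, True, False, False, False, False, 0.0, False), # approved, not yet deployed
    Change("CHG-6", True, False, True, False, False, True, 3.0, True),   # emergency patch, outage
    Change("CHG-7", True, True, True, True, False, True, 5.0, False),
]

if __name__ == "__main__":
    m = change_metrics(SAMPLE_LOG)
    for name, value in m.items():
        print(f"{name:<26} {value}")
    for breach in target_breaches(m):
        print("TARGET MISSED:", breach)
```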

Rapid Application Development (RAD)

Methodologies and tools for fast development
• PERT
• Module-by-module
• Reusable code
• RAD
  – Reduces documentation
  – User participation
  – Automated code generation
• JAD
• Agile development
• Object-oriented development
• End-user self-development

Auditing RAD projects
• Emphasis on speed—lower quality?
• Does it fulfill business needs?
• Gold plating?
• Naming conventions?
• Scalability?
• Does project push harder tasks toward last phase?

Part 3, Section E, Topic 12

Application Development Terminology

• Thin client vs. fat client
• Legacy systems
• Data cleansing (Topic 16)
• Debugging
• Enterprise application integration (EAI)
  – Middleware
  – Web services (Topic 18)
  – Business process management (BPM)

Part 3, Section E, Topic 12

Discussion Question

Which of the following describes an advanced application that is capable of reviewing every receiving record, applying the same audit tests to each record, and highlighting records that warrant further scrutiny?

A. Decision support systems (DSS)

B. Expert systems

C. Cross-enterprise collaboration and optimization tools

Answer: B. Expert systems use a series of decision points.

Part 3, Section E, Topic 12

Voice Communications

• Auditors: callback procedures
• Standard telephone systems
  – Automated voice mail
  – Inoperability has high opportunity cost
  – Should be part of contingency plan
  – Problems include wiretapping and third party fraudulently representing self
• VoIP
  – Encryption vs. backdoor for wiretapping
  – Exploiting VoIP opens access to network overall
• Virtual private networks (VPNs)

Part 3, Section E, Topic 13


Business Continuity Management

“process by which an organization prepares for future incidents that could jeopardize the organization’s core mission and its long-term viability”

Part 3, Section E, Topic 14

Source: Global Technology Audit Guide 10—Business Continuity Management.


BCM Process

Gain management commitment.

Conduct risk assessment and mitigation analysis.

Conduct business impact analysis.

Define recovery and continuity strategies.

Deploy, verify, and maintain program.

Establish disaster recovery for IT.

Part 3, Section E, Topic 14

Source: Global Technology Audit Guide 10—Business Continuity Management.

Developing a Contingency Plan

• Planning team
  – Team leader
  – Delegate roles to those closest to each risk
• Can out-source forming and testing but not incident handling
• Integrate with risk framework
• Educate management

Part 3, Section E, Topic 14

Risk-based Priorities and Making a Plan

Determine order of restoration of services:

• Categorize by severity + likelihood + restoration priority (each has appropriate response)
• Evacuation plans
• Business interruption and property insurance
• Recovery methods: off-site facilities
  – Hot
  – Cold
  – Warm
  – Reciprocal agreements

Diagram (restoration priority): critical systems, e.g., telecommunications, shipping; vital systems, e.g., HR, budgeting; sensitive systems and noncritical systems, e.g., finance, customer service, payroll, end-user data.

Part 3, Section E, Topic 14

Critical Systems for IT BCM

IT Systems
• Data center
• Applications and data
• Servers and other hardware
• Communication devices
• Networks
• IT infrastructure
• Remote access services
• Manufacturing process control systems

Information Management Systems
• File rooms
• Document management systems

Part 3, Section E, Topic 14

Source: Global Technology Audit Guide 10—Business Continuity Management.

Documenting and Testing the Plan

• Clear, simple introduction
• Team responsibilities, emergency contact information
• Backup schedules, location of facilities
• Escalation procedure
• Action plans with recovery time frames, strategy, and subplans
• Insurance documentation
• Best evidence of plan adequacy is testing the plan (e.g., fire drill)
• Current disaster recovery capacity
• Variance vs. internal benchmarks

Part 3, Section E, Topic 14

BCM Plan Testing: Fill in the blanks

Type of Test | Description
IT environment walkthrough | Participants walk through announced or unannounced simulation and execute system recovery procedures.
Orientation or plan walkthrough | BCM team members meet to review their roles.
Tabletop exercise | Team participates in brief simulation of a scenario.
Desk check or plan audit | Written plan is reviewed and updated.
End-to-end testing | All stakeholders participate; demonstrates ability to perform key processes at an agreed level.

Part 3, Section E, Topic 14

Discussion Question

An IT auditor discovers a weakness in the general controls that encompass more than just IT. The auditor should do which of the following? (Select all that apply.)

I. Communicate the issue to management.

II. Explain the risk exposure created by the deficiency.

III. Recommend the best system to address the issue.

IV. Set a deadline for implementation of controls.

V. Oversee implementation of controls.

Answer: I, II, and III.

Part 3, Section E, Topic 15


COBIT System Security Objectives

1. Manage IT security.

2. Implement IT security plan.

3. Implement identity management processes.

4. Manage user accounts.

5. Ensure security testing.

6. Ensure security incident definition.

7. Protect security technology.

8. Manage the cryptographic key.

9. Prevent, detect, and correct malware.

10. Implement network security to ensure authorized access.

11. Ensure transmission of sensitive data over trusted paths or secure media.

Part 3, Section E, Topic 15

IT General Controls—Logic Controls

• Software-based rules for error checking or access
• Password authentication
  – Digitally enforcing alphanumerics, regular changes, provisioning, etc.
• Least privilege: are roles too broad?
• Audit trails
  – Keep secure from as many users as possible
• Others
  – Automated log-off of inactive users
  – Monitoring computers with remote control privileges
  – Access logs
  – Contractor access codes that expire

Part 3, Section E, Topic 15

IAM Process

Provisioning: Creating, changing, or terminating an identity that grants access to a system

Identity Management: Strategies, policies, and processes for monitoring, auditing, and reporting

Enforcement of Policies: Automatic processes or mechanisms

Part 3, Section E, Topic 15

IT General Controls—Physical Controls

• Physical access controls
  – Key card with security computer database
  – Role-based subdivisions within a building
  – Biometrics
  – Data centers: not on exterior wall; slab-to-slab construction
• Environmental hazard controls
  – Surge suppression, grounding, UPSs
  – HVAC, air cleaning
  – Regular maintenance logs
• Fire and flood protection
  – Fire alarms, moisture detectors

Part 3, Section E, Topic 15

General Controls—Hardware Controls

Detect and report hardware errors but need process in place to fix errors
• Redundant character check
• Equipment check
• Duplicate process check
• TEMPEST
• Echo check
• Fault-tolerant components

Part 3, Section E, Topic 15

Data Storage and Security

• Consistent data structure standards
• Data security controls
  – While on site, in transmission, or stored in third-party systems
  – End-user training
  – Physical and logical controls over data
• Backing up data
  – Grandfather-father-son
  – Off-site vaulting + electronic journaling = electronic vaulting
  – Storage methodology and labeling

Part 3, Section E, Topic 15

Backup Data Storage Media

• Hard drive
• RAID
• Storage area network (SAN)
• Tape/tape libraries
• Magnetic disk
• Network-attached storage (NAS)
• Online (FTP) storage
• CD-ROM
• DVD
• USB storage (small amount of data only)

Part 3, Section E, Topic 15

General Controls—IT Operational Controls

• Planning controls
• Policies, standards, and procedures
  – IT segregations: access only if job necessity
• Data security
  – Minimize users with administrative privileges
  – End-user training to reduce password risks, etc.
• Insurance and continuity planning
• External provider controls

Part 3, Section E, Topic 15

Security Levels

Cost of security should be commensurate with level of risk mitigation required.

Security Level | Impact | Example
Low | • Moderate impact on reputation or productivity • Still must be safeguarded | • Data on public servers such as Web sites
Moderate | • Serious impact on firm's mission • Potential market losses | • ERP data • Data needed for government agency reporting • Medical records
High | • If compromised, could destroy reputation, productivity, market share | • Contingency plan with off-site storage locations • Evidence for trial

Part 3, Section E, Topic 15

Reinforcing Activity 3-11: Information Technology

Part 3, Section E, Topics 8, 12, and 15

Discussion Question

Which of the following is true of a centrally located, multiple-application, relational database and database management system (DBMS)?

A. Standards must be set up in several ways to accommodate all attached applications.

B. The database is more expensive and complex and could cause overall system failure.

C. File redundancies cannot be completely eliminated.

D. Applications are more difficult to program but function better once made.

Answer: B. The answer lists some of the drawbacks/risks involved with a centralized DBMS.

Part 3, Section E, Topic 16

Database Terminology

• Data definition language
• Schema and subschema
• Data dictionary
• Data manipulation language
• Data query language, e.g., SQL

Data hierarchy (diagram): Bit (0 or 1) → Character (A) → Field (14 W. Addison St.) → Record (Address) → File (SUPPLIER_TABLE) → Database (ERP system)

Part 3, Section E, Topic 16

Relational Databases

CUSTOMER_TABLE (key field: CUSTOMER_NO)
CUSTOMER_NO | CUST_NAME | ADDRESS | ZIP
23423 | Al's Outfitters | 14 Wallaby Way | 33432
56456 | Journeyman | 42 Driftwood Rd. | 39323

SALES_TABLE (key field: SALES_NO; CUSTOMER_NO and PART_NO link to the customer and parts tables)
SALES_NO | CUSTOMER_NO | PART_NO | DESC | QTY | DATE
234 | 23423 | A239-3 | Piton | 900 | 2/14/Y1
235 | 56456 | B567-9 | Carabineer | 500 | 2/14/Y1

PARTS_TABLE (key field: PART_NO; SUPPLIER_NO links to SUPPLIER table)
PART_NO | DESC | PRICE | TERMS | SUPPLIER_NO | SUPPLIER
A239-3 | Piton | US $1.25 | 2/10 n30 | 983892 | Steel, Inc.
B567-9 | Carabineer | US $2.15 | 2/10 n30 | 394003 | Alumco.

Diagram labels: entity (row), attribute (column), key field, link.

Part 3, Section E, Topic 16
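The three tables above built in SQLite, with each key field as a primary key and each link as a foreign key, so that the primary and secondary key integrity check listed under processing controls is done by the DBMS rather than by application code (an added example, not from the slides; the SUPPLIER table the slide only points to is assumed to hold SUPPLIER_NO and SUPPLIER, and the rejected rows are constructed):

```python
"""The three tables above built in SQLite, with the links enforced as foreign
keys and the key fields as primary keys, so the DBMS itself performs the
primary and secondary key integrity checks.

Added example, not from the slides. The SUPPLIER table the slide only points
to is assumed to hold (SUPPLIER_NO, SUPPLIER); all other values are the
slide's rows.
"""
import sqlite3

SCHEMA = """
CREATE TABLE CUSTOMER_TABLE (
    CUSTOMER_NO INTEGER PRIMARY KEY,                       -- key field
    CUST_NAME   TEXT NOT NULL,
    ADDRESS     TEXT,
    ZIP         TEXT);
CREATE TABLE SUPPLIER_TABLE (                              -- assumed layout
    SUPPLIER_NO INTEGER PRIMARY KEY,
    SUPPLIER    TEXT NOT NULL);
CREATE TABLE PARTS_TABLE (
    PART_NO     TEXT PRIMARY KEY,                          -- key field
    "DESC"      TEXT,
    PRICE       REAL,
    TERMS       TEXT,
    SUPPLIER_NO INTEGER NOT NULL REFERENCES SUPPLIER_TABLE(SUPPLIER_NO),  -- link
    SUPPLIER    TEXT);
CREATE TABLE SALES_TABLE (
    SALES_NO    INTEGER PRIMARY KEY,                       -- key field
    CUSTOMER_NO INTEGER NOT NULL REFERENCES CUSTOMER_TABLE(CUSTOMER_NO),  -- link
    PART_NO     TEXT    NOT NULL REFERENCES PARTS_TABLE(PART_NO),         -- link
    "DESC"      TEXT,
    QTY         INTEGER NOT NULL CHECK (QTY > 0),
    "DATE"      TEXT);
"""

CUSTOMERS = [(23423, "Al's Outfitters", "14 Wallaby Way", "33432"),
             (56456, "Journeyman", "42 Driftwood Rd.", "39323")]
SUPPLIERS = [(983892, "Steel, Inc."), (394003, "Alumco.")]
PARTS = [("A239-3", "Piton", 1.25, "2/10 n30", 983892, "Steel, Inc."),
         ("B567-9", "Carabineer", 2.15, "2/10 n30", 394003, "Alumco.")]
SALES = [(234, 23423, "A239-3", "Piton", 900, "2/14/Y1"),
         (235, 56456, "B567-9", "Carabineer", 500, "2/14/Y1")]


def build_db():
    """In-memory database with foreign-key enforcement switched on."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # off by default in SQLite
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO CUSTOMER_TABLE VALUES (?,?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO SUPPLIER_TABLE VALUES (?,?)", SUPPLIERS)
    conn.executemany("INSERT INTO PARTS_TABLE VALUES (?,?,?,?,?,?)", PARTS)
    conn.executemany("INSERT INTO SALES_TABLE VALUES (?,?,?,?,?,?)", SALES)
    conn.commit()
    return conn


def sales_by_customer(conn):
    """Follow the links: each sale with its customer name, part and extended price."""
    return conn.execute("""
        SELECT c.CUST_NAME, p."DESC", s.QTY, ROUND(p.PRICE * s.QTY, 2)
        FROM SALES_TABLE s
        JOIN CUSTOMER_TABLE c ON c.CUSTOMER_NO = s.CUSTOMER_NO
        JOIN PARTS_TABLE    p ON p.PART_NO     = s.PART_NO
        ORDER BY s.SALES_NO""").fetchall()


def try_insert_sale(conn, row):
    """Key integrity check done by the DBMS: returns None when the row is
    accepted, otherwise the constraint that rejected it (nothing is posted)."""
    try:
        with conn:
            conn.execute("INSERT INTO SALES_TABLE VALUES (?,?,?,?,?,?)", row)
        return None
    except sqlite3.IntegrityError as err:
        return str(err)


if __name__ == "__main__":
    db = build_db()
    print(sales_by_customer(db))
    # secondary key points at a customer that does not exist (constructed row)
    print(try_insert_sale(db, (236, 99999, "A239-3", "Piton", 10, "2/15/Y1")))
    # primary key already used (constructed row)
    print(try_insert_sale(db, (234, 23423, "A239-3", "Piton", 10, "2/15/Y1")))
```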

Database Controls

• Enforcing attribute standards and ensuring accuracy of data elements and relationships
• Managing concurrent access without sacrificing data integrity or availability
• Protecting against data loss during processing and restarts
• Protecting against loss of stored data
• Optimizing database size and efficiency
• Managing access
• Monitoring and reporting on performance

Part 3, Section E, Topic 16

Discussion Question

A database manager suggests to an auditor that to improve the security of the payroll area of the database, it should have checkpoints and fine-grained access control. The former restricts _____, while the latter restricts _____.

A. access by job role; the data itself.

B. the data itself; access by job role.

C. access by key card; by unique ID.

D. by unique ID; access by key card.

Answer: A. Database areas can be segregated by checkpoints based on job role; fine-grained access control restricts the data itself.

Part 3, Section E, Topic 16

Data Cleansing

• Concatenation
• Standardization
• Taxonomy
• Normalization
• Deduping
• Categorization
• Enhancement

Part 3, Section E, Topic 16

Data Warehouses, OLAP, Data Mining

Diagram: transactional, real-time databases feed a data warehouse (not real time). OLAP lets users manipulate results without making a new query (rotate; drill up, drill down) across dimensions such as sales items, sales regions, and actual vs. planned. Data mining looks for hidden patterns.

Part 3, Section E, Topic 16

Software Copyright

• Software license agreement
  – By server, computer, site, concurrent users, etc.
• Rights of organization
  – Source code license
  – Right to make backup copies?
• Software piracy
  – Illegal copies
  – Installation of more copies than agreed to
• Clearly communicate copyright policy
  – Personal consequences
  – Consequences to organization

Part 3, Section E, Topic 17

Part 3 E – 104

Software Licensing Controls

• Implement copyright protection/piracy policies.
• Review all software contracts and secure site/concurrent user contracts if possible.
• Compile list of all approved and licensed applications (and allowable number of copies).
• Prevent downloading illegal copies.
• Prevent installation from PC.
• Centralize software purchasing and installation.

Part 3, Section E, Topic 17
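The licensing controls above hinge on one reconciliation: the list of approved applications and allowable copies against what is actually installed. The following is an added example, not course material from the IIA, that performs that reconciliation over a constructed inventory; the application names, seat counts and hostnames are all made up.

```python
"""Added example (not from the IIA course material): reconcile a constructed
software inventory against the approved/licensed application list, flagging
unapproved software and over-deployment of licensed software."""
from collections import Counter, defaultdict

# Approved applications and the number of installations each licence allows
# (constructed values for this example).
APPROVED_LICENSES = {
    "AcmeOffice": 25,    # per-computer licence, 25 seats
    "LedgerPro": 5,      # per-server licence, 5 servers
    "DiagramTool": 10,   # concurrent-user licence, 10 seats
}

# Inventory as an endpoint agent might report it: (hostname, application).
INVENTORY = [
    ("ws-001", "AcmeOffice"), ("ws-002", "AcmeOffice"), ("ws-003", "AcmeOffice"),
    ("srv-01", "LedgerPro"), ("srv-02", "LedgerPro"), ("srv-03", "LedgerPro"),
    ("srv-04", "LedgerPro"), ("srv-05", "LedgerPro"), ("srv-06", "LedgerPro"),
    ("ws-004", "DiagramTool"),
    ("ws-005", "FreeRipTool"),   # constructed: not on the approved list
]


def license_report(inventory, approved):
    """Return (unapproved apps, over-deployed apps as {app: (installed, allowed)})."""
    counts = Counter(app for _, app in inventory)
    unapproved = sorted(app for app in counts if app not in approved)
    over_deployed = {
        app: (n, approved[app])
        for app, n in counts.items()
        if app in approved and n > approved[app]
    }
    return unapproved, over_deployed


def unapproved_hosts(inventory, approved):
    """Map each unapproved application to the hosts it was found on,
    so the finding can be followed up host by host."""
    hosts = defaultdict(list)
    for host, app in inventory:
        if app not in approved:
            hosts[app].append(host)
    return {app: sorted(h) for app, h in hosts.items()}
```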

Part 3 E – 105

Discussion Question

Which of the following is true of purchased software as opposed to internally developed software? (Select all that apply.)

I. The application is usually better documented.
II. A “patch deck” allows customization to migrate between versions.
III. Purchased software often costs more than internally developed software.
IV. Application testing is not as robust.

Answer: I and II.

Part 3, Section E, Topic 17

Part 3 E – 106

Software Purchasing Steps

• Make or buy decision.
• Simple off-the-shelf applications use internal evaluation.
• Complex systems involve RFQ or RFP:
  – Get nondisclosure agreements before submitting.
  – Review responses, invite some to make presentation.
  – Should see functioning model, preferably using the organization’s data and volume levels.
  – Primary factor: Does it meet requirements?

Part 3, Section E, Topic 17

Part 3 E – 107

Web Terminology

• Internet: network of networks
• WWW: largest subset
• Intranet
• Extranet
• HTTP/HTTPS
• Internet protocol (IP) address
• Domain name system (DNS)
• FTP
• Uniform Resource Locator (URL)

Example URL with its parts labeled:

http://www.theiia.org/itaudit/index.cfm?catid=29&iid=509

Protocol: http
Domain name: www.theiia.org
Directory path: /itaudit/
Document name: index.cfm (followed by the query string ?catid=29&iid=509)

Part 3, Section E, Topic 18

Part 3 E – 108

Internet Structure

• Internet backbone: physical infrastructure owned by network service providers (e.g., telecom companies, governments)
• Network access points (NAPs)
• Metropolitan access points (MAPs)
• Data on Internet neither owned nor managed
• World Wide Web Consortium (W3C) sets protocols
• ISP or VPN
• TCP/IP
• Broadband/narrowband

Part 3, Section E, Topic 18

Part 3 E – 109

Discussion Question

Which of the following would be the best policy for safeguarding a confidential e-mail once the user has downloaded the message to their computer?

A. Permanently maintain copies on the server.
B. Maintain copies on the server for three years.
C. Automatically delete the message once downloaded.

Answer: C. Prompt deletion of confidential e-mail after downloading reduces the risk of compromise.

Part 3, Section E, Topic 18

Part 3 E – 110

Browser Security

• Disable unnecessary features.
  – Plain HTML best.
• ActiveX or Java could conceal malicious code.
  – Java’s sandbox environment could be compromised.
• Treat plug-ins with suspicion.
• Disallow most cookies; allow for only trusted sites.
• Pop-up blocker.
• Browser security: set to “high.”
  – Define “trusted” sites (HTTPS, SSL, or other verifiable sites).
  – Cross-site scripting: 3rd-party trusted sites compromised.

Part 3, Section E, Topic 18
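The Web Terminology slide breaks a URL into protocol, domain name, directory path and document name, and the Browser Security slide above says cookies and plug-ins should be allowed only for defined trusted sites. The following is an added example, not course material from the IIA, that does both over the slide's own URL: it splits a URL into those parts and applies a trusted-site rule (HTTPS and an exact hostname match against an allowlist). The allowlist hostnames are a constructed assumption.

```python
"""Added example (not from the IIA course material): URL decomposition into
the parts the 'Web Terminology' slide names, plus a trusted-site decision in
the spirit of the 'Browser Security' slide."""
import posixpath
from urllib.parse import urlsplit

# Constructed allowlist of hostnames the organization has decided to trust.
TRUSTED_HOSTS = {"www.theiia.org", "intranet.example.com"}


def url_components(url):
    """Split a URL into protocol, domain name, directory path, document name
    and query string. urlsplit() handles the scheme/host/path/query split;
    posixpath.split() separates the directory from the document name."""
    parts = urlsplit(url)
    directory, document = posixpath.split(parts.path)
    return {
        "protocol": parts.scheme,
        "domain_name": parts.hostname or "",   # already lower-cased by urlsplit
        "directory_path": directory,
        "document_name": document,
        "query": parts.query,
    }


def site_policy(url, trusted_hosts=TRUSTED_HOSTS):
    """Decide whether a site is 'trusted': HTTPS *and* an exact match on the
    allowlist. Only trusted sites may set cookies or load plug-ins, which is
    the slide's 'disallow most cookies; allow for only trusted sites' rule.
    Exact hostname matching matters: a substring test would accept a
    look-alike host that merely contains a trusted name, and the hostname is
    taken from urlsplit(), so text before an '@' in the authority is ignored."""
    c = url_components(url)
    trusted = c["protocol"] == "https" and c["domain_name"] in trusted_hosts
    return {"trusted": trusted, "cookies_allowed": trusted, "plugins_allowed": trusted}
```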

Part 3 E – 111

Web Services, Service-Oriented Architecture

Loose coupling:
• Includes real dependencies, omits artificial dependencies.
• Separates data from application.
• Service request says what it needs done, not how to do it.

[Diagram: message content inside a SOAP wrapper (SOA). Labeled elements: 1. Service consumer; 2. Service consumer and provider, or UDDI registry; 3. Service provider (Service A, Service B); 4. Service AB; lookups marked “AB?” and “B?”; Web service.]

Part 3, Section E, Topic 18

Part 3 E – 112

Audit Concerns with SOA

• All ERP modules such as finance or A/R can be Web services.
• SOA acts as trunk line for services attached to the Web.
• Direct link, automated trading:
  – Customer’s ERP system becomes a service consumer.
  – Omits some segregation of duties.
• Compensating controls:
  – Make other ERP systems, etc., users in their own right.
  – Actual persons logged in also need verifying as proper sub-users.
  – Avoid port 80.
  – Emphasize application-level controls.
  – Implement in stages, with nonfinancial modules first.

Part 3, Section E, Topic 18
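Two of the compensating controls above (the calling system is a user in its own right, and the person logged in to it is verified as a proper sub-user) can be checked at the service provider for every request. The following is an added example, not course material from the IIA, of such a check: the system identity and the sub-user identity must both pass, and every decision is recorded for audit. The registry contents and names are constructed.

```python
"""Added example (not from the IIA course material): dual-identity
authorization at an SOA service provider, per the 'Audit Concerns with SOA'
slide. The consuming system must be registered as a user in its own right, and
the person acting through it must be a verified sub-user of that system."""
from dataclasses import dataclass

# Constructed registry: each consuming system, the operations it may request,
# and the sub-users it is allowed to act on behalf of.
REGISTERED_SYSTEMS = {
    "customer-erp-01": {
        "allowed": {"place_order", "get_invoice"},
        "sub_users": {"a.smith", "b.jones"},
    },
}

# Decisions recorded for later audit: (system, sub-user, operation, reason).
AUDIT_LOG = []


@dataclass(frozen=True)
class ServiceRequest:
    system_id: str    # the consuming system, a user in its own right
    sub_user: str     # the actual person logged in to that system
    operation: str    # what is to be done, not how (loose coupling)


def authorize(req, registry=REGISTERED_SYSTEMS):
    """Return (allowed, reason). The system's rights alone are never enough:
    requiring a verified sub-user preserves the segregation of duties that an
    automated system-to-system link would otherwise drop."""
    system = registry.get(req.system_id)
    if system is None:
        decision = (False, "unregistered system")
    elif req.sub_user not in system["sub_users"]:
        decision = (False, "sub-user not verified for this system")
    elif req.operation not in system["allowed"]:
        decision = (False, "operation not permitted for this system")
    else:
        decision = (True, "ok")
    AUDIT_LOG.append((req.system_id, req.sub_user, req.operation, decision[1]))
    return decision
```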

Part 3 E – 113

Questions?

End of Section E

Part 3, Section E