Ravenswood Consultants Ltd What to Audit & Why Derek J. Oliver Ravenswood Consultants Ltd


Page 1: Ravenswood Consultants Ltd What to Audit & Why Derek J. Oliver Ravenswood Consultants Ltd

Ravenswood Consultants Ltd

What to Audit & Why

Derek J. Oliver, Ravenswood Consultants Ltd

Page 2:

Derek J. Oliver

20+ years in IS Audit & Security
Former Head of UK Internal Audit, FDC
Certified Information Systems Auditor
Certified Information Security Manager
Certified Fraud Examiner
Fellow of the British Computer Society
Fellow of the Institution of Analysts & Programmers
Past President, ISACA, London Chapter

Why me?

Page 3:

Programme

The Failsafe Approach
  Essential Audits
  “Nobody ever got the sack . . . . .”

The Real Life Approach
  Risk-based auditing
  What could go wrong?
  Would it matter if it did?
  What can we do about it?

WHO CARES?

Page 4:

The Failsafe Approach

Nobody ever got the sack for scheduling these audits

Page 5:

The Annual Audit Plan #1

Transaction Processing
  Trace key transactions through the process, from document receipt to final print
  Input Controls: validation; credibility etc.
  Processing Controls: run-to-run totals; check pointing etc.
  Output Controls: system balancing; report distribution etc.
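The three control layers on this slide, shown working together on a miniature batch run. This is an added example written for this page, not code from the slides or from Ravenswood Consultants; the sample batch, the account codes, the credibility ceiling and the "amount in pence" convention are all constructed for the illustration. It shows what an auditor tracing a key transaction expects to find: rejected input is listed with a reason, control totals travel from the input stage to the processing stage and are re-verified there, and the final report is balanced back to the accepted input.

```python
"""Constructed example of the three control layers on the slide.

Input controls: field validation plus a credibility (reasonableness) check.
Processing controls: run-to-run control totals carried from one step to the
next and verified at a checkpoint before the next step runs.
Output controls: system balancing of the final report against the accepted input.

Every transaction, limit and account below is made up for the illustration.
"""
from dataclasses import dataclass

# Constructed sample batch: (document id, account code, amount in pence).
SAMPLE_BATCH = [
    ("D001", "ACC-100", 12_500),
    ("D002", "ACC-200", -4_000),       # validation failure: negative amount
    ("D003", "ACC-300", 99_999_999),   # credibility failure: implausibly large
    ("D004", "ACC-100", 7_250),
    ("D005", "", 1_000),               # validation failure: missing account
]

CREDIBILITY_LIMIT = 1_000_000  # assumed reasonableness ceiling per transaction


@dataclass(frozen=True)
class RunTotals:
    """Control totals that travel with the data from one run to the next."""
    count: int
    amount: int


def control_totals(records):
    return RunTotals(len(records), sum(amount for _, _, amount in records))


def input_controls(batch):
    """Validation and credibility checks; returns (accepted, rejections)."""
    accepted, rejections = [], []
    for doc_id, account, amount in batch:
        if not account:
            rejections.append((doc_id, "missing account"))
        elif amount <= 0:
            rejections.append((doc_id, "non-positive amount"))
        elif amount > CREDIBILITY_LIMIT:
            rejections.append((doc_id, "amount exceeds credibility limit"))
        else:
            accepted.append((doc_id, account, amount))
    return accepted, rejections


def checkpoint(step, records, carried):
    """Run-to-run check: totals recomputed on what arrived at this step must
    equal the totals carried forward from the previous step."""
    actual = control_totals(records)
    if actual != carried:
        raise RuntimeError(f"{step}: run-to-run mismatch {actual} != {carried}")


def post_to_accounts(accepted, carried):
    """Processing step: verify the checkpoint, then aggregate per account."""
    checkpoint("posting", accepted, carried)
    ledger = {}
    for _, account, amount in accepted:
        ledger[account] = ledger.get(account, 0) + amount
    return ledger


def output_balanced(ledger, carried):
    """System balancing: the report total must equal the accepted input total."""
    return sum(ledger.values()) == carried.amount


def run_batch(batch):
    """End-to-end run of one batch through the three control layers."""
    accepted, rejections = input_controls(batch)
    carried = control_totals(accepted)          # totals leaving the input stage
    ledger = post_to_accounts(accepted, carried)
    return {
        "ledger": ledger,
        "rejections": rejections,
        "control_totals": carried,
        "balanced": output_balanced(ledger, carried),
    }


def checkpoint_detects_lost_record(batch):
    """Shows the run-to-run check firing when a record goes missing between steps."""
    accepted, _ = input_controls(batch)
    carried = control_totals(accepted)
    try:
        post_to_accounts(accepted[1:], carried)  # simulate one dropped record
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(run_batch(SAMPLE_BATCH))
    print("lost record detected:", checkpoint_detects_lost_record(SAMPLE_BATCH))
```

On the constructed batch, three documents are rejected at input, the two accepted ones post to a single account, and the report balances to the carried totals; the last function shows the check that matters for the audit, a record dropped between stages being caught by the run-to-run totals rather than silently reducing the output.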

Page 6:

The Annual Audit Plan #2

Logical Security
  Access Control
  Hierarchic restrictions
  Access to Source Code
  Access to Production Systems
  Access to Operating Systems
  Access to Utilities

Page 7:

The Annual Audit Plan #3

Change Management
  Access to Source Code
  Development Libraries
  Testing
  Quality Assurance
  Transfer to Production
  Implementation Control
  Division of Duties
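The two slides above (Logical Security and Change Management) come down to the same audit test: who actually holds access to source code, production, the operating system and utilities, and whether any one person holds a combination that defeats the division of duties. The following is an added example written for this page, not code from the slides or from Ravenswood Consultants. The privilege names follow the slides' headings, but the conflict pairs, their justifications, the user access matrix and the authorised list are all assumptions constructed for the illustration.

```python
"""Constructed division-of-duties review over a logical access matrix.

Privilege names follow the access areas named on the slides; the conflict
pairs, their justifications, the user access matrix and the authorised list
are assumptions made for this illustration, not the slides' own definitions.
"""

# Access areas, named after the slides' headings.
SOURCE = "source_code"
DEV_LIB = "development_library"
TEST = "testing"
QA = "quality_assurance"
TRANSFER = "transfer_to_production"
PROD = "production_system"
OS = "operating_system"
UTIL = "utilities"

# Assumed toxic combinations: each pair lets one person make an unknown
# change and put it live, sign off their own work, or reach production data
# outside the application's own controls.
CONFLICTS = {
    frozenset({SOURCE, TRANSFER}): "can change code and move it to production unreviewed",
    frozenset({DEV_LIB, PROD}): "develops and operates the same production system",
    frozenset({TEST, QA}): "tests own work and gives the QA sign-off",
    frozenset({PROD, UTIL}): "can alter production data outside the application",
}

# Constructed access matrix: user -> set of privileges actually held.
ACCESS = {
    "alice": {SOURCE, DEV_LIB, TEST},
    "bob": {QA, TRANSFER},
    "carol": {SOURCE, TRANSFER, PROD, UTIL},
    "dave": {PROD, OS, UTIL},
    "erin": {PROD},
}

# Constructed authorised list: who management says should hold each sensitive area.
AUTHORISED = {
    SOURCE: {"alice"},
    PROD: {"dave", "erin"},
    OS: {"dave"},
    UTIL: {"dave"},
}


def find_sod_violations(access, conflicts=CONFLICTS):
    """Return (user, reason) for every conflicting privilege pair a user holds."""
    violations = []
    for user, privileges in sorted(access.items()):
        for pair, reason in conflicts.items():
            if pair <= privileges:
                violations.append((user, reason))
    return violations


def access_register(access, areas):
    """Inverted view: for each sensitive area, the users who actually hold it."""
    return {area: sorted(u for u, p in access.items() if area in p) for area in areas}


def unauthorised_holders(access, authorised):
    """Compare the actual holders of each area against the authorised list."""
    actual = access_register(access, authorised)
    return {area: sorted(set(actual[area]) - authorised[area])
            for area in authorised if set(actual[area]) - authorised[area]}


if __name__ == "__main__":
    for user, reason in find_sod_violations(ACCESS):
        print(f"SoD violation: {user}: {reason}")
    print("unauthorised:", unauthorised_holders(ACCESS, AUTHORISED))
```

Two findings fall out of the constructed data: one user holds both source-code and transfer-to-production rights (the "unknown changes" exposure the Justification slide asks about), and the same user appears in three sensitive areas without being on the authorised list. The inverted register is the working paper an auditor takes to management to confirm or revoke each entry.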

Page 8:

The Annual Audit Plan #4

Physical Security

Page 9:

Justification

#1: Is the computer system working? Are all the controls working?
  But this only needs to be done once, because systems cannot change themselves

#2: Is essential data secure? Are programs secure?
  But what if confidentiality is not a business risk in your organization?

#3: Can unknown changes be made to programs? Are all changes properly tested & authorized?
  Do you need sophisticated change management?

#4: Can strangers or unauthorised people disrupt your systems?
  Probably a likely annual audit, but how do you know what’s important to your business?

Risk Based Audit Planning!

Page 10:

The “Real Life” Approach

Risk Based Auditing, or Meeting the Business Needs!

Page 11:

The Risk-Based Approach

MUST address BUSINESS risk. No other risk is relevant.
For every audit, you should ask: “How will this audit help my company to achieve its stated business objectives?”
If you can’t answer this, then . . . .
Why are you conducting the audit?

Page 12:

Why did the Auditor cross the road?

It’s the old, old question . . . . .

Because according to the audit file, that’s what they did three years ago!

Page 13:

Why is RISK important?

Business must take risks!
Business must live with risks!
Business must understand risks!
Business must control risks!

BUSINESS!

Page 14:

How can RISK be identified?

Work backwards . . . . . . What could happen to the business?
  Fail to comply with legislation
  Lose business to competitors
  Lose customer / public confidence

How could it happen?
Are there controls to prevent it happening?
Are there controls to minimise the effect?

What do we need to know?

Page 15:

Core Businesses and Critical Support Units

An Inventory of Core Businesses Should Be Made
  Has this been done?
  What are they?
  Why are they core?

When these have been established, then we can further analyze the situation.

Page 16:

Core Businesses and Critical Support Units

What constitutes a core business operation for an organization?
  a. Revenue
  b. Net income
  c. Cash flow

Page 17:

Core Businesses and Critical Support Units

What constitutes a critical business unit within core business?
What criteria would you use?
Would you make any classifications by type?
  Productive Operations
  Support Operations
How would you define them?
  Function
  Product line
  Department

Page 18:

Core Businesses and Critical Support Units

What is the importance of making these determinations?
What critical computer application systems support these operations or departments?
What is the importance of knowing this?
Are they in a state of transition?

Page 19:

Why analyse RISK?

Enable risks to be compared
  Using a standard approach!
Enable risks to be addressed
  By an appropriate parameter
  By the most serious effect
  By the easiest / cheapest / quickest to control
  According to business objectives / strategy
Enable a business decision on risk strategy

Page 20:

What is RISK Strategy?

Linking Risk to Business Objectives
Balancing cost of control against potential loss
e.g. Disaster Recovery:

Page 21:

Managing & Controlling RISK

1. Identify the THREATS
2. Assess the level of RISK
3. Establish the EXPOSURE
4. Design & Implement CONTROL
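The three preceding slides (Why analyse RISK, What is RISK Strategy, and the four steps above) describe one procedure: put every threat through the same assessment so the results can be compared, rank them by whichever parameter the business chooses, and weigh the cost of each control against the loss it avoids. The following is an added example written for this page, not code from the slides or from Ravenswood Consultants. The threat list uses the loss categories the deck mentions, but the figures, the control costs and the quantification rule (exposure taken as likelihood per year times loss per event) are assumptions constructed for the illustration; the slides prescribe no particular formula.

```python
"""Constructed risk register applying the four steps on the slide: identify
threats, assess the level of risk, establish the exposure, design control.

The threats, every figure, and the rule 'exposure = likelihood per year x
loss per event' are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float           # assumed events per year before control
    impact: float               # assumed loss per event, in currency units
    control: str
    control_cost: float         # assumed annual cost of the control
    residual_likelihood: float  # assumed events per year once the control is in place

    def exposure(self):
        """Step 3: exposure expressed as expected annual loss before control."""
        return self.likelihood * self.impact

    def residual_exposure(self):
        """Expected annual loss the business lives with after the control."""
        return self.residual_likelihood * self.impact

    def loss_avoided(self):
        return self.exposure() - self.residual_exposure()

    def control_worthwhile(self):
        """Risk strategy: the control costs less than the loss it avoids."""
        return self.control_cost < self.loss_avoided()


# Step 1: constructed threat list, using the loss categories named on the slides.
REGISTER = [
    Threat("fraud via weak logical security", 0.5, 200_000,
           "strict logical access control", 40_000, 0.05),
    Threat("theft from poor physical security", 2.0, 5_000,
           "badge access and CCTV", 15_000, 0.2),
    Threat("lost data from poor availability", 0.2, 800_000,
           "disaster recovery plan", 100_000, 0.02),
    Threat("unknown program changes", 1.0, 50_000,
           "change management with QA sign-off", 30_000, 0.1),
]


# Step 2 and the 'compare using a standard approach' idea: the same numbers
# ranked by each parameter the slide offers.
def rank_by_most_serious_effect(register):
    return [t.name for t in sorted(register, key=lambda t: t.impact, reverse=True)]


def rank_by_exposure(register):
    return [t.name for t in sorted(register, key=lambda t: t.exposure(), reverse=True)]


def rank_by_cheapest_control(register):
    return [t.name for t in sorted(register, key=lambda t: t.control_cost)]


# Step 4: for each threat, whether the control is justified and what residual
# risk the business is then living with.
def risk_strategy(register):
    return {
        t.name: {
            "control": t.control,
            "exposure": t.exposure(),
            "loss_avoided": t.loss_avoided(),
            "control_cost": t.control_cost,
            "implement": t.control_worthwhile(),
            "residual": t.residual_exposure(),
        }
        for t in register
    }


if __name__ == "__main__":
    print("by effect:  ", rank_by_most_serious_effect(REGISTER))
    print("by exposure:", rank_by_exposure(REGISTER))
    print("by cost:    ", rank_by_cheapest_control(REGISTER))
    for name, decision in risk_strategy(REGISTER).items():
        print(name, "->", "implement" if decision["implement"] else "accept", decision)
```

With these constructed figures the three rankings disagree, which is the slide's point: the cheapest control (physical security) addresses the smallest exposure and is the one control that costs more than the loss it avoids, so the business decision is to accept that risk and spend on the other three. The residual column is what gets reported back as "the risk we are living with".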

Page 22:

Managing Risk

PREVENTION : Remove the THREAT

DETERRENCE : Minimise the RISK

DETECTION : Minimise the EXPOSURE

Page 23:

Managing Risk?

Nothing new:
  Consider the Caveman . . . ?
  Not forgetting the Merchant Navy . . . . !
  What about the Romans . . . !

Page 24:

Preventive Control

Early Man feared attack from animals, so lived in a cave; most armies fought with the protection of armour.

We may identify confidentiality as a risk, so implement strict logical access control.

Page 25:

Deterrent Control

The Romans feared insurgence, so maintained a big, well-trained army.

We may identify information theft as a risk, so log all user online activity.

Page 26:

Detective Control

Ships were sinking through being overloaded, so the Plimsoll Line was introduced.

We may identify fraud as a risk and implement balancing controls & management checks.

Page 27:

Risk - Summary

RISK must be Managed

RISK must be Controlled

RISK must be Understood

CONTROL must reflect BUSINESS needs

CONTROL must be appropriate

CONTROL must be reasonable

Page 28:

So, the WHY is likely to be

What represents RISK to the BUSINESS?
  Losing Money
    Theft
    Fraud
  Losing Market Share
  Losing Customers
  Losing out to Competition
  Failing to achieve objectives
  Failing to achieve growth

Page 29:

That’s the why, but HOW?

Loss of Money:
  Poor management controls = opportunity?
  Poor logical security = fraud? abuse?
  Poor physical security = theft? vandalism?
  Incorrect data processing = disappearing money?
  Late or over budget projects = disappearing money!!!

Loss of Information:
  Poor logical security = espionage? legislation?
  Poor management controls = legislation?
  Poor physical security = errors? fraud?
  Poor availability = lost or corrupted data?

Page 30:

Resulting in . . . apart from the obvious

Lost money = lost cash flow = poor performance = lost market share = shareholder concern

Released data = public humiliation = lost confidence = lost market share = shareholder concern

Lost/bad data = lost business = lost money = lost market share = shareholder concern

Page 31:

Then, to get to the audit plan

WHERE can this go wrong?
  #1 Logical Security
  #2 Physical Security
  #3 Transaction Control
  #4 Change Management & QA
  #5 Project Management
  #6 Disruption

Page 32:

Which gives us our Annual Audit Plan . . .

1. Transaction Processing Management
2. Logical Security
3. Change Management
4. Physical Security
5. Project Management & QA
6. Disaster Recovery Planning

Page 33:

So let’s start to reach the conclusion

The Audit Plan must be based on:
  ‘What Could Go Wrong?’
  ‘What would be the effect if it did?’
  ‘How could it happen?’
  ‘Can we prevent it by removing the risk?’
  ‘Can we minimise the effect by control?’
  ‘What risk are we living with?’

Page 34:

And of course, we now have

Is about Risk Management
  Identify the inherent risk
  Quantify the risk
  Control the risk
  Assess the residual risk
  Evaluate controls
  Regularly assess & report residual risk

Page 35:

Conclusion

It’s the BUSINESS NEEDS that count!

When considering how to manage Risk . . . .

Page 36:

Questions ??

Derek J. Oliver CISA, CFE
Ravenswood Consultants Limited

What to Audit & Why?