Auditors Guide to

IT Auditing
by Richard Cascarino
Part II: Information Technology Governance
IT Project Management
IS/IT Strategic Planning
IS/IT Management Issues
Support Tools and Frameworks
Governance Techniques


IT Project Management
Tasks include:
Aligning the development of the project strategy with the sponsors
(and other stakeholders) business strategy
Defining the requirements (in a testable manner)these lead to
specifications and solutions being designed and developed
Defining and managing the project scope, schedule, resource
requirements, and budget (ensuring this represents optimal financing)
Installing and progressing project control systems
Procuring/inducting resources into the project
Building effective project teams
Exercising leadership
Ensuring effective decisions and efficient communications

Project Life Cycle
Concept
Definition
Design
Development
Application
Post-completion
Archibald
Other Models
Waterfall Cycle
Iterative Spiral Model (Boehm)
Vee Cycle (Fish)
Easier to audit
Standards apply at each stage
Other quantitative models
GAANT charts
PERT charts
CPA
Project Quality Control
One of the most difficult areas to achieve
The totality of characteristics of a product or
service that bears on its ability to satisfy
stated or implied needs
International Organization of Standardization
(ISO)
Two main performance areas
Process quality
Product quality
Operations and Production
Day-to-day running of:
Information processing facility
Data Communications
Input and output controls
Output distribution
Backup and recovery
Disaster recovery plan
Technical Services
Include:
Operating system support
Network support
Technical database support
Hardware support
Performance Measurement
Balanced Scorecard
Developed by Kaplan and Norton
Emphasis on:
Client satisfaction
Business processes
Innovation / learning
Mapped onto:
Traditional organizational vision
Mission
Strategy
Measurement Implementation
Impact analysis
Organizational area
Financial impact
Functional impact
Based on the results: a pilot project
Helps create a strategy-focused organization
(SFO)
Avoids the use of performance indicators which
are tactical rather than strategic
Control Risks and Outsourcing
Areas frequently considered for outsourcing
include:
Project functions such as systems analysis,
design, and programming
Running of selected application systems such as
payroll
Data capture or transformation prior to
processing
Operation of the IT facility

Fundamental Reasons for
Contracts
To prepare for things not going well
Options and remedies in the event of partial
or complete failure of the agreement
Particularly because of the technical nature
of Services
The software itself may involve escrow
protection
Cloud Computing
Computing where massively scalable IT-
enabled capabilities are delivered as-a-
service via the Internet
May involve a third-party Cloud Provider
alternatively a Private Cloud
In either event, conversion involves multiple
risk factors
Auditing IT Management
Use of a standard set of indicators
Operational
Systems development
General management
Typically audited using conventional audit
techniques
Interviewing
Document review
Observation
IS/IT Strategic Planning
Using existing knowledge to forecast the
outcome of events and the extent
management can influence them
Use of qualitative and quantitative information
Under conditions of uncertainty
Integration of intuition and analysis
Adaptability to change a key element
Survival requires adaptive strategies

Strategic Drivers
Cost of hardware
Breadth of bandwidth
Power of software
Cloud computing
User confusion
Leveraging IT
Use of IT to support corporate strategic goals
Danger of over-extension
Stability and reliability required of new and
amended systems
Internal audits role
Comprehensive operational reviews
Understand business processes
Understand information flow
Assist in the Culture of Innovation
Re-engineering the Business
Radical redesign of business processes
BPR Motivations
Survival
Elimination of competitive disadvantage
Generating competitive advantage
Creating a business breakthrough
Breaking out of the mold
IT the enabler
System Models
Transaction Processing Systems
Business Process support systems
Decision support systems
Increasing degrees of sophistication
Penetrating all business areas
Information Resource
Management
The five fundamentals
1. Information management
2. Technology management
3. Distributed management
4. Functional management
5. Strategic management

Strategic Planning
A process of identifying long-term goals and
objectives
Selecting the most appropriate approach for
achieving the goals
The corporate plan
Top management responsibility
Shared vision of corporate intent
Execution framework for a specified period of
time
Impact on IT
The quality of the communication is critical
Misalignment can be fatal
IT strategy a dynamic process
Integration into other business processes
critical
Must be measurable and measured
Alignment of IT and organizational strategies
critical
IT Alignment
Duration of IT projects makes alignment
difficult
Life expectancy of the finished project means
key requirement flexibility
Within the development process
Within the execution phase
Value for money
Effectiveness of IT
Efficiency of IT
IT Objectives
Delivery of systems
Fully aligned
Flexible
High quality
Reliable
Lowest possible cost
IT Steering Committees
Expertise in multiple functional areas
Diverse skills and perspectives
Ensure alignment of the IT strategy with
corporate strategy
No rubber stamping
No talk shops
No evasion of accountability
Auditing Strategic Planning
Obtain a business understanding of
managements intentions
Deride the business objectives and control
objectives
Identify and evaluate critical
Controls
Processes
Apparent exposures
Design the appropriate audit procedures
Potential Audit Involvement
Planning
Organizing
Motivating
Staffing
Controlling
IS/IT Management Issues
Legal issues relating to the introduction of IT
to the enterprise
Intellectual property issues in cyberspace
Trademarks
Copyrights
Patents
Ethical issues
Rights to privacy
Implementation of effective IT governance
Cyberfraud
Major international growth industry
Creating a false identity on the Internet
Intercepting information sent over the Internet
Using the Internet to spread false information
Accessing in manipulating information in the
corporate information systems
Types of Crime
Identity theft
Phishing
Electronic eavesdropping
False rumors for financial gain
New laws may be required
Data Privacy
Personal information including:
First and last name
Residential mailing address
Web cookie
E-mail address
Telephone number
Biometric data
Sensitive information
Health records
Religious information, etc.
Copyrights, Trademarks, and
Patents
Illegal reproduction and distribution of
protected material
Protected by:
Cryptography
Effective access control
Permissions management
Biometric authentication
Digital signatures
Certification authorities

Business Ethics
Within the general dimensions of economic
activity (Rossouw):
Macro or systemic dimension
Meso or institutional dimension
Micro or intra-organizational dimension
Impact of ethics on decision-making
(Wheelwright):
Questions requiring reflective choice
Guides of right and wrong
Consequences of decisions
Corporate Codes of Conduct
Honesty
Integrity
Morality
Equity
Equality
Accountability
Loyalty
Respect
IT Governance
Match:
Business behavior
Management conduct
Organizational intentions
Organizational mission
Organizational objectives
IT Governance Responsibilities
Setting the strategy
Managing the risks
Delivering perceived value
Measuring achieve performance
Responsibility of:
Board of Directors
Executive management
Management Control
Continuous performance feedback
In person to objectives
Refinement of processes where necessary
Realignment of objectives where required
Sarbanes-Oxley Act
Suggested internal control framework
(COSO)
Addresses IT controls
Control objectives and related activities at
discretion of the organisation
Section 404
Management assess the effectiveness of internal
control over financial reporting and report
annually
Payment Card Industry Data
Security Standards
Encompass
Firewall
Changing default passwords and security parameters
Detecting stored cardholder data
Encrypting public transmission
Antivirus software
Secure systems and applications
Access on need-to-know
Unique ID for computer access
Restriction of physical access to data
Tracking the monitoring of all Access
Security System testing
Maintaining security policies
Support Tools and Frameworks
COBIT
COSO
BS 7799 and ISO 17799/27001 / 27002
CoCo
ISO/IEC 38508


COBIT
Encompasses the full range of IT activities
Focus on achievement of control objectives
Integrates and aligns IT practices with
organizational governance and strategic
requirements
Designed to be utilized at different levels of
management
Audit Use of COBIT
Evaluate the adequacy of controls
Design appropriate tests to measure
effectiveness
Provide management of appropriate advice
on the system of internal controls
Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitoring and Evaluation
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
COBIT Process Measurement
Metrics
Nonexistent
Initial / ad hoc
Repeatable but intuitive
Defined process
Managed and measurable
Optimized
COSO Internal Control
Standards
Three basic objectives
1. Economy and efficiency of operations,
including achievement of performance goals
and safeguarding of assets against loss
2. Reliable financial and operational data and
reports
3. Compliance with laws and regulations

Five Components
1. A sound control environment
2. A sound risk-assessment process
3. Sound operational-control activities
4. Sound information and communications
systems
5. Effective monitoring
BS 7799 and ISO 17799/27001 /
27002
BS 7799 and ISO 17799
Assist companies by ensuring security and
control within electronic trading systems
Facilitated the introduction of key controls
ISO 27001
Replaced BS 7799-2
A Certification Standard
Specification for an Information Security
Management System (ISMS)
Steps in the Process
Organizational decision to implement
Scoping the project
Risk assessment
Selection of appropriate controls (see ISO
27002)
Justification recorded in a Statement Of
Applicability (SOA)
Controls implemented as appropriate
ISO 27002
Code of practice for information security
Outlines hundreds of potential controls and
control mechanisms
Establishes guidelines and general principles
for:
Initiating
Implementing
Maintaining
Improving
Information security management
ISO 27001 Addresses
Structure
Risk Assessment and Treatment
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical Security
Communications and Ops Management
Access Control
Information Systems Acquisition, Development, Maintenance
Information Security Incident management
Business Continuity
Compliance

CoCo
Criteria of Control
Sponsored by the Canadian Institute of
Chartered Accountants
Three major control objectives
1. Effectiveness and efficiency of operations
2. Reliability of internal and external reporting
3. Compliance with applicable laws and regulations and internal policies

Controlled Defined as
Encompassing
Purpose
Commitment
Capability
Monitoring and learning
CoCo Promotes
Avoidance of risk
Reducing the likelihood of risk occurring
Reducing the impact should a risk occur
Transferring the risk to a third party
Accepting or retaining the risk

ISO/IEC 38508
Designed as a worldwide formal international IT
Governance Standard
Framework for the boards governance of
information and communications
Six principles for good corporate IT governance
Responsibility
Strategy
Acquisition
Performance
Conformance
Human behavior
CALDER-MOIR IT Governance
Framework
Six main segments
1. Business Strategy
2. Risk, Conformance, and Compliance
3. IT Strategy
4. Change
5. Information and Technology Balance Sheet
6. Operations
Each segment divided into three layers
Board
Executive management
IT-governance practitioners
Governance Techniques
Change control
Problem management
Operational reviews
Performance measurement
ISO 9000 reviews
Change Control
Change may occur as a result of:
Hardware changes
Hardware failures
Software error
Legislative changes
Changes to business operations
Change Control Objective
To ensure that:
All changes are authorized
All changes are specified
All changes of cost effective
All authorized changes are made
Only authorized changes are made
Change Control Committee
Evaluate change requests
Authorize change requests
Ensure testing carried out
Ensure documentation carried out
Authorize implementation
Changes Require
Prior approval
Independent testing
User / IT staff / auditors sign-off
Full documentation
Recovery procedures
Segregated Libraries
Common in mainframes
Production
Development
Rare in personal computers
Backups frequently not taken
Change-control process is may differ
Control procedures must be implemented
Problem Management
Used for unplanned changes
Urgent repairs
To control systems during emergency
situations
Normal control mechanisms may be
bypassed
Permissions sought retrospectively

Audit Requirements
Proof that:
Change request recorded and stored for
reference
Change is assessed prior to acceptance
Unauthorized changes limited by control
Problem management process in place
Change documentation up to date
All new software releases pass through Change
Control

Operational Reviews
Involves evaluation of:
Internal controls
Compliance with laws regulations and company
policies
Reliability and integrity of financial and operating
information
Efficient and effective use of resources
Review Standards
Comparison to standards
Management standards
COBIT
Use of objective criteria
Performance Measurement
Use of feedback mechanisms
Integrated performance-measurement
systems
Measuring activities of people and processes
Use of significant few measuring criteria
ISO 9000 Reviews
ISO:
National standard bodies of 91 countries
180 technical committees
Quality management and quality-assurance
system standards
Reviewing:
Methodology
Project / process