IT Audit - IT Environment
Risk Services
Session 2
IT Environment

Learning objectives

Technology and Security
Risk Services

Examples of IT in the business
• Accounting systems
• Payroll systems
• Production planning systems
• Inventory management systems
• Network
• Document scanning, printing, digital storing
• Email, Internet

Elements of Information Technology
• Software
– Business applications
– Office applications
– Spreadsheets, databases, etc.
• Hardware
– PCs/workstations
– Terminals
– Servers
– Network equipment (hub, switch, router, etc.)
– Printers, scanners, etc.

Elements of Information Technology
• Support tools
– System development tools
– Change Management tools
– Helpdesk software
– Security software (firewall, anti-virus software, etc.)

What Matters to CEOs?
1. Maximizing shareholder value
2. Protecting the market position of the company

CFO IT Perspectives

Changing Role of CFOs
[Pie chart: slices labelled "Increased leadership role", "Expanded interaction with management and other departments" and "Other/don't know (16%)"; the remaining extracted percentages (5%, 14%) cannot be matched to their slices.]

IT Priorities for CFOs
[Bar chart, series 1999, 2000 and 2001, 0-80 scale]
A. Identifying appropriate level of IT investment: 61.2%
B. Prioritizing technology investments: 55.3%
C. Identifying how IT can improve or influence business processes: 53.3%
D. Determining appropriate use of eCommerce: 32.4%

Management Challenges

Business Requirements on IT
• Confidentiality
• Integrity and Reliability
• Availability
• Effectiveness and Efficiency
• Compliance

Impact of IT on the Business

Possible Results
• Restatement of accounts
• Bankruptcy
• Falling share price
• Poor financial performance
• Bad publicity
• Customer dissatisfaction

Top 10 IT Issues
1. Strategy – prioritizing technology investments
2. Budgeting – identifying appropriate investment level
3. Efficiency – evaluating/measuring return on technology
4. Security – confidentiality/integrity/reliability of data
5. Continuity – securing the availability of information
6. eCommerce – re-volution to e-volution
7. Project Management – high price of implementation failure
8. ERP – pros and cons of integrated software
9. Outsourcing – trusting your business to third parties
10. Regulation – legislation compliance (e.g., data privacy)

Responsibility of IT Management

Responsibilities in IT Management
• System development
– Development and implementation of new information systems
• Application management
• Network Management
• Helpdesk/user support
• Project management

Types of IT organizations
Small IT organization (1-5 people)
[Org chart: CEO/PresDir, with the Head of IT reporting to the CEO/PresDir]

Types of IT organizations
Medium size IT organization (5-50 staff)
[Org chart: CEO/PresDir over Marketing, Finance, Production and the IT Department]

Organizational requirements for IT departments
• Position in the organization
• Segregation of duties
• Screening and hiring
• Staff skills and development (training)

Hardware

Hardware (Content)
• Hardware architecture
• Hardware components
• Risks and Controls
• Hardware Review/audit techniques

Hardware …
Hardware architecture
Classes
• Large (mainframe)
– IBM S-360/370, S390, z900
– Unisys NX4801-21
– Bull, Fujitsu
• Medium (mini computer)
– IBM S/36, S/38, AS/400 (i-series), RISC 6000
– DEC VAX
– HP3000 series, Bull
• Small (microcomputer)
– IBM PC Compatible

Hardware …
Hardware components
• Processors
• Storage: FDD, hard disk, CD-ROM, magnetic tape, microfilm
• Input/output devices: keyboard, POS terminals, barcode readers, mouse, stylus, scanner; printer, monitor, plotter
• Communication and networking devices: modems, routers, switches and hubs, NIC

Hardware …
Risks and controls
• Failures: environmental controls (humidifiers, AC, UPS, surge protector); monitoring and maintenance
• Theft, vandalism: physical access controls

Hardware …
Hardware review/audit techniques
• Physical controls
• Environmental controls
• Hardware capacity management
– CPU, I/O, terminal, telecommunication, bandwidth and storage utilization
– Number of users
– New technologies, applications
– Service level agreements
• Hardware monitoring
– Hardware error reports
– Availability reports
– Utilization reports
• Hardware acquisition plan & maintenance
– Information processing requirements, hardware requirements, system software requirements, support and maintenance requirements

Operating Systems

Operating Systems …
Operating system tasks
• Permits users to share hardware and data
• Schedules resources among users
• Informs users of any errors that occur with the processor, I/O or programs
• Recovery from system errors
• Communication between the O/S and application programs, allocating memory to processes and making the memory available upon completion of a process
• System file and system accounting management

Operating Systems …
Major Operating systems
• Mainframe
– MVS, Unisys, etc
• Midrange/Minicomputers
– OS/400, VMS, Unix, SunOS, etc
• Micro computers
– Unix, Windows NT, Windows 2000, Novell Netware, OS/2, MacOS, DOS, Linux

Operating Systems …
Risks and Controls
• Unauthorized access: strong security management (including user rights and password controls management); separation of duties
• Poor logging and audit trails: auditor’s involvement in the requirement and design phase; periodic review of logs
• Incompatibility with applications: change management

Operating Systems …
Review/Audit techniques
• System software selection procedures
– Addresses the IS and business plan, meets control requirements, feasibility study, cost-benefit analysis
• Installation controls
– Written installation plan, documentation, identification before being placed into production
• Maintenance activities
• Change controls for system software
– Access limitation to library, changes are documented and tested
• Systems documentation
• Licensing
– protect against the possibility of penalties
– protect from public embarrassment
• Security parameters (special functions, passwords)
• Audit and logging

Operating Systems …
O/S Audit tools
• AS/400
– PentaSafe
• Windows NT
– Systems Scanner, Kane Security Analyst (KSA), NMAP for NT, Retina, BindView
• UNIX
– COPS (Computer Oracle and Password System), Tripwire, NMAP, PC-Unix Audit

Network

Network & telecommunication infrastructure
• Network Eras
• Network architecture
• Data Communication
• Network Protocols
• Transmission media
• Local area network and Wide Area Network
• Risks and controls
• Audit and Evaluation Techniques

Network infrastructure…
Network Eras
• ERA 1: Mainframe Networks (1965 - 1975)
• ERA 2: Minicomputer Networks (1975 - 1985)
• ERA 3: Shared-bandwidth LANs (1985 - 1995)
• ERA 4: Switching LANs (1995 - )

Network Eras …
Mainframe Networks
• Groups of terminals attached to cluster controllers
• Controllers were connected to the front-end processor through point-to-point cables (for local connections) or leased telephone lines (for remote connections).

Network Eras …
Minicomputer Networks
• Terminals connected directly to a port on the mini.
• Statistical multiplexers provide wide area line sharing and error protection.
• Data PBXs were central to many networks, allowing terminal users to select computers and contend for expensive computer ports.

Network Eras …
Shared-bandwidth LANs
• LAN-based network operating systems emerged
• Shared bandwidth: PCs and other devices were attached to a single Ethernet segment or a single token ring

Network Eras …
Switched LANs
• The rapid growth in the power of PCs (servers), which can handle throughput rates significantly higher than Ethernet or token ring provides.
• Data representation through images rather than text.
• Emergence of the World Wide Web, document imaging, medical radiology, CAD, video training and pre-press editing (all require large amounts of bandwidth).

Network architecture
• Bus configuration
• Ring configuration
• Star configuration
• Mesh configuration

Network architecture …
Bus configuration
Advantages Disadvantages

Network architecture …
Ring configuration
Advantages:
• Every computer is given equal access, since a token is passed around the ring indicating authorization to transmit
• The network degrades gracefully
Disadvantages:
• Failure of one computer in the network can affect the whole network
• Difficult to troubleshoot
• Adding or removing computers can disrupt the network

Network architecture …
Star configuration
Advantages:
• Easy to modify and add new computers
• The center of the star is a good place to diagnose network problems
• Single computer failures do not bring down the network
• Several cable types can be used in the configuration
Disadvantages:
• If the central hub fails the whole network ceases to function
• Requires a device at the center to rebroadcast or switch network traffic
• More cable is required than in the bus configuration

Network architecture …
Mesh configuration
Advantages:
• Fault tolerant
• Easy to diagnose problems
• Guaranteed channel capacity
Disadvantages:
• Difficult to install and reconfigure, since there is a connection with every machine on the network
• High cost of installation

Telecommunication infrastructure…
Data Communication
• Simply put, it involves the transmission of speech and/or data between two connected devices.
• Data communications describes the use of protocols (rules) and specific equipment to coordinate and facilitate the successful transmission and receipt of data between source and destination.

Telecommunication infrastructure…
Network Protocols
Protocols are the set of rules for the packaging and transmission of data.
Examples:
– Transmission Control Protocol/Internet Protocol (TCP/IP)
– Virtual Telecommunications Access Method (VTAM)
– IPX/SPX
– AppleTalk
– PPP (Point-to-Point Protocol), X.25

Telecommunication infrastructure…
Transmission media
• Copper (twisted pair) circuits
• Coaxial cables
• Fiber optic systems
• Radio systems
• Microwave radio systems
• Satellite radio link systems

Telecommunication infrastructure…
LANs and WANs
• LANs
– Within buildings or departments
– Digital signals used
– Computer to computer transmission
– Use high quality cables
• WANs:
– Spread over multiple sites
– Require the use of special communications hardware
– May use public long distance communications links
– Tend to be more complex than LANs.

Telecommunication infrastructure…
Network Risks and Controls
• Unauthorized access (incl. tapping): encryption; access controls
• Performance degradation: performance monitoring (response time reports, down time reports, online monitors (echo checking), help desk reports)
• Remote access & dial-up: call back facility
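The availability and down-time reports listed under Hardware monitoring and under Network Risks and Controls are derived from monitor records; as an added example (not from the original slides), the following script builds such a report from constructed monitor events and checks each system against constructed SLA targets, counting an outage that is still open at the end of the review period up to the period boundary.

```python
"""Availability/downtime report of the kind an IS auditor reviews (added illustration;
the monitor events, systems and SLA levels below are constructed, not from the slides)."""
from datetime import datetime, timedelta

# Constructed sample: one month of monitor events for two systems.
EVENTS = [
    ("2001-03-02 08:15", "payroll-db", "down"),
    ("2001-03-02 09:45", "payroll-db", "up"),
    ("2001-03-15 22:00", "payroll-db", "down"),
    ("2001-03-16 01:30", "payroll-db", "up"),
    ("2001-03-30 23:00", "mail-gw", "down"),  # still down when the period ends
]
PERIOD_START = datetime(2001, 3, 1)
PERIOD_END = datetime(2001, 4, 1)
SLA_TARGET = {"payroll-db": 99.5, "mail-gw": 95.0}  # constructed SLA levels (%)

def downtime_report(events, start, end):
    """Return {system: timedelta of downtime} within [start, end)."""
    down_since, total = {}, {}
    for ts, system, state in sorted(events):  # fixed-width timestamps sort as text
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if state == "down" and system not in down_since:
            down_since[system] = max(t, start)  # clip outages that began before the period
        elif state == "up" and system in down_since:
            outage = min(t, end) - down_since.pop(system)
            total[system] = total.get(system, timedelta()) + outage
    # An outage with no matching "up" is still open: count it to the period end.
    for system, since in down_since.items():
        total[system] = total.get(system, timedelta()) + (end - since)
    return total

def availability_report(events, start, end, sla):
    """Per-system availability for the period compared with its SLA target."""
    period = end - start
    down = downtime_report(events, start, end)
    report = {}
    for system, target in sla.items():
        dt = down.get(system, timedelta())
        pct = 100.0 * (1 - dt / period)  # timedelta / timedelta gives a float
        report[system] = {
            "downtime_minutes": int(dt.total_seconds() // 60),
            "availability_pct": round(pct, 3),
            "sla_target_pct": target,
            "sla_met": pct >= target,
        }
    return report
```

With the constructed data, payroll-db shows 300 minutes of downtime (99.328%, below its 99.5% target) and mail-gw 1500 minutes (96.64%, within its 95% target).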

What is the Internet?

Why Use the Internet?

The Risk of the Internet

How to Control Internet Use?

What is a Firewall?

How does a Firewall work?
[Diagram: the Internet connects through a gateway firewall to the Local Area Network and the Mainframe/Legacy Systems; rejected external traffic is shown stopped at the firewall]

What can a Firewall Do?

What can a Firewall Do? (Cont’d)

What can’t a Firewall Do?

What can’t a Firewall Do? (Cont’d)

Data Center

Discussion

Summary
• The hardware, systems software, communication lines, networks, Internet and data center are all organizational assets that should be properly controlled and managed by management.
• Today’s auditors should be familiar with and prepared to deal with the various rapid developments in IT (hardware, OS, communication, networks, Internet and data center) and their risks.
• IS auditors’ tasks:
– Review the existing controls
– Test compliance
– Recommend adequate controls

Type of Applications

What is Application Software?
Software that is designed and created to perform a specific personal, business or scientific processing task, such as word processing, an interactive game, a business application, etc.

Categories of software
• In-house developed application

Q&A

Thank You