IS Audit – S1 Accounting (for Universitas Padjadjaran)
IS Audit Syllabus
1. Introduction of IS Audit
2. IT Environment
3. IT Process
4. General Computer Control Review (1)
5. General Computer Control Review (2)
6. General Computer Control Case Study
7. Public Lecture (Kuliah Umum)
8. Mid-semester Exam
9. Application Control Review
10. Data Analysis Approach
11. IT Audit Integration
12. Application Control Case Study
13. IT Security
14. IT Risk Management & IT Governance
15. ERP Systems
16. Final Exam
• Gain understanding of the importance and role of IT for the business
• Understand IT organization & its requirements
• Introduce the students to:
– The concepts of hardware, operating systems, network, data communication, Internet and Data Centers
– The risks and controls associated with them, and
– The basic audit/review aspects and considerations of the above concepts.
Technology and Security Risk Services
Role of IT for the business
Examples of IT in the business
• How is Information Technology used in organizations? Examples?
Examples of IT in the business
• Accounting systems
• Payroll systems
• Production planning systems
• Inventory management systems
• Network
• Document scanning, digital storing
• Email, printing, Internet
Elements of Information Technology
• Software
– Business applications
– Office applications
– Spreadsheets, databases, etc.
• Hardware
– PCs/workstations
– Terminals
– Servers
– Network equipment (hub, switch, router, etc.)
– Printers, scanners, etc.
Elements of Information Technology
• Support tools
– System development tools
– Change Management tools
– Helpdesk software
– Security software (firewall, anti-virus software, etc.)
What Matters to CEOs?
1. Maximizing shareholder value
2. Protecting the market position of the company
Therefore they want IT to:
• Enable/facilitate the business’ strategy
• Deliver ROI
• Enhance competitive advantage
• Deliver quality while minimizing risk
• Achieve compliance goals
CFO IT Perspectives
• 49% of CIOs report to the CFO (29% to the CEO)
• Technology expertise considered the most important skill after financial expertise (44% response)
• IT training first priority for developing accounting staff (52%)
• 82% of CFOs say accounting departments have become more involved in technology initiatives
• Responsibilities outside the scope of traditional financial functions will occupy 37% of a senior accountant’s time in five years
Source: RHI Management Resources / FEI-CSC Surveys
Changing Role of CFOs
• Greater role in technology and information systems initiatives: 39%
• More strategic planning and decision making: 26%
• Increased other interaction with departments: 16%
• Expanded leadership and management role: 14%
• Other/don't know: 5%
Source: RHI Management Resources Survey
IT Priorities for CFOs
[Bar chart, Source: FEI-CSC Survey, results for 1999, 2000 and 2001. Bars: A. Prioritizing technology investments (about 55%); B. Identifying how IT can improve or influence business processes (about 53%); C. Identifying appropriate level of IT investment (about 61%); D. Determining appropriate use of eCommerce (about 32%). The decimal fractions of the percentages are not recoverable from the extracted text.]
Management Challenges
• 30% of businesses are unable to determine their return on technology investments
• 61% do not have a written strategic plan for information systems
• Only 23% of those with plans believe them to be fully aligned to the business strategy
Source: FEI-CSC Survey
Business Requirements on IT
• Confidentiality
• Integrity and Reliability
• Availability
• Effectiveness and Efficiency
• Compliance
Impact of IT on the Business
• Software implementation failures leading to process failure, financial and reputational loss
• Lack of valid information required to make business decisions
• Lack of security resulting in financial and reputational loss
• Hardware failure leading to inability to process transactions and/or trade effectively
• Legislative implications of non-compliance
Possible Results
• Restatement of accounts
• Bankruptcy
• Falling share price
• Poor financial performance
• Bad publicity
• Customer dissatisfaction
Top 10 IT Issues
1. Strategy – prioritizing technology investments
2. Budgeting – identifying appropriate investment level
3. Efficiency – evaluating/measuring return on technology
4. Security – confidentiality/integrity/reliability of data
5. Continuity – securing the availability of information
6. eCommerce – re-volution to e-volution
7. Project Management – high price of implementation failure
8. ERP – pros and cons of integrated software
9. Outsourcing – trusting your business to third parties
10. Regulation – legislation compliance (e.g. data privacy)
Technology and Security Risk Services
Organization of IT for the business
Responsibility of IT Management
Where can you find the IT organization in a company?
• Finance manager (no specific IT manager)
• IT Manager, reporting to Finance Manager
• IT Manager or CIO, reporting to CEO
• CIO and IT Manager
Responsibilities in IT Management
• System development – development and implementation of new information systems
• Application management
• Network Management
• Helpdesk/user support
• Project management
Types of IT organizations – Small IT organization (1-5 people)
[Organization chart: Marketing, Finance, Production and the Head of IT all report to the CEO/PresDir. The Head of IT covers:]
– Application management and support
– Network (hardware) management
Types of IT organizations – Medium size IT organization (5-50 staff)
[Organization chart: Marketing, Finance, Production and the IT Department all report to the CEO/PresDir. The IT Department comprises:]
– System Development: Programmers, Information analysts
– Infrastructure management: Network management, Hardware management, Telecommunication management
– Application management: Database Manager, Office application management, Business application management
– Helpdesk
Organizational requirements for IT departments
• Position in the organization
• Segregation of duties
• Screening and hiring
• Staff skills and development (training)
Technology and Security Risk Services
Hardware
Hardware (Content)
• Hardware architecture
• Hardware components
• Risks and Controls
• Hardware Review/audit techniques
Hardware … Hardware architecture
Classes
• Large (mainframe)
– IBM S-360/370, S/390, z900
– Unisys NX4801-21
– Bull, Fujitsu
• Medium (mini computer)
– IBM S/36, S/38, AS/400 (i-series), RISC 6000
– DEC VAX
– HP3000 series, Bull
• Small (microcomputer)
– IBM PC Compatible
Hardware … Hardware components
• Processors
• Storage devices: FDD, Hard disk, CD-ROM, Magnetic Tape, Micro film
• Input/output devices: Keyboard, Mouse, Monitor, Stylus, Barcode readers, POS terminals, Scanner, Printer, Plotter
• Communication and networking devices: Modems, Routers, Switches & hubs, NIC
Hardware … Risks and controls
Risks
• Failures
• Theft, vandalism
• Disasters
• Under/over capacity
Controls
• Environmental controls (humidifiers, AC, UPS, surge protector)
• Monitoring and Maintenance
• Physical access
• Backup, avoid flammable materials (incl. Printers)
• Capacity planning
Hardware … Hardware review/audit techniques
• Physical controls
• Environmental controls
• Hardware capacity management
– CPU, I/O, terminal, telecommunication, bandwidth and storage utilization
– Number of users
– New technologies, applications
– Service level agreements
• Hardware monitoring
– Hardware error reports
– Availability reports
– Utilization reports
• Hardware acquisition plan & maintenance
– Information processing requirements, Hardware requirements, System software requirements, Support and maintenance requirements
Technology and Security Risk Services
Operating Systems
Operating Systems
• Operating systems tasks
• Major Operating Systems
• Operating Systems Software Risks and Controls
• Operating systems review/audit techniques
• Operating systems Audit Tools
Operating Systems … Operating systems tasks
• Permits users to share hardware, data
• Schedules resources among users
• Informs users of any errors that occur with the processor, I/O or programs
• Recovery from system errors
• Communication between the O/S and application programs, allocating memory to processes, and making the memory available upon the completion of a process
• System file and system accounting management
Operating Systems … Major Operating systems
• Mainframe – MVS, Unisys, VMS, Unix, etc.
• Midrange/Minicomputers – OS/400, SunOS, Unix, etc.
• Micro computers – DOS, Windows NT, Windows 2000, OS/2, MacOS, Novell Netware, Unix, Linux
Operating Systems … Risks and Controls
Risks
• Unauthorized access
• Poor logging and audit trails
• Incompatibility with applications
• Change management
Controls
• Strong security management (including user rights and password controls management)
• Separation of duties
• Auditor’s involvement in requirement and design phase
• Periodic review of logs
Operating Systems … Review/Audit techniques
• System software selection procedures
– Address IS and business plan, feasibility study, cost benefit analysis
• Installation controls
– Written plan for installation, documentation, meeting control requirements, identification before being placed into production
• Maintenance activities
• Change controls for system software
– Access limitation to library, changes are documented and tested
• Systems documentation
• Licensing
– protect against the possibility of penalties
– protect from public embarrassment
• Security parameters (special functions, passwords)
• Audit and logging
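The "security parameters (special functions, passwords)" and "audit and logging" items are what an auditor tests against an export of the operating system's user accounts. The following is an added example, not code from the lecture slides: a small check over a constructed account export against assumed policy thresholds (90-day password age, 60-day inactivity, 8-character minimum length, and login auditing on privileged accounts). The record layout, the thresholds, the audit date and the account names are all assumptions made for this example.

```python
"""Added example (not from the lecture slides): audit exceptions over an
operating-system account export, of the kind an IS auditor raises when
testing security parameters and audit logging.

The record layout, thresholds and sample records are constructed for the
example; they are not a real OS export."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed audit policy thresholds (constructed for this example).
MAX_PASSWORD_AGE_DAYS = 90
MAX_INACTIVE_DAYS = 60
MIN_PASSWORD_LENGTH = 8
AS_OF = date(2024, 3, 1)  # constructed "as at" date of the review


@dataclass
class Account:
    name: str
    privileged: bool              # root/administrator-equivalent rights
    password_set: Optional[date]  # None = no password set at all
    last_login: Optional[date]    # None = never logged in
    min_length: int               # minimum password length enforced
    audit_logging: bool           # login auditing switched on for this account


# Constructed sample export (not real data).
SAMPLE_ACCOUNTS = [
    Account("alice", False, date(2024, 1, 15), date(2024, 2, 28), 8, True),
    Account("backup_op", True, date(2023, 6, 1), date(2024, 2, 27), 8, True),
    Account("oldvendor", False, date(2023, 2, 1), date(2023, 10, 1), 6, False),
    Account("guest", False, None, None, 8, True),
    Account("admin2", True, date(2024, 2, 1), None, 8, False),
]


def review_account(acct: Account, as_of: date = AS_OF) -> List[str]:
    """Return the audit exceptions for one account (empty list = no exception)."""
    findings = []
    if acct.password_set is None:
        findings.append("no password set")
    elif (as_of - acct.password_set).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than %d days" % MAX_PASSWORD_AGE_DAYS)
    if acct.last_login is None:
        findings.append("never logged in")
    elif (as_of - acct.last_login).days > MAX_INACTIVE_DAYS:
        findings.append("inactive for more than %d days" % MAX_INACTIVE_DAYS)
    if acct.min_length < MIN_PASSWORD_LENGTH:
        findings.append("minimum password length below %d" % MIN_PASSWORD_LENGTH)
    if acct.privileged and not acct.audit_logging:
        findings.append("privileged account without login auditing")
    return findings


def review_accounts(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map account name -> findings, listing only accounts with exceptions."""
    report = {}
    for acct in accounts:
        findings = review_account(acct)
        if findings:
            report[acct.name] = findings
    return report


if __name__ == "__main__":
    for name, issues in review_accounts(SAMPLE_ACCOUNTS).items():
        print(name, "->", "; ".join(issues))
```

On the constructed data the clean account (alice) is absent from the report, while the dormant vendor account collects three exceptions at once, which is the pattern an auditor would follow up first.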
Operating Systems … O/S Audit tools
• AS/400 – PentaSafe
• Windows NT – Systems Scanner, Kane Security Analyst (KSA), BindView, Retina, NMAP for NT
• UNIX – COPS (Computer Oracle and Password System), Tripwire, NMAP, PC-Unix Audit
Technology and Security Risk Services
Network
Network & telecommunication infrastructure
• Network Eras
• Network architecture
• Data Communication
• Network Protocols
• Transmission media
• Local area network and Wide Area Network
• Risks and controls
• Audit and Evaluation Techniques
Network infrastructure… Network Eras
• ERA 1: Mainframe Networks (1965–1975)
• ERA 2: Minicomputer Networks (1975–1985)
• ERA 3: Shared-bandwidth LANs (1985–1995)
• ERA 4: Switching LANs (1995–)
Network Eras … Mainframe Networks
• Groups of terminals attached to cluster controllers
• Controllers were connected to the front-end processor through point-to-point cables (for local connections) or leased telephone lines (for remote connections).
Network Eras … Minicomputer Networks
• Terminals connected directly to a port on the mini.
• Data PBXs were central to many networks, allowing terminal users to select computers and contend for expensive computer ports.
• Statistical multiplexers provide wide-area line sharing and error protection.
Network Eras … Shared-bandwidth LANs
• LAN-based network operating systems emerged
• Shared bandwidth: PCs and other devices were attached to a single Ethernet segment or a single token ring
Network Eras … Switched LANs
• The rapid growth in the power of PCs (servers), which can handle throughput rates significantly higher than Ethernet or token ring provides.
• Data representation through images rather than text: document imaging, medical radiology, CAD, video training, and pre-press editing (require large amounts of bandwidth).
• Emergence of the World Wide Web.
Network architecture
• Bus configuration
• Ring configuration
• Star configuration
• Mesh configuration
Network architecture … Bus configuration
Advantages
• Reliable in very small networks
• Easy to use and understand
• Requires less cabling, so it is less expensive
• Is easy to extend
• A repeater can be used to extend the configuration
Disadvantages
• Heavy network traffic can slow the performance
• Each connection between two cables weakens the electrical signal
• Difficult to locate network errors, difficult to troubleshoot
Network architecture … Ring configuration
Advantages
• Every computer is given equal access, since a token is passed around the ring indicating authorization to transmit
• The network degrades gracefully
Disadvantages
• Failure of one computer in the network can affect the whole network
• Difficult to troubleshoot
• Adding or removing computers can disrupt the network
Network architecture … Star configuration
Advantages
• Easy to modify and add new computers
• The center of the star is a good place to diagnose network problems
• Single computer failures do not bring down the network
• Several cable types can be used in the configuration
Disadvantages
• If the central hub fails, the whole network ceases to function
• Requires a device at the center to rebroadcast or switch network traffic
• More cable is required than in a bus configuration
Network architecture … Mesh configuration
Advantages
• Fault tolerant
• Easy to diagnose problems
• Guaranteed channel capacity
Disadvantages
• Difficult to install and reconfigure, since there is a connection with every machine on the network
• High cost of installation
Telecommunication infrastructure… Data Communication
• Simply put, it involves the transmission of speech and/or data between two connected devices.
• Data communications describes the use of protocols (rules) and specific equipment to coordinate and facilitate the successful transmission and receipt of data between source and destination.
Telecommunication infrastructure… Network Protocols
Protocols are the set of rules for the packaging and transmission of data. Examples:
– Transmission Control Protocol/Internet Protocol (TCP/IP)
– Virtual Telecommunications Access Method (VTAM)
– IPX/SPX
– AppleTalk
– PPP (Point-to-Point Protocol), X.25
Telecommunication infrastructure… Transmission media
• Copper (twisted pair) circuits
• Coaxial cables
• Fiber optic systems
• Radio systems
• Microwave radio systems
• Satellite radio link systems
Telecommunication infrastructure… LANs and WANs
• LAN
– Within buildings or departments
– Digital signals used
– Computer to computer transmission
– Use high quality cables
• WAN
– Spread over multiple sites
– Require the use of special communications hardware
– May use public long distance communications links
– Tend to be more complex than LANs.
Telecommunication infrastructure… Network Risks and Controls
• Unauthorized access (incl. tapping)
– Encryption
– Access controls
• Performance degradation
– Performance monitoring: Response time reports, Down time reports, Online monitors (Echo checking), Help desk reports
• Remote access & dial-up
– Call back facility
• Viruses, trojans
– Anti-virus and forced update
– Clear policy
– Astalavista.box.sk
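The response-time and down-time reports listed under performance monitoring, like the availability and utilization reports under hardware monitoring earlier, are produced from raw probe records. As an added example, not code from the slides, the following builds both reports from a constructed probe log and lists the hosts that breach an assumed service level (at least 90% of probes answered, no response slower than 500 ms). The log format, the host names and the SLA targets are assumptions made for this example.

```python
"""Added example (not from the lecture slides): availability and response-time
reports from a probe log, plus the SLA exception list an auditor would review.

The log format, host names and SLA targets are assumptions; the log lines
are constructed sample data."""
import re
from collections import defaultdict

# Constructed probe log (not real data): timestamp, host, status, response time.
# An "echo check" probe sends a payload and expects the same payload back; a
# mismatch or a timeout is recorded here as status=down with no response time.
SAMPLE_LOG = """\
2024-03-01T08:00:00 host=fileserver status=up rt_ms=12
2024-03-01T08:05:00 host=fileserver status=up rt_ms=15
2024-03-01T08:10:00 host=fileserver status=down rt_ms=-
2024-03-01T08:15:00 host=fileserver status=up rt_ms=14
2024-03-01T08:00:00 host=router1 status=up rt_ms=3
2024-03-01T08:05:00 host=router1 status=up rt_ms=4
2024-03-01T08:10:00 host=router1 status=up rt_ms=850
2024-03-01T08:15:00 host=router1 status=up rt_ms=5
2024-03-01T08:00:00 host=dialup-gw status=down rt_ms=-
2024-03-01T08:05:00 host=dialup-gw status=down rt_ms=-
2024-03-01T08:10:00 host=dialup-gw status=up rt_ms=40
2024-03-01T08:15:00 host=dialup-gw status=up rt_ms=38
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) status=(?P<status>up|down) rt_ms=(?P<rt>\d+|-)$"
)

# Assumed SLA targets (constructed for this example).
MIN_AVAILABILITY_PCT = 90.0
MAX_RESPONSE_MS = 500


def parse_log(text):
    """Yield (host, is_up, rt_ms or None) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rt = None if m.group("rt") == "-" else int(m.group("rt"))
        yield m.group("host"), m.group("status") == "up", rt


def build_report(text):
    """Per-host probe count, down count, availability % and response-time stats."""
    stats = defaultdict(lambda: {"probes": 0, "down": 0, "rts": []})
    for host, up, rt in parse_log(text):
        s = stats[host]
        s["probes"] += 1
        if up:
            s["rts"].append(rt)
        else:
            s["down"] += 1
    report = {}
    for host, s in stats.items():
        rts = s["rts"]
        report[host] = {
            "probes": s["probes"],
            "down": s["down"],
            "availability_pct": round(100.0 * (s["probes"] - s["down"]) / s["probes"], 1),
            "avg_rt_ms": round(sum(rts) / len(rts), 1) if rts else None,
            "max_rt_ms": max(rts) if rts else None,
        }
    return report


def sla_exceptions(report):
    """Hosts breaching the assumed SLA, with the reason for the audit file."""
    exceptions = {}
    for host, r in sorted(report.items()):
        reasons = []
        if r["availability_pct"] < MIN_AVAILABILITY_PCT:
            reasons.append("availability %.1f%% below target" % r["availability_pct"])
        if r["max_rt_ms"] is not None and r["max_rt_ms"] > MAX_RESPONSE_MS:
            reasons.append("slowest response %d ms above limit" % r["max_rt_ms"])
        if reasons:
            exceptions[host] = reasons
    return exceptions


if __name__ == "__main__":
    rep = build_report(SAMPLE_LOG)
    for host, r in sorted(rep.items()):
        print(host, r)
    print("SLA exceptions:", sla_exceptions(rep))
```

Note that router1 is 100% available yet still appears in the exception list because of one 850 ms response: a down-time report alone would not have shown it, which is why the slides list response-time and down-time reports as separate controls.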
Telecommunication infrastructure… Audit and Evaluation Techniques
• LAN review
– Physical security
• Observe LAN and transmission wiring closet, server location, test access key
– Environmental controls
• Surge protector, air conditioning, humidity, power supply, backup media protection, fire extinguisher
– Logical security
• Interview LAN admin, penetration test, search for written passwords, test log-off period, dial-up connection
Internet
• What is Internet
• Why use Internet
• The risk of Internet
• How to control Internet use
• What is a Firewall
• How Firewall works
• What can Firewall do
• What can’t Firewall do
What is Internet?
• World’s largest computer network
• Based on TCP/IP protocol suite
• Links universities, government, companies, etc.
• Large international presence: > 170 countries
Why Use Internet?
• Provides cost effective communication for:
– eCommerce
– Electronic Mail (SMTP)
– Remote Terminal Access (Telnet)
– File Transfer (FTP)
• Good information source
– World Wide Web access (HTTP)
The Risk of Internet
• Perhaps the biggest risk: you don’t know who is out there!
• Because the Internet is so convenient to use, security implications are often overlooked
– Possible network ‘backdoor’ connections open to hackers
– Viruses from downloaded software (e.g. screensavers)
– Disclosure of sensitive info (e.g. credit card numbers)
How to Control Internet Use?
• Develop policies to define acceptable usage
– Personal use
– Business use (encrypting messages to business partners)
• Educate users on Internet risks
• Use of ‘Firewalls’
What is a Firewall?
• A firewall is a combination of hardware and software that enforces an existing network access policy
• Prevents unauthorized traffic in and out of a secure network
• It restricts people to entering at a carefully controlled point
• It prevents attackers from getting close to other network security defenses
How Firewall works?
[Diagram: the Internet connects to the Firewall Gateway; behind the firewall sit the Local Area Network, the Wide Area Network and the Mainframe/Legacy Systems; rejected external traffic is turned away at the firewall.]
What can Firewall Do?
• A firewall is a focus for security decisions. Think of a firewall as a choke point, or “Gateway”. All traffic in and out must pass through this single checkpoint.
• A Firewall can enforce security policy. Many of the services that people want from the Internet are inherently insecure. A Firewall acts as the traffic cop for these services.
What can Firewall Do? (Cont’d)
• A Firewall can effectively log Internet activity. Because all traffic passes through the firewall gateway, it is a good place to collect information about system and network use … AND misuse.
• A firewall reduces external network exposure. It can also be used to keep sections of a network separate from other sections.
– e.g. preventing certain employees attaching documents to e-mails
What can’t Firewall Do?
• A firewall can’t protect you against malicious insiders. If the fox is inside the hen house, a firewall can do nothing for you.
• A firewall can’t protect you against connections that don’t go through it. There is nothing it can do for traffic that does not go through it.
What can’t Firewall Do? (Cont’d)
• A firewall can’t completely protect against new threats. A firewall can only protect against known threats. You can’t set up a firewall once and expect it to protect you forever.
• A firewall can’t protect against viruses, as these are typically spread within documents
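As an added example, not code from the slides, the following minimal model of a packet filter shows the firewall points above in code: a single choke point, a policy evaluated top to bottom with a default deny, a log of every decision for later review, and traffic between two inside hosts that the firewall never sees (the malicious-insider and "connections that don't go through it" cases). The rule set, the addresses and the sample traffic are constructed for this example; they are not a real configuration.

```python
"""Added example (not from the lecture slides): a minimal packet-filter model
illustrating what a firewall can and cannot do.

The internal network, the rule set and the sample traffic are constructed
for the example; they are not a real configuration."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport")
Rule = namedtuple("Rule", "action src dst dport")  # dport None = any port

# Assumed internal network (constructed).
INTERNAL = ipaddress.ip_network("10.0.0.0/24")

# Assumed policy, evaluated top to bottom; the last rule is the default deny.
RULES = [
    Rule("allow", "any", "10.0.0.10", 25),     # inbound mail to the mail relay
    Rule("allow", "any", "10.0.0.20", 80),     # inbound web to the web server
    Rule("allow", "10.0.0.0/24", "any", 80),   # internal users browsing out
    Rule("allow", "10.0.0.0/24", "any", 443),
    Rule("deny", "any", "any", None),          # everything else is rejected
]


def _matches(pattern, addr):
    """True if addr falls in the rule's address pattern ('any', host or CIDR)."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def crosses_firewall(pkt):
    """The choke point only sees traffic between inside and outside; traffic
    that stays inside (or stays outside) never reaches it."""
    src_in = ipaddress.ip_address(pkt.src) in INTERNAL
    dst_in = ipaddress.ip_address(pkt.dst) in INTERNAL
    return src_in != dst_in


def evaluate(pkt, rules=RULES):
    """Return ('allow'|'deny', index of the matching rule) for traffic that
    passes the gateway, or ('unseen', None) for traffic the firewall never sees."""
    if not crosses_firewall(pkt):
        return "unseen", None
    for i, r in enumerate(rules):
        if (_matches(r.src, pkt.src) and _matches(r.dst, pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, i
    return "deny", None  # unreachable with a default-deny rule; kept as a safety net


def run_policy(packets, rules=RULES):
    """Apply the policy and keep the decision log an auditor would review."""
    log = []
    for pkt in packets:
        verdict, idx = evaluate(pkt, rules)
        log.append((pkt, verdict, idx))
    return log


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "10.0.0.10", 25),    # external mail -> relay: allowed
    Packet("203.0.113.5", "10.0.0.30", 23),    # external telnet to a workstation: denied
    Packet("10.0.0.30", "198.51.100.7", 443),  # internal user browsing out: allowed
    Packet("10.0.0.30", "198.51.100.7", 21),   # internal user FTP out: denied
    Packet("10.0.0.30", "10.0.0.20", 23),      # inside host to inside server: never seen
]


if __name__ == "__main__":
    for pkt, verdict, idx in run_policy(SAMPLE_TRAFFIC):
        print(pkt, "->", verdict, "(rule %s)" % idx)
```

The last sample packet is the one to note: the model returns "unseen" rather than "allow", because the firewall was never in the path. The same applies to a modem dialled in behind it, which is why the slides pair firewalls with a call-back facility for dial-up and with controls inside the network.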
Technology and Security Risk Services
Data Center
Data Center
Data Center is the business of providing a physical location as well as the applicable IT services (i.e. hardware/software, bandwidth to the Internet, facilities management, IT services, etc.) to run computer applications (i.e. e-mail, website, trading systems, etc.) at a site that is generally remotely located from a corporation’s or individual’s own premises. The eventual goal is to fully outsource corporate IT requirements, leveraging economies of scale at price points and service levels that are difficult to achieve in-house.
Discussion
What are the risks associated with Data Center? … and what controls can mitigate the risks?
Summary
• The hardware, OS, networks, communication lines, Internet and Data Center are all organizational assets that should be properly controlled and managed by management.
• Today’s auditors should be familiar with, and prepared to deal with, the rapid developments in IT (hardware, systems software, communication, networks, Internet and Data Center) and their risks
• IS Auditors’ tasks:
– Review the existing controls available
– Test the compliance
– Recommend adequate controls
Type of Applications !@ # .
What is Application Software?
Software that is designed and created to perform a specific personal, business or scientific processing task, such as word processing, business applications, interactive games, etc.
Categories of software
• In-house developed application
• Integrated application (e.g. ERP systems: SAP, Oracle, PeopleSoft, JDE, etc.)
• Package application (e.g. ACCPAC, Picador, etc.)
Q&A
Technology and Security Risk Services
Thank You