Information System Auditing

Yu Xiaobing(余小兵), CISA

Nanjing Audit University


A Quick Overview of IT

• To auditors, IT is two things
– A domain subject to audit
– A tool to help audit

Course Objectives
• Gain basic knowledge to audit IT
– Understand IT and related risks
– Understand IT control concepts
– Learn how to define IT audit universe and IT audit plan
– Study the key IT control areas – application development,
application controls, computer security, access management

• Explore the opportunity of using IT as a tool to audit

Unit 1
– IT and IT-related Risks

Agenda
• Defining IT
• IT and business
• IT related risks
• The needs of IT auditing

Knowledge Quiz
1. What IT courses have you learned?
2. What are the IT components?
3. What is the relationship between IT and
business?

1 What IT courses have you learned?

Computer basics?
Programming
Operating systems
Database principles
Computer networks

2 What are the IT components?

Computer
Network
Database
Applications (e.g. financial management systems)

3 What is the relationship between IT and
business?

[Figure: BUSINESS on top, TECHNOLOGY at the bottom. Business functions (Finance, Sales, Purchase, Inventory, ...) run on applications, which in turn run on the underlying technology.]


[Figure: BUSINESS on top, TECHNOLOGY at the bottom. Today's business models (e-commerce, sharing economy, instant messaging, short video, ...) run on applications built with big data, blockchain, cloud computing, the Internet of Things and artificial intelligence, which rest on the infrastructure layer: network, hardware and database.]


Defining IT

Defining IT
Layer 1 - IT Management
• This layer comprises the set of people,
policies, procedures and processes that
manage the IT environment.
– System Monitoring/Operations
– Programming
– Planning
– Management of Outsourced Vendors
– IT Governance

Defining IT
Layer 2 - Technical Infrastructure
This layer refers to the systems that underlie,
support, and enable the primary business
applications.
– Operating Systems
– Databases
– Networks

An example of typical networked systems

LAN Network Topologies

Network Example

Local Area Network (LAN)

A local area network connects two or more computers or peripherals. Each computer and peripheral must be equipped with a network interface card (NIC) to connect to the wiring system. Software in the operating system (called drivers) operates the network interface cards.

Cabling

A local area network can be implemented with several choices of connection technology. The characteristics of each technology are listed below:
– Twisted pair
– Fiber-optic cable
– Wireless LANs

LAN Protocols

Ethernet
Token Ring
AppleTalk
Fiber Distributed Data Interface (FDDI)

An example of typical business systems
[Figure: a browser client talks to a web server, which talks to a database server.]


Distributed Systems
An application usually comprises three logical parts:
– A graphical user interface (GUI) to collect and display information
– A set of business rules that perform the logic of the program
– A data retrieval and storage mechanism, often implemented by a database management system
Depending upon the application, these three parts can be distributed between the client computers and server computers in various proportions.

Two-Tier vs Three-Tier
Two-Tier
If the business rules and the database function are provided by the same server, we call this a two-tier client/server model.
Three-Tier
If the database and the business rules are provided by two different servers, we call this a three-tier model.
In both models the client computer is referred to as tier one.

Client/Server model

• Client/server can be defined as processing data using two or more computer platforms to achieve an end result. Each platform performs a subset of the total data processing task.

Server-based Networks
File Server
The file server is the repository of user data files. Some companies store application programs on the file server instead of allowing employees to store these programs on their individual drives.
The file server is controlled by a network operating system. The network operating system controls access to each of the directories and files on the server.

Print Server
A print server allows two or more users to share the use of one or more printers controlled by the print server. The printers can be attached directly to the print server, or they can be equipped with a network interface card and be controlled through the LAN connection. Often the file server program and the print server program run on the same computer.

Communication Server
The communication server provides shared access to modems and fax modems. These modems are used for outbound and inbound communication. Three common technologies for remote access are Remote Access Server (RAS), Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System (TACACS). Note that RADIUS and TACACS are authentication, authorization and accounting protocols that the access server consults to decide who may connect, rather than access servers themselves.

E-Mail and GroupWare Servers
The e-mail server runs the electronic mail system, e.g. Lotus Notes, Microsoft Exchange Server or sendmail (UNIX).
Database Server
A database server runs a DBMS such as DB2, Oracle, Sybase or SQL Server.
Security Server
The security server provides common control for access to the network and to applications running on the network. The security server does not control access to files on the various servers; that is the responsibility of the server holding those files.
Application Server
An application server is a server running programs other than those mentioned above.

Operating Systems

The operating system is a critical component of any computing environment and needs to be reviewed to ensure appropriate controls are in place.

Operating Systems (continued)
The primary audit objectives include:
– Ensuring the integrity of the operating system against unauthorized access.
– Limiting who has "privileged" access and what they can do. Privileged access also needs to be logged, and the log reviewed, so that every privileged action can be attributed to a named individual.
– Security fixes and patches need to be applied on a timely basis.
– Appropriate testing prior to installing new patches to ensure all functionality continues to perform after the patch is applied.
– Ensuring appropriate controls when installing new operating systems, such as rollback procedures should the new installation not function satisfactorily.
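
The two privileged-access objectives above (restrict who can act as root, and log what they do) are the ones an auditor can test directly from the host's authentication log. The following is an added example, not part of the course slides: it parses a few constructed auth.log lines in the format that sudo and OpenSSH write on Linux, lists the privileged commands per named user, and flags three things a reviewer would raise: sudo use by someone outside the approved administrator list, escalation to an interactive root shell (after which the per-command log goes dark), and direct logins as root, which cannot be attributed to an individual. The host name, user names and addresses are invented.

```python
import re
from collections import defaultdict

# Constructed sample lines in syslog/auth.log format (not real data).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 app01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 09:15:44 app01 sudo:      bob : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash
Mar  3 10:02:13 app01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd svc_report
Mar  3 10:30:00 app01 sudo:     oper : TTY=pts/2 ; PWD=/home/oper ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 11:00:05 app01 sshd[2231]: Accepted password for root from 10.0.0.7 port 51022 ssh2
Mar  3 11:05:19 app01 sshd[2240]: Accepted publickey for alice from 10.0.0.12 port 51100 ssh2
"""

# One sudo record per command: who asked, as whom it ran, and what ran.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# A successful SSH login directly as root, with the source address.
ROOT_LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (?P<src>\S+)")

# Commands that hand the user an interactive root shell: everything typed
# afterwards is invisible to sudo's per-command log.
SHELL_COMMANDS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/zsh", "/usr/bin/su", "/bin/su"}


def parse_sudo(line):
    """Return the fields of a sudo log line, or None for any other line."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def review_privileged_access(log_text, authorized_admins):
    """Produce audit findings over sudo and direct-root-login events."""
    commands_by_user = defaultdict(list)
    shell_escalations = []
    direct_root_logins = []
    for line in log_text.splitlines():
        ev = parse_sudo(line)
        if ev:
            commands_by_user[ev["user"]].append(ev["cmd"])
            # Only the executable (first token) decides whether this was a shell.
            if ev["target"] == "root" and ev["cmd"].split()[0] in SHELL_COMMANDS:
                shell_escalations.append((ev["user"], ev["cmd"]))
            continue
        m = ROOT_LOGIN_RE.search(line)
        if m:
            direct_root_logins.append(m.group("src"))
    # Anyone who used sudo but is not on the approved administrator list.
    unauthorized = sorted(set(commands_by_user) - set(authorized_admins))
    return {
        "commands_by_user": dict(commands_by_user),
        "unauthorized_sudo": unauthorized,
        "shell_escalations": shell_escalations,
        "direct_root_logins": direct_root_logins,
    }


if __name__ == "__main__":
    # The approved administrator list is an assumption the auditor obtains
    # from the access-management process being reviewed.
    findings = review_privileged_access(SAMPLE_AUTH_LOG, authorized_admins={"alice", "oper"})
    for key, value in findings.items():
        print(f"{key}: {value}")
```

In a real review the same parser is run over the retained logs for the period under audit, and each finding is traced back to a change ticket or an approved administrator list; a shell escalation is not a violation in itself, but it means the command-level trail for that session has to come from elsewhere (session recording, shell history, or the application's own logs).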

Types of Databases
A database management system (DBMS) manages data by providing organization, access, control and security functions. There are four classes of database structures. They are listed in the order of their evolutionary appearance:
– Flat file
– Hierarchical
– Network
– Relational

Relational Database
Through the use of indices (like the index in a book), the database administrator builds fast access paths to the records in the tables of the database. For each mode of reference or look-up there must be an index. For example, if a particular application requires looking up records by customer number, order number and customer name, there must be three indices.

Relational Database (continued)
Whereas the index in a book refers the reader to a page number, the index of a database refers to the location on the disk where the record is stored. This location is properly called the record number; very often it is also called a pointer.
Records are stored on the disk in the order they are created, so the index must be kept sorted to track where each record lives. Records can also refer to other "related" records. For example, the customer master record might point to the customer's address record, loan account record(s), investment account record(s), and checking and savings account record(s).
Strictly speaking, in the relational model such relationships are expressed through shared key values (a foreign key in the child row matching the primary key of the parent), not through physical pointers. Record numbers and pointers are an implementation detail of the DBMS; the physical layout can change without affecting the logical relationships the auditor relies on.
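
To make the index and relationship points concrete, here is an added example that is not part of the slides. It uses Python's built-in sqlite3 module to create the three access paths of the slide's own example (customer number, order number, customer name), lets the DBMS report through EXPLAIN QUERY PLAN which index a lookup actually uses, follows the customer-to-address and customer-to-order relationships through shared key values, and shows a foreign key rejecting an order that refers to a customer that does not exist (the "lack of integrity" risk a database audit looks for). The table names, columns and rows are invented.

```python
import sqlite3


def build_demo_db():
    """Create an in-memory database with one index per lookup path."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    con.executescript("""
        CREATE TABLE customer (
            customer_no  INTEGER PRIMARY KEY,   -- lookup path 1: customer number
            name         TEXT NOT NULL,
            credit_limit REAL NOT NULL
        );
        -- lookup path 2: customer name needs its own index
        CREATE INDEX idx_customer_name ON customer(name);

        CREATE TABLE address (
            address_id  INTEGER PRIMARY KEY,
            customer_no INTEGER NOT NULL REFERENCES customer(customer_no),
            street      TEXT NOT NULL
        );
        CREATE TABLE orders (
            order_no    INTEGER PRIMARY KEY,     -- lookup path 3: order number
            customer_no INTEGER NOT NULL REFERENCES customer(customer_no),
            amount      REAL NOT NULL
        );
        -- the customer -> orders relationship is walked through this index,
        -- not through a stored disk pointer
        CREATE INDEX idx_orders_customer ON orders(customer_no);
    """)
    # Constructed rows (invented data).
    con.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                    [(1, "Acme Ltd", 5000.0), (2, "Bolt plc", 1200.0)])
    con.executemany("INSERT INTO address VALUES (?, ?, ?)",
                    [(10, 1, "1 Main St"), (11, 2, "9 High Rd")])
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                    [(1001, 1, 250.0), (1002, 1, 75.5), (1003, 2, 900.0)])
    con.commit()
    return con


def orders_for_customer_name(con, name):
    """Look up by customer name, then join to orders: two index walks."""
    sql = """SELECT o.order_no FROM customer c
             JOIN orders o ON o.customer_no = c.customer_no
             WHERE c.name = ? ORDER BY o.order_no"""
    return [row[0] for row in con.execute(sql, (name,))]


def related_records(con, customer_no):
    """Follow the relationships the slide draws as pointers: shared key values."""
    streets = [r[0] for r in con.execute(
        "SELECT street FROM address WHERE customer_no = ?", (customer_no,))]
    order_nos = [r[0] for r in con.execute(
        "SELECT order_no FROM orders WHERE customer_no = ? ORDER BY order_no", (customer_no,))]
    return {"addresses": streets, "orders": order_nos}


def plan_uses_index(con, sql, params, index_name):
    """True if SQLite's query plan resolves the lookup through index_name."""
    plan = con.execute("EXPLAIN QUERY PLAN " + sql, params).fetchall()
    return any(index_name in row[-1] for row in plan)  # last column is the detail text


def orphan_order_rejected(con):
    """A foreign key, not a pointer, stops an order from referencing a missing customer."""
    try:
        con.execute("INSERT INTO orders VALUES (?, ?, ?)", (1004, 99, 10.0))
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    con = build_demo_db()
    print(orders_for_customer_name(con, "Acme Ltd"))
    print(related_records(con, 1))
    print(plan_uses_index(con, "SELECT * FROM customer WHERE name = ?", ("Acme Ltd",), "idx_customer_name"))
    print(orphan_order_rejected(con))
```

The audit-relevant points: an index that is missing shows up in the plan as a full table scan rather than an index search, and a relationship that exists only as an application convention (no declared foreign key) will happily accept orphan rows, which is where "lack of integrity" findings usually originate.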

Examples of Relational Databases
Examples of relational databases include:

DB2
Informix
Lotus Approach
MS Access
Oracle
SQL Server
Sybase

Defining IT
Layer 3 - Applications
They are programs that perform specific tasks
related to business operations.
– Transactional applications: processes
and records business transactions
– Supporting applications: facilitate
business activities but generally do not
process transactions

Defining IT
Layer 4 - External Connections
Internet, EDI, and other external networks

Internet
Topics covered in this section include:
– The Internet, Intranets, and Extranets
– Risks of Doing Business on the Internet
– Internet Technologies
– How a Company Connects to the Internet
– Internet Protocol Addressing
– Transmission Control Protocol / Internet Protocol
– Uniform Resource Locator (URL)
– Domain Name System (DNS)
– Web page technologies
– Hypertext Markup Language (HTML)
– Cookies, Java, JavaScript, ActiveX

Internet
The Internet is the largest client/server
distributed computing network in the world.
It is a worldwide network comprising
servers, routers and backbone networks.
The servers provide the information; the
routers direct the messages between the
clients and the servers, and the backbone
network carries the messages between the
clients and the servers.

Intranets and Extranets
Intranet: an intranet is your organization's internal network of clients and servers. It looks like the Internet, but it is an internal network environment.
Extranet: an extranet is the linking of another organization's intranet to your intranet.

Intranet and Extranet
It is critical that extranet connections be controlled through strong firewalls. The firewall must be configured so that only authorized users (your own staff and the partner's named users or systems) can communicate through it, and only to the specific applications and ports they need, with everything else denied by default. Extranets carry the risk of giving "outsiders" access to your internal network and data unless appropriately controlled.

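
The firewall rule the slide asks for is "only authorized sources, only to authorized applications, everything else denied". As an added example (not from the slides, and not tied to any particular firewall product), the code below models such a policy in Python with first-match evaluation, places it beside the any/any permit that auditors frequently find on extranet links, and includes the checks an auditor would apply to a rule set: permits from any source, permits to any port, and the absence of a closing default-deny rule. The partner network uses the RFC 5737 documentation range, and the port assignments are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR the connection may originate from
    dst_port: Optional[int]   # None means any destination port
    comment: str = ""


# Constructed policy for an extranet link to one partner network (assumed values).
# The partner may reach only the EDI gateway (443) and the SFTP drop box (22);
# the final rule refuses everything else.
PARTNER_NET = "203.0.113.0/24"   # RFC 5737 documentation range, not a real partner
PARTNER_POLICY: List[Rule] = [
    Rule("allow", PARTNER_NET, 443, "partner -> EDI gateway (HTTPS)"),
    Rule("allow", PARTNER_NET, 22, "partner -> SFTP drop box"),
    Rule("deny", "0.0.0.0/0", None, "default deny"),
]

# The same link as it is often found in the field: a single any/any permit.
OVERLY_PERMISSIVE_POLICY: List[Rule] = [
    Rule("allow", "0.0.0.0/0", None, "partner access (too broad)"),
]


def evaluate(policy, src_ip, dst_port):
    """First-match evaluation; a policy with no matching rule defaults to deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in policy:
        if ip in ipaddress.ip_network(rule.src) and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"


def audit_policy(policy):
    """Flag what a reviewer would question: any-source or any-port permits,
    and a rule set that does not end in an explicit default deny."""
    findings = []
    for i, rule in enumerate(policy):
        if rule.action != "allow":
            continue
        if ipaddress.ip_network(rule.src).prefixlen == 0:
            findings.append(f"rule {i}: permits any source")
        if rule.dst_port is None:
            findings.append(f"rule {i}: permits any destination port")
    last = policy[-1] if policy else None
    if not (last and last.action == "deny" and last.dst_port is None
            and ipaddress.ip_network(last.src).prefixlen == 0):
        findings.append("policy does not end with an explicit default deny")
    return findings


if __name__ == "__main__":
    # Constructed connection attempts: partner to HTTPS, partner to RDP,
    # a non-partner address to HTTPS.
    for src, port in [("203.0.113.10", 443), ("203.0.113.10", 3389), ("198.51.100.5", 443)]:
        print(src, port, evaluate(PARTNER_POLICY, src, port), evaluate(OVERLY_PERMISSIVE_POLICY, src, port))
    print(audit_policy(PARTNER_POLICY))
    print(audit_policy(OVERLY_PERMISSIVE_POLICY))
```

Real firewalls add protocol, direction, and state to each rule, but the audit questions are the same: who can originate a connection, to what, and does the last rule deny whatever the earlier rules did not explicitly permit.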
IT and Business
• IT only exists to support and further business objectives.

[Figure: a stack with Business Objectives and Business Processes (the business layer) on top of Applications and IT Infrastructure (the IT layer).]


IT and Business
[Figure: Business processes (HR, IT support, Finance, R&D, Purchase, Production, Operations, Marketing, Sales, Services, ...) run on Applications (A, B, C), which run on the IT Infrastructure (Database, Operating System, Network/Physical); IT Management spans the whole IT stack on both sides.]


• Traditional IT structure
• Cloud computing IT architecture
• The relationship between the cloud computing environment and business

Cloud computing IT architecture
[Figure: the same stack mapped to the cloud service models. Business applications (e-commerce, sharing economy, instant messaging, short video) correspond to SaaS; the development platform and system software (OS, DBMS) to PaaS; servers (hardware) and the network to IaaS.]

• Private cloud: built and used by a single (possibly geographically distributed) organization for its own units.
• Public cloud: the organization purchases services from a cloud provider (e.g. Amazon, Alibaba, IBM, Huawei).

IT-related Risks
• What can go wrong?
– Availability
– Integrity
– Confidentiality
– Effectiveness
– Efficiency
– Reliability
• Type of risks
– Pervasive: impact the enterprise as a whole
– Specific risks

IT Risks
IT Management Risks
• Lack of management strategy
• Improper organization design
• Improper human resources policies
• Lack of IT governance
• Lack of IT strategies
• ……

IT Infrastructure Risks
Data Center Physical and Environmental Risks (Network/Physical layer)
• Natural disaster
• Fire
• Flood
• Theft
• Electricity supply interruption
• Inappropriate temperature and humidity
• ......

IT Infrastructure Risks
Network Risks
• Data leakage
• Hackers
• Low transmission rate
• User override
• Network interruption
• Firewall bypass
• ......

IT Infrastructure Risks
OS (server/host) Risks
• Abuse of administrator privileges
• Improper user management
• Application not supported
• Lack of function
• Security vulnerabilities
• ......

IT Infrastructure Risks
Database Risks
• Improper design
• Lack of integrity
• Poor data quality
• Improper roles and users
• Improper user privileges
• Application transactions not supported
• Unreliable operation
• ......

Application Risks
(Application A, Application B, Application C)
• Incorrect application
• Unreasonable process design
• Unreasonable user privileges
• Data input editing errors
• Incorrect data calculation
• Unsafe data output
• ……

External Risks
• External network access risk
• External user privilege risk
• Data consistency problems
• Internet risk
• Cloud computing risk
• ……

Thinking

What are the risks of the cloud computing environment? Especially in the case of purchasing public cloud services.

The benefits of cloud computing are cost saving, efficiency improvement, and focus on the core business.

Buying cloud computing services may cause organizations to lose in-house IT capabilities, and security issues deserve closer attention: the organization remains accountable for its data and its controls even when the provider operates the infrastructure.

IT responsibilities within the organization
Information systems are closely tied to what services companies render, and when and how they render them. Efficiency, accuracy, confidentiality, integrity, control and timeliness depend on information systems more than ever, and increasingly so.

IT responsibilities within the organization
IT systems are the primary artery that allows information to be shared and used, directly or via interfaces, among HR, finance, payroll, legal, public and investor relations, credit, collections, accounts payable, accounts receivable, general ledger, manufacturing, distribution, record retention, fulfillment, project management, physical and logical security, inventory, portals, intranet, extranet, trading partners, business continuity, disaster recovery, external banks, pensions, 401(k), stock options, firewalls, IDS, anti-virus, VPN, telecom, database farms, TMS, data warehouses and many more.

IT responsibilities within the organization
– Primary artery of business units and their support organizations
– Primary control points for business activities: audit trails, historic records of transactions, backup, access and access privileges, segregation of duties, physical and logical security, built-in monitoring and notifications, and what, why, when, where and how business transactions are recorded and stored, and for how long
– Basis of business decisions: business decisions are made and approved/rejected based on the information produced by information systems.

Manage Risks
– Inadequate protection of assets (both physical and information)
– Interruption of business activities and cycles
– Loss of revenue
– Loss of productivity
– Loss of privacy, confidentiality
– Loss of competitive edge
– Lack of data integrity
– Loss of company reputation
– Non-compliance with regulatory or legal requirements
– Inaccurate reporting
– No audit trails
– Business decisions made based on incorrect/inaccurate information – the sin of all sins

Mitigate Security Risks
• 70% of IT risks are related to security risks
• You can NOT eliminate risks – minimize them (with cost in mind)

Mitigate Security Risks
• Physical security – risk arises from the absence or neglect of the following: a security policy, fire alarms, fire extinguishers (including checking for expired ones), sign-in and sign-out controls, a raised floor in the data center, environmental controls, balanced power, an auxiliary power unit (APU, i.e. a generator), an emergency power unit (batteries), the locations of the primary and secondary data centers, data media, and the location of media storage and its policy.

Mitigate Security Risks
• Logical security – security policy, access to application programs and the privileges granted, procedures for entering information, distribution of paper and electronic output, periodic review/monitoring by management, application platforms and their OS, and outdated or unsupported platforms and technologies in use.
• Policies – password policy; creation, approval and removal of users; the logon process; idle/inactive users; generic (shared) system accounts.

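
Several of the policy items on this slide (creation and approval of users, idle and inactive accounts, generic system accounts) reduce to checks over an account listing, and the course's second theme is using IT as an audit tool. The following is an added example, not from the slides: given a constructed CSV export of application accounts with creation date, last logon and approver, it produces the findings of a user access review as of a fixed date: accounts that never logged on or have been idle beyond a 90-day threshold, accounts with no recorded approval, and generic or shared accounts, with a separate finding when such an account also holds a privileged role. The column names, thresholds and the list of generic names are assumptions the reviewer would tune to the system under audit.

```python
import csv
import io
from datetime import date

# Constructed account export (invented data): what an application or directory
# administrator would hand the auditor for a user access review.
ACCOUNT_EXPORT = """\
username,full_name,role,created,last_logon,approved_by,status
alice,Alice Wong,finance_clerk,2023-01-10,2024-03-01,j.chen,active
bob,Bob Li,finance_clerk,2022-06-15,2023-09-20,j.chen,active
carol,Carol Zhang,ap_manager,2021-11-02,2024-03-02,j.chen,active
dave,Dave Xu,dba,2020-05-05,2024-02-28,,active
sysadmin,Shared Admin,dba,2019-01-01,2024-03-01,j.chen,active
temp01,Temp Account,finance_clerk,2023-12-01,,j.chen,active
erin,Erin Liu,ap_manager,2022-02-14,2023-01-05,j.chen,disabled
"""

# Review parameters (assumptions; a real engagement takes them from the policy).
AS_OF = date(2024, 3, 4)
INACTIVE_DAYS = 90
GENERIC_NAMES = {"admin", "sysadmin", "root", "test", "temp", "shared", "guest"}
PRIVILEGED_ROLES = {"dba", "ap_manager"}


def looks_generic(username):
    """'admin2' or 'temp01' count as generic: strip trailing digits before matching."""
    return username.lower().rstrip("0123456789") in GENERIC_NAMES


def parse_date(s):
    """Empty cells (never logged on) become None rather than a parse error."""
    return date.fromisoformat(s) if s else None


def review_accounts(export_text, as_of=AS_OF):
    """Return (username, finding) pairs for every active account that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"] != "active":
            continue  # disabled accounts are out of scope for these tests
        user = row["username"]
        last = parse_date(row["last_logon"])
        if last is None:
            findings.append((user, "never logged on since creation"))
        elif (as_of - last).days > INACTIVE_DAYS:
            findings.append((user, f"inactive for {(as_of - last).days} days"))
        if not row["approved_by"]:
            findings.append((user, "no recorded approval for account creation"))
        if looks_generic(user):
            findings.append((user, "generic/shared account, activity not attributable"))
            if row["role"] in PRIVILEGED_ROLES:
                findings.append((user, "privileged role on a shared account"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNT_EXPORT):
        print(f"{user:10} {finding}")
```

Each finding still needs the business context before it becomes an audit point (a service account that never logs on interactively is normal; a shared account with DBA rights rarely is), but producing the list mechanically is what makes a review of thousands of accounts repeatable.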
Common IT Risks
• IT Governance
• IT Project Risks
• Information Security Management
• Identity and Access Management
• Conforming to Assurance and Compliance Standards
• Privacy Management
• Disaster Recovery Planning & Business Continuity
• IT Outsourcing

Translating IT risk into business impact

Group Practice
1. Set up your own company. Create an IT
environment to support your business units.
2. List the potential IT risks in the four layers
• IT management
• Infrastructure
• Application systems
• External connections

40 minutes

The Needs for IT Auditing
Three main drivers:
1. As organizations become more dependent
on IT, IT presents a higher risk to those
organizations
2. As organizations become more automated
via technology, more internal controls are
systematically driven
3. IT controls have not traditionally been
focused on by organizations

Reference

• GTAG 4 – Management of IT Auditing, The Institute of Internal Auditors (IIA)
