
Technology and Security

Risk Services

Session 15
Financial Audit - IT Audit Integration and
Security Management

for Universitas Padjadjaran


EDP Audit – S1 Accounting, 07 December 2022
IS Audit Syllabus
1. Introduction of IS Audit
2. IT Environment
3. IT Process
4. General Computer Control Review (1)
5. Public Lecture (IT Governance)
6. General Computer Control Review (2)
7. General Computer Control Case Study
8. Mid-semester Exam
9. Application Control Review (1)
10. Application Control Review (2)
11. Financial Audit – IT Audit Integration & Security Management
12. ERP Systems
13. Final Exam


Financial Audit – IT Audit Integration
Module Objectives

• Understand the relations between financial audit and IT audit
• Understand Security Management
Relation with Financial Audit

• IT audit supports the financial audit because at present computers are used extensively to process data and to provide information for decision making, so that a traditional/manual audit engagement is not adequate to cover sophisticated information technology.
Risks and Audit Risk

RISK definition (ISO, the International Organization for Standardization):
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to the assets

AUDIT RISK definition:
The risk of an auditor failing to detect actual or potential material losses or account misstatements at the conclusion of the audit
Types of Audit Risk
• Inherent Risk
Reflects the likelihood that a material loss or account misstatement exists in some segment of the audit before the reliability of internal control is considered
• Control Risk
Reflects the likelihood that internal controls in some segment will not prevent, detect or correct material loss or account misstatement
• Detection Risk
Reflects the likelihood that the audit procedures used in some segments of the audit will fail to detect material loss or account misstatement
Classification of Controls
• Preventive control
– Prevent an error, omission or malicious act from occurring
– Deter problems before they arise
– Attempt to predict potential problems before they occur and make adjustments (feed-forward controls)
• Detective control
– Detect that an error, omission or malicious act has occurred and report the occurrence
• Corrective Control
– Identify the cause of the problem
– Correct errors arising from a problem
– Remedy problems discovered by detective controls
– Modify the processing system to minimize future occurrences of the problem
– Minimize the impact of a threat
Audit Strategy

• Our audit strategy is the level of auditing we will perform to maintain an acceptable level of audit risk.

AUDIT RISK = INHERENT RISK X CONTROL RISK X DETECTION RISK

The slide annotates each term of the model:
– Audit Risk: risk that our conclusions are inaccurate and engagement objectives are not met
– Inherent Risk: nature of the account/business
– Control Risk: effectiveness of clients' controls
– Detection Risk: level of auditing we perform
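As an added worked example (not part of the lecture slides), the following Python encodes the audit risk model above together with the rely-on-controls decision: given an acceptable audit risk and the assessed inherent and control risk, it solves for the detection risk the audit procedures may leave and maps that onto the extent of substantive testing named on the slides. The risk values and the 0.2/0.5 cut-offs are constructed assumptions for illustration, not audit standards.

```python
"""Worked example of the audit risk model:
AUDIT RISK = INHERENT RISK x CONTROL RISK x DETECTION RISK.
Added illustration, not from the lecture; the risk values and the
thresholds that map detection risk to an extent of substantive testing
are constructed assumptions, not audit standards."""

from typing import Dict


def _check_probability(name: str, value: float) -> None:
    """Each risk component is treated as a probability in (0, 1]."""
    if not 0.0 < value <= 1.0:
        raise ValueError(f"{name} must be in (0, 1], got {value}")


def allowable_detection_risk(audit_risk: float, inherent_risk: float,
                             control_risk: float) -> float:
    """Solve the model for detection risk: DR = AR / (IR x CR).

    The auditor sets the acceptable audit risk (AR); IR and CR are assessed
    from the client. What remains is how much detection risk the audit
    procedures may leave, capped at 1.0 (no detection effort at all)."""
    _check_probability("audit_risk", audit_risk)
    _check_probability("inherent_risk", inherent_risk)
    _check_probability("control_risk", control_risk)
    return min(1.0, audit_risk / (inherent_risk * control_risk))


def substantive_testing_extent(detection_risk: float) -> str:
    """Map allowable detection risk to the testing levels named on the slides.

    Lower allowable DR means the substantive procedures must be more
    extensive. The cut-offs (0.2 and 0.5) are assumptions for illustration."""
    if detection_risk < 0.2:
        return "extended"
    if detection_risk < 0.5:
        return "standard"
    return "limited"


def plan_strategy(audit_risk: float, inherent_risk: float,
                  assessed_control_risk: float,
                  controls_tested_effective: bool) -> Dict[str, object]:
    """Decide the strategy the way the slide's flow does.

    If controls were tested and found effective, the assessed control risk
    is used; otherwise control risk is taken at its maximum (1.0), which is
    the 'do not rely on controls' branch and forces more substantive testing."""
    control_risk = assessed_control_risk if controls_tested_effective else 1.0
    dr = allowable_detection_risk(audit_risk, inherent_risk, control_risk)
    return {
        "rely_on_controls": controls_tested_effective,
        "control_risk_used": control_risk,
        "allowable_detection_risk": round(dr, 4),
        "substantive_testing": substantive_testing_extent(dr),
    }


if __name__ == "__main__":
    # Constructed example: acceptable audit risk 5%, a high-inherent-risk
    # account (0.8), with controls assessed at 0.25 when they are relied upon.
    for relied in (True, False):
        print(plan_strategy(0.05, 0.8, 0.25, relied))
```

With the constructed values, relying on tested controls leaves an allowable detection risk of 0.25 (standard substantive testing); not relying on them leaves only 0.0625, which is why the flowchart's "No" branch leads to extended substantive testing.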
How IT Impacts the Audit Strategy

AUDIT RISK = INHERENT RISK X CONTROL RISK X DETECTION RISK
– Inherent Risk: nature of the account/business
– Control Risk: effectiveness of clients' controls
– Detection Risk: level of auditing we perform

(Slide diagram: nested layers, from the financial statement accounts at the centre outwards, each layer surrounded by clients' controls)
– Financial Statement Accounts
– Specific Business Processes
– Specific Computing Applications
– General IT Processes
Who Determines What?

(Slide diagram: the same nested layers, with the team responsible for each)
– Financial Statement Accounts: Financial Statement Audit Team
– Specific Business Processes: Audit Team / IT Auditor
– Specific Computing Applications and General IT Processes: IT Auditor
Flowchart of major steps in an Audit

(Slide flowchart, rendered as steps)
START
1. Preliminary audit work
2. Obtain understanding of control structure
3. Assess control risk
4. Rely on control?
– No: extended substantive testing, then form audit opinion and issue report (STOP)
– Yes: test of controls, then re-assess control risk
5. Still rely on control?
– No: extended substantive testing, then form audit opinion and issue report (STOP)
– Yes: increase reliance on control?
  – Yes: return to test of controls
  – No: limited substantive testing, then form audit opinion and issue report (STOP)

Annotation on the slide: When does IT audit get involved?
Types of work in financial audit
GCR (General Computer Controls Review)
– Risk assessment for IT organisation, security, acquisition, development and maintenance, and computer operations
ACR (Application Controls Review)
– Evaluation of controls in computerised business applications, e.g. a review of the Jakarta Automated Trading System at the Jakarta Stock Exchange
Special review of IT functions
– This includes both general and application controls. Leading practice implements COBIT, the generally accepted IT control principles, which are designed to focus on processes rather than on divisions/units.
Old vs. New: The Big Picture

(Slide diagram: two stacks of layers)
– Status quo: IT Environment → IT General Controls → Application Controls
– Future state vision: IT Environment → Application Controls → IT General Controls
Two Parts of IT-Related Work: The Big Picture
1. The IT Environment – Combined Risk Assessment
• Identify business and inherent risks
• Value observation
• Impact on internal control at entity level
• Regulatory requirements
2. Application and IT General Controls
• Focus on controls (including IT-dependent manual controls) that deal with control risk for each relevant assertion relating to the significant accounts
First Part: IT Environment

(Slide diagram: the IT Environment layer highlighted, with Application Controls and IT General Controls beneath it)
Second Part – Application and IT General Controls
• Top-down approach
– We always have to understand RISK in an automated process
– Limit IT General Control (ITGC) work to the relevant controls that relate to the effectiveness of application controls
– If we test application controls, we need to test the related ITGC
– If we choose not to test the application controls, we only walk through IT general controls

(Slide diagram: IT Environment, Application Controls and IT General Controls, with the latter two highlighted)
Classification of Controls

(Slide diagram)
– Manual Controls: (purely) manual controls; IT-dependent manual controls
– Automated Controls: application controls
– IT General Controls assure the functioning of the IT-dependent manual controls and the application controls
Flowchart of steps in an IT Audit

(Slide flowchart, rendered as steps)
1. Identify & walk through application controls (AppCon). Effective?
– No: cannot rely on application controls
– Yes: evaluate IT general controls (GenCon)
2. Evaluate IT GenCon?
– Yes: identify & walk through GenCon. Effective?
  – Yes: test IT general controls. Effective? Yes → step 3; No → identify & walk through other or compensating control (below)
  – No: identify & walk through other or compensating control (below)
– No: identify & walk through other or compensating control. Effective?
  – Yes: test other or compensating control. Effective? Yes → step 3; No → cannot rely on application controls
  – No: cannot rely on application controls
3. Test application controls. Effective?
– Yes: rely on application controls
– No: cannot rely on application controls

Question and Answer

Security Management Practice

Topics to be covered
• Change control
• Data classification
• Employment policies & practices
• InfoSec policies
• Risk management
• Roles and responsibilities
• Security awareness training
• Security management planning

Change control & management
• Why is change control & change management a
security issue?
– Many businesses live or die on data integrity
– Changes can break a security model
– Modifying system breaks warranty
– Gartner Group analyst recently stated that a rogue Y2K
programmer can cause $1B in potential losses
• Needed since change requester does not
understand the security implications of their request
• Security administrator must analyze and assess
carefully the impact to the system

Change control & management
• For change control & management to work,
you must have:
– Copies of the software, for comparison use or
database generation
– Secure infrastructure. Software must be securely
stored on physically protected media. If an intruder
can get root, and change the golden copies, then the
change control tools will be ineffective.

Change control & management
• Hardware
– Disks, peripherals
– Device drivers
– BIOS
• Application and operating systems software
– Upgrades
– Service packs, patches, fixes
– Changes to the firewall rulebase/proxies
– NLM’s
– Router software

Change control & management

• Policies, procedures and processes
– Develop policies that will stabilize the production processing environment by controlling all changes made to it
– Formal change control processes will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner
– Promptly implement security patches, command scripts, & similar from vendors.
– Have procedures for roll-back to prior versions in case of problems
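The slides say change control needs copies of the software for comparison use, stored on protected media, so that unauthorized changes can be detected. As an added example (not from the lecture), the following Python builds a SHA-256 manifest of a "golden" tree and compares a production tree against it, reporting modified, added and removed files. The directory names, file names and contents are constructed for the demonstration.

```python
"""Integrity baseline for change control: compare production files against
'golden copies'. Added example, not from the lecture; the files, paths and
contents are constructed for illustration."""

import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = file_digest(path)
    return manifest


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report every deviation from the baseline: changed, new and missing files."""
    return {
        "modified": sorted(k for k in baseline
                           if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> Dict[str, List[str]]:
    """Build golden copies and a production tree, then detect unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        production = Path(tmp) / "production"
        # Constructed sample content, identical in both trees to start with.
        for tree in (golden, production):
            (tree / "etc").mkdir(parents=True)
            (tree / "bin").mkdir()
            (tree / "etc" / "firewall.rules").write_text(
                "permit tcp any host 10.0.0.5 eq 443\n")
            (tree / "bin" / "batch-post").write_bytes(b"constructed-binary-v1")
        # In practice the baseline manifest lives on protected media.
        baseline = build_manifest(golden)

        # Simulate changes made outside the change control process.
        with (production / "etc" / "firewall.rules").open("a") as rules:
            rules.write("permit ip any any\n")  # unreviewed rule appended
        (production / "bin" / "batch-post").unlink()  # approved binary removed
        (production / "bin" / "batch-post-new").write_bytes(b"constructed-binary-v2")

        return compare_manifests(baseline, build_manifest(production))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline: as the slide notes, if an intruder can alter the golden copies, the manifest will simply agree with the tampered production files, so the baseline must be kept where production administrators cannot write to it.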
Data classification
• Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
• A multi-level security policy has 4 classifications:
– Top Secret
– Secret
– Confidential
– Unclassified
• Other levels in use are:
– Eyes only
– Officers only
– Company confidential
– Public
Data classification benefits
• Data confidentiality, integrity & availability are
improved since appropriate controls are used
throughout the enterprise
• Protection mechanisms are maximized
• A process exists to review the values of
company business data
• Decision quality is increased since the quality
of the data upon which the decision is being
made has been improved

Data classification
• Top Secret - applies to the most sensitive business information which
is intended strictly for use within the organization. Unauthorized
disclosure could seriously and adversely impact the company,
stockholders, business partners, and/or its customers
• Secret - Applies to less sensitive business information which is
intended for use within a company. Unauthorized disclosure could
adversely impact the company, its stockholders, its business partners,
and/or its customers
• Confidential - Applies to personal information which is intended for
use within the company. Unauthorized disclosure could adversely
impact the company and/or its employees
• Unclassified - Applies to all other information which does not clearly
fit into any of the above three classifications. Unauthorized disclosure
isn’t expected to seriously or adversely impact the company

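To show how the four classification levels drive a mandatory access control decision, here is an added Python example (not from the lecture). It orders the levels, decides read and write requests with the "no read up" and "no write down" properties of the Bell-LaPadula model (which the slides do not name; it is assumed here as the reference multi-level policy), and rejects objects that carry no classification label instead of treating them as Unclassified. Subjects, objects and requests are constructed.

```python
"""Mandatory access control over the four classification levels on the
slides. Added example, not from the lecture. The access rules are the
'no read up' and 'no write down' properties of the Bell-LaPadula model,
which the slides do not name; subjects and objects are constructed."""

from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    """Total order of the multi-level policy; higher value = more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def parse_label(text: Optional[str]) -> Level:
    """Turn a label string into a Level. Unlabeled material is rejected
    rather than silently treated as Unclassified (slide: non-public
    material must carry a classification label)."""
    if text is None or not text.strip():
        raise ValueError("object has no classification label")
    key = text.strip().upper().replace(" ", "_")
    try:
        return Level[key]
    except KeyError:
        raise ValueError(f"unknown classification label: {text!r}") from None


def can_read(clearance: Level, label: Level) -> bool:
    """Simple security property: read only at or below your clearance."""
    return clearance >= label


def can_write(clearance: Level, label: Level) -> bool:
    """Star property: write only at or above your clearance, so Secret
    content cannot be copied into an Unclassified file."""
    return label >= clearance


def check_access(subject: str, clearance: str, obj: str,
                 label: Optional[str], mode: str) -> Tuple[bool, str]:
    """Decide one access request and produce an audit-log line for it."""
    subj_level = parse_label(clearance)
    obj_level = parse_label(label)
    if mode == "read":
        allowed = can_read(subj_level, obj_level)
    elif mode == "write":
        allowed = can_write(subj_level, obj_level)
    else:
        raise ValueError(f"unsupported access mode: {mode}")
    verdict = "ALLOW" if allowed else "DENY"
    return allowed, f"{verdict} {subject}({subj_level.name}) {mode} {obj}({obj_level.name})"


def run_requests(requests: List[Tuple[str, str, str, Optional[str], str]]) -> List[str]:
    """Evaluate a batch of requests; unlabeled objects are logged as errors."""
    log = []
    for subject, clearance, obj, label, mode in requests:
        try:
            log.append(check_access(subject, clearance, obj, label, mode)[1])
        except ValueError as err:
            log.append(f"ERROR {subject} {mode} {obj}: {err}")
    return log


if __name__ == "__main__":
    # Constructed requests: (subject, clearance, object, object label, mode)
    for line in run_requests([
        ("alice", "Secret", "quarterly-forecast", "Confidential", "read"),
        ("alice", "Secret", "merger-plan", "Top Secret", "read"),
        ("alice", "Secret", "public-notice", "Unclassified", "write"),
        ("bob", "Confidential", "backup-tape-17", None, "read"),
    ]):
        print(line)
```

The write rule is the part practitioners most often leave out: allowing a Secret-cleared user to write into an Unclassified object is exactly the path by which sensitive data leaks into less protected storage, which is why the example denies it.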
Misc. data classification issues
• In a commercial setting, responsibility for assigning data
classification labels is on the person who created or updated
the information
• With the exception of general business correspondence, all
externally-provided information which is not public in nature
must have a data classification system label.
• All tape reels, floppy disks and other computer storage media
containing secret, confidential, or private information must be
externally labelled with the appropriate sensitivity
classification
• Holders of sensitive information must take appropriate steps
to ensure that these materials are not available to
unauthorized persons.

Employment policies & practices
• Background checks/security clearances
• Checking public records provides critical
information needed to make the best hiring
decision.
• Conducting these often simple checks
verifies the information provided on the
application is current and true, and gives the
employer an immediate measurement of an
applicant’s integrity.

Background checks
What a background check can potentially prevent:
– lawsuits from terminated employees
– lawsuits from 3rd parties or customers for negligent hiring
– unqualified employees
– lost business and profits
– time wasted recruiting, hiring and training
– theft, embezzlement or property damage
– money lost (to recruiters' fees, signing bonuses)
– negligent hiring lawsuits
– decrease in employee morale
– workplace violence, or sexual harassment suits
Background checks
• What can be checked for an applicant:

– Credit Report
– Workers Compensation Reports
– Criminal Records
– Motor Vehicle Report
– Education Verification & Credential Confirmation
– Reference Checks
– Prior Employer Verification

Employment agreement

• Non-compete
• Non-disclosure
• Restrictions on dissemination of corporate information, e.g., to the press, analysts, law enforcement
Separation of duties
• The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use
• No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work
Separation of duties

• Separate:
– development/production
– security/audit
– accounts payable/accounts receivable
– encryption key management/changing of keys

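The two separation-of-duties slides above can be checked mechanically against a role assignment list. The following Python is an added example (not from the lecture): it encodes the conflicting pairs the slide names as a toxic-combination table, reports every user who holds both halves of a pair, refuses self-approval, and offers a preventive check to run before a new duty is granted. The user names and assignments are constructed.

```python
"""Separation-of-duties check over role assignments, using the conflicting
pairs listed on the slide. Added example, not from the lecture; the users,
duties and assignments are constructed."""

from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Pairs of duties the slide says must be held by different people.
CONFLICTING_DUTIES: Set[FrozenSet[str]] = {
    frozenset({"development", "production"}),
    frozenset({"security", "audit"}),
    frozenset({"accounts_payable", "accounts_receivable"}),
    frozenset({"key_management", "key_change"}),
}


def sod_violations(assignments: Dict[str, Set[str]],
                   conflicts: Set[FrozenSet[str]] = CONFLICTING_DUTIES
                   ) -> List[Tuple[str, str, str]]:
    """Detective check: (user, duty_a, duty_b) for every user holding a
    conflicting pair. Pairs are tested regardless of order."""
    found = []
    for user, duties in sorted(assignments.items()):
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in conflicts:
                found.append((user, a, b))
    return found


def approval_allowed(submitter: str, approver: str) -> bool:
    """A single person must not approve their own work."""
    return submitter != approver


def would_create_conflict(assignments: Dict[str, Set[str]], user: str,
                          new_duty: str,
                          conflicts: Set[FrozenSet[str]] = CONFLICTING_DUTIES
                          ) -> List[str]:
    """Preventive check used when granting a duty: the existing duties of
    `user` that conflict with `new_duty` (empty list means safe to grant)."""
    current = assignments.get(user, set())
    return sorted(d for d in current if frozenset({d, new_duty}) in conflicts)


if __name__ == "__main__":
    # Constructed assignments
    sample = {
        "dana": {"development", "production"},
        "erin": {"accounts_payable"},
        "femi": {"security", "audit", "production"},
    }
    print(sod_violations(sample))
    print(would_create_conflict(sample, "erin", "accounts_receivable"))
    print(approval_allowed("erin", "erin"))
```

Running the detective check periodically over the live role list catches conflicts that accumulate through job changes, while the preventive check belongs in the access-request workflow so a conflicting grant is stopped before it exists.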
Information security policies

• Policy is perhaps the most crucial element in a corporate information security infrastructure
• Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”
• Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults
Information security policies

• Benefits:
– Ensure systems are utilized in the manner intended
– Ensure users understand their roles & responsibilities
– Control legal liability
Information security policies
• Components of an effective policy/what should
be included in an effective policy:
– Title
– Purpose
– Authorizing individual
– Author/sponsor
– Reference to other policies
– Scope
– Measurement expectations
– Exception process
– Accountability
– Effective/expiration dates
– Definitions

Information security policies
• How to ensure that policies are understood:
– Jargon-free/non-technical language
– Rather than “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.
• Responsibility for compliance
– Users must understand the magnitude & significance of the policy. “I thought this policy didn’t apply to me” should never be heard.
Information security policies

• How should policies be disseminated?
– New hires should get hard copies at orientation
– Rehires should go through orientation
– Hard copies
– Web/corporate intranet
– Brochures
– Videos
– Posters
– e-mail/voice-mail
Risk management

• Security risks start the moment the power is turned on, and the only way to deal with them is via risk management
• Risks can be identified & reduced, but never eliminated
• No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money
• People are usually cheaper & easier to compromise than advanced technological safeguards
Risk assessment
• Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed
• A risk assessment answers 3 fundamental questions:
– Identify assets - What am I trying to protect?
– Identify threats - What do I need to protect against?
– Calculate risks - How much time, effort & money am I willing to expend to obtain adequate protection?
• After risks are determined, you can then develop the policies & procedures needed to reduce the risks
Security awareness

• Must be driven from the top down
• Must be comprehensive, all the way down to the floppy & hard copies
• Education
– Hard copies
– Web-based
– Training & education
Security management planning
Identify costs
– Initial investment
– ongoing costs

Identify benefits
– Help Desk reduction
– Common data locations
– Reduced Remote Access costs
– Improve Business Partner access
– Enhanced public perception
– Ernst & Young Cyberprocess Certification

Security management planning

Identify potential losses if security is not properly implemented
– Trade secrets
– confidential information
– personal e-mail
– adverse publicity
– viruses, worms, malicious Java and ActiveX applications
– denial of service
– hard drive reformats, router reconfigurations
– M&A
– financials
– hacked web pages
– breach of Human Resources information

Question and Answer

Thank You