Computer Audit Update
November 1995

Chris Nelms MSc, BSc(Econ), FCA, CISA is Computer Audit Manager with MEPC plc. Having trained with what are now KPMG, he has over a dozen years' experience in computer audit and writes regularly on computer audit matters.

CONFERENCE REPORT

CHANGING TIMES FOR COMPUTER AUDITORS - COMPACS '95

COMPACS '95, the Institute of Internal Auditors' 19th annual conference on computer audit, control and security, offered day themes based on computer fraud and abuse, client server and distributed systems and 'hot topics for the 90s', but a recurring theme throughout the conference was change and its impact on the internal auditor.

Changes in systems

Stephen Ross of Deloitte and Touche, New York, considered the impact of client server technology now and in the future. In this approach, he stressed, end users form part of a complex structure of networked systems, and play an important role in systems developments. He described the technologies and hardware/software platforms applicable to client server systems environments and highlighted the possibilities for change that this brings in terms of downsizing operations, improving systems and empowering end users.

However, client server also presents a variety of new risks, since the technologies are complex, the speed of change is fast and businesses are introducing mission critical application systems. Auditors must consider the new risks in this approach to ensure that information is processed completely and accurately and that networked systems preserve the continuity, integrity and confidentiality of information.

Stash Jarocki of Citibank considered the impact of local area networks (LANs) on an audit review of security and on disaster recovery planning. Jarocki pointed out that the objective of LANs was to promote access to data rather than deter it and that security was not an integral feature of the approach. Key risks and exposures to be addressed would include: the threat of a loss of control caused by the unrestrained growth and diverse architectures and topologies; increasing complexity caused by numerous multipurpose work stations, and worldwide connectivity; dispersion of diverse owners and systems caused by client server and distributed systems; a lack of planning, which can result in a lack of interoperability; threats from hackers, viruses, malicious acts or vengeance, computer related fraud, data errors and data corruption.

There would need to be a set of baseline security controls, supplemented by systems specific controls and proper management processes. Amongst the elements which would need to be considered would be: network availability; physical controls to ensure proper identification and authentication of users; communications controls to ensure data integrity and confidentiality; security and control over the file server and storage devices; virus protection by user education and improved working practices; full documentation of the network and its components, covering the physical topology of the network and the application and operating systems on the network. Audit would need to specifically address all of these issues in a security review to ensure that controls were established to deal with them.

On disaster recovery, Jarocki highlighted the issue that the increasing use of integrated products from different vendors of computing technology made it less easy to achieve business continuity and disaster recovery. Organizations needed to adopt a standard approach to disaster planning strategies, in terms of assessing the risks and developing alternative processing facilities. Particular attention would need to be paid to the additional risks caused by operating in a networked environment. The complex and multi-vendor nature of local area networks makes it vitally important to identify fully the hardware, software, physical links and information to be protected, and carefully to analyse this and plan for recovery from a failure of any part of the distributed system. Documentation of the network, the backup procedures and the recovery procedures must be comprehensive but easy to follow. The whole system needs to be regularly tested, assuming different types of failure.

Changes in fraud and abuse

Chris Hurford, Associate Director of District Audit, considered change of a different kind in reviewing the results of the fifth survey of computer fraud and abuse conducted by the Audit Commission. This revealed increasing levels of crime and abuse including: a three-fold increase in the number of overall reported incidents over the three years between surveys; an almost five-fold increase in virus infections; unauthorized disclosure of personal data being reported for the first time; an almost eight-fold rise in the use of illicit software; a four-fold increase in instances of unauthorised private work; and a 183% increase in the total value of reported incidents. The survey also revealed, however, that nearly a quarter of organizations had no internal audit and about a half had no specific computer audit skills. Two-thirds of organizations had no security awareness training in place and four-fifths practised no risk analysis.

Hurford pointed out that risks to data arose from the new types of computing environment, with LANs managed locally and control passing downwards through the management structure. In many organizations, as responsibility is devolved from the centre towards the point of service delivery, local management may be unaware of the need to protect their systems, imagining that the centre still retains control. The overall lesson of the survey reminds managers that they have a responsibility to exercise better control over procedures inhibiting computer abuse - and it is probably more of a people issue than a technology issue.

Dennis Willetts, Head of Communications Security at British Telecom, highlighted the changes taking place in frauds involving the exploitation of security weaknesses in companies' PABX systems to make free international and long distance calls, and the increasing problem of charge card abuse.

Changes in audit approaches

Ed Hutt of Coopers & Lybrand assessed the impact of rapid application development approaches on systems development. The benefits from these approaches include improved development and implementation speeds, better software maintainability in the longer term and reduced long-term costs. He warned that internal auditors would need to adapt their approach to avoid criticisms that:

- auditors do not fully understand rapid application development approaches and do not therefore find it easy to identify and address the key issues;
- they try to enforce traditional systems development approaches over the reduced life cycle, instead of assessing the new risks to the business processes and adapting their audits accordingly;
- they may slow the development down by not adopting a timely approach.

Ken Lindup of SRI was concerned that internal auditors were failing to adapt to changing situations. He warned that many auditors were still using the same audit principles that they had done for years, without recognizing that new technologies changed risks. Others were afraid to implement new technologies because they maintained old fashioned views on security. He argued that technology changes had brought significant computing power to organizations and to auditors. Within organizations, this has led to an explosion of client-server based systems architectures, which remove the need for an expensive mainframe protected by the security perimeter of a computer centre. But this leads to a loss of centralized control over program change procedures, making traditional systems development and software change reviews impossible to carry out. Corporate information is also now distributed across organizations, leading to the scope for confusion on data ownership. Traditionally, ownership of data was a simple issue, probably allocated to the head of a department, who was responsible for saying who should have access to data and under what conditions. Identifying ownership becomes more difficult in a modern environment, and the most important information has ceased to be transaction based, and takes the form of decision support information gathered together from a variety of sources.

In mainframe systems, organizations could have strong controls over change to data. In today's distributed corporate organizations, there were many points within the organization at which data might be changed: by end user applications, by staff working externally, in hotel rooms, and in a transient way by the uses of spreadsheets. These new risks require fresh thinking from auditors, who will need to consider what new audit principles, tools and methods are needed to deal with this changing world. He warned, "If auditors do not change, like the dinosaurs, they will ultimately become extinct."

John Mitchell's presentation had the most intriguing title of the conference - The Dragon, the Lion and the Unicorn - but the message on the changing world of internal audit was simple. He reviewed the history of internal auditing and the development and role of computer auditors. Their traditional approach had been to highlight to management the latest risks to business. He stressed this by saying, "We scared them with multitasking operating systems and we scared them even more with real-time systems, but now we can have a real field day with such fairy tale items as object oriented programming, client server networks, EDI and that most fearsome ogre of them all, the Internet". But his key message was that many of the disasters in businesses were not technical issues, but failures caused by management or by human weaknesses, and he urged internal auditors to help managers to understand risks and controls, and management's responsibilities for control. If managers could be persuaded to carry out a control self-assessment process, this would bring immense benefits to the business. The impact of this is to change the role of the auditor from policing to educating, and this requires auditors to understand the business and explain exposure, risk and control in a meaningful way to managers.

David F Bentley

©1995 Elsevier Science Ltd

BOOK REVIEW

A Glossary of Computing Terms (8th Edition). British Computer Society. Longman, UK. ISBN 0-582-27544-X, £8.99.

In the perpetually changing world of Information Technology finding a useful and up-to-date reference guide to terminology can be