Vol. 9, No. 12, Page 5

THE ROLE OF THE COMPUTER AUDITOR
Computer fraud cases are being reported with increasing regularity. Not so well reported are the many instances where companies and other organizations lose large amounts of resources due to inadequately-controlled computing developments and operations. Such losses can include abortive development costs, ill-advised hardware and software purchases, or loss of operational data due to poor operating practices. The costs of reconstituting data can be very high, both in cash terms and in the impact on the activities of the business. One of the most effective ways of minimizing the risks associated with all of the above problems is to employ the services of a qualified computer auditor. Computer auditors are a new breed of professional who have arrived at their specialization usually from one of two sources - internal audit or computing branches. Computer auditing is still largely seen as an extension of the internal auditing function and indeed its objectives are covered by the same definition applying to internal audit, namely to report to management on the economic and efficient use of the organization's resources, to ensure that management's policies are appropriate and are being implemented, and to ensure that the organization's assets are being properly safeguarded. In many cases, external auditors rely considerably on the work undertaken by internal auditors, and increasingly by computer auditors.

Computer security
The concept of computer security extends much wider than merely installing special locks on the doors to the computer room. Computer auditors would expect to see management commitment to secure practices throughout the whole of a computing branch, from development through to production. The old adage "prevention is better than cure" still applies and part of the preventative process is the establishment of an effective computer audit function.

Areas covered by computer audit

These conveniently fall into four broad headings:

- Development of systems
- Installations
- Existing systems
- Assistance to conventional audit.

Development of systems
The system development life-cycle has a number of points at which control must be exercised. The computer auditor's role is to ensure that each development taking place is being undertaken in a controlled manner and that proper decision-making processes have been gone through at the individual checkpoints. These extend as far back as the original feasibility study, through cost-benefit analysis, user requirement, system specification, programming, system testing, user testing, implementation and also the post-implementation review. A particularly cost-effective use of computer auditors is to include them as part of the development team for large projects, and to regularly consult with them during smaller projects. Specific points of control that need to be incorporated in systems under development may not be identified by users or by computing development staff until it is too late. This can result in a very expensive re-write, or more often in the particular control being omitted. A computer auditor can highlight such omissions at a much earlier stage when the cost of inclusion is negligible but the subsequent benefits are considerable.

© 1987 Elsevier Science Publishers B.V., Amsterdam./87/$0.00 + 2.20 No part of this publication may be reproduced, stored in a retrieval system, or transmitted by any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the publishers. (Readers in the U.S.A. - please see special regulations listed on back cover.)

Installations

The audit of an installation can cover a very wide range of activities, obviously dependent on the individual installation. There are, however, common threads running through that a computer auditor would wish to examine. These include the management of the installation itself, the division of duties between data preparation, data control, operations, system software control and maintenance, and in an increasing number of cases, the control over databases. Additional areas which are becoming very important from a system security and a data security point of view are the use and control of networks and telecommunications. It is important that a computer auditor should be able to assure himself that the operation of a network is being undertaken in a properly supervised manner and that no unauthorized activity can or has taken place. Part of the auditor's work in this area will be to examine the use made of network control utilities, how network accesses are controlled, and also what evidence there is of such control being exercised. It can be a distinct advantage for an installation to be audited by a third party because in many installations there are a number of areas which do not fall directly under the responsibility of the computer installation management; for example, the operation, maintenance and repair of air-conditioning equipment or fire detection equipment.
In some cases, the access to the operations area is governed by a system administered by a separate department, e.g. house management or site services etc. The computer auditor usually has wide enough authority to examine these areas where they impinge on the overall operation of the computing installation. As mentioned earlier, prevention is better than cure, and it can be of benefit both to audit and more particularly to computing management if computer auditors are consulted when a new installation is being contemplated. An objective viewpoint, combined with the practical experience of having seen other installations and their problems, can provide computing management with specific recommendations on security aspects which might not otherwise have been considered. An area of computer operations which has traditionally been difficult to assess is the use and control over system software and user access control. A number of tools are being developed which enable the computer auditor to interrogate system software to obtain details such as access levels pertaining to specific users or whether options are in force which may enable certain users to avoid control procedures.
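The installation checks described above (division of duties, access levels per user, and options that let a user avoid control procedures) can be run mechanically once the listing has been extracted from the system software. The script below is an added example and is not code from the article or from any of the tools it mentions; the account listing, the option names BYPASS_ACCESS_CHECK and AUDIT_TRAIL_OFF, and the list of conflicting duty pairs are all constructed assumptions.

```python
"""Added example (not from the article): audit a constructed user/privilege
listing for access levels, control-bypassing options and segregation of
duties between the installation functions the article names."""

from itertools import combinations

# Constructed sample listing, one record per account, in the shape a
# system-software interrogation tool might report it (assumed layout).
ACCOUNTS = [
    {"user": "jsmith", "duties": ["data_preparation"],                 "level": "user",     "options": []},
    {"user": "dctl01", "duties": ["data_control"],                     "level": "user",     "options": []},
    {"user": "ops02",  "duties": ["operations"],                       "level": "operator", "options": ["BYPASS_ACCESS_CHECK"]},
    {"user": "sysp1",  "duties": ["system_software"],                  "level": "system",   "options": ["AUDIT_TRAIL_OFF"]},
    {"user": "dba1",   "duties": ["database", "operations"],           "level": "system",   "options": []},
    {"user": "temp9",  "duties": ["data_preparation", "data_control"], "level": "user",     "options": []},
]

# Hypothetical option names that would let a user avoid control procedures.
BYPASS_OPTIONS = {"BYPASS_ACCESS_CHECK", "AUDIT_TRAIL_OFF"}

# Assumed incompatible duty pairs, drawn from the functions the article says
# should be divided: data preparation, data control, operations, system
# software control and maintenance, and databases.
CONFLICTING_DUTIES = {
    frozenset({"data_preparation", "data_control"}),
    frozenset({"operations", "system_software"}),
    frozenset({"operations", "database"}),
    frozenset({"system_software", "database"}),
}


def access_levels(accounts):
    """Map each user to the access level reported for the account."""
    return {a["user"]: a["level"] for a in accounts}


def bypass_findings(accounts, bypass_options=BYPASS_OPTIONS):
    """List (user, option) pairs where a control-avoiding option is in force."""
    return [(a["user"], opt)
            for a in accounts
            for opt in a["options"]
            if opt in bypass_options]


def segregation_findings(accounts, conflicts=CONFLICTING_DUTIES):
    """List (user, duty_a, duty_b) where one account holds conflicting duties."""
    findings = []
    for a in accounts:
        for d1, d2 in combinations(sorted(a["duties"]), 2):
            if frozenset({d1, d2}) in conflicts:
                findings.append((a["user"], d1, d2))
    return findings


def audit_installation(accounts):
    """Assemble the evidence an auditor would record in the working papers."""
    return {
        "access_levels": access_levels(accounts),
        "bypass": bypass_findings(accounts),
        "segregation": segregation_findings(accounts),
        "system_level_users": sorted(a["user"] for a in accounts if a["level"] == "system"),
    }


if __name__ == "__main__":
    for key, value in audit_installation(ACCOUNTS).items():
        print(f"{key}: {value}")
```

Each finding names the account and the specific option or duty pair, so the auditor can ask computing management for the authorization behind it rather than reporting a bare count; the conflict table is deliberately separate from the logic so that an installation's own division of duties can be substituted.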
Existing systems
The computer auditor is also concerned with the ongoing operation of established computerized systems. Sometimes this may be initiated from within computer audit as part of an overall plan of work or it may form an additional part of a conventional audit examination of a specific function or location. While conventional auditors will audit "around the black box", computer auditors are being called in to give additional assurance so that systems are not being compromised from the computer operations point of view. To this end, the computer auditor will not only examine user procedures for data collection, input, update, output and maintenance, but will also consider the impact on the system of computing branch procedures. An area of operations that is of particular relevance to existing systems is the company's or organization's policy on back-up and disaster recovery. There will need to have been detailed discussions with users as to their requirements in terms of system resilience. A simple question such as "How long will the business survive if this particular system is not working?" can provide some very interesting answers as well as insight into users' perceptions of the importance of their systems. A fruitful area for cutting costs is the often neglected one of output utilization. Many systems have been designed to produce large quantities of output without enough thought being given to the necessity for such output. Many journals print details of all transactions when a summary would suffice backed up with exception reports. Perhaps this area should be attaining a much higher level of importance in view of current concerns about the environment.

Assistance to conventional audit
As part of most organizations' internal audit teams, computer auditors also provide a service to their colleagues on the conventional audit side. As mentioned above, examination of existing systems can be one means of assistance. Another area is the provision of data extracted from application files so that specific audit tests can be undertaken. Information can be extracted to provide a random sample of a population that meets specific criteria, exceptional items can be extracted for further examination, and re-performance checks can be done to confirm the correct operation of production programs. In many cases, these tasks are undertaken with software that is independent of the manufacturer of the system (software and hardware) on which the application resides.

Conclusion

The use of professional computer auditors, working in an objective manner and able to report effectively to all levels of management, can be an important way for an organization to demonstrate its commitment to the operation of a properly-controlled and effectively-run computing function. The use of secondees to computer audit from within computing sections is already in force in some larger organizations and is proving extremely beneficial to both the secondees themselves and to the computer auditors with whom they work.
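The three extraction tasks named under "Assistance to conventional audit" above (a random sample meeting given criteria, exceptional items for further examination, and re-performance of a production program's calculation) are shown below as an added example that is not code from the article or from any audit software it refers to. The purchase-ledger records, the selection criteria, the value limit and the "total = quantity × unit price" re-performance rule are constructed assumptions.

```python
"""Added example (not from the article): the three audit data-extraction
tasks described in the text, run over a constructed purchase-ledger file."""

import random

# Constructed application file: records an auditor might extract from a
# purchase-ledger application for audit testing (assumed layout).
LEDGER = [
    {"id": 1001, "supplier": "ACME",  "qty": 10, "unit_price": 12.50,   "total": 125.00,  "approver": "mgr1"},
    {"id": 1002, "supplier": "BETA",  "qty": 4,  "unit_price": 300.00,  "total": 1200.00, "approver": "mgr2"},
    {"id": 1003, "supplier": "ACME",  "qty": 1,  "unit_price": 9999.00, "total": 9999.00, "approver": ""},
    {"id": 1004, "supplier": "GAMMA", "qty": 7,  "unit_price": 20.00,   "total": 140.00,  "approver": "mgr1"},
    {"id": 1005, "supplier": "BETA",  "qty": 3,  "unit_price": 50.00,   "total": 160.00,  "approver": "mgr2"},
    {"id": 1006, "supplier": "DELTA", "qty": 2,  "unit_price": 75.00,   "total": 150.00,  "approver": "mgr1"},
    {"id": 1007, "supplier": "ACME",  "qty": 5,  "unit_price": 30.00,   "total": 150.00,  "approver": "mgr3"},
]


def random_sample(records, criteria, size, seed):
    """Draw a reproducible random sample of the records meeting the criteria.

    The seed is recorded in the working papers so the sample can be
    re-drawn identically if the test is later reviewed."""
    population = [r for r in records if criteria(r)]
    return random.Random(seed).sample(population, min(size, len(population)))


def exceptional_items(records, value_limit=1000.0):
    """Extract items meriting further examination: high value or unapproved."""
    return [r for r in records if r["total"] > value_limit or not r["approver"]]


def reperform_totals(records, tolerance=0.005):
    """Recompute each total independently of the production program and
    report any record whose stored total disagrees."""
    mismatches = []
    for r in records:
        expected = round(r["qty"] * r["unit_price"], 2)
        if abs(expected - r["total"]) > tolerance:
            mismatches.append({"id": r["id"], "recorded": r["total"], "recomputed": expected})
    return mismatches


if __name__ == "__main__":
    sample = random_sample(LEDGER, lambda r: r["supplier"] == "ACME", 2, seed=1987)
    print("sample:", [r["id"] for r in sample])
    print("exceptions:", [r["id"] for r in exceptional_items(LEDGER)])
    print("re-performance mismatches:", reperform_totals(LEDGER))
```

The re-performance check is the one that gives assurance about the production program rather than about the data: a mismatch (record 1005 in the constructed file) means either the program's arithmetic or a later amendment to the file needs explaining, which is exactly the kind of finding the conventional auditor would want handed over.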
A word of caution needs to be sounded; many members of computing branches have never been subject to an audit and it is important that they are informed beforehand as to the reasons for an audit, what approach will be adopted, and what the final outcome is intended to be. For computer audit to provide the most effective benefits to an organization, it needs to be seen to be a constructive audit while still retaining the strength of its independence.

G.R. Price, FCA

SWEDISH STATE DATA NETWORK SECURITY "INADEQUATE", REPORT CLAIMS
Sweden's state review board, Riksrevisionsverket (RRV), has published a new and revealing report on the security inadequacies in the country's state-run computer networks. According to RRV's report, entitled Computer Security - Sweden 1987, Sweden's computer systems are not protected against natural or "deliberate catastrophes" and either occurrence would result in "major system failures". According to the report, in the event of a "man-made or natural disaster", bank ATM networks would be inoperative, and personal and administrative computer systems "useless and unworkable". The report's investigation was confined to public sector areas including government departments, regional state-run council offices, police administration, and state Data Inspectorate and statistics offices. RRV's researchers concentrated on the "probable" consequences of either a natural or man-made disaster during peace time. The review board's findings were submitted for examination by Government ministers including the Prime Minister, Mr Ingvar Carlsson. RRV has informed the various state concerns investigated that system improvements are required to safeguard computer data and protect against the eventuality of a major breakdown. The sectors involved have until 1 December 1987 to state what improvements have been carried out. "In case there is no forthcoming acceptable security level, the state should give serious consideration to the formulation of fixed regulations to enforce such a level and ensure computer security is of the highest degree", says the report. According to RRV, some state authorities are not aware of the existing rules relating to computer security. In other cases, RRV found computer related laws whose terminology conflicted, throwing the overall computer security law into doubt and confusing those working within such regulations.

As an example of how Swedish computer security law conflicts, RRV points to one regulation which says that "certain state documents could be destroyed given the appropriate authorization" while a second law questions the destruction of state documents. The first regulation forms part of the existing Swedish Computer Security Act while the second forms part of the Registration Law.