Changing times for computer auditors — COMPACS '95


Computer Audit Update, November 1995

Chris Nelms MSc, BSc(Econ), FCA, CISA is Computer Audit Manager with MEPC plc. Having trained with what are now KPMG, he has over a dozen years' experience in computer audit and writes regularly on computer audit matters.

CONFERENCE REPORT

CHANGING TIMES FOR COMPUTER AUDITORS - COMPACS '95

COMPACS '95, the Institute of Internal Auditors' 19th annual conference on computer audit, control and security, offered day themes based on computer fraud and abuse, client server and distributed systems and 'hot topics for the 90s', but a recurring theme throughout the conference was change and its impact on the internal auditor.

Changes in systems

Stephen Ross of Deloitte and Touche, New York, considered the impact of client server technology now and in the future. In this approach, he stressed, end users form part of a complex structure of networked systems, and play an important role in systems developments. He described the technologies and hardware/software platforms applicable to client server systems environments and highlighted the possibilities for change that this brings in terms of downsizing operations, improving systems and empowering end users.

However, client server also presents a variety of new risks, since the technologies are complex, the speed of change is fast and businesses are introducing mission critical application systems. Auditors must consider the new risks in this approach to ensure that information is processed completely and accurately and that networked systems preserve the continuity, integrity and confidentiality of information.

Stash Jarocki of Citibank considered the impact of local area networks (LANs) on an audit review of security and on disaster recovery planning. Jarocki pointed out that the objective of LANs was to promote access to data rather than deter it and that security was not an integral feature of the approach. Key risks and exposures to be addressed would include: the threat of a loss of control caused by a lack of planning, which can result in unrestrained growth and diverse architectures and topologies; increasing complexity caused by numerous multipurpose work stations, and a lack of worldwide interoperability and connectivity; threats from hackers, viruses, malicious acts or vengeance, computer related fraud, data errors and data corruption; and the dispersion of diverse owners and systems caused by client server and distributed systems.

There would need to be a set of baseline security controls, supplemented by systems specific controls and proper management processes. Amongst the elements which would need to be considered would be: network controls to ensure availability; physical controls; proper identification and authentication of users; communications controls to ensure data integrity and confidentiality; security and control over the file server and storage devices; virus protection by user education and improved working practices; and full documentation of the network and its components, covering the physical topology of the network and the application and operating systems on the network. Audit would need to specifically address all of these issues in a security review to ensure that controls were established to deal with them.

On disaster recovery, Jarocki highlighted the issue that the increasing use of integrated products from different vendors of computing technology made it less easy to achieve business continuity and disaster recovery. Organizations operating in a networked environment needed to adopt a standard approach to disaster planning in terms of assessing the risks and developing alternative processing strategies to deal with a loss of computing facilities. Particular attention would need to be paid to the additional risks caused by the LAN environment. The complex nature of local area networks and multi-vendor networks makes it vitally important to identify fully the hardware, software, physical links and information to be protected, and carefully to analyse this and plan for recovery from a failure of any part of the distributed system. Documentation of the network, the backup procedures and the recovery procedures must be comprehensive but easy to follow. The whole system needs to be regularly tested, assuming different types of failure.

Changes in fraud and abuse

Chris Hurford, Associate Director of District Audit, considered change of a different kind in reviewing the results of the fifth survey of computer fraud and abuse conducted by the Audit Commission. This revealed increasing levels of crime and abuse including: a three-fold increase in the number of overall reported incidents over the three years between surveys; an almost five-fold increase in virus infections; unauthorized disclosure of personal data being reported for the first time; an almost eight-fold rise in the use of illicit software; a four-fold increase in instances of unauthorised private work; and a 183% increase in the total value of reported incidents. The survey also revealed that nearly a quarter of organizations had no internal audit and about a half had no specific computer audit skills. Two-thirds had no security awareness training in place and four-fifths practised no risk analysis.

Hurford pointed out that risks to data arose from the new types of management structure. In many organizations, as responsibility is devolved downwards from the centre towards the point of service delivery, local management may be unaware of the need to protect their systems locally, imagining that the centre still retains control. The overall lesson of the survey reminds managers that they have a responsibility to exercise better control over procedures inhibiting computer abuse - and it is probably more of a people issue than a technology issue.

Dennis Willetts, Head of Communications Security at British Telecom, highlighted the changes taking place in frauds involving the exploitation of security weaknesses in companies' PABX systems to make free international and long distance calls, and the increasing problem of charge card abuse.

Changes in audit approaches

Ed Hutt of Coopers & Lybrand assessed the impact of rapid application development approaches on systems development. The benefits from these approaches include improved development and implementation speeds, better software maintainability in the longer term and reduced long-term costs. He warned that internal auditors would need to adapt their approach to avoid criticisms that:

• auditors do not fully understand rapid application development approaches and do not therefore address the key issues;

• they find it easy to identify and try to enforce traditional system development approaches over the reduced life cycle, instead of assessing the new risks to the business processes and adapting their audits accordingly;

• they may slow the development down by not adopting a timely approach.

Ken Lindup of SRI was concerned that internal auditors were failing to adapt to changing situations. He warned that many auditors were still using the same audit principles that they had done for years, without recognizing that new technologies changed risks. Others were afraid to implement new technologies because they maintained old fashioned views on security. He argued that technology changes had brought significant computing power to organizations and to auditors. Within organizations, this has led to an explosion of client-server based systems architectures, which remove the need for an expensive mainframe protected by the security perimeter of a computer centre. But this leads to a loss of centralized control over program change procedures, systems and software development, making traditional approaches to reviews impossible to carry out.

Corporate information is also now distributed across organizations, leading to the scope for confusion on data ownership. Traditionally, ownership of data was a simple issue, probably allocated to the head of a department, who was responsible for saying who should have access to data and under what conditions. Identifying ownership becomes more difficult in a modern environment, and the most important information has ceased to be transaction based, and takes the form of decision support information gathered together from a variety of sources. In mainframe systems there were strong controls over which applications could change data. In today's 'distributed' corporate organizations, end user data might be changed at many points within the organization: by staff working externally, in hotel rooms, and in a transient way by the uses of spreadsheets.

These new risks require fresh thinking from auditors, who will need to consider what new audit principles, tools and methods are needed to deal with this changing world. He warned, "If auditors do not change, like the dinosaurs, they will ultimately become extinct."

John Mitchell's presentation had the most intriguing title of the conference - The Dragon, the Lion and the Unicorn - but the message on the changing world of internal audit was simple. He reviewed the history of internal auditing and the development and role of computer auditors. Their traditional approach had been to highlight to management the latest risks to business. He stressed this by saying, "We scared them with multitasking operating systems and we scared them even more with real-time systems, but now we can have a real field day with such fairy tale items as object oriented programming, client server networks, EDI and that most fearsome ogre of them all, the Internet".

But his key message was that many of the disasters in businesses were not technical issues, but failures caused by management or by human weaknesses, and he urged internal auditors to help managers to understand risks and controls, and management's responsibilities for control. If managers could be persuaded to carry out a control self-assessment process, this would bring immense benefits to the business. The impact of this is to change the role of the auditor from policing to educating, and this requires auditors to understand the business and explain exposure, risk and control in a meaningful way to managers.

David F Bentley

©1995 Elsevier Science Ltd

BOOK REVIEW

A Glossary of Computing Terms (8th Edition), British Computer Society. Longman, UK. ISBN 0-582-27544-X, £8.99.

In the perpetually changing world of Information Technology finding a useful and up-to-date reference guide to terminology can be