History of information technology auditing

8 Nov 2013


http://en.wikipedia.org/wiki/History_of_information_technology_auditing

Introduction

Information Technology Auditing (IT auditing) began as Electronic Data Processing (EDP) Auditing and developed largely as a result of the rise in technology in accounting systems, the need for IT control, and the impact of computers on the ability to perform attestation services. The last few years have been an exciting time in the world of IT auditing as a result of the accounting scandals and increased regulation. IT auditing has had a relatively short yet rich history when compared to auditing as a whole and remains an ever changing field.

Beginning

The introduction of computer technology into accounting systems changed the way data was stored, retrieved and controlled. It is believed that the first use of a computerized accounting system was at General Electric in 1954. During the time period of 1954 to the mid-1960s, the auditing profession was still auditing around the computer. At this time only mainframes were used and few people had the skills and abilities to program computers. This began to change in the mid-1960s with the introduction of new, smaller and less expensive machines. This increased the use of computers in businesses and with it came the need for auditors to become familiar with EDP concepts in business. Along with the increase in computer use came the rise of different types of accounting systems. The industry soon realized that they needed to develop their own software and the first of the generalized audit software (GAS) was developed. In 1968, the American Institute of Certified Public Accountants (AICPA) had the Big Eight (now the Big Four) accounting firms participate in the development of EDP auditing. The result of this was the release of Auditing & EDP. The book included how to document EDP audits and examples of how to process internal control reviews.

Around this time EDP auditors formed the Electronic Data Processing Auditors Association (EDPAA). The goal of the association was to produce guidelines, procedures and standards for EDP audits. In 1977, the first edition of Control Objectives was published. This publication is now known as Control Objectives for Information and Related Technology (CobiT). CobiT is the set of generally accepted IT control objectives for IT auditors. In 1994, EDPAA changed its name to Information Systems Audit and Control Association (ISACA). The period from the late 1960s through today has seen rapid changes in technology from the microcomputer and networking to the internet, and with these changes came some major events that changed IT auditing forever.

The formation and rise in popularity of the Internet and E-commerce have had significant influences on the growth of IT audit. The Internet influences the lives of most of the world and is a place of increased business, entertainment and crime. IT auditing helps organizations and individuals on the Internet find security while helping commerce and communications to flourish.

Major Events

Four major events in U.S. history have had a significant impact on the growth of IT auditing. These are the Equity Funding scandal, the development of the Internet and E-commerce, the 1998 IT failure at AT&T, and the Enron and Arthur Andersen LLP scandal.

These events have not only heightened the need for more reliable, accurate, and secure systems but have brought a much needed focus to the importance of the accounting profession. Accountants certify the accuracy of public company financial statements and add confidence to financial markets. The heightened focus on the industry has brought improved control and higher standards for all working in accounting, especially those involved in IT auditing.

Equity Funding Corporation of America

The first known case of misuse of information technology occurred at Equity Funding Corporation of America. Beginning in 1964 and continuing until 1973, managers for the company booked false insurance policies to show greater profits, thus boosting the price of the company's stock. If it weren't for a whistleblower, the fraud may never have been caught. After the fraud was discovered, it took the auditing firm Touche Ross two years to confirm that the insurance policies were not real. This was one of the first cases where auditors had to audit through the computer rather than around the computer.

AT&T

In 1998 AT&T suffered an IT failure that impacted worldwide commerce and communication. A major switch failed due to software and procedural errors and left many credit card users unable to access funds for upwards of 18 hours. Events such as this bring to the forefront our reliance on IT services and remind us of the need for assurance in our computer systems.

Enron and Arthur Andersen

The Enron and Arthur Andersen LLP scandal led to the demise of a foremost accounting firm, an investor loss of more than 60 billion dollars and the largest bankruptcy in U.S. history. Arthur Andersen was recently found guilty of obstruction of justice for their role in the collapse of the energy giant. This scandal had a significant impact on the Sarbanes-Oxley Act and was a major self-regulation violation.

September 11th Terrorist Attacks


The terrorist attacks of September 11, 2001 left the world feeling vulnerable and afraid. The economic market began to fall and all realized the most powerful nation in the world was susceptible to attack. September 11th paved the way for the Homeland Security Act and the increased regulation and security of the electronic infrastructure.

Future

IT auditing is the future of the accounting profession. We no longer live in a world where company dynamics and financial state can be determined without the use of computers. The rapid rise in information technology cannot be denied and must be utilized in order to succeed. IT auditing adds security, reliability and accuracy to the information systems integral to our lives. Without IT auditing we would be unable to safely shop on the internet or control our identities. The role IT auditors play may be unknown to most but it impacts the lives of all. As history continues we will continue to see the rise of this up and coming profession.

REF:

Senft, Sandra; Manson, Daniel P.; Gonzales, Carol; Gallegos, Frederick (2004). Information Technology Control and Audit (2nd ed.). Auerbach Publications. ISBN 0849320321.

COBIT

The Control Objectives for Information and related Technology (COBIT) is a framework for managing information technology (IT) risks, created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). Control Objectives for Information and related Technology, or COBIT, provides managers, auditors, and IT users with a set of generally accepted information technology control objectives to assist them in maximizing the benefits derived through the use of information technology and developing the appropriate IT governance and control in a company. In its 3rd edition, COBIT has 34 high level objectives that cover 318 control objectives categorized in four domains: Planning and Organization, Acquisition and Implementation, Delivery and Support, and Monitoring.

It comprises six elements: management guidelines, control objectives, COBIT framework, executive summary, audit guidelines and an implementation toolset. All are documented in separate volumes.

It was developed by the IT Governance Institute and the Information Systems Audit and Control Foundation in 1992 when the control objectives relevant to information technology were first identified.

The first edition was published in 1996; the second edition in 1998; the third edition in 2000, and the on-line edition became available in 2003. It has more recently found favour due to external developments, especially the Enron scandal and the subsequent passage of the Sarbanes-Oxley Act.

The COBIT mission is “to research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.” Managers, auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.



Computer forensics

From Wikipedia, the free encyclopedia.

Computer forensics is the process of investigating data storage devices and/or data processing equipment, typically a home computer, laptop, server, office workstation, or removable media such as compact discs, to determine if the equipment has been used for illegal, unauthorized, or unusual activities. It can also include monitoring a network for the same purpose. Computer forensics experts must:

1. Identify sources of documentary or other digital evidence
2. Preserve the evidence
3. Analyze the evidence
4. Present the findings

They must do so in a fashion that adheres to the standards of evidence that is admissible in a court of law.

Understand the suspects

It is absolutely vital for the forensics team to have a solid understanding of the level of sophistication of the suspect(s). If insufficient information is available to form this opinion, the suspects must be considered to be experts, and should be presumed to have installed countermeasures against forensic techniques. Because of this, it is critical that you appear to the equipment to be as indistinguishable as possible from its normal users until you have shut it down completely, either in a manner which provably prohibits the machine from modifying the drives, or in exactly the same way they would.

If the equipment contains only a small amount of critical data on the hard drive, for example, software exists to wipe it permanently and quickly if a given action happens. It is straightforward to link this to the Microsoft Windows "Shutdown" command, for example. However, simply "pulling the plug" isn't always a great idea, either: information stored solely in RAM, or on special peripherals, may be permanently lost. Losing an encryption key stored solely in RAM, and possibly unknown even to the suspects themselves by virtue of having been automatically generated, may render a great deal of data on the hard drive(s) unusable, or at least extremely expensive and time-consuming to recover.

Electronic Evidence Considerations

Like any other piece of evidence used in a case, the information generated as the result of a computer forensics investigation must follow the standards of admissible evidence. Special care must be taken when handling a suspect’s files; dangers to the evidence include viruses, electromagnetic or mechanical damage, and even booby traps.

There are a handful of cardinal rules that are used to ensure that the evidence is not destroyed or compromised:

1. Handle the original evidence as little as possible to avoid changing the data
2. Establish and maintain the chain of custody
3. Document everything done
4. Never exceed personal knowledge

If such steps are not followed the original data may be changed, ruined or become tainted, and so any results generated will be challenged and may not hold up in a court of law. Other things to take into consideration are:

1. The time that business operations are inconvenienced
2. How sensitive information which is unintentionally discovered will be handled

Secure the machine and the data

Unless completely unavoidable, data should never be analyzed using the same machine it is collected from. Instead, forensically sound copies of all data storage devices, primarily hard drives, must be made.

To ensure that the machine can be analyzed as completely as possible, the following sequence of steps must be followed:

Examine the machine's surroundings

Look for notes, concealed or in plain view, that may contain passwords or security instructions. Secure any recordable media, including music mixes. Also look for removable storage devices such as keydrives, MP3 players or security tokens. In some cases, these can be worn as jewellery.

Record open applications

If the machine is still active, any intelligence which can be gained by examining the applications currently open should be recorded. If the machine is suspected of being used for illegal communications, such as terrorist traffic, not all of this information may be stored on the hard drive. If information stored solely in RAM is not recovered before powering down, it will be lost. For most practical purposes, it is not possible to completely scan the contents of RAM modules in a running computer. Though specialized hardware could do this, the computer may have been modified to detect chassis intrusion (some Dell machines, for example, can do this stock; software need only monitor for it) and removing the cover could cause the system to dump the contents. Ideally, prior intelligence or surveillance will indicate what action should be taken to avoid losing this information.

Modern RAM cannot be analyzed for prior content after erasure and power loss with any real probability of success.



Power down carefully

If the computer is running when seized, it should be powered down in a way that is least damaging to data currently in memory and that which is on the hard disk. The method that should be used is dependent on the operating system that the computer is running. The recommended methods of shutting down are shown in the following table:

    DOS                         Pull the plug
    Windows 3.1                 Pull the plug
    Windows 95                  Pull the plug
    Windows 98                  Pull the plug
    Windows NT                  Pull the plug
    Windows NT Server           Shut down
    Windows 2000                Pull the plug
    Windows 2000 Server         Shut down
    Windows XP                  Pull the plug
    Windows 2003                Shut down
    Linux                       Shut down
    Unix                        Shut down
    Macintosh OS 9 and older    Pull the plug
    Macintosh OS X              Shut down

If the operating system cannot be determined, pulling the plug will suffice.

When pulling the plug make sure that you pull the lead out from the computer unit itself. This is because if the computer has an uninterruptible power supply connected and the power to this is turned off, the computer will remain powered.

Shutting the computer down by the correct method is critical if certain data is normally stored only in memory, to be committed back to disk when the machine is powered off.

Shutting down computers which do not normally store data in memory (such as Windows XP) by the usual method will result in possible changes to the data on the hard drive. This is to be avoided at all cost, especially if there is no benefit in shutting down the computer in this way. For this reason it is recommended that the plug is pulled on these computers.

Inspect for traps

Inspect the chassis for traps, intrusion detection mechanisms, and self-destruct mechanisms. It takes a lot to destroy a hard drive to the point where no data at all can be recovered off of it, but it doesn't take much to make recovery very, very difficult. Find a hole in the chassis you can use for inspection (cooling fans are a good bet), or pick a safe spot in the chassis to drill one, and use an illuminated fiberscope to inspect the inside of the machine. Look specifically for large capacitors or batteries, nonstandard wiring around drives, and possible incendiary or explosive devices. PC hardware is fairly standardized these days, and you should treat anything you don't recognize as cause for concern until proven otherwise.

Look for wires attached to the chassis: PCs aren't normally grounded this way, so those are cause for concern.

You should specifically look for a wire running from anything to the CMOS battery or "CMOS clear" jumper. CMOS memory can be used to store data on the motherboard itself, and if power is removed from it, the contents will be lost. You must avoid causing CMOS memory to lose power. Encryption keys, etc., may be stored here.

Once you have determined that the case is safe to open, proceed to remove the cover.

Fully document hardware configuration

Completely photograph and diagram the entire configuration of the system. Note serial numbers and other markings. Pay special attention to the order in which the hard drives are wired, since this will indicate boot order, as well as being necessary to reconstruct a RAID array. A little time being thorough here will save you more later.

Duplicate the hard drives

Using a standalone hard-drive duplicator or similar device, completely duplicate the entire hard drive. This should be done at the sector level, making a bit-stream copy of every part of the user-accessible areas of the hard drive which can physically store data, rather than duplicating the filesystem. Be sure to note which physical drive each image corresponds to. The original drives should then be moved to secure storage to prevent tampering.

Use some kind of hardware write protection to ensure no writes will be made to the original drive. Even if operating systems like Linux can be configured to prevent this, a hardware write blocker is the best practice. The process is often called imaging.

You can image to another hard disk drive, a tape, or other media. Tape is a preferred format for archive images, since it is less vulnerable to damage and can be stored for a longer time. There are two goals when making an image:

1. Completeness (imaging all of the information)
2. Accuracy (copying it all correctly)

The imaging process is verified by using an MD5 message digest algorithm or higher (SHA1, etc.). To make a forensically sound image, you need to make two reads that result in the same MD5. Generally, a drive should be hashed in at least two algorithms to help ensure its authenticity from modification in the event one of the algorithms is cracked. This can be accomplished by first imaging to one tape labeled as the Master and then making an image labeled Working. If onsite and time is critical, the second read can be made to Null.
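As an added example (not code from the original article), the following Python models the two-read verification described above: every read pass is hashed under both MD5 and SHA-1 in one sweep, the Master and Working reads must agree under each algorithm, a "read to Null" is hashed without being stored, and a later re-hash of a stored image reports which algorithms disagree with the recorded digests. The "drive" is a constructed byte string read as 512-byte sectors, and all function names are this example's own.

```python
import hashlib

# Constructed stand-in for a physical drive: 16 KiB of deterministic bytes read as 512-byte sectors.
CONSTRUCTED_DRIVE = bytes(range(256)) * 64
SECTOR_SIZE = 512
ALGORITHMS = ("md5", "sha1")  # the page's minimum: MD5 plus at least one stronger digest


def read_sectors(source, sector_size=SECTOR_SIZE):
    """Yield the source sector by sector, the way a bit-stream imager reads a drive."""
    for offset in range(0, len(source), sector_size):
        yield source[offset:offset + sector_size]


def hash_stream(chunks, algorithms=ALGORITHMS):
    """Hash one pass over the data under several algorithms at once; returns {alg: hexdigest}."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def image_drive(source, destination, algorithms=ALGORITHMS):
    """One read pass over the source: copy every sector into destination and hash what was read.

    destination is a bytearray (the Master or Working image) or None, which models the
    page's 'second read to Null': the data is hashed but not written anywhere.
    """
    def copying():
        for sector in read_sectors(source):
            if destination is not None:
                destination.extend(sector)
            yield sector
    return hash_stream(copying(), algorithms)


def verify_image(source, algorithms=ALGORITHMS):
    """Make Master and Working images and check the two reads and the stored copy all agree."""
    master, working = bytearray(), bytearray()
    first_read = image_drive(source, master, algorithms)
    second_read = image_drive(source, working, algorithms)
    # Re-hash the stored Master so a write error (not just a read error) would also be caught.
    stored = hash_stream(read_sectors(bytes(master)), algorithms)
    return {
        "reads_agree": first_read == second_read,
        "master_intact": stored == first_read,
        "digests": first_read,
        "master": master,
    }


def detect_tampering(image, reference_digests):
    """Re-hash a stored image; return the algorithms whose digest no longer matches the reference."""
    current = hash_stream(read_sectors(bytes(image)), tuple(reference_digests))
    return sorted(alg for alg in reference_digests if current[alg] != reference_digests[alg])


if __name__ == "__main__":
    report = verify_image(CONSTRUCTED_DRIVE)
    print("reads agree:", report["reads_agree"], "master intact:", report["master_intact"])
    altered = bytearray(report["master"])
    altered[777] ^= 0x01  # a single flipped bit in a stored copy
    print("algorithms flagging the altered copy:", detect_tampering(altered, report["digests"]))
```

Because both digests are recorded, an image that still matches under one algorithm but not the other is reported too, which is the case the page's "two algorithms" advice is meant to catch.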



E-Mail Review

E-mail has become one of the primary mediums of communication in the digital age, and vast amounts of evidence may be contained therein, whether in the body or enclosed in an attachment. Because users may access email in a variety of ways, it's important to look for different kinds of emails. The user may have used a dedicated program, or Mail User Agent (MUA), a web browser, or some other program to read and write email. Additionally, files for each of these programs may be stored on a local hard drive, a network device, or a removable device. A good examiner will search all of these locations for email data. Be aware that many email clients will save a copy of outgoing messages, so both the sender and the recipient may have a copy of each message. Finally, mail may also be stored on a dedicated mail server, either awaiting delivery or as permanent storage.

E-mail Headers

All email programs generate headers that attach to the messages. The study of these headers is complex. Some investigators favor reading the headers from the bottom up, others from the top down. Under normal circumstances, headers are supposed to be created by the mail user agent and then prepended by mail servers, so the bottom-up method should work. But a malicious mail server or forger may make this difficult.

The headers added by an MUA are different than those added by mail servers. For example, here is the format for headers generated by Mozilla Thunderbird 1.0 running on Microsoft Windows. (Note to editors: This should eventually be moved to a page about analyzing MUA headers)

Message-ID: <41B5F981.5040504@hostname.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name <username@hostname.net>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: recipient@otherhost.com
Subject: Testing
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Extensions such as enigmail may add extra headers.

The Message-Id field has three parts:

1. The time the message was sent in seconds past the epoch in hexadecimal
2. A random value called a salt. The salt is of the format #0#0#0# where # is a random digit. Because Thunderbird treats the salt like a number, it may be shorter if the leading digits are zeros. For example, a salt of "0030509" would display as "30509"
3. The fully qualified domain name of the sender

Message-ID: [time].[salt]@[domain-name]

Information on the Message-ID header was derived from the source code in mozilla/mailnews/compose/src/nsMsgCompUtils.cpp in function msg_generate_message_id()
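As an added example (not part of the original article), the following Python parses a Thunderbird 1.0 style Message-ID using the three-part layout just described and cross-checks it against the same message's Date and From headers: the hexadecimal timestamp is decoded, the salt is restored to its #0#0#0# shape, and a mismatch between the Message-ID time and the Date header (or between the Message-ID domain and the sender's domain) is reported as a sign the headers may not have been produced together. The sample is the page's own header block plus a constructed variant with an altered Date; the function names are this example's own.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the Thunderbird 1.0 headers quoted on the page, plus a variant
# whose Date header has been altered so the two timestamps no longer agree.
SAMPLE_HEADERS = """\
Message-ID: <41B5F981.5040504@hostname.net>
Date: Tue, 07 Dec 2004 13:42:09 -0500
From: User Name <username@hostname.net>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
To: recipient@otherhost.com
Subject: Testing
"""
ALTERED_HEADERS = SAMPLE_HEADERS.replace("07 Dec 2004", "08 Dec 2004")

# [time].[salt]@[domain-name]: hex seconds since the epoch, a salt of up to seven digits, the FQDN.
MSGID_RE = re.compile(r"^<?([0-9A-Fa-f]{1,8})\.(\d{1,7})@([^>\s]+)>?$")


def parse_headers(raw):
    """Map lower-cased header names to values (first occurrence wins; folded lines not handled)."""
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def parse_thunderbird_message_id(msgid):
    """Split a Thunderbird 1.0 Message-ID into its timestamp, salt and domain, or return None."""
    match = MSGID_RE.match(msgid.strip())
    if not match:
        return None
    hex_time, salt, domain = match.groups()
    # Thunderbird prints the salt as a number, so leading zeros vanish; restore them to 7 digits.
    salt = salt.zfill(7)
    return {
        "timestamp": datetime.fromtimestamp(int(hex_time, 16), tz=timezone.utc),
        "salt": salt,
        "salt_ok": salt[1] == salt[3] == salt[5] == "0",  # the #0#0#0# pattern
        "domain": domain,
    }


def check_message_id(raw, tolerance_s=60):
    """Cross-check the Message-ID against the Date and From headers of the same message."""
    h = parse_headers(raw)
    parsed = parse_thunderbird_message_id(h.get("message-id", ""))
    if parsed is None:
        return {"format_ok": False}
    date = parsedate_to_datetime(h["date"])
    skew = abs((date - parsed["timestamp"]).total_seconds())
    from_domain = h.get("from", "").rsplit("@", 1)[-1].rstrip(">").strip()
    return {
        "format_ok": True,
        "salt_ok": parsed["salt_ok"],
        "msgid_time_utc": parsed["timestamp"].isoformat(),
        "clock_skew_s": skew,
        "date_matches": skew <= tolerance_s,
        "domain_matches_from": parsed["domain"] == from_domain,
    }


if __name__ == "__main__":
    for label, raw in (("page sample", SAMPLE_HEADERS), ("altered Date", ALTERED_HEADERS)):
        print(label, check_message_id(raw))
```

For the page's sample, 0x41B5F981 decodes to 2004-12-07 18:42:09 UTC, which is exactly the Date header's 13:42:09 -0500, so the check passes; the altered variant shows a full day of skew.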

Sorting Through the Masses

While it is theoretically possible to review all e-mails, the sheer volume that may be subject to review can make this a daunting task; large-scale e-mail reviews cannot look at each and every e-mail due to the sheer impracticality and cost. Forensics experts use review tools to make copies of and search through e-mails and their attachments looking for incriminating evidence using keyword searches. Some programs have been advanced to the point that they can recognize general threads in e-mails by looking at word groupings on either side of the search word in question. Thanks to this technology vast amounts of time can be saved by eliminating groups of e-mails that are not relevant to the case at hand.



Information forensics

From Wikipedia, the free encyclopedia.

Information Forensics is the science of investigation into systemic processes that produce information. Systemic processes utilize primarily computing and communication technologies to capture, treat, store and transmit data. Manual processes complement technology systems at every stage of system processes; e.g. from data entry to verification of computations, and management of communications to backing-up information reports. In context, both technology and manual systems, with systemic processes that are either proprietary by design or evolved inconsequentially, constitute the enterprise Information System. The complexity of enterprise business systems, in particular those augmented with technology and legacy systems, often makes them susceptible to fraud, abuse, mistakes, and sabotage.

Information forensic investigation delves into the aspects of creation, operation and evolution of the enterprise information system. Specifically, investigation focuses on causal factors and processes that govern the life cycle implementation of such systems. Forensic investigation may be initiated when a system is suspect or compromised; generally, investigation occurs when a system fails. Investigations normally concentrate on specific problem areas or components of a system; the intricacies of business systems, and the costs and resources available, often preclude detailed examination of the whole information system. Nevertheless, bringing about scientific examination of facts when problems occur is not only prudent, but necessary for the court of law. The methodological approach to investigation at present is the subject of research interest and topical development.

The following discourse highlights some of the issues in Information Forensics, which include:

- Adherence to conventions
- Dealing with parties of interest
- Technology and systems design

Investigation Concerns

Investigations characteristically seek to identify the perpetrators, uncover the processes that lead to the creation of the system in question, and understand the operational or systemic processes on information that resulted in the problem, i.e. to clarify and document the erroneous processes. Investigation may distinguish the causes of failures, which include fraudulent intent, negligence, abuse of power, sabotage and terror. Problems that warrant forensic investigations normally are catastrophic system failures, but also include doubtful system operations, anomalous events or just exceptional investigations on matters of compliance.

The design of the system in its entirety or in parts, and the modification of the system either through amendments of existing design or inclusion of new system modules in all sorts of manner, are considered vulnerable phases of systems development.

In spite of regulatory constraints, stringent checks, standardization, proven methods, professional edicts, assurance contracts, and other forms of preventive measures, systems continue to fail.

A widely speculated accusation of common causes of failure of typically in-house developed information systems is the unwarranted influence of certain system users with vested interests. Systems development processes are often swayed to implement deliberated functions to serve the needs of such users. This is a form of abuse.

Abuse of Power

Strategic exploitation of information is recognized as a source of influence. The manner in which information is acquired, processed and used gives rise to power. The process as a whole in particular is of interest to information investigators. In order to fully comprehend technology and information systems that afford power play, investigators must be well versed in disciplines that include psychology, sociology, ethnicity, linguistics, and organizations. Other fields of interest include ethics, theology and beliefs, epistemology, knowledge engineering, and knowledge management. Some aspects of technical consideration, specifically in the field of Information Systems, broadly include close examination of systems development processes, i.e. applied standards and models, the system or business processes, and the information or business domain itself.

Stakeholders of Information and Systems

Stakeholders of information and owners of information systems typically, by and large, are converged at certain geographical locations, bound by local legislation, professionalism and customary norms. Their action upon information at their disposal and control of their systems, however, affects a greater multitude of users, many of whom are from elsewhere and practice differing norms. What is acceptable as permissible practice in dealing with information and information systems may be perceived, even established legally, as forbidden by others.

Information Users

Users are the target of information propagation and generally considered victims of circumstances. However, users are also benefactors in the manipulation of business information. Users too are stakeholders of information.

Manipulation and consumption of information involve the intervention of information stakeholders at every stage of the information value chain. Two channels of control (generally) run parallel alongside information processes: one shapes, the other regulates, the information system.

Information Processes

Information system processes are essentially viewed as a black box of algorithms and procedures, proprietary and never disclosed. This notion brings about conflicting arguments and questions on the intentions, implementation and operations of certain information systems.



Investigation of information processes emphasises examination of the following, categorically:

1. Development approach to the creation of information processes or systems.
2. Information process itself, e.g. functions, procedures, etc.
3. Interaction of processes within a system.
4. Interaction of processes among systems.
5. The business context.
6. The local environment.

Technology Systems

Legacy systems are generally designed to serve the businesses they are commissioned for, and are not intended to trace the development of the system itself, which if ever done is performed by another system.

Technology systems in themselves enable investigators to gather facts of misdeed, though with some difficulties.

Methods and Standards

Established standards govern the creation, modification, operation and retirement of information systems. Standard methods however are commonly adapted and modified to suit local or specific requirements. The prerogative of how standards are actually implemented rests entirely with the stakeholders of the system in question. Contractors too have a role to play. What really transpires in the process of development is transparent and will never be known; yet investigators need to uncover the facts. Although contracts are used to define and measure means and deliverables, the actual approach to resolution is often ignored so long as business objectives are met.

Legal action requires comprehensive explanation and understanding of probable causes and effects of a forensic situation. In this arena, information management across a multitude of people and systems is vastly differentiated, which necessitates that investigators possess the appropriate knowledge and understanding of how information resources interact in order to investigate effectively. The lack of formal expository methods makes this new field rather desirable.

Application of Information Forensics

Some examples of specific application of the science of information forensics in a systemic context include the following:

- Bioinformatics
- Cryptography, see Cryptographic engineering
- Information systems forensics
- Information traversing Pervasive systems
- Information traversing Ubiquitous networks and computing environments
- Intelligence, Command channels
- Musicology, in Music business
- Review of compliance
- Theological research
- Trace, Information trace

What is and is Not Information Forensics

Information forensics encompasses information systems forensics and computer forensics. Information forensics deals with system processes, human factors, and applied methodologies and standards. Arguably information forensics concerns the use of technology, formal methods, and implicating factors which are largely human in nature.

In fundamental research, information forensics examines the extraction and analysis of information for security applications (IEEE SPS). Fundamental areas of interest include attack models, cryptanalysis, steganalysis, steganography; audio engineering, authentication, human identification, performance metrics, signal classification, surveillance, transaction tracking, etc.

Information technology audit

An Information technology audit (or IT audit) is a review of the controls within an entity's technology infrastructure. These reviews are typically performed in conjunction with a financial statement audit, internal audit review, or other form of attestation engagement. Formerly called an Electronic data processing (EDP) audit, an IT audit is the process of collecting and evaluating evidence of an organization's information system, practices, and operations. Evaluation of the evidence determines whether the organization's information system safeguards assets, maintains data integrity, and is operating effectively and efficiently to achieve the organization's goals.

An IT audit is also known as an EDP Audit, an Information Systems Audit, and a computer audit.

Purpose

An IT audit is similar to a financial statement audit in that the study and evaluation of the basic elements of internal control are the same. However, the purpose of a financial statement audit is to determine whether an organization's financial statements and financial condition are presented fairly in accordance with generally accepted accounting principles (GAAP). The purpose of an IT audit is to review and evaluate an organization's information system's availability, confidentiality, and integrity by answering questions such as:

- Will the organization's computer systems be available for the business at all times when required? (Availability)
- Will the information in the systems be disclosed only to authorized users? (Confidentiality)
- Will the information provided by the system always be accurate, reliable, and timely? (Integrity)

Types of IT Audits

- Computerized systems and applications: an audit to verify that systems and applications are appropriate to the entity's needs, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
- Information processing facilities: an audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
- Systems development: an audit to verify that systems under development meet the objectives of the organization and are developed in accordance with generally accepted standards for systems development.
- Management of IT and enterprise architecture: an audit to verify that IT management has developed an organizational structure and procedures that ensure a controlled and efficient environment for information processing.
- Client/server, telecommunications, intranets, and extranets: an audit to verify that controls are in place on the client (the computer receiving services), on the server, and on the network connecting clients and servers.

IT audit process

The basic steps in performing an information technology audit are:

1. Planning the audit
2. Evaluation of internal controls
3. Audit procedures
4. Completing the audit

History of IT auditing

The concept of IT auditing was formed in the mid-1960s and has gone through numerous changes due to advances in technology and the incorporation of technology into business.

IT audit topics

Regulations and legislation related to IT audits

Several regulations affecting information technology audits have been introduced in the past few years. These include the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, and the Health Insurance Portability and Accountability Act (HIPAA).

- COBIT (a control framework rather than a statute, but commonly used as the audit yardstick)
- HIPAA
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley Act
- Companies with Sarbanes-Oxley certification delays and material weaknesses caused by IT issues:
  - Captaris Inc.: material weakness and filing delay due to inadequate internal controls and related IT controls per SOX requirements
  - Cray Inc.: numerous material weaknesses in internal control over financial reporting, specifically inadequate review of third-party contracts and lack of software application controls and documentation

Security

Auditing information security is a vital part of any IT audit. Within its broad scope fall topics such as data centers, networks, and application security. It covers everything from auditing the physical security of data centers to auditing the logical security of databases, and it highlights the key components to look for and the different methods used for auditing these areas. In this ever-expanding technical realm these things are always changing, so IT auditors must continue to expand their knowledge and understanding of systems and the systems environment in order to verify and ensure information security.

Emerging Issues

Technology changes rapidly and so do the issues IT auditors must face. From biometric retinal scans to physical security to data transmitted from a cell phone, the range of issues is limited only by one's imagination.

See also

- IT audit resources
- Famous IT auditors and experts
- Information technology audit - operations

Operations

- Backup systems and recovery
- Change management auditing
- Software development life cycle auditing
- Helpdesk and incident reporting auditing
- SAS 70
- Disaster recovery and business continuity auditing
- Evaluating the qualifications of IT personnel for the purposes of an audit

Auditing systems, applications and networks

- Operating system audit
- Mainframe audit
- Database audit
- Enterprise resource planning audit
- Systems, Applications and Products (SAP) audit

Computer forensics

- Computer forensics
- Data analysis

Fraud

- Computer fraud case studies
- SAS 99

Retrieved from "http://en.wikipedia.org/wiki/Information_technology_audit"


Operating system audit

As computers became more sophisticated, many manual operations were automated within the operating system (see the history of operating systems). The operating system (OS) is the program that runs all other programs. The OS coordinates all tasks, such as recognizing input from the keyboard and keeping track of files and directories. It also ensures that the different programs that are running, and the users of the system, do not interfere with each other. The OS is also in charge of security and is meant to guarantee that no unauthorized use occurs.

The operating system provides a software platform on top of which other programs, called applications, can run. Examples of popular operating systems include Windows, Unix, and Linux.

Why is OS security relevant?

In today's business climate there is increasing use and awareness of the many operating systems used by large organizations. The mechanisms that control the information, and the data itself, are what is considered valuable, so the security of information systems is crucial. It is recognized as good security practice either to perform internal security audits or to hire external firms to audit existing policies, practices, and installations. Operating systems interact with vital business assets such as payroll, human resources, development, and customer information.

The operating system sees "[all] data on the disk as streams of bits in the records inside the files and folders. The operating system does not see the data relating to the basic pay of an employee as being significantly more or less sensitive than the employee's telephone number. It is the application software that understands the data from the business perspective; all business rules relating to the way the data can be manipulated are enforced through programs in the application software."

Good application software has controls designed to enforce all the validations and business rules relating to who interacts with which elements of the data and how. As long as the user stays within such an application, the user's actions are well controlled. "However, if a user is able to bypass the application and gain access to the operating system, then all the rules and controls in the application software become irrelevant." Hence it is necessary to review the OS and database of all critical applications and of the servers that hold sensitive information.

How do you perform an Operating Systems audit?

"The purpose of this page is to focus on the concepts and need for the audit of OS and not to provide detailed guidelines or checklists for doing the same. Such guidelines or checklists are specific in technical detail to different OS. Many professional audit firms develop, through their own research, guidelines and work procedures for such technical audits." Typically, operating systems are purchased from outside vendors. Before beginning an audit, the auditor should obtain and understand the technical descriptions and documentation from those vendors.

By their nature, operating systems are heavily relied upon for the general operation of computer hardware. An operating system audit therefore requires the auditor to investigate further and determine whether:

1) An application program can access main or data storage areas or files being used by other applications.

2) Important security and accuracy features (e.g., error handling for invalid data types or formats) are fully used and are not being overridden by application programs.

3) Adequate supervisory procedures are established for the system programmers (in addition, a security background investigation should be performed). Usually the system programmers have access to all system software. A primary control is necessary in order to reduce a programmer's ability to perform unauthorized or damaging acts that could impair the accuracy and/or reliability of the system.

4) Access to and use of privileged instructions (e.g., input and output instructions that would enable reading or writing data from another user's file) is restricted.

5) Scheduling functions are self-processing or require extensive operator intervention.

6) Improvements to the system are routinely implemented. Most of the changes are initiated as maintenance described by the vendors. The organization should control software changes by:

- establishing formal procedures that require supervisory authorization before implementation;
- ensuring all changes are thoroughly tested;
- removing critical files and application programs from the computer area while the system programmers are making changes.

Important areas in an OS audit are the following:

- Physical security: protecting the equipment guarantees that physical access to specific systems is granted only to those who need it. This is indispensable for many large organizations because they often have multiple data centers, server rooms, and operating systems. It is important to ensure that physical access is limited and secure.
- Logical security: controlled access to applications and data.
- Security policy and administration: instituting change control policies. Sound change control policies help ensure that systems are kept free of operator errors and other common problems, such as changes that are meant to be temporary but are never changed back to their original state. This also provides a good baseline review of the organization. On a side note, having a concrete and reliable standard is essential in the event of a disaster or security breach.

The following steps aim to cover each of the aforementioned topics.

- "Evaluating whether the security features have been enabled and parameters have been set to values consistent with the security policy of the organization, and verifying that all users of the system (user IDs) have appropriate privileges to the various resources and data held in the system. Next, the auditor should obtain the list of user IDs in the system and map these with actual users. Then, the auditor has to determine for each user what the permissions and privileges to the different resources/data are in the system. There are different methods, for example, commands for ascertaining this from the system for different OS. Another way is to determine for a given critical piece of data who the users with access are, and whether their access is appropriate."
- "Some of the most common security parameters that can be evaluated are password rules, such as minimum password length, password history, password required, compulsory password aging, lock-out on unsuccessful logins, login station and time restrictions. The other areas of scrutiny are whether the logging of certain events, such as unsuccessful login attempts, has been enabled or whether the superuser password is held by the appropriate person. Other OS/version-specific parameters also have to be verified."
- "Another point for examination pertains to the network. With all computers intricately connected to the internal and external networks, the network-related vulnerabilities of such systems also need to be covered in reviews, although they are even more specialized." Through suitable use of tools, the auditor should determine whether the services that are open and running on the server (such as FTP, Telnet, HTTP) or ports are only those that really are required. "If the review is being done on a system that is hosting a web server or a firewall, the evaluation must be done by an expert."
- After an assessment of the controls is performed, the auditor must conclude and report their findings and see whether any changes need to be made to the initial audit plan. This is also the time when weaknesses are brought to the attention of the appropriate parties that need to be informed, such as management. If weaknesses are discovered in the OS audit and nothing is done, it will compromise the subsequent audits of the organization's ERP (enterprise resource planning), SAP, applications, and business components.
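As an added example (not part of the original page or of any source it quotes), the following Python script carries out the three technical checks listed above as computer-assisted audit procedures on evidence collected from a Unix-like host: it maps user IDs to the HR roster and to membership of privileged groups, compares the login.defs password parameters with the organization's written policy, and compares listening services with an approved-port list. The /etc/passwd, /etc/group and /etc/login.defs excerpts, the `ss -Hltnp` output, the ROSTER, the ALLOWED_PORTS and the POLICY thresholds are all constructed for the example; the thresholds are an assumed policy, not values stated on the page.

```python
import re
from collections import namedtuple
# Constructed evidence. On a real host the auditor collects /etc/passwd, /etc/group,
# /etc/login.defs and the output of `ss -Hltnp` (or `netstat -tlnp`) as audit evidence.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
alice:x:1001:1001:Alice Liddell:/home/alice:/bin/bash
bob:x:1002:1002:Bob Kane:/home/bob:/bin/bash
jsmith:x:1003:1003:former contractor:/home/jsmith:/bin/bash
svc_backup:x:1004:1004:backup job:/var/backup:/usr/sbin/nologin
"""
GROUP = """\
wheel:x:10:alice,jsmith
sudo:x:27:alice
"""
LOGIN_DEFS = """\
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
"""
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=900,fd=4))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=915,fd=5))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=1001,fd=6))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
"""
ROSTER = {"alice", "bob"}     # current staff according to HR (constructed)
ALLOWED_PORTS = {22, 443}     # services approved for this server (assumed)
POLICY = {                    # assumed written password policy
    "PASS_MAX_DAYS": ("<=", 90),
    "PASS_MIN_DAYS": (">=", 1),
    "PASS_MIN_LEN": (">=", 12),   # on PAM systems pam_pwquality may override this
}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
PROC_RE = re.compile(r'\(\("([^"]+)"')          # process name inside ss's users:((...))
Finding = namedtuple("Finding", "area detail")  # (audit step, what was observed)

def parse_passwd(text):
    """(name, uid, shell) per passwd(5) line."""
    return [(f[0], int(f[2]), f[6]) for f in
            (ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#"))]

def parse_group(text):
    """{group: set(members)} per group(5) line."""
    return {f[0]: set(filter(None, f[3].split(","))) for f in
            (ln.split(":") for ln in text.splitlines() if ln and not ln.startswith("#"))}

def parse_login_defs(text):
    """{KEY: value} for active login.defs settings (comments stripped)."""
    pairs = (ln.split("#", 1)[0].split(None, 1) for ln in text.splitlines())
    return {k: v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def parse_ss_listen(text):
    """(local address, port, process) per `ss -Hltnp` LISTEN line."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            proc = PROC_RE.search(line)
            out.append((addr, int(port), proc.group(1) if proc else "?"))
    return out

def audit_accounts(passwd_text, group_text, roster, privileged=("wheel", "sudo")):
    """Map user IDs to real people; flag root-equivalents and orphaned privilege."""
    findings, groups = [], parse_group(group_text)
    for name, uid, shell in parse_passwd(passwd_text):
        if uid == 0 and name != "root":
            findings.append(Finding("accounts", f"{name} has UID 0 (root-equivalent)"))
        if uid >= 1000 and shell not in NOLOGIN_SHELLS and name not in roster:
            findings.append(Finding("accounts", f"{name} can log in but matches no current employee"))
    for grp in privileged:
        for member in sorted(groups.get(grp, ())):
            if member not in roster:
                findings.append(Finding("accounts", f"{member} in privileged group {grp} is not on the roster"))
    return findings

def audit_password_policy(defs_text, policy):
    """Compare login.defs aging/length parameters with the written policy."""
    findings, defs = [], parse_login_defs(defs_text)
    for key, (op, limit) in policy.items():
        value = defs.get(key)
        ok = value is not None and (int(value) <= limit if op == "<=" else int(value) >= limit)
        if not ok:
            findings.append(Finding("password-policy", f"{key}={value}, policy requires {op} {limit}"))
    return findings

def audit_listeners(ss_text, allowed_ports):
    """Flag network-reachable listeners that are not approved services."""
    return [Finding("services", f"{proc} listening on {addr}:{port} is not an approved service")
            for addr, port, proc in parse_ss_listen(ss_text)
            if addr not in LOOPBACK and port not in allowed_ports]   # loopback-only reviewed separately

def run_audit():
    return (audit_accounts(PASSWD, GROUP, ROSTER) + audit_password_policy(LOGIN_DEFS, POLICY)
            + audit_listeners(SS_OUTPUT, ALLOWED_PORTS))
```

On the constructed evidence `run_audit()` reports the second UID 0 account, the orphaned login and privileged-group membership of the former contractor, three password parameters that miss the assumed policy, and the FTP and Telnet listeners; the CUPS listener bound to loopback is deliberately left to a separate review rather than reported as network exposure. Each finding names the audit step that produced it so it can be carried straight into the report.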


Mainframe audit

What is a Mainframe?

The definition of a mainframe is not clear-cut and may vary depending on which reference is used. Most people associate a mainframe with a large computer, and though this is generally the case, mainframes are getting smaller all the time. Another problem is that technology has become so diverse and multi-operational that characteristics once found only in separate devices and systems have been combined into one product or service. Often the terms mainframe and enterprise server are used to describe the same or similar technology. The advent of the supercomputer has also eradicated the notion that a mainframe is defined simply by its size. Even though there are similarities between the two, there are obvious differences in their usage: supercomputers are generally used for their speed and complexity, while mainframes are used for storing and processing large volumes of sensitive data. The best definition the author found states that: "Mainframes used to be defined by their size, and they can still fill a room, cost millions, and support thousands of users. But now a mainframe can also run on a laptop and support two users. So today's mainframes are best defined by their operating systems: Unix and Linux, and IBM's z/OS, OS/390, MVS, VM, and VSE. Mainframes combine four important features: 1) Reliable single-thread performance, which is essential for reasonable operations against a database. 2) Maximum I/O connectivity, which means mainframes excel at providing for huge disk farms. 3) Maximum I/O bandwidth, so connections between drives and processors have few choke-points. 4) Reliability -- mainframes often allow for 'graceful degradation' and service while the system is running." (Software Diversified Services). Other properties particular to mainframes include:

- The ability to handle a large number of users simultaneously.
- Being able to distribute large workloads over different processes and input and output devices.
- That output is sent to a terminal through a program running on the mainframe, and nothing else goes over the line. This helps make mainframe data more secure (The History of Computing Project, April 27, 2005).

What is the history of mainframe systems?

The mainframe computing age got its start in 1939 with the creation of the Atanasoff-Berry Computer (ABC) in Iowa. Though not a computer in the modern sense, as it lacked general controls or purpose, it was the first proposal to use electronics for calculation and/or logic. The first computer in the modern sense was the ENIAC, completed in 1945 and used to compute World War II ballistic firing tables. This machine was very large: it consisted of 30 separate units weighing a combined 30 tons and during operation consumed roughly 150 kilowatts of electrical power. As technology improved, mainframes became more prevalent, faster, and more efficient, and were able to hold more memory and do more complex calculations. As a result, mainframe usage grew during the 1950s, 60s, and 70s. Mainframes developed during that time include the UNIVAC and the IBM 360 (The History of Computing Project, April 27, 2005).

Beginning in the early 1980s, demand for mainframes began to fall as companies felt that smaller computers (such as IBM PCs) could accomplish similar goals at a lower cost while giving users greater access to their systems. During this time IBM was left as the only major player as other companies were squeezed out or abandoned their mainframe operations. In the late 1990s demand re-emerged as companies found new uses for mainframes because of their reliability for critical operations and their flexibility in running several operations at once. At the time of the cited source (2005), IBM had over 80% of the market, and its then-current mainframes included the S/390 and the zSeries 890 and 990, which are about the size of a dishwasher and can host up to 32 gigabytes of memory. These mainframes can also process hundreds of millions of instructions per second (MIPS) (The History of Computing Project, April 27, 2005).

How are mainframes currently used?

Generally mainframes are used by large corporations and government agencies to handle the processing and protection of large volumes of data, for example sales transactions and customer inquiries. They are also used for computation-intensive applications such as analyzing seismic data and flight simulation, and as "super-servers" for large client/server networks and high-volume websites. Other uses include data mining and warehousing and electronic commerce applications (O'Brien, 2002).

What are the components of a mainframe?

The components of a mainframe can vary widely depending on the type and its role in the organization. Generally, there are four main components that are important for the purposes of this discussion:

1. The operating system: this is "the main guts" and "ensures that other applications are able to use memory, input and output devices and have access to the file system." Types of operating systems vary greatly, but common examples include Unix, MVS (Multiple Virtual Storage), and OS/390. Generally this is managed by an organization's systems technicians (The Henderson Group, October 2001; Interview, 2005).

2. The security server: this helps prevent unauthorized access and manipulation. Security software such as ACF2, RACF, and Top Secret is needed to help secure an MVS operating system. This software identifies who the user is and whether that user can perform a given function (The Henderson Group, January 2002).

3. System products: these are performance tools of the operating system. They include VTAM (Virtual Telecommunications Access Method), which manages data flow between terminals and applications (or between applications) and supports multiple teleprocessing applications, and NetView, a distributed network management system. This category also includes database management and administration tools (also called DB2 utilities) and the database manager. Another item of note that fits this category is TCP (Transmission Control Protocol), the transport protocol that carries application traffic over IP (Internet Protocol); IP provides message routing but no application-level service (Software Diversified Services, no date).

4. Application system: a decision support system. It provides graphics, statistical functions, business modeling, and forecasting. These are usually customized by the users depending on the goals of the organization (Software Diversified Services).

A company's mainframe is usually located in the data center, a facility used to house large amounts of computer equipment and data. Because of the large amount of sensitive data available, access is usually restricted.

How are mainframes audited?

The purpose of a mainframe audit is to provide assurance that processes are being implemented as required, that the mainframe is operating as it should, that security is strong, and that the procedures in place are working and are updated as needed. This often also entails the auditor making recommendations for improvement.

Obtain and Support an Understanding of the Mainframe, the Entity and its Environment

Generally this includes, but is not limited to, an understanding of the following:

- The type of mainframe, its features, usage, and its purpose in the organization.
- The nature of the entity.
- The organization's external factors, such as regulatory requirements and the nature of its industry.
- The organization's management, governance, objectives, and strategies.
- The entity's business processes.
- The organization's performance compared to the industry and its benchmarking procedures (Messier, 2003).

This information can be obtained by conducting outside research, interviewing employees, touring the data center and observing activities, consulting technical experts, and reading company manuals and business plans.

Identify Risks, Evaluate the Entity's Responses to those Risks, Obtain Evidence of Implementation, and Based on the Risk Assessment, Design and Perform Audit Procedures

General:

Passwords: who has access to what, and are employees protecting their passwords properly? Are there written policies and procedures in place stating how this is accomplished, and are they enforced? Are passwords timed out? Evidence of implementation can be obtained by requesting employee manuals, evaluating the software and user histories, and by physical observation of the environment (Gallegos, F., 2004).

Are cables adequately protected from damage and sniffing between the network and the data center? This can be achieved by proper routing of the cables, encrypted links, and a good network topology (Software Diversified Services). Physical observation of where the cables are routed and confirmation of the security procedures should be obtained. Tests of controls should be conducted to determine any additional weaknesses.

Does the mainframe have access to an uninterruptible power supply? If so, confirmation should be obtained that it exists, is available, and is adequate to meet the organization's needs.

Environmental controls: are physical controls such as access badges, fire suppression devices, and locks in place to protect the data center (and the mainframe inside) from theft, manipulation, or damage? A physical observation should be conducted and employee reference manuals examined to confirm this assurance. For all items the level of risk should be assessed, and that assessment used to determine the general or specific audit procedures used.

The Operating System

Because this is needed to run all the other applications, it is the most important and critical area to be examined.

What controls are in place to make sure the system is continually updated? Is the software configured to do it, is it done by the system technicians, or both? Examination of company procedures should be conducted and computer-assisted audit techniques employed to make a determination.

Many of the individuals responsible for maintaining the system have elevated privilege. Controls should be in place to deter unauthorized manipulation or theft of data, processes and procedures are needed, and a risk/benefit analysis should be conducted by the organization to determine who should have access to a specific application. Proper segregation of duties also needs to be verified. The company's internal controls need to be tested to determine whether they are effective, and recommendations should be made to improve any deficiencies. Samples of entries into the system should be examined to verify that the controls are effective, and unauthorized and/or suspicious voided transactions need to be investigated (Gallegos, 2004).
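As an added example (not from the page or from Gallegos), here is the kind of computer-assisted audit technique the paragraph above calls for, written in Python over a constructed extract of a transaction journal: every VOID is matched to its original posting and tested for a missing approval, self-approval by the poster or voider (a segregation-of-duties failure), an approver who does not hold the approve role, an amount that differs from the posting, and a void made outside business hours. The journal format, the user names, the ROLES table and the 08:00-18:00 window in BUSINESS_HOURS are assumptions for the example, not controls described on the page.

```python
import csv
import io
from datetime import datetime, time

# Constructed extract of an application journal: one POST per transaction,
# optionally followed by a VOID. A real extract would be pulled from the
# application's audit trail on the mainframe.
JOURNAL = """\
txn_id,action,user,approver,timestamp,amount
1001,POST,alice,,2005-05-16T09:12:00,1200.00
1001,VOID,alice,alice,2005-05-16T22:40:00,1200.00
1002,POST,bob,,2005-05-16T10:05:00,350.00
1002,VOID,bob,carol,2005-05-17T11:00:00,350.00
1003,POST,carol,,2005-05-17T14:20:00,9800.00
1003,VOID,dave,,2005-05-17T14:25:00,9800.00
1004,POST,bob,,2005-05-17T15:00:00,500.00
1004,VOID,bob,carol,2005-05-17T16:30:00,5000.00
"""
# Assumed role assignments, as they would be read from the security server.
ROLES = {"alice": {"post"}, "bob": {"post"}, "carol": {"post", "approve"}, "dave": {"post"}}
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed policy window for voids

def load_journal(text):
    """Parse the CSV extract into a list of row dicts (one per journal line)."""
    return list(csv.DictReader(io.StringIO(text)))

def analyse_voids(entries, roles, hours=BUSINESS_HOURS):
    """Return (txn_id, reason) for every void that fails one of the control tests."""
    posted = {e["txn_id"]: e for e in entries if e["action"] == "POST"}
    exceptions = []
    for e in entries:
        if e["action"] != "VOID":
            continue
        txn, voider, approver = e["txn_id"], e["user"], e["approver"]
        original = posted.get(txn)
        poster = original["user"] if original else None
        when = datetime.fromisoformat(e["timestamp"])
        # The void must refer to a real posting and reverse the same amount.
        if original is None:
            exceptions.append((txn, "void has no matching posting"))
        elif e["amount"] != original["amount"]:
            exceptions.append((txn, f"void amount {e['amount']} differs from posted {original['amount']}"))
        # Authorization and segregation of duties: an approver must be recorded,
        # must be neither the poster nor the voider, and must hold the approve role.
        if not approver:
            exceptions.append((txn, f"void by {voider} has no recorded approval"))
        elif approver in (voider, poster):
            exceptions.append((txn, f"void approved by {approver}, who posted or voided it"))
        elif "approve" not in roles.get(approver, set()):
            exceptions.append((txn, f"approver {approver} does not hold the approve role"))
        # Voids outside the business day are selected for follow-up with the user.
        if not hours[0] <= when.time() <= hours[1]:
            exceptions.append((txn, f"void at {when:%Y-%m-%d %H:%M} is outside business hours"))
    return exceptions

def run_analysis():
    return analyse_voids(load_journal(JOURNAL), ROLES)
```

On the constructed journal, transaction 1001 is flagged twice (self-approved and voided late at night), 1003 once (no approval recorded) and 1004 once (the void reverses ten times the posted amount); 1002 passes every test. Each exception is a sample item the auditor would trace back to source documents rather than a conclusion in itself.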

The operating system should leave a full audit trail so that assurances by management can be verified. Any deficiencies in this area will, depending on the circumstances, either require more audit investigation and work or leave the audit team unable to rely on management's assurances.

Are there any processes on the system that could needlessly compromise other components? Tests and procedures need to be conducted to determine whether this is the case. Procedures and measures need to be in place to minimize the risk of unauthorized access through backdoors in the system, such as the Program Properties Table (PPT). An audit of an MVS system needs to confirm that all entries through this door are appropriate and were made with proper authorization. In addition there should be an accurate audit trail that can be followed. This can often be accomplished by examining the bypass-password-protection and protection-key attributes of each PPT entry, and by examining entries for reasonableness. Mainframe vendors such as IBM provide information that can help determine whether PPT entries are reasonable. A software tool such as CA-Examine can also be helpful in this endeavor (The Henderson Group, October 2001).

Security Server

Because the security administrators who manage this not only have elevated privilege but also model and create the user passwords, this area always takes high priority during an audit. Is proper segregation of duties implemented and enforced, and are technology and procedures in place to make sure there is a continuous and accurate audit trail? Controls need to be in place to minimize the risk of unnecessary and unauthorized entry into the system and to protect passwords. Computer-assisted audit techniques should be used to explore the system, and on-hand observations should be conducted to verify that procedures such as segregation of duties are being followed. Security systems such as RACF, ACF2, and Top Secret need to be constantly evaluated to verify that they are providing the necessary security and whether additional protection, such as new firewalls, is needed. Before beginning an audit of these systems, printouts should be obtained that provide detailed information pertaining to specific fields, the UID string, rules, and/or additional explanations. With this information the security configuration can be more easily understood and evaluated (The Henderson Group, August 2002).

System Products

When auditing DB2 the auditor should be most concerned with whether the security measures in the software properly control who can use it and which data a user can read or write. Controls by management should be in place to prevent unauthorized access or manipulation, and to track how many copies of the software are in use and for what. For VTAM the auditor's concerns include whether the applicable security software is consulted when an employee logs in. This is to prevent terminated employees from entering the system, because the security software is updated immediately while other software generally is not. Because all connections to the system come through VTAM, the dataset describing the connections should be constantly monitored and examined. Internal controls over backdoors into the system should be sufficient to minimize unauthorized entry, and the auditor should determine what these controls are so they can be tested appropriately. Software tools such as CA-Examine and Consul can be used for this purpose and to find additional backdoors. It should also be verified that certain sensitive network connections are encrypted, and that the rules controlling the use of applids (programs that terminals can be connected to) and terminals are adequate (The Henderson Group, January 2002).

Application System

This area of the audit should be concerned with the performance and controls of the system, its ability to limit unauthorized access and manipulation, that input and output of data are processed correctly on the system, that any changes to the system are authorized, and that only authorized users have access to the system. Evaluating internal controls and testing the software with computer-assisted audit techniques, including vulnerability assessment tools, should be done to achieve these objectives (Gallegos, 2004).

It should be noted that the vast majority of these computer-assisted audit techniques for the mainframe and its supporting systems can in most cases be conducted from a simple 3270 terminal connected to the network (interview of a computing security specialist and IT auditor at Boeing, conducted to obtain information for this paper).

Evaluate Whether Sufficient Evidence was Obtained

After performing the necessary tests and procedures, determine whether the evidence obtained is sufficient to come to a conclusion and recommendation. If it is, a final report and/or recommendation can be completed. If the evidence is insufficient and the matter is material, further testing will be required, unless the information is unattainable, in which case a full report cannot be completed.

How is the security of the mainframe maintained?

Mainframes, despite their reliability, hold so much data that precautions need to be taken to protect the information they hold and the integrity of the system. To do this, internal controls must be put in place. These include:

- Physical controls over the mainframe and its components.
- Encryption techniques.
- Procedures that prevent unnecessary and unauthorized entries into a system and that ensure input, output, or processing is recorded and accessible to the auditor. This is particularly important for people with elevated privilege.
- Security software such as RACF, ACF2, and Top Secret.
- Constant testing of the security system to determine any potential weaknesses.
- Properly protecting backdoor accesses.
- Continual examination of the techniques to determine effectiveness.

To gauge the effectiveness of these internal controls an auditor should do outside research, physically observe controls as needed, test the controls, perform substantive tests, and employ computer-assisted audit techniques when prudent.

Gallegos, F., Senft, S., Manson, D., Gonzales, C. (2004). Information Technology Control and Audit. (2nd ed.) Boca Raton, Florida: Auerbach Publications.

Messier Jr., W. F. (2003). Auditing & Assurance Services: A Systematic Approach. (3rd ed.) New York: McGraw-Hill/Irwin.

Philip, G. (2000). The University of Chicago Press: Science and Technology Encyclopedia. Chicago, IL: The University of Chicago Press.

Wikipedia (May 19, 2005). Mainframe Computer. Wikipedia: The Free Encyclopedia. Retrieved May 20, 2005 from the World Wide Web at: [7]

O'Brien, J. A. (2002). Management Information Systems: Managing Information Technology in the E-Business Enterprise. (5th ed.) New York: McGraw-Hill/Irwin.

Retrieved from "http://en.wikipedia.org/wiki/Mainframe_audit"



Database audit

What is a database?

A database is an integrated aggregation of data usually organized to reflect logical or functional relationships among data elements (Gallegos 759). In simple terms, a database is a computerized record keeping system. A database includes a system involving data, hardware that physically stores the data, software that utilizes the hardware’s file system in order to store the data and provide a standardized method for retrieving or changing the data, and the users who access the data and turn it into information. Data consists of raw facts and figures that are meaningless by themselves, and can be expressed in characters, digits, and symbols, which can represent people, things, and events (Gallegos 759).

What are the commonly used databases?

Some examples of databases that are currently used by businesses include Oracle, Microsoft SQL Server, Sybase ASE, Sybase ASA, and IBM DB2.

Is security important in databases and what does it comprise?

Database system security is a serious issue affecting an organization’s information security, damage, and loss (Mookhey 1). It is common for an organization to make every effort to lock down their network, but leave the database vulnerable. It is critical to protect the database from unauthorized access because 90% of the organization’s sensitive information is contained within their database. Unauthorized access into the database could be catastrophic to a company.

Companies often do not realize how much risk is associated with the sensitive information within their database until an internal audit is conducted, which gives the details regarding who can access the sensitive data. Tremendous financial losses could result if an employee with access to the sensitive data distributed the confidential information of the business or its customers. Depending on the severity of the security breach, the company’s reputation could be adversely affected, resulting in a decline in sales and in consumer and investor confidence.

Each company will need to decide the level of security that suits its organization. This will require an evaluation of the sensitivity of the data within its database. While considering options to protect the sensitive database information, the business should ensure that its privacy protection measures do not interfere with authorized persons obtaining the right data at appropriate times (Nevins 2). A database security solution should also be application transparent, meaning that no changes need to be made to the underlying applications. This will provide a faster implementation and lower support costs.

Scott Nevins, the president and CEO of Protegrity, and the author of “Database Security: Protecting Sensitive and Critical Information,” considers making sure that you have a secure audit trail for tracking and reporting activity around confidential data the key issue when purchasing a database security solution. The author also lists additional topics to consider when selecting a database security technology, such as fast performance, the ability to work across applications, and ease of implementation. IT security experts also recommend selectively encrypting and securing sensitive database information. This process of wrapping each individual data item in its own protective security layer is much more effective than simply building a firewall around the database. With only a firewall protecting the database, if the firewall is penetrated, the data is vulnerable to intruders. Encrypting the data provides an extra layer of protection. Nevins also notes that one of the best ways to develop an effective database security solution is to recognize that securing the data is essential to the company’s reputation, profitability, and critical business objectives.

Poor database security is a leading contributor to the incidence of identity theft; the fewer security measures an organization has in place to protect the database, the higher the incidence of identity theft will be. Much of the personal information that is used to commit identity theft, such as Social Security numbers and credit card or bank account numbers, is stored in databases. Law enforcement experts estimate that more than half of all identity theft cases are committed by employees with access to large financial databases (Nevins 2). That means that more than 50% of identity theft cases are committed by employees within the organization who have access to the database. As more and more security breaches relating to databases occur, audit committees are becoming increasingly stringent about protecting customer information.

There are currently data-privacy regulations in place that many companies must comply with. These regulations include best practice requirements and industry guidelines regarding the usage of and access to customer data. Data security is no longer an option; government legislation and industry regulations mandate it.

Some of the privacy requirements in place for protecting personal information include proper access control, selective encryption of stored data, separation of duties, and centralized independent audit functions (Nevins 2). Financial institutions are currently regulated by the Gramm-Leach-Bliley Act (GLBA), which requires the protection of non-public personal data while in storage and implements a variety of access and security controls. These access and security controls are crucial. A 2002 Computer Crime and Security Survey revealed that over half of the databases in use have some kind of a security breach on a yearly basis. Such a security breach can cost the organization approximately $4 million in losses. Many organizations will do their best to cover up security breaches within their company so as not to alarm customers and harm the business’ profitability. Many professionals in the field believe that there is much more unauthorized access to databases than corporations are willing to admit. In an effort to keep companies from covering up security breaches that occur within their organizations, the state of California recently enacted a law that mandates public disclosure of computer security breaches in which confidential information may have been compromised.

With the recent database hacks at companies such as Lexis Nexis and the loss of Bank of America data tapes containing the personal and financial information of over 1.2 million customers, as well as the increase in identity theft, we are likely to see more legislation in the coming months and years regarding data security. The good news is that unauthorized access to the database and the misuse of data can be prevented with database security products and new audit procedures. Management must realize that information security is no longer just an IT function; it is a business necessity that must be grasped by the organization as a whole.

What practical security measures can be put in place?

Database security can be broken down into the following key categories:

- Server Security
- Database Connections
- Table Access Control
- Restricting Database Access

Server Security: Server security is the process of limiting access to the database server. This is one of the most basic and most important components of database security. It is imperative that an organization does not let its database server be visible to the world. If an organization’s database server is supplying information to a web server, then it should be configured to allow connections only from that web server. Also, every server should be configured to allow only trusted IP addresses.

Database Connections: With regard to database connections, system administrators should not allow immediate unauthenticated updates to a database. If users are allowed to make updates to a database via a web page, the system administrator should validate all updates to make sure that they are warranted and safe. Also, the system administrator should not allow users to use the “sa” designation when accessing the database. This gives employees complete access to all of the data stored on the database regardless of whether or not they are authorized to have such access.

Table Access Control: Table access control is related to an access control list, which is a table that tells a computer operating system which access rights each user has to a particular system object. Table access control has been referred to as one of the most overlooked forms of database security. This is primarily due to the fact that it is so difficult to apply. In order to properly use table access control, the system administrator and the database developer will need to collaborate.

Restricting Database Access: Internet based databases have been the most recent targets of attacks, due to their open access or open ports. It is very easy for criminals to conduct a “port scan” to look for the ports that popular database systems use by default and that have been left open (Weidman 4). The ports that are used by default can be changed, thus throwing off a criminal looking for open ports set by default. There are additional security measures that can be implemented to prevent open access from the Internet, such as:

- Trusted IP addresses: servers can be configured to answer pings from a list of trusted hosts only.
- Server account disabling: the server ID can be suspended after three password attempts.
- Special tools: products can be used to send an alert when an external server is attempting to breach the system’s security. One such example is RealSecure by ISS.

In previous years, businesses focused on preventing access to their databases via perimeter security. Perimeter security includes items such as firewalls and intrusion detection equipment. The problem with this method, however, is that it only protects information from those outside the organization that might attempt to retrieve information from the database. As was stated earlier, the majority of security breaches that occur are by those individuals that are within the organization. As we conclude our discussion of database security, it is important to remember that database security should occur in conjunction with other security technologies, but data protection should be the core element of a complete enterprise security infrastructure (Nevins 1).

What are the main issues surrounding a database audit?

The primary security concerns of the auditor when conducting a database audit include authentication and authorization issues. The following general principles for developing an audit strategy, auditing suspicious database activity, and auditing normal database activity can guide the auditor throughout the audit.

General Principles for Developing an Audit Strategy:

- Evaluate your purpose for auditing: in order to have an appropriate auditing strategy and to avoid unnecessary auditing, you must have a clear understanding of the reasons for auditing.
- Audit knowledgeably: in order to prevent unnecessary audit information from cluttering the meaningful information, it is important to audit the minimum number of statements, users, or objects required to get the targeted information.

General Principles for Auditing Suspicious Database Activity:

- Audit generally, then specifically: enable general audit options at first, then use more specific audit options. This will help the auditor gather the evidence required to make concrete conclusions regarding the origins of suspicious database activity.
- Protect the audit trail: protect the audit trail so that audit information cannot be added, changed, or deleted without being audited.

General Principles for Auditing Normal Database Activity: Auditing normal database activity refers to the process of gathering historical information about particular database activities.

- Audit only pertinent actions: in order to avoid cluttering the meaningful information with useless audit information, audit only the targeted database activities.
- Archive audit records and purge the audit trail: after you have collected the required information, archive audit records that are of interest and purge the audit trail of this information.

What are the options auditors have for database audits?

Using an automated database audit solution:

In order to ensure that unauthorized users are not accessing the database, the auditor will need to audit user activity. Auditing user activity provides the auditor with assurance that the policies, procedures, and safeguards that management has enacted are working as intended (Mazer 1). This also helps the auditor to identify any violations that may have occurred.

Auditing user activity can be accomplished via continuous data auditing. Continuous data auditing is the process of monitoring, recording, analyzing, and reporting database activity on a periodic basis. This is a critical concept because unauthorized access to the database and the information contained within can occur at any time. If the auditor is using a testing schedule, violators can easily sidestep that schedule. This is not the case, however, with continuous data auditing. The auditor and management must be able to identify which behavior is suspicious versus which behavior is routine. Any behavior that is not identified as routine and valid access to the database must be examined and analyzed further.

Before beginning the audit, the auditor should assess the database environment. This includes identifying and prioritizing the users, data, activities, and applications to be monitored (Mazer 2). The Internal Audit Association lists the following as key components of a database audit:

1. Identify all database systems and use classifications. This should include production and test data.

2. Classify data risk within the database systems. Monitoring should be prioritized for high, medium, and low risk data.

3. Analyze access authority. Users with higher degrees of access permission should be under higher scrutiny, and any account for which access has been suspended should be monitored to ensure access is denied and attempts are identified.

4. Assess application coverage. Determine what applications have built-in controls, and prioritize database auditing accordingly. All privileged user access must have audit priority. Legacy and custom applications are the next highest priority to consider, followed by the packaged applications.

5. Ensure technical safeguards. Make sure access controls are set properly.

6. Audit activity. Monitor data changes and modifications to the database structure, permission and user changes, and data viewing activities.

7. Archive, analyze, review, and report audit information. Reports to auditors and IT managers must communicate relevant audit information, which can be analyzed and reviewed to determine if corrective action is required. Organizations that must retain audit data for long-term use should archive this information with the ability to retrieve relevant data when needed.

The first five steps listed are to be performed by the auditor manually, while the last two steps are best achieved by using an automated solution.

The ideal approach to effectively capture and analyze database activity is through non-trigger audit agents associated with each database server. Non-trigger audit agents capture all relevant activity, regardless of the application used (Mazer 3). In comparison, database triggers (an automatic procedure that runs when data has been altered in a table) are not recommended, as database administrators can easily disable them. The non-trigger database audit agents gather information through two means:

1. Database transaction log: each database maintains a database transaction log through the normal course of its operation, which gathers data modifications and other activity.

2. Database’s built-in event notification mechanism: obtains additional information, such as permission changes and data viewing activities.

Data Access Auditing:

Data access auditing is a surveillance mechanism that watches over access to all sensitive information contained within the database. This mechanism brings only the suspicious activity to the auditor’s attention.

As was previously discussed, databases generally organize data into tables containing columns. Access to the data generally occurs through a language called Structured Query Language or SQL (Richardson 2). The perfect data access auditing solution would address the following six questions:

1. Who accessed the data?

2. When?

3. Using what computer program or client software?

4. From what location on the network?

5. What was the SQL query that accessed the data?

6. Was it successful; and if so, how many rows of data were retrieved?

The auditor can choose to either audit within the client, audit within the database, or audit
between the client and the database. The following graphic depicts these options:
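As an added example (not code from the original article or from any audit product it names), the following Python sketches a minimal data access audit trail: each record answers the six questions above, the records are hash-chained so that the "protect the audit trail" principle (a changed, removed or inserted record becomes detectable) can be verified, and a routine baseline separates routine from suspicious access in the way continuous data auditing requires. The users, hosts, programs, timestamps and statements are constructed sample data.

```python
"""Added example, not from the original article: a tamper-evident data
access audit trail answering the article's six questions, with a
continuous-auditing pass that flags non-routine access. All users, hosts,
programs, timestamps and SQL statements are constructed sample data."""
from dataclasses import dataclass, asdict, replace
import hashlib
import json
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRecord:
    user: str       # 1. who accessed the data
    when: str       # 2. when (ISO 8601 text, constructed)
    program: str    # 3. which client program or software
    host: str       # 4. from what location on the network
    sql: str        # 5. the SQL statement that accessed the data
    success: bool   # 6. was it successful ...
    rows: int       # ... and how many rows were retrieved


def link_hash(prev_hash: str, rec: AccessRecord) -> str:
    """Hash of the previous link plus the canonical JSON of this record.
    Every later hash depends on this one, so changing, removing or
    inserting a record breaks all links after it. The newest hash should
    be kept outside the database so the tail is covered as well."""
    payload = prev_hash + json.dumps(asdict(rec), sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Tuple[AccessRecord, str]] = []

    def append(self, rec: AccessRecord) -> None:
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        self.entries.append((rec, link_hash(prev, rec)))

    def verify(self) -> Optional[int]:
        """Index of the first record whose link does not check out, or
        None when the whole chain is intact."""
        prev = self.GENESIS
        for i, (rec, stored) in enumerate(self.entries):
            if link_hash(prev, rec) != stored:
                return i
            prev = stored
        return None


def find_suspicious(trail: AuditTrail,
                    routine: Set[Tuple[str, str, str]],
                    max_rows: int) -> List[AccessRecord]:
    """Continuous-auditing pass: any access whose (user, program, host)
    triple is not a known routine one, any use of the shared 'sa' login,
    and any statement returning more than max_rows rows is flagged."""
    return [rec for rec, _ in trail.entries
            if (rec.user, rec.program, rec.host) not in routine
            or rec.user == "sa" or rec.rows > max_rows]


# Constructed sample: routine application traffic plus one bulk export of
# sensitive columns from a workstation and client that are not in the baseline.
ROUTINE = {("jsmith", "ap_app", "10.0.5.21"), ("mlee", "ap_app", "10.0.5.22")}
SAMPLE = [
    AccessRecord("jsmith", "2005-05-20T09:01:00", "ap_app", "10.0.5.21",
                 "SELECT * FROM vendor WHERE id = 42", True, 1),
    AccessRecord("mlee", "2005-05-20T09:05:00", "ap_app", "10.0.5.22",
                 "UPDATE invoice SET paid = 1 WHERE id = 17", True, 1),
    AccessRecord("jsmith", "2005-05-20T11:40:00", "sqlclient", "10.0.9.77",
                 "SELECT ssn, acct FROM customer", True, 120000),
    AccessRecord("mlee", "2005-05-20T12:00:00", "ap_app", "10.0.5.22",
                 "SELECT * FROM invoice WHERE id = 18", False, 0),
]


def build_sample_trail() -> AuditTrail:
    trail = AuditTrail()
    for rec in SAMPLE:
        trail.append(rec)
    return trail


def demo() -> Tuple[Optional[int], List[str], Optional[int]]:
    """Returns (check on intact chain, flagged users, check after tampering)."""
    trail = build_sample_trail()
    intact = trail.verify()
    flagged = [r.user for r in find_suspicious(trail, ROUTINE, 1000)]
    # Simulate someone with write access to the audit store shrinking the
    # row count of the bulk export while leaving the stored hash in place:
    # verification now points at that record.
    rec, stored = trail.entries[2]
    trail.entries[2] = (replace(rec, rows=1), stored)
    return intact, flagged, trail.verify()


if __name__ == "__main__":
    print(demo())
```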


33

Enterpri
se Resource Planning audit

What is an ERP system?

Any software system designed to support and automate the business processes of medium and
large businesses. This may include manufacturing, distribution, personnel, project management,
payroll, and financia
ls.
Enterprise Resource Planning

systems are accounting
-
oriented
information systems for identifying and planning the enterprise
-
wide resources need
ed to take,
make, distribute, and account for customer orders. ERP systems were originally extensions of
MRP II systems, but have since widened their scope. The basic premise of ERP systems is to
implement a
single information warehouse that will service a
ll of the functional areas of a
business
: marketing and sales, production and materials management, accounting and finance,
and human resources. Information is updated real
-
time in the ERP database, so that employees in
all business units are using the sam
e information, and all information is up
-
to
-
date.

How have ERP systems impacted the nature of auditing?

The interaction and flow of information, issues with data and the processing of data, controls and security of the data and the systems, and training of employees are the four major areas in which ERPs have impacted the nature of auditing. The increased implementation and use of ERP systems in today’s business environment, and especially in financial reporting, means auditors must become knowledgeable about ERPs. When a company uses an ERP system, the audit focus shifts from substantive testing of the books of account to understanding the business processes, testing the systems and applications controls, as well as controls over system access. The technical complexity of ERP systems has required auditors to increase their knowledge of information technology and more often supplement their audits with outside technical expertise. At the same time, auditors must retain a firm grasp of how accounting entries and processes are performed manually, so that they can ensure that the computer is automating the process correctly.

What is the history of ERP systems?

The root of ERP systems began in the manufacturing industry, where software was developed during the 1960s and 1970s to track inventory. The first software incarnation, called Materials Requirements Planning (MRP) software, was introduced in 1975 and allowed plant managers to coordinate the planning of production and raw material requirements. MRP software worked backwards from sales forecasts, factoring in lead times and then determining the order size and timing. MRP was the first attempt at an integrated information system (Brady 20).

MRP was made possible by mainframe computers handling the basic functions through sequential file processing and electronic data interchange (EDI), which increased the availability of up-to-date information (Brady 20).

With improvements in mainframe computers during the 1980s, the idea of MRP was expanded into Manufacturing Resource Planning (MRP II) systems. Instead of using the information system to run only the manufacturing unit of a business, the goal of MRP II was to have a company’s manufacturing, engineering, marketing, and finance units run on the same information system, thus using the same set of data (Tibben-Lembke).

The first true ERP system began development in 1972 when five former IBM systems analysts formed a company that was to become Systems, Applications and Products in Data Processing (SAP). With the goal of developing standard software to integrate business processes and make data available in real time, the founders began developing a standard financial accounting package. Soon after, a Materials Management program, with modules for Purchasing, Inventory Management and Invoice Verification, followed. In 1978, SAP developed a more integrated version of its software products, called the SAP R/2 system. R/2 took full advantage of the current mainframe computer technology, allowing for interactivity between modules and additional capabilities like order tracking (Brady 20-21).

In 1992, SAP released its SAP R/3 system, which took four years to develop. The main feature of R/3 that distinguished it from previous ERP systems is its use of client-server hardware architecture. This setup allows the system to run on a variety of computer platforms such as Unix and Windows NT. R/3 was also designed with an open-architecture approach, allowing third-party companies to develop software that will integrate with SAP R/3 (Brady 22). During the 1990s, ERP competition increased dramatically, with companies such as Oracle Corporation, PeopleSoft, J.D. Edwards and Baan producing such systems. Currently, SAP and Oracle are the two leading ERP system developers.

How do you audit an ERP system?

There are few rules that can be applied to all ERP auditing situations. As each system serves the client in a different capacity and has been altered to fit the client’s business model, ERP auditors must be flexible and creative in designing an audit plan. On the same note, there are no hard rules on splitting roles and responsibilities between audit groups. Role differentiations are determined on a client-to-client basis, as a function of auditor experience, expertise and training. A common distinction is made between financial auditors and information systems auditors. However, with ERP, financial reporting and especially internal accounting controls must be audited working through the computer; therefore, it is important that auditors have knowledge of both accounting and technology, learning new skill sets in the process (Moulton). Specialists are also commonly hired to determine if complex technology is working correctly. The concept of an “integrated auditor,” who has enough accounting and IT knowledge to work both sides of the audit, has emerged as a workable solution to the complexities of ERP auditing (Hahn).

ERP systems are technically complex, with the system residing on multiple computers and the flexibility to support multiple configurations and customizations (Hahn). To begin understanding a client’s ERP system, auditors must evaluate how the technology relates to the business environment. To determine the scope of the audit, they must take into consideration:

- how the technology is used in the organization
- the number of people using the technology
- which ERP models have been implemented
- the existence of distributed applications
- whether legacy systems are used and to what capacity (Hahn)

Auditors must go through a significant amount of training to acquire the knowledge necessary to adequately understand the functioning of an ERP system and how it intakes data and produces financial reports. Auditors must also consider learning new tools to take advantage of functions in ERP systems. SAP’s language, ABAP/4, would be useful for an auditor to know so that he can examine the programming code when there is a question about the functioning of the system (Hahn). As another example, Oracle’s database comes with its own set of basic auditing actions designed to detect unauthorized access and internal abuse of the data being stored (Finnigan).

ERPs have specifically influenced the auditing profession in four main ways: the interaction and flow of information, issues with data and the processing of data, controls and security of the data and the systems, and training of employees who use the ERP systems.

Interaction and the Flow of Information - With an ERP system, operational and financial data are tied together through a complex information flow. Transactions can be automatically entered without review or pre-checking. Therefore, ERPs make it difficult to perform financial audits without relying on system controls. Such controls should be designed, in part, to prevent inaccurate or false information from entering the system. As many transactions are automated functions of modules creating information entries for other modules, it is impossible to audit “around the computer” (i.e. comparing input to output). Rather, auditing must be done “through the computer” (i.e. testing the system process that the input went through to create the output), using such methods as test decks and parallel simulation. In order to conduct a proper audit through the computer, the auditor must have a certain level of understanding about technology and how the system functions.

The ideal of a “paperless office” is facilitated through an ERP system, because the system is centralized and communicates data from a common internal source, the database. Instead of hardcopy evidence, ERPs create event history logs for a visible trail of evidence to trace information to the original input source (Adint). These audit trails allow an auditor to both detect when an undesirable event has occurred and reconstruct an event by what happened. At a minimum, the trails should contain the user ID, the date and time of the event, and the action taken. Other information could include previous and current field values (Adint). Auditors of ERP systems need to be cognizant of how to use these audit trails and the appropriateness of their design because it impacts the ability to rely on system controls or the output created.

Because ERPs are customizable and often changed by an organization’s internal programmers, auditors must pay attention to how these changes take place. The production code forms the basis of running the ERP system. To protect this valuable asset, changes in the production code should be:

- authorized by the business owner (if functional) or IT manager (if technical)
- tested thoroughly
- approved by the business owner or IT manager
- performed by an authorized person
- documented

To verify that the controls of authorization and approval are valid, any change to the code should be traceable to a request. Access to the production code should be limited and traceable to the authorized individual who made changes. To check these, auditors must look for hard-copy documentation, such as change request forms, as well as documentation embedded in the code itself (Adint).

Controls and Security - It is important for any entity to segregate the duties of authorization of transactions, recording of transactions, and custody of transactions. Auditors should examine the business process flows to identify where authorization, recording, and custody of a business transaction take place, and compare it to how the user responsibilities have been designed. Often user responsibilities are given wide-open access for the initial installation, but rarely are access restrictions introduced once the system has proven functional. Also, the auditors should check to see if the segregation of duties is accomplished with a combination of system and off-line controls. Segregation of duties should be designed into user responsibilities and functions, and documented in the business requirements stage. The auditor should determine which users were given access to what functions by examining documentation from the implementation stage (Cooke).

The same segregation rule needs to be applied to IT functions to ensure system integrity. For example, IT personnel should not have user responsibilities. This serves the purpose of segregating development and production activities. IT personnel are responsible for maintaining the production software, including the associated controls, while production data is owned by the business users and serves as a record for business activities (Adint). If these duties were not segregated, a transaction could be processed with circumvented controls, compromising data integrity.
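An added example, not from the original article: a segregation-of-duties check over user responsibilities of the kind the two paragraphs above ask the auditor to perform, covering both the three business duty classes within a transaction cycle and IT staff who also hold user responsibilities. The function catalogue and user assignments are constructed and hypothetical, not any real ERP's role model.

```python
"""Added example (not from the original article): segregation-of-duties
check over ERP user responsibilities. The catalogue of functions and the
user assignments are constructed, hypothetical sample data."""
from typing import Dict, List, Set, Tuple

# Constructed catalogue: function name -> (transaction cycle, duty class).
# The three business duty classes are the ones the article names:
# authorization, recording and custody. Technical functions carry the
# cycle "it" so that development and production can be kept apart.
FUNCTIONS: Dict[str, Tuple[str, str]] = {
    "create_purchase_order":   ("purchasing", "authorization"),
    "approve_purchase_order":  ("purchasing", "authorization"),
    "post_ap_invoice":         ("purchasing", "recording"),
    "release_payment":         ("purchasing", "custody"),
    "approve_credit_limit":    ("sales", "authorization"),
    "enter_sales_order":       ("sales", "recording"),
    "receive_cash":            ("sales", "custody"),
    "modify_production_code":  ("it", "development"),
    "transport_to_production": ("it", "development"),
}

Finding = Tuple[str, str, str]  # (user, finding type, detail)


def sod_findings(users: Dict[str, Set[str]]) -> List[Finding]:
    """Report every user holding two or more of the three business duty
    classes within one transaction cycle, every IT user who also holds
    business responsibilities, and every function the catalogue does not
    know (an unknown function cannot be shown to be harmless)."""
    findings: List[Finding] = []
    for user in sorted(users):
        duties: Dict[str, Set[str]] = {}
        for func in sorted(users[user]):
            if func not in FUNCTIONS:
                findings.append((user, "unknown_function", func))
                continue
            cycle, duty = FUNCTIONS[func]
            duties.setdefault(cycle, set()).add(duty)
        business_cycles = [c for c in sorted(duties) if c != "it"]
        for cycle in business_cycles:
            if len(duties[cycle]) > 1:
                findings.append((user, "duty_conflict",
                                 f"{cycle}: {', '.join(sorted(duties[cycle]))}"))
        if "it" in duties and business_cycles:
            held = sorted(f for f in users[user]
                          if f in FUNCTIONS and FUNCTIONS[f][0] != "it")
            findings.append((user, "it_with_user_role", ", ".join(held)))
    return findings


# Constructed sample of responsibilities as an auditor might pull them
# from the implementation documentation.
USERS: Dict[str, Set[str]] = {
    "ap_clerk": {"post_ap_invoice"},
    "ap_supervisor": {"approve_purchase_order", "post_ap_invoice",
                      "release_payment"},             # all three duties
    "cashier": {"receive_cash", "enter_sales_order"},  # custody + recording
    "developer": {"modify_production_code", "transport_to_production",
                  "post_ap_invoice"},                 # IT with a user role
    "buyer": {"create_purchase_order", "legacy_report_x"},  # unknown function
}

if __name__ == "__main__":
    for finding in sod_findings(USERS):
        print(finding)
```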

Auditors must now be aware of the logical security of data used by the ERP system. Logical security includes user IDs and passwords. Auditors must make sure that user IDs are unique, because unique IDs ensure accountability and the ability to trace actions to individuals. The ability to sign on with a generic ID needs to be tightly controlled. This requires changing all the default passwords for generic IDs that the ERP comes with and allowing few employees to know what the new password is. As an example, Oracle databases come programmed with generic ID passwords such as CHANGE_ON_INSTALL, MANAGER, and ORACLE (Adint). The problem with retaining the default passwords in prepackaged systems is that these passwords are open to the public and anyone who has network access can use them to gain access to the system.

Auditors also must look at corporate policy regarding application and database passwords. Passwords form the basis of logical security and strong passwords protect the data from unauthorized access. Clear policies stress the importance of employees creating strong, complex passwords. Password policies should encompass minimum length, complexity requirements, expiration periods and lockout times. An example policy would include:

- Minimum of 8 characters
- Cannot be one of the user’s previous four passwords
- Contains at least one letter or number
- Contains at least one special character
- Not based on words found in the dictionary or on proper names
- Expires in 14 days (Adint)
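An added example, not from the original article: a checker for the example policy listed above, extended with a check against the generic default passwords named earlier in this section. The word list, the default list and the password history are constructed sample data, and the hypothetical history store uses PBKDF2 only so that previous passwords are not kept in clear text.

```python
"""Added example (not from the original article): checker for the
article's example password policy plus its named vendor defaults. The
word list, the default list and the history entries are constructed."""
from datetime import date, timedelta
import hashlib
import os
import re
from typing import List, Tuple

MIN_LENGTH = 8          # minimum of 8 characters
HISTORY_DEPTH = 4       # cannot be one of the previous four passwords
EXPIRY_DAYS = 14        # expires in 14 days
PBKDF2_ROUNDS = 10_000  # kept low for the example; use far more in production

# Constructed word list of dictionary words and proper names (lower case).
WORDLIST = {"password", "welcome", "summer", "chicago", "smith"}
# Generic-ID defaults the article names for Oracle; never acceptable.
KNOWN_DEFAULTS = {"CHANGE_ON_INSTALL", "MANAGER", "ORACLE"}

HistoryEntry = Tuple[bytes, bytes]  # (salt, derived key)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, PBKDF2_ROUNDS)


def remember(history: List[HistoryEntry], password: str) -> List[HistoryEntry]:
    """Return a new history holding this password and at most the
    HISTORY_DEPTH most recent entries; older ones may be reused again."""
    salt = os.urandom(16)
    return (history + [(salt, hash_password(password, salt))])[-HISTORY_DEPTH:]


def in_history(history: List[HistoryEntry], password: str) -> bool:
    return any(hash_password(password, salt) == key for salt, key in history)


def violations(password: str, history: List[HistoryEntry]) -> List[str]:
    """List every policy rule the candidate breaks; an empty list means
    the password is acceptable under the example policy."""
    broken: List[str] = []
    if len(password) < MIN_LENGTH:
        broken.append("shorter than 8 characters")
    if in_history(history, password):
        broken.append("matches one of the previous four passwords")
    if not re.search(r"[A-Za-z0-9]", password):
        broken.append("no letter or number")
    if not re.search(r"[^A-Za-z0-9]", password):
        broken.append("no special character")
    # "Based on" a word: the letters alone equal a listed word, or contain a
    # listed word of four or more letters, so "Welcome1!" is still rejected.
    letters = re.sub(r"[^a-z]", "", password.lower())
    if letters in WORDLIST or any(w in letters for w in WORDLIST if len(w) >= 4):
        broken.append("based on a dictionary word or proper name")
    if password.upper() in KNOWN_DEFAULTS:
        broken.append("vendor default password")
    return broken


def is_expired(set_on: date, today: date) -> bool:
    """True once EXPIRY_DAYS have passed since the password was set."""
    return today - set_on >= timedelta(days=EXPIRY_DAYS)


if __name__ == "__main__":
    hist = remember([], "Winter!2005x")
    print(violations("Winter!2005x", hist))
    print(violations("Welcome1", []))
    print(violations("MANAGER", []))
    print(is_expired(date(2005, 5, 6), date(2005, 5, 20)))
```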

A process must exist for business owners to review the user access lists, as well as who monitors day-to-day administration of controls and how often controls are reviewed (Cooke). Business owners are in the best position to determine if access to the system or an application is needed to perform an employee’s task (Adint). Restricting employee access to certain fields and windows of the ERP system prevents inappropriate changes in the data. For example, an accounts payable clerk should not be given access to the purchase order module, since access to this module is not required to perform his job. The company should also have a review process in place to identify when people have changed positions or left the company and no longer need access to the system. In order to remove the task from IT, business owners should be enabled to pull their own access report (Adint).

Data Processing and Data Issues

-

ERP systems are designed to automatic updates of data
throughout the system once

a transaction has been entered, so the
implementation of an ERP
system shifts the focus of an audit from substantive testing to a largely controls
-
based audit
.
Since a logical system is performing the updating and reporting, routine transactions can be
ch
ecked by the presence of proper controls.
If strong controls are in place, auditors can do little
substantive testing when performing an audit
, while
instead focusing on manual and non
-
routine
transactions
, and get reasonable assurance that the financial s
tatements are free of material
misstatements.

Since

ERP’s use on
-
line, real
-
time processing, information is updated simultaneously
. Every
transaction of every function is stored in one common database, and the various modules in an
ERP system automatically

create entries in the database for each other, thus creating
simultaneous updates to the system that are transparent to all users (Hahn). Traditional
“batch”
controls and audit trails are no longer available for the auditor
.

Data entry accuracy is maintai
ned
through the use of default values, cross
-
field checking and transaction balancing rather than
batch processing

(Hahn).

Because the information is updated, maintained and stored electronically, auditors need to understand how the modules interact with each other and with the database. The flow of information must also be understood: because of the high degree of automation in ERP systems, understanding the logical flow of the information produced helps ensure that the information is correct.

With a single database, data entry becomes more important, because an erroneous piece of information will permeate the entire company's records (Brady 120). ERP systems shift the burden of correctness to front-line workers, while the higher-level processes of data transfer and report creation are performed automatically. Auditors must therefore spend more time with lower-level employees to determine whether those entering the data understand what they are doing, and especially what to do if a problem arises or a mistake is made. In non-integrated information systems, an error in data input is less harmful than in an ERP, because the error will not spread to the records of other departments and can be caught when auditors compare records. With ERP systems, however, there is no way to discover a mistake by checking it against another system, since everything relies on the common database.

Employee Training

ERP systems require extensive training to use. Auditors of ERP systems need to assess the business environment and how it communicates to users of the ERP the proper uses and processes of the system (Arlinghaus). Training manuals and documents should be reviewed, as well as training course outlines. The training should be designed for the end user's job and should stress to employees how the data they control affects the entire business operation. If proficiency tests are in place, the auditor should examine the difficulty of the questions (Brady 120-121). Continual training, especially in the use of new modules and functions, should also be examined.

Auditors should also examine how the client's management deals with the changes that ERP systems bring to the business. A company's managers and employees will often resist ERP systems, because they require changing the way jobs have been performed in the past. Typical ERP training costs between $10,000 and $20,000 per employee (Brady 32). Because of the high price and the lack of immediate results, many companies do not properly train employees on how to use the ERP system.

Adint, Laura. Packaged Software Control Objectives (Feb. 4, 2002). [www.auditnet.org/docs/PackagedSoftwareControlObjectives.doc] Accessed May 12, 2005.

All About ERP: ERP Software Solutions (2003). [1] Accessed May 16, 2005.

Arlinghaus, Barry. "Internal Audit's Role in the Implementation of Enterprise and Other Major Systems." Internal Auditing, Nov/Dec 2002: pp. 32-39.

Brady, Joseph, Ellen Monk, and Bret Wagner. Concepts in Enterprise Resource Planning. Boston: Thomson Learning, 2001.

Cooke, Michael. Application Audits (2004). [www.auditnet.org/articles/200404%20Cooke%20Application%20Audits.htm] Accessed May 15, 2005.

Finnigan, Pete. Introduction to Simple Oracle Auditing (2003). [www.securityfocus.com/infocus/1689] Accessed May 15, 2005.

Hahn, Jennifer. ERP Systems: Audit and Control Risks (April 26, 1999). [www.auditnet.org/docs/erprisks.pdf] Accessed May 12, 2005.

Internal Audit Process: How It Works (2005). [www.auditnet.org/process.htm] Accessed May 15, 2005.

Moulton, Phil. Audit Risk in a SAP R/3 Environment. [www.auditnet.org/SAP/Auditing%20in%20a%20SAP%20Environment.pdf] Accessed May 15, 2005.

Parth, Frank R. and Joy Gumz. Getting Your ERP Implementation Back on Track (2003). [2] Accessed May 15, 2005.

Tibben-Lembke, Ron. ERP History and Overview (April 9, 2002). [www.coba.unr.edu/faculty/rontl/701/15tn-APICS-ERP.ppt] Accessed May 15, 2005.

Wynne, Diane. Application Controls within Oracle (2001). [3] Accessed May 12, 2005.


Systems Applications Products audit

What is SAP's relationship to ERPs?

Enterprise resource planning systems are designed to help with the accounting function and with control over other aspects of a company's business, such as sales, delivery, production, human resources and inventory management. At the time of writing, three main ERPs were used in larger businesses: SAP, Oracle and PeopleSoft (PeopleSoft has since been acquired by Oracle). Despite the benefits of ERPs, there are also many potential pitfalls that companies who adopt them occasionally fall into.

What is SAP?

SAP is the acronym for Systems, Applications, Products in Data Processing (from the German "Systeme, Anwendungen und Produkte in der Datenverarbeitung"). It is an integrated business application suite, originally delivered on mainframes and later as a client-server system, that provides users with soft real-time processing. It contains its own user interface and is extremely flexible.

What is the history of SAP?

SAP was originally introduced as SAP R/2, a mainframe system of the late 1970s and 1980s that provided users with a soft-real-time business application that could be used with multiple currencies and languages. Later, when client-server architectures were introduced, SAP brought out a client-server version of its software called SAP R/3, henceforth referred to as SAP, which was launched in 1992. SAP also developed a graphical user interface (GUI) to make the product more user friendly and to move away from the mainframe-style user interface. For the next ten years SAP dominated the large business applications market. It was successful primarily because it was extremely flexible: SAP was a modular system, meaning that the various functions it provided could be purchased piecemeal, which made it an extremely versatile system. All a company needed to do was purchase the modules it wanted and customize the processes to match its business model. SAP's flexibility, while one of its greatest strengths, is also one of its greatest weaknesses. We now turn to the audit issues surrounding SAP.

What are the two main issues in a SAP audit?

There are two main areas of concern in an SAP audit: security and data integrity. We discuss these issues from implementation through to production, to show how this evolution must be monitored closely; otherwise all other efforts to ensure the accuracy of the data provided by the system will be moot.

Security

Security is the first and foremost concern in any SAP audit. Making sure that there is proper segregation of duties and access control is paramount to establishing the integrity of the controls for the system. When a company first receives SAP it is almost devoid of tailored security measures; the standard administrative accounts it ships with (such as SAP* and DDIC) have well-known default passwords and must be secured before anything else. When implementing SAP, a company must go through an extensive process of outlining its business processes and then building its system security from the ground up to ensure proper segregation of duties and proper access. Proper profile design and the avoidance of redundant user IDs and superuser access are important in all phases of operation. Along with this comes the importance of restricting physical access to terminals, servers and the data center to prevent tampering. Because each company will have different modules, each company's security structure will be distinctly different.

Security starts at the beginning, with the proper design and implementation of security and access measures for employees. For new employees it is important that their access is set up properly and that any future access granted has proper approval. After the system has been implemented, control over system changes and the approval process required for them is vital to ensure the continued security and functionality of the system. Without proper security measures in place from start to finish there will be a material weakness in the controls of the system, and with it an elevated risk of fraud.

Through security you are able to monitor who has access to which data and processes, and ensure that there is sufficient segregation of duties to prevent someone from perpetrating fraud. One of the major advantages of SAP is that it can be programmed to perform various audit functions for you. One of the most important is reviewing user access and using the system to cross-check it against an access matrix, to ensure that proper segregation is in place so that, for example, a person with payment-request access does not also have access to create a vendor.
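The cross-check against an access matrix described above is, in essence: expand each user's roles into the actions they grant, then test every pair of actions against a list of forbidden combinations. The following added example, which is not code from the page or from SAP, does exactly that and reports which roles introduce each conflict so the reviewer knows what to remove. The role names, action names and the conflict pairs are constructed assumptions standing in for a company's own access matrix; the vendor-create versus payment-request pair is the one the text names.

```python
"""Segregation-of-duties check: expand each user's roles into the actions
they grant and test every pair against a conflict matrix. Added example
with constructed data; roles, actions and conflict pairs are assumptions."""
from itertools import combinations

# Conflict matrix: pairs of capabilities one person must not hold together.
SOD_MATRIX = {
    frozenset({"create_vendor", "request_payment"}),
    frozenset({"create_vendor", "post_invoice"}),
    frozenset({"create_po", "approve_po"}),
}

# Which actions each role grants (assumed; in SAP this would be derived from
# the authorization objects behind each role).
ROLE_TO_ACTIONS = {
    "AP_CLERK": {"post_invoice"},
    "AP_PAYMENTS": {"request_payment"},
    "VENDOR_MAINT": {"create_vendor"},
    "BUYER": {"create_po"},
    "PURCHASING_MGR": {"approve_po"},
}

# Constructed user-to-role assignments.
USER_ROLES = {
    "alice": {"AP_CLERK", "AP_PAYMENTS"},   # allowed by this matrix
    "bob": {"VENDOR_MAINT", "AP_PAYMENTS"},  # can create a vendor and pay it
    "carol": {"BUYER", "PURCHASING_MGR"},    # can raise and approve own POs
    "dave": {"BUYER"},
}


def effective_actions(roles, role_to_actions):
    """Map each action a user can perform to the set of roles granting it."""
    actions = {}
    for role in roles:
        for action in role_to_actions.get(role, ()):
            actions.setdefault(action, set()).add(role)
    return actions


def sod_violations(user_roles, role_to_actions, matrix):
    """Return {user: [(action_a, action_b, granting_roles), ...]} for every
    user who holds a conflicting pair of actions."""
    report = {}
    for user, roles in sorted(user_roles.items()):
        granted = effective_actions(roles, role_to_actions)
        hits = []
        for a, b in combinations(sorted(granted), 2):
            if frozenset({a, b}) in matrix:
                hits.append((a, b, sorted(granted[a] | granted[b])))
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in sod_violations(USER_ROLES, ROLE_TO_ACTIONS, SOD_MATRIX).items():
        for a, b, via in hits:
            print(f"{user}: {a} + {b} via roles {', '.join(via)}")
```

Conflicts are evaluated on the union of all roles a user holds, because a pair of individually harmless roles is exactly how a segregation breach usually arises.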

After ensuring that security is set up to enforce proper segregation of duties, the next area of concern is system changes. All companies should have three different systems: a development system, a test system and a production system. All changes to production must go through an approval process and be tested to ensure that they will function properly when introduced into the production system. The security around who can authorize a change and who can move that change into production is paramount to ensuring the security and integrity of the system. Review of this process and of the people involved in it is a key part of the audit.

The goal of auditing the access, steps and procedures for system updates is to ensure proper controls over change management and to ensure that proper testing and authorization procedures are being followed. All of these measures also affect the second major area of concern, data integrity.
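The change-management rules in the two paragraphs above (tested in the test system, approved by someone other than the developer, and approved before the move to production) can be checked mechanically over a list of transports. The following added example, which is not code from the page or from SAP's transport system, does that over constructed transport records; the field names, the "TST" system identifier and the request numbers are assumptions.

```python
"""Change-management gate for a dev -> test -> production landscape: a change
may reach production only if it was tested in the test system, approved by
someone other than its developer, and approved before it was imported.
Added example over constructed records; field names are assumptions."""
from datetime import datetime

# Constructed transport records (the IDs only imitate the shape of a request number).
TRANSPORTS = [
    {"id": "DEVK900101", "developer": "dev1", "tested_in": "TST", "test_ok": True,
     "approver": "chg_mgr", "approved_at": "2005-05-10T09:00", "imported_at": "2005-05-11T08:00"},
    {"id": "DEVK900102", "developer": "dev2", "tested_in": "TST", "test_ok": True,
     "approver": "dev2", "approved_at": "2005-05-10T09:00", "imported_at": "2005-05-10T10:00"},
    {"id": "DEVK900103", "developer": "dev1", "tested_in": None, "test_ok": False,
     "approver": "chg_mgr", "approved_at": "2005-05-12T09:00", "imported_at": "2005-05-12T10:00"},
    {"id": "DEVK900104", "developer": "dev3", "tested_in": "TST", "test_ok": True,
     "approver": "chg_mgr", "approved_at": "2005-05-14T09:00", "imported_at": "2005-05-13T10:00"},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def check_transport(t):
    """Return the list of control failures for one production import."""
    failures = []
    # Evidence of a successful run in the test system, not just development.
    if t.get("tested_in") != "TST" or not t.get("test_ok"):
        failures.append("no successful test-system run recorded")
    # Four-eyes: the person approving must not be the person who built it.
    if not t.get("approver"):
        failures.append("no approval recorded")
    elif t["approver"] == t["developer"]:
        failures.append("developer approved own change")
    # Ordering: approval must precede the import, or it is a rubber stamp.
    approved, imported = _ts(t.get("approved_at")), _ts(t.get("imported_at"))
    if approved and imported and approved > imported:
        failures.append("imported to production before approval")
    return failures


def audit_transports(transports):
    """Map transport id -> failures, omitting transports that pass."""
    return {t["id"]: f for t in transports if (f := check_transport(t))}


if __name__ == "__main__":
    for tid, failures in audit_transports(TRANSPORTS).items():
        print(tid, "->", "; ".join(failures))
```

In a real landscape the import timestamp comes from the production system's own transport log, not from the developer's request, so that it cannot be edited by the party being checked.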

Data Integrity

Because SAP integrates data from legacy systems, it is extremely important that the mapping of the interfaces between the legacy systems and SAP is thorough and complete. Without that, any data received from SAP would be suspect. It is also important that proper backups of the database be maintained, along with an up-to-date and practiced disaster recovery plan, to ensure continuity after a disaster. A thorough review of these plans, along with the mapping of system interfaces, is important in this phase of the audit. Also, because all SAP data is stored in inter-related tables, users with sufficient authorization can change those tables directly, so it is extremely important that output be verified for accuracy. SAP provides some basic audit programs to assist with the review of data to ensure that it is being processed properly. It is also customizable, so a user can create a program to audit a specific function.

The monitoring of change management, that is, the moving of updates to the system from the development stage, is one of the key elements of this concern. The review and testing procedures for programs being transported to production need to be painstakingly reviewed to ensure that they will function properly and not adversely affect another area of the system. If anything is missed, a processing error or a system crash could result. Because of this, review of the testing-and-transport process into production needs to be a high priority.

Controls around the system need to be reviewed, especially around the accounts payable and accounts receivable sub-ledgers. Auditors must perform or review reconciliations between SAP and external information, such as bank reconciliations and A/P statement reconciliations. They must also review cost center and responsibility accounting, management review and budgetary control, and the route of authorization for non-routine transactions.
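A bank reconciliation of the kind just mentioned compares what the ERP's bank clearing account says was paid or received with what the bank statement shows, and then explains every item left on either side. The following added example, which is not code from the page or from SAP, runs that comparison in two passes (exact reference and amount, then same amount within a timing window) over constructed ledger and statement lines; the record layout and the five-day window are assumptions.

```python
"""Reconciling the ERP bank sub-ledger against the bank statement: match by
reference and amount, then by amount within a timing window, and report
what is left on each side. Added example on constructed sample data;
record layout and tolerance window are assumptions."""
from datetime import date
from decimal import Decimal

# Constructed postings in the ERP bank clearing account.
LEDGER = [
    {"doc": "1500001", "date": date(2005, 5, 2), "amount": Decimal("-1200.00"), "ref": "CHK1001"},
    {"doc": "1500002", "date": date(2005, 5, 3), "amount": Decimal("-350.50"), "ref": "CHK1002"},
    {"doc": "1500003", "date": date(2005, 5, 5), "amount": Decimal("5000.00"), "ref": ""},
    {"doc": "1500004", "date": date(2005, 5, 6), "amount": Decimal("-80.00"), "ref": "CHK1004"},
]
# Constructed lines from the bank statement.
STATEMENT = [
    {"line": 1, "date": date(2005, 5, 3), "amount": Decimal("-1200.00"), "ref": "CHK1001"},
    {"line": 2, "date": date(2005, 5, 4), "amount": Decimal("-350.50"), "ref": "CHK1002"},
    {"line": 3, "date": date(2005, 5, 8), "amount": Decimal("5000.00"), "ref": "WIRE7788"},
    {"line": 4, "date": date(2005, 5, 9), "amount": Decimal("-25.00"), "ref": "FEE"},
]


def reconcile(ledger, statement, window_days=5):
    """Return matched pairs plus the unexplained items on each side."""
    matched, open_ledger, open_bank = [], list(ledger), list(statement)

    # Pass 1: exact reference and amount (cheque numbers, wire references).
    for l in list(open_ledger):
        for b in open_bank:
            if l["ref"] and l["ref"] == b["ref"] and l["amount"] == b["amount"]:
                matched.append((l["doc"], b["line"], "ref+amount"))
                open_ledger.remove(l)
                open_bank.remove(b)
                break

    # Pass 2: same amount within the timing window (deposits in transit,
    # references the bank rewrote). Each item is used at most once.
    for l in list(open_ledger):
        for b in open_bank:
            if l["amount"] == b["amount"] and abs((b["date"] - l["date"]).days) <= window_days:
                matched.append((l["doc"], b["line"], "amount+date"))
                open_ledger.remove(l)
                open_bank.remove(b)
                break

    return {
        "matched": matched,
        # e.g. cheques issued but not yet presented
        "outstanding_ledger": [l["doc"] for l in open_ledger],
        # e.g. bank charges or interest never booked in the ERP
        "unrecorded_bank": [b["line"] for b in open_bank],
        "net_difference": sum((l["amount"] for l in open_ledger), Decimal(0))
                          - sum((b["amount"] for b in open_bank), Decimal(0)),
    }


if __name__ == "__main__":
    result = reconcile(LEDGER, STATEMENT)
    for doc, line, how in result["matched"]:
        print(f"ledger {doc} <-> statement line {line} ({how})")
    print("outstanding in ledger:", result["outstanding_ledger"])
    print("on statement only:", result["unrecorded_bank"])
    print("net difference:", result["net_difference"])
```

The two open lists are the audit finding: every outstanding ledger item needs evidence it later cleared, and every bank-only item needs a posting in the ERP, before the reconciliation can be signed off.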

The audit review should include a review of the validation of data input in certain transactions, the design of ABAP programs and their authority checks, and the matching of documents prior to closing. With regard to master file control, there must be an independent review of master file changes and of the creation of transactional responsibilities, to identify any redundant master files.

When it comes to data integrity, the primary concerns are the integration of data from the legacy systems, and then ensuring that data input into the system for processing has been properly approved and is accompanied by the proper documentation. By reviewing these aspects of processing, from implementation through to production, you can gain reasonable confidence that the controls surrounding the data are sufficient and that the data is likely free of material error. The built-in audit functions greatly assist with this process, and the ability to create your own audit programs lets you tailor the work to the company you are auditing.

The two major control risks that need to be monitored with SAP are security and data integrity. To ensure that both are sufficient, both must be properly outlined and developed during implementation. User profiles must be designed properly, and access must be sufficiently segregated to minimize the chance of fraud. Using the SAP audit functions to cross-check user access against the matrix of allowable access is the quickest and easiest way to ensure that duties and access are properly segregated. New users must be entered and departed users removed promptly, and any superuser access must be avoided and monitored. Review of the access to upload and transport changes to production, and of the associated authorization process, is important from both a security and a data integrity point of view. To further ensure data integrity, proper documentation must be reviewed, along with confirmation of any external data available, either through a legacy system or through a third party. This is extremely important with regard to certain sensitive accounts such as A/P. Review of the controls around budgets and management review, of the authorization for non-routine transactions, and of physical access is imperative to ensuring the accuracy of the data input to and output from the system. The use and development of tools within SAP will help accelerate this process and help ensure that it is accurate. These are the two most vital parts of any SAP audit, and a successful review of them should allow you to determine the adequacy of the controls around the SAP system and access to it, and whether there are any material deficiencies in the system's controls.

Retrieved from "http://en.wikipedia.org/wiki/Systems_Applications_Products_audit"



Perry, William E. "Auditing the Data Center: An Introduction," in EDP Auditing. Pennsauken, NJ: Auerbach Publishers, Inc., 1985.