International Seminar on IT in Audit

CHINA: Hong Kong Special Administrative Region Paper

Sub-theme 4: Audit in a network environment

Author: Mr. Maurice CHUN, Auditor
Audit Commission
26th Floor, Immigration Tower
Gloucester Road, Wanchai
HONG KONG

June 2001

e-mail: Maurice_kp_chun@aud.gov.hk
http://www.info.gov.hk/aud






Contents (paragraph numbers)

PREAMBLE  1
MEANING OF A “NETWORK ENVIRONMENT”  2-3
GENERAL AUDIT RISKS IN A NETWORK ENVIRONMENT  4
  Legal validity of electronic transactions  5
  Authenticity of electronic evidence  6
  Risks in a network environment  7-8
ISSUE 1: DIFFERENCES AND SIMILARITIES BETWEEN THE COLLECTION AND TESTING OF DATA IN A NETWORK ENVIRONMENT AND THAT IN AN INDIVIDUAL SYSTEM ENVIRONMENT  9
ISSUE 2: ISSUES THAT SHOULD BE GIVEN SPECIAL ATTENTION IN IT AUDIT UNDER A NETWORK ENVIRONMENT  10
  Legal aspects  11
  Controls to ensure the reliability of electronic records as audit evidence  12-13
ISSUE 3: THE MAIN CONTENTS OF THE AUDIT OF E-BUSINESS  14-15
  Background of the ESD Scheme  16
  Early involvement of audit to understand e-business  17
  Understanding how e-business may be supported by third parties  18
  Use of expert  19
  Scope of audit  20
  Audit implications  21
ISSUE 4: HOW DO AUDITORS MAKE USE OF NETWORKS IN THE CONDUCT OF AUDIT  22
CONCLUSION  23





PREAMBLE



1. The purpose of this paper is to give a brief outline of the audit in a network environment in the context of the Audit Commission of the Hong Kong Special Administrative Region (HKSAR). It will cover the following four issues (Note 1):

ISSUE 1: What are the differences and similarities between the collection and testing of data in a network environment and that in an individual system environment (paragraphs 8 to 9 below)

ISSUE 2: What issues should be given special attention in IT audit under a network environment (paragraphs 10 to 13 below)

ISSUE 3: What are the main contents of the audit of e-business (paragraphs 14 to 21 below)

ISSUE 4: How do auditors make use of networks (Internet, WAN, LAN) in the conduct of audit (paragraph 22 below)

In discussing the above issues, reference is made to the audit implications of the Electronic Service Delivery (ESD) Scheme for the Audit Commission of the HKSAR.


MEANING OF A “NETWORK ENVIRONMENT”


2. A network normally has three key elements: media, devices, and protocols. The transmission media refer to various wires, optical fibre cables and microwave links. The media provide pathways over which data are transmitted. Devices provide a means for inputting and outputting data over the transmission media. These devices may be modems, gateways and microcomputers. Protocols provide the common set of rules for managing the network pathways and the data traffic. They are implemented by the software programs that tie the overall network together and make it a functioning entity.

Note 1: See Sub-theme IV of the Guide on Preparation of Papers issued by the CNAO.

3. Today, data communications and transactions over networks and through computers are common features for both business and government. For example, business and government operations frequently involve interaction with a remote computer through a wide area network (WAN), a local area network (LAN) or the Internet. The Internet refers to the world-wide network of computer networks. Its inter-operability enables a computer connected to the Internet to communicate with any other computer connected to the Internet. Once connected, these computers can operate in a “network environment”.


GENERAL AUDIT RISKS IN A NETWORK ENVIRONMENT

4. Before discussing the four issues, it should be pointed out that conducting electronic business (e-business) in a network environment, and particularly through the Internet, raises special concerns for management and auditors, i.e. the legal validity of electronic transactions, the authenticity of electronic evidence, and the risks in a network environment.

Legal validity of electronic transactions

5. The traditional legal framework for transacting business is based on the use of paper documents and physical signatures. E-business is conducted electronically, often in so-called “paperless systems”. This introduces the problem as to whether an electronic transaction is legally valid. An electronic transaction may be irregular if it does not comply with the relevant legislation (e.g. in the HKSAR, the Electronic Transactions Ordinance). Auditors need to address the legal issue in their examination of the regularity of electronic transactions.

Authenticity of electronic evidence

6. Paper documents are inherently more reliable because alterations are generally apparent or may be uncovered by forensic analysis. By comparison, electronic documents in their uncontrolled state are highly vulnerable to forgery and unauthorised change. Questionable authenticity is therefore the most significant problem associated with electronic evidence. Auditors can rely on electronic evidence as a source of audit evidence only if management is able to demonstrate that the electronic evidence is authentic, i.e. the evidence tendered is exactly what it purports to be. Managers and their auditors need to be aware of the risks that threaten the authenticity of electronic evidence.









Risks in a network environment

7. Examples of risks which may threaten the authenticity of electronic evidence which has passed through a network environment include:

(a) Threats to accountability

In a manual system, a person has to be physically present to handle a paper document. It is not the same in a networked computer system. In a network environment, an electronic document may be created, accessed, read, amended, deleted or replaced from anywhere at any time, and the true identity of the person responsible may not be known.

(b) Ease of amendment

Computer software and data are stored and transmitted in an intangible form. Unless integrity controls such as logging, digital signatures or before-and-after images are in place, they can be amended without leaving any trace.

(c) Ease of duplication

Computer files can be easily copied and made indistinguishable from the original. It is particularly important to prevent and to detect the duplication of electronic records which have financial value (e.g. records of money transfers).

(d) Invisible processing

In a network environment, several computer applications may be integrated with each other and the computer system works in a real-time on-line mode. The auditor may not be able to observe and inspect the transaction records at different stages of processing.

(e) Reliance on third party service providers

Owners of traditional information systems either implement the security requirements in-house, or enter into a contractual relationship with third party service providers mandating the service providers to meet the agreed security requirements. In an open network environment, the information system owner may not even know all the third party service providers involved in the transaction processes.

(f) Business continuity

If an organisation relies too much on its networked computer systems, they become key points of potential business failure. Any system malfunction, equipment breakdown or external attack on the network can cause a breakdown in business operations and control.

(g) Internet risks

When an entity uses a private network for e-business, transactions are transmitted between trading partners through a value added network with access only to the network’s trading partners. In contrast, if e-business is transacted over the Internet, which is a public network, the information being transmitted is vulnerable to being intercepted, altered, lost, diverted or replaced. Due to the open nature of the Internet, an organisation’s network that is connected to the Internet is also vulnerable to unauthorised access, computer viruses and denial-of-service attacks. These vulnerabilities put the authenticity of audit evidence at risk.


8. Management and auditors need to be aware of the risks in a network environment and ensure that adequate controls are implemented to manage the risks. From the audit point of view, some of the above risks:

- have implications for the collection and testing of data in a network environment (i.e. ISSUE 1);

- raise issues that should be given special attention in IT audit (i.e. ISSUE 2);

- affect the main contents of the audit of e-business (i.e. ISSUE 3); and

- change the ways auditors make use of networks in the conduct of audit (i.e. ISSUE 4).

These issues are discussed in greater detail below.





ISSUE 1

DIFFERENCES AND SIMILARITIES BETWEEN THE COLLECTION AND TESTING OF DATA IN A NETWORK ENVIRONMENT AND THAT IN AN INDIVIDUAL SYSTEM ENVIRONMENT

Similarities (collection of data)

Objective
  Individual system environment: Audit software can be used to assist the auditor in retrieving data for testing purposes.
  Network environment: Audit software can be used to assist the auditor in retrieving data for testing purposes.

Differences (collection of data)

Connectivity
  Individual system environment: Data are entered into, stored in, and retrieved from a single system.
  Network environment: Data can be entered into, stored in, and retrieved from shared databases throughout the network. Using an auditor’s workstation on the network system, auditors can monitor the flow of transactions across the network.

Accessibility
  Individual system environment: Old-style audit software requires reformatting records from the database for further processing.
  Network environment: With the use of modern Structured Query Language (SQL), there is no need to reformat the database records into a flat file format. Queries can be run to access the database directly.

Currency of data
  Individual system environment: Data collected can be outdated due to the need to generate a flat file at a given point in time.
  Network environment: Real-time data are collected as the query is run to access the database in an on-line real-time mode.

Efficiency of data retrieval
  Individual system environment: Old-style audit software is often cumbersome to develop and modify to meet the auditor’s needs.
  Network environment: With the use of ad hoc queries, the auditor can select data from the database interactively. SQL programs can be changed easily to meet the requirements of the auditor.

Similarities (testing of data)

Objective
  Individual system environment: The auditor’s objective is to ensure that the data retrieved are reliable.
  Network environment: The auditor’s objective is to ensure that the data retrieved are reliable.

Differences (testing of data)

Availability of paper-based source documents
  Individual system environment: The collected data can be verified against source documents such as payment vouchers.
  Network environment: In paperless systems, the authenticity of the collected data may need to be established by means of the digital signature and other access controls.

Audit approach
  Individual system environment: Data are likely to be tested by direct substantive testing. The computer system is treated as if it is a “black box”.
  Network environment: More reliance is placed on the adequacy of information system controls to ensure that data stored in a network environment for testing are safeguarded. With the use of ad hoc queries, it is easier to conduct analytical reviews to test the reasonableness of data. It is easier to use simulation and other interactive test techniques to verify the completeness and accuracy of data. There is a need to test the consistency of data and programs across the network. As the auditor may use the computer system itself for storing his audit work, he needs to exercise care to protect such work against unauthorised access. By monitoring centralised controls used by management in the network environment, auditors are in a better position to assess the adequacy of the overall information system controls than in an individual system environment.

Auditor’s skills
  Individual system environment: IT skills required of the auditor are simple.
  Network environment: IT skills required of the auditor are more extensive. They need to be IT knowledgeable and be familiar with the network environment.


9. It can be seen from the above table that the objectives of collection and testing of data are the same in both individual system and network environments. However, there are differences in the audit approach, and new threats and opportunities have arisen of which auditors should be aware.
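The SQL-based approach described in the Accessibility, Efficiency and Audit approach rows of the table above, as an added example that is not part of the original paper: ad hoc queries run directly against the database (no flat-file extract), used for an analytical review of payment records and for the consistency test across network nodes that the table calls for. The table names, column names and sample rows are all constructed for this example, and Python’s built-in sqlite3 module stands in for the auditee’s database server.

```python
"""Ad hoc SQL analytical review run directly against the database, without
first extracting the records into a flat file."""
import sqlite3

# Constructed sample data (not taken from the paper): payment vouchers as they
# might sit in a shared database on one network node (node_a) and in the copy
# held by a second node (node_b), which should be identical.
NODE_A = [
    # (ref, payee, amount, approved_by, posted_by)
    ("PV-001", "ACME Ltd",      12000.00, "alice", "bob"),
    ("PV-002", "Beta Supplies",   850.50, "carol", "bob"),
    ("PV-003", "ACME Ltd",      12000.00, "alice", "bob"),   # same payee/amount as PV-001
    ("PV-004", "Gamma Works",   99000.00, "dave",  "dave"),  # approver also posted it
    ("PV-005", "Delta Co",        430.00, "carol", "erin"),
]
NODE_B = NODE_A[:3] + [
    ("PV-004", "Gamma Works", 9900.00, "dave", "dave"),      # amount differs from node_a
    # PV-005 never reached node_b
]

TABLES = ("node_a", "node_b")   # fixed identifiers; never interpolate user input into SQL

def _table(name):
    """Guard the one place a table name is spliced into SQL text."""
    if name not in TABLES:
        raise ValueError(f"unknown table {name!r}")
    return name

def load(node_a=NODE_A, node_b=NODE_B):
    """Build an in-memory database holding both nodes' payment tables."""
    conn = sqlite3.connect(":memory:")
    for name, rows in (("node_a", node_a), ("node_b", node_b)):
        conn.execute(f"CREATE TABLE {_table(name)} (ref TEXT PRIMARY KEY, payee TEXT, "
                     "amount REAL, approved_by TEXT, posted_by TEXT)")
        conn.executemany(f"INSERT INTO {_table(name)} VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn

def possible_duplicates(conn, table="node_a"):
    """Reasonableness test: the same payee paid the same amount more than once."""
    return conn.execute(f"""
        SELECT payee, amount, COUNT(*), GROUP_CONCAT(ref, ',')
        FROM {_table(table)}
        GROUP BY payee, amount HAVING COUNT(*) > 1
        ORDER BY payee""").fetchall()

def segregation_breaches(conn, table="node_a"):
    """Control test: the approver of a payment must not also have posted it."""
    rows = conn.execute(
        f"SELECT ref FROM {_table(table)} WHERE approved_by = posted_by ORDER BY ref")
    return [ref for (ref,) in rows]

def large_payments(conn, factor=3.0, table="node_a"):
    """Analytical review: payments more than `factor` times the average amount."""
    rows = conn.execute(f"""
        SELECT ref FROM {_table(table)}
        WHERE amount > ? * (SELECT AVG(amount) FROM {_table(table)})
        ORDER BY ref""", (factor,))
    return [ref for (ref,) in rows]

def cross_node_differences(conn):
    """Consistency test across the network: records that differ between the two
    nodes' copies, or that exist on node_a but are missing on node_b (amount None)."""
    return conn.execute("""
        SELECT a.ref, a.amount, b.amount
        FROM node_a a LEFT JOIN node_b b ON a.ref = b.ref
        WHERE b.ref IS NULL OR a.amount <> b.amount
        ORDER BY a.ref""").fetchall()

if __name__ == "__main__":
    db = load()
    print("possible duplicates :", possible_duplicates(db))
    print("approver = poster   :", segregation_breaches(db))
    print("unusually large     :", large_payments(db))
    print("node_a vs node_b    :", cross_node_differences(db))
```

Each query is a few lines and can be changed on the spot as the review develops, which is the efficiency point the table makes; the same queries would run unchanged against a live server through a read-only account, which is how the currency-of-data advantage is obtained in practice. Table names are the only identifiers spliced into the SQL text, and they are checked against a fixed list, since an auditor’s query tool connected to a production database is itself a target for injection.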


ISSUE 2

ISSUES THAT SHOULD BE GIVEN SPECIAL ATTENTION IN IT AUDIT UNDER A NETWORK ENVIRONMENT

10. Given the new risks introduced in a network environment, the following issues call for auditors’ special attention in IT audit under a network environment:

- the legal issues; and

- controls to ensure the reliability of electronic evidence as audit evidence.

Legal aspects

11. Where applicable, the auditor needs to consider whether an electronic transaction complies with legislation. For example, in the HKSAR the auditor needs to satisfy himself that the Electronic Transactions Ordinance and its subsidiary legislation on the format, manner and procedure for making e-submissions to the Government under law have been complied with before he can accept the electronic transaction record as audit evidence. The enactment of the Electronic Transactions Ordinance in early 2000 in the HKSAR aims to establish a legal basis for electronic records and digital signatures. Specifically, the auditor needs to ascertain the validity of the digital certificates which support the digital signatures appended to the transaction record (that the certificate was issued by a recognised certification authority, was within its validity period and had not been revoked at the time of signing). In some applications, where the use of digital signatures by citizens is not required, the auditor has to carefully assess the audit risk. The auditor also needs to ensure accessibility of electronic records for future checking or reference. This may include seeking expert advice as to whether the electronic records can (or have already) become inaccessible due to technical obsolescence or loss of encryption keys.

Controls to ensure the reliability of electronic records as audit evidence

12. As mentioned in paragraph 6 above, electronic records in an uncontrolled state are highly vulnerable to forgery and unauthorised change. Auditors therefore need to ensure that there is an adequate system of controls designed to ensure that electronic evidence is valid, complete and accurate, and that the controls work correctly and consistently in practice. Auditors would expect management to be able to demonstrate that it has implemented sound records management and information security in order for auditors to meet existing audit objectives. The minimum standard with which management should be able to demonstrate compliance needs to be set out in specific standards (e.g. following the guidelines in British Standard 7799 on Information Security Management). Such standards may provide normative guidelines on best practice in the following areas:

- Classifying and controlling information system assets

- Personnel security

- Physical and environmental security

- Communications and operations management

- Access control

- Systems development and maintenance

- Business continuity management

- Monitoring compliance with security policy and procedures.


13. Examples of controls that auditors may reasonably expect management to implement are as follows:

RISK: Threats to accountability
Key control measure: Electronic signatures attached to e-transactions; and user authentication and transaction logging.

RISK: Ease of amendment
Key control measure: Enforcement of access rules; keeping before and after images of records; and encryption and digital signatures. (Logical access controls have become more important since the increased use of networks has blurred the boundaries of computer sites to be physically protected.)

RISK: Ease of duplication
Key control measure: Assignment of unique reference numbers; and accumulation of control totals at different processing stages for automated checking.

RISK: Invisible processing
Key control measure: Audit trail; encryption techniques to create a virtual private channel across the untrusted network; and periodical transaction reconciliation.

RISK: Reliance on third party service providers
Key control measure: Use of encryption and digital signatures; and service level agreements incorporating security and audit requirements.

RISK: Business continuity
Key control measure: Resilient system design; and business continuity planning and recovery drills.

RISK: Internet risks
Key control measure: Firewalls and intrusion detection systems; and IT security policy and security auditing.
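As an added example that is not part of the original paper, the following code automates three of the control tests in the table above over constructed money-transfer records: an integrity tag that exposes amendment (paragraph 7(b)), unique reference numbers that expose duplication (7(c)), and control totals reconciled between two processing stages (7(d), periodical transaction reconciliation). Because it relies only on the Python standard library, an HMAC-SHA256 tag under a key held by the originating system stands in for the digital signature that a real system would carry; the detection logic is the same, but an HMAC gives no non-repudiation, since the verifier holds the same key. The record layout, the key and the field names are assumptions made for the example.

```python
"""Automated checks for three controls over electronic records: a tag that
detects amendment, unique reference numbers that expose duplication, and
control totals reconciled between processing stages."""
import hashlib
import hmac
import json

# Assumption: the originating system tags every record with HMAC-SHA256 under a
# key only it and the verifier hold. This stands in for a digital signature,
# which a production system would use instead (a signature gives
# non-repudiation; an HMAC does not, because the verifier could also produce it).
ORIGINATOR_KEY = b"constructed-demo-key-not-for-production"

def canonical(record):
    """Stable byte encoding so that identical content always tags identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def tag(record, key=ORIGINATOR_KEY):
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record, mac, key=ORIGINATOR_KEY):
    """Constant-time comparison, so that a forger learns nothing from timing."""
    return hmac.compare_digest(tag(record, key), mac)

def tag_all(records, key=ORIGINATOR_KEY):
    return [(r, tag(r, key)) for r in records]

# Constructed money-transfer records as captured at the input stage ...
INPUT_STAGE = tag_all([
    {"ref": "TR-1001", "payer": "A", "payee": "B", "amount": 500.00},
    {"ref": "TR-1002", "payer": "A", "payee": "C", "amount": 1250.00},
    {"ref": "TR-1003", "payer": "D", "payee": "B", "amount": 75.25},
])

# ... and as found at the posting stage after crossing the network: TR-1002 has
# had its amount changed without being re-tagged, and TR-1003 was posted twice.
POSTED_STAGE = [
    INPUT_STAGE[0],
    (dict(INPUT_STAGE[1][0], amount=12500.00), INPUT_STAGE[1][1]),
    INPUT_STAGE[2],
    (dict(INPUT_STAGE[2][0]), INPUT_STAGE[2][1]),
]

def amended_records(tagged, key=ORIGINATOR_KEY):
    """Ease of amendment: refs whose content no longer matches the tag they carry."""
    return [r["ref"] for r, mac in tagged if not verify(r, mac, key)]

def duplicated_refs(tagged):
    """Ease of duplication: unique reference numbers that occur more than once."""
    seen, dupes = set(), []
    for r, _ in tagged:
        if r["ref"] in seen and r["ref"] not in dupes:
            dupes.append(r["ref"])
        seen.add(r["ref"])
    return dupes

def control_totals(tagged):
    """Record count and hash total of amounts accumulated at a processing stage."""
    return len(tagged), round(sum(r["amount"] for r, _ in tagged), 2)

def reconcile(stage_a, stage_b):
    """Invisible processing: the two stages' control totals must agree; any
    difference means records were added, dropped or altered in between."""
    return control_totals(stage_a) == control_totals(stage_b)

if __name__ == "__main__":
    print("amended   :", amended_records(POSTED_STAGE))
    print("duplicated:", duplicated_refs(POSTED_STAGE))
    print("totals    :", control_totals(INPUT_STAGE), control_totals(POSTED_STAGE))
    print("reconciled:", reconcile(INPUT_STAGE, POSTED_STAGE))
```

The duplicate check only works because the duplicated copy carries the same reference number as the original; a copy that was also given a fresh reference would pass it, which is why the table pairs unique references with control totals at each stage, and why the count in the control total catches the extra record even when the hash total alone might not. Note also that the tag proves only that the content is unchanged since tagging; whether the tag itself was produced by the right party is the certificate-validity question of paragraph 11.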



ISSUE 3

THE MAIN CONTENT OF THE AUDIT OF E-BUSINESS

14. The way an entity uses its Website for e-business determines the nature of risks to be addressed in its security infrastructure. For example, if the entity’s Website is only used for the dissemination of information, security controls are likely to be less extensive than those where the Website is used for collecting transaction information from customers.

15. In addressing ISSUE 3, we would like to highlight some of the Hong Kong Audit Commission’s experience in auditing e-business in the Government of the HKSAR, with particular reference to the ESD Scheme (paragraphs 16 to 20 below).

Background of the ESD Scheme

16. In December 2000, the Government of the HKSAR launched the ESD Scheme as a key initiative under its Digital 21 Strategy. The scheme provides government services online to the community 24 hours a day and 7 days a week. Through the Internet and public kiosks, the public can now obtain over 70 services from the Government, ranging from Social Welfare Department information look-up and simple enquiries on the Employment Ordinance, to electronic filing of tax returns for individuals and applications for renewal of driver/vehicle licences.

Early involvement of audit to understand e-business

17. Knowing that the growth of e-business may have a significant impact on the Government’s traditional business environment, the Audit Commission started the review of the ESD system while it was still under development. By May 2000, we had conducted an audit impact assessment of the design of the ESD Scheme. In that study, we identified the potential audit risks and considered the impact of the scheme on the Government’s accounts. We also conducted a preliminary assessment of the design of the ESD system to ensure that the Government had taken adequate action to address the risks posed by the introduction of e-transactions.

Understanding how e-business may be supported by third parties

18. The ESD system comprises front-end and back-end components. The front-end system is owned and operated by an external service provider. According to the outsourcing agreement, the service provider is required to engage an auditor approved by the Government to conduct periodical IT security audits of the service provider’s security infrastructure.

Use of expert

19. To support our audit team in the review of the ESD system, the Audit Commission made use of IT experts and system engineers from a university in Hong Kong. Their knowledge of evolving technologies and processes has proved to be useful to us.

Scope of audit

20. The Audit Commission is developing action plans to audit ESD operations as part of our on-going and continuous effort to provide adequate audit coverage. Depending on the circumstances and the nature of the ESD applications, such audits are expected to cover:

(i) IT concerns related to e-business

- Understanding of e-business software and systems

- System reliability and integrity

- Unauthorised access to data and/or systems

- Security techniques

- Backup techniques and disaster recovery

(ii) Legal aspects

- Understanding of the legal and regulatory framework applicable to the government department’s e-business activities

- The legal enforceability of electronic contracts and signatures

- The global nature of e-business means that knowledge of cross-border issues in relation to the Government’s e-procurement activities may be important

(iii) Accounting matters

- Going concern considerations related to external service providers

- Concerns arising from accrual accounting in relation to government accounts

Audit implications

21. We note that the Government will further extend the ESD scheme and has set a target for providing an e-option (i.e. the option for the public to obtain the service on-line) for 90% of public services amenable to the electronic mode of service by the end of 2003. With the rapid development of e-government, we envisage that a point will eventually be reached where robust controls become the only means for providing auditors with confidence that auditees’ electronic records are suitable for audit use. This calls for an audit approach that is more reliant on controls and the evaluation of the controls, which we consider are the main contents of the auditing of e-business.



ISSUE 4

HOW DO AUDITORS MAKE USE OF NETWORKS IN THE CONDUCT OF AUDIT

22. Given the risks in a network environment which have been discussed in paragraph 7 above, it is suggested that auditors can make use of networks in conducting audits in the following ways:

(a) Research

The Internet is an excellent tool to find, download, purchase and share information from vendors, national and university libraries, and peer auditing organisations of other nations. In the Audit Commission’s experience in carrying out value for money audits, we have found on-line access to information extremely valuable and helpful in our audit work. In particular, we are able to obtain useful information about the practices and experiences of overseas audit offices.

(b) Exchange and submission of audit work

Special audit software packages (e.g. TEAMMATE marketed by PricewaterhouseCoopers) are nowadays available to facilitate the documentation of audit work in progress in a computer file, and the transfer and submission of the file, through the Internet, to other audit team members or the team supervisor for immediate action/review.

(c) Understanding the network

The auditor needs to use the network to gain a thorough understanding of the network in which the client’s business transactions are originated, processed, stored and transmitted from the client to his clients, and to understand the various resource definitions of what each server in the network can do. The auditor must also understand the applications on each server in the network, and what controls the client has implemented to ensure that the transactions are accurate and properly authorised.

(d) Performing “real-time” audit of the client’s accounts

With the assistance of a network, auditors can perform real-time test checks of the client’s transactions. Instead of tracing the paper records, auditors can use the network to pose as the client’s customers to test check the various systems (from purchasing to ordering, from payables to updating of the accounts) of the client. For example, an auditor may test the systems of an on-line bookseller in many ways by ordering books from that bookseller through his Website.

(e) Performing audit confirmations

Auditors may use the network to perform audit confirmations of ownership of assets with the client’s clients, the client’s financial organisations, and government records in the public domain (Note 2), provided that the information exchanged is authentic and properly protected in the process.

(f) Outsourcing of audit work

Auditors may use the network to outsource part of the audit work to other auditors, or specialist organisations. These specialist organisations may be found on the Internet.


CONCLUSION

23. E-business techniques will gradually replace the traditional paper-based methods of transacting business. This introduces audit risks associated with the legal validity and reliability of electronic evidence, which need to be addressed by auditors. In summary, conducting e-business in the network environment will have the following impacts on IT audit:

- although the audit objectives remain unchanged, auditors face challenges in the collection and testing of data in a network environment; on the other hand, there is potential to improve audit efficiency;

- there is a need for auditors to satisfy themselves that electronic evidence is reliable, through appropriate audit testing and evaluation of controls, before using it as audit evidence;

- the coverage of auditing e-business depends on the way the entity uses its Website for e-business and, as has been shown in the case of Hong Kong’s ESD Scheme, the scope of the audit needs to be quite comprehensive; and

- auditors can make good use of the network for such purposes as research, management of audit work and performing real-time audit.

Note 2: As an example, the auditor of a US airline can access the Website of the US Government’s Federal Aviation Administration, and test check the ownership of any aircraft registered in the United States.