
FOR STUDENTS: (for private circulation among students of SCIT only. IPR issues involved; must not be sent in any form to outsiders.)
IT audit is not an isolated discipline; it is derived from the general principles of auditing. However, due to the nature of this technology and its practice in the industry, IT auditing has taken on some different flavours, and the recent framework is the outcome of the standards and guidelines enunciated by ISACA and COBIT. Thus, IT auditing starts with an Audit plan, and in brief the main sections in the IT audit planning process are:
Audit plan
Audit start up: The preparation before commencing an audit involves collecting background information such as: What is the business? How is IT associated with and aligned to the business processes? This is an audit of IT in its various aspects, covering certain depths and dimensions of the technological issues as per the business objective. Thus a certain amount of detail is also covered in checking the various controls in the IT infrastructure. This calls for audit staff with the right kind of skills to be allotted to the right assignment.
Audit Process: The audit process is actually the broad outline of IT auditing. The main items in this process are the following:
1. Pre-audit Planning: Before the actual audit plan is charted, it is the practice to gauge the extent and outline the work. This involves first of all the acceptance of the audit task and the issue of the engagement letter. Further, at this stage the auditor decides the team and the skill set needed.
2. Planning: As is evident, the next step after pre-audit is the detailed Audit Planning. This involves deciding the audit phases, the approach for risk based auditing, deliberating over materiality and misstatement, and thus arriving at an audit strategy.
3. Execution: This is the phase for the detailed audit work: developing the audit program and procedure, gathering data, checking the controls, and ensuring the quality of the audit and data reliability by proper supervision.
4. Reporting: Audit reporting is the skillful completion of the entire set of checks and the survey. One of the greatest concerns of the auditor is the quality of the audit. There should not appear any slip-up in checks, or any compromising of the ethics and independence of the auditing standards. The report highlights the scope for improvement and, in the case of a security audit, it must point out the various risks that loom over the IT set-up.
The diagram below depicts the Audit Process in broad steps of activities.
[Figure: the Audit Process in broad steps; only the labels "Subject", "Object" and "Resource" survive from the diagram]
At the base of all these audit activities rests the fundamental IT audit maxim, that is:
i. The auditor obtains and evaluates evidence.
ii. The auditor assesses the reliability and sufficiency of the information contained in the underlying records and other source data.
The evidence obtained and evaluated by the auditor relates to the assertions about IT controls and processes. Below is a clip-art based depiction of this maxim:
[Figure: clip-art depiction of the maxim; labels "Assertion on", "Want to see", "How to Produce", "Evidence"]
Apart from data gathering, the audit process takes recourse to preparing a checklist for auditing the various IT activities, identifying the assets such as processors and storage systems, software, hardware, network equipment etc., identifying the risks and accordingly preparing the questions.
Analyzing the checklist
Analyze the checklist, review the answers, go back again for discussion on the discrepancies, identify the potential threats and risks, and remove redundant questions or questions not pertaining to the lab, as it is a small scale institution.
Preparing the recommendations
After a thorough review of the flaws, make recommendations.
Consider Internal Control
To develop an understanding of internal controls, consider information from previous audits, the assessment of inherent risk, judgments about materiality, and the complexity of the organization's operations and systems.
Performing Audit Procedures
Audit procedures are developed based on the auditor's understanding of the organization and its environment.
Issue the Audit Report: This calls for skillful writing of the whole set of observations and comments made on each of the audited items. The security aspect must be highlighted, going beyond what is installed/practiced to what is desirable in the interest of the company's business objective.
Risk based Auditing: (this is not a method but an approach)
Risk based Auditing, though confined largely to Financial auditing, is an approach equally applicable in IT Auditing. It is necessary to gather information on the business and the extent of IT alignment to the business processes. This enables the auditors to frame the auditing strategy. The main purpose is to identify the areas on which to focus concentrated audit efforts due to inherent and control risks. As in financial audit, "Materiality" needs to be coupled with the possibility of misstatement, and is hence an indicator of risky information.
Risk based auditing is associated with four types of risks, viz. Inherent Risk, Control Risk, Detection Risk and Audit Risk (quality of audit). Inherent risk may be viewed as the risk the organization faces without mitigating Control Risks.
In short, IT auditors review the risks relating to IT systems and processes including:
i) Inadequate information security (e.g. missing or out of date antivirus controls)
ii) Inefficient use of corporate resources, or poor governance (e.g. spending large amounts on unnecessary IT projects)
iii) Ineffective IT strategies, policies and practices (including a lack of policies)
iv) IT-related frauds (this strictly comes under Cyber Security)
[Figure: depiction of types of risks in risk based auditing]
Benefits of a Risk Based Audit Approach:
In a risk based audit approach the focus of the audit is on the controls whose infirmity can cause financial loss or operational hazards in the IT set-up. Prior to the audit, the level of assurance needed in significant audit areas is determined. Thus the emphasis on detailed audit checks reduces risk through the mitigating actions initiated by the management consequent to the audit report.
Result: The auditor performs a MORE EFFECTIVE and EFFICIENT audit, focused on Higher Risk Areas.
On Infrastructure Audit:
The scope of IT auditing of Infrastructure encompasses many facets, but it mainly covers:
a) Review of Management control
b) Access control
c) Application control
d) Database control
e) Network control
f) Review of BCP and DR
g) IT security
It has been mentioned earlier that the preparation before commencing any audit plan involves collecting background information, viz.: What is the business? How is IT associated with the business processes? What is the IT infrastructure: the architecture at Enterprise level, the layout at units and the piecemeal details?
IT Infrastructure Audit: The business objective determines the details and depth of the IT Infrastructure audit. The business stake would be the final criterion. A company in the SME sector would be happy to audit at the summary level of all the IT infrastructure items, whereas in the audit of a mega corporate it is the practice to go into the details of each item, such as each and every entity of network equipment, their operations and maintenance control, licence issues and so on; the IT audit needs to go into far more detail. A question may come: Why audit Infrastructure? The answer to this in summary is:

Since it involves large investment, naturally the management needs to know: How is it Managed?
Whatever the applications of IT, at the base of most of the technology the infrastructure is the "common denominator". Everything rests on this platform.
For the Enterprise it is the Infrastructure which "Connects to the World"; without a solid infrastructure there would be loss of Revenue on E-Commerce.
Besides, on the security aspect the organization could be susceptible to various attacks such as Denial of Service, etc.
Last of all, the business requires Resilience, reliability and business continuity.
Nevertheless there are some standard requirements of an IT infrastructure from the audit point of view; we may call them basic needs. They are in summary:
- The 'Functional space': safe and secured for locating mission-critical equipment
- They all should be tuned for High Availability (HA)
- The support facilities should be reliable, viz. the Power supply should be adequate, steady and ripple free; the Environment Control (HVAC), cooling, fire protection etc. should be state-of-the-art
- Excellent Communication facilities, for inside users and the outside world (Broadband, LAN, voice)
A diagram below depicts these requirements of an IT Infrastructure.
[Figure: Typical requirements of an IT Infrastructure; labels "Facilities and", "Business Objective", "IT Infrastructure"]
IT infrastructure may be classified under three major components, namely the Site, the Data Centre, and Support and Facilities.
The Data Centre is the most elaborate and intricate layout in the IT Infrastructure. The focus of auditing a centre is to check whether the following are pursued or not:
The objective of the data center is to align IT activities with the goals of the business while maintaining the security and integrity of critical information and
To adequately determine whether or not the client's goal is being achieved, the auditor should perform the following before conducting the review:
Each of them (the Site, Datacentre and Facilities) has several components, each of them important for smooth functioning and ensuring high availability (for our course we select some of them only). The main areas from the IT audit point of view are:
-The audit of the Site
-The server and OS audit
-The audit of Network
-Storage and Database audit
-Audit of Hardware and peripherals
-Audit of support and facilities
-Audit of Admin related matters

The site audit is mostly physical and confines itself to the Examination of Controls relevant to the IT Infrastructure site; checking the Process of collecting and evaluating Evidence that the controls are effective.
For Example:
- Perimeter control checks
- Access control checks
- Support and Facilities monitoring checks
In some detail: What do we see in a Data Centre (for auditing of them)?
- Signage: the necessity is felt at the time of any rescue operation
- Entry: gate/door, should be a single entry
- Access system: controlled or manual
- Environmental control (HVAC), power supply (UPS)
- Roles and responsibilities of personnel working at the network centre, their Training
- Emergency response: system and procedure (BCP and DR, if they exist)
A schematic diagram of the important functional entities of IT Infrastructure for audit:
[Figure: functional entities of IT Infrastructure for audit; labels "Storage & DB audit", "Support &", "HW &", "SECURITY AUDIT"]
In the above diagram the bottom portion shows Security Audit. This is meant to show that all the above units also have security features that need to be audited.
Having described briefly the auditing of the Site, we now briefly take up the auditing aspects of some of the other important functional entities of IT Infrastructure.
Server Audit:
It is important that the auditor knows something about the server and the OS. Usually people take the OS as a black box and the server as a peripheral (a collection of processor, memory, I/O units and communication cards). However there are several other aspects. The audit starts with the checks of the pre-installation settings against the current status. Check the evidence of how these settings are reconfigured, the authorization recording etc. The next important thing to check is the server log. The log gives a hoard of information on the server operation. Besides these, the auditing covers the following:
- Server type: its role in the enterprise (viz. desktop, distributed processing, client-server, web server, real-time mainframe)
- Types of OS on different server(s)
- Configuration: how it is authorized and recorded
- Memory management
- File management (ditto)
- Security Features
- Password management
- Audit Trail reading
With the current trend of virtualization of the server, an additional audit feature would be the management of the virtualized servers, the management of
Network Audit: The audit focus in Network is mainly on three aspects, namely the Availability of the Network, the Access (secured and controlled) and the Interception capability (from viruses, intruders etc.).
For this the audit activities begin by auditing the overview of the Computer Networks. This contains mainly:
- Reviewing Network Policies and operating procedures
- Reviewing the Network diagram, list of equipment and IP addresses, cabling details
- Risk identification and prioritization
- Breaking the network into manageable pieces
- Understanding every element of the network and the risk associated with it
- Checking of trouble reports and Helpdesk logs
Even though the network is segmented into "manageable pieces", the audit activities can be classified as under:
- Physical: environment, site, layout and installation, cabling (connection and
- Operational: policy, configuration management, parameter setting of all network
- Maintenance: policy and procedure (both operational and support facilities)
- Security: physical, network access, intrusion detection
Auditing of Physical aspects of Network involves checks of the following:
(i) Location proper as per recommendation or not
(ii) Life: beyond certified life or not
(iii) Operations manual: exists or not
(iv) Layout / connectivity diagram: exists or not
(v) Numbering Tags on cables: exist or not
(vi) Surrounding environment of the Network Centre: check whether a sensitive area, flood prone or not, fire fighting system, electrical system, etc.
And many other details.
Auditing the Operational Aspect of Network
- Network topology and physical infrastructure documentation, diagram, etc.
- Network wiring is installed in a structured manner and is well labeled
- Network addresses and names are assigned in a structured manner and are well
- Items calling for configuration change
- Procedure for operations
- Guidelines and operating manuals: Documents?
- Escalation matrix: available?
On Operations and Control the following must be checked for evidence:
a) Identifying the functional units in the network that call for regular operations
b) Configuration Management: a policy exists, whether only by authorized persons
c) Port identification: labeling and Tags
d) Routine checks and performance monitoring: a policy and adherence to it
e) Network Log: reading and follow up
f) Service interruption Log available?
g) Contingency plan in the event of any unit down
h) Network availability
i) Fault reporting: procedures for rectification, whether they exist or not
j) Firmware latest version, licence renewal
Above are the general auditing aspects of Network. However there are other details in the network from the auditing angle. They are the auditing of the various independent functional units, which are vital for network availability and performance. The list below identifies them.
While auditing the Network it is recommended to carry out specific audits of the following network systems:
a) Firewall
b) Router
c) Switches
d) SNMP operation
e) ISP connectivity points and routing
f) Servers connectivity over LAN/WAN
g) Security of the Access Points for WAN
Audit of Storage and Database: The auditing of the storage area in a simpler Lab is that of ensuring the regular back-up of data from different servers, checking the count of records copied on to the mass storage, tallying the counts of files, data volume, etc. However in modern storage such as a SAN things are automatic and the auditing scope is limited to glancing over the log outputs. However the audit of the database calls for more attention. Basically it involves the following checks:
The audit log: this is the most accurate source of events because it is the database that acts as the arbiter to ensure transactional consistency and data integrity. The auditor decides "What sort of activity should I look for? What sort of things can a database audit file tell me?"
Metadata Changes: This is another vital area in DB auditing. Here the changes to the database structure alter system function and offer new access to database contents. New views and added columns often lead to data leakage and should be monitored.
Auditing incurs a performance penalty, and depending upon how you implement it, that penalty can be severe. The auditor needs to check and ask questions to ensure the security of such activities.
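As an added illustration of the "Metadata Changes" check (example code, not part of the original notes): the snapshot-and-diff below uses Python's sqlite3 module and a constructed in-memory database as a stand-in for the audited DB; the table, column and view names are assumptions. Run against a snapshot taken at the start of the audit period, the diff surfaces exactly the new views and added columns the text says should be monitored.

```python
import sqlite3

def build_sample_db():
    """Constructed stand-in for the audited database (names are assumptions)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
        CREATE TABLE audit_log (id INTEGER PRIMARY KEY, who TEXT, action TEXT);
    """)
    return conn

def schema_snapshot(conn):
    """Read the DB's own metadata catalogue (sqlite_master) into
    {object_name: (object_type, [column names])}."""
    snap = {}
    rows = conn.execute(
        "SELECT type, name FROM sqlite_master "
        "WHERE type IN ('table', 'view') AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for obj_type, name in rows:
        # name comes from the catalogue itself, so quoting it is safe here
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{name}")')]
        snap[name] = (obj_type, cols)
    return snap

def diff_schema(baseline, current):
    """Compare two snapshots and list the structural changes an auditor
    should follow up: new objects, added columns, dropped objects."""
    findings = []
    for name, (obj_type, cols) in current.items():
        if name not in baseline:
            findings.append(f"NEW {obj_type.upper()}: {name}")
            continue
        for col in cols:
            if col not in baseline[name][1]:
                findings.append(f"ADDED COLUMN: {name}.{col}")
    for name, (obj_type, _) in baseline.items():
        if name not in current:
            findings.append(f"DROPPED {obj_type.upper()}: {name}")
    return findings

def demo():
    """Baseline at the start of the audit period, then constructed DDL that
    widens access to sensitive data, then the diff the auditor reviews."""
    conn = build_sample_db()
    baseline = schema_snapshot(conn)
    conn.executescript("""
        ALTER TABLE employees ADD COLUMN ssn TEXT;
        CREATE VIEW all_salaries AS SELECT name, salary, ssn FROM employees;
    """)
    return diff_schema(baseline, schema_snapshot(conn))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The same two-snapshot comparison applies to any engine that exposes a catalogue (information_schema on most servers); the auditor keeps the baseline snapshot as evidence alongside the change-authorization records.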
The Database Administrator manages the following areas:
• Database Security
• Backup/Recovery
• Disaster Recovery
• Reorganization
• Performance Monitoring
• Application Call Level Tuning
• Data Structure Tuning
• Capacity Planning
This gives the auditor of the DB the clue where to look for controls and for the evidence of adherence to the controls.
However, apart from evaluating evidence for effective controls, the Security Audit has an added dimension: that of examining everything from the vulnerability and risk angle. A separate paragraph will elaborate on the security audit. The main points of importance of auditing IT with special focus on security are the following:
- This auditing, with its special orientation towards finding gaps in the security, helps identify potential vulnerabilities in the system (based on the audit report)
- A Security Audit report also brings out the effectiveness of security vis-à-vis the industry standards
- Security audits are also used to determine regulatory compliance (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Info Act) which specifies how organizations must deal with information processing
While discussing Security Audit it is worth presenting the subtle differences among the oft used terms Threat, Vulnerability and Risk, as described below:
Threat: Something that can potentially cause damage to the organisation, IT Systems or network.
Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Vulnerability: A weakness in the organization, IT Systems, or network that can be exploited by a threat.
Let us discuss the Basic Approach for carrying out a security audit of IT: Apart from the usual audit process for any IT set-up, the Security Audit rests on two important aspects, namely Anomalies & Deviation in the observed information about various controls, and Log reports. The auditor determines (from the managers and users) a "Baseline" or threshold value for each and every operational or maintenance activity. Then he finds:
- How much of a deviation from the norm represents an anomaly?
- How long must the deviation occur before registering an anomaly? (Time)
- What are the "Anomalies" in those observations? They can occur at any level (we may define the "anomaly" here as an unacceptable deviation). And then decide:
- What anomalies should trigger immediate alerts?
For ascertaining this, Log data monitored for the entire IT activity environment is observed and scrutinized. This leads to two main inference activities:
Profiling normal behavior: to understand typical system behavior at different times and in different parts of the business cycle (arriving at the Baseline or Threshold value)
Detecting deviations and anomalies: when system activity significantly deviates from the normal behavior you have documented
A depiction through a simple diagram below may be helpful in understanding these.
[Figure: simple diagram; labels "Observations", "Logs"]
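As an added example (not part of the original notes) of the baseline-and-deviation approach: the Python below profiles a constructed run of per-window failed-login counts to arrive at the Baseline, then registers an anomaly only when a window exceeds the threshold ("how much") and the excess persists for a minimum number of consecutive windows ("how long"). The log format, host name, counts and the k and min_windows values are constructed sample data and assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed sample log lines: one line per 10-minute window on one server.
BASELINE_LOG = """\
2024-03-01T08:00 host=srv1 failed_logins=2
2024-03-01T08:10 host=srv1 failed_logins=3
2024-03-01T08:20 host=srv1 failed_logins=1
2024-03-01T08:30 host=srv1 failed_logins=2
2024-03-01T08:40 host=srv1 failed_logins=3
2024-03-01T08:50 host=srv1 failed_logins=2""".splitlines()

OBSERVED_LOG = """\
2024-03-02T08:00 host=srv1 failed_logins=2
2024-03-02T08:10 host=srv1 failed_logins=9
2024-03-02T08:20 host=srv1 failed_logins=2
2024-03-02T08:30 host=srv1 failed_logins=11
2024-03-02T08:40 host=srv1 failed_logins=12
2024-03-02T08:50 host=srv1 failed_logins=10""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) failed_logins=(?P<n>\d+)$")

def parse(lines):
    """Return [(timestamp, count)] for every line matching the constructed format."""
    parsed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            parsed.append((m["ts"], int(m["n"])))
    return parsed

def profile_baseline(lines):
    """Profile normal behaviour: mean and population std dev of the metric."""
    values = [n for _, n in parse(lines)]
    return mean(values), pstdev(values)

def detect_anomalies(lines, baseline, k=3.0, min_windows=2):
    """Flag windows more than k std devs above the baseline mean, but only
    register an anomaly once the deviation has lasted min_windows in a row.
    Returns [(first deviating window, window at which the anomaly registered)]."""
    mu, sigma = baseline
    threshold = mu + k * sigma
    anomalies, run = [], []
    for ts, n in parse(lines):
        if n > threshold:
            run.append(ts)
            if len(run) == min_windows:
                anomalies.append((run[0], ts))
        else:
            run = []  # deviation ended: either never qualified or already registered
    return anomalies

def run_demo():
    """Baseline from day one, anomalies from day two of the constructed data."""
    return detect_anomalies(OBSERVED_LOG, profile_baseline(BASELINE_LOG))

if __name__ == "__main__":
    mu, sigma = profile_baseline(BASELINE_LOG)
    print(f"baseline mean={mu:.2f} sigma={sigma:.2f}")
    for start, registered in run_demo():
        print(f"anomaly: deviation from {start}, registered at {registered}")
```

The single spike at 08:10 is not registered because it does not persist, while the sustained run from 08:30 onwards is; which metrics get a short min_windows (or trigger an immediate alert) is the decision the text leaves to the auditor.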
However, the Logs themselves must be protected from tampering and corruption.
The common techniques to secure logs:
- Remote logging uses a centralized, highly protected storage location
- Printer logging creates a paper trail by immediately printing logged activity
- Cryptographic technology digitally signs log files to ensure that changes can be detected, though the files are vulnerable until they are finalized
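An added example (not from the original notes) of the cryptographic technique: each entry is tagged with an HMAC over the previous tag and the entry text, so editing or deleting any entry breaks every tag after it. The key and the log entries are constructed; a real deployment keeps the key (or at least the latest tag) off the logging host, which is the gap the "vulnerable until finalized" caveat and remote logging address.

```python
import hashlib
import hmac

# Constructed demo key: in a real deployment this lives off the logging host,
# because anyone holding it can recompute a consistent chain.
DEMO_KEY = b"constructed-demo-key-not-for-production"

def entry_tag(key, prev_tag, message):
    """HMAC-SHA256 over the previous tag and this entry, chaining them together."""
    return hmac.new(key, prev_tag + message.encode(), hashlib.sha256).hexdigest()

def append_entry(chain, message, key=DEMO_KEY):
    """Append (message, tag) to the chain; the first entry chains to an empty tag."""
    prev_tag = chain[-1][1] if chain else ""
    chain.append((message, entry_tag(key, prev_tag.encode(), message)))
    return chain

def verify_chain(chain, key=DEMO_KEY):
    """Return -1 if every tag verifies, else the index of the first bad entry."""
    prev_tag = ""
    for i, (message, tag) in enumerate(chain):
        expected = entry_tag(key, prev_tag.encode(), message)
        if not hmac.compare_digest(expected, tag):
            return i
        prev_tag = tag
    return -1

def build_log():
    """Constructed server events, appended in order."""
    log = []
    for msg in ("user=alice action=login",
                "user=alice action=config_change target=sshd",
                "user=bob action=login"):
        append_entry(log, msg)
    return log

def edited_log():
    """Tamper case 1: rewrite the config change as a harmless login."""
    log = build_log()
    log[1] = ("user=alice action=login", log[1][1])
    return log

def deletion_log():
    """Tamper case 2: drop the config-change entry entirely; the next entry's
    tag still commits to the deleted one, so verification fails there."""
    log = build_log()
    del log[1]
    return log

if __name__ == "__main__":
    print("intact:", verify_chain(build_log()))      # -1
    print("edited:", verify_chain(edited_log()))     # 1
    print("deleted:", verify_chain(deletion_log()))  # 1
```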
Let us next discuss briefly the IT Security Audit Procedure. While the procedures run into much detail, in summary they can be described as:
a) Familiarize with the organizational policies and procedures with regard to data
b) Interview key personnel to learn about organizational practices
c) Gather all data to be audited
d) Analyze logged data to identify policy compliance. This is the most time consuming process
e) Perform penetration testing to see the effectiveness of security controls
Checklist and Template based auditing
However, actually the auditor's initial approach is preparing a "checklist". Checklists provide a systematic and consistent approach for completing various tasks in any audit, whether an IT security audit or other IT audit. This covers:
- a high-level overview of the overall audit process
- stepwise processes for auditing different classes of systems
For example:
- Configuration checklists contain specific configuration settings
- Vulnerability checklists contain lists of critical vulnerabilities for each operating system in use
For proceeding with this approach, the auditors use a Template on which typical questions are put and the observations/responses are recorded in the appropriate column. A sample of the types of questions and a hypothetical template is shown for understanding this.
Typical Questions related to various aspects of IT in an enterprise
On policy and physical aspects
- Is there a security Policy for the network?
- Does the security policy leave any gap in the coverage (physical infrastructure, perimeter control/internal control)?
- Is proper threat and vulnerability analysis carried out and reflected in the policy?
Examining issues on NW related matters
- Are the Access logs examined to check?
- Router access authorization: does it exist?
- Router Configuration procedure: document exists?
- WLAN security features configured, documented?
- Access point configuration: procedure and record document exists?
- Address control: IP addresses allocation system and procedure exists?
- Configuration of DHCP: Authorization and control (practice exists?)
- Domain controller: authorization, password system? (practice exists?)
- Is there a system of routine periodic checks of controls?
- Security of Log/file for records on configuration, passwords (exists/not)
The Template merely translates this information and the responses/observations into a tabular form as shown below (next page):
Purely an Example: nothing to do with reality
Finding facts/data on | Whether YES or NO | Comments/observations
--------------------- | ----------------- | ---------------------
Is there a security Policy for the network |  | Policy papers examined and found it addresses / covers all aspects
Does the security policy leave any gap in the coverage (physical infrastructure perimeter control/internal control) |  | However, on perimeter control the policy is not very specific, might lead to confusion and create gap
Are the Access logs examined to check? | Yes | Checks are thorough
Access point configuration: procedure and record document | No | This is a Serious issue
Router access authorization, does it exist | Yes | Maintenance of records are perfect, leaves no Gap