audit function.
V1.0.0.1
January 2018
Professor: Mtro. Ing. Félix Ferreiras, PIS, MIS
felix.ferreiras@gmail.com
• IT audits were formerly known as "Automated Data Processing Audits" (or simply "ADP Audits") and also as "Computer Audits"; earlier still they were called "Electronic Data Processing Audits" (or simply "EDP Audits").
• Systems and Applications: An audit to verify that systems and applications are
appropriate, are efficient, and are adequately controlled to ensure valid, reliable,
timely, and secure input, processing, and output at all levels of a system's activity.
• Information Processing Facilities: An audit to verify that the processing facility is
controlled to ensure timely, accurate, and efficient processing of applications
under normal and potentially disruptive conditions.
• Systems Development: An audit to verify that the systems under development
meet the objectives of the organization, and to ensure that the systems are
developed in accordance with generally accepted standards for systems
development.
• Management of IT and Enterprise Architecture: An audit to verify that IT
management has developed an organizational structure and procedures to ensure
a controlled and efficient environment for information processing.
• Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify
that telecommunications controls are in place on the client (computer receiving
services), server, and on the network connecting the clients and servers. [Idem]
1. Entity-level controls
2. Physical facility
3. Networking and communications infrastructure
4. Operating system
5. Middleware
6. Database
7. Application
...
1. Entity-level controls
• These are controls that are pervasive across the organization and
provide the basic foundation for the control environment at the
company.
4. Operating system
• Examples are:
• Unix
• Linux
• Windows
• OS X
• ...
IT Audit Roles
Potential areas for IT audit
In detail: ...
5. Middleware
• This is software that provides additional integration between two separate "programs" that were not originally designed to communicate with each other (e.g. between a database system and a web server, or between an application and a database that it was not originally designed to access; JDBC, for example).
6. Database
7. Application
Below are some styles of IT auditing that describe the role of an IT audit group within
the overall audit function:
• They focus on the application layer because that is all they understand;
• They miss most or all of the other layers, meaning that they only see part of
the picture;
• Really, they aren't IT audit groups at all;
• These groups generally contain no true IT auditors but instead are made up
of business or financial folks who know how to use business application
systems.
• These audit teams focus almost solely on the application layer.
• They do a very thorough job of ensuring that access is properly controlled
and that segregation of duties issues do not exist;
• They likely will do a good job of ensuring that unauthorized changes to the
application cannot occur and that good controls are in place to ensure the
integrity of data being entered into the system.
• They do not review the foundational controls on which all systems rely, such
as the security of the network and of the operating system environment.
• [ Remember that if such aspects are not controlled properly, it is like locking
the door but leaving the windows open: people can exploit security weaknesses
at those other layers to disrupt the integrity, reliability, and security of the
applications. ]
• This approach occurs when people with the appropriate technical skills in the
IT area, who would lead the IT group to understand and review all the layers
involved, have not been hired.
• They are likely to be experts at data extraction and analysis tools, such as
Audit Command Language (ACL);
• They spend the majority of their time pulling data for the financial auditors
and helping them analyze it.
• They receive requirements from the financial auditors and execute those
requirements.
• They are a valuable part of an audit department, but if they constitute the
entire IT audit function, a lot of risk is missed or not taken into account.
• ...
• It is the most thorough and effective style of IT audit because it ensures that
all layers are being covered and that they are being covered by the people
with the highest level of subject matter knowledge.
• They understand how the audit process works and the important concepts
of testing and substantiation with test cases.
• They help to review the general application controls, such as change control
(Software Configuration Management or Change Control Management) and
overall system access administration.
• Its domain consists of the data layer (database) and the other underlying
layers (communication, transport, security, ...).
TCNo: 01-12
ID: <Your ID card number>
MASI GROUP: STGO 2017-2019
COORDINATOR: Mtro. Francisco Acosta
• ...