Basics in IT Audit and Application Control Testing
Apr. 29, 2019
IT Audit and Application Control Testing are large and complex activities in themselves; in this presentation I share the basics, based on my own experience and using guidance from the IIA GTAGs.
1. Basics in IT Audit and Application Control Testing
Presented by Dinesh Bareja
Doha, 28 April 2019
2. Basics in IT Audit and Application Control Testing
April 28, 2019
License and Copyright
This document has been created by IndiaWatch, Open Security Alliance, Dinesh O Bareja
Released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/
The information and practices listed in this document are provided as is and for guidance purposes only and should not be construed to be a standard (unless mentioned otherwise). Readers are urged to make informed decisions before adopting the information given in this document.
The author(s) may not be held responsible, or liable, in any event and for any issues arising out of the use of the information and / or guidelines included in this document. Further, we do not give any warranty on accuracy, completeness, functionality, usefulness or other assurances as to the content in the document. We disclaim all responsibility for any losses, damage caused or attributed, directly or indirectly, from reliance on and the use of such information.
Readers are welcome to provide feedback to the authors using the contact information provided in this document. This document has been prepared for general public distribution so all animations have been converted to static images.
Graphics and images are usually obtained from the internet and royalty free sources and are usually acknowledged by us. Errors may be expected in this practice and this is not intentional; we respect creative rights and request owner(s) to inform us of any inadvertent omission. Any trademarks or companies may be displayed or mentioned with the purpose of establishing a point or for better understanding and we do not claim any exclusivity or relationship with their respective owners.
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged (above) where possible. Any company names, brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).
3. About me
Dinesh O Bareja
CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR
• Researcher Founder: IndiaWatch & Open Security Alliance
• Principal Advisor: Pyramid Cyber Security & Forensic Pvt Ltd; Cyber Peace Foundation; Red Team Hacker Academy
• Outsourced CISO : IceWarp Technologies Ltd
• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
Enterprise & Government Policy Development; Cyber Security Strategy, Design & Architecture; Specialist – GRC, SOC, ERM, COBIT, ISO, BCP/DR etc.
4. About me – my contact information
dinesh@opensecurityalliance.org
@bizsprite
linkedin.com/in/dineshbareja
+91.9769890505
dineshobareja
dineshobareja
indiwatch.in
dineshbareja.com
Information Security professional working hard to stay abreast of technology, risks, threats, opportunities, and looking forward to the excitement of the future.
5. Introduction
• This presentation is an amalgam of my experience and guidance from the IIA Global Technology Audit Guide(s) (GTAG guides)
• At times I may specifically mention the GTAG reference where it is used directly
• I have tried not to include audit basics so as to restrict myself to the IT specific areas of the practice
• In some places I have shared questions and lists, but those are top of mind, so they should not be considered as the complete set … you will have to build your own questionnaire based on the size of the org etc
6. A few essentials to remember as you get into the IT audit and application testing domain
7. Two essentials
1. DATA IS THE ULTIMATE ASSET WHICH NEEDS TO BE PROTECTED
2. RISK management is the fundamental control for information security (be it audit / test / design)
8. IT Audit – a preamble
An audit is an audit… we look inside claims of compliance to uncover hidden weaknesses, invisible issues, organization challenges and more.
IT audit requires a larger set of skills as it has to look at IT technically, strategically and operationally, as well as from the security and business point of view.
As IT is a key enabling function for business and is increasingly critical for survival, IT audit is an existential necessity for any organization that wants to grow, survive and thrive.
References:
GTAG-01 - Information Technology Risk and Controls
9. IT Audit – what is this
• Provides assurance on the security triad of CIA
  • Confidentiality: the information in the systems is available only to authorized users
  • Integrity: the information provided by the system(s) will be accurate, reliable and timely (always)
  • Availability: the computer systems will be available for business at all times, whenever needed
• Examine and evaluate the organization’s Information Technology infrastructure, policies and operations to cover people, process and technology
• An IT audit will help determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals
10. IT Audit – the need
• Enables higher confidence in IT processes as business depends on IT
• Contain organizational costs arising out of data loss or system usage error
• Identify possible risk areas of incorrect decision making
• Mitigate costs of computer and asset abuse
• Value of computer hardware, software and personnel
• Maintenance of privacy
• Envisage and identify improvement
11. IT Audit – the assurance
• Compliance with best practices as provided by standards, frameworks, guidelines or laws and regulations
• Protection of organization assets from any type of risk like theft, misuse
• Disruptive attacks like DDoS, ransomware, APT etc can be managed
• Reputation and customer confidence are proactively protected
12. IT Audit – baselines / references
• International or domestic standards, guidelines, frameworks
  • ISO27001, ISO22301, ISO20000, Cloud Security Guidelines, PCI-DSS, GTAG, NIST, GDPR etc
• Industry / business best practices
• Customer requirements
• Vendor guidelines
13. IT Audit Universe
• An all-encompassing collection of audit areas, devices, people, technologies, organizational entities, and locations
• Business functions that provide adequate assurance on the organization’s risk management level
• Tangible or intangible assets (this includes business, people, process and technology in the organization)
14. IT Audit coverage
• TECHNOLOGY
  • Applications
  • Databases
  • Operating Systems
  • Networks
• CONTROLS
  • ITGC
  • Systems Development
  • Change Management
  • Logical Access
  • Physical Security
  • Service & Support Process
  • Backup and Restore
• APPLICATION CONTROLS
  • Authorization
  • Data Integrity
  • Segregation
• IT MANAGEMENT
  • IT Planning
  • System Operations
  • Programming
  • Vendor Management
15. (image-only slide)
16. The audit universe is huge, with many different types of audits being conducted. IT audit too takes on different colors, shades or shapes depending on the mandate(s).
17. IT Audit Types
• Internal, External (supplier/customer), Certification
• ISMS (ISO27001)
• ISO 22301, 31000, ITSM (ISO:20000)
• Regulatory (SOX, ITGC, Govt)
• Vendor (3rd Party)
• System development
• Application audits
• IT Infrastructure
• IS Maturity
• Risk assessments
• Cloud
• IS Functional audit
• SLA… etc.
18. Getting started on the IT audit
• Authority
• Accountability
19. Starting the IT audit
• Purpose of Audit
• Scope
• Operating Principles
• Authority
• Accountability
20. Starting the IT audit – purpose and operating principles
Purpose
• Mission statement
• Role
• Aims/goals
• Objectives
• Relationship with external audit
• Auditee requirements
Operating principles
• Critical success factors
• Key performance indicators
• Risk assessment
• Other measures of performance
21. Starting the IT audit – authority and accountability
AUTHORITY
• Right of access to information, personnel, locations and systems relevant to the performance of audits
• Scope or any limitations of scope
• Functions to be audited
• Auditee expectations
• Organizational structure, including reporting lines to board and senior management
ACCOUNTABILITY
• Auditee rights
• Independent quality reviews
• Assessment of compliance with standards
• Assessment of completion of the audit plan
• Comparison of budget to actual costs
• Agreed actions, e.g., penalties when either party fails to carry out their responsibilities
22. IT Audit Basics & Essentials
Looking at the IT Universe (organization) and fundamentals (or call them basics and essentials): access controls, asset management, governance, people, physical environment, operations, communication, incident response, business continuity & more
23. Context
• Fundamentally the audit should show a snapshot of the as-is state and the remediation path to the to-be state
• Objective view of business, people, process and technology with respect to the baseline standard / regulatory guideline
• Audit objective in alignment with the strategic vision and mission of the business
• “People, Process & Technology” and “Confidentiality, Integrity and Availability” are the two tenets on which the audit should be based
  • People (experienced, skilled and knowledgeable), Process (well designed, effective, controlled) & Technology (viable, needed, utilized)
24. Basics that must be in place
• IT Risk Management is fundamental to the Infosec organization and operations
• Assets are managed with a risk based framework
• Access to the organization’s most valuable assets (data) is adequately controlled
• Risk assessment (RA) done to identify assets that
  • Are likeliest targets for cyberattacks
  • Cause the most significant disruption if compromised
• Data classification to identify which data, if compromised, would cause financial or competitive loss, have legal ramifications, or cause reputational damage to the organization
• Incident Management & Response Team is prepared to react / respond effectively to a security incident
• Roles and responsibilities are defined
• Essential IS management practices like password, backup, change, configuration and patch are controlled
• Emerging risks and threats are continuously monitored
25. Key IT AUDIT Areas
• Security
• Risk Management
• Access Management
• Asset Management
• Backup & Recovery
• Data Classification
• Web Site / Web Applications
• Applications
• Resource Management
• Shadow IT
• Awareness
• Metrics (KPIs)
• BCP/DR
• Incident Response
• Drills and Tests
• Technology Risk Assessment
• Log Management
• Cloud Security
• ROI / UOI
26. IT AUDIT STRUCTURE (GTAG-1 IT Risk and Controls)
27. Probe Questions for CONTROL Selection
• Do IT / IS policies and IT controls exist?
• Are roles / responsibilities for IT and IT controls defined and assigned?
• Are controls designed and operating effectively?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail?
• How is management alerted to failures?
• Is evidence retained (e.g., through an audit trail)?
• Are the IT infrastructure equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Are controls in place to protect the operating environment and data from viruses and other malicious software?
• Are firewall-related controls implemented?
• Do firewall policies exist?
• Are external and internal vulnerability assessments completed, and have risks been identified and resolved appropriately?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Have the risks of outsourced services been taken into consideration? (For details on this, refer to GTAG 7: IT Outsourcing.)
28. ROI / UOI / VOU
• Reduce the priority given to ROI
• First review the UOI (Utilization of Investment)
• Then ensure VOU (Value of Utilization)
• … ROI is assured if these two are in place. You only have to identify the financial values of the goals / objectives
29. Infrastructure Testing
Remote / onsite vulnerability scans: servers, printers, routers, workstations, laptops – if it’s on the network, scan it!
Secondary locations: branch offices, vendors, warehouses, shop floor, field offices, retail outlets
Tools & Techniques
- Vulnerability Assessment
- Penetration Testing
- Threat Modelling
- Security Maturity Assessment
- Configuration Review
- Hardening
30. IT Audit process - High Level
• Planning: audit scope, objectives, internal control questionnaire
• Assessment / Testing: fieldwork, evaluation, testing
• Reporting: communication, audit findings, assessment results
• Follow-up: confirmation of planned actions, audit response verification
31. 1: Planning
• Kickoff
• Define Objectives
• Define Scope
• Internal Controls
• Historical Incidents
• Past Audits & Closures
• Site Survey
• Current Policies, SOP, Procedures
• Develop Audit Plan / Checklist
• Questionnaires
32. 2: ASSESSMENT / TESTING
• Meet with functional team
  • What data will be collected
  • How/when will it be collected
  • Site employee involvement
  • Access
• Data collection
  • Based on scope/objectives
  • Types of data
  • Physical security
  • Interview staff
  • Vulnerability assessments
  • Access control assessments
33. 3: Reporting
• Exit meeting – draft report
  • Questions & answers for site managers and functional team
  • Present & discuss draft report
  • Obtain buy-in and acceptance of findings and report
• Update with feedback… prepare final report and submit for the board
34. 4: Follow-up
• Review of findings, i.e. actions taken to resolve internal audit findings. They may be tested to ensure that desired results were achieved
• Ensure closure of NCs
• Carry out a new scan (VAPT/AppSec) after closure of the vulnerabilities, as per contract
35. Types of evidence for audit findings
• Logs
• Screenshots
• Confirmation messages
• Documents
• Emails
• Minutes of meetings
• Responses from stakeholders
• Performance / test results
• Pictures
• Data and database snapshots
• Observation notes from walkthroughs etc
36. IT Risk – basic risk assessment
• Which IT assets are at risk and what is the threat event?
• Value of asset Confidentiality, Integrity, and Availability?
• Impact and probability of the risk event?
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?
• What can be done to reduce / manage / transfer the risk?
• How much will it cost?
• Is the mitigation / remediation cost-efficient?
• Are asset owners informed of the risks?
37. IT Risks
Governance Risks
• Lack of commitment from top management leading to lack of support
• Lack of security awareness of people working at the ground level
• Complacency in IT security controls implementation
• Inadequately defined roles and responsibilities and lack of skills
General IT Risks
• The risk of a natural disaster impacting technology
• Man-made disaster impacting technology
• Malicious code infection
• Remote access, identity and authentication management, etc.
• Overreliance on security monitoring software
• Inadequate system logging
• Technology innovations that outpace security
• Outdated operating systems
• Lack of encryption
• Data on user-owned mobile devices
• IT “diplomatic immunity” within your organization
• Challenges recruiting and retaining qualified IT staff
• Segregation of duties
38. Assessing Risks related to the IT Environment
• Develop processes to identify risks.
• Assess risk and rank audit subjects using IT risk factors.
• A risk assessment:
  • Provides a foundation for the audit plan;
  • Promotes timely audit reporting on high-risk conditions;
  • Ensures that relevant information has been obtained from all management levels, including boards of directors, IT auditors, and functional area management;
  • Establishes a basis for managing the audit department effectively; and
  • Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans.
39. Application risks
• Insecure development practices
• Security testing not done during dev phase
• Source code leaked
• Comments and passwords hard coded
• Application is not updated (patched)
• Logic bomb dropped by disgruntled employee (changes are unmanaged)
• Poor authorization and authentication
• Insecure validation
• Logs not enabled
• Default settings
• Unnecessary privileges
40. Application Controls
Applications (or software) include any and all software, whether on premises or in the cloud (e.g. ERP, CRM, intranet, web applications etc)
41. Application Controls
Application controls are those controls that pertain to the scope of individual processes or application systems.
This includes data edits, separation of business functions, balancing of processing totals, transaction logging, error reporting, and secure development and operations.
42. Application Controls
• Application controls ensure proper coverage and the confidentiality, integrity, and availability of the application and its associated data.
• Proper application controls greatly reduce the risks and threats associated with application usage because applications are prevented from executing if they put the network or sensitive data at risk.
43. Objectives
• Input data is accurate, complete, authorized, and correct
• Data is processed as intended in an acceptable time period
• Output and stored data is accurate and complete
• A record is maintained to track data processing from input to storage to output
• Cost effective and efficient means to manage risk
• Reliant on the effectiveness of the IT general control environment
• Approach varies for complex versus non-complex environments
44. Common Application Controls (GTAG 8)
• Input and access controls (These controls ensure that all input transaction data is accurate, complete, and authorized.)
  • Data checks and validations
  • Automated authorization, approval, and override
  • Automated SOD
• File & Data Transmission Controls (These controls ensure that internal and external electronically transmitted files and transactions are received from an identified source and processed accurately and completely.)
  • File transmission controls
  • Data transmission controls
• Processing Controls (These controls ensure that valid input data has been processed accurately and completely.)
  • Automated file identification and validation
  • Automated functionality and calculations
  • Audit trails and overrides
  • Data extraction, filtering, and reporting
  • Interface balancing
  • Automated functionality and aging
  • Duplicate checks
• Output Controls (These controls ensure that output is complete, accurate, and distributed appropriately.)
  • General ledger and sub-ledger posting
  • Update authorization
• Master Files and Standing Data Controls (These controls ensure the integrity and accuracy of master files and standing data.)
  • Update authorization
45. APPLICATION CONTROLS
• Completeness checks – controls ensure records processing from initiation to completion
• Validity checks – controls ensure only valid data is input or processed
• Identification / Access – controls ensure unique, irrefutable identification of all users
• Authentication – controls provide an application system authentication mechanism
• Authorization – controls ensure access to the application system by approved business users only
• Input controls – controls ensure data integrity feeds into the application system from upstream sources
• Forensic controls – controls ensure scientifically and mathematically correct data, based on inputs and outputs
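The control types in slides 44 and 45 (completeness and validity checks, automated segregation of duties, duplicate checks, interface balancing against processing totals, and an audit trail) are easiest to test when you can see what each one rejects. The Python below is an added example, not code from the presentation or from the GTAGs: it runs a constructed batch of payment records through those record-level checks, then balances the accepted records against the batch header's control total and record count, writing every decision to an audit trail. The field names, the 10-digit account format, the currency list and all sample records are assumptions made for the illustration.

```python
"""Application control checks over a constructed batch of payment transactions.

Added example (not from the presentation or the GTAGs) demonstrating the control
types on slides 44 and 45: completeness checks, validity checks, automated
segregation of duties (maker != checker), duplicate checks, interface balancing
against batch control totals, and an audit trail of every decision.
All field names, formats and records are assumptions for the illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

REQUIRED_FIELDS = ("txn_id", "account", "amount", "currency", "maker", "checker")
VALID_CURRENCIES = {"QAR", "USD", "INR"}        # assumed list of accepted currencies
ACCOUNT_RE = re.compile(r"^\d{10}$")            # assumed format: 10-digit account number


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)     # (txn_id, reason)
    audit_trail: list = field(default_factory=list)  # one entry per decision
    balanced: bool = False


def _log(result, txn_id, outcome, reason=""):
    # Audit trail: who/what was decided and why, so processing is traceable end to end.
    result.audit_trail.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "txn_id": txn_id, "outcome": outcome, "reason": reason,
    })


def validate_transaction(txn, seen_ids):
    """Return None if the record passes every check, otherwise the reason it fails."""
    # Completeness check: every mandatory field present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if not str(txn.get(f, "")).strip()]
    if missing:
        return f"incomplete: missing {','.join(missing)}"
    # Validity checks: format and range edits on individual fields.
    if not ACCOUNT_RE.match(str(txn["account"])):
        return "invalid: account format"
    try:
        amount = float(txn["amount"])
    except (TypeError, ValueError):
        return "invalid: amount not numeric"
    if amount <= 0:
        return "invalid: amount must be positive"
    if txn["currency"] not in VALID_CURRENCIES:
        return f"invalid: currency {txn['currency']}"
    # Automated segregation of duties: the user who keys a transaction cannot approve it.
    if txn["maker"] == txn["checker"]:
        return "sod: maker and checker are the same user"
    # Duplicate check: the same transaction id must not be processed twice.
    if txn["txn_id"] in seen_ids:
        return "duplicate: txn_id already processed"
    return None


def process_batch(transactions, control_total, control_count):
    """Apply record-level controls, then balance the batch against its header totals."""
    result = BatchResult()
    seen_ids = set()
    for txn in transactions:
        txn_id = txn.get("txn_id", "<missing>")
        reason = validate_transaction(txn, seen_ids)
        if reason:
            result.rejected.append((txn_id, reason))
            _log(result, txn_id, "REJECTED", reason)
            continue
        seen_ids.add(txn_id)
        result.accepted.append(txn)
        _log(result, txn_id, "ACCEPTED")
    # Interface balancing: accepted records must reconcile to the control total and count
    # the sending system put in the batch header; any drop or alteration shows up here.
    total = round(sum(float(t["amount"]) for t in result.accepted), 2)
    result.balanced = (total == control_total and len(result.accepted) == control_count)
    _log(result, "BATCH", "BALANCED" if result.balanced else "OUT_OF_BALANCE",
         f"total={total} expected={control_total} count={len(result.accepted)} expected={control_count}")
    return result


# Constructed sample batch (not real data). The header claims 3 records totalling 1750.00.
SAMPLE_BATCH = [
    {"txn_id": "T001", "account": "1234567890", "amount": "500.00", "currency": "QAR", "maker": "alice", "checker": "bob"},
    {"txn_id": "T002", "account": "1234567890", "amount": "1000.00", "currency": "QAR", "maker": "alice", "checker": "bob"},
    {"txn_id": "T003", "account": "12345", "amount": "250.00", "currency": "QAR", "maker": "alice", "checker": "bob"},       # bad account
    {"txn_id": "T004", "account": "9876543210", "amount": "75.00", "currency": "QAR", "maker": "carol", "checker": "carol"},  # SoD breach
    {"txn_id": "T001", "account": "1234567890", "amount": "500.00", "currency": "QAR", "maker": "alice", "checker": "bob"},   # duplicate
    {"txn_id": "T005", "account": "9876543210", "amount": "", "currency": "USD", "maker": "alice", "checker": "bob"},         # incomplete
]

if __name__ == "__main__":
    r = process_batch(SAMPLE_BATCH, control_total=1750.00, control_count=3)
    print("accepted:", [t["txn_id"] for t in r.accepted])
    print("rejected:", r.rejected)
    print("balanced:", r.balanced)
    for entry in r.audit_trail:
        print(entry)
```

Two of the six records are accepted and four are rejected for different reasons, and because the header said three records totalling 1750.00 the batch ends out of balance; that is the point of pairing record-level edits with interface balancing, since the balancing control tells the auditor that something the sender counted never made it into the ledger, and the audit trail shows which record it was and why.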
46. Questioning input controls
• How does the transaction originate?
• How is the transaction authorized (e.g., a manual signature, electronic signature, screen access authorization, etc.)?
• Who inputs the source data? Are these individuals separate from those who reconcile the processing results?
• How is the source data added into the application (e.g., batch, online, etc.)?
• Who has access to the application (input / output / transaction / source)?
• Is data entry conducted within a short time after the source document is created?
47. Benefits of Application Controls
• Reliability
  • Reduces likelihood of errors due to manual intervention
• Benchmarking
  • Reliance on general controls can lead to concluding the application controls are effective year to year without re-testing
• Time and cost savings
  • Typically application controls take less time to test and only require testing once as long as the IT general controls are effective
48. Application Control Hygiene
• Applications should be kept in good hygiene (or good working condition)
• This requires that we take care of the application during
  • Design
  • Development
  • Change
  • Installation
  • Operations
  • Maintenance
• In simple terms it means taking care of:
  • Change Management
  • Security in design
  • Secure Coding
  • Patch Management
  • Backup
  • Versioning
  • Documentation
  • Logs
  • Defaults
  • Remote access
  • Threat Modelling
49. WRAPUP
IT audits will help to identify the current state and, using risk-based methods, will be able to provide an effective path for mitigation and remediation. The auditee organization must enable continuous improvement as recommended by the auditors and, most importantly, remediation / mitigation measures should be carried out in the shortest possible time once identified.
Application controls are a cost-effective and efficient means to manage risk through the process to build security in. Practices like secure coding, access controls, patch management, testing and following industry standards will help decrease risks. IA (internal audit) should determine that application controls are designed appropriately and operate effectively.
50. Role of Internal Auditors
• Knowledge of key IT risks, controls and audit techniques (GTAG 1)
• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself. Many IT controls are technical in nature, and IT supplies the tools for many business controls.
• Consultant and advisor providing independent risk assessment
• Advise on what is to be protected, the level of protection, and what controls are to be applied.
• Can provide guidance on risk appetite, tolerance and mandatory regulations, as IA has an inside view of the organization.
51. How much of a techie do you need to be
• Knowledge of key IT risks, controls, audit techniques, events and incidents, new and upcoming technologies
• Networked with technologists (subject matter experts)
• Logical and lateral thinker
• Common sense
52. Global Technology Audit Guides (GTAG)
• GTAG 1: Information Technology Controls
• GTAG 2: Change and Patch Management Controls: Critical for Organizational Success
• GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
• GTAG 4: Management of IT Auditing
• GTAG 5: Managing and Auditing Privacy Risks
• GTAG 6: Managing and Auditing IT Vulnerabilities
• GTAG 7: Information Technology Outsourcing
• GTAG 8: Auditing Application Controls
• GTAG 9: Identity and Access Management
• GTAG 10: Business Continuity Management
• GTAG 11: Developing the IT Audit Plan
• GTAG 12: Auditing IT Projects
• GTAG 13: Fraud Prevention and Detection in an Automated World
• GTAG 14: Auditing User-developed Applications
• GTAG 15: Information Security Governance
• GTAG 16: Data Analysis Technologies
• GTAG 17: Auditing IT Governance
Practice guides that provide detailed guidance for conducting internal audit activities. These guides are published by the Institute of Internal Auditors (IIA). They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.
53. (closing slide, no content)