Basics in IT Audit and Application Control Testing

Basics in
IT Audit and
Application
Control
Testing
Presented by Dinesh Bareja
Doha, 28April 2019

Basics in IT Audit and Application Control Testing
April 28, 2019
This document has been created by IndiaWatch., Open Security Alliance., Dinesh O Bareja
Released in the public domain under Creative Commons License (Attribution- Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/
The information and practices listed in this document are provided as is and for guidance purposes only and should not be
construed to be a standard (unless mentioned otherwise). Readers are urged to make informed decisions before adopting the
information given in this document.
The author(s) may not be held responsible, or liable, in any event and for any issues arising out of the use of the information and / or
guidelines included in this document. Further, we do not give any warranty on accuracy, completeness, functionality, usefulness or
other assurances as to the content in the document. We disclaim all responsibility for any losses, damage caused or attributed, directly
or indirectly, from reliance on and the use of such information.
Readers are welcome to provide feedback to the authors using the contact information provided in this document. This document
has been prepared for general public distribution so all animations have been converted to static images.
Graphics and images are usually obtained from the internet and royalty free sources and are usually acknowledged by us. Errors may
be expected in this practice and this is not intentional.-we resect creative rights and request owner(s) to inform us of any inadvertent
omission. Any trademarks or companies may be displayed or mentioned with the purpose of establishing a point or for better
understanding and we do not claim any exclusivity or relationship with their respective owers.
License and Copyright
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged (above) where possible. Any company names,
brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or
otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us
for remediation of the erroneous action(s).

April 28, 2019
ABOUT ME
Dinesh O Bareja
CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR
• Researcher Founder: IndiaWatch & Open Security Alliance
• Principal Advisor : Pyramid Cyber Security & Forensic Pvt Ltd
Cyber Peace Foundation
Red Team Hacker Academy
• Outsourced CISO : IceWarp Technologies Ltd
• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
Enterprise & Government Policy Development; Cyber Security
Strategy, Design & Architecture; Specialist – GRC, SOC, ERM,
COBIT, ISO, BCP/DR etc;

April 28, 2019
ABOUT
ME
MY CONTACT
INFORMATION
dinesh@opensecurityalliance.org
@bizsprite
linkedin.com/in/dineshbareja
+91.9769890505
dineshobareja
dineshobareja
indiwatch.in
dineshbareja.com
Information Security professional
working hard to stay abreast of
technology, risks, threats,
opportunities and looks forward
to the excitement of the future..

April 28, 2019
introduction
• This presentation is an amalgam of my experience and guidance from
the IIA Global Technology Audit Guide(s) (GTAG guides)
• At times I may specifically mention the GTAG reference where it is used
directly
• I have tried not to include audit basics so as to restrict myself to the IT
specific areas of the practice
• Some places I have shared questions, lists but those are top of the mind
so should not be considered as the complete set … you will have to
build your own questionnaire based on the size of the org etc

April 28, 2019
A Few essentials
to remember as
you get into the
iT Audit and
application
testing domain

April 28, 2019
1. DATA IS THE ULTIMATE ASSET
WHICH NEEDS TO BE PROTECTED
2. RISK management is the
fundamental control for
information security (be it
audit / test / design)

April 28, 2019
IT AUDIT – A Preamble
An Audit is an Audit… we look inside claims of compliance to uncover
hidden weaknesses, invisible issues, organization challenges and more.
IT audit requires a larger set or skills as it has to look at IT technically,
strategically, operationally as well as from the security and business point
of view.
As IT is a key enabling function for business and is increasingly critical for
survival this makes IT Audit an existential necessity for any organization
that wants to grow, survive and thrive.
References:
GTAG-01 - Information Technology Risk and Controls

April 28, 2019
IT AUDIT
• Provides assurance on the security triad of CIA
• Confidentiality : The information in the
systems is available only to authorized users
• Integrity : The information provided by the
system(s) will be accurate, reliable and
timely (always)
• Availability : The computer systems will be
available for business at all times, whenever
needed.
• Examine and evaluate the organization’s
Information Technology infrastructure, policies
and operations to cover people process and
technology
• An IT audit will help determine whether IT
controls protect corporate assets, ensure data
integrity and are aligned with the business's
overall goals
what is
this

April 28, 2019
• Enables higher confidence in IT
processes as business depends on IT
• Contain organizational costs arising out
of data loss or system usage error
• Identify possible risk areas of incorrect
decision making
• Mitigate costs of computer and asset
abuse
• Value of computer hardware, software
and personnel
• Maintenance of privacy
• Envisage and identify improvement
IT AUDIT
THE NEED

April 28, 2019
• Compliance with best practices as
provided by standards, frameworks,
guidelines or laws and regulations
• Protection of organization assets from
any type of risk like theft, misuse
• Disruptive attacks like DDOS,
ransomware, APT etc can be managed
• Reputation and customer confidence
are proactively protected
IT AUDIT
THE
Assurance

April 28, 2019
• International or domestic standards,
guidelines, frameworks
• ISO27001, ISO22301, ISO20000,
Cloud Security Guidelines, PCI-DSS,
GTAG, NIST, GDPR etc
• Industry / business best practices
• Customer requirements
• Vendor guidelines
IT AUDIT
Baselines
references

April 28, 2019
IT Audit
Universe
• An all-encompassing collection of
audit areas, devices, people,
technologies, organizational entities,
and locations
• Business functions that provide
adequate assurance on the
organization’s risk management level
• Tangible or intangible assets (this
includes business, people, process and
technology in the organization)

April 28, 2019
IT Audit coverage
•TECHNOLOGY
• Applications
• Databases
• Operating Systems
• Networks
•CONTROLS
• ITGC
• Systems Development
• Change Management
• Logical Access
• Physical Security
• Service & Support
Process
• Backup and Restore
• APPLICATION
CONTROLS
• Authorization
• Data Integrity
• Segregation
•IT
MANAGEMENT
• IT Planning
• System Operations
• Programming
• Vendor Management

April 28, 2019

April 28, 2019
The audit universe is huge with many different types of
audits being conducted. IT audit too, takes on different
colors, shades or shape depending on the mandate(s).

April 28, 2019
IT Audit Types
•Internal, External
(supplier/customer),
Certification
•ISMS (ISO27001)
•ISO 22301, 31000,
ITSM (ISO:20000)
•Regulatory (SOX, ITGC,
Govt)
•Vendor (3rd Party)
•System development
•Application audits
•IT Infrastructure
•IS Maturity
•Risk assessments
•Cloud
•IS Functional audit
•SLA… etc.

April 28, 2019
Getting
Started
on the
IT audit
•Authority
•Accountability

April 28, 2019
Starting the IT audit
•Purpose of Audit
•Scope
•Operating Principles
•Authority
•Accountability

April 28, 2019
•Authority
•Accountability
• Mission statement
• Role
• Aims/goals
• Objectives
• Relationship with
external audit
• Auditee
requirements
Purpose
• Critical success
factors
• Key performance
indicators
• Risk assessment
• Other measures
of performance
Operating
principles

April 28, 2019
•Authority
•Accountability
• Right of access to
information, personnel,
locations and systems
relevant to the
performance of audits
• Scope or any limitations of
scope
• Functions to be audited
• Auditee expectations
• Organizational structure,
including reporting lines
to board and senior
management
AUTHORITY
• Auditee rights
• Independent quality
reviews
• Assessment of compliance
with standards
• Assessment of completion
of the audit plan
• Comparison of budget to
actual costs
• Agreed actions, e.g.,
penalties when either
party fails to carry out their
responsibilities
ACCOUNTABILITY

April 28, 2019
Looking at the IT Universe (organization) and fundamentals (or call them
basics and essentials) : access controls, asset management, governance,
people, physical environment, operations, communication, incident
response, business continuity & more
IT Audit Basics & Essentials

April 28, 2019
Context
• Fundamentally the audit should show a snapshot of the as-is
state and the remediation path to the to-be state
• Objective view of business, people, process and technology
with respect to the baseline standard / regulatory guideline
• Audit Objective in alignment with the strategic vision and
mission of the business
• “People Process & Technology” and “Confidentiality, Integrity
and Availability” are the two tenets on which the audit should
be based
• People (experienced, skilled and knowledgeable), Process (design,
effective, controlled) & Technology (viable, needed, utilized)

April 28, 2019
Basics that must be in place
• IT Risk Management is fundamental to
the Infosec organization and
operations
• Assets are managed with a risk based
framework
• Access to the organization’s most
valuable assets (data) is adequately
controlled
• RA done to identify assets that
• Are likeliest targets for cyberattacks
• Cause the most significant disruption if
compromised
• Data classification to identify which
data, if compromised, would cause
financial or competitive loss, and have
legal ramifications, or reputational
damage to the organization
• Incident Management & Response
Team is prepared to react / respond
effectively to a security incident
• Roles and responsibilities are defined
• Essential IS management practices like
password, backup, change,
configuration, patch are controlled
• Emerging risks and threats are
continuously monitored

April 28, 2019
Key IT AUDIT Areas
•Security
•Risk Management
•Access Management
•Asset Management
•Backup & Recovery
•Data Classification
•Web Site / Web Applications
•Applications
•Resource Management
•Shadow IT
•Awareness
•Metrics (KPIs)
•BCP/DR
•Incident Response
•Drills and Tests
•Technology Risk Assmt
•Log Management
•Cloud Security
•ROI / UOI

April 28, 2019
ITAUDIT
STRUCTUREGTAG-1ItRiskandControls

April 28, 2019
Probe Questions for CONTROL
Selection
• Do IT / IS policies and IT controls —
exist?
• Role / responsibilities for IT and IT
controls are defined, assigned,?
• Are controls designed and operating
effectively?
• Is the mix of preventive, detective,
and corrective controls effective?
• Do the controls provide evidence
when control parameters are
exceeded or when controls fail?
• How is management alerted to
failures?
• Is evidence retained (e.g., through
an audit trail)?
• Are the IT infrastructure equipment
and tools logically and physically
secured?
• Are access and authentication
control mechanism used?
• Are controls in place to protect the
operating environment and data
from viruses and other malicious
software?
• Are firewall-related controls
implemented?
• Do firewall polices exist?
• Are external and internal
vulnerability assessments completed,
and have risks been identified and
resolved appropriately?
• Are change and configuration
management and quality assurance
processes in place?
• Are structured monitoring and
service measurement processes in
place?
• Have the risks of outsourced services
been taken into consideration? (For
details on this, refer to GTAG 7: IT
Outsourcing.)

April 28, 2019
ROI / UOI / VOU
•Reduce ROI priority
•First review the UOI (Utilization of
Investment)
•Then ensure VOU (Value of Utilization)
•… ROI is assured if these two are in place.
You only have to identify financial values of
the goals / objectives

April 28, 2019
Infrastructure Testing
Servers
Printers
Routers
Workstations
Laptops
If it’s on the network
scan it!
Remote/ Onsite Vulnerability Scans
Secondary
Locations
Branch Offices
Vendors
Warehouses
Shop Floor
Field Offices
Retail Outlets
Tools & Techniques
- Vulnerability Assessment
- Penetration Testing
- Threat Modelling
- Security Maturity Assessment
- Configuration Review
- Hardening

April 28, 2019
IT Audit process - High Level
•Planning
•Assessment /
Testing
•Reporting
•Follow-up
•Communication
•Audit Findings
•Assessment
Results
•Confirmation of
planned actions
•Audit Response
Verification
•Fieldwork
•Evaluation
•Testing
•Internal Control
Questionnaire
•Audit Scope
•Objectives
Planning Assessment
ReportingFollow-up

April 28, 2019
1: Planning
• Kickoff
• Define
Objectives
• Define Scope
• Internal
Controls
• Historical
Incidents
• Past Audits &
Closures
• Site Survey
• Current
Policies, SOP,
Procedures
• Develop Audit
Plan / Checklist
• Questionnaires

April 28, 2019
2: ASSESSMENT / TESTING
• Meet With Functional Team
• What data will be collected
• How/when will it be collected
• Site employee involvement
• Access
• Data Collection
• Based on scope/objectives
• Types of Data
• Physical security
• Interview staff
• Vulnerability assessments
• Access Control assessments

April 28, 2019
3: Reporting
•Exit Meeting – Draft Report
• Questions & answer for site
managers and functional team
• Present & discuss draft report
• Obtain buy-in and acceptance
of findings and report
•Update with feedback…
prepare final report and submit
fpr the board

April 28, 2019
4. Follow-up
•Review of findings i.e. actions
taken to resolve internal audit
findings. They may be tested to
ensure that desired results
were achieved
•Ensure closure of NCs
•Carry out a new scan
(VAPT/AppSec) after closure of
the vulnerabilities, as per
contract

April 28, 2019
• Logs
• Screenshots
• Confirmation messages
• Documents
• Emails
• Minutes of Meetings
• Responses from stakeholders
• Performance / Test Results
• Pictures
• Data and database snapshots
• Observation notes from
walkthroughs etc
Types of
Evidence
for Audit
FindIngs

April 28, 2019
• Which IT assets are at risk and what is the threat
event?
• Value of asset Confidentiality, Integrity, and
Availability?
• Impact and Probability of the risk event?
• If a threat event happened, how bad could its
impact be?
• How often might the event be expected to
occur (frequency of occurrence)?
• How certain are the answers to the first four
questions (uncertainty analysis)?
• What can be done to reduce / manage /
transfer the risk?
• How much will it cost?
• Is the mitigation / remediation cost-efficient?
• Are risks informed to asset owners
IT Risk –
basic risk
assessment

April 28, 2019
IT Risks
Governance Risks
• Lack of commitment from
top management leading to
lack of support
• Lack of security awareness
of people working at the
ground level.
• Complacency of IT security
controls implementation.
• Inadequately defined roles
and responsibilities and lack
of skills
General IT Risks
• The risk of a natural disaster
impacting technology.
• Man-caused disaster
impacting technology.
• Malicious code infection.
• Remote Access, Identity and
Authentication
Management, etc. ...
• Overreliance on security
monitoring software
• Inadequate system logging
• Technology innovations
that outpace security
• Outdated operating systems
• Lack of encryption
• Data on user-owned mobile
devices
• IT “diplomatic immunity”
within your organization
• Challenges recruiting and
retaining qualified IT staff
• Segregation of duties

April 28, 2019
Assessing Risks related to the IT
Environment
• Develop processes to
identify risks.
• Assess risk and rank audit
subjects using IT risk
factors.
• A risk assessment:
• Provides a foundation for
the audit plan;
• Promotes timely audit
reporting on high-risk
conditions;
• Ensures that relevant
information has been
obtained from all
management levels,
including boards of
directors, IT auditors, and
functional area
management;
• Establishes a basis for
managing the audit
department effectively;
and
• Provides a summary of
how the individual audit
subject is related to the
overall organization as
well as to the business
plans.

April 28, 2019
Application risks
• Insecure
development
practices
• Security testing
not done during
dev phase
• Source code
leaked
• Comments and
passwords hard
coded
• Application is not
updated
(patched)
• Logic bomb
dropped by
disgruntled
employee
(changes are
unmanaged)
• Poor
authorization and
authentication
• Insecure
Validation
• Logs not enabled
• Default settings
• Unnecessary
privileges

April 28, 2019
Application Controls
Applications (or software) includes any and
all whether on premises or on cloud (e.g. ERP,
CRM, Intranet, Web Application etc)

April 28, 2019
Application controls are those controls that
pertain to the scope of individual processes or
application systems
This includes data edits, separation of business
functions, balancing of processing totals,
transaction logging, and error reporting, secure
development and operations

April 28, 2019
•Application controls ensure proper coverage
and the confidentiality, integrity, and availability
of the application and its associated data.
•Proper application controls greatly reduce the
risks and threats associated with application
usage because applications are prevented from
executing if they put the network or sensitive
data at risk.

April 28, 2019
Objectives
• Input data is accurate, complete, authorized, and correct
• Data is processed as intended in an acceptable time period
• Output and stored data is accurate and complete
• A record is maintained to track data processing from input to
storage to output
• Cost effective and efficient means to manage risk
• Reliant on the effectiveness on the IT general control
environment
• Approach varies for complex versus non-complex environments

April 28, 2019
Common Application Controls
(GTAG 8)
• Input and access controls
(These controls ensure that all
input transaction data is
accurate, complete, and
authorized.)
• Data checks and validations
• Automated authorization,
approval, and override
• Automated SOD
• File & Data Transmission
Controls (These controls
ensure that internal and
external electronically
transmitted files and
transactions are received
from an identified source and
processed accurately and
completely.)
• File transmission controls
• Data transmission controls
• Processing Controls (These
controls ensure that valid
input data has been
processed accurately and
completely.)
• Automated file identification
and validation
• Automated functionality and
calculations
• Audit trails and overrides
• Data extraction, filtering,
and reporting
• Interface balancing
• Automated functionality and
aging
• Duplicate checks
• Output Controls (These
controls ensure that output is
complete, accurate, and
distributed appropriately.)
• General ledger and sub-
ledger posting
• Update authorization
• Master Files and Standing
Data Controls (These controls
ensure the integrity and
accuracy of master files and
standing data.)
• Update authorization

April 28, 2019
APPLICATION CONTROLS
• Completeness checks – controls
ensure records processing from
initiation to completion
• Validity checks – controls ensure
only valid data is input or
processed
• Identification / Access – controls
ensure unique, irrefutable
identification of all users
• Authentication – controls provide
an application system
authentication mechanism
• Authorization – controls ensure
access to the application system by
approved business users only
• Input controls – controls ensure
data integrity feeds into the
application system from upstream
sources
• Forensic controls – controls ensure
scientifically and mathematically
correct data, based on inputs and
outputs

April 28, 2019
Questioning input controls
• How does the transaction originate?
• How is the transaction authorized (e.g., a manual signature,
electronic signature, screen access authorization, etc.)?
• Who inputs the source data? Are these individuals separate
from those who reconcile the processing results?
• How is the source data added into the application (e.g., batch,
online, etc.)?
• Who has access to the application (input / output/ transaction /
source)
• Is data entry conducted within a short time after the source
document is created?

April 28, 2019
Benefits of Application Controls
• Reliability
• Reduces likelihood of errors due to manual
intervention
• Benchmarking
• Reliance on general controls can lead to concluding
the application controls are effective year to year
without re-testing
• Time and cost savings
• Typically application controls take less time to test and
only require testing once as long as the IT general
controls are effective

April 28, 2019
Application Control Hygiene
• Applications
should be kept in
good hygiene (or
good working
condition)
• This requires that
we take care of
the application
during
• Design
• Development
• Change
• Installation
• Operations
• Maintenance
• In simple terms is
means to take
care of:
• Change
Management
• Security in design
• Secure Coding
• Patch
Management
• Backup
• Versioning
• Documentation
• Logs
• Defaults
• Remote access
• Threat Modelling

April 28, 2019
WRAPUP IT Audits will help to identify
the current state, and, using
risk based methods will be
able to provide an effective
path for mitigation and
remediation. Auditee
organization must enable
continuous improvement as
recommended by the
auditors and most
importantly – remediation /
mitigation measures should
be carried out in the
shortest possible time once
identified.
Application controls are a
cost effective and efficient
means to manage risk
through the process to
build security in. This can be
achieved with practices like
Secure Coding, Access
controls, Patch
Management, Testing and
following industry
standards will help decrease
risks. IA should determine
that application controls are
designed appropriately and
operate effectively

April 28, 2019
RoleofInternal
Auditors
• Knowledge of key IT risks, controls and audit techniques (GTAG 1)
• Where are IT controls applied? Everywhere. IT includes technology components,
processes, people, organization, and architecture, as well as the information itself. Many
IT controls are technical in nature, and IT supplies the tools for many business controls.
• Consultant and advisor providing Independent risk assessment
• Advise on what is to be protected? Level of protection and what are the controls to be
applied.
• Can provide guidance on Risk appetite, tolerance and mandatory regulations as IA has
inside view of the organization.

April 28, 2019
HowMuchOfA
TechieDoYou
NeedToBe
•Knowledge of key IT risks, controls,
audit techniques, events and incidents,
new and upcoming technologies
•Networked with technologists (subject
matter experts)
•Logical and lateral thinker
•Common sense

April 28, 2019
Global Technology Audit Guides
(GTAG)
• GTAG 1: Information Technology
Controls
• GTAG 2: Change and Patch
Management Controls: Critical for
Organizational Success
• GTAG 3: Continuous Auditing:
Implications for Assurance,
Monitoring, and Risk Assessment
• GTAG 4: Management of IT
Auditing
• GTAG 5: Managing and Auditing
Privacy Risks
• GTAG 6: Managing and Auditing IT
Vulnerabilities
• GTAG 7: Information Technology
Outsourcing
• GTAG 8: Auditing Application
Controls
• GTAG 9: Identity and Access
Management
• GTAG 10: Business Continuity
Management
• GTAG 11: Developing the IT Audit
Plan
• GTAG 12: Auditing IT Projects
• GTAG 13: Fraud Prevention and
Detection in an Automated World
• GTAG 14: Auditing User-developed
Applications
• GTAG 15: Information Security
Governance
• GTAG 16: Data Analysis
Technologies
• GTAG 17: Auditing IT Governance
Practice guides who provide detailed guidance for conducting internal audit activities. These guides
are published by the Institute of Internal Auditors (IIA). They include detailed processes and
procedures, such as tools and techniques, programs, and step-by-step approaches, as well as
examples of deliverables.

Basics in IT Audit and Application Control Testing

More Related Content

What's hot

Similar to Basics in IT Audit and Application Control Testing

More from Dinesh O Bareja

Recently uploaded

Basics in IT Audit and Application Control Testing