Computer audit FAQ

Inadequate information security (e.g. missing or out of date antivirus controls)

Inefficient use of corporate resources, or poor governance (e.g. spending large on unnecessary IT projects)

Ineffective IT strategies, policies and practices (including a lack of policies etc.)

Independent - the auditors should not be directly involved with the operations or management of a function being audited. They should report to a separate line of management and be free to state the facts of a situation and their honest opinions without fear of recrimination from those in the subject area. Just as importantly, independence is also a state of mind i.e. freethinking, able to consider situations objectively. Switzerland has the right idea. Some judicial systems come close.

Examination - auditing involved the gathering and assessment of factual information from various sources. It is important that the formal outputs of the auditing process (primarily audit reports containing recommendations for control improvements) are traceable to valid information sources.

Records and other information, including what are often called “audit records”. Auditors need to refer to information regarding the business processes and systems under review (such as completed data-entry forms, system-generated reports and, of course, the people involved in doing or managing the relevant business processes). IT auditors often use data analysis tools to examine computer records. Furthermore, all auditors normally interview staff in the business areas under review and may use other observational techniques to examine business processes in action.

Opinion - auditors provide both objective facts and subjective opinions on a given situation. Although subjective, their opinions are based on an interpretation of the facts and are open to legitimate challenge. You don’t have to agree with us but if you do, you’d better be ready for a ‘full and frank discussion’.

Integrity - literally means completeness, accuracy and trustworthiness. A control system which is only partially effective may be better than nothing, or it may give a false sense of security: either way, the auditor will probably not be impressed.

System of controls - different types of control operate at many levels. IT auditors work with technical controls built-in to the computer systems, of course, but also procedural controls (operations procedures etc.), legal controls (software licenses etc.), Human Resources controls (employment contracts etc.) etc. These controls may be preventive (‘You can’t do that’), detective (‘I know exactly what you did and I’m really not happy about it’) or corrective in nature (‘Sort that mess out and don’t ever do it again’).

Recommend - auditors generate “audit recommendations” but have neither the authority to implement suggested changes nor can we force management to do so. We achieve improvements mostly by a process of explanation, justification and persuasion, explaining the risks represented by control weaknesses, justifying the need to change systems and/or processes, and persuading management to apply the necessary resources and direction in order to address the risks. As a last resort, audit’s big stick comes out i.e. political clout.

Control improvements - improving the system of controls generally means adding necessary controls that were missing. In rare cases, auditors may recommend removing controls, generally because they are ineffective, disruptive or wasteful.

Limit - risks, like fraudulent politicians, spam emails and bugs, can be reduced but not totally eliminated. Good business involves minimising risks cost-effectively, and being prepared for the worst if things go wrong (contingency planning).

Risk – is the chance that something might go horribly wrong. Formally, risk is the chance combination of threats (usually caused by someone with malicious intent, sometimes just due to carelessness or incompetence), acting on vulnerabilities (weaknesses in ‘the system’, typically due to a lack of controls in many computer systems and operating procedures) to cause impacts (adverse outcomes i.e. financial, human and political fallout when the brown stuff hits the fan).

Discover what’s really going on at a point in time

Find out about potential problems, hopefully before it’s too late to fix them

Evaluate business situations objectively

Face up to the truth and make informed, if difficult decisions

Implement corrective actions, changes and improvements where needed

Do what they really wanted to do all along but didn’t have the nerve to carry off (provided, that is, the auditors agree)

Sleep more soundly, in the end

National standards bodies such as BSI, ANSI and NIST issue lots of carefully-considered guidance on information security and other areas that could be considered Best Practice, at least within the specific scope of their intended applications

Professional bodies such as (ISC)², SANS, ISSA, ISF and ISACA also promote best information security practices in an international arena. The CISSP CBK (Common Body of Knowledge), COBIT, the Information Security Forum’s Standard of Good Practice in Information Security Management and GAISP/GASSP (Generally Accepted Information/Systems Security Practices) are all examples of generally agreed standards of Best Practice, though whether an individual agrees with any or all of them is a moot point

Some industry bodies define their own generic information security related standards too e.g. SAS 70 and PCI DSS for financial services

Governments and legislatures define standards in the forms of laws and regulations e.g. for electronic signatures, copyright, privacy & governance. Some of these are really mandatory (comply or go to prison), most are highly recommended (comply or risk going to prison), and some are advisory (comply or risk spending a fortune on lawyers defending your position)

Some companies set and promote their own best practice standards

Consultancies such as KPMG, PwC, E&Y etc. typically have their own interpretations of security standards but are increasingly using ISO/IEC 27002 and the like as the benchmarks, and fall back on professional auditing standards defined by ISACA, the IIA and the audit/accountancy trade bodies and regulators such as the PCAOB

Information security professionals (CISSPs, CISMs and others) typically bring with them their own individual sets of ‘accepted good practice’ based on their professional experiences which, in many happy cases, coincide with generally accepted best practice. This is in the nature of a skilled craft - the craftsman brings his own unique mix of skills, competencies, attributes and experience to each job, and is well placed to select and adapt generic standards to the task at hand. However, beware the advice of recent college graduates without Real World Experience, some of whom scored higher on theory than common sense.

Scoping and pre-audit survey - the auditors determine the main area/s of focus and any areas that are explicitly out-of-scope, based normally on some form of risk-based assessment. Information sources at this stage include background reading and web browsing, previous audit reports and, sometimes, subjective impressions that deserve further investigation.

Planning and preparation - during which the scope is broken down into greater levels of detail, usually involving the generation of an audit workplan or risk-control-matrix (don’t be fooled, it’s only a checklist with a bunch of interesting questions, space to scribble some notes and some other impressive-looking columns).

Fieldwork - gathering evidence by interviewing staff and managers, reviewing documents, printouts and data, observing processes etc. This step may include the use of Computer Aided Audit Techniques (CAATs) - more info below.

Analysis - this step involves desperately sorting out, reviewing and trying to make sense of all that evidence gathered earlier. SWOT (Strengths, Weaknesses, Opportunities, Treats) or PEST (Political, Economic, Social, Technological) techniques may come in handy.

Reporting - desperately reviewing and trying to make sense of the analysis, then writing it up, re-writing it, re-re-writing it ... circulating it within the department for peer review, modifying it again, then circulating or presenting it to clients and client managers to have their say, and finally issuing it. [I bet this was a challenging process when the US Department of Health and Human Services (HHS) was audited by the Government Accountability Office (GAO), judging by the HHS comments after the report was published: “The frequent use of the word ‘significant’ to describe control weaknesses documented throughout this GAO assessment evokes a negative connotation that is not reflective of the progress or current state of HHS’ information security program,” according to the HHS response.”].

Closure - in addition to sorting out the mess somewhat mistakenly called ‘indexing and cross-referencing’ and literally shutting the audit files, closure involves preparing notes for future audits and chasing-up management to complete the actions they promised months earlier. Neither the best nor the worst organizations do audit follow-ups, in both cases because there is literally no point. Most organizations however do need to ‘close the loop’ (as in ‘form the noose’). Sometimes, there really are valid reasons why previously-agreed actions are not undertaken (one of the most common excuses being “Things have moved on”). Sometimes a quiet word in the CEO’s ear about the consequences (in terms of share price, career progression or jail sentence) if certain governance issues are not promptly resolved can work wonders. At the end of the day, Management not Audit carry the can (except perhaps for Arthur Anderson LLP as a result of the Enron debacle).

“First of all, I’d suggest that the best way to start is to conduct some form of risk assessment as a starting point to your audit/review (it’s only an audit if you are truly independent of the area under review). You can use a formal risk assessment method (there’s plenty to choose from) but personally I prefer simply to think carefully and separately about the threats (generally the people, things or situations that could potentially cause loss), vulnerabilities (any weaknesses in the system of controls that might be exploited by threats) and impacts (what would be the [worst case] effects if some of those threats actually materialized and hit some of your vulnerabilities?). An interesting way to do this in practice is to brainstorm, perhaps with a colleague who understands the situation you are reviewing, someone who knows about risk and control (an experienced auditor or information security/risk manager, maybe a consultant), and ideally someone representing the business/IT owner(s) of the system under review (this person will probably end up being your main ‘client’ contact on the audit, and they will understand what’s driving you to ask lots of awkward questions later on). You can safely ignore the ‘low’ threats, vulnerabilities and impacts, and you can probably set aside the ‘mediums’ too for now. You should definitely prioritize the ‘highs’ for obvious reasons (as all hippies know). These are the things that would keep you, the system owners, the CEO and the shareholders (if only they knew!) awake at night. They are the main areas of concern that you will need to explore in the actual audit fieldwork.

Next, I like to develop some reasonably realistic, business-oriented scenarios in which the high risks could come to pass. These help me think-through the risks and are helpful if, later on, people start pushing back when I’m asking those awkward questions.

Next, develop your ‘audit checklist’, mind-map or whatever you use to map out the things you want to check, the issues that concern you, and the boundaries of your audit. This is an important step, drawing on the control objectives and specific controls that you are going to go looking for.

After all that preparation, the actual audit work is quite straightforward! It’s time to gather your evidence, ask questions, take copious notes, explore the threats/vulnerabilities/impacts, check the controls, challenge things that seem suspect, ask more questions, look for evidence that the controls are actually working or not, think hard and ask the really awkward/tough questions that nobody wants to answer, and generally probe around, following your nose until the time is up.

The hardest bit of all involves taking all the information from the previous steps into account, thinking it over, checking the details and making sense of it in your head, then developing rational arguments for why Something Must Be Done. This is the primary output of the audit - the impetus for change.

The last bits are to prepare a draft report, decide on some recommended changes, discuss/negotiate these with the client, update the report and finally present and ‘issue’ the report. Easy peasy ... OK not really, but not too hard if the previous steps have been done thoroughly. You should be in a strong position to argue your point, but even now you sometimes need to be prepared to concede weaker points in order to push through your main points, and always be prepared to go back and ‘take another look’ if someone insists you have got a fundamental point or finding wrong.

And if that’s all too much, find yourself a real IT auditor but stick to them the way non-stick paint sticks on a frying pan so, next time, maybe you’ll have the nerve to fly solo.

The remit of the Department (for Internal Audit) or the contract (External Audit) in relation to other review and control functions (e.g. information security, risk management, legal)

Audit resources i.e. the number of IT auditors, other auditors and their managers, plus the breadth and depth of their experience in IT audit (e.g. in some departments, IT-skilled business auditors cover a lot of areas that would be left to IT auditors elsewhere)

Scope of the individual IT audit assignments

The audit plan for the period - usually documents the high-risk topics the auditors are likely to cover

State of relations with client functions. Whereas some departments refer to formal definitions, ‘audit friendly’ folk tend to be more chilled-out to the extent that auditors may even occasionally be called upon to perform conventional (internal) consultancy rôles.

Operational computer systems (servers, workstations), networks (LANs, WANs) and data

Computer systems under development and/or being tested or implemented

The IT Department whether central or distributed and their relationship with management, user departments, end-users, support/admin functions (e.g. Human Resources, Legal), customers, suppliers, partners, regulators etc.

Operational computer system/network audits: review the controls within and surrounding operational computer systems and networks, at various levels e.g. network, operating system, layered software, application software, databases, logical/procedural controls, preventive/detective/corrective controls, crypto, logging ...

IT installation audits: take a look at the computer building, suite, room or cupboard, including aspects such as physical security (walls, CCTV, locks, guards, barbed wire, visitor procedures ...), environmental controls (fire and flood protection, power supply, hair conditioning), computer and network operations processes and management systems, oh and the IT equipment itself.

Developing systems audits: typically cover either or both of two aspects: (1) project/programme management controls (often, the auditor is the only person with the knowledge, experience and balls nerve to point out that the average project manager’s progress reporting is “somewhat optimistic” at best); and (2) the specification, development, testing, implementation and operation of technical and procedural controls, including classical technical information security controls and the related business process controls such as divisions of responsibility.

IT management audits: review the organization, structure, strategy, work planning, resource planning, budgeting, cost controls etc. and, where applicable, relationships with outsourced IT providers (in some cases, these aspects may be audited by operations and financial auditors, leaving the IT auditors to the more technological aspects).

IT process audits: review processes which take place within IT such as application development, testing, implementation, operations, maintenance, housekeeping (backups, preventive maintenance etc.), support, incident handling.

Change management audits: review the planning and control of changes to systems, networks, applications, processes, facilities etc., including configuration management, control over the promotion of code from development through testing to production, and the management of changes to the organisation as a result of ICT.

Information security & control audits: review controls relating to confidentiality, integrity and availability of systems and data.

IT legal compliance audits: review legal and regulatory aspects of IT systems (e.g. software copyright compliance, protection of personal data).

Disaster contingency/business continuity planning/disaster recovery audits: review arrangements to restore some semblance of normality after a disaster affecting the IT systems, and perhaps assess the organisation’s approach to risk management.

IT strategy audits: review various aspects of IT strategy, vision and plans, including their relationship to other strategies, visions and plans, or not as the case may be.

“Special investigations”: this is audit-speak for contingency and other un-pre-planned/hush-hush work such as investigating suspected frauds or information security breaches, performing due diligence review of IT assets for mergers and acquisitions etc. Oh and Christmas parties.

What were the top 10% of transactions by value last March?

How many changes were made to the customer details file during the previous year?

Are there any out-of-range or unusual data values in column 4, or any suspicious data patterns?

Are any of our suppliers also employees?

Who will win the Americas Cup? [worth asking perhaps but can you trust the answer?]

Reviewing business cases to see if they hold water and conform to corporate investment policies and 'risk appetite', and ideally checking that they are updated to reflect inevitable changes in the lifetime of the project (see ISACA’s ValIT or read John Thorpe’s wonderful book The Information Paradox for the reasons why this is so important)

Reviewing project management controls through attending the Project Control Group as a “nonvoting observer”, reviewing project plans & progress reported, reviewing project risk and quality management processes etc. (including periodic or phase-end audits)

Mentoring project managers, user management, project team members, sponsors, users, testers etc. - whether that’s a shoulder to cry on or a quiet word in your ear

Reviewing risk assessments, system security designs etc. from audit’s governance and control specialist point of view

Contributing to system designs, acting as specialist advisors to assist management in specifying “audit trails”, “anti-fraud controls”, “divisions of responsibility”, “accountability”, “rôles and responsibilities” and various other arcane aspects of governance, risk, security and control - the stuff we do

Hands-on testing of key system controls (technical and procedural - please don’t tell me the user training and sysadmin docs will be finished “later”, do them first or failing that now!)

Reviewing implementation processes and process or quality assurance controls (e.g. have sensible plans been prepared to “cleanse” malodorous data from the old system? Have new users, sysadmins and support people received appropriate puppy training? Have new users, sysadmins and support people been assigned to suitable rôles with appropriate access rights? Has “enough” testing been done? Are all approvals complete i.e. have appropriate people been involved in testing and signing-off the system? Is there clear accountability just in case the new system should happen to fall off the Web in a smouldering heap on day 1?)

Facilitating post-implementation review meetings to tease out the lessons learnt for future reference (often resulting in new entries in the Audit Director’s little black book)

Reports from the former type of audit function are not ends in themselves, but are means of persuading management to make improvements. They are typically the basis for an open discussion with management. So long as management eventually accepts the report and makes improvements, the aim is met. The final report plus management feedback (typically an agreed action plan naming responsible parties and with deadlines) should be sufficient record, although it is normal to retain other key audit evidence, working papers, risk assessments etc. for future work in the same area. The relationship between auditor and auditee/management is based on trust - management are responsible for enacting the recommendations as they see fit, audit merely advises and provides the motivation to act. Audit anticipates action even on items that were not reported formally, including less material points and issues which they believe to be true but were perhaps unable to prove.

Reports from the latter tend to be more formalized. They are the formal statements from audit which management had better act on, or else! In some cases, they are a matter of public record. The final issued report, plus the key evidence, plus the discussion on drafts - all are important elements of this formal style of auditing, and will probably be required if there is an ‘inquest’ later (whether The Person In Charge demands an inquiry into the debacle, or someone’s decomposing remains are discovered). The audit-auditee relationship is based on distrust - audit has to report formally in order to get management to act at all, and expects that anything not stated formally in the final issued report will probably not happen. Unfortunate but essentially true.

First is to define the audit such as the scope (what risks you want examining, depth and breadth of coverage, any constraints, any especially ‘interesting’ elements that need a really good poke around, number or percentage of locations/systems/networks/users to be reviewed and what they are to be reviewed against e.g. good practice information security management such as ISO/IEC 27002 or relevant legislation) and reporting (how and when is the assignment to be reported, and to what level of detail e.g. executive summary, management report, recommendations, structured audit files with evidence ... ?) [This information would of course still be needed if the audit was run by in-house employees]

Secondly, what type of auditor are you looking for? What qualifications and experience (e.g. CISA, CISSP, relevant industry and management experience - there’s more information in the next section of this FAQ)? What are the personal characteristics that would suit the job, or conversely would not be suitable? What kind of person would you personally like to work with? Are you looking for a consultative or confrontational approach? How important is personal hygiene to you?

Thirdly, how will the assignment be managed? How would you like to relate to/manage/deal with the consultant(s)? Do you want them to take the lead, drive the job, report the findings, generate an agreed management action plan etc. or do you purely want someone to do the fieldwork to your specifications and guidance? Or something else? Are you thinking about someone to organise and coordinate/manage a team of auditors, a whole team, or someone to work alone? Do you want a weekly update, monthly reporting, or what? This is an important section of the ITT, often neglected. If you get this section right, your relationship with the consultant/s should be much less stressful all round (the same applies to the consultant/s).

ABCP, CBCP & MBCP: Associate, Certified & Master Business Continuity Professional certifications from DRII, the Disaster Recovery Institute International

BSc, MSc, PhD and similar academic qualifications in information security and/or IT auditing from eminent institutions such as Royal Holloway, University of Houston, University of Nebraska, University of Texas, Norwich University (of Northfield, Vermont, not Norwich Business School at the University of East Anglia in Norwich, England), DePaul University, Colorado Technical University, Capella University and James Madison University. Accused by those with their ears too close together of being “too academic”, courses like these give students the conceptual framework, depth of understanding and confidence to tackle any infosec topic, including the most technical issues, provided they are still prepared to put in the time and effort to gain real-world experience and dry behind their ears

CCE: Certified Computer Examiner (and upcoming Master CCE) from the International Society of Forensic Computer Examiners - for forensic IT specialists

CCIE, CCSP, CCNP, CCIP, CCDP etc. are Cisco’s no-bones vendor-specific certifications

CCO - Certified Confidentiality Officer from BECCA, the Business Espionage, Controls and Countermeasures Association

CCSA, CCSE, CCSE Plus, CCMSE, CCMSE Plus VSX, CCSPA: are Check Point’s no-bones vendor-specific certifications (CCSA shares the same acronym as the IIA’s Certified Control Self Assessor qualification - there’s more info in the next section)

CEH: Certified Ethical Hacker, CHFI Computer Hacking Forensic Investigator, LPT Licensed Penetration Tester and ECSA EC-Council Certified Security Analyst, all from “EC Council” which is the self-styled International Council of E-Commerce Consultants and promoter of Defcons, not some obscure body of the European Commission

CFE: Certified Fraud Examiner from ACFE, the Association of Certified Fraud Examiners

CISA: Certified Information Systems Auditor (here’s an independent view of CISA which is also a well-established qualification from a well-respected professional body, probably the most widely trusted IT audit certification) and CISM Certified Information Security Manager (a newer certification, broadly similar to CISSP but with more emphasis on management judgment and experience on information security management matters), both from ISACA whose focus has shifted from IT audit to IT governance [Note: if you are registering for CISA or CISM or seeking study materials, beware lookalike phishing sites: register directly with ISACA.org. Similar advice applies to other similar situations, similarly.]

EnCE - Encase Certified Examiner vendor-specific certification by Guidance Software, supplier of Encase the industry standard forensics software

GIAC: Global Information Assurance Certification by SANS - includes a general information security course plus specialisations (“G7799” is the GIAC ISO/IEC 17799 [now ISO/IEC 27002] specialism, for example). GIAC originally involved a practical element to the assessment but unfortunately it was dropped like a clanger

ISSPCS - the International Systems Security Professional Certification Scheme from the International Systems Security Engineering Association (ISSEA)

MCSE:security and MCSA:security - Microsoft Certified Systems Engineer and Administrator certifications with security specialism from Microsoft

PCI & CPP: Professional Certified Investigator and Certified Protection Professional from ASIS International

PCIP: Professional in Critical Infrastructure Protection is a certification from the Critical Infrastructure Institute, covering the design, maintenance and management of security architectures for critical infrastructure, SCADA and other high-availability environments, apparently

Security+: a basic entry-level information security qualification from CompTIA, the Computing Technology Industry Association - a good place to start if you have minimal prior knowledge in this area

SPS: Symantec Product Specialist, STA Symantec Technology Architect, SCSE Symantec Certified Security Engineer and SCSP Symantec Certified Security Practitioner claim to include “vendor neutral” (i.e. non-Symantec) elements

SSCP: Systems Security Certified Practitioner (aimed at practioners/professionals with a focus on information security implementation i.e. those people that enforce the information security policies, processes and procedures on a daily basis; requires 1 year’s work experience; said to be ideal for those working toward or who have already attained positions as Senior Network Security Engineers, Senior Security Systems Analysts or Senior Security Administrators) and CISSP Certified Information Systems Security Professional (the world leading qualification in information security; scope a mile wide but an inch deep; requires 4 years’ work experience), plus ISSAP, ISSEP, ISSMP and ISSJP (Information Systems Security Architecture/Engineering/Management/Japan Professional specialisations; an inch wide and a mile deep in each case; only available to those who already hold CISSP, with SSCP concentrations evidently under development), and CAP Certification and Accreditation Professional - all of these from (ISC)², the International Information Systems Security Certification Consortium that exists purely to certify infosec professionals, not for profit you understand

TICSA and TICSE: TruSecure’s ICSA Certified Security Associate/Expert program. Although TruSecure runs the program, it is said to be vendor-n

Frequently Avoided Questions
about IT auditing

Clickable contents

Introduction

All about IT auditing

What is IT auditing all about?

What do IT auditors actually do?

Also known as ...

OK, so what is auditing then?

What’s so interesting about risk and control?

Isn’t it really just accounting?

Is it anything to do with counting PCs?

What do IT auditors audit against?

Auditing is just compliance testing, right?

How does IT audit fit with governance, risk management and information security?

How is an IT audit performed?

“How do they do that”?

How long does an audit take?

What questions should an auditor ask?

What is the scope of IT audit?

What is the difference between Internal and External (IT) audit?

What are the main types of IT audit?

Computer Aided Audit Techniques CAATs

Why don’t the auditors stop IT development projects going off-the-rails?

Aren’t IT auditors meant to stop (IT) frauds?

Who audits the auditors?

Do IT auditors give technical support to the rest of audit?

What happens to the audit evidence?

How should I find a consultant IT auditor?

How should I word an Invitation To Treat (ITT)?

Who should I “Invite To Tender”?

How should I select from the proposals?

OK, what next?

I think I want to become an IT auditor

How should I start?

I am already an auditor – can I become an IT auditor?

What qualifications do I need?

Frequently Avoided Questionsabout IT auditing