IS Audit Controls

This topic is related to Information Systems Auditing (IS auditing). Before we jump into understanding the "controls", we must understand the difference between IS and IT.

IS (Information Systems): These are combination of strategic, managerial and operational activities and related processes which are involved in gathering, processing, sorting, distributing and using information and its related technologies.

IT (Information Technology): It is h/w, s/w, communication and other facilities to input, store, process, transmit and output the data in given form.

IS has IT component that interacts with process components.

Coming back to "controls" in auditing, IS Auditors ensure that, appropriate controls are present in an organization to prevent, detect or correct an incident.

Controls: These are nothing but policies, procedures, practices and organizational structure which are implemented to prevent, detect and correct risk events and to reduce the risk to an organization. An audit function or department in an organization reports to audit committee and it further reports to board of directors. Hence, board of directors and senior management are responsible to facilitate an effective and efficient internal control system.

Control objectives: These are statements which describe the desired result or purpose of the activities defined in a control. They provide complete set of high level requirements to be considered by management for effective control of each IT process area. They provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected or corrected.

Typical control objectives are mentioned below which are defined to ensure:

• Assets are safeguarded.
• SDLC processes are established.
• Database integrity, confidentiality and availability is achieved.
• Accuracy and completeness of transactions is achieved.
• Identification and authentication of users of IS resources.
• Compliance with laws and regulations.
• Availability of IT services.
• IS processes and services have clearly defined SLAs.

Control Matrix: An IS auditor assesses the strength and weaknesses of existing controls and determine if they are useful to meet control objectives. For that, a "control matrix" is used by auditors. Known type of errors are placed on top axis and known controls are placed on side axis. Then using "ranking methods", the matrix is filled with appropriate measurements. When completed, the matrix shows the areas where the controls are weak or lacking.

Overlapping and compensating controls:

In some instances, a strong control may compensate for a weak control. If there are two overlapping controls, then both are considered as strong. A group of controls aggregated together may act as a compensating control.

Example of overlapping control is when an employee required a card to swipe at data center entry and security guard also checks the card from employees.

Example of compensating control is when there is a secondary signature required to authorize critical or sensitive transactions passed by one person with his signature.

Compensating/mitigating controls may exist to mitigate the risks resulting from a lack of appropriate segregation of duties (SoD). These controls include audit trails, reconciliation, supervisory reviews and transaction logs. In other words we can say that, due to the nature of the business, and for efficiency, the same user performs both tasks. To prevent fraud, oversight is required. So, we need a compensating control – for example, we may specify that a second user must perform a reconciliation, reviewing the cash against the recorded transactions.

Here it is important to note that, more than one controls may satisfy one control objective.

General Controls:

Some general controls can be listed as below:

• Internal auditing controls
• Operational controls
• Administrative controls
• Defining organizational security policies and procedures
• Physical and logical security
• Procedures for safeguarding assets and facilities.

IS specific controls:

Each general control can be translated to IS specific control. Before we could see few examples of IS specific controls, we must learn the three categories of IS controls.

They are:

1. Preventive Controls: These detect the problems before they arise and attempt to predict potential problems and make adjustments to prevent them from occurring.
2. Detective Controls: These controls detect and report the occurrence of an error, omission or malicious act.
3. Corrective Controls: These controls ensure that they minimize the impact of threat, identify cause of problem and correct errors from a problem and modifies the processing systems to minimize future occurrence of the problem.

Examples of preventive controls:

• SoD (Segregation of duties) to avoid misuse of system: SoD involves breaking down tasks that might reasonably be completed by a single individual into multiple tasks so that no one person is solely in control.
• Controlling access to physical facilities
• Suitable procedures for authorization of transactions such as recording (initiate, submit, process), approving (pre-approval, post entry review), and reconciling. Reconciliation is the process of comparing transactions and activity to supporting documentation. Further, reconciliation involves resolving any discrepancies that may have been discovered.
• Using an access control software which prevents unauthorized personnel to access sensitive and confidential information.
• Use of encryption to prevent unauthorized disclosure of data.

Examples of detective controls:

• Hash totals: A hash total is the numerical sum of one or more fields in a file, including data not normally used in calculations, such as account number. The original hash total is stored, and when required, the data are recalculated and compared with the original. If data are lost or changed, a mismatch signals an error.
• Check points in production jobs: Checkpoints validate that the manufacturing process is functioning as intended. They provide an opportunity to assess the efficiency of each step and identify any potential issues that might arise in subsequent stages.
• Echo controls in telecommunications: It is the local display of data, either initially as it is locally sourced and sent, or finally as a copy of it is received back from a remote destination.
• Duplicate checking of calculations
• Past-due account reports
• Review of activity logs to detect unauthorized access attempts
• Software quality assurance

Examples of corrective controls:

• BCP and DRP
• Backup procedures
• System fix SLAs
• Additional employee training
• Timely adjustments and reassessment of duties of key personnel
• Credit card company blocking your credit card if they detect fraud
• Insurance
• Revised policies and procedures