What to Audit & Why
Derek J. Oliver
Ravenswood Consultants Ltd
Why me?
Derek J. Oliver
- 20+ years in IS Audit & Security
- Former Head of UK Internal Audit, FDC
- Certified Information Systems Auditor
- Certified Information Security Manager
- Certified Fraud Examiner
- Fellow of the British Computer Society
- Fellow of the Institution of Analysts & Programmers
- Past President, ISACA, London Chapter
Programme
- The Failsafe Approach: essential audits (“Nobody ever got the sack . . .”)
- The Real Life Approach: risk-based auditing
  - What could go wrong?
  - Would it matter if it did?
  - What can we do about it?
WHO CARES?
The Failsafe Approach
Nobody ever got the sack for scheduling these audits
The Annual Audit Plan #1
Transaction Processing
- Trace key transactions through the process, from document receipt to final print
- Input Controls: validation; credibility etc.
- Processing Controls: run-to-run totals; checkpointing etc.
- Output Controls: system balancing; report distribution etc.
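As an added illustration of the input, processing and output controls this slide lists (example code written for this transcript, not the presenter's material), the batch balancing routine below checks a batch of invoice records at each stage. The records, the control totals in the batch header and the faults it is run against are all constructed for the example.

```python
"""Added example: input, processing and output controls over one batch.
Every record, total and fault below is constructed for illustration."""
from decimal import Decimal

# Constructed input batch (the document-receipt stage). The header carries the
# control totals keyed from the source documents before processing starts.
BATCH_HEADER = {"record_count": 4, "hash_total": Decimal("1325.50")}
BATCH_RECORDS = [
    {"ref": "INV-1001", "amount": Decimal("250.00")},
    {"ref": "INV-1002", "amount": Decimal("475.50")},
    {"ref": "INV-1003", "amount": Decimal("100.00")},
    {"ref": "INV-1004", "amount": Decimal("500.00")},
]


def input_controls(header, records):
    """Validation and credibility checks before anything is posted.
    Returns a list of findings; an empty list means the batch balances."""
    findings = []
    if len(records) != header["record_count"]:
        findings.append(f"record count {len(records)} != header {header['record_count']}")
    total = sum((r["amount"] for r in records), Decimal("0"))
    if total != header["hash_total"]:
        findings.append(f"hash total {total} != header {header['hash_total']}")
    for r in records:
        if r["amount"] <= 0:  # credibility: a zero or negative invoice is suspect
            findings.append(f"{r['ref']}: non-credible amount {r['amount']}")
        if not r["ref"].startswith("INV-"):
            findings.append(f"{r['ref']}: malformed reference")
    return findings


def process(records, opening_balance):
    """Processing stage: post each record and carry a run-to-run total.
    Returns (closing_balance, posted) where posted is the output file."""
    balance = opening_balance
    posted = []
    for r in records:
        balance += r["amount"]
        posted.append({**r, "running_total": balance})
    return balance, posted


def output_controls(opening_balance, header, closing_balance, posted):
    """System balancing: opening balance plus the input control total must
    equal the closing balance, and every input record must reach the output."""
    findings = []
    expected = opening_balance + header["hash_total"]
    if closing_balance != expected:
        findings.append(f"run-to-run: closing {closing_balance} != expected {expected}")
    if len(posted) != header["record_count"]:
        findings.append(f"output count {len(posted)} != header {header['record_count']}")
    return findings


def run_batch(header, records, opening_balance=Decimal("0"), processor=process):
    """Drive the three control stages; returns all findings (empty = clean run).
    `processor` is injectable so a faulty processing step can be demonstrated."""
    findings = input_controls(header, records)
    if findings:
        return findings  # reject at input; nothing is posted
    closing, posted = processor(records, opening_balance)
    return output_controls(opening_balance, header, closing, posted)


if __name__ == "__main__":
    print("clean batch:", run_batch(BATCH_HEADER, BATCH_RECORDS))
    print("dropped record:", run_batch(BATCH_HEADER, BATCH_RECORDS[:-1]))
    tampered = [dict(r) for r in BATCH_RECORDS]
    tampered[1]["amount"] = Decimal("457.50")  # count unchanged, total altered
    print("altered amount:", run_batch(BATCH_HEADER, tampered))
```

The point an auditor tests for is visible in the last two runs: a record count alone misses an altered amount, while the hash total catches both a dropped and an altered record, and the run-to-run check at output catches a processing step that silently loses a record after the input passed.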
The Annual Audit Plan #2
Logical Security
- Access Control
- Hierarchic restrictions
- Access to Source Code
- Access to Production Systems
- Access to Operating Systems
- Access to Utilities
The Annual Audit Plan #3
Change Management
- Access to Source Code
- Development Libraries
- Testing
- Quality Assurance
- Transfer to Production
- Implementation Control
- Division of Duties
The Annual Audit Plan #4
Physical Security
Justification
#1: Is the computer system working? Are all the controls working?
#2: Is essential data secure? Are programs secure?
#3: Can unknown changes be made to programs? Are all changes properly tested & authorized?
#4: Can strangers or unauthorised people disrupt your systems?
But this only needs to be done once, because systems cannot change themselves
But what if confidentiality is not a business risk in your organization?
Do you need sophisticated change management?
Probably a likely annual audit, but how do you know what’s important to your business?
Risk Based Audit Planning!
The “Real Life” Approach
Risk Based Auditing, or
Meeting the Business Needs!
The Risk-Based Approach
MUST address BUSINESS risk. No other risk is relevant.
For every audit, you should ask: “How will this audit help my company to achieve its stated business objectives?”
If you can’t answer this, then . . . .
Why are you conducting the audit?
Why did the Auditor cross the road ?
It’s the old, old question . . . . .
Because according to the audit file, that’s what they did three years ago!
Why is RISK important ?
Business must take risks!
Business must live with risks!
Business must understand risks!
Business must control risks!
BUSINESS !
How can RISK be identified ?
Work backwards . . . . . . What could happen to the business?
- Fail to comply with legislation
- Lose business to competitors
- Lose customer / public confidence
How could it happen?
Are there controls to prevent it happening?
Are there controls to minimise the effect?
What do we need to know?
Core Businesses and Critical Support Units
An inventory of Core Businesses should be made
- Has this been done?
- What are they?
- Why are they core?
When these have been established then we can further analyze the situation.
Core Businesses and Critical Support Units
What constitutes a core business operation for an organization?
a. Revenue
b. Net income
c. Cash flow
Core Businesses and Critical Support Units
What constitutes a critical business unit within core business? What criteria would you use? Would you make any classifications by type?
- Productive Operations
- Support Operations
How would you define them?
- Function
- Product line
- Department
Core Businesses and Critical Support Units
What is the importance of making these determinations?
What critical computer application systems support these operations or departments?
What is the importance of knowing this? Are they in a state of transition?
Why analyse RISK ?
Enable risks to be compared, using a standard approach!
Enable risks to be addressed by an appropriate parameter:
- By the most serious effect
- By the easiest / cheapest / quickest to control
- According to business objectives / strategy
Enable a business decision on Risk strategy
What is RISK Strategy ?
Linking Risk to Business Objectives
Balancing cost of control against potential loss, e.g. Disaster Recovery:
Managing & Controlling RISK
1. Identify the THREATS
2. Assess the level of RISK
3. Establish the EXPOSURE
4. Design & Implement CONTROL
Managing Risk
PREVENTION : Remove the THREAT
DETERRENCE : Minimise the RISK
DETECTION : Minimise the EXPOSURE
Managing Risk ?
Nothing new:
Consider the Caveman . . . ?
Not forgetting the Merchant Navy . . . . !
What about the Romans . . . !
Preventive Control
Early Man feared attack from animals so lived in a cave; most armies fought with the protection of armour.
We may identify confidentiality as a risk so implement strict logical access control
Deterrent Control
The Romans feared insurgence so maintained a big, well-trained army
We may identify information theft as a risk so log all user online activity
Detective Control
Ships were sinking through being overloaded so the Plimsoll Line was introduced
We may identify fraud as a risk and implement balancing controls & management checks
Risk - Summary
RISK must be Managed
RISK must be Controlled
RISK must be Understood
CONTROL must reflect BUSINESS needs
CONTROL must be appropriate
CONTROL must be reasonable
So, the WHY is likely to be
What represents RISK to the BUSINESS?
- Losing Money: theft, fraud
- Losing Market Share
- Losing Customers
- Losing out to Competition
- Failing to achieve objectives
- Failing to achieve growth
That’s the why, but HOW
Loss of Money:
- Poor management controls = opportunity?
- Poor logical security = fraud? abuse?
- Poor physical security = theft? vandalism?
- Incorrect data processing = disappearing money?
- Late or over budget projects = disappearing money!!!
Loss of Information:
- Poor logical security = espionage? legislation?
- Poor management controls = legislation?
- Poor physical security = errors? fraud?
- Poor availability = lost or corrupted data?
Resulting in . . . apart from the obvious
Lost money = lost cash flow = poor performance = lost market share = shareholder concern
Released data = public humiliation = lost confidence = lost market share = shareholder concern
Lost/bad data = lost business = lost money = lost market share = shareholder concern
Then, to get to the audit plan
WHERE can this go wrong?
- Logical Security
- Physical Security
- Transaction Control
- Change Management & QA
- Project Management
- Disruption
Which gives us our Annual Audit Plan . . .
1. Transaction Processing Management
2. Logical Security
3. Change Management
4. Physical Security
5. Project Management & QA
6. Disaster Recovery Planning
So let’s start to reach the conclusion
The Audit Plan must be based on:
- ‘What could go wrong?’
- ‘What would be the effect if it did?’
- ‘How could it happen?’
- ‘Can we prevent it by removing the risk?’
- ‘Can we minimise the effect by control?’
- ‘What risk are we living with?’
And of course, we now have
Is about Risk Management:
- Identify the inherent risk
- Quantify the risk
- Control the risk
- Assess the residual risk
- Evaluate controls
- Regularly assess & report residual risk
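The risk-management sequence above, together with the earlier slides on comparing risks by a standard approach and balancing cost of control against potential loss, is shown below as a small risk-based audit planner in Python. This is an added example written for this transcript, not the presenter's method: the six audit areas are the deck's own, but every likelihood, impact, control-effectiveness and cost figure, and the risk appetite, are constructed values, and the scoring scales are assumptions.

```python
"""Added example: rank audit areas by inherent and residual risk, flag those
above a risk appetite, and compare controls by risk removed per unit cost.
Scales, scores and costs are constructed; the audit areas come from the deck."""
from dataclasses import dataclass


@dataclass
class RiskItem:
    area: str              # audit area from the deck's annual plan
    threat: str            # "what could go wrong", in business terms
    likelihood: int        # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int            # 1 (negligible) .. 5 (severe); constructed scale
    control_effect: float  # 0.0 (no control) .. 1.0 (fully mitigated); assumed
    control_cost: int      # annual cost of the control, constructed units

    def inherent(self) -> int:
        # Risk before any control: how likely, times how much it would matter
        return self.likelihood * self.impact

    def residual(self) -> float:
        # Risk the business is living with once the control is credited
        return round(self.inherent() * (1.0 - self.control_effect), 2)


# Constructed register covering the six areas of the deck's audit plan.
REGISTER = [
    RiskItem("Logical Security", "fraud or information theft via weak access control", 4, 5, 0.50, 40),
    RiskItem("Transaction Processing", "incorrect processing: money disappears", 3, 4, 0.75, 30),
    RiskItem("Change Management & QA", "unknown, untested changes reach production", 3, 4, 0.25, 10),
    RiskItem("Physical Security", "theft or vandalism of equipment", 2, 3, 0.80, 20),
    RiskItem("Project Management", "late or over-budget projects", 4, 3, 0.20, 15),
    RiskItem("Disaster Recovery Planning", "outage loses or corrupts data", 1, 5, 0.40, 25),
]


def rank_by_residual(register, appetite):
    """Standard comparison across risks: order by residual risk, highest first
    (inherent risk breaks ties), flagging anything above the stated appetite.
    Returns (area, inherent, residual, above_appetite) tuples."""
    ranked = sorted(register, key=lambda r: (r.residual(), r.inherent()), reverse=True)
    return [(r.area, r.inherent(), r.residual(), r.residual() > appetite) for r in ranked]


def annual_plan(register, appetite, slots):
    """Areas to audit this year: everything above appetite is mandatory even if
    it exceeds the slots available; remaining slots go to the next-highest residual."""
    ranked = rank_by_residual(register, appetite)
    mandatory = [area for area, _, _, above in ranked if above]
    optional = [area for area, _, _, above in ranked if not above]
    return mandatory + optional[: max(0, slots - len(mandatory))]


def value_for_money(register):
    """Balance cost of control against loss: inherent risk removed per unit of
    control cost, highest first (the 'cheapest to control' parameter)."""
    def reduction_per_cost(r):
        return (r.inherent() - r.residual()) / r.control_cost
    return [(r.area, round(reduction_per_cost(r), 2))
            for r in sorted(register, key=reduction_per_cost, reverse=True)]


if __name__ == "__main__":
    for row in rank_by_residual(REGISTER, appetite=4.0):
        print(row)
    print("audit this year:", annual_plan(REGISTER, appetite=4.0, slots=4))
    print("control value:", value_for_money(REGISTER))
```

Two things the numbers make visible that the slide's bullet list does not: an area with a high inherent score can drop well down the plan once an effective control is credited (Transaction Processing here), and the cheapest reduction is not where the residual risk is highest, which is exactly the business decision on risk strategy the deck says the analysis should enable.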
Conclusion
It’s the BUSINESS NEEDS that count!
When considering how to manage Risk . . . .
Questions ??
Derek J. Oliver CISA, CFE
Ravenswood Consultants Limited
What to Audit & Why?