Uploaded by Muriithi Murage

DEPARTMENT OF BUSINESS AND SOCIAL STUDIES

BIT 4108: INFORMATION SYSTEMS AUDIT


BIT 4108: PROJECT ANALYSIS AND MANAGEMENT
Contact hours: 42

Purpose:
Expected Learning Outcomes of the Course:
By the end of the course, students should be able to:-

Course Content:

Course Outline

TABLE OF CONTENTS
Page
COURSE OUTLINE ..... i
TABLE OF CONTENTS ..... iv
CHAPTER ONE: Introduction ..... 1
1.1 Project ..... 1
1.2 Project Plan ..... 1
1.3 Project Planning ..... 2
1.3.1 National Plans ..... 3
1.3.2 Sectoral Plans ..... 3
1.4 Project Management ..... 3
1.5 History of Project Management ..... 5
Review Questions ..... 6
References for further reading ..... 6

CHAPTER TWO: Project Cycle ..... 7
2.1 The Warren C. Baum (World Bank) Project Cycle ..... 7
2.2.1 The UNIDO Project Cycle: New Industrial Projects ..... 11
2.2.2 Rehabilitation and Expansion Projects ..... 18
Review Questions ..... 21
References for further reading ..... 21

CHAPTER THREE: Market and Demand Analysis ..... 22
3.1 Situational Analysis and Specification of Objectives ..... 22
3.2 Collection of Secondary Information ..... 23
3.3 Conduct of Market Survey ..... 24
3.4 Characterization of Market ..... 25
3.5 Demand Forecasting ..... 26
3.6 Market Planning ..... 29
Review Questions ..... 30
References for further reading ..... 30

CHAPTER FOUR: Raw Materials and Supplies Study ..... 31
4.1 Classification of Raw Materials and Supplies ..... 33
4.2 Specification of Requirements ..... 34
4.3 Availability and Supply ..... 37
4.4 Costs of Raw Materials and Suppliers ..... 40
Review Questions ..... 42
References for further reading ..... 42

CHAPTER FIVE: Location Analysis ..... 43
5.1 The Natural Environment ..... 44
5.2 Environment Impact Assessment ..... 44
5.2.1 Objectives of Environmental Impact Assessment ..... 46
5.2.3 Phase and Structure of Environmental Impact Assessment ..... 46
5.2.4 The Assessment Process ..... 47
5.2.5 Methodologies and Tools ..... 48
5.2.6 The following basic steps should be observed when performing environmental impact assessment ..... 50
5.2.7 Cost-benefits analysis of environment impacts ..... 51
5.2.8 Assessment of environment costs and benefits ..... 52
5.2.9 Environment Parameters ..... 52
5.3 Socio-economic policies ..... 53
5.4 Infrastructural conditions ..... 53
5.5 Resources or market orientation ..... 54
5.6 Assessment of location ..... 54
5.7 Site selection ..... 55
5.8 Requirements and relevant factors ..... 55
Review Questions ..... 56
References for further reading ..... 56

CHAPTER SIX: Production Program and Plant Capacity ..... 57
6.1 Production program ..... 57
6.1.1 Determination of the production program ..... 58
6.1.2 Plant capacity ..... 58
6.2 Technology and Engineering Study ..... 61
6.2.1 Definition of technology ..... 61
6.2.2 Selection of Technology ..... 62
6.3 Civil Works ..... 67
Review Questions ..... 67
References for further reading ..... 68

CHAPTER SEVEN: Human Resource and Organization ..... 69
7.1 Categories and Functions ..... 70
7.2 Socio-Economic and Cultural Environment ..... 70
7.3 Project Related Requirements ..... 71
7.4 Organizational Set-Up ..... 72
7.5 Availability and Recruitment ..... 75
Review Questions ..... 79
References for further reading ..... 79

CHAPTER EIGHT: Financial and Economic Analysis ..... 80
8.1 Total investment costs ..... 80
8.2 Production Costs ..... 85
8.3 Marketing costs ..... 86
8.4 Project cash flows ..... 87
8.5 Financial Evaluation ..... 88
8.5.1 Basic assumptions underlying cash flow discounting in financial evaluation ..... 88
8.5.2 Methods of Financial Evaluation ..... 88
8.5.2.1 Net Present Value (NPV) Method ..... 88
8.5.2.2 Internal Rate of Return (IRR) ..... 89
8.5.2.3 Profitability Index (PI)/Present Value Index (PVI)/Benefit-Cost Ratio ..... 92
8.5.2.4 Discounted Payback Period ..... 93
Review Questions ..... 94
References for further reading ..... 94

CHAPTER NINE: Project Document ..... 95
9.1 Preliminary Section of the Project Document ..... 95
9.2 The Main Body of the Project Document ..... 95
Review Questions ..... 100
References for further reading ..... 100

CHAPTER TEN: Project Monitoring and Evaluation ..... 101
10.1 Performance Indicators ..... 101
10.2 The Logical Framework Approach ..... 102
10.3 Theory-Based Evaluation ..... 103
10.4 Formal Surveys ..... 104
10.5 Rapid Appraisal Methods ..... 105
10.6 Participatory Methods ..... 106
10.7 Public Expenditure Tracking Surveys ..... 108
10.8 Cost-Benefit and Cost-Effectiveness Analysis ..... 108
10.9 Impact Evaluation ..... 109
Review Questions ..... 112
References for further reading ..... 112
Appendix 1: Project Classification Codes ..... 113
Appendix 2: Sample Test Papers ..... 117
CHAPTER ONE: INTRODUCTION TO INFORMATION SYSTEMS AUDIT
Learning Objectives

By the end of this chapter the learner should be able to:


Define the term IS Audit
Describe the benefits of IS Audit
Explain the functions and elements of an IS Audit
Describe the Phases of an IT Audit
Classify audits

1.0 What is an IS Audit?

• An IS audit is the process of collecting and evaluating evidence of an organization's IS, practices and operations with a view to establishing whether they are in line with organizational goals.

• The evaluation of the obtained evidence determines whether the organization's assets and other interests are actually safeguarded.

• In summary, IS audits:

- focus on the computer-based aspects of an organization's information system.
- assess the proper implementation, operation, and control of computer resources.

"...a process that examines how well the organization's information needs and deliverables connect to the organizational mission, goals and objectives." (St. Clair, 1997, quoted in Henczel, 2001, p. xxii).

1.1 Why IS audit?

• An IS audit differs from a financial audit, where the primary focus is to evaluate whether financial controls are adhered to.

• The primary goals of IS auditing are to:

  • Evaluate a system's efficiency and performance.

  • Evaluate the organization's ability to protect its information assets; in other words, whether breaches of confidentiality, integrity and availability (CIA) are catered for.

1.2 Benefits of IS Audit

• Several benefits of IS audit exist, namely validity, diagnostic, feedback, information and training benefits.

• Validity: The organization gets valid and accurate information on the status of information as a corporate resource.

• Diagnostic: The diagnostic element of an audit allows strong points and weak points (or "gaps") to be identified. This information can be used to build on the strong points and to eliminate the weak ones.

• Feedback: The information audit is used to determine whether specific information inputs deliver the expected/desired information outcomes. The information audit is therefore an instrument of evaluation and provides information that can be used to plan and implement corrective actions.

• Information: A communication audit focuses attention on the process of communication in an organization and its improvement. In the same manner, an information audit can help to focus staff members' attention on the value and benefits of the use of information as a corporate resource.

• Training: An information audit provides the ideal opportunity to involve staff in the auditing process and at the same time to teach them more about the processes, philosophy and structures that support the usage of corporate information resources. By the time the information audit has been completed, these staff members will have a better understanding and picture of information and its role in the organization.

1.3 Functions of IS/IT Auditor

The IT auditor is often the translator of business risk, as it relates to the use of IT, to management: someone who can check the technicalities well enough to understand the risk (not necessarily manage the technology), make a sound assessment and present risk-oriented advice to management.

• IT auditors review risks relating to IT systems and processes, some of which are:

  • Inadequate information security (e.g. missing or out-of-date antivirus controls, open computer ports, open systems without passwords or with weak passwords, etc.)

  • Inefficient use of corporate resources, or poor governance (e.g. huge spending on unnecessary IT projects like printing resources, storage devices, high-power servers and workstations, etc.)

  • Ineffective IT strategies, policies and practices (including a lack of policies for the use of Information and Communication Technology (ICT) resources, Internet usage policies, security practices, etc.)

  • IT-related frauds (including phishing, hacking, etc.)

1.4 Elements of an IT Audit

• Systematic procedures are used

• Evidence is obtained:

  • tests of internal controls

  • substantive tests (financial systems)

• Determination of materiality for weaknesses found

• Preparation of the audit report and audit opinion

1.6 Types of Audit Tests

• Tests of controls: tests to determine if appropriate internal controls are in place and functioning effectively.

• Systems and applications: an audit used to verify that systems and applications are appropriate, efficient, reliable and adequate to meet the organization's objectives.

• Systems development: an audit used to verify that systems under development meet the objectives set out at each phase of development.

• IT governance: verifies that the IS structure and procedures ensure a secure environment (especially segregation of duties) for IS processing.

1.6.1 Segregation of Duties

• Transaction authorization is separate from transaction processing.

• Asset custody is separate from record-keeping responsibilities.

• The tasks needed to process the transactions are subdivided so that fraud requires collusion.
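The three separations above can be checked mechanically against a role assignment. The following Python is an added example, not part of the course notes; the duty names, roles and users are constructed assumptions, and the check flags both toxic duty pairs and any single person who could run every step of a transaction without collusion.

```python
# Added example (not from the lecture notes): a segregation-of-duties (SoD)
# check over a constructed role assignment. Duty names, roles and users are
# illustrative assumptions, not the course's own material.

# The separations listed in the notes, expressed as pairs of duties that one
# person must not hold at the same time ("toxic combinations").
TOXIC_PAIRS = {
    frozenset({"authorize_transaction", "process_transaction"}),
    frozenset({"custody_of_assets", "record_keeping"}),
}

# The steps of one transaction, subdivided so that fraud requires collusion.
TRANSACTION_STEPS = ("initiate", "authorize_transaction", "process_transaction",
                     "record_keeping", "reconcile")

# Constructed sample data: roles -> duties, users -> roles.
ROLE_DUTIES = {
    "ap_clerk":      {"initiate", "process_transaction"},
    "ap_supervisor": {"authorize_transaction"},
    "cashier":       {"custody_of_assets"},
    "accountant":    {"record_keeping", "reconcile"},
    "it_admin":      {"initiate", "authorize_transaction", "process_transaction",
                      "record_keeping", "reconcile"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_supervisor"},
    "carol": {"cashier", "accountant"},   # custody + record keeping: conflict
    "dave":  {"it_admin"},                # holds every step: no collusion needed
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties granted through all of a user's roles."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def toxic_conflicts(user, **kw):
    """Toxic duty pairs a single user holds, sorted for stable output."""
    duties = effective_duties(user, **kw)
    found = [pair for pair in TOXIC_PAIRS if pair <= duties]
    return sorted(tuple(sorted(p)) for p in found)


def can_complete_alone(user, steps=TRANSACTION_STEPS, **kw):
    """True if one person can run every step of the transaction unaided."""
    return set(steps) <= effective_duties(user, **kw)


def sod_report(user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Audit finding per user: conflicts held, and whether fraud would still
    require collusion with someone else."""
    report = {}
    for user in sorted(user_roles):
        kw = {"user_roles": user_roles, "role_duties": role_duties}
        report[user] = {
            "conflicts": toxic_conflicts(user, **kw),
            "fraud_requires_collusion": not can_complete_alone(user, **kw),
        }
    return report


if __name__ == "__main__":
    for user, finding in sod_report().items():
        print(user, finding)
```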

1.6.2 Classification of audits

• Financial audits: assessment of an organization's financial statements to confirm their correctness and reliability.

• Operational audit: evaluates the internal control structure in a given process or area, e.g. an application.

• Integrated audit: a combination of financial and operational audit. It also assesses the overall objectives of an organization relating to financial information and asset protection.

• IS audit: collects and evaluates evidence to determine whether IS adequately safeguard assets, maintain data and system integrity and provide relevant and reliable information to meet organizational goals.

• Specialized audits: specialized reviews of work performed by third parties; these are needed because of the increasing dependence on outsourcing.

1.7 Phases of an IT Audit

Phases of the Information Systems Audit:

1. Establish terms of engagement

2. Preliminary review

3. Establish materiality and assess risks

4. Plan the audit

5. Consider internal controls

6. Perform audit process

7. Issue an audit report

1.7.1 Establish terms of Engagement

• Helps set the scope and objectives.

• The engagement letter should address:

  • Responsibility (scope, independence, deliverables)

  • Authority (right to access information)

  • Accountability (auditees' rights, completion dates and reporting lines)
1.7.2 Preliminary Review

• Initial review and evaluation of the area to be audited, and preparation of the audit plan.

• Get the organization's strategy and business model and the extent to which IS are beneficial.

• Identify financial application areas.

• Prepare an audit plan.

• Representative decisions include the following:

  • Will the entire organization be audited, or just certain representative or critical groups? Will it include all offices, or just certain locations?

  • Will it cover all the information assets in the organization, or focus on particular types of information, such as online resources or archives?
1.7.3 Risk assessment

• Assess the organization's business risks (threats to the organization's ability to achieve its objectives).

• An organization's risk exposure may change as a result of various changes, including the adoption of new technologies.

• Analyze the mitigating measures in place for the risks identified.

1.7.4 Planning the audit

• The planning stage may well be the most important. During this stage, objectives are established. It is critical to know what is to be accomplished with the audit, to understand the organization, and to identify all the stakeholders.

• In addition, the planning stage identifies the required resources: human, financial, technical, and physical. It is necessary to decide if the audit will be conducted using company personnel or will be outsourced. The decisions in this phase of the planning stage are interrelated in that, for example, outsourcing requires greater financial outlay but fewer physical resources.

1.7.5 Consider internal controls

• Auditors perform tests of controls to determine that the control policies, practices, and procedures established by management are functioning as planned. This is known as compliance testing.

• The auditor should consider information from previous audits.

• An understanding of internal controls helps the auditor assess the level of risk exposure.

1.7.6 Perform the audit

• Audit procedures are developed based on the auditor's understanding of the organization and its environment.

• Several procedures and frameworks can be used.

1.7.7 Issue an audit report

• Once the audit procedures have been performed and the results evaluated, the auditor will issue an audit report based on the findings.

• The report will help management decide on the way forward with regard to the set objectives.

Review Questions
i) Define the following terms:
a) IS Audit
b) An IS auditor
c) Segregation of duties
d) IS audit planning
ii) Describe the different phases of an IS audit.
iii) Distinguish between an IS auditor and an IT auditor.

References for further reading
CHAPTER TWO: Audit Planning
Learning Objectives
By the end of this chapter the learner should be able to:
Define the terms materiality and internal controls.
Explain why audit planning is important.
Describe the tasks involved in audit planning
Evaluate the different audit planning steps.
Discuss the different categories of control.

2.0 Audit Planning: Why?

• An auditor should plan the work so as to conduct an effective audit in an efficient and timely manner.

• Audit planning is required because it facilitates the following:

i. Ensures that appropriate attention is devoted to all important areas of the audit.

ii. Ensures that potential problems are properly identified.

iii. Ensures that work is completed expeditiously.

2.1 Factors to be considered for audit planning

1. Complexity of the audit.

2. Environment in which the organization operates.

3. Knowledge of the area of business.

4. Discussion with top management.

2.2 Tasks

• There are five (5) tasks within IS audit planning:

  • Develop and implement a risk-based IS audit strategy for the organization in compliance with IS audit standards, guidelines and best practices.

  • Plan specific audits to ensure that IT and business systems are protected and controlled.

  • Plan how to conduct audits in accordance with IS audit standards, guidelines and best practices to meet planned audit objectives.

  • Plan how to communicate emerging issues, potential risks and audit results to key stakeholders.

  • Advise on the implementation of risk management and control practices within the organization while maintaining independence.

2.2.1 The TEN knowledge statements

1. Knowledge of IS Auditing Standards, Guidelines and Procedures and Code of Professional Ethics

2. Knowledge of IS auditing practices and techniques

3. Knowledge of techniques to gather information and preserve evidence

4. Knowledge of the evidence life cycle

5. Knowledge of control objectives and controls related to IS

6. Knowledge of risk assessment in an audit context

7. Knowledge of audit planning and management techniques

8. Knowledge of reporting and communication techniques

9. Knowledge of control self-assessment (CSA)

10. Knowledge of continuous audit techniques

2.3.0 Audit Planning Steps

1. Gain an understanding of the business's mission, objectives, purpose and processes.

2. Identify stated contents (policies, standards, guidelines, procedures, and organization structure).

3. Evaluate risk assessment and privacy impact analysis.

4. Perform a risk analysis.

5. Conduct an internal control review.

6. Set the audit scope and audit objectives.

7. Develop the audit approach or audit strategy.

8. Assign personnel resources to the audit and address engagement logistics.

2.3.1 ISACA IS Auditing Standards and Guidelines

• The framework for the ISACA IS Auditing Standards provides for multiple levels, as follows:

  • Standards define mandatory requirements for IS auditing and reporting.

  • Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the above standards, use professional judgment in their application and be prepared to justify any departure.

  • Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when completing information systems auditing work, but do not set requirements.

2.3.2 Materiality

• An auditing concept regarding the importance of an item of information with regard to its impact or effect on the functioning of the entity being audited.

• Materiality is judged in terms of its inherent nature, impact (influence) value, use value, and the circumstances (context) in which it occurs. It is the opposite of triviality.

• In assessing materiality, the IT auditor should consider:

  • The aggregate level of error acceptable to management, the IT auditor, and the appropriate regulatory agencies.

  • The potential for the cumulative effect of small errors or weaknesses to become material.

• While establishing materiality, the auditor may audit non-financial items such as physical access controls, logical access controls, and systems for personnel management, manufacturing control, design, quality control, and password generation.

• While planning the audit work to meet the audit objectives, the auditor should identify the relevant control objectives and determine, based on materiality, which controls should be examined. Internal control objectives are set by management and identify what management strives to achieve through its internal controls.

• Where financial transactions are not processed, the following are some measures the auditor should consider when assessing materiality:

2.3.2.1 Measures

• Criticality of the business processes supported by the system or operation.

• Cost of the system or operation (hardware, software, third-party services).

• Potential cost of errors.

• Number of accesses/transactions/inquiries processed per period.

• Penalties for failure to comply with legal and contractual requirements.

2.4 Evaluation of Internal Controls

• Policies, procedures, practices and organizational structures implemented to reduce risks are referred to as internal controls.

• Internal controls are developed to provide reasonable assurance that an organization's business objectives will be achieved and undesired risk events will be prevented, or detected and corrected, based on either compliance or management-initiated concerns.

The auditor evaluates the organization's control structure by understanding the organization's five interrelated control components.

2.5 Control components

• Control Environment: provides the foundation for the other components. It encompasses such factors as management's philosophy and operating style. The board of directors and senior management are responsible for establishing the appropriate culture to facilitate an effective and efficient internal control system and for continuously monitoring its effectiveness, although each individual within an organization must take part in this process.

• Risk Assessment: consists of risk identification and analysis.

• Control Activities: consist of the policies and procedures that ensure employees carry out management's directions. The types of control activities an organization must implement are preventive controls (controls intended to stop an error from occurring), detective controls (controls intended to detect whether an error has occurred), and mitigating controls (control activities that can mitigate the risks associated with a key control not operating effectively).

• Information and Communication: ensures the organization obtains pertinent information, and then communicates it throughout the organization.

• Monitoring: reviewing the output generated by control activities and conducting special evaluations.

2.5.1 Internal Control Objectives

• Safeguarding of information technology assets

• Compliance with corporate policies or legal requirements

• Authorization of input

• Accuracy and completeness of processing of transactions

• Output authorization

• Reliability of processes

• Backup/recovery

• Efficiency and economy of operations

Two Things

• There are two key aspects that a control needs to address: what you want to achieve (objectives) and what you want to avoid (risk). Internal controls must not only address business/operational objectives, but must also address undesired events by preventing, detecting, and correcting them.

2.5.2 Categories

• Controls are generally categorized into 3 major classifications:

  • Preventive: these controls deter problems before they arise.

  • Detective: controls that detect and report the occurrence of an error, omission or malicious act.

  • Corrective: these controls minimize the impact of a threat, remedy problems discovered by detective controls, and identify the cause of a problem.

2.5.3 IS Control Objectives

Control objectives in an information systems environment remain unchanged from those of a manual environment. However, the control features may be different. The internal control objectives thus need to be addressed in a manner specific to IS-related processes:

• Safeguarding assets

• Assuring the integrity of general operating system environments

• Assuring the integrity of sensitive and critical application system environments through:

  – Authorization of the input
  – Accuracy and completeness of processing of transactions
  – Reliability of overall information processing activities
  – Accuracy, completeness and security of the output
  – Database integrity

• Ensuring the efficiency and effectiveness of operations

• Complying with requirements, policies and procedures, and applicable laws

• Developing business continuity and disaster recovery plans

• Developing an incident response plan

2.6.0 Types of controls

• Information system controls are broadly classified into two categories:

  • General controls

  • Application controls

• General controls include controls over data centre operations, system software acquisition and maintenance, access security, and application system development and maintenance.
2.6.1 General controls

• They create the environment in which the application systems and application controls operate. Examples:

  • IT policies, standards, and guidelines pertaining to IT security and information protection, application software development and change controls, segregation of duties, service continuity planning, IT project management, etc.

2.6.1.1 Factors to consider

• The following points should be covered while reviewing these controls:

(i) Obtain a list of hardware, including computer, ancillary and terminal equipment in use, indicating model and performance details, and check the existence of this equipment.

(ii) Obtain an up-to-date organizational chart and see how the computer fits into the overall organization.

(iii) Obtain an up-to-date staff organization chart of the computer department showing the relative responsibilities and authorities, and note any changes on review.

(iv) Obtain job specifications (role definitions) for senior computer staff and supervisors of the ancillary section, and note any changes.

(v) Obtain the details of the standards and norms fixed for each of the functions like data control, data preparation and system operation, and verify their implementation.

(vi) Check whether manuals are maintained and kept up to date specifying the control procedures, and whether they are enforced in practice through a 'test check'.

2.6.2 Application controls

• Application controls pertain to specific computer applications. They include controls that help to:

  • Ensure the proper authorization, completeness, accuracy, and validity of transactions, maintenance, and other types of data input. Examples include system edit checks of the format of entered data to help prevent possible invalid input, and system-enforced transaction controls that prevent users from performing transactions that are not part of their normal duties.

• Before getting on to the evaluation of application controls, it will be necessary for the auditor to secure a reasonable understanding of the system. For this purpose, a brief description of the application should be prepared:

(i) Indicating the major transactions,

(ii) Describing the transaction flow and main output,

(iii) Indicating the major files maintained, and

(iv) Providing approximate figures for transaction volumes.

• Application control requirements may be divided into:

(i) Documentation standards

(ii) Input control

(iii) Processing control

(iv) Output control

(v) Master/standing data file control

(vi) Audit requirements

2.6.2.1 Factors to consider

• The audit of an operational application system involves verification of input/output controls, processing controls and the audit trail. Evidence may be obtained on the following points in the course of the audit to come to a reasonable conclusion regarding the existence of controls and their adequacy:

(i) Whether the data processed are genuine, complete, accurate and not provisional.

(ii) Whether the expected output is produced and distributed on time.

(iii) Whether application programs process the data as intended and accurately.

(iv) Whether a complete audit trail is available for tracing a transaction back from the final result to the initial input.

(v) Whether the data and changes to it are authorized by the appropriate authority in both the user and computer departments.

2.6.3 Audit trail

• The objective of the audit trail is to obtain sufficient evidential matter regarding the reliability and integrity of the application system. To achieve this, the audit trail should contain enough information to allow management, the auditor and the user:

(i) To recreate processing actions;

(ii) To verify summary totals; and

(iii) To trace the sources of intentional and unintentional errors.

• The audit trail should include the following information:

  • System information, including start-up time, stop time, restarts, recovery, etc.

  • Transaction information, including input items which change the database, control totals and rejected items (relevant to database applications).

  • Communication information, including terminal log-on/off, password use, security violations, network changes and transmission statistics (relevant to transaction processing, i.e. TP applications).
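To show what the three audit-trail uses above look like in practice, here is an added Python example (not part of the course notes) that replays a constructed trail: it rebuilds account balances from the posted input items, recomputes each batch's control total against the one the application logged, and traces rejected items and security violations back to user and terminal. The record layout, field names and sample events are assumptions, not any real system's format.

```python
# Added example (not from the lecture notes): a small audit-trail verifier over
# constructed log records. Record layout, field names and the sample batch are
# illustrative assumptions, not a real system's format.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample trail covering the three record classes the notes list
# (system, transaction, communication). Amounts are whole currency units.
SAMPLE_TRAIL = """\
ts,category,event,user,terminal,account,amount,batch,detail
08:00:00,system,startup,,,,,,
08:01:10,communication,logon,alice,T01,,,,
08:02:00,transaction,post,alice,T01,ACC-100,250,B1,invoice 17
08:02:30,transaction,post,alice,T01,ACC-200,-250,B1,invoice 17
08:03:00,transaction,reject,alice,T01,ACC-999,40,B1,unknown account
08:03:30,transaction,post,alice,T01,ACC-100,100,B1,invoice 18
08:04:00,transaction,control_total,alice,T01,,100,B1,net posted
08:05:00,communication,password_fail,bob,T02,,,,bad password
08:05:05,communication,password_fail,bob,T02,,,,bad password
08:05:10,communication,security_violation,bob,T02,,,,locked after 3 failures
08:06:00,communication,logoff,alice,T01,,,,
08:07:00,system,stop,,,,,,
"""


def parse_trail(text=SAMPLE_TRAIL):
    """Parse the CSV trail into dicts; amount becomes int, blanks stay ''."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["amount"] = int(r["amount"]) if r["amount"] else 0
    return rows


def recreate_processing(rows):
    """(i) Recreate processing: replay posted items to rebuild account balances."""
    balances = defaultdict(int)
    for r in rows:
        if r["category"] == "transaction" and r["event"] == "post":
            balances[r["account"]] += r["amount"]
    return dict(balances)


def verify_control_totals(rows):
    """(ii) Verify summary totals: recompute each batch's net from the posted
    items and compare it with the control_total the application logged.
    Rejected items must not count towards the recomputed figure."""
    posted = defaultdict(int)
    claimed = {}
    for r in rows:
        if r["category"] != "transaction":
            continue
        if r["event"] == "post":
            posted[r["batch"]] += r["amount"]
        elif r["event"] == "control_total":
            claimed[r["batch"]] = r["amount"]
    return {b: {"claimed": claimed.get(b), "recomputed": posted[b],
                "matches": claimed.get(b) == posted[b]}
            for b in sorted(set(posted) | set(claimed))}


def trace_errors(rows):
    """(iii) Trace error sources: unintentional (rejected input) and intentional
    (security violations), each tied back to the user and terminal."""
    rejected = [(r["ts"], r["user"], r["terminal"], r["account"], r["detail"])
                for r in rows if r["event"] == "reject"]
    violations = [(r["ts"], r["user"], r["terminal"], r["detail"])
                  for r in rows if r["event"] == "security_violation"]
    return {"rejected_items": rejected, "security_violations": violations}


def session_bounds(rows):
    """System information: confirm the trail is bracketed by startup and stop."""
    events = [r["event"] for r in rows if r["category"] == "system"]
    return events[:1] == ["startup"] and events[-1:] == ["stop"]


if __name__ == "__main__":
    trail = parse_trail()
    print(recreate_processing(trail))
    print(verify_control_totals(trail))
    print(trace_errors(trail))
    print("complete session:", session_bounds(trail))
```

A batch whose recomputed net disagrees with the logged control total is exactly the kind of gap the auditor follows back through the trail to the input items.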

Review Questions
i) How do the IS audit planning objectives differ from IS audit control objectives?
ii) State the objectives of IS audit planning.
iii) Discuss how IS audit controls can be achieved.
iv) Describe the stages of IS audit planning.

References for further reading
CHAPTER THREE: Risk Assessment
Learning Objectives
By the end of this chapter the learner should be able to:
Define the terms risk, threat and threat source.
Describe the different types of risk and their relationships.
Explain why risk management is important
Assess the impact of risk.

3.0 Risk

• Risk is the potential harm that may arise from some current process or from some future event.

• From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system.

3.1.1 Risk: a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

3.1.2 Threat: the potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

3.1.3 Threat-Source: either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

3.1.4 Vulnerability: a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy.

3.1.5 Threat vs threat sources

A threat is merely the potential for the exercise of a particular vulnerability. Threats in themselves are not actions. Threats must be coupled with threat-sources to become dangerous.

3.2 How Is Risk Assessed?

• Risk is assessed by identifying threats and vulnerabilities, then determining the
likelihood and impact for each risk.

• Threats should include the threat-source to ensure accurate assessment.

• Some common threat-sources include:

• Natural Threats: floods, earthquakes, hurricanes
• Human Threats: threats caused by human beings, including both
unintentional (inadvertent data entry) and deliberate actions (network-based attacks,
virus infection, unauthorized access)
• Environmental Threats: power failure, pollution, chemicals, water damage
3.2.1 Identifying Vulnerabilities
• Vulnerabilities can be identified by numerous means. Different risk management
schemes offer different methodologies for identifying vulnerabilities. In general, start
with commonly available vulnerability lists or control areas.

• Then, working with the system owners or other individuals with knowledge of the
system or organization, start to identify the vulnerabilities that apply to the system.

3.2.2 Tools
• While the following tools and techniques are typically used to evaluate the
effectiveness of controls, they can also be used to identify vulnerabilities:

• Vulnerability Scanners: software that can examine an operating system, network,
application or code for known flaws by comparing the system (or system responses to
known stimuli) to a database of flaw signatures.

• Penetration Testing: an attempt by human security analysts to exercise threats
against the system. This includes operational vulnerabilities, such as social
engineering.

• Audit of Operational and Management Controls: a thorough review of
operational and management controls by comparing the current documentation to best
practices (such as ISO standards) and by comparing actual practices against current
documented processes.

3.2.2.1 Relating Threats to Vulnerabilities

• One of the more difficult activities in the risk management process is to relate a threat
to a vulnerability. Nonetheless, establishing these relationships is a mandatory activity,
since risk is defined as the exercise of a threat against a vulnerability. This is often
called threat-vulnerability (T-V) pairing.

3.3 Defining Likelihood

• Determining likelihood is fairly straightforward. It is the probability that a threat
caused by a threat-source will occur against a vulnerability. In order to ensure that risk
assessments are consistent, it is an excellent idea to utilize a standard definition of
likelihood on all risk assessments.

3.3.1 Sample Likelihood Definitions

Low: 0-25% chance of successful exercise of threat during a one-year period.
Moderate: 26-75% chance of successful exercise of threat during a one-year period.
High: 76-100% chance of successful exercise of threat during a one-year period.

3.3.2 Defining Impact

• Impact is best defined in terms of impact upon availability, impact upon integrity and
impact upon confidentiality.

• Impact can be:

• Low.
• Moderate.
• Severe.
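Putting T-V pairing, the likelihood definitions and the impact levels together, as an added example that is not part of the course notes: the likelihood bands are the ones defined above, but the 3x3 matrix that turns a (likelihood, impact) pair into a risk rating, and the register entries it is run over, are assumptions made here for illustration.

```python
"""Added example, not part of the course notes: scoring threat-vulnerability (T-V)
pairs with the likelihood and impact categories defined above. The likelihood
bands (Low 0-25%, Moderate 26-75%, High 76-100%) come from the notes; the
3x3 risk matrix that combines a likelihood and an impact level into a risk
rating is an assumption for illustration, not a scale the notes prescribe."""
from dataclasses import dataclass

LIKELIHOOD_BANDS = (("Low", 0, 25), ("Moderate", 26, 75), ("High", 76, 100))
IMPACT_LEVELS = ("Low", "Moderate", "Severe")

# Assumed matrix: rows = likelihood band, columns = impact (Low, Moderate, Severe).
RISK_MATRIX = {
    "Low":      ("Low",      "Low",      "Moderate"),
    "Moderate": ("Low",      "Moderate", "High"),
    "High":     ("Moderate", "High",     "High"),
}

@dataclass
class TVPair:
    threat_source: str
    threat: str
    vulnerability: str
    annual_probability_pct: int   # estimated chance of successful exercise in one year
    impact: str                   # one of IMPACT_LEVELS

def likelihood_band(probability_pct):
    """Map a one-year probability (whole percent) to the notes' likelihood band."""
    if not 0 <= probability_pct <= 100:
        raise ValueError("probability must be between 0 and 100 percent")
    for name, low, high in LIKELIHOOD_BANDS:
        if low <= probability_pct <= high:
            return name
    raise AssertionError("bands do not cover the input")  # unreachable for ints

def risk_level(pair):
    """Combine the likelihood band and the impact level through the assumed matrix."""
    if pair.impact not in IMPACT_LEVELS:
        raise ValueError(f"unknown impact level {pair.impact!r}")
    row = RISK_MATRIX[likelihood_band(pair.annual_probability_pct)]
    return row[IMPACT_LEVELS.index(pair.impact)]

def rank_register(pairs):
    """Return (pair, risk) tuples ordered High -> Moderate -> Low, so the
    highest-rated T-V pairs are dealt with first."""
    order = {"High": 0, "Moderate": 1, "Low": 2}
    scored = [(p, risk_level(p)) for p in pairs]
    return sorted(scored, key=lambda item: order[item[1]])

# Constructed register entries, following the threat-source categories above.
SAMPLE_REGISTER = [
    TVPair("Human (deliberate)", "network-based attack",
           "unpatched internet-facing web server", 80, "Severe"),
    TVPair("Environmental", "power failure",
           "no UPS on the database host", 40, "Moderate"),
    TVPair("Natural", "flood",
           "server room in a basement", 5, "Severe"),
    TVPair("Human (unintentional)", "inadvertent data entry",
           "no input validation on amount field", 70, "Low"),
]

if __name__ == "__main__":
    for pair, risk in rank_register(SAMPLE_REGISTER):
        print(f"{risk:8s} {pair.threat_source:22s} {pair.threat} / {pair.vulnerability}")
```

The point of pairing before scoring is visible in the output: the flood entry has a severe impact but a low likelihood and lands in the middle, while the unvalidated amount field is likely but low-impact and lands at the bottom.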

3.3.2.1 Issues to consider in the risk assessment process

• Identifying mission-critical information systems:

• For example, systems that are part of an intranet/extranet and may have
external access to the Internet.

• This process also involves a thorough review of the organisation's security
programs, such as firewalls.

• The system architecture with the topological layout, plus a list of all nodes,
hardware and software.

3.4 Managing risk

• There are four basic strategies for managing risk: mitigation, transference, acceptance
and avoidance.

3.4.1 Mitigation

• Mitigation is the most commonly considered risk management strategy. Mitigation
involves fixing the flaw or providing some type of compensatory control to reduce the
likelihood or impact associated with the flaw.

• A common mitigation for a technical security flaw is to install a patch provided
by the vendor. Sometimes the process of determining mitigation strategies is
called control analysis.

3.4.2 Transference
Transference is the process of allowing another party to accept the risk on your behalf.
Risk is transferred from the individual to a pool of insurance holders, including the
insurance company.
Note that this does not decrease the likelihood or fix any flaws, but it does reduce the
overall impact (primarily financial) on the organization.

3.4.3 Acceptance
Acceptance is the practice of simply allowing the system to operate with a known risk.
Many low risks are simply accepted. Risks that have an extremely high cost to
mitigate are also often accepted.
Often risks are accepted that should not have been accepted, and then when the
penetration occurs, the IT security personnel are held responsible. Typically, business
managers, not IT security personnel, are the ones authorized to accept risk on behalf of
an organization.
3.4.4 Avoidance
Avoidance is the practice of removing the vulnerable aspect of the system or even the
system itself.
For instance, during a risk assessment, a website was uncovered that let vendors view
their invoices, using a vendor ID embedded in the HTML file name as the
identification and no authentication or authorization per vendor. When notified about
the web pages and the risk to the organization, management decided to remove the
web pages and provide vendor invoices via another mechanism. In this case, the risk
was avoided by removing the vulnerable web pages.
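The invoice-page case above, reduced to code as an added example that is not part of the course notes: the vulnerable handler is what the assessment found (vendor ID in the file name, nothing else), and the second handler is what the mitigation alternative would have looked like had management chosen it over avoidance. The URL layout, session store and invoice records are constructed for illustration.

```python
"""Added example, not part of the course notes: the vendor invoice page described
above, reduced to a request handler, beside the mitigated version management
chose not to build (they avoided the risk instead). URL layout, session store
and invoice records are constructed for illustration."""
import re

# Constructed invoice store: vendor id -> invoice text.
INVOICES = {
    "V1001": "Invoice 2024-031: 12,400.00 due 2024-04-30",
    "V1002": "Invoice 2024-032: 3,150.00 due 2024-04-15",
}
# Constructed session store: session token -> vendor authenticated for it.
SESSIONS = {"tok-a7f3": "V1001"}

FILENAME = re.compile(r"^/invoices/(V\d{4})\.html$")

def serve_invoice_vulnerable(path, session_token=None):
    """Original design: the vendor ID in the file name is the only 'identification'.
    No login is required, so anyone who can count from V1000 upward reads every
    vendor's invoice. The session token is ignored."""
    m = FILENAME.match(path)
    if not m or m.group(1) not in INVOICES:
        return 404, "not found"
    return 200, INVOICES[m.group(1)]

def serve_invoice_mitigated(path, session_token=None):
    """Mitigated design: authenticate (the token must map to a vendor) and
    authorize per vendor (the session's vendor must equal the one requested).
    The vendor ID in the URL becomes a lookup key, not a credential."""
    m = FILENAME.match(path)
    if not m:
        return 404, "not found"
    requested = m.group(1)
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, "authentication required"
    # Same response for "not yours" and "does not exist", so the handler does
    # not confirm which vendor IDs are real.
    if owner != requested or requested not in INVOICES:
        return 404, "not found"
    return 200, INVOICES[requested]

def enumerate_invoices(handler, session_token=None):
    """Simulated attacker: walk candidate vendor IDs and collect the paths that
    come back with status 200."""
    leaked = []
    for n in range(1000, 1010):
        path = f"/invoices/V{n}.html"
        status, _ = handler(path, session_token)
        if status == 200:
            leaked.append(path)
    return leaked

if __name__ == "__main__":
    print("vulnerable, no login:", enumerate_invoices(serve_invoice_vulnerable))
    print("mitigated, no login: ", enumerate_invoices(serve_invoice_mitigated))
    print("mitigated, as V1001: ", enumerate_invoices(serve_invoice_mitigated, "tok-a7f3"))
```

Either option closes the exposure; the difference is that avoidance removes the pages and their upkeep, whereas mitigation keeps the feature and takes on the session handling and per-vendor authorization checks as a permanent control to maintain and audit.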

3.5 Audit Risk

• Audit risk can be defined as the risk that the information/financial report may contain
a material error that goes undetected during the course of the audit; that is, the risk that
the auditor will incorrectly issue an unqualified opinion.
• Several types of audit risk:
• Inherent risk
• Control risk
• Detection risk
• Overall audit risk

3.5.1 Inherent risk

• The risk that an error exists that could be material or significant when combined with
other errors encountered during the audit, assuming that there are no related
compensating controls.
• Inherent risk can also be described as the susceptibility to a material misstatement in
the absence of related controls. For example, complex calculations are more likely to
be misstated than simple ones, and cash is more likely to be stolen than an inventory of
coal. Inherent risks exist independent of an audit and can occur because of the nature
of the business.
• Inherent risk is:
• Higher in complex transactions
• Higher where items are more naturally prone to fraud
• Based in part on prior experience
• Influenced by industry and management pressures
• Inherent risk cannot be changed by the auditor; it simply exists.

3.5.2 Control risk

• The risk that a material error exists that will not be prevented or detected in a timely
manner by the internal control system; or
• The risk that internal controls will fail to prevent or detect material misstatement.
• For example, the control risk associated with manual reviews of computer logs can be
high because activities requiring investigation are often easily missed, owing to the
volume of logged information. The control risk associated with computerized data
validation procedures is ordinarily low if the processes are consistently applied.
• Control risk depends on the design and execution of controls:
• Control risk (CR) = the risk that internal controls will FAIL to prevent or detect misstatement
• High CR means a high risk that controls will fail
• Low CR means a low risk that controls will fail
• If CR is high, the auditor will not rely much on controls
• If CR is low, the auditor can rely on the internal control system (ICS) and reduce other types of testing

3.5.3 Detection risk

• The risk that an IS auditor uses an inadequate test procedure and concludes that
material errors do not exist when, in fact, they do: the failure of audit tests.
• Detection of an error would not be determined during the risk assessment phase of an
audit. However, identifying detection risk helps to evaluate and assess the
auditor's ability to test, identify and recommend the correction of material errors as
the result of a test.
• Detection risk is:
• A function of the types of tests the auditor does.
• Dependent on the nature, timing and extent of audit procedures.
• The only risk element that can be controlled by the auditor.

3.5.4 Overall audit risk

• The combination of the individual categories of audit risk assessed for each specific
control objective.
• An objective in formulating the audit approach is to limit the audit risk in the area
under scrutiny so that the overall audit risk is at a sufficiently low level at the completion
of the examination. Another objective is to assess and control those risks to achieve
the desired level of assurance as efficiently as possible.

3.5.4.1 Interrelationship of Risks

• If IR and CR are high, then DR should be low (lots of testing).
• If IR is high and CR is low, then DR can be higher, because controls offset the high IR.
• If IR is low and CR is low, then DR can be high.
• If IR is low but CR is high, this is somewhat indicative of fraud; DR should be very low.

3.5.4.2 Keep Things Open

• Control risk assessment must be backed up by control testing results.
• If tests show weaker controls, CR is higher, thus DR needs to be lower.
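The four cases under 3.5.4.1 and the "keep things open" rule, worked numerically as an added example that is not part of the course notes. It uses the multiplicative audit risk model AR = IR x CR x DR from financial auditing, which the notes describe only in words; the numbers assigned to "low", "moderate" and "high", and the cap applied in the fraud-indicator case, are assumptions made here.

```python
"""Added example, not part of the course notes: the interrelationship of inherent
risk (IR), control risk (CR) and detection risk (DR) worked through the
multiplicative audit risk model AR = IR x CR x DR that financial auditing uses
and the notes describe only in words. The numbers assigned to "low",
"moderate" and "high", and the cap applied in the fraud-indicator case, are
assumptions chosen for illustration."""

# Assumed numeric stand-ins for the qualitative levels used in the notes.
LEVELS = {"low": 0.2, "moderate": 0.5, "high": 1.0}

def required_detection_risk(target_ar, ir, cr):
    """Solve AR = IR * CR * DR for DR: the detection risk the auditor can afford
    while holding overall audit risk at target_ar. Lower DR means more testing."""
    for name, value in (("target_ar", target_ar), ("ir", ir), ("cr", cr)):
        if not 0 < value <= 1:
            raise ValueError(f"{name} must be in (0, 1]")
    return min(1.0, target_ar / (ir * cr))

def apply_fraud_override(ir, cr, dr):
    """Fourth case under 3.5.4.1: low IR with high CR is read as a fraud
    indicator, so DR is pushed well below what the arithmetic alone allows.
    The 0.1 cap is an assumed value."""
    if ir <= LEVELS["low"] and cr >= LEVELS["high"]:
        return min(dr, 0.1)
    return dr

def describe(dr):
    """Translate the allowed DR back into the notes' vocabulary."""
    if dr <= 0.1:
        return "very low DR: extensive substantive testing"
    if dr <= 0.25:
        return "low DR: substantial testing"
    return "higher DR: reduced testing, reliance on controls"

def interrelationship_table(target_ar=0.05):
    """The four IR/CR cases listed under 3.5.4.1, with the DR each permits."""
    rows = []
    for ir_name, cr_name in (("high", "high"), ("high", "low"), ("low", "low"), ("low", "high")):
        ir, cr = LEVELS[ir_name], LEVELS[cr_name]
        dr = apply_fraud_override(ir, cr, required_detection_risk(target_ar, ir, cr))
        rows.append((ir_name, cr_name, round(dr, 3), describe(dr)))
    return rows

def revise_after_control_tests(target_ar, ir, planned_cr, observed_deviation_rate, tolerable_rate):
    """'Keep things open': if control testing shows a deviation rate above what
    is tolerable, the planned CR assessment is not supported. CR is raised to
    high and the DR the audit can now afford is recomputed (it falls)."""
    cr = LEVELS["high"] if observed_deviation_rate > tolerable_rate else planned_cr
    return cr, required_detection_risk(target_ar, ir, cr)

if __name__ == "__main__":
    for ir, cr, dr, meaning in interrelationship_table():
        print(f"IR {ir:5s} CR {cr:5s} -> DR {dr:5.3f}  {meaning}")
```

Note that the arithmetic alone treats "high IR, low CR" and "low IR, high CR" identically (both allow DR = 0.25 at a 5% target); the notes' fourth case is a judgmental override of that arithmetic, which is why it is coded as a separate step rather than folded into the formula.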

3.6 Materiality
• Materiality is "the magnitude of an omission or misstatement of information that, in
the light of surrounding circumstances, makes it probable that the judgment of a
reasonable person relying on the information would have been changed or influenced
by the omission or misstatement."
• There is an inverse relationship between materiality and the level of audit risk: that is,
the higher the materiality level, the lower the audit risk, and vice versa. Auditors take
into account the inverse relationship between materiality and audit risk when
determining the nature, timing and extent of audit procedures.

3.6.1 How it is determined

• In an audit of an information system, the auditor's judgment as to matters that are
material to users of this system is based on consideration of the needs of users as a
group.
• The evaluation of whether a misstatement could influence the decisions of users, and
therefore be material, involves consideration of the characteristics of those users.
Users are assumed to:

3.6.2 User characteristics

• Have an appropriate knowledge of IS and its activities.
• Recognize the uncertainties inherent in the measurement of amounts based on the use
of estimates, judgment, and the consideration of future events.
• Make appropriate economic decisions on the basis of the information given by an
expert.

Review Questions
Define the following terms: risk, materiality, vulnerability, threat-source.
Describe some of the factors to consider when determining materiality.
Explain any FOUR methods of managing risk in IS audit.
Why is risk management important to an organization?

References for further reading
CHAPTER FOUR: Performing the Audit
Learning Objectives
By the end of this chapter the learner should be able to:
Define the terms audit sampling, evidence and CAATs.
Distinguish the various audit sampling techniques and CAAT techniques.
Evaluate the benefits of audit sampling.
Explain the difference between compliance testing and substantive testing.
Describe the rules of evidence and the techniques for gathering evidence.

4.1.0 Sampling
• Audit sampling is the testing of less than 100% of the items within a population to
obtain and evaluate evidence about some characteristic of that population, in order to
form a conclusion concerning the population.

4.1.1 Statistics as an Audit Tool

• Auditors use inferential statistics to draw conclusions about populations based on
samples of data.
• Why do auditors use samples? It is usually too costly and time-consuming to examine
the entire "universe".

4.1.2 Requirements of Audit Sampling Plans

• When planning the sample, consider:
• The relationship of the sample to the relevant audit objective.
• Materiality, or the maximum tolerable misstatement or deviation rate.
• Allowable sampling risk.
• Characteristics of the population.
• Select sample items in such a manner that they can be expected to be representative of
the population.
• Sample results should be projected to the population.
• Items that cannot be audited should be treated as misstatements or deviations in
evaluating the sample results.
• The nature and cause of misstatements or deviations should be evaluated.

4.1.3 Sampling Techniques

• Sampling techniques include:
• Non-statistical (judgment) sampling: subjective selection of sample size and
items (target high-risk transactions).
• Statistical sampling techniques:
• Random sampling: each item has an equal probability of selection.
• Cluster sampling: clusters are randomly selected, and the items in the selected
clusters are sampled.
• Systematic sampling: random start, then take every nth item.
• Multistage sampling: sampling on several levels; the auditor takes samples from
several locations and then takes another sample from the sampled items.
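The four statistical selection techniques above, implemented as an added example that is not part of the course notes. The population of transactions is constructed; the seed is recorded with the selection because the working papers must let a reviewer re-perform exactly the same draw.

```python
"""Added example, not part of the course notes: the four statistical selection
techniques listed above, applied to a constructed population of transaction
records. A fixed seed makes the selection reproducible, which is what an auditor
needs to document the sampling procedure and let a reviewer re-perform it."""
import random

# Constructed population: 120 transactions spread across 4 branch locations.
POPULATION = [
    {"id": f"T{n:04d}", "location": ("HQ", "North", "South", "West")[n % 4], "amount": 100 + 7 * n}
    for n in range(120)
]

def random_sample(population, size, seed):
    """Simple random sampling: every item has the same probability of selection."""
    rng = random.Random(seed)
    return rng.sample(population, size)

def systematic_sample(population, size, seed):
    """Systematic sampling: random start within the first interval, then every
    nth item, where n (the interval) = population size // sample size."""
    interval = len(population) // size
    if interval < 1:
        raise ValueError("sample size exceeds population size")
    start = random.Random(seed).randrange(interval)
    return [population[i] for i in range(start, len(population), interval)][:size]

def cluster_sample(population, key, clusters_to_pick, seed):
    """Cluster sampling: randomly pick whole clusters (here: locations) and take
    every item inside the chosen clusters."""
    clusters = sorted({item[key] for item in population})
    chosen = set(random.Random(seed).sample(clusters, clusters_to_pick))
    return [item for item in population if item[key] in chosen]

def multistage_sample(population, key, clusters_to_pick, per_cluster, seed):
    """Multistage sampling: first select locations, then draw a further sample
    of items within each selected location."""
    rng = random.Random(seed)
    clusters = sorted({item[key] for item in population})
    chosen = rng.sample(clusters, clusters_to_pick)
    picked = []
    for cluster in chosen:
        members = [item for item in population if item[key] == cluster]
        picked.extend(rng.sample(members, min(per_cluster, len(members))))
    return picked

def selection_record(technique, sample, **parameters):
    """What the working papers should retain: technique, parameters (seed,
    interval, ...) and the identifiers selected, so the draw can be re-performed."""
    return {"technique": technique, "parameters": parameters,
            "selected_ids": [item["id"] for item in sample]}

if __name__ == "__main__":
    print(selection_record("random", random_sample(POPULATION, 12, seed=7), seed=7))
    print(selection_record("systematic", systematic_sample(POPULATION, 12, seed=7), seed=7, interval=10))
    print(selection_record("cluster", cluster_sample(POPULATION, "location", 2, seed=7), seed=7))
    print(selection_record("multistage", multistage_sample(POPULATION, "location", 2, 5, seed=7), seed=7))
```

Systematic selection is the one to be careful with: if the population has a periodic structure (here every fourth record is the same location), an interval that is a multiple of that period will over- or under-represent one cluster, which is why the interval and the ordering of the population should both be documented.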

4.1.3.1 Statistical vs Non-statistical

• Statistical sampling involves the use of techniques from which mathematically
constructed conclusions regarding the population can be drawn.
• Non-statistical sampling is not statistically based, and results should not be
extrapolated over the population, as the sample is unlikely to be representative of the
population.
• The difference between statistical and non-statistical sampling is that statistical
sampling allows the user to measure the sampling risk associated with the
procedure. Statistical sampling applies the laws of probability to determine the
percent likelihood that the sample does not accurately reflect the population.
• In essence, the laws of probability say that large, relatively homogeneous populations
have similar distributions and other features, so that if a random sample is taken, it will
consistently reflect the population within certain limits. In order for the sample to be a
"statistical" sample, the results must be evaluated and calculations made that tell the
user how likely it is that the sample results are within a given range of the actual
population.
• A properly designed non-statistical sample can provide results that are accurate and
effective, but will not measure the sampling risk.
• Generally, the decision to apply a statistical or non-statistical sampling application to a
particular audit test is a matter of cost effectiveness. Statistical applications usually
require more training for auditors and more time to apply.

4.2 Methods
• Within the two general approaches are two primary methods of sampling: attribute
sampling and variable sampling.
• Attribute sampling: generally applied in compliance testing situations; deals with
the presence or absence of the attribute and provides conclusions that are expressed in
rates of incidence.
• The auditor is attempting to determine the operating effectiveness of a control
procedure in terms of deviations from the prescribed internal control.

4.2.1 Discovery Sampling

• A modified case of attribute sampling.
• Its purpose is to detect at least one deviation (i.e. critical deviations).
• Useful in fraud detection.
• Auditor risk and deviation assessments:
• Risk of assessing control risk too low (e.g. 5%)
• Tolerable rate (normally set very low, e.g. < 2%)
• Expected deviation rate is generally set at 0

4.2.2 Variable sampling

• Variable sampling: generally applied in substantive testing situations; deals
with population characteristics that vary, such as dollars and weights, and provides
conclusions related to deviations from the norm.

4.3 Planning the tests

• Determine the objective of the test
• Define the attributes and deviation conditions
• Define the population to be sampled
• Specify:
• The risk of assessing control risk too low
• The tolerable deviation rate
• The estimated population deviation rate
• Determine the sample size
• Select the sample
• Test the sample items
• Evaluate the sample results
• Document the sampling procedure
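The planning steps above carried through end to end for a discovery (attribute) sampling test, as an added example that is not part of the course notes; it also serves section 4.2.1, using its parameters (5% risk of assessing control risk too low, 2% tolerable rate, expected deviation rate 0). Sample size and the achieved upper deviation limit are computed from the binomial distribution rather than read from a table; the control under test and the population of change tickets are constructed.

```python
"""Added example, not part of the course notes: the planning steps above carried
through for an attribute (discovery) sampling test, and the evaluation of the
result. Sample size and the achieved upper deviation limit are computed from
the binomial distribution rather than read from a table; the control being
tested (change tickets must carry an approval) and the constructed population
are assumptions for illustration. This example also serves section 4.2.1."""
import math
import random

def binomial_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k + 1))

def discovery_sample_size(risk, tolerable_rate):
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, the chance of seeing zero deviations in n items is at most `risk`
    (expected deviation rate 0, as in discovery sampling)."""
    if not 0 < risk < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("risk and tolerable rate must be in (0, 1)")
    return math.ceil(math.log(risk) / math.log(1 - tolerable_rate))

def upper_deviation_limit(n, deviations, risk, tol=1e-7):
    """Achieved upper limit: the largest population deviation rate still
    consistent with observing `deviations` in n items at the given risk,
    found by bisection on the binomial CDF."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if binomial_cdf(deviations, n, mid) > risk:
            lo = mid       # this rate is still plausible; the limit is higher
        else:
            hi = mid
    return hi

def evaluate(sample, is_deviation, risk, tolerable_rate):
    """Steps 'test the sample items' and 'evaluate the sample results'."""
    found = [item for item in sample if is_deviation(item)]
    limit = upper_deviation_limit(len(sample), len(found), risk)
    return {
        "sample_size": len(sample),
        "deviations": len(found),
        "sample_rate": len(found) / len(sample),
        "upper_limit": limit,
        "control_supported": limit <= tolerable_rate,
        "deviation_ids": [item["ticket"] for item in found],
    }

# Constructed population: 2000 change tickets, about 1% of which lack an approver.
POPULATION = [{"ticket": f"CHG-{n:05d}", "approver": "" if n % 97 == 0 else "mgr"}
              for n in range(1, 2001)]

def run_plan(risk=0.05, tolerable_rate=0.02, seed=42):
    """The full plan: objective -> attribute -> population -> parameters ->
    size -> selection -> testing -> evaluation -> documentation record."""
    n = discovery_sample_size(risk, tolerable_rate)
    sample = random.Random(seed).sample(POPULATION, n)
    result = evaluate(sample, lambda t: t["approver"] == "", risk, tolerable_rate)
    result.update(objective="approval recorded on every change ticket",
                  risk=risk, tolerable_rate=tolerable_rate, seed=seed)
    return result

if __name__ == "__main__":
    for key, value in run_plan().items():
        print(f"{key:18s} {value}")
```

With 5% risk and a 2% tolerable rate the plan calls for 149 items, the figure the standard attribute sampling tables give for an expected rate of 0. The evaluation shows why discovery sampling is an all-or-nothing test: zero deviations in 149 items gives an upper limit just under 2%, so the control is supported, but a single deviation pushes the upper limit above 3%, and the control is not.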

4.3 Types of tests

• There is a difference between choosing a sample for the purpose of testing an
organization's compliance with control procedures and choosing a sample to evaluate
the integrity of individual transactions, data or other information. The former
procedures are called compliance tests and the latter are called substantive tests.

4.3.1 Compliance Testing

Auditors perform tests of controls to determine that the control policies, practices and
procedures established by management are functioning as planned.
• For example, if the IS auditor is concerned about whether program library controls are
working properly, the IS auditor might select a sample of programs to determine if the
source and object versions are the same. The broad objective of any compliance test is
to provide IS auditors with reasonable assurance that the particular control on
which the IS auditor plans to rely is operating as the IS auditor perceived in the
preliminary evaluation.

4.3.2 Substantive Testing

Substantive testing is the direct verification of a process, i.e. whether it generates the required
results. Examples would include reconciling a bank account and confirming accounts
receivable.

• An IS auditor might develop a substantive test to determine if the tape library
inventory records are stated correctly. To perform this test, the IS auditor might take a
thorough inventory or might use a statistical sample, which will allow the IS auditor to
develop a conclusion regarding the accuracy of the entire inventory.
• There is an inverse relationship between the strength of internal controls and the amount of
substantive testing required. If the results of testing controls (compliance tests) reveal
the presence of adequate internal controls, then the IS auditor is justified in
minimizing the substantive procedures. Conversely, if the testing of controls reveals
weaknesses in controls that may raise doubts about the completeness, accuracy or
validity of the accounts, substantive testing can alleviate those doubts.

4.3.2.1 Select Test Methods

Three methods for testing controls to determine if they are working:
1. DOCUMENT ANALYSIS: review records, forms, or other documents
2. OBSERVATION: watch the control being performed in practice
3. INTERVIEW: elicit information from those performing that control

4.3.2.2 Areas to audit

• An IS auditor can audit several areas where controls apply, guided by the
materiality of the chosen sample:
• Around the computer
• Through the computer
• With the computer
Auditing Around the Computer
The auditor ignores computer processing. Instead, the auditor selects source
documents that have been input into the system and summarizes them manually to see
if they match the output of computer processing.
Auditing With the Computer
The utilization of the computer by an auditor to perform some audit work that would
otherwise have to be done manually.
Auditing Through the Computer
The process of reviewing and evaluating the internal controls in an electronic data
processing system, e.g. by running test data through the system's own programs.

4.4 Materiality and Precision

• Materiality and precision are related concepts that also affect sample size.
• Materiality: a 10 percent misstatement in the accounts receivable balance is probably
material, but a 10 percent misstatement in the office supplies account balance might
not be.
• If testing accounts receivable balances, we will need to look at a larger sample if we
want to have an estimate that falls within 10 percent than if our desired precision was
only 20 percent.

4.4.1 Confidence
• Confidence is also important in determining sample size.
• The greater the confidence required, the larger the sample size.
• So if we want to be 95 percent confident that the estimated accounts receivable
balance falls within 10 percent of the true value, we will need a larger sample than if
we only needed to be 80 percent confident.
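The two comparisons above (10% versus 20% precision, 95% versus 80% confidence) worked numerically for a variables test of receivables, as an added example that is not part of the course notes. It uses the textbook mean-per-unit size formula n = (z * s / E)^2 with the normal approximation; the ledger of balances is constructed, s is its standard deviation and E the tolerable error in currency units.

```python
"""Added example, not part of the course notes: how desired precision
(tolerable error, tied to materiality) and confidence drive sample size for a
variables test of an accounts receivable balance, using the textbook
mean-per-unit formula n = (z * s / E)^2 with the normal approximation. The
ledger of balances is constructed; s is its standard deviation, E the
tolerable error in currency units."""
import math
import random
import statistics
from statistics import NormalDist

def z_for_confidence(confidence):
    """Two-sided z value for a confidence level: 0.95 -> 1.96, 0.80 -> 1.28."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be in (0, 1)")
    return NormalDist().inv_cdf(1 - (1 - confidence) / 2)

def sample_size(std_dev, tolerable_error, confidence):
    """Items needed so that the estimated mean balance is within tolerable_error
    of the true mean with the given confidence (simple random sampling from a
    large population; no finite-population correction)."""
    if std_dev <= 0 or tolerable_error <= 0:
        raise ValueError("standard deviation and tolerable error must be positive")
    z = z_for_confidence(confidence)
    return math.ceil((z * std_dev / tolerable_error) ** 2)

def size_table(balances, precisions=(0.10, 0.20), confidences=(0.95, 0.80)):
    """Sample size for each (precision as a fraction of the mean balance,
    confidence) pair: the comparison the notes make in words."""
    mean = statistics.fmean(balances)
    sd = statistics.stdev(balances)
    return {(p, c): sample_size(sd, p * mean, c) for p in precisions for c in confidences}

# Constructed receivables ledger: 500 customer balances with a long right tail,
# which is typical of receivables and is what makes the sample size large.
_rng = random.Random(3)
RECEIVABLES = [round(_rng.lognormvariate(7.5, 0.8), 2) for _ in range(500)]

if __name__ == "__main__":
    for (p, c), n in sorted(size_table(RECEIVABLES).items()):
        print(f"precision {p:.0%} of mean, confidence {c:.0%}: n = {n}")
```

Halving the tolerable error (20% to 10%) quadruples the sample, since n grows with the square of 1/E; raising confidence from 80% to 95% multiplies it by (1.96/1.28)^2, roughly 2.3. Both effects are why the precision and confidence chosen at planning time must be justified by the materiality of the balance, not picked after the fact to make the sample affordable.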
4.5 Sampling risk
• Sampling risk is the probability that the sample results are not representative of the
entire population and thus the auditor's conclusion is different from that which would be
reached if the whole population was examined.
• This may result in:
(a) the risk of incorrect rejection (also called alpha risk), which arises when the
sample indicates a higher level of errors than is actually the case. This situation is
usually resolved by additional audit work being performed. This risk affects audit
efficiency but should not affect the validity of the resulting audit conclusion;
(b) the risk of incorrect acceptance (also called beta risk), when material error is not
detected in a population because the sample failed to select sufficient items
containing errors. This risk, which affects audit effectiveness, can be quantified
using statistical sampling techniques. Although it is possible that an unqualified
auditors' report could be issued inappropriately, such errors should be detected by
other complementary audit procedures (assuming that the sample size is appropriate to
the level of detection risk).

• Sampling risk is frequently expressed as a percentage. For example, 5% means that there is a 1
in 20 chance of material error going undetected (this is the risk accepted by many
audit firms for any specific audit test). Risk can also be expressed in terms of
confidence levels (assurance required) and reliability factors.
4.6 Evidence

• Evidence is any information used by the IS auditor to determine whether the entity or
data being audited follows the established audit criteria or objectives. It may include
the auditor's observations, notes taken from interviews, material extracted from
correspondence and internal documentation, or the results of audit test procedures.
Some evidence is more reliable than other evidence.

4.6.1 Rules of evidence

• Determinants for evaluating the reliability of audit evidence include:
• Independence of the provider of the evidence: evidence obtained from outside
sources is more reliable than evidence from within the organization. This is why confirmation
letters are used for verification of accounts receivable balances.
• Qualification of the individual providing the information or evidence: whether the
providers of information or evidence are inside or outside of the organization, the IS
auditor should always consider the qualifications of the persons providing the
information.
• Objectivity of the evidence: objective evidence is more reliable than evidence that
requires considerable judgment or interpretation. An IS auditor's count of a cash fund
is direct, objective evidence, but his analysis of the efficiency of an application, based
upon discussions with certain personnel, may not be objective audit evidence.
• Timing of evidence: the IS auditor should consider the time during which
information exists or is available in determining the nature, timing and extent of
substantive testing and, if applicable, compliance testing. For example, audit evidence
processed by electronic data interchange (EDI), document image processing (DIP) and
dynamic systems such as spreadsheets may not be retrievable after a specified period
of time if changes to the files are not controlled or the files are not backed up.

4.6.2 Techniques for evidence gathering

• Review information systems organization structures: the IS auditor should
understand general organizational controls and be able to evaluate these controls in the
organization under audit.
• Review IS policies and procedures: the IS auditor should review whether appropriate
policies and procedures are in place, determine whether personnel understand the
implemented policies and procedures, and ensure that they are being followed.
• Review information systems standards: the IS auditor should understand the existing
standards in place within the organization.
• Review information systems documentation: a first step in reviewing the documentation
for an information system is to understand the existing documentation in place within
the organization. The IS auditor should look for a minimum level of information systems
documentation.
• Interview appropriate personnel: the purpose of such interviews is to gather audit
evidence. Personnel interviews are discovery in nature and should never be accusatory.
• Observe processes and employee performance: the observation of processes is a key
audit technique for many types of reviews. The IS auditor should be unobtrusive while
making observations and should document everything in sufficient detail to be able to
present it, if required, as audit evidence at a later date.
• Analyze test results to:
determine specific causes of variances;
identify regional or statewide trends;
assess actual or potential impacts.

4.6.3 Areas with Weak Controls

Weak controls may not show up immediately, but certain signs point to this deficiency:
• Inability to meet management's deadlines for supplying information
• Incorrect or unclear information
• Unusually high employee turnover
• Crowded, poorly organized files, requiring extra effort to locate material
• Poor employee morale

4.7 Computer Assisted Audit Techniques (CAATs)

• CAATs are computer programs and data that the auditor uses as part of the audit
procedures to process data of audit significance contained in an entity's information
systems.
CAATs may be used in performing various auditing procedures, including the
following:
• Tests of details of transactions and balances, for example the use of audit software for
recalculating interest or the extraction of invoices over a certain value from computer
records;
• Analytical procedures, for example identifying inconsistencies or significant
fluctuations;
• Tests of general controls, for example testing the set-up or configuration of the
operating system or access procedures to the program libraries, or using code
comparison software to check that the version of the program in use is the version
approved by management;
• Sampling programs to extract data for audit testing;
• Re-performing calculations performed by the entity's accounting systems.
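Three of the procedures listed above run over one invoice extract, as an added example that is not part of the course notes and not the output of any audit package: extraction of invoices over a value threshold, re-performance of the interest calculation, and an analytical check for significant month-to-month fluctuations. The file layout, the interest rule (simple interest at an assumed annual rate on days paid after the due date) and the thresholds are assumptions; the rows are constructed, not real data.

```python
"""Added example, not part of the course notes: three of the CAAT procedures
listed above run over one constructed invoice extract: extraction of invoices
over a value threshold, re-performance of the interest calculation, and an
analytical check for significant month-to-month fluctuations. The file layout,
the interest rule (simple interest at an annual rate on days past due) and the
thresholds are assumptions; the rows are constructed, not real data."""
import csv
import io
from datetime import date
from decimal import Decimal, ROUND_HALF_UP

# Constructed extract, as the entity's system might export it.
INVOICE_CSV = """\
invoice,customer,issued,due,paid,amount,interest_charged
INV-101,ACME,2024-01-05,2024-02-04,2024-02-04,1200.00,0.00
INV-102,ACME,2024-01-20,2024-02-19,2024-03-20,8500.00,83.84
INV-103,BETA,2024-02-02,2024-03-03,2024-03-03,300.00,0.00
INV-104,BETA,2024-02-15,2024-03-16,2024-04-15,15000.00,120.00
INV-105,GAMMA,2024-03-01,2024-03-31,2024-03-31,27000.00,0.00
INV-106,GAMMA,2024-03-09,2024-04-08,2024-04-18,4100.00,13.48
"""
ANNUAL_RATE = Decimal("0.12")   # assumed contractual late-payment rate
CENT = Decimal("0.01")

def load(text):
    """Read the extract into typed rows (dates as date, money as Decimal)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for k in ("issued", "due", "paid"):
            r[k] = date.fromisoformat(r[k])
        r["amount"] = Decimal(r["amount"])
        r["interest_charged"] = Decimal(r["interest_charged"])
        rows.append(r)
    return rows

def over_threshold(rows, threshold):
    """Extraction: invoices whose amount exceeds the threshold."""
    return [r["invoice"] for r in rows if r["amount"] > Decimal(threshold)]

def expected_interest(row):
    """Re-performance: simple interest on the days paid after the due date."""
    days_late = max((row["paid"] - row["due"]).days, 0)
    raw = row["amount"] * ANNUAL_RATE * days_late / Decimal(365)
    return raw.quantize(CENT, rounding=ROUND_HALF_UP)

def interest_exceptions(rows):
    """Invoices where the system's interest differs from the recalculated figure:
    (invoice, charged, expected)."""
    out = []
    for r in rows:
        exp = expected_interest(r)
        if exp != r["interest_charged"]:
            out.append((r["invoice"], r["interest_charged"], exp))
    return out

def monthly_fluctuations(rows, threshold_ratio=Decimal("2")):
    """Analytical procedure: flag months whose invoiced total is more than
    threshold_ratio times the previous month's, or less than 1/threshold_ratio of it."""
    totals = {}
    for r in rows:
        key = r["issued"].strftime("%Y-%m")
        totals[key] = totals.get(key, Decimal(0)) + r["amount"]
    months = sorted(totals)
    flagged = []
    for prev, cur in zip(months, months[1:]):
        ratio = totals[cur] / totals[prev]
        if ratio > threshold_ratio or ratio < 1 / threshold_ratio:
            flagged.append((cur, totals[prev], totals[cur]))
    return flagged

if __name__ == "__main__":
    rows = load(INVOICE_CSV)
    print("over 10,000:", over_threshold(rows, "10000"))
    print("interest exceptions:", interest_exceptions(rows))
    print("month-on-month fluctuations:", monthly_fluctuations(rows))
```

Money is kept in Decimal and rounded only once, at the end, with the rounding mode stated; a re-performance done in binary floating point can disagree with the entity's system by a cent and generate false exceptions that hide the real one (INV-104, undercharged by about 28.00).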

4.7.1 Types of CAAT software

• Generalized audit software (ACL, IDEA, etc.): provides an independent
means to gain access to data for analysis. The effective and efficient use of the
software requires an understanding of its capabilities and limitations.
Generalized audit software (GAS) refers to standard software that has the
capability to directly read and access data from various database platforms, flat
file systems and ASCII formats. IS auditors can directly access the data stored
in a computer and perform various types of mathematical computations and
statistical analysis.
• Utility software: a subset of software, such as database management
systems and report generators, that provides evidence to the auditors about system
control effectiveness.
• Test data: involves the auditor using a sample set of data to assess whether
logic errors exist in a program and whether the program meets its objectives.
• Application software for continuous online audits: review of an application
system will provide information about the internal controls built into the system.
• Audit expert systems: give direction and valuable information to all levels of
auditors while carrying out the audit, because the query-based system is built
on the knowledge base of the senior auditors or managers.

4.7.2 Need for CAATs

• The audit findings and conclusions are to be supported by appropriate analysis and
interpretation of the evidence. Today's information processing environments pose a
stiff challenge to the IS auditor to collect sufficient, relevant and useful evidence, since
the evidence exists on magnetic media and can only be examined using CAATs.
• With systems having different hardware and software environments, different data
structures, record formats, processing functions, etc., it is almost impossible for the IS
auditor to collect evidence without a software tool to collect and analyze the records.

4.7.3 Advantages
• Reduced level of audit risk
• Greater independence from the auditee
• Broader and more consistent audit coverage
• Faster availability of information
• Improved exception identification
• Greater flexibility of run times
• Greater opportunity to quantify internal control weaknesses
• Enhanced sampling
• Cost savings over time

Review Questions
i) A number of factors could have a strong influence on the type of statistical methods
used and the quality of results; describe them.
ii) Discuss the objectives of audit sampling.
iii) Explain the rationale for using CAATs.
iv) Why is it necessary to evaluate the reliability of audit evidence?

References for further reading
CHAPTER FIVE: PREPARING AUDIT REPORTS
Learning Objectives
At the end of this lesson, the learner should be able to;
Explain what an audit report is.
Describe the different types of audit reports.
Evaluate the benefits of an audit report.

5.0Preparing Audit Reports


Introduction
 The Auditor's report is a formal opinion, or issued by an auditor as a result of an audit
or evaluation performed on a company.
 The report is subsequently provided to a ―user‖ (such as an individual, a group of
persons, a company etc) as an assurance service in order for the user to make decisions
based on the results of the audit.
 Upon the performance of the audit test, the Information Systems Auditor is required to
produce and appropriate report communicating the results of the IS Audit. An IS Audit
report should:
 Identify an organization, intended recipients and any restrictions on circulation.
 State the scope, objectives, period of coverage, nature, timing and the extend
of the audit work.
 State findings, conclusions, recommendations and any reservations,
qualifications and limitations.
 Provide audit evidence.

5.1 Types of reports


 There are four common types of auditor‘s reports, each one presenting a different
situation encountered during the auditor‘s work.
 Unqualified Opinion report
 Qualified Opinion report
 Adverse Opinion report
 Disclaimer of Opinion report
5.1.1 Unqualified opinion report
 This type of report is issued by an auditor when the information systems presented are
free of material misstatements and are in accordance with the Generally Accepted IS
Audit Principles, which in other words means that the company‘s information systems
and operations are fairly presented. It is the best type of report an auditee may receive
from an external auditor.
5.1.2 Qualified Opinion report
A Qualified Opinion report is issued when the auditor encountered one of two
types of situations which do not comply with generally accepted auditing
principles, however the rest of the controls are fairly intact. This type of opinion is

30
very similar to an unqualified or ―clean opinion‖, but the report states that there
exists a certain exception which is otherwise misstated. The two types of situations
which would cause an auditor to issue this opinion over the Unqualified opinion
are:
5.1.2.1 Single deviation from IS standards – this type of qualification occurs when one or
more areas do not conform with ISA standards (e.g. are misstated), but do not affect
the rest of the report.
5.1.2.2 Limitation of scope – this type of qualification occurs when the auditor could not
audit one or more areas as planned and therefore could not verify them, while the rest of
the areas were audited and conform with standards. An example of this is an
auditor not being able to observe and test a company's inventory system. If the auditor
audited the rest of the information systems and is reasonably sure that they conform
with standards, then the auditor simply states that the information systems are fairly
represented, with the exception of the inventory system, which could not be audited.

5.1.3 Adverse Opinion report

An Adverse Opinion is issued when the auditor determines that the information
systems of an auditee are materially misstated and, when considered as a whole, do
not conform with ISA.
It is considered the opposite of an unqualified or clean opinion, essentially stating
that the information contained is materially incorrect, unreliable, and inaccurate.
5.1.4 Disclaimer of Opinion report
A Disclaimer of Opinion, commonly referred to simply as a Disclaimer, is issued
when the auditor could not form, and consequently refuses to present, an opinion
on the financial statements. This type of report is issued when the auditor tried to
audit an entity but could not complete the work due to various reasons and does
not issue an opinion.
Although this type of opinion is rarely used, the most common examples where
disclaimers are issued include audits where the auditee willfully hides or refuses to
provide evidence and information to the auditor in significant areas of the audit,
where the auditee is facing significant legal and litigation issues in which the
outcome is uncertain (usually government investigations), and where the auditee
has going concern issues (the auditee may not continue operating in the near future).

Review Questions
i) Define an audit report
ii) Discuss the key issues that one must consider when preparing audit reports
iii) Describe benefits of an audit report

References for further Reading

CHAPTER SIX: INFORMATION TECHNOLOGY AUDIT & FORENSIC
TECHNIQUES

Learning Objectives

By the end of this chapter the learner should be able to:


i) Define the terms forensic computing and evidence
ii) Explain the challenges to IT forensic computing
iii) Describe the steps followed in a digital forensic investigative framework.
iv) Explain the various tools used in forensic computing.

6.0 INTRODUCTION
Forensic Computing is the process of identifying, preserving, analyzing, and presenting
digital evidence in a manner that is legally acceptable in a court of law.
Our interest is in …
 Identifying and preserving evidence,
 "post-mortem" system analysis to determine the extent and nature of an attack, and
 the forensic framework

6.1 Challenges of IT Forensic Techniques to Organizations


Forensic Audit
A forensic audit is used to discover information about a possible crime and to understand fraud. It aims to:
 Gather evidence about the existence of fraud
 Identify and respond to fraud risks
 Document and communicate findings
 Incorporate a technology focus

6.1.1 Network Fraud


 Companies now highly reliant on networks
 Networks increasingly vulnerable to attacks
 Viruses, Trojans, Rootkits can add backdoors
 Social Engineering including Phishing and Pharming
 Confidential and proprietary information can be compromised
 Can create a corporate liability

6.1.2 Security Challenges


 Technology expanding and becoming more sophisticated
 Processes evolving and integrating with technologies
 People undertrained
 Policies outdated
 Organizations at risk

6.2 Challenges of IT Forensic Techniques to Auditors


 Majority of fraud is uncovered by chance

 Auditors often do not look for fraud

 Prosecution requires evidence

 Value of IT assets growing

6.2.1 Knowledge, Skills, Abilities: Needs


Auditors need KSAs to …
 Build a digital audit trail

 Collect "usable" courtroom electronic evidence

 Trace an unauthorized system user

 Recommend or review security policies

 Understand computer fraud techniques

 Analyze and valuate incurred losses

6.2.2 Immediate Concerns


 What is level of certainty that a problem exists?

 Is this a criminal act?

 Can the system be isolated?

 Is the intrusion internal or external?

 Are suspects known?

 Is extent of loss/damage known?

6.2.3 Immediate Response


 Shut down computer (pull plug)

 Bit-stream mirror-image of data

 Begin a traceback to identify possible log locations

 Contact system administrators on intermediate sites to request log preservation

 Contain damage

 Collect local logs

 Begin documentation

6.2.4 Continuing Investigation


 Implement measures to stop further loss

 Communicate to management and audit committee regularly

 Analyze copy of digital files

 Ascertain level and nature of loss

 Identify perpetrator(s)

 Develop theories about motives

 Maintain chain-of-custody

6.3 Digital Crime Scene Investigation


Goal: Determine what fraud events occurred by using digital evidence.
 Incident/Crime: An event that violates a policy or law

 Investigation: A process that develops and tests hypotheses to answer questions about
events that occurred

6.4 Framework for an Investigative Process for Digital Forensics


6.4.1 Identification
 Event/crime detection

 Resolve signature

 Profile detection

 Anomalous detection

 Complaints

 System monitoring

 Audit analysis

6.4.2 Preservation
 Goal: Preserve the state of as many digital objects as possible and document the crime
scene.

 Methods:

 Shut system down

 Unplug (best)

 Do nothing

 Bag and tag

6.4.3 Documenting the Scene


 Note time, date, persons present

 Photograph and video the scene

 Draw a layout of the scene

 Search for notes (passwords) that might be useful

 If possible freeze the system such that the current memory, swap files, and even CPU
registers are saved or documented

6.4.3.1 Types of evidence


 Direct Evidence: proves existence without inference or presumption, e.g. testimony
from an eyewitness or written documents.

 Indirect evidence: uses a hypothesis to make a claim based on inference and
presumption.

 Often a chain of circumstances will lead to a claim. Also called circumstantial
evidence.

6.4.3.2 Grading evidence


 Four characteristics are used to grade evidence:

 Material relevance: how well it relates to the issue being investigated. The
more material, the more helpful.

 Evidence objectivity: ability to be accepted and understood with little
judgement. The more judgement required, the less objective.

 Competency of the evidence provider: evidence from a person directly
involved is better.

 Evidence independence: the provider should not have any gain or loss by
providing the evidence.

6.4.3.3 Rules of Evidence


 Complete

 Authentic

 Admissible

 Reliable

 Believable

6.4.3.4 Requirements for Evidence


Computer logs …
 Must not be modifiable

 Must be complete

 Appropriate retention rules

6.4.3.5 Timing of evidence


 Particularly important when dealing with digital evidence, which may be available
only during a limited window of time before it is overwritten or deleted.

6.4.3.6 Problems with Digital Evidence


 Timing essential – electronic evidence volatile

 Auditor may violate rules of evidence

 NEVER work directly on the evidence

 Skills needed to recover deleted data or encrypted data

6.4.3.7 Technology for gathering evidence


 Magnetic disks contain data after deletion

 Overwritten data may still be salvaged

 Memory still contains data after switch-off

 Swap files and temporary files store data

 Most OSs perform extensive logging (so do network routers)

6.4.3.8 Order of Volatility


 Preserve most volatile evidence first

 Registers, caches, peripheral memory

 Memory (kernel, physical)

 Network state

 Running processes

 Disk

 Floppies, backup media

 CD-ROMs, printouts

6.4.4 Collecting Evidence


 Must use:

 Approved methods

 Approved software

 Approved hardware

 Legal authority

 Lossless compression

 Sampling

 Data reduction

 Recovery techniques
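The collection requirements above (acquire in order of volatility, never work on the original, keep evidence unmodifiable, protect chain-of-custody) can be enforced by a small acquisition script. The following is an added example, not code from these notes, that hashes each artifact as it is acquired, records who collected it and when, and later verifies a working copy against the manifest; the artifact names, the stub acquisition function and the sample bytes are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Volatility classes from the chapter's order-of-volatility list, most volatile first.
VOLATILITY_ORDER = [
    "registers_caches", "memory", "network_state", "running_processes",
    "disk", "backup_media", "cdrom_printouts",
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_in_volatility_order(artifacts, collector, acquire):
    """Acquire artifacts most-volatile-first and build a chain-of-custody manifest.

    artifacts: list of (name, volatility_class) pairs.
    acquire:   callable(name) -> bytes, the approved acquisition method. Here it is
               a constructed in-memory stub; on a real case it would be the imaging tool.
    Each entry records what was taken, by whom, when, and its SHA-256 so that a later
    examiner can prove the copy being analysed is unmodified.
    """
    rank = {cls: i for i, cls in enumerate(VOLATILITY_ORDER)}
    manifest = []
    for name, cls in sorted(artifacts, key=lambda a: rank[a[1]]):
        data = acquire(name)
        manifest.append({
            "artifact": name,
            "volatility": cls,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return manifest

def verify_working_copy(entry, working_copy: bytes) -> bool:
    """Analysis is never done on the original: check the copy against the manifest hash."""
    return sha256_hex(working_copy) == entry["sha256"]

# Constructed sample evidence (stand-ins for a memory dump, a network-state capture
# and a disk image); the bytes are arbitrary and carry no real data.
SAMPLE_EVIDENCE = {
    "ram.dump": b"\x00" * 32 + b"constructed memory contents",
    "netstat.txt": b"constructed network state capture\n",
    "sda.img": b"constructed disk image" + b"\xff" * 64,
}

def demo():
    """Collect the three constructed artifacts, then check one working copy both ways."""
    artifacts = [("sda.img", "disk"), ("netstat.txt", "network_state"), ("ram.dump", "memory")]
    manifest = acquire_in_volatility_order(artifacts, "examiner-01", SAMPLE_EVIDENCE.__getitem__)
    order = [e["artifact"] for e in manifest]  # memory first, disk last
    ram = next(e for e in manifest if e["artifact"] == "ram.dump")
    intact = verify_working_copy(ram, SAMPLE_EVIDENCE["ram.dump"])          # True
    tampered = verify_working_copy(ram, SAMPLE_EVIDENCE["ram.dump"] + b"x")  # False
    return order, intact, tampered

if __name__ == "__main__":
    print(demo())
```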

6.4.5 Examination
 Involves :

 Preservation

 Traceability

 Validation Techniques

 Filtering techniques

 Pattern matching

 Hidden data discovery

 Hidden data extraction

6.4.6 Analysis
 Involves

 Preservation

 Traceability

 Statistical

 Protocols

 Data mining

 Timeline

6.4.7 Presentation

Involves
 Documentation

 Expert testimony

 Clarification

 Mission impact statement

 Recommended countermeasure

 Statistical interpretation

6.5 Digital Forensic Investigation Process


A process that uses science and technology to examine digital objects and that develops and
tests theories, which can be entered into a court of law, to answer questions about events that
occurred.

IT Forensic Techniques are used to capture and analyze electronic data and develop theories.
6.5.1 Approach
 A formalized approach

 Has specific rules, structure and vocabulary

 Allows repeatability

 May be used to verify a process

6.6 Forensic Tools


Forensic Software Tools are used for …
 Data imaging

 Data recovery

 Data integrity

 Data extraction

 Forensic Analysis

 Monitoring

6.7 Process/System Analysis Tools


 sysinternals tools for Windows

 FileMon – shows filesystem activity in real time

 PSMon – watch process/thread creation in real time

 PsFile - shows files opened remotely

 PsKill - kill processes by name or process ID

 PsInfo - list information about a system

 PsList - list detailed information about processes

6.7.1 Process/System Analysis Tools


 PsLoggedOn - see who's logged on locally and via sharing

 PsLogList - dump event log records

 PsPasswd - changes account passwords

 PsService - view and control services

 PsSuspend - suspends processes

 Handle – shows which files are opened by which processes

 RegMon – see registry activity in real time

 ListDLLs – show loaded DLLs

6.7.2 Audit Command Language


ACL is a computer data extraction and analytical audit tool whose audit capabilities include …
 Statistics

 Duplicates and Gaps

 Stratify and Classify

 Sampling

 Benford Analysis
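As an added example (not taken from these notes or from the ACL product), two of the listed capabilities, Benford analysis and duplicates-and-gaps testing, implemented in Python over constructed invoice data; the chi-square critical value and the sample series are assumptions stated in the comments.

```python
import math
from collections import Counter

# Chi-square critical value for 8 degrees of freedom (nine leading digits minus one)
# at the 5% significance level.
CHI_SQUARE_CRITICAL_8DF = 15.507

def benford_expected(digit: int) -> float:
    """Benford's law: the leading digit d occurs with probability log10(1 + 1/d)."""
    return math.log10(1 + 1 / digit)

def first_digit(amount: float) -> int:
    """Leading significant digit of a non-zero amount, read off scientific notation."""
    return int(f"{abs(amount):e}"[0])

def benford_test(amounts):
    """Compare observed leading-digit counts with Benford's expectation.

    Returns the count per digit, the chi-square statistic and a flag that is True
    when the population deviates enough to warrant follow-up. Zero amounts have no
    leading digit and are skipped.
    """
    digits = [first_digit(a) for a in amounts if a != 0]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    chi_square = 0.0
    for d in range(1, 10):
        expected = n * benford_expected(d)
        chi_square += (counts.get(d, 0) - expected) ** 2 / expected
    return {"n": n, "counts": dict(counts), "chi_square": chi_square,
            "flagged": chi_square > CHI_SQUARE_CRITICAL_8DF}

def duplicates_and_gaps(sequence_numbers):
    """Duplicates-and-gaps check on a numeric series such as invoice numbers.

    Duplicates can point to double payments or re-used documents; gaps to removed
    or never-recorded ones. Both are leads for the auditor, not proof of fraud.
    """
    counts = Counter(sequence_numbers)
    duplicates = sorted(k for k, c in counts.items() if c > 1)
    present = set(sequence_numbers)
    gaps = [k for k in range(min(present), max(present) + 1) if k not in present]
    return duplicates, gaps

# Constructed sample data. The "natural" set is log-uniform over three decades, which
# follows Benford's law closely; the "fabricated" set mimics invented amounts clustered
# just around an approval limit.
NATURAL_AMOUNTS = [10 ** (i / 200) for i in range(600)]
FABRICATED_AMOUNTS = [4999.0 + i * 0.25 for i in range(40)]  # leading digits 4 and 5 only
INVOICE_NUMBERS = [1001, 1002, 1002, 1003, 1005, 1007]

if __name__ == "__main__":
    print(benford_test(NATURAL_AMOUNTS)["flagged"], benford_test(FABRICATED_AMOUNTS)["flagged"])
    print(duplicates_and_gaps(INVOICE_NUMBERS))
```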

6.8 Developing a Forensic Protocol


 The response plan must include a coordinated effort that integrates a number of
organizational areas and possibly external areas

 Response to fraud events must have top priority

 Key players must exist at all major organizational locations

6.8.1 End-to-End Forensic Analysis


First rule of end-to-end forensic digital analysis
 Primary evidence must always be corroborated by at least one other piece of relevant
primary evidence to be considered a valid part of the evidence chain. Evidence that
does not fit this description, but does serve to corroborate some other piece of
evidence without itself being corroborated, is considered to be secondary evidence.

An Example of an End-to-End Investigation
6.9 The Role of Policies in forensics
 They define the actions you can take

 They must be clear and simple to understand

 The employee must acknowledge that he or she read them, understands them and will
comply with them

 They can't violate law

6.9.1 Forensic Response Control
Incident Response Planning …
 Identify needs and objectives

 Identify resources

 Create policies, procedures

 Create a forensic protocol

 Acquire needed skills

 Train

 Monitor

6.9.2 Forensic Protocol


 First responder triggers alert

 Team response

 Freeze scene

 Begin documentation

 Auditors begin analysis

 Protect chain-of-custody

 Reconstruct events and develop theories

 Communicate results of analysis

Review Questions
i) Define the terms forensic computing, evidence and forensic protocol.
ii) Describe the forensic investigative framework.
iii) What are the challenges facing forensic investigations?
iv) Explain the role of policy in forensics.
v) Has forensic investigation had a breakthrough in detecting crime? Discuss.

References for further Reading

CHAPTER SEVEN: COBIT
Learning Objectives:
By the end of this chapter the learner should be able to:
i) Define the term COBIT
ii) Explain the uses of COBIT and the various domains, processes and resources involved.
iii) Describe the benefits of COBIT

7.0 Introduction
 COBIT – Control Objectives for Information and related Technology

 COBIT development started in 1994 with first version published in 1996 by ISACA
(Information Systems Audit and Control Association) http://www.isaca.org

 Supports IT governance by providing a comprehensive description of the control
objectives for IT processes

 Created to provide a set of measures, indicators, processes and best practices

 Generic control objectives for each IT process

 Framework to align IT governance with business requirements

 Management Guidelines for alignment

 Control Objectives

 Set metrics ("Goal Indicators - KGIs" and "Performance Indicators - KPIs")

 Assess "as-is" and "to-be" capability using maturity models

7.1 COBIT Target Groups


 COBIT is primarily intended for management, business users of IT and auditors

 Main target groups

 Managers – holding executive responsibility for operation of the enterprise.

 End users – provide assurance of security and controls

 Auditors – independent assurance of quality and controls

 Business and IT consultants – bring knowledge and advice

 IT Service Management Professionals – provides a framework covering the
complete lifecycle of IT systems and services

The Framework’s Principles
7.2 IT Resources
 Data : Data objects in their widest sense, i.e., external and internal,
structured and non-structured, graphics, sound, etc.

 Application Systems : understood to be the sum of manual and
programmed procedures.

 Technology : covers hardware, operating systems, database management
systems, networking, multimedia, etc.

 Facilities : Resources to house and support information systems.

 People : Staff skills, awareness and productivity to plan, organize,
acquire, deliver, support and monitor information systems and services.

7.3 COBIT Domains


 Plan & Organize – concerned with identification of the way IT can best contribute to
the achievement of business objectives

 Acquire and Implement – acquiring, implementing or development of IT Solutions to
be integrated into business process

 Deliver & Support – delivery of required services including traditional operations,
security, and training

 Monitor & Evaluate – regular assessment over time for quality and compliance with
control requirements

7.3.1 COBIT Processes within Domains


 Each of the four domains is composed of processes (34 in total):

Domains and processes
 A domain contains the relationships between its individual processes

 For example: Plan and Organize
7.4 COBIT Process Descriptions
 COBIT does offer detailed descriptions for all 34 processes.
 The Process Descriptions:

 contain the inputs, outputs, responsibilities, metrics and goals

 Provide a basis of expert knowledge from which the enterprise may decide what is
relevant to its organization

 Diagrams with relationships to other processes are also illustrated

7.5 COBIT as an IT Governance Framework


 COBIT provides a framework to control IT and supports the following 5
requirements for an IT control framework

 Providing a sharper business focus

 Ensuring a process orientation

 Having a general acceptability among organizations

 Defining a common language

 Helping to meet regulatory requirements

7.5.1 IT Governance Focus Areas


 Strategic Alignment – focus on ensuring the linkage of business and IT plans

 Value Delivery – executing the value proposition throughout the delivery cycle

 Risk Management – requires risk awareness by senior corporate officers, compliance
requirements, transparency

 Resource Management – optimal investment in and management of critical
resources: people, applications, information and infrastructure

 Performance Measurement – tracks and monitors strategy implementation

7.6 Why Should an Organization Adopt COBIT?


 Attention on Corporate IT Governance

 Linking IT to business requirements

 Organize IT activities into a generally accepted process model

 Clear ownership and responsibilities, based on process orientation

 Shared understanding among stakeholders

 Identifying the major IT resources to be leveraged

 Defining management control objectives

 Specific need for control of IT resources

 Business oriented solutions

 Process focused

 Metrics driven

7.7 Who needs COBIT?


 Management needs COBIT

 To evaluate IT investment decisions

 To balance risk and control of investment in an often unpredictable IT
environment

 To benchmark existing and future IT environment

 IT Managers

 To provide the IT services that business requires to support business strategy

 To use as a baseline model to benchmark against various standards (ISO,
FFIEC, SOX etc.)

 Users need COBIT

 To obtain assurance on security and controls of products and services provided
by internal and third parties

 Developers Need COBIT

 Ensure that all applicable IT control objectives in the development project have
been addressed

 IS Information Security Officer & Auditors

 To substantiate opinions to management on internal controls

 To answer the question: What minimum controls are necessary?

Review Questions
i) Define the term COBIT
ii) Who are the users of COBIT?
iii) What are the benefits of using COBIT?
iv) Describe the various domains of COBIT
