IT Audit

The document outlines the IT audit process, emphasizing the evolution from traditional EDP audits to modern IT audits due to increased reliance on computerized systems. It defines IT audit as the evaluation of computer systems to ensure asset safeguarding, data integrity, and compliance with regulations, while detailing objectives and types of audits involved. Additionally, it discusses the importance of IT controls, including general and application controls, and the need for auditors to adapt their methodologies to address new risks associated with computerized environments.


THE IT AUDIT PROCESS
IT Audit Manual Volume I
The pen and paper of manual transactions have made way for the online data entry of
computerized applications; the locks and keys of filing cabinets have been replaced by
passwords and identification codes that restrict access to electronic files. Each new
vulnerability needs to be controlled; assessing the adequacy of each control requires
new methods of auditing.
Correspondingly, the possibilities of data loss and the associated organizational costs have
increased tremendously, along with new risk factors. Due to network vulnerabilities,
the danger of data being tampered with by insiders and outsiders is much higher in
IS systems.
Computers themselves have moved from being just electronic data processing (EDP)
systems to the realm of Information Technology (IT) Systems since they not only
process data but store, utilize and communicate a wide variety of information that
influences decision making at various levels of an organization. As a reflection of
this evolution, the term “EDP audit” has largely been replaced by such terms as
“Information Technology Audit” and “Information Systems Audit”.

With the increase in the investment in, and dependence on, computerised systems by
the auditee, it has become imperative for audit to change its methodology and
approach because of the risks to data integrity, abuse, privacy, etc. In an
IT system, an independent audit is required to provide assurance that adequate
measures have been designed and are operated to minimize the exposure to
various risks.

Definition of IT Audit

IT Audit is defined as “the process of collecting and evaluating evidence to determine whether
a computer system safeguards assets, maintains data integrity, allows organizational
goals to be achieved effectively and uses resources efficiently”.
IT Audit is a broad term that includes:
• Financial Audits (to assess the correctness of an organization’s financial
statements),
• Operational Audits (evaluation of the internal control structure),
• Information Systems Audits (including performance audits),
• Specialized Audits (evaluation of services provided by a third party, such as
outsourcing, etc.), and
• Forensic Audits.
Objectives of IT Audit
The objectives of IT audit include assessment and evaluation of processes that
(a) ensure asset safeguarding, where ‘assets’ include the following five types of assets:
• Data
• Application Systems
• Technology
• Facilities
• People

(b) ensure that the following seven attributes of data or information are maintained:
• Effectiveness - information being relevant and pertinent to the business process
as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency - concerns the efficient use of resources: efficient systems use optimum
resources to achieve the required objectives.
• Confidentiality - concerns the protection of sensitive information.
• Integrity - relates to the accuracy and completeness of information.
• Availability - relates to information being available when required.
• Compliance - deals with laws and regulations. It is also the duty of the IT Auditor
to see that the work practices comply with the laws of the land, such as the IT Act
promulgated by the Government of India.
• Reliability of information - relates to:
o providing management with appropriate information for it to use in
operating the entity,
o financial reporting to users,
o providing information for reporting to the regulatory bodies regarding
compliance with laws and regulations.
IT Audit is all about examining whether the IT processes and IT Resources
combine together to fulfill the intended objectives of the organization to ensure
Effectiveness, Efficiency and Economy in its operations while complying with the
extant rules.

IT CONTROLS
The purpose of the IT Controls module of the IT Audit manual is to provide guidance to
IT Auditors for application in the areas of risks, controls, and audit considerations
related to Information Systems.

It also assists IT Auditors in scoping the issues that generally should be considered in
any review of computer-related controls over the integrity, confidentiality, and
availability of electronic data.

It is not an audit standard; however, the IT Controls review work carried out by
IA&AD may be influenced by different international auditing frameworks.
These may include:
• INTOSAI Auditing Standards,
• Control Objectives for Information and Related Technologies (CoBIT) of the IT
Governance Institute,
• International Federation of Accountants (IFAC) Auditing Standards,
• international standards of professional IT audit organizations such as the
Information Systems Audit and Control Association (ISACA), and
• the Institute of Internal Auditors (IIA), etc.

IT auditors should familiarise themselves with these standards before taking up an IT
audit.

Definition of IT Controls

In many organizations, the entire data has been computerised and all the information is
available only in digital media. In this scenario, auditors have to adapt their
methodology to changed circumstances. While the overall control objectives do not
change in a computerised environment, their implementation does. The approach of
auditors to evaluate internal controls has to change accordingly.
IT Controls in a computer system are all the manual and programmed methods,
policies and procedures that ensure the protection of the entity’s assets, the accuracy
and reliability of its records, and the operational adherence to the management
standards.
The presence of controls in a computerised system is significant from the audit point of
view because such systems may allow duplication of input or processing, may conceal or make
invisible some of the processes, and, in auditee organizations where the computer systems are
operated by third-party service providers employing their own standards and controls, may be
vulnerable to remote and unauthorized access.
When performing an IT Control Audit, both types of testing, compliance and substantive
testing, would be involved. Compliance testing determines if controls are being
applied in the manner described in the program documentation or by the
auditee. In other words, a compliance test determines if controls are being applied in
a manner that “complies with” management policies and procedures.
Substantive testing assesses the adequacy of existing controls in protecting the organization from
fraudulent activity and encompasses substantiating the reported results of processing
transactions or activities. With the help of CAATs (Computer Assisted Audit Techniques), the IT
auditor can plan for 100 per cent substantive testing of the auditee’s data.
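As an added illustration of the distinction above (not code from the manual), the following Python script applies a compliance test and a 100 per cent substantive test, CAAT-style, to a small constructed transaction file; the record layout, the approval threshold and the reported balances are assumptions.

```python
"""CAAT-style compliance and substantive tests over a constructed transaction file.

Added illustration for the compliance/substantive distinction; not code from the
IT Audit Manual. Field names, threshold and records are assumed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: str
    amount: float
    entered_by: str
    approved_by: str   # empty string = no approval recorded


# Constructed sample data (assumed layout). It deliberately contains:
#  - txn 1003: approved by the same user who entered it (no segregation of duties)
#  - txn 1005: high-value transaction with no approval recorded
#  - txn 1006: duplicate input of txn 1004 (same account, amount and user)
#  - txn_id 1007 missing from the sequence (possible deleted/lost record)
TRANSACTIONS = [
    Txn(1001, "A-100", 250.00, "clerk1", "mgr1"),
    Txn(1002, "A-200", 9800.00, "clerk2", "mgr1"),
    Txn(1003, "A-100", 15000.00, "clerk1", "clerk1"),
    Txn(1004, "A-300", 120.50, "clerk2", "mgr2"),
    Txn(1005, "A-200", 52000.00, "clerk3", ""),
    Txn(1006, "A-300", 120.50, "clerk2", "mgr2"),
    Txn(1008, "A-100", 75.00, "clerk1", "mgr2"),
]

# Assumed management policy: amounts at or above this need approval by a second person.
APPROVAL_THRESHOLD = 10000.00

# Balances as the auditee reports them (constructed so that A-200 disagrees with the
# transaction population).
REPORTED_BALANCES = {"A-100": 15325.00, "A-200": 9800.00, "A-300": 241.00}


def compliance_test(txns, threshold=APPROVAL_THRESHOLD):
    """Compliance test: is the approval control applied as management policy says?
    Returns the ids of high-value transactions that break it, by failure type."""
    unapproved, self_approved = [], []
    for t in txns:
        if t.amount >= threshold:
            if not t.approved_by:
                unapproved.append(t.txn_id)
            elif t.approved_by == t.entered_by:
                self_approved.append(t.txn_id)
    return {"unapproved": unapproved, "self_approved": self_approved}


def recompute_balances(txns):
    """Rebuild each account balance from every transaction (100 per cent, not a sample)."""
    totals = {}
    for t in txns:
        totals[t.account] = round(totals.get(t.account, 0.0) + t.amount, 2)
    return totals


def substantive_test(txns, reported):
    """Substantive test: substantiate the reported results of processing. Recompute the
    balances and compare them with the reported figures, flag duplicated input, and
    flag gaps in the transaction id sequence (audit-trail completeness)."""
    recomputed = recompute_balances(txns)
    differences = {
        acct: round(recomputed.get(acct, 0.0) - rep, 2)
        for acct, rep in reported.items()
        if abs(recomputed.get(acct, 0.0) - rep) > 0.005
    }
    key = Counter((t.account, t.amount, t.entered_by) for t in txns)
    duplicates = sorted(t.txn_id for t in txns
                        if key[(t.account, t.amount, t.entered_by)] > 1)
    ids = sorted(t.txn_id for t in txns)
    gaps = sorted(set(range(ids[0], ids[-1] + 1)) - set(ids)) if ids else []
    return {"differences": differences, "duplicates": duplicates, "sequence_gaps": gaps}


if __name__ == "__main__":
    print("Compliance exceptions:", compliance_test(TRANSACTIONS))
    print("Substantive findings:", substantive_test(TRANSACTIONS, REPORTED_BALANCES))
```

The compliance test reports exceptions against the control, while the substantive test reports discrepancies in the data itself; both kinds of finding are needed before the auditor can decide how much reliance to place on the controls.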
Since auditors rely on an assessment of the controls to do their audit, they have to be
aware of the impact of computers on the controls.
In a computerised environment, there are new causes and sources of error, which bring
new risks to the entity. The impact of the factors discussed below should be considered:
• Unauthorized access or changes to data or programs:
• Uniform processing of transactions:
• Automatic processing:
• Increased potential for undetected misstatements:
• Anonymity and reduced accountability:
• Unusual or non-routine transactions:
• Concealment or invisibility of some processes:
• Inaccurate information:
o Failure to identify significant information
o Failure to interpret the meaning and value of the acquired information
o Failure to communicate information to the responsible manager or chief
decision-maker
• Existence, completeness, and volume of the audit trail:
• Nature of hardware and software used: the nature of the hardware and
software can affect inherent risk, as illustrated below:
o The type of computer processing (on-line, batch oriented, or distributed)
presents different levels of inherent risk.
o Peripheral access devices or system interfaces can increase inherent risk.
o Distributed networks enable multiple computer processing units to
communicate with each other, increasing the risk of unauthorized access.
o Applications software developed in-house may have higher inherent risk
than vendor-supplied software that has been thoroughly tested and is in
general commercial use. On the other hand, vendor-supplied software
new to commercial use may not have been thoroughly tested or
undergone client processing to a degree that would encounter all
existing flaws.
• Weak security: information systems security should be a concern of both users
and management.
• Unauthorized remote access: some computer operating systems provide for
access controls which limit the ability of remote users to see, alter, delete or
create data.
• Inadequate testing: independent testing is important to identify design flaws
that may have been overlooked by the developer of a system.
• Inadequate training: organizations may decide not to invest in training by
looking only at the up-front costs.
Controls in a Computerised Environment
• General Controls
• Application Controls

General IT Controls

General controls include controls over data centre operations, system software
acquisition and maintenance, access security, and application system development and
maintenance. They create the environment in which the application systems and
application controls operate. They are not specific to individual transaction streams or
particular accounting packages or financial applications. In most instances the general
controls elements of an IT review will concentrate on the organization’s IT department
or similar function.

Categories of general control include:
1. Organization and management controls
2. IT operational controls
3. Physical controls
4. Logical access controls
5. Acquisition and program change controls
6. Business continuity and disaster recovery controls.
Application Controls
Application controls pertain to specific computer applications. They include controls
that help to ensure the proper authorization, completeness, accuracy, and validity of
transactions, maintenance, and other types of data input.
Application controls are particular to an application and may have a direct impact on
the processing of individual transactions. These controls are used to provide assurance
that all transactions are valid, authorized and recorded.
Since application controls are closely related to individual transactions, it is easier to
see why testing the controls will provide the auditor with audit assurance as to the
accuracy of a particular account balance.
Application controls are:
1. controls over the input of transactions;
2. controls over processing;
3. controls over output; and
4. controls over standing data and master files.

AUDIT OF GENERAL CONTROLS

As stated previously, general controls include controls over data centre operations,
system software acquisition and maintenance, access security, and application system
development and maintenance. They create the environment in which IT applications
and related controls operate.
The IT auditor will focus on general controls that normally pertain to an entity’s
major computer facilities and systems supporting a number of different IT applications,
such as major data processing installations or local area networks. If general controls
are weak, they severely diminish the reliability of controls associated with individual
IT applications i.e. application controls.
Following are the major categories of general controls that an auditor should consider:
1. Organizational And Management Controls
2. IT Operational Controls
3. Physical Controls
4. Logical Access Controls
5. Controls For IT Acquisition
6. Program Change Controls
7. Business Continuity And Disaster Recovery Controls
The IT auditor may use the information for evaluating the practices adopted by auditee
organization.
In order to facilitate the auditor’s evaluation, sample audit programs in a tabular
format have been summarised in this manual as the checklists. These tables can be
used for both initial evaluations as well as for documenting the auditor’s work regarding
testing and audit procedures adopted for IT auditing while carrying out the control
assessment work.
1. Organisational and Management Controls

Objective
These are the high level controls adopted by management to ensure that the computer
systems function correctly and that they are satisfying business objectives.
The aim of IT auditor will be to determine whether the controls that the auditee
organization has put in place are sufficient to ensure that the IT activities are
adequately controlled.
In carrying out an assessment, IT auditor should cover the following areas:
IT planning and senior management involvement
Personnel and training policies
Documentation and document retention policies
Internal audit involvement
Legal and regulatory compliance
Segregation of duties
Risk Areas
An IT auditor should be aware of the following critical elements:
Inadequate management involvement may lead to a direction-less IT
function
Poor reporting structures leading to inadequate decision making.
Inappropriate or no IT planning leading to business growth being
constrained by a lack of IT resources
Ineffective staff who do not understand their jobs
Disgruntled staff being able to sabotage the system
Ineffective internal audit function
Loss of the audit trail
Security policies not in place
The organization and management principles which are relevant to an IT function are
the same as those within an organization’s finance function, and such high-level IT
policies, procedures and standards are very important to establish.
Management has ultimate responsibility for the safeguarding of the organization’s
assets. They are responsible to the stakeholders; taxpayers and citizens in the public
sector. Management sets policies to ensure that the risks to the assets are identified and
adequately managed.
Management establishes and approves the policies. The policies are usually high-
level statements of intent. The policies may feed into standards. While reviewing an
organization’s IT policies and standards, the auditor should bear in mind that each
auditee organization is likely to be different and to have different organizational and
management requirements.
IT Planning and Senior Management Involvement: one of the major causes of IT
project failures is the limited involvement of top management in guiding an
IT project.
Objective
To ensure that, in IT planning and implementation, there is active involvement of
senior level management so that IT is given the proper recognition, attention or
resources it requires to meet business objectives.
To ensure a formal organizational IT structure in which all staff know their roles and
responsibilities, through written and agreed job descriptions.
Risk areas
To have fruitful results from the introduction of IT in the organization, it is essential to
have proper planning and active Senior Level involvement in IT related decisions and
their implementation.
If such involvement does not exist, there is an increased risk that IT will not be given
the recognition, attention or resources it requires.
Audit procedure
The roles and responsibilities of senior management in relation to their business
systems should be considered in audit. The auditor should review the high level
controls exercised by senior management.
Required involvement of Senior Management:
Proposal approval
Analysis of design and development
Selection of product and supplier
Implementation and
Post implementation review.
Steering committee
• Comprised of user representatives from all areas of the business, including the IT
department.
• The Steering Committee would be responsible for the overall direction of IT.
• The nature of the IT Steering Committee will vary according to the client’s
circumstances.
• The IT Steering Committee would be responsible for issues beyond just the
accounting and financial systems, for example, the telecommunications system
(phone lines, video-conferencing), office automation, manufacturing processing
systems etc.
• To be effective, the IT Steering Committee should draw its members from
senior and middle management. Membership should be drawn from all user
departments within an organization.
• Senior management’s place is especially important since their presence gives
the decisions made by the committee greater weight and also ensures that IT is
business driven and not technology driven.
• Once the Steering Committee agrees on a future direction for IT, the decisions
should be formalised and documented in a plan. The future direction agreed by
the IT Steering Committee is normally set out in a document known as the IT
strategic plan.
• The IT strategic plan is in effect the starting point for any investment in IT as it
identifies future changes which have to be budgeted for. The decisions and
planned changes specified within the IT long term plan would then feed into the
IT department’s tactical plans.
An IT strategic plan endorsed by top management is very important for the
following reasons:
• Effective management of information technology is a business imperative
and increasingly a source of competitive advantage, through:
o enhancing the value of existing products or services;
o providing new products and services; and
o introducing alternative delivery mechanisms.
• To benefit from information technology requires foresight to prepare for the
changes, and planning to provide an economical and effective approach.
• Information technology planning provides a structured means of addressing
the impact of technologies, including emerging technologies, on an
organization. Through the planning process, relevant technologies are
identified and evaluated in the context of broader business goals and targets.
• Based on a comparative assessment of relevant technologies, the direction for
the organization can be established.
• The implementation of information technologies may be a complex, time
consuming and expensive process for organizations. Information technology
planning provides a framework to approach and schedule information
technology projects in an integrated manner wherever possible.
• Through this process, performance milestones can be agreed upon, the scope of
specific projects established, resources mobilised and constraints or
limitations identified. Without effective planning, the implementation of
information technologies may be misguided, haphazard, delayed and
more expensive than justified.
• Good governance requires that all investments be justified, including any
information technology investments. Information technology planning
provides a process for not only evaluating alternative approaches, but also
for justifying the selected approach in terms of benefits, both tangible and
intangible, that will be realised by an organization. This is an important
dimension when many of the underlying projects may be difficult to support
on an individual basis.
Although the IT strategic plan is likely to have a minimal effect on the current year’s audit, it
may have a significant effect on future years’ audits. A review of an organization’s
IT strategic plan could forewarn the IT auditor of problems which may arise in later
years.
The organization should develop information technology plans which reflect its
corporate strategy and match its information technology needs for a given future
period.
Notwithstanding the uniqueness of a business perspective, an information technology
plan must be based on the following:
• It should support and complement the business direction of an organization.
• The scope of the plan should be established to facilitate formulation of
effective strategies.
• A planning horizon should be formulated that provides long-term direction
and short-to-medium term deliverables in a manner consistent with the
business strategy.
• Costs of implementation should be justified through tangible and intangible
benefits that can be realised.
• The planning process should recognize the capability and capacity of the
organization to deliver solutions within the stated planning timeframe.
• It should provide a basis for measuring and monitoring performance.
• It should be reassessed periodically.
• It should be disseminated widely.
• Responsibility for implementing the plan should be explicit.
• Management commitment in implementing the plan should be exhibited.
Controls Over IT Acquisition
The importance of IT related acquisitions is usually directly proportional to their cost,
scale and complexity.
In general, the larger and more complex the acquisition, the higher will be its impact on,
and importance to, the business.
In addition, the acquisition may be important to the business due to its interrelationships
with other IT projects.
Control Objective
A structured acquisition process provides a framework for ensuring that:
• there are no major omissions from a business, technical or legal standpoint;
• the costs and resources for the acquisition process are appropriate and are
efficiently deployed;
• the validity of the business case in support of the acquisition is reaffirmed prior
to selecting a solution; and
• there is progressive buy-in to the new system as a result of user group
involvement throughout the acquisition process.
Risk Areas
Critical elements involved in the process of acquisition of IT assets are as follows:
In IT systems, the scale, cost and impact of an acquisition may have a strategic
significance well beyond the acquisition itself. Any serious misjudgment in
the acquisition decision will impair not only the success of the underlying IT
project but, in addition, the potential business benefits that are anticipated.
Acquisitions frequently involve significant capital investment for an
organization. In addition to the investment, the opportunity cost of the capital
employed, and the time/resources expended in the acquisition process add to the
importance of the acquisition.
Audit Procedure
A prudent IT auditor should verify that the process adopted for acquisition of IT
assets encompasses the following elements:
adherence to a structured approach, comprising all the key acquisition activities
and deliverables, timelines and milestones, project organization and resources;
enunciation of objectives, including a concise statement of the business
expectations from the acquisition, detailed requirements, and specification of
overall scope;
defined evaluation and selection criteria, particularly measurement scale,
relative weights of all criteria and the manner in which acquisition and project
risks will be minimised;
commitment and support of executive management through a senior level
project sponsor and, if appropriate, the establishment of an acquisition steering
committee;
participation from IT, users, consultants, legal and other interested parties, each
with a defined set of responsibilities with respect to the acquisition; and
compatibility with the organization’s acquisition policies and procedures,
including any applicable regulatory guidelines.

Documentation and Document Retention Policies

Control objective
Documentation should be maintained up to date and documentation retention policies
should be in place in an organization.
When reviewing an organization’s system of internal control, the IT auditor can gain
much of the information required from client documentation.
Risk areas
1. unauthorized working practices by IT staff;
2. increase in the number of errors
3. the risk of system unavailability in case the system is complex and there is no
technical documentation.
Audit procedure
• The auditor may also need to examine client documentation to test check individual
transactions and account balances.
• All system documentation should be kept up to date, and only the latest versions
should be used.
• Backup copies of documentation should be stored.
Document Retention Policies
The auditor may need to examine evidence in order to reach an opinion on the financial
statements or otherwise. Historically, this evidence has been obtained from paper
documents (invoices, purchase orders, goods received notes etc).
As more organizations install computer systems, the auditor will find more evidence
in the form of electronic records.
Ultimately, if the organization does not retain sufficient, appropriate evidence the
auditor would have difficulty in being able to provide an unqualified audit opinion.
The auditor should consider two types of documentation according to the audit
approach:
Controls reliant audit approach: the auditor would require evidence of controls in
operation during the accounting period. This evidence may consist of
reconciliations, signatures, reviewed audit logs etc.
Substantive testing: the auditor needs to examine evidence relating to individual
transactions. The auditor may need to be able to trace transactions from initiation
through to their summarisation in the accounts.
Where transaction details are recorded in computer systems they should be retained
for audit inspection. If the organization archives data, the auditor may need to ask for it
to be retrieved before commencing the audit analysis.
If the organization summarises transactions into balances the auditor will need to find
or request an alternative audit trail, e.g. asking the organization to produce a hard copy
of the transactions which make up the summarised balances.
There may be other, non-audit requirements which require the organization to
retain transaction documentation, such as:
• import regulations
• taxation regulations
• company legislation requirements

The organization’s documentation retention policies should take account of all such
requirements.
Internal Audit Involvement
Control Objective
Management has the ultimate responsibility of ensuring that an adequate system of
internal controls is in place. Management puts policies and procedures in place and gets
assurance that the controls are in place and adequately reduce identified risks by relying
on the review work carried out by internal auditors.
Risk Areas
Basic risk areas which the external auditor may come across when reviewing internal
audit’s work include:
• Internal audit not reporting to senior management.
• Management not required to act on internal audit’s recommendations.
• Internal audit may not be empowered to carry out a full range of
assessments, or there may be significant restrictions on the scope of its
work.
• Non-availability of sufficient resources, in terms of finances and staff.

Audit Procedure
The external auditor may assess whether the quality of internal audit’s work is acceptable, in
terms of planning, supervision, review and documentation.
The external auditor can view the organization’s internal audit function as part of the
overall control structure.
The external IT auditor should carry out a general assessment of the organization’s
internal audit function. This assessment will enable the auditor to decide whether reliance
can be placed on internal audit’s work. The external IT auditor should
determine if:
• assurance can be taken from the internal audit activities;
• internal audit staff can be used to provide direct audit assistance, if
necessary under the supervision of the external auditor.
Before placing reliance on the IT controls review work carried out by the organization’s
internal audit, we should carry out our own assessment of their work. This assessment may
be largely informed by past experience and direct examination of internal audit’s work.
Staff with IT audit skills and experience will not always be employed by internal
audit departments. Some internal audit departments may have in-house IT audit staff;
others may contract in IT auditors for specific reviews. Some internal audit
departments may not carry out any IT controls reviews.
The external auditor should consider whether the internal audit department has the staff
necessary to carry out competent reviews of the organization’s computer systems.
Legal and Regulatory Compliance
Control Objective
The legal and regulatory requirements will vary from one country to another. Legal
and regulatory requirements may include:
• data protection and privacy legislation to protect personal data on
individuals, e.g. their payroll information;
• computer misuse legislation to make attempted computer hacking and
unauthorized computer access a criminal offence;
• banking and finance regulations, where banks may have to undergo
regular reviews if they wish to continue operating; and
• copyright laws to prevent theft and illegal copying of computer software.
Risk Areas
Non-compliance could result in action varying from a warning letter to
prosecution or even closure of the activity being undertaken by the entity.
Audit Procedure
It may be assessed whether the organization is aware of local requirements and has
taken appropriate measures to ensure compliance.
Personnel and Training
Control Objective
To ensure that the organization has controls and procedures in place to reduce the risk of
mistakes being made. This may be achieved through the adoption of appropriate
personnel policies and procedures. Some examples of these are as under:
• a clear organizational structure supported by reporting lines/charts
• job descriptions
• staff planning
• training and staff development
• hiring/firing policies (including codes of conduct)
• staff assessments (promotion/demotion)
• special contracts
• job rotation

Risk Areas
In the absence of strong personnel and training control mechanism, there may be
repeated instances of data losses, unauthorized data and program amendment, and
system crashes attributable to:
Errors and omissions caused by people;
Fraud; and
Hardware/software failure.
Audit Procedure
Errors and omissions are the biggest source of problems. It is therefore important that
the organization has controls and procedures in place to reduce the risk of the above-
mentioned instances occurring.
Organizational Structure
There should be a clear organizational structure which shows lines of reporting and
management. This should ensure that all staff know how they fit in to the organizational
structure of the business and the IT department. The charts also provide an indication of
who should be informed when the staff encounter problems.
Job Descriptions
All IT staff should be given job descriptions. These should describe what tasks the IT
staff should perform as part of their jobs. They can be used for staff evaluation and
assist the auditor in determining whether there is adequate segregation of duties.
Staff Planning
Staff planning is important to ensure that there are enough appropriately skilled IT
personnel to run the current systems as well as meet future staffing requirements.
Examples of the need for staff resource planning include:
 where an organization has decided to upgrade their computer systems, staff
who are considered to be experts in the old system may feel that their value to
the organization has diminished or even that their days of employment are
numbered. Consequently they may feel demoralised and may not support the
old systems adequately;
 when installing new systems the technical skill necessary to run the new system
may not be available. Management may need to identify skills requirements up
front and send staff on training courses, recruit new staff or hire consultants for
a period.
Training and Staff Development
Staff training and development are closely linked to staff resource planning. IT
management should know what staff skills are required in both the present and the
foreseeable future. Staff should be given the training to meet those requirements. The
need for training is ongoing as both hardware and software continually develops. IT
training is often costly and should be controlled by training plans and budgets.
Staff Recruitment/Termination Policies and Codes of Conduct
The policies should apply to the employment of permanent staff, temporary staff,
contractors and consultants. Staff hiring policies should be adopted to ensure that
appropriate staff are chosen. There should also be policies and procedures to deal with
the other end of the employment cycle, i.e. termination (whether voluntary or
compulsory). The policies are likely to be heavily influenced by legal requirements,
i.e. the employment legislation within each country.
When hiring new members of IT staff, the organization would be expected to take
account of:
 background checks - including taking up references
 confidentiality agreements - these state that the employee will not reveal
confidential information to unauthorized third parties
 codes of conduct, including contractual relationships with relatives, the
acceptance of gifts, conflicts of interest etc.
New employees should be made aware of their roles and responsibilities in respect of
security matters.
Termination policies should define the steps to be taken when an employee’s services
are no longer required. It is important that these policies and procedures are in place
because of the considerable damage a disgruntled employee can cause to a computer
system.
Staff Assessment
Staff assessment policies and procedures should be seen to be fair and equitable and
understood by all employees. The policies should be based on objective criteria and
consideration should be given to all relevant factors, which may include: the staff
member’s education, training, experience, level of responsibility, achievement, and
conduct.
Special Contracts
It is increasingly common for IT departments to call in specialists, contractors and
consultants for one off jobs. There should be policies which require those on special
contracts to adhere to established policies and procedures.
Job Rotation
Job rotation can provide a degree of control because the same person does not carry out
the same duties all the time. Job rotation allows other staff to perform a job normally
carried out by another person and can lead to the detection and identification of possible
irregularities. Job rotation also acts as a preventive control. Staff are less inclined to
adopt unapproved working practices or commit frauds if they know someone else is
taking over the job.
Segregation of Duties
Control Objective
Segregation of duties is a proven way of ensuring that transactions are properly
authorized, recorded, and that assets are safeguarded. Separation of duties occurs
when one person provides a check on the activities of another. It is also used to
prevent one person from carrying out an activity from start to finish without the
involvement of another person.
Risk Areas
Inadequate segregation of duties increases the risk of errors being made and remaining
undetected, fraud and the adoption of inappropriate working practices. Separation of
duties is a fundamental control requirement as it reduces the risk of error and fraud.
This can be achieved through the existence of, and compliance with, job descriptions.
Computer systems may be able to enforce separation of duties through the use of pre-
programmed user and group security profiles.
Audit Procedure
Evidence of separation of duties can be obtained by obtaining copies of job
descriptions, organization charts and observing the activities of IT staff. Where
computer systems use security profiles to enforce separation of duties, the auditor
should review on-screen displays or printouts of employees’ security profiles in
relation to their functional responsibilities.
The ability to apply and enforce adequate separation of duties is largely dependent upon
the size of the IT department and the number of computer staff involved. Lack of
segregated duties in a small computer department can be addressed by compensating
controls, e.g. regular management checks and supervision, the use of audit trails and
manual controls. However, in a large computer department, the following IT duties
should be adequately segregated:
1. systems design and programming
2. systems support
3. routine IT operations
4. data input
5. system administration
6. system security
7. database administration
8. change management.
In addition to segregated duties within the IT department, there should be no staff
with dual IT department and finance department duties. The computer
department should be physically and managerially separate from end users, such as finance and
personnel. Segregation of duties reduces the risk of fraud since collusion would be required to
bypass the control.
Separation of duties applies to both the general controls environment and to specific
applications or programs. Within the general IT controls environment, the various
functions and roles within the IT department should be segregated.
For example, a software developer should not require access to the live computing
environment to be able to carry out his or her job. Programming staff should not have
the authority to transfer new software between the development, test and production
environments. Segregation of duties between programmers and operations staff would
reduce the risk of those with programming knowledge being able to make unauthorized
amendments to programs or data.
In many cases, the IT department will be divided into two broad types of activity:
 programming (systems and applications); and
 computer operations.
Staff should not have duties which fall into both types of activity. Programming
staff should not be allowed access to live data files and programs.
With the pressure to reduce the cost of IT functions, staff numbers are often reduced.
This limits the scope for segregated duties. If this is the case, then the auditor should
adopt a pragmatic approach to identifying weaknesses and providing recommendations.
Where the scope for segregated duties is limited the auditor should look for the
existence of compensating controls such as strong computer security and end user
reconciliations.
The auditor should determine if IT staff also have responsibilities in user departments. IT
should be segregated from user functions such as finance, stock management, grant
assessment etc. Staff with duties in both IT and a user area would have greater
knowledge of the systems, including the existence of manual and compensating
controls, and be able to make unauthorized changes which would be difficult to detect.
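One way to carry out the review described above in a repeatable form, as an added example that is not part of the manual: the auditor transcribes job descriptions and security-profile printouts into a table of who holds which duties, then checks that table against the incompatibilities this section names (programming versus operations, programming versus live data or software release, IT duties held by staff in a user department). The conflict matrix, the duty names, the staff-count threshold below which compensating controls are looked for, and all user names are assumptions constructed for the example.

```python
"""Segregation-of-duties (SoD) review over transcribed security profiles.

Added example, not from the manual.  The conflict matrix, duty names,
threshold and user records are constructed assumptions.
"""
from itertools import combinations

# Duty pairs this section says should not be held by one person in a
# large IT department (assumed conflict matrix built from the text).
CONFLICTING_DUTIES = {
    frozenset({"programming", "computer_operations"}),
    frozenset({"programming", "live_data_access"}),
    frozenset({"programming", "software_release"}),  # moving code dev -> test -> production
    frozenset({"system_security", "system_administration"}),
    frozenset({"database_administration", "computer_operations"}),
}

# IT duties must not be combined with a post in a user department.
USER_DEPARTMENTS = {"finance", "personnel", "stock_management", "grant_assessment"}
IT_DUTIES = {
    "programming", "systems_support", "computer_operations", "data_input",
    "system_administration", "system_security", "database_administration",
    "change_management", "software_release", "live_data_access",
}

# Below this many IT staff, full segregation is treated as impractical and the
# auditor looks for compensating controls instead (assumed threshold).
MIN_STAFF_FOR_FULL_SEGREGATION = 8

# Constructed sample: who holds which duties, as transcribed by the auditor.
ASSIGNMENTS = [
    {"user": "asmith",  "department": "it",      "duties": {"programming", "systems_support"}},
    {"user": "bjones",  "department": "it",      "duties": {"programming", "software_release"}},
    {"user": "cwhite",  "department": "it",      "duties": {"computer_operations", "live_data_access"}},
    {"user": "fnguyen", "department": "it",      "duties": {"programming", "computer_operations"}},
    {"user": "dkhan",   "department": "finance", "duties": {"ledger_approval"}},
    {"user": "elopez",  "department": "finance", "duties": {"system_administration", "ledger_approval"}},
]


def find_sod_conflicts(assignments, conflicting_duties=CONFLICTING_DUTIES):
    """Return sorted (user, finding) tuples for every breach detected."""
    findings = []
    for a in assignments:
        duties = set(a["duties"])
        # Rule 1: incompatible pairs of duties inside the IT department.
        for d1, d2 in combinations(sorted(duties), 2):
            if frozenset({d1, d2}) in conflicting_duties:
                findings.append((a["user"], f"incompatible duties: {d1} + {d2}"))
        # Rule 2: IT duties held by staff in a user department.
        if a["department"] in USER_DEPARTMENTS:
            held = sorted(duties & IT_DUTIES)
            if held:
                findings.append((a["user"],
                                 f"IT duties held in user department '{a['department']}': "
                                 + ", ".join(held)))
    return sorted(findings)


def sod_report(assignments, min_staff=MIN_STAFF_FOR_FULL_SEGREGATION):
    """Combine conflict findings with the size-based expectation of compensating controls."""
    it_staff = sum(1 for a in assignments if a["department"] == "it")
    return {
        "it_staff": it_staff,
        "compensating_controls_expected": it_staff < min_staff,
        "findings": find_sod_conflicts(assignments),
    }


if __name__ == "__main__":
    report = sod_report(ASSIGNMENTS)
    print(f"IT staff: {report['it_staff']} "
          f"(compensating controls expected: {report['compensating_controls_expected']})")
    for user, finding in report["findings"]:
        print(f"  {user}: {finding}")
```

The report deliberately separates the two questions the section raises: which individuals hold incompatible duties, and whether the department is small enough that the auditor should expect management checks, audit trails and end-user reconciliations rather than full segregation.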
IT Operations Controls
Control Objective
The roles of IT operations include the following:
 capacity planning: ensuring that the computer systems will continue to
provide a satisfactory level of performance in the longer term. This will involve
IT operations staff having to make estimates of future CPU requirements, disk
storage capacity and network load capacity.
 performance monitoring: monitoring the day to day performance of the system
in terms of measures such as response time.
 initial program loading: booting up the systems, or installing new software.
 media management: includes the control of disks and tapes, CD-ROMs, etc.
 job scheduling: a job is normally a process or sequence of batch processes
which are run overnight or in background and which update files etc. Jobs are
normally run periodically, either daily, weekly, monthly, quarterly or annually.
 back-ups and disaster recovery: backups of data and software should be carried
out by IT operations staff on a regular basis. Back-up and business continuity
issues are covered in depth in a later session.
 help desk and problem management: help desks are the day-to-day link
between users with IT problems and the IT department. They are the ones users
call when they have a printer problem or they forget their password. Problems
may be encountered with individual programs (applications and system),
hardware, or telecommunications.
 maintenance: of both hardware and software.
 network monitoring and administration: the IT operations function is given
the responsibility for ensuring that communication links are maintained and
provide users with the approved level of network access. Networks are
especially important where the organization uses EDI.
‘Computer operations’ refers to the logistic and infrastructure aspects of hardware and
software. Appropriate computer operations shield users from the need to consider these
matters by ensuring that the application systems are available at scheduled times, they
operate as expected and the results of their processing, such as printouts, are produced
on time. In a well run IT department, we expect to find computer operations that are
transparent to users, fully supporting them in the performance of their roles.
Risk Areas
The risks associated with poorly controlled computer operations are:
1. applications not run correctly
2. loss or corruption of financial applications or the underlying data files:
may result from improper or unauthorized use of system utilities.
3. delays and disruptions in processing. Wrong priorities may be given to jobs
4. lack of backups and contingency planning increases the risk of being unable
to continue processing following a disaster
5. lack of system capacity. The system may be unable to process transactions
in a timely manner because of overload, or lack of storage space
preventing the posting of any new transactions
6. high amount of system downtime to fix faults: when the systems are
unavailable a backlog of un-posted transactions may build up; and
7. users’ problems remaining unresolved due to a poor help-desk function.
Users may attempt to fix their own problems.
Audit Procedures
Service Level Agreements
It is increasingly common for IT departments to draw up and enter into service level
agreements (SLA) with the rest of the organization, i.e. the user departments. This
allows users to specify and agree, preferably in writing, what levels of service, in terms
of quantity and quality, they should receive. SLAs are in effect internal service delivery
contracts.
The structure and level of service specified in a SLA will depend upon the working
practices and requirements of each organization. A typical SLA would contain the
following:
1. general provisions (including the scope of the agreement, its signatories, date of
next review)
2. brief description of services (functions applications and major transaction
types)
3. service hours (normal working hours and special occasions such as
weekends and holidays)
4. service availability (percentage availability, maximum number of service
failures and the maximum downtime per failure)
5. user support levels (help desk details)
6. performance (response times, turnaround times)
7. contingency (brief details of plans)
8. security (including compliance with the organization’s IT security policy)
9. restrictions (maximum number of transactions, users)
The auditor should review any SLA to determine that they support the accurate and
consistent processing of financial data.
Outsourcing Policy
There is an increasing trend for IT services to be delivered by third party
service providers. This has arisen because IT is not seen as being a core business
activity. By the late 1990s, IT outsourcing had become a mainstream management
option and outsourcing contracts are now quite common in auditee organizations.
Management may take the attitude that their business involves the delivery of products
and services, and not the provision of IT services.
Control Objective
Outsourcing allows management to concentrate their efforts on the main business
activities as the need for developing and maintaining the IT Systems are taken care
of by the IT expert third parties/agencies.
Risk Areas
The decision to outsource any business activity may be intended to allow top
management to concentrate on the main business activities; however, it also
carries the risk of allowing a third party access to business secrets, important
data and other related information.
Audit Procedure
Where an organization does outsource or intends to outsource its IT activities the
auditor should be concerned with reviewing the policies and procedures which ensure
the security of the organization’s financial data. The auditor may need to obtain a copy
of the contract to determine if adequate controls have been specified. Where the
organization intends to outsource its IT function the auditor should ensure that
audit needs are taken into account and included in contracts. Contract terms are
frequently difficult to change once they have been signed. Even if the third party is
willing to amend the contract it is likely to charge a large fee for doing so.
Problems in Outsourcing
Organizations, particularly those in developing countries and those with little relevant
previous experience, may inadvertently create various problems when they decide to
outsource their system development and software implementation projects. These may
include:
 The price of the software to be implemented often appears to be the deciding
factor in choosing the outsourcing vendor rather than the overall potential
result for the organization.
 The organization generally has little or no clear plan of what it wants done.
There are no clear ideas on reporting requirements and, at times, very little in
the way of specified or defined systems. Most of the time, the development
work is undertaken with systems, procedures and controls evolving alongside.
 Management does not really know what platforms may be best suited for the
proposed development work.
 Top management is, or regards itself as being, too busy to be trained in the
software to be used. This has a debilitating effect on the rest of the staff.
Success of the project depends on significant participation by top management.
 Where activities are outsourced, management and users may sometimes expect
far more than is really possible. They may have an unrealistic expectation of
the value to be expected for the payment being made. For example, even
though the basic payroll or accounts may be produced in a timely and cost-
effective fashion, users may also expect complex and unspecified information
reports that, in fact, are not produced and never could be for the contract price
of the service.
The IT auditor should also focus on issues related to IPR (Intellectual Property Rights)
and evaluate whether the programs etc. developed by outsourcing components to a
third party are duly protected as per contract terms and are not prone to outside use
by other organizations.
Management Control, Review and Supervision
Operations staff should be supervised by the management. From the standpoint of
separation of duties, operations staff should not be given the job of inputting
transactions or any form of application programming.
The organization’s IT systems may have on them software utilities which could
conceivably be used to make unauthorized amendments to data files. Operations staff
with access to such software should be supervised to ensure that they only use the
utilities for authorized purposes.
Management will be unable to provide continuous monitoring of operations staff and
may place some reliance on the automatic logging and monitoring facilities built into
the systems. The events which are recorded in the logs will depend on the parameters
set when the systems were installed. As with most logging systems, a large
quantity of data can be produced in a short period.
Recommending that an organization review the audit logs on a regular basis is unlikely
to be carried out in practice. To assist management in their detection of unauthorized
activity, the organization should develop procedures (e.g. a program) to report
exceptions or anomalies.
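The exception-reporting program the manual recommends, as an added example that is not part of the manual: it scans a constructed sample of system log lines and reports the anomalies a supervisor would want brought to them rather than buried in the full log. The log format, field names, utility names, change-ticket numbers, failed-logon threshold and operating-hours window are all assumptions. Three rules are applied: a data-amending utility run without an approved change ticket, a utility run outside the supervised operating window, and a run of consecutive failed logons for one account.

```python
"""Exception report over operations logs (added example, not from the manual).

Log format, field names, utility names, ticket numbers, threshold and the
operating window are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: one event per line, "<iso timestamp> key=value ...".
SAMPLE_LOG = """\
2024-03-04T09:05:12 user=ops1 event=LOGON result=OK
2024-03-04T09:40:03 user=ops1 event=UTILITY_RUN util=fileedit target=GL_TRANS ticket=CHG-1042
2024-03-04T23:17:45 user=ops2 event=UTILITY_RUN util=fileedit target=GL_MASTER ticket=-
2024-03-04T23:18:02 user=ops2 event=LOGOFF result=OK
2024-03-05T08:01:11 user=clerk7 event=LOGON result=FAIL
2024-03-05T08:01:25 user=clerk7 event=LOGON result=FAIL
2024-03-05T08:01:40 user=clerk7 event=LOGON result=FAIL
2024-03-05T08:02:00 user=clerk7 event=LOGON result=OK
2024-03-05T10:30:00 user=ops1 event=BATCH_RUN job=NIGHTLY_POST ticket=-
"""

APPROVED_TICKETS = {"CHG-1042"}                # assumed extract of the change register
SENSITIVE_UTILITIES = {"fileedit", "dbedit"}   # assumed utilities able to amend data files
OPS_HOURS = (time(7, 0), time(19, 0))          # assumed supervised operating window
FAILED_LOGON_THRESHOLD = 3

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    stamp, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(stamp)
    return fields


def report_exceptions(log_text):
    """Return a chronologically sorted list of (timestamp, user, reason)."""
    exceptions = []
    consecutive_failures = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, ts = ev["user"], ev["ts"]

        if ev["event"] == "UTILITY_RUN" and ev.get("util") in SENSITIVE_UTILITIES:
            # Direct amendment of data files must be covered by an approved change.
            if ev.get("ticket", "-") not in APPROVED_TICKETS:
                exceptions.append((ts, user,
                                   f"{ev['util']} run on {ev.get('target')} without approved change ticket"))
            # Utility use at a time when no supervisor is on duty.
            if not (OPS_HOURS[0] <= ts.time() <= OPS_HOURS[1]):
                exceptions.append((ts, user, f"{ev['util']} run outside operating hours"))

        if ev["event"] == "LOGON":
            if ev.get("result") == "FAIL":
                consecutive_failures[user] += 1
                if consecutive_failures[user] == FAILED_LOGON_THRESHOLD:
                    exceptions.append((ts, user,
                                       f"{FAILED_LOGON_THRESHOLD} consecutive failed logons"))
            else:
                consecutive_failures[user] = 0   # a successful logon resets the counter
    return sorted(exceptions)


if __name__ == "__main__":
    for ts, user, reason in report_exceptions(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {user:<8} {reason}")
```

The rules are parameters (approved tickets, sensitive utilities, operating window) rather than hard-coded conditions, so the same program can be re-run against the next period's logs once management has agreed what counts as an exception.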
Effective supervision over IT operations staff is often difficult to achieve, due to
their high level of technical knowledge. They could do things to the system which
management would not detect, or even recognize the significance of, if they did detect
a change. Therefore, to a certain extent management must place a high degree of trust
on IT operations staff, and that trust will be based on appropriate staff selection and
vetting procedures (as per the organizational and management controls discussed in
the previous topic).
Training and Experience
IT operations staff should have skills, experience and training necessary to carry out
their jobs to a competent standard. The IT auditor should determine if the training needs
of IT operations staff have been assessed. Training needs may include non-technical
training, e.g. management training for IT operations supervisors.
As an aid to continuity of staffing, some organizations may teach staff more than
one role or introduce a form of job rotation.
Closely connected to training is the career development of staff. If IT operations feel
that they are in a dead end job with little scope for progression their morale may be low
and they are less likely to carry out their work to a high standard.
Computer Maintenance
As with most equipment, computers may require regular maintenance to reduce the risk
of unexpected hardware failures. Although preventive maintenance is becoming less
common, especially for mini and microcomputers, it may still be required for
environmental equipment such as air conditioning units and fire extinguishing systems.
The IT operations function should either have an internal maintenance capability, or
contract out the maintenance to a third party supplier.
The IT auditor may wish to examine the maintenance contracts and schedules to
determine if adequate maintenance is carried out. Ultimately the key test to the
adequacy of the organization’s maintenance arrangements is the amount of system
down-time or the number of Helpdesk incidents arising from equipment failures.
Operations Documentation
The organization should have clear, documented operating procedures for all computer
systems to ensure their correct, secure operation. The documented procedures should
be available for the detailed execution of each job, and should include the following
items:
 the correct handling of data files;
 scheduling requirements (to ensure best use of IT resources);
 instructions for handling errors or other exceptional conditions which might
arise when jobs are run;
 support contacts in the event of unexpected operational or technical difficulties;
 special output handling instructions; and
 system restart and recovery procedures.
The organization should also have documented procedures for daily housekeeping and
maintenance activities such as computer start-up procedures, daily data back-up
procedures, computer room management and safety.
Documentation can be used by operations staff when they are unsure about how to
carry out a procedure. They are also useful in training new staff.
The auditor should bear in mind the level and detail of documentation will vary from
one organization to another, and will depend on factors such as the size of the
organization, the type of hardware and software used and the nature of the
applications. The auditor would expect to see large quantities of high quality
documentation in a large, critical IT operation, whereas a small organization running
office automation software would probably have less detailed and extensive
documentation.
Problem Management
The IT operation section should have documented procedures for detecting and
recording abnormal conditions. A manual or computerised log may be used to record
these conditions.
The ability to add an entry to the log should not be restricted; however the ability to
update the log should be restricted to authorized personnel only. Management
should have mechanisms in place to ensure that the problem management
mechanism is properly maintained and that outstanding errors are being adequately
addressed and resolved.
Network Management and Control
A range of controls is required where an organization uses computer networks. Network
managers should ensure that there are appropriate controls to secure data in networks,
and that the network is adequately protected from unauthorized access. The controls
may include:
1. separation of duties between operators and network administrators
2. establishment of responsibility for procedures and management of
remote equipment
3. monitoring of network availability and performance. There should be
reports and utilities to measure system response time and down time
4. establishment and monitoring of security controls specific to computer
network.
Summary
The IT auditor may be required to review the security and controls in non- financial
systems and financial systems, depending on the scope of an audit and each SAI’s
mandate.
4. Physical Controls (Access and Environmental)
Objective
The objective of physical and environmental controls is to prevent unauthorized access
and interference to IT services. In meeting this objective, computer equipment and the
information they contain and control should be protected from unauthorized users.
They should also be protected from environmental damage caused by fire, water
(either actual water or excess humidity), earthquakes, electrical power surges or power
shortages. In the IT arena, natural disasters are the second most likely cause of errors.
The entity’s IT security policy should include consideration of physical and
environmental risks.
Risk Areas
Physical
1. Accidental or intentional damage by staff
2. Theft of computers or their individual components
3. Power spikes or surges which may cause component damage
4. Bypass of logical access controls: having physical access to a file server
can be exploited to bypass logical controls such as passwords
5. Copying or viewing of sensitive or confidential information
Environmental
1. Fire/water damage
2. Spikes: leading to system failures, processing errors, damage to components
of equipment
3. Failure of equipment due to temperature or humidity extremes
4. Static electricity: can damage delicate electrical components
5. Others: lightning strikes, etc.
Some of these risks are also covered in greater depth in the Business Continuity
Planning of this manual.
Audit Procedure
To ensure that adequate internal controls exist to protect the business’s assets and
resources, the organization should carry out a risk assessment. This would involve
identifying the threats to the systems, the vulnerability of system components and the
likely impact of an incident occurring. The organization should then identify
counter-measures to reduce the level of exposure to an acceptable level. To do this, it
must balance the risks identified against the cost of implementing controls. Some
controls would be expensive to implement and would only be justified in a high risk
environment.
The counter measures, or controls that the entity puts in place will vary from one
organization to another. For example, a large government department with its own data
centre will usually have a higher degree of controls over its IT facilities than a small
organization using office automation systems such as word processing and spreadsheets.
Physical Controls
Physical access controls are specifically aimed at ensuring that only those who have
been authorized by management have physical access to the computer systems.
Physical access security should be based upon the concept of designated perimeters
which surround the IT facilities.
Physical access controls reduce the risk of unauthorized persons gaining access to the
computer equipment. The auditor should identify controls which would restrict access
to the organization’s site, the computer rooms, terminals, printers and data storage
media. The organization should also have considered the risks posed by cleaners,
security personnel and maintenance staff. Common physical access controls include the
use of locked doors, CCTV, intruder alarms, combination keypads and security guards.
Access to the organization’s site and secure areas should be controlled by layers of
controls, starting at the perimeter fence and working in through the building’s
entrance to the computer suite and terminals. Physical controls may be explicit, such as
a door lock; or implicit for example an employees’ job description implies a need to
enter the IT operations area.
Biometric devices use voice recognition, facial features, hand geometry, fingerprints, retina
scans, etc. to control physical access to the system. The process is of two types:
 One to many, where the biometric input is compared with the data available in the
system to recognize the person and to give access.
 Many to one, where the identity of the person is disclosed first and then the biometric
input is compared to the specific data relating to that identity.
Environmental Controls
Computer installations should be protected against hazards such as fire, flood, power
cuts, physical damage and theft. Inadequate protection increases the risk to system
availability and ultimately an organization’s ability to produce a complete record of
financial transactions. The organization should have assessed the exposure to
damage and introduced appropriate controls to reduce the risk to an acceptable
level.
The risk of fire damage can be reduced by the provision of fire detection and fire
fighting equipment. Other measures, such as regular cleaning and removal of waste
from the computer room, will reduce the risk of fire damage.
The risk of water damage is largely dependent on the location of the computer facilities.
Equipment located in close proximity to pipes and water tanks are at increased risk.
Where possible, organizations should avoid locating computer equipment in basements
or on floors immediately below or in the vicinity of water tanks. Automatic moisture
detectors may be used to alert IT staff of potential water ingress.
Computer equipment may be damaged or disrupted by fluctuations in the electrical
power supply. Power surges can cause computer systems to delete or contaminate data.
Uninterruptible power supplies reduce the risk of system disruption and damage and can
allow continued processing following a power cut.
Some of the older and larger computer installations require special environmental
controls to regulate both the temperature and humidity in their vicinity. These controls
usually take the form of air conditioning units. Many of the latest generation mini and
micro computers have been designed to operate in an office environment and hence will
not require special environmental controls.
5. Logical Access Controls
“a system of measures and procedures, both within an organization and in the software
products used, aimed at protecting computer resources (data, programs and terminals)
against unauthorized access attempts.”
Objective
The objective of logical access controls is to protect the financial applications and
underlying data files from unauthorized access, amendment or deletion, so that:
 users have only the access needed to perform their duties;
 access to very sensitive resources, such as security software, is restricted; and
 employees are restricted from performing incompatible functions or functions
beyond their responsibility.
Risk Areas
 Users have access to areas other than those related to the performance of their
duties.
 Unrestricted access to very sensitive resources, which may be of a mission-critical
nature.
 Employees are not restrained from performing incompatible functions or
functions beyond their responsibility.
Audit Procedure
Logical access controls can exist at both an installation and application level. Controls
within the general IT environment restrict access to the operating system, system
resources and applications, whilst the application level controls restrict user activities
within individual applications.
The importance of logical access controls is increased where physical access controls
are less effective. The existence of logical access security is particularly important
where an organization makes use of networks and global facilities such as the Internet.
Logical access controls usually depend on the in-built security facilities available under
the operating system (e.g. NOVELL Network) or hardware in use.
The most common form of logical access control is login identifiers (ids) followed by
password authentication.
Menu restrictions can be effective in controlling access to applications and system
utilities. Systems may be able to control access by identifying each individual user
through their unique login ids and then having a pre-defined profile of authorized menus
for each.
Some computer systems may be able to control user access to applications and data files
by using file permissions. These ensure that only those users with the appropriate
access rights can read, write, delete or execute files.
Significant risks are often posed by system administration staff with powerful system
privileges. These ‘super users’ may have access to powerful system utilities that can
by-pass established system controls. Management should have introduced measures to
control the activities of these powerful users and, if possible, limit the system privileges
of individual administrators to those required by their function.
The auditor should bear in mind that some operating systems and associated logical
access control options, file parameters, etc., are very technical in nature.
Where the organization’s systems are technically complex and the auditor does not
have a working knowledge of the organization’s particular systems, the IT auditor
may need to obtain additional support and assistance from an IT auditor with the
relevant skills and experience.
The critical elements of an access control mechanism should include:
 classification of information resources according to their criticality and
sensitivity;
 maintenance of a current list of authorized users and their access privileges; and
 monitoring access, investigating apparent security violations, and taking
appropriate remedial action.
Resources, Files and Facilities Requiring Protection
1. Data Files
These may consist of transaction files or databases. Any files containing master file
or standing data information should also be protected.
2. Applications
Unrestricted access increases the risk that the applications will be subject to
unauthorized amendment leading to fraud, data loss, and corruption. Unauthorized
access to the source code of an application could be used to make amendments in the
programming logic.
3. Password Files
If these files are not adequately protected and anyone can read them, there would
be little to stop an unauthorized person obtaining the logon identification and
password of a privileged system user.
4. System Software and Utilities
These consist of software such as editors, compilers, program debuggers. Access to
these should be restricted as these tools could be used to make amendments to data
files and application software.
5. Log Files
Log files are used to record the actions of users and hence provide the system
administrators and organization management with a form of accountability.

6. Program Change Controls


Objective
Even when the system development process has been completed and the new system is
accepted, it is likely that it will have to be changed, maintained, or altered during its
lifecycle.
If the auditor intends to rely on the system to any extent to provide audit evidence, a
review of the change controls is required.
Change controls are needed to gain assurance that the systems continue to do what
they are supposed to do and the controls continue to operate as intended.
Change refers to changes to both hardware and software.
Reasons for System Changes
After systems are implemented the system maintenance phase begins. Systems rarely
remain the same for long. Even on the day systems go live there are invariably users
who are not satisfied with the systems and submit requests for change (RFCs) to be
made.

Changes may be requested for the following reasons:
• To enhance functionality
• To make systems operations easier or more efficient
• Capacity planning
• Problem rectification: helpdesk incidents leading to the identification of
problems
• To improve security
• Routine updates: system developers may update and improve the system
software
• Changes in requirements: changes in legislation, business requirements or
business direction may require the financial system to be amended.
Risk Areas
Change controls are put in place to ensure that all changes to system configurations are
authorized, tested, documented and controlled, that the systems continue to operate as
intended and that there is an adequate audit trail of changes.
Conversely, the risks associated with inadequate change controls are as follows:
1. Unauthorized changes.
2. Implementation problems: where the change is not delivered in time to meet
requirements.
3. Erroneous processing and reporting: systems which do not process as intended.
4. User dissatisfaction: systems which users are not happy with.
5. Maintenance difficulties: poor quality systems which are difficult or
expensive to maintain.
6. Use of unauthorized hardware and software: hardware or software in use which
has not been authorized. This could lead to incompatibility between different
parts of the system, or breach of copyright legislation.
7. Problems with emergency changes: uncontrolled emergency changes to
programs in the live environment leading to data loss and corruption of
files.
Audit Procedure

The auditor should ensure that the organization’s procedures to control changes
include:
1. Procedures for management authorization.
2. Thorough testing before amended software is used in the live environment.
3. Transfer (“transport”) of the amended software to the live environment only by,
or with the authorization of, operations management.
4. Management review of the effects of any changes, and maintenance of adequate
records.
5. The preparation of fallback plans (in case anything goes wrong).
6. The establishment of procedures for making emergency changes.

There should be procedures for recording all requests for change (RFCs), preferably in a
standard format and/or on standard data input screens.
The requests for change should be logged and given a unique chronological
reference number.
All RFCs should be allocated a priority rating to indicate the urgency with which the
change should be considered and acted upon.
The task of determining change priority is normally the responsibility of a change
control board or IT steering committee.
The change board and steering committee make their views known via an individual
given the role of the change manager.
The priority of changes is determined by assessing the cost of the change and its impact on
the business and its resources.
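The following is an added illustration, not part of the manual or of any auditee's system, of how the change-control evidence described above can be examined programmatically: an RFC register that issues unique chronological reference numbers and a priority rating from impact and cost, an audit test applying the six control points, and a reconciliation of the live environment's change log back to logged RFCs. The weights, staff names, program names and all RFC data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed priority weights: high business impact and low cost rank first.
IMPACT_WEIGHT = {"low": 1, "medium": 2, "high": 3}
COST_WEIGHT = {"low": 3, "medium": 2, "high": 1}

# Constructed list of staff permitted to transport changes to the live environment.
OPERATIONS_STAFF = {"ops-lead", "ops-deputy"}


@dataclass
class RFC:
    ref: str                      # unique chronological reference number
    requested: date
    reason: str                   # enhancement, problem rectification, security, ...
    impact: str                   # business impact: low / medium / high
    cost: str                     # estimated cost: low / medium / high
    authorized_by: Optional[str] = None
    tested: bool = False
    fallback_plan: bool = False
    emergency: bool = False
    transported_by: Optional[str] = None
    reviewed_after_change: bool = False


class ChangeRegister:
    """Logs every request for change under a unique, chronological reference."""

    def __init__(self, year: int):
        self.year = year
        self._seq = 0
        self.rfcs: dict[str, RFC] = {}

    def log(self, requested: date, reason: str, impact: str, cost: str, **controls) -> RFC:
        self._seq += 1
        rfc = RFC(f"RFC-{self.year}-{self._seq:04d}", requested, reason, impact, cost, **controls)
        self.rfcs[rfc.ref] = rfc
        return rfc


def priority(rfc: RFC) -> int:
    """Priority rating from business impact and cost; higher means act sooner."""
    return IMPACT_WEIGHT[rfc.impact] * COST_WEIGHT[rfc.cost]


def audit_change(rfc: RFC) -> list[str]:
    """Control exceptions for one change; an empty list means every control is evidenced."""
    findings = []
    if not rfc.authorized_by:
        note = " (emergency change still requires retrospective approval)" if rfc.emergency else ""
        findings.append("no management authorization" + note)
    if not rfc.tested:
        findings.append("not tested before use in the live environment")
    if rfc.transported_by is not None and rfc.transported_by not in OPERATIONS_STAFF:
        findings.append(f"transported to live by {rfc.transported_by}, not by operations")
    if not rfc.fallback_plan:
        findings.append("no fallback plan prepared")
    if not rfc.reviewed_after_change:
        findings.append("no management review of the effect of the change")
    return findings


def unauthorized_live_changes(register: ChangeRegister,
                              live_log: list[tuple[str, Optional[str]]]) -> list[str]:
    """Programs in the live environment's change log that cannot be traced to a logged RFC."""
    return [program for program, ref in live_log if ref not in register.rfcs]


def sample_audit() -> dict:
    """Constructed register and live change log used to demonstrate the tests."""
    reg = ChangeRegister(2024)
    controlled = reg.log(date(2024, 1, 5), "problem rectification", "high", "low",
                         authorized_by="cio", tested=True, fallback_plan=True,
                         transported_by="ops-lead", reviewed_after_change=True)
    rushed = reg.log(date(2024, 1, 9), "enhancement", "low", "high",
                     emergency=True, transported_by="dev-anita")
    live_log = [("payroll.exe", controlled.ref), ("ledger.dll", rushed.ref), ("report.exe", None)]
    return {
        "refs": [controlled.ref, rushed.ref],
        "priorities": [priority(controlled), priority(rushed)],
        "findings": {r.ref: audit_change(r) for r in reg.rfcs.values()},
        "unauthorized": unauthorized_live_changes(reg, live_log),
    }
```

In a real engagement the register would be the auditee's RFC log and the live change log would come from the operations team's transport records; the value of the test lies in the reconciliation between the two, which exposes changes that reached the live environment without passing through the control.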

7. Business Continuity and Disaster Recovery Controls

Objective
To ensure that the organization can still accomplish its mission and would not lose the
capability to process, retrieve and protect the information it maintains in the event of a
disaster leading to loss of computer facilities.
Risk Areas
In the event of a disaster, the absence of a plan poses a major threat to the very existence
of the organization, since the following are at risk:
• The organization’s ability to accomplish its mission after re-starting its
operations.
• Its ability to retrieve and protect the information maintained.
• Its ability to keep intact all the organizational activities after the disaster.
• Its ability to start operations on full scale at the earliest to minimise the business loss
in terms of money, goodwill, human resources and capital assets.
Audit Procedures
1. The organization with computerized systems should have assessed threats to the
system, its vulnerability and the impact a loss of operations would have
on the organization’s ability to operate and achieve organizational objectives.
2. Appropriate measures should then be put in place to reduce risks to a level that is
acceptable to the organization’s senior management.
3. The extent of the planning and the detailed measures required will vary
considerably. Organizations with large IT departments, with mainframe
computers and complex communication networks may require comprehensive,
up to date continuity and recovery plans which incorporate standby facilities at
alternative sites. At the other end of the scale, a small agency or non-
departmental public body with a desk-top PC, running a simple off the shelf
package, would have a simpler plan.
4. The plans should be documented, periodically tested and updated as necessary.
5. The importance of adequate documentation is increased where significant
reliance is placed on a few key members of the IT department. The loss of key
staff, perhaps due to the same reason the computers were disrupted, may
adversely affect an organization’s ability to resume operations within a
reasonable timeframe.
6. Back-up copies of systems software, financial applications and underlying data
files should be taken regularly.
The IT auditor, while assessing the adequacy of the business continuity and disaster
recovery plans, should consider:
• Evaluating the plans to determine their adequacy by reviewing the plans and
comparing them to organizational standards and/or government regulations.
• Verifying that the plans are effective in ensuring that information processing
capabilities can be resumed promptly after an unanticipated interruption, by
reviewing the results from previous tests performed, if any, by the IT
organization and the end users.
• Evaluating off-site storage to ensure its adequacy by inspecting the facility and
reviewing its contents and security and environmental controls. It may be
ascertained whether backups taken earlier have ever been tested for data
recovery by the auditee organization.
• Evaluating the ability of IT and user personnel to respond effectively in
emergency situations by reviewing emergency procedures, employee training
and the results of their drills.
AUDIT OF APPLICATION CONTROLS
Application controls are particular to an application and may have a direct impact
on the processing of individual transactions. These controls are used to provide
assurance that all transactions are valid, authorized, complete and recorded. Since
application controls are closely related to individual transactions it is easier to see
why testing the controls will provide the auditor with audit assurance as to the
accuracy of a particular account balance.
Before evaluating application controls, the auditor will need to secure a reasonable
understanding of the system. For this purpose, a brief description of the application
should be prepared:
• indicating the major transactions,
• describing the transaction flow and main output,
• indicating the major data files maintained and
• providing approximate figures for transaction volumes.
Application controls may be divided into:
• Input controls
• Processing controls
• Output controls
• Master/Standing Data File controls

Input Controls

Control Objective

The objective of input control is to ensure that the procedures and controls guarantee
that
(i) the data received for processing are genuine, complete, not previously
processed, accurate and properly authorized, and
(ii) data are entered accurately and without duplication.
Input control is extremely important as the most significant source of error or fraud
in computerized systems is incorrect or fraudulent input. Controls over input are vital
to the integrity of the system.

Risk Areas
Weak input control may increase the risk of:
• entry of unauthorized data
• entry of data which is irrelevant to the application
• incomplete data entry
• entry of duplicate/redundant data.

Audit Procedure

The aspects that the auditor should evaluate are whether:
• all prime input, including changes to standing data, is appropriately authorized;
• for on-line systems, the ability to enter data from a terminal is adequately
restricted and controlled;
• there is a method to prevent and detect duplicate processing of a source
document;
• all authorized input has been submitted or, in an on-line system, transmitted, and
there are procedures for ensuring correction and resubmission of rejected data.
The controls outlined above may be invalidated if it is possible to by-pass them by
entering or altering data from outside the application. There should be automatic
application integrity checks which would detect and report on any external changes to
data, for example, unauthorized changes made by personnel in computer operations,
on the underlying transaction database. The results of the installation review should
be reviewed to ensure that the use of system amendment facilities, such as editors, is
properly controlled.

Authorization of Input

The organization should have procedures and controls in place to ensure that all
transactions are authorized before being entered into the computer system. From
the external auditor’s point of view, authorization controls reduce the risk of
fraudulent or irregular transactions. The organization also gains better control of
resources.
Computerized applications may permit staff to enter and authorize
transactions directly in the system. This can be achieved by setting up password
access controls to data input devices and data entry permissions, e.g. data input
screens. Financial applications may be able to check that a transaction has been
approved by a person with the appropriate level of authority by checking their log-in
ID against a predefined transaction approvals list.
To place reliance on the automated controls the IT auditor would need to determine that
the appropriate levels of authority have been set up and that they have been working for
the whole accounting period / transaction cycle. This would involve:
1. looking at access matrices;
2. obtaining printouts of user permissions;
3. reviewing audit logs of changes in permissions.
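As an added illustration (not from the manual, and not any product's own authorization logic), the test below combines the three pieces of evidence just listed: a transaction approvals list with amount limits per role, the access matrix at the start of the period, and the audit log of permission changes. Replaying the change log gives the role each login actually held on the date a transaction was approved, so approvals made before a promotion or beyond a role's limit are reported, and short-lived elevations that were reverted within days are listed for management to explain. Roles, limits, login IDs, dates and transactions are all constructed.

```python
from datetime import date

# Constructed transaction approvals list: role -> highest amount it may approve
# (None means no limit).
APPROVAL_LIMITS = {"clerk": 0, "supervisor": 5_000, "manager": 50_000, "director": None}

# Constructed access matrix at the start of the accounting period: login ID -> role.
ROLES_AT_PERIOD_START = {"asmith": "manager", "bjones": "clerk", "ckhan": "clerk"}

# Constructed audit log of permission changes: (date, login, old role, new role, changed by).
PERMISSION_CHANGES = [
    (date(2024, 3, 1), "bjones", "clerk", "supervisor", "it-admin"),
    (date(2024, 6, 15), "ckhan", "clerk", "manager", "it-admin"),
    (date(2024, 6, 20), "ckhan", "manager", "clerk", "it-admin"),
]

# Constructed transactions: (transaction id, posting date, amount, approving login ID).
TRANSACTIONS = [
    ("T1", date(2024, 2, 10), 4_000, "bjones"),
    ("T2", date(2024, 4, 2), 4_500, "bjones"),
    ("T3", date(2024, 6, 17), 30_000, "ckhan"),
    ("T4", date(2024, 7, 1), 60_000, "asmith"),
]


def role_on(login: str, when: date) -> str:
    """Replay the permission change log to find the role a login held on a given date."""
    role = ROLES_AT_PERIOD_START[login]
    for changed, who, _old, new, _by in sorted(PERMISSION_CHANGES):
        if who == login and changed <= when:
            role = new
    return role


def can_approve(role: str, amount: float) -> bool:
    limit = APPROVAL_LIMITS[role]
    return limit is None or amount <= limit


def approval_exceptions(transactions=TRANSACTIONS) -> list[tuple[str, str]]:
    """Transactions approved by a login that lacked sufficient authority on that date."""
    exceptions = []
    for txn_id, when, amount, login in transactions:
        role = role_on(login, when)
        if not can_approve(role, amount):
            exceptions.append(
                (txn_id, f"{login} held role {role} (limit {APPROVAL_LIMITS[role]}) on {when}"))
    return exceptions


def temporary_elevations(max_days: int = 7) -> list[str]:
    """Logins whose role was raised and reverted within max_days; each such elevation
    should be matched to an approved business reason."""
    flagged = []
    for i, (raised_on, who, old, new, _by) in enumerate(PERMISSION_CHANGES):
        for reverted_on, who2, old2, new2, _by2 in PERMISSION_CHANGES[i + 1:]:
            if (who2 == who and old2 == new and new2 == old
                    and (reverted_on - raised_on).days <= max_days):
                flagged.append(who)
    return flagged
```

The point of reconstructing roles from the change log rather than from the period-end printout alone is the one the manual makes: the control must have been working for the whole period, and a printout only shows the position on the day it was taken.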

Completeness of Input Data

As part of an IT audit, the auditor must determine if the accounting records are
complete and that there are no material omissions. To do this the auditor should
review the controls which ensure that input is complete, i.e. that transactions have not
gone missing. The completeness of transaction input can be ensured by a variety of
controls:
1. manual procedures e.g., keeping a log of transactions which users send for
input. The data input staff in the IT department may expect a regular flow
or pattern of transactions from user departments. Where a batch of input
documents is expected but not received or a batch number appears to be
missing, follow-up action should be taken to identify the missing
transactions.
2. the use of pre-numbered data input forms. These may be sequentially
numbered. When a number is found to be missing the finance / concerned
staff can investigate any disappearances. Alternatively, the input
transactions may be sent on sequentially numbered batch forms from user
departments.
3. use of batch totals: In a traditional batch input system, all data is presented
to the system in batches and incomplete batches are detected and
exception reports are produced.
4. establishing a routine or expectation of data input e.g. if data entry staff
expect to receive input documents from all 10 departments on a
particular day and they only receive 9 sets, they would chase up the missing
set of input documents.
A batch is a collection of input documents which are treated as one group. The
existence of batches is useful in establishing controls to ensure the completeness of
input of data to the system. The total of individual transactions should agree to a
manually calculated total recorded for input on a batch header document.
Batch totals should be recorded at the earliest possible point in the processing cycle and
totals agreed from update reports back to this original record, i.e. the first batch total
acts as a reference to check back to, as the transactions are processed by the system.
Control must be exercised by the users to ensure that all batches are processed as well
as to ensure that the correct value is accepted for each batch. It is therefore essential
that a complete record of all batches sent for processing is maintained. This is
usually a log book completed by the computer operators and reviewed and
signed by a supervisor.
More importantly, applications may also have in-built controls to ensure that all the
key transaction information has been entered before the transaction can be
posted to the accounts. For example, if the finance user does not input data in a key
field such as amount the transaction would be rejected by the system.
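The batch controls described above, worked through as an added example (not the manual's own code): manually prepared batch headers are agreed to the totals and document counts actually keyed, gaps in the sequential batch numbering are listed, the posted totals on the system's update report are agreed back to the original headers, and a record with a blank key field is rejected. Batch numbers, amounts and field names are constructed.

```python
from collections import Counter, defaultdict

# Constructed batch header documents prepared by user departments:
# (batch number, manually calculated total, document count).
BATCH_HEADERS = [(101, 1500.00, 3), (102, 920.50, 2), (104, 300.00, 1)]

# Constructed records as keyed into the system: (batch number, document number, amount).
# Batch 102 lists two documents but only one was keyed; batch 103 was never received.
KEYED_RECORDS = [
    (101, 1, 500.00), (101, 2, 700.00), (101, 3, 300.00),
    (102, 1, 920.50),
    (104, 1, 300.00),
]

# Constructed update report produced by the system after posting: batch -> posted total.
UPDATE_REPORT = {101: 1500.00, 102: 920.50, 104: 300.00}

REQUIRED_FIELDS = ("account", "amount", "date")


def reconcile_batches(headers, keyed):
    """Agree keyed totals and document counts to each batch header; report differences."""
    totals = defaultdict(float)
    counts = Counter()
    for batch, _doc, amount in keyed:
        totals[batch] += amount
        counts[batch] += 1
    exceptions = []
    for batch, header_total, header_count in headers:
        if round(totals[batch], 2) != header_total:
            exceptions.append(
                (batch, f"keyed total {totals[batch]:.2f} differs from header {header_total:.2f}"))
        if counts[batch] != header_count:
            exceptions.append(
                (batch, f"documents keyed {counts[batch]}, header lists {header_count}"))
    return exceptions


def missing_batch_numbers(headers, keyed):
    """Gaps in the sequential batch numbering between the lowest and highest number seen."""
    seen = {b for b, _, _ in headers} | {b for b, _, _ in keyed}
    return sorted(set(range(min(seen), max(seen) + 1)) - seen)


def agree_update_report(headers, update_report):
    """Agree posted totals on the update report back to the original batch header record."""
    return [(batch, "posted total differs from batch header")
            for batch, header_total, _ in headers
            if round(update_report.get(batch, 0.0), 2) != header_total]


def key_fields_missing(record: dict) -> list[str]:
    """In-built completeness check: a transaction with a blank key field is rejected."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
```

Note that batch 102 agrees in value but not in count: a reconciliation on totals alone would have passed it, which is why the manual asks for both the value and the number of documents on the batch header.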
Data Input Validation

IT applications may have in-built controls which automatically check that data input is
accurate and valid. Validation may also be achieved by manual procedures such as
double-checking input documents or review by a supervisor.
The accuracy of data input into a system can be controlled by imposing several
computerized validity checks on the data presented to the system. Automated
validation checks should be sufficient to ensure that all data accepted into the system
is capable of acceptance by all subsequent processes, including acceptance into other
systems where there is an automatic transfer of data. Acceptability is particularly
important where feeder systems are used.
There are many types of programmed application control which an IT auditor may
encounter, for example: format checks, validity checks, range checks, limit checks,
check digits, compatibility checks, etc.
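Each of the six programmed checks named above, implemented as an added example (not the manual's own code) over a constructed supplier-invoice record. The check-digit test uses the Luhn algorithm, which is assumed here for illustration; a real application may use a different scheme. Field names, the cost-centre table, the range, the limit and the sample records are all constructed.

```python
import re

# Constructed validity table of cost centres that may be charged.
VALID_COST_CENTRES = {"CC100", "CC200", "CC300"}
INVOICE_NO_FORMAT = re.compile(r"^INV-\d{6}$")
QUANTITY_RANGE = (1, 10_000)
AMOUNT_LIMIT = 25_000.00


def luhn_check_digit_ok(number: str) -> bool:
    """Check-digit test (Luhn algorithm) on a numeric reference such as a supplier number."""
    if not number.isdigit():
        return False
    total = 0
    for position, digit in enumerate(reversed(number)):
        d = int(digit)
        if position % 2 == 1:          # every second digit from the right is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_input(rec: dict) -> list[str]:
    """Apply the programmed validation checks and return the list of failures."""
    errors = []
    if not INVOICE_NO_FORMAT.match(rec["invoice_no"]):                   # format check
        errors.append("format: invoice number is not INV-nnnnnn")
    if rec["cost_centre"] not in VALID_COST_CENTRES:                     # validity check
        errors.append("validity: unknown cost centre")
    lo, hi = QUANTITY_RANGE
    if not lo <= rec["quantity"] <= hi:                                  # range check
        errors.append(f"range: quantity outside {lo}-{hi}")
    if abs(rec["amount"]) > AMOUNT_LIMIT:                                # limit check
        errors.append(f"limit: amount exceeds {AMOUNT_LIMIT:.2f}")
    if not luhn_check_digit_ok(rec["supplier_no"]):                      # check digit
        errors.append("check digit: supplier number fails the Luhn test")
    credit = rec["type"] == "credit_note"                                # compatibility check
    if (credit and rec["amount"] >= 0) or (not credit and rec["amount"] < 0):
        errors.append("compatibility: sign of amount does not match document type")
    return errors


def validate_batch(records) -> dict:
    """Results keyed by invoice number; only records with no failures may pass to feeder systems."""
    return {r["invoice_no"]: validate_input(r) for r in records}


# Constructed input records: the first is clean, the second fails every check.
SAMPLE_RECORDS = [
    {"invoice_no": "INV-000123", "cost_centre": "CC100", "quantity": 12,
     "amount": 1_440.00, "supplier_no": "79927398713", "type": "invoice"},
    {"invoice_no": "INV-12A456", "cost_centre": "CC999", "quantity": 0,
     "amount": 30_000.00, "supplier_no": "79927398710", "type": "credit_note"},
]
```

When reviewing an application the auditor would obtain the equivalent rules from the system documentation or by observing what the data-entry screens reject, and then test them with records designed to fail each check in turn, as the second sample record does here.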

Duplicate Checks

The increase in the number of transactions that need to be processed has played a large
part in the computerization of accounting and business critical systems. Unfortunately,
the increased volume of transactions has resulted in end user staff being less likely
to remember the transactions they have previously processed. This increases the risk
that duplicate transactions will occur and remain undetected.
To address this risk, some applications may be able to detect duplicate transactions, e.g.
by comparing new transactions with transactions previously posted to the same
account. An IT auditor can make use of CAATs software to detect the duplicate records
in any transaction file.

Matching

This control checks and compares one transaction record against data contained in
another related transaction. Where data is found to differ, an exception report is
produced. For example, the data entered when goods are received are automatically
compared to the supplier’s invoice and the purchase order data on the system. Where a
mismatch is found the computer produces an exception report. The organization
should then take steps to identify the cause of the discrepancy.
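The duplicate check and the matching control just described, as one added example (not the manual's code, and not any particular CAATs package): postings are grouped on the fields that identify a transaction so that re-keyed entries surface, and each supplier invoice is compared with its purchase order and goods received note to produce the exception report. Account, supplier, purchase order and invoice data are constructed.

```python
from collections import defaultdict

# Constructed transactions posted to the purchase ledger; T2 is T1 keyed a second time.
POSTED = [
    {"id": "T1", "account": "A-1", "supplier": "S-10", "ref": "INV-000101", "amount": 1200.00},
    {"id": "T2", "account": "A-1", "supplier": "S-10", "ref": "INV-000101", "amount": 1200.00},
    {"id": "T3", "account": "A-2", "supplier": "S-11", "ref": "INV-000777", "amount": 480.00},
    {"id": "T4", "account": "A-1", "supplier": "S-10", "ref": "INV-000102", "amount": 1200.00},
]


def find_duplicates(transactions, keys=("account", "supplier", "ref", "amount")):
    """Group postings on the identifying fields; any group of two or more is a duplicate."""
    groups = defaultdict(list)
    for t in transactions:
        groups[tuple(t[k] for k in keys)].append(t["id"])
    return [ids for ids in groups.values() if len(ids) > 1]


# Constructed purchase orders, goods received notes and supplier invoices, keyed by PO number.
PURCHASE_ORDERS = {
    "PO-5001": {"supplier": "S-10", "quantity": 10, "unit_price": 120.00},
    "PO-5002": {"supplier": "S-11", "quantity": 5, "unit_price": 96.00},
}
GOODS_RECEIVED = {"PO-5001": {"quantity": 10}, "PO-5002": {"quantity": 4}}
INVOICES = {
    "PO-5001": {"supplier": "S-10", "quantity": 10, "amount": 1200.00},
    "PO-5002": {"supplier": "S-11", "quantity": 5, "amount": 480.00},
    "PO-5003": {"supplier": "S-12", "quantity": 1, "amount": 999.00},
}


def three_way_match(orders, receipts, invoices, tolerance=0.01):
    """Compare each invoice with its purchase order and goods receipt; return the exception report."""
    exceptions = []
    for po_no, inv in invoices.items():
        po = orders.get(po_no)
        if po is None:
            exceptions.append((po_no, "no purchase order on file"))
            continue
        if inv["supplier"] != po["supplier"]:
            exceptions.append((po_no, "invoice supplier differs from purchase order"))
        received = receipts.get(po_no, {"quantity": 0})["quantity"]
        if inv["quantity"] > received:
            exceptions.append((po_no, f"invoiced {inv['quantity']} but only {received} received"))
        expected = po["unit_price"] * inv["quantity"]
        if abs(inv["amount"] - expected) > tolerance:
            exceptions.append(
                (po_no, f"invoice amount {inv['amount']:.2f} differs from PO value {expected:.2f}"))
    return exceptions
```

The choice of grouping fields matters: T4 shares account, supplier and amount with T1 but carries a different invoice reference, so it is correctly not reported; dropping the reference from the key would produce a false positive, while adding the posting date would hide the real duplicate.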

Dealing with Rejected Input

It is important that, where data is automatically checked and validated at data entry,
there are procedures for dealing with transactions which fail to meet the input
requirements, i.e. the auditor should determine what happens to rejected transactions.
There are alternative methods of dealing with input transactions which fail validity tests.
Rejected by the system - Where transactions are rejected outright, the organization
should have procedures in place to establish control over these rejections and ensure
that all data rejected will be subsequently corrected, re-input to and accepted by the
system. The system rules will determine whether individual transactions or complete
batches should be rejected.
Held in suspense - in this case it is critical that users recognize the placing of items in
suspense as a prompt for action. It is essential that all items held in suspense are
corrected and ultimately successfully processed. In adopting this approach, we
overcome the possibility of rejected items being lost but delay the recognition of the
need to take action to correct the input error. Where items are held in suspense the
auditor should review the procedures for identifying, correcting and clearing these
transactions.

Processing Controls

Processing controls ensure complete and accurate processing of input and
generated data. This objective is achieved by providing controls for:
• adequately validating input and generated data,
• processing the correct files,
• detecting and rejecting errors during processing and referring them back to the
originators for re-processing,
• proper transfer of data from one processing stage to another, and
• checking control totals (established prior to processing) during or after
processing.
Control Objective
The objectives of processing controls are to ensure that:
• transaction processing is accurate,
• transaction processing is complete,
• transactions are unique (i.e. no duplicates),
• all transactions are valid, and
• the computer processes are auditable.
Risk Areas
Weak processing controls would lead to:
• inaccurate processing of transactions, leading to wrong outputs/results;
• some of the transactions being processed by the application remaining
incomplete;
• duplicate entries or processing being allowed, which may lead to duplicate
payment in the case of payments to vendors for goods;
• unauthorized changes or amendments to the existing data;
• absence of an audit trail, which may render the application un-auditable.
Audit Procedure
Processing controls within a computer application should ensure that only valid data
and program files are used, that processing is complete and accurate and that
processed data has been written to the correct files.
Assurance that processing has been accurate and complete may be gained from
performing a reconciliation of totals derived from input transactions to changes in
data files maintained by the process.
The auditor should ensure that there are controls to detect the incomplete or inaccurate
processing of input data.
Application processes may perform further validation of transactions by checking
data for duplication and consistency with other information held by other parts of
the system. The process should check the integrity of data which it maintains, for
example, by using check sums derived from the data. The aim of such controls is to
detect external amendments to data due to system failure or use of system amendment
facilities such as editors.
Computerized systems should maintain a log of the transactions processed. The
transaction log should contain sufficient information to identify the source of each
transaction.
In batch processing environments, errors detected during processing should be
brought to the attention of users.
Rejected batches should be logged and referred back to the originator.
Online systems should incorporate controls to monitor and report on unprocessed or
uncleared transactions (such as part-paid invoices).
There should be procedures for identifying and reviewing all uncleared
transactions beyond a certain age.
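An added example (not the manual's code) tying together the processing controls described in this procedure and the suspense handling described under "Dealing with Rejected Input": a small data file that keeps a transaction log identifying the source of each posting, stores a check sum beside each record so that an amendment made outside the process (for instance with an editor) is detected, and reconciles opening balance plus logged input to the closing balance; an aging routine lists suspense items held beyond the allowed age. The accounts, amounts, suspense items and dates are constructed.

```python
import hashlib
import json
from datetime import date


def record_checksum(account: str, balance: float) -> str:
    """Check sum derived from the record's own data and stored beside it."""
    payload = json.dumps({"account": account, "balance": round(balance, 2)}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()[:16]


class LedgerFile:
    """A data file maintained by an application process, with a transaction log and
    per-record check sums so that amendments made outside the process can be detected."""

    def __init__(self, opening_balances: dict):
        self.balances = dict(opening_balances)
        self.checksums = {a: record_checksum(a, b) for a, b in self.balances.items()}
        self.transaction_log = []          # (transaction id, source, account, amount)

    def post(self, txn_id: str, source: str, account: str, amount: float) -> None:
        self.balances[account] = self.balances.get(account, 0.0) + amount
        self.checksums[account] = record_checksum(account, self.balances[account])
        self.transaction_log.append((txn_id, source, account, amount))

    def integrity_exceptions(self) -> list[str]:
        """Accounts whose stored check sum no longer matches the data held for them."""
        return [a for a, b in self.balances.items() if record_checksum(a, b) != self.checksums[a]]

    def run_to_run_reconciles(self, opening_total: float) -> bool:
        """Opening total plus the total of logged input must equal the closing total."""
        posted = sum(amount for _, _, _, amount in self.transaction_log)
        return round(opening_total + posted, 2) == round(sum(self.balances.values()), 2)


def aged_suspense_items(suspense, as_of: date, max_age_days: int = 30) -> list[str]:
    """Items held in suspense (rejected or uncleared input) older than the allowed age."""
    return [item_id for item_id, held_since, _reason in suspense
            if (as_of - held_since).days > max_age_days]


def demo() -> dict:
    """Constructed run: two valid postings, then an edit made outside the application."""
    ledger = LedgerFile({"A-1": 100.00, "A-2": 50.00})
    opening_total = sum(ledger.balances.values())
    ledger.post("T1", "batch-101", "A-1", 25.00)
    ledger.post("T2", "online/jdoe", "A-2", -10.00)
    reconciled = ledger.run_to_run_reconciles(opening_total)
    ledger.balances["A-1"] = 999.00          # bypasses post(): simulates an external amendment
    suspense = [("S-1", date(2024, 7, 29), "invalid cost centre"),
                ("S-2", date(2024, 6, 10), "missing amount")]
    return {
        "reconciled_before_edit": reconciled,
        "reconciled_after_edit": ledger.run_to_run_reconciles(opening_total),
        "integrity_exceptions": ledger.integrity_exceptions(),
        "aged_suspense": aged_suspense_items(suspense, date(2024, 7, 31)),
        "log_sources": [src for _, src, _, _ in ledger.transaction_log],
    }
```

The two detective controls are complementary: the run-to-run reconciliation shows that something is wrong with the file as a whole, while the per-record check sum shows which record was changed, and the transaction log shows that no posting accounts for the change.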

Output Controls

These controls are incorporated to ensure that computer output is complete, accurate
and correctly distributed. It may be noted that weakness in processing may sometimes
be compensated by strong controls over output.
A well-controlled system for input and processing is likely to be completely
undermined if output is uncontrolled. Reconciliation carried out at the end of the
output stage can provide very considerable assurance over the completeness and
accuracy of earlier stages in the complete cycle.
Control Objective
Output controls ensure that all output is:
• produced and distributed on time,
• fully reconciled with pre-input control parameters, and
• physically controlled at all times, depending on the confidentiality of the
document,
and that errors and exceptions are properly investigated and acted upon.
Risk Areas
If output controls prevailing in the application are weak or are not appropriately
designed these may lead to:
repeated errors in the output generated leading to loss of revenue, loss of
creditability of the system as well as that of the organization.
non-availability of the data at the time when it is desired.
availability of the data to an unauthorized person/user.
the information which may be of a very confidential nature may go to the wrong
hands.
Audit Procedure
The completeness and integrity of output reports depends on restricting the ability to
amend outputs and incorporating completeness checks such as page numbers and check
sums.
Computer output should be regular and scheduled. Users are more likely to detect
missing output if they expect to receive it on a regular basis. This can still be achieved
where the subject of computer reports is erratic, such as exception reporting, by the
production of nil reports.
Output files should be protected to reduce the risk of unauthorized amendment. Possible
motivations for amending computer output include covering up unauthorized processing
or manipulating undesirable financial results.
A combination of physical and logical controls may be used to protect the integrity of
computer output.
Output from one IT system may form the input to another system, before finally
being reflected in the financial statements. Where this is the case the auditor should
look for controls to ensure that outputs are accurately transferred from one processing
stage to the next.
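The completeness checks named in this procedure (page numbers, check sums, reconciliation to a pre-input control total, and nil reports) as an added example that is not the manual's own code. A report is paginated with "page n of N" numbering and carries a grand total and a check sum over its lines; the verification step detects a missing page, a report whose contents no longer agree with its check sum, and a total that differs from the control total, and an empty run still produces a nil report. The payees, amounts and page size are constructed.

```python
import hashlib

# Constructed output lines for a payments report: (payee, amount).
REPORT_LINES = [("Alpha Ltd", 120.00), ("Beta plc", 75.50), ("Gamma Co", 300.00),
                ("Delta Inc", 42.25), ("Epsilon", 9.00)]
PAGE_SIZE = 3


def report_checksum(lines) -> str:
    """Check sum over the printed lines, reproduced on the report's last page."""
    text = "\n".join(f"{payee}|{amount:.2f}" for payee, amount in lines)
    return hashlib.sha256(text.encode()).hexdigest()[:12]


def build_report(lines, page_size=PAGE_SIZE) -> dict:
    """Paginate with 'page n of N' numbering, a grand total and a check sum.
    An empty run still produces a nil report so that users notice missing output."""
    if not lines:
        return {"pages": [{"page": 1, "of": 1, "lines": []}], "nil_report": True,
                "total": 0.0, "checksum": report_checksum([])}
    chunks = [lines[i:i + page_size] for i in range(0, len(lines), page_size)]
    pages = [{"page": n, "of": len(chunks), "lines": chunk} for n, chunk in enumerate(chunks, 1)]
    return {"pages": pages, "nil_report": False,
            "total": round(sum(a for _, a in lines), 2), "checksum": report_checksum(lines)}


def verify_report(report: dict, control_total: float) -> list[str]:
    """Output-stage checks: page sequence complete, check sum agrees with the lines
    actually present, and the report total agrees with the pre-input control total."""
    problems = []
    pages = report["pages"]
    expected_of = pages[0]["of"] if pages else 0
    if ([p["page"] for p in pages] != list(range(1, expected_of + 1))
            or any(p["of"] != expected_of for p in pages)):
        problems.append("page sequence incomplete or inconsistent")
    lines = [ln for p in pages for ln in p["lines"]]
    if report_checksum(lines) != report["checksum"]:
        problems.append("check sum does not agree with report contents")
    printed_total = round(sum(a for _, a in lines), 2)
    if printed_total != round(control_total, 2):
        problems.append(f"report total {printed_total:.2f} differs from control total {control_total:.2f}")
    return problems
```

Where one system's output feeds another, the same verification can be run at the receiving end against the control total established before input, which is the transfer control the last paragraph above asks the auditor to look for.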
Master/Standing Data File Controls
Control Objective
Master/Standing Data File controls are meant to ensure the integrity and accuracy of
Master Files and Standing Data.
Risk Areas
Accuracy of data on Master and Standing files is of vital importance to the auditor.
Information stored in master and standing data files is usually critical to the processing
and reporting of financial and operational data. Information on master files can affect
many related transactions and must therefore be adequately protected. Weak controls
over the maintenance of Master/Standing Data Files may lead to:
• unauthorized and uncontrolled amendments to the standing data as well as
Master data files;
• unrestricted and uncontrolled physical and logical access to the application data
files;
• poor documentation of the amendment procedures, etc.
Audit Procedure
Auditors should check the following while examining the system:
• amendments to standing data are properly authorized and controlled;
• the integrity of Master and Standing Files is verified by checking control totals
and periodic reconciliation with independently held records;
• amendment procedures are properly documented and controlled by
management authorization and subsequent review; and
• physical and logical access to application data files are restricted and
controlled.
Specific Control Issues
Organizations, large and small from all over the world, are using networked systems
and the Internet to locate suppliers and buyers, to negotiate contracts with them, and to
service their trades. Uses of networks are multiplying for research, organizational
coordination and control. Networked systems are fundamental to electronic commerce
and electronic business.
End user computing is a comparatively recent practice, and while auditing it an
important consideration is that data processed by end users on their own workstations is
adequately controlled.
End user computing is the ability of end users to design and implement their own
information systems, utilizing computer software products.
Also, several e-Governance projects are being launched by many governmental
organizations for the convenience of citizens transacting with government bodies.
Several control issues have been thrown open by this new area of auditing.
This section focuses on these specific control issues, which cover the following:
• Network controls and use of the Internet, including the risks associated
with networks and network controls.
• End user computing controls, including the risks associated with end
user computing and the associated controls.
• IT Security
• Issues related to Outsourcing

Network and Internet Controls

Control Objective
The majority of systems encountered in medium to large scale organizations use
either local or wide area networks to connect users. The use of networks is increasing
and bringing organizations the following benefits:
• the ability to share data;
• the ability to use and share other peripherals, e.g. printers;
• the ability to leave system administration to a central team;
• allowing users to send almost instantaneous messages, e.g. e-mail;
• allowing users to access the systems from remote locations.
Opening up systems and connecting them to networks is not without its risks. The
network should be controlled such that only authorized users can gain access. Control of
networks is not just about logical access security and keeping out hackers.
Networks are primarily used to transmit data. When data is transmitted, it may be lost,
corrupted or intercepted. There should be controls to reduce all these risks.
The scale of networks is also growing. Recent years have seen the growth of the
Internet, the huge global network which allows millions of users to interact over
communications links. The Internet has brought to light several issues which need to
be addressed before deciding to connect up.
Risk Areas
Networks open up an organization’s computer systems to a wide, potentially
anonymous user base. Where the organization’s systems are connected to networks,
there is potentially a greater risk of unauthorized access by outsiders (hackers) and
non-authorized employees, leading to:
• data loss - data may be intentionally deleted or lost in transmission.
• data corruption - data can be corrupted by users or data errors can occur during
transmission.
• fraud - from internal and external sources.
• system unavailability - network links and servers may be easily damaged. The loss
of a hub can affect the processing ability of many users. Communications lines often
extend beyond the boundaries of control of the organization.
• disclosure of confidential information - where confidential systems such as
personnel, or research and development are connected to networks, there is an
increased risk of unauthorized disclosure, both accidental and deliberate.
• virus and worm infections - worm infections are specifically designed to spread over
networks. Virus infections are very likely, unless traditional protective measures such
as virus scanning are continuously updated. Users tend to scan disks they receive from
external sources but are less likely to scan data received over a network.
• contravention of copyright, data protection (privacy) legislation, due to abuses by
users of data or software available on the network or Internet.
Audit Procedures
Because of the nature of networks, physical access controls are of limited value.
The physical components of the network (wires, servers, communication devices) must
be protected from abuses and theft. However, the organization must place great
emphasis on logical access and administrative controls.
The logical access controls will vary from one organization to another depending upon
the identified risks, the operating system, the network control software in use and the
organization’s network and communications policies.
Before carrying out a review of the organization’s logical access and network controls,
the auditor should review any technical material or publications on the organization’s
systems.
For example, if the IT auditor happens to have a copy of a publication on security and
controls for the organization’s network operating system, he should review it before
visiting the organization’s premises.
Controls which the auditor may encounter include:
1. network security policy: this may be a part of the overall IT security policy.
2. network standards, procedures and operating instructions: these should be
based on the network security policy and should be documented. Copies of the
documentation should be available to relevant staff.
3. network documentation: the organization should have copies of
documentation describing the logical and physical layout of the network, e.g.
network wiring diagrams; for security reasons, these are usually treated as
confidential.
4. logical access controls: these are especially important, and the organization
should ensure that log-ons, passwords and resource access permissions are in
place.
5. restrictions on the use of external links e.g. modems. There may be a weak
link to the organization’s system, especially where the use of modems has
not been approved.
6. where the use of modems has been approved the organization may have
decided to use call back modems. These are modems which only allow
access when they call out. For example, a remote user at home wants access
to the system. He uses his modem to call the office. The office system connects
and asks for an ID code (and password), which the remote user enters. The
office computer then disconnects. If the id code was correct the office
computer dials back on a pre-programmed number, in this example the home
phone number of the remote user. The auditor should note that call back
modems are not foolproof as their controls can be bypassed by call forwarding
and other technical attacks. There are other controls which use a token (an
electronic device with an identification feature) to confirm that the external user
has permission to access the system.
7. The network should be controlled and administered by staff with the
appropriate training and experience. Those staff should be monitored by
management.
8. Certain network events should be automatically logged by the network
operating system. The log should be periodically reviewed for unauthorized
activities.
9. use of network management and monitoring packages and devices: there
are many tools and utilities available to network administrators. They can be
used to monitor network use and capacity. They can also be used to carry
out inventory checks on the software at each end user terminal.
10. access by external consultants and suppliers should be monitored. It may be
the case that the organization has allowed the software supplier a remote access
link to carry out maintenance and bug fixes. The use of this facility should be
monitored and access only given when required and approved. The modem
should only be activated when approval is given by the organization’s
management and disconnected once the assignment is complete.
11. access may be restricted to pre-defined terminals. This may be done via
terminal codes, or the terminal’s network (Ethernet or IP) address.
12. data encryption: In certain circumstances the organization may encrypt data on
the network.
13. use of private or dedicated lines: If the lines are private and dedicated to
network communications there is a lower risk of data interception. Dedicated
lines are also normally able to carry more data and are less likely to result in
data transmission errors, they also cost more.
14. use of digital rather than analog communication links. Digital links tend
to have a higher capacity; they don’t require modems and do not suffer from
digital to analog conversion errors.
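The following is an added example, not part of the manual, showing how the periodic review of network logs called for in control 8 and the terminal restriction in control 11 can be turned into a repeatable check. The log format, the list of approved terminals, the business-hours window and the failure threshold are all assumptions; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample network log (not from any real system); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01 09:02:11 LOGIN user=asmith terminal=T01 result=OK
2024-03-01 09:03:45 LOGIN user=bjones terminal=T02 result=FAIL
2024-03-01 09:03:52 LOGIN user=bjones terminal=T02 result=FAIL
2024-03-01 09:04:01 LOGIN user=bjones terminal=T02 result=FAIL
2024-03-01 13:20:30 LOGIN user=cwhite terminal=T99 result=OK
2024-03-01 23:41:07 LOGIN user=asmith terminal=T01 result=OK
2024-03-02 08:15:00 LOGIN user=bjones terminal=T02 result=OK
"""

APPROVED_TERMINALS = {"T01", "T02", "T03"}   # assumed pre-defined terminals (control 11)
BUSINESS_HOURS = range(8, 19)                # assumed working window, 08:00 to 18:59
FAILURE_THRESHOLD = 3                        # consecutive failures worth a finding

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN "
    r"user=(?P<user>\S+) terminal=(?P<term>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn raw log lines into event dicts; lines that are not login events are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"],
            "terminal": m["term"],
            "ok": m["result"] == "OK",
        })
    return events


def review_log(text, approved_terminals=APPROVED_TERMINALS):
    """Return (finding_type, user, detail) tuples for activity the reviewer should follow up."""
    findings = []
    fail_streak = defaultdict(int)
    for ev in parse_log(text):
        # Control 11: access from a terminal that is not on the approved list.
        if ev["terminal"] not in approved_terminals:
            findings.append(("UNKNOWN_TERMINAL", ev["user"], ev["terminal"]))
        # Successful login outside the agreed working hours.
        if ev["ok"] and ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("OUT_OF_HOURS_LOGIN", ev["user"], ev["ts"].isoformat()))
        # Repeated consecutive failures for one user (possible guessing or a locked-out user).
        if ev["ok"]:
            fail_streak[ev["user"]] = 0
        else:
            fail_streak[ev["user"]] += 1
            if fail_streak[ev["user"]] == FAILURE_THRESHOLD:
                findings.append(("REPEATED_FAILURES", ev["user"], ev["terminal"]))
    return findings


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log this produces three findings: the three consecutive failures for bjones, the login from the unlisted terminal T99, and the late-evening login by asmith. In practice the reviewer would feed the real log file in and adjust the terminal list and hours to the organization's own policy.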
INTERNET CONTROLS
If you need to connect one of your computers directly to the Internet, then the safest
policy is to:
1. Physically isolate the machine from the main information system.
2. Assign an experienced and trusted administrator to look after the
Internet machine.
3. Avoid anonymous access to the machine or, if it must be allowed, avoid
setting up directories that can be both read and written.
4. Close all unnecessary logical ports on the Internet server.
5. Monitor attempts to log in to the machine.
6. Transfer files between the main information system and the Internet
machine only when they have been carefully checked, remembering
that programs can be carried in the body of mail messages.
7. Have as few user accounts as possible on the Internet machine and change
their passwords regularly.
Firewall
Sometimes the business need to connect directly to the Internet outweighs the risks. In
such cases it is usual to construct a “firewall” to help control traffic between the
corporate network and the Internet. Firewalls consist of a combination of
intelligent routers and gateway hosts. A router can be set up to allow only specific
Internet services between the gateway and other specified Internet hosts. Software on
the gateway host may provide additional services such as logging, authentication and
encryption, and packet filtering.
It is possible for an external computer on the Internet to pretend to be one of the
computers on the corporate network. One particular function of the firewall is to stop
any external packets that claim to be coming from the corporate network.
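As an added illustration (not part of the manual), the stateless filter below models the two rules just described: the router passes only specific Internet services between the gateway and named Internet hosts, and any packet arriving from the Internet side that claims a corporate source address is dropped. The corporate address range, the gateway address, the interface names and the permitted host/service pairs are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed corporate network and gateway host (documentation address ranges, not real ones).
CORPORATE_NET = ipaddress.ip_network("192.0.2.0/24")
GATEWAY = ipaddress.ip_address("192.0.2.1")

# Assumed "specific Internet services" the router permits between the gateway and
# specified Internet hosts: (remote host, destination port).
ALLOWED = {
    (ipaddress.ip_address("198.51.100.10"), 25),   # mail relay
    (ipaddress.ip_address("203.0.113.5"), 443),    # partner web service
}
ALLOWED_HOSTS = {host for host, _ in ALLOWED}


@dataclass(frozen=True)
class Packet:
    iface: str   # "ext" = arrived from the Internet, "int" = arrived from the corporate LAN
    src: str
    dst: str
    dport: int


def filter_packet(pkt):
    """Return the filter decision for one packet (simplified, stateless model)."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.iface == "ext":
        # Anti-spoofing: a packet from the Internet can never legitimately carry
        # one of the corporate network's own addresses as its source.
        if src in CORPORATE_NET:
            return "DROP_SPOOFED"
        # Inbound traffic is accepted only for the gateway and only from listed hosts.
        if dst == GATEWAY and src in ALLOWED_HOSTS:
            return "ALLOW"
        return "DROP_POLICY"

    if pkt.iface == "int":
        # Egress hygiene: traffic leaving the LAN must carry a corporate source address.
        if src not in CORPORATE_NET:
            return "DROP_BAD_EGRESS"
        # Only the gateway may talk to the Internet, and only for permitted services.
        if src == GATEWAY and (dst, pkt.dport) in ALLOWED:
            return "ALLOW"
        return "DROP_POLICY"

    return "DROP_POLICY"   # unknown interface: fail closed


# Constructed sample traffic used to exercise the rules.
SAMPLE_PACKETS = [
    Packet("ext", "192.0.2.77", "192.0.2.1", 443),        # spoofed corporate source
    Packet("int", "192.0.2.1", "198.51.100.10", 25),      # gateway to mail relay
    Packet("int", "192.0.2.1", "198.51.100.10", 23),      # gateway, unpermitted service
    Packet("int", "192.0.2.50", "203.0.113.5", 443),      # LAN host bypassing the gateway
    Packet("ext", "203.0.113.5", "192.0.2.1", 443),       # listed host to gateway
    Packet("ext", "203.0.113.99", "192.0.2.1", 443),      # unlisted host to gateway
]


def run_samples(packets=SAMPLE_PACKETS):
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, decision in zip(SAMPLE_PACKETS, run_samples()):
        print(f"{decision:16} {pkt}")
```

A real firewall would also track connection state so that replies to permitted outbound sessions are matched rather than admitted by host alone; the model keeps the anti-spoofing and service-restriction logic visible without that machinery.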
Internet Password Policy
Authentication is the process of proving a claimed identity. Passwords are one means of
authenticating a user. It is fairly easy for an Internet user to disguise their identity and
their location. Stronger forms of authentication based on encryption have been
developed to reinforce the authentication process.
A good password policy can make a significant contribution to the security of
computers attached to the Internet. All the password policies previously mentioned in
this chapter are applicable to systems with Internet connections, e.g. on password
ageing, sharing, composition etc.
If users must log in over the Internet then it pays to use a challenge and response system as
previously described.
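The exchange below is an added example (not from the manual) of the challenge and response idea: the server issues a fresh random challenge, the client answers with a keyed hash of it, and the shared secret never crosses the network. The HMAC construction, the user names and the secret value are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Assumed server side: keeps each user's shared secret and one outstanding challenge."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._pending = {}   # user -> nonce awaiting a response

    def challenge(self, user):
        """Message 1 (server -> client): an unpredictable one-time nonce."""
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        """Check message 2 (client -> server). The nonce is consumed whether or not
        the response is right, so a captured response cannot be replayed."""
        nonce = self._pending.pop(user, None)
        secret = self._secrets.get(user)
        if nonce is None or secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_response(secret, nonce):
    """Client side: prove knowledge of the secret by keying a hash of the challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo():
    shared = b"constructed-shared-secret"      # would be provisioned out of band
    server = AuthServer({"alice": shared})

    nonce = server.challenge("alice")
    response = client_response(shared, nonce)
    first = server.verify("alice", response)            # genuine answer: accepted

    replay = server.verify("alice", response)           # same answer again: rejected

    nonce2 = server.challenge("alice")
    wrong = server.verify("alice", client_response(b"guess", nonce2))   # wrong secret
    return first, replay, wrong


if __name__ == "__main__":
    print(demo())
```

Because each challenge is random and single-use, an eavesdropper who records one exchange learns neither the secret nor a reusable answer, which is the property a plain password sent over the Internet lacks.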
Every file on a computer connected to the Internet should have the minimum read, write
and execute permissions consistent with the way that the file is used. Unix password
files are particularly sensitive as hackers are likely to take copies for later analysis.
Unix passwords are stored in encrypted (one-way hashed) form, but there are readily
available programs that will encrypt a list of words, comparing each result to the entries
in the password file. Since this can be done on the hacker's own machine, it will not
trigger any alarms in the way that multiple unsuccessful attempts to log in should.
This attack is facilitated by the need for the /etc/passwd file to be readable by everyone,
since it is read during the login process. A partial defence is to use shadow password
files and a modified login program. Using this approach the shadow password file can
be protected whilst the /etc/passwd file contains no real passwords. Another defence is
to use a non-standard encryption algorithm.
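An auditor checking the defence described above wants two things confirmed: that the world-readable password file carries no real password hashes (only shadow markers), and that the shadow file itself is not world-readable. The following added example (not from the manual) performs both checks on constructed input; the sample file content and the permission values are made up for the illustration, and a real audit would read the actual files.

```python
# Constructed sample /etc/passwd content (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:ab8kLq3ZmVn2E:1001:1001:Legacy account:/home/legacy:/bin/sh
noauth::1002:1002:Empty password:/home/noauth:/bin/sh
"""

# Password-field values that mean "no hash stored here" in the world-readable file.
SHADOW_MARKERS = {"x", "*"}


def parse_passwd(text):
    """Split passwd-format lines into dicts; malformed lines are kept and flagged."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            entries.append({"lineno": lineno, "user": None, "malformed": True})
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        entries.append({"lineno": lineno, "user": user, "pw": pw,
                        "uid": int(uid), "malformed": False})
    return entries


def audit_passwd(text):
    """Return (line number, user, finding) for entries that weaken the shadow defence."""
    findings = []
    for e in parse_passwd(text):
        if e["malformed"]:
            findings.append((e["lineno"], None, "MALFORMED_ENTRY"))
            continue
        pw = e["pw"]
        if pw == "":
            # An empty field means the account needs no password at all.
            findings.append((e["lineno"], e["user"], "EMPTY_PASSWORD"))
        elif pw not in SHADOW_MARKERS and not pw.startswith("!"):
            # A real hash sitting in the world-readable file defeats the shadow scheme
            # and is exactly what an offline dictionary attack needs.
            findings.append((e["lineno"], e["user"], "HASH_IN_WORLD_READABLE_FILE"))
        if e["uid"] == 0 and e["user"] != "root":
            findings.append((e["lineno"], e["user"], "EXTRA_UID0_ACCOUNT"))
    return findings


def shadow_not_world_readable(mode):
    """True when an st_mode-style permission value grants no access to 'others'.
    The shadow file may be readable by root (and a privileged group) but never by all."""
    return (mode & 0o007) == 0


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    # Constructed permission values: 0o640 is acceptable for a shadow file, 0o644 is not.
    print(shadow_not_world_readable(0o640), shadow_not_world_readable(0o644))
```

On the constructed input the check flags the "legacy" account, whose hash is still stored in the readable file, and the "noauth" account, which has no password at all; "root", "daemon" and "alice" pass because their password fields are only markers. On a live system the same functions would be applied to the real files, with the mode taken from os.stat.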
Encryption
Two forms of encryption are widely used:
1. Symmetric encryption uses the same key for encryption and decryption
2. Asymmetric encryption involves generating a pair of keys which are
known as the public and private keys.
Symmetric encryption is fast but makes key distribution hard whereas asymmetric
encryption is slow but does not suffer from the key distribution problems. A
combination of the two approaches may provide the best solution.