Auditing
Uploaded by pardhasaradhi-ch (Category: Technology)
Transcript of Auditing
http://null.co.in/ http://nullcon.net/
Who am I
null
nullcon
Hackim
Battle UnderGround
Hyderabad Hackers missing two hackers
What are companies worried about?
Confidentiality: Restrictions on the accessibility and dissemination of information.
Integrity: Protecting data from modification or deletion by unauthorized parties.
Availability: Ensures that information or resources are available when required.
A control put into place to mitigate potential loss.
AUDITING: Industry needs it?
Ch. Pardhasaradhi a.k.a. Babloo
AGENDA
What is Auditing
Types of Auditors
Audit Planning
Audit Classification
Practical Examples
Phases of the Audit Process
Security Policy
Auditing
An audit is an evaluation of an organization, system, process, project or product.
It is performed by competent, independent and objective persons, known as auditors, who then issue a report on the results of the audit.
Who is responsible?
Formerly called an Electronic Data Processing (EDP) audit.
Types of auditors
There are two types of auditors:
Internal Auditors: These are employees of a company hired to assess and evaluate its system of internal control.
External Auditors: These are independent staff assigned by an auditing firm to assess and evaluate the financial statements of their clients or to perform other agreed-upon evaluations.
PHASES OF THE AUDIT PROCESS
Subject: Example - an area, department, or entity.
Objective: Determine the audit objective or purpose. Example - are you going to audit the source code, the firewall services, or a security policy?
Scope: Typically associated with scope is how much time you are going to take for this audit.
Pre-audit planning: Identifying the needs.
AUDIT PLANNING
Gather Information
Identify Stated Components
Assess Risk
Perform Risk Analysis
Conducting Internal Control Review
Set Audit Scope and Objectives
Develop Auditing Strategy
Assign Resources
Audit Classifications
Financial
Operational
Integrated
Administrative
Info Systems
Specialized
Forensics
Security Policy
Security policies are a special type of documented business rule for protecting information and the systems which store and process that information.
Types of Policies
Regulatory: Those enforced to meet legal compliance.
Advisory: Define a required behavior, with sanctions.
Informative: Policies that are not enforceable, but can be regulated.
Gather Information
Touring the key organization facilities
Looking at the physical infrastructure
Reading up on background material:
Publications from the industry
Annual reports
Semi-annual reports
Independent financial analysis reports
Short-term and long-term strategic plans
Interviewing key personnel: key decision makers, the CIO, key managers
Identify Stated Components
Understand business issues
Understand business needs
Review prior audit reports, if any
Assess Risk
Risk is the potential that a given threat will exploit vulnerabilities of an asset to cause loss or damage to the assets.
Risk Analysis
A technique for identifying and assessing factors that can harm a process or goal.
Risk analysis (RA) involves implementing preventative measures to avert the negative impact of incidents.
Assets at risk are of two types:
Physical assets: An item of economic, commercial or exchange value that has a tangible or material existence. Ex: physical location, physical assets.
Information assets: An information asset is a definable piece of information, stored in any manner, which is recognized as 'valuable' to the organization. Ex: IP and data.
Conducting Internal Control Review
There are two types of control evaluations:
Alternative Internal Control Review (AICR)
Internal Control Review (ICR)
AICRs and ICRs have the same goal: assessing a component's control system effectiveness.
AICRs and ICRs also share common elements. Both types of reviews consist of the following steps:
1. Identifying what might go wrong (risk)
2. Comparing control systems to the GAO control standards
3. Testing control techniques
4. Documenting the evaluation
5. Planning corrective actions
6. Reporting the results
Set Audit Scope and Objectives
Develop Auditing Strategy
Auditing Standards and is widely applied by auditing firms. The assessment of inherent and control risk as less than high and the performance of a lower level of substantive procedures involves considerable judgment and entails a degree of risk.
Independence
Staffing and training
Relationships
Due care
Planning, controlling and recording
Evaluation of internal control System
Reporting and follow up
Assign Resources
Achievable
Implemented
Long term Plans
Preliminary Access
Contingency Allowances
Auditing in practice with some software tools
MBSA
Log Parser
Event Viewer
Event tracker
Group Policy Editor in Windows
gpedit.msc is only available in the Windows 7 Ultimate, Professional (formerly Business) and Enterprise editions, and not in the Windows 7 Home Premium or Home Basic editions.
gpedit.msc
• Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
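As an added example, not part of the original slides, the PowerShell script below checks the effective local audit policy behind the gpedit.msc path above against a reviewer's baseline. It reads the settings with auditpol.exe's CSV report; the baseline list of subcategories and expected settings is this example's own assumption, not a standard from the talk.

```powershell
# Added example: compare the effective local audit policy with a reviewer baseline.
# Run from an elevated prompt; auditpol.exe ships with Windows Vista and later.

# Baseline an auditor might expect (assumed for this example; adjust to your policy).
$Baseline = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Special Logon'             = 'Success'
}

function Get-EffectiveAuditPolicy {
    # "auditpol /get /category:* /r" prints CSV with the columns:
    # Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting
    & auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
}

function Test-Covers([string]$Actual, [string]$Expected) {
    # 'Success and Failure' satisfies an expectation of 'Success' or 'Failure';
    # 'No Auditing' satisfies nothing.
    foreach ($part in ($Expected -split ' and ')) {
        if ($Actual -notmatch [regex]::Escape($part)) { return $false }
    }
    return $true
}

function Test-AuditPolicyBaseline([hashtable]$Expected) {
    $actual = @{}
    foreach ($row in Get-EffectiveAuditPolicy) {
        $actual[$row.Subcategory] = $row.'Inclusion Setting'
    }
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $got = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $got
            Finding     = if (Test-Covers $got $Expected[$name]) { 'OK' } else { 'GAP' }
        }
    }
}

Test-AuditPolicyBaseline $Baseline | Format-Table -AutoSize
```

The Audit Policy node in gpedit.msc sets the nine legacy categories, whereas auditpol reports the effective per-subcategory settings, which is what a reviewer should record as evidence.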
Some certification references
ISO 27001
CISA (ISACA community https://www.isaca.org/, Hyderabad Chapter http://isaca.org.in/)
CISSP (ISC2 https://www.isc2.org)
GSNA (GIAC Systems and Network Auditor http://www.giac.org/certifications/audit/gsna.php)
References
CISSP Guide
Wikipedia
Google