
ICAI - WIRC
January 21st, 2012

Auditing the Automated Environment: An increasing need for & Trends in IT Audits around the world

Presented by: Sandeep Gupta, Managing Director

© 2012 Protiviti Consulting Pvt Ltd.

CONFIDENTIAL: This document is an Educational document for ICAI –WIRC 2012 seminar. Not be copied or distributed to any third party for commercial purposes.

Agenda

1. A look at the automated environments
2. Risks in automated environments
3. Auditable areas in IT
4. Trends in Auditing IT
5. Case on IT audit


1. A look at the automated environments


Why do businesses go for automation?

Goals for automation:

• Reduce control failures and compliance burdens
• Increase audit efficiency and effectiveness
• Improve the quality of business data
• Better leverage of already acquired applications and tools
• Sustainability, reduction in costs, and improved value to the organization


Which processes have been impacted by automation?

• Procure to Pay
• Order to Cash
• HR / Payroll
• Fixed assets
• Facilities / Infrastructure
• Customer Care


How has automation affected business processes?

“You can no longer separate, or in some places differentiate, between manual and automated parts of business processes.”

Process Cycles (end to end processes):

• Procure to Pay
• Plan to Produce
• Order to Cash
• Hire to Retire
• Accounting & Compliance


Automation is good... But does it work? Where do things go wrong?

The Reality:

• Budgets for compliance are shrinking
• Due to shrunken budgets, software implementations are done in a limited sense, with less focus on automating controls
• End users are not adequately trained
• Due to the complexity of the application, the software controls to be implemented are not adequately designed
• Due to the complexity of the applications, the potential for risk from an audit perspective cannot be ascertained

Automation has its fair share of risks along with the benefits it offers.


2. Risks in automated environments


Impact of automation on business processes & risk management

By-products of automation:

• Voluminous transactions and data
• Different ways of carrying out transactions on business applications (e.g. ERPs, CRM, billing systems)
• Automation of person-based transaction authorizations
• Specialized knowledge required for operating some applications (e.g. ERPs, CRM, billing systems)

Resulting risks and probable negative outcomes:

• Inaccurate data for business decision support
• Transaction errors
• Configuration errors
• Misuse of authorizations
• Override of application level controls
• Unauthorized transactions
• Inaccurate business performance information


How do risks crystallize in the process environment

• Transactions (CCM-T): “Did anyone __________?”
• Master Data (CCM-MD): “Is the underlying data accurate?”
• Access to Applications (CCM-SOD): “Can anyone __________?”
• Configuration of IT Systems & Processes (CCM-AC): “Do our systems allow anyone to __________?”

• Are we making unnecessary or unapproved discounts?
• Are purchasing cardholders violating company policy?
• Am I losing money because of fraud?
• Have any POs been changed after approval?
• Are people making unauthorized or incorrect manual entries to the GL?
• Are system configuration changes exposing me to risk?
• Is anyone manually clearing blocked invoices?
• Are we making duplicate payments?
• Are we misclassifying assets as expenses?
• Are we at risk of an audit finding for user access?
• Can users access sensitive information?
• Are my POs missing based on accurate vendor master data?


How do IT risks affect business environments?

• Confidentiality loss: business sensitive data is known to competitors (e.g. loss of bid information)
• Integrity loss: inability to take accurate business decisions (e.g. wrong product costing/pricing)
• Availability loss: inability to transact business in a timely manner (e.g. outage of systems used for trading)
• Efficiency loss: inability to transact business in a cost effective manner (e.g. excessive cost of customer service)
• Effectiveness loss: inability to transact business in an effective manner (e.g. delayed customer order processing)


How do you look for IT risks?

Risk = anything that is likely to affect business objectives

Protiviti Technology Risk Model (TM):

• Business control objectives
• Business KPIs
• IT processes
• IT infrastructure


How to assess/gauge IT risks – the risk assessment process

• Broadly, the risk assessment process to be done by management should be a part of the enterprise risk assessment process
• The process of assessment remains the same, but with special consideration of the following factors, which change the methodology for assessment:
  • Criticality of the system (applications and supporting infrastructure) to business operations
  • Impact of the system on financial reporting
  • Importance of the systems from a business decision making perspective

Process steps:

• Understand business environment
• Create/revisit risk universe
• Identify risk existence & levels
• Identify control existence & maturity
• Assess residual risk & design mitigation plan


Sample : a risk assessment methodology for IT Security related risks

Source : NIST, USA


How are organizations managing IT Risks

• Organizational measures
• Technology measures


How are organizations managing IT Risks globally?

IT Governance Framework
• Creating IT policies, processes & procedures compliant with global standards like COBIT, ISO 27001, ISO 20000

IT Organization
• Recognizing IT as not just a business enabler but a business driver
• Creating a formalized IT organization with a charter to guide in governance
• Creation of specialized risk management positions such as CISOs

IT Governance Monitoring
• Creating, implementing and monitoring SLAs and IT operational KPIs


How are organizations managing IT Risks

Risks: confidentiality risk; integrity risk; availability risk; effectiveness & efficiency risk

Infrastructure layers: network infrastructure; server & end user computing infrastructure; ERP applications

Tools and measures shown:

• Network management tools
• VA scanners
• Anti-virus
• Data leakage prevention
• Disk encryption
• Network resilience
• GRC tools
• Resilience: hot standbys
• Data backups and hot standbys


Case Study: Organizational measures in an India-based power, construction conglomerate


Case Study: Organizational measures in a US based pharmaceutical company


© SAP 2007, 071203_PnT_Team_Update, CSG/19

Case Study: SAP GRC, a tool for ERP risk management

SAP Solutions for GRC

Diagram layers: Business Process; Business Process Platform; Business Applications

• Cross-Industry GRC: Access Controls, Global Trade, Environment, Process Controls, Risk Management
• GRC Repository: Documentation and Monitoring
• Industry-Specific GRC

• Delivers transparency to balanced global risk profile
• Standardizes on common GRC content and rules
• Automates and embeds GRC processes into business processes
• Integrates with existing IT assets and technology partners
• Enables easier collaboration with service and content partners


Case Study: SAP GRC, a tool for ERP risk management

Role of the process control module in SOX:

• Document: Assessment surveys / Test plans. Content Management: provides a formalized framework to document the risk and control environment.
• Test: Automated control testing. Workflow: automated testing along with workflows for manual test plans.
• Monitor: Base-lining / Scheduling. CCM: automatically identify and prioritize issues, and document resolution.
• Certify: Certifications. Workflow: indicates management acceptance of control status, and provides accountability for the status of controls.


Case Study: Oracle GRC, a tool for ERP risk management

Audiences shown: CEO, Financial Community, Stockholders; CxO; Business Manager; Internal Auditors; Application Manager; IT Manager

• Oracle GRC Intelligence (Indicators, Attestations, Alerts, Dashboards): visibility to enterprise GRC status; role-tailored analysis; flexible ad hoc reporting
• Oracle GRC Manager (Audit Management, Assessment, Issues & Remediation, Event & Loss Management, Risk and Control Frameworks): data repository; GRC system of record; end-to-end GRC process mgmt
• Oracle GRC Controls (Configuration Controls, Transaction Controls, Access Controls): continuous monitoring of access, policies & controls; preventive and detective controls; controls risk monitoring
• Technology Controls Management (Information Security, Records & Digital Rights, Configuration Management, Identity Management): information security; enterprise access provisioning; IT configuration management

Diagram side labels: Financial Compliance; IT Governance; Environmental Health; Risk Management; Utilities & Energy; Communications; Retail & Consumer Goods; Corporate Responsibility; Life Sciences; Financial Services

Partners provide expertise and specific solutions for industry & regulatory requirements.


Significance of IT Risk management measures to auditors

How an organization manages IT risk determines what is to be audited!

With the increase in automation, the need for IT audit to take a larger share of the internal audit pie is greater than ever!


3. Auditable areas in IT


Broad categorization of auditable areas in IT

• IT General Process & Controls
• ERP Process & Controls
• IT Security Process & Controls


Which audit areas should you look at in IT General Process & Controls?

Protiviti IT Process & System Component View (TM)


Which audit areas should you look at in ERP Process & Controls?

Protiviti ERP Component View (TM)


Which audit areas should you look at in IT security?

• Configuration management
• Patch management
• Access management

• System software
• Network architecture
• Devices
• Application software


4. Trends in Auditing IT


Deciding how much to audit in IT

Achieving balance with the right focus involves approaching audit planning and execution as a two-step process.

• The development of an appropriate IT audit plan takes into account the organization’s:
  - Overall risk assessment from its use of technology
  - As well as which technology components should be addressed to mitigate the areas of highest risk


Global trend on indicative areas of IT audit on an industry scale

[Chart: weightage for area of audit (High / Medium / Low) by industry. Industries: IT/ITES, BFSI, Manufacturing, Telecom, Construction. Audit areas: Physical security, Logical security, Legal Compliance, Network security, BCP DR, HR Security, Data mgt., Change mgt., IT Asset mgt., IT Vendor mgt.]


How do IA departments deal with IT Audit?

Audit Planning

• Risk assessments/surveys are done by IA departments jointly for both IT and process areas to ensure a wholesome risk assessment rather than a silo based risk assessment.
• Audit planning is in most cases done separately for ITGC, on a separate calendar
• Audit planning for ERP Audits is usually clubbed


How do IA departments globally deal with IT Audit?

Audit Execution

• ITGC audits in most global entities are performed at one stretch, i.e. the areas are not broken into smaller audits, for the following reasons:
  • Various areas of internal audit are highly interlinked; mitigating controls for a risk in one process may lie in another process.
  • IT is looked upon as a support function as a whole, and an audit of ITGC at one go would give a clearer picture of the efficacy and maturity of the function.
• ERP audits are clubbed alongside process audits in order to get a full assessment of the process related control environment, i.e. both manual and automated.


How do IA departments staff IT Audits?

IT General Process & Controls
• In most companies it is done by external consultants with specialized knowledge.
• For multinational companies in the BFSI and ITES space it is done by internal teams.

ERP Process & Controls
• In 70% of the companies it is done by external consultants.
• For multinational companies that have large ERP implementations it is done by a core ERP team.

IT Security Process & Controls
• In the BFSI, IT and ITES segments, 80% of the companies have their own IT Audit teams.
• 40% of companies having an extensive multinational presence have a skeletal IT Audit


Training the audit team for IT Audit: best practice training/deployment schema for various types

Level of audit: technical & functional; operational

Auditor and training overview:

• ERP Auditors: ERP security training; focused ERP module level training; end user training
• ITGC Auditors: basic ERP security training; ITGC audit; ERP end user training
• Business Process Auditors: basic ITGC training; ERP end user training


Question: But is IT Audit as complex as it is made out to be?

Answer: IT Audit is reasonably complex, as it requires a blend of technical knowledge, auditing skill and risk management knowledge to effectively deliver an IT audit.

Example of how an access management review for IT infrastructure entails reviews at multiple levels (multi-level review):

• Application level
• Application server OS level
• Database level
• General OS level
• Network device level


5. Case Study on IT Audits


User Access Management review and Password Policy Management Reviews at an OS Level

Review at an OS level involves the detailed analysis of the various users having access to the OS. Different servers in an IT environment can have different OSs:

• AIX
• Windows Server
• Solaris
• UNIX

What do we look at:

• User access privileges
• Password policy management


User Access Management review for AIX OS

What to typically look at during an AIX review:

A list of users is generated from the OS with their details, like Userid and Groupid. The aim is to find out the number of users having root level privileges with Userid 0.


Password Parameters for AIX Servers

What to typically look at during an AIX review:

Settings which are potentially dangerous, such as the minlength parameter being set to less than 8.
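The two AIX checks described on the slides above (accounts with Userid 0, and a minimum password length below 8), sketched as an added example that is not part of the original presentation. It assumes the standard AIX layouts of /etc/passwd and the stanza-format /etc/security/user, where the length attribute is named minlen and a user's own stanza overrides the default stanza; the sample files and account names are constructed.

```sh
#!/bin/sh
# Added example: two AIX account-review checks run on constructed sample files.

# List accounts whose UID (third field of a passwd-format file) is 0.
uid0_users() {
    awk -F: '$1 !~ /^#/ && NF >= 3 && $3 ~ /^0+$/ { print $1 }' "$1"
}

# Print "user minlen" for accounts whose effective minlen is below a threshold.
# Usage: weak_minlen PASSWD_FILE SECURITY_USER_FILE [THRESHOLD, default 8]
weak_minlen() {
    awk -v thr="${3:-8}" '
        FILENAME == ARGV[1] {            # stanza file (AIX /etc/security/user layout)
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "" || line ~ /^\*/) next        # blank line or "*" comment
            if (line ~ /^[^ \t=]+:$/) {                 # stanza header, e.g. "root:"
                stanza = substr(line, 1, length(line) - 1); next
            }
            if (split(line, kv, /[ \t]*=[ \t]*/) == 2 && kv[1] == "minlen")
                minlen[stanza] = kv[2] + 0
            next
        }
        {                                # passwd-format file
            if ($0 ~ /^#/ || split($0, f, ":") < 3) next
            # A user stanza overrides "default"; an unset minlen counts as 0.
            if (f[1] in minlen)            eff = minlen[f[1]]
            else if ("default" in minlen)  eff = minlen["default"]
            else                           eff = 0
            if (eff < thr + 0) print f[1], eff
        }
    ' "$2" "$1"
}

# Constructed sample data (hypothetical accounts, not from any real server).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
dbadmin:!:0:0:constructed second UID 0 account:/home/dbadmin:/usr/bin/ksh
jsmith:!:205:1::/home/jsmith:/usr/bin/ksh
batch01:!:310:1::/home/batch01:/usr/bin/ksh
EOF
cat > "$SAMPLE_DIR/user" <<'EOF'
* constructed sample in /etc/security/user stanza format
default:
        admin = false
        minlen = 8
        maxage = 13

root:
        admin = true
        minlen = 14

batch01:
        minlen = 5
EOF

echo "Accounts with UID 0:"
uid0_users "$SAMPLE_DIR/passwd"
echo "Accounts with effective minlen below 8:"
weak_minlen "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/user" 8
```

For a real review, pass the server's /etc/passwd and /etc/security/user in place of the sample paths; any UID 0 account other than root and any account listed by the second check is a finding to follow up.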


User Access Management review

What constitutes a good auditing policy in Windows OS:

• Audit account logon Details
• Audit Account Management
• Audit Directory Service Access
• Audit Logon events
• Audit Object Access
• Audit Policy Change
• Audit Privilege Use
• Audit Process Tracking
• Audit System Events


User Access Management review in Windows Server 2003 OS

For user access management in Windows, from the sample machine traverse to the GP Editor and navigate to the shown pane/properties.


User Access Management review: Windows Server 2003 OS

What will we look at?

• Enforce password history
• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity
• Store passwords using reversible encryption


Password Setting Review: Windows Server 2003

For user access management in Windows, from the sample machine traverse to the GP Editor and navigate to the shown pane/properties.


User Access Management review in ERP System (SAP)

Table USR02 in the SAP system is used to store all the user identities and passwords. This is also called the SAP user master record.

SU01, SU02, SU03 tables are used to provide information about users, profiles and authorizations.

Using this we are able to detect users with weak password settings, excessive transacting rights and conflicting roles.


Conclusion

With the fast-growing evolution of IT and the ease of executing transactions, risk levels have reached an all-time high.

In order to ensure an effective audit and risk management function at a global level, it is imperative that CAEs start looking at enhancing the reach of IA to relevant IT processes.
