Audit Plan

May 01, 2017

MehakKapoor

FOR STUDENTS: (for private circulation among students of SCIT only. IPR issues involved; must not be sent in any form to outsiders)

IT audit is not an isolated discipline; it is derived from the general principles of auditing. However, due to the nature of this technology and its practice in the industry, IT auditing has taken on some different flavours, and the recent framework is the outcome of the standards and guidelines enunciated by ISACA and COBIT. Thus IT auditing starts with an audit plan, and in brief the main sections in the IT audit planning process are:

Audit plan

Audit start-up: The preparation before commencing an audit involves collecting background information, such as: What is the business? How is IT associated with and aligned to the business processes? This is an audit of IT in its various aspects, covering certain depths and dimensions of the technological issues as per the business objective; thus a certain amount of detail is also covered in checking the various controls in the IT infrastructure. This calls for audit staff with the right kind of skills to be allotted to the right assignment.

Audit process: The audit process is actually the broad outline of IT auditing. The main items in this process are the following:

1. Pre-audit planning: Before the actual audit plan is charted, it is the practice to gauge the extent of the work and outline it. This involves first of all the acceptance of the audit task and the issue of the engagement letter. Further, at this stage the auditor decides the team and the skill set needed.
2. Planning: As is evident, the step after pre-audit is the detailed audit planning. This involves deciding the audit phases and the approach for risk-based auditing, deliberating over materiality and misstatement, and thus arriving at an audit strategy.
3. Execution: This is the phase for the detailed audit work: developing the audit program and procedures, gathering data, checking the controls, and ensuring the quality of the audit and the reliability of the data by proper supervision.
4. Reporting: Audit reporting is a skilful completion of the entire set of checks and the survey. One of the greatest concerns of the auditor is the quality of the audit. There should not appear any slip-up in the checks, nor any compromising of the ethics and independence of the auditing standards. The report highlights the scope for improvement and, in the case of a security audit, it must point out the various risks that loom over the IT set-up.

The diagram below depicts the audit process in broad steps of activities.

At the base of all these audit activities rests the fundamental IT audit maxim, that is: i) The auditor obtains and evaluates evidence. ii) The auditor assesses the reliability and sufficiency of the information contained in the underlying records and other source data.

The evidence is obtained and evaluated by the auditor with regard to the assertions about IT controls and processes. Below is a clip-art based depiction of this maxim:


Apart from data gathering, the audit process takes recourse to preparing the checklist for auditing the various IT activities: identifying the assets such as processors and storage systems, software, hardware, network equipment, etc., identifying the risks, and accordingly preparing the questions.

Analyzing the checklist: The auditors analyzed the checklist, reviewed the answers, went back again for discussion on the discrepancies, identified the potential threats and risks, and removed redundant questions or questions not pertaining to the lab, as it is a small-scale institution.

Preparing the recommendations: After a thorough review of the flaws, recommendations were made.

Consider internal control: To develop an understanding of the internal controls, the auditors considered information from previous audits, the assessment of inherent risk, judgments about materiality, and the complexity of the organization's operations and systems.

Performing audit procedures: Audit procedures are developed based on the auditor's understanding of the organization and its environment.

Issue the audit report: This calls for skilful writing of all the observations and comments made on each of the audited items. The security aspect must be highlighted, going beyond what is installed/practised to what is desirable in the interest of the company's business objective.

--------------------------------- xxxxx----------xxxxx--------------xxxxx------

Risk-based auditing (this is not a method but an approach): Though risk-based auditing has been confined largely to financial auditing, this approach is equally applicable in IT auditing. It is necessary to gather information on the business and the extent of IT alignment to the business processes. This enables the auditors to frame the auditing strategy. The main purpose is to identify the areas on which to focus concentrated audit effort because of inherent and control risks. As in financial audit, "materiality" needs to be coupled with the possibility of misstatement, and is hence an indicator of risky information. Risk-based auditing is associated with four types of risk, viz. inherent risk, control risk, detection risk and audit risk (quality of audit). Inherent risk may be viewed as the risk the organization faces without mitigating controls.

In short, IT auditors review the risks relating to IT systems and processes, including:
i) Inadequate information security (e.g. missing or out-of-date antivirus controls)
ii) Inefficient use of corporate resources, or poor governance (e.g. spending heavily on unnecessary IT projects)
iii) Ineffective IT strategies, policies and practices (including a lack of policies, etc.)
iv) IT-related frauds (this strictly comes under cyber security)

Benefits of a risk-based audit approach: In a risk-based audit approach the focus of the audit is on the controls whose infirmity can cause financial loss or operational hazards in the IT set-up, and on the actions initiated by management consequent to the audit report. Prior to the audit, the level of assurance needed in the significant audit areas is determined. Thus the emphasis on detailed audit checks reduces risk through the mitigating actions initiated by the management. Result: the auditor performs a MORE EFFECTIVE and EFFICIENT audit, focused on the higher-risk areas.

----------xxxxx---------xxxx--------xxxx------

On infrastructure audit:

The scope of IT auditing of infrastructure encompasses many facets, but it mainly covers:
a) Review of management control
b) Access control
c) Application control
d) Database control
e) Network control
f) BCP and DR review
g) IT security

It has been mentioned earlier that the preparation before commencing any audit plan involves:
• collecting background information, viz. What is the business?
• How is IT associated with the business processes?
• The IT infrastructure: the architecture at enterprise level, the layout at the units, and the piecemeal details.

IT infrastructure audit: The business objective determines the details and depth of the IT infrastructure audit. The business stake would be the final criterion. A company in the SME sector would be happy to audit at the summary level of all the IT infrastructure items, whereas in the audit of a mega corporate it is the practice to go into the details of each item, such as each and every entity of network equipment, their operations and maintenance controls, licence issues and so on; such audits need to go into far more detail. A question may arise: why audit infrastructure? The answer to this, in summary, is:

- Since it involves large investment, naturally the management needs to know how it is managed.
- Whatever the applications of IT, the infrastructure is at the base of most of the technology and is the "common denominator"; everything rests on this platform.
- For the enterprise it is the infrastructure which "connects to the world"; without a solid infrastructure there would be loss of revenue on e-commerce.
- Besides, on the security aspect, the organization could be susceptible to various attacks such as denial of service, etc.
- Last of all, the business requires resilience, reliability and business continuity.

Nevertheless, there are some standard requirements of an IT infrastructure from the audit point of view; we may call them basic needs. In summary they are:

- The 'functional space': safe and secure, for locating mission-critical equipment
- All of it should be tuned for high availability (HA)
- The support facilities should be reliable, viz. the power supply should be adequate, steady and ripple-free; the environment control (HVAC), cooling, fire protection, etc. should be state-of-the-art
- Excellent communication facilities for inside users and the outside world (broadband, LAN, voice)

The diagram below depicts these requirements of an IT infrastructure.

Page 6: Audit Plan

Typical requirements of an IT infrastructure

IT infrastructure may be classified under three major components, namely the Site, the Data Centre, and Support and Facilities.

The data centre is the most elaborate and intricate layout in the IT infrastructure. The focus of auditing a centre is to check whether the following are pursued or not:
• The objective of the data centre is to align IT activities with the goals of the business while maintaining the security and integrity of critical information and processes.
• To adequately determine whether or not the client's goal is being achieved, the auditor should perform the following before conducting the review:

Each of them (the site, the data centre and the facilities) has several components, each of them important for smooth functioning and for ensuring high availability. (For our course we select only some of them.) The main areas from the IT audit point of view are:
- The audit of the site
- The server and OS audit
- The audit of the network
- Storage and database audit
- Audit of hardware and peripherals
- Audit of support and facilities
- Audit of admin-related matters


The site audit is mostly physical and confines itself to the examination of the controls relevant to the IT infrastructure site, checking the process of collecting and evaluating evidence that the controls are effective. For example: perimeter control checks, access control checks, support and facilities monitoring checks. On some details: what do we see in a data centre (for auditing them)?

- Signage: the necessity is felt at the time of any rescue operation
- Entry gate/door: should be a single entry
- Access system: controlled or manual
- Environmental control (HVAC)
- Power supply (UPS)
- Roles and responsibilities of the personnel working at the network centre, and their training
- Emergency response system and procedure (BCP and DR, if they exist)

A schematic diagram of the important functional entities of IT Infrastructure for audit

In the above diagram the bottom portion shows security audit. This is meant to show that all the above units also have security features that need to be audited.


Having described briefly the auditing of the site, we now briefly take up the auditing aspects of some of the other important functional entities of the IT infrastructure.

Server audit: It is important that the auditor knows something about the server and the OS. Usually people take the OS as a black box and the server as a peripheral (a collection of processor, memory, I/O units and communication cards). However, there are several other aspects. The audit starts with checks of the pre-installation settings against the current status. Check the evidence of how these settings were reconfigured, the recording of the authorization, etc. The next important thing to check is the server log. The log gives a hoard of information on the server's operation. Besides these, the auditing covers the following:

- Server type and its role in the enterprise (viz. desktop, distributed processing, client-server, web server, real-time mainframe)
- Types of OS on the different server(s)
- Configuration: how it is authorized and recorded
- Memory management: ditto
- File management: ditto
- Security features
- Password management
- Audit trail reading
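The first server check above, comparing the pre-installation settings against the current status and looking for authorization evidence for each reconfiguration, can be automated. The following Python script is an added worked example and not part of these notes: the setting names, the baseline values, the current values and the change-authorization register are all constructed for illustration and stand in for whatever the audited server's hardening baseline and change records actually contain.

```python
"""Configuration drift check for a server audit (added example).

Compares a recorded baseline with the live settings and classifies each
difference by whether the change register holds evidence authorizing it.
All data below is constructed; the setting names are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed baseline: the settings recorded at (pre-)installation time.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "ntp.server": "ntp.example.internal",
    "password.max_age_days": "90",
}

# Constructed current state, as an auditor might collect it from the host.
CURRENT = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "yes",    # changed, no authorization record
    "auditd.enabled": "yes",
    "ntp.server": "ntp2.example.internal",  # changed, authorized below
    "password.max_age_days": "90",
    "ftp.enabled": "yes",                   # not in the baseline at all
}

# Constructed change-authorization register: one entry per approved change.
AUTHORIZED_CHANGES = [
    {"setting": "ntp.server", "new_value": "ntp2.example.internal",
     "ticket": "CHG-0042", "approved_by": "infra-manager"},
]


@dataclass
class DriftReport:
    authorized: list = field(default_factory=list)    # drift with evidence
    unauthorized: list = field(default_factory=list)  # drift without evidence
    missing: list = field(default_factory=list)       # baseline key absent now
    extra: list = field(default_factory=list)         # key not in the baseline


def compare_to_baseline(baseline, current, authorized_changes):
    """Classify every difference between the baseline and the live settings.

    A difference counts as authorized only when the register records the
    exact setting *and* the exact new value; a ticket that approved some
    other value is not evidence for the value actually found on the host.
    """
    approved = {(c["setting"], c["new_value"]): c for c in authorized_changes}
    report = DriftReport()
    for key, expected in baseline.items():
        if key not in current:
            report.missing.append(key)
            continue
        actual = current[key]
        if actual == expected:
            continue
        entry = {"setting": key, "baseline": expected, "current": actual}
        change = approved.get((key, actual))
        if change:
            entry["ticket"] = change["ticket"]
            report.authorized.append(entry)
        else:
            report.unauthorized.append(entry)
    for key in current:
        if key not in baseline:
            report.extra.append({"setting": key, "current": current[key]})
    return report


if __name__ == "__main__":
    r = compare_to_baseline(BASELINE, CURRENT, AUTHORIZED_CHANGES)
    for label, items in (("AUTHORIZED", r.authorized), ("UNAUTHORIZED", r.unauthorized),
                         ("EXTRA", r.extra), ("MISSING", r.missing)):
        for item in items:
            print(f"{label:12} {item}")
```

The unauthorized and extra buckets are the audit findings: a setting that moved away from the baseline without a matching ticket, or a service present on the host that the baseline never recorded, are exactly the cases where the auditor should ask for the authorization evidence the notes refer to.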

With the current trend of virtualization of the server, an additional audit feature would be the management of the virtualized servers, the management of

Network audit: The audit focus in the network is mainly on three aspects, namely the availability of the network, access (secured and controlled) and the interception capability (against viruses, intruders, etc.). For this, the audit activities begin by auditing the overview of the computer networks. This mainly contains:

- Reviewing network policies and operating procedures
- Reviewing the network diagram, the list of equipment and IP addresses, and the cabling details
- Risk identification and prioritization
- Breaking the network into manageable pieces
- Understanding every element of the network and the risk associated with it
- Checking trouble reports and helpdesk logs

Even though the network is segmented into "manageable pieces", the audit activities in network auditing can be classified as under:

- Physical: environment, site, layout and installation, cabling (connection and termination)
- Operational: policy, configuration management, parameter settings of all network equipment
- Maintenance: policy and procedure (both operational and support facilities)
- Security: physical, network access, intrusion detection

Auditing the physical aspects of the network involves checking the following:

(i) Location: proper as per recommendation or not
(ii) Life: beyond certified life or not
(iii) Operations manual: exists or not
(iv) Layout/connectivity diagram: exists or not
(v) Numbering tags on cables: exist or not
(vi) Surrounding environment of the network centre: check whether it is a sensitive area, flood-prone or not, the fire-fighting system, the electrical system, etc.
and many other details.

Auditing the operational aspects of the network

Network topology and physical infrastructure documentation, diagrams, etc. Network wiring is installed in a structured manner and is well labelled. Network addresses and names are assigned in a structured manner and are well documented.

Items calling for configuration change: is there a procedure for operations? Guidelines and operating manuals: documented? Escalation matrix: available?

On operations and control, the following must be checked for evidence:
a) Identifying the functional units in the network that call for regular operations
b) Configuration management: whether a policy exists, and whether changes are made only by authorized persons
c) Port identification: labelling and tags
d) Routine checks and performance monitoring: a policy, and adherence to procedures
e) Network log: reading and follow-up
f) Service interruption log: available?
g) Contingency plan in the event of any unit being down
h) Network availability
i) Fault reporting: procedures for rectification, whether they exist or not
j) Firmware: latest version, licence renewal

Above are the general auditing aspects of the network. However, there are other details in the network from the auditing angle: the auditing of the various independent functional units which are vital for network availability and performance. The list below identifies them.


While auditing the network it is recommended to carry out specific audits of the following network systems:
a) Firewall
b) Router
c) Switches
d) SNMP operation
e) ISP connectivity points and routing
f) Servers' connectivity over LAN/WAN
g) Security of the access points for the WAN

Audit of storage and database: The auditing of the storage area in a simpler lab is that of ensuring the regular back-up of data from the different servers, checking the count of records copied onto the mass storage, tallying the counts of files, the data volume, etc. However, in modern storage such as a SAN these things are automatic and the auditing scope is limited to glancing over the log outputs. The audit of the database, on the other hand, calls for more attention. Basically it involves the following checks:

The audit log: This is the most accurate source of events, because it is the database that acts as the arbiter to ensure transactional consistency and data integrity. The auditor decides: "What sort of activity should I look for? What sort of things can a database audit file tell me?"
Metadata changes: This is another vital area in DB auditing. Here, changes to the database structure alter system function and offer new access to database contents. New views and added columns often lead to data leakage and should be monitored.
Auditing incurs a performance penalty, and depending upon how you implement it, that penalty can be severe. The auditor needs to ask questions to ensure the security of such activities.
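To show what "what sort of things can a database audit file tell me" looks like in practice for the metadata changes just described, here is an added Python example (not from these notes). It parses a handful of constructed audit-log lines, picks out the statements that change structure or access (new views, added columns, other DDL, GRANT/REVOKE) and flags those made by accounts outside an assumed DBA list. The line layout ("timestamp user=... db=... stmt=...") and the account names are assumptions; a real DBMS writes its own format.

```python
"""Spotting metadata (schema and privilege) changes in a DB audit log.

Added example, not part of the original notes. The audit-log lines and the
DBA account list are constructed; the log layout is an assumption.
"""
import re
from collections import Counter

SAMPLE_AUDIT_LOG = """\
2017-04-30T09:01:12 user=app_svc db=sales stmt=SELECT id, total FROM orders WHERE id = 17
2017-04-30T09:03:40 user=dba_anita db=sales stmt=ALTER TABLE customers ADD COLUMN ssn VARCHAR(11)
2017-04-30T09:04:02 user=app_svc db=sales stmt=UPDATE orders SET status = 'paid' WHERE id = 17
2017-04-30T11:20:55 user=report_ro db=sales stmt=CREATE VIEW v_cust_export AS SELECT name, ssn FROM customers
2017-04-30T11:21:30 user=report_ro db=sales stmt=GRANT SELECT ON v_cust_export TO PUBLIC
2017-04-30T12:00:00 user=dba_anita db=sales stmt=DROP INDEX idx_orders_status
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) stmt=(?P<stmt>.*)$")

# Statement shapes that change structure or access: the "metadata changes"
# the notes single out. The first matching label wins.
METADATA_PATTERNS = [
    ("new_view",     re.compile(r"^CREATE\s+(OR\s+REPLACE\s+)?VIEW\b", re.I)),
    ("added_column", re.compile(r"^ALTER\s+TABLE\s+\S+\s+ADD\s+(COLUMN\s+)?\S+", re.I)),
    ("other_ddl",    re.compile(r"^(ALTER|CREATE|DROP|TRUNCATE)\b", re.I)),
    ("privilege",    re.compile(r"^(GRANT|REVOKE)\b", re.I)),
]

# Constructed assumption: the accounts expected to make schema changes.
DBA_ACCOUNTS = {"dba_anita"}


def parse_audit_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def classify(stmt):
    """Return the metadata-change category of a statement, or None for plain DML."""
    for label, pattern in METADATA_PATTERNS:
        if pattern.search(stmt.strip()):
            return label
    return None


def find_metadata_changes(text, dba_accounts=DBA_ACCOUNTS):
    """Return the metadata-change events, each flagged when made by a non-DBA account."""
    events = []
    for rec in parse_audit_log(text):
        label = classify(rec["stmt"])
        if label is None:
            continue
        events.append({
            "ts": rec["ts"], "user": rec["user"], "db": rec["db"],
            "category": label, "stmt": rec["stmt"],
            "non_dba": rec["user"] not in dba_accounts,
        })
    return events


def summarize(events):
    """Count events per (user, category) so the auditor sees who changes what."""
    return Counter((e["user"], e["category"]) for e in events)


if __name__ == "__main__":
    evs = find_metadata_changes(SAMPLE_AUDIT_LOG)
    for e in evs:
        flag = "REVIEW" if e["non_dba"] else "ok"
        print(f"{e['ts']} {flag:6} {e['user']:10} {e['category']:12} {e['stmt']}")
    print(summarize(evs))
```

In the constructed data the two "REVIEW" lines are a read-only reporting account creating a view over a newly added sensitive column and then granting it to PUBLIC, which is precisely the new-view and added-column data-leakage path the notes warn about; the DBA's own DDL is listed too, so the auditor can tie it back to change records.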

The database administrator manages the following areas:
- Database security
- Backup/recovery
- Disaster recovery
- Reorganization
- Performance monitoring
- Application call-level tuning
- Data structure tuning
- Capacity planning

This gives the auditor of the DB a clue as to where to look for the controls and for the evidence of adherence to them.

However, apart from evaluating evidence for effective controls, the security audit has an added dimension: that of examining everything from the vulnerability and risk angle.

A separate paragraph will elaborate on the security audit. The main importance of auditing IT with a special focus on security is the following:
• This auditing, with its special orientation towards finding gaps in the security, helps identify potential vulnerabilities in the system (based on the audit report).
• A security audit report also brings out the effectiveness of security vis-à-vis the industry standards.
• Security audits are also used to determine regulatory compliance (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act), which specifies how organizations must deal with information processing.

While discussing security audit it is worth presenting the subtle differences among the oft-used terms threat, vulnerability and risk, as described below:

Let us discuss the basic approach for carrying out a security audit of IT. Apart from the usual audit process for any IT set-up, the security audit rests on two important aspects, namely anomalies and deviations in the observed information about the various controls, and the log reports. The auditor determines (from the managers and users) a "baseline" or threshold value for each and every operational or maintenance activity. Then he finds out:

– How much of a deviation from the norm represents an anomaly? (Quantity)
– How long must the deviation occur before registering an anomaly? (Time, duration)
– What "anomalies" in those observations can occur at any level? (We may define the "anomaly" here as an unacceptable deviation.)
And then decide:
– What anomalies should trigger immediate alerts?

For ascertaining this, the log data monitored for the whole IT activity environment is observed and scrutinized. This leads to two main inference activities:

– Profiling normal behaviour to understand typical system behaviour at different times and in different parts of the business cycle (arriving at the baseline or threshold value)

– Detecting deviations and anomalies when system activity significantly deviates from the normal behaviour you have documented

A depiction through the simple diagram below may be helpful in understanding these activities.
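The three questions above (quantity, duration, immediate alert) and the two inference activities (profiling, then detecting deviations) can be carried through on a concrete series. The Python below is an added worked example, not part of these notes: the hourly failed-login counts for a "normal" profiling day and for the day under audit are constructed, and the thresholds (three standard deviations, two consecutive hours, an immediate-alert level of 50) are hypothetical values of the kind the auditor would agree with the managers and users.

```python
"""Baseline/threshold anomaly detection over constructed hourly log counts.

Added example, not part of the original notes. Data and thresholds are
constructed; in practice the counts come from the log data of the audited
environment and the thresholds from the agreed baseline.
"""
import statistics

# Constructed profiling period: failed logins per hour over one "normal" day.
PROFILE_HOURS = [3, 2, 4, 3, 2, 3, 5, 8, 12, 10, 9, 11,
                 10, 9, 12, 11, 10, 8, 6, 4, 3, 2, 3, 2]

# Constructed observation period: the same metric on the day under audit.
OBSERVED_HOURS = [3, 2, 4, 3, 2, 3, 5, 8, 30, 33, 31, 11,
                  10, 9, 12, 60, 10, 8, 6, 4, 3, 2, 3, 2]


def build_baseline(samples):
    """Profiling step: baseline = mean and standard deviation of the normal period."""
    return statistics.mean(samples), statistics.pstdev(samples)


def detect_anomalies(observed, baseline, quantity_sigma=3.0,
                     duration=2, immediate_level=50):
    """Detection step, applying the three questions from the notes.

    quantity_sigma  -- how far above the mean (in std devs) counts as deviating
    duration        -- how many consecutive deviating hours make an anomaly
    immediate_level -- a count that triggers an alert regardless of duration
    Returns a list of (start_hour, end_hour, kind), kind being "sustained"
    or "immediate", in the order the findings are registered.
    """
    mean, sd = baseline
    threshold = mean + quantity_sigma * sd
    findings = []
    run_start = None  # first hour of the current run of deviating values
    for hour, count in enumerate(observed):
        if count >= immediate_level:
            findings.append((hour, hour, "immediate"))
        deviating = count > threshold
        if deviating and run_start is None:
            run_start = hour
        if not deviating and run_start is not None:
            if hour - run_start >= duration:
                findings.append((run_start, hour - 1, "sustained"))
            run_start = None
    # A run still open at the end of the series is judged the same way.
    if run_start is not None and len(observed) - run_start >= duration:
        findings.append((run_start, len(observed) - 1, "sustained"))
    return findings


if __name__ == "__main__":
    base = build_baseline(PROFILE_HOURS)
    print("baseline mean=%.1f sd=%.1f" % base)
    for start, end, kind in detect_anomalies(OBSERVED_HOURS, base):
        print(f"{kind:9} hours {start:02d}-{end:02d}")
```

With the constructed data the 30-33 failures an hour from 08:00 to 10:00 register as a sustained anomaly, because they exceed the threshold for longer than the agreed duration, while the single hour with 60 failures is reported immediately even though it lasts only one hour; the same series run against the profiling day itself produces nothing, which is the check that the baseline was set from genuinely normal behaviour.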

However, the logs themselves must be protected from tampering and corruption. The common techniques to secure logs are:

– Remote logging uses a centralized, highly protected storage location
– Printer logging creates a paper trail by immediately printing the logged activity
– Cryptographic technology digitally signs log files to ensure that changes can be detected, though the files are vulnerable until they are finalized
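The third technique, in its simplest form, is a keyed hash chain: every record carries a MAC computed over its own content and the previous record's MAC, so editing, deleting or reordering a finalized record breaks the chain at that point. The Python below is an added example, not part of these notes; the key, the events and the two simulated alterations are constructed for the demonstration.

```python
"""Tamper-evident log using an HMAC hash chain (added example).

Each entry's MAC covers the previous MAC and the entry's own event, so a
verifier can locate the first record after which the chain no longer holds.
Key and records are constructed for the demonstration.
"""
import hashlib
import hmac
import json

# Constructed key. In practice it is held by the log collector, not on the
# host that writes the events, so a compromised host cannot re-sign history.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # stands in for "no previous record"


def _mac(key, prev_mac, record):
    payload = prev_mac.encode() + b"\n" + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain, record, key=SECRET_KEY):
    """Append one event to the chain (a list of dicts) and return the new entry."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": len(chain), "event": record, "mac": _mac(key, prev_mac, record)}
    chain.append(entry)
    return entry


def verify_chain(chain, key=SECRET_KEY):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact."""
    prev_mac = GENESIS
    for expected_seq, entry in enumerate(chain):
        if entry["seq"] != expected_seq:
            return False, expected_seq   # gap or reordering
        if not hmac.compare_digest(entry["mac"], _mac(key, prev_mac, entry["event"])):
            return False, expected_seq   # content or MAC altered
        prev_mac = entry["mac"]
    return True, None


def build_sample_chain():
    """Constructed events of the kind a server audit log might hold."""
    chain = []
    append_record(chain, {"ts": "2017-04-30T09:00:00", "user": "admin", "action": "login"})
    append_record(chain, {"ts": "2017-04-30T09:05:00", "user": "admin", "action": "config_change"})
    append_record(chain, {"ts": "2017-04-30T09:06:00", "user": "admin", "action": "logout"})
    return chain


def edited_copy(chain):
    """Simulate a finalized record being rewritten after the fact."""
    copy = json.loads(json.dumps(chain))
    copy[1]["event"]["action"] = "login"
    return copy


def deleted_copy(chain):
    """Simulate the middle record being removed with the sequence numbers patched up."""
    copy = json.loads(json.dumps(chain))
    del copy[1]
    copy[1]["seq"] = 1
    return copy


if __name__ == "__main__":
    c = build_sample_chain()
    print("intact :", verify_chain(c))
    print("edited :", verify_chain(edited_copy(c)))
    print("deleted:", verify_chain(deleted_copy(c)))
```

Two limits are worth noting, and they are the "vulnerable until finalized" caveat in concrete form: whoever holds the key can rewrite the whole chain, which is why the key belongs with the remote collector rather than the logging host, and truncating the chain at its tail is not detected by the chain alone, because nothing after the last record vouches for its existence, so the collector also has to record the latest MAC (or a count) out of band.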

Let us next discuss briefly the IT security audit procedure. While the procedures run into much detail, in summary they can be described as:

a) Familiarize with the organizational policies and procedures with regard to data collection
b) Interview key personnel to learn about organizational practices
c) Gather all the data to be audited
d) Analyze the logged data to identify policy compliance. This is the most time-consuming process.
e) Perform penetration testing to see the effectiveness of the security controls


Checklist and template based auditing:

• However, actually the auditor's initial approach is preparing a "checklist". Checklists provide a systematic and consistent approach for completing the various tasks in any audit, whether an IT security audit or another IT audit. This provides a high-level overview of the overall audit process and stepwise processes for auditing the different classes of systems. For example:
– Configuration checklists contain specific configuration settings
– Vulnerability checklists contain lists of critical vulnerabilities for each operating system in use
For proceeding with this approach, the auditors use a template on which the typical questions are put and the observations/responses are recorded in the appropriate column. A sample of the types of questions and a hypothetical template is shown for understanding this approach.

Typical Questions related to various aspects of IT in an enterprise

On policy and physical aspects

- Is there a security policy for the network?
- Does the security policy leave any gap in the coverage (physical infrastructure, perimeter control/internal control)?
- Is a proper threat and vulnerability analysis carried out and reflected in the policy?

Examining issues on network (NW) related matters

- Are the access logs examined to check?
- Router access authorization: does it exist?
- Router configuration procedure: does a document exist?
- WLAN security features: configured, documented?
- Access point configuration: procedure and record document exists?
- Address control: IP address allocation system and procedure exists?
- Configuration of DHCP: authorization and control (practice exists?)
- Domain controller: authorization, password system? (practice exists?)
- Is there a system of routine periodic checks of controls?
- Security of the log/file for records on configuration, passwords (exists/not)

The template merely translates this information and the responses/observations into a tabular form, as shown below:


Purely example: nothing to do with reality

Finding facts/data on | Whether YES or NO | Comments/observations
Is there a security policy for the network? | Yes | Policy papers examined and found they address / cover all aspects
Does the security policy leave any gap in the coverage (physical infrastructure, perimeter control/internal control)? | No | However, on perimeter control the policy is not very specific; this might lead to confusion and create a gap.
Are the access logs examined to check? | Yes | Checks are thorough
Access point configuration: procedure and record document exists? | No | This is a serious issue
Router access authorization: does it exist? | Yes | Maintenance of records is perfect, leaves no gap