1/24/2016

ISACA Journal Volume 1, 2016
Columns

IS Audit Basics: Trust, but Verify
Ed Gelbstein, Ph.D.

Trust, but verify is a Russian proverb (doveryai, no proveryai) that became more widely known when then US President Ronald Reagan used it in the 1980s. The fact that proverbs are passed unchanged through generations implies that they are seen as the truth.

To Reaudit or Not to Reaudit
The auditors arrive, do their work, write a report that includes critical recommendations that could be seen as an instruction: "...the auditee shall...."
Should the audit strategy and planning call for a review (e.g., one year after issuing the final report) to see if they have been implemented and, if so, whether the implementation has been completed in a way that significantly reduces business risk?
While this makes good sense, the challenge is that the audit universe has become so large that reauditing issues are bound to conflict with the overall audit plan.

That Unwelcome Feeling
Many auditees mistrust the auditors: Their findings are the equivalent of calling the auditee's baby ugly. No parent would ever do this, but then, there are ugly babies. Therefore, unless a good working relationship has been established over the years, the auditor cannot expect a warm welcome or for the auditees to share their problems and concerns.
A poor welcome could include finding that the auditors have been assigned poor accommodations, possibly in an inconvenient location, limited support facilities (e.g., printers, photocopiers, locked doors and cabinets, shredders), an unhelpful contact point or discovering on short notice that a critical person is not available for discussions.
There will be many plausible excuses. It is never a good time to conduct an audit and accommodation is an issue almost everywhere. If the arrangements are really poor, it may be good to have the chief audit executive (CAE) speak with a senior manager who can act to resolve the issue and understand the root cause of the situation.

Things Auditees May Forget to Disclose
A competent and experienced information systems (IS) manager would be expected to anticipate what the auditors may find by conducting a brutally honest assessment of the many aspects of IS and IT. Guidelines and frameworks such as COBIT 5 can facilitate this task. In practice, this does not happen often as other activities, deemed more urgent, displace these and before you know it, it is audit time again.
If the auditee can demonstrate to the auditor that they care about the audit process, that they understand how it is conducted and then come up with a list of findings, observations and corrective actions by themselves, the relationship would be strengthened and it would make better use of the auditor's knowledge and experience. The downside of keeping information from the auditors is that they will find out by chance or by process.
In one example, there was a wiring cabinet in an office environment for a critical network that the owner had known for years consisted of spaghetti cabling, equipment on the floor and a tree of extension leads. This was not mentioned at the start of the audit, but as the auditors were passing by, someone opened the cupboard door. A photograph of the scene was included in the draft and final audit reports, despite requests for its removal.

Look and Listen
The examples in the previous section show carelessness and incompetence, but not malice. Unfortunately, there are many more things that the auditees know that their management does not. This becomes an explosive issue when it involves the means to work around sound policies (e.g., need to know, least privilege, segregation of duties, change management). Here are some examples collected over many years.
http://www.isaca.org/Journal/archives/2016/Volume1/Pages/trustbutverify.aspx?utm_campaign=ISACA+Main&cid=sm_1200779&utm_content=1453238853

A homemade, old (e.g., COBOL) financial application was made Y2K compliant and fully met the needs of the organization. It was robust, reasonably well documented and maintained by a small team that had done so since the initial design. During an audit that did not involve this application, it was discovered that the lead developer had embedded undocumented hidden accounts and backdoors, not to be abused, but to help the organization toward bypassing the usual controls. And, there was no record of who had what access controls and privileges or if any were kept by individuals as their careers progressed. Furthermore, weak change control supported these changes.
The lead designer was due to retire, and once the auditors became unofficially aware of this, the question arose as to whether a colleague months or years away from retirement should hold the secret of these unofficial features. The management view was a clear no, and the system was retired and replaced by a commercial application with role-based access controls and more manageable superuser features.
Superuser privileges can be a problem. In another case at a different organization, the design of an enterprise resource planning (ERP) system had a project manager who assigned himself extensive superuser rights. After the project was completed, nobody thought to verify what rights were retained by the implementation team.
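As an added example (not part of the original column) of the verification step the ERP case skipped: the script below reconciles a constructed export of ERP role grants against an approved access register whose entries carry an expiry date (the project end date for implementation-team accounts) and flags superuser rights that were never approved or whose approval has lapsed. Role names, account names, dates and field names are all assumptions made for the illustration.

```python
"""Reconcile exported ERP privileges against an approved access register.

Answers the question the column says nobody asked after project closure:
which accounts still hold superuser rights, and is each grant still approved?
All data below is constructed for this example; role and field names are assumed.
"""
from dataclasses import dataclass
from datetime import date

# Assumed names of the all-powerful ERP roles that warrant individual approval.
SUPERUSER_ROLES = {"ERP_SUPERUSER", "SYSADMIN"}

@dataclass(frozen=True)
class Grant:            # one row of the ERP's user/role export
    user: str
    role: str
    granted_on: date

@dataclass(frozen=True)
class Approval:         # one row of the approved access register
    user: str
    role: str
    expires_on: date    # project end date for implementation-team grants

def find_unverified_superusers(grants, approvals, today):
    """Return (user, role, reason) for every superuser grant that is not
    covered by a current approval: never approved, or approval expired."""
    approved = {(a.user, a.role): a.expires_on for a in approvals}
    findings = []
    for g in grants:
        if g.role not in SUPERUSER_ROLES:
            continue                      # ordinary business role: out of scope
        expiry = approved.get((g.user, g.role))
        if expiry is None:
            findings.append((g.user, g.role, "no approval on record"))
        elif expiry < today:
            findings.append((g.user, g.role, f"approval expired {expiry.isoformat()}"))
    return findings

PROJECT_CLOSE = date(2015, 1, 31)         # constructed: ERP project end date
AUDIT_DATE = date(2016, 1, 24)            # constructed: date of the review
GRANTS = [                                # constructed ERP export
    Grant("pm_jdoe", "ERP_SUPERUSER", date(2014, 3, 1)),      # project manager
    Grant("consult_ak", "ERP_SUPERUSER", date(2014, 3, 1)),   # implementation contractor
    Grant("ops_admin", "SYSADMIN", date(2015, 6, 15)),        # approved ongoing admin
    Grant("clerk_01", "AP_CLERK", date(2015, 9, 1)),          # not a superuser role
]
APPROVALS = [                             # constructed access register
    Approval("pm_jdoe", "ERP_SUPERUSER", PROJECT_CLOSE),
    Approval("ops_admin", "SYSADMIN", date(2016, 12, 31)),
]

if __name__ == "__main__":
    for user, role, reason in find_unverified_superusers(GRANTS, APPROVALS, AUDIT_DATE):
        print(f"{user:12} {role:14} {reason}")
```

Run on the constructed data, the report lists the project manager (approval lapsed at project close) and the contractor (never approved at all), while the approved administrator and the clerk are not flagged.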
An even more extraordinary situation happened when a senior executive at an organization instructed that all security policies be withdrawn and the organization's data be declassified in order to be fully transparent. Neither internal audit, risk management nor legal counsel were consulted, and nobody was willing to say, "The emperor has no clothes."

Serendipity
Sometimes one has the good fortune of coming across something interesting without looking for it. Here are some examples.
The invisible single point of failure: A law enforcement unit (in the 1980s) was implementing a new secure network of leased lines. The service provider designed it to ensure that different cable routes provided resilience. Surprise! The two leased lines entered the building through a single point accessible through a manhole in the street just outside the main entrance.
External audit of a large and complex information systems and technology department: During an audit, the systems architecture, i.e., how applications exchanged data with other applications (with or without format conversion, dynamically, by file transfer), was requested. Lo and behold, it had not been documented. There was no comprehensive systems architecture listing, for example, the name of the system, its custodian, purpose, high-level functionality and interfaces. Moreover, there was no statement about the system's condition (e.g., robust, well documented, frozen) and planned activities. This led to an unplanned question about the data architecture, as the audit team tried to understand how many data entities were duplicated across systems (in incompatible formats, of course), and this was received with a "not in my job description" response.
Hidden or forgotten opportunities: In fact, there is plenty out there neatly hidden or forgotten, including software licenses that are paid for, but not used; large, overoptimistic and underresourced projects; renewals and upgrades postponed until the service deteriorates; bypassing procurement rules; critical activities for which there are no backups for the responsible individuals; and unqualified individuals (e.g., interns or trainees) doing things beyond their capabilities. Some are due to weak management or political posturing (e.g., "It is my budget and I will do it despite what you say."); others are caused by SMRC (saving money regardless of cost), also referred to as shareholder value.

Conclusion
There is much to be gained from an open, collaborative relationship between auditors and auditees in which both parties focus on understanding and managing business risk. Rationally, we all know this is the case, but human factors such as lack of trust and organizational politics often get in the way.

Ed Gelbstein, Ph.D., worked in IS/IT in the private and public sectors in various countries for more than 50 years. Gelbstein did analog and digital development in the 1960s, incorporated digital computers in the control systems for continuous process in the late 60s and early 70s, and managed projects of increasing size and complexity until the early 1990s. In the 1990s, he became an executive at the preprivatized British Railways and then the United Nations' global computing and data communications provider. Following his (semi)retirement from the UN, he joined the audit teams of the UN Board of Auditors and the French National Audit Office. Thanks to his generous spirit and prolific writing, his column will continue to be published in the ISACA Journal posthumously.