
IS Auditing Guidelines G1 Using the Work of Other Experts


7. REPORTING

7.1 Acceptable to Law

7.1.1 As stated earlier, the challenge to computer forensics is finding the data, collecting it, preserving it and presenting it in a manner acceptable to a court of law. The IS auditor should have complete information and clarity on the intended recipients and the purpose of the report.

7.1.2 The report should be in an appropriate form and should state the scope, objectives, nature, timing and extent of investigation performed.

7.1.3 The report should identify the organisation, intended recipients and restrictions on circulation (if any). The report should clearly communicate the findings, conclusions and recommendations, together with any reservations or qualifications that the IS auditor has with respect to the assignment.

G28 Computer Forensics cont.

7.2 Evidence

7.2.1 Electronic evidence ranges from mainframe computers and pocket-sized personal digital assistants to floppy diskettes, CDs, tapes or even the smallest electronic chip device.

7.2.2 Industry-specified best practices should be adhered to, proven tools should be utilized and due diligence should be exhibited to provide reasonable assurance that evidence is not tampered with or destroyed. Integrity, reliability and confidentiality of the evidence are absolutely necessary for arriving at a fair judgment by the law enforcement authorities. It is also critical that the evidence is produced and made available to the authorities at an appropriate time.

7.2.3 Example of tracing Internet e-mail:

When an Internet e-mail message is sent, the user typically controls only the recipient line(s) (To and Bcc) and the subject line. Mail software adds the rest of the header information as it is processed. An example of an e-mail header follows:

--- Message header follows ---

(1) Return-path: <[email protected]>
(2) Received: from o199632.cc.navy.gov by nps.gov.org (5.1/SMI-5.1) id AAO979O; Fri, 7 Nov 2003 18:51:49 PST
(3) Received: from localhost by o199632.gov.org (5.1/SMI-5.1) id AA41651; Fri, 7 Nov 2003 18:50:53 PST
(4) Message-ID: <[email protected]>
(5) Date: Fri, 7 Nov 2003 18:50:53 -0800 (PST)
(6) From: "Susan Rock" <[email protected]>
(7) To: Mott Thick <[email protected]>
(8) Cc: Jokey Ram <[email protected]>

Line 1 tells recipient computers who sent the message and where to send error messages (bounces and warnings).

Lines 2 and 3 show the route the message took from sending to delivery. Each computer that receives this message adds a Received field with its complete address and time stamp; this helps in tracking delivery problems.

Line 4 is the message ID, a unique identifier for this specific message. This ID is logged and can be traced through computers on the message route if there is a need to track the mail.

Line 5 shows the date, time and time zone when the message was sent.

Line 6 tells the name and e-mail address of the message originator (the sender).

Line 7 shows the name and e-mail address of the primary recipient; the address may be for a:

- Mailing list
- System-wide alias
- Personal username

Line 8 lists the names and e-mail addresses of the courtesy copy (Cc) recipients of the message. There may be blind carbon copy (Bcc) recipients as well; these Bcc recipients get copies of the message, but their names and addresses are not visible in the headers.
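As an added illustration of the tracing described above (example code written for this page, not part of the guideline): the script parses a constructed header modelled on the one in 7.2.3, lists the relays in delivery order by reading the Received fields from the bottom up, and flags any hop whose time stamp precedes the hop before it. The addresses and the Message-ID are placeholder values, not those of the guideline's example.

```python
"""Reconstruct an e-mail's delivery path from its Received headers (G28 7.2.3)."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on 7.2.3; addresses and Message-ID are placeholders.
SAMPLE_HEADER = """\
Return-path: <susan.rock@example.org>
Received: from o199632.cc.navy.gov by nps.gov.org (5.1/SMI-5.1)
 id AAO979O; Fri, 7 Nov 2003 18:51:49 PST
Received: from localhost by o199632.gov.org (5.1/SMI-5.1)
 id AA41651; Fri, 7 Nov 2003 18:50:53 PST
Message-ID: <constructed-id@o199632.gov.org>
From: "Susan Rock" <susan.rock@example.org>

"""

# Clause layout used by the sample: "from A by B (...) id X; <date>"
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+by\s+(\S+).*?\bid\s+(\S+);\s*(.+)$")


def trace_route(raw_message):
    """Return hops in delivery order. Each relay prepends its own Received
    line, so the bottom-most header describes the first hop."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if m is None:  # keep unparsable lines visible instead of dropping them
            hops.append({"raw": flat, "parsed": False})
            continue
        sender, receiver, queue_id, date = m.groups()
        hops.append({"from": sender, "by": receiver, "id": queue_id,
                     "time": parsedate_to_datetime(date), "parsed": True})
    return hops


def chronology_warnings(hops):
    """Flag a hop stamped earlier than the hop before it: relay clocks drift,
    but time running backwards along the chain deserves a closer look."""
    parsed = [h for h in hops if h["parsed"]]
    return [f"{later['by']} stamped earlier than {earlier['by']}"
            for earlier, later in zip(parsed, parsed[1:])
            if later["time"] < earlier["time"]]


if __name__ == "__main__":
    route = trace_route(SAMPLE_HEADER)
    print([(h["from"], h["by"], h["id"]) for h in route], chronology_warnings(route))
```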

8. EFFECTIVE DATE

8.1 This guideline is effective for all information system audits beginning on or after 1 September 2004. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

APPENDIX COBIT Reference

Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices. In the review of computer forensics, the COBIT processes likely to be the most relevant are classified below as primary and secondary. The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.

Primary:

PO8—Ensure compliance with external requirements

AI1—Identify automated solutions

DS1—Define and manage service levels

DS2—Manage third-party service

DS5—Ensure security systems

DS10—Manage problems and incidents

DS11—Manage data

M3—Obtain independent assurance

Secondary:

PO1—Define a strategic IT plan

PO4—Define the IT organisation and relationships

DS6—Identify and allocate costs

DS12—Manage facilities

DS13—Manage operations

M2—Assess internal control adequacy

The information criteria most relevant to a computer forensic review are:

Primary—Reliability, integrity and compliance

G29 Post-implementation Review

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.”

1.1.2 Standard S8 Follow-up Activities states, “After the reporting of findings and recommendations, the IS auditor should request and evaluate relevant information to conclude whether appropriate action has been taken by management in a timely manner.”

1.2 Linkage to COBIT

1.2.1 High-level control objective M4, Provide for Independent Audit, states, “Control over the IT process of providing for independent audit that satisfies the business requirement to increase confidence levels and benefit from best practice advice is enabled by independent audits carried out at regular intervals and takes into consideration:

Audit independence

Proactive audit involvement

Performance of audits by qualified personnel

Clearance of findings and recommendations

Follow-up activities

Impact assessments of audit recommendations (costs, benefits and risks)”

1.2.2 Detailed control objective M4.6, Performance of Audit Work, states, “Audits should be appropriately supervised to provide assurance that audit objectives are achieved and applicable professional auditing standards are met. Auditors should ensure that they obtain sufficient, reliable, relevant and useful evidence to achieve the audit objectives effectively. The audit findings and conclusions should be supported by appropriate analysis and interpretation of the evidence.”

1.3 Reference to COBIT

1.3.1 The COBIT references offer the specific objectives or processes of COBIT to consider when reviewing the area addressed by this guidance. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s information criteria.

1.3.2 In a post-implementation review, the first review after the implementation of an IT solution, the following processes are more relevant:

PO2—Define the Information Architecture

PO4—Define the IT organisation and relationship

PO5—Manage the IT investment

PO8—Ensure Compliance with External Requirements

PO9—Assess risks

PO10—Manage projects

PO11—Manage quality

AI1—Identify automated solutions

AI2—Acquire and maintain application software

AI3—Acquire and maintain technology infrastructure

AI5—Install and accredit systems

AI6—Manage changes

DS7—Educate and Train Users

DS11—Manage Data

M1—Monitor the processes

1.3.3 The information criteria most relevant to the post-implementation review are:

Primary—Effectiveness and efficiency

Secondary—Availability, compliance, confidentiality, reliability and integrity

1.3.4 International Federation of Accountants (IFAC) Information Technology Committee (ITC) Guidelines include:

Implementation of Information Technology Solutions


1.4 Purpose of the Guideline

1.4.1 The purpose of this guideline is to describe the recommended practices in carrying out the post-implementation review of information technology solutions, so that the relevant standards for information systems auditing are complied with during the course of the review.

1.4.2 Organisations implement various IT solutions to meet their business requirements. Once the solutions are implemented, post-implementation reviews are generally carried out by IS auditors to assess the effectiveness and efficiency of the IT solutions and their implementation, initiate actions to improve the solution (where necessary) and serve as a learning tool for the future.

1.4.3 Certain practices recommended in this guideline may also be appropriate for reviews of projects where implementations are unsuccessful or aborted prior to implementation.

1.4.4 This guideline provides guidance in applying IS Auditing Standards S6 Performance of Audit Work and S8 Follow-up Activities while conducting a post-implementation review. The IS auditor should consider it in determining how to achieve implementation of these standards, use professional judgment in its application and be prepared to justify any departure.

1.5 Guideline Application

1.5.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA guidelines.

1.6 Definition and General Coverage

1.6.1 Post-implementation review, for the purpose of this guideline, means the first or subsequent review of an IT solution and/or the process of its implementation, performed after its implementation, to assess any or all of the following:

Whether the intended objectives of the solution are realised

Whether actual costs and benefits are compared against budget

The effectiveness and appropriateness of the implementation process

Causes of time and/or cost overruns, and quality and/or performance issues, if any

Productivity and performance improvements resulting from the solution

Whether business process and internal controls are implemented

Whether user access controls are implemented in accordance with organisational policy

Whether users have been appropriately trained

Whether the system is maintainable and can be further developed effectively and efficiently

Whether available features and procedures, as relevant, have been implemented

Compliance with relevant statutory requirements and organisational policies, as relevant

Compliance with COBIT Control Objectives and COBIT Management Guidelines, as relevant

Opportunities for further improvement in either the solution or implementation process

1.6.2 The objectives of a post-implementation review might include:

Ensure that the intended objectives of implementing the IT solution are met and aligned to meet the business objectives of the organisation

Evaluate the adequacy of procedures and controls over input, processing and output to ensure that information captured is complete and accurate, information processing complies with required business rules, and information generated is accurate, reliable and timely

Evaluate the adequacy of procedures and controls over the maintenance and monitoring of the management trail produced by the IT solution

Verify the accuracy of financial and management reports generated by the IT solution

Ensure the adequacy of application-level access control enforced by the IT solution

Verify the adequacy of availability features inherent in the IT solution to recover from any unexpected shutdowns and maintain data integrity

Ensure that the IT solution can be supported and maintained efficiently and effectively in the absence of the specific personnel responsible for its development and implementation

Identify potential risks and weaknesses in controls, as well as provide solutions to mitigate risks and strengthen controls

1.6.3 The post-implementation review essentially seeks to determine whether the investment in the IT solution was worthwhile (as determined and measurable by the organisation) and whether the delivered IT solution can be adequately managed and controlled. These investment returns can be covered as a unique, separate review often called a benefits realisation review (section 8.1). The scope of a post-implementation review should consider:

The nature of the IT solution

The intended usage of the IT solution (for what purpose, by whom, when and where)

The criticality of the IT solution in achieving business objectives

The scope of the review agreed with the auditee (organisation) management

Whether the IT solution was subject to audit review during the initiation, development and testing stage

Where there has been any non-audit involvement of IS auditors during the project implementation


2. AUDIT CHARTER

2.1 Mandate

2.1.1 Before commencing a post-implementation review, the IS auditor should have the requisite mandate to carry out the review. Where the review is initiated by a third party, the IS auditor should obtain reasonable assurance that the third party has the appropriate authority to commission the review.

3. INDEPENDENCE

3.1 Professional Objectivity

3.1.1 Before accepting the assignment, the IS auditor should provide reasonable assurance that his/her interest, if any, in the IT solution that is the subject of the post-implementation review will not impair the objectivity of the review. Any possible conflict of interest should be communicated explicitly to the organisation, and if possible, a written statement of the organisation’s awareness of the conflict should be obtained before accepting the assignment.

3.1.2 Where the IS auditor had any non-audit roles in the implementation of the IT solution being reviewed, the IS auditor should consider the guidance in guideline G17 Effect of Nonaudit Roles on the IS Auditor’s Independence.

4. PROFESSIONAL ETHICS AND STANDARDS
