Hi Everyone - I recently received an email from a new member to the IT
Audit Forum on Google Groups (Welcome Sasha!), and thought I would
share it with everyone. Please see my response to the request at the
top of the email thread attached below, and feel free to offer any
additional thoughts by adding to this discussion.
Cheers,
Steve
===========================================================
Hi Sasha,
There are a few things I would do:
1) Explain to the director that there are three types of controls
that we cannot rely on:
- Fear: "They would not do anything wrong because they are afraid of
the consequences."
- Ignorance: "They would not do anything wrong because they do not
know how."
- Trust: "They would not do anything wrong because they are good
people that can be trusted."
In our modern world, we live in an era of 'trust but verify.' So, we
must have controls in place, even in the difficult scenarios like you
have described. Regardless of the director's attitude or responses,
there are findings that should be reported because of the currently
uncontrolled risk.
2) Regardless of the director's opinion, the board should require the
director to find a way to adequately monitor the programmers'
activities, including changes in the middle of the night. In these
cases, it can sometimes be good to implement "Fire IDs." Fire IDs are
administrator passwords that nobody knows, which are stored in a
sealed envelope in a secure location. They can only be used in
emergency situations. If there is an emergency, the programmer would
need to contact someone else who will 'check out' the ID to them.
They will also turn on advanced monitoring tools at that time. Once
the fix has been corrected, the password is changed and sealed in
another envelope, and the logs of the emergency activity are reviewed
the next day to ensure there was no inappropriate behavior.
I hope that information helps. Good luck with your presentation.
Regards,
Steve
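As an added example, not part of the original thread or of any product Steve mentions: a small Python model of the "Fire ID" lifecycle described above. It shows the control properties that make a break-glass account auditable rather than just a shared admin password: the credential is generated at random and held by a custodian who is not a programmer, checkout needs a requester and a separate approver plus an incident reason, elevated monitoring is flagged on for the session, the credential is rotated the moment the ID is checked back in so the disclosed password dies with the incident, and the next-day review is done by someone who did not use the ID. The account and person names, the 8-hour open-session threshold, and the use of a SHA-256 fingerprint in the audit record are all assumptions made for illustration.

```python
"""Break-glass ("fire ID") account lifecycle: sealed credential, approved
checkout, rotation on check-in, and independent after-the-fact review.
Every account and person name in this file is an illustrative assumption."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_secret(length: int = 32) -> str:
    """Fresh random password; in practice this is what goes in the sealed envelope or vault."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fingerprint(secret: str) -> str:
    """Only a hash is kept in the audit trail, never the password itself (assumed design)."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


@dataclass
class CheckoutRecord:
    requester: str
    approver: str
    reason: str
    opened: datetime
    secret_fingerprint: str
    elevated_monitoring: bool = True   # switched on for the duration of the checkout
    closed: Optional[datetime] = None
    reviewed_by: Optional[str] = None


class FireId:
    def __init__(self, account: str, custodian: str):
        self.account = account
        self.custodian = custodian          # holds the envelope; deliberately not a programmer
        self._sealed = generate_secret()    # nobody "knows" this until a checkout opens it
        self._sealed_fp = fingerprint(self._sealed)
        self.active: Optional[CheckoutRecord] = None
        self.history: list = []

    def checkout(self, requester: str, approver: str, reason: str, now: datetime) -> str:
        """Open the envelope for one incident and hand the password to the requester."""
        if self.active is not None:
            raise RuntimeError(f"{self.account} is already checked out to {self.active.requester}")
        if approver == requester:
            raise PermissionError("requester may not approve their own checkout")
        if not reason.strip():
            raise ValueError("an incident reason is required")
        self.active = CheckoutRecord(requester, approver, reason, now, self._sealed_fp)
        return self._sealed

    def authenticate(self, secret: str) -> bool:
        """The ID works only during an approved checkout and only with the current secret."""
        return self.active is not None and hmac.compare_digest(fingerprint(secret), self._sealed_fp)

    def checkin(self, now: datetime) -> CheckoutRecord:
        """Close the incident and reseal: rotating the secret invalidates the disclosed password."""
        if self.active is None:
            raise RuntimeError("nothing is checked out")
        rec = self.active
        rec.closed = now
        self._sealed = generate_secret()
        self._sealed_fp = fingerprint(self._sealed)
        self.history.append(rec)
        self.active = None
        return rec

    def review(self, reviewer: str, now: datetime, max_open: timedelta = timedelta(hours=8)) -> list:
        """Next-day review by someone who did not use the ID. Returns a list of findings."""
        findings = []
        if self.active is not None and now - self.active.opened > max_open:
            findings.append(f"checkout by {self.active.requester} open longer than {max_open}")
        for rec in self.history:
            if reviewer == rec.requester:
                raise PermissionError("a user of the fire ID cannot review their own session")
            if not rec.elevated_monitoring:
                findings.append(f"session by {rec.requester} ran without elevated monitoring")
            if rec.reviewed_by is None:
                rec.reviewed_by = reviewer
        return findings


if __name__ == "__main__":
    t0 = datetime(2009, 5, 5, 2, 0)   # a 2 a.m. call-out, as in the scenario
    fid = FireId("switch_admin", custodian="ops_manager")
    pw = fid.checkout("programmer_a", "ops_manager", "comms line to a member bank down", t0)
    print("during checkout, password authenticates:", fid.authenticate(pw))
    fid.checkin(t0 + timedelta(hours=1))
    print("after check-in, same password authenticates:", fid.authenticate(pw))
    print("next-day review findings:", fid.review("it_auditor", t0 + timedelta(days=1)))
```

The point the model makes concrete is that the password itself is not the control; the process around it is. The audit record ties every use of the ID to a requester, an approver who is a different person, a reason and a time window, and because the secret is rotated at check-in, a programmer who remembers the password from last month's incident has nothing to use at 3 a.m. this month. The same skeleton maps onto a privileged-access-management tool or a vault with one-time credentials.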
--------------------------------------------------------------------------------
From: Sasha
To: Steve
Sent: Monday, May 4, 2009 9:59:35 PM
Subject: Re: Welcome!
Hi Steve,
I am a student of the Professional Accountant body of Pakistan. I am a
finalist and need your help regarding making the presentation for my
final exam. Can you please help me in this regard?
The situation is as follows:
Khaleej Enterprises Limited (KEL) is a public electronic funds
transfer network with its head office and major computer switch based
in Karachi. The company has computer switches in each capital city
throughout Pakistan that are linked into a national communications
network. Approximately 150 financial institutions – banks, building
societies, credit unions – use the network to provide automatic teller
machine and point of sales services to their customers. KEL has been
in operation for the last few years, but during this time it has been
performing very successfully. It has used cutting edge
technology, high quality innovative services, and aggressive pricing
to attract customers away from other electronic funds transfer
networks. Moreover, any new financial institutions that have entered
the market have inevitably selected KEL to provide their electronic
funds transfer (EFT) services in preference to other network vendors.
As a consultant specializing in computers and audit, you have been
hired by the managing director of KEL to examine the state of
controls within the EFT system. She explains to you that an increasing
number of potential customers are requesting some type of independent
assurance that controls within the system are reliable. Accordingly,
the board of directors of KEL has decided to initiate a controls
review of the entire system so that a third party “letter of comfort”
can be provided to potential customers.
The initial part of your controls review focuses on the main switch in
Karachi. As part of your review of physical controls, you note one day
during a visit that one of KEL’s system programmers has a card key
that provides him with access to the computer room. You interview the
supervising operator and he informs you that all system programmers
have similar keys.
As a result of this finding, you enquire of the managing director
why systems programmers have access to the computer room. She
argues that they need access because they are called in at any hour of
the day or night to correct problems “on the fly” that customers are
experiencing with the system. For example, customers might be having
problems with a communications line, and the system programmer has to
diagnose the problem and correct it as soon as possible so that
continuous services can be maintained.
You explain to the managing director that you are concerned about the
possibility of system programmers undertaking unauthorized activities,
particularly if they come in during the middle of the night when no
one else is present in the computer room. She laughs and says that
system programmers can carry out unauthorized activities at any time
they want because of their in-depth knowledge of the system.
Accordingly, she says that it is useless to exercise certain
compensating controls over system programmers. First, she has pointed
out to the system programmers their responsibility for preserving
system security and that they will be fired immediately if any breach
of security is discovered. Second, because KEL employs only four system programmers,
it will not be hard to pin point responsibility if any type of
irregularity occurs.
Required:
Give your presentation covering the following two issues:
(1) In the light of the managing director’s responses, how will you now
proceed with your investigation?
(2) What will be the likely implications, if any, of your current
findings for the report you will present to the board of directors?
I will be very thankful for your earliest reply. You can email me at
sash...@gmail.com.
Best regards and thanks
On Jan 31 2008, 11:05 pm, Steve wrote:
> Hello and welcome to the IT Audit Forum!
>
> This is a place for IT Auditors to ask questions, get answers, and
> collaborate on IT Audit matters. I (the group's moderator) have ten
> years experience in the Big 4 firms as an IT Auditor in the San
> Francisco Bay Area, working mostly with high-tech, healthcare, and
> biotech clients in the Silicon Valley. I left the Big 4 a couple of
> years ago and now work in the retail industry, still as an IT
> Auditor. In addition to my client work with the Big 4, I was also the
> Education Coordinator for the Pacific Northwest Region and spent
> several months at their national office helping to create the firm's
> global audit methodology. I'll be monitoring this group regularly and
> hope I can offer any advice that could be helpful on any questions you
> may have.
>
> Please join the group and setup a profile, which can be as public or
> private as you like. The more members we have, the wider the
> audience, and the more value from the group can be gained by all.
>
> Cheers,
> Steve