Audit Issues of EBusiness - PowerPoint PPT Presentation

1

Audit Issues of E-Business

2
Today's e-Environment
  • New delivery channels
  • New geographical virtual markets
  • New products and services
  • Closer relationships with customers
  • Increased efficiencies in business processes
  • Integrated supply chains
  • Easy to use, accessible, available anytime, anywhere
  • Internet-based, with estimates of 500 billion for 2002 (mostly B-to-B)

3
Today's e-Environment
  • CSI/FBI 2001 Computer Crime and Security Survey
  • 85% reported computer security breaches
  • 64% reported associated financial losses
  • 1998 average loss $0.57 million
  • 1999 average loss $0.76 million
  • 2000 average loss $1.07 million
  • 2001 average loss $2.03 million
  • Reputation and trust are at greater risk, and more rapidly so
  • An e-Business venture makes you a target
  • Both internal and external threats
  • Requires effective controls

Reference: http://www.gocsi.com/prelea_000321.htm
4
Today's Environment
Also... Today, information technology has grown in sophistication/complexity to a point that it is now an integral component in both business operations and financial systems. You can no longer just "count beans" or "audit around the box". SAS 80 stated:
"Because of the growth in the use of computers and other information technology, many entities process significant information electronically. Accordingly, it may be difficult or impossible for the auditor to access certain information for inspection, inquiry, or confirmation without using information technology."
5
Today's e-Environment: Audit Approach
  • Old standard of auditing around the computer must
    be revised
  • Exposure points and controls may now be tiered at
    varying points in the processing flows
  • Multiple platforms, network components, and
    varied tools require a firm understanding of
    layered security architectures and change
    control procedures that now may transcend
    multiple systems.
  • New approaches are required to ensure that the
    scope and business risks are clearly understood
    and articulated to management.

6
Risk-Based Approach
Business Risk must be the driving force for all aspects of evaluating the global business activities.
  • Remember: Business Risks are just that, risks that the organization must face as part of doing business.
  • These may be:
    • External processes: items completely outside of the organization's control
    • Internal processes: technology architecture, policies
    • Management's strategic decision philosophy

As such, there must be a clear understanding of the Business Risk prior to embarking on an assessment of what should be included within an IT audit and when it must be implemented. Therefore, a structured risk assessment process is required in order to address how it will be reviewed.
7
Risk-Based Approach - Test Controls
Review flow:
  • Identify the Business Risk
  • Understand the Business Process/Flow
  • Identify Control/Management Points
  • Evaluate Effectiveness of Controls

Test controls for mitigating high-risk areas: evaluate effectiveness and ensure they function as intended.
8
Risk-Based Approach - Test Controls
Network Review:
  • Process independently from platform/application controls
  • Function as network traffic managers
  • Perform authentication, authorization, monitoring and validation between systems
  • Ensure applications, platforms and networking infrastructure components function as expected
  • Rely on logic-based processing controls

Review flow: Identify the Business Risk; Understand the Business Process/Flow; Identify Control/Management Points; Evaluate Effectiveness of Controls.
9
Risk-Based Approach
Network Review:
  • Focus on system-based preventive/detective controls evaluations
  • Ensure controls are implemented consistently across all IT layers

To touch upon all aspects of risk-based control evaluations, we will focus on Network Components as a case study for auditing an E-Business environment.
10
So what is E-Business?
  • An organization providing an on-line service accessed via an open public network infrastructure (i.e., the Internet)
  • Clients (consumers or other organizations) connect to the service using computers (or possibly other devices such as personal digital assistants or mobile telephones)
  • Exchange of transactions relating to the purchase of goods/services

11
Successful e-business Strategies
  • Protect and enhance brand
  • Optimize shareholder value
  • Increase revenue and market share
  • Maximize opportunities for reducing costs
  • Enable competitive advantage

12
Components of E-Business ...
E-Business processes are applicable to all IT layers:
  • Application/Process: Traditional Application/Process Mapping Review
  • Databases: Database Technical Review, Data Analysis Reviews
  • Platform (Distributive Environment, OS/390 RACF/ACF2): Traditional Platform Baseline Controls Assessment
  • Network: Router, Dial-In Modems, Internet Firewall
13
Network Layer - Initial Entry Points ...
  • Firewall: Limits the types of activity that will be allowed in/out of the network. Provides monitoring, logging, and first-layer security. The most sophisticated control point to the internal network.
  • Direct Connect: Provides point-to-point connectivity. Makes the remote user look/feel like a local user. Greater security from unknown users, but also increases exposures depending on the adequacy of platform/application controls.
  • Dial-In: Can be a significant exposure point to the organization. May be controlled by either IT or users. May provide only limited monitoring, logging, and authentication.
14
Network Layer - Internal Direction Controls ...
  • Switch: Point-to-point connections. Provides greater efficiency by directing specific types of activity to specific platforms, e.g. FTP to a specific server. Provides internal authorization, authentication, monitoring, and fault tolerance controls.
  • Router: More broad-based traffic management. Can be used to limit access between different devices (by IP addresses and access control lists). Provides internal authorization, authentication, monitoring, and fault tolerance controls.
15
Platform/Database Layers ...
OS/390 RACF/ACF2, Distributive Environment, Databases: each has its own internal access, authentication, and monitoring controls ... the traditional baseline controls that have historically been reviewed by IT audit.
16
Application/Process Layers ...
Similarly, E-Business users will also rely on manual processes that provide control mechanisms (e.g. report review, analysis, etc.). These may be assessed as part of the application review.
17
Understand Layered Security Approach
You will need to communicate the logical security points, and so will need to understand them and how they flow together, e.g. security through the various layers: Router/Platform/Application/Physical Security.
18
Next Steps
Understand the environment: platform, network connectivity, business organizations, applications, etc. Do your homework!
Logically approach information gathering/analysis/review:
  • System programmers
  • Network Control Group
  • End-Users

Determine what will be tested.
Full documentation/reporting.
19
Information Gathering - Analysis/Review
20
Information Gathering - Analysis/Review
During the review, volumes of control mechanisms will be identified, ranging from very specific to broad procedural controls:
  • Specific: very focused control mechanisms (e.g. specific access to an application's transactions)
  • Broad: general control areas, normally procedural or based upon exception-based reporting
The pressing question is: which ones provide the greatest level of comfort that adequate controls are in place? Which ones to test, as opposed to being satisfied with users' explanations?
Again, it should be based on business risks.
21
Information Gathering - Analysis/Review
So... What types of things do you assess to understand network-based controls?
  • Intrusion tests
  • Firewall configurations
  • Router/Switch IOS configurations
  • Dial-in security configurations (e.g. secured, pcAnywhere, etc.)
  • Capacity issues
  • Traditional Access Control Concerns
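
As an added example, not from the slides, the following Python runs a few of these checks over a constructed IOS-style router configuration: an ACL applied inbound on each interface, denied traffic logged to an off-box log host, and login plus SSH-only transport on dial-in and remote lines. The sample config, the check names and the baseline they encode are assumptions for illustration, not a standard.

```python
import re
# Constructed IOS-style sample, not from any real device or from the deck:
# the Internet uplink carries an inbound ACL, the dial-in interface does not.
SAMPLE_CONFIG = """\
logging host 10.1.1.20
ip access-list extended FROM-INTERNET
 permit tcp any host 10.1.2.5 eq 21
 deny ip any any log
interface Serial0/0
 ip access-group FROM-INTERNET in
interface Async1
line vty 0 4
 transport input ssh
 login local
"""

def parse_config(text):
    # Split an IOS-style config into top-level lines and their indented bodies
    top, bodies, current = [], {}, None
    for raw in filter(str.strip, text.splitlines()):
        if raw.startswith(" ") and current is not None:
            bodies[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            bodies[current] = []
    return top, bodies

def _inbound_acl_applied(body, acls):
    for line in body:  # "ip access-group NAME in" must reference a defined ACL
        m = re.fullmatch(r"ip access-group (\S+) in", line)
        if m and m.group(1) in acls:
            return True
    return False

def audit(text):
    """Return {check: passed} for the network-layer control points the deck names."""
    top, bodies = parse_config(text)
    acls = {h.split()[-1] for h in top if h.startswith("ip access-list")}
    findings = {  # monitoring/logging: logs sent off-box, rejected traffic logged
        "logging_host": any(h.startswith("logging host") for h in top),
        "deny_logged": any("deny ip any any log" in bodies[h]
                           for h in top if h.startswith("ip access-list")),
    }
    for h in top:
        if h.startswith("interface"):  # firewall/router: limit what comes in by ACL
            findings["acl_inbound:" + h.split()[1]] = _inbound_acl_applied(bodies[h], acls)
        elif h.startswith("line"):     # dial-in/remote lines: login enforced, SSH only
            findings["login:" + h] = any(l.startswith("login") for l in bodies[h])
            findings["ssh_only:" + h] = "transport input ssh" in bodies[h]
    return findings
```

Async1 fails the inbound-ACL check, which is exactly the dial-in exposure the entry-points slide warns about.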

22
Conclusion
Today we covered how to communicate just one area within a global business-risk-based audit approach: the infrastructure components associated with E-Business applications. To fully evaluate and document today's IT environment, similar assessments must be made within:
  • Application Review
  • Data Warehousing/Mining: raw data, understand needs, data location, format, build, exceptions, analysis
  • Synchronization/Integrity of Data Within the Organization
  • Effectiveness of Operating System Control
  • Managing Change to Ensure Consistency in Overall Controls
  • Assess user processes that may augment and/or detract from system controls