Whereas only specialized auditors once dealt with technological aspects of organizations in the past, now the average auditor must consider such areas due to increased connectivity in modern organizations. The following five risk areas stemming from IT are critical elements to success: access control, network security, data integrity, asset management, and software acquisition and development.
Unauthorized access by insiders and knowledge from insiders are two common denominators to many costly crimes. In addition to these deliberate breaches of security, unintended damage by employees, such as file deletion and virus release, result in costly reparations.
Effective access-control measures will help mitigate the risk of both conscious and unconscious damage. An effective setup should keep intruders out and should grant insiders access only to the minimum number systems necessary. Clearly-defined policies and procedures should be set regarding an individual’s influence on the computing environment. In high-risk content, the views available to each user should be considered. In addition, the work that employees perform beyond computer tasks should be considered in determining their access control so that correct steps must be taken. Employee extrapolation given limited data must also be considered in order to protect company and customer information.
The degree of access control necessary will ultimately depend on the value of the data it protects. The type of access control measures necessary can range from low-security passwords to high-security biometric scans. Auditors can be of help without in-depth knowledge of an organization’s programs by asking common sense questions regarding aspects of access control such as password change policies, time limitations, and so forth.
Regarding network security, organizations must consider outside intruders such as hackers and software engineers who specialize in finding ways around access controls. Risk of such individuals gaining access to protected systems and information is increased by interconnectivity between systems of different organizations and reliance upon the Internet as a means of transferring information.
Intruders using computer technology as a means of infiltrating an organization include both creators of spam, worms, and viruses, which target multiple systems with widespread effects, and also hackers, who target specific systems with goals in mind including information collection, company harm, and personal statement distribution. Companies must consider all of the ways in which data flows into and out of their systems and target the weakest links in order to protect against such malicious activity. The transmission of information across airwaves, through technology such as wireless routers and infrared ports, is especially open to hacking because signals are not contained physically. Scenario planning can aid in the review process, and recovery in the case of a problematic event should be considered.
Social engineers use personal interaction with people who have access to systems in order to gain access themselves. The impersonation of IT employees over the phone is one example of a social engineering tactic used to gather information from employees such as passwords and usernames. Organizations must train their employees regarding potential social engineering risks present in normal conversation, waste disposal, and other such means of potential secure information communication.
Given the role that data plays in decision-making and important everyday operations of organizations, the integrity of a given organization’s data should be considered from many angles, including its source, input, processing, and protection. A company’s success or failure can hinge on the results of correct or incorrect data.
Sources of data should be trustworthy and unified, and assumptions and extrapolations made from that data need to be questioned. Data input checks such as field validation and naming policies minimize errors; field validation protects data by ensuring that data in a given field conforms to set standards, while naming policies keep computers from interpreting slightly different names of the same entity as two separate entities. In the consideration of data processing, many spreadsheets contain errors, such as rounded multipliers, which can change the final output of a complex calculation by a considerable amount, potentially causing an organization to make incorrect or even unlawful payments or collections unknowingly. In addition to spreadsheet, the actual programs used to process data need to be tested thoroughly, which is not always the case with freeware and shareware programs. Finally, an organization should protect its data by backing it up regularly.
The computers and other technological devices which store such data are themselves valuable and costly as well. Hardware equipment is subject to theft, damage, impoundment, and maintenance costs. Portable devices such as laptops are especially vulnerable to the two former risks, whereas they and all stationary devices are subject to the two latter risks. Upon the decision to dispose of hardware, an organization must take into account the sensitivity of the data on the machine in determination of its destruction process.
Software applications pose legal and security risks to organizations, given that licensing restrictions are easy to overlook and much data is transferred between machines by software. In order to keep a company free of illegal software, especially risky in the face of publisher audits, internal auditors should ensure that IT is responsible for installation and removal of software and that software meant to remain on particular machines is not re-used elsewhere. Controlled purchasing and installation of software keeps track of all software being placed on a company’s machines, and regular audits expose unauthorized software and lead to its source.
People pose additional risks in consideration of asset management when they become addicted to counter-productive computer activities, download hacker-enabling files, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should outline computer use expectations. Technological solutions are also available that limit use and monitor activity.
Software Acquisition and Development
An organization’s purchase of software applications poses risks in terms of its usability, effect on customers, legal issues, and effect on company processes. Software tends to be most expensive when developed within a company with the input of outside consultants, and software intended from its onset to perform its function within the company tends to reduce overall risk and minimize costs. A company must be especially careful when choosing Internet-based applications because the lifespan of software is much shorter due to competition and the speed of development.
Organizations purchasing software must be especially careful with contracts, and a set of criteria against which the software will be developed is instrumental in its assessment by auditors in the end. Contracts should address intellectual property and copyright issues in order to avoid problems such as unexpected royalty fees. Extensive testing and re-testing of software by both technical experts and end users should ensure the performance of both custom-developed and commercially acquired products. Considering the significance of any acquired or developed software in affecting the functions of an organization, an auditor must reflect on basic concerns such as the supplier reputation, former customer opinions, company aims, testing strategies, and customer impact.
A successful internal auditor can take into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensure that measures imposed by management provide both flexibility and restriction where they are necessary to allow for effective and realistic business function. The use of common sense in general audits can lead to significant findings even when compared to complex technical reviews, which yield ineffective results if not supported by a strong foundation.