IT audit
Good day!
I would like to highlight the issue of compliance with the requirements for managing the IT department in the framework of the external financial audit of the company. The purpose of the article is not to describe the associated laws, but to their specific impact on the management of the IT department.
Probably, many of you have already encountered these requirements in the form of either an everyday routine or an emergency job at the end of the calendar year (I am more inclined towards the second), but personally, apart from mentioning such concepts as SOX, HIPAA, SAS 70 (replaced by SSAE 16 ) and ITGC, did not meet with any exhaustive description of this issue.
')
Not so long ago, as part of my work, I prepared a presentation for new employees, which gives a minimal idea of this type of activity of our company. As a matter of fact, the presentation itself encouraged me to write this article. Here I want to note that my experience in the CIS countries is very limited - I work more with international companies.
If you are interested in this question, welcome.
I will conduct a brief insight into the history of these requirements: as a result of financial fraud in several large companies in the early 2000s, the SOX law was approved by the US President regarding the direct responsibility of top managers for the accuracy of financial reporting. Since financial reporting in our time is not in barn books, but in specialized information systems, it has become necessary to make sure that financial data stored in these systems can be relied upon.
Each of you may have a question, how does this relate to the company where you work? If a company is listed on the US stock market, or is a subsidiary of one of these companies, it is necessary to create an internal mechanism to monitor the work of the IT department. Of course, it is necessary to create a similar mechanism in other departments, but here I repeat that the purpose of this article is the IT department.
So, how is such a control mechanism created? As a rule, a company turns to a consulting firm, which acts as a representative of this company in negotiations with an auditing firm, and another auditing firm can also act as a consultant. A consulting company uses its expertise, customizing them to varying degrees for each particular company.
What are these practices? In fact, this is a common Excel spreadsheet containing risks and controls arranged on topics that I will describe later. Where did these risks and controls come from? Depending on the degree of dedication of the staff of consulting firms, starting with a thorough study of various standards (COBIT, ITIL, COSO), their subsequent analysis and building their own “library” of risks and controls, and ending with simple plagiarism, as a rule, former employees of large firms, set sail.
The audit process of the IT department can be divided into two periods of time. The first, as a rule, takes place in late spring or early summer; it includes a description of IT processes and controls (matrix filling) and requires providing at least one documented example for each key control. From my own experience I can say that this stage is extremely important for the IT department itself - in the absence of a thorough check of the described IT processes and controls, possible inaccuracies can be costly in the future. The second part of the audit falls in the fall, and includes testing all key controls by collecting documentation on these controls.
Here, a small explanation of the difference between conventional and key control is required: the usual control is entered into the matrix in the form of a description, but the key one, in addition to the description, must be tested. How to find out where it is necessary to provide documentation on control, and where can I limit myself to just a mention? No This is negotiated between the mediator and the auditor, based on the size of the company, the results of the first part of the audit, etc. However, for most of the controls listed below, documentation must be provided.
Before starting to describe the audit process, I would like to mention the topic of orders and procedures - all key workflows of the IT department need to be documented. These documents must be approved by the management of the company, periodically reviewed and updated in case of significant changes in processes or technologies.
And one more note: if possible, provide lists in Excel format - this will make your life easier for both auditors and yourself (repeated requests with requests to provide the same, but in another form can make you nervous).
Let us turn to the description of the controls. The table of risks and controls is divided into three parts:
1. Logical and physical access
2. Operation of information systems
3. Management of changes in information systems
The fourth part, “Developing Information Systems,” is usually checked as part of change management, because it focuses on documenting changes.
The first section is Logical and physical access to all information systems on which the audit focuses.
1. System administrators - here you need to provide a list of administrators in each system, including the company's network (Administrators, Domain, Enterprise, and Scheme Admins) and databases. The list should be either exported from the system or provided as screenshots, the first one being preferable.
For each employee with system administrator rights, there must be an approval order. You also need to know each service account with similar rights.
2. Access rights of employees - several sub-items are tested:
a. Employees who started work in the test year - it is required to provide a list of such employees, the easiest way from the accounting program (based on the fact that there is no employee who does not receive a salary).
b. Employees who have completed their work in the test year are likewise a list of such employees.
c. Employees who have changed their position - a list of employees.
d. Additionally, you should provide complete lists of users in all systems, including the company network and databases
At the request of the auditors (full list or sample), you should provide the completed and certified forms of hiring and dismissal of employees.
Data will be cross-checked: are there any employees who received access rights to any systems without proper permission, are there any dismissed / outgoing employees with open access rights, are there any unused open accounts (logged in more than 90-180 days ago) .
It also checks the implementation of the annual procedure for auditing user rights - you must provide a certified list of users and their rights in each system. By the way, with the help of this check, it is possible to detect accounts of dismissed / outgoing employees that are not closed on time.
3. Remote access rights - you must provide a list of all employees eligible for remote access. It can also verify the performance of the audit procedure of the list of employees as part of the annual audit procedure of user rights. If in AD there is a separate group with these rights - prepare for additional cross-checking.
4. Rights for local software installation - it is desirable that no employee be a local administrator on his computer.
5. External connections - it is desirable to block the CD-ROM, USB-ports, LAN-sockets and Wi-Fi-points. Plus, use a tracking system and alerts for connections.
6. Password Policy - you must provide a screenshot of the password settings screen for all systems, as well as AD. Minimum password requirements:
a. minimum length of 8 characters
b. use of different characters
c. change password a maximum of 90 days, at least every other day
d. preservation of password history for at least 5 generations, or year
e. inability to recover password
f. account blocking after 5 incorrect attempts
g. unlocking the account by the network administrator (it is advisable not to use the automatic reset of the lock)
It will also check the date of the last password change in AD for all accounts.
7. Firewall - a screenshot of the FW version, the FW administrators list, the alert distribution list. You may also request a certified periodic rule check in FW. In severe cases, they will review the log or require a document certifying (!) That such a check is being performed.
8. Antivirus - a screenshot of the AV version, the distribution list of alerts, the settings screen of the AV server updates and clients.
9. Laptop security - rarely (for the time being) require a list of employees with laptops. Whether hard drives are encrypted, if so, how.
10. Emergency management - each company must maintain a list of such incidents (network hacking attempts, etc.). It is advisable to transfer the quarterly reports to the higher management.
Well, the security of information systems seems to be sorted out. We turn directly to their operation.
1. Data backup is one of the main checks in this section.
You should provide a screenshot of the version of the backup program, the distribution list of the job completion status, and the backup settings screen. Since, as a rule, each financial system is installed on its virtual server, and the backup requirements may be different (full, differential, incremental), an appropriate number of screenshots will be required. The continuity of the backup process is checked by viewing the logs, so you need to keep backup logs for the previous three months, and even better - for the entire test year. Here are looking for problems with backup systems, lasting more than 2-3 days. In such cases, reports should be saved to the higher management, at least in the form of e-mail messages.
2. Check data recovery - you must provide data recovery logs from tapes. An experienced auditor is not limited to a few documents from a file server; therefore, it is advisable to perform database and financial system restores.
3. Backup cassettes - the rotation and cassette rewriting policy must comply with the following rules:
a. daily tapes must be kept for at least two weeks
b. weekly tapes - at least a month
c. monthly cassettes - at least a year
d. one-year cassettes - at least seven years
Cassettes should be stored in a fireproof safe, at least not in the server room, but better in another building. Accordingly, it is necessary to have a list of all employees with access to the safe.
4. Access to the server room - you should provide a certified list of employees with access to the server room. It is necessary to keep a log of visits, and to do this through the installation of a specialized access control system. In my opinion, the usual access system for personal ID (ID tag) is sufficient. I would advise to periodically review the log of visits - in some cases, you may see an interesting picture.
5. Monitoring the environment in the server room - the presence of smoke, fire, flooding sensors, independent air conditioning (from nearby premises), the presence of UPS and a generator, a list of employees who receive notifications in case of emergency.
6. Backup DC - distance from the head office, data transfer method, availability of a BCM / DRP plan (IT department should pay attention to the second part of the plan), implementation of annual (at a minimum) plan exercises.
7. Batch data processing - here it means automatic data processing (as a rule, performed at night), which does not require operator intervention. You need a list of all employees with the rights to change the settings, the distribution list of the status of data processing. They may also be asked to provide a log and examine it for errors, as is the case with backups.
8. Interfaces - in principle, interconnected with the previous paragraph, but still mention this control. It is desirable to have an interface diagram of all financial systems (not only between them, but also from them).
9. Solving infrastructure problems - here we mean an internal call center for registering and then solving all the problems arising in the company, to one degree or another associated with information systems and infrastructure (server crashed, electricity cut off, mouse not working, two Start buttons etc.). Emergency management from the previous section can be carried out within this control.
Two sections behind, one left, requiring close attention, since successful audits, as a rule, require changes in the work processes themselves. So, change management in information systems.
I'll start with a few comments. First, it is necessary to have documented and approved development procedures. Secondly, it is very, very desirable to have a specialized development management system in which every change will be documented. Third, provided that the development is carried out in outsourcing, or the use of boxed products, the audit will be somewhat different.
1. Working environments are very simple: for each financial system to provide screenshots of at least three working environments - development, testing and combat. For the above cases, the last two screenshots are enough (yes, even for the boxed version there should be a testing environment).
2. Access to work environments - lists of accounts for each environment, list of names of developers and testers. A cross-check already known to us is being performed, the meaning of which is as follows: developers and testers are denied access to the combat environment, ordinary users are denied access to everything except the combat environment. If the version is boxed, the lists for test and combat environments are sufficient. This is very problematic to do in companies of small and medium size, so the auditors make some compromises.
3. The process of transferring changes - ideally, the employee who is responsible for transferring changes from the test environment to the combat environment is not related to the development or business processes. Again, in this case, the auditors can also compromise.
4. Changes - you must provide a list of all changes in the financial systems implemented in the test year. There were no such? This means a screenshot of the folder with the installed system, with files sorted by date of changes. Well, if there were, then you will be asked to provide the following documentation:
a. Request for changes from the user - special forms, or an email.
b. The terms of reference for the change - depending on the type of change (add a field in the form or develop a module from scratch) - documentation will be required - from a regular letter with a description of the change to a full-page multi-page document certified by signatures of various heads and managers.
c. Testing a change - test cases with checklists and the user's permission that this change satisfies his request.
d. Permission to transfer changes to the military environment - signed by the head responsible for the development in this direction.
5. Managing critical changes - by and large does not differ from the previous paragraph. The only difference is that critical changes usually occur without documentation, so it is important to get all documents retroactively and save for the future.
So you have finished collecting all the necessary documentation, what to do next? The auditor will ask you for the collected documents and analyze them. For some controls, additional documents will be requested, since the auditor needs to maintain independence from internal checks (all of a sudden you have only 10 requests to open accounts for new employees, although there are more than 50 employees themselves; or you have deleted the account from the screenshot of the administrators group Director General). And then the table of risks and controls will be filled with test results and presented for discussion to the head of the IT department and financial director of the company (since he is responsible for the financial statements).
The work of the auditor is to find defects and deficiencies in the processes and controls. Even if everything works perfectly, the auditor can catch on a minor detail and unleash it to a serious shortcoming. A small digression: flaws fall into three categories - flaw (defect), serious flaw and major flaw, the latter being entered in the annual financial statements and may affect the value of the company. An experienced IT manager can use this nuance to request an additional budget for the needs of the department. The fact that there is no fireproof safe or access control system to the server room for the second year in a row rises to the level of an audit committee consisting of members of the board of directors, which, with the right approach, allows you to get the necessary budget to eliminate the deficiency.
In my opinion, this description sufficiently gives an idea of the external audit process of the IT department, but I think the main question is this: is it possible to independently prepare for the external audit of the IT department without the help of intermediaries? Based on my experience, I declare that it is possible, although it requires some effort, but in the end, it will allow us to save a decent amount every year. However, if you are preparing for an audit for the first time and are not confident in your abilities and knowledge, I would still recommend hiring a good consulting firm. True, it is advisable to single out one employee to assist in preparing for the audit, so that he will further assume this responsibility.
I hope the information provided will be useful both to those directly involved in the audit and to the wider public.
I am happy to answer all your questions.
I would like to highlight the issue of compliance with the requirements for managing the IT department in the framework of the external financial audit of the company. The purpose of the article is not to describe the associated laws, but to their specific impact on the management of the IT department.
Probably, many of you have already encountered these requirements in the form of either an everyday routine or an emergency job at the end of the calendar year (I am more inclined towards the second), but personally, apart from mentioning such concepts as SOX, HIPAA, SAS 70 (replaced by SSAE 16 ) and ITGC, did not meet with any exhaustive description of this issue.
')
Not so long ago, as part of my work, I prepared a presentation for new employees, which gives a minimal idea of this type of activity of our company. As a matter of fact, the presentation itself encouraged me to write this article. Here I want to note that my experience in the CIS countries is very limited - I work more with international companies.
If you are interested in this question, welcome.
Introduction
I will conduct a brief insight into the history of these requirements: as a result of financial fraud in several large companies in the early 2000s, the SOX law was approved by the US President regarding the direct responsibility of top managers for the accuracy of financial reporting. Since financial reporting in our time is not in barn books, but in specialized information systems, it has become necessary to make sure that financial data stored in these systems can be relied upon.
Each of you may have a question, how does this relate to the company where you work? If a company is listed on the US stock market, or is a subsidiary of one of these companies, it is necessary to create an internal mechanism to monitor the work of the IT department. Of course, it is necessary to create a similar mechanism in other departments, but here I repeat that the purpose of this article is the IT department.
So, how is such a control mechanism created? As a rule, a company turns to a consulting firm, which acts as a representative of this company in negotiations with an auditing firm, and another auditing firm can also act as a consultant. A consulting company uses its expertise, customizing them to varying degrees for each particular company.
What are these practices? In fact, this is a common Excel spreadsheet containing risks and controls arranged on topics that I will describe later. Where did these risks and controls come from? Depending on the degree of dedication of the staff of consulting firms, starting with a thorough study of various standards (COBIT, ITIL, COSO), their subsequent analysis and building their own “library” of risks and controls, and ending with simple plagiarism, as a rule, former employees of large firms, set sail.
The audit process of the IT department can be divided into two periods of time. The first, as a rule, takes place in late spring or early summer; it includes a description of IT processes and controls (matrix filling) and requires providing at least one documented example for each key control. From my own experience I can say that this stage is extremely important for the IT department itself - in the absence of a thorough check of the described IT processes and controls, possible inaccuracies can be costly in the future. The second part of the audit falls in the fall, and includes testing all key controls by collecting documentation on these controls.
Here, a small explanation of the difference between conventional and key control is required: the usual control is entered into the matrix in the form of a description, but the key one, in addition to the description, must be tested. How to find out where it is necessary to provide documentation on control, and where can I limit myself to just a mention? No This is negotiated between the mediator and the auditor, based on the size of the company, the results of the first part of the audit, etc. However, for most of the controls listed below, documentation must be provided.
Before starting to describe the audit process, I would like to mention the topic of orders and procedures - all key workflows of the IT department need to be documented. These documents must be approved by the management of the company, periodically reviewed and updated in case of significant changes in processes or technologies.
And one more note: if possible, provide lists in Excel format - this will make your life easier for both auditors and yourself (repeated requests with requests to provide the same, but in another form can make you nervous).
Let us turn to the description of the controls. The table of risks and controls is divided into three parts:
1. Logical and physical access
2. Operation of information systems
3. Management of changes in information systems
The fourth part, “Developing Information Systems,” is usually checked as part of change management, because it focuses on documenting changes.
Logical and physical access
The first section is Logical and physical access to all information systems on which the audit focuses.
1. System administrators - here you need to provide a list of administrators in each system, including the company's network (Administrators, Domain, Enterprise, and Scheme Admins) and databases. The list should be either exported from the system or provided as screenshots, the first one being preferable.
For each employee with system administrator rights, there must be an approval order. You also need to know each service account with similar rights.
2. Access rights of employees - several sub-items are tested:
a. Employees who started work in the test year - it is required to provide a list of such employees, the easiest way from the accounting program (based on the fact that there is no employee who does not receive a salary).
b. Employees who have completed their work in the test year are likewise a list of such employees.
c. Employees who have changed their position - a list of employees.
d. Additionally, you should provide complete lists of users in all systems, including the company network and databases
At the request of the auditors (full list or sample), you should provide the completed and certified forms of hiring and dismissal of employees.
Data will be cross-checked: are there any employees who received access rights to any systems without proper permission, are there any dismissed / outgoing employees with open access rights, are there any unused open accounts (logged in more than 90-180 days ago) .
It also checks the implementation of the annual procedure for auditing user rights - you must provide a certified list of users and their rights in each system. By the way, with the help of this check, it is possible to detect accounts of dismissed / outgoing employees that are not closed on time.
3. Remote access rights - you must provide a list of all employees eligible for remote access. It can also verify the performance of the audit procedure of the list of employees as part of the annual audit procedure of user rights. If in AD there is a separate group with these rights - prepare for additional cross-checking.
4. Rights for local software installation - it is desirable that no employee be a local administrator on his computer.
5. External connections - it is desirable to block the CD-ROM, USB-ports, LAN-sockets and Wi-Fi-points. Plus, use a tracking system and alerts for connections.
6. Password Policy - you must provide a screenshot of the password settings screen for all systems, as well as AD. Minimum password requirements:
a. minimum length of 8 characters
b. use of different characters
c. change password a maximum of 90 days, at least every other day
d. preservation of password history for at least 5 generations, or year
e. inability to recover password
f. account blocking after 5 incorrect attempts
g. unlocking the account by the network administrator (it is advisable not to use the automatic reset of the lock)
It will also check the date of the last password change in AD for all accounts.
7. Firewall - a screenshot of the FW version, the FW administrators list, the alert distribution list. You may also request a certified periodic rule check in FW. In severe cases, they will review the log or require a document certifying (!) That such a check is being performed.
8. Antivirus - a screenshot of the AV version, the distribution list of alerts, the settings screen of the AV server updates and clients.
9. Laptop security - rarely (for the time being) require a list of employees with laptops. Whether hard drives are encrypted, if so, how.
10. Emergency management - each company must maintain a list of such incidents (network hacking attempts, etc.). It is advisable to transfer the quarterly reports to the higher management.
Operation of information systems
Well, the security of information systems seems to be sorted out. We turn directly to their operation.
1. Data backup is one of the main checks in this section.
You should provide a screenshot of the version of the backup program, the distribution list of the job completion status, and the backup settings screen. Since, as a rule, each financial system is installed on its virtual server, and the backup requirements may be different (full, differential, incremental), an appropriate number of screenshots will be required. The continuity of the backup process is checked by viewing the logs, so you need to keep backup logs for the previous three months, and even better - for the entire test year. Here are looking for problems with backup systems, lasting more than 2-3 days. In such cases, reports should be saved to the higher management, at least in the form of e-mail messages.
2. Check data recovery - you must provide data recovery logs from tapes. An experienced auditor is not limited to a few documents from a file server; therefore, it is advisable to perform database and financial system restores.
3. Backup cassettes - the rotation and cassette rewriting policy must comply with the following rules:
a. daily tapes must be kept for at least two weeks
b. weekly tapes - at least a month
c. monthly cassettes - at least a year
d. one-year cassettes - at least seven years
Cassettes should be stored in a fireproof safe, at least not in the server room, but better in another building. Accordingly, it is necessary to have a list of all employees with access to the safe.
4. Access to the server room - you should provide a certified list of employees with access to the server room. It is necessary to keep a log of visits, and to do this through the installation of a specialized access control system. In my opinion, the usual access system for personal ID (ID tag) is sufficient. I would advise to periodically review the log of visits - in some cases, you may see an interesting picture.
5. Monitoring the environment in the server room - the presence of smoke, fire, flooding sensors, independent air conditioning (from nearby premises), the presence of UPS and a generator, a list of employees who receive notifications in case of emergency.
6. Backup DC - distance from the head office, data transfer method, availability of a BCM / DRP plan (IT department should pay attention to the second part of the plan), implementation of annual (at a minimum) plan exercises.
7. Batch data processing - here it means automatic data processing (as a rule, performed at night), which does not require operator intervention. You need a list of all employees with the rights to change the settings, the distribution list of the status of data processing. They may also be asked to provide a log and examine it for errors, as is the case with backups.
8. Interfaces - in principle, interconnected with the previous paragraph, but still mention this control. It is desirable to have an interface diagram of all financial systems (not only between them, but also from them).
9. Solving infrastructure problems - here we mean an internal call center for registering and then solving all the problems arising in the company, to one degree or another associated with information systems and infrastructure (server crashed, electricity cut off, mouse not working, two Start buttons etc.). Emergency management from the previous section can be carried out within this control.
Management of changes in information systems
Two sections behind, one left, requiring close attention, since successful audits, as a rule, require changes in the work processes themselves. So, change management in information systems.
I'll start with a few comments. First, it is necessary to have documented and approved development procedures. Secondly, it is very, very desirable to have a specialized development management system in which every change will be documented. Third, provided that the development is carried out in outsourcing, or the use of boxed products, the audit will be somewhat different.
1. Working environments are very simple: for each financial system to provide screenshots of at least three working environments - development, testing and combat. For the above cases, the last two screenshots are enough (yes, even for the boxed version there should be a testing environment).
2. Access to work environments - lists of accounts for each environment, list of names of developers and testers. A cross-check already known to us is being performed, the meaning of which is as follows: developers and testers are denied access to the combat environment, ordinary users are denied access to everything except the combat environment. If the version is boxed, the lists for test and combat environments are sufficient. This is very problematic to do in companies of small and medium size, so the auditors make some compromises.
3. The process of transferring changes - ideally, the employee who is responsible for transferring changes from the test environment to the combat environment is not related to the development or business processes. Again, in this case, the auditors can also compromise.
4. Changes - you must provide a list of all changes in the financial systems implemented in the test year. There were no such? This means a screenshot of the folder with the installed system, with files sorted by date of changes. Well, if there were, then you will be asked to provide the following documentation:
a. Request for changes from the user - special forms, or an email.
b. The terms of reference for the change - depending on the type of change (add a field in the form or develop a module from scratch) - documentation will be required - from a regular letter with a description of the change to a full-page multi-page document certified by signatures of various heads and managers.
c. Testing a change - test cases with checklists and the user's permission that this change satisfies his request.
d. Permission to transfer changes to the military environment - signed by the head responsible for the development in this direction.
5. Managing critical changes - by and large does not differ from the previous paragraph. The only difference is that critical changes usually occur without documentation, so it is important to get all documents retroactively and save for the future.
So you have finished collecting all the necessary documentation, what to do next? The auditor will ask you for the collected documents and analyze them. For some controls, additional documents will be requested, since the auditor needs to maintain independence from internal checks (all of a sudden you have only 10 requests to open accounts for new employees, although there are more than 50 employees themselves; or you have deleted the account from the screenshot of the administrators group Director General). And then the table of risks and controls will be filled with test results and presented for discussion to the head of the IT department and financial director of the company (since he is responsible for the financial statements).
Conclusion
The work of the auditor is to find defects and deficiencies in the processes and controls. Even if everything works perfectly, the auditor can catch on a minor detail and unleash it to a serious shortcoming. A small digression: flaws fall into three categories - flaw (defect), serious flaw and major flaw, the latter being entered in the annual financial statements and may affect the value of the company. An experienced IT manager can use this nuance to request an additional budget for the needs of the department. The fact that there is no fireproof safe or access control system to the server room for the second year in a row rises to the level of an audit committee consisting of members of the board of directors, which, with the right approach, allows you to get the necessary budget to eliminate the deficiency.
In my opinion, this description sufficiently gives an idea of the external audit process of the IT department, but I think the main question is this: is it possible to independently prepare for the external audit of the IT department without the help of intermediaries? Based on my experience, I declare that it is possible, although it requires some effort, but in the end, it will allow us to save a decent amount every year. However, if you are preparing for an audit for the first time and are not confident in your abilities and knowledge, I would still recommend hiring a good consulting firm. True, it is advisable to single out one employee to assist in preparing for the audit, so that he will further assume this responsibility.
I hope the information provided will be useful both to those directly involved in the audit and to the wider public.
I am happy to answer all your questions.
Source: https://habr.com/ru/post/151610/
All Articles