How detailed are the IT security checks in an average IT audit? Is an “average” IT Auditor (CISA) qualified to do a detailed security audit, or even just to report on the security aspects of an IT audit? Is the idea of an IT audit not specifically to identify “security” issues, breaches or possible holes in the IT environment? And what is “security” anyway? (IT Security, that is.)
According to ISACA, an Audit is a “Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met.” This, however, refers to an “Audit”, not an “IT Audit”. In COBIT 5, the only reference to IT Audit can be found in the Implementation Professional Guide, where IT Audit is a role player in the implementation of IT Governance activities. This clearly refers to the actual team of IT Auditors, but does not give us a good definition of what IT Audit actually is.
Further investigation revealed the following definition from the INFOSEC Institute: “An IT audit can be defined as any audit that encompasses review and evaluation of automated information processing systems, related non-automated processes and the interfaces among them.”
Lastly, looking at the source everyone looks at first: Wikipedia says that an IT Audit is “an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization’s goals or objectives.”
So the basics are that an IT Audit is an Audit in Information Systems (Technology). Pretty self-explanatory, then… But where does IT Security fit into the picture? COBIT 5 has an extensive focus on IT Security – more than any of its predecessors. Three of the COBIT processes refer to Information Security specifically (APO13 Manage security, DSS04 Manage continuity and DSS05 Manage security services); however, the assumption is that Information Security should be pervasive throughout the entire organisation. An entire COBIT 5 Professional Guide is dedicated to the subject. We can then infer that IT Security is a subset of an overall IT Audit.
It follows then that IT Security must be part of an IT Audit, and that IT Auditors should have sufficient, if not superior knowledge of IT Security.
Where does IT Security fit in?
Traditionally, IT Audits were divided between General IT Audits and Application reviews. These were then subdivided into a multitude of different types of audits. The General Review was always done to check whether you have relatively “good” IT processes in place, and whether your systems aren’t blatantly open to abuse. Application reviews looked at access controls, segregation of duties, specialised controls testing, etc.
In both of these cases, IT Security is assumed. What is checking whether people have passwords, if not IT Security?
In recent times, though, IT Audits have become a lot more specialised (in some cases). ISACA recommends that we see IT Audits as three different types of engagements: a review, an examination and an Agreed-upon Procedures Engagement. In all three of the definitions, IT security is implicit.
A review is designed to provide limited assurance about an assertion. This may include a review about IT Security, but it is not explicitly stated. This is therefore not a traditional “audit” in the sense that it is not an attestation of a formal audit, and does not contain an audit opinion. If the assertion being reviewed is about IT Security, the review will obviously focus on IT Security.
An examination is normally part of a traditional audit. ISACA defines it as “…a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about an entity or event, processes, operations or internal controls, for the purpose of forming an opinion and providing a report on the degree to which the assertions conform to an identified set of standards.” This can then be seen as the normal IT Audit, in layman’s terms. Included in most of the standards and procedures prescribed by IT Audit norms is a section on IT Security. More on this later.
An Agreed-upon Procedures Engagement is a process whereby the client and the auditor agree on the specific procedures which the auditor will perform to obtain the evidence required by the client. This type of engagement may require more or less audit evidence than an examination; it depends on the agreement between the two parties.
ISACA also differentiates between the following categories, each of which can be performed through a review, examination or agreed-upon procedures engagement:
- General control examination or facility audit;
- Application audit;
- System development audit; or
- Technical or special topic audit.
Throughout the discussions on the different types and categories of audits, IT Security is never explicitly mentioned, but always implicitly implied.
How much is enough?
When performing an IT Audit, where will the IT auditor draw the line? With a review and an agreed-upon procedures engagement, the lines will be clear. The person performing the audit will know what is required, and the specifications will have been set out in a clear fashion, including the inclusion or exclusion of IT Security (in a non-IT Security engagement).
With an examination, however, the lines are fuzzy. Should the auditor rely on superficial reviews or investigations when it comes to IT Security, or should she get an ethical hacker to perform a black-box review or penetration test? The examination requires the auditor to provide sufficient, relevant and reliable evidence to support audit opinions. This leaves the auditor to make a judgement call, and can potentially lead to audits skimming over specialised aspects of IT Security if the IT auditor involved does not have specialised IT Security skills.
In recent years, some IT Audit specialists have included specific IT Security steps and procedures in an examination, employing IT Security specialists to ensure that the above-mentioned errors are avoided.
Conclusion:
IT Security is a massively growing industry, and should be tightly managed and investigated by IT auditors when performing an examination. IT auditors should also be aware of their limitations when performing an IT audit. Make use of specialists, and ensure that the initial knowledge gathered about the organisation to be audited includes detailed descriptions of its IT Security.