By: Mitchell H. Levine, CISA
Audit Serve, Inc.
Although Integrated Audits have evolved over the years so that their main focus is to assess whether an adequate control structure exists to support the business rules, there are a multitude of control areas within other IT Audits for which consideration needs to be given as to whether they should be covered within an Integrated Audit. One area of concern has always been whether the sampling approach used in the various IT Audits properly covered all areas where business processes are dependent on IT controls that were reviewed within IT General Controls Audits or specialized IT Audits (e.g., Mid-tier Audits, Network Security Audits). There was also always a question as to whether the control design review within these various IT Audits was comprehensive enough compared to the focused review that can be performed when covering these IT processes within an Integrated Audit. One of the challenges when these controls are covered in an Integrated Audit is determining, when a compliance test fails, whether the failure was an isolated incident or a systemic problem where the design of the control is ineffective and would therefore still require the control evaluation to be re-analyzed as part of the originating IT Audit. Even if it is decided not to perform the compliance test during an Integrated Audit for a particular control that is covered in a traditional IT General Controls Audit, the data comprising the potential samples identified during the Integrated Audit should be communicated to the auditors performing the IT General Controls Audit so that they can use a more targeted sample. It is important that formal tracking occurs of the IT controls that business processes depend upon and of where these specific IT controls are being tested (i.e., within the Integrated Audit or within a specific IT Audit).
One of the most critical pieces of information collected during the Integrated Audit business process walkthrough is the identification of the applications that the owners of the business process use as part of their workflow, together with the data that these business processes encompass. That data is either derived through the application itself, or it is unstructured data (i.e., data stored in files not accessed through the application), or it is data that users access directly from the database.
Within this two-part article we will discuss all the areas within the IT General Controls Audit where consideration should be given to including specific IT controls for review and testing within an Integrated Audit. It is understood that in large audit organizations the components of an IT General Controls Audit are segmented into separate IT Audits. This two-part article is not intended to identify how application audits can be replaced by Integrated Audits, since there is always a question as to whether Integrated Audits provide sufficient coverage across all the traditional areas within an Application Audit.
Database Management Audit
Database Management Audits traditionally review the controls for which the Database Administrators are responsible. These include change management over database structural changes, security administration over the management of database table changes, and a security access review over administrative access (e.g., SQL Server DBO) and global access (e.g., SQL Server db_datawriter). The review of whether individual table-level access within a database is properly assigned is difficult to perform as part of a standalone Database Management Audit, or when this IT process function is included in an overall IT General Controls Audit, since there could be tens of thousands of table access permissions to review. This is the reason that this specific control is better served by being reviewed as part of an Integrated Audit. As part of the business process walkthroughs, any instance in which business users are directly updating database tables would be identified. In addition, whether any confidential data is stored in these database tables would only be disclosed as part of the business process walkthrough, unless the organization has instituted a process to run automated tools to uncover the location of confidential data. Alternatively, if a periodic recertification review of database table-level access is performed, the effectiveness of the design of that control could be reviewed as part of the Database Management Audit or some other IT Audit.
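As an added illustration (not part of the article) of what the table-level access review above actually inspects, the following SQL Server queries enumerate, within the database under review, the members of the high-privilege fixed roles named in the article and every explicit write-capable permission granted directly on a table or view. The role names and catalog views are standard SQL Server; the output is the population from which an auditor would select business-user grants for recertification.

```sql
-- Added example: inventory of write access in one SQL Server database.
-- Run while connected to the database under review (USE <db>; first).

-- 1. Members of the fixed database roles that grant global or administrative
--    access (db_owner = DBO, db_datawriter = write to every table).
SELECT r.name            AS role_name,
       m.name            AS member_name,
       m.type_desc       AS member_type      -- SQL_USER, WINDOWS_USER, WINDOWS_GROUP, ...
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_datawriter', 'db_ddladmin')
ORDER BY r.name, m.name;

-- 2. Explicit table/view-level grants that allow data or structure changes.
--    minor_id > 0 means the grant is scoped to a single column rather than
--    the whole object; both are listed so the reviewer sees the full population.
SELECT p.name                       AS grantee,
       p.type_desc                  AS grantee_type,
       s.name + '.' + o.name        AS object_name,
       CASE WHEN dp.minor_id > 0 THEN 'column' ELSE 'object' END AS scope,
       dp.permission_name,
       dp.state_desc                -- GRANT, GRANT_WITH_GRANT_OPTION (DENY is excluded below)
FROM sys.database_permissions AS dp
JOIN sys.objects              AS o ON o.object_id  = dp.major_id
JOIN sys.schemas              AS s ON s.schema_id  = o.schema_id
JOIN sys.database_principals  AS p ON p.principal_id = dp.grantee_principal_id
WHERE dp.class_desc = 'OBJECT_OR_COLUMN'
  AND o.type IN ('U', 'V')                         -- user tables and views only
  AND dp.permission_name IN ('INSERT', 'UPDATE', 'DELETE', 'ALTER')
  AND dp.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
ORDER BY object_name, grantee;
```

Grants to Windows groups (type_desc = WINDOWS_GROUP) still have to be expanded to their individual members outside the database before the review is complete, which is one reason the population grows so large.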
Another component of the Database Management Audit is understanding the application authentication process to the database and whether security measures have been implemented that prevent individual users from “hijacking” the database IDs assigned to the applications. The control assessment of these measures could be performed during a Database Management Audit, but this would require control design discussions with each of the application owners, which would be a sizable task to perform during one single audit. Since the control design could be different for each application, a sampling approach would not be appropriate. However, if the application design discussions were conducted as part of the Integrated Audit that ties to the specific applications, this would be a more effective audit strategy. Alternatively, if an organization has a mature set of controls to handle and monitor application authentication to the database using industry toolsets such as Imperva SecureSphere or IBM Security Guardium to manage these security vulnerabilities, then a review of these controls would be better served as part of a single audit instead of being handled as part of a series of Integrated Audits.
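The monitoring side of the control just described can be sampled directly from the database server. The query below is an added example (not from the article or either vendor tool) that lists current SQL Server sessions authenticated with an application's database login but arriving from a host or client program the application itself does not use; the login name and the application server names are placeholders to be replaced with the values documented during the walkthrough.

```sql
-- Added example: screen for interactive use of an application's database ID.
-- Placeholders: 'app_svc_login' is the application's login; APPSRV01/APPSRV02
-- are the only hosts from which that application is expected to connect.
SELECT s.session_id,
       s.login_name,
       s.original_login_name,        -- differs from login_name after EXECUTE AS / impersonation
       s.host_name,
       s.program_name,
       s.client_interface_name,
       s.login_time,
       s.last_request_end_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND s.login_name = 'app_svc_login'
  AND (
        s.host_name NOT IN ('APPSRV01', 'APPSRV02')        -- unexpected origin host
     OR s.program_name LIKE '%Management Studio%'          -- SSMS
     OR s.program_name LIKE 'SQLCMD%'                      -- command-line client
     OR s.program_name LIKE 'Microsoft Office%'            -- Excel/Access data connections
      )
ORDER BY s.login_time DESC;
```

host_name and program_name are supplied by the client and can be set to anything, so a clean result is not proof of control effectiveness; treat hits as leads to corroborate against SQL Server login auditing or the monitoring tool's own logs, and confirm that the application login is not shared with individuals through the design discussions.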
In the second part of this Audit Vision article, the other areas within the IT General Controls Audit will be discussed where consideration should be given to including specific IT controls for review and testing within an Integrated Audit.