By: Mitchell H. Levine, CISA
Audit Serve, Inc.
This is the second of a two-part article. It discusses the remaining areas of the IT General Controls (ITGC) Audit in which specific IT controls should be considered for review and testing within an Integrated Audit, rather than being left entirely to a standalone IT audit.
Network Security Audit
The majority of the components of a network security audit belong in a standalone audit. However, there are two areas in which an Integrated Audit provides a unique perspective. The first is the traffic permitted into the network segment that hosts the applications in scope for the Integrated Audit. The business and IT walkthroughs performed during the Integrated Audit identify the message-based traffic that supports transaction processing and document delivery, as well as the host-level communications with internal hosts. That documented set of business flows is the baseline against which the permitted traffic should be compared: a permitted flow that no business process needs is as much an exception as a required flow that is blocked.
The second is the ports and services opened to external entities. The nature of the relationship with each external entity cannot be established from a standalone network security review; these relationships are understood as part of the business process walkthroughs, which is what allows the auditor to judge whether each externally exposed port or service is justified by a documented business relationship.
Similarly, where third-party vendors support applications reviewed in the Integrated Audit, the controls established to provide oversight of those vendors' actions can only be evaluated effectively through the Integrated Audit, because it is there that the vendor's role in the business process, and therefore the access the vendor legitimately requires, is understood.
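The comparison described above, reconciling permitted traffic against the flows documented in the walkthroughs and identifying externally reachable rules with no documented external party, can be scripted once the rule base and the walkthrough results are in hand. The following is an added example, not code from the article or from Audit Serve; the segment, rule base, flows and external party ("Example Bank") are constructed for illustration, and the rule base is assumed to be evaluated top-down with an implicit deny at the end.

```python
"""Reconcile the firewall rules fronting the in-scope application segment against
the business flows documented in the walkthroughs (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "tcp", "udp" or "any"
    ports: tuple    # inclusive (low, high) destination port range
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str        # source host
    dst: str        # destination host inside the segment
    proto: str
    port: int
    purpose: str    # business purpose recorded during the walkthrough
    external_party: Optional[str] = None


APP_SEGMENT = "10.20.0.0/24"   # constructed: segment hosting the in-scope applications
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule base, evaluated top-down; anything unmatched is implicitly denied.
RULES = [
    Rule("R1-web-to-order-api", "10.10.0.0/24",   "10.20.0.10/32", "tcp", (8443, 8443), "allow"),
    Rule("R2-payments-mq",      "10.30.0.0/24",   "10.20.0.20/32", "tcp", (1414, 1414), "allow"),
    Rule("R3-bank-sftp",        "203.0.113.0/24", "10.20.0.30/32", "tcp", (22, 22),     "allow"),
    Rule("R4-legacy-rdp",       "0.0.0.0/0",      "10.20.0.0/24",  "tcp", (3389, 3389), "allow"),
    Rule("R5-vendor-any",       "10.40.0.0/24",   "10.20.0.0/24",  "any", (1, 65535),   "allow"),
]

# Constructed flows identified during the business and IT walkthroughs.
FLOWS = [
    Flow("10.10.0.5",    "10.20.0.10", "tcp", 8443, "order entry API calls from web tier"),
    Flow("10.30.0.7",    "10.20.0.20", "tcp", 1414, "payment messages over MQ"),
    Flow("203.0.113.10", "10.20.0.30", "tcp", 22,   "daily statement files via SFTP", external_party="Example Bank"),
    Flow("10.50.0.9",    "10.20.0.40", "tcp", 5432, "reporting extract from orders DB"),
]


def rule_matches(rule, flow):
    low, high = rule.ports
    return (rule.proto in ("any", flow.proto)
            and ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst)
            and low <= flow.port <= high)


def first_match(rules, flow):
    """Top-down evaluation; None means the flow falls through to the implicit deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule
    return None


def is_overly_broad(rule):
    return ip_network(rule.src).prefixlen == 0 or rule.proto == "any" or rule.ports == (1, 65535)


def reconcile(rules, flows, segment):
    """Return (unsupported_flows, undocumented_rules, broad_rules):
    documented flows the rule base does not allow, allow rules into the segment that no
    documented flow needs, and allow rules with any-source, any-protocol or any-port."""
    seg = ip_network(segment)
    justified, unsupported = set(), []
    for flow in flows:
        hit = first_match(rules, flow)
        if hit is None or hit.action != "allow":
            unsupported.append(flow)
        else:
            justified.add(hit.name)
    inbound_allows = [r for r in rules if r.action == "allow" and ip_network(r.dst).overlaps(seg)]
    undocumented = [r for r in inbound_allows if r.name not in justified]
    broad = [r for r in inbound_allows if is_overly_broad(r)]
    return unsupported, undocumented, broad


def external_exposure(rules, flows, segment):
    """Allow rules into the segment from non-RFC1918 sources, mapped to the external party
    whose documented flow justifies each (None when no documented flow does)."""
    seg = ip_network(segment)
    exposure = {}
    for rule in rules:
        src = ip_network(rule.src)
        if rule.action != "allow" or not ip_network(rule.dst).overlaps(seg):
            continue
        if any(src.subnet_of(net) for net in RFC1918):
            continue
        party = next((f.external_party for f in flows
                      if rule_matches(rule, f) and first_match(rules, f) is rule), None)
        exposure[rule.name] = party
    return exposure
```

On the constructed data the reporting extract is a documented flow with no permitting rule, R4 and R5 are permitted paths that no business process justifies (and are overly broad), and of the two externally reachable rules only the SFTP rule is tied to a known external party. Each of those is an audit exception to raise with the firewall owner and the business process owner together.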
Application Change Management
Whether all of the components of an Application Change Management Audit can remain in a standalone audit depends on whether every in-scope application is managed by a central change management process. Where manual processes are used for application change control, those processes should be reviewed as part of the applications in scope for the Integrated Audit. The business walkthroughs during the Integrated Audit identify the applications tied to the in-scope business processes. For each application, questions should be asked about the process used to manage the migration of software to the test and production environments, including who approves and who performs the migration. If an application is not managed by the central change management group, its change management controls need to be reviewed as part of the Integrated Audit.
Backup and Recovery
Backup/Recovery processes have traditionally been covered as part of Infrastructure Audits. However, when the business process walkthroughs identify specific databases and unstructured data (e.g., file shares), a one-off audit test should be performed to confirm that backup processes are established for each of them, and that the backup frequency is consistent with the recovery point objective of the business processes they support.
Server and Host OS Security Reviews
Traditionally, all control areas are included in a standalone Server and Host OS Security Review. This holds true when the domain and the servers in scope for the Integrated Audit are managed by the centralized Infrastructure team. However, the file shares and directories identified during the business process walkthroughs as storing unstructured data that supports key business processes require a test during the Integrated Audit to validate that access is properly restricted (for example, that broad principals such as Domain Users or Everyone are not granted access). If Active Directory (AD) groups are used to manage access to application resources, a review of the AD group design should be included in the Integrated Audit to confirm that the approach chosen, whether resource-based (a group per resource, with permissions assigned to the group) or user function-based (a group per job function, whose members are granted the access that function needs), has been carried through consistently in the users and resources actually assigned to the groups. A design that is correct on paper but has users placed directly into resource groups, or groups nested in the wrong direction, grants access that the documented design does not show.
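The group design and share ACL tests described above can be performed over an export of the relevant groups and ACLs. The following is an added example and not code from the article or from Audit Serve. It assumes a hypothetical naming convention in which ROLE_* groups hold user accounts by job function and ACL_* groups hold ROLE_* groups and are the only principals expected on a share's ACL; the users, groups, share name and ACL entries are constructed for illustration.

```python
"""Test AD group design and share ACLs for the file shares identified in the
walkthroughs (added example, constructed data)."""

# Hypothetical naming convention assumed for this example:
#   ROLE_*  groups hold user accounts by job function (user function-based)
#   ACL_*   groups hold ROLE_* groups and are the only principals on share ACLs (resource-based)
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users", "Users"}

# Constructed AD export: group -> direct members (users or nested groups)
GROUPS = {
    "ROLE_AP_Clerk": ["jdoe", "asmith"],
    "ROLE_Auditor": ["bwong", "ROLE_AP_Clerk"],
    "ACL_FinanceShare_RW": ["ROLE_AP_Clerk", "vendor01", "ACL_FinanceShare_RO"],
    "ACL_FinanceShare_RO": ["ROLE_Auditor"],
}
USERS = {"jdoe", "asmith", "vendor01", "bwong"}   # constructed user account names

# Constructed ACL export: share -> [(principal, right), ...]
ACLS = {
    r"\\fs01\Finance": [
        ("ACL_FinanceShare_RW", "Modify"),
        ("ACL_FinanceShare_RO", "ReadAndExecute"),
        ("Domain Users", "Modify"),
        ("Authenticated Users", "ReadAndExecute"),
        ("asmith", "FullControl"),
        ("ROLE_AP_Clerk", "ReadAndExecute"),
    ],
}


def classify(name):
    if name.startswith("ROLE_"):
        return "role"
    if name.startswith("ACL_"):
        return "resource"
    return "other"


def check_group_design(groups, users):
    """Return (group, member, finding) for each member that breaks the role/resource layering."""
    findings = []
    for group, members in groups.items():
        kind = classify(group)
        for member in members:
            if kind == "resource" and member in users:
                findings.append((group, member, "user placed directly in a resource group; expected a ROLE_ group"))
            elif kind == "resource" and classify(member) != "role":
                findings.append((group, member, "resource group contains something other than a ROLE_ group"))
            elif kind == "role" and member not in users:
                findings.append((group, member, "role group contains a nested group; expected user accounts only"))
    return findings


def check_share_acls(acls, users):
    """Return (share, principal, finding) for ACEs that bypass the resource groups or are too broad."""
    findings = []
    for share, entries in acls.items():
        for principal, right in entries:
            if principal in BROAD_PRINCIPALS:
                findings.append((share, principal, f"broad principal granted {right}"))
            elif principal in users:
                findings.append((share, principal, f"user account granted {right} directly; expected an ACL_ group"))
            elif classify(principal) == "role":
                findings.append((share, principal, f"role group granted {right} directly; expected an ACL_ group"))
    return findings


def effective_users(group, groups, users, seen=None):
    """Expand nested groups to the user accounts that actually reach the resource.
    This is what the design review must compare against the intended population."""
    seen = seen if seen is not None else set()
    if group in seen:            # guard against circular nesting
        return set()
    seen.add(group)
    reached = set()
    for member in groups.get(group, []):
        if member in users:
            reached.add(member)
        else:
            reached |= effective_users(member, groups, users, seen)
    return reached
```

On the constructed data the design review flags a user placed directly in the read/write resource group, a read-only resource group nested inside the read/write one, and a nested group inside a role group; expanding the membership shows that the auditor account bwong ends up with write access through that nesting, which no line of the documented design reveals. The ACL review separately flags the broad principals, the user granted directly, and the role group placed on the ACL.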
Computer System Operations
Computer System Operations is traditionally covered as part of the ITGC Audit or a focused IT Audit of Computer Operations. Job Scheduling is typically tested within the Computer Operations Audit. However, if the scheduling of jobs, and the changes to the Job Control Language (JCL) that affect how those jobs process, are managed by users rather than by a central operations group, these control areas should be reviewed as part of the Integrated Audit.
One of the key components of computer operations is the identification of job failures. A centralized process within the scheduling group should be in place to identify failures and to manage the follow-up actions, so that a failed job is either re-run or formally escalated rather than silently left incomplete.
The management of data interfaces could be considered part of the central computer operations group, but in many cases interfaces are managed by user areas. As part of the business process walkthrough of an Integrated Audit, the dependency of each business process on data interfaces should be identified, along with whether the end-users are responsible for the successful send/receive of the data interchange and for confirming that the data was accurate. If this is handled by the end-user, the controls surrounding the completeness and accuracy of the data (for example, record counts and control totals reconciled between sender and receiver) should be covered as part of the Integrated Audit.
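The completeness and accuracy control referred to above is commonly implemented as a control record that travels with the interface file: the sender publishes the record count and a hash total of the amount field (plus a digest of the exact bytes), and the receiver recomputes and reconciles before the data is processed. The following is an added example and not code from the article or from Audit Serve; the pipe-delimited payment file layout, the records and the two damaged copies are constructed for illustration.

```python
"""Completeness and accuracy controls over a user-managed data interface: the sender
publishes a control record and the receiver reconciles against it (added example)."""
import hashlib
from decimal import Decimal

DELIMITER = "|"
AMOUNT_FIELD = 2   # constructed layout: id|counterparty|amount|value_date

# Constructed payment interface file exactly as sent.
PAYLOAD = (
    b"PAY0001|ACME Ltd|1250.00|2024-03-01\n"
    b"PAY0002|Globex Corp|870.50|2024-03-01\n"
    b"PAY0003|Initech|15000.00|2024-03-01\n"
)
# Constructed copies as they might arrive: one truncated in transit, one with an amount altered.
TRUNCATED = b"".join(PAYLOAD.splitlines(keepends=True)[:2])
MODIFIED = PAYLOAD.replace(b"|1250.00|", b"|1520.00|")


def build_control_record(payload, amount_field=AMOUNT_FIELD, delimiter=DELIMITER):
    """Sender side: record count and hash total for the business reconciliation,
    plus a SHA-256 digest of the exact bytes so byte-level changes are also caught."""
    records = [line for line in payload.decode("utf-8").splitlines() if line.strip()]
    hash_total = sum((Decimal(r.split(delimiter)[amount_field]) for r in records), Decimal("0"))
    return {
        "record_count": len(records),
        "hash_total": str(hash_total),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def verify_interface(received, control, amount_field=AMOUNT_FIELD, delimiter=DELIMITER):
    """Receiver side: return the exceptions the end-user must clear before the file is processed.
    An empty list means the file is complete and agrees to the sender's totals."""
    actual = build_control_record(received, amount_field, delimiter)
    exceptions = []
    if actual["record_count"] != control["record_count"]:
        exceptions.append(f"completeness: control record says {control['record_count']} records, "
                          f"received {actual['record_count']}")
    if actual["hash_total"] != control["hash_total"]:
        exceptions.append(f"accuracy: hash total {actual['hash_total']} does not agree to "
                          f"control total {control['hash_total']}")
    if actual["sha256"] != control["sha256"]:
        exceptions.append("integrity: SHA-256 of the received file differs from the sender's digest")
    return exceptions


# Control record the sender would transmit alongside (or ahead of) the payload.
CONTROL = build_control_record(PAYLOAD)
```

The truncated copy fails the record count, the hash total and the digest; the altered copy passes the record count but fails the other two, which is why a record count alone is not an accuracy control. Two caveats for the audit test: the control record must reach the receiver over a path an attacker who can alter the file cannot also alter (otherwise the digest is recomputed along with the tampering), and the receiver's reconciliation of the totals back to the sending system is the business control that should be evidenced, not merely the existence of the script.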
Business Continuity and Disaster Recovery
Audit departments typically handle the IT portion of Disaster Recovery in a standalone infrastructure audit and perform separate Business Continuity Planning (BCP) audits for the critical business areas within an organization, with a clear separation of control focus between the two. The Business Impact Analysis (BIA) is one of the key components of a BCP audit. The mapping of business processes to applications, which is what establishes the Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) each application must meet, is a key area that should be validated as part of the Integrated Audit. The reason is that the compliance testing in a BCP audit will not normally cover whether each business process is mapped to the correct applications, nor whether the RTO and RPO specified for each application are at least as stringent as those required by every business process that depends on it.
Testing of the BCP or Disaster Recovery plan is a key component of these "centralized" audits, but reviewing that testing during an Integrated Audit allows for a more precise test: confirming that all of the key business processes were actually exercised, that each application was recovered within its RTO, and that the RPO was properly validated, meaning the data restored during the test was no older than the RPO permits.
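The validation described in this section, checking that each application's declared RTO/RPO and backup interval are consistent with every business process that depends on it and that the DR test evidence actually demonstrates those objectives, is a mechanical reconciliation once the BIA, the application DR inventory and the test results are tabulated. The following is an added example and not code from the article or from Audit Serve; the processes, applications, objectives, backup intervals and DR test results are constructed for illustration.

```python
"""Reconcile the BIA process-to-application mapping against declared RTO/RPO, backup
intervals and DR test evidence (added example, constructed data). Hours throughout."""

# Constructed BIA extract: process -> (RTO, RPO, applications the process depends on)
PROCESSES = {
    "Payment Processing": (4, 1, ["PAYHUB", "MQGW", "SWIFTGW"]),
    "Order Entry": (8, 2, ["ORDERS", "PAYHUB"]),
    "Monthly Reporting": (48, 24, ["RPTDB"]),
}
# Constructed application DR inventory: app -> (declared RTO, declared RPO, backup interval)
APPLICATIONS = {
    "PAYHUB": (4, 1, 1),
    "MQGW": (24, 4, 4),
    "ORDERS": (8, 2, 24),
    "RPTDB": (72, 24, 24),
}
# Constructed DR test evidence: app -> (hours taken to recover, age in hours of the restored data)
DR_TEST = {
    "PAYHUB": (3.5, 0.5),
    "ORDERS": (6.0, 20.0),
    "RPTDB": (60.0, 20.0),
}


def required_objectives(processes):
    """Tightest RTO/RPO each application must meet, taken across every process that depends on it."""
    required = {}
    for rto, rpo, apps in processes.values():
        for app in apps:
            cur_rto, cur_rpo = required.get(app, (float("inf"), float("inf")))
            required[app] = (min(cur_rto, rto), min(cur_rpo, rpo))
    return required


def validate(processes, applications, dr_test):
    """Return (subject, finding) pairs for every inconsistency between the BIA, the declared
    objectives, the backup schedule and the DR test results."""
    findings = []
    required = required_objectives(processes)
    for app, (req_rto, req_rpo) in sorted(required.items()):
        if app not in applications:
            findings.append((app, "mapping gap: application named in the BIA is absent from the DR inventory"))
            continue
        decl_rto, decl_rpo, backup_interval = applications[app]
        if decl_rto > req_rto:
            findings.append((app, f"declared RTO {decl_rto}h exceeds the {req_rto}h required by dependent processes"))
        if decl_rpo > req_rpo:
            findings.append((app, f"declared RPO {decl_rpo}h exceeds the {req_rpo}h required by dependent processes"))
        if backup_interval > req_rpo:
            findings.append((app, f"backup interval {backup_interval}h cannot support an RPO of {req_rpo}h"))
        if app not in dr_test:
            findings.append((app, "not exercised in the DR test"))
            continue
        recovered_in, data_age = dr_test[app]
        if recovered_in > req_rto:
            findings.append((app, f"DR test recovery took {recovered_in}h against an RTO of {req_rto}h"))
        if data_age > req_rpo:
            findings.append((app, f"RPO not validated: restored data was {data_age}h old against an RPO of {req_rpo}h"))
    # A business process is only exercised if every application it depends on was recovered.
    for name, (_, _, apps) in processes.items():
        untested = [a for a in apps if a not in dr_test]
        if untested:
            findings.append((name, f"business process not fully exercised in the DR test; untested: {', '.join(untested)}"))
    return findings
```

On the constructed data PAYHUB is clean, while the other applications show the four failure modes the text calls out: an application in the BIA that nobody owns in the DR inventory, declared objectives looser than the processes require, a backup schedule that cannot deliver the RPO, and a DR test that either skipped an application or restored data older than the RPO allows. The required objectives are derived from the processes rather than taken from the application's own DR tier, which is what makes the test an Integrated Audit test rather than a repeat of the infrastructure audit.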