
Information Technology Auditing: An Evolving Agenda PDF

246 Pages·2005·13.37 MB·English

Preview Information Technology Auditing: An Evolving Agenda

Information Technology Auditing
An Evolving Agenda

Jagdish Pathak

Springer

Jagdish Pathak
Odette School of Business
University of Windsor
Windsor, N9B3P4
Canada

Library of Congress Control Number: 2005921591
ISBN 3-540-22155-7 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer-Verlag. Violations are liable for prosecution under the German Copyright Law.

Springer is a part of Springer Science+Business Media
springeronline.com

© Springer-Verlag Berlin Heidelberg 2005
Printed in Germany

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Cover design: Erich Kirchner
Production: Helmut Petri
Printing: Strauss Offsetdruck
SPIN 11012511
Printed on acid-free paper - 43/3153 - 5 4 3 2 1 0

This Monograph is dedicated to all those who saw a potential in me and motivated me to strive hard in the education and career. They are many and difficult to isolate from the sea of well-wishers. I dedicate this volume to my parents (Shri Madan Lai Pathak and Mrs. Bhagwati Devi Pathak); brothers (Mr. Goverdhan Pathak and Mr. Giridhari Pathak) and sisters (Mrs. Vidya Mishra, Mrs. Lakshmi Mishra and Mrs. Binu lata Tiwari); parents of my wife (Mr. Kiriti Ranjan Das and Mrs. Minuprava Das); my late teachers (Dr. N.K. Sharma and Dr. S.M. Bijli); Dean of Odette School of Business, Dr. Roger Hussey; my students in India and Canada, Nupur, my wife; Joy, my son; and many unnamed others.

Preface

Information Systems (IS) auditing is a component in the domain of Modern Auditing as well as accounting information systems. This component has acquired predominance with the extensive use of computer technology in the business information processing area. Modern computer-based highly integrated information systems are fast replacing the traditional centralized and distributed information systems. The audit methodologies developed and used by the auditors in the earlier information systems have acquired adequate soundness and if at all any problem exists, it is more to do with the application of these methodologies rather than these methodologies themselves. Information needs of all the levels of management are not only fast evolving but getting diversified dramatically during the last two decades as a result of the growth and diversification of business interests. Economies of some of the biggest countries of the world are fast opening up their markets to seek global participation and remove the obsolescence from the technological scenario. A New World trade order has emerged to seek the barrier-less market mechanism. The concept of protectionism is almost given a good bye by many of these economies to open the channels for the global market forces to interact and decide optimally. And, of course, one should not forget the aftermath of ENRON and other big names' meltdown in the history of business and corporate world. Auditing had always been a key point of discussion and decisions made under various provisions of Sarbanes-Oxley Act 2002.

New information processing and communication technologies are being applied to satisfy managements' information needs. In response to this need, communication and digital electronic computer technologies have merged to provide the high-speed data communication capabilities (information super highways) used by many large business houses across the world. Multi-national business activities share the need for data communications capabilities, but also have other requirements that increase the complexities of management information needs. For instance, the need to accommodate currency conversion, regulatory reporting, and variations in accounting disclosure practices in developing information systems is felt more in case of multinational business entities.

Expansion in target markets and product lines has involved acquisitions for many businesses. This has led to consolidation of activities in some situations and diversification in others. Increased transaction volumes and an expansion of existing information systems often accompany consolidation. Diversification through acquisition has, in contrast, often required an information exchange between previously unrelated management information systems. In some cases, diversification has resulted in a significant expansion of data processing/information processing capabilities in order to provide required management information on a consolidated basis.

The monograph in your hand is the outcome of my researches in the realm of information technology auditing during the span of more than twenty years on different generations of hardware and software. The embedded objective of compiling these ten scholarly and applied essays in one book is to provide the developmental agenda at one place in this fast evolving field of specialty. The growth of EDP Auditing into a major force to reckon with in modern cyber environment is mostly due to the tireless efforts made by the Information Systems Audit & Controls Association (ISACA), many scholars of EDP Auditing, many professional certified information systems auditors and various prominent accounting bodies of professionals and big auditing firms of international stature.

These ten essays have applied and scholarly flavor so as to make them useable by the professionals of all hue in this field of knowledge. The chapters carry many new developments and their potential impact on the auditors and their procedures. I have made my best efforts to provide synergy and integration of research and practice into this monograph.

This monograph is basically designed to provide the basis for serious study and application of various recent developments in the segment of information and communication technology auditing. Any typical text on information technology auditing talks about many more complex concepts, techniques and software and refers them without often explaining the impact of those on the information technology auditing as many of these concepts, methods, applications are fast developing into industry standards, like enterprise resources planning or enterprise application integration etc. An auditor would be able to identify, understand and comprehend various new and fast evolving technologies to face them professionally. I have integrated many of my past papers with several modifications to extend the continuum to these chapters.

I am indebted to many of my former and present colleagues who have contributed directly or indirectly to this monograph and its development which include my self-development in acquiring the capability to write this monograph. I would extend my thanks to Professor Andrew Chambers, Former Dean & Professor, City University of London (UK); Professor (Dr.) Gerald Vinten, Head, European Business School, London (UK); Dr. Scott Summer, Brigham Young University, Utah (US); Professor (Dr.) Ram Sriram, Georgia State University, Atlanta, GA; Dr. Amelia Baldwin, University of Alabama, Tuscaloosa, AL; Professor (Dr.) Mary Lind, North Carolina A&T State University, Greensboro, NC; Professor (Dr.) Ramesh Chandra, Professor (Dr.) Jeffrey Kantor, Dr. Ben Chaouch, all of University of Windsor, ON, Canada; Professor (Dr.) S.N. Maheshwari, Director at Delhi Institute of Advanced Studies, New Delhi, India, Late Professor (Dr.) N.K. Sharma, Visiting Professor at Birla Institute of Technology & Science, Pilani, India & Late Professor (Dr.) Shah Mohammad Bijli, Former Dean, Faculty of Business at University of Goa. The list is not complete as there are still many who are not in this list but their contribution has been tremendous. My thanks go to them as well.

I am also indebted to my wife Nupur and my son Joy who were always my source of joy and encouragement in this arduous task of putting my stray thoughts together in this monograph.

Finally, I am as usual responsible for any error in this monograph and would make my best efforts to correct those errors in the second edition of this text (if it ever happens!).

February 2005
Jagdish Pathak, PhD
Odette School of Business
University of Windsor
Canada

Table of Contents

1 IT Auditing: An Overview and Approach
  1.1 Evolution in Managements' Perceptions
  1.2 Evolution in Information Processing Capabilities
  1.3 Exposure to Loss
  1.4 Objectives of IT Auditing
  1.5 Internal Controls and IT Audit
    1.5.1 Various Internal Controls
  1.6 Growth and Genesis of IT Auditing
  1.7 IT Audit Approach
    1.7.1 Nature of IT Controls
    1.7.2 Controls and Loss
    1.7.3 Internal Controls and Auditing Approach
  1.8 Steps in an IT Audit
  1.9 Audit Decisions

2 Auditing and Complex Business Information Systems
  2.1 Complex Integrated Accounting Systems
  2.2 Distributed Data and its Effects on Organisations
    2.2.1 Networks
    2.2.2 Portability and Systems
    2.2.3 Integration of Applications
  2.3 Productivity Aspect of the Technology
  2.4 Business Process Re-engineering
  2.5 Intelligent Systems
  2.6 Auditors and Changing Technology
  2.7 Strategic Use of Technology and Audit Implications
  2.8 Internal Controls and Auditing

3 Generation-X Technologies and IT Auditing
  3.1 Generation-X Enterprise Technologies
  3.2 Information Systems Integration: A Challenge
  3.3 Assured Information Emanates from Assured Systems
  3.4 Information Assurance: A Function of Strategic Importance
  3.5 Various Information Assurance and Control Measures
    3.5.1 Web-Level Assurance Measures
  3.6 Control Objectives and System Assurance
    3.6.1 British Standards: BS7799 and BS 7799-2:2002
    3.6.2 System Security Engineering Capability Maturity Model: SSE-CMM

4 Complex Information Systems, Auditing Standards and IT Auditors
  4.1 The Approach and Objectives
    4.1.1 The Scenario
  4.2 Impact of Technology Complexity on the Auditor
    4.2.1 Complex Information Technologies and Audit Risks
    4.2.2 SAS-94 and its Effect on the Audit Process

5 ERP and Information Integration Issues: Perspective for Auditors
  5.1 What is Enterprise Resource Planning?
  5.2 Implementation Cycle
  5.3 Conceptual Models
    5.3.1 Successes and Disasters
  5.4 Types of Implementation
  5.5 Social Integration
  5.6 Resistance in Social Integration
  5.7 Process Integration
    5.7.1 Communications in Process Integration
    5.7.2 Alignment of Culture in Process Integration
    5.7.3 Knowledge Integration
    5.7.4 Workflow Integration
    5.7.5 Best Practices in Functional Integration
    5.7.6 Virtual Integration
  5.8 Auditor and ERP
    5.8.1 ERP Internal Control Procedures

6 Technology, Auditing and Cyber-Commerce
  6.1 Technology and Auditing
  6.2 Risk Understanding in e-Commerce for IT Auditor
  6.3 Information at Risk
  6.4 Controls and Audit Evidences

7 IT Auditing and Security of Information Systems
  7.1 Information Security
    7.1.1 Computer Assets
  7.2 Security Controls
  7.3 Security Evaluation and Certification Criteria
    7.3.1 Networks Security
    7.3.2 OSI Architecture
    7.3.3 Security Mechanisms
    7.3.4 Integrity
    7.3.5 Security Mechanisms Location
  7.4 Future Trends

Description:
An evolving agenda of Information Technology Auditing is the subject of this book. The author presents various current and future issues in the domain of IT Auditing in both a scholarly and a highly practice-driven manner so as to make those issues clear in the mind of an IT auditor. The aim of the b