UNCW MSA 516 - IT Auditor and Access Controls


IT Audit Basics
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 4, 2008
© 2008 ISACA. All rights reserved. www.isaca.org.

What Every IT Auditor Should Know About Access Controls

Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA is an associate professor of information systems at the University of Alabama at Birmingham (USA), a Marshall IS Scholar and a director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting information systems (IS) using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs Ingram, a large regional public accounting firm in the southeast US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications, including the Information Systems Control Journal.

One of the more pervasive concerns of IT audits, whether associated with financial audits or not, is the risk associated with IT general controls, such as access control. The increased usage of databases, the growth of access points on networks (especially remote connectivity) and wireless technologies have increased dramatically the risk associated with networks and access control. Once a person has gained access to a system, that person could potentially access data, financial reporting data, applications (e.g., journal entry software) and other high-risk functions.

While each entity must be analyzed according to its individual characteristics, virtually all entities subject to audits have some risk associated with access control.

The most basic principle in assessing the sufficiency of access control is to verify the alignment of the level of protection (sophistication) of access controls with the level of risk; that is, the more risk, the stronger the controls should be. It is becoming increasingly necessary to test more IT controls due to Sarbanes-Oxley requirements, the American Institute of Certified Public Accountants (AICPA)'s Risk Suite requirements and increased reliance on IT controls. This article demonstrates one methodology to assess the appropriateness of access controls using risk assessment, controls evaluation and access control tests.

Authorization vs. Authentication

The first area of understanding regarding access controls is the difference between authorization controls and authentication controls. Authorization controls basically provide the functionality to verify that a certain combination of ID and password has been granted authorization to access the network. Hopefully, that ID/password also has been granted access to a limited number of files, applications or data and appropriate access rights (read/write permission) via some network technology. Authorization is the cornerstone of access controls, and absolutely necessary, but it should not be the only access control, except in the most basic of systems and circumstances (e.g., small companies, simple systems or low-risk situations). The key to the authorization aspect of access control is whether or not the entity employs best practices for password policy.

Authentication becomes the second aspect, and more powerful in terms of mitigating risk. Authentication verifies that the login (ID/password) belongs to the person who is attempting to gain the access, i.e., users are who they say they are.
Some examples include swipe cards, smart cards, USB devices, temporary PINs, specific and private information, and biometrics. There are various ways to implement a control with this objective, but there are times that the IT auditor would want to verify that some control for authentication exists (e.g., higher risk).

Measuring the Level of Risk

Most of the auditing profession today, regardless of the type of audit, uses a risk-based or top-down approach to the audit. The IT auditor will want to assess the level of risk associated with access controls, and the IT auditor working on a financial audit will probably limit the evaluation to risks associated with material misstatements, financial reporting, and financial data associated with risks of unauthorized access. That level of risk is escalated by a variety of circumstances.

One of the issues is the size of the system(s) under review. Size is measured by the sheer number of workstations, servers and network components. Typically, smaller systems are found in smaller entities. Smaller entities have fewer resources for segregation of duties and IT staff. Usually this inherent constraint has a negative impact on the strength of the system of internal controls, especially automated or IT-dependent controls. Therefore, the smaller the size, the more likely the IT auditor would assess access control risk at a higher level. That is not to say that large, complex systems, such as enterprise resource planning (ERP), do not have inherent risks as well—some most certainly do. But the risk associated with large ERP systems is more a function of complexity than size (number of users).

Complexity, or sophistication, of the systems under review is correlated to risk—the more complex, the more risk, generally speaking.
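The authorization/authentication distinction above, together with the article's rule that the level of protection should track the level of risk, is easiest to see in running code. The following Python model is an added illustration and is not code from the article or from ISACA: authorization is a per-resource list of read/write rights tied to a login, authentication is a salted password check plus a second-factor token of the kind a smart card or USB device would present, and resources rated high-risk require that stronger control. The password-policy thresholds, the logins, passwords, tokens, resource names and risk ratings are all constructed sample data.

```python
"""Working model of two access-control layers: authorization (which login may read or
write which resource) and authentication (is the login really this person), with
higher-risk resources demanding the stronger authentication control.
Added illustration; all accounts, resources and thresholds are constructed."""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# --- Password policy (thresholds assumed for this example, not taken from the article) ---
MIN_LENGTH = 12

def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules a candidate password breaks; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    return problems

# --- Authentication: salted slow hash, constant-time compare, optional second factor ---
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a salted PBKDF2 hash; the clear-text password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS: Dict[str, dict] = {}  # login -> salt, password hash, second-factor token on file

def register_user(login: str, password: str, second_factor_token: str) -> None:
    """Enrol a login only if its password satisfies the policy."""
    if password_policy_violations(password):
        raise ValueError("password violates policy")
    salt, digest = hash_password(password)
    USERS[login] = {"salt": salt, "hash": digest, "token": second_factor_token}

def authenticate(login: str, password: str, presented_token: Optional[str] = None,
                 require_second_factor: bool = False) -> bool:
    """Verify the password and, when required, the token the user presents."""
    record = USERS.get(login)
    if record is None:
        hash_password(password, b"\x00" * 16)  # spend the same time so timing does not reveal unknown logins
        return False
    _, digest = hash_password(password, record["salt"])
    if not hmac.compare_digest(digest, record["hash"]):
        return False
    if require_second_factor:
        return presented_token is not None and hmac.compare_digest(presented_token, record["token"])
    return True

# --- Authorization: per-resource ACL of read/write rights plus a risk rating (constructed) ---
RESOURCES = {
    "journal_entries": {"risk": "high", "acl": {"controller": {"read", "write"}, "auditor": {"read"}}},
    "cafeteria_menu":  {"risk": "low",  "acl": {"controller": {"read"}, "auditor": {"read"}}},
}

def authorize(login: str, resource: str, right: str) -> bool:
    """Does the ACL grant this login the requested right on the resource?"""
    return right in RESOURCES.get(resource, {}).get("acl", {}).get(login, set())

def access(login: str, password: str, resource: str, right: str,
           presented_token: Optional[str] = None) -> str:
    """Full decision: authenticate (second factor for high-risk data), then authorize."""
    if resource not in RESOURCES:
        return "denied: unknown resource"
    needs_second_factor = RESOURCES[resource]["risk"] == "high"
    if not authenticate(login, password, presented_token, needs_second_factor):
        return "denied: authentication failed"
    if not authorize(login, resource, right):
        return f"denied: {login} lacks {right} on {resource}"
    return "granted"

# Constructed sample accounts
register_user("controller", "Ledger-Close-2024!", "card-0001")
register_user("auditor", "Review-Trail-77#", "card-0002")

if __name__ == "__main__":
    print(access("controller", "Ledger-Close-2024!", "journal_entries", "write", "card-0001"))
    print(access("auditor", "Review-Trail-77#", "journal_entries", "write", "card-0002"))
    print(access("auditor", "Review-Trail-77#", "cafeteria_menu", "read"))
```

Each returned string is a distinct, auditable outcome: an auditor testing this control would expect to see password-only logins rejected for the high-risk ledger, a read-only login refused write access even with a valid token, and low-risk data reachable with the basic control alone.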
If all of the systems are the same platform, the risk is lower than if there are multiple systems, especially those affecting financial reporting and data, and different platforms. For instance, in frauds of the past, it is a common factor that fraudsters who have the authority will deliberately use different systems for different aspects of the accounting functions and financial reporting, including pulling data off the various systems into a spreadsheet and producing financial reports from offline spreadsheets in a smoke-filled back room. Thus, generally speaking, the more systems in use, and the more disparate platforms being used, the greater the risk assessed by the IT auditor. Access control across disparate systems is usually difficult to administer.

If the entity has access to the source code, modifies code or generates code, then the access control risk is probably higher. Anytime people can affect the code being generated, there is a relatively high risk of error (which can be mitigated), and usually a moderate risk of fraudulent or malicious code. Therefore, if an entity has its own in-house