Information Systems Audit

Who should I call if I experience a security breach?

Call or email the Network Security Incident Response Team (NSIRT) of University Information Systems (UIS). Call 496-4736 at any time. During business hours (Monday to Friday 8 a.m. to 6 p.m.), a staff member will take your call. After hours you can leave a voice mail to page the on-call engineer. A team member can assist you in further evaluating the situation and determining what follow-up actions to take.

What is an Integrated Audit?

An integrated audit considers information technology, financial and operational controls as mutually dependent for establishing an effective and efficient internal control environment.

From an information technology perspective, the objective is to assure that information technology controls are effective and efficient in supporting the business process. From a financial and operational perspective, the objective is to assure that financial and operational controls are effective and efficient in supporting the business process. Even though no issues may be identified in financial and operational controls, issues identified in information technology may negate the effectiveness of the financial and operational controls, and vice versa. Therefore, for an integrated audit, all perspectives need to be considered, since information technology, financial and operational issues can significantly impact the achievement of management’s objectives of safeguarding information system assets and ensuring the reliability and integrity of information.

The integrated audit includes an audit of the applications, servers, and network configurations that support the business process. The examination and testing of the application, servers, and network configuration are similar to that of an information systems audit.

Additionally, the information system and the financial and operational auditors collaboratively consider the following as they relate to the business process being examined:

  • The business and information processing risks and controls are understood and agreed upon by the business owners, information technology delivery and support organization, and the integrated audit team.
  • Manual and automated feeds, system interfaces, and communications are accurate, timely and secure.
  • Manual and automated transactions are approved, timely and accurately processed.
  • Information is secure and privacy controls are in compliance with current regulations and University standards.
  • Disaster recovery plans and business continuity plans provide reasonable assurance that both the system and business operations can recover and continue when a system or business interruption occurs.
  • Program changes are authorized, tested, approved and migrated to production as prescribed by the business process owners.

The business process owner is ultimately responsible for ensuring information technology and financial and operational controls are implemented, effective and efficient.

What is a Systems Audit?

An information systems audit performed by RMAS is a comprehensive examination of a given targeted system. The audit consists of an evaluation of the components which comprise that system, with examination and testing in the following areas:

  • High-level systems architecture review
  • Business process mapping (e.g. determining information systems dependency with respect to user business processes)
  • End user identity management (e.g. authentication mechanisms, password standards, roles limiting or granting systems functionality)
  • Operating systems configurations (e.g. services hardening)
  • Application security controls
  • Database access controls (e.g. database configuration, account access to the database, roles defined in the database)
  • Anti-virus/Anti-malware controls
  • Network controls (e.g. running configurations on switches and routers, use of access control lists, and firewall rules)
  • Logging and auditing systems and processes
  • IT privileged access control (e.g. System Administrator or root access)
  • IT processes in support of the system (e.g. user account reviews, change management)
  • Backup/Restore procedures

The general mechanics of the audit consist of sampling configuration and log files, with subsequent interviews with key personnel. Additionally, RMAS performs testing with regard to identified key controls, and may require the creation of user accounts such that RMAS auditors may more thoroughly peruse the system and determine the efficacy of implemented controls. Further, a subset of integration testing may be performed against test or staging environments to assure controls that the general user may experience are in place and functioning as described and expected.

While much of the evaluation performed in an information systems audit is heavily focused on the IT general control environment for the given system, interviews with the primary users or information owners may also be conducted. Inquiry into the user community is performed to determine general user acceptance of the system and to determine service expectations with regard to the system.

What is an IT Governance audit?

An IT Governance audit evaluates an IT organization’s strategic and operational alignment with its enterprise’s business strategy, ensuring that IT is supporting the organization’s overall goals while measuring IT delivery performance and transparently reporting the results.

This type of audit will assess how an IT organization is functioning overall, what key metrics management needs and what value it provides to the enterprise. According to the IT Governance Institute, there are five focus areas:

  • Strategic alignment: Linking business and IT so they work well together.
  • Value delivery: Making sure that the IT department does what’s necessary to deliver the benefits promised at the beginning of a project or investment.
  • Resource management: Ensuring that resources are managed effectively and efficiently.
  • Risk management: Establishing a formal risk framework that puts some rigor around how IT measures, accepts, manages and reports risk.
  • Performance measures: Putting structure around both qualitatively and quantitatively measuring IT performance.

RMAS uses the COBIT (Control Objectives for Information and related Technology) framework, an international standard that assesses IT governance. Basically, COBIT is a comprehensive set of governance control objectives focused on risk and mitigation. These objectives introduce good control practices that integrate business requirements with IT delivery.