WALTER HUDSON's ELECTRONIC JOURNAL
GROUP PROJECT(PAPER)

ERP: Auditing - hints, tips, tricks, problems, and ADVENTURE???

What is Auditing and ERP?

            Information Technology has proven to be one of the fastest growing businesses today, and with that growth comes an overwhelming need for security. Security should rank at the top of the priorities of any IT company, professional, or end user. There is a need for people in strategic positions to provide management with input on where and how IT improves business processes. These people are auditors. The business processes are centered on ERP, an enterprise resource planning system: an integrated, multi-module, company-wide software system. The goal of ERP is to facilitate information sharing and improve communication across the organization. How do these two go together? Auditing an ERP requires an extensive, well-thought-out definition of security access capabilities. The authorizations occur within the application and not at the database level. This works to the company's benefit because the security delivered with the system is not necessarily strong. Network and database access is also required. Also typical is that an ERP implementation is combined with a business process reengineering effort.

Why are auditors needed?

            It has been proven repeatedly that undocumented networks may hide vulnerabilities. To properly secure an IT infrastructure, there needs to be a determination of how systems are connected in relation to one another. Using an accurate network diagram, the trust relationships among servers can be determined. Interviews can also take place between system administrators, network professionals and auditors. While automated assessment tools and application services can help keep networks running with minimal exposure, there is no substitute for an annual checkup of the system. The annual security checkup is handled by trained staff. Often, automated tools do not take into consideration people, processes, best practices and physical security, or the steps needed to provide a company with a comprehensive risk assessment sweep. The following are points that should be audited in a company-wide security assessment:

  • Security policy and accountability for its enforcement
  • Risk assessment against critical information
  • Account management and access controls
  • Authentication
  • Configuration and change management
  • Session controls
  • Network security, Internet access policies and network services
  • Cryptographic technologies for transmission and storage
  • Modems
  • System administration
  • Incident response
  • Auditing Viruses
  • Contingency Planning
  • Backups
  • Maintenance
  • Labeling
  • Media Sanitizing and disposal
  • Physical Security
  • Personnel Security Training and Awareness

What are the roles of an auditor?

            As many auditors know, IT auditing is not just a walk in the park. Auditors need to know how to conduct analytical reviews of the accounts and be able to identify the relationships between accounts and the new risks associated with ERP technologies. They also need to determine the amount of substantive or detail testing that will be necessary to rely on those accounts. Inadequate data cleansing may dramatically affect an auditor's interpretation of the reliability of the account records. Auditors need to understand the interaction and the flow of information. Often seen as the IT police, these auditors prefer to think of themselves as people companies hire to ensure that IT projects are not delayed, that risky mistakes are not taking place, and that no other mistakes occur that could cost the company more money than necessary. Frequently these auditors come from corporate auditing backgrounds. They are responsible for evaluating two areas: project progress and political winds. CIOs have to keep in mind not to shoot the messenger, because it is the auditor who has to deliver news about what has gone wrong under their supervision as well as inform senior management. Some auditors see it as a thankless job because they are often seen as ineffective if no problems are found and inaccurate if problems are found.

To increase the understanding of IT auditors, ISACA launched an offshoot group called the IT Governance Institute (www.itgovernance.org). ISACA stands for the Information Systems Audit and Control Association. Founded in 1969, it is recognized as a global leader in IT governance, control and assurance. The organization sponsors international conferences, training events and a global knowledge network (K-NET). It also administers the globally respected Certified Information Systems Auditor (CISA) designation, with more than 30,000 members worldwide, as well as the Certified Information Systems Auditor (CISM). ISACA also develops globally applicable information systems auditing and control standards. The IT Governance Institute, established by ISACA and founded in 1998, assists enterprise leaders in their responsibility to make IT successful in supporting the enterprise's mission and goals. Recently, ISACA was named one of the top five most influential non-vendors in the information security field by Information Security Magazine. The idea of this group is to encourage the business side of a company to work more closely with the technology managers. IT auditors want them to understand that their interaction is more like a partnership than a competition and that the communication lines should be open between the two groups. To help overcome the divide between IT professionals and auditors, it is very important that the IT department is educated about what the auditors' goals are. The auditors, in turn, must know the technology at all costs. They must also learn about new technology at a much quicker rate, because IT deployment has sped up as companies work to complete internet projects in internet time. To be effective, IT auditors must not only report to IT managers or the CIO but must also be independent of the people they are monitoring in order to produce the most accurate results.
Knowing the technology also helps the auditor get off on the right track with the professionals he or she interacts with. Getting involved from the start of a project is also a way of eliminating the time and effort spent trying to figure out exactly when, where, how and why a project went wrong. The criteria used to monitor projects should be publicized so that the workers do not feel as if they are being excluded from the process. Dealing with conflict in a professional manner is crucial to being an IT auditor.

What are some of the challenges of being an IT auditor?

            One of the first audit challenges is the challenge of understanding the ERP system. As previously stated, the ERP system is an integrated, multi-module, company-wide software system. Its objective is to integrate key processes such as order entry, manufacturing, procurement, accounts payable, payroll and human resources. First-year audits are opportunities to learn and understand how these processes fit into the puzzle of a completed audit evaluation. Subject matter expertise is also a challenge, because it is very necessary for the auditor to understand what he or she is looking for. Process audits are a challenge because many companies will reengineer their business processes. The focus may very well be placed on the business processes and internal controls pertaining to the audit tests. Challenges also arise between internal audits and external audits. In most cases it is suggested that a company look outside itself when getting audited, to avoid receiving inadequate reports. Partnering with one another is another positive aspect, in the sense that the IT professionals need to know that the auditor is not out to get them. The skill of the team is also an issue. There should be an understanding among the team members as to what each other's strengths and weaknesses are and what area each will be working in. Electronic information also challenges the auditors. The electronic information and the hardcopy should contain the same information and should not be altered. Information received electronically should be reviewed thoroughly. Data issues such as data retention, data entry and segregation of duties are also challenges. The data should be entered accurately and immediately upon occurrence. Segregation of duties should also be defined, because a programmer should not be assigned to a job in which he or she has the access needed to make changes to or sabotage information.
Managing expectations should be defined throughout the audit evaluation. If there is a change in the audit, the best-practice information should be shared and value thereby added to the audit. Another challenge of audits is keeping costs and time to a minimum. To aid in this, the audit should be completed on one system. Auditors face many challenges, but with adequate training they are capable of handling the situation.
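The segregation-of-duties point above (a programmer should not also hold the access that lets him or her change or sabotage production data) is the kind of control an auditor checks mechanically against an export of role grants. The following is an added example written for this page, not code from the paper or from any ERP vendor; the role names, the conflict pairs and the grant list are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) check over ERP role grants (added example)."""
from itertools import combinations

# Constructed conflict rules: pairs of roles that one person should not hold
# together. The first pair mirrors the paper's programmer-vs-production-change
# point; the other two are common ERP examples (assumed, not from the paper).
SOD_CONFLICTS = {
    frozenset({"app_developer", "prod_change_deploy"}),
    frozenset({"vendor_master_maintain", "ap_payment_release"}),
    frozenset({"payroll_entry", "payroll_approve"}),
}

# Constructed sample of (user, role) grants, as an auditor might export them.
SAMPLE_GRANTS = [
    ("alice", "app_developer"),
    ("alice", "prod_change_deploy"),      # developer who can also deploy to production
    ("bob", "payroll_entry"),
    ("carol", "payroll_approve"),         # entry and approval split across two people: fine
    ("dave", "vendor_master_maintain"),
    ("dave", "ap_payment_release"),       # can create a vendor and pay it
    ("dave", "report_viewer"),
]


def roles_by_user(grants):
    """Group an export of (user, role) rows into {user: set(roles)}."""
    users = {}
    for user, role in grants:
        users.setdefault(user, set()).add(role)
    return users


def find_sod_violations(grants, conflicts=SOD_CONFLICTS):
    """Return a sorted list of (user, role_a, role_b) for every conflicting
    role pair that a single user holds. Each pair is reported once, with the
    two roles in alphabetical order."""
    violations = []
    for user, roles in roles_by_user(grants).items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                violations.append((user, a, b))
    return sorted(violations)


if __name__ == "__main__":
    for user, a, b in find_sod_violations(SAMPLE_GRANTS):
        print(f"SoD violation: {user} holds both {a!r} and {b!r}")
```

Because the conflict matrix is a set of unordered pairs, adding a new rule is a one-line change and the check stays linear in the number of grants per user; in practice the grant list would be read from the ERP's user/role export rather than embedded in the script.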

What do auditors think about disaster recovery planning?

            Auditors tend to view disaster recovery planning as a way for companies to further guarantee the security and integrity of their data processing capability. Whereas in the past auditors were content with a regular schedule of data backups and off-site storage, they are now concerned with being prepared to handle the worst. A necessary part of business operation integrity is having documented and tested recovery plans. Auditors are concerned that the backup material maintain well-founded integrity and security. The importance of this became vivid as auditors became worried about hackers and the system failures expected from Y2K. Today IT audit handbooks contain chapters devoted entirely to auditing an IT department's disaster recovery plan. Plan provisions are valuable to the auditors. The auditors will be able to review documents to see when the plan was last revised, as well as dates and procedures. A plan test schedule and assessments of test results are also required to make sure that the plans in effect actually work. Just because a plan looks good on paper does not mean that it will work well in an emergency. Training and awareness are also factors in success. A disaster recovery plan addresses two time frames: the future time frame in which the plan will be implemented to cope with the disaster, and the present time in which the plan is maintained, planned participants are trained, and every corporate employee is made aware of disaster preparedness and prevention. The auditor may want to see a schedule of the dates on which training sessions occurred. Requirements of a disaster recovery plan may include having a fully articulated planning rationale that pinpoints discussion strategies and selection criteria. Also included may be effective disaster prevention and mitigation measures for all critical business processes, including strategies for system, network and end-user recovery.
There also needs to be evidence that these measures can be implemented in numerous scenarios. There needs to be documentation of relationships with other companies for backup system platforms in case of a facility disaster, and of contracts with vendors of system backup facilities and services (e.g. hot sites, mobile recovery facilities). There needs to be a schedule for off-site updates of paper files and media backups, and schemes for electronic tape vaulting and/or remote data mirroring. Provisions should also be made for network recovery, including contracts with network vendors for on-demand routing or automatic switching of voice and data communication services. Specifications for fire protection systems, power continuation systems, water detection systems and alarm systems with disaster prevention capabilities should also be planned.

Real World Case

            For the past several months a firm has been in the process of implementing PeopleSoft for managing corporate payroll, benefits and other human resource functions. In relation to this project, management asked the information security department to conduct a comprehensive audit and penetration test against the infrastructure. This is understandable, since the data that some of the systems will contain is sensitive in nature. The company is implementing the version of Pleasanton, Calif.-based PeopleSoft Inc.'s application that includes a web-based front end that mentions several other systems. The problem with a web-based front end is that anyone with a web browser has access to the application. The system consists of a three-tiered architecture: back-end databases that house the critical data, mid-tier application servers, and front-end web servers. The data includes employee compensation information, health care data and personal information such as employee Social Security numbers, dates of birth and dependent information. Auditing is essential to answering questions like: Can someone on the public internet gain unauthorized access to PeopleSoft data? Can someone exceed their authorization? Can an employee gain unauthorized access? With an implementation like PeopleSoft, the audit must not only be conducted against the application but must also test the network resources, servers, software, people and the interaction of all the pieces needed to implement the application efficiently and securely. The order is very important when conducting the audit and penetration tests. To the company, understanding the entire process, interaction and flow are the most important steps.

            The company met with the application staff and went over the entire system's operation. They covered which connections were necessary between each of the resources, as well as the trust relationships between the servers required for proper operation. Once this information was collected, it became easier to audit the access control lists on the firewalls and routers. Gathering this information was time consuming. They found that the security scanning tools they used for assessing the system and network devices were not able to uncover programming and configuration errors in the application. To correct this problem, the company chose California-based Sanctum Inc.'s AppScan. It is different because, instead of starting with an IP address or network segment, it starts with a web page. With a variety of operating modes, ranging from fully automated to interactive, AppScan was successful for this company. It enumerated several configuration errors which might otherwise have allowed unauthorized access to the web pages. The results of the audit were favorable. A security audit proved to be essential to the success of the company.
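Once the trust relationships between the web, application and database tiers are documented, auditing the firewall and router access control lists against them is a mechanical comparison: every permit rule should correspond to a documented flow, and any that does not is a finding. The following is an added example written for this page, not code from the paper, the company it describes, or any firewall vendor; the tier address ranges, the application and database ports and the sample rule export are all constructed assumptions.

```python
"""Audit firewall permit rules against a documented three-tier trust model
(added example). Tier networks, ports and rules are constructed assumptions."""
import ipaddress

# Constructed tier definitions for the three-tier layout described in the case.
TIERS = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.1.0.0/24"),
    "app": ipaddress.ip_network("10.2.0.0/24"),
    "db": ipaddress.ip_network("10.3.0.0/24"),
}

# Documented trust relationships: (source tier, destination tier, port).
# Only the web tier is reachable from the internet, and only the app tier
# may talk to the database. Port numbers are assumed for illustration.
ALLOWED_FLOWS = {
    ("internet", "web", 443),
    ("web", "app", 9000),
    ("app", "db", 1521),
}

# Constructed sample of permit rules, as exported from a firewall or router ACL.
SAMPLE_RULES = [
    {"id": 10, "src": "0.0.0.0/0", "dst": "10.1.0.0/24", "port": 443},
    {"id": 20, "src": "10.1.0.0/24", "dst": "10.2.0.0/24", "port": 9000},
    {"id": 30, "src": "10.2.0.0/24", "dst": "10.3.0.0/24", "port": 1521},
    {"id": 40, "src": "0.0.0.0/0", "dst": "10.3.0.0/24", "port": 1521},    # internet straight to DB
    {"id": 50, "src": "10.1.0.0/24", "dst": "10.3.0.0/24", "port": 1521},  # web tier bypassing app tier
]


def tier_of(cidr):
    """Map a CIDR to the most specific tier that contains it. 0.0.0.0/0
    contains every network, so the longest matching prefix wins."""
    net = ipaddress.ip_network(cidr)
    best = None
    for name, tier_net in TIERS.items():
        if net.subnet_of(tier_net) and (
            best is None or tier_net.prefixlen > TIERS[best].prefixlen
        ):
            best = name
    return best


def find_unexpected_permits(rules, allowed=ALLOWED_FLOWS):
    """Return [(rule_id, (src_tier, dst_tier, port))] for every permit rule
    whose flow is not in the documented trust relationships."""
    findings = []
    for rule in rules:
        flow = (tier_of(rule["src"]), tier_of(rule["dst"]), rule["port"])
        if flow not in allowed:
            findings.append((rule["id"], flow))
    return findings


if __name__ == "__main__":
    for rule_id, (src, dst, port) in find_unexpected_permits(SAMPLE_RULES):
        print(f"rule {rule_id}: {src} -> {dst} on port {port} is not a documented flow")
```

The check deliberately flags rules rather than hosts: a single over-broad permit (rule 40 above) is exactly the kind of configuration error the case says the network scanners could not relate back to the application's trust model, and it surfaces only when the rule is compared against the documented tier-to-tier flows.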

Tips to a Successful Audit.

            For a company to administer a successful audit, it must be able to address the new environment in several respects. Training and staffing must be at the highest level possible. Generous time and effort should be spent making sure everyone is properly educated. The implementation approach is also crucial to how successful the audit will be for the company. During the implementation, they must make sure that the right procedures and attitudes go into the beginning of the audit process. The auditor must, at this point, know the roles he or she should take in order to adequately supply the company with reports about its system. During the implementation approach, the auditor should take an active role. It is important for the auditor to know that reengineered business processes require a change in the method of control. New security, audit and control tools should be developed to accompany an effective audit. Auditors must also take the time to evaluate the complexity of the technology environment. In doing this they should be able to identify which ERP modules have been implemented, evaluate the wide variety of possibilities for applications, and determine which systems are used, as well as gain knowledge about the company's organizational model. Auditors must understand the controls the company uses. They must also keep in mind that not all audit steps are the same and that clients using ERP are usually large multinational corporations with complex structures and reporting. IT auditors as well as IT professionals must realize that auditors are not going to go away, and neither is the need for security. As many IT professionals have found out the hard way, IT is more time- and cost-efficient if the auditors get involved from the start.