Page 138 - DCOM509_ADVANCED_AUDITING

Unit 8: Auditing in Computerized Environment
given access to sensitive information strictly on a need-to-know basis and is given only those rights to access data and programmes which are in line with his job duties and nothing more. While giving fewer rights than required may decrease the efficiency of working, giving more rights carries the associated risk of misuse or possible fraud. The principle of maker and checker means that for each transaction, at least two individuals must be involved in its validation: while one individual may create a transaction, the other individual should be involved in confirming or authenticating the same. Here the segregation of duties plays an important role. Thus, strict control is kept over system software and data, keeping in mind the functional division of labour between all classes of employees.
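The need-to-know, maker-checker and segregation-of-duties rules just described can be enforced in software rather than left to procedure. The following is an added illustration written for this page, not code from the textbook; the role names, rights, users and transaction values are constructed for the example.

```python
# Least privilege: each role carries only the rights its job duties need.
ROLE_RIGHTS = {
    "clerk": {"create"},                 # maker: enters transactions only
    "supervisor": {"approve"},           # checker: confirms transactions only
    "manager": {"create", "approve"},    # holds both; only the person check stops self-approval
}

class Ledger:
    def __init__(self, users):
        self.users = users   # user -> role (constructed sample assignment)
        self.txs = {}        # tx_id -> transaction record
        self.log = []        # audit trail of (user, action, tx_id)

    def _require(self, user, right):
        role = self.users.get(user)
        if right not in ROLE_RIGHTS.get(role, set()):
            raise PermissionError(f"{user} ({role}) lacks right '{right}'")

    def create(self, user, tx_id, amount):
        self._require(user, "create")
        self.txs[tx_id] = {"amount": amount, "maker": user, "status": "pending"}
        self.log.append((user, "create", tx_id))

    def approve(self, user, tx_id):
        self._require(user, "approve")
        tx = self.txs[tx_id]
        # Segregation of duties: the maker may never act as checker of the same transaction.
        if user == tx["maker"]:
            raise PermissionError("maker and checker must be different people")
        tx["checker"], tx["status"] = user, "approved"
        self.log.append((user, "approve", tx_id))

def attempt(fn, *args):
    # Return "ok" or "refused" so every control outcome can be inspected.
    try:
        fn(*args)
        return "ok"
    except PermissionError:
        return "refused"

def run_demo():
    led = Ledger({"asha": "clerk", "ravi": "supervisor", "dev": "manager"})
    results = {
        "clerk_creates": attempt(led.create, "asha", 1, 2500.0),
        "clerk_approves": attempt(led.approve, "asha", 1),        # lacks the right
        "supervisor_approves": attempt(led.approve, "ravi", 1),
        "manager_creates": attempt(led.create, "dev", 2, 900.0),
        "manager_self_approves": attempt(led.approve, "dev", 2),  # maker == checker
    }
    return {**results, "status": (led.txs[1]["status"], led.txs[2]["status"]),
            "log": led.log}
```

The audit log records only the actions that passed both checks, which is what an auditor would later review against the role assignments.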
However, these principles are very broad, and it is necessary to go into the exact details of the complete environment, which includes the operating systems, database management systems, application packages and networking software used or likely to be used, in order to decide the controls over the systems. As such, it is important that user management, experts on the systems and auditors jointly decide on the exact nature of controls required by the organization. In other words, there is an inherent need to involve the auditors in the decision-making process regarding controls from the very beginning, whether the related software is developed in-house or outsourced.

In this connection, it may be mentioned that it is management who has to decide what to reasonably invest in security and control in Information Technology (IT) and how to balance risk and control investment in an unpredictable IT environment, since information systems security and control help manage risks rather than eliminate them. In addition, the exact level of risk can never be known, since there is always some degree of uncertainty. Excessive controls sometimes result in inconvenience, inefficiency, poor customer service and a higher cost of implementation. Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly weighed against cost and inconvenience, is a difficult management decision. Therefore, management needs a framework of generally accepted IT security and control practices against which to benchmark the existing and planned IT environment.
To address this problem, the Information Systems Audit and Control Association has developed the CobiT Framework, the main objective of which is the development of clear policies and good practices for security and control in IT. CobiT is designed for use by three distinct audiences: (i) Management, to help them balance risk and control investment in an often unpredictable IT environment; (ii) Users, to obtain assurance on the security and controls of IT services provided by internal or third parties; and (iii) Information Systems Auditors, to substantiate their opinions and/or provide advice to management on internal controls.

The objectives of CobiT are (i) to bridge the gap between control requirements, technical issues and business risks, (ii) to enable the development of clear policy and good practices for IT control, and (iii) to achieve a breakthrough in IT risk management and governance. For this purpose, CobiT has divided IT processes into four domains for high-level classification, containing in all 34 processes, which are further divided into 302 control objectives.
- Planning and Organization: This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. Furthermore, the realization of the strategic vision needs to be planned, communicated and managed from different perspectives. This domain contains 11 processes divided into 100 control objectives.
- Acquisition and Implementation: To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems. This domain contains 6 processes divided into 68 control objectives.

LOVELY PROFESSIONAL UNIVERSITY 133