Continuous Audit Monitoring for IT Impacted Areas
(Part 1 of 2)
By: Mitchell H. Levine, CISA- Audit Serve, Inc.
With the technology explosion of the last 20 years but only a minimal increase in the size of corporate audit staffs, the frequency of audits has decreased. In order to ensure that controls continue to remain effective, organizations should consider establishing triggers that identify when controls are no longer maintaining their desired level of effectiveness.
The IIA released a document entitled the Global Technology Audit Guide (GTAG) Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, which attempted to provide a methodology for establishing a continuous audit monitoring program. The purpose of this two-part article is to provide a detailed approach to constructing a continuous audit monitoring program, factoring in the recent control mandates of SOX 404 and OMB Circular A-123.
Organizations have implemented a control framework as required by SOX and A-123, which is comprised of Risk & Control Matrices in which risks were identified and Control Objectives and Control Activities were defined to mitigate these risks. Traditionally, audit departments developed audit programs which were structured to determine whether vulnerabilities existed within an organization, instead of defining the controls which were necessary to mitigate these risks. With the rollout of SOX and A-123, audit departments have adapted to these changes and have used the Risk & Control Matrices as the starting points within their audits to perform an independent control assessment that identifies missing controls and control design deficiencies. The next step was either to construct independent compliance tests or to utilize the SOX tests established by the internal organizations to assess compliance with these controls.
Non-compliance with controls was due to either behavioral issues or an ineffective control design in which control compliance could never be achieved. An example of a behavioral issue is not obtaining the proper approval for a software change migration. An example of an ineffective control design is requiring that all new servers be validated against a security checklist prior to deployment, but not having an effective control to ensure that newly deployed production servers are being identified. The triggers embedded within the continuous audit monitoring program that would have identified these two issues would have been a sample test of software change migration forms and the identification of newly deployed servers which were not validated against a security checklist.
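The two triggers described above, implemented as reconciliation checks over constructed sample data. This is an added example, not code from the article or from Audit Serve; the server inventory, checklist validation log, migration records and their field names are all assumptions.

```python
from datetime import date

# Constructed sample data (not from the article): a CMDB export of production
# servers with their deployment dates, and the log of security-checklist
# validations performed on them.
PROD_SERVERS = [
    {"host": "app01", "deployed": date(2008, 3, 3)},
    {"host": "app02", "deployed": date(2008, 3, 10)},
    {"host": "db07", "deployed": date(2008, 3, 12)},
    {"host": "web04", "deployed": date(2008, 3, 15)},
]
CHECKLIST_VALIDATIONS = [
    {"host": "app01", "validated": date(2008, 3, 1)},
    {"host": "db07", "validated": date(2008, 3, 14)},  # validated only after go-live
]
# Constructed software change migration records; an empty "approver" means the
# migration form carries no evidence of approval.
CHANGE_MIGRATIONS = [
    {"change": "CHG-1001", "approver": "j.smith"},
    {"change": "CHG-1002", "approver": ""},
    {"change": "CHG-1003", "approver": "a.jones"},
]


def unvalidated_servers(servers, validations):
    """Trigger 1: production servers with no checklist validation on record,
    or whose earliest validation happened only after deployment."""
    first = {}  # host -> earliest validation date
    for v in validations:
        h = v["host"]
        if h not in first or v["validated"] < first[h]:
            first[h] = v["validated"]
    exceptions = []
    for s in servers:
        when = first.get(s["host"])
        if when is None:
            exceptions.append((s["host"], "no checklist validation on record"))
        elif when > s["deployed"]:
            exceptions.append((s["host"], "validated after deployment"))
    return exceptions


def unapproved_migrations(migrations):
    """Trigger 2: change migration forms lacking an approver."""
    return [m["change"] for m in migrations if not m["approver"].strip()]


if __name__ == "__main__":
    print(unvalidated_servers(PROD_SERVERS, CHECKLIST_VALIDATIONS))
    print(unapproved_migrations(CHANGE_MIGRATIONS))
```

In practice both inputs would be pulled on a schedule from the CMDB and the change-management system, and any non-empty result is the trigger that prompts remediation or an earlier audit.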
As stated in the GTAG document, continuous auditing consists of a Continuous Control Assessment and a Continuous Risk Assessment. The objective of the Continuous Control Assessment is to determine whether controls remain effective. Knowing that the frequency of audits has decreased, having the ability to identify that a control is not effective in between audits allows for immediate remediation to occur or for an audit to be triggered earlier than planned. The objective of the Continuous Risk Assessment is to determine whether the level of risk has changed. The factors which determine whether the level of risk has changed include changes in the business processes which increase the overall business risk of the area, or changes in the technology environment which require changes or upgrades in the control design, increasing the residual risk of the area until the controls have been implemented. The need to upgrade controls based on changes in the technology environment may include the limitation of resources to support detective control review processes when the overall size of the environment is increased. For instance, if the number of database elevations is increased based on a 25% increase in the number of database servers supported, performing code reviews of the scripts used to define structural changes may no longer be practical, which will necessitate a control redesign to counter the risk of developers inserting code which makes unauthorized security or data changes.
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs all types of integrated & IT Audits, SOX Control Design & Testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.