Continuous Audit Monitoring for IT Impacted Areas
(Part 1 of 2)
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
With the technology explosion of the last 20 years but only a minimal increase in the size of corporate audit staffs, the frequency of audits has decreased. In order to ensure that controls continue to remain effective, organizations should consider establishing triggers that identify when controls are no longer maintaining their desired level of effectiveness.
The IIA released a document entitled the Global Technology Audit Guide (GTAG) Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment, which attempted to provide a methodology for establishing a continuous audit monitoring program. The purpose of this two-part article is to provide a detailed approach to constructing a continuous audit monitoring program that factors in the recent control mandates of SOX 404 and OMB Circular A-123.
Organizations have implemented a control framework, as required by SOX and A-123, which is comprised of Risk & Control Matrices in which risks were identified and Control Objectives and Control Activities were defined to mitigate those risks. Traditionally, audit departments developed audit programs which were structured to determine whether vulnerabilities existed within an organization, rather than to define the controls necessary to mitigate those risks. With the rollout of SOX and A-123, audit departments have adapted to these changes and now use the Risk & Control Matrices as the starting point of their audits, performing an independent control assessment to identify missing controls and control design deficiencies. The next step is either to construct independent compliance tests or to utilize the SOX tests established by the internal organizations to assess compliance with these controls.

Non-compliance with controls is due either to behavioral issues or to an ineffective control design under which control compliance can never be achieved. An example of a behavioral issue is not obtaining the proper approval for a software change migration. An example of an ineffective control design is requiring that all new servers be validated against a security checklist prior to deployment, but not having an effective control to ensure that newly deployed production servers are actually identified. The triggers embedded within a continuous audit monitoring program that would have identified these two issues are a sample test of software change migration forms and the identification of newly deployed servers which were not validated against the security checklist.
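The two triggers just described, written as an added monitoring script that is not part of the original article. The server inventory, checklist validation log and change migration forms are constructed sample records; treating an approval by the same person who performed the migration as improper is an assumption made here, not a rule stated in the article.

```python
from datetime import date

# Constructed sample records (not from the article): a production server
# inventory, the security-checklist validation log, and a sample of
# software change migration forms.
SERVER_INVENTORY = [
    {"host": "prod-db-01", "deployed": date(2008, 3, 3)},
    {"host": "prod-web-02", "deployed": date(2008, 3, 10)},
    {"host": "prod-app-07", "deployed": date(2008, 3, 12)},
]
CHECKLIST_VALIDATIONS = [
    {"host": "prod-db-01", "validated": date(2008, 3, 1)},    # before deployment: ok
    {"host": "prod-web-02", "validated": date(2008, 3, 14)},  # after deployment: finding
    # prod-app-07 was never validated at all: finding
]
CHANGE_MIGRATIONS = [
    {"form": "CM-1001", "migrated_by": "dev_a", "approved_by": "mgr_x"},
    {"form": "CM-1002", "migrated_by": "dev_b", "approved_by": ""},       # no approval
    {"form": "CM-1003", "migrated_by": "dev_c", "approved_by": "dev_c"},  # self-approval
]


def unvalidated_servers(inventory, validations):
    """Control-design trigger: production servers with no checklist
    validation dated on or before their deployment date."""
    earliest = {}
    for v in validations:
        h = v["host"]
        if h not in earliest or v["validated"] < earliest[h]:
            earliest[h] = v["validated"]
    return sorted(s["host"] for s in inventory
                  if s["host"] not in earliest or earliest[s["host"]] > s["deployed"])


def unapproved_migrations(forms):
    """Behavioral trigger: migration forms lacking an approval, or (assumed
    improper here) approved by the same person who performed the migration."""
    return sorted(f["form"] for f in forms
                  if not f["approved_by"] or f["approved_by"] == f["migrated_by"])


def run_triggers():
    """Run both triggers and return the findings keyed by trigger name."""
    return {
        "servers_not_validated_before_deployment":
            unvalidated_servers(SERVER_INVENTORY, CHECKLIST_VALIDATIONS),
        "migrations_without_proper_approval":
            unapproved_migrations(CHANGE_MIGRATIONS),
    }


if __name__ == "__main__":
    for name, items in run_triggers().items():
        print(f"{name}: {items or 'none'}")
```

In practice the three inputs would be pulled on a schedule from the asset inventory, the checklist system and the change management tool, and a non-empty finding list is what triggers remediation or an earlier audit.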
As stated in the GTAG document, continuous auditing consists of a Continuous Control Assessment and a Continuous Risk Assessment. The objective of the Continuous Control Assessment is to determine whether controls remain effective. Knowing that the frequency of audits has decreased, the ability to identify that a control is not effective in between audits allows immediate remediation to occur, or an audit to be triggered earlier than planned. The objective of the Continuous Risk Assessment is to determine whether the level of risk has changed. The factors which determine whether the level of risk has changed include changes in the business processes which increase the overall business risk of the area, and changes in the technology environment which require changes or upgrades in the control design, increasing the residual risk of the area until the revised controls have been implemented. The need to upgrade controls based on changes in the technology environment may include limited resources to support detective control review processes when the overall size of the environment increases. For instance, if the number of database elevations increases because of a 25% increase in the number of database servers supported, performing code reviews of the scripts used to define structural changes may no longer be practical, which will necessitate a control redesign to counter the risk of developers inserting code which makes unauthorized security or data changes.
_________________________________________________________________________________________
Mitchell Levine is the founder of Audit Serve, Inc. Audit Serve performs all types of integrated & IT audits and SOX control design & testing. Email Mr. Levine at Levinemh@auditserve.com if you would like to discuss your organization's specific project requirements in order to establish a proposal of services.
Copyright 2008, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.