Information Systems Auditing

By Nina F Collins, November 2011

Introduction

In this update I discuss some new areas of risk that have emerged in IT and information systems. I also provide some additional material of interest to those studying the module.

Topic 4 Information systems governance

Agreements to manage IT services - section 4.3 of the learning text
Depending on how the IT function is located and structured in the organisation, a number of documents may be published to manage standards and expectations:
  • Service level agreements (SLAs) are often defined as agreements that set out the service level between a third party service supplier and its client. However, organisations are increasingly using them internally to define service standards between functions.
  • Operational level agreements (OLAs) define the relationship between different IT functional areas within an organisation. An OLA is similar to a service level agreement (SLA) but it is a wholly internal document and tends to be more technical. An OLA often includes hours of operation, responsibilities, authorities, response times etc.
  • Service catalogues set out the IT services that organisations provide either to their employees or customers. The layout and contents will vary. However, as an example, the catalogue of one of the UK universities contains the following: a description of each service the IT function is responsible for and its deliverables; the hours in which each service is supported; the IT department’s and the user’s responsibilities; the costs associated with services; and restrictions associated with the services.
 
Post-merger integration of IT services – section 4.3.1 of the learning text
When organisations merge they will undertake a process of integration (that is, post-merger integration or PMI) that involves combining the social, technical and physical structures and systems of the organisations into one. Such a process is usually managed as a project (or more commonly, programme). IT services integration forms part of the wider PMI process. The principles of project management will apply to the management of IT integration in a merger. Thus, the two key stages to managing the process are:
  1. Planning the transformation process. This stage will include assessing and documenting the IT infrastructures of the two organisations; defining the new IT infrastructure for the merged organisation; and agreeing the change (or transformation) process.
  2. The actual change process.
 
The issues associated with IT services integration are:
  • Process and structure: The two organisations may have organised their IT functions in different ways. For example, one organisation may have a decentralized structure and the other a centralized one. There may also be differences in the management and reporting structure. Trying to merge two very different structures will be a very complex process.
  • Networks, systems and data: There are the obvious issues of developing new applications, and migrating data etc. In addition, as part of the integration process, the organisation needs to ensure that all connections are secure, and that ‘legacy’ connections are closed down, such as those to divested business units and former service providers. There are also issues pertaining to agreeing standards and frameworks for IT projects, IT architecture, and IT procurement. PMI may involve disposing of IT assets, so there needs to be agreement as to how this will be done.
  • People: There are risks associated with ‘talent flight’; for example, the sense of uncertainty and proposed changes in the IT model may result in the departure of key IT staff whose specialized IT knowledge is essential for ensuring business continues as usual whilst the integration takes place. Further, PMI may involve the adoption of new IT systems which is likely to require training and re-skilling of staff. Last, PMI may involve making some IT staff redundant, and they may become disgruntled. Disgruntled staff pose a threat to the security of the IT system – such vulnerabilities need to be managed. Many IT functions employ third-party contractors, and managing them will form part of the PMI. 
  • Relationships: IT functions usually have many outsourcing agreements, and as part of the PMI, the organisation may need to renegotiate contracts, negotiate penalties as a result of terminating contracts, close access points on networks when contracts are terminated etc.    
  • Project management: As I have noted, PMIs are essentially projects, and so the risks associated with project management will apply to PMI such as time, budget and quality.
(Adapted from Gerds et al, 2010, and Markulec, 2009)
 
Topic 10 Security
 
Dimensions of privacy – section 10.1 of the learning text
The issue of personal privacy has received much attention recently, particularly with the increased use of e-commerce and social media. There is no agreed definition of what privacy is but it is clear there are several dimensions to the term:
  • Privacy of the person: concerns the integrity of the individual’s body, and is thus sometimes referred to as ‘bodily privacy’. Thus, submission to biometric measurements would concern this aspect of privacy.
  • Privacy of personal information: relates to data or information about an individual.
  • Privacy of personal behaviour: relates to the observation of what individuals do, so issues such as optical surveillance would concern this aspect. Personal behaviour could also relate to matters such as habits and political associations. The increased use of social media has made individuals’ personal lives and views more transparent. There are two aspects to how organisations respond to this greater visibility that has implications for the 'privacy of personal behaviour'. First, how organisations mine and utilise information from social networks for marketing purposes. Second, how organisations gather and utilise information from social networks about their employees.
  • Privacy of personal communications: relates to the freedom of communication amongst individuals. Issues of concern to this aspect of privacy include recording and monitoring of communication.
(Adapted from Information Commissioners Office, 2009)
These four aspects overlap. Thus, biometric data held on a database about an individual would concern bodily privacy as well as privacy of personal information.
 
Protecting individual privacy through PETs – section 10.1 of the learning text
Privacy enhancing tools (PETs) are IT-based tools that can help companies protect the privacy of users of their services. There are different types of PETs that manage privacy in different ways, such as tools that neutralise privacy-invasive technologies (PITs) and those that allow for pseudonyms (Clarke, 2001, and Information Commissioners Office, 2007).
 
Topic 14 Outsourcing
 
Cloud computing – section 14.2 of the learning text
Gartner, the information technology research and advisory company, defines cloud computing as ‘a style of computing in which massively scalable IT-enabled capabilities are delivered as a service to multiple customers using internet technologies’ (taken from Yale, 2011). So, essentially, rather than a company building its own IT infrastructure to host databases or software, a third party hosts them in its large server farms (Weber, 2011). The company has access to its data and software over the internet.
 
There are four models for delivering cloud services (see Figure 1), and there are variations within these models. Thus, private clouds can be hosted on the organisation's premises or they may be hosted by a third party.
 
Figure 1 Models for delivering cloud services and types of cloud services (figure not reproduced in this text)
In addition, there are three service models for the cloud (see Figure 1):
  • Infrastructure as a service (IaaS): a third party manages an organisation’s infrastructure, including networks, storage, servers and operating systems.
  • Platform as a service (PaaS): an organisation puts its in-house developed or purchased software on a cloud infrastructure managed by a third party.
  • Software as a service (SaaS): organisations use the provider’s applications running in the cloud. Applications are available from any location and through multiple devices, for example, webmail.
Taken from Bilton, 2011a.
 
The organisation's choice of delivery model and services will determine the risks to the organisation. However, the key issues can be grouped into four inter-related areas:
  • Information security
  • Regulatory compliance
  • Contractual agreements with service providers
  • Dependencies on third parties.
Data issues are one of the main concerns for organisations, particularly those organisations considering public delivery models or private models hosted by a third party. Thus, the geographic location of data presents issues relating to information security and regulatory compliance. And the location of data within data centres (particularly in relation to public delivery models) provides the auditor with practical challenges on providing assurance on information security (Pindar and Rigelsford, 2011, p. 32).
 
There are a number of ‘assurance’ frameworks that the internal auditor can utilise. There are general IT frameworks such as COBIT, ITIL and the ISO 27000 series of standards. There are also frameworks that have been developed specifically for cloud computing. They include:
  • Cloud Security Alliance’s (CSA) Security Guidance for Critical Areas of Cloud Computing version 3.0 (released November 2011) that includes the governance, risk and compliance (GRC) stack (see Bilton, 2011b for details).
  • Common Assurance Maturity Model (CAMM)
  • ISACA guide: IT Control Objectives for Cloud Computing
 
Types of outsourcing agreements – section 14.2 of the learning text
There are two types of agreements organisations outsourcing their IT and information systems can make with their service providers: guaranteed capacity agreements and guaranteed service agreements. The former involves the service provider guaranteeing that a certain amount of assets will be used exclusively for the client. Assets that form part of guaranteed capacity agreements are typically large pieces of computer hardware, such as mainframes, and personnel to manage the hardware and associated software. Guaranteed service agreements are more common and in this arrangement the client specifies the outputs or services to be performed by the service provider. The service provider then determines what assets are required to deliver the services.
 
Underpinning contracts – section 14.3.2 of the learning text
An underpinning contract is a contractual agreement created between an IT service provider and a third party supplier of services. The underpinning contract defines the targets and responsibilities that are necessary to meet the requirements set out in the SLA between the IT service provider and client.
 
Managing service levels with service providers – sections 14.3.3 and 14.3.4 of the learning text
Some service level agreements specify service-level credits or debits. Service credits are payments that are made by the service provider to the client as a result of a failure to meet certain agreed standards. Service debits are payments from the client to the service provider when service is measured to be exceptionally good. Proponents argue that service credits and debits make it easier to resolve disputes over service quality between service providers and clients. However, such systems are reliant on clear key performance measurements, and systems for monitoring them.
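The credit and debit mechanism above only works when downtime is measured unambiguously. The following added example (not from the learning text; the SLA terms and the outage log are constructed) settles one month's credits or debits from monitoring records, excluding agreed maintenance windows from the measured window and capping credits:

```python
# Added example: settling SLA service credits and debits from a monitoring record.
# Not from the original text; the SLA terms and the outage log are constructed.
from dataclasses import dataclass

MINUTES_IN_MONTH = 30 * 24 * 60  # 43,200 minutes; assumes a 30-day month

@dataclass
class SlaTerms:
    target_availability: float       # below this the provider owes a service credit
    exceptional_availability: float  # at or above this the client owes a service debit
    monthly_fee: float
    credit_per_tenth_pct: float      # credit (% of fee) per 0.1 percentage point of shortfall
    max_credit_pct: float            # cap on credits in one period (% of fee)
    debit_pct: float                 # flat debit (% of fee) for exceptional service

def measured_availability(minutes_in_period, outage_minutes, excluded_minutes):
    """Availability over the measurable window. Agreed maintenance windows are
    excluded from both the denominator and the outage total, so the SLA has to
    define precisely what counts as downtime before any credit can be computed."""
    measurable = minutes_in_period - excluded_minutes
    if measurable <= 0:
        raise ValueError("no measurable time in period")
    return 1.0 - outage_minutes / measurable

def settle(terms, availability):
    """Return (credit, debit) owed for one period, in currency units."""
    if availability < terms.target_availability:
        shortfall_tenths = (terms.target_availability - availability) * 1000
        credit_pct = min(shortfall_tenths * terms.credit_per_tenth_pct, terms.max_credit_pct)
        return round(terms.monthly_fee * credit_pct / 100, 2), 0.0
    if availability >= terms.exceptional_availability:
        return 0.0, round(terms.monthly_fee * terms.debit_pct / 100, 2)
    return 0.0, 0.0

def settle_month(terms, outage_log):
    """outage_log: list of (outage_minutes, is_planned) tuples from the monitoring system."""
    unplanned = sum(m for m, is_planned in outage_log if not is_planned)
    planned = sum(m for m, is_planned in outage_log if is_planned)
    availability = measured_availability(MINUTES_IN_MONTH, unplanned, planned)
    credit, debit = settle(terms, availability)
    return {"availability": availability, "credit": credit, "debit": debit}

# Constructed terms and a constructed outage log for one month:
TERMS = SlaTerms(0.995, 0.9995, 10_000.0, 2.0, 25.0, 1.0)
OUTAGE_LOG = [(90, False), (120, True), (150, False)]  # 240 unplanned, 120 planned minutes

if __name__ == "__main__":
    print(settle_month(TERMS, OUTAGE_LOG))
```

With these constructed terms the 240 unplanned minutes fall just short of the 99.5% target and produce a modest credit; reclassifying the 120 planned minutes as unplanned would change the outcome, which is exactly why the measurement rules matter.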
 
References
 
Bilton, A. (2011a), 'Internal audit and the cloud: part 1', Audit and Risk [online], 19 September. Available from www.auditandrisk.org.uk (accessed 28 November 2011).
 
Bilton, A. (2011b), 'Internal audit and the cloud: part 2', Audit and Risk [online], 19 September. Available from www.auditandrisk.org.uk (accessed 28 November 2011).
 
Clarke, R. (2001), Introducing PITs and PETs: Technologies Affecting Privacy, www.rogerclarke.com (accessed 23 June 2011).
 
Gerds, J., and Strottman, F. (with Jayaprakash, P.) (2010), ‘Post merger integration: hard data, hard truths’, Deloitte Review, issue 6.
 
Information Commissioners Office (2007, version 2), Data Protection Guidance Note: Privacy enhancing technologies, London, ICO.
 
Information Commissioners Office (2009, version 2), Privacy Impact Assessment Handbook, London, ICO.
 
Markulec, M. (2009), ‘Integrating IT in a time of shotgun mergers’, Bank Accounting and Finance, April – May, pp. 48 – 52.
 
Pindar, J., and Rigelsford, J. (2011), Cybersecurity and Information Assurance, ECIIA and University of Sheffield.
 
Weber, T. (2011), ‘Cloud computing: How to get your business ready’, BBC News [online], 18 March. Available from www.bbc.co.uk (accessed 23 June 2011).
 
Yale, W. (2011), ‘Cloud covered’, Internal Auditing, vol. 35, no. 1 (Feb), pp. 31 – 33.