IS Standards, Guidelines and Procedures for Auditing and Control ...

More documents

Recommendations

Info

G16 Effect of Third Parties on an Organisation’s IT Controls1. BACKGROUND1.1. Linkage to ISACA Standards1.1.1. Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the auditobjectives and comply with applicable laws and professional auditing standards.”1.1.2. Standard S6 Performance of Audit Work states, “During the course of the audit, the IS auditor is to obtain sufficient, reliableand relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriateanalysis and interpretation of this evidence.”1.2. Definitions1.2.1. ISP—Internet service provider: A third party that provides organisations with a variety of Internet, and Internet-related services1.2.2 ASP/MSP—application or managed service provider: A third party that delivers and manages applications and computerservices, including security services to multiple users via the Internet or a private network.1.2.3. BSP—business service provider: An ASP that also provides outsourcing of business processes such as payment processing,sales order processing and application development.1.2.4. In this guideline, ISP’s, ASP/MSP’s and BSP’s are collectively referred to as third parties. Third parties covered under thisguideline include any organisation that is separate from the organisation (such as shared service organisations) whetherlegally separate or not.1.3. Guideline Application1.3.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA guidelines.1.4. Need for Guideline1.4.1 This guideline sets out how the IS auditor should comply with the ISACA Standards and COBIT when assessing the effect athird party has on an organisation’s information system controls and related control objectives.1.4.2 This guideline is not intended to provide guidance on how IS auditor’s report on third-party provider controls in accordancewith other standard setting entities.2. ROLE OF THIRD-PARTY SERVICE PROVIDERS2.1. Services of Third-party Providers2.1.1 Organisations are using the Internet and corporate Intranets for a variety of purposes. These include providing employees,vendors and customer access to existing and/or new human resource, financial, sales and purchasing applications. Thisaccess, in many instances, is provided through one or more third-party providers.2.1.2 Third parties may provide such services as:• Connectivity of internal networks to the Internet• Connectivity to the organisation’s partners through virtual private networks or extranets• Connectivity to customers through the use of wireless technology• Web site development• Web site maintenance, management and monitoring• Web site security services• Providing physical location for hardware (known as co-location)• Monitoring of system and application access• Backup and recovery services• Application development, maintenance and hosting (such as ERP systems, e-commerce systems)• Business services including services such as cash management, credit card, order processing and call centre services3. EFFECT ON CONTROLS3.1. Third-Party Providers Effect on Controls3.1.1 When organisations use third parties, they can become a key component in an organisation’s controls and its achievement ofrelated control objectives.3.1.2 The IS auditor should evaluate the role that the third party performs in relation to the IT environment, related controls andcontrol objectives.3.1.3 An organisation that uses third-party providers for limited purposes, such as co-location services, may rely upon these thirdparties for only limited purposes in achieving its control objectives.3.1.4 However, an organisation that uses providers for other purposes, such as hosting financial accounting systems and e-commerce systems, utilises the third-party provider’s controls wholly, or, in conjunction with its own controls, to achieve itscontrol objectives.3.1.5. The effectiveness of third-party controls can enhance the ability of an organisation to achieve its control objectives andconversely, ineffective third-party controls can weaken the ability of an organisation to achieve its control objectives. Theseweaknesses can arise from many sources including the following:• Gaps in the control environment arising from the outsourcing of services to the third party50
G16 Effect of Third Parties on an Organisation’s IT Controls continued• Poor control design causing controls to operate ineffectively• Lack of knowledge and/or inexperience of personnel responsible for control functions• Over reliance on the third party’s controls (when there are no compensating controls within the organisation)4. PROCEDURES TO BE PERFORMED BY THE IS AUDITOR4.1. Obtaining an Understanding4.1.1 As part of the planning process, the IS auditor should obtain and document an understanding of the relationship between theservices provided by the third party and the organisation’s control environment. The IS auditor should consider reviewing suchthings as the contract, service level agreement, policies and procedures between the third party and the organisation.4.1.2 The IS auditor should document the third party’s processes and controls that have a direct effect on the organisation’sprocesses and on its control objectives.4.1.3 The IS auditor should identify each control, its location in the combined control environment (internal or external), the type ofcontrol, its function (preventative, detective or corrective) and the organisation that performs the function (internal or external).4.1.4 The IS auditor should assess the risk of the services provided by the third party to the organisation, its controls and controlobjectives and determine the significance of third-party controls on the ability of the organisation to meet its control objectives.4.2 Confirming the Understanding4.2.1 The IS auditor should confirm his/her understanding of the control environment.4.2.2 The IS auditor can confirm his/her understanding of the control environment through a variety of methods including suchthings as inquiry and observation and transaction walk-throughs.4.3 Assessing the Role of Third-party Provider Controls4.3.1 If the role or effect that the third party has on the organisation’s control objectives is significant, then the IS auditor shouldassess these controls to determine whether they function as described, operate effectively and assist the organisation inachieving its control objectives.5. RISKS ASSOCIATED WITH THIRD-PARTY PROVIDERS5.1 Effects of Third-party Providers on an Organisation5.1.1 Third-party providers can affect an organisation (including its partners), its processes, controls and control objectives on manydifferent levels. This includes effects arising from such things as:• The economic viability of the third-party provider• Third-party provider access to information that is transmitted through their communication systems and applications• Systems and application availability• Processing integrity• Application development and change management processes• The protection of systems and information assets through backup recovery, contingency planning and redundancy5.1.2 The lack of controls and/or weakness in their design, operation or effectiveness can lead to such things as:• Loss of information confidentiality and privacy• Systems not being available for use when needed• Unauthorised access and changes to systems, applications or data• Changes to systems, applications or data occurring that result in system or security failures, loss of data, loss of dataintegrity, loss of data protection or systems unavailability• Loss of system resources and/or information assets• Increased costs incurred by the organisation as a result of any of the above5.2 Assessing Identified Control Weaknesses5.2.1 IS auditors should assess the likelihood (or control risk) that weaknesses in control existence, design or operation may exist inthe IT environment. The IS auditor should identify where the control weakness exists.5.2.2 The IS auditor should then assess whether control risk is significant and what effect it has on the control environment.5.2.3 When weaknesses are identified, the IS auditor should also determine if compensating controls exist to counter the effect ofidentified weaknesses (compensating controls may exist in the organisation, the third-party provider or in both entities). Ifcompensating controls exist, the IS auditor should determine if they mitigate the effect of identified control weaknesses.6. CONTRACTS WITH THIRD-PARTY PROVIDERS6.1 Roles and Responsibilities6.1.1 The relationship between the organisation and a third-party provider should be documented in the form of an executedcontract. The contract is a critical element in the relationship between the organisation and the service provider. Thesecontracts contain many provisions that govern the actions and responsibilities of each party.51
Page 1: IS Standards, Guidelines and Proced
Page 4 and 5: Code of Professional EthicsThe Info
Page 6 and 7: IS Auditing Standards OverviewIssue
Page 8 and 9: IS Auditing StandardsIssued by Info
Page 10 and 11: 03 The IS auditor should plan the i
Page 12 and 13: information provided, appropriate t
Page 14 and 15: Operative Date14 This ISACA standar
Page 16 and 17: IS Auditing GuidelinesG1 Using the
Page 18 and 19: G2 Audit Evidence Requirement1. BAC
Page 20 and 21: G3 Use of Computer Assisted Audit T
Page 22 and 23: G3 Use of Computer Assisted Audit T
Page 24 and 25: G4 Outsourcing of IS Activities to
Page 26 and 27: G5 Audit Charter continued2.3.2 The
Page 28 and 29: G6 Materiality Concepts for Auditin
Page 30 and 31: G8 Audit Documentation1. BACKGROUND
Page 32 and 33: • Organisational characteristics;
Page 34 and 35: G10 Audit Sampling1. BACKGROUND1.1
Page 36 and 37: G10 Audit Sampling continued2.5.2 A
Page 38 and 39: G11 Effect of Pervasive IS Controls
Page 40 and 41: G11 Effect of Pervasive IS Controls
Page 42 and 43: G12 Organisational Relationship and
Page 44 and 45: G13 Use of Risk Assessment in Audit
Page 46 and 47: G14 Application Systems Review1. BA
Page 48 and 49: G15 Planning1.` BACKGROUND1.1 Linka
Page 52 and 53: G16 Effect of Third Parties on an O
Page 54 and 55: G17 Effect of Nonaudit Role on the
Page 56 and 57: G17 Effect of Nonaudit Role on the
Page 58 and 59: G18 IT Governance continued4.1.3 Th
Page 60 and 61: G18 IT Governance continued• Info
Page 62 and 63: G19 Irregularities and Illegal Acts
Page 64 and 65: G19 Irregularities and Illegal Acts
Page 66 and 67: G20 Reporting continued2.1.1 The pu
Page 68 and 69: G20 Reporting continued• Statemen
Page 70 and 71: G21 Enterprise Resource Planning (E
Page 78 and 79: G22 Business-to-consumer (B2C) E-co
Page 86 and 87: G23 System Development Life Cycle (
Page 88 and 89: G23 System Development Life Cycle (
Page 90 and 91: G24 Internet Banking continued• I
Page 92 and 93: G24 Internet Banking continued6.1.2
Page 94 and 95: G24 Internet Banking continued7.2.4
Page 96 and 97: G24 Internet Banking continuedREFER
Page 98 and 99: G25 Review of Virtual Private Netwo
Page 100 and 101:
3.6 Operating Risk3.6.1 Risks such
Page 102 and 103:
• Highlight the risks and issues
Page 104 and 105:
G26 Business Process Reengineering
Page 106 and 107:
Page 108 and 109:
Page 110 and 111:
G27 Mobile Computing1. BACKGROUND1.
Page 112 and 113:
G27 Mobile Computing continued• N
Page 114 and 115:
G28 Computer Forensics1. BACKGROUND
Page 116 and 117:
G28 Computer Forensics continued•
Page 118 and 119:
G28 Computer Forensics continued7.2
Page 120 and 121:
G29 Post-implementation Review1. BA
Page 122 and 123:
G29 Post-implementation Review cont
Page 124 and 125:
G29 Post-implementation Review cont
Page 126 and 127:
G30 Competence continued1.4.6 This
Page 128 and 129:
G30 Competence conntinued4. RECORDS
Page 130 and 131:
G31 Privacy continued1.6 Definition
Page 132 and 133:
G31 Privacy continued■■■Secur
Page 134 and 135:
G31 Privacy continued■■■■
Page 136 and 137:
IS Auditing ProceduresIS Risk Asses
Page 138 and 139:
IS Risk Assessment Measurement Proc
Page 140 and 141:
Page 142 and 143:
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Digital Signature and Key Managemen
Page 152 and 153:
SpecificTechnicalAspect of a CAOper
Page 154 and 155:
Intrusion Detection Procedure P3 co
Page 156 and 157:
Intrusion Detection Systems (IDS) R
Page 158 and 159:
ReportingSuggested ProceduresReport
Page 160 and 161:
Suggested Procedures for Preventing
Page 162 and 163:
Suggested Procedures for Preventing
Page 164 and 165:
Control Risk Self-assessment Proced
Page 166 and 167:
Page 168 and 169:
Facilitatedworkshop usingthe proces
Page 170 and 171:
Page 172 and 173:
Firewalls Procedure P6 continued2.1
Page 174 and 175:
Page 176 and 177:
Firewalls Procedure P6 continued•
Page 178 and 179:
Page 180 and 181:
Stateful inspection/dynamic packetf
Page 182 and 183:
Suggested ProceduresConfirm network
Page 184 and 185:
Firewalls Procedure P6 continuedHar
Page 186 and 187:
Irregularities and Illegal Acts Pro
Page 188 and 189:
AnalyticalproceduresDutiesApplicati
Page 190 and 191:
Irregularities and Illegal Acts Pro
Page 192 and 193:
Security Assessment-Penetration Tes
Page 194 and 195:
Security Assessment-Penetration Tes
Page 196 and 197:
InternetPenetrationTestingSuggested
Page 198 and 199:
InternalPenetrationTestingcontinued
Page 200 and 201:
WebApplicationcontinuedReportSugges
Page 202 and 203:
Evaluation of Management Control Ov
Page 204 and 205:
Evaluation of Management Control Ov
Page 206 and 207:
Aspects ofEncryptionOrganisationalm
Page 208 and 209:
IS Control Professionals StandardsI
Page 210:
ISACA Standards Documents CommentsI
show all

IS Standards, Guidelines and Procedures for Auditing and Control ...

Create successful ePaper yourself

Delete template?

Save as template?