Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA
One of the most fundamental questions for an entry-level IT auditor is: How does one measure something to determine whether it is good, bad or ugly in an IT audit? That is, what is the standard or the benchmark when conducting IT audit tests? While some may suggest that IT auditors do not use a concrete measure, the truth is they do use authoritative standards, and do so with some consistency across the IT audit profession.
This article addresses some of the existing technical literature and audit guidance that provides concrete measures and procedures in evaluating IT in the context of an IT audit. These standards, in general, are fairly widely known and used across the profession. Therefore, like all articles in this column, this one is aimed at the “basic” or entry-level audience of the profession. The specific standards provided are illustrative of those available and not intended to be an exhaustive list.
A framework for performing an audit or review is a critical tool for IT audit tests and procedures. The most widely used framework is COBIT.1 A version of what became COBIT was first published in 1977 by the EDP Auditors Association (EDPAA), the former name of ISACA, which was organized in 1969. Over the years, COBIT has been updated to keep up to date with the ever-changing world of IT and business. COBIT became the de facto framework for performing IT audits, for evaluating IT risk and control, and for other similar purposes.
COBIT 4.1 and earlier provided a multilayer approach to the audit that included four domains, processes for each domain (34), and control objectives for each process (318). It is from the latter that the IT auditor gets a benchmark of what to expect and a sense of how to measure effectiveness of those activities. In addition, COBIT includes quality, fiduciary and security requirements.
Recently, ISACA released COBIT 5. The changes include the melding of certain globally accepted standards, principles, practices, and analytical tools and models for IT audits and other uses. COBIT 5 integrates ISACA’s COBIT, Val IT and Risk IT, and related standards from the International Organization for Standardization (ISO). COBIT 5 is restructured around five basic principles and seven categories of enablers.
The IT auditor can find much assistance in performing IT audits and reviews by studying and using COBIT, which serves as a framework for the approach.
The cornerstone of professional standards is the body of IT audit and assurance standards from ISACA. The most recent body of standards, exposed in late 2012 and awaiting release at the time of this writing, is outlined in figure 1.2 This body of standards is more about the process of performing the audit than the technical aspects of an IT audit.
There are several standards that address certain types of organizations or certain aspects of IT. These provide special assistance and applicable benchmarks for those areas. They also are fairly technical in nature and provide a great deal of assistance and education in determining the issues, risk factors, controls and best practices by which IT can be measured and evaluated.
FFIEC
The Federal Financial Institutions Examination Council (FFIEC) provides guidance and oversight in the financial institution sector of the US. It has published several relevant booklets, each referred to as an “IT Examination Handbook,” that address certain aspects of IT for financial institutions, most of which are fairly common to all organizations.3 These booklets provide guidance and standards that can be useful as benchmarks for audits related to IT.
GLBA
With the advent of the US Gramm-Leach-Bliley Act (GLBA) of 1999, certain entities must provide adequate security for certain private information. Specifically, GLBA mandates that every applicable institution have policies and processes in place to protect nonpublic personally identifiable information (PII) from threats. Section 501(b) was implemented by the FFIEC, and its Security IT Examination Handbook discusses a process-based approach to auditing operations and data under GLBA and the 501(b) expectations. The SANS Institute provides a white paper, Conducting an Electronic Information Risk Assessment for GLBA Compliance, that offers good practices on GLBA compliance.4
HIPAA
The US Health Information Portability and Accountability Act was passed in 1996. Title II (Administrative Simplification provisions) of the Act requires the establishment of national standards for electronic patient health information and reasonable security and privacy of patient data. Mandated elements of the Security Rule include administrative, physical and technical safeguards. HIPAA became effective in 2003, with enforcement effective beginning in 2006.
The American Recovery and Reinvestment Act of 2009 requires the US Department of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities are in compliance with HIPAA standards. HHS has provided an Audit Program Protocol that serves as an authoritative standard for auditing HIPAA compliance, complete with items that can serve as benchmarks.5
PCI DSS
If an organization stores, transmits or processes customer credit or debit card data, it is subject to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS was created to meet the growing threat of credit card theft and fraud and to protect the cardholder’s personal information. Compliance is mandatory for the specified organizations. There is also a certification program for PCI DSS auditors, known as Qualified Security Assessor (QSA). The QSA produces a Report on Compliance (ROC) for larger institutions or uses a self-assessment questionnaire (SAQ) for smaller entities. The PCI DSS documents6 and QSA materials provide the benchmarking for this specialty area.
FISMA
The US Federal Information Security Management Act of 2002 (FISMA) requires federal agencies to develop, document and implement information security for the information and systems that support the operations and assets of the agency, including those provided or managed by outsourced entities. FISMA further requires chief information officers (CIOs) and inspectors general (IGs) to conduct annual reviews of the information security program and report results to the US Office of Management and Budget (OMB).
NIST
The US National Institute of Standards and Technology (NIST) is responsible for developing the standards, guidelines, methods and techniques that provide for adequate information security at federal agencies. NIST has developed the Security Content Automation Protocol (SCAP), which provides the specifications.7
There are a number of articles, white papers and independent materials that provide some general guidance and standards.8 The Office of Inspector General (OIG) provides releases of actual reports that can be reviewed.9
NIST provides the FISMA-related standards, and other IT-related standards, especially related to information security. Its Computer Security Division web site provides materials and research related to security standards, including an annual report on computer security.10 NIST also provides useful information on encryption standards.11
NAIC
The National Association of Insurance Commissioners (NAIC) developed the annual reporting model regulation known as the Model Audit Rule in 2006.12 Although NAIC is insurance-specific, the Model Audit Rule can be applied to a variety of industries. For instance, the Model Audit Rule addresses internal control over financial reporting (ICFR). States individually adopt this rule as the standard for auditing insurers, and under it the first US Sarbanes-Oxley section 404-type reports were due in 2011.
There are at least two major reports that security professionals often refer to in developing effective IT audits. One is the “Microsoft Security Intelligence Report” (volume 13, 2012, is the current version). This voluminous study provides insights into the current and developing risk factors in the IT space, in particular related to security and developing threats. A second is Verizon’s “Data Breach Investigations Report” (the most recent version was released in 2009). It is a study of threats and risk related to security.
When IT auditors evaluate IT and its risk factors, threats, controls and effectiveness, that process should always be performed with some benchmark in mind. The body of benchmarks could come from a range of sources. This article attempts to provide the basics of where to find authoritative, reliable standards and frameworks from which an IT audit can be developed and conducted. That research should begin with COBIT and, from there, appropriate standards can be added as applicable.
1 ISACA, COBIT 5, USA, 2012, www.isaca.org/cobit
2 ISACA, IS Audit and Assurance Standards, USA, www.isaca.org/Knowledge-Center/Standards/Pages/default.aspx. ISACA released the exposure draft of these updated standards in late 2012; the exposure period ended 28 December 2012 and the new standards were being finalized at the time of this writing.
3 FFIEC, www.ffiec.gov
4 SANS Institute, Conducting an Electronic Information Risk Assessment for GLBA Compliance, 2003, www.sans.org/reading_room
5 Department of Health and Human Services, Audit Program Protocol, www.hhs.gov
6 PCI Security Standards Council, www.pcisecuritystandards.org
7 National Institute of Standards and Technology (NIST), Security Content Automation Protocol (SCAP), USA, http://scap.nist.gov
8 For example, see “10 Steps to Ace a FISMA Audit,” Information Week, 20 March 2010, www.informationweek.com/government/policy and the Federal IT Security Institute web site, www.fitsi.org, for related materials.
9 See an example at www.gsaig.gov.
10 Computer Security Division, www.nist.gov/itl/csd
11 See the Publications section of the Computer Security Resource Center of the NIST web site (http://csrc.nist.gov) for an example of standards NIST publishes.
12 National Association of Insurance Commissioners, Model Audit Rule, www.naic.org
Tommie W. Singleton, Ph.D., CISA, CGEIT, CITP, CPA, is an associate professor of information systems (IS) at Columbus State University (Columbus, Georgia, USA). Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting using microcomputers. Singleton is also a scholar-in-residence for IT audit and forensic accounting at Carr Riggs & Ingram, a large regional public accounting firm in the southeastern US. In 1999, the Alabama Society of CPAs awarded Singleton the 1998–1999 Innovative User of Technology Award. His articles on fraud, IT/IS, IT auditing and IT governance have appeared in numerous publications.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2013 ISACA. All rights reserved.