Exposure Draft of Standard on Internal Audit (SIA) 520, Auditing in an Information Technology Environment (Comments to be received by February 05, 2020)
STANDARD ON INTERNAL AUDIT (SIA) 520
AUDITING IN AN INFORMATION TECHNOLOGY ENVIRONMENT
The Internal Audit Standards Board of the Institute of Chartered Accountants of India (ICAI) invites comments on Standard on Internal Audit (SIA) 520, Auditing in an Information Technology Environment.
Comments are most helpful if they indicate a clear rationale and, where applicable, provide a suggestion for alternative wording.
Comments can be e-mailed either at email@example.com or firstname.lastname@example.org
Last date for sending comments is February 05, 2020.
*Note: This Standard on Internal Audit (SIA) 520 seeks to revise and supersede Standard on Internal Audit (SIA) 14, Internal Audit in an Information Technology Environment, issued in March 2009 (in recommendatory form by the Board). This SIA will become mandatory from its effective date.
STANDARD ON INTERNAL AUDIT (SIA) 520
AUDITING IN AN INFORMATION TECHNOLOGY ENVIRONMENT
This Standard on Internal Audit (SIA) 520, “Auditing in an Information Technology Environment,” issued by the Council of the Institute of Chartered Accountants of India (ICAI) should be read in conjunction with the “Preface to the Standards on Internal Audit”, “Framework Governing Internal Audits” and “Basic Principles of Internal Audit” issued by the Institute.
1.1 This Standard deals with the responsibility of the Internal Auditor to conduct an audit in an Information Technology (IT) environment.
1.2 An Information Technology Environment (ITE) exists when information is captured, stored and processed through automated means and is managed through various policies and procedures to support business operations and objectives. The two main components of an ITE are:
(a) IT infrastructure (including, but not limited to, hardware, operating systems, communication network, storage systems); and
(b) Application software and data (including, but not limited to, Enterprise Resource Planning, Customer Relationship Management, Dealer and Channel Management System, E-commerce applications, Robotic Process Automation).
1.3 The overall objectives of an internal audit do not change in an ITE. However, the different nature of the risks, and of the controls required to mitigate those risks, does affect the audit approach and the procedures deployed in the ITE. An audit in an ITE aims to evaluate an organization's IT risks and establish whether its IT controls are adequate to support the achievement of the organization's business strategy and goals.
1.4 Scope: This standard applies to internal audit assignments conducted in an IT environment, and where the IT systems are managed by the company. A separate Standard on Internal Audit (“SIA 530: Third Party Service Providers”) covers those situations where the IT systems are managed by external third-party service providers.
2.1 The objectives of this standard are to define the essential requirements for auditing in an IT environment so that:
(a) Audits are undertaken after due study and understanding of the Organisation’s ITE, including the IT strategy, operating procedures, the risk and governance mechanism in place to manage the ITE;
(b) An independent risk assessment, along with an evaluation of the controls required to mitigate those risks, forms the basis of the audit procedures; and
(c) The audit procedures designed and executed are sufficient to allow an independent assurance, especially in the areas of (indicative list):
2.2 The overall objective of performing internal audits in an ITE is to provide independent assurance and to help make improvements in the ITE, thus enabling the achievement of business objectives.
3.1 The Internal Auditor shall gain an understanding of the business operations and the corresponding IT Environment. This understanding shall be used to perform an independent IT risk assessment and to determine the nature of the controls required to mitigate those risks, before commencing any IT audit activities. (Refer Para 4.1).
3.2 Internal Auditor shall have the requisite qualifications, skillsets and experience to perform IT audits. Specialized skills in the areas of IT governance, Application Controls, Infrastructure reviews, and IT Cyber Security and Data Privacy regulation are essential. (Refer Para 4.2).
3.3 Internal Auditor shall assess the ITE to scope the IT audit areas and internal controls relevant to the audit. An appropriate assessment of the level of risk shall form the basis for designing the nature, extent, and timing of audit procedures. (Refer Para 4.3).
3.4 Appropriate planning activities shall be performed by the Internal Auditor, before commencing the field work. Key outputs of the planning phase are: A documented understanding of ITE, Risk Assessment, planned audit approach, project plan and skill resources/ team members. (Refer Para 4.4).
3.5 As part of audit execution phase, Internal Auditor shall test the design and operating effectiveness of relevant IT controls and identify control gaps, operating deficiencies, and violations of procedures, if any. (Refer Para 4.5).
3.6 Internal Auditor shall document all the ITE understanding and scoping, risk assessment, planning, testing and reporting stage related activities. Audit documentation as per SIA 330 (Documentation) will be prepared and retained. (refer Para 4.6).
3.7 The outcome of the audit procedures will be shared with the process owners, and action plans to address the areas of concern will be drawn up jointly. The Internal Auditor's final conclusion, along with an explanation of the basis for that conclusion, shall be documented as part of the working papers. (Refer Para 4.7).
4. Explanatory Comments
4.1. IT Understanding and Risk Assessment (refer Para 3.1): The Internal Auditor will gain an understanding of the business environment, its business processes, relevance of IT to the business, in order to undertake an IT risk assessment. This study will cover the IT Infrastructure components (hardware, operating system, storage and network devices), the Applications deployed, the nature of computerized processing, IT organization structure and governance mechanism, etc. IT risk assessment will be undertaken to identify the areas of importance and special focus, along with the Internal Controls required to mitigate IT specific risks.
4.2. Internal Auditor Credentials (refer Para 3.2): The Internal Auditor will obtain a Diploma in Information Systems Audit (DISA) or an equivalent qualification to develop the knowledge and skills required to perform IT audits. Knowledge and experience of Enterprise Resource Planning (ERP) systems, analytic tools, Core Banking Systems (CBS), operating systems, databases, cloud platforms and emerging areas such as Robotic Process Automation, blockchain and the audit of Artificial Intelligence / Machine Learning systems are important for performing effective IT audits.
4.3. IT Audit Scoping (refer Para 3.3): An Internal Auditor will identify the scope of the IT audit procedures to be executed based on the understanding of the overall ITE, objective of the IT audit and results of the IT risk assessments performed. As part of the scoping exercise, key areas within the audit scope (such as business / IT processes, systems and applications, including third party services), need to be clearly identified and documented. An illustrative list of audit areas to consider for scoping is provided in Annexure 1.
4.4. IT Audit Planning (refer Para 3.4): An Internal Audit Assignment plan, including the IT audit approach, methodology and timelines, will be defined, documented and maintained, based on the objectives and audit scope identified above. Use of emerging audit tools and technologies, and the related test procedures, for better audit insights and efficiencies may also be considered during this phase. Further, refer to "SIA 310 – Planning the Internal Audit Assignment" for a detailed description of the objectives and outcomes of the planning exercise.
As part of establishing the audit approach, the Internal Auditor may consider various audit controls and procedures relevant to the ITE. An illustrative checklist of IT controls which can be reviewed and the nature of the audit procedures which can be conducted by the Internal Auditor is given in Annexure 2.
4.5. Audit Execution (refer Para 3.5): The Internal Auditor will review the robustness of the IT environment and consider any deficiency in the design, implementation and operating effectiveness of IT controls by performing interviews, reviewing supporting documentation, reviewing system configuration, and conducting inspections and physical walk-throughs.
Internal Auditor will exercise due professional care and use professional judgement and scepticism in applying appropriate audit methodology, audit procedures and sampling guidelines.
4.6. Audit Documentation (refer Para 3.6): The audit test procedures conducted, the conclusions reached and the basis for them shall be documented. Areas of documentation include the IT environment understanding and scoping, IT risk assessment, IT audit planning, the IT risk and controls matrix, work papers for tests of design, implementation and operating effectiveness, references to supporting documentation, evidence gathered, etc. Use of audit documentation tools may be considered by the Internal Auditor to make the audits more efficient and effective.
4.7. Management Discussion on Deficiencies (refer Para 3.7): The Internal Auditor will consider any additional evidence or information provided by the control or process owner, as well as other risk-mitigating factors, before concluding on a test of control. Additional procedures may be performed to understand the root cause, to assess any impact on the financial statements and to identify other mitigating controls. The final set of deficiencies and recommendations will be discussed with executive management for inputs (on remediation actions).
5. Effective Date
5.1 This Standard is applicable for internal audits beginning on or after a date to be notified by the Council of the Institute.
Annexure 1: Illustrative list of Audit Areas to consider as part of the Audit Scope when conducting Internal Audits in an IT Environment
(Refer paragraph 3.3 and 4.3)
(This Annexure is illustrative in nature and does not form part of the Standard)
|S. No.||ILLUSTRATIVE AUDIT AREAS|
|1||IT Strategy, Governance and Oversight Audit: involves audit of controls around IT Governance Body, its structure, practices, planning processes, budgeting, Risk Management, IT Strategy and its alignment with the business strategy and entity goals.|
|2||IT General Controls Testing (ITGC): comprises the basic controls around application systems, the underlying operating systems, databases and network infrastructure and their components. Examples of ITGCs include logical access security controls, change/release management approval, testing and migration controls, and data centre and network operations controls, including job scheduling and monitoring, interfaces and cyber incident management.|
|3||Automated Business Controls: comprise the business cycle controls that are configured in the application. Examples include data entry and validation controls, reasonableness checks and logic, completeness checks, logical security/access controls, segregation of duties, and pre- and post-implementation audits, including audits of new systems and controls (e.g. GST implementation, CRM, CBS, SRM, RPA, Blockchain, etc.).|
|4||System Reports Testing wherein test logic, completeness and accuracy of reports is covered.|
|5||IT Operations audit: comprises the controls within the processes and services supported by the organization's IT department. Examples include capacity planning and performance monitoring, system hardening procedures, batch job controls, backup and restoration, IT helpdesk and problem management, and network monitoring and administration controls.|
|6||Cyber Security Audit: comprises the controls intended to protect assets from cyber-attacks and to detect, respond to and recover from such attacks. Examples include controls related to cyber security policies and procedures, the cyber security organization, cyber risk management and compliance, application, network and infrastructure security, physical security, training and awareness, third-party cyber risk management, business continuity, cloud security, bot assurance, cyber incident management, threat intelligence and vulnerability management, etc.|
|7||Emerging Audit Tools and Technologies audit including data analytics, artificial intelligence, governance risk and compliance (GRC), RPA (Robotic Process Automation), workflow/automated audit scripts, security monitoring/threat intelligence, dash-boarding, etc.|
|8||Compliance and Regulatory: The audit may cover compliance with the Information Technology Act, 2000 (including the 2008 amendment), data privacy requirements, software licensing requirements, data protection and data storage requirements, the Companies Act, 2013, record retention requirements for companies, RBI/IRDA/TRAI cyber and information technology compliance requirements, vendor and customer contractual software/asset/data obligations, etc.|
|9||Disaster Recovery and Business Continuity: Controls covering data backup, storage of the data required for recovery, Disaster Recovery Management procedures and their periodic testing, etc.|
Annexure 2: Illustrative Information Technology Controls to be Reviewed During Internal Audit in an IT Environment
(Refer paragraph 3.4 and 4.4)
(This Annexure is illustrative in nature and does not form part of the Standard)
|Sr. No||ILLUSTRATIVE IT CONTROL PARAMETERS|
|IT Governance and Strategy|
|1||Executive management is periodically updated on the value achieved from system implementation, including: the overall strategy, vision and maturity; assessment of the system programme's health by means of key performance indicators (KPIs) and key risk indicators (KRIs); trends and anomalies regarding production concerns (e.g. capacity, downtime and exceptions); and return on investment (ROI) and targets for further automation.|
|2||A formal methodology exists for evaluating a system solution prior to commencement of development activities, and it is approved by authorized personnel on a periodic basis. The methodology shall describe how projects / business processes are inventoried, analysed and prioritized for system implementation.|
|System Change Control|
|3||Application changes are appropriately tested and approved before being moved into the production environment.|
|4||Appropriate User Acceptance Testing (UAT) of the solution is performed, with business users involved in designing, executing and approving the tests, and is signed off before the solution is accepted. Documentation of test cases and approvals for each system solution is retained.|
|5||Access to implement changes into the application production environment is appropriately restricted and segregated from the development environment.|
|6||Management reviews and approves the results of the conversion of data (e.g., balancing and reconciliation activities) from the old application system or data structure to the new application system or data structure and monitors that the conversion is performed in accordance with established conversion policies and procedures.|
|IT Security and Logical Access Control|
|7||Presence of structured IT Policy and facility personnel are aware of the applicable policies.|
|8||All accounts used by the system are unique and have been assigned to personnel with ultimate responsibility for the usage of the account. For each system, usage of its accounts is tracked and reviewed on a periodic basis. Where shared accounts are used, compensating controls are in place as appropriate.|
|9||Management approves the nature and extent of user-access privileges for new and modified user access, including standard application profiles/roles, critical financial reporting transactions, and segregation of duties.|
|10||Privileged-level access (e.g., security administrators) is authorized and appropriately restricted.|
|11||Access to terminated and/or transferred users is removed or modified in a timely manner.|
|12||Segregation of duties is monitored, and conflicting access is either removed or mapped to mitigating controls, which are documented and tested.|
|13||User accounts and system privileges with access to the IT environment (system, solution, additional data storage facilities, log files) are reviewed on a periodic basis and the reviews are documented. Any exceptions identified during the reviews are followed up and corrective actions are taken.|
|14||All key attributes of the security configuration are appropriately implemented.|
|15||System security parameters such as password settings, audit logs, access to super-user profiles, critical programs, files and data are adequately secured.|
|IT Back-up and Recovery|
|16||The system has adequately documented backup and recovery procedures and schedules, and backups are adequately monitored.|
|17||System backup is adequately tested for recovery.|
|18||For disaster-recovery purposes, system applications have been prioritized and scheduled for recovery based on importance to the operation.|
|IT Physical and Environmental Controls|
|19||Physical security procedures are implemented: only authorized users have access to the data centre, access to the data centre is monitored, and environmental controls (raised flooring, humidity control, smoke detection and automatic fire-extinguishing equipment) are installed for protection against fire and other hazards.|
|20||There is a complete inventory of the following: Hardware: Computers, File Servers, Printers, Modems, Switches, Routers, Hubs, etc. Software: all software for each Computer is logged with licenses and serial numbers.|
|21||There are written procedures for keeping system inventory which identify who (title) is responsible for maintaining the inventory report.|
|22||Unused equipment is properly and securely stored. All assets are maintained, either under an annual maintenance contract (AMC) or in-house, to keep them in working condition.|
|23||The information system identifies and handles error conditions in an expeditious manner without providing information that could be exploited by adversaries.|
|24||Appropriate procedures are in place to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.|
|25||Requirements for human resources are defined (e.g. recruitment, role profiles, training, retention strategy, third-parties involvement) and aligned with the automation strategy and roadmap. Operational teams are skilled and trained according to the required level of capability and capacity.|
|26||HR processes are in place to recruit, develop and retain IT human resources to ensure ongoing ability to operate an IT control environment around automation solutions.|
|27||An overall real-time monitoring/ alerting framework/ mechanism is in place to detect any anomalies in the end-to-end operation of the IT system processes, controls, systems and/or data. Detailed logging is enabled to capture and review each system solution’s transactions/ activities. Detailed logs are maintained to obtain last execution status in case the system solution fails.|
|28||Network administrator monitors the Network response time, disk storage space, and Network utilization.|
|IT Interface and Job Monitoring|
|29||All system interfaces and jobs are adequately monitored. Only authorized persons have access to schedule interfaces/jobs and to monitor them, so that interfaces and jobs run appropriately, accurately and successfully.|
|30||Only authorized users have access to update the batch jobs (including interface jobs) in the job scheduling software.|
|IT Service Agreements|
|31||Vendor reliability is considered before purchasing IT system hardware and software. Vendor agreements contain the clauses needed to ensure confidentiality, integrity and availability of support. Agreements are signed with defined SLAs and a monitoring mechanism.|
|32||SLAs with vendors are documented and monitored, and an adequate system ensures that a service log is maintained to document and monitor the performance of vendor support services.|
|33||System hardware and software purchase contracts include statements regarding vendor support and licensing.|
|IT Cyber Protection Policy|
|34||The level of cyber protection established on servers and workstations is determined, and cyber-attacks are monitored, by IT administration. Protective software (antivirus, DLP and similar applications) is updated on a monthly basis. Laptops and remote login access, where issued, are provided with secured internet access.|
|36||Network is adequately designed, tested and managed from cyber security perspective.|
|37||Data is adequately categorised, and controls are configured and implemented as per “Data Leakage Prevention” policy.|
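The logical-access controls in items 8, 11 and 12 above are typically tested by comparing an HR export against the application's user and role export. The following script is an added example (not part of SIA 520 or of any ICAI publication) showing how an Internal Auditor might script those three tests with the data-analytics tools that paragraph 4.4 and Annexure 1 (item 7) encourage. The HR master, the application user list, the role names and the segregation-of-duties conflict pairs are all constructed for illustration, and the two-day `grace_days` tolerance for account removal is an assumption: the Standard only says "timely", so the auditor must set the tolerance from the organisation's own policy.

```python
"""Added example: scripted tests of three logical-access controls
(Annexure 2 items 8, 11 and 12) over constructed sample exports."""
from datetime import date

# Review date for the test (an assumption for the example).
AS_OF = date(2020, 1, 31)

# Constructed HR master: employee id -> termination date (None = still employed).
HR_MASTER = {
    "E001": {"name": "A. Rao",  "terminated": None},
    "E002": {"name": "B. Shah", "terminated": date(2019, 11, 15)},
    "E003": {"name": "C. Iyer", "terminated": date(2019, 12, 28)},
    "E004": {"name": "D. Khan", "terminated": None},
}

# Constructed application user/role export. emp_id None = no accountable owner.
APP_USERS = [
    {"account": "arao",    "emp_id": "E001", "enabled": True,
     "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}},
    {"account": "bshah",   "emp_id": "E002", "enabled": True,
     "roles": {"GL_JOURNAL_POST"}},
    {"account": "ciyer",   "emp_id": "E003", "enabled": False,
     "roles": {"AR_CASH_APPLY"}},
    {"account": "dkhan",   "emp_id": "E004", "enabled": True,
     "roles": {"VENDOR_MASTER_MAINTAIN"}},
    {"account": "batch01", "emp_id": None,   "enabled": True,
     "roles": {"GL_JOURNAL_POST"}},
]

# Constructed SoD conflict matrix: role pairs one person must not hold together.
SOD_CONFLICTS = [
    ("AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"),
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RELEASE"),
]


def stale_terminated_accounts(app_users, hr_master, as_of, grace_days=2):
    """Item 11: enabled accounts whose owner left more than grace_days ago.
    Returns (account, employee id, days since termination)."""
    findings = []
    for user in app_users:
        if not user["enabled"] or user["emp_id"] is None:
            continue  # disabled or unowned accounts are covered by other tests
        term = hr_master.get(user["emp_id"], {}).get("terminated")
        if term is not None and (as_of - term).days > grace_days:
            findings.append((user["account"], user["emp_id"], (as_of - term).days))
    return findings


def unowned_accounts(app_users):
    """Item 8: enabled accounts with no accountable owner in HR
    (service or shared accounts that need a named owner or compensating control)."""
    return [u["account"] for u in app_users if u["enabled"] and u["emp_id"] is None]


def sod_violations(app_users, conflicts):
    """Item 12: enabled accounts holding both roles of a conflicting pair."""
    findings = []
    for user in app_users:
        if not user["enabled"]:
            continue
        for role_a, role_b in conflicts:
            if role_a in user["roles"] and role_b in user["roles"]:
                findings.append((user["account"], role_a, role_b))
    return findings


def run_access_review(app_users=APP_USERS, hr_master=HR_MASTER, as_of=AS_OF):
    """Run all three tests and return the exceptions for the working papers."""
    return {
        "stale_terminated": stale_terminated_accounts(app_users, hr_master, as_of),
        "unowned": unowned_accounts(app_users),
        "sod": sod_violations(app_users, SOD_CONFLICTS),
    }


if __name__ == "__main__":
    for test_name, exceptions in run_access_review().items():
        print(f"{test_name}: {exceptions}")
```

Each exception returned is a candidate deficiency, not a conclusion: per paragraph 4.7, the auditor still obtains the process owner's explanation (for example, a documented compensating review over the shared `batch01` account) before finalising the finding. Disabled accounts of leavers are deliberately excluded from the item 11 test because the control requires removal or modification, and disabling satisfies it.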