Auditing Information Systems, Second Edition

by Jack J. Champlain


John Wiley & Sons, Inc.

Copyright © 2003 by John Wiley & Sons.

All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey

Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400, fax 978-750-4470, or on the web at Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, 201-748-6011, fax 201-748-6008, e-mail: <>.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services, or technical support, please contact our Customer Care Department within the United States at 800-762-2974, outside the United States at 317-572-3993 or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Cataloging-in-Publication Data:

Champlain, Jack J.

Auditing information systems / Jack J. Champlain.—2nd ed.

p. cm.

Includes bibliographical references and index.

ISBN 0-471-28117-4 (cloth : alk. paper)

1. Electronic data processing—Auditing. I. Title.

QA76.9.A93 C48 2003

658'.0558—dc21 2002034202

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1

While creativity and innovation are what drive new technology, they are also what must secure it.

Jack J. Champlain

List of Registered and Trademarked Names

Access

ACF2

ACL

AFS 2000

Alpha

AltaVista

Amazon.com

AS/400

Baan

Black Hole

BlackICE

BorderWare

Checkpoint Firewall-1

Consumer Reports

Cookie Cutter

Cookie Monster

Cop-Only

CRYPTOCard

Cyber Patrol

CyberCash Wallet

CyberCop Scanner

Cyberguard Firewall

DB2

Defender

Digimark

Diner's Club

EOPACS

Excel

Experian

Explorer

Fedline II

Fedwire

FOCUS

GFX Internet Firewall Systems

Gummi Bears

IDEA

Interceptor

Internet Scanner

J.D. Edwards

Java

JurassicPark

Lawson

Lotus 123

Macintosh

MareSpider

MasterCard

Micro-ID

Monarch

MVS

Net Nanny

Netbuilder Router

Netscape

NetWare

Norton Utilities

ON Guard

Option Finder

Oracle

OS/2

Paradox

PC Tools

Pentium

Pentium II

Pentium Pro

Pentium MMX

PeopleSoft

PGPcookie.cutter

PICK

Pipeline Router

PIX Firewall

Playboy

Portus

PowerBook

PrivateNet

RACF

Retina

SafeBack

Sagent

SAINT

Secure Network Gateway

SecurID

Sidewinder

Star Trek

Star Wars

Tiny

Turnstyle Firewall System

Unix

VAX

VeriSign

Visa

VMS

WebSense

Windows

Windows NT

Windows 95

Windows 2000

Word

WordPerfect

ZoneAlarm

JACK J. CHAMPLAIN, CPA, CISA, CIA, CFSA, is the Information Systems Audit Manager with the Boeing Employees' Credit Union. Of his 22 years in the banking industry, Mr. Champlain has over 15 years of internal auditing experience, including 12 years of information systems auditing. He is a contributor to numerous publications and is a frequent speaker and consultant in the area of information systems auditing. He holds a Master's Degree in Business Administration from Seattle University and a Bachelor's Degree in Finance from the University of Washington. Jack was elected to two three-year terms on the national board of directors of the Association of Credit Union Internal Auditors (ACUIA) and is currently the Vice Chair. He is a past president of the Puget Sound Chapter of the Information Systems Audit and Control Association (ISACA) and is currently the CISA Coordinator and Chair of the Academic Relations Committee. He is also a member of the American Institute of Certified Public Accountants (AICPA) and the Washington Society of Certified Public Accountants (WSCPA).

Acknowledgments

I would like to acknowledge the following individuals who were instrumental in the completion of this book project:

  • My lifelong companion, Shannon, for her patience, love, and understanding during the many 3 A.M. writing sessions we endured
  • My two sons, Jonas and Joshua, for their love and for motivating me to be a better father
  • Sheck Cho, for his dedicated direction
  • Steve Kirschbaum, for his guidance and instruction on network and Internet security

I would also like to thank the following partial list of computer pioneers, some posthumously, for creating a technology that has revolutionized the way humans live and has created a huge industry in which we as IS auditing professionals can make a wonderful, interesting, challenging living.

  • Robert "Bob" Bemer The father of ASCII, who made it a worldwide technology standard. In the 1950s he also developed a key component of the COBOL programming language.
  • Tim Berners-Lee A British physicist who in 1989 invented the World Wide Web at CERN, the European particle physics laboratory near Geneva, Switzerland.
  • Dr. Fred Cohen As a University of Southern California graduate student in 1983, he wrote a computer virus as a controlled experiment to demonstrate the concept, and his work gave the term its formal definition. Unlike most virus writers, his mission is to help mankind, not hurt it. Dr. Cohen also designed protocols for secure digital networks carrying voice, video, and data, and created the first Internet-based information warfare simulations.
  • Seymour Cray Cofounded Control Data Corporation in 1957 and then designed one of the first commercially successful computers built with transistors instead of vacuum tubes, making the machines more reliable and allowing for the miniaturization of components that later made desktop computers possible.
  • Frances "Betty" Snyder Holberton Programmed the groundbreaking ENIAC digital computer for the army in the 1940s and later helped create the COBOL and FORTRAN languages.
  • Claude Shannon Referred to by some as the "father of the Digital Revolution," he outlined a series of mathematical formulas in 1948 to reduce communication processes to binary code, known as "bits," and calculated ways to send the maximum number of bits through phone lines or other modes of communication.
  • Ray Tomlinson Invented network e-mail in 1971 when he merged two programs he had written earlier (SNDMSG/READMAIL and CPYNET) into a single program that enabled messages to be sent between users on two computers via a network. He chose the @ symbol to separate the user's name from the host computer name.
  • Unisys Corporation As its predecessor Remington Rand, dedicated the UNIVAC I, the first commercially produced computer in the United States, on June 14, 1951.
  • The many other computer pioneers whom I have yet to discover and recognize.

Preface

Auditors have always been responsible for consulting with management to help ensure that sufficient and adequate internal controls exist within organizations to mitigate major risks to a reasonable level. Auditors identify and quantify risk using professional judgment based on knowledge, education, experience, and even history. As major events occur, the auditing profession retools its approach to risk assessment to adapt to the new environment.

When the first edition of this book was published (October 1998), it seemed as if the biggest risks organizations faced were insider abuse, hacking, viruses, and the Year 2000 problem. The newspapers were flooded daily with stories of new hacks and viruses, and the creators sometimes were idolized. Huge amounts of human and financial resources were devoted toward Y2K projects. Looking back, the United States and many other western countries were indeed spoiled by the dot-com success and thus became ignorant, complacent, and self-centered. Many businesses worried only about profits, and many individuals worried only about themselves and their antigovernment messages. It was a "me" world. An aura of invincibility existed.

Over the last four years, several new events have forever reshaped the social and business environment of the world. These events have had a direct impact on the internal control environments in which we auditors exist, in both the public and the private sector. Although previously I did not think it was possible, some of these recent events were so significant that they actually have redefined the way most of us view risk. I will discuss three events in particular.

September 11, 2001

Terrorism suddenly became the number-one risk among all risks. It is more disturbing than even war. While war is somewhat predictable in where it is fought and who the enemy is, terrorists are often faceless and can strike anywhere, at any time, even in the heartland of America. No longer can any organization overlook the possibility of being impacted by a terrorist act.

In the first edition of my book, the 1995 bombing of the Federal Building in Oklahoma City and the 1993 bombing of the World Trade Center in New York City were the most serious terrorist acts against the United States. America was outraged that the Oklahoma City bombing was carried out by two of our very own citizens. But these evil acts paled in comparison to the thousands who lost their lives on September 11, 2001. Nobody can forget the horror and feeling of helplessness as we watched the once-mighty twin towers of the World Trade Center buckle from the intense heat of burning jet fuel, the jets having been turned into missiles by Osama bin Laden's hijackers. A successfully coordinated, simultaneous attack by another hijacked jet on the seemingly impenetrable Pentagon was beyond anyone's wildest imagination.

Not only did this terrorist act cause great physical and emotional damage, it concurrently struck at the heart of the world economic system. The airline industry was suddenly in jeopardy of being permanently grounded. Commercial airline manufacturers were immediately forced to cut production and reduce workforces. Many businesses within the World Trade Center itself were destroyed, and government resources suddenly had to be diverted to homeland defense and away from social services. Already reeling from the dot-com bust, the stock market tumbled further, and thoughts of any return to economic health were snuffed. Investors lost billions of dollars. All of us were impacted, either directly or indirectly.

Even our seemingly well-prepared disaster recovery and business resumption plans no longer looked so thorough. Many of them were based on the assumptions that people and data storage devices can be flown to hot sites, that automobile traffic would be available and free flowing, and that cell phones would work. The 9/11 attack has shown us that none of these conveniences can be assumed. Post 9/11 disaster recovery and business resumption plans should have backup procedures for each assumption.

Dot-Com Bust

The dot-com stock market house of cards that ignored Alan Greenspan's famous "irrational exuberance" description began tumbling down in late 1999. By the end of 2001, even the most bullish dot-com princesses became bears struggling to survive. Even many blue-chip stocks lost more than half their value. As it turns out, Mr. Greenspan was correct. Most dot-com business models had no basis in making profits, only in generating revenues and intangible market capitalization. Many dot-commers had no business or management skills, only technical skills. Yet they were being rewarded with billions of dollars from venture capital firms as well as Wall Street investors who themselves had no technical skills to realize that the business models were destined for long-term failure. Although many people initially made millions of dollars on dot-com stock, only those few who were fortunate enough to cash in their stock and options before 1999 were able to retain wealth. Many others lost their life savings. Institutional investors running retirement plans, mutual funds, and 401(k) funds lost billions on behalf of their investors. Many individuals will never recover their losses.

Enron Collapse

As if things could not get worse, the Enron collapse that materialized in late 2001 pointed out that auditors need to look in the mirror and reevaluate themselves and their ethical practices. Enron is the most recent and noteworthy example of how unethical practices by top management can quickly destroy a seemingly magnificent firm in a very short time. There are accusations that Enron and other energy trading firms manipulated energy prices, leading to the doubling and tripling of energy bills to individual consumers. The ramifications affected nearly everyone in the United States, either directly through increased energy bills or indirectly through reduced values of stock holdings or investments in 401(k) plans, mutual funds, and retirement plans. State and local governments that invested in mutual funds holding Enron stock suffered, thereby reducing investment revenues and increasing the need for such governments to reduce services and increase taxes to make up the difference.

Role of Internal Controls

As a result of these events alone, all the world's organizations had to reassess risk and rethink their internal controls. Because of the Enron collapse, ethical practices by senior management, board members, external auditors, and even internal auditors are more important now than ever before. The tone at the top should be foremost on every auditor's list of internal controls. Had proper internal controls been exercised at Enron, the firm would not have incentivized growth at any cost and there would not have been a meltdown from so much artificial overvaluation.

The dot-com bust has caused venture capitalists and other investors to closely scrutinize the management skills and business models of new and existing companies. The companies themselves have had to carefully review their internal controls, including corporate governance controls, to help ensure they remain viable businesses. Auditors must play a key role in this assessment.

While better internal controls within the U.S. government might have deterred some or all of the 9/11 attack, there would likely have been too many skeptics to prevent something equally sadistic from happening later. But better internal controls, such as more timely and accurate communication and coordination among governmental agencies, could have slowed the movement of terrorists and stymied their operational and financial networks. Fully developed and tested disaster recovery and business resumption plans could have saved some organizations and helped lessen the impact on others that managed to survive the attack.

Role of Auditors

Each of the three events just described—the September 11 attack, the dot-com bust, and the Enron collapse—points out the need for everyone to heed the devastating effects of these new twenty-first century risks. It is the role of auditors to make sure that management and indeed world leaders never overlook potential risks by eliminating important and necessary controls. Never again should any of us view risk in the same way. We must learn from history, since eventually it will repeat itself. The types of potential risks are limited only by our imaginations and the imaginations of heinous people and organizations around the globe. Throughout our careers, each time we hear a manager or executive downplay the significance of risks and controls, we should maintain our resolve and continue to remind ourselves never to become complacent or succumb to ignorance or arrogance. Otherwise we risk putting the future of our organizations as well as the future of our families and our way of life in jeopardy.

All organizations must perform complete risk assessments and implement adequate internal controls to help manage all significant risks. The need to do so has always existed, but the urgency has increased dramatically. The western world is under imminent attack, not only by terrorists, but more commonly by thieves and other criminals who will stop at nothing to make money and create havoc at the expense of law-abiding citizens.

Since computing systems play a critical role in all organizations, protection of these systems and the information stored in them is a strategic requirement. Physical security controls over all facilities, including those that house computing systems and information, must be diligently applied. The same is true of logical security controls over computing systems and the information stored in them.