Working knowledge of the business environment and business objectives is required to plan a risk-based audit. The IS auditor should have a sufficient understanding of the overall architecture and technological specifications of the various applications used by the organization and the risks associated with those applications.
In understanding the issues and current risks facing the business, the IS auditor should focus on the areas that are most meaningful to management. To effectively audit business application systems, an IS auditor is required to gain a thorough understanding of the system under the scope of the audit.
The following are some of the widely used applications in business processes. The CISA candidate should be aware of the risks associated with each of them.
E-commerce
Let’s start with understanding how e-commerce works:
- Single-tier architecture runs on a single computer, that is, a client-based application
- Two-tier architecture includes a client and server
- Three-tier architecture consists of the following:
  - A presentation tier (for interaction with the user)
  - An application tier (for processing)
  - A data tier (for the database)
The risks are as follows:
- A compromise of confidential user data
- Data integrity issues due to unauthorized alterations
- The system being unavailable may impact business continuity
- The repudiation of transactions by either party
The IS auditor’s roles are as follows:
- To review the overall security architecture (firewalls, encryption, networks, and PKI) to ensure the confidentiality, integrity, availability, and non-repudiation of e-commerce transactions
- To review the process of log capturing and monitoring for e-commerce transactions
- To review the incident management process
- To review the effectiveness of the controls implemented for privacy laws
- To review anti-malware controls
- To review business continuity arrangements
Electronic Data Interchange (EDI)
Let’s start with understanding how EDI works:
- EDI is the online transfer of data or information between two enterprises.
- EDI ensures an effective and efficient transfer platform without the use of paper.
- The traditional exchange of paper documents between organizations has been replaced with EDI platforms.
- EDI applications contain processing features such as transmission, translation, and the storage of transactions flowing between two enterprises.
- An EDI setup can be either traditional EDI (batch transmission within each trading partner’s computers) or web-based EDI (accessed through an internet service provider).
The risks are as follows:
- One of the biggest risks applicable to EDI is transaction authorization.
- Due to electronic interactions, no inherent authentication occurs.
- Without a trading partner agreement, there could be uncertainty about specific legal liability.
- Any performance-related issues with EDI applications could have a negative impact on both parties.
- Other EDI-related risks include unauthorized access, data integrity and confidentiality, and the loss or duplication of EDI transactions.
The IS auditor’s roles are as follows:
- To determine the data’s confidentiality, integrity, and authenticity, as well as the non-repudiation of transactions
- To identify invalid transactions and data before they are uploaded to the system
- To determine the accuracy, validity, and reasonableness of data
- To validate and ensure the reconciliation of totals between the EDI system and the trading partner’s system
The IS auditor should determine whether controls such as the following are used to validate the sender:
- The use of control fields within an EDI message
- The use of VAN sequential control numbers or reports
- Acknowledgment transactions with the sender
The auditor should also determine the availability of the following controls:
Control requirements for inbound transactions:
- A log of each inbound transaction on receipt
- Segment count totals built into the transaction set trailer
- Check digits to detect transposition and transcription errors
Control requirements for outbound transactions:
- Transactions to be compared with the trading partner’s profile
- Proper segregation of duties for high-risk transactions
- A log to be maintained for outbound transactions
EDI audits also involve the use of audit monitors (to capture EDI transactions) and expert systems (to evaluate transactions).
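As an added example (not from the original text), the following Python sketch shows the three inbound EDI controls listed above as code: logging each transaction set on receipt, checking the segment count in the transaction set trailer against what actually arrived, and validating a check digit that catches transposition and transcription errors. It assumes an X12-style ST/SE envelope with `~` segment and `*` element separators and a weighted modulus-11 check digit; the sample messages are constructed.

```python
# Constructed sample: an X12-style transaction set (ST header ... SE trailer). The SE
# trailer declares how many segments the set contains (ST and SE included) and repeats
# the ST control number. Constructed for this example, not real trading-partner data.
GOOD = "ST*850*0001~BEG*00*SA*PO123**20240101~PO1*1*10*EA*9.95~CTT*1~SE*5*0001~"
# The same set with one segment lost in transit: the trailer count no longer matches.
TRUNCATED = "ST*850*0001~BEG*00*SA*PO123**20240101~CTT*1~SE*5*0001~"

def segment_count_check(transaction_set: str) -> tuple[bool, str]:
    """Completeness control: compare the count declared in the SE trailer with the
    segments actually received, and the SE control number with the ST header."""
    segments = [s for s in transaction_set.split("~") if s]
    if len(segments) < 2 or segments[0][:3] != "ST*" or segments[-1][:3] != "SE*":
        return False, "missing ST header or SE trailer"
    header, trailer = segments[0].split("*"), segments[-1].split("*")
    if len(header) < 3 or len(trailer) < 3 or not trailer[1].isdigit():
        return False, "malformed ST or SE segment"
    declared, actual = int(trailer[1]), len(segments)
    if declared != actual:
        return False, f"segment count mismatch: trailer declares {declared}, received {actual}"
    if header[2] != trailer[2]:
        return False, "SE control number does not match ST"
    return True, "ok"

def mod11_check_digit(body: str) -> str:
    """Weighted modulus-11 check digit for a numeric reference (weights 2..7 cycling from
    the right). Since 11 is prime and every weight is below 11, a single wrong digit or
    an adjacent transposition inside the body always changes the result. 'X' stands for 10."""
    total = sum(int(d) * (2 + i % 6) for i, d in enumerate(reversed(body)))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)

def reference_is_valid(reference: str) -> bool:
    """A reference is valid when its final character is the check digit of the rest."""
    return len(reference) >= 2 and reference[:-1].isdigit() and mod11_check_digit(reference[:-1]) == reference[-1]

def receive(transaction_set: str, received_at: str) -> dict:
    """Logging control: record every inbound transaction set on receipt, including the
    outcome of the completeness check, so an audit trail exists even for rejected sets."""
    accepted, detail = segment_count_check(transaction_set)
    control_number = transaction_set.split("~")[0].split("*")[-1]
    return {"received_at": received_at, "control_number": control_number,
            "accepted": accepted, "detail": detail}

if __name__ == "__main__":
    for ts in (GOOD, TRUNCATED):
        print(receive(ts, "2024-01-01T08:00:00Z"))
    print(reference_is_valid("482935"), reference_is_valid("428935"))  # True False
```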
Point of Sale (POS)
Let’s start with understanding how POS works:
- Debit and credit card transactions are the most common examples of POS.
- Data is captured at the time and place of sale.
The risks of this are as follows:
- The risk of skimming, that is, the unauthorized capturing of card data with the purpose of duplicating the card
- The risk of the unauthorized disclosure of PINs
The IS auditor’s objectives are as follows:
- To determine that data used for authentication (PIN/CVV) is not stored in the local POS system
- To determine that the cardholder’s data (either at rest or in transit) is encrypted
Electronic banking
Let’s start with understanding how it works:
- E-banking websites and mobile-based systems are integrated with the bank’s core system to support automatic transactions without any manual intervention.
- Automated processing improves processing speed and reduces opportunities for human error and fraud.
- Electronic banking increases the dependence on internet and communication infrastructure.
Two of the risks of this are as follows:
- Heavy dependence on internet service providers, telecommunication companies, and other technology firms
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
The IS auditor’s objectives are as follows:
- To determine the effectiveness of the governance and oversight of e-banking activities
- To determine arrangements for the confidentiality, integrity, and availability of e-banking infrastructure
- To determine the effectiveness of security controls with respect to authentication and the non-repudiation of electronic transactions
- To review the effectiveness of the controls implemented for privacy laws
- To review anti-malware controls
- To review business continuity arrangements
Electronic funds transfer (EFT)
Let’s start with understanding how EFT works:
- Through EFT, money can be transferred from one account to another electronically, that is, without cheque writing and cash collection procedures.
Some of the risks are as follows:
- Heavy dependence on internet service providers, telecommunication companies, and other technology firms
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
The IS auditor’s objectives are as follows:
- To determine the availability of two-factor authentication for secure transactions.
- To determine that systems and communication channels have undergone appropriate security testing.
- To determine that transaction data (either at rest or in transit) is encrypted.
- To determine the effectiveness of controls on data transmission.
- To review security arrangements for the integrity of switch operations. An EFT switch connects with all equipment in the network.
- To review the log capturing and monitoring process of EFT transactions. In the absence of paper documents, it is important to have an alternate audit trail for each transaction.
Image processing
Let’s start with understanding how it works:
- An image processing system processes, stores, and retrieves image data.
- An image processing system requires huge amounts of storage resources and strong processing power for scanning, compression, displays, and printing.
- Such systems are capable of identifying colors and shades.
- The use of image processing (in place of paper documents) can result in increased productivity, the immediate retrieval of documents, enhanced control over document storage, and efficient disaster recovery procedures.
Some of the risks are as follows:
- Implementation without appropriate planning and testing may result in system failure.
- The workflow system may need to be completely redesigned to integrate with the image processing system.
- Traditional controls and audit processes may not be applicable to image processing systems. New controls must be designed for automated processes.
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity.
The IS auditor’s objectives are as follows:
- To determine the effectiveness of controls on the inputs, processing, and outputs of image processing systems
- To determine the reliability of the scanners used for image processing
- To review the retention process for original documents
- To determine that original documents are retained at least until a good image has been captured
- To review the confidentiality, integrity, and availability arrangements of image processing systems
- To review the training arrangements for employees to ensure that the processes of image scanning and storing are maintained as per the quality control matrix
Artificial intelligence and expert systems
Artificial intelligence and expert systems do the following:
- Capture and utilize the knowledge and experience of individuals
- Improve performance and productivity
- Automate skilled processes without manual intervention
A knowledge base in AI contains information about a particular subject and rules for interpreting that information. The components of a knowledge base include the following:
- Decision trees: Questions to lead the user through a series of choices
- Rules: Rules that use “if” and “then” conditions
- Semantic nets: A knowledge base that conveys meaning
- Knowledge interface: Stores expert-level knowledge
- Data interface: Stores data for analysis and decision making
The risks are as follows:
- Incorrect decisions or actions performed by the system due to incorrect assumptions, formulas, or databases in the system
- Cyber risks such as system hacking, system unavailability, and a lack of transaction integrity
The IS auditor’s roles are as follows:
- To assess the applicability of AI in various business processes and determine the associated potential risks
- To review adherence to documented policies and procedures
- To review the appropriateness of the assumptions, formulas, and decision logic built into the system
- To review the change management process for updating the system
- To review the security arrangements to maintain the confidentiality, integrity, and availability of the system
Once the IS auditor understands the basic architecture of the business applications and associated risks, the next step is to understand the appropriateness and effectiveness of the implemented controls to mitigate the risks.
Key aspects from CISA exam perspective
The following covers the important aspects from a CISA exam perspective:
| CISA questions | Possible answer |
| --- | --- |
| What is the major risk of EDI transactions? | The absence of an agreement (in the absence of a trading partner agreement, there could be uncertainty related to specific legal liability). |
| What is the objective of encryption? | To ensure the integrity and confidentiality of transactions. |
| How are inbound transactions controlled in an EDI environment? | Inbound transactions are controlled via logs of the receipt of inbound transactions, the use of segment count totals, and the use of check digits to detect transposition and transcription errors. |
| What is the objective of key verification control? | Key verification is a method where data is entered a second time and compared with the initial data entry to ensure that the data entered is correct. It is generally used in EFT transactions, where another employee re-enters the same data to perform this check before any money is transferred. |
| What is the objective of non-repudiation? | Non-repudiation ensures that a transaction is enforceable and that the claimed sender cannot later deny generating and sending the message. |
| What is the most important component of the artificial intelligence/expert system area? | The knowledge base (it contains specific information or fact patterns associated with a particular subject matter and the rules for interpreting these facts; therefore, strict access control should be implemented and monitored to ensure the integrity of the decision rules). |
Self-evaluation questions
- Which of the following is the area of greatest concern in an EDI process?
  - No logging and monitoring of EDI transactions
  - Senior management has not approved the EDI process
  - The contract for a trading partner has not been entered into
  - EDI using a dedicated channel for communication
- Encryption helps in achieving which of the following objectives in an EDI environment?
  - Ensuring the confidentiality and integrity of transactions
  - Detecting invalid transactions
  - Validating and ensuring the reconciliation of totals between the EDI system and a trading partner system
  - Providing functional acknowledgment to the sender
- In an EDI environment, which of the following procedures ensures the completeness of an inbound transaction?
  - The process for transaction authentication
  - Segment count totals built into the transaction set trailer by the sender
  - An audit trail
  - The segregation of duties for high-risk transactions
- In which of the following processes are details entered by one employee re-entered by another employee to check their accuracy?
  - Reasonableness check
  - Key verification
  - Control total
  - Completeness check
- Which of the following is used in an e-commerce application to ensure that a transaction is enforceable?
  - Access control
  - Authentication
  - Encryption
  - Non-repudiation