
Audit of information and communication technologies. copextel sa case

Anonymous

The title of our work is: "The double function of the Internal Auditor in the Audit of Information Technology and Communications. Experience of the Villa Clara Territorial Division".

The authors of this work are MsC. Antonio Rodríguez Pérez, Law graduate of the Central University of Las Villas, Legal Advisor and Advisor for Internal Control issues at COPEXTEL SA, Villa Clara Territorial Division, and Lic. Olga Lidia León Burguera, Legal Advisor, Law graduate of the University of Havana, Advisor to COPEXTEL SA, Villa Clara Territorial Division, for Quality Management issues.

The research falls within the field of Auditing, specifically the Audit of Information Technologies.

The objectives we set for ourselves are the following: Establish the direct history of the Information and Communication Technologies Audit; define the Impact of ICT in Business Management; specify the dual role of the Internal Auditor in ICT Audits and point out the importance of validating all these processes on the basis of International Standards, defining it based on the experience of COPEXTEL SA, Villa Clara Territorial Division.

The ICT Audit has become increasingly relevant since its appearance in 1969, due to the growing importance and prominence of computer systems in all areas of our Society. These audits help organizations evaluate the way they do their business or provide their ICT-supported services, seeking to protect the interests of the State, Workers and Clients. One element that has led us, to a large extent, to reduce the risks in terms of the use of ICT in our Division has been to incorporate the Internal Auditors of our Integrated Quality Management System into the development processes of the Computer Systems that sustain and organize some of our activities. The participation of the Internal Auditor is one of the best controls in the development of computerized business management systems, as it is the best time for the Auditor to influence the design of controls. Information is the most important resource of any company, as it is the only one that cannot be replaced, or only with great difficulty. At the same time, it is the resource that is subject to the highest vulnerabilities. When we were able to include issues related to the application of ICT in business management in Internal Audit, we managed to evaluate the effectiveness of internal control in this important sphere of the company, achieving true diversity in the Checklist used by the Auditors.
Achieving an Integrated Management System, already certified under the ISO 9001 Standard, has allowed us to direct our work towards achieving, in the short term, certification under the ISO 27001 and 27002 Standards, on which we will briefly dwell below.

The main conclusions that we reached in our research are that the rapid development of Information and Communication Technologies requires from the business world more effective action in relation to the ordering of internal control mechanisms, without distorting their essence; furthermore, we were able to verify that the Auditor's work, from the first moments of the emergence and implementation of computer applications, allows us to detect and correct possible risks in Business Management at lower cost and in a more timely manner. Another conclusion we reached is that it is feasible and objectively possible to integrate, within Internal Audits of Business Management Systems, the issues related to the control, supervision and inspection of Information and Communication Technologies, in addition to having the option of validating these best practices against International Standards such as ISO 27001 and 27002.

Development.

The objectives we set for ourselves are the following:

  1. Establish the direct history of the Audit of Information and Communication Technologies.
  2. Define the Impact of ICT on Business Management.
  3. Specify the dual role of the Internal Auditor in ICT Audits.
  4. Point out the importance of validating all these processes based on International Standards.
  5. Highlight the experience of COPEXTEL SA, Villa Clara Territorial Division, in relation to the application of these good practices.

The scope of our investigation was basically focused on the work carried out at COPEXTEL SA, Villa Clara Territorial Division, by the Internal Auditors of the Integrated Quality Management System, related to the review of Information and Communication Technologies and their insertion into our Business Management System, as part of the actions of the Internal Control System that we have in place. Our experience covered the seven Strategic Business Units declared in our organizational structure, the 4 Support Managements and the Division's management apparatus.

Globalization, the Internet, new markets… The increasing complexity of the environments in which companies operate, and especially the growing importance that Information Systems have acquired, make it necessary for internal audit departments to make an effort to anticipate new risks before it is too late. Close coordination with the departments responsible for the information systems, which does not always exist, is essential for this task.

The Audit of Information and Communication Technologies has become increasingly relevant since its appearance in 1969, due to the growing importance and prominence of computer systems in all areas of our Society. Currently, Companies and Organizations place on their Information Systems the responsibility of managing their business transactions effectively and efficiently. Manual processes are less and less frequent, and in practice almost all companies make use of the enormous processing, management and communication capacity available, at prices increasingly affordable to Organizations of all sizes. This responsibility means that a possible loss of operation of these systems has a very significant impact on corporate management capabilities, making it increasingly essential to have methods and technologies that minimize the likelihood of incidents with these negative consequences.

Electronic data processing began in the 1950s to keep accounts and record activities in organizations. Soon after, the interest in auditing information systems, the business processes supported by them, financial-accounting data, technological infrastructure and computer security began.

Activities supported by ICT are reviewed to assess controls and compliance with policies and regulations, as well as the degree to which they support efficiency, effectiveness and economic profitability.

These audits help organizations evaluate the way they do their business or provide their ICT-supported services, seeking to protect the interests of the State, the Workers and the Clients. This makes it possible to validate the security, reliability, integrity and privacy of the information systems.

Given the increasing dependence of organizations on ICT and the emergence of regulations for their good governance, the internal auditor also works as a business advisor, advising on the establishment of policies and standards that ensure information and control of ICT.

One element that has led us, to a large extent, to reduce the risks in terms of the use of ICT in our Division has been to incorporate the Internal Auditors of our Integrated Quality Management System into the development processes of the Computer Systems that sustain and organize some of our activities; below we describe our experience based on the elements on which the Auditor's work rests in that context. We are in the presence, in this case, of the preventive work of the Auditor, which, when properly carried out, contributes not only to building internal control skills among managers and workers, but also to avoiding violations of the standard.

The participation of the Internal Auditor is one of the best controls in the development of computerized business management systems, as it is the best time for the Auditor to influence the design of controls. During this period, changes can be made in the application control structure, at a much lower cost and with less effort, than after the system is in its productive stage.

The Auditor's main contribution is to ensure that the new systems include appropriate controls (effective and sufficient).

Our experience has allowed us to define some of the main problems that the Internal Auditor encounters during the development of the Company's Management Information Systems, which we formulate as questions that we answer below.

  • Do Auditors lose their independence of mind and objectivity when participating in systems development?
  • If the Auditor participates and says that the controls are appropriate, will he then feel unable to say that the controls are inadequate?
  • Is it justified to produce applications with poor controls simply so that the Auditor can maintain independence?

The solutions to these questions would be:

  • Have running applications reviewed by Internal Auditors other than those who participated during system development.
  • Conduct reviews only at critical points in the system development life cycle.

To achieve a better understanding of the work of the Internal Auditor throughout the process of creating the new computer applications on which certain activities of our Business Management are based, it is necessary to outline the different moments through which an application passes from its birth to its entry into operation.

  1. Audit of the Computer Systems Development Project, during which company management is evaluated and informed of "how well the development phases of the system are carried out". In this sense, the Auditor's work would be aimed at:
    1. Monitoring and evaluating compliance with system development policies and standards.
    2. Evaluating the objectivity of the administrative reviews and approvals of each phase.
    3. Evaluating the responsibility and degree of participation of users, suppliers and technicians.
    4. Evaluating the planning and execution of the implementation phase.
  2. Audit of the Administration of Systems Development Projects. The audit intervention points will be established in each of the stages of the development cycle of the System:
    1. Definition of information needs
    2. Definition of the data model
    3. Design of the information system
    4. Construction and testing of the systems
    5. Implementation of the system
    6. Operation and adjustment of the system
  3. Audit of the Previous Study Phases. The Auditor should:
    1. Verify that the processes leading to the solution of the problem are reasonable.
    2. Determine that the needs of the user are defined and documented.
    3. Verify that studies have been carried out on the cost/benefit ratio and that this ratio is reasonable.
    4. Determine that the business problem has been solved.
    5. Verify that control requirements have been specified.
  4. Design Phase Audit:
    1. Application risks should be identified, determining application controls to reduce the risk to acceptable levels.
    2. Compliance with application standards, policies and regulations must be verified.
    3. Application documentation (manuals) must be complete.
    4. The application must be capable of solving the problems raised.

Furthermore, the Auditor must verify:

  1. Input Specifications
  2. Project Specifications
  3. Output Specifications
  4. Systems Flow Chart
  5. Hardware and Software Requirements
  6. Operations Manual
  7. Procedure Specifications
  8. Data Retention Policy

The remaining phases are:

  1. Audit of the Programming Phase. The following documents should be reviewed:
    1. Programming specifications
    2. General application study (transactions and chains)
    3. Program documentation
    4. Operating Instructions
    5. Test documentation (design and test results)
  2. Audit of the Test Phase. The information obtained from the test phase includes:
    1. Test plan
    2. Test data
    3. Test results
    4. User report with acceptance or rejection of the application
  3. Conversion Phase Audit:
    1. Conversion Plan
    2. Conversion Flowchart
    3. Lists of Conversion Programs and Documentation
    4. Necessary documentation for replacing old programs with new ones
    5. New Operator's Manual
    6. New User Manual
    7. Verification procedure confirming that the conversion phase has been executed successfully

Within our entity's experience in this type of Audit, we can refer to the work carried out in relation to two important applications created by our territorial Specialists: one named "Registry of Clients and Contract Registries" and the other "Management System of Technical Services". From the very birth of these computer applications we were involved in their design, development and implementation for the entire Territorial Division, being able to correct in each of those stages all the technical details necessary to have applications that truly respond to the needs of senior management, while at the same time validating them with internal control tools that give us the certainty that the information contained in each of these software systems cannot easily be tampered with by its users.

Above all, it is necessary to note that each experience addressed in our research is based on the status of Internal Auditors held by the Management Group, made up of 11 specialists in our case. This status of Internal Business Management Auditors has been granted by Lloyd's Register and is endorsed by the ISO 9001 Standard, which gives us the authority to evaluate, audit and improve the management tools enabled for each process declared in the Division. The ISO 9001 Standard does not conflict with the Internal Control System, as it requires that all business management be systematically evaluated in order to detect possible deviations in a timely manner, correct them and work on the basis of continuous improvement. It is the Standard itself that requires the inclusion of ICT-related topics in the scope of each Audit, since the operation of the Company rests on Computer Systems.

The Legal Adviser, as guardian of legality in the Company, together with part of the Management Group of the Division, can carry out supervision and monitoring actions on each of the applications mentioned above, as can the managers of the different command structures. These reviews are done online: each entry in the Software is validated against the primary documents (in hard copy) that support it, and the review measures not only the legality of each entry made, but also the traceability of the operations executed by the users of the system.

In each supervision we measure not only compliance with the legal norm, but also the operation of the software on which each system rests. The different types of reports that we have enabled as a means of consulting these applications are also part of our planned control actions, which gives us the possibility of measuring the effectiveness and efficiency of each process, and in turn compliance with the standard, the backup systems, the possible vulnerability of the systems and the behavior of the human capital that operates these ICTs.

Security Audit based on ISO27001 and ISO27002 Standards

The raison d'être of the ISO 27001 and ISO 27002 Standards is to have a management system that, starting from the fact that absolute security does not exist, offers companies and organizations instruments to guarantee the maximum possible security of their information.

A good definition of security policies is necessary to have specific lines of action in the framework of security related to Information Technology in the future.

ISO / UNE 2700X STANDARD

Information is the most important resource of any company, as it is the only one that cannot or is very difficult to replace. At the same time, it is the resource that is subject to the highest vulnerabilities.

Information security aims to protect information from threats, ensuring business continuity, as well as minimizing potential damage and maximizing return on investment and business opportunities. It is important to underline that information security is not synonymous with computer security. Information security does indeed include technical aspects, but it also extends to the scope of the organization and includes aspects that are strictly legal.

Critical factors for the deployment of good practices included in the ISO 27001 and ISO 27002 Standards

The security policy must be adapted to the objectives of the organization; the information security approach must be consistent with the culture of the organization, requiring the commitment and visible support of management.

SCOPE OF ISO 27002

The ISO27002 standard (formerly ISO 17799) is a guide for companies and organizations, whose content is eminently indicative. It establishes what the company “should do” to have effective information security management.

Structure of ISO 27002

The standard is structured around 12 areas of action called Control Clauses:

  • Risk analysis
  • Security policy
  • Organization of security
  • Classification and control of assets
  • Security linked to personnel
  • Communications and management of operations
  • Control of access to the system
  • Physical security and the environment
  • Development and maintenance
  • Continuity Plan
  • Compliance with laws
  • Security incident management

When we were able to include issues related to the application of ICT in business management within Internal Auditing, we were able to evaluate the effectiveness of internal control in this important area of the company, achieving true diversity in the Checklist used by the Auditors. The Auditors, assisted by experts in these matters, have given us the opportunity to detect risks in a timely manner, modify internal regulations or manuals, define and correct deviations in the main processes on which Business Management is based, and train and develop managers and workers in these activities, making the Audit an important tool available to the top management of our entity, which allows effective and timely decision-making in the various command structures.

Achieving an Integrated Management System, already certified under the ISO 9001 Standard, has allowed us to direct our work towards achieving, in the short term, certification under the ISO 27001 and 27002 Standards, on which we will briefly dwell below.

THE ISO 27001 STANDARD

The second part of the BS7799 standard has become the ISO27001 standard, and specifies how to implement the selected controls of the ISO27002 standard.

Finally, it is important to highlight its great interrelation with other management standards such as the well-known ISO 9001 for Quality and ISO 14001 for the Environment.

Carrying out a Security Audit based on the ISO 27001 and ISO 27002 Standards makes it possible to know the level of security that exists for the company's information, as well as to have enough elements to plan future investments following not only capacity criteria but also security criteria.

This has been an experience limited to our Territorial Division, but it can perfectly well be applied in any Cuban company, which, even without having a certified Management System, can include the Audit of Information and Communication Technologies in its internal control process.

Conclusions.

The main conclusions that we reached in our research are that the rapid development of Information and Communication Technologies requires from the business world more effective action in relation to the ordering of internal control mechanisms, without distorting their essence; furthermore, we were able to verify that the Auditor's work, from the first moments of the emergence and implementation of computer applications, allows us to detect and correct possible risks in Business Management at lower cost and in a more timely manner. Another conclusion we reached is that it is feasible and objectively possible to integrate, within Internal Audits of Business Management Systems, the issues related to the control, supervision and inspection of Information and Communication Technologies, in addition to having the option of validating these best practices against International Standards such as ISO 27001 and 27002.

Recommendations.

  1. Implement, in a phased manner, in the companies of our territory, the experience of the Villa Clara Territorial Division in relation to the insertion, within the Internal Audit, of the control of Information and Communication Technologies.
  2. Strengthen the training courses for Internal Auditors in the area of the new Information and Communication Technologies on which a large part of the Business Management System is based.
  3. Introduce into the study and qualification plans for the subject of Auditing the issues related to the new Information and Communication Technologies.
  4. Conduct workshops at the company level that allow managers and workers to assess the importance of, and the need to exercise, internal control in relation to the ICT applied to the processes of each entity.

