15_-_Cyber_Security

An IT security audit is a thorough evaluation of an organization's information security system, aimed at identifying vulnerabilities, ensuring compliance, and verifying security controls. The audit process involves defining objectives, planning, conducting the audit, reporting results, and taking corrective actions. Additionally, the document outlines the differences between security audits and risk assessments, the importance of cyber security in the banking sector, and methodologies for conducting IT/IS audits.

Uploaded by

Anshuman Raj

Cyber Security (Cost and Management Audit, Chapter 15)

An IT security audit is a comprehensive examination and assessment of an enterprise's information security system.

Benefits of an IT security audit
- identifies weak spots and vulnerabilities in the IT infrastructure - hardware, software, services, networks, and data centers,
- verifies security status and controls,
- ensures compliance with data security laws.

The Steps in an IT Security Audit


A cyber security audit consists of five steps:
1. Define the objectives - Lay out the goals that the auditing team aims to achieve by conducting the
IT security audit. Make sure to clarify:
a. Which systems and services do we want to test and evaluate?
b. Is the audit for the digital IT infrastructure, for the physical equipment and facilities, or for both?
c. What are the specific risks to be addressed?
d. Does the audit need to be geared towards proving compliance with a particular regulation?

2. Plan the audit – After laying out the goals / objectives of the audit, it is crucial to:
a. Define the roles and responsibilities of the management team and the IT system
administrators for each task.
b. Identify, monitor and report on the tools that the team will use for each task.
c. Document and circulate the plan to ensure that all staff members have understood the plan
before the audit begins.

3. Perform the auditing work - The auditing team should conduct the audit according to the plan.
This will include:
a. running checks on IT resources to assess network security, data access levels, user access
rights, and other system configurations,
b. physically inspecting the data center for protection from fires, floods, and power surges, and
c. interviewing employees outside the IT team to assess their knowledge of security concerns and
adherence to company security policy.

4. Report the results - Compile audit-related documentation into a formal report that can be given
to management stakeholders or the regulatory agency. The report should include
a. a list of any security risks and vulnerabilities detected in IT systems,
b. actions taken by IT staff to mitigate them.

Email ID – [email protected]; Mob.: +91 96439 29913


YouTube Channel – CA CS CMA Nikkhil Gupta; - [email protected] (only for FB)

5. Take necessary action for the deficiencies - Follow the recommendations outlined in the audit
report. Examples of remedial actions which can be taken:
a. Performing remediation procedures to fix a specific security flaw or weak spot.
b. Training employees in data security compliance and security awareness.
c. Adopting additional best practices for handling sensitive data and recognizing signs of
malware and phishing attacks.
d. Acquiring new technologies to strengthen existing systems and regularly monitoring the
infrastructure for security risks.

Difference Between a Security Audit and a Risk Assessment

1. When it is performed
- Security Audit: performed on an existing IT infrastructure.
- Risk Assessment: performed at the start of an IT initiative, before tools and technologies have been deployed.
2. Purpose
- Security Audit: to test and evaluate the security of current systems and operations.
- Risk Assessment: also performed every time the internal or external security threat increases, e.g. when there is a sudden rise in ransomware attacks.
3. Frequency
- Security Audit: schedule security audits at regular intervals so that the overall security posture is assessed on an ongoing basis.
- Risk Assessment: performed regularly to assess new risks and to re-evaluate risks that were previously identified.
4. Outcome
- Security Audit: to make sure that the security audit is effective in identifying flaws and weaknesses in the IT system, the best practices above should be followed.
- Risk Assessment: to determine how best to build the IT infrastructure to address known security risks.

Compliance and Security Framework


The banking sector relies heavily on electronic platforms and online transactions, hence cyber security is
imperative. Accordingly, RBI expects banks to:
- assess their cyber security preparedness and the effectiveness of their information security controls,
- ensure that the bank's board adheres to information security governance, and
- report to the Cyber Security and Information Technology Examination (CSITE) Cell of the
Department of Banking Supervision.


CYBER SECURITY AND CYBER FORENSICS

1. Focus
- Cyber Security: preventing data loss or cybercrimes from occurring.
- Cyber Forensics: uncovering and preserving encrypted or lost data.
2. Nature
- Cyber Security: preventive.
- Cyber Forensics: reactionary.
3. Activity
- Cyber Security: creating defensive measures to protect against cyber attacks.
- Cyber Forensics: the practice of recovering data from a device, often to uncover evidence of criminal activity. It is not concerned with preventing the incident itself.
4. Skills required
- Cyber Security: information technology (IT) skills - programming, operating systems, and networking.
- Cyber Forensics: investigation and recovery of lost data.
5. Objective
- Cyber Security: to create a network or system that is impossible to breach, thereby protecting the information.
- Cyber Forensics: to use a variety of skills to locate and recover valuable data.
6. Means
- Cyber Security: ways of ensuring appropriate cyber security include setting user permissions and requiring secure and frequently changing passwords.
- Cyber Forensics: recovery of lost data is done using programming, hardware knowledge and software knowledge.
7. Responsibility
- Cyber Security: everyone in the organization is responsible for cyber security.
- Cyber Forensics: computer forensics specialists are called in to help a company recover lost data. This may be presented in a court of law, if required.
8. Specializations required of a professional
- Cyber Security: systems architecture, software security, access management, ethical hacking, and vulnerability assessment.
- Cyber Forensics: criminal investigations, uncovering data that is relevant to a crime, and data recovery.


IT AUDIT IN BANKING SECTOR


Computerization / digitisation has been introduced in banking and financial organisations to achieve
their goals effectively and efficiently. However, an organization is exposed to several risks in the
computerized environment. An IT / IS audit evaluates the adequacy of the security controls and
informs the management with suitable conclusions and recommendations.

Objectives of IT / IS audit
1. Safeguarding of Information System Assets/Resources - The Information System Assets of
the organization must be protected by a system of internal controls. This includes the protection of:
- hardware (it can be damaged by fire/flood or maliciously),
- software and data files (they can be deleted or altered),
- facilities / supplies (they can be used by unauthorized persons),
- people (knowledge) (they can be poached by competitors), and
- system documentation.

2. Maintenance of Data Integrity/Safety – Data integrity includes the safeguarding of the
information against unauthorized addition, deletion, modification, or alteration.

The desired features of the data (which needs to be protected) are described hereunder:
- Accuracy: Inaccurate data may lead to wrong decisions.
- Confidentiality: Data should be protected from being read or copied by anyone who
is not authorized to do so.
- Completeness: Incomplete data loses its significance and importance.
- Up-to-date Status: If the information is not updated regularly, it presents a false
picture of the organization.
- Reliability: Data should be reliable because all business decisions are taken based on
the current database.
- Availability: Data should be available when an authorized user needs it. At the same
time, it should be unavailable to unauthorized users.
- Timeliness: If data is not available when required, the purpose of maintaining the
database gets defeated.
- Effectiveness: Information should be effective so that it helps in the process of
business development and expansion.

3. Maintenance of System Effectiveness – One of the objectives of an IS audit is to verify system
effectiveness. It provides input to decide when, what and how the system should be improved so
that its utility to the management is maximised.

4. Ensuring System Efficiency - Information System resources such as machines, computer peripherals,
software, etc. are scarce and costly. Efficient Information Systems use minimum resources to
achieve the desired objectives. It is necessary to know whether the available capacity has been
exhausted or whether the existing allocation of computer resources is causing bottlenecks /
stoppages in work. Hence, assessing the capabilities of the hardware and software against
the workload of the environment is essential.


Scope of IT / IS Audit
The IT / IS audit should cover all the computerized departments/offices of the organization. The scope
of IS audit should include:
- planning and organization of the Information Systems activity,
- monitoring of such activity, and
- the examination of the adequacy of the organization and management of the IS specialist staff
and the non-specialists with IS responsibilities to address the exposures of the organization.

Information Systems Audit Approaches


There are three approaches for conducting Information Systems Audit viz. auditing around the
computer, auditing through the computer, and auditing with the computer.
1. Auditing around the Computer – Under this approach, the emphasis is on checking the
correctness of the output data/documents concerning the input of a process without going into
the details of the processing involved. This approach may be used when an application system
uses a generalized package that is well tested and used by many users as its software platform.

2. Auditing through the Computer – Auditing through the computer requires a fair knowledge
of the operating system, hardware being used, and certain technical expertise in systems
development. Under this approach, the computer programs and the data are audited. This
approach is time-consuming, as it needs an understanding of the internal working of an
application system. It also needs some technical expertise.

3. Auditing with the Computer – Under this approach, the computer system and its programs
are used as tools in the audit process. The objective is to perform the audit using the computers
and their programs. Audit interrogation and queries are carried out on the data, using special
programs designed for the purpose. Computers are quite useful in the testing of transactions.
Some of the software tools used for this purpose are briefly described hereunder:
- Computer Assisted Audit Tools (CAATs): used to audit system-generated files, records,
and documents and to evaluate the internal controls of an accounting system.
- Audit Software: a program, used by the auditors, to process data of audit significance
from the auditee's accounting system.
- Test Data Techniques: a sample of data transactions is entered into the auditee's
computer system and the results are compared with predetermined results.
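The following is an added example, not code from these notes, showing what "auditing with the computer" looks like in practice: a minimal CAAT in Python that (1) interrogates a transaction file for control breaches and (2) applies the test-data technique by running predetermined transactions through the auditee's processing routine and comparing against expected results. The record layout, the control parameters (authorised posters, approval limit), the interest routine and the sample transactions are all assumptions constructed for illustration.

```python
"""Added example (not code from the course notes): a minimal Computer
Assisted Audit Tool in Python for "auditing with the computer".

It performs two activities the notes describe:
  1. audit interrogation of a transaction file, and
  2. the test-data technique: predetermined transactions are run through
     the auditee's processing routine and compared with expected results.
The record layout, control parameters, interest routine and sample
transactions are all assumptions constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Optional


@dataclass(frozen=True)
class Txn:
    txn_id: int
    account: str
    amount: Decimal          # positive = credit, negative = debit
    posted_by: str
    approved_by: Optional[str]


# Constructed sample transaction file (not real data).
SAMPLE_TXNS = [
    Txn(1001, "SB-001", Decimal("2500.00"), "clerk_a", "officer_x"),
    Txn(1002, "SB-002", Decimal("-120000.00"), "clerk_a", None),      # above limit, unapproved
    Txn(1003, "SB-003", Decimal("750.00"), "clerk_b", "officer_x"),
    Txn(1003, "SB-003", Decimal("750.00"), "clerk_b", "officer_x"),   # duplicate posting
    Txn(1005, "SB-004", Decimal("15.00"), "clerk_a", "clerk_a"),      # self-approved; id 1004 missing
    Txn(1006, "SB-005", Decimal("99.99"), "temp_user", "officer_y"),  # poster not authorised
]

# Assumed control parameters taken from a hypothetical access policy.
AUTHORISED_POSTERS = {"clerk_a", "clerk_b"}
APPROVAL_LIMIT = Decimal("50000.00")   # above this a second officer must approve


def interrogate(txns):
    """Audit interrogation: return (txn_id, exception) pairs for control breaches."""
    findings = []
    seen = set()
    for t in txns:
        if t.txn_id in seen:
            findings.append((t.txn_id, "duplicate transaction id"))
        seen.add(t.txn_id)
        if t.posted_by not in AUTHORISED_POSTERS:
            findings.append((t.txn_id, "posted by unauthorised user"))
        if abs(t.amount) > APPROVAL_LIMIT and t.approved_by is None:
            findings.append((t.txn_id, "above approval limit without approval"))
        if t.approved_by is not None and t.approved_by == t.posted_by:
            findings.append((t.txn_id, "self-approved"))
    # Gaps in the id sequence point to deleted or suppressed transactions.
    ids = sorted(seen)
    for prev, nxt in zip(ids, ids[1:]):
        if nxt - prev > 1:
            findings.append((nxt, f"sequence gap after {prev}"))
    return findings


def auditee_interest(balance, annual_rate, days):
    """Stand-in for the auditee's own interest routine (hypothetical, correct)."""
    raw = balance * annual_rate * days / Decimal(365)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def truncating_interest(balance, annual_rate, days):
    """Defective variant that truncates instead of rounding; shows what test data catches."""
    raw = balance * annual_rate * days / Decimal(365)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_DOWN)


# Predetermined test data: (balance, annual rate, days, expected interest).
TEST_DATA = [
    (Decimal("10000.00"), Decimal("0.04"), 365, Decimal("400.00")),
    (Decimal("10000.00"), Decimal("0.04"), 30, Decimal("32.88")),
    (Decimal("0.00"), Decimal("0.04"), 30, Decimal("0.00")),
]


def run_test_data(routine, cases):
    """Test-data technique: return the cases whose output differs from the predetermined result."""
    mismatches = []
    for balance, rate, days, expected in cases:
        got = routine(balance, rate, days)
        if got != expected:
            mismatches.append((balance, rate, days, expected, got))
    return mismatches


if __name__ == "__main__":
    for txn_id, issue in interrogate(SAMPLE_TXNS):
        print(f"txn {txn_id}: {issue}")
    print("auditee routine mismatches:", run_test_data(auditee_interest, TEST_DATA))
    print("truncating routine mismatches:", run_test_data(truncating_interest, TEST_DATA))
```

Run stand-alone, the interrogation reports the unapproved large debit, the duplicate posting, the self-approval, the unauthorised poster and the gap at id 1004, while the test data passes the correct routine and exposes the truncating one on the 30-day case. In a real engagement the sample file would be the auditee's export and the expected values would be computed independently by the auditor before the run, which is what makes the comparison evidence rather than a re-execution of the auditee's logic.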

Information Systems Audit Methodology

1. Planning the IT / IS audit: IS auditors should plan the audit work in a manner appropriate for meeting
the audit objectives. As a part of the planning process, IS auditors should:
a. obtain an understanding of the auditee department/office/organization and its
processes,
b. understand the objectives to be accomplished in the audit,
c. collect background information,
d. assign appropriate staff keeping in mind skills, aptitude, etc., and
e. identify the areas of risk.


In this phase, IS auditors are required to understand the internal controls used within an
organization. Various techniques can be used to understand the internal controls, viz.
- review of previous audit reports/papers,
- interview/interaction with the management and Information Systems personnel,
- observation of activities carried out within the Information Systems function, and
- review of Information Systems documentation.

2. Tests of Controls: During this phase of IS audit, Internal Controls are tested to evaluate whether
they operate effectively. The objective is to evaluate the reliability of the controls and find out
weaknesses of the controls.

3. Tests of Transactions: Tests of Transactions are used to evaluate whether erroneous
transactions have led to a material misstatement of the financial information. The objective
is to evaluate data integrity.

4. Tests of Balances: During this phase, a final judgment is made on the extent of the losses or account
misstatements that occur when Information Systems fail to safeguard assets or maintain data
integrity. The substantive tests used include:
a. confirmation of receivables,
b. physical verification of inventory, and
c. recalculation of depreciation on fixed assets.

5. Completion of Audit: This is the final stage of IT/IS audit. Auditors are required to form their
opinion, clearly indicating
a. their findings,
b. analysis, and
c. recommendations.
IS audit findings should be discussed with the appropriate/authorized personnel throughout the IS
audit. The draft audit report should be shared with the auditee. Once the auditee's
responses have been received, the final audit report should be prepared and submitted to the
designated authority/management of the organization.

Broad Framework for Conducting IT/IS Audit


The major concerns of the IT/IS audit are as under:
1. Safeguarding Assets: One of the prime objectives of any audit is to ensure that the assets of the
organization are safeguarded. In the computerized environment, the assets to be safeguarded are
a. hardware,
b. software,
c. data, and
d. users.
An organization may expect losses if these assets are destroyed, stolen, left unutilized, denied
service, or used for unauthorized purposes. The IS auditors should verify that the assets are put to
effective use in a secure environment. IS auditors should inspect the following areas:


- Environmental Security: The server room must not be easily accessible. The server room should
be used exclusively for the server itself, and other items, equipment, etc. should not be kept there.
- Uninterrupted Power Supply: Conditioned and stabilized power must be supplied to
computer equipment at all times. The UPS must function properly when the electricity fails.
- Electrical Lines: Faulty electrical cabling and wiring are responsible for operational failures.
There should be separate and proper earthing for the dedicated electrical line.
- Data Cabling: Network problems arise due to cable faults. Hence, the routing of cables, the locations of
cable closets, the sites of switch and router installation, etc. should be carefully planned. Further,
electrical cables and data cables should not cross each other, to avoid possible disturbance during
data transfer.
- Fire Protection: Fire alarm systems, smoke detectors, and fire extinguishers are very
important for dealing with a fire breaking out.
- Insurance: All critical computer equipment is required to be insured with a reputed insurance
firm/s to secure the Information System resources/assets of the organization.
- Annual Maintenance Contract: Periodic maintenance of the computers, network, etc. is
essential to ensure trouble-free operation of the equipment.
- Logical Security: It restricts access to the system if the user fails to identify himself/herself to
the system correctly. The login name/user ID and password are the controls for this security. The secrecy
and security of the user ID and password, the different levels of access rights and their allocation
to the users require the consideration of the IS auditors.
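As an added example (not code from these notes), the script below performs the kind of logical-access review the Logical Security point calls for: it goes over a user-access listing and flags generic or shared IDs, passwords older than policy, dormant accounts, privileged access not on the approved list, and users holding conflicting rights. The review date, the policy thresholds, the approved-administrator list, the right names and the sample listing are all assumptions constructed for illustration.

```python
"""Added example (not code from the course notes): a logical-access review
in Python over a user-access listing such as one exported from a banking
application. All policy values, names and the listing are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

REVIEW_DATE = date(2024, 3, 31)          # assumed date of the review
MAX_PASSWORD_AGE_DAYS = 90               # assumed policy value
DORMANT_AFTER_DAYS = 60                  # assumed policy value
APPROVED_ADMINS = {"sysadmin_r"}         # assumed approved privileged users
GENERIC_PREFIXES = ("test", "temp", "guest", "shared")
# Rights one person should not hold together (segregation of duties).
SOD_CONFLICTS = [({"post_txn", "approve_txn"}, "post and approve transactions")]


@dataclass
class UserAccess:
    user_id: str
    rights: set
    last_login: Optional[date]
    password_set: date
    enabled: bool = True


# Constructed sample listing (not real data).
SAMPLE_LISTING = [
    UserAccess("clerk_a", {"post_txn"}, date(2024, 3, 28), date(2024, 2, 1)),
    UserAccess("officer_x", {"approve_txn"}, date(2024, 3, 29), date(2023, 11, 1)),       # stale password
    UserAccess("clerk_b", {"post_txn", "approve_txn"}, date(2024, 3, 25), date(2024, 3, 1)),  # SoD conflict
    UserAccess("sysadmin_r", {"admin"}, date(2024, 3, 30), date(2024, 1, 15)),
    UserAccess("vendor_svc", {"admin"}, date(2023, 12, 1), date(2023, 12, 1)),           # dormant, unapproved admin
    UserAccess("guest01", {"read"}, None, date(2024, 3, 1)),                              # generic id, never used
]


def review_access(listing, today=REVIEW_DATE):
    """Return (user_id, finding) pairs for every enabled account that breaches policy."""
    findings = []
    for u in listing:
        if not u.enabled:
            continue  # disabled accounts are out of scope for this review
        if u.user_id.startswith(GENERIC_PREFIXES):
            findings.append((u.user_id, "generic or shared id"))
        if (today - u.password_set).days > MAX_PASSWORD_AGE_DAYS:
            findings.append((u.user_id, "password older than policy"))
        if u.last_login is None or (today - u.last_login).days > DORMANT_AFTER_DAYS:
            findings.append((u.user_id, "dormant account"))
        if "admin" in u.rights and u.user_id not in APPROVED_ADMINS:
            findings.append((u.user_id, "privileged access not approved"))
        for conflict, label in SOD_CONFLICTS:
            if conflict <= u.rights:  # user holds every right in the conflicting pair
                findings.append((u.user_id, f"segregation of duties: {label}"))
    return findings


if __name__ == "__main__":
    for user_id, finding in review_access(SAMPLE_LISTING):
        print(f"{user_id}: {finding}")
```

The findings list is the auditor's working paper: each entry names the account and the control it breaches, which is what gets taken back to the administrators for explanation or remediation. The thresholds are deliberately parameters at the top so that the script can be re-run against the organization's own documented policy rather than the assumed values used here.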

2. Data Integrity: Data is the most important resource in a computerized environment, and it needs
to be accurate, complete, consistent, up-to-date, and authentic. IS auditors must examine the following
points in respect of data integrity:
- Data Input Controls: Data entry is a major area for intentional fraudulent activity. It involves
the addition, deletion, modification, or alteration of the input transactions or data. Hence, the
IS auditors should minutely evaluate the effectiveness of the data input controls.
- Data Processing Controls: The application system processes the data online on a day-to-day
basis. The IS auditors should examine that only designated/authorized officers perform the data
processing operation.
- Purging of Data Files: This is the deletion of useless data files, usually of a past period (which
are no longer necessary in the current period). Before undertaking the purging activity, it is
necessary to take a backup of the full data directory.
- Data Backup: Data backup is an essential aspect of all computer operations. Some commonly
used backup media include hard disks, floppy disks, tape cartridges, CD-ROMs, DVD-ROMs, etc.
- Restoration of Data: This is defined as the downloading of data from backup media in case of a
crash of the system, corruption or loss of data due to a virus attack, or destruction of a server or
the computer site.

3. Business Continuity Planning: Disruption of operations can occur because of power failure, UPS
failure, server failure, inability to read/restore backups, cable fault, fire, flood, building collapse,
etc. A Business Continuity Plan is prepared to recover from such interruptions. It is all about
anticipating any disastrous event and planning adequately for the business to live through it.

4. System Effectiveness: It is expected that the Information system should improve the overall
quality of work including accuracy and time consumed in performing the tasks. Further, it should
be user-friendly. The IS auditors should judge how effective the system is in accomplishing the
goals with which computerization was introduced.


5. System Efficiency: The IS auditors should examine whether every computer asset is used to its
maximum operational capacity.

6. Organization and Administration: Efficiency in computerized operations depends on the
efficiency of the personnel using the computer resources. Computer personnel should do their
work completely, timely and accurately, and with minimum resources.
