9
Auditing Information Systems

9.1. What is an audit?

9.1.1. A need for measurement: alignment by audit

Alignment requires an objective, an outcome and a measurement. For this, a governance mechanism is necessary. To meet the economic and organizational realities of businesses, a governance policy must be defined.

The processes of alignment and governance must, however, be dynamic, while covering all the stakeholders of an organization and its network. Given these organizational challenges, a great many audit processes and repositories, both internal and external, have appeared. In this chapter, we propose an analysis of information system alignment and governance by audit. This approach tends to demonstrate the importance of existing frameworks and repositories for the management of an open, multi-stakeholder territory.

As previously mentioned, the strategic alignment of information systems involves: ensuring business department issues have been understood, taking into account process developments, mapping an urbanized target information system, defining the technical architecture and infrastructures to support the target applications, breaking the target information system down into projects, defining the route map to reach the target, prioritizing projects and highlighting interdependencies.

To accomplish these multiple objectives, organizations have progressively set up audit structures and repositories to ensure that their information system is aligned to strategic IS governance and also to the organizational structures in which the information systems are anchored [VAN 09].

Auditing has a long history. The etymological origin of the word comes from the Latin verb audire, meaning “to listen”. The Romans were already using this word to refer to the monitoring exercised by the Imperial power over all the provinces. The audit as we know it these days is, however, a modern invention.

Internationally, the audit became officially recognized in 1941, with the formation of the Institute of Internal Auditors (IIA). The French equivalent of this organization is the Institut français des auditeurs et contrôleurs internes (IFACI), established in 1965, which between 2001 and 2009 produced its Guides pratiques, the French version of the Global Technology Audit Guide (GTAG). The information system audit made its first appearance in the banking and insurance sector, and then developed in industry, services and transport. The 1990s were a turning point in the development of information system auditing, with the publication of important standards and repositories such as Control Objectives for Information and related Technology (COBIT) by the Information Systems Audit and Control Association (ISACA). This progress has been reinforced and confirmed by the information system elements of the 2002 U.S. regulations, the Sarbanes–Oxley Act (SOX), and its French equivalent in 2003: La loi de sécurité financière (LSF).

In its traditional form, the audit is a set of monitoring, verification and advisory exercises, the aim of which is to make a comparison between an object and a benchmark framework. Thus it is a mission of expertise and assessment on a management system. Audits have a cost, which means that not everything can be audited. Accordingly, the audit is linked upstream to a decision as to its purpose and the level of detail needed. The audit has two requirements: to give visibility to the organization’s internal mechanisms and to establish communication between them, the auditees and the Executive. An audit is driven by the need for clarification on scope and budget, performance measurement and alignment, and reassurance on certification and approvals.

9.1.2. The place of the audit

The information system audit adopts the general audit process to evaluate the information system through the added value it brings to the organization. Information system auditing is unique because of the information system’s central structuring position within an organization. Consequently, the information system is unquestionably strategic in nature and appears as a pivot and a tool for continuous improvement. However, at the same time, the integration of the information system into the overall control framework requires specific projects to be managed in line with:

  • implementation of the Public Company Accounting Oversight Board (PCAOB) rules internationally, and of the Haut conseil du commissariat aux comptes (H3C) rules in France;
  • compliance with the requirements of SOX, the European directives or the Loi de sécurité financière (LSF);
  • compliance with requirements relating to confidentiality, availability and integrity of data, in relation to the Data Protection Act and the European data protection regulations.

Thus, the information system has a double commitment: one is to adapt to quality or reliability requirements, deriving from the performance audit, and the other is to meet regulations whose aim is to correct specific organizational deficiencies, deriving from the regulatory compliance audit. Separate elements emerging from the information system audit can be mentioned, such as the framework audit for the business continuity plan (BCP), whose primary objective is to protect the organization from an information system failure, or an IT security audit, designed to test the information system’s resistance to intrusions and attacks via a vulnerability assessment.

For a long time, the information system was regarded as a neutral factor in terms of the production of information for audit purposes. As such, it was not subject to any special procedures. The development of international standards and the application of the regulatory dictates deriving from SOX changed the situation. Information systems must now be held accountable. As such, they are subject to their own audit. In a sense, auditing the information system gives an assurance as to the quality of the data collected for the other audits. The audit is a way to combat internal fraud, as well as to protect the information system from external cyberattacks.

This puts the information system in a central position in terms of auditing. In the 1990s, responsibility for conducting the information system audit was mainly given to external providers, but the 2000s saw the creation of audit departments in major corporations as part of their information system management. This reflects the importance attached to the information system audit in general management deliberations.

9.2. Information systems and auditing

Reconciling the concepts of alignment and governance entails drawing parallels between the notions of evaluating and monitoring the information system, and leads to consideration of an audit of the information system, which has major implications for the governance of a computerized organization. Information system auditing raises many questions, because it involves a large number of internal and external stakeholders. To a large extent, the information system audit has been developed and structured at the international level, with the Institute of Internal Auditors (IIA), the Information Systems Audit and Control Association (ISACA), the Public Company Accounting Oversight Board (PCAOB), and on the French national level with the Institut français de l’audit et du contrôle internes (IFACI), the Association française de l’audit et du conseil informatiques (AFAI) and the Haut conseil du commissariat aux comptes (H3C). Thus, its interpretations and the standards on which it is based are also multiple: Global Technology Audit Guides (GTAG), Control Objectives for Information and related Technology (COBIT) and Auditing Standard 2 (AS2).

As mentioned above, the repositories available are potentially in competition and sometimes redundant. The auditor must therefore be capable of seeing the bigger picture, as this will help him or her use them wisely. He or she must also be able to apply them so as to meet the legal and organizational obligations of the information system. To do so, the auditor must be able to refer to an analysis grid. This may be based on a breakdown into operational versus strategic audit, and on a redistribution of competences between stakeholders, territories and projects. The various auditors must also be capable of comparing their findings and extracting from them similar analyses [HAM 81b].

As with the majority of management activities, the various stages of the information system audit can involve the use of Computer-Assisted Audit Techniques (CAAT).

9.2.1. Information system internal audits

Internal audits are most often part of the regular monitoring of compliance and risk management. As such, the internal audit team specializing in information systems or ICT is there to meet requests for ongoing monitoring made by the General Management or by third parties: legal or regulatory responses, requests from shareholders or customers. When the General Management is the originator of the audit request, it sets targets and produces a mission list to answer its own questions relating to information system management. In this case, the internal audit traditionally focuses on the business activities and the specialist functions of the information system management committee: architecture, quality, methodology and security. An internal audit can also be carried out at the request of the information system management committee itself for purposes of legitimization or reassurance. Finally, an audit can be requested by the internal or external customers of the information system management. It is then in the information system management’s interests to position itself as a high-quality provider, leveraging transparency and partnership.

An internal audit can cover the entire group, one subsidiary or one business activity. Thus, there could be a decision to change the scope of the audit and to move from a global IT audit to an audit of one particular subset: country, region. Requests are addressed to internal experts, who usually become involved upstream of an external audit, during an accreditation process, for instance. We also talk about “mock audits”. In all cases, information system audits cover compliance and risk management with reference to best practices. Information system risks are identified and addressed. Otherwise, they are pending identification and in that case they pose a threat.

In large organizations, internal audit teams dedicated to the information system management must be provided with sufficient resources and clear procedures to successfully carry out their assignments. Indeed, issues relating to conflicts of interest may soon arise if roles and resources are not clearly defined. It is therefore important that the internal audit manager should report directly to the General Management on the findings from his or her work.

9.2.2. Information system external audits

These are audits conducted by an external provider. This is the most common audit and the one which historically was the first to make its appearance. The advantage of an external audit is that it can leverage the cutting-edge expertise of major specialist practices. Apart from the cost reduction assumed by transaction cost theory, bringing in an external provider offers the advantage of greater legitimacy in communicating the findings of the audit. An external auditor has greater autonomy with regard to the information system management committee than the person in charge of an internal audit.

With regard to external audits, the Executive is usually seeking reassurance on complex topics and challenges such as ICT processes and information system project management. Therefore, it is the fact of having confidence in the expertise of an external provider that will lead to the triggering of this type of audit.

In the latter case, it can be assumed that the findings reported will receive recognition from all stakeholders and everyone involved. In the field of IT production, for example, there are recurrent issues that must be addressed: the information system’s response time in relation to the number of workstations and users, processing time (historically referred to as batch processing), the frequency and duration of downtime, etc. In the field of project management, the issues that crop up regularly are more to do with costs, deadlines and quality expectations.

Directors also ask for external audits on topics which they feel are not being dealt with adequately and that they do not know how to manage. Certain gaps have been reported, but no solution has been proposed. For example, the General Management may have noticed a lack of transparency and problems in coordinating information system strategies between the group and its branches when implementing a CRM application. The external audit will then address the ICT issues between the group and the local entity (the branch). In this context, the external audit will be an explicit request for recommendations on how to structure and steer governance.

As regards audits carried out at the request of the information system management committee, these are mainly external audits. They have an operational and/or strategic focus, for example, a budgetary issue. If the information system management feels the budget that has been allocated to it is unrealistic, it will look to the external auditor for arguments it can use in renegotiating the budget with the General Management in the short term, and/or resources to effect cost savings in the medium and long term.

The external audit market is regulated by a number of international and national institutional actors. It is controlled within the regulatory framework established by private operators who have developed expertise that now crosses national borders.

9.3. The audit process

The audit process is based on very strict methodology and working practices, which enable the definition and sequencing of the various activities to be carried out [HAM 81a]. While specialist audit firms use many repositories, there are a number of recurrent and important steps that can be noted:

  • defining the audit parameters: as explained above, the audit has a cost, and this will inevitably limit the scope of the investigation. Moreover, the requirement specified by the person making the request will determine the scope of the domain to be audited. For instance, in the case of a request initiated by the General Management, the audit may be strategic in nature and focus on the information system’s place within the organization and its degree of alignment. If the request was initiated by a departmental manager, the audit may be more operational in nature and may aim to assess the security attached to an application or the quality of a delivered service covered by a Service Level Agreement (SLA). These two examples show how the nature of the requester will determine the focus of the audit and, consequently, its scope;
  • planning the audit process: during this phase, the auditor will determine the audit’s objectives and priority themes, individual responsibilities (of the stakeholders and the auditor), the preliminary analyses and feasibility studies, the competences needed in terms of the number of people in the audit team and their experience, the methods to be used (according to the type of repositories used), and the provisional completion schedule, which is normally short, less than two months. During this stage, a number of documents, such as tracking sheets, specifications and the results of preliminary studies, are produced and passed on to the audit committee and the requester;
  • conducting the audit: the process will be different according to the nature of the audit to be carried out. In every case, however, it will begin with data collection, using specific tools, evaluation grids and maintenance grids, and will proceed with data analysis: reprocessing of raw data and analysis of deviations from good practice;
  • audit outcomes: the purpose of this stage is to deliver an assessment on the domain under audit. This assessment will be driven by the drafting of action plans for improvement designed to demonstrate to the requesters the reasons for deviations noted and corrective action that could be taken to solve them. Based on this initial work, the auditor will prepare to follow up on the recommendations. The purpose of this second document is to set out the re-evaluation period chosen, which we call “periodicity of audit”, the number of criteria to be re-evaluated and the impact of the corrective measures proposed. Moreover, following up the recommendations usually means considering a new contract with an external provider to undertake and implement the corrective measures.
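The “conducting the audit” and “audit outcomes” steps above can be made concrete with an evaluation grid: each criterion states a good practice, a test on the evidence collected, and the corrective action to propose. The following is an added example (not from the chapter or any audit firm’s own tooling); the criteria, the evidence values, the weight scale and the mapping from criticality to re-evaluation period (“periodicity of audit”) are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Criterion:
    """One line of the evaluation grid (assumed structure)."""
    ident: str
    good_practice: str                 # benchmark statement the evidence is compared with
    weight: int                        # 1 (minor) .. 3 (critical); assumed scale
    compliant: Callable[[Any], bool]   # test applied to the collected evidence
    corrective_action: str             # what the action plan proposes on deviation


# Constructed grid for an operational audit of one application's access controls.
GRID = [
    Criterion("AC-1", "Privileged accounts reviewed at least every 90 days", 3,
              lambda days: days <= 90, "Schedule a quarterly privileged-account review"),
    Criterion("AC-2", "Minimum password length of 12 characters", 2,
              lambda length: length >= 12, "Raise the minimum length in the directory policy"),
    Criterion("AC-3", "MFA required for remote administrative access", 3,
              lambda enforced: enforced is True, "Enforce MFA on the remote-admin gateway"),
    Criterion("BK-1", "Restore test performed within the last 180 days", 2,
              lambda days: days <= 180, "Run and document a restore test"),
]

# Constructed evidence gathered during data collection (values are illustrative).
EVIDENCE = {
    "AC-1": 120,    # days since the last privileged-account review
    "AC-2": 8,      # minimum password length currently enforced
    "AC-3": True,   # MFA enforced for remote administrative access
    "BK-1": 45,     # days since the last successful restore test
}


def analyse_deviations(grid, evidence):
    """Data analysis step: criteria whose evidence is missing or fails the benchmark."""
    deviations = []
    for criterion in grid:
        value = evidence.get(criterion.ident)
        if value is None or not criterion.compliant(value):
            deviations.append((criterion, value))
    return deviations


def periodicity_days(weight):
    """Re-evaluation period by criticality (assumed mapping, not a standard)."""
    return {3: 90, 2: 180, 1: 365}[weight]


def action_plan(deviations):
    """Audit outcome: one action per deviation, most critical first, with follow-up period."""
    ordered = sorted(deviations, key=lambda d: d[0].weight, reverse=True)
    return [{
        "criterion": c.ident,
        "observed": value,
        "expected": c.good_practice,
        "action": c.corrective_action,
        "re_evaluate_in_days": periodicity_days(c.weight),
    } for c, value in ordered]


def compliance_score(grid, evidence):
    """Weighted percentage of criteria meeting good practice."""
    total = sum(c.weight for c in grid)
    met = sum(c.weight for c in grid
              if c.ident in evidence and c.compliant(evidence[c.ident]))
    return round(100 * met / total)


if __name__ == "__main__":
    print(f"Compliance score: {compliance_score(GRID, EVIDENCE)}%")
    for entry in action_plan(analyse_deviations(GRID, EVIDENCE)):
        print(entry)
```

Missing evidence is treated as a deviation rather than silently skipped, which is the conservative reading an auditor would take; the weight ordering puts the critical findings at the head of the action plan, and the follow-up period is recorded with each action so that the re-evaluation document can be derived from the same grid.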

9.3.1. Structuring an information system audit project

An information system audit project is structured around a number of essential stakeholders, among whom are, for instance, the requester, those being audited, the audit team and the audit committee [CHA 03]. The requester includes the actors who can claim to be at the origin of an information system audit, and there are potentially many of them. It can be the General Management, the information system management committee, a department manager or an end user. It can also be a request from shareholders, the government or an accrediting body. We must therefore distinguish between an external requester and an internal requester, because they each have different needs and expectations.

Those under audit are not only the information system management, as project manager, but other stakeholders too: the end user, the department manager. When the information system management committee has signed outsourcing contracts, the audit will extend to external service providers involved both in project management and in project owner support. The auditor will thus ask for details of the outsourcing scope negotiated by the information system management committee.

Table 9.1. Levels of responsibility within large audit firms [NOË 08]

| Grade | Experience | Role |
|---|---|---|
| Junior auditor | Less than two years and CISA-qualified (Certified Information Systems Auditor) | Works as part of a team on all or part of the auditing tasks: implements the audit program specified by his or her firm, participates in information-gathering, carries out most of the operational checks |
| Senior auditor | Three to five years | Supervising, organizing and coordinating tasks delegated to the junior auditors, supervising teams on assignments, customer relationship management, reporting to management |
| Assistant manager, Senior manager | Five years + | Managing teams, participating in in-house training and recruitment, business development, mandate management |
| Associate | Has a diploma in accounting | Managing the practice, business development |

The composition of the audit team is directly related to the request by the person asking for the audit. The number of people involved and their level will depend on the size of the structure to be audited and the scope of the audit: how many processes, applications and stakeholders are involved, and the nature of the technical architecture. The audit team, including the junior auditors performing the basic operational checks and the senior auditors supervising them, is under the charge of an assignment supervisor, manager or associate. This at least is the type of organization that predominates in large audit firms.

The audit committee’s objective is to bring together representatives of all the stakeholders involved in the audit process within the organization, such as the Executive and the General Management in the case of an internal information system audit. The audit committee plays a watchdog role, ensuring that the requirements of transparency and communication, essential to the correct implementation of an audit, are maintained throughout the process. Article 14 of Ordinance No. 2008-1278 of December 8, 2008, transposing directive 2006/43/EC of May 17, 2006 relating to the statutory auditors, sets out the duties of this committee in terms of monitoring the process of preparing accounting and financial information. This ordinance also specifies that the audit committee is under the exclusive and collective responsibility of the Executive or the Supervisory Board.

9.4. Scope of the audit

To define the scope of the audit, it may be useful to refer to the typology adopted by the Public Company Accounting Oversight Board (PCAOB). The European directives are directly based on this.

Table 9.2. Audit typology

| Audit level | Content | Objectives |
|---|---|---|
| A company or entity | Strategy and action plan, policies and procedures, risk assessment, training, quality assurance, internal audit | Organizational scoping |
| Application | Comprehensiveness, precision, existence and approval, range of information to be provided | Functional scoping |
| Computing in general | Development of applications, changes to applications, access to data and programs, computer processing | Integration of monitoring within the IT function |

There are three families of information system controls: Company Level Controls, Application Controls and General Controls.


Figure 9.1. Audit configurations

Figure 9.1 illustrates the structure and its audits. At General Management level, audits will be carried out at the scale of the entity (this is organizational scoping). At the level of the information system management’s IT services, general audits will be carried out at the scale of the IT function. Finally, at process level, application audits will be carried out (functional scoping).

9.4.1. Domains and processes audited

An information system audit may involve: information system management, an information system project, an information system study, the information system infrastructure and information system planning. An audit of the information system management has the widest scope, because it sets out to give an audit of the positioning and structuring of the whole information system management. It is therefore necessary to identify management roles in steering the information system, to check the definition and quality of the standards and procedures used, to determine the positioning of the management stakeholders within the information system and to check the existence and reliability of an analytical accounting system.

Auditing information system projects involves checking the existence of a project management methodology and compliance with the various phases required in the implementation of delivered information system services. It is necessary to be able to audit the deviation between actual management practice and the management standards adopted. The audit should also enable an analysis of project risks and an assessment of the steering effected.

Auditing the studies aims to assess compliance with standards in terms of documentation and quality of deliverables. In terms of good practice, studies must be linked to the entire lifecycle of each project (analysis of needs, challenges, production, reception, implementation follow-up). The audit involves checking this link.

Auditing information system infrastructures involves carrying out an inventory of the network and telecommunications infrastructures and of the operation and management of resources. This audit aims to highlight the potential risks associated with the choice of standards and protocols used, to take stock of incident management and to analyze resource management.

Auditing information system planning involves checking the existence and quality of an IT plan and blueprint. This audit focuses on the coherence between the objectives expressed in these documents and the organization’s strategy.

9.5. Audit repositories

At the international level, the Institute of Internal Auditors (IIA) is an American expert on internal auditing. As regards control procedures, the IIA has published the Global Technology Audit Guides (GTAG). The IIA has also developed a code of ethics that aims to promote an ethical culture within the internal audit profession.

The Information Systems Audit and Control Association (ISACA), whose motto is “Trust in, and value from, information systems”, is an organization whose role is to promote information system governance, control, security and audit through the publication of repositories, such as Control Objectives for Information and related Technology (COBIT), Val IT, Risk IT and information system audit standards.

The Information Systems Audit and Control Association (ISACA) also advocates the use of methods and techniques to improve stakeholder skills. This takes the form of certifications in three major areas: internal information system auditing, Certified Information Systems Auditor (CISA), information system security, Certified Information Security Manager and information system governance, Certified in the Governance of Enterprise IT. In 1998, the Information Systems Audit and Control Association (ISACA) set up its own research unit, the Information Technology Governance Institute (ITGI). This institute develops standards and norms and offers advisory guides.

The repository Control Objectives for Information and related Technology (COBIT) has now attracted a great many stakeholders for its relevance in terms of information system audits, having received endorsement from the Institute of Internal Auditors (IIA).

In France, for instance, there are two organizations that it is important to be aware of. These are the Institut français de l’audit et du contrôle internes (IFACI), which is the French equivalent of the Institute of Internal Auditors (IIA), and the Association française de l’audit et du conseil informatiques (AFAI), the French equivalent of the Information Systems Audit and Control Association (ISACA).

Table 9.3. Audit types

| Acronym | Name | Repository | Scope |
|---|---|---|---|
| IIA | Institute of Internal Auditors | Global Technology Audit Guides (GTAG) and practical IT audit guides; adopted by the Institut français des auditeurs et contrôleurs internes (IFACI) | Information system audit taking the traditional internal audit approach |
| ISACA (ITGI) | Information Systems Audit and Control Association (Information Technology Governance Institute) | Control Objectives for Information and related Technology (COBIT); adopted by the Association française de l’audit et du conseil informatiques (AFAI) | External, specific audit, legal versus contractual |
| PCAOB | Public Company Accounting Oversight Board | Auditing Standard 2, i.e. audit of internal control over financial reporting performed in conjunction with an audit of financial statements (AS2) | Financial audit complying with the Sarbanes–Oxley Act (SOX) |
| H3C | Haut conseil du commissariat aux comptes (statutory auditors) | Repository based on AS2 | Financial audit |
| EC | European Commission | 8th directive (2006/43) | Information system audit |

At European level, the Commission produces guidelines designed to provide a framework for information system auditing. These European directives have been transposed into French law under law number 2008-649 of July 3, 2008, which precisely defines a frame of reference for internal information system audits, and by the Ordinance of December 8, 2008, which establishes an audit committee.

Among the regulatory bodies, we should mention at the international level the Public Company Accounting Oversight Board (PCAOB), author of Auditing Standard 2 (AS2) or Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, and, in France, the Haut conseil du commissariat aux comptes (H3C).

9.6. Towards an approach via the risks of strategic alignment?

The approach via the risks of strategic alignment was developed as an extension of the COBIT, RiskIT and ValIT standards, chiefly in the English-speaking world.


Figure 9.2. An overview of information assurance (adapted from the model of [MCC 04])

The aims of this approach are to align the information systems, to bring benefits to the information system stakeholders and to manage information system risk. In terms of aligning the information system to business needs, the information system must be able to provide correct and relevant information (ensuring integrity), to the right users (ensuring confidentiality), at the right time for the business (ensuring availability). In terms of the tangible benefits to the information system’s stakeholders, projects and territories, this is achieved by improving business process operations: efficient and effective use of resources, maximization of the information system’s usefulness to its users, and a corresponding reduction of its usefulness to unauthorized users who may succeed in breaking into the system. On the subject of managing risks related to the information system, this approach makes it possible to measure their impact on business departments (plan), to safeguard the company’s strategic assets (do) and to constantly evaluate the performance delivered by the information system in order to improve it and make it more resilient (check and act).

Alignment should be seen as situated at the crossroads of a number of business activities: risk management, resilience, IS security and business continuity. However, while this method does address security issues, it sees them at a strategic and organizational level. Thus, the issues addressed will remain within the field of security governance.

Implementation of this method is based on identifying the business’s critical assets and strategic advantages to be protected, assessing threats to these assets and evaluating vulnerabilities. Thereafter, it will study the potential and severity of each risk scenario and roll out a plan to manage strategic risk that will be visible to management. Information system audits can be carried out and, through successive iterations, the risk management plan will be incremented by new threats on new assets.
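The implementation steps just described (identify critical assets, assess threats and vulnerabilities, score each risk scenario, produce a plan visible to management, extend it at each iteration) can be exercised on a small risk register. The following is an added example, not code from the chapter or from the COBIT, Risk IT or Val IT frameworks; the 1–5 scales, the risk appetite threshold, the asset names and the scenarios are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int         # 1 (low) .. 5 (strategic advantage); assumed scale
    property_at_stake: str   # "confidentiality", "integrity" or "availability"


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: a threat exploiting a vulnerability on an asset."""
    asset: Asset
    threat: str
    vulnerability: str
    likelihood: int   # potential of the scenario, 1 .. 5 (assumed scale)
    exposure: int     # severity of the vulnerability, 1 .. 5 (assumed scale)

    def severity(self):
        # Potential x vulnerability severity x business value of the asset (1 .. 125).
        return self.likelihood * self.exposure * self.asset.criticality


class RiskPlan:
    """Strategic risk management plan, extended by successive audit iterations."""

    def __init__(self, appetite):
        self.appetite = appetite   # severity at or above which a scenario must be treated
        self.scenarios = []
        self.iteration = 0

    def iterate(self, new_scenarios):
        """One audit iteration adds newly identified threats, possibly on new assets."""
        self.iteration += 1
        self.scenarios.extend(new_scenarios)
        return self.report()

    def treatment(self, scenario):
        return "treat" if scenario.severity() >= self.appetite else "accept"

    def report(self):
        """Management view: scenarios ranked by severity with the decision for each."""
        ranked = sorted(self.scenarios, key=lambda s: s.severity(), reverse=True)
        return [{"iteration": self.iteration, "asset": s.asset.name,
                 "property": s.asset.property_at_stake, "threat": s.threat,
                 "severity": s.severity(), "decision": self.treatment(s)}
                for s in ranked]

    def worst_by_property(self):
        """Highest severity per security property, for the 'check' step."""
        worst = {}
        for s in self.scenarios:
            prop = s.asset.property_at_stake
            worst[prop] = max(worst.get(prop, 0), s.severity())
        return worst


# Constructed sample assets and scenarios (illustrative only).
CUSTOMER_DB = Asset("customer database", 5, "confidentiality")
ERP = Asset("ERP", 4, "availability")
WEBSITE = Asset("public website", 2, "integrity")
BACKUPS = Asset("backup store", 4, "availability")

FIRST_PASS = [
    Scenario(CUSTOMER_DB, "credential theft", "no MFA on administrator accounts", 4, 4),
    Scenario(ERP, "ransomware", "unpatched application server", 3, 3),
    Scenario(WEBSITE, "defacement", "outdated CMS", 3, 2),
]
# A later iteration identifies a new threat on an asset not in the first pass.
SECOND_PASS = [
    Scenario(BACKUPS, "backup deletion", "backups writable by the production account", 2, 4),
]


def build_plan(appetite=30):
    plan = RiskPlan(appetite)
    plan.iterate(FIRST_PASS)
    plan.iterate(SECOND_PASS)
    return plan


if __name__ == "__main__":
    for row in build_plan().report():
        print(row)
```

The score multiplies the scenario’s potential, the vulnerability’s severity and the asset’s business value, so that a moderate threat on a strategic asset outranks a likely one on a low-value asset; the second iteration shows how the plan absorbs a new asset and threat without rescoring what was already there.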

9.7. Conclusion

Information system audits present a strong organizational aspect and a clear link to the “traditional” activities of audit and management. Their distinguishing feature lies in leveraging and advocating standards to provide a framework for the audit. An audit can be seen first and foremost as a comparative analysis process of what currently exists against a frame of reference. The only value of an audit is that it can determine the triggering of sanction mechanisms in the event of non-validation. Ultimately, an audit is only of value because of what preceded it, i.e. the analysis of a dysfunctionality or a request for clarification, and what follows it, in the form of corrective actions, development plans and organizational adjustments. It should enable the auditee to improve, and the value of the audit is thus measured by what it brings to the auditee. The audit’s focal point in economic terms is naturally seen as the implementation timescale and the cost. As such, the audit is correlated with the setting of the budget, in which the amount of budget allocated to the audit itself will be borne in mind.

9.8. Exercise: an auditor’s view

The following comments are taken from an interview with an external financial auditor (a statutory auditor, who must also evaluate aspects of the information system as part of the annual audit of accounts):

“What is an audit? How is the success of an audit determined? I see an auditor as a trusted third party, a partner. As auditors, our mandate with a company often lasts for several years. We develop a trust-based relationship. With every company we experience high points, resulting from strategic decisions and technology choices. A strong relationship between auditor and auditee gives the auditor a better understanding of the company’s challenges, its projects, its management, its practices and its strengths. The human and interpersonal aspect of the audit is always present. However, it is because this is a lasting relationship that the auditor is able to really act as an independent and legitimate third party. The purpose of the audit is to give an opinion on the financial and operational health of the business: we communicate honest and trustworthy information to the market. […]

You could say that the auditor acts as a critical friend. In a sense, a friend who has no qualms in telling you home truths and coming straight to the point. ‘Trust’ does not mean ‘collusion’. Criticism is not intended to damage the business; the auditor is not in opposition to the business. On the contrary, this critical friend wants to help the business. The auditor gives positive, relevant and constructive criticism. This leads towards continuous improvement.

For sure, the auditor is working in the interests of the business being audited. Notwithstanding his or her independence, the auditor is a cornerstone of the governance of the business, contributing to external audits and improving internal audits. That is how (s)he builds trust and confidence, making the business’s activities more robust, and giving his or her opinion on its conformity with the regulatory environment.”

Test your skills
  1) What are the benefits of a good relationship with the customer in the context of an audit?
  2) According to this auditor, what place do compliance and adherence to standards occupy?
  3) How can adopting the stance of critical friend, as advocated by this auditor, impact the quality of the auditor’s judgment?
  4) How independent can a trusted third party be?