The Segregation of Duties: IT Audit - Essay Example

 The Segregation of Duties: IT Audit Word Count: 2,520 (10 pages) A fundamental element of internal control is the segregation of certain key duties. The basic idea 
underlying SOD is that no single employee should be in a position both to perpetrate and to 
conceal errors or fraud in the normal course of their duties. 
In many organizations, responsibility for testing SOD is relegated to the IT auditor — for better or worse. The reasoning behind this assignment correlates SOD controls to logical system access. If 
you were an IT Auditor in an organization, what type of business risks would you consider? What 
type of control mechanisms would you put in place for more efficient audit procedures? Explain its 
relevance from every perspective. I. Introduction Challenges in IT are becoming ever more complicated. Segregation of duties— also known as SOD—is paramount in today’s information technology spectrum as one considers: business risks from the standpoint of an IT auditor in an organization; control mechanisms which can be implemented for more effective auditing procedures; and the relevance of such segregation of duties from every perspective imaginable. II. Business Risks to Consider as IT Auditor in an Organization There are several factors to take into account when considering oneself being put in a position of risk as an IT auditor. “The challenges facing IT auditors today revolve around change—in technology, the business environment, business risks, the legislative and regulatory environment, and the knowledge and skills required to audit effectively in this evolving environment.”1 So, let us analyze in-depth every relevant angle that the IT auditor has to take into consideration. Changes in technology certainly influence what is going on in terms of how IT auditors are going to respond to that issue. For example, the advent of the iPad and the increased use of tablet PC’s has introduced a new monkey-wrench into the works. Generally, tablet PC’s that are not designed by Apple—as well as smartphones—have much less amounts of security features that are already built-in to the software, thus increasing the chances for black-hat (or malicious) hackers to be able to gain access to private information—such as bank account information like routing numbers, all the way down the line to Social Security numbers, birth dates, and all kinds of information. Social media is increasingly becoming profitable for criminals who prey upon peoples’ personal information via the route of the Internet. With the advent of Twitter—where people can have fake identities and use remotely-controlled Internet bots and bot-servers—the possibilities of where attacks could come from are endless. In addition, Facebook—which is known for its lack of privacy and security features—has many problems, the least of which may indeed be its privacy issues. For example, some forms of bullying are still considered acceptable by Facebook, and Facebook makes no effort to censor posts that are put up on the world’s largest social network. It has been suggested that Facebook hire auditors, which would put 8 million people to work—if one auditor was assigned to every 100 people who were users on Facebook. Because, according to current statistics, Facebook has 800 million users. That’s 11.43% of the world’s population. That means that there is about a 1 in 10 chance that any person at random on the planet is a Facebook user. That is huge! And, apparently, Facebook has been having difficulty keeping up with the way technology is rapidly changing. Even though Facebook has introduced new changes in formatting, it really hasn’t solved or resolved issues regarding its privacy measures, as well as its issues regarding how to handle bullying, the buying and selling of personal information, and also the ability to data-mine in order to place advertisements targeting the Facebook user depending upon things that they put in their posts, also known as “status updates.” Author Salman Rushdie just got permission to run afoul of Facebook policy which states that users must use their real name, with no changes to how one’s name is legally. So, for example—instead of being called Ahmed Rushdie, Salman Rushdie insisted on going by his middle name (Salman), which he places in front of his surname and uses it as a first name instead. The business environment is becoming evermore interconnected with social media. Pretty soon lines begin to blur between what is personal and what is professional. This can become very problematic in the world of IT auditing, because, since professional and personal boundaries become more fuzzy—this makes it even easier for conflicts of interest to appear within a system. For the purposes of this piece, we will refer to the system being monitored as a LAN network on the campus of a relatively small private college campus with roughly 4,000 students in attendance. There are several computer labs all across the campus, but there is one main computer lab with about 80 to 100 computers. One of the greatest business risks with interacting as an IT auditor on a LAN network at a college campus is there are always threats of attacks from hackers, who can go into various files and phish through all of the information that emanates from college students—writing papers, checking emails, and various types of different functions and tasks which require the use of a computer. The legislative environment could be dicey, especially if the IT auditor were not to have caught a serious mistake in software. Also, if the IT auditor did not thwart a DDoS attack or perceive the need for antivirus software—or some other foreseeable type of disaster—then the IT auditor could be possibly held legally responsible for problems that would occur on-campus. Thus, it may mean that that person’s job would be on the line. The changes in a regulatory environment can come and go so fast that one is not even aware how they are changing until it is almost (or perhaps already) upon them. Systems are continually being upgraded, new code has to be produced, and various types of software (as well as hardware) need to be continually updated on some kind of regular basis. The change in hard knowledge, as well as soft skills—are continually evolving as well. Not only do IT auditors have to be knowledgeable about technical data, but they also have to be able to put on a good face in the public eye and remember that societal pressures are at a premium. Not having to be a good ‘people person’ has gone the way of the dodo bird in IT. Now, not only are IT auditors expected to be politically correct, but they also must display a certain level of sophistication in dealing with people as well as have at least decent interpersonal skills—so that they can effectively interact with the public and make themselves understood. The days of IT auditors being computer nerds sitting in the corner by their lonesome are long gone. III. Control Mechanisms to Implement for More Effective Audit Procedures Control mechanisms that can be implemented for more effective audit procedures Include several facets—but mainly they deal with one element in common, which is system security. “[S]ystem security features can only be effective when reinforced with policies and procedures that prevent the compromise of security…”2 Control mechanisms which assist in implementing more effective audit procedures include types of software, especially, that can be used in order to foment system security—not to mention the written and unwritten rules in computer labs and the procedural elements which preempt any sort of problems that an Admin might run into on a typical day. So, think about it like this: every potential issue that an Admin comes across might, at some point, become caught in the crosshairs of the IT auditor’s laser-sharp focus. It is the IT auditor’s job to ‘audit’ the system, thus, often what the auditor’s job is is to make a series of tests or ‘checks’ on a system. On a LAN network at a small campus computer lab, such tests could include, but are not limited to the following: checking in on a chat room conversation to make sure that there is no illegal activity going on; monitoring student email addresses and emails so that any suspicious emails or email content (a la the Nigerian Prince email scam) is detected; and making sure that Internet instant messenger boards are safe places in which students can proffer their ideas without worrying about whether or not their private conversations are being hacked from an outside (or inside) source. So, it is the IT auditor’s job to basically do some ‘white-hat’ (or non-malicious) hacking in order to assess the system. If the IT auditor chooses to remain neutral (neither making judgments about ‘good’ or ‘bad’ actions on the system), then the IT auditor is specifically conducting grey-hat (or neutral) hacking in order to make checks upon the system. It is pretty interesting that even the most sophisticated, experienced IT auditor might choose to leave some elements alone when having completed his tests. For example, the IT auditor might see some kind of shady or nefarious activity going on, but considers such activity relatively harmless—for example, perhaps a student is using bad language while chatting via instant messenger on the college campus LAN network in the computer lab. While this may be considered inappropriate use of language, perhaps the IT auditor can detect the level of harm or threat that the bad language actually poses to other students or users on campus. Now, if that particular user were to talk about bringing some type of weapon into the classroom or doing harm to somebody—or the IT auditor had reason to believe that this person was planning to commit a crime at some point in the future—that would definitely be grounds for sounding an alert and immediately identifying who was the purveyor of such information. The IT auditor would probably track down the IP address of the computer and make campus authorities alerted to the situation immediately—as this would be an issue that would require prompt attention. IV. The Relevance of Segregation of Duties from Every Perspective Internal conflicts can be problematic. “When conflicts exist in SOD, organizations can be exposed to significant risks. Auditors are looking for conflicts in SOD in which one individual has access to responsibilities that are inherently in conflict with one another…”3 For example, perhaps a campus security officer is also an Admin at the college campus computer lab. For one thing, the campus security officer obviously cannot do his duty as campus security officer while at the same time working at a government-sponsored work-study job as a campus computer lab Admin. This is where the IT auditor comes into the picture. The IT auditor takes note of the fact that there is an obvious conflict of interests at play here—and that students’ physical security cannot be trumped by the fact that students also, coincidentally, need protection from dangers lurking on computers as well. This could include phishing activities or spyware or malware that affects computers. Phishing scams via email might elicit some responses from college students on-campus. Then, without an Admin because the student would have to be trying to perform two jobs at once—campus security as well as computer lab Admin—it might be almost impossible to perform all the tasks that both jobs require of the person, because both jobs would be going on at the same time. This is simply just too much information overload for the Admin (Administration). Also, let’s say that the computer lab Admin was an honors student who had 18 hours of class this one particular semester, and he was functioning as an Admin on the night shift. He is seen falling asleep at the desk over some books. This could also be perceived as a security threat, because obviously the student is overloaded with work—something those at the graduate level call “the overload principle.” Teachers in college—but especially graduate school—assign more work that students can actually handle on purpose. Yes, they do this on purpose. Why do they do this? They do it because it helps them go from topic to topic, their students always guessing if this was included in the reading or not. Many times, students will feel ashamed if they don’t complete the required readings for class. Nonetheless, the IT auditor must make an executive decision and replace that Admin with someone who has less important academic duties, who is not involved in many extracurricular activities, and has a more normal course load. IT auditors have to take into account for peoples’ work-life balances in order to ensure that Admins have workable schedules. They don’t want to be inconvenienced by someone falling asleep on the job and then having the IT auditor become responsible for it because he didn’t realize that the job was too difficult for the Admin to handle—even if the student was trained well and knew a lot about computers, technology, and systems security—as mentioned in the previous section. So, IT auditors have to take into account a multitude of factors when choosing Admins who they think will be responsible enough to take control over the logical processes of a certain system—and who they think might best handle any kind of situations that might come up in the process. Admins have to be highly dependable individuals, and this is something that IT auditors look for when deciding to choose who to help foment an IT department—especially with the example that has been used here with a small college campus’s computer lab. It can definitely be said of the IT auditor that he must look out for the best interests of his organization, not to mention covering his own back in the case that something does go wrong—he can logically justify whatever went wrong by placing the blame on a technical issue rather than anything that he had direct control over, which would indicate that the IT auditor had been at fault. So, any decisions that the IT auditor makes are purely based on the fact whether or not he has sufficient basis to ensure that any mistakes made were not his own, and that they were solely due to technical glitches and not because of any problem related to himself or the person he put in place to take responsibility over the LAN network. Of course, being able to deduce when conflicts of interest will occur are key—because, having that ability to sniff out problems before they are even identified is definitely evidence of an IT auditor that: a) knows what he is doing; and b) cares enough to ensure that any policies that are in place are followed to the letter, in order to ensure that every word is followed up with action and, most importantly, that jobs are seen through to the end (until they are finished and the matter(s) at hand are resolved). V. Conclusion Segregation of duties includes several elements, which are: business risks from the standpoint of an IT auditor in an organization; control mechanisms which can be implemented for more effective auditing procedures; and the relevance of such segregation of duties from various perspectives. IT auditors are under more stress nowadays more than ever to produce a high-quality security product. Thus, they need to ensure the safety of all of their means of production in order to reassure people that their security systems will not be compromised—likely by using the same software that not only runs virus protection and other forms of network security, but which also powers social media mogul sites like Facebook and Twitter. In an age of decreasing certainty, IT auditors provide the safety net of Internet security to users all over the world. Certainly, the job is sure to become more challenging with the changing times, but that is possibly part of what makes this job fascinating and what’ll make it popular in the future. WORKS CITED Davis, Chris, et al. IT Auditing: Using Controls to Protect Information Assets. US: McGraw-Hill Pro Med/Tech, 2011. Pp. xx. Senft, Sandra, et al. Information Technology Control and Audit. US: CRC Press, 2008. Pp. 615. Tarantino, Anthony, et al. Essentials of Risk Management in Finance. US: John Wiley and Sons, 2010. Pp. 130. Read More