Auditoría De La Ofimática PDF

# AUDITORÍA DE LA OFIMÁTICA ## 9.1. INTRODUCCIÓN The term "office automation", commonly used in different professional fields, is not defined in the dictionary of the Royal Spanish Academy of the Language. Although the objective of this chapter is not to determine the concept of "office automation" or to delve into it, it is essential to have a definition that serves as a starting point for the development of the topic we are dealing with. For this purpose, we will start from the definition made by Schill, understanding "office automation" as the computerized system that generates, processes, stores, retrieves, communicates, and presents data related to the functioning of the office. The concept of "office automation" emerged at the beginning of the last decade, and the first applications were developed on the central computers of organizations. Although offices have always been considered as pioneers in the use of information tools for the development of their activities, since the beginning of the nineties there has been a spectacular growth in the demand for "office automation" systems that continues to increase. Examples of this are: specific applications for task management, such as spreadsheets or word processors; tools for document management, such as file management or optical information storage systems; personal agendas and databases; group work systems such as email or workflow control; etc. The evolution experienced in the microcomputer environment has conditioned the development of current "office automation" systems. The increase in computing power, the high quality of products, and the reduction in the cost of computers, along with personal computers and workstations, have shifted the development of "office automation" applications to microcomputer platforms and local area networks. Today, it seems unquestionable that products developed on microcomputer platforms offer performance and a cost / benefit ratio far superior to solutions on centralized computers. This development of "office automation" systems has maintained two fundamental paradigms: the virtual desktop and cooperative work (CSCW, Computed Supported Cooperative Work). We can approximate the concept of a virtual desktop as a single panel represented by the computer screen that replaces the traditional desk and where all the tools necessary to carry out the office worker's activities are available. The interface must appear natural to the user and should be easy to learn and use. The various applications, in addition to performing the tasks for which they were designed in an efficient and effective way, must be perfectly integrated with each other. CSCW could be considered as an extension of the concept of application integration. According to Kraemer, we could define it as a multiplicity of coordinated activities, carried out by a group of participants and supported by a computer system. Consequently, the "office automation" environment, in addition to enabling the performance of the personal work of each employee, must allow information to be exchanged as needed in the various processes of the organization, as well as possible interactions with other organizations. Almost all of the "office automation" packages on the market have been developed following the virtual desktop paradigm, reaching a reasonable level of development and even facilitating integration with other products from different manufacturers. Furthermore, in recent years, the supply of CSCW applications has increased, mainly due to the spectacular development experienced in communications. These types of applications have increased their functionality and are advancing in the implementation of standards for integration between "office automation" systems from different organisations. ## 9.2. CONTROLES DE AUDITORÍA Most of the problems that arise in the computerization of offices do not differ substantially from those found in other areas of the organization. However, there are two characteristics that are peculiar to "office automation" environments: the distribution of applications across the different departments of the organization instead of being in a single centralized location, and the shift of responsibility for certain controls of information systems to final users, who are not professionally dedicated to information technology and may not understand the importance of them or how to perform them. As a result of the two factors mentioned, a specific problem has been generated in this type of environment: poorly planned acquisitions; inefficient and ineffective developments, even in critical processes for the proper functioning of the organization; lack of user awareness of information security; the use of illegal copies of applications; deficient backup procedures; insufficient staff training; lack of documentation; etc. Taking into account the problems mentioned and leaving aside the concepts developed in the chapter corresponding to network auditing to avoid overlaps, we have prepared a list of basic audit controls. The selected controls, while not exhaustive, have been described in such a way that they can be applied to any organization, adapting them to the characteristics of the same. Some environments will require some additional control that is not found among those proposed, and in other environments some of the controls may not be appropriate. The controls presented are grouped according to criteria related to aspects of economy, efficiency, and effectiveness; security and legal requirements, are general enough to serve as a basis in the development of a work plan for the auditor team. ### 9.2.1. ECONOMY, EFFICIENCY AND EFFECTIVENESS **Determine if the office automation inventory accurately reflects the equipment and applications in the organization** It is difficult to maintain a reliable record of all purchases made by the organization due to the low cost of many components. Departments often circumvent purchase authorization procedures, for example, by using invoices for the purchase of non-inventory materials. A poorly maintained inventory can have an impact on the organization's balance, making it possible to detect neither theft of computer equipment nor licenses for contracted programs. We have selected this particular control first, since reliable inventory will be essential to audit other controls that are presented later. The audit team will verify that mechanisms have been defined to guarantee that all equipment purchased by the organization has been properly inventoried. Next, the audit team will verify that the reconciliation made in the last financial audit between the official inventory and purchases made has been completed. Next, by reviewing all departments, warehouses, and archives, they will prepare a comprehensive list of computer equipment and software that is currently in the organization and the archives associated with each piece of equipment. This list should also include the version of each application. Finally, they will identify the actual differences between the list prepared by the audit team and the official inventory so they can correct the errors that were discovered. **Determine and evaluate the acquisition procedure for equipment and applications.** A decentralized acquisition policy in which each department is responsible for making its own purchases offers advantages in terms of flexibility and responsiveness, but could lead to significant economic losses for the organization. The audit team will verify that in the acquisition procedure, aspects related to the actual need for the requested equipment and its integration with the existing system are evaluated. In the case of the purchase of packages or the contracting of external developments, the audit team will determine whether the performance offered by the requested product is aligned with the activities that are intended to be developed with it; if the platforms where the applications are to be installed have sufficient capacity to support them efficiently; if the new products can be configured, if necessary, to obtain sufficient audit trails to allow the monitoring of anomalies that arise during their execution; and the experience and solvency of the vendor. Starting with an updated inventory, the audit team will analyze the procedures for the acquisition of products in the company's different departments and determine the existence of equipment and similar applications. In the event that the various departments of the company place orders for equipment and accessories independently, the team will assess whether the potential to negotiate discounts through the application of a centralized purchasing policy is being wasted. Similarly, the team will consider other mechanisms that could reduce the organization's costs, such as centralized purchase negotiations for application licenses. **Determine and evaluate the maintenance policy defined in the organization.** Decentralized procedures have led to situations in which equipment purchased is not included in the organization's inventory or in maintenance contracts. It could even happen that the organization's maintenance personnel lack the knowledge necessary to carry out the tasks. The audit team will examine the use of warranties for purchased products, verifying that unnecessary fees are not being paid for services on equipment that is still under warranty. To do so, the team will verify that end users are aware of the warranty status of each product they use and the procedures for making the warranty effective. With respect to products whose warranties have expired, the team will determine which have active maintenance contracts with external companies, and which are the responsibility of the organization. In the case of maintenance contracts with external companies, the team will verify that aspects such as the maximum response time, spare parts and labor, preventive maintenance, etc. have been included in the contract. The team will also verify that the personnel assigned to maintenance tasks, both internal and external, have sufficient knowledge of the platforms they must maintain and that they receive the appropriate training on the new products installed in the organization. In connection with the management of incidents that arise, the audit team will verify the existence of a record of incidents, the procedures implemented to assign resources to resolve them, the scripts prepared to resolve the most frequent incidents, and the monitoring of incidents until they are resolved. The team will also assess whether the time spent responding to requests and resolving incidents can affect the organization's performance. **Evaluate the quality of the applications of the "office automation" environment developed by the organization's own personnel.** The use of "office automation" tools by end users has led to the development of applications, in many cases without the due guarantees of reliability, whose failure to work properly can significantly affect the activities of the organization when dealing with applications that manage critical processes. Furthermore, it is common for applications developed in these environments to have not followed adequate quality and security controls, allowing some programmer to introduce backdoors, logic bombs, or any other mechanism that could disrupt the operation of the application developed. The audit team will determine whether there is a department responsible for controlling the development of applications throughout the organization, and that general procedures for requesting, authorizing, assigning priorities, programming, and delivering applications have been defined; or if departments have developed applications for internal use under their own criteria, without the control of a responsible department. In the case of developments carried out by the personnel of the departments themselves, the audit team will have to determine whether the methodology used and the test runs are in line with the organization's procedures. In the same way that for applications purchased or developed outside the organization, the audit team will verify that internally developed applications can be configured so that sufficient audit trails can be obtained to allow monitoring of anomalies that arise during their execution. In addition, the team will verify that developments are carried out on a development environment, avoiding operating directly on the actual production data. The task of the audit team also includes examining the reports of incidents in applications, as well as complaints expressed by clients and users as evidence to detect those applications that could be malfunctioning. **Evaluate the correction of the existing procedure for making changes to versions and applications.** Changes to applications or versions can create situations of lack of integration and incompatibility between the new products installed and those existing previously. Almost all new versions are capable of handling formats used by previous versions, but this does not always happen in the opposite direction. The audit team will determine whether there are procedures formally established for the authorization, approval, acquisition of new applications and version changes. In addition, the team will verify that the applications installed and version changes have followed all the procedures in the established procedure. The team will also seek to determine whether the integration problems and incompatibilities that new products may pose have been analyzed before their implementation; whether there is a plan in place for training end users who will be using these new products; and if those responsible for maintaining them have acquired sufficient knowledge so that the changes that are about to occur do not negatively impact the organization's operations. **Determine whether users have sufficient training and supporting documentation to perform their tasks effectively and efficiently.** Insufficient knowledge of the functionality of applications by end users or those responsible for their maintenance can lead to a loss of efficiency and effectiveness in their use. We must not forget that a lack of knowledge may be due to the fact that users have not been trained or that they have not made the best of the training courses they have received. The audit team will determine whether there is a training plan to ensure that all personnel are familiar with the products they have to use, including new applications and the versions that have been installed. The team will also verify that after the courses are taken, a mechanism is in place to determine the level of learning achieved by the students and that basic documentation of the product's operation is provided to users, or whether they have easy access to it in case they need it. The team will also verify that employees are making use of the product's offerings and not simulating procedures used in previous versions or applications used previously. In addition, the team will evaluate the mechanisms and circuits established to resolve doubts and problems, determining if responsibility for addressing them lies with a common support team for the entire organisation, or if it falls to the department itself. **Determine if the existing system is aligned with the real needs of the organization.** The existence of obsolete or underutilized equipment can lead to situations in which, due to the poor distribution of equipment in relation to the organization's needs, the system is not functioning properly. The audit team will assess how the company's equipment is actually used, preparing a list of those computers that are not operational. In addition, the team will review the activities that are carried out on each computer, determining those work stations that, due to the tasks they perform, need to be automated, or whose equipment needs to be updated; as well as those work stations that, due to their low activity, are over-dimensioned. Based on the results obtained, the team will prepare a list of recommendations on the removal of obsolete products, the redistribution of existing equipment, and the purchases of new equipment and applications. ### 9.2.2. SECURITY **Determine whether there are sufficient guarantees in place to protect unauthorized access to the company's confidential information and the integrity of the same.** "Office automation" applications manage confidential information such as contact lists, reports on confidential matters, statistics obtained with information extracted from the company's corporate database, etc. Unauthorized access or inconsistencies in this type of information can compromise the good operation of the organization. In addition to the requirements that the regulation of security under development in the area of Article 9 of Organic Law 5/1992, on the regulation of the automated processing of personal data, still subject to approval, will require, the organization must establish the security policies and procedures necessary to guarantee confidentiality, integrity, and availability of stored information. The functionality of security mechanisms in "office automation" applications and operating systems of personal computers has increased significantly in recent years, offering a reasonable level of security. However, ensuring compliance with some of the security measures mentioned below will require acquiring additional packages, and above all, taking organizational measures. The audit team will examine the documentation on security in place at the organization and verify that procedures have been defined, at least, for: information classification, access control, identification and authentication, management of media, incident management, and audit controls. Subsequently, the team will proceed to verify whether the defined security measures are actually operational. First, the team will determine whether the procedure for classifying information has been developed taking into account the importance and sensitivity of the information, and will verify that all information has been classified in accordance with the established criteria. Once the team has verified that the duties, responsibilities, and security obligations of each job position are clearly defined and documented, it will also verify that the necessary measures have been taken to ensure that all personnel are aware of both those that affect the performance of their duties and those responsibilities that they could face if they fail to meet them. The team will examine the updated list of system users and access rights, to verify that each user is authorized to access the information technology systems, to the extent necessary for their work. The audit team will verify whether identification and authentication procedures have been implemented for system access. When the authentication mechanism is based on passwords., the team will ascertain whether the procedure for creating, storing, distributing, and modifying passwords guarantees their confidentiality. The team will also determine whether users disconnect their workstations at the end of the working day, and whether there is any mechanism that automatically disconnects a user after a predetermined period of inactivity, or that requires a password to resume work. The team will not, under any circumstances, forget to verify compliance with procedures established for requesting new access or modifications concerning rights that have been defined for a user, and that only authorized personnel perform the function of granting, altering, or revoking access rights to data and computer resources. The audit team will analyze the procedure for reporting and managing incidents defined in the authorization, determining: the types of incidents reported, the time at which they occur, the person who reports the incident, who the report is sent to, the assigned person to review and correct it, the effects it has had, and the actions taken in response. Finally, the team will verify that all computer media allow information to be identified, are inventoried and stored in a location that is only accessible to authorized personnel. The team will also verify that the output of computer media outside the organization is properly authorized. **Determine whether the backup procedure for generating copies is reliable and guarantees the recovery of information in the event of a need.** The information generated by the system must be available at all times. The unavailability of data, especially of those procedures that are critical to the organization, in addition to the well-known economic losses, could lead, in the extreme, to the paralysis of the department. The audit team will examine the backup procedure followed in the organization, verifying the sufficiency of its frequency, the proper assignment of responsibilities, and the adequate storage of the media. The team will verify, first, that responsibility for making backups is assigned, and that each person responsible for the backup makes copies of the information that falls under their responsibility, so that all data are saved. The team will then verify the existence of an inventory of backup media and the information stored. Later, the team will determine whether security implemented to ensure the confidentiality and integrity of the backups offers guarantees equivalent to those defined for the information they contain, both on the media that are kept in the company's facilities and on those that are transferred to an external location. Finally, the team will check the effectiveness of the procedure defined for the recovery of the backups, determining whether the media contains the information that is supposed to contain, and if it is possible to recover the information in such a way that the final result is a faithful reflection of the previous situation. **Determine whether the uninterrupted operation of applications whose failure could entail a loss of data integrity and applications is guaranteed.** In organizations, processes are carried out that could lead to a loss of data integrity and applications handled, in some cases, beyond recovery, in the event of a power outage. The audit team will determine the existence of uninterruptible power systems, and whether they cover the operation of the equipment on which processes are executed whose interruption could lead to serious repercussions. The team must, also, in the event of a power outage, verify whether the uninterruptible power systems are activated, and make sure that the time provided by the uninterruptible power system is sufficient to complete the critical processes and shut down the system. **Determine the degree of exposure to the possibility of virus intrusion.** The costs arising from the intrusion of computer viruses have multiplied in recent years: loss of information and the deployment of resources and time to restore the system, in some cases leading to the temporary paralysis of the department. The audit team will analyze the protection established at each of the points in the system through which viruses could be introduced: floppy drives, modems, network accesses, etc. The team will also review the regulations for the installation and periodic updating of antivirus products, paying special attention to those cases where the information processed is critical to the operation of the organization. In addition, the team will analyze the configuration of the equipment and the installation of programs that allow the detection of existing viruses, preventing them from entering the system and removing any that have already entered. If the audit team discovers a virus on any of the equipment, the team will immediately inform the authorized person, suggesting measures that it deems appropriate to prevent any further spread. ### 9.2.3. LEGAL REGULATIONS **Determine whether the office automation environment has any situations that could constitute a breach of Organic Law 5/1999, on the Protection of Personal Data (LOPD).** The LOPD establishes a series of principles and rights regarding the protection of personal data for all individuals, including automated filing systems. In addition, individuals who suffer damages or injuries to their property, goods, or rights as a result of a violation of the LOPD may file a claim for compensation with the courts of justice. The audit team will have to verify the existence of an inventory of files that manage personal data and verify that this inventory contains all the files managed in "office automation" environments. While in most cases, these environments manage files that act as mere support for those that exist at the organization, there may be situations where personal data is stored but not in one of those files or databases. The job of the audit team will be to ascertain that the files that manage personal data in "office automation" environments are under control and have notified the General Registry of the Data Protection Agency. The controls for verifying that existing files comply with the requirements established in the LOPD cannot be excluded from the general procedures for the entire organization, going beyond, therefore, the scope of this chapter. It is important to note that the audit team will have to inspect the adequacy and validity of the procedures in place at the organization to guarantee compliance with the principles (data quality, information provided when collecting, consent of the affected person for processing and transfer, data security, duty of confidentiality, etc.) and rights (access, rectification, and cancellation) included in this law. **Determine whether the office automation environment has any situations that could constitute a breach of Royal Legislative Decree 1/1996, of April 11, on intellectual property.** The vast majority of illegal copies used in organizations correspond to microcomputer applications, especially "office automation" applications. This fact could lead those affected by damages who have suffered any harm or prejudice as a result of non-compliance with the Royal Legislative Decree on intellectual property to file claims in the courts of justice that could lead to criminal proceedings. The audit team must prepare a full list of applications located in "office automation" equipment that require licenses for their use. This list will be compared with the organization's inventory to verify that they coincide, and if they do not, the team will have to determine which are illegally used copies. The audit team will verify the definition and application of preventive measures, such as the existence of a disciplinary code known to all employees, the disabling of floppy drives and other ports for incoming and outgoing data, and limitations on access to networks external to the organization. The team will also verify the existence of detective measures, such as the assignment of personnel responsible for performing periodic reviews of applications on each computer and analyzing the use levels of the shared applications on the network. Finally, the team will verify the definition of corrective measures such as the removal of illegal copies that have been detected; procedures for determining how the intrusion occurred, and subsequently defining measures to prevent this situation from re occurring, as well as taking disciplinary action. ## 9.3. CONCLUSIONS Most "office automation" application audits do not differ considerably from the steps required to audit centralized systems. In both cases, the auditor's professional experience is the key element for selecting the controls to be verified and their suitability to the system being audited, keeping in mind at all times that the evolution of "office automation" environments will require specific knowledge and novel techniques. The presentation of controls here reflects a sequence in the steps to be taken in the audit. As a preliminary step to the audit itself, the audit team must fully understand the system's operation and how it is used, as well as analyze the risks to which it is exposed. For each of the aspects under review, the team must verify the definition of preventive, detective, and corrective controls. Next, the team must verify whether the defined controls are actually implemented by users during the development of these activities. Finally, the team will provide an assessment of the sufficiency and suitability of the controls defined and implemented for the prevention of the risks to which the system is subjected. During the presentation of controls, we have frequently referred to documents, procedures, and policies of action that are defined and implemented in the organization; however, it is common for some of them to have not been defined yet. It is up to the auditor to detect, and acknowledge in the report, the deficiencies that may be present in the organization's operation, but they should also participate in their definition. In other words, the auditor should address the deficiencies present in the organization's operations, but also contribute with his knowledge and experience to develop those procedures and recommendations that help to resolve the deficiencies. It should be noted that, ideally, "office automation" audits should not be carried out independently. It seems preferable to incorporate "office automation" controls into a broader audit, primarily for reasons of efficiency and effectiveness in the preparation and development of the audit. ## 9.4. RECOMMENDED READINGS - Thomas, A. J., Douglas, I. J. _Auditoria informática_. Paraninfo, 1987. - Ron Weber. _EDP auditing. Conceptual foundations and practice_. McGraw Hill, 1988. - Kraemer, K. L., King, J. L. _Computer-Based systems for Cooperative Work and Group Decisions Making_. *ACM Comp. Surveys*, vol. 20, no. 2, June 1988, pp. 115-146. - Auerbach Publications. _EDP Auditing_, 1993. Chapters 74-01-01, 74-01-05, 74-0174-01-30, 74-01-65, 74-01-71 and 75-01-15. - Chill, Alexander. _Cooperative office systems: Concepts_. Prentice Hall, 1995. ## 9.5. REVIEW QUESTIONS 1. What elements of a computer system are part of "office automation"? 2. Explain the virtual desktop paradigm. 3. What distinguishes the audit of "office automation" from other information technology environments? 4. Analyze the repercussions that a poorly maintained inventory may have in a company from the perspectives of the economy, efficiency, and effectiveness. 5. How should a procedure for implementing changes in versions of "office automation" packages be like? 6. Calculate the actual cost of a personal computer for a company (taking into account hardware, software, maintenance, training, etc.). 7. What security mechanisms that you know of can be applied to personal computers?. 8. Write down a procedure for using "office automation" equipment that can be understood by end users. 9. Analyze the main "anti-virus" in the market against viruses that affect personal computers. 10. What considerations regarding "office automation" environments are found in the LOPD?

Auditoría De La Ofimática PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue