

Audit and Security Management

Disclaimer: the following text does not necessarily reflect the ideas of the author, but is merely intended to be a summary of a lecture at Royal Holloway University of London, as indicated in the title. Moreover, interpretations can be incomplete or even incorrect and the author cannot be held responsible for misjudgements from his side.


Audit and Security Management

Michael Hobbs, KPMG - RHU London, Information Security Group
30 Oct. 1997

Text by Filip Schepers

This text is part of a series of summaries of lectures given at Royal Holloway University of London in the context of information security management. It intends to reflect the vision of KPMG on the role of audit in security management as explained by Michael Hobbs, senior manager with KPMG. This text is about external financial audit, internal audit and computer audit and tries to define these terms and relate them to IT security management.

It is widely accepted that the enormous economic growth of the Western European world during the twentieth century can be attributed to the capitalist model of economies. An essential part of this model is the dual vision on management and ownership. Whereas shareholders are the owners of a company, it is the directors that run it in the best interests of the owners. The purpose of external financial audit is to give an independent review that the numbers in the accounts, as reported to the shareholders, are a reasonable picture of what happened and how the company is doing, in that way serving the interests of the shareholders. As profit or loss statements can change with the accounting systems used, external audit does not guarantee the correctness of the account numbers or notes, but merely intends to give a true and fair opinion of results reported by the management. Furthermore, auditors interpret their findings and suggest adjustments to be made.

To give a fair view of the company's financial situation, it is necessary that the documents and numbers produced meet the requirements of completeness, existence and accuracy, thus leading to integrity of the information provided. This means that in order to give an opinion, an audit firm will require that appropriate controls are in place. A risky environment ("risky" characters as directors, for instance) needs tighter controls and more audit assurance. Only in specific areas can a systems-based audit approach be used. In this case a number of extra requirements have to be fulfilled: the subject of the audit has to consist of routine transactions, completely and accurately recorded, with internal control over the recording, processing and reporting of these transactions.

An organisation can also put an internal audit system in place. Generally internal control will not just address financial aspects of the organisation, but the whole business operation, including its economy, efficiency and effectiveness. Internal audit is characterised by its larger scope and by the fact that it reports to management instead of to the shareholders. In many cases however, external audit will partly (but not blindly) rely on the work performed by the internal control system.

Internal audit can (partly) consist of computer and IT audit. In this case, its relationship to external control is that it can help in determining IT risks and audit requirements. External audit can then encompass the review of installation, system evaluation and computer-assisted audit techniques. Internally, it can cover operational risks and report to management.

Internal control starts from risk assessment. Next, it requires that the information it will use be determined, as well as the way this information will be communicated. This means that control activities have to be defined and control has to be structured. Finally, of course, the monitoring itself has to take place. The control environment consists of the organisation and management of the IT infrastructure and logical and physical access control to computers and communication systems. This includes application systems development, acquisition and maintenance of operating system software, backup and disaster recovery and computer operations in general. Audit factors in IT concern higher-level controls on the input data ("rubbish in, rubbish out") and controls on the way operations are done. In effect, IT audit looks at the flow of information through the IT system: is rubbish stopped from coming in, from being processed, from coming out? Apart from that, computer audit can include special assignments that are not part of regular, standard audit and that do not directly support financial reviews. These special tasks can refer to the benchmarking of controls (for instance against the BS7799 standard), the review of security policies, systems and IT projects, business continuity planning and legislation.

It is clear that as profit is the driving factor in business, financial audit is a necessity for shareholders to have an unbiased view of their company's situation. As businesses become more and more reliant on IT, financial audit needs to cover the information flow that eventually produces the results as account numbers. In this process, external audit can partially rely on the results provided by internal control systems (if these exist). On the other hand, an overall security review will certainly include the aspect of integrity. Therefore, an audit company can provide good insights in the way information should be processed so that integrity of the end result is preserved. It is my personal opinion however that the process of putting this in place is part of a larger project that can be done by consulting firms that handle this in the broader context of overall IT security management.


  Filip Schepers, Oct 1997 - Last updated 25/10/98