sia 9


9.11 Obtain a copy of COBIT (available at www.isaca.org), and read the control objectives that relate to encryption (DS5.8 and DS5.11). What are the essential control procedures that organizations should implement when using encryption?

COBIT control objective DS5.8 addresses key management policies with respect to encryption. This should include procedures concerning:

- Minimum key lengths
- Use of approved algorithms
- Procedures to authenticate recipients
- Secure distribution of keys
- Secure storage of keys
- Key escrow
- Policies governing when to use encryption and which information should be encrypted (this probably requires the organization to classify and label all information assets so that employees can identify the different categories)
- Procedures for revoking compromised keys
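As an added example (not part of the answer key and not COBIT's own material), the following Python turns the DS5.8 procedures into a check that a key inventory can run before a key is used: approved algorithms with minimum key lengths, approved secure storage, key escrow, expiry, and revocation of compromised keys. All names, the policy values (128-bit AES, 2048-bit RSA, the approved store names) and the sample key records are assumptions constructed for the illustration, not values the text supplies.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy table: approved algorithms mapped to the minimum key
# length (bits) the organization accepts. These numbers are assumed for the
# example; the answer key only says the policy must specify minimum lengths
# and approved algorithms, not what they are.
APPROVED_MIN_LENGTHS = {"AES": 128, "RSA": 2048, "ECDSA-P256": 256}

# Constructed audit date used by the sample run below.
AUDIT_DATE = date(2024, 6, 1)


@dataclass
class KeyRecord:
    """Metadata an inventory holds about one key (constructed for the example)."""
    key_id: str
    algorithm: str
    length_bits: int
    expires: date
    escrowed: bool      # a recovery copy exists under the key escrow procedure
    storage: str        # where the secret material lives, e.g. "hsm"


@dataclass
class KeyPolicy:
    min_lengths: dict
    approved_storage: set
    require_escrow: bool = True
    revoked: set = field(default_factory=set)

    def revoke(self, key_id: str) -> None:
        """Procedure for revoking a compromised key: record it as revoked."""
        self.revoked.add(key_id)

    def findings(self, key: KeyRecord, today: date) -> list:
        """Return every policy violation for a key; an empty list means compliant."""
        out = []
        min_len = self.min_lengths.get(key.algorithm)
        if min_len is None:
            out.append(f"{key.key_id}: algorithm {key.algorithm} is not approved")
        elif key.length_bits < min_len:
            out.append(f"{key.key_id}: {key.length_bits}-bit {key.algorithm} is below the {min_len}-bit minimum")
        if key.key_id in self.revoked:
            out.append(f"{key.key_id}: key has been revoked")
        if key.expires <= today:
            out.append(f"{key.key_id}: key expired on {key.expires.isoformat()}")
        if key.storage not in self.approved_storage:
            out.append(f"{key.key_id}: stored in '{key.storage}', not an approved secure store")
        if self.require_escrow and not key.escrowed:
            out.append(f"{key.key_id}: no escrow copy on record")
        return out

    def may_use(self, key: KeyRecord, today: date) -> bool:
        """Gate an encryption operation: only a fully compliant key may be used."""
        return not self.findings(key, today)


def audit_inventory(policy: KeyPolicy, keys: list, today: date) -> dict:
    """Map each non-compliant key id to its findings, for the audit report."""
    report = {}
    for key in keys:
        problems = policy.findings(key, today)
        if problems:
            report[key.key_id] = problems
    return report


# Constructed sample inventory: one compliant key and four policy violations.
SAMPLE_KEYS = [
    KeyRecord("k-01", "AES", 256, date(2030, 1, 1), True, "hsm"),
    KeyRecord("k-02", "RSA", 1024, date(2030, 1, 1), True, "hsm"),          # below minimum length
    KeyRecord("k-03", "3DES", 168, date(2030, 1, 1), True, "hsm"),          # algorithm not approved
    KeyRecord("k-04", "AES", 256, date(2030, 1, 1), False, "config-file"),  # bad store, no escrow
    KeyRecord("k-05", "AES", 128, date(2020, 1, 1), True, "hsm"),           # expired
]
SAMPLE_POLICY = KeyPolicy(APPROVED_MIN_LENGTHS, approved_storage={"hsm", "kms"})

if __name__ == "__main__":
    for key_id, problems in audit_inventory(SAMPLE_POLICY, SAMPLE_KEYS, AUDIT_DATE).items():
        print(key_id, problems)
    SAMPLE_POLICY.revoke("k-01")  # key reported compromised: it now fails may_use()
    print("k-01 usable after revocation:", SAMPLE_POLICY.may_use(SAMPLE_KEYS[0], AUDIT_DATE))
```

The point of `may_use()` is that the same checks an auditor applies to the inventory are applied at the moment of use, so a key that is too short, unapproved, expired, badly stored or revoked is refused rather than merely reported later.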

COBIT control objective DS5.11 addresses the use of encryption during the transmission of information. This should include procedures concerning:

- Procedures to ensure information is encrypted prior to transmission
- Specification of approved encryption algorithms
- Access controls over incoming encrypted information
- Secure storage of encryption keys

10.3 For each of the three basic options for replacing IT infrastructure (cold sites, hot sites, and real-time mirroring), give an example of an organization that could use that approach as part of its DRP. Be prepared to defend your answer.

Many solutions are possible. The important point is to justify that the method yields an appropriate RTO for the organization. Cold sites yield RTOs measured in days; hot sites result in RTOs measured in hours; and real-time mirroring has RTOs measured in minutes. Here are some possible examples:

Cold site: smaller businesses, such as a local CPA firm. In most situations, CPA firms can probably function without their main information system for a day or a couple of days. Most employees have laptops and could continue to do much of their work (collecting audit evidence, writing reports, working on spreadsheets) and then upload their work to the main servers once the cold site is up and running.

Hot site: Many businesses could function for several hours using paper-based forms until their data center was back up and running. For example, if a retailer's information system went down, new sales orders could be processed on paper and entered later.

Real-time mirroring: Internet-only companies need this because they can only earn revenue when their web site is up and running. Nor can airlines and financial institutions operate using paper-based forms; they need to have a backup system available at all times.

11.1 You are the director of internal auditing at a university. Recently, you met with Issa Arnita, the manager of administrative data processing, and expressed the desire to establish a more effective interface between the two departments. Issa wants your help with a new computerized accounts payable system currently in development.

He recommends that your department assume line responsibility for auditing suppliers' invoices prior to payment. He also wants internal auditing to make suggestions during system development, assist in its installation, and approve the completed system after making a final review.

Required: Would you accept or reject each of the following? Why?

a. The recommendation that your department be responsible for the pre-audit of suppliers' invoices?

Internal auditing should not assume responsibility for pre-audit of disbursements. Objectivity is essential to the audit function, and internal auditors should be independent of the activities they must review. They should not prepare records or engage in any activity that could compromise their objectivity and independence. Furthermore, because internal auditing is a staff function, involvement in such a line function would be inconsistent with the proper role of an internal auditor.

b. The request that you make suggestions during system development?

It would be advantageous for internal auditing to make specific suggestions during the design phase concerning controls and audit trails to be built into a system. Internal auditing should build an appropriate interface with the Data Processing Department to help achieve this goal. Neither objectivity nor independence is compromised if the auditor makes recommendations for controls in the system under review. For example, internal auditing may:

- Provide a list of control requirements.
- Review testing plans.
- Determine that there are documentation standards and that they are being followed.
- Determine that the project itself is under control and that there is a system for gauging design progress.

Internal auditing must refrain, however, from actual participation in system design.

c. The request that you assist in the installation of the system and approve the system after making a final review?

The auditor must remain independent of any system they will subsequently audit. Therefore, the auditor must refrain from giving overall approval of the system in final review. The auditor may help in the installation or conversion of the system by continuing to offer suggestions for controls, particularly during the implementation period. In this situation, the auditor may review for missing segments, results of testing, and adequacy of documentation of programs and procedures in order to determine readiness of the system for installation or conversion. After installation or conversion, the auditor may participate in a post-installation audit, either alone or as part of a team.