Auditing Computer and Network Security


The Scope


Information is a critical organization resource. With the expanded availability of computers to users of all types throughout the world, more data are being processed in shorter periods of time. In addition, increasing amounts of data are stored in computers and computer media.

Computer and network security requires comprehension of the terms vulnerability, exposure and risk. A vulnerability is a weakness in the computer and network system that may become a threat or a risk. An exposure results from the threat of an event that has the potential of becoming a risk. A computer risk comprises the probability that an event could result in a loss. The impact of such risks, exposures, and losses can include financial and personnel losses, loss of reputation and client base, inability to function in a timely manner, inability to grow, and violation of laws and regulations.

Auditors assess whether computer and network systems safeguard company assets, maintain data integrity, and achieve the organizations goals. Management and auditors are concerned about the protection against such threats as:

  • Inadequate data integrity
  • Manipulation of financial, operating, and accounting records
  • Unauthorized access to information by both employees and outsiders
  • Industrial espionage
  • Sabotage of programs, equipment, or facilities
  • Loss, damage, or modifications of data due to disasters
  • Inefficient allocation of resources
  • Copyright violations
  • Infection and contamination of software or hardware or by malicious software
  • Obsolescence of equipment, programs, and data
  • Computer abuse and misuse
  • Theft, including computer time
  • Lack of business continuity plan, backup facilities, or equipment
  • Inadequate control of cost, availability, and security of remote computing and telecommunication processes

The audit process will provide recommendations for actions, which eliminate or minimize the losses by identifying vulnerabilities, exposures, and risks. Auditors will check if adequate controls are in place, ensure that audit trails and security measures in place, and ascertain whether these controls, audit trails, and security measures are functioning in an effective manner.

The audit function can be viewed as an effort that focuses on helping organizations attain the traditional audit objectives. Auditors review systems under development, pre-implementations, as well as enhancements, data centers, and application systems.