Monday, April 26, 2010

Technologies supporting ERM Audits - Computer-Assisted Auditing Tools and Techniques (CAATTs)

Since many audit departments are small relative to the functional departments they review, auditors need software to make their assessments more reliable. Computer-Assisted Auditing Tools and Techniques (CAATTs) were developed for this purpose. Unfortunately, most such tools have to be adapted to the needs of the individual company, so an off-the-shelf approach is rarely possible [1].

In my opinion, four of the most useful software classes are:
  • Flowcharting software. Because many tasks in a business process have sub-processes and sub-sub-processes, the complexity can be too high to step through every task manually. Flowcharting software eases the burden on the auditing department and improves the quality and reliability of business process audits. By automatically testing segregation of duties and the control of information, proposed changes to business processes can be tested for compliance before they are introduced in the company. An example is the Compliance Monitoring Software by ComplianceTrack [2].
  • Computer-Aided Software Engineering (CASE) tools. These tools control how programmers plan and implement software in order to increase the quality of the resulting code. They can generate program code from workflows, enforce structural conventions in the implementation (comments, declaration of variables, etc.), or even generate full documentation automatically. Since 70-80% of the total cost of software is maintenance, a large amount of money can be saved by producing code that is easier to maintain, and higher-quality code reduces the risk of system failures during and after the introduction of new applications. With quality up and costs down, programming policies can be audited continuously without an auditor having to review the code after every change; a review of the policies together with test samples is then enough to control this risk area. Examples of CASE tools are MagicDraw [3] and Astade [4].
  • Disaster simulations. Testing a disaster recovery plan when it is implemented, and periodically checking that it still fits the situation, is of the utmost importance. Unfortunately, it is nearly impossible to test recovery plans during normal operations without risking data loss and interrupted work. Disaster simulations were invented for this reason: they simulate how people react to certain threats, show where resources run short, and show how particular technical failures could lead to a shutdown of systems. Although these systems are still in early development and are used mostly for real-world disasters such as terrorist attacks, or for physical security assessments, some attempts have been made to use them in the corporate world too [5], [6].
  • Network security frameworks. Since security issues still make up a large share of IT risk, more versatile network security auditing tools have emerged. They range from vulnerability scanners that probe a range of IP addresses for open ports and report services that may be vulnerable, such as Nessus, to frameworks such as the Metasploit Framework, which automate not only scanning but also the exploitation of the vulnerabilities found [7]. Such automation can find hosts that do not comply with the security policy and can also be used to test the Intrusion Detection Systems deployed in the company.
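As an added example of the segregation-of-duties test described under flowcharting software (this is not code from the post and not ComplianceTrack's product): a purchase-to-pay process is modelled as steps mapped to roles, users are mapped to roles, and conflict rules list the step pairs that must never be carried out by the same person. The process, the users and the rules are constructed for the example. The check also simulates a proposed role change before it is applied, which is the "test before introduction" the bullet describes.

```python
"""Segregation-of-duties (SoD) check over a modelled business process.

Added example, not code from the original post or from ComplianceTrack.
Process steps, roles, users and conflict rules below are constructed.
"""

# Constructed process model: step -> role entitled to perform it
PROCESS = {
    "create_vendor": "purchasing",
    "create_purchase_order": "purchasing",
    "approve_purchase_order": "purchasing_manager",
    "receive_goods": "warehouse",
    "approve_invoice": "accounts_payable",
    "release_payment": "treasury",
}

# Constructed role assignments (a user may hold several roles)
USER_ROLES = {
    "alice": {"purchasing"},
    "bob": {"purchasing_manager"},
    "carol": {"warehouse"},
    "dave": {"accounts_payable"},
    "erin": {"treasury"},
}

# Constructed SoD rules: pairs of steps that must not be done by one person
CONFLICTS = [
    ("create_vendor", "release_payment"),
    ("create_purchase_order", "approve_purchase_order"),
    ("receive_goods", "approve_invoice"),
    ("approve_invoice", "release_payment"),
]


def users_for_step(step, process, user_roles):
    """All users whose roles entitle them to perform `step`."""
    role = process[step]
    return {user for user, roles in user_roles.items() if role in roles}


def sod_violations(process, user_roles, conflicts):
    """Return (user, step_a, step_b) for each user able to perform both steps of a conflict."""
    violations = []
    for step_a, step_b in conflicts:
        both = users_for_step(step_a, process, user_roles) & users_for_step(step_b, process, user_roles)
        violations.extend((user, step_a, step_b) for user in sorted(both))
    return violations


def uncovered_steps(process, user_roles):
    """Steps nobody can perform: a control that blocks the process is also a finding."""
    return sorted(step for step in process if not users_for_step(step, process, user_roles))


def check_change(process, user_roles, conflicts, user, new_role):
    """Simulate granting `new_role` to `user` and return only the violations that change would introduce."""
    before = set(sod_violations(process, user_roles, conflicts))
    proposed = {u: set(roles) for u, roles in user_roles.items()}
    proposed.setdefault(user, set()).add(new_role)
    after = set(sod_violations(process, proposed, conflicts))
    return sorted(after - before)


if __name__ == "__main__":
    print("baseline violations:", sod_violations(PROCESS, USER_ROLES, CONFLICTS))
    print("uncovered steps:", uncovered_steps(PROCESS, USER_ROLES))
    # Proposed change: alice is to cover for bob during his holiday
    print("introduced by change:", check_change(PROCESS, USER_ROLES, CONFLICTS, "alice", "purchasing_manager"))
```

The change check reports only the new violations, so an auditor reviewing a role request sees exactly which conflict the request would create rather than the full matrix.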
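As an added example for the network security bullet (not code from the post, and not part of Nessus or Metasploit): a small Python script that parses nmap's grepable output (`-oG`) and compares each host's open ports against a port policy, which is the "hosts not complying with the security policy" check the bullet describes. The scan output, host names, addresses and policy are constructed for the example so it runs offline; the field layout it parses (port/state/protocol/owner/service/rpc info/version) is nmap's documented grepable format.

```python
"""Compare nmap grepable (-oG) scan output against a port policy.

Added example, not code from the original post or from nmap/Nessus/Metasploit.
Scan output, hosts and policy are constructed; a real run would read the
output of `nmap -sV -oG report.gnmap <range>` instead of SAMPLE_SCAN.
"""
import re

# Constructed sample of nmap -oG output (fields within a Host line are tab-separated)
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated Mon Apr 26 2010 as: nmap -sV -oG - 10.0.0.0/29
Host: 10.0.0.5 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 3306/open/tcp//mysql//MySQL 5.7/\tIgnored State: closed (998)
Host: 10.0.0.6 (web01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx/, 443/open/tcp//https//nginx/, 23/open/tcp//telnet//Linux telnetd/\tIgnored State: closed (996)
Host: 10.0.0.7 (ws17.example.internal)\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 445/open/tcp//microsoft-ds//Windows 7/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)
# Nmap done at Mon Apr 26 2010 -- 3 IP addresses (3 hosts up) scanned
"""

# Constructed policy: services never allowed anywhere, plus per-host allow lists
POLICY = {
    "always_forbidden": {21, 23, 512, 513, 514},  # clear-text remote access services
    "allowed": {
        "db01.example.internal": {22, 3306},
        "web01.example.internal": {22, 80, 443},
        "ws17.example.internal": {3389},
    },
}

# One port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")
HOST_RE = re.compile(r"(\S+) \(([^)]*)\)")


def parse_grepable(text):
    """Return {ip: {"name": hostname, "ports": [port dicts]}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        match = HOST_RE.match(fields.get("Host", ""))
        if not match:
            continue
        ip, name = match.group(1), match.group(2)
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        for m in PORT_RE.finditer(fields.get("Ports", "")):
            entry["ports"].append({
                "port": int(m.group(1)), "state": m.group(2), "proto": m.group(3),
                "service": m.group(4), "version": m.group(5),
            })
    return hosts


def check_policy(hosts, policy):
    """Return (ip, name, port, service, reason) for every exposed port the policy does not permit."""
    findings = []
    for ip, info in hosts.items():
        allowed = policy["allowed"].get(info["name"])
        for p in info["ports"]:
            if p["state"] != "open":
                continue  # only reachable services are exposure; filtered/closed are noted elsewhere
            if p["port"] in policy["always_forbidden"]:
                findings.append((ip, info["name"], p["port"], p["service"], "forbidden service"))
            elif allowed is None:
                findings.append((ip, info["name"], p["port"], p["service"], "host not in policy"))
            elif p["port"] not in allowed:
                findings.append((ip, info["name"], p["port"], p["service"], "port not allowed for this host"))
    return findings


if __name__ == "__main__":
    for ip, name, port, service, reason in check_policy(parse_grepable(SAMPLE_SCAN), POLICY):
        print(f"{ip:<12} {name:<24} {port:>5}/{service:<14} {reason}")
```

Unknown hosts are reported as findings rather than skipped: a machine that answers on the audited range but is missing from the policy is itself a compliance gap, not a reason to stay silent.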


Video: Using the Metasploit Framework

In conclusion, without the help of these software tools, IT auditing would not only be very hard to conduct, but also too costly or too low in quality. Many other types of CAATT software exist, and we will see more thorough development in the future as more standards emerge in this field.


References:

[5] BusinessWeek, "Simulation Software vs. Terrorists", May 25, 2004, http://www.businessweek.com/technology/content/may2004/tc20040525_7827_tc148.htm
[6] Wired.com, "Videogame Technology Helps With Disaster Planning", February 2, 2009, http://www.wired.com/software/coolapps/news/2009/02/disaster_modeling