In: Computer Science
Subject: Security Policy & Procedures
Describe what a Data Flow Diagram is and why it is useful for IT auditing. One paragraph should describe what a Data Flow Diagram is, and the second paragraph should describe why it is useful for IT auditing.
What is a data flow diagram (DFD)?
A picture is worth a thousand words. A Data Flow Diagram (DFD) is a traditional way to visualize the information flows within a system. A neat and clear DFD can depict a good amount of the system requirements graphically. It can be manual, automated, or a combination of both.
It shows how information enters and leaves the system, what changes the information and where information is stored. The purpose of a DFD is to show the scope and boundaries of a system as a whole. It may be used as a communications tool between a systems analyst and any person who plays a part in the system that acts as the starting point for redesigning a system.
It is usually beginning with a context diagram as level 0 of the DFD diagram, a simple representation of the whole system. To elaborate further from that, we drill down to a level 1 diagram with lower-level functions decomposed from the major functions of the system. This could continue to evolve to become a level 2 diagram when further analysis is required. Progression to levels 3, 4 and so on is possible but anything beyond level 3 is not very common. Please bear in mind that the level of detail for decomposing a particular function depending on the complexity that function.
Useful for IT auditing
The critical ingredients involved in planning an IT audit are an appreciation of the IT environment, understanding the IT risks and pinpointing the resources required to carry out the work. We will cover each in turn.
The IT environment - An appreciation of the IT environment flows from an understanding of the internal IT procedures and operations of the subject under review. This cannot be stressed enough. Without this basic understanding it is likely that audit work will be misdirected, raising the risk of drawing unsuitable or incorrect conclusions. This initial research work should involve a high level review of the IT procedures and control environment in place focusing on the basic principles of IT security which are Confidentiality, Integrity and Availability. At a minimum, the areas covered at this stage would be:
a) Change Management, i.e. the change controls around software and hardware updates to critical systems;
b) Access Security i.e. the access controls enforced to enter the systems both internally and externally, and;
c) Business Continuity and Disaster recovery i.e. the ability of an enterprise to safeguard information assets from unforeseen threats or disasters and how to quickly recover from them.
Having this level of understanding will enable the IT auditor to plan out their work efficiently and effectively.
IT risks - As is the case for other types of professionally handled audit work, these days most IT auditors apply the risk-based approach to planning and performing their work. This involves identifying the most important risks, linking these to control objectives and identifying specific controls to mitigate these risks. In this respect, IT auditing standards/guidelines (e.g. ISO 27001 & COBIT 5) may be used by the IT Auditor to identify or advise on controls that will reduce the risks identified to an acceptable level.
Resources required – The last important piece in the audit planning jigsaw is to assess the amount of work involved including the need for specialist expertise. With the timing and availability of suitable IT audit human resources typically being a challenge, getting this step right should result in higher quality and lower cost audit work.