How to Prepare for an Information Technology Audit or Review
Provided by: mariaj6
Slides: 52

Transcript and Presenter's Notes

1
How to Prepare for an Information Technology
Audit or Review
  • Andrew J. Thom, Senior Audit Manager
  • Information Systems Audit

2
Auditor of State's Office
  • Responsible for auditing all public offices
  • Nearly 3000 audits annually
  • 700 auditors / 23 IS auditors

3
Presentation Overview
  • Changes in IT and Audit
  • Audit Objectives
  • Common Control Issues

4
Changes in IT
U.S. Army photo
5
Changes in IT
Server Farm
6
Changes in IT
  • Increased Spending On and Use of IT
  • Increases in Computing Power
  • Shorter Life of Systems and Applications

7
Changes in Audit
  • Rare to find an entity whose use of IT does not
    impact its financial audit.
  • Technology used by Auditors
  • SAS 94

8
Greater Use of Technology by Auditors
9 - 12
(No transcript: image slides)
13
Statement on Auditing Standards 94
  • AU Section 319 (SAS 94)
  • The Effect of Information Technology on the
    Auditor's Consideration of Internal Control in a
    Financial Statement Audit

14
A Few Definitions
  • Information Technology, IT
  • Internal Control
  • General Controls
  • Application Controls

15
What is Information Technology?
  • Information Technology (IT) encompasses automated
    means of originating, processing, storing and
    communicating information, and includes recording
    devices, communication systems, computer systems
    (including hardware and software components and
    data) and other electronic devices.
  • AU Section 319, Consideration of Internal Control
    in a Financial Statement Audit
    (SAS No. 55, SAS No. 78, SAS No. 94)

16
What is Internal Control?
  • AU Section 319 defines internal control as a
    process, effected by an entity's board of
    directors, management, and other personnel,
    designed to provide reasonable assurance regarding
    the achievement of objectives in the following
    categories: (a) reliability of financial
    reporting, (b) effectiveness and efficiency of
    operations, and (c) compliance with applicable
    laws and regulations.
  • AU Section 319, Consideration of Internal Control
    in a Financial Statement Audit
    (SAS No. 55, SAS No. 78, SAS No. 94)
17
What are General Controls?
  • Effective general controls will ensure the
    applications and systems they reside on are
    properly maintained, secured and backed up for
    recovery purposes.

18
General Controls
  • Data center and network operations
  • System software acquisition and maintenance
  • Access security
  • Application system development and maintenance

19
What are Application Controls?
  • Application controls differ from general controls
    because they refer to SPECIFIC applications.
  • Effective application controls will ensure the
    completeness and accuracy of data input,
    processing, and output.

20
IT Audit Control Objectives
  • Overall Operation of the IT Function
  • Development and Implementation of New Application
    Systems
  • Changes to Existing Applications or Hardware
    Systems
  • IT Security
  • IT Operations

21
Audit Objectives in the Overall Operation of the
IT Function
  • IT Personnel
  • Knowledge and education
  • Training for personnel

22
Audit Objectives in the Overall Operation of the
IT Function (cont.)
  • IT Strategy
  • Long range and short range

23
Audit Objectives in Development and Implementation
of New Application Systems
  • Project Management
  • Plan and/or Schedule?
  • Monitoring of the plan and project?

24
Audit Objectives in Development and Implementation
of New Application Systems (cont.)
  • Design/Selection of Applications and Hardware
    Systems
  • Who was involved in the design?
  • Compatibility of the application/hardware with
    existing applications?
  • How are changes reviewed and approved?

25
Audit Objectives in Development and Implementation
of New Application Systems (cont.)
  • Testing of Applications/Systems
  • Who reviews the changes for appropriateness to
    achieve business objectives?
  • How are changes to the application controlled
    before they are transferred into the live
    environment?

26
Audit Objectives in Development and Implementation
of New Application Systems (cont.)
  • Transfer into the Live Environment
  • What ensures that only properly tested/reviewed
    and approved applications and hardware are put
    into the live environment?

27
Audit Objectives in Development and Implementation
of New Application Systems (cont.)
  • Conversion of Data
  • How are balance data (financial, payroll, etc.)
    reconciled prior to transfer?
  • How is the conversion process controlled?
  • How do you ensure appropriate testing of data is
    performed by both users and IT?

28
Audit Objectives in Development and Implementation
of New Application Systems (cont.)
  • Training and Documentation
  • Is updated or new documentation provided to end
    users?
  • How do you ensure users and IT staff have
    appropriate training?

29
Audit Objectives in Changes to Existing
Applications or Hardware Systems
  • Change Requests
  • Who requests and approves changes?
  • Who is involved in the changes?

30
Audit Objectives in Changes to Existing
Applications or Hardware Systems (cont.)
  • Testing of Program Changes or Hardware System
    Upgrades
  • What prevents and detects unauthorized changes to
    applications and hardware?

31
Audit Objectives in Changes to Existing
Applications or Hardware Systems (cont.)
  • Transfer into the Live Environment
  • What ensures that only approved and tested
    changes are put into production?

32
Audit Objectives in Changes to Existing
Applications or Hardware Systems (cont.)
  • Documentation and Training
  • Is updated or new documentation provided to end
    users?
  • How do you ensure users and IT staff have
    appropriate training?

33
Audit Objectives in IT Security
  • Security Management
  • Is there a security policy for all users, and is
    it acknowledged?
  • Are periodic checks performed to confirm the
    users are current and access is commensurate with
    their current job responsibilities?

34
Audit Objectives in IT Security (cont.)
  • System Software and Utilities Access Controls
  • What ensures that access to system software and
    utility programs is properly restricted and
    monitored?

35
Audit Objectives in IT Security (cont.)
  • Application Level Access Controls
  • How is access restricted to appropriate functions
    within applications?

36
Audit Objectives in IT Operations
  • System Administration and Maintenance
  • How is the system monitored and measured for
    availability/downtime?
  • Are there appropriate escalation procedures to
    resolve operational failures?
  • Who ensures the effective administration of the
    databases (DBA)?

37
Audit Objectives in IT Operations (cont.)
  • Backup
  • When are they performed?
  • Where are they stored?
  • How do you know the data on the backup is
    restorable?
  • Is the data ever tested on the backups?

38
Audit Objectives in IT Operations (cont.)
  • Disaster Recovery
  • Has management performed an impact analysis?
  • Is there a documented plan? Is it tested? Are
    the results maintained and used for improvement?
  • Do all parties involved know they are involved
    and to what level?
  • Do you have a spokesperson?
  • Is the plan kept off-site?
  • Do you have insurance for the IT equipment?

39
Audit Objectives in IT Operations (cont.)
  • Business Continuity
  • Do you have a plan? Does it address which
    applications are critical and how long you can
    be without them?
  • Do you have paper stock?

40
Application Control Objectives
  • Authorization
  • Completeness of Input
  • Accuracy of Input
  • Cutoff of Transactions
  • Transaction Classification
  • Transaction Occurrence

41
Application Control Objectives (cont.)
  • Existence
  • Integrity of Standing Data
  • Completeness/Accuracy of Updating
  • Completeness/Accuracy of Accumulated Data
  • Restricted Access to Assets
  • Completeness/Accuracy of Payments

42
IT Audit Common Control Issues
  • Security Related
  • Unchanged Default Settings
  • Excessive Access Rights
  • Ineffective Termination Procedures
  • Ignoring Security Patches, Advisories and Updates
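
The periodic user access check asked for on slide 33 (are users current, and is access commensurate with their job?) and the "Excessive Access Rights" and "Ineffective Termination Procedures" issues above can be turned into a repeatable review. The following is an added example, not code from the presentation or from the Auditor of State's Office; the role-to-entitlement matrix, the account export and the HR roster are all constructed sample data, and the 90-day dormancy threshold is an assumption.

```python
"""Periodic user access review (added example, not part of the presentation).

Cross-checks a constructed export of application accounts against a
constructed HR roster and flags the issues the slides name: terminated
users whose accounts are still enabled, access rights beyond the job role,
accounts with no matching employee, and enabled accounts nobody uses.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

# Hypothetical role-to-entitlement matrix: the access each job role needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap_entry"},
    "ap_supervisor": {"ap_entry", "ap_approve"},
    "payroll": {"payroll_entry", "payroll_run"},
    "sysadmin": {"sysadmin"},
}


@dataclass
class Account:  # one row of the application's user export (constructed)
    user: str
    enabled: bool
    entitlements: Set[str]
    last_login: Optional[date]


@dataclass
class Employee:  # one row of the HR roster (constructed)
    user: str
    role: str
    terminated: Optional[date] = None


def review_access(accounts, roster, as_of, dormant_days=90) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; an empty list means the review is clean."""
    findings = []
    by_user = {e.user: e for e in roster}
    for acct in accounts:
        emp = by_user.get(acct.user)
        if emp is None:
            # Orphaned account: nobody in HR owns it, so nobody can vouch for it.
            findings.append((acct.user, "no matching employee in HR roster"))
            continue
        if acct.enabled and emp.terminated and emp.terminated <= as_of:
            findings.append((acct.user, f"terminated {emp.terminated} but account still enabled"))
        # Anything beyond what the role needs is excessive access.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(emp.role, set())
        if excess:
            findings.append((acct.user, f"access beyond role '{emp.role}': {sorted(excess)}"))
        dormant = acct.last_login is None or (as_of - acct.last_login).days > dormant_days
        if acct.enabled and dormant:
            findings.append((acct.user, f"enabled but no login in {dormant_days} days"))
    return findings


# Constructed sample data; the review is run as of 2024-06-01.
AS_OF = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("asmith", True, {"ap_entry"}, date(2024, 5, 28)),
    Account("bjones", True, {"ap_entry", "ap_approve"}, date(2024, 5, 30)),  # clerk who can approve
    Account("cdoe", True, {"payroll_entry", "payroll_run"}, date(2024, 1, 15)),  # left in February
    Account("svc_old", True, {"sysadmin"}, None),  # no owner in HR
]
SAMPLE_ROSTER = [
    Employee("asmith", "ap_clerk"),
    Employee("bjones", "ap_clerk"),
    Employee("cdoe", "payroll", terminated=date(2024, 2, 1)),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, AS_OF):
        print(f"{user}: {finding}")
```

Run against the sample data, the review reports nothing for asmith, one excessive-access finding for bjones, two findings for cdoe (still enabled after termination, and dormant) and an orphaned account for svc_old. Keeping the output of each run is what lets an auditor see that the periodic check is actually performed.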

43
IT Audit Common Control Issues (cont.)
  • System Availability
  • Infrequent, Untested, and/or On-site Storage of
    Backups
  • Untested, Out of Date, or IT Centric, DRP/
    Business Continuity Plan
  • Infrequent Monitoring of IT Activity

44
IT Audit Common Control Issues (cont.)
  • Selecting and Maintaining Systems
  • Not Having an Effective Process for Selecting a
    New Application
  • Insufficient Testing of the New Application
  • Ignoring Security Controls

45
IT Audit Common Control Issues (cont.)
  • Selecting and Maintaining Systems
  • Inadequate Training
  • Lack of Documentation
  • Too Much Reliance on Vendors

46
Available Guidance
  • COBIT
  • COSO Integrated Framework
  • ISO 17799 Code of Practice for Information
    Security Management

47
Available Guidance (cont.)
  • AICPA SysTrust Principles and Criteria
  • GAO FISCAM (to be released soon)

48
Short List of Low Cost, Low Tech Suggestions to
Improve Controls
  • Set the Tone at the Top: Security Policy
  • Enforce Access Based on Job Need
  • Change Default Settings

49
Short List of Low Cost, Low Tech Suggestions to
Improve Controls (cont.)
  • Test Your Backups
  • Document In-house Procedures and Applications
  • Monitor IT Activity
  • Update IT Skills
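
"Test Your Backups" above, and the backup questions on slide 37 (how do you know the data on the backup is restorable, and is it ever tested?), come down to one exercise: restore the backup somewhere else and compare what comes back with what went in. The following is an added example, not code from the presentation; it builds a small constructed data set, backs it up to a tar archive with a SHA-256 manifest, restores it to a separate directory and reports every missing or altered file. The file names and contents are constructed.

```python
"""Backup restore test (added example, not part of the presentation).

A backup that has never been restored and verified is an untested assumption.
This script records a SHA-256 manifest at backup time, restores the archive
into a scratch directory, and compares every file against the manifest.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Archive source_dir and return the manifest recorded at backup time."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return manifest


def restore_backup(archive_path, restore_dir):
    """Extract the archive into restore_dir, refusing members that escape it."""
    Path(restore_dir).mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        # The 'data' extraction filter blocks path traversal; use it where the
        # running Python provides it (3.12+, and backports to 3.8.17/3.9.17/3.10.12/3.11.4).
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)


def verify_restore(restore_dir, manifest):
    """Return a list of failures; an empty list means the restore is complete and intact."""
    restored = build_manifest(restore_dir)
    failures = []
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            failures.append(f"missing: {rel}")
        elif actual != expected:
            failures.append(f"checksum mismatch: {rel}")
    return failures


def run_demo():
    """Constructed end-to-end test; returns (clean_failures, tampered_failures)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "sub").mkdir(parents=True)
        (source / "ledger.csv").write_text("acct,amount\n1000,250.00\n")  # constructed
        (source / "sub" / "payroll.dat").write_bytes(b"\x00\x01payroll-2024-06")  # constructed
        archive = Path(tmp) / "backup.tar.gz"
        restore = Path(tmp) / "restore"

        manifest = create_backup(source, archive)
        restore_backup(archive, restore)
        clean = verify_restore(restore, manifest)

        # Simulate a bad restore: one file lost, one file silently corrupted.
        (restore / "ledger.csv").unlink()
        (restore / "sub" / "payroll.dat").write_bytes(b"corrupted")
        tampered = verify_restore(restore, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore failures:", clean)
    print("tampered restore failures:", tampered)
```

The manifest is the part worth keeping with the backup media (and off-site, as slide 38 asks of the recovery plan): without a record of what the data looked like when it was backed up, a restore can only show that files exist, not that they are the right files.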

50
Reference List
  • Statement on Auditing Standards 94 (SAS 94). The
    Effect of Information Technology on the Auditor's
    Consideration of Internal Control in a Financial
    Statement Audit. American Institute of Certified
    Public Accountants Auditing Standards Board,
    2001.
  • Internal Control - Integrated Framework. Committee
    of Sponsoring Organizations of the Treadway
    Commission (COSO), 1992. http://www.coso.org/
  • Control Objectives for Information and Related
    Technology (COBIT), Third Edition. Information
    Systems Audit and Control Foundation and the IT
    Governance Institute, 2000.
    http://www.isaca.org/cobit.htm
  • ISO/IEC 17799:2000 - Information Technology - Code
    of Practice for Information Security Management.
    International Organization for Standardization,
    2000. http://www.iso.org/
  • AICPA Information Technology Center:
    http://www.infortech.aicpa.org/
  • CERT Advisories: http://www.cert.org/advisories/

51
  • 88 East Broad Street
  • Columbus, Ohio 43215
  • Phone: (800) 282-0370; Fax: (614) 466-4490
  • E-mail: contactus@auditor.state.oh.us
  • www.auditor.state.oh.us