What do IT Auditors want and Why do they want it - PowerPoint PPT Presentation

1
What do IT Auditors want (and Why do they want it)?
2
What is an IT Audit?
  • Like operational, financial and compliance auditors, Information Technology (IT) auditors work to:
    • Understand the existing internal control environment
    • Identify high risk areas through a formal methodology
    • Ensure that adequate internal controls are in place and operate effectively (through the testing of said controls)
    • Recommend control implementation where risk exists

3
How Does IT Audit Add Value?
  • IT Audit provides independent technical expertise to assist non-IT auditors, as well as independent advice to help management understand and effectively manage IT risks and opportunities in various areas, including:
    • Logical security over information assets.
    • IT resource management and usage (hardware, software, staff).
    • Compliance with company IT policies/standards/procedures, state and federal laws/regulations, and IT contract provisions.
    • Backup, retention/archival, and off-site media rotation/storage.
    • Business continuity and disaster recovery planning.
    • Software change control and system development life cycle.
    • Physical security (data center, building/perimeter, off-site area).

4
What Impacts An IT Audit?
5
Let's Step Back: WHY IT Audit?
  • Because of Information Technology RISK!!
  • Risk: The probability that a particular threat exploits a particular vulnerability (i.e. an issue which may impact the ability to meet an objective).
  • Threat: An event or entity with the potential to cause unauthorized access, modification, disclosure, or destruction of information resources.
  • Vulnerability: A weakness in a system control, or a design flaw, that can be exploited to violate system, network, or data integrity.

6
How is IT Risk Detected?
  • A Risk Analysis uses a formal Risk Methodology.
  • Risk Analysis (or Risk Assessment): The process of identifying assets and threats, prioritizing the threats' vulnerabilities, and identifying appropriate internal controls (i.e. safeguards).
  • Both qualitative (judgmental) and quantitative (measured risk components) analysis are used.
  • Risk Methodology: The process used to assess the control risks associated with any particular technology or process vulnerability.

7
What Reduces IT Risk, and What about any Remaining Risk?
  • Internal Controls (i.e. safeguards)
  • Control: A protective measure implemented to ensure company assets (IT or otherwise) are both available and accurate in order to meet the business requirements of that asset.
  • Residual Risk: The risk that is left over after reasonable internal controls have been both evaluated and implemented.
  • Internal Controls do not eliminate all risk!!
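As an added example (not part of the original presentation), the definitions on slides 5 through 7 worked through in code: a small risk register scores each asset/threat/vulnerability combination by likelihood times impact (the quantitative component), layers a judgmental High/Medium/Low rating on top (the qualitative component), ranks the entries for the risk analysis, and then applies controls to show the residual risk that is left over. All assets, figures, thresholds and control names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    """Internal control (safeguard) that removes a fraction of likelihood and/or impact."""
    name: str
    likelihood_cut: float = 0.0
    impact_cut: float = 0.0

@dataclass
class Exposure:
    """One asset/threat/vulnerability combination identified during the risk analysis."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: float  # probability per year that the threat exploits the vulnerability (0-1)
    impact: float      # quantitative loss (dollars) if it does
    controls: list = field(default_factory=list)

def inherent_risk(e: Exposure) -> float:
    """Risk = probability the threat exploits the vulnerability, weighted by impact."""
    return e.likelihood * e.impact

def residual_risk(e: Exposure) -> float:
    """Risk left over after the listed controls are applied; controls never drive it to zero."""
    likelihood, impact = e.likelihood, e.impact
    for c in e.controls:
        likelihood *= 1.0 - c.likelihood_cut
        impact *= 1.0 - c.impact_cut
    return likelihood * impact

def rate(risk: float) -> str:
    """Qualitative (judgmental) rating layered on the quantitative figure; thresholds are constructed."""
    return "High" if risk >= 50_000 else "Medium" if risk >= 10_000 else "Low"

def prioritize(register: list) -> list:
    """Order the register so the highest inherent risk gets reviewed first."""
    return sorted(register, key=inherent_risk, reverse=True)

# Constructed sample register: every asset, figure and control name is illustrative only.
REGISTER = [
    Exposure("Payroll application", "Unauthorized modification", "No periodic access review",
             0.2, 500_000, [Control("Quarterly access recertification", likelihood_cut=0.5),
                            Control("Segregation of duties for pay changes", likelihood_cut=0.5)]),
    Exposure("Off-site backup tapes", "Disclosure", "Tapes shipped unencrypted",
             0.1, 200_000, [Control("Encrypt media before rotation", impact_cut=0.9)]),
    Exposure("Data center", "Destruction", "No tested recovery site",
             0.1, 2_000_000, [Control("Tested disaster recovery plan", impact_cut=0.6)]),
]
```

Running `prioritize(REGISTER)` puts the data center first, and its residual risk stays High even after the recovery plan is applied, which is the point of the last bullet above.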

8
General Control Reviews May Include
9
Why perform a General Control Review?
  • A baseline evaluation of the IT security controls surrounding the overall computer environment that (along with a Risk Analysis performed) determines the specific IT areas needing review!
  • General Control Reviews (GCR) usually apply to all of a particular IT platform's application/operating systems. A GCR usually includes a review of logical security, physical security, backup/off-site media rotation, data center/LAN/WAN operations, system administration, disaster recovery/business continuity planning, and/or system development life cycle/system change control.

10
What are Application Control Reviews?
  • A specific audit of one application or process that very often involves the processing of business transactions (such as payroll), but may also be of a more technical nature (like a PBX, wire transfer EDI/EFT, or a security software installation).
  • Application Control Reviews usually include an in-depth evaluation of logical security for one particular system (which is done in addition to the logical security review performed as part of the GCR). In addition, input edits, segregation of duties, processing checkpoints/restart, process edits, and output control (report distribution and proper destruction of confidential info) are evaluated.

11
What Else Do IT Auditors Do?
  • Internal Consulting: new system development projects or systems having major modifications.
  • IT auditors, for independence reasons, should not be intimately involved in the design, development, or installation of new or modified systems.
  • However, IT audit should provide input regarding the design of proper internal controls within and surrounding new or modified systems, proper system testing (module, end-to-end, etc.), and proper use of system life cycle methodologies.

12
What Else Do IT Auditors Do? Here are some more examples
  • Provide independent technical advice, and even programming, for financial/operational auditors
  • Assist with IT project prioritization and funding (like participation in workgroups and steering committees)
  • Computer systems implementation, conversion, and upgrade projects (project management controls, system development and/or software selection life cycle)
  • Use of IT Audit instead of hiring an outside consultant
  • Fraud investigations involving computer information systems

13
How May IT Audit Help Info Sec?
  • Provide internal IT audit consulting on any areas deemed to be risky that may later be evaluated in-depth by external auditors or government regulators (Y2K, for example, used many IT auditors to ensure proper documentation and retention of the remediation work).
  • Provide Security Administration with additional ammo to convince management of the need for security software or intrusion detection systems, disaster recovery plans or an off-site recovery locale, additional Info Sec staff, more time or resources for system design, testing, etc.
  • IT Audit and Information Security are two sides of the same coin: IT audit wants control, whereas Info Sec wants security; they are often the exact same thing!

14
What about Compliance IT Auditing?
  • Software licensing agreements: audit or assistance
  • Internet usage policies/procedures: audit or assistance
  • Service Level Agreements (SLAs): audit or assistance
  • HIPAA, GLBA, COPPA, etc. regulations: audit or participation in project implementation teams (for example, review compliance with the new information security and electronic data transmission standards, etc. required by the acts). More info on these is found below.

15
More Compliance IT Auditing
  • Gramm-Leach-Bliley Act (GLBA): protects customer financial information from disclosure without permission
  • Health Insurance Portability and Accountability Act of 1996 (HIPAA): protects patients' health information and provides for insurance when a worker is terminated
  • Children's Online Privacy Protection Act (COPPA): protects children under the age of 13 from being exploited or manipulated on the Internet

16
IT Audit Coverage is Expanding
  • Provide IT audit expertise to those areas/locations with higher risks and/or those requesting IT audit assistance
  • Assist external auditors in their audit planning, risk assessment, and even their actual IT audit work.
  • External audit work on identified IT risk areas may only be performed if the previous internal IT audit work in that area is found to lack coverage or proper testing.
  • Establish relationships with management at distant company locations to provide proper IT controls and/or perform IT control self assessments (CSAs).
  • Share IT Best Practices across all client locations.

17
What about OTHER types of audits that may impact Security Administration functions?
  • Traditional Audit Types
    • Financial: opinion audits (CPAs)
    • Operational: process audits (now including environmental construction)
    • Compliance: laws/regulations and policies, standards, and procedures
    • IT: usually considered operational unless performed so that opinion auditors may rely on the financial info provided
    • Hybrid (Integrated Audit): today almost all audits are actually hybrid

18
Financial Audits
  • Evaluate financial system processing controls
  • Ensure that dollars total and balance
  • Ensure financial reporting is consistent throughout all financial documents and ties
  • Financial audits are in the realm of public auditors (Big 4) and government examiners (SEC, OCC, FDIC, GAO, etc.)
  • Public (external) auditors provide an Opinion on company financial condition
  • Internal auditors may assist the opinion audit
  • IT auditors may be part of the opinion audit

19
Operational Audits
  • Review operating policies/procedures
    • Documented policies/procedures?
    • Informal policies/procedures?
  • Work flow examined (through a flowchart or description requested/developed)
  • Controls identified and documented
  • Examine the business process and recommend improvements, whether control related or efficiency/effectiveness related

20
In addition, IT Auditors provide
  • Risk consulting
  • Fraud investigation related to computers
  • Benchmarking (compare us to them)
  • Technology expertise related to business
  • Business expertise related to technology
  • Trusted, objective and independent advice to company departments and/or management
  • Peer Reviews of other audit departments
  • Help with Control Self Assessments (CSA)

21
Questions?

22
Murray Harvel, CISA, CFE
Comptroller of Public Accounts, 512-936-0672, murray.harvel_at_cpa.state.tx.us