Title: What do IT Auditors want and Why do they want it
What do IT Auditors want (and Why do they want it)?
What is an IT Audit?
- Like operational, financial and compliance auditors, Information Technology (IT) auditors work to:
  - Understand the existing internal control environment
  - Identify high risk areas through a formal methodology
  - Ensure that adequate internal controls are in place and operate effectively (through the testing of said controls)
  - Recommend control implementation where risk exists
How Does IT Audit Add Value?
- IT Audit provides independent technical expertise to assist non-IT auditors, as well as independent advice to help management understand and effectively manage IT risks and opportunities in various areas, including:
  - Logical security over information assets.
  - IT resource management and usage (hardware, software, staff).
  - Compliance with company IT policies/standards/procedures, state and federal laws/regulations, and IT contract provisions.
  - Backup, retention/archival, and off-site media rotation/storage.
  - Business continuity and disaster recovery planning.
  - Software change control and system development life cycle.
  - Physical security (data center, building/perimeter, off-site area).
What Impacts An IT Audit?
Let's Step Back: WHY IT Audit?
- Because of Information Technology RISK!!
- Risk: The probability that a particular threat exploits a particular vulnerability (i.e. an issue which may impact the ability to meet an objective).
- Threat: Event or entity with the potential to cause unauthorized access, modification, disclosure, or destruction of info resources.
- Vulnerability: Weakness in a system control, or a design flaw, that can be exploited to violate system, network, or data integrity.
How is IT Risk Detected?
- A Risk Analysis uses a formal Risk Methodology
- Risk Analysis (or Risk Assessment): Process of identifying assets and threats, prioritizing the threats' vulnerability and identifying appropriate internal controls (i.e. safeguards).
  - Qualitative (judgmental) and quantitative (measured risk components) analysis is used.
- Risk Methodology: Process used to assess the control risks associated with any particular technology or process vulnerability.
What Reduces IT Risk, and What about any Remaining Risk?
- Internal Controls (i.e. safeguards)
- Control: Protective measure implemented to ensure company assets (IT or otherwise) are both available and accurate in order to meet the business requirements of that asset.
- Residual Risk: The risk that is left over after reasonable internal controls have been both evaluated and implemented.
- Internal Controls do not eliminate all risk!!
General Control Reviews May Include
Why perform a General Control Review?
- A baseline evaluation of IT security controls surrounding the overall computer environment that (along with a Risk Analysis performed) determines specific IT areas needing review!
- General Control Reviews (GCR) usually apply to all of a particular IT platform's application/operating systems. A GCR usually includes a review of logical security, physical security, backup/off-site media rotation, data center/LAN/WAN operations, system administration, disaster recovery/business continuity planning, and/or system development life cycle/system change control.
What are Application Control Reviews?
- A specific audit of one application or process that very often involves processing of business transactions (such as payroll), but may also be of a more technical nature (like a PBX, wire transfer EDI/EFT, or a security s/w installation).
- Application Control Reviews usually include an in-depth evaluation of logical security for one particular system (done in addition to the logical security review performed as part of the GCR). In addition, input edits, segregation of duties, processing checkpoints/restart, process edits, and output control (report distribution and proper destruction of confidential info) are evaluated.
What Else Do IT Auditors Do?
- Internal Consulting: new system development projects or systems having major modifications.
  - IT auditors, for independence reasons, should not be intimately involved in design, development, or installation of new or modified systems.
  - However, IT audit should provide input regarding design of proper internal controls within and surrounding new or modified systems, proper system testing (module, end-to-end, etc.), and proper use of system life cycle methodologies.
What Else Do IT Auditors Do? Here are some more examples:
- Provide independent technical advice, and even programming, for financial/operational auditors
- Assist with IT project prioritization and funding (like participation in workgroups and steering committees)
- Computer systems implementation, conversion, and upgrade projects (project management controls, system development and/or software selection life cycle)
- Use of IT Audit instead of hiring an outside consultant
- Fraud investigations involving computer info systems
How May IT Audit Help Info Sec?
- Provide internal IT audit consulting on any areas deemed to be risky that may later be evaluated in depth by external auditors or government regulators (Y2K, for example, used many IT auditors to ensure proper documentation and retention of the remediation work).
- Provide Security Administration with additional ammo to convince management of needs for security software or intrusion detection systems, disaster recovery plans or an off-site recovery locale, additional Info Sec staff, more time or resources for system design, testing, etc.
- IT Audit and Information Security are two sides of the same coin: IT audit wants control whereas Info Sec wants security; they are often the exact same thing!
What about Compliance IT Auditing?
- Software licensing agreements: audit or assistance
- Internet usage policies/procedures: audit or assistance
- Service Level Agreements (SLAs): audit or assistance
- HIPAA, GLBA, COPPA, etc. regulations: audit participation in project implementation teams (for example, review compliance with new information security and electronic data transmission standards, etc. required by the acts). More info found on these below.
More Compliance IT Auditing
- Gramm-Leach-Bliley Act (GLBA): protects customer financial information from disclosure without permission
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): protects patients' health information and provides for insurance when a worker is terminated
- Children's Online Privacy Protection Act (COPPA): protects children under the age of 13 from being exploited or manipulated on the Internet
IT Audit Coverage is Expanding
- Provide IT audit expertise to those areas/locations with higher risks and/or those requesting IT audit assistance
- Assist external auditors in their audit planning, risk assessment, and even their actual IT audit work.
  - IT risk areas identified for external auditing may only be performed if previous internal IT audit work of the area is found lacking coverage or proper testing.
- Establish relationships with management at distant company locales to provide proper IT controls and/or perform IT control self assessments (CSAs).
- Share IT Best Practices across all client locations.
What about OTHER types of audits that may impact Security Administration functions?
- Traditional Audit Types
  - Financial: opinion audits (CPAs)
  - Operational: process audits; now includes environmental construction
  - Compliance: laws/regulations and policies, standards, and procedures
  - IT: usually considered operational unless performed so opinion auditors may rely on financial info provided
  - Hybrid / Integrated Audit: today almost all audits are actually hybrid
Financial Audits
- Evaluate financial system processing control
  - Ensure that dollars total and balance
  - Ensure financial reporting is consistent throughout all financial documents and tie
- Financial audits are in the realm of public auditors (Big 4) and government examiners (SEC, OCC, FDIC, GAO, etc.)
- Public (external) auditors provide an Opinion on company financial condition
- Internal auditors may assist opinion audit
- IT auditors may be part of opinion audit
Operational Audits
- Review operating policies/procedures
  - Documented policies/procedures?
  - Informal policies/procedures?
- Work flow examined (through flowchart or description requested/developed)
- Controls identified and documented
- Examine the business process and recommend improvements, control related or efficiency/effectiveness
In addition, IT Auditors provide
- Risk consulting
- Fraud investigation related to computers
- Benchmarking (compare us to them)
- Technology expertise related to business
- Business expertise related to technology
- Trusted, objective and independent advice to company depts and/or management
- Peer Reviews of other audit depts
- Help with Control Self Assessments (CSA)
Questions?
Murray Harvel, CISA, CFE
Comptroller of Public Accounts
512-936-0672
murray.harvel_at_cpa.state.tx.us