IT Audit for Non-IT Auditors
Posted on 25-Jan-2015

Slide 1: IT Audit for Non-IT Auditors
Ed Tobias, CISA, CIA, CFE
February 4, 2011
Slide 2: Overview
- What is an IT Auditor? Skills
- Without IT Audit, what areas/risks may not be covered?
- Areas for Non-IT Auditors
- Next steps?
- Questions?

Slide 3: To Keep Things Moving…
- Participate!
- Questions: brief ones will be answered as they come; complex ones, save until the end or offline
Slide 4: What is an IT Auditor?
- Skills: hard vs. soft
- Education: technology-related or non-technical
- Professional background: IT, consulting

Slide 5: What is an IT Auditor?
- Certifications: CISA, CITP, CISM, CISSP; vendor certifications (e.g. MCSE, CCNA); others (e.g. PMP, CIPP, CIA)
- Training: on the job, specialized courses
Slide 6: Auditors must have …
IIA Attribute Standard 1210.3: “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.”

Slide 7: Areas that may need help
- Disaster Recovery
- Data Mining
- ITGC review
- Application Controls testing
- User-developed applications
- SAS70 (SSAE 16) considerations
- Data integrity / confidentiality
- Working with IT to get data for testing

Slide 8: Areas that Non-IT Auditors can perform
- Disaster Recovery (Steve will present)
- Data Mining
- SAS70 (SSAE 16) review
- ITGC review
Slide 12
- Analyze the entire population instead of taking a sample
- Predicting major increases in technology audit tools
- Assess current skills
- Create a plan to address deficiencies

Slide 13: Data Mining
- Current perceptions
- What is Data Mining?
- How is it used?
- How can I use it?

Slide 14: Current Perceptions about DM
- Who has NOT heard of DM?
Slide 15: What Is Data Mining?
- Automate detection of relevant patterns
- Look at current and historical data
- Predict future trends
- Efficient method to analyze large amounts of data
- Enhance key item sampling
- Means for “continuous auditing”

Slide 16: How Is Data Mining Used?
- Audit process: risk assessment, controls assessment
- Fraud detection and prevention; IIA’s IPPF, Internal Auditing and Fraud: “Routine and/or ad hoc matching of … data against relevant transactions, vendor lists, employee rosters, and other data” (p. 22)

Slide 17: Data Mining Process
1. Validate your data
2. System risk assessment
3. Perform testing
Slide 18: 1. Validate your data
- Compare the file totals to control totals: total record count; subtotal of key numeric fields (e.g. amount)

Slide 19: 2. System Risk Assessment
- Article for upcoming ISACA Journal titled “Taking Your First Steps in Data Mining”
- Assess the risk of unauthorized data modification: important for fraud detection or compliance
- Is the system “user-developed”, formally managed by IT, or outsourced?

Slide 20: 3. Perform testing
- Check for missing data: blank fields or missing records
- Invalid data: characters in numeric fields
- Duplicate records
- Data within scope period
- Accurate computed fields: independently perform the calculations
- Stratify data: approval limits
- Benford’s Law: find anomalies
Slide 21: Can I Do It?
- These functions are possible WITHOUT DM software, but more time and effort are required
- DM software provides: efficiency, audit log functions, repeatability, a basis for continuous auditing
- Scripts / enterprise platforms

Slide 22: Example – Risk Assessment / Control Effectiveness
- Purchase Order Review, 24 months: 6,000+ POs; 490,000+ records in the Accounting system; 510,000+ records related to payments

Slide 23: Example
- Isolated 14,000 payment records related to 6,000+ POs
- Developed risk-based reports: total department spend; total vendor spend; top 10 departments / vendors; possible split transactions; non-compliance with policies

Slide 24: Example
- Benford’s Law helps identify unusual transactions
Slide 26: SAS70 Review
- Why do we need it? It explains the controls at a service organization and tests their effectiveness over a period (Type II SAS 70)
- Supports financial statement assertions
- We can’t audit the service organization ourselves

Slide 27: SAS 70 -> SSAE 16
- Based on the International Standards for Assurance Engagements
- Effective for periods ending on/after June 15, 2011
- NOT a certification for the service organization

Slide 28: SSAE 16
- Deals with controls over subject matter for financial reporting
- Other areas (Security, Availability, Processing Integrity, Confidentiality, or Privacy) will be dealt with in another AICPA guide in 2011: the AICPA SOC (Service Organization Control) 2, Type II report

Slide 29: IT Audit Items?
- Section II, information provided by the service organization: description of the IT environment and related ITGC; User Control Considerations (have they been reviewed? are they implemented?)
- Section IV, supplemental information: DR / Business Continuity Plan
Slide 30: ITGC Review
IIA Attribute Standard 1210.3: “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.”

Slide 31: A few words about ITGC…
- It’s not necessary to know “everything” about IT controls
- 2 key control concepts:
  1. Assurance from IT controls is within the whole system of internal control: continuous; produces a reliable evidence trail

Slide 32: A few words about ITGC…
  2. The auditor’s assurance is an independent, objective assessment of #1: understand, examine, and assess the controls related to the risks auditors manage; perform sufficient control testing (controls designed appropriately and functioning effectively)
- Source: GTAG-1: Information Technology Controls, p. 3
Slide 33: ITGC Review
- Considered during SOX audits: risk of material misstatement
- Applies to all key systems involved with financial reporting
- Can extend to key operational systems: bad data = bad management decisions

Slide 34: ITGC Review
- Which is more reliable: a manual or an automated control?
- Many controls are “hybrid”: partly automated; the manual control relies on application functionality
- Example: a key control to detect duplicate receipts relies on review of a system report

Slide 35: ITGC Review
- Key automated / hybrid controls: assess and test the ITGC that provide assurance that automated controls perform consistently and appropriately

Slide 36: ITGC Review
- Minimum 5 areas of review:
  1. IT Entity-level
  2. Change Management
  3. Information Security
  4. Backup and Recovery
  5. 3rd party IT providers
- Depends on the risk to the system or department
Slide 37: How to use the template?
- Guide for examining IT audit areas
- Risk assessment: use judgment to determine the applicable areas
- Helps determine “key information technology risks”

Slide 38: 1. IT Entity-level
- Related to the entity’s environment; covers IT as a whole: acquisition, implementation, management, governance (Johan will present), policies & procedures, IT risk management, planning / strategy

Slide 39: 1. IT Entity-level
- What impact do these controls have on the system?
- Understand the level of IT sophistication within the system and/or organization

Slide 40: Level of IT Sophistication
- Assess the complexity of the system -> relevance of ITGC
- Low: COTS, 1 server, 1-15 users
- High: ERP and/or customized, 4+ servers, 30+ users
- Appendix B: guidelines for IT sophistication levels

Slide 41: 1. IT Entity-level
- What impact do these controls have on the system? Low IT sophistication = low risk to the system / department
- Consider mitigating controls

Slide 42: 1. IT Entity-level
- Annual technology plan: IT should align with the business
- Annual budget: overspending?
- Prioritization: alignment with business changes
Slide 44: 2. Change Management
- All changes to the system: properly authorized, securely implemented
- Applies to software (applications) and hardware (infrastructure: operating systems and networks)

Slide 45: 2. Change Management
- Properly scope the risk: vendor-supplied updates; in-house coding and updates
- Relevant with higher levels of IT sophistication: mature, more defined processes; Change Review Board

Slide 46: 2. Change Management
- Segregation of Duties (SoD) across creating the change, approval, testing, and implementation
- Emergency changes: change implemented before approval

Slide 47: Fraud Example
- Deputy Treasurer-Controller of a WA state public utility district
- Issued $236,925.23 to himself
- Was authorized to make program changes and implemented those changes himself
- Circumvented manual controls by A/P
- Caught by an A/P clerk who noticed a $7,000 check cashed by him
Slide 49: 3. Information Security
- Unauthorized access to the programs or data
- 2 types of access: physical, logical

Slide 50: 3. Information Security
- Physical: limit physical access to the servers and critical infrastructure: locked doors, cameras, security guards, biometrics

Slide 51: 3. Information Security
- Logical: limit access to the applications and data
- Less IS More: least amount of privileges to perform job functions
- Segregation of Duties
- Limit physical access to the servers

Slide 52: 3. Information Security
- Important to distinguish information security problems from risk to the system
- Compensating manual controls in place to detect / prevent errors?
- Low IT sophistication = low risk for financial misstatements, but higher operational / regulatory risk
Slide 53: 3. Information Security
- Security policy: tone at the top; sets guidelines for acceptable use; part of the employee handbook
- Access privileges: role-based -> well-defined; the “backup” has conflicting roles; bypass management controls

Slide 54: 3. Information Security
- Only current employees have access: disable unused accounts; temps / contractors

Slide 55: 3. Information Security
- Strong passwords: periodic change (90 days); password history; minimum length; complexity (upper / lower case, numbers / symbols, no dictionary words, repeating characters)

Slide 56: 3. Information Security
- Administrators / super users can:
  - Bypass monitoring controls: delete logs, rerun exception reports
  - Bypass system controls: change an employee’s access, log in as the employee, bypass workflow approval
  - Bypass change management SoD
Slide 57: 3. Information Security
- High level of access = high risk: download data (data privacy breaches); unauthorized changes to programs and/or data
- Limit administrative access; contractors / temps?

Slide 58: 3. Information Security
- Generic IDs – what’s the problem? No accountability; shared password; SoD – bypass controls?
- Test IDs: temporary with undocumented access
- Vendor default IDs: everyone knows the password

Slide 59: 3. Information Security
- Unique ID / password: accountability; log files / data mining
- What about contractors / temps? Sharing the “temp” id?
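The logical-access tests on slides 46 and 53 to 59 (SoD conflicts in change management, terminated employees and non-employees with accounts, dormant accounts, generic or shared IDs, and administrative access) as one added Python review script; this is illustrative code written for this page, not the presenter's, and the roster, account list and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample (not from the presentation): the HR roster and the
# application's account list, as an auditor might receive them from HR and IT.
AS_OF = date(2011, 2, 4)
ROSTER = {"jsmith": "active", "mlee": "terminated", "rkhan": "contractor"}
ACCOUNTS = [
    {"user": "jsmith", "roles": {"create_change", "approve_change"}, "last_login": date(2011, 2, 1), "admin": False},
    {"user": "mlee", "roles": {"ap_clerk"}, "last_login": date(2010, 12, 20), "admin": False},
    {"user": "rkhan", "roles": {"ap_clerk"}, "last_login": date(2010, 9, 1), "admin": True},
    {"user": "temp01", "roles": {"ap_clerk"}, "last_login": date(2011, 1, 30), "admin": False},
    {"user": "sa", "roles": set(), "last_login": date(2011, 2, 3), "admin": True},
]
# Role combinations that break segregation of duties in change management:
# whoever creates a change must not also approve or implement it.
SOD_CONFLICTS = [({"create_change"}, {"approve_change"}), ({"create_change"}, {"implement_change"})]
# Shared, test and vendor-default IDs: no individual accountability.
GENERIC_IDS = {"sa", "admin", "test", "temp01"}

def review_accounts(accounts, roster, as_of=AS_OF, dormant_days=90):
    """Return (user, finding) pairs for the access tests on the slides above."""
    findings = []
    for a in accounts:
        status = roster.get(a["user"])
        if a["user"] in GENERIC_IDS:
            findings.append((a["user"], "generic_or_shared_id"))
        elif status is None:
            findings.append((a["user"], "not_on_hr_roster"))
        elif status == "terminated":
            findings.append((a["user"], "terminated_employee_still_active"))
        if (as_of - a["last_login"]).days > dormant_days:
            findings.append((a["user"], "dormant_account"))
        if a["admin"] and status != "active":
            findings.append((a["user"], "admin_access_not_a_current_employee"))
        for creator, other in SOD_CONFLICTS:
            if creator <= a["roles"] and other <= a["roles"]:
                findings.append((a["user"], "sod_conflict:" + "+".join(sorted(creator | other))))
    return findings

def by_user(findings):
    """Group findings per account for the workpaper."""
    out = {}
    for user, finding in findings:
        out.setdefault(user, []).append(finding)
    return out
```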
Slide 61: 4. Backup / Recovery
- Steve will discuss after lunch
- Restore the system and data: server crash; disaster (fire, flood, hurricane, etc.)
- Usually considered very important

Slide 62: 4. Backup / Recovery
- Risk of a bad recovery
- Low IT sophistication: offsite backups, successful restore in the last 12 months
- High IT sophistication: audit procedures to ensure the BCP is effective

Slide 63: 4. Backup / Recovery
- Backups: who can do them?
- Offsite storage: who picks up the tapes? Who can request tapes?
- Restoring the system: file, database; how many transactions are lost?
Slide 65: 5. 3rd party IT Providers
- Outsourced service

Slide 66: 5. 3rd party IT Providers
- Why are businesses taking the risk to outsource? Lower cost; lower IT complexity; higher reliability; universal access; IT not a core competency

Slide 67: 5. 3rd party IT Providers
- Financial / operational impact: SAS70 -> SSAE16
- Vendor selection / management: are the risks properly mitigated? Data loss, downtime, regulatory constraints, theft of intellectual property

Slide 68: 5. 3rd party IT Providers
- What’s the risk if the vendor accesses the data? Compensating controls? Regulatory risks
Slide 70: Next Steps?
- Use your resources and READ: audit programs on the Internet; GAIT-R and GTAG series; IT Audit section, IIA website

Slide 72: GAIT and GTAG
- Available to IIA members
- Guide to the Assessment of IT Risk for Business & IT Risk: top-down assessment of business risk, risk tolerance, and controls; ITGC and automated controls; business risks mitigated by manual and automated controls

Slide 75: GTAG
- Global Technology Audit Guide: 15 GTAGs so far

Slide 76: Resources
- IIA - IT Audit: http://www.theiia.org/intAuditor/itaudit/
- AuditNet: http://www.auditnet.org/ (TeamMate and ACL users: free premium access)
Slide 77: Next Steps?
- Network with IT auditors
- Get training
- Get certified (CISA or CITP)

Slide 78: Summary
IIA Attribute Standard 1210.3: “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.”

Slide 79: Can I Do It?
- Data Mining
- SAS 70 / SSAE 16 Review
- ITGC Review
Slide 82: Contact Info
Ed.tobias@hillsclerk.com
http://www.linkedin.com/in/ed3200

Slide 83: Appendix A – DM software
The following list is provided for information only. The author makes no recommendations for any of the products.
- Office 2007 Data Mining Add-Ins using SQL Server 2005 / 2008 ($0)
- Web CAAT Audit Analytics ($0): 70 program steps, 10 business processes
- Audit Commander ($50): works with Excel, Access, or text files; may be sufficient for your needs
- ACL ($1,000): most popular among auditors
- IDEA ($2,295): more user-friendly

Slide 84: Appendix B – System RM
- Level of IT Sophistication
- Email me (ed.tobias@hillsclerk.com) for the entire article