Clay Douglas, Blake Varner, Chuck Wysocki. ISACA Geek Week, August 19, 2013


What’s in it for me (IT Auditor)?

What should I continuously audit and why?

How should I continuously audit?

Does this fit my organization?

Food for thought…?

Source: Global Technology Audit Guide, Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment, authored by David Coderre, Canadian Mounted Police (RCMP), with Subject Matter Experts John G. Verver (ACL Services Ltd.) and J. Donald Warren Jr. (Center for Continuous Auditing, Rutgers University)

Continuous Auditing – used by the IT audit professional to perform control and risk assessments on a more frequent basis, using computer-assisted audit techniques (CAATs) that enable continuous monitoring of controls and risk while allowing auditors to gather selective audit evidence through automation.

Continuous Monitoring – a management process to monitor, on an ongoing basis, whether policies, procedures and business processes are effective.

Continuous (Auditing + Monitoring) satisfies the demands for assurance that:
• Control procedures are effective
• Information for decision making is relevant and reliable

Source: IS Auditing Guideline G42, Continuous Assurance

Source: Global Technology Audit Guide, Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment (cited above)

“The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that results in timely notification of gaps and weaknesses to allow immediate follow-up and remediation.”

Diagram: the continuous auditing cycle. A one-time engagement runs Start → Fieldwork → Report → Findings; from there the work becomes a repeating Improve → Test → Report loop, with each Test step carried out by Automated Test Procedures.

1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risk and compliance
4. Ensuring privacy
5. Managing system implementations
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers

Source: American Institute of CPAs Website

Diagram: candidate areas for continuous auditing:
• Accounts Payable
• Key Performance Indicators
• Accounts Receivable
• P Cards
• Manual Journal Entries
• Expense Reports
• Terminated Employee Access
• Changes that Cause Incidents
• Project Status Reporting
• User Access

Design

Source: ITIL V3 Service Design Volume; Volume 5 - Continual Service Improvement • Seven Step Improvement Process

Measurement is the key to the continuous improvement cycle (Plan – Do – Check – Act).

Diagram: the ITIL generic process model.
• Process Control: Process Owner, Process Objectives, Process Policies, Process Documentation, Process Feedback
• Process Enablers: People, Tools
• Process Inputs and Process Triggers
• Process Activities: Procedures, Work Instructions, Roles & Responsibilities, Process Metrics, Process Improvements
• Process Outputs: KPIs, Measurements, Reports, Reviews

Data identification starts with the vision and is broken down to measurements:

Vision → Mission → Goals → Objectives → CSF → KPI → Metrics → Measurements

“If you cannot measure it, you cannot improve it.”

Lord Kelvin (Sir William Thomson, 1824-1907)

Reporting goes back up the same path, from measurements to vision.


Respond to the customer’s changing business requirements, maximizing value and reducing incidents, disruption and re-work.

Respond to the business and IT requests for change that will align the services with the business needs.

Ensure that changes are recorded and evaluated, and that authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner.

Ensure that all changes to configuration items are recorded in the configuration management system.

Optimize overall business risk – it is often correct to minimize business risk, but sometimes it is appropriate to knowingly accept a risk because of the potential benefit.

CSF - Responding to business and IT requests for change that will align the services with the business needs while maximizing value

CSF - Ensuring that all changes to configuration items are well managed and recorded in the configuration management system

CSF - Optimizing overall business risk

Reduction in disruptions to services, defects and re-work caused by poor or incomplete impact assessment

Increase in change success rate

Reduction in unauthorized changes identified


KPI - Reduction in disruptions to services, defects and re-work caused by poor or incomplete impact assessment
Data: Change assessment results, Change review results, Incidents

KPI - Increase in change success rate
Data: Change review results

KPI - Reduction in unauthorized changes identified
Data: Changes, approvals


Data collection points:

Change records

Change assessment criteria

Change assessment

Build or test plans

Change approval(s)

Review and verification
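An added example, not from the presentation, of the kind of automated test procedure the deck describes for change management: it joins constructed change records to their approvals, flags unauthorized changes, and computes the three KPIs above. The field names, the sample data and the three authorization rules (no approval record, approval dated after implementation, approver equals implementer) are assumptions chosen for the example.

```python
from datetime import date

# Constructed sample data (not from the presentation): change records,
# their approvals and post-implementation review results, as an automated
# test would extract them from a change management system.
CHANGES = [
    {"id": "CHG-1", "implementer": "alice", "implemented": "2013-08-01", "review": "success", "incidents": 0},
    {"id": "CHG-2", "implementer": "bob",   "implemented": "2013-08-03", "review": "failed",  "incidents": 2},
    {"id": "CHG-3", "implementer": "carol", "implemented": "2013-08-05", "review": "success", "incidents": 0},
    {"id": "CHG-4", "implementer": "bob",   "implemented": "2013-08-07", "review": "success", "incidents": 1},
    {"id": "CHG-5", "implementer": "dave",  "implemented": "2013-08-09", "review": "success", "incidents": 0},
]
APPROVALS = [
    {"change": "CHG-1", "approver": "cab",   "approved": "2013-07-30"},
    {"change": "CHG-2", "approver": "cab",   "approved": "2013-08-02"},
    {"change": "CHG-3", "approver": "carol", "approved": "2013-08-04"},  # implementer approved her own change
    {"change": "CHG-5", "approver": "cab",   "approved": "2013-08-10"},  # approval recorded after implementation
    # CHG-4 has no approval record at all
]


def unauthorized_changes(changes, approvals):
    """Return [(change id, reason)] for every change failing an authorization test (assumed rules)."""
    by_change = {a["change"]: a for a in approvals}
    findings = []
    for c in changes:
        a = by_change.get(c["id"])
        if a is None:
            findings.append((c["id"], "no approval record"))
        elif date.fromisoformat(a["approved"]) > date.fromisoformat(c["implemented"]):
            findings.append((c["id"], "approved after implementation"))
        elif a["approver"] == c["implementer"]:
            findings.append((c["id"], "self-approved (segregation of duties)"))
    return findings


def change_kpis(changes, approvals):
    """Compute the deck's change management KPIs from change, approval and review data."""
    total = len(changes)
    successes = sum(1 for c in changes if c["review"] == "success")
    return {
        "changes": total,
        "unauthorized": len(unauthorized_changes(changes, approvals)),
        "success_rate": successes / total if total else 0.0,
        "disruptive_changes": [c["id"] for c in changes if c["incidents"] > 0],
        "incidents": sum(c["incidents"] for c in changes),
    }


if __name__ == "__main__":
    for cid, reason in unauthorized_changes(CHANGES, APPROVALS):
        print(f"{cid}: {reason}")
    print(change_kpis(CHANGES, APPROVALS))
```

Run against each period's extract, the KPI dictionary gives the trend the CSFs ask for (fewer unauthorized changes, higher success rate, fewer disruptions), and the findings list is the timely notification the GTAG quote calls for.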

Data Analytics (Live Demo)

Pick a tool… ANY TOOL!

At least in the data analytics world…

So how do I come up with this plan??

Know Your Enemy!

Are data analytics in place?

What tools are available?

Are there data warehouses, data marts, etc.?

Is there a CPI (continuous process improvement) program?

Is there a Six Sigma program?

Are your IT service management processes mature?

Are the systems centralized or decentralized?

Are there high integrity metrics in place?

Is there a history of fraud?

Do we have senior management support?

Can it be incorporated into the Annual Audit Planning?


For your Internal Audit process, what are the:

Goals, Objectives

Critical Success Factors

Key Performance Indicators

Metrics

Measurements
