IT Audit Presentation 2-26-2006

Upload: sushant-shetty

Post on 08-Apr-2018


TRANSCRIPT

  • 8/7/2019 IT Audit Presentation 2-26-2006

    1/34

The Role of IT Audit at Cornell University

    Presented by:

    Craig Adams, CISA, CISM

    Clayton Dow, CPA, CISA, CIA

    Geoffrey Yearwood, CISA

2/34

February 14, 2007

    Agenda

    Stakeholders

    Auditing in General

    University Audit Office

    Information Technology Audit

    IT Policies

    The Changing Face of IT Audit

    IT Controls

3/34

    Stakeholders

    Board of Directors

    Audit Committee

    Senior Management

    External Audit

    Internal Audit

    Audit Clients

4/34

    Stakeholder Roles

Joint effort:

Board of Directors determines and approves strategies, sets objectives, and ensures the objectives are being met.

Audit Committee is responsible for overseeing the internal control structure (operations, compliance, and financial reporting).

Senior Management defines, develops, implements, and documents the internal control structure.

External Audit attests to the fair statement of financial results.

Internal Audit validates the internal control structure by analyzing the effectiveness of internal controls.

5/34

    Definition of Internal Audit

Institute of Internal Auditors (IIA) Standard, effective January 2002:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

6/34

    University Audit Office

7/34

University Audit Office Charter

The University Audit Office exists to assist university management and the Audit Committee of the Board of Trustees in the effective discharge of their responsibilities. The University Audit Office is responsible for examining and evaluating the adequacy and effectiveness of (1) the systems of internal control and their related accounting, financial, computer, and operational policies and (2) the procedures for financial and compliance monitoring and reporting, and to make recommendations for the improvement thereof.

The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems which are in place to ensure:

reliability and integrity of information;

compliance with policies, plans, procedures, laws, and regulations;

safeguarding of assets; and

economical and efficient use of resources.

The University Audit Office shall have direct access to all university books and records necessary for the effective discharge of its responsibilities. The reporting relationships, duties, and responsibilities of the University Auditor (Audit Director) are contained in the University Bylaws Article XI.

8/34

    University Audit Office Mission

The Audit Office supports the mission of the university by helping protect its assets and reputation.

We provide objective assurance and advice on behalf of the Board of Trustees and Cornell University.

We review operations and controls, provide relevant analyses, recommend improvements, and promote ethical behavior and compliance with policies and regulations.

9/34

    University Audit Office Responsibilities

The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems to ensure:

    Reliability and integrity of information;

    Compliance with policies, plans, procedures, laws,and regulations;

    Safeguarding of assets; and

    Economical and efficient use of resources.

10/34

    Cornell University Audit Office

11/34

    Cyclical Process of Auditing

    Risk Assessment

    Audit Schedule

    Audit Program

    Audit Tests

    Analysis

    Audit Results

    Reporting

    Budget

    2 Year

    Cycle

12/34

Information Technology Risk Ranking Results

RANK  UNIT                                            RANKING
1     WMC-EPIC st                                     394.6
2     Access Security Authentication/Authorization    391.3
3     WMC-Office of Academic Computing                384.9
4     Sponsored Programs                              375.1
5     Systems Development Methodology                 368.1
6     OIT-Business Information Systems                364.5
7     OIT-Network and Communications Services         359.1
8     Wireless Network                                353.2
9     PeopleSoft Application and Security             347.8
10    Program, Data, & Transaction Security           343.8
11    OIT-Distributed Learning Services and ATA       338.1
12    Computing & Info Science                        336.0
13    Change Control & Change Management              333.4
14    OIT-Systems and Operations                      333.2
15    OIT-Integration and Delivery                    328.9
16    Oracle Database                                 322.7
17    Syst , Us r Pr cti c t ti                       320.4
18    Veterinary Medicine                             320.3
19    Data Marts                                      316.0
20    Computer Science                                312.0
21    Network and Server Environment                  310.6
22    Network Operations Center                       308.1
23    Johnson School of Management-Parker Center      304.3
24    University Library                              304.1
25    Cornell Nanoscale Facility                      293.1
26    Software Piracy                                 288.4
27    Mainframe Security                              281.8
28    Gannett Health Center                           277.0
29    Adabas Database                                 277.0
30    OIT-Customer Service and Marketing              269.4
31    CU Police                                       229.9
32    Geneva Agricultural Experiment Station          226.4

Legend (formatting not preserved in this transcript): Bold = Business Process; Blue = Institutional Concerns; Red = Senior Staff Concerns

13/34

    Information Technology Audit

14/34

    IT Audit Role

Advising the Audit Committee and senior management on IT internal control issues

Performing IT Risk Assessments

Performing:

Institutional Risk Area Audits

General Controls Audits

Application Controls Audits

Technical IT Controls Audits

Internal Controls advisors during systems development and analysis activities

15/34

IT Audit Process

Words that come to mind when you hear "Audit": Proctology, Chinese Water Torture, Root Canal

You may be wondering "why me?"

Understanding the reasons for an audit and the process involved can help alleviate your fears.

The audit process is generally a ten-step procedure:

1. Notification & Request for Preliminary Information

2. Planning

3. Opening Meeting

4. Fieldwork

5. Communication

6. Draft Report

7. Management Responses

8. Closing Meeting

9. Report Distribution

10. Follow-up

16/34

IT General Controls

IT Concerns and Issues (diagram: General Controls as the outer layer of IT Controls)

Disaster Recovery

    Business Resumption Plans

    BRP Testing

    Alternate Processing

Physical Security

    Physical Access

    HVAC

    Fire Protection

    UPS

Backup/Contingency Planning

    Data Backups

    Restore Procedures

    Offsite Storage

Change Management

    Program Change Controls

    Tracking

    Change Approvals

17/34

IT Application Controls

IT Concerns and Issues (diagram: Application Controls nested inside the General Controls)

Output Controls

    Reconciliation

    Distribution

    Access

Processing Controls

    Audit Trails

    Interface Controls

    Control Totals

Access Controls

    User-IDs/Passwords

    Data Security

    Network Security

    Security Administration

    Access Authorization

Input Controls

    Data Entry Controls

    System Edits

    Segregation of Duties

    Transaction Authorization

18/34

    IT Policies

19/34

Cornell University IT Policies

Interim Policies:

    Authentication of IT Resources

    Privacy of the Network

Established Policies: In the University Library of Policies, information technologies occupies Volume 5.

    Abuse of Computers and Network Systems, June 1990

    Policy 5.1 Responsible Use of Electronic Communications, October 1995

    Policy 5.2 Mass Electronic Mailing, January 2003

    Policy 5.3 Use of Escrowed Encryption Keys, January 2003

    Policy 5.4.1 Security of Information Technology Resources, June 2004

    Policy 5.4.2 Reporting Electronic Security Incidents, June 2004

    Policy 5.5 Stewardship and Custodianship of Electronic Mail, Feb. 2005

    Policy 5.6 Recording and Registration of Domain Names, April 2004

    Policy 5.7 Network Registry, June 2004

Related Policy:

    Policy 4.12 Data Stewardship and Custodianship, May 2003

20/34

    The Changing Face

    of IT Audit

21/34

    The Changing Role of the IT Auditor

IT Audit plays a major role in development of the IT Governance framework

Moving away from a policing role into a specialist role in the areas of risk and control

Adding value at strategic and operational levels through the provision of business risk-focused advice and assurance

Legislation is having a profound impact on IT Auditing (SOx, GLBA, HIPAA, FERPA, Privacy Notification Regulations)

The continuously changing technology environment brings new risks (e.g., cyber security, wireless)

22/34

    Emerging & Prevalent IT Audit Issues

    Inadequate or Lack of Management Oversight

Poor Segregation of Duties

Inadequate or Lack of Supporting Documentation

No Business Continuity/Disaster Recovery Plan

    Change Management

    Data Security

    Data Loss Incidents

23/34

What can you do to prepare for an IT Audit?

Read all relevant University IT Policies

Perform a risk assessment

Know your IT vulnerabilities

Identify the internal controls that would mitigate inherent risk

Document your business processes, systems, policies and procedures

    Keep Current on the Laws and Regulations

    Call the Audit Office for advice

24/34

    IT Controls

25/34

    Understanding IT Controls

A top-down approach is used when considering IT controls.

26/34

Understanding IT Controls

IT control is a process that provides assurance for information and information services, and helps to mitigate risks associated with the use of technology.

27/34

    Importance of IT Controls

Needs for IT controls, such as:

    controlling cost

    protecting information assets

    complying with laws and regulations

Implementing effective IT controls will improve efficiency, reliability, and flexibility.

28/34

    Roles and Responsibilities

Board of Directors / Governing Body

Management: define, approve, implement IT controls

    Auditor

29/34

    Based On Risk

Analyzing Risk

Identify and prioritize risks

Consider risk in determining the adequacy of IT controls

Define risk mitigation strategy: accept/mitigate/share

30/34

    Monitoring

    Monitoring IT Controls

Ongoing monitoring / special review / automated continuous auditing
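The "automated continuous auditing" named here, and the processing and input controls on slide 17 (control totals, audit trails, segregation of duties), are the kind of checks an IT auditor scripts against data extracted from the application. The following is an added example, not code from the presentation or from the Cornell University Audit Office; the interface record layout, the trailer record, the user names and the audit-log entries are all constructed for illustration.

```python
"""Continuous-auditing checks for three application controls: interface
control totals, audit-trail sequence completeness, and segregation of duties.
Added example; all data below is constructed, not taken from any real system."""
from collections import defaultdict
from decimal import Decimal

# Constructed interface batch: a payment feed from an upstream system. The
# sender's trailer states how many records it sent and the hash total of the
# amounts; the receiving side recomputes both and compares.
BATCH = [
    {"seq": 1, "vendor": "V100", "amount": Decimal("1250.00")},
    {"seq": 2, "vendor": "V205", "amount": Decimal("80.50")},
    {"seq": 3, "vendor": "V100", "amount": Decimal("3400.00")},
    {"seq": 5, "vendor": "V310", "amount": Decimal("99.99")},  # seq 4 was dropped in transit
]
TRAILER = {"record_count": 5, "hash_total": Decimal("5330.49")}  # sender's view: 5 records

# Constructed application audit trail: who performed which action on which vendor.
AUDIT_LOG = [
    {"user": "alice", "action": "create_vendor", "vendor": "V100"},
    {"user": "bob",   "action": "approve_payment", "vendor": "V100"},
    {"user": "carol", "action": "create_vendor", "vendor": "V205"},
    {"user": "carol", "action": "approve_payment", "vendor": "V205"},  # same person, both halves
    {"user": "dave",  "action": "approve_payment", "vendor": "V310"},
]

# Action pairs that one person must not perform for the same vendor.
CONFLICTING_ACTIONS = {("create_vendor", "approve_payment")}


def check_control_totals(batch, trailer):
    """Interface control: recompute record count and hash total and report
    every mismatch against the sender's trailer. Empty list = batch reconciles."""
    findings = []
    count = len(batch)
    total = sum((r["amount"] for r in batch), Decimal("0"))
    if count != trailer["record_count"]:
        findings.append(f"record count {count} != trailer {trailer['record_count']}")
    if total != trailer["hash_total"]:
        findings.append(f"hash total {total} != trailer {trailer['hash_total']}")
    return findings


def check_sequence_gaps(batch):
    """Audit-trail completeness: sequence numbers must be contiguous and unique.
    Returns the missing and the duplicated sequence numbers."""
    seqs = [r["seq"] for r in batch]
    expected = set(range(min(seqs), max(seqs) + 1))
    missing = sorted(expected - set(seqs))
    duplicates = sorted({s for s in seqs if seqs.count(s) > 1})
    return {"missing": missing, "duplicates": duplicates}


def check_segregation_of_duties(log, conflicts=CONFLICTING_ACTIONS):
    """Segregation of duties: flag any user who performed both halves of a
    conflicting action pair against the same vendor."""
    actions_by_user_vendor = defaultdict(set)
    for entry in log:
        actions_by_user_vendor[(entry["user"], entry["vendor"])].add(entry["action"])
    violations = []
    for (user, vendor), actions in sorted(actions_by_user_vendor.items()):
        for a, b in conflicts:
            if a in actions and b in actions:
                violations.append({"user": user, "vendor": vendor, "actions": (a, b)})
    return violations


def run_all():
    """Run every check once; a scheduler would call this per batch/day."""
    return {
        "control_totals": check_control_totals(BATCH, TRAILER),
        "sequence": check_sequence_gaps(BATCH),
        "sod": check_segregation_of_duties(AUDIT_LOG),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name}: {result}")
```

Against the constructed data the batch fails both trailer comparisons (four records received, five sent), the sequence check names record 4 as missing, and the duties check reports that carol both created vendor V205 and approved its payment. Scheduling such checks after every interface run is what turns a periodic audit test into ongoing monitoring.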

31/34

    Assessment

Assessing IT controls is an ongoing process

Technology continues to advance

New vulnerabilities emerge

32/34

How can I determine if the Internal Controls in my area are adequate?

The central theme of internal control is (1) to identify risks to the achievement of the organization's objectives, and (2) to do what is necessary to manage these risks.

1. Identify the business objectives of your area.

2. Identify the risks that could prevent your department from achieving these objectives.

3. Identify the controls that will manage the risks identified above.

4. Implement the controls that were identified which minimize risk in a cost-effective manner.

5. Periodically review objectives and controls to determine if they still apply.

33/34

A car has brakes to allow it to go faster.

34/34

    University Audit Office

    Contact Information

Phone: 255-9300

Email: [email protected]

Web page: http://audit.cornell.edu/