Presentation - The Role of IT Audit
TRANSCRIPT
8/4/2019 Presentation - The Role of IT Audit
http://slidepdf.com/reader/full/presentation-the-role-of-it-audit 1/34
The Role of IT Audit at Cornell University
Presented by:
Craig Adams, CISA, CISM
Clayton Dow, CPA, CISA, CIA
Geoffrey Yearwood, CISA
February 14, 2007 2
Agenda
Stakeholders
Auditing in General
University Audit Office
Information Technology Audit
IT Policies
The Changing Face of IT Audit
IT Controls
Stakeholders
Board of Directors
Audit Committee
Senior Management
External Audit
Internal Audit
Audit Clients
Stakeholder Roles
• Joint effort:
Board of Directors – determines and approves strategies, sets objectives and ensures the objectives are being met.
Audit Committee – responsible for overseeing the internal control structure (operations, compliance, and financial reporting).
Senior Management – defines, develops, implements, and documents the internal control structure.
External Audit – attests to the fair statement of financial results.
Internal Audit – validates the internal control structure by analyzing the effectiveness of internal controls.
Definition of Internal Audit
Institute of Internal Auditors (IIA) Standard, effective January 2002:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
University Audit Office
University Audit Office Charter
The University Audit Office exists to assist university management and the Audit Committee of the Board of Trustees in the effective discharge of their responsibilities. The University Audit Office is responsible for examining and evaluating the adequacy and effectiveness of (1) the systems of internal control and their related accounting, financial, computer, and operational policies and (2) the procedures for financial and compliance monitoring and reporting, and to make recommendations for the improvement thereof.
The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems which are in place to ensure:
reliability and integrity of information;
compliance with policies, plans, procedures, laws, and regulations;
safeguarding of assets; and
economical and efficient use of resources.
The University Audit Office shall have direct access to all university books and records necessary for the effective discharge of its responsibilities. The reporting relationships, duties, and responsibilities of the University Auditor (Audit Director) are contained in the University Bylaws Article XI.
University Audit Office Mission
The Audit Office supports the mission of the university by helping protect its assets and reputation.
We provide objective assurance and advice on behalf of the Board of Trustees and Cornell University.
We review operations and controls, provide relevant analyses, recommend improvements, and promote ethical behavior and compliance with policies and regulations.
University Audit Office Responsibilities
The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems to ensure:
Reliability and integrity of information;
Compliance with policies, plans, procedures, laws, and regulations;
Safeguarding of assets; and
Economical and efficient use of resources.
Cornell University Audit Office (organization chart)
Audit Committee, Board of Trustees
David J. Skorton, President
Stephen T. Golding, Executive Vice President for Finance and Administration
Michael B. Dickinson, University Auditor
Kathryn A. Tholen, Administrative Assistant
Pamela A. Doran, Associate Audit Director
Craig R. Adams, Assistant Audit Director, Information Technology
Peter H. Pergolis, Assistant Audit Director, Weill Medical College
Robert C. Beveridge, IT/Financial Senior Auditor
Clayton A. Dow, IT/Financial Senior Auditor
Geoffrey Yearwood, Senior IT Auditor
Jason T. Sanford, Senior Auditor
Renee M. Kenney, Senior Auditor
Maggie Liu, Staff Auditor
Robert P. DiPalma, IT/Financial Senior Auditor, WMC
Kevin M. Reilly, Senior Auditor, WMC
Andrea Reece, Senior Auditor, WMC
Cyclical Process of Auditing (2-year cycle)
Risk Assessment
Audit Schedule
Audit Program
Audit Tests
Analysis
Audit Results
Reporting
Budget
Information Technology Risk Ranking Results
Rank | Unit | Ranking
1 | WMC-EPIC System | 394.6
2 | Access Security Authentication/Authorization | 391.3
3 | WMC-Office of Academic Computing | 384.9
4 | Sponsored Programs | 375.1
5 | Systems Development Methodology | 368.1
6 | OIT-Business Information Systems | 364.5
7 | OIT-Network and Communications Services | 359.1
8 | Wireless Network | 353.2
9 | PeopleSoft Application and Security | 347.8
10 | Program, Data, & Transaction Security | 343.8
11 | OIT-Distributed Learning Services and ATA | 338.1
12 | Computing & Info Science | 336.0
13 | Change Control & Change Management | 333.4
14 | OIT-Systems and Operations | 333.2
15 | OIT-Integration and Delivery | 328.9
16 | Oracle Database | 322.7
17 | System, User and Production Documentation | 320.4
18 | Veterinary Medicine | 320.3
19 | Data Marts | 316.0
20 | Computer Science | 312.0
21 | Network and Server Environment | 310.6
22 | Network Operations Center | 308.1
23 | Johnson School of Management-Parker Center | 304.3
24 | University Library | 304.1
25 | Cornell Nanoscale Facility | 293.1
26 | Software Piracy | 288.4
27 | Mainframe Security | 281.8
28 | Gannett Health Center | 277.0
29 | Adabas Database | 277.0
30 | OIT-Customer Service and Marketing | 269.4
31 | CU Police | 229.9
32 | Geneva Agricultural Experiment Station | 226.4
Legend: Bold = Business Process; Blue = Institutional Concerns; Red = Senior Staff Concerns
Information Technology Audit
IT Audit Role
Advising the Audit Committee and senior
management on IT internal control issues
Performing IT Risk Assessments
Performing:
– Institutional Risk Area Audits
– General Controls Audits
– Application Controls Audits
– Technical IT Controls Audits
Serving as internal controls advisors during systems development and analysis activities
IT Audit Process
Words that come to mind when you hear "Audit":
• Proctology
• Chinese Water Torture
• Root Canal
You may be wondering "why me?"
Understanding the reasons for an audit and the process involved can help alleviate your fears.
The audit process is generally a ten-step procedure:
1. Notification & Request for Preliminary Information
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Draft Report
7. Management Responses
8. Closing Meeting
9. Report Distribution
10. Follow-up
IT – General Controls
IT Controls: General Controls (IT Concerns and Issues)
Disaster Recovery
• Business Resumption Plans
• BRP Testing
• Alternate Processing
Physical Security
• Physical Access
• HVAC
• Fire Protection
• UPS
Backup/Contingency Planning
• Data Backups
• Restore Procedures
• Offsite Storage
Change Management
• Program Change Controls
• Tracking
• Change Approvals
IT – Application Controls
IT Controls: Application Controls (IT Concerns and Issues)
Input Controls
• Data Entry Controls
• System Edits
• Segregation of Duties
• Transaction Authorization
Processing Controls
• Audit Trails
• Interface Controls
• Control Totals
Output Controls
• Reconciliation
• Distribution
• Access
Access Controls
• User-IDs/Passwords
• Data Security
• Network Security
• Security Administration
• Access Authorization
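The input, processing and output controls listed above are easiest to see when they are run over an actual batch of transactions. The Python script below is an added example written for this page; it is not code from the presentation or from Cornell's audit office. The journal-entry batch, the four-digit account format, the user names and the rule that a preparer may not approve their own entry are all constructed assumptions. It applies system edits and a transaction-authorization check to each entry, checks segregation of duties, computes control totals (record count, net amount, hash total) on the sending and receiving side of an interface, reconciles them, and writes one audit-trail line per finding.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class Entry:
    entry_id: str
    account: str            # assumed format: 4-digit general-ledger account
    amount: Decimal         # positive = debit, negative = credit
    entered_by: str
    approved_by: Optional[str]


# Constructed sample batch (hypothetical data, not from the presentation).
SOURCE_BATCH = [
    Entry("JE-1001", "4100", Decimal("1250.00"), "alice", "bob"),
    Entry("JE-1002", "4100", Decimal("-1250.00"), "alice", "bob"),
    Entry("JE-1003", "6200", Decimal("99999.99"), "carol", "carol"),  # preparer approved own entry
    Entry("JE-1004", "", Decimal("40.00"), "dave", None),             # blank account, never approved
]
# What the downstream system recorded after the interface run: JE-1002 never arrived.
RECEIVED_BATCH = [e for e in SOURCE_BATCH if e.entry_id != "JE-1002"]


def input_checks(e: Entry) -> list[tuple[str, str]]:
    """Input controls for one entry: system edits, authorization, segregation of duties."""
    findings = []
    if not (e.account.isdigit() and len(e.account) == 4):
        findings.append((e.entry_id, "system edit: account must be 4 digits"))
    if e.amount == 0:
        findings.append((e.entry_id, "system edit: amount must be non-zero"))
    if e.approved_by is None:
        findings.append((e.entry_id, "authorization: entry not approved"))
    elif e.approved_by == e.entered_by:
        findings.append((e.entry_id, "segregation of duties: preparer approved own entry"))
    return findings


def control_totals(batch: list[Entry]) -> dict[str, Decimal]:
    """Processing controls: the totals a sending and a receiving system compare."""
    return {
        "record_count": Decimal(len(batch)),
        "net_amount": sum((e.amount for e in batch), Decimal("0")),
        # Hash total: the sum of a field with no business meaning (account numbers),
        # kept only to detect dropped or altered records.
        "hash_total": Decimal(sum(int(e.account) for e in batch if e.account.isdigit())),
    }


def reconcile_interface(source: list[Entry], received: list[Entry]) -> list[tuple[str, str]]:
    """Interface control / output reconciliation: every total must agree end to end."""
    src, rcv = control_totals(source), control_totals(received)
    return [
        ("INTERFACE", f"{name} mismatch: sent {src[name]}, received {rcv[name]}")
        for name in src
        if src[name] != rcv[name]
    ]


def run_audit(source: list[Entry], received: list[Entry]) -> dict:
    """Run all checks and produce an audit trail (one line per finding)."""
    findings = [f for e in source for f in input_checks(e)]
    findings += reconcile_interface(source, received)
    trail = [f"{ref}\t{msg}" for ref, msg in findings]
    return {"findings": findings, "totals": control_totals(source), "audit_trail": trail}


if __name__ == "__main__":
    for line in run_audit(SOURCE_BATCH, RECEIVED_BATCH)["audit_trail"]:
        print(line)
```

Run directly, the script reports six findings: one segregation-of-duties failure (JE-1003), two input-edit failures on JE-1004, and three interface mismatches caused by the dropped record. The three totals catch different failure modes: the record count catches a dropped record, the net amount catches an altered amount, and the hash total catches a record whose account was changed or substituted; the sample exercises only the dropped-record case, which trips all three.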
IT Policies
Cornell University IT Policies
Interim Policies:
– Authentication of IT Resources
– Privacy of the Network
Established Policies: In the University Library of Policies, information technologies occupies Volume 5.
– Abuse of Computers and Network Systems, June 1990
– Policy 5.1 Responsible Use of Electronic Communications, October 1995
– Policy 5.2 Mass Electronic Mailing, January 2003
– Policy 5.3 Use of Escrowed Encryption Keys, January 2003
– Policy 5.4.1 Security of Information Technology Resources, June 2004
– Policy 5.4.2 Reporting Electronic Security Incidents, June 2004
– Policy 5.5 Stewardship and Custodianship of Electronic Mail, Feb. 2005
– Policy 5.6 Recording and Registration of Domain Names, April 2004
– Policy 5.7 Network Registry, June 2004
Related Policy:
– Policy 4.12 Data Stewardship and Custodianship, May 2003
The Changing Face of IT Audit
The Changing Role of the IT Auditor
IT Audit plays a major role in the development of the IT Governance framework
Moving away from a policing role into a specialist role in the areas of risk and control
Adding value at strategic and operational levels through the provision of business risk-focused advice and assurance
Legislation is having a profound impact on IT Auditing (SOx, GLBA, HIPAA, FERPA, privacy notification regulations ...)
The continuously changing technology environment brings new risks (e.g., cyber security, wireless ...)
Emerging & Prevalent IT Audit Issues
Inadequate or Lack of Management Oversight
Poor Segregation of Duties
Inadequate or Lack of Supporting Documentation
No Business Continuity/Disaster Recovery Plan
Change Management
Data Security
Data Loss Incidents
What you can do to prepare for an IT Audit
Read all relevant University IT Policies
Perform a risk assessment
Know your IT vulnerabilities
Identify the internal controls that would mitigate inherent risk
Document your business processes, systems, policies and procedures
Keep current on the laws and regulations
Call the Audit Office for advice
IT Controls
Understanding IT Controls
A top-down approach is used when considering IT controls.
Understanding IT Controls
IT control is a process that provides assurance for information and information services, and helps to mitigate the risks associated with the use of technology.
Importance of IT Controls
Needs for IT controls, such as:
– controlling cost
– protecting information assets
– complying with laws and regulations
Implementing effective IT controls will improve efficiency, reliability, and flexibility.
Roles and Responsibilities
Board of Directors / Governing Body
Management – define, approve, implement IT controls
Auditor
Based On Risk
Analyzing Risk
– Identify and prioritize risks
– Consider risk in determining the adequacy of IT controls
– Define a risk mitigation strategy: accept / mitigate / share
Monitoring
Monitoring IT Controls
– Ongoing monitoring / special review / automated continuous auditing
Assessment
Assessing IT controls is an ongoing process
Technology continues to advance
New vulnerabilities emerge
How can I determine if the Internal Controls in my area are adequate?
The central theme of internal control is (1) to identify risks to the achievement of the organization's objectives, and (2) to do what is necessary to manage these risks.
1. Identify the business objectives of your area.
2. Identify the risks that could prevent your department from achieving these objectives.
3. Identify the controls that will manage the risks identified above.
4. Implement the controls that were identified which minimize risk in a cost-effective manner.
5. Periodically review objectives and controls to determine if they still apply.
A car has brakes
to allow it to go faster…
University Audit Office
Contact Information
Phone: 255-9300
email: [email protected]
Web Page: http://audit.cornell.edu/