IT Audit For Non-IT Auditors


Discusses IIA expectations for Internal Auditors regarding knowledge of key technology risks and technology audit tools.

  1. IT Audit for Non-IT Auditors
     - Ed Tobias, CISA, CIA, CFE
     - February 4, 2011
  2. Overview
     - What is an IT Auditor? Skills
     - Without IT Audit, what areas/risks may not be covered?
     - Areas for Non-IT Auditors
     - Next steps?
     - Questions?
  3. To Keep Things Moving…
     - Participate!
     - Questions:
       - Brief – will answer
       - Complex – save until the end or offline
  4. What is an IT Auditor?
     - Skills
       - Hard vs. Soft
     - Education
       - Technology-related
       - Non-technical
     - Professional Background
       - IT
       - Consulting
  5. What is an IT Auditor?
     - Certifications
       - CISA
       - CITP
       - CISM
       - CISSP
       - Vendors (e.g., MCSE, CCNA)
       - Others (e.g., PMP, CIPP, CIA)
     - Training
       - On the job
       - Specialized courses
  6. Auditors must have …
     - IIA Attribute Standard 1210.3
     - “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.”
  7. Areas that may need help
     - Disaster Recovery
     - Data Mining
     - ITGC review
     - Application Controls testing
     - User-developed applications
     - SAS 70 (SSAE 16) considerations
     - Data integrity / confidentiality
     - Working with IT to get data for testing
  8. Areas that Non-IT Auditors can perform
     - Disaster Recovery (Steve will present)
     - Data Mining
     - SAS 70 (SSAE 16) review
     - ITGC review
  9. IIA Research Foundation
  10. p. 36 – Technical Skills
  11. p. 46 – 5 years from now
  12. Analyze the entire population instead of taking a sample
     - Predicting major increases in technology audit tools
     - Assess current skills
     - Create a plan to address deficiencies
  13. Data Mining
     - Current Perceptions
     - What is Data Mining?
     - How is it used?
     - How can I use it?
  14. Current Perceptions about DM
     - Who has NOT heard of DM?
  15. What Is Data Mining?
     - Automate detection of relevant patterns
     - Look at current & historical data
     - Predict future trends
     - Efficient method to analyze large amounts of data
     - Enhance key item sampling
     - Means for “continuous auditing”
  16. How Is Data Mining Used?
     - Audit Process
     - Risk Assessment
     - Controls Assessment
     - Fraud Detection and Prevention
     - IIA’s IPPF – Internal Auditing and Fraud: “Routine and/or ad hoc matching of … data against relevant transactions, vendor lists, employee rosters, and other data (p. 22)”
  17. Data Mining Process
     1. Validate your data
     2. System Risk Assessment
     3. Perform testing
  18. 1. Validate your data
     - Compare the file totals to control totals
       - Total record count
       - Subtotal of key numeric fields (e.g., amount)
  19. 2. System Risk Assessment
     - Article for upcoming ISACA Journal titled “Taking Your First Steps in Data Mining”
     - Assess the risk of unauthorized data modification
     - Important for fraud detection or compliance
     - Is the system “user-developed”, formally managed by IT, or outsourced?
  20. 3. Perform testing
     - Check for missing data – blank fields or missing records
     - Invalid data – characters in numeric fields
     - Duplicate records
     - Data within scope period
     - Accurate computed fields – independently perform calculations
     - Stratify data – approval limits
     - Benford’s Law – find anomalies
  21. Can I Do It?
     - These functions are possible WITHOUT DM software
       - More time and effort required
     - DM software provides:
       - Efficiency
       - Audit log functions
       - Repeatability
       - Basis for continuous auditing
       - Scripts / Enterprise platforms
  22. Example
     - Risk Assessment / Control Effectiveness
     - Purchase Order Review – 24 months
       - 6,000+ POs
       - 490,000+ records in Accounting system
       - 510,000+ records related to Payments
  23. Example
     - Isolated 14,000 payment records related to 6,000+ POs
     - Developed risk-based reports:
       - Total department spend
       - Total vendor spend
       - Top 10 departments / vendors
       - Possible split transactions
       - Non-compliance with policies
  24. Example
     - Benford’s Law – helps identify unusual transactions
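The data-mining steps from slides 17 to 20 (validate the file against control totals, then test for missing data, invalid numeric fields, duplicates, out-of-scope dates, mis-computed fields and stratification by approval limit) together with the split-transaction and Benford's Law reports from the Example slides, carried out in code. This is an added example, not material from the presentation; the payments extract, control totals, scope period and approval limit are all constructed for it.

```python
"""Added example (not from the presentation): the 'Validate your data' and
'Perform testing' steps plus the split-transaction and Benford's Law reports,
run over a constructed A/P payments extract. Every value here is made up."""
from collections import Counter, defaultdict
from datetime import date
from decimal import Decimal, InvalidOperation
import math

# Constructed extract, seeded with one record per test: blank vendor (3),
# letters in a numeric field (4), duplicate of record 2 (5), dated outside the
# scope period (6), amount != qty * unit_price (7), same-day payments just under
# the approval limit (8-10).
PAYMENTS = [
    {"id": "1",  "po": "PO-1001", "vendor": "ACME",  "date": "2010-03-04", "qty": "10", "unit_price": "120.00",  "amount": "1200.00"},
    {"id": "2",  "po": "PO-1002", "vendor": "BOLT",  "date": "2010-03-09", "qty": "3",  "unit_price": "45.50",   "amount": "136.50"},
    {"id": "3",  "po": "PO-1003", "vendor": "",      "date": "2010-04-01", "qty": "1",  "unit_price": "980.00",  "amount": "980.00"},
    {"id": "4",  "po": "PO-1004", "vendor": "ACME",  "date": "2010-04-15", "qty": "2",  "unit_price": "300.00",  "amount": "6OO.00"},
    {"id": "5",  "po": "PO-1002", "vendor": "BOLT",  "date": "2010-03-09", "qty": "3",  "unit_price": "45.50",   "amount": "136.50"},
    {"id": "6",  "po": "PO-1006", "vendor": "CORE",  "date": "2009-12-30", "qty": "5",  "unit_price": "200.00",  "amount": "1000.00"},
    {"id": "7",  "po": "PO-1007", "vendor": "CORE",  "date": "2010-05-20", "qty": "4",  "unit_price": "250.00",  "amount": "1100.00"},
    {"id": "8",  "po": "PO-1008", "vendor": "DELTA", "date": "2010-06-02", "qty": "1",  "unit_price": "4900.00", "amount": "4900.00"},
    {"id": "9",  "po": "PO-1009", "vendor": "DELTA", "date": "2010-06-02", "qty": "1",  "unit_price": "4800.00", "amount": "4800.00"},
    {"id": "10", "po": "PO-1010", "vendor": "DELTA", "date": "2010-06-02", "qty": "1",  "unit_price": "4700.00", "amount": "4700.00"},
]
CONTROL_COUNT = 10                     # record count reported by the system owner (constructed)
CONTROL_TOTAL = Decimal("19553.00")    # amount total reported by the system owner (constructed)
SCOPE = (date(2010, 1, 1), date(2010, 12, 31))
APPROVAL_LIMIT = Decimal("5000.00")    # single-approver limit (constructed)

def to_decimal(text):
    """Parse a numeric field; None when it holds anything but a number."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None

def validate(records, control_count=CONTROL_COUNT, control_total=CONTROL_TOTAL):
    """Step 1: compare file totals with the control totals before any testing."""
    amounts = [to_decimal(r["amount"]) for r in records]
    subtotal = sum((a for a in amounts if a is not None), Decimal(0))
    return {"count_matches": len(records) == control_count,
            "difference": control_total - subtotal,
            "unparseable_amounts": sum(a is None for a in amounts)}

def missing_data(records):
    """Step 3: records with blank fields."""
    return [r["id"] for r in records if any(not v.strip() for v in r.values())]

def invalid_numeric(records, fields=("qty", "unit_price", "amount")):
    """Step 3: characters in numeric fields."""
    return [r["id"] for r in records if any(to_decimal(r[f]) is None for f in fields)]

def duplicates(records, key=("po", "vendor", "date", "amount")):
    """Step 3: records that share the key fields."""
    seen = Counter(tuple(r[f] for f in key) for r in records)
    return sorted(r["id"] for r in records if seen[tuple(r[f] for f in key)] > 1)

def out_of_scope(records, scope=SCOPE):
    """Step 3: records dated outside the scope period."""
    return [r["id"] for r in records if not scope[0] <= date.fromisoformat(r["date"]) <= scope[1]]

def computed_field_errors(records):
    """Step 3: recompute amount = qty * unit_price independently of the system."""
    bad = []
    for r in records:
        qty, price, amount = (to_decimal(r[f]) for f in ("qty", "unit_price", "amount"))
        if None not in (qty, price, amount) and qty * price != amount:
            bad.append(r["id"])
    return bad

def stratify(records, limit=APPROVAL_LIMIT):
    """Step 3: band payments against the approval limit; clustering just under it is the sign to look for."""
    bands = Counter()
    for r in records:
        a = to_decimal(r["amount"])
        if a is None:
            bands["unparseable"] += 1
        elif a >= limit:
            bands["at or above limit"] += 1
        elif a >= limit * Decimal("0.9"):
            bands["within 10% below limit"] += 1
        else:
            bands["below"] += 1
    return bands

def possible_splits(records, limit=APPROVAL_LIMIT):
    """Same vendor, same day, each payment under the limit, total over it."""
    groups = defaultdict(list)
    for r in records:
        a = to_decimal(r["amount"])
        if a is not None and a < limit:
            groups[(r["vendor"], r["date"])].append(a)
    return {k: sum(v) for k, v in groups.items() if len(v) > 1 and sum(v) > limit}

def benford_first_digit(records):
    """Observed vs expected (log10(1 + 1/d)) share of leading digits 1-9."""
    counts = Counter()
    for r in records:
        a = to_decimal(r["amount"])
        if a is not None and a != 0:
            counts[str(abs(a)).lstrip("0.")[0]] += 1
    n = sum(counts.values())
    return {d: {"observed": counts[str(d)] / n if n else 0.0,
                "expected": math.log10(1 + 1 / d)} for d in range(1, 10)}
```

On this data `validate` reports a 600.00 difference against the control total and one unparseable amount, which is the cue to resolve record 4 with the system owner before trusting any downstream test. The stratification and `possible_splits` reports are read together: three DELTA payments on one day each fall within 10% of the 5,000 limit and total 14,400. Benford's Law on nine amounts only shows the computation; in practice the comparison is meaningful only over populations of thousands of records.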
  25. IIA’s Value Proposition
  26. SAS 70 Review
     - Why do we need it?
       - Explains controls at a service organization
       - Tests their effectiveness over a period (Type II SAS 70)
       - Supports financial statement assertions
       - We can’t audit the service organization
  27. SAS 70 -> SSAE 16
     - Based on International Standards for Assurance Engagements
     - Effective for periods ending on/after June 15, 2011
     - NOT a certification for the service organization
  28. SSAE 16
     - Deals with controls over subject matter for financial reporting
     - Other areas will be dealt with in another AICPA guide – 2011
       - Security, Availability, Processing Integrity, Confidentiality, or Privacy
       - AICPA SOC (Service Organization Control) 2 – Type II report
  29. IT Audit Items?
     - Section II – Information provided by the service organization
       - Description of the IT environment and related ITGC
       - User Control Considerations
         - Have they been reviewed?
         - Are they implemented?
     - Section IV – Supplemental Info
       - DR / Business Continuity Plan
  30. ITGC Review
     - IIA Attribute Standard 1210.3
     - “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.”
  31. A few words about ITGC…
     - It’s not necessary to know “everything” about IT controls
     - 2 key control concepts:
       1. Assurance from IT controls is within the whole system of internal control
          - Continuous
          - Produces a reliable evidence trail
  32. A few words about ITGC…
     - 2 key control concepts (continued):
       2. Auditor’s assurance is an independent, objective assessment of #1
          - Understand, examine, and assess the controls related to the risks auditors manage
          - Perform sufficient control testing – controls designed appropriately & function effectively
     - GTAG-1: Information Technology Controls, p. 3
  33. ITGC Review
     - Considered during SOX audits
       - Risk of material misstatement
     - Applies to all key systems involved with financial reporting
     - Can extend to key operational systems
       - Bad data = bad management decisions
  34. ITGC Review
     - Which is more reliable: a manual or an automated control?
     - Many controls are “hybrid”
       - Partly automated
       - Manual control relies on application functionality
       - Example: a key control to detect duplicate receipts relies on review of a system report
  35. ITGC Review
     - Key automated / hybrid controls
     - Assess and test the ITGC that provide assurance that automated controls perform consistently and appropriately
  36. ITGC Review
     - Minimum 5 areas of review:
       1. IT Entity-level
       2. Change Management
       3. Information Security
       4. Backup and Recovery
       5. 3rd party IT providers
     - Depends on the risk to the system or department
  37. How to use the template?
     - Guide for examining IT Audit areas
     - Risk Assessment
     - Use judgment to determine applicable areas
     - Helps determine “key information technology risks”
  38. 1. IT Entity-level
     - Related to the entity’s environment
     - Covers IT as a whole:
       - Acquisition
       - Implementation
       - Management
       - Governance (Johan will present)
       - Policies & procedures
       - IT Risk Management
       - Planning / Strategy
  39. 1. IT Entity-level
     - What impact do these controls have on the system?
     - Understand the level of IT sophistication within the system and/or organization
  40. Level of IT Sophistication
     - Assess the complexity of the system -> relevance of ITGC
       - Low: COTS, 1 server, 1–15 users
       - High: ERP and/or customized, 4+ servers, 30+ users
     - Appendix B – guidelines for IT Sophistication levels
  41. 1. IT Entity-level
     - What impact do these controls have on the system?
     - Low IT Sophistication = low risk to system / department
     - Consider mitigating controls
  42. 1. IT Entity-level
     - Annual Technology Plan
       - IT should align with the business
     - Annual Budget
       - Overspending?
       - Prioritization
       - Alignment with business changes
  43. GTAG
     - Global Technology Audit Guide-1
  44. 2. Change Management
     - All changes to the system
       - Properly authorized
       - Securely implemented
     - Applies to:
       - Software (applications)
       - Hardware (infrastructure – operating systems and networks)
  45. 2. Change Management
     - Properly scope the risk
       - Vendor-supplied updates
       - In-house coding and updates
     - Relevant with higher levels of IT Sophistication
       - Mature, more defined processes
       - Change Review Board
  46. 2. Change Management
     - Segregation of Duties (SoD)
       - Creating the change
       - Approved
       - Tested
       - Implemented
     - Emergency Changes
       - Change implemented before approval
  47. Fraud Example
     - Deputy Treasurer-Controller of a WA state public utility district
     - Issued $236,925.23 to himself
     - Authorized to make program changes
     - Implemented those changes
     - Circumvented manual controls by A/P
     - Caught by A/P clerk who noticed a $7,000 check cashed by him
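The change-management tests behind slide 46 (segregation of duties across creating, approving, testing and implementing a change, and emergency changes implemented before approval) and the access combination in the fraud example on slide 47 (one person both authorized to make program changes and implementing them), written as an audit script over a change-ticket extract. This is an added example, not the presentation's own material; the tickets, user names and dates are constructed.

```python
"""Added example (not from the presentation): tests a change-ticket extract for
segregation-of-duties conflicts, implementation without prior approval, and
people who both develop and implement changes. All data is constructed."""
from collections import defaultdict
from datetime import date

ROLES = ("developer", "tester", "approver", "implementer")

# Constructed change tickets. An empty "approved" date means no approval was
# recorded; "emergency" is the flag the change process sets for fix-first changes.
CHANGES = [
    {"id": "CHG-100", "developer": "asmith", "tester": "bjones", "approver": "cwu",
     "implementer": "dlee", "approved": "2010-02-01", "implemented": "2010-02-03", "emergency": False},
    {"id": "CHG-101", "developer": "asmith", "tester": "bjones", "approver": "asmith",
     "implementer": "dlee", "approved": "2010-02-10", "implemented": "2010-02-12", "emergency": False},
    {"id": "CHG-102", "developer": "eroy", "tester": "eroy", "approver": "cwu",
     "implementer": "eroy", "approved": "2010-03-01", "implemented": "2010-03-02", "emergency": False},
    {"id": "CHG-103", "developer": "asmith", "tester": "bjones", "approver": "cwu",
     "implementer": "dlee", "approved": "2010-03-10", "implemented": "2010-03-08", "emergency": True},
    {"id": "CHG-104", "developer": "asmith", "tester": "bjones", "approver": "cwu",
     "implementer": "dlee", "approved": "", "implemented": "2010-03-12", "emergency": False},
    {"id": "CHG-105", "developer": "eroy", "tester": "bjones", "approver": "cwu",
     "implementer": "dlee", "approved": "2010-04-02", "implemented": "2010-04-01", "emergency": False},
]

def sod_conflicts(changes):
    """Tickets on which one person holds more than one of the four roles."""
    out = {}
    for c in changes:
        held = defaultdict(list)
        for role in ROLES:
            held[c[role]].append(role)
        conflicts = {user: roles for user, roles in held.items() if len(roles) > 1}
        if conflicts:
            out[c["id"]] = conflicts
    return out

def approval_exceptions(changes):
    """Tickets implemented without a prior approval. An emergency change may
    legitimately go in first, but it must carry the flag and a later approval."""
    out = {}
    for c in changes:
        implemented = date.fromisoformat(c["implemented"])
        approved = date.fromisoformat(c["approved"]) if c["approved"] else None
        if approved is None:
            out[c["id"]] = "no approval recorded"
        elif implemented < approved and not c["emergency"]:
            out[c["id"]] = "implemented before approval, not flagged as emergency"
        elif implemented < approved:
            out[c["id"]] = "emergency change: verify retrospective approval"
    return out

def developers_who_implement(changes):
    """People who develop on some tickets and implement on others: the access
    combination described in the fraud example."""
    developers = {c["developer"] for c in changes}
    implementers = {c["implementer"] for c in changes}
    return sorted(developers & implementers)
```

`sod_conflicts` works per ticket, so it catches self-approval and a developer moving their own code to production. `developers_who_implement` works across tickets and is the more useful population for a low-sophistication shop, where the same two or three people touch everything and the question becomes which compensating manual controls (the A/P review in the fraud example) actually detect an unauthorized change.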
  48. Change Management GTAG
     - GTAG-2
  49. 3. Information Security
     - Unauthorized access to the programs or data
     - 2 types of access:
       - Physical
       - Logical
  50. 3. Information Security
     - Physical
       - Limit physical access to the servers and critical infrastructure
         - Locked doors
         - Cameras
         - Security guards
         - Biometrics
  51. 3. Information Security
     - Logical
       - Limit access to the applications and data
       - Less IS More – least amount of privileges to perform job functions
       - Segregation of Duties
       - Limit physical access to the servers
  52. 3. Information Security
     - Important to distinguish Information Security problems from risk to the system
       - Compensating manual controls in place to detect / prevent errors?
     - Low IT Sophistication = low risk for financial misstatements
       - Higher operational / regulatory risk
  53. 3. Information Security
     - Security Policy
       - Tone at the Top
       - Sets guidelines for acceptable use
       - Part of Employee Handbook
     - Access privileges
       - Role-based -> well-defined
       - The “backup” has conflicting roles
       - Bypass management controls
  54. 3. Information Security
     - Only current employees have access
     - Disable unused accounts
     - Temps / contractors
  55. 3. Information Security
     - Strong passwords
       - Periodic change (90 days)
       - Password history
       - Minimum length
       - Complexity
         - Upper / lower case
         - Numbers / symbols
         - No dictionary
         - Repeating characters
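The password elements on slide 55 expressed as an enforceable check: minimum length, the four complexity classes, a dictionary test, a test for runs of repeating characters, password history compared hash-to-hash, and a 90-day change interval applied to a list of accounts. This is an added example rather than the presentation's material; the minimum length, history depth, word list, salt and account records are constructed, and only the 90-day interval comes from the slide.

```python
"""Added example (not from the presentation): a password-policy check covering
the rules listed on the 'Strong passwords' slide. Thresholds other than the
90-day interval, the word list and the accounts are constructed."""
import hashlib
import re
from datetime import date

MIN_LENGTH = 12        # assumed policy value
MAX_AGE_DAYS = 90      # from the slide: periodic change (90 days)
HISTORY_DEPTH = 5      # assumed: the last 5 passwords may not be reused
# Tiny constructed word list; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "company", "audit"}

def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256, so history is stored and compared as hashes, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

def policy_failures(password, history_hashes=(), salt=b"constructed-salt"):
    """Return the rules a candidate password breaks; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    classes = [re.search(p, password) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")]
    if not all(classes):
        failures.append("must contain upper, lower, number and symbol")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        failures.append("contains a dictionary word")
    if re.search(r"(.)\1\1", password):
        failures.append("three or more repeating characters")
    if hash_password(password, salt) in history_hashes[-HISTORY_DEPTH:]:
        failures.append(f"reused within last {HISTORY_DEPTH} passwords")
    return failures

def rotation_overdue(last_changed, today):
    """True when the password is older than the change interval."""
    return (today - last_changed).days > MAX_AGE_DAYS

# Constructed account records: username -> date of last password change.
ACCOUNTS = {"jdoe": date(2010, 10, 1), "rlee": date(2011, 1, 20)}

def overdue_accounts(accounts, today=date(2011, 2, 4)):
    """Usernames whose password is past the 90-day interval as of the given date."""
    return sorted(u for u, changed in accounts.items() if rotation_overdue(changed, today))
```

In an audit the same logic is applied the other way round: rather than testing candidate passwords, the auditor reads the system's configured values for each rule and the last-change dates from the account extract, and `overdue_accounts` is the population the exception report is built from. The dictionary test is deliberately a substring match, since a complexity rule is satisfied by `Welcome2011!` while the word list rejects it.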
  56. 3. Information Security
     - Administrators / Super Users
       - Bypass monitoring controls
         - Delete logs
         - Rerun exception reports
       - Bypass system controls
         - Change employee’s access
         - Log in as employee
         - Bypass workflow approval
       - Bypass Change Management
       - SoD
  57. 3. Information Security
     - High level of access = high risk
       - Download data – data privacy breaches
       - Unauthorized changes
         - Programs and/or data
     - Limit administrative access
       - Contractors / temps?
  58. 3. Information Security
     - Generic IDs – what’s the problem?
       - No accountability
       - Shared password
       - SoD – bypass controls?
     - Test IDs – temporary with undocumented access
     - Vendor default IDs
       - Everyone knows the password
  59. 3. Information Security
     - Unique ID / password
       - Accountability
       - Log files / data mining
     - What about contractors / temps?
       - Sharing the “temp” ID?
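The logical-access questions on slides 54 and 56 to 59 (only current employees have access, unused accounts are disabled, administrative access is limited and not held by contractors or temps, generic, test and vendor-default IDs are eliminated) reduced to a reconciliation of the application's account extract against the HR roster, the "matching against employee rosters" use of data mining from slide 16. This is an added example and not the presentation's material; both extracts, the as-of date and the 90-day "unused" threshold are constructed.

```python
"""Added example (not from the presentation): reconcile an application account
extract against the HR roster to list terminated people with access, unused
accounts, IDs with no named owner, and admin rights outside the employee
population. Both extracts and the thresholds are constructed."""
from datetime import date

# Constructed HR roster: employee id -> (status, worker type)
HR_ROSTER = {
    "E100": ("active", "employee"),
    "E101": ("terminated", "employee"),
    "E102": ("active", "contractor"),
    "E103": ("active", "temp"),
}
# Constructed application account extract; an empty owner means the account is
# not attributed to a named person (generic, test or vendor-default ID).
ACCOUNTS = [
    {"user": "jsmith",  "owner": "E100", "enabled": True,  "admin": False, "last_login": "2011-01-28"},
    {"user": "mbrown",  "owner": "E101", "enabled": True,  "admin": False, "last_login": "2010-11-02"},
    {"user": "kpatel",  "owner": "E102", "enabled": True,  "admin": True,  "last_login": "2011-02-01"},
    {"user": "temp01",  "owner": "",     "enabled": True,  "admin": False, "last_login": "2011-01-30"},
    {"user": "sa",      "owner": "",     "enabled": True,  "admin": True,  "last_login": "2010-06-15"},
    {"user": "test_ap", "owner": "",     "enabled": True,  "admin": False, "last_login": ""},
    {"user": "agreen",  "owner": "E103", "enabled": True,  "admin": False, "last_login": "2010-09-10"},
    {"user": "oldacct", "owner": "E100", "enabled": False, "admin": False, "last_login": "2009-05-05"},
]
AS_OF = date(2011, 2, 4)   # extract date (constructed)
STALE_DAYS = 90            # assumed threshold for "unused"

def enabled(accounts):
    """Disabled accounts are out of scope for every test below."""
    return [a for a in accounts if a["enabled"]]

def terminated_with_access(accounts, roster):
    """Enabled accounts whose owner is on the roster but not active."""
    return sorted(a["user"] for a in enabled(accounts)
                  if a["owner"] and roster.get(a["owner"], ("unknown",))[0] != "active")

def unused_accounts(accounts, as_of=AS_OF, stale_days=STALE_DAYS):
    """Enabled accounts never used, or not used within the threshold."""
    out = []
    for a in enabled(accounts):
        never = not a["last_login"]
        if never or (as_of - date.fromisoformat(a["last_login"])).days > stale_days:
            out.append(a["user"])
    return sorted(out)

def unattributed_ids(accounts):
    """Enabled accounts with no named owner: the generic/test/vendor-default population."""
    return sorted(a["user"] for a in enabled(accounts) if not a["owner"])

def non_employee_admins(accounts, roster):
    """Admin accounts held by contractors or temps, or by no named person at all."""
    out = []
    for a in enabled(accounts):
        if a["admin"]:
            kind = roster.get(a["owner"], ("unknown", "unattributed"))[1]
            if kind != "employee":
                out.append((a["user"], kind))
    return sorted(out)
```

Each function returns the exception population for one slide question, which is what the work paper needs: `terminated_with_access` for "only current employees have access", `unused_accounts` for "disable unused accounts", `unattributed_ids` for the generic, test and vendor IDs, and `non_employee_admins` for "limit administrative access, contractors / temps?". The join key (`owner` to the HR employee id) is the piece that usually has to be negotiated with IT when requesting the extract.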
  60. GTAG
     - GTAG-1
  61. 4. Backup / Recovery
     - Steve will discuss after lunch
     - Restore system and data
       - Server crash
       - Disaster – fire, flood, hurricane, etc.
     - Usually considered very important
  62. 4. Backup / Recovery
     - Risk of a bad recovery
       - Low IT Sophistication: offsite backups, successful restore in the last 12 months
       - High IT Sophistication: audit procedures to ensure the BCP is effective
  63. 4. Backup / Recovery
     - Backups
       - Who can do them?
     - Offsite storage
       - Who picks up the tapes?
       - Who can request tapes?
     - Restoring the system
       - File
       - Database
       - How many transactions are lost?
  64. 4. Backup / Recovery
     - GTAG-10
  65. 5. 3rd party IT Providers
     - Outsourced service
  66. 5. 3rd party IT Providers
     - Why are businesses taking the risk to outsource?
       - Lower cost
       - Lower IT complexity
       - Higher reliability
       - Universal access
       - IT not a core competency
  67. 5. 3rd party IT Providers
     - Financial / Operational impact
     - SAS 70 -> SSAE 16
     - Vendor Selection / Management
     - Risks properly mitigated?
       - Data loss
       - Downtime
       - Regulatory constraints
       - Theft of Intellectual Property
  68. 5. 3rd party IT Providers
     - What’s the risk if the vendor accesses the data?
       - Compensating controls?
       - Regulatory risks
  69. 5. 3rd party IT Providers
     - GTAG-7
  70. Next Steps?
     - Use your resources and READ
       - Audit programs on the Internet
       - GAIT-R and GTAG series
       - IT Audit section – IIA website
  71. Resources
     - Core Competencies Guide
  72. GAIT and GTAG
     - Available to IIA members
     - Guide to the Assessment of IT Risk for Business & IT Risk
       - Top-down assessment of business risk, risk tolerance, and controls
       - ITGC and automated controls
       - Business risks mitigated by manual and automated controls
  73. GAIT-R
     - Designed for internal auditors
  74. GAIT-R
     - Control identification using GAIT-R
  75. GTAG
     - Global Technology Audit Guide
     - 15 GTAGs so far
  76. Resources
     - IIA – IT Audit
     - AuditNet
     - TeamMate and ACL users
       - Free Premium Access
  77. Next Steps?
     - Network with IT Auditors
     - Get training
     - Get certified (CISA or CITP)
  78. Summary
     - IIA Attribute Standard 1210.3
     - “Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work.”
  79. Can I Do It?
     - Data Mining
     - SAS 70 / SSAE 16 Review
     - ITGC Review
  80. 5 years from now
  81. Questions?
  82. Contact Info
  83. Appendix A – DM software
     - The following list is provided for information only. The author makes no recommendations for any of the products.
     - Office 2007 Data Mining Add-Ins using SQL Server 2005 / 2008 ($0)
     - Web CAAT Audit Analytics ($0)
       - 70 program steps, 10 business processes
     - Audit Commander ($50) – works with Excel, Access, or text files
     - May be sufficient for your needs
     ------------------------------------------------------------
     - ACL ($1,000) – most popular among auditors
     - IDEA ($2,295) – more user-friendly
  84. Appendix B – System RM
     - Level of IT Sophistication
     - Email me for the entire article