barkerppt743.ppt

Post on 03-Apr-2018


7/28/2019 barkerppt743.ppt

http://slidepdf.com/reader/full/barkerppt743ppt 1/30

1  Audit Services


2  Security Breaches in Higher Ed

Ohio University - 2006

The Damage

5 separate systems breached
173,000 social security numbers compromised
367,000 personal files exposed (some for over 13 months)
33 reports by alumni about possible identity theft

The Reaction

8,000 calls to information hotline set up to field concerns
800 e-mails and complaint letters received
34,000 hits on university’s data security web site

The Cost

$77,000 spent to notify students and alumni of breach
$750,000 in 21-day emergency response expenses for hardware and consulting
$4 million allotted by Board of Trustees to secure systems
2 IT administrators fired
1 CIO resigned

Source: The Chronicle of Higher Education – September, 2006 

 Audit Services 


3  Mission

To provide independent and objective assurance and consulting services designed to add value and improve the University’s operations; and to help the University accomplish its objectives by bringing a systematic, disciplined approach for evaluating and improving the effectiveness of risk management, control, and governance processes.


4  Organization

Board of Trustees
President, UofL: James Ramsey
Audit Committee, Board of Trustees
University Provost: Shirley Willinganz
Vice President, Finance: Mike Curtin
Director, Audit Services: Dave Barker
Senior IS Auditor: Barry Scott
Associate Director: Cheri Jones
Senior Auditor: Patty Durbin
Auditor 1: Will Metcalf
Senior Auditor: Jeanne Kennedy


5  Risk Assessment Process

Annual Process

Meet with President, VP’s, Deans
Solicit suggestions for the audit plan
What do our peers audit?
Results of prior audits
“How would it read in the paper?”
Experience


6  Risk Assessment Criteria

Internal Control Structure

Complexity of Activity

Dollar Volume/Materiality

Public Exposure/External Influences

Changes in Procedures/Personnel


7  Key Risk Categories

Compliance - Regulatory

Research Grants & Contracts

Human Subjects

Medicare/Medicaid Billing

NCAA


8  Key Risk Categories

Information Technology

PeopleSoft Implementations

Information Security (Network, Wireless, Desktop, Application)

Departmental Information Systems

System and Data Backup Procedures

Compliance with Regulations


9  Key Risk Categories

Financial/Operational

Student Retention/Graduation Rates

Budgetary

Advancement

Health Science Center

Clinics/Departments

Procurement/Construction Processes


10  Audit Plan 2006/2007

Construction Contracts
IT Department
Athletics
Capital Construction Funding
Sponsored Program Accounting
Equine Management
Expense/Cost Transfers
Ophthalmology
Psychology
Brown Cancer Center
Family and Community Medicine Clinics
PeopleSoft Application
Procurement Card Application
University Reports
Computer Account Management System
Firewalls
Institutional Compliance
PeopleSoft Consulting
Requested Audits


11  Audit Process

Planning

Budget

Risk Assessment

Scope and Objectives

Engagement Memorandum


12  Audit Process

Fieldwork

Policies and Procedures
Sampling
Testing
Assessment
Exceptions
Closing


13  Audit Process

Report

Summary of Work Performed

Issues

Action Plans

Implementation Dates

Issued to Audit Client, Directors, Deans, VP’s, Provost and President


15  What Is IT Audit?

Definition

An examination of the controls within an entity’s information technology infrastructure

Purpose

To review and evaluate an organization’s information technology availability, confidentiality and integrity

Availability – Is the technology accessible at all times when required?
Confidentiality – Is information disclosed only to authorized users?
Integrity – Is the information provided by the technology complete, accurate, timely and reliable?


16  Types of IT Audits

Systems and Applications

Verify that systems and applications are appropriate to the entity’s needs, process efficiently and are adequately controlled to ensure valid, reliable, timely and secure input, processing and output.

Example: Procurement Card Application Audit

Information Processing Facilities

Verify that processing facilities are appropriately controlled to ensure timely, accurate and secure processing of systems and applications under normal and potentially disruptive conditions.

Example: Data Center Security Audit


17  Types of IT Audits

Systems Development/Change Control

Verify that systems and applications are developed and maintained in accordance with established policies and procedures.

Example: IT Application Change Control Audit

IT Management

Verify that management has established an effective organization structure and has implemented procedures to ensure a controlled and efficient environment for information processing.

Example: IT Operations Center Audit


19  Regulations and Legislation

Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standards


20  Top IT Risk Areas at U of L

2006-2007 Audit Risk Assessment

PeopleSoft Grants Application
Network Security
Payroll Interfaces
Computer Account Management System
PeopleSoft Payroll Application
University Firewall System


21  Recent IT Audits

Departmental E-mail Systems

Assessed management and administration of selected departmental e-mail systems

Evaluated security, back-up, disaster recovery

Recommended formal policies be established for systems operated outside of enterprise framework:

Request/approval process

Security standards – logical and physical

System backup standards

Disaster recovery planning


22  Recent IT Audits

PeopleSoft Application Security

Evaluated security administration for PeopleSoft financial management, student administration and human resources applications

Tested selected security tables and user accesses

Recommended policies and procedures be improved:

Process for modifying and monitoring access for transferred and terminated employees
Standardization of access request and approval process
Strengthen management of user accounts and access capabilities


23  Recent IT Audits

Wireless Networks

Assessed the extent of wireless network deployment (both authorized and unauthorized)

Evaluated the security of the wireless network connectivity process

Scanned wireless network access points on Belknap and HSC campuses:

Detect and identify wireless networks

Test for channels and Service Set Identifiers (SSIDs)

Test for rogue access points and clients

Test for wireless network encryption


24  Recent IT Audits

Wireless Networks

Tools Used

Kismet – wireless scanner and network sniffer for Linux

NetStumbler – wireless scanner for Windows

DeLorme Street Atlas with GPS – used with NetStumbler to visualize the location of access points

SuperScan – network TCP and UDP port scanner 

Ethereal – packet sniffer 


25  Recent IT Audits

Wireless Networks

Scanning Results

40 access points detected on Belknap campus: 15 authorized, 20 unauthorized, 5 of undetermined origin

40 access points detected on HSC campus: 4 authorized, 36 of undetermined origin


27  Recent IT Audits

Wireless Networks

Key Findings

Unauthorized Wireless Access Points

No Detection Process

Lack of Consistent Encryption

Inadequate Wireless Policy
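A defender-side version of the detection process the findings say was missing, as an added example that is not part of the original deck: it classifies a wireless scan export against an inventory of approved access points into the audit's three buckets (authorized, unauthorized, undetermined origin) and flags access points running with weak or no encryption. The scan rows, the inventory, the official SSID name and the CSV layout are all constructed assumptions, not data from the audit.

```python
# Added example, not from the slide deck: classify a wireless scan export against an
# inventory of approved access points. Scan rows, inventory and SSID name are constructed;
# the CSV layout is a simplified stand-in, not any tool's native export format.
import csv
from collections import Counter
from io import StringIO

# Constructed scan export: one row per detected AP (campus,bssid,ssid,channel,encryption)
SCAN_CSV = """campus,bssid,ssid,channel,encryption
Belknap,00:11:22:33:44:01,UofL,6,WPA
Belknap,00:11:22:33:44:02,UofL,11,WPA
Belknap,aa:bb:cc:dd:ee:01,linksys,6,OPEN
Belknap,aa:bb:cc:dd:ee:02,UofL,6,WEP
HSC,00:11:22:33:44:10,UofL,1,WPA
HSC,aa:bb:cc:dd:ee:10,hospital-guest,11,OPEN
"""

# Constructed inventory of approved APs (campus, BSSID) kept by central IT
AUTHORIZED = {
    ("Belknap", "00:11:22:33:44:01"),
    ("Belknap", "00:11:22:33:44:02"),
    ("HSC", "00:11:22:33:44:10"),
}
UNIVERSITY_SSIDS = {"UofL"}        # assumed official SSID name
WEAK_ENCRYPTION = {"OPEN", "WEP"}  # settings the audit would flag as inadequate


def classify(row):
    """Bucket one scan record the way the audit did: authorized, unauthorized, undetermined."""
    if (row["campus"], row["bssid"]) in AUTHORIZED:
        return "authorized"
    if row["ssid"] in UNIVERSITY_SSIDS:
        # Advertises the university SSID but is not in the inventory: treat as rogue
        return "unauthorized"
    return "undetermined"  # unknown SSID and BSSID; origin needs follow-up


def summarize(scan_csv):
    """Return per-campus classification counts and the APs with weak or no encryption."""
    counts, weak = {}, []
    for r in csv.DictReader(StringIO(scan_csv)):
        counts.setdefault(r["campus"], Counter())[classify(r)] += 1
        if r["encryption"].upper() in WEAK_ENCRYPTION:
            weak.append((r["campus"], r["bssid"], r["ssid"], r["encryption"]))
    return counts, weak


if __name__ == "__main__":
    counts, weak = summarize(SCAN_CSV)
    print({c: dict(n) for c, n in counts.items()}, weak)
```

Run periodically against fresh scan exports, the per-campus counts give the detection process the findings call for, and the weak-encryption list is the input to the encryption and policy follow-up.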


28  Professional Organizations

Institute of Internal Auditors (IIA)

International Standards for the Practice of Internal Auditing

Certified Internal Auditor (CIA)

Successful Completion of Exam

Two Years Internal Audit Experience

Louisville Chapter

Student Membership Available

www.theiia.org


29  Professional Organizations

Information Systems Audit and Control Association (ISACA)

IS Auditing Standards

Certified Information Systems Auditor (CISA)

Successful Completion of Exam

Five Years IT Audit Experience

Kentuckiana Chapter

Student Membership Available

www.isaca.org


30  QUESTIONS?
