Collaborative Relationship Between IT and Internal Auditing

Presented by: Robert Clark, Jr., CIA, CBM
Director of Internal Auditing, Georgia Tech
President, Association of College & University Auditors
[email protected]
voice (404) 894-4606 / fax (404) 894-6990
www.audit.gatech.edu
June 2003


Opportunities for Collaboration:

1. Assessing Risk
2. Advising IA on audit coverage
3. Feedback to IT on effectiveness of IT policy
4. Input to IT on recommended controls, procedures, and best practices
5. Cooperation with response to Information Security incidents


Reporting Structure at GIT

[Organization chart; boxes as labelled]

President

Provost

Sr. VP Admin & Finance

Vice Chancellor for Audit Services, Board of Regents

Director of Internal Auditing

Executive Staff

CIO

Director Info Security


Internal Audit Primary Mission: Four Potential Orientations

[Two-by-two grid. APPROACH: Passive or Active. SCOPE: Internal Control* or Business Performance.]

DETECTION (Approach: Passive; Scope: Internal Control*)

•Focus on examination of past transactions

•Report past problems and recommend solutions

•Maintain rigid independence

ADVISORY (Approach: Passive; Scope: Business Performance)

•Defining process improvement opportunities, if seen

•By-product of internal control assessment but not focusing on internal controls

•Moving away from compliance auditing (dangerous position…)

PREVENTION (Approach: Active; Scope: Internal Control*)

•Active promotion of internal control agenda

•Recommending preventive measures to the campus unit and advice in making changes

•Maintain objectivity while eliminating unnecessary organizational barriers

SOLUTION (Approach: Active; Scope: Business Performance)

•Target process improvements as a key goal

•Focus on Assessing Risk and Management’s Mitigation of Risk

•Work toward implementation of cost-beneficial internal controls & compliance

•Teamwork approach while maintaining objectivity and independent perspective

*Defined along the lines of COSO’s Integrated Framework


Internal Audit’s Role…

…it’s more than counting beans...


Assessing Risk…

Internal Audit’s role:

• Identify key risks of the organization

• Look at all areas of exposure, not just financial

• Focus on the issues that matter most in safeguarding the assets of the Institute

• Develop audit procedures to examine high risk areas and verify strength of processes to mitigate risks

• Provide feedback to mgmt on effectiveness of policies and procedures

• Promote awareness of policies and best practices

• Help bring Management together on key risks

• Develop organizational approach to managing risk


What is RISK?

… Anything that could prevent the organization from meeting its goals


Assessing Risk – with Management

• Talk with all members of Senior Management (one-on-one discussions)

• Ask key questions, such as:
  “Where are potential exposures?”
  “What keeps you up at night?”
  “Where do you see risks for your unit and GIT?”
  “What are some of the potential adverse situations that could occur within…?”

• Goal is to identify and inventory RISKS


Assessing Risks:

Description of adverse situation that could occur

Potential impact if this situation were to occur (1-5)

x

Probability of this situation occurring (1-5)

= Risk Ranking


Risk Discussion Tool

Campus Unit

Columns of the form:

1. Area(s) in which there may be risk
2. Description of what a significant adverse condition could be
3. Potential impact if a significant adverse condition were to occur [scale of 1 (low) to 5 (high)]
4. Probability of the impact(s) [scale of 1:5]
5. Risk rating [impact X probability]
6. Comments/ Factors for consideration

Rows of the form (areas in which there may be risk):

• Financial
• Legal & Regulatory
• Public Relations
• Information Security
• Health & Safety
• Effectiveness & Efficiency
• Human Resources


Audit Risk Universe


Audit Focus -- Zeroing In

[Diagram; labels as shown]

Information Gathering

Monitoring/ General Awareness (committees)

Informal Reviews (surveying internal control)

Risk-Based Audits (processes & risk)

Process Improvement (reengineering)

Strategy/Solution Development/ Partnering w/ Mgmt. as Key Resource

Audits of compliance & controls


Identifying Unit-level Information Systems Risks

• Logical Security
• Environmental and Physical Controls
• Data Security and Stewardship
• Management of IS Resources
• Equipment Maintenance
• Back-up and Recovery
• Training and Documentation
• Operations/ Administration
• Web Site Operation/ Development
• Software Licensing


IT Advising IA on audit coverage…

• CIO, Director of Information Security, and others in IT review draft of audit programs, in some cases helping to draft audit steps (“What would you, as CIO, look for if you were conducting these reviews?”)

• IT provides further insight, clarification, and direction to auditors

• Internal Auditing seeks IT’s opinion/support regarding feasibility of audit recommendations

• Ultimately, Internal Auditing’s decision – but collaborating with IT to ensure the most effective coverage of IT risks throughout the organization


The Audit Plan

Focus on reviewing how each organization is moving toward effectively and efficiently mitigating each of the risks

Independent verifications & attestations to determine strength of processes

Conclusions are forward-looking - how well positioned are they to deal with risk?


Feedback to IT…

Reports go not only to unit head but to senior management (including CIO) to show where opportunities for improvement exist

Direct communication with CIO regarding areas in which more training/education/guidance or IT focus should be provided to campus units

IA offers advice to senior mgmt on areas for policy enhancement


Recommended best practices…

IA provides trend analysis summaries to senior management (including CIO) showing common areas across campus requiring improvement

Leads to targeted plans for action aimed at addressing the specific issues (as opposed to blanket policies which may be unnecessarily onerous)


Recommended procedures…

President assembled committee (chaired by CIO) to revise Computer Network Usage Policy

• VP for Finance, VP for HR, Chief Legal Advisor, Director of Internal Auditing, Associate Dean, Student Govt. rep, & others

• [Note: IA’s role was not to “set” policy, rather to advise committee on key areas the policy should address]


Responding to Info Security Incidents

Information on an incident may come from a variety of sources:

• OHR – personnel-related complaint

• Legal Affairs – person seeking legal advice

• Financial Services – questionable transaction(s)

• Campus Police – allegation of illegal behavior

• Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection system reports, etc.

• Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.


Responding to Info Security Incidents

Challenge: ensuring a consistent approach to dealing with incidents

Risk: If investigation not handled appropriately or consistently, puts Institute at risk

Solution: IA recommended creation of ad-hoc task force and procedure to address Info Security incidents


http://www.audit.gatech.edu/IAcollabrative2.wmf

Monday, March 31, 2003

Georgia Tech Dept. of Internal Auditing - Office of Information Technology - Information Security Collaborative Diagram

[Flowchart; boxes as labelled]

Event Or Incident Requiring Collaboration

Determine Lead:
- Coordination of Efforts
- Determine Custodians of Data
- Responsibility for Reporting

As Required

Determine Scope:

Review Method
- Intrusive
- Non Intrusive

Investigation
- Level of Forensics

Determine Potential Outcome:

Legal Action

Administrative Outcome

Ad-Hoc Group Convenes

o Director of Internal Auditing

o Chief Legal Advisor

o Associate VP - Office of Human Resources

o Associate VP - Office of Information Technology

o Director of Information Security

Communication of Results.

Determine Resources

Other Resources to be Considered

o Director of Campus Security (Police)

o Associate VP Financial Services

o Director of Institute Communications

o Unit Head of Affected Area

o Chief Technology Officer

Conduct Investigation


Step 1

• Incident is brought to attention of member of mgmt

• He/She convenes Ad-Hoc Group [CIO, AVP-OHR, Chief Legal Advisor, Director Internal Auditing, Director of Information Security]

• “What do we know now?”

• Group shares info to determine other resources that may need to be involved (e.g., Director Campus Security, AVP- Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)

• Group determines needed resources


Step 2

Group makes a determination on the potential outcome

• E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only?

• This determines procedures to be followed in conducting the investigation and standard of evidence to which to adhere

• Also determines whether law enforcement should be notified and/or involved


Step 3

Group determines who will take the lead in facilitating the investigation. This person:

• Coordinates efforts, arranges meetings, initiates status reporting

• Initiates status reporting to the Office of the President

• Determines appropriate custodian of investigation data

• Facilitates reporting at the end of investigation


Step 4

Investigation is conducted following appropriate procedures agreed-to by Group

Regular communication with Group on status, observations, noteworthy issues

Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues


Step 5

Group re-convenes to:

• evaluate effectiveness of process;

• document “lessons learned”; and

• discuss ways the situation may be prevented in the future, e.g.,
  – Additional audit steps to examine for this elsewhere?
  – Need for policy enhancement?
  – Need for additional education/awareness?


Results of Collaborative Approach

• IA and IT aligned on areas of high risk

• Common approach for responding to Information Security incidents

• IT becomes source of “education and awareness” for IA

• IA able to represent organizational perspective on IT issues across campus to audiences to which IT would not normally have access

• IA provides independent and objective feedback to IT on effectiveness of IT policies and procedures (within OIT and across the campus)

• Combining perspectives to establish best practices for Information Systems across organization
