IT Audit for Non-IT Auditors

IT Audit for Non-IT Auditors. Ed Tobias, CISA, CIA, CFE. February 4, 2011. 84 slides.

Upload: ed-tobias

Posted on 25-Jan-2015

Category:

Documents



DESCRIPTION

Discusses IIA expectations for Internal Auditors regarding knowledge of key technology risks and technology audit tools.

TRANSCRIPT

Page 1: IT Audit For Non-IT Auditors

IT Audit for Non-IT Auditors

Ed Tobias, CISA, CIA, CFE
February 4, 2011

Page 2: IT Audit For Non-IT Auditors

Overview

- What is an IT Auditor? Skills
- Without IT audit, what areas/risks may not be covered?
- Areas for non-IT auditors
- Next steps?
- Questions?

Page 3: IT Audit For Non-IT Auditors

To Keep Things Moving…

- Participate!
- Questions:
  - Brief: will answer
  - Complex: save until the end or offline

Page 4: IT Audit For Non-IT Auditors

What is an IT Auditor?

- Skills: hard vs. soft
- Education: technology-related or non-technical
- Professional background: IT, consulting

Page 5: IT Audit For Non-IT Auditors

What is an IT Auditor?

- Certifications: CISA, CITP, CISM, CISSP; vendor certifications (e.g. MCSE, CCNA); others (e.g. PMP, CIPP, CIA)
- Training: on the job, specialized courses

Page 6: IT Audit For Non-IT Auditors

Auditors must have …

IIA Attribute Standard 1210.A3: "Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work."

Page 7: IT Audit For Non-IT Auditors

Areas that may need help

- Disaster recovery
- Data mining
- ITGC review
- Application controls testing
- User-developed applications
- SAS 70 (SSAE 16) considerations
- Data integrity / confidentiality
- Working with IT to get data for testing

Page 8: IT Audit For Non-IT Auditors

Areas that Non-IT Auditors can perform

- Disaster recovery (Steve will present)
- Data mining
- SAS 70 (SSAE 16) review
- ITGC review

Page 9: IT Audit For Non-IT Auditors

IIA Research Foundation

Page 10: IT Audit For Non-IT Auditors

p. 36 – Technical Skills

Page 11: IT Audit For Non-IT Auditors

p. 46 – 5 years from now

Page 12: IT Audit For Non-IT Auditors

- Analyze the entire population instead of taking a sample
- Predicting major increases in technology audit tools
- Assess current skills
- Create a plan to address deficiencies

Page 13: IT Audit For Non-IT Auditors

Data Mining

- Current perceptions
- What is data mining?
- How is it used?
- How can I use it?

Page 14: IT Audit For Non-IT Auditors

Current Perceptions about DM

Who has NOT heard of DM?

Page 15: IT Audit For Non-IT Auditors

What Is Data Mining?

- Automate detection of relevant patterns
- Look at current and historical data
- Predict future trends
- Efficient method to analyze large amounts of data
- Enhance key-item sampling
- Means for "continuous auditing"

Page 16: IT Audit For Non-IT Auditors

How Is Data Mining Used?

- Audit process: risk assessment, controls assessment
- Fraud detection and prevention. IIA's IPPF practice guide, Internal Auditing and Fraud: "Routine and/or ad hoc matching of … data against relevant transactions, vendor lists, employee rosters, and other data" (p. 22)

Page 17: IT Audit For Non-IT Auditors

Data Mining Process

1. Validate your data
2. System risk assessment
3. Perform testing

Page 18: IT Audit For Non-IT Auditors

1. Validate your data

- Compare the file totals to control totals:
  - Total record count
  - Subtotal of key numeric fields (e.g. amount)

Page 19: IT Audit For Non-IT Auditors

2. System Risk Assessment

- Article for an upcoming ISACA Journal, titled "Taking Your First Steps in Data Mining"
- Assess the risk of unauthorized data modification; important for fraud detection or compliance
- Is the system "user-developed", formally managed by IT, or outsourced?

Page 20: IT Audit For Non-IT Auditors

3. Perform testing

- Check for missing data: blank fields or missing records
- Invalid data: characters in numeric fields
- Duplicate records
- Data within the scope period
- Accurate computed fields: independently perform the calculations
- Stratify data: approval limits
- Benford's Law: find anomalies

Page 21: IT Audit For Non-IT Auditors

Can I Do It?

- These functions are possible WITHOUT DM software; more time and effort is required
- DM software provides: efficiency, audit log functions, repeatability, a basis for continuous auditing
- Scripts / enterprise platforms

Page 22: IT Audit For Non-IT Auditors

Example

Risk assessment / control effectiveness: purchase order review, 24 months
- 6,000+ POs
- 490,000+ records in the accounting system
- 510,000+ records related to payments

Page 23: IT Audit For Non-IT Auditors

Example

- Isolated 14,000 payment records related to the 6,000+ POs
- Developed risk-based reports: total department spend, total vendor spend, top 10 departments / vendors, possible split transactions, non-compliance with policies

Page 24: IT Audit For Non-IT Auditors

Example

Benford's Law helps identify unusual transactions
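Worked example, added here and not code from the slides or from the author: the three-step process (validate the extract, assess, test) and the split-transaction and Benford's Law reports from the purchase-order example, run over a constructed payments extract. The extract, the control totals, the $5,000 approval limit, the 7-day split window and the 100-record Benford minimum are all assumptions for illustration; replace them with your own export and the totals the system owner gives you.

```python
"""Added example (constructed data): data-mining tests over a payments extract."""
import csv
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed AP export seeded with a duplicate row (1005), a non-numeric amount
# (1005), a blank vendor (1006), an out-of-period payment (1007) and a split pair.
PAYMENTS_CSV = """payment_id,po_number,vendor,department,pay_date,amount
1001,PO-1,Acme Supply,Facilities,2010-01-15,4800.00
1002,PO-1,Acme Supply,Facilities,2010-01-16,4900.00
1003,PO-2,Beta Services,IT,2010-02-03,12500.00
1004,PO-3,Acme Supply,Facilities,2010-02-10,275.50
1005,PO-4,Gamma Corp,HR,2010-03-01,ABC
1006,PO-5,,Finance,2010-03-05,980.00
1005,PO-4,Gamma Corp,HR,2010-03-01,ABC
1007,PO-6,Delta Ltd,IT,2012-01-01,1500.00
1008,PO-7,Acme Supply,Facilities,2010-04-02,4950.00
"""
CONTROL_RECORD_COUNT, CONTROL_AMOUNT_TOTAL = 8, 29905.50  # from the system owner (assumed)
SCOPE_START, SCOPE_END = date(2010, 1, 1), date(2010, 12, 31)
APPROVAL_LIMIT = 5000.00  # hypothetical single-approver limit
FIELDS = ("payment_id", "po_number", "vendor", "department", "pay_date", "amount")

def load_payments(text=PAYMENTS_CSV):
    return list(csv.DictReader(text.splitlines()))

def parse_amount(value):
    try:                      # float, or None when a numeric field holds characters
        return float(value)
    except (TypeError, ValueError):
        return None

def validate_extract(rows):
    """Step 1: reconcile count and amount subtotal to the control totals first."""
    amounts = [parse_amount(r["amount"]) for r in rows]
    total = round(sum(a for a in amounts if a is not None), 2)
    return {"record_count": len(rows), "count_matches": len(rows) == CONTROL_RECORD_COUNT,
            "amount_total": total, "total_matches": total == CONTROL_AMOUNT_TOTAL,
            "unparseable_amounts": sum(a is None for a in amounts)}

def missing_data(rows):
    return [r["payment_id"] for r in rows if any(not r[f].strip() for f in FIELDS)]

def invalid_amounts(rows):
    return [r["payment_id"] for r in rows if parse_amount(r["amount"]) is None]

def duplicate_records(rows):
    counts = Counter(tuple(r[f] for f in FIELDS) for r in rows)
    return sorted({key[0] for key, n in counts.items() if n > 1})

def out_of_scope(rows, start=SCOPE_START, end=SCOPE_END):
    return [r["payment_id"] for r in rows if not start <= date.fromisoformat(r["pay_date"]) <= end]

def stratify(rows, bands=(0, 1000, APPROVAL_LIMIT, float("inf"))):
    counts = Counter()        # payments per band; a pile-up just under a limit is a lead
    for amt in filter(None, (parse_amount(r["amount"]) for r in rows)):
        band = next(((lo, hi) for lo, hi in zip(bands, bands[1:]) if lo <= amt < hi), None)
        if band:
            counts[band] += 1
    return dict(counts)

def possible_splits(rows, limit=APPROVAL_LIMIT, window_days=7):
    """Sub-limit payments to one vendor/department within a few days whose sum
    would have needed the higher approval."""
    groups = defaultdict(list)
    for r in rows:
        amt = parse_amount(r["amount"])
        if amt is not None and amt < limit:
            groups[(r["vendor"], r["department"])].append(
                (date.fromisoformat(r["pay_date"]), amt, r["payment_id"]))
    flagged = []
    for group in groups.values():
        group.sort()
        for i, (d1, a1, id1) in enumerate(group):
            for d2, a2, id2 in group[i + 1:]:
                if (d2 - d1).days > window_days:
                    break
                if a1 + a2 >= limit:
                    flagged.append((id1, id2))
    return flagged

def leading_digit(amount):
    text = f"{abs(amount):.2f}".lstrip("0.")
    return int(text[0]) if text else None

def benford_first_digit(amounts, min_records=100):
    """(observed, expected) share per leading digit; None if the population is too small."""
    digits = [d for d in (leading_digit(a) for a in amounts if a) if d]
    if len(digits) < min_records:
        return None
    obs, n = Counter(digits), len(digits)
    return {d: (round(obs[d] / n, 3), round(math.log10(1 + 1 / d), 3)) for d in range(1, 10)}

def benford_outliers(amounts, tolerance=0.05):
    result = benford_first_digit(amounts)
    return None if result is None else [d for d, (o, e) in result.items() if abs(o - e) > tolerance]

# Constructed log-uniform population over three decades: it follows Benford's Law.
BENFORD_SAMPLE = [round(10 ** (2 + i / 100), 2) for i in range(300)]
```

On the sample extract, `validate_extract` fails the record count (the duplicate row) while the amount subtotal still agrees, which is exactly why both totals are reconciled before any other test is trusted. `possible_splits` flags 1001/1002 (two payments to the same vendor on consecutive days, each under the limit, $9,700 together). `benford_first_digit` refuses the seven-record extract and returns a clean comparison for the 300-record sample; Benford's Law only says something about populations of naturally occurring amounts, not about a handful of rows.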

Page 25: IT Audit For Non-IT Auditors

IIA's Value Proposition

Page 26: IT Audit For Non-IT Auditors

SAS 70 Review

Why do we need it?
- Explains the controls at a service organization
- Tests their effectiveness over a period (Type II SAS 70)
- Supports financial statement assertions
- We can't audit the service organization ourselves

Page 27: IT Audit For Non-IT Auditors

SAS 70 -> SSAE 16

- Based on the International Standard on Assurance Engagements (ISAE 3402)
- Effective for periods ending on or after June 15, 2011
- NOT a certification for the service organization

Page 28: IT Audit For Non-IT Auditors

SSAE 16

- Deals with controls over subject matter relevant to financial reporting
- Other areas are dealt with in another AICPA guide (2011): Security, Availability, Processing Integrity, Confidentiality, or Privacy
- AICPA SOC (Service Organization Control) 2, Type II report

Page 29: IT Audit For Non-IT Auditors

IT Audit Items?

- Section II, information provided by the service organization:
  - Description of the IT environment and related ITGC
  - User control considerations: have they been reviewed? Are they implemented?
- Section IV, supplemental information: DR / business continuity plan

Page 30: IT Audit For Non-IT Auditors

ITGC Review

IIA Attribute Standard 1210.A3: "Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work."

Page 31: IT Audit For Non-IT Auditors

A few words about ITGC…

It's not necessary to know "everything" about IT controls. Two key control concepts:
1. Assurance from IT controls is within the whole system of internal control: continuous, and it produces a reliable evidence trail

Page 32: IT Audit For Non-IT Auditors

A few words about ITGC…

2. The auditor's assurance is an independent, objective assessment of #1:
- Understand, examine, and assess the controls related to the risks auditors manage
- Perform sufficient control testing: are the controls designed appropriately, and do they function effectively?

GTAG-1: Information Technology Controls, p. 3

Page 33: IT Audit For Non-IT Auditors

ITGC Review

- Considered during SOX audits: risk of material misstatement
- Applies to all key systems involved with financial reporting
- Can extend to key operational systems: bad data = bad management decisions

Page 34: IT Audit For Non-IT Auditors

ITGC Review

- Which is more reliable, a manual or an automated control?
- Many controls are "hybrid": partly automated, i.e. a manual control that relies on application functionality
- Example: a key control to detect duplicate receipts relies on review of a system report

Page 35: IT Audit For Non-IT Auditors

ITGC Review

Key automated / hybrid controls: assess and test the ITGC that provide assurance that the automated controls perform consistently and appropriately

Page 36: IT Audit For Non-IT Auditors

ITGC Review

Minimum 5 areas of review:
1. IT entity-level
2. Change management
3. Information security
4. Backup and recovery
5. 3rd-party IT providers

How deep to go depends on the risk to the system or department

Page 37: IT Audit For Non-IT Auditors

How to use the template?

- Guide for examining IT audit areas
- Risk assessment: use judgment to determine the applicable areas
- Helps determine the "key information technology risks"

Page 38: IT Audit For Non-IT Auditors

1. IT Entity-level

Related to the entity's environment. Covers IT as a whole:
- Acquisition
- Implementation
- Management
- Governance (Johan will present)
- Policies and procedures
- IT risk management
- Planning / strategy

Page 39: IT Audit For Non-IT Auditors

1. IT Entity-level

- What impact do these controls have on the system?
- Understand the level of IT sophistication within the system and/or organization

Page 40: IT Audit For Non-IT Auditors

Level of IT Sophistication

Assess the complexity of the system -> relevance of ITGC
- Low: COTS, 1 server, 1-15 users
- High: ERP and/or customized, 4+ servers, 30+ users

Appendix B: guidelines for IT sophistication levels

Page 41: IT Audit For Non-IT Auditors

1. IT Entity-level

- What impact do these controls have on the system?
- Low IT sophistication = low risk to the system / department
- Consider mitigating controls

Page 42: IT Audit For Non-IT Auditors

1. IT Entity-level

- Annual technology plan: IT should align with the business
- Annual budget: overspending?
- Prioritization: alignment with business changes

Page 43: IT Audit For Non-IT Auditors

GTAG

Global Technology Audit Guide 1

Page 44: IT Audit For Non-IT Auditors

2. Change Management

All changes to the system must be properly authorized and securely implemented. Applies to:
- Software (applications)
- Hardware (infrastructure: operating systems and networks)

Page 45: IT Audit For Non-IT Auditors

2. Change Management

- Properly scope the risk: vendor-supplied updates vs. in-house coding and updates
- Relevant with higher levels of IT sophistication: mature, more defined processes; change review board

Page 46: IT Audit For Non-IT Auditors

2. Change Management

- Segregation of Duties (SoD) between creating the change, approving it, testing it and implementing it
- Emergency changes: change implemented before approval

Page 47: IT Audit For Non-IT Auditors

Fraud Example

- Deputy Treasurer-Controller of a Washington state public utility district
- Issued $236,925.23 to himself
- Was authorized to make program changes, and implemented those changes himself
- Circumvented the manual controls performed by A/P
- Caught by an A/P clerk who noticed a $7,000 check cashed by him
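Added example, not code from the slides or from the author: the change-management SoD and emergency-change tests from the two slides above, run over a constructed change ticket log. The log layout, the four role columns and the people in it are assumptions; CHG-2 is modelled on the fraud example, where the person who wrote the change also tested it and moved it into production.

```python
"""Added example (constructed data): SoD and emergency-change tests over a change log."""
import csv
from collections import defaultdict
from datetime import date

ROLE_FIELDS = ("developed_by", "tested_by", "approved_by", "implemented_by")

# Constructed change log. CHG-2 mirrors the fraud example: one person wrote,
# tested and implemented his own change. CHG-5 is still pending. Not real data.
CHANGE_LOG_CSV = """change_id,description,developed_by,tested_by,approved_by,implemented_by,approved_on,implemented_on
CHG-1,AP vendor master field length,dev1,qa1,mgr1,ops1,2010-05-03,2010-05-10
CHG-2,Check printing routine patch,ctrl1,ctrl1,mgr1,ctrl1,2010-06-01,2010-06-01
CHG-3,Payroll rate table update,dev2,qa1,dev2,ops1,2010-07-12,2010-07-15
CHG-4,Emergency fix to posting job,dev1,,mgr1,ops1,2010-08-20,2010-08-18
CHG-5,Vendor-supplied ERP patch,vendor,qa1,mgr1,ops1,2010-09-01,
"""

def load_changes(text=CHANGE_LOG_CSV):
    return list(csv.DictReader(text.splitlines()))

def sod_conflicts(changes):
    """(change_id, person, roles) wherever one person held two or more of the
    develop / test / approve / implement roles on the same change."""
    out = []
    for c in changes:
        held = defaultdict(list)
        for role in ROLE_FIELDS:
            if c[role]:
                held[c[role]].append(role)
        out += [(c["change_id"], who, tuple(roles)) for who, roles in held.items() if len(roles) > 1]
    return out

def implemented_before_approval(changes):
    """Emergency changes: in production before (or without) the approval date."""
    out = []
    for c in changes:
        if not c["implemented_on"]:
            continue              # still pending; nothing in production yet
        if not c["approved_on"] or (date.fromisoformat(c["implemented_on"])
                                    < date.fromisoformat(c["approved_on"])):
            out.append(c["change_id"])
    return out

def no_test_evidence(changes):
    # an implemented change with nobody recorded as tester
    return [c["change_id"] for c in changes if c["implemented_on"] and not c["tested_by"]]

def change_report(changes=None):
    changes = load_changes() if changes is None else changes
    return {"sod_conflicts": sod_conflicts(changes),
            "implemented_before_approval": implemented_before_approval(changes),
            "no_test_evidence": no_test_evidence(changes)}
```

The report lists CHG-2 (developer, tester and implementer are the same person), CHG-3 (the developer approved his own change), and CHG-4 twice: implemented two days before it was approved, and with no tester recorded. Each line of the report is a ticket to pull and a person to ask, not a conclusion on its own.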

Page 48: IT Audit For Non-IT Auditors

Change Management GTAG

GTAG-2

Page 49: IT Audit For Non-IT Auditors

3. Information Security

Unauthorized access to the programs or data. Two types of access:
- Physical
- Logical

Page 50: IT Audit For Non-IT Auditors

3. Information Security

Physical: limit physical access to the servers and critical infrastructure
- Locked doors
- Cameras
- Security guards
- Biometrics

Page 51: IT Audit For Non-IT Auditors

3. Information Security

Logical: limit access to the applications and data
- Less is more: the least amount of privileges needed to perform job functions
- Segregation of duties
- Limit physical access to the servers

Page 52: IT Audit For Non-IT Auditors

3. Information Security

- Important to distinguish information security problems from risk to the system: are compensating manual controls in place to detect / prevent errors?
- Low IT sophistication = low risk of financial misstatement, but higher operational / regulatory risk

Page 53: IT Audit For Non-IT Auditors

3. Information Security

- Security policy: tone at the top; sets guidelines for acceptable use; part of the employee handbook
- Access privileges: role-based and well-defined. Watch the "backup" person who holds conflicting roles and can bypass management controls

Page 54: IT Audit For Non-IT Auditors

3. Information Security

- Only current employees have access
- Disable unused accounts
- Temps / contractors

Page 55: IT Audit For Non-IT Auditors

3. Information Security

Strong passwords:
- Periodic change (90 days)
- Password history
- Minimum length
- Complexity: upper / lower case, numbers / symbols, no dictionary words, no repeating characters

(This is the 2011 guidance. NIST SP 800-63B, published in 2017, drops forced periodic rotation and composition rules in favor of length and screening candidate passwords against lists of known-compromised ones; check which policy the entity has adopted before writing up a finding.)

Page 56: IT Audit For Non-IT Auditors

Powerpoint Templates 56

3. Information Security

Administrators / Super Users Bypass monitoring controls

Delete logs Rerun exception reports

Bypass system controls Change employee’s access Log in as employee Bypass workflow approval

Bypass Change Management SoD

Page 57: IT Audit For Non-IT Auditors

3. Information Security

- High level of access = high risk: downloading data (data privacy breaches), unauthorized changes to programs and/or data
- Limit administrative access. Contractors / temps?

Page 58: IT Audit For Non-IT Auditors

3. Information Security

- Generic IDs, what's the problem? No accountability; shared password; SoD: do they bypass controls?
- Test IDs: temporary, with undocumented access
- Vendor default IDs: everyone knows the password

Page 59: IT Audit For Non-IT Auditors

3. Information Security

- Unique ID / password: accountability; log files / data mining
- What about contractors / temps? Sharing the "temp" ID?
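Added example, not code from the slides or from the author: a logical-access review that ties every enabled application ID back to the HR roster, covering the points above (only current employees, temps and contractors past their end date, privileged access, generic and vendor-default IDs, dormant accounts, and a "backup" login that hides a conflicting-role combination). The roster, the user list, the role names, the vendor-default ID list, the SoD pair and the 90-day dormancy threshold are all assumptions.

```python
"""Added example (constructed data): application user list vs. HR roster review."""
import csv
from collections import defaultdict
from datetime import date

# Constructed HR roster and application user list. Not real data.
HR_ROSTER_CSV = """employee_id,name,status,worker_type,end_date
E100,Alice Ng,active,employee,
E101,Bob Ruiz,terminated,employee,2010-11-30
E102,Cara Wu,active,contractor,2010-12-15
E103,Dan Oyelaran,active,employee,
"""
APP_USERS_CSV = """user_id,employee_id,enabled,roles,last_login
ang,E100,Y,ap_clerk,2011-01-28
backup1,E100,Y,ap_approver,2011-02-01
bruiz,E101,Y,ap_clerk,2010-12-02
cwu,E102,Y,ap_approver,2011-01-20
doyelaran,E103,Y,sysadmin,2010-09-01
temp01,,Y,ap_clerk,2011-01-30
sa,,Y,sysadmin,2011-01-31
test_user,,N,ap_approver,2010-06-01
"""
REVIEW_DATE = date(2011, 2, 4)
DORMANT_DAYS = 90
PRIVILEGED_ROLES = {"sysadmin"}
VENDOR_DEFAULT_IDS = {"sa", "admin", "root"}                       # assumed; use the vendor's list
CONFLICTING_ROLE_PAIRS = [frozenset({"ap_clerk", "ap_approver"})]  # assumed SoD matrix

def load(text):
    return list(csv.DictReader(text.splitlines()))

def review_access(roster_csv=HR_ROSTER_CSV, users_csv=APP_USERS_CSV, today=REVIEW_DATE):
    """Return {finding: [ids]} over every enabled application ID."""
    roster = {r["employee_id"]: r for r in load(roster_csv)}
    findings, roles_by_person = defaultdict(list), defaultdict(set)
    for u in load(users_csv):
        if u["enabled"] != "Y":
            continue                                      # disabled IDs are out of scope here
        uid, owner = u["user_id"], roster.get(u["employee_id"])
        roles = set(filter(None, u["roles"].split(";")))
        if owner is None:
            findings["no_named_owner"].append(uid)         # generic, test or shared ID
        elif owner["status"] != "active":
            findings["terminated_still_enabled"].append(uid)
        elif owner["end_date"] and date.fromisoformat(owner["end_date"]) < today:
            findings["contract_expired"].append(uid)       # temp/contractor past end date
        else:
            roles_by_person[owner["employee_id"]] |= roles
        if uid in VENDOR_DEFAULT_IDS:
            findings["vendor_default"].append(uid)
        if roles & PRIVILEGED_ROLES:
            findings["privileged"].append(uid)             # review the names, not just the count
        if (today - date.fromisoformat(u["last_login"])).days > DORMANT_DAYS:
            findings["dormant"].append(uid)
    # SoD is a property of the person, not the ID: combine roles across all of
    # their enabled accounts so a "backup" login does not hide the conflict.
    for emp, roles in roles_by_person.items():
        if any(pair <= roles for pair in CONFLICTING_ROLE_PAIRS):
            findings["sod_conflict"].append(emp)
    return {k: sorted(v) for k, v in findings.items()}
```

Two details are worth copying into a real review. The roster join is done on an employee identifier, not on a name, so a generic ID such as `temp01` or the vendor's `sa` surfaces as having no named owner rather than being skipped. And roles are aggregated per person before the SoD check: `ang` and `backup1` each look harmless on their own, but together they give one employee both clerk and approver rights.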

Page 60: IT Audit For Non-IT Auditors

GTAG

GTAG-1

Page 61: IT Audit For Non-IT Auditors

4. Backup / Recovery

Steve will discuss this after lunch.
- Restore the system and data: server crash; disaster (fire, flood, hurricane, etc.)
- Usually considered very important

Page 62: IT Audit For Non-IT Auditors

4. Backup / Recovery

Risk of a bad recovery:
- Low IT sophistication: offsite backups, a successful restore in the last 12 months
- High IT sophistication: audit procedures to ensure the BCP is effective

Page 63: IT Audit For Non-IT Auditors

4. Backup / Recovery

- Backups: who can do them?
- Offsite storage: who picks up the tapes? Who can request tapes?
- Restoring the system: file, database; how many transactions are lost?

Page 64: IT Audit For Non-IT Auditors

4. Backup / Recovery

GTAG-10

Page 65: IT Audit For Non-IT Auditors

5. 3rd party IT Providers

Outsourced service

Page 66: IT Audit For Non-IT Auditors

5. 3rd party IT Providers

Why are businesses taking the risk to outsource?
- Lower cost
- Lower IT complexity
- Higher reliability
- Universal access
- IT is not a core competency

Page 67: IT Audit For Non-IT Auditors

5. 3rd party IT Providers

- Financial / operational impact: SAS 70 -> SSAE 16
- Vendor selection / management: are the risks properly mitigated? Data loss, downtime, regulatory constraints, theft of intellectual property

Page 68: IT Audit For Non-IT Auditors

5. 3rd party IT Providers

- What's the risk if the vendor accesses the data? Compensating controls?
- Regulatory risks

Page 69: IT Audit For Non-IT Auditors

5. 3rd party IT Providers

GTAG-7

Page 70: IT Audit For Non-IT Auditors

Next Steps?

Use your resources and READ:
- Audit programs on the Internet
- GAIT-R and the GTAG series
- IT Audit section of the IIA website

Page 71: IT Audit For Non-IT Auditors

Resources

Core Competencies Guide

Page 72: IT Audit For Non-IT Auditors

GAIT and GTAG

Available to IIA members

GAIT: Guide to the Assessment of IT Risk, for business and IT risk
- Top-down assessment of business risk, risk tolerance, and controls
- ITGC and automated controls
- Business risks mitigated by manual and automated controls

Page 73: IT Audit For Non-IT Auditors

GAIT-R

Designed for internal auditors

Page 74: IT Audit For Non-IT Auditors

GAIT-R

Control identification using GAIT-R

Page 75: IT Audit For Non-IT Auditors

GTAG

Global Technology Audit Guide: 15 GTAGs so far

Page 76: IT Audit For Non-IT Auditors

Resources

- IIA, IT Audit: http://www.theiia.org/intAuditor/itaudit/
- AuditNet: http://www.auditnet.org/ (free premium access for TeamMate and ACL users)

Page 77: IT Audit For Non-IT Auditors

Next Steps?

- Network with IT auditors
- Get training
- Get certified (CISA or CITP)

Page 78: IT Audit For Non-IT Auditors

Summary

IIA Attribute Standard 1210.A3: "Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work."

Page 79: IT Audit For Non-IT Auditors

Can I Do It?

- Data mining
- SAS 70 / SSAE 16 review
- ITGC review

Page 80: IT Audit For Non-IT Auditors

5 years from now

Page 81: IT Audit For Non-IT Auditors

Questions?

Page 82: IT Audit For Non-IT Auditors

Contact Info

[email protected]

http://www.linkedin.com/in/ed3200

Page 83: IT Audit For Non-IT Auditors

Appendix A – DM software

The following list is provided for information only. The author makes no recommendations for any of the products.
- Office 2007 Data Mining Add-Ins using SQL Server 2005 / 2008 ($0)
- Web CAAT Audit Analytics ($0): 70 program steps, 10 business processes
- Audit Commander ($50): works with Excel, Access, or text files; may be sufficient for your needs
------------------------------------------------------------
- ACL ($1,000): most popular among auditors
- IDEA ($2,295): more user-friendly

Page 84: IT Audit For Non-IT Auditors

Appendix B – System RM

Level of IT Sophistication

Email me ([email protected]) for the entire article