Post on 07-Apr-2018


Page 1: Presentation - The Role of IT Audit

8/4/2019 Presentation - The Role of IT Audit

http://slidepdf.com/reader/full/presentation-the-role-of-it-audit 1/34

 

The Role of IT Audit at Cornell University

Presented by:

Craig Adams, CISA, CISM

Clayton Dow, CPA, CISA, CIA

Geoffrey Yearwood, CISA

Page 2: Presentation - The Role of IT Audit


Agenda

Stakeholders

Auditing in General

University Audit Office

Information Technology Audit

IT Policies

The Changing Face of IT Audit

IT Controls

Page 3: Presentation - The Role of IT Audit


Stakeholders

Board of Directors

Audit Committee

Senior Management

External Audit

Internal Audit

Audit Clients

Page 4: Presentation - The Role of IT Audit


Stakeholder Roles

• Joint effort:

Board of Directors – determines and approves strategies, sets objectives, and ensures the objectives are being met.

Audit Committee – responsible for overseeing the internal control structure (operations, compliance, and financial reporting).

Senior Management – defines, develops, implements, and documents the internal control structure.

External Audit – attests to the fair statement of financial results.

Internal Audit – validates the internal control structure by analyzing the effectiveness of internal controls.

Page 5: Presentation - The Role of IT Audit


Definition of Internal Audit

Institute of Internal Auditors (IIA) Standard, effective January 2002:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Page 6: Presentation - The Role of IT Audit


University Audit Office

Page 7: Presentation - The Role of IT Audit


University Audit Office Charter

The University Audit Office exists to assist university management and the Audit Committee of the Board of Trustees in the effective discharge of their responsibilities. The University Audit Office is responsible for examining and evaluating the adequacy and effectiveness of (1) the systems of internal control and their related accounting, financial, computer, and operational policies and (2) the procedures for financial and compliance monitoring and reporting, and to make recommendations for the improvement thereof.

The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems which are in place to ensure:

reliability and integrity of information;

compliance with policies, plans, procedures, laws, and regulations;

safeguarding of assets; and

economical and efficient use of resources.

The University Audit Office shall have direct access to all university books and records necessary for the effective discharge of its responsibilities. The reporting relationships, duties, and responsibilities of the University Auditor (Audit Director) are contained in the University Bylaws Article XI.

Page 8: Presentation - The Role of IT Audit


University Audit Office Mission

The Audit Office supports the mission of the university by helping protect its assets and reputation.

We provide objective assurance and advice on behalf of the Board of Trustees and Cornell University.

We review operations and controls, provide relevant analyses, recommend improvements, and promote ethical behavior and compliance with policies and regulations.

Page 9: Presentation - The Role of IT Audit


University Audit Office Responsibilities

The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems to ensure:

Reliability and integrity of information;

Compliance with policies, plans, procedures, laws, and regulations;

Safeguarding of assets; and

Economical and efficient use of resources.

Page 10: Presentation - The Role of IT Audit


Cornell University Audit Office

Audit Committee, Board of Trustees

David J. Skorton, President

Stephen T. Golding, Executive Vice President for Finance and Administration

Michael B. Dickinson, University Auditor

Kathryn A. Tholen, Administrative Assistant

Craig R. Adams, Assistant Audit Director, Information Technology

Peter H. Pergolis, Assistant Audit Director, Weill Medical College

Pamela A. Doran, Associate Audit Director

Robert C. Beveridge, IT/Financial Senior Auditor

Jason T. Sanford, Senior Auditor

Renee M. Kenney, Senior Auditor

Geoffrey Yearwood, Senior IT Auditor

Clayton A. Dow, IT/Financial Senior Auditor

Robert P. DiPalma, IT/Financial Senior Auditor, WMC

Kevin M. Reilly, Senior Auditor, WMC

Andrea Reece, Senior Auditor, WMC

Maggie Liu, Staff Auditor

Page 11: Presentation - The Role of IT Audit


Cyclical Process of Auditing

Risk Assessment

Audit Schedule

Audit Program

Audit Tests

Analysis

Audit Results

Reporting

Budget

2-Year Cycle

Page 12: Presentation - The Role of IT Audit


Information Technology Risk Ranking Results

RANK  UNIT                                          RANKING
   1  WMC-EPIC System                               394.6
   2  Access Security Authentication/Authorization  391.3
   3  WMC-Office of Academic Computing              384.9
   4  Sponsored Programs                            375.1
   5  Systems Development Methodology               368.1
   6  OIT-Business Information Systems              364.5
   7  OIT-Network and Communications Services       359.1
   8  Wireless Network                              353.2
   9  PeopleSoft Application and Security           347.8
  10  Program, Data, & Transaction Security         343.8
  11  OIT-Distributed Learning Services and ATA     338.1
  12  Computing & Info Science                      336.0
  13  Change Control & Change Management            333.4
  14  OIT-Systems and Operations                    333.2
  15  OIT-Integration and Delivery                  328.9
  16  Oracle Database                               322.7
  17  System, User and Production Documentation     320.4
  18  Veterinary Medicine                           320.3
  19  Data Marts                                    316.0
  20  Computer Science                              312.0
  21  Network and Server Environment                310.6
  22  Network Operations Center                     308.1
  23  Johnson School of Management-Parker Center    304.3
  24  University Library                            304.1
  25  Cornell Nanoscale Facility                    293.1
  26  Software Piracy                               288.4
  27  Mainframe Security                            281.8
  28  Gannett Health Center                         277.0
  29  Adabas Database                               277.0
  30  OIT-Customer Service and Marketing            269.4
  31  CU Police                                     229.9
  32  Geneva Agricultural Experiment Station        226.4

Legend: Bold = Business Process; Blue = Institutional Concerns; Red = Senior Staff Concerns

Page 13: Presentation - The Role of IT Audit


Information Technology Audit

Page 14: Presentation - The Role of IT Audit


IT Audit Role

Advising the Audit Committee and senior management on IT internal control issues

Performing IT Risk Assessments

Performing:

 –  Institutional Risk Area Audits

 –  General Controls Audits

 –  Application Controls Audits

 –  Technical IT Controls Audits

 –  Internal Controls advisors during systems development and analysis activities.

Page 15: Presentation - The Role of IT Audit


IT Audit Process

Words that come to mind when you hear "Audit":

• Proctology

• Chinese Water Torture

• Root Canal

You may be wondering "why me?" 

Understanding the reasons for an audit and the process involved can help alleviate your fears.

The audit process is generally a ten-step procedure:

1. Notification & Request for Preliminary Information

2. Planning

3. Opening Meeting

4. Fieldwork 

5. Communication

6. Draft Report

7. Management Responses

8. Closing Meeting

9. Report Distribution

10. Follow-up


Page 16: Presentation - The Role of IT Audit


IT – General Controls

IT Controls

General Controls

IT Concerns and Issues

Disaster Recovery

• Business Resumption Plans

• BRP Testing

• Alternate Processing

Physical Security

• Physical Access

• HVAC

• Fire Protection

• UPS

Backup/Contingency Planning

• Data Backups

• Restore Procedures

• Offsite Storage

Change Management

• Program Change Controls

• Tracking

• Change Approvals


Page 17: Presentation - The Role of IT Audit


IT – Application Controls

IT Controls

Application Controls

IT Concerns and Issues

Output Controls

• Reconciliation

• Distribution

• Access

Processing Controls

• Audit Trails

• Interface Controls

• Control Totals

Access Controls

• User-IDs/Passwords

• Data Security

• Network Security

• Security Administration

• Access Authorization

General Controls

Input Controls

• Data Entry Controls

• System Edits

• Segregation of Duties

• Transaction Authorization
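The application controls listed on this slide are named but not illustrated. The following example, added here and not part of the original presentation, shows three of them as an auditor might test them over a constructed batch of transactions crossing a system interface: a control-total reconciliation (processing/interface control), field-level system edits (input control), and a segregation-of-duties check that the person entering a transaction did not also approve it (input control). The record layout, the trailer format, the names and the amounts are all made up for this illustration.

```python
"""Worked example (added here; not from the original slides): three of the
application controls named above, checked over a constructed batch of
transactions passed across a system interface.

Assumptions: the record layout, the control-total trailer format and the
sample data are all made up for this illustration."""

from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    txn_id: str
    amount: Decimal
    account: str
    entered_by: str
    approved_by: str


# Constructed sample batch: what the receiving system actually got.
RECEIVED = [
    Txn("T001", Decimal("1250.00"), "4100", "alice", "bob"),
    Txn("T002", Decimal("89.99"), "4100", "carol", "carol"),   # SoD violation
    Txn("T003", Decimal("-40.00"), "6200", "alice", "dave"),   # fails system edit
    Txn("T004", Decimal("3100.50"), "", "erin", "bob"),        # missing account
]

# Constructed control-total trailer sent by the source system. It claims
# five records, so one record (1250.00) was lost between the two systems.
SENT_TRAILER = {"record_count": 5, "hash_total": Decimal("5650.49")}


def control_totals(batch):
    """Processing control: recompute record count and hash total of amounts."""
    return {
        "record_count": len(batch),
        "hash_total": sum((t.amount for t in batch), Decimal("0")),
    }


def reconcile_interface(batch, trailer):
    """Interface control: compare recomputed totals with the sender's trailer.
    Returns a list of discrepancies (empty means the batch balances)."""
    got = control_totals(batch)
    return [
        f"{k}: sent {trailer[k]}, received {got[k]}"
        for k in ("record_count", "hash_total")
        if trailer[k] != got[k]
    ]


def system_edits(txn):
    """Input control: field-level edits a transaction must pass on entry."""
    problems = []
    if txn.amount <= 0:
        problems.append("amount must be positive")
    if not txn.account:
        problems.append("account is required")
    return problems


def sod_violations(batch):
    """Input control: the person who entered a transaction must not approve it."""
    return [t.txn_id for t in batch if t.entered_by == t.approved_by]


def audit_batch(batch, trailer):
    """Run all checks and return findings keyed by control, the way an
    auditor's working paper would list exceptions."""
    return {
        "interface": reconcile_interface(batch, trailer),
        "edits": {t.txn_id: p for t in batch if (p := system_edits(t))},
        "segregation_of_duties": sod_violations(batch),
    }


if __name__ == "__main__":
    for control, findings in audit_batch(RECEIVED, SENT_TRAILER).items():
        print(f"{control}: {findings or 'no exceptions'}")
```

The hash total is deliberately a sum of amounts rather than a count alone: a record count catches a dropped record, but only a value total catches a record that arrived with its amount altered. In practice the sender's trailer and the receiver's recomputation should be produced by different systems or people, which is itself a segregation-of-duties point.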

Page 18: Presentation - The Role of IT Audit


IT Policies

Page 19: Presentation - The Role of IT Audit


Cornell University IT Policies

Interim Policies:

 –  Authentication of IT Resources 

 –  Privacy of the Network 

Established Policies: In the University Library of Policies, information technologies occupies Volume 5.

 –  Abuse of Computers and Network Systems, June 1990

 –  Policy 5.1 Responsible Use of Electronic Communications, October 1995

 –  Policy 5.2 Mass Electronic Mailing, January 2003

 –  Policy 5.3 Use of Escrowed Encryption Keys, January 2003

 –  Policy 5.4.1 Security of Information Technology Resources, June 2004

 –  Policy 5.4.2 Reporting Electronic Security Incidents, June 2004

 –  Policy 5.5 Stewardship and Custodianship of Electronic Mail, Feb. 2005

 –  Policy 5.6 Recording and Registration of Domain Names, April 2004

 –  Policy 5.7 Network Registry, June 2004

Related Policy: 

 –  Policy 4.12 Data Stewardship and Custodianship, May 2003

Page 20: Presentation - The Role of IT Audit


The Changing Face of IT Audit

Page 21: Presentation - The Role of IT Audit


The Changing Role of the IT Auditor

IT Audit plays a major role in development of the IT Governance framework.

Moving away from a policing role into a specialist role in the areas of risks and control.

Adding value at strategic and operational levels through the provision of business risk-focused advice and assurance.

Legislation is having a profound impact on IT Auditing (SOx, GLBA, HIPAA, FERPA, Privacy Notification Regulations …).

The continuously changing technology environment brings new risks (e.g. cyber security, wireless …).

Page 22: Presentation - The Role of IT Audit


Emerging & Prevalent IT Audit Issues

Inadequate or Lack of Management Oversight

Poor Segregation of Duties

Inadequate or Lack of Supporting Documentation

No Business Continuity/Disaster Recovery Plan

Change Management

Data Security

Data Loss Incidents


Page 23: Presentation - The Role of IT Audit


What can you do to prepare for an IT Audit?

Read all relevant University IT Policies

Perform a risk assessment

Know your IT vulnerabilities

Identify the internal controls that would mitigate inherent risk

Document your business processes, systems, policies and procedures

Keep Current on the Laws and Regulations

Call the Audit Office for advice

Page 24: Presentation - The Role of IT Audit


IT Controls

Page 25: Presentation - The Role of IT Audit


Understanding IT Controls

A top-down approach is used when considering IT controls.

Page 26: Presentation - The Role of IT Audit


Understanding IT Controls

IT control is a process that provides assurance for information and information services, and helps to mitigate risks associated with the use of technology.

Page 27: Presentation - The Role of IT Audit


Importance of IT Controls

Needs for IT controls, such as:

 –  controlling cost

 –  protecting information assets

 –  complying with laws and regulations

Implementing effective IT controls will improve efficiency, reliability, and flexibility.

Page 28: Presentation - The Role of IT Audit


Roles and Responsibilities

Board of Directors / Governing Body

Management – define, approve, implement IT controls

Auditor 

Page 29: Presentation - The Role of IT Audit


Based On Risk

Analyzing Risk

 –  Identify and prioritize risks

 –  Consider risk in determining the adequacy of IT controls

 –  Define risk mitigation strategy – accept / mitigate / share

Page 30: Presentation - The Role of IT Audit


Monitoring

Monitoring IT Controls

 –  Ongoing monitoring / special review / automated continuous auditing

Page 31: Presentation - The Role of IT Audit


Assessment

Assessing IT controls is an

ongoing process

Technology continues to

advance

New vulnerabilities emerge


Page 32: Presentation - The Role of IT Audit


How can I determine if the Internal Controls in my area are adequate?

The central theme of internal control is (1) to identify risks to the achievement of the organization's objectives, and (2) to do what is necessary to manage these risks.

1. Identify the business objectives of your area.

2. Identify the risks that could prevent your department from achieving these objectives.

3. Identify the controls that will manage the risks identified above.

4. Implement the controls that were identified which minimize risk in a cost-effective manner.

5. Periodically review objectives and controls to determine if they still apply.

Page 33: Presentation - The Role of IT Audit


A car has brakes to allow it to go faster…

Page 34: Presentation - The Role of IT Audit


University Audit Office

Contact Information

Phone: 255-9300

email: [email protected]

Web Page: http://audit.cornell.edu/