The Role of IT Audit at Cornell University

Presented by:
   Craig Adams, CISA, CISM
   Clayton Dow, CPA, CISA, CIA
   Geoffrey Yearwood, CISA

Agenda
   • Stakeholders
   • Auditing in General
   • University Audit Office
   • Information Technology Audit
   • IT Policies
   • The Changing Face of IT Audit
   • IT Controls

February 14, 2007

Stakeholders
   • Board of Directors
   • Audit Committee
   • Senior Management
   • External Audit
   • Internal Audit
   • Audit Clients
Stakeholder Roles
• Joint effort:
   • Board of Directors – determines and approves strategies, sets
     objectives, and ensures the objectives are being met.
   • Audit Committee – responsible for overseeing the internal control
     structure (operations, compliance, and financial reporting).
   • Senior Management – defines, develops, implements, and
     documents the internal control structure.
   • External Audit – attests to the fair statement of financial results.
   • Internal Audit – validates the internal control structure by
     analyzing the effectiveness of internal controls.
    Definition of Internal Audit

         Institute of Internal Auditors (IIA) Standard
                     effective January 2002

Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization’s operations. It
helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.

       University Audit Office

University Audit Office Charter
The University Audit Office exists to assist university management and the Audit Committee
of the Board of Trustees in the effective discharge of their responsibilities. The University
Audit Office is responsible for examining and evaluating the adequacy and effectiveness of
(1) the systems of internal control and their related accounting, financial, computer, and
operational policies and (2) the procedures for financial and compliance monitoring and
reporting, and for making recommendations for the improvement thereof.

The scope of the University Audit Office's responsibilities includes examining and evaluating
the policies, procedures, and systems which are in place to ensure:

   • reliability and integrity of information;
   • compliance with policies, plans, procedures, laws, and regulations;
   • safeguarding of assets; and
   • economical and efficient use of resources.

The University Audit Office shall have direct access to all university books and records
necessary for the effective discharge of its responsibilities. The reporting relationships,
duties, and responsibilities of the University Auditor (Audit Director) are contained in the
University Bylaws, Article XI.
University Audit Office Mission
   • The Audit Office supports the mission of the
     university by helping protect its assets and
   • We provide objective assurance and advice
     on behalf of the Board of Trustees and
     Cornell University.
   • We review operations and controls, provide
     relevant analyses, recommend
     improvements, and promote ethical behavior
     and compliance with policies and
University Audit Office Responsibilities

The scope of the University Audit Office's responsibilities
includes examining and evaluating the policies,
procedures, and systems to ensure:

   • Reliability and integrity of information;
   • Compliance with policies, plans, procedures, laws,
     and regulations;
   • Safeguarding of assets; and
   • Economical and efficient use of resources.
Cornell University Audit Office (organization chart, flattened from the slide; reporting lines are not reproduced)

   David J. Skorton, President
   Audit Committee, Board of Trustees
   Stephen T. Golding, Executive Vice President for Finance and Administration
   Michael B. Dickinson, University Auditor
   Kathryn A. Tholen

   Pamela A. Doran, Associate Audit Director
   Craig R. Adams, Assistant Audit Director, Information Technology
   Peter H. Pergolis, Assistant Audit Director, Weill Medical College

   Robert C. Beveridge, IT/Financial Senior Auditor
   Clayton A. Dow, IT/Financial Senior Auditor
   Geoffrey Yearwood, Senior IT Auditor
   Robert P. DiPalma, IT/Financial Senior Auditor, WMC
   Kevin M. Reilly, Senior Auditor, WMC
   Jason T. Sanford, Senior Auditor
   Renee M. Kenney, Senior Auditor
   Andrea Reece, Senior Auditor
   Maggie Liu, Staff Auditor
Cyclical Process of Auditing

   Risk Assessment → Audit Schedule (2 Year) → Budget → Audit Program → Audit Tests → Audit Results → (back to) Risk Assessment
Information Technology Risk Ranking Results

Rank  Unit                                              Ranking
  1   WMC-EPIC System                                     394.6
  2   Access Security Authentication/Authorization        391.3
  3   WMC-Office of Academic Computing                    384.9
  4   Sponsored Programs                                  375.1
  5   Systems Development Methodology                     368.1
  6   OIT-Business Information Systems                    364.5
  7   OIT-Network and Communications Services             359.1
  8   Wireless Network                                    353.2
  9   PeopleSoft Application and Security                 347.8
 10   Program, Data, & Transaction Security               343.8
 11   OIT-Distributed Learning Services and ATA           338.1
 12   Computing & Info Science                            336.0
 13   Change Control & Change Management                  333.4
 14   OIT-Systems and Operations                          333.2
 15   OIT-Integration and Delivery                        328.9
 16   Oracle Database                                     322.7
 17   System, User and Production Documentation           320.4
 18   Veterinary Medicine                                 320.3
 19   Data Marts                                          316.0
 20   Computer Science                                    312.0
 21   Network and Server Environment                      310.6
 22   Network Operations Center                           308.1
 23   Johnson School of Management-Parker Center          304.3
 24   University Library                                  304.1
 25   Cornell Nanoscale Facility                          293.1
 26   Software Piracy                                     288.4
 27   Mainframe Security                                  281.8
 28   Gannett Health Center                               277.0
 29   Adabas Database                                     277.0
 30   OIT-Customer Service and Marketing                  269.4
 31   CU Police                                           229.9
 32   Geneva Agricultural Experiment Station              226.4

Legend (color coding on the original slide, not reproduced in this text):
   Bold = Business Process; Blue = Institutional Concerns; Red = Senior Staff Concerns
Information Technology Audit

IT Audit Role
   • Advising the Audit Committee and senior
     management on IT internal control issues
   • Performing IT Risk Assessments
   • Performing:
      – Institutional Risk Area Audits
      – General Controls Audits
      – Application Controls Audits
      – Technical IT Controls Audits
      – Internal Controls advisory during systems
        development and analysis activities
IT Audit Process
   • Words that come to mind when you hear "Audit":
      • Proctology
      • Chinese Water Torture
      • Root Canal
   • You may be wondering "why me?"
   • Understanding the reasons for an audit and the process
     involved can help alleviate your fears.
   • The audit process is generally a ten-step procedure:
      1. Notification & Request for Preliminary Information
      2. Planning
      3. Opening Meeting
      4. Fieldwork
      5. Communication
      6. Draft Report
      7. Management Responses
      8. Closing Meeting
      9. Report Distribution
      10. Follow-up
IT Concerns and Issues: IT General Controls

   • Physical Security
      • Physical Access
      • HVAC
      • Fire Protection
      • UPS
   • Backup/Contingency Planning
      • Data Backups
      • Restore Procedures
      • Offsite Storage
   • Change Management
      • Program Change Controls
      • Tracking
      • Change Approvals
   • Disaster Recovery
      • Business Resumption Plans
      • BRP Testing
      • Alternate Processing
IT Concerns and Issues: IT Application Controls

   • Input Controls
      • Data Entry Controls
      • System Edits
      • Segregation of Duties
      • Transaction Authorization
   • Processing Controls
      • Audit Trails
      • Interface Controls
      • Control Totals
   • Output Controls
      • Reconciliation
      • Distribution
      • Access
   • Access Controls
      • User-IDs/Passwords
      • Data Security
      • Network Security
      • Security Administration
      • Access Authorization
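Several of the application controls listed above are easiest to understand in working code: system edits on input, transaction authorization with a segregation-of-duties check, control totals reconciled against an interface trailer, and a tamper-evident audit trail. The Python below is an added example written for this page; it is not code from the Cornell University Audit Office or from any Cornell system. The feeder-system file, its trailer record, the chart of accounts, and the rejection rules are all constructed for illustration; the hash-chained trail goes a little beyond the slide's "Audit Trails" bullet to show how a trail can detect its own alteration.

```python
"""Batch-interface application controls (added example, not Cornell's code)."""
import csv
import hashlib
import io
import json
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample: an interface file from a hypothetical feeder system.
# Record 1003's amount was corrupted in transit ("O" instead of "0"),
# 1004 was approved by the same person who entered it, and 1005 posts
# to an account that is not in the (constructed) chart of accounts.
SAMPLE_FILE = """\
txn_id,account,amount,entered_by,approved_by
1001,4100-200,125.00,alice,bob
1002,4100-200,-40.00,alice,bob
1003,4100-201,75.5O,carol,dave
1004,4100-201,60.00,erin,erin
1005,4100-999,200.00,frank,bob
"""
# Trailer the sender computed over the five records as it sent them.
SAMPLE_TRAILER = {"record_count": 5, "hash_total": Decimal("420.50")}
CHART_OF_ACCOUNTS = {"4100-200", "4100-201"}


@dataclass
class BatchResult:
    received_count: int = 0
    received_total: Decimal = Decimal("0")          # sum of every parseable amount received
    accepted: list = field(default_factory=list)    # records that passed all edits
    rejected: dict = field(default_factory=dict)    # txn_id -> list of rejection reasons
    trail: list = field(default_factory=list)       # hash-chained audit trail entries

    def in_balance(self, trailer):
        """Control-total reconciliation: what we received vs. what the sender says it sent."""
        return (self.received_count == trailer["record_count"]
                and self.received_total == trailer["hash_total"])

    def accepted_total(self):
        return sum((r["amount"] for r in self.accepted), Decimal("0"))


def _log(trail, txn_id, action, detail):
    """Append an audit-trail entry whose hash covers the previous entry's hash."""
    prev = trail[-1]["hash"] if trail else "0" * 64
    body = {"seq": len(trail), "txn_id": txn_id, "action": action,
            "detail": detail, "prev": prev}
    body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    trail.append(body)


def verify_trail(trail):
    """Re-derive every hash; an edited, inserted or deleted entry breaks the chain."""
    prev = "0" * 64
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or body["seq"] != i:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def edit_checks(rec, chart):
    """System edits plus authorization checks for one record; returns the reasons it fails."""
    reasons = []
    try:
        rec["amount"] = Decimal(rec["amount"])       # numeric edit
    except InvalidOperation:
        reasons.append("amount not numeric")
    if rec["account"] not in chart:                  # validity edit against master data
        reasons.append("unknown account")
    if not rec["approved_by"]:                       # transaction authorization
        reasons.append("missing approval")
    elif rec["approved_by"] == rec["entered_by"]:    # segregation of duties
        reasons.append("segregation of duties: self-approval")
    return reasons


def process_batch(text, trailer, chart):
    result = BatchResult()
    for rec in csv.DictReader(io.StringIO(text)):
        result.received_count += 1
        reasons = edit_checks(rec, chart)
        if isinstance(rec["amount"], Decimal):       # count rejected-but-numeric records too
            result.received_total += rec["amount"]
        if reasons:
            result.rejected[rec["txn_id"]] = reasons
            _log(result.trail, rec["txn_id"], "reject", "; ".join(reasons))
        else:
            result.accepted.append(rec)
            _log(result.trail, rec["txn_id"], "accept", str(rec["amount"]))
    status = "in balance" if result.in_balance(trailer) else (
        f"OUT OF BALANCE: count {result.received_count}/{trailer['record_count']}, "
        f"total {result.received_total}/{trailer['hash_total']}")
    _log(result.trail, None, "reconcile", status)
    return result


if __name__ == "__main__":
    r = process_batch(SAMPLE_FILE, SAMPLE_TRAILER, CHART_OF_ACCOUNTS)
    print(r.trail[-1]["detail"])
    for txn, why in r.rejected.items():
        print(txn, why)
    print("accepted total", r.accepted_total(), "trail intact", verify_trail(r.trail))
```

The two layers do different jobs, which is the point an auditor looks for: the control total catches the corrupted record even though it also fails an edit, because the batch does not balance to the sender's trailer, while the per-record edits and the self-approval rule reject records that transmitted perfectly but are not valid business transactions. Rejected records still count toward the received total, so accepted plus rejected reconciles to what was received.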
                    IT Policies

Cornell University IT Policies
   • Interim Policies:
      – Authentication of IT Resources
      – Privacy of the Network
   • Established Policies: In the University Library of Policies, information
     technology occupies Volume 5.
      – Abuse of Computers and Network Systems, June 1990
      – Policy 5.1 Responsible Use of Electronic Communications, October 1995
      – Policy 5.2 Mass Electronic Mailing, January 2003
      – Policy 5.3 Use of Escrowed Encryption Keys, January 2003
      – Policy 5.4.1 Security of Information Technology Resources, June 2004
      – Policy 5.4.2 Reporting Electronic Security Incidents, June 2004
      – Policy 5.5 Stewardship and Custodianship of Electronic Mail, Feb. 2005
      – Policy 5.6 Recording and Registration of Domain Names, April 2004
      – Policy 5.7 Network Registry, June 2004
   • Related Policy:
      – Policy 4.12 Data Stewardship and Custodianship, May 2003
The Changing Face of IT Audit
The Changing Role of the IT Auditor

   • IT Audit plays a major role in the development of the IT
     Governance framework
   • Moving away from a policing role into a specialist role in
     the areas of risk and control
   • Adding value at strategic and operational levels through
     the provision of business risk-focused advice and
   • Legislation is having a profound impact on IT Auditing
     (SOx, GLBA, HIPAA, FERPA, Privacy Notification
     Regulations …)
   • The continuously changing technology environment brings
     new risks (e.g. cyber security, wireless …)
Emerging & Prevalent IT Audit Issues

   • Inadequate or Lack of Management Oversight
   • Poor Segregation of Duties
   • Inadequate or Lack of Supporting Documentation
   • No Business Continuity/Disaster Recovery Plan
   • Change Management
   • Data Security
   • Data Loss Incidents
What can you do to prepare for an IT Audit?
   • Read all relevant University IT Policies
   • Perform a risk assessment
   • Know your IT vulnerabilities
   • Identify the internal controls that would
     mitigate inherent risk
   • Document your business processes, systems,
     policies and procedures
   • Keep current on the laws and regulations
   • Call the Audit Office for advice
                    IT Controls

Understanding IT Controls

   • A top-down approach is
     used when considering
     IT controls.

Understanding IT Controls
   • IT control is a process that
     provides assurance for
     information and information
     services, and helps to mitigate
     risks associated with use of
Importance of IT Controls
   • Needs for IT controls, such as
      – controlling cost
      – protecting information assets
      – complying with laws and
   • Implementing effective IT
     controls will improve efficiency,
     reliability, and flexibility.
Roles and Responsibilities
   • Board of Directors / Governing
   • Management – define, approve,
     implement IT controls
   • Auditor
Based On Risk
   • Analyzing Risk
      – Identify and prioritize risks
      – Consider risk in
        determining the adequacy
        of IT controls
      – Define risk mitigation
        strategy – accept/mitigate/

   • Monitoring IT Controls
      – Ongoing monitoring/special
        continuous auditing

   • Assessing IT controls is an
     ongoing process
   • Technology continues to
   • New vulnerabilities emerge
How can I determine if the Internal Controls in my area are adequate?
The central theme of internal control is (1) to identify
risks to the achievement of the organization's
objectives, and (2) to do what is necessary to manage
these risks.
   1. Identify the business objectives of your area.
   2. Identify the risks that could prevent your department
      from achieving these objectives.
   3. Identify the controls that will manage the risks
      identified above.
   4. Implement the controls that were identified which
      minimize risk in a cost-effective manner.
   5. Periodically review objectives and controls to determine
      if they still apply.
             A car has brakes
         to allow it to go faster…

University Audit Office Contact Information

Phone:      255-9300
Web Page: