
The Role of IT Audit At Cornell University

Presented by: Craig Adams, CISA, CISM
Clayton Dow, CPA, CISA, CIA
Geoffrey Yearwood, CISA

Agenda
Stakeholders
Auditing in General
University Audit Office
Information Technology Audit
IT Policies
The Changing Face of IT Audit
IT Controls

February 14, 2007

Stakeholders
Board of Directors
Audit Committee
Senior Management
External Audit
Internal Audit
Audit Clients


Stakeholder Roles
Joint effort:
Board of Directors determines and approves strategies, sets objectives and ensures the objectives are being met.
Audit Committee is responsible for overseeing the internal control structure (operations, compliance, and financial reporting).
Senior Management defines, develops, implements, and documents the internal control structure.
External Audit attests to the fair statement of financial results.
Internal Audit validates the internal control structure by analyzing the effectiveness of internal controls.


Definition of Internal Audit

Institute of Internal Auditors (IIA) Standard, effective January 2002: Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.


University Audit Office


University Audit Office Charter

The University Audit Office exists to assist university management and the Audit Committee of the Board of Trustees in the effective discharge of their responsibilities. The University Audit Office is responsible for examining and evaluating the adequacy and effectiveness of (1) the systems of internal control and their related accounting, financial, computer, and operational policies and (2) the procedures for financial and compliance monitoring and reporting, and for making recommendations for the improvement thereof. The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems which are in place to ensure:

  reliability and integrity of information;
  compliance with policies, plans, procedures, laws, and regulations;
  safeguarding of assets; and
  economical and efficient use of resources.

The University Audit Office shall have direct access to all university books and records necessary for the effective discharge of its responsibilities. The reporting relationships, duties, and responsibilities of the University Auditor (Audit Director) are contained in the University Bylaws, Article XI.


University Audit Office Mission


The Audit Office supports the mission of the university by helping protect its assets and reputation. We provide objective assurance and advice on behalf of the Board of Trustees and Cornell University. We review operations and controls, provide relevant analyses, recommend improvements, and promote ethical behavior and compliance with policies and regulations.


University Audit Office Responsibilities

The scope of the University Audit Office's responsibilities includes examining and evaluating the policies, procedures, and systems to ensure:
  Reliability and integrity of information;
  Compliance with policies, plans, procedures, laws, and regulations;
  Safeguarding of assets; and
  Economical and efficient use of resources.


Cornell University Audit Office

Organization chart (names and titles):
David J. Skorton, President
Stephen T. Golding, Executive Vice President for Finance and Administration
Audit Committee, Board of Trustees
Michael B. Dickinson, University Auditor
Kathryn A. Tholen, Administrative Assistant
Pamela A. Doran, Associate Audit Director
Craig R. Adams, Assistant Audit Director, Information Technology
Peter H. Pergolis, Assistant Audit Director, Weill Medical College
Jason T. Sanford, Senior Auditor
Robert C. Beveridge, IT/Financial Senior Auditor
Clayton A. Dow, IT/Financial Senior Auditor
Geoffrey Yearwood, Senior IT Auditor
Robert P. DiPalma, IT/Financial Senior Auditor, WMC
Kevin M. Reilly, Senior Auditor, WMC
Renee M. Kenney, Senior Auditor
Andrea Reece, Senior Auditor, WMC
Maggie Liu, Staff Auditor


Cyclical Process of Auditing

Figure: the audit cycle, repeated on a 2-year cycle, with the stages Risk Assessment, Audit Schedule, Budget, Audit Program, Audit Tests, Analysis, Audit Results, and Reporting.


Information Technology Risk Ranking Results

Rank  Unit                                             Ranking
1     WMC-EPIC System                                  394.6
2     Access Security Authentication/Authorization     391.3
3     WMC-Office of Academic Computing                 384.9
4     Sponsored Programs                               375.1
5     Systems Development Methodology                  368.1
6     OIT-Business Information Systems                 364.5
7     OIT-Network and Communications Services          359.1
8     Wireless Network                                 353.2
9     PeopleSoft Application and Security              347.8
10    Program, Data, & Transaction Security            343.8
11    OIT-Distributed Learning Services and ATA        338.1
12    Computing & Info Science                         336.0
13    Change Control & Change Management               333.4
14    OIT-Systems and Operations                       333.2
15    OIT-Integration and Delivery                     328.9
16    Oracle Database                                  322.7
17    System, User and Production Documentation        320.4
18    Veterinary Medicine                              320.3
19    Data Marts                                       316.0
20    Computer Science                                 312.0
21    Network and Server Environment                   310.6
22    Network Operations Center                        308.1
23    Johnson School of Management-Parker Center       304.3
24    University Library                               304.1
25    Cornell Nanoscale Facility                       293.1
26    Software Piracy                                  288.4
27    Mainframe Security                               281.8
28    Gannett Health Center                            277.0
29    Adabas Database                                  277.0
30    OIT-Customer Service and Marketing               269.4
31    CU Police                                        229.9
32    Geneva Agricultural Experiment Station           226.4

Legend: Bold = Business Process; Blue = Institutional Concerns; Red = Senior Staff Concerns


Information Technology Audit


IT Audit Role
Advising the Audit Committee and senior management on IT internal control issues
Performing IT Risk Assessments
Performing:
  Institutional Risk Area Audits
  General Controls Audits
  Application Controls Audits
  Technical IT Controls Audits
Internal Controls advisors during systems development and analysis activities

IT Audit Process
Words that come to mind when you hear "Audit":
Proctology, Chinese Water Torture, Root Canal

You may be wondering "why me?" Understanding the reasons for an audit and the process involved can help alleviate your fears. The audit process is generally a ten-step procedure:
1. Notification & Request for Preliminary Information
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Draft Report
7. Management Responses
8. Closing Meeting
9. Report Distribution
10. Follow-up


IT Concerns and Issues: IT General Controls

IT Controls
  General Controls

Physical Security
  Physical Access
  HVAC
  Fire Protection
  UPS

Backup/Contingency Planning
  Data Backups
  Restore Procedures
  Offsite Storage

Change Management
  Program Change Controls
  Tracking
  Change Approvals

Disaster Recovery
  Business Resumption Plans
  BRP Testing
  Alternate Processing


IT Concerns and Issues: IT Application Controls

IT Controls
  General Controls
  Application Controls

Input Controls
  Data Entry Controls
  System Edits
  Segregation of Duties
  Transaction Authorization

Access Controls
  User-IDs/Passwords
  Data Security
  Network Security
  Security Administration
  Access Authorization

Processing Controls
  Audit Trails
  Interface Controls
  Control Totals

Output Controls
  Reconciliation
  Distribution
  Access
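The application controls listed on this slide (system edits, segregation of duties, interface control totals, audit trails, output reconciliation) are easier to recognize in a system when seen together in one posting routine. The following is an added example and is not code from the Cornell slides or the University Audit Office; the record layout, the function names (edit_checks, authorized, header_matches, post_batch), the chart of accounts and the sample batch are all constructed for illustration.

```python
"""Application controls applied to a constructed batch of journal transactions.
Added example, not from the Cornell slides; names and data are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts used by the system edits.
VALID_ACCOUNTS = {"1000", "2000", "4100"}


def _amount(tx: dict):
    """Parse the amount field; None signals a non-numeric value."""
    try:
        return Decimal(str(tx.get("amount")))
    except (InvalidOperation, ValueError, TypeError):
        return None


def edit_checks(tx: dict) -> list:
    """Input control (system edits): return the edit failures for one record."""
    errors = []
    if tx.get("account") not in VALID_ACCOUNTS:
        errors.append("unknown account")
    amount = _amount(tx)
    if amount is None:
        errors.append("amount not numeric")
    elif amount <= 0:
        errors.append("amount must be positive")
    if not tx.get("entered_by"):
        errors.append("missing preparer id")
    return errors


def authorized(tx: dict, approver: str) -> bool:
    """Segregation of duties: the preparer may not approve their own entry."""
    return bool(approver) and approver != tx.get("entered_by")


def _total(records) -> Decimal:
    """Control total over the amount field (non-numeric amounts count as zero)."""
    return sum((_amount(t) or Decimal("0") for t in records), Decimal("0"))


def header_matches(batch: list, header_count: int, header_total: Decimal) -> bool:
    """Interface control: batch header count and control total must agree with the detail."""
    return len(batch) == header_count and _total(batch) == header_total


@dataclass
class BatchResult:
    posted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)  # one entry per transaction
    posted_total: Decimal = Decimal("0")
    rejected_total: Decimal = Decimal("0")
    reconciled: bool = False  # output control: posted + rejected == header total


def post_batch(batch: list, header_count: int, header_total: Decimal, approver: str) -> BatchResult:
    """Run the controls over a batch; return what was posted, rejected and logged."""
    if not header_matches(batch, header_count, header_total):
        raise ValueError("interface control failed: header does not match detail records")
    result = BatchResult()
    for tx in batch:
        reasons = edit_checks(tx)
        if not reasons and not authorized(tx, approver):
            reasons.append("preparer cannot approve own entry")
        status = "posted" if not reasons else "rejected"
        # Audit trail: who entered and approved what, when, and why it was rejected.
        result.audit_trail.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "tx_id": tx.get("id"),
            "entered_by": tx.get("entered_by"),
            "approver": approver,
            "status": status,
            "reasons": reasons,
        })
        (result.posted if status == "posted" else result.rejected).append(tx)
    result.posted_total = _total(result.posted)
    result.rejected_total = _total(result.rejected)
    # Output reconciliation: every input amount is accounted for as posted or rejected.
    result.reconciled = result.posted_total + result.rejected_total == header_total
    return result


# Constructed sample batch: two clean records and two that should fail the edits.
SAMPLE_BATCH = [
    {"id": "T1", "account": "1000", "amount": "250.00", "entered_by": "alice"},
    {"id": "T2", "account": "9999", "amount": "40.00", "entered_by": "alice"},
    {"id": "T3", "account": "2000", "amount": "-5", "entered_by": "bob"},
    {"id": "T4", "account": "4100", "amount": "100.00", "entered_by": "bob"},
]
SAMPLE_COUNT = 4
SAMPLE_TOTAL = Decimal("385.00")  # 250 + 40 - 5 + 100, as carried in the batch header

if __name__ == "__main__":
    r = post_batch(SAMPLE_BATCH, SAMPLE_COUNT, SAMPLE_TOTAL, approver="carol")
    for entry in r.audit_trail:
        print(entry["tx_id"], entry["status"], entry["reasons"])
    print("posted", r.posted_total, "rejected", r.rejected_total, "reconciled", r.reconciled)
```

Each control maps to an auditable artifact: the header check refuses a batch whose count or total disagrees with its detail, the edits and the preparer/approver rule produce a reason for every rejection, the audit trail records the decision, and the final reconciliation shows that posted plus rejected amounts equal the input total. Running the same batch with approver "alice" rejects T1 as a segregation-of-duties failure while the reconciliation still balances.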

IT Policies


Cornell University IT Policies

Interim Policies:
  Authentication of IT Resources
  Privacy of the Network

Established Policies: In the University Library of Policies, information technologies occupies Volume 5.
  Abuse of Computers and Network Systems, June 1990
  Policy 5.1 Responsible Use of Electronic Communications, October 1995
  Policy 5.2 Mass Electronic Mailing, January 2003
  Policy 5.3 Use of Escrowed Encryption Keys, January 2003
  Policy 5.4.1 Security of Information Technology Resources, June 2004
  Policy 5.4.2 Reporting Electronic Security Incidents, June 2004
  Policy 5.5 Stewardship and Custodianship of Electronic Mail, Feb. 2005
  Policy 5.6 Recording and Registration of Domain Names, April 2004
  Policy 5.7 Network Registry, June 2004

Related Policy:
  Policy 4.12 Data Stewardship and Custodianship, May 2003

The Changing Face of IT Audit


The Changing Role of the IT Auditor

IT Audit plays a major role in the development of the IT Governance framework
Moving away from a policing role into a specialist role in the areas of risk and control
Adding value at strategic and operational levels through the provision of business risk-focused advice and assurance
Legislation is having a profound impact on IT Auditing (SOx, GLBA, HIPAA, FERPA, privacy notification regulations)
The continuously changing technology environment brings new risks (e.g., cyber security, wireless)


Emerging & Prevalent IT Audit Issues

Inadequate or Lack of Management Oversight
Poor Segregation of Duties
Inadequate or Lack of Supporting Documentation
No Business Continuity/Disaster Recovery Plan
Change Management
Data Security
Data Loss Incidents


What can you do to prepare for an IT Audit?

Read all relevant University IT Policies
Perform a risk assessment
Know your IT vulnerabilities
Identify the internal controls that would mitigate inherent risk
Document your business processes, systems, policies and procedures
Keep current on the laws and regulations
Call the Audit Office for advice


IT Controls


Understanding IT Controls
A top-down approach is used when considering IT controls.


Understanding IT Controls
IT control is a process that provides assurance for information and information services, and helps to mitigate the risks associated with the use of technology.


Importance of IT Controls
Needs for IT controls, such as:
  Controlling cost
  Protecting information assets
  Complying with laws and regulations
Implementing effective IT controls will improve efficiency, reliability, and flexibility.


Roles and Responsibilities

Board of Directors / Governing Body
Management: define, approve, implement IT controls
Auditor


Based On Risk
Analyzing Risk
Identify and prioritize risks
Consider risk in determining the adequacy of IT controls
Define risk mitigation strategy: accept/mitigate/share


Monitoring
Monitoring IT Controls
Ongoing monitoring / special review / automated continuous auditing


Assessment
Assessing IT controls is an ongoing process
Technology continues to advance
New vulnerabilities emerge


How can I determine if the Internal Controls in my area are adequate?

The central theme of internal control is (1) to identify risks to the achievement of the organization's objectives, and (2) to do what is necessary to manage these risks.
1. Identify the business objectives of your area.
2. Identify the risks that could prevent your department from achieving these objectives.
3. Identify the controls that will manage the risks identified above.
4. Implement the controls that were identified which minimize risk in a cost-effective manner.
5. Periodically review objectives and controls to determine if they still apply.

A car has brakes to allow it to go faster


University Audit Office Contact Information

Phone: 255-9300
Email: audit@cornell.edu
Web Page: http://audit.cornell.edu/

