Clayton Dow, Geoffrey Yearwood
Agenda
- Stakeholders
- Auditing in General
- University Audit Office
- Information Technology Audit
- IT Policies
- The Changing Face of IT Audit
- IT Controls
Stakeholders
- Board of Directors
- Audit Committee
- Senior Management
- External Audit
- Internal Audit
- Audit Clients
Stakeholder Roles

Joint effort:
- Board of Directors: determines and approves strategies, sets objectives, and ensures the objectives are being met.
- Audit Committee: responsible for overseeing the internal control structure (operations, compliance, and financial reporting).
- Senior Management: defines, develops, implements, and documents the internal control structure.
- External Audit: attests to the fair statement of financial results.
- Internal Audit: validates the internal control structure by analyzing the effectiveness of internal controls over the:
  - reliability and integrity of information;
  - compliance with policies, plans, procedures, laws, and regulations;
  - safeguarding of assets; and
  - economical and efficient use of resources.
The University Audit Office shall have direct access to all university books and records necessary for the effective discharge of its responsibilities. The reporting relationships, duties, and responsibilities of the University Auditor (Audit Director) are contained in the University Bylaws, Article XI.
Audit cycle (diagram elements): Reporting; Audit Schedule; Audit Results; 2 Year Cycle; Budget; Analysis; Audit Program; Audit Tests.

(Diagram legend: Bold = Business Process; Blue = Institutional Concerns; Red = Senior Staff Concerns)
IT Audit Role
- Advising the Audit Committee and senior management on IT internal control issues
- Performing IT Risk Assessments
- Performing:
  - Institutional Risk Area Audits
  - General Controls Audits
  - Application Controls Audits
  - Technical IT Controls Audits
- Internal Controls advisors during systems development and analysis activities
IT Audit Process

Words that come to mind when you hear "Audit": Proctology, Chinese Water Torture, Root Canal.

You may be wondering "why me?" Understanding the reasons for an audit and the process involved can help alleviate your fears. The audit process is generally a ten-step procedure:

1. Notification & Request for Preliminary Information
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Draft Report
7. Management Responses
8. Closing Meeting
9. Report Distribution
10. Follow-up
IT General Controls

Physical Security
- Physical Access
- HVAC
- Fire Protection
- UPS

Backup/Contingency Planning
- Data Backups
- Restore Procedures
- Offsite Storage
IT Application Controls

Input Controls
- Data Entry Controls
- System Edits
- Segregation of Duties
- Transaction Authorization

Access Controls
- User-IDs/Passwords
- Data Security
- Network Security
- Security Administration
- Access Authorization

Processing Controls
- Audit Trails
- Interface Controls
- Control Totals

Output Controls
- Reconciliation
- Distribution
- Access

February 14, 2007
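As an added illustration (not part of the original slides, and not code from the University Audit Office), the following Python sketch shows how several of the application controls named above fit together in one batch process: system edits and transaction authorization as input controls, an interface check against the sender's control totals and an audit trail as processing controls, and reconciliation of accepted plus rejected records back to the control totals as an output control. The record layout, field names, and the sample batch are constructed for this example.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample batch (not real data): a header carrying the sender's
# control totals, followed by the transaction records themselves.
BATCH_HEADER = {"batch_id": "B-0001", "record_count": 4, "amount_total": "450.00"}
BATCH_RECORDS = [
    {"txn_id": "T1", "account": "1001", "amount": "100.00", "approved_by": "alice"},
    {"txn_id": "T2", "account": "1002", "amount": "200.00", "approved_by": "bob"},
    {"txn_id": "T3", "account": "ABCD", "amount": "50.00", "approved_by": "alice"},  # fails account edit
    {"txn_id": "T4", "account": "1004", "amount": "100.00", "approved_by": ""},      # no authorization
]


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)  # processing control: what happened and why
    accepted_total: Decimal = Decimal("0")
    reconciled: bool = False


def to_decimal(value):
    """Parse a monetary string; return None if it is not a valid number."""
    try:
        return Decimal(str(value))
    except InvalidOperation:
        return None


def system_edits(rec):
    """Input controls: return the list of edit failures for one record (empty = passes)."""
    errors = []
    account = str(rec.get("account", ""))
    if not (account.isdigit() and len(account) == 4):
        errors.append("account must be exactly 4 digits")
    amount = to_decimal(rec.get("amount"))
    if amount is None or amount <= 0:
        errors.append("amount must be a positive number")
    if not rec.get("approved_by"):  # transaction authorization
        errors.append("transaction authorization missing")
    return errors


def process_batch(header, records):
    result = BatchResult()

    def log(event, **details):
        result.audit_trail.append({"batch_id": header["batch_id"], "event": event, **details})

    # Interface control: what was received must match the sender's control totals
    # (record count and amount total) before any record is posted.
    received_count = len(records)
    received_total = sum(((to_decimal(r.get("amount")) or Decimal("0")) for r in records), Decimal("0"))
    expected_total = to_decimal(header["amount_total"])
    if received_count != header["record_count"] or received_total != expected_total:
        log("batch_rejected", reason="control totals do not match",
            expected_count=header["record_count"], received_count=received_count,
            expected_total=str(expected_total), received_total=str(received_total))
        return result

    # Input controls: apply the system edits to each record; every decision is logged.
    rejected_total = Decimal("0")
    for rec in records:
        errors = system_edits(rec)
        if errors:
            result.rejected.append(rec)
            rejected_total += to_decimal(rec.get("amount")) or Decimal("0")
            log("record_rejected", txn_id=rec.get("txn_id"), errors=errors)
        else:
            result.accepted.append(rec)
            result.accepted_total += Decimal(rec["amount"])
            log("record_accepted", txn_id=rec["txn_id"], approved_by=rec["approved_by"])

    # Output control: reconcile accepted + rejected back to the input control totals,
    # so that nothing was silently dropped or double-posted during processing.
    result.reconciled = (
        len(result.accepted) + len(result.rejected) == header["record_count"]
        and result.accepted_total + rejected_total == expected_total
    )
    log("batch_reconciled", ok=result.reconciled, accepted=len(result.accepted),
        rejected=len(result.rejected), accepted_total=str(result.accepted_total))
    return result


if __name__ == "__main__":
    for entry in process_batch(BATCH_HEADER, BATCH_RECORDS).audit_trail:
        print(entry)
```

Run as a script, the audit trail shows two accepted records, two rejected records (one failing a system edit, one lacking authorization), and a reconciliation entry confirming that accepted plus rejected amounts equal the header's control total. Changing the header's record count to 3 makes the interface check reject the whole batch before any record is processed, which is the behaviour an auditor would expect from an interface control.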
IT Policies
Established Policies: In the University Library of Policies, information technologies occupies Volume 5.
- Abuse of Computers and Network Systems, June 1990
- Policy 5.1 Responsible Use of Electronic Communications, October 1995
- Policy 5.2 Mass Electronic Mailing, January 2003
- Policy 5.3 Use of Escrowed Encryption Keys, January 2003
- Policy 5.4.1 Security of Information Technology Resources, June 2004
- Policy 5.4.2 Reporting Electronic Security Incidents, June 2004
- Policy 5.5 Stewardship and Custodianship of Electronic Mail, Feb. 2005
- Policy 5.6 Recording and Registration of Domain Names, April 2004
- Policy 5.7 Network Registry, June 2004
Related Policy:
Policy 4.12 Data Stewardship and Custodianship, May 2003
The Changing Face of IT Audit
- Moving away from a policing role into a specialist role in the areas of risk and control
- Adding value at strategic and operational levels through the provision of business risk-focused advice and assurance
- Legislation is having a profound impact on IT auditing (SOx, GLBA, HIPAA, FERPA, privacy notification regulations)
- The continuously changing technology environment brings new risks (e.g., cyber security, wireless)
IT Controls
Understanding IT Controls
A top-down approach is used when considering IT controls.
Understanding IT Controls

IT control is a process that provides assurance for information and information services, and helps to mitigate the risks associated with the use of technology.
Importance of IT Controls

Needs for IT controls include:
- controlling cost
- protecting information assets
- complying with laws and regulations

Implementing effective IT controls will improve efficiency, reliability, and flexibility.
Based On Risk

Analyzing Risk
- Identify and prioritize risks
- Consider risk in determining the adequacy of IT controls
- Define the risk mitigation strategy: accept / mitigate / share
Monitoring

Monitoring IT Controls
- Ongoing monitoring
- Special review
- Automated continuous auditing
Assessment

Assessing IT controls is an ongoing process:
- Technology continues to advance
- New vulnerabilities emerge