IIA_Tampa_2-3-2004 Beth Breier, City of Tallahassee 1
IT Auditing in the Small Audit Shop
Beth Breier, CPA, CISA
City of [email protected]
http://talgov.com/citytlh/auditing/index.html
Outline
Using IT in Audits vs. IT Audits
Types of IT Audits
Determining What Audits to Do
IT Audit Examples
Successful Strategies
References
Using IT in Audits
Using IT tools to analyze data within a performance or financial audit
Using IT in Audits
Exporting data from application systems
Using IT software to identify trends, “outliers”, exceptions, etc.
Entire populations can be analyzed
Using IT in Audits
MS Access
ACL
IDEA
SQL
Business Objects
Focus
Using IT in Audits
Disbursement data
– Benford Analysis
– Invoices between or over a specified dollar amount
– Duplicate invoices
Fleet data
– Total work order costs by vehicle for year
Transactions conducted by an individual user or vendor
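As an added worked example (not from the presentation), the tests listed above implemented over a constructed disbursement and fleet extract. The record layout, the $4,500 to $4,999.99 band (amounts just under an assumed $5,000 approval limit) and all sample values are assumptions for illustration; the same functions run unchanged over a full exported population.

```python
from collections import Counter, defaultdict
from math import log10

# Constructed sample disbursements: (invoice_no, vendor, amount, entered_by)
DISBURSEMENTS = [
    ("INV-1001", "Acme Tires",     1250.00, "jdoe"),
    ("INV-1002", "Acme Tires",     1250.00, "jdoe"),    # same vendor and amount as INV-1001
    ("INV-1003", "Fleet Parts Co", 4999.00, "asmith"),  # just under an assumed $5,000 limit
    ("INV-1004", "Fleet Parts Co",  312.40, "asmith"),
    ("INV-1005", "Office Supply",    87.15, "bwong"),
    ("INV-1005", "Office Supply",    87.15, "bwong"),   # invoice number keyed twice
    ("INV-1006", "Paving LLC",    15800.00, "jdoe"),
    ("INV-1007", "Paving LLC",     4950.00, "jdoe"),    # also just under the limit
]

# Constructed fleet work orders: (work_order, vehicle_id, date, cost)
WORK_ORDERS = [
    ("WO-1", "V-101", "2003-01-15",  420.00),
    ("WO-2", "V-101", "2003-06-02", 1310.50),
    ("WO-3", "V-102", "2003-03-20",  975.25),
    ("WO-4", "V-101", "2002-12-30",  200.00),   # prior year, excluded from the 2003 total
]

# Benford's expected share of each leading digit: log10(1 + 1/d)
BENFORD = {d: log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(amount):
    """Leading non-zero digit of an amount, or None when the amount is zero."""
    s = f"{abs(amount):.2f}".lstrip("0.")
    return int(s[0]) if s else None


def benford_first_digit(amounts):
    """Observed vs. expected first-digit counts, {digit: (observed, expected)}.
    Digits that occur far more or less often than expected are the 'outliers'
    an auditor drills into; the test is meaningful only on large populations."""
    digits = [d for d in (first_digit(a) for a in amounts) if d is not None]
    counts = Counter(digits)
    n = len(digits)
    return {d: (counts.get(d, 0), round(BENFORD[d] * n, 2)) for d in range(1, 10)}


def invoices_in_range(rows, low, high=None):
    """Invoices with amount in [low, high], or >= low when high is None."""
    return [r for r in rows if r[2] >= low and (high is None or r[2] <= high)]


def duplicate_invoices(rows):
    """Possible duplicate payments: repeated invoice numbers, and the same
    vendor billed the same amount more than once."""
    by_number = Counter(r[0] for r in rows)
    by_vendor_amount = Counter((r[1], round(r[2], 2)) for r in rows)
    return {
        "repeated_numbers": sorted(k for k, c in by_number.items() if c > 1),
        "repeated_vendor_amount": sorted(k for k, c in by_vendor_amount.items() if c > 1),
    }


def totals_by_vehicle(work_orders, year):
    """Total work-order cost per vehicle for one calendar year."""
    totals = defaultdict(float)
    for _, vehicle, day, cost in work_orders:
        if day.startswith(f"{year}-"):
            totals[vehicle] += cost
    return {v: round(c, 2) for v, c in totals.items()}


def transactions_by(rows, key):
    """Invoice numbers grouped by 'vendor' or by 'user' (the person who entered them)."""
    idx = {"vendor": 1, "user": 3}[key]
    groups = defaultdict(list)
    for r in rows:
        groups[r[idx]].append(r[0])
    return dict(groups)


if __name__ == "__main__":
    amounts = [r[2] for r in DISBURSEMENTS]
    print("Benford:", benford_first_digit(amounts))
    print("Just under limit:", [r[0] for r in invoices_in_range(DISBURSEMENTS, 4500, 4999.99)])
    print("Duplicates:", duplicate_invoices(DISBURSEMENTS))
    print("2003 cost by vehicle:", totals_by_vehicle(WORK_ORDERS, 2003))
    print("By user:", transactions_by(DISBURSEMENTS, "user"))
```

Each function takes the whole population, so the exceptions it returns are the items to select for follow-up rather than a sample chosen in advance.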
IT Audit
Conducting an audit or review of information technology “to ensure the productivity, usefulness, and availability of the IT systems that serve organizations.”
IT Audits, Xenia Ley Parker (2003)
IT Audits
Separate audit
Combined with performance or financial audit
Types of IT Audits
IT General Controls
Application Controls - Software
IT Project Progress
IT General Controls
General Controls are the structure, policies, and procedures that apply to an entity’s overall computer operations.
Federal Information System Controls Audit Manual, GAO, 1999
IT General Controls
Entity-wide Security Planning and Management
Access Controls
Application Development/Change Controls
System Software
Segregation of Duties
Service Continuity
IT Governance
Software Application
Any application that affects the financial statements or provides information that management relies on to measure performance or make decisions.
Software Application
Input – Including interfaces
Processing
Output – Including interfaces
IT Project Progress
Conducting an assurance and consulting audit during a specified phase of a major IT project.
IT Project Progress
Audit Phases:
– Planning
– Acquisition
– Implementation
– Post-Implementation
Determining What Audits to Do
Gain an understanding of IT in the organization:
– Environments
– Connectivity
– Locations
– Operating Systems
– Application Systems
[Diagram – Environments: a layered view of the access paths to the DATA (Remote, Network, Operating System, Database, Application), with each layer labelled as provided by ISS or by the department owner]
[Diagram – Example Network 1: ISS computer room with multiple servers and mainframes; Internet connections used to visit web sites, download files via FTP (File Transfer Protocol), and send/receive e-mail with attached files; remote access via modem; network access to other City buildings; workstations inside City Hall]
[Slide – Example Network 3: author's placeholder ("Put in an example diagram of network"); no diagram is included in the transcript]
Determining What Audits to Do
Listing of Operating Systems
Windows 95, 98, NT
Windows 2000, XP
UNIX
LINUX
Determining what audits to do
Listing of all Software Applications and their Owners:
Financial statement related systems
Other systems
[Diagram – Example application inventory, Treasurer-Clerk and Management & Administration: Electric Doc Mngt System (EDMS); Check-Printing / FMS (DMS-2 on Unisys, "still active???"); Payments/Receipts in CIS/Billing; CIS; Occupational Licenses (Access DB); Financials (PeopleSoft); Fixed Asset System (FMA, "still active??"); Payroll Module of HRMS; Retirement Module of HRMS; City Network & Personal Computers; Telecommunications; Geographic Information System (GIS, Arc Info); Risk Management System; CORE Revenue Collection; Web Server; Data Warehouse & Web Project; Integration Project; other applications: Tech Data, PARAGON (Bonds), Retirement Calculation, DP500 Remittance Processing, HR IVR Annual Benefits Enrollment. Each box carries its business owner and/or ISS contact name. Legend: bold box – critical (FY 98 audit report); broken-line box – not critical (FY 98 audit report); round corners – Access DB; round or square dots – not sure; new system/project.]
[Diagram – Example application inventory, Safety and Neighborhood Services, Assistant to the City Manager, and Development & Transportation Services: Computer Aided Dispatch / Records Management (CAD/RMS); 800 MHz Radio / Communications; 800 MHz Data System; Mobile Data Computers; Animal Center (Chameleon) – Y2-OK; Traffic System (being upgraded, Traffic Engineering); Permit Enforcement Tracking System (PETS) – Y2-OK; Fleet Maintenance System (FASTER); Facilities Maintenance Program (City Hall); MBE – Access ("still active??"); Safety Office Access (?); Street Sweeping Monitoring System ("not sure?"); TRACKS (gas tracking system); TALTRAN Traffic Routing; TALTRAN Bus Display System; Streets & Drainage – new program 2002. Several boxes name an ISS project manager, including systems other agencies use too. Same legend as above.]
[Diagram – Example application inventory, Utilities Services (Water Utilities, Solid Waste, Gas Operations, Electric Utilities, Energy Services): Customer Inquiry Tracking System (CITS); Wastewater Plant Monitoring & Control System; Laboratory Info Mngt System (LIMS); Work Ticket System for Gas & Water; CIS PeopleSoft; RouteSmart (Solid Waste) and RouteSmart (Meter Reading); Parking Ticket System (to be enhanced); CMMS (Facility Maintenance); Supervisory Control & Data Acquisition System (SCADA), shown for more than one utility; Energy Mngt System (EMS, proprietary); Mobile Data Mngt System (MDMS); Meter Change-Out / Work Order System; Mail-In Receipt System (feeds CIS); Meter Reading System (feeds CIS, DOS-based application); Automated Route Control System (ARCS); Safety & Training Software; Loan Program Access Database (Energy Services); numerous Access DBs (leaks, taps, hydrant; work orders, usually 2 days behind; out-of-service areas, Waste Mngt); Utilities Rate Estimation (proprietary); Substation Components Subsystem ("not sure where or what this is").]
Determining what audits to do
Do a risk assessment and consider impact on:
– Business Operations
– Revenues
– Expenditures
– Management Decision-making
– Political and public crisis
Determining what audits to do
Other Areas that impact Risk Assessment:
Available Staffing w/ needed skills
Meets Current Standards
Formal Business owner
Maturity of IS operations
Audit Planning
Based on your risk assessment, outline a potential progression of audits:
1. Start broad
2. Narrow down into specific areas
Consider All the Pieces
– New IT System
– Infrastructure and Security
– IS General Operations
– Performance Measures
– Financial Statements
Develop your IT Audit Plan
– IS General Operations
– Infrastructure and Security
– Financial Statements
– Performance Measures
– New IT System
IT Audit Examples
1. General Control - Logical Security
2. Application Control – Fleet Management System
3. IT Project Progress – Planning and Acquisition
General Controls - Audit Example
Logical Security Objectives:
– General understanding of the network
– Logical access paths
– Adequacy of policies and procedures
– Security controls management believed were in place
General Controls - Audit Example
Logical Security Objectives (Continued):
– Controls in place to prevent unauthorized access in the City’s LAN
– Accessibility to confidential information
General Controls - Audit Example
Logical Security Procedures:
– Interview IS staff and business staff
– Review network schema
– Examine network security system settings and user-specific settings
– Examine relevant laws, ordinances, policies, etc. re: confidential information
– Examine and test user security at network, databases, applications
– Conduct vulnerability assessment procedures
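An added example, not part of the presentation, of the "examine user-specific settings" and "test user security" procedures: a review of a constructed network account export against the controls management says are in place. The account records, field names, the 90-day thresholds and the "shared_" naming convention are all assumptions for illustration; a real review works from the directory or server security export being examined.

```python
from datetime import date

# Constructed account export (hypothetical fields, not a real directory schema).
ACCOUNTS = [
    {"user": "jdoe", "dept": "Fleet", "groups": {"FleetUsers"}, "enabled": True,
     "last_logon": date(2004, 1, 28), "password_set": date(2003, 12, 1), "never_expires": False},
    {"user": "asmith", "dept": "Finance", "groups": {"FinanceUsers", "Domain Admins"}, "enabled": True,
     "last_logon": date(2004, 1, 30), "password_set": date(2003, 11, 15), "never_expires": False},
    {"user": "rjones", "dept": "ISS", "groups": {"Domain Admins"}, "enabled": True,
     "last_logon": date(2004, 2, 1), "password_set": date(2003, 9, 1), "never_expires": False},
    {"user": "tmp_contractor", "dept": "Utilities", "groups": {"UtilityUsers"}, "enabled": True,
     "last_logon": date(2003, 6, 10), "password_set": date(2003, 5, 1), "never_expires": True},
    {"user": "shared_dispatch", "dept": "Police", "groups": {"CADUsers"}, "enabled": True,
     "last_logon": date(2004, 2, 2), "password_set": date(2002, 1, 1), "never_expires": True},
    {"user": "oldacct", "dept": "Fleet", "groups": {"FleetUsers"}, "enabled": False,
     "last_logon": date(2002, 3, 3), "password_set": date(2002, 1, 1), "never_expires": False},
]

# Assumed policy values: the controls management believes are in place.
POLICY = {
    "max_password_age_days": 90,      # passwords must be changed at least every 90 days
    "inactive_days": 90,              # accounts unused for 90 days should be disabled
    "admin_groups": {"Domain Admins"},
    "admin_departments": {"ISS"},     # only IS staff may hold administrative rights
    "shared_prefix": "shared_",       # naming convention for generic/shared logins
}


def review_accounts(accounts, policy, as_of):
    """Compare each enabled account with the stated policy.
    Returns {username: [finding, ...]} for accounts with at least one exception."""
    findings = {}
    for a in accounts:
        if not a["enabled"]:
            continue  # disabled accounts are outside these tests
        issues = []
        if (as_of - a["last_logon"]).days > policy["inactive_days"]:
            issues.append("inactive account still enabled")
        if a["never_expires"]:
            issues.append("password set to never expire")
        elif (as_of - a["password_set"]).days > policy["max_password_age_days"]:
            issues.append("password older than policy maximum")
        if a["groups"] & policy["admin_groups"] and a["dept"] not in policy["admin_departments"]:
            issues.append("administrative group membership outside IS")
        if a["user"].startswith(policy["shared_prefix"]):
            issues.append("shared account defeats individual accountability")
        if issues:
            findings[a["user"]] = issues
    return findings


def summarize(findings):
    """How often each finding type occurs, for the audit report."""
    counts = {}
    for issues in findings.values():
        for issue in issues:
            counts[issue] = counts.get(issue, 0) + 1
    return counts


if __name__ == "__main__":
    result = review_accounts(ACCOUNTS, POLICY, date(2004, 2, 3))
    for user, issues in sorted(result.items()):
        print(f"{user}: {'; '.join(issues)}")
    print(summarize(result))
```

The policy dictionary is deliberately separate from the test logic so the same review can be rerun against the written policy, against what IS staff describe in interviews, and against the settings actually found, and the three sets of exceptions compared.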
Application Controls – Audit Example
Fleet Application Objectives
– Understand the internal control components
– Evaluate application controls
– Evaluate selected general controls
Application Controls – Audit Example
Fleet Application Procedures
– Review documentation
– Identify and prioritize controls
– Test effectiveness of controls
– Examine interface programs and test interfaces
– Test accuracy and completeness of reports
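An added example (not from the presentation and not the fleet vendor's code) of three of the procedures above applied to a constructed fleet-system extract: re-testing input controls the application should have enforced, recomputing work-order totals to test calculation accuracy, and reconciling the work orders to what the interface posted to the financial system. Field names, the vehicle-id format and all sample records are assumptions.

```python
import re
from collections import Counter

# Constructed fleet-system extract: labor hours and rate, parts lines
# (name, quantity, unit price) and the total the application reported.
WORK_ORDERS = [
    {"wo": "WO-2001", "vehicle": "V-101", "labor_hours": 2.5, "labor_rate": 40.0,
     "parts": [("tire", 2, 95.00)], "total": 290.00},
    {"wo": "WO-2002", "vehicle": "V-102", "labor_hours": 1.0, "labor_rate": 40.0,
     "parts": [("oil filter", 1, 8.50), ("oil (qt)", 5, 2.10)], "total": 58.50},  # understated
    {"wo": "WO-2003", "vehicle": "", "labor_hours": -3.0, "labor_rate": 40.0,
     "parts": [], "total": -120.00},  # accepted with no vehicle and negative hours
    {"wo": "WO-2004", "vehicle": "V-103", "labor_hours": 0.5, "labor_rate": 40.0,
     "parts": [], "total": 20.00},
]

# Constructed extract of what the financial system received through the interface.
GL_POSTINGS = [
    ("WO-2001", 290.00),
    ("WO-2002", 58.50),
    ("WO-2004", 20.00),
    ("WO-2004", 20.00),  # the interface posted this work order twice
]

VEHICLE_ID = re.compile(r"^V-\d{3}$")  # assumed format for this illustration


def validate_inputs(wo):
    """Input-control checks the application should have applied at data entry."""
    issues = []
    if not VEHICLE_ID.match(wo["vehicle"]):
        issues.append("missing or malformed vehicle id")
    if wo["labor_hours"] <= 0:
        issues.append("labor hours not positive")
    for name, qty, price in wo["parts"]:
        if qty <= 0 or price < 0:
            issues.append(f"invalid quantity/price for part {name!r}")
    return issues


def recompute_total(wo):
    """Independent recalculation: labor hours x rate plus parts quantity x price."""
    labor = wo["labor_hours"] * wo["labor_rate"]
    parts = sum(qty * price for _, qty, price in wo["parts"])
    return round(labor + parts, 2)


def calculation_exceptions(work_orders):
    """Work orders whose reported total differs from the recomputed one."""
    return [(w["wo"], w["total"], recompute_total(w))
            for w in work_orders if abs(w["total"] - recompute_total(w)) >= 0.01]


def reconcile_interface(work_orders, postings):
    """Completeness and accuracy of the fleet-to-financial interface."""
    fleet = {w["wo"]: w["total"] for w in work_orders}
    posted = Counter()   # amount posted per work order
    seen = Counter()     # number of postings per work order
    for wo, amount in postings:
        posted[wo] += amount
        seen[wo] += 1
    return {
        "missing_in_gl": sorted(set(fleet) - set(seen)),
        "not_in_fleet": sorted(set(seen) - set(fleet)),
        "posted_twice": sorted(w for w, n in seen.items() if n > 1),
        "amount_mismatch": sorted(w for w in fleet
                                  if w in seen and abs(fleet[w] - posted[w]) >= 0.01),
    }


if __name__ == "__main__":
    for w in WORK_ORDERS:
        if validate_inputs(w):
            print(w["wo"], "input issues:", validate_inputs(w))
    print("calculation exceptions:", calculation_exceptions(WORK_ORDERS))
    print("interface reconciliation:", reconcile_interface(WORK_ORDERS, GL_POSTINGS))
```

Running the same three checks over every work order in the year gives the population of exceptions behind findings such as "calculations not accurate" or "interfaces not working as intended", and the size of each list is what the report quantifies.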
Application Controls – Audit Example
Fleet Application Issues:
– Poor input controls (validation, etc.)
– Specific controls not working
– Calculations not accurate
– Reports not complete or accurate
– Interfaces not working as intended
Application Controls – Audit Example
Fleet Application Issues (Continued)
– Lack of segregation of duties – users and IS staff
– No software change management procedures
– No written backup and recovery procedures
IT Project Progress – Audit Example
Public Safety Systems Integration
Phase: Planning and Acquisition
Objectives:
– Compliance with City policies and procedures and contract requirements
– Independent assessment of risk management and project controls
– Project status and accomplishments
– Significant issues and status
IT Project Progress – Audit Example
Public Safety Systems Integration Procedures:
– Advisory (non-voting) member of project teams and committees
– Review key documentation (RFPs, contracts)
– Test transactions for appropriateness
– Interview key IS and user department staff
– Observe contract negotiations
IT Project Progress – Audit Example
Public Safety Systems Integration Issues:
– No cost benefit analysis conducted
– Needs assessment not documented
– No documentation of major decisions
– Lack of budget monitoring
– Lack of management oversight
– Lack of communication among project team and/or management
IT Project Progress – Audit Example
Public Safety Systems Integration Issues (Continued):
– Needs and expectations exceed scope
– Lack of communication among projects
– No plan to address insufficient infrastructure to support new system
– New system will require more technical expertise than City or department has
3 Recommended Strategies
Start broad and then narrow the focus
Limit scope for a reasonable time frame
Plan specific IT training for staff
References - Audit Programs
GAO Federal Information System Controls Audit Manual (FISCAM) (http://www.gao.gov/policy/guidance.htm)
– General Controls
– Currently developing Chapter 4 on Application Controls
NASACT Information Systems Security Audit Forum (ISSAF) web page (http://www.nasact.org/IISAF/about.html)
References - Audit programs
CoBIT - Information Systems Audit and Control Association (ISACA) (http://www.isaca.org/)
ISACA Systems Auditability and Control
IT Audits, Xenia Ley Parker, published by Aspen, 2003
Handbook on IT Auditing (Warren, Edelson & Parker)
www.ITAudit.org
References - Audit programs
Federal Information Processing Standards (FIPS), http://csrc.nist.gov/publications/fips/index.html, including:
– FIPS 46-3, Data Encryption Standard (DES)
– FIPS 112, Password Usage
Computer Security Resource Center, http://csrc.nist.gov/index.html