Information Technology Audit

Information Technology Audit Association of Government Accountants – Boston Chapter 2014 Regional Professional Development Conference Bentley University March 13, 2014


Transcript of Information Technology Audit

Page 1: Information Technology Audit

Information Technology Audit
Association of Government Accountants – Boston Chapter
2014 Regional Professional Development Conference
Bentley University

March 13, 2014

Page 2: Information Technology Audit


With You Today

Geoff W. Clarke CISA CISSP

Manager KPMG Advisory Services

Geoff has been with the firm for seven years and is a manager in the KPMG LLP Information Technology Advisory Services (ITAS) Practice. He has over 30 years of business experience in both the MIS and IT Audit disciplines. Prior to joining KPMG, Mr. Clarke worked for several Fortune 500 Companies where he held MIS and IT Audit executive positions including those of Global IT Audit Director and CIO of Asia Pacific Region MIS. As a CIO, he lived in Singapore and had responsibility for sales, manufacturing and supply chain MIS development and support of his employer’s sales, manufacturing and logistical operations in Greater China, Australia, Japan and S.E. Asia.

During his KPMG career, Geoff has provided assistance to private and public sector clients and has managed MIS Projects, IT Risk and Security Assessments, IT Auditing, SSAE16 examinations and IT controls over Financial Reporting.

[email protected]

(617) 998 1408

Page 3: Information Technology Audit


Agenda

IT Auditing – what, who and why

IT Control Frameworks and IT General Control Domains

IT Audit Challenges

Page 4: Information Technology Audit


What is IT Auditing?

Information systems or technology audit is a part of the overall audit process which is one of the facilitators of good organizational governance

While there is no single universal definition of IT audit, Prof. Ron Weber (author of “Information Systems Control and Audit”) defined it as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."

Page 5: Information Technology Audit


Internal and External IT Audit – Some Differences

Internal Audit – The internal auditor is most often an employee of the organization.

External Audit – The external auditor is an external contractor and not an employee of the organization.

Internal Audit – Internal audit seeks to advise management on whether its major operations have sound systems of risk management and internal controls.

External Audit – The external auditor seeks to test the underlying transactions that form the basis of the financial statements.

Internal Audit – The internal IT auditor supports the goals of the enterprise and, as part of Internal Audit, reports to the audit committee.

External Audit – The external IT auditor supports the external financial audit by providing insight into the reliance to be placed on automated financial systems through the testing of General IT controls and, when requested, IT automated controls.

Internal Audit – Internal audit forms an opinion on the adequacy and effectiveness of systems of risk management and internal control, many of which fall outside the main accounting systems.

External Audit – The external auditor (including the supporting IT audit process) seeks to provide an opinion on whether the accounts show a true and fair view.

Internal Audit – Besides addressing risk, internal audit groups play a key role in identifying opportunities to improve operating efficiency in an organization.

External Audit – While external auditors may comment on potential efficiencies to be made, it is generally not a primary focus of their activity.

Internal Audit – Internal audits are most often time independent, with a goal of being ‘forward looking’ and leading to control improvement.

External Audit – External audits are ‘backward looking’ and most often are focused on the operation of controls during past financial periods.

Page 6: Information Technology Audit


The IT Auditor

“Plans and participates in a broad internal auditing program, and in particular audits of an entity’s information technology functions to assure adherence to established entity policies and procedures and to offer constructive analysis and appraisal of the entity’s IT operations, its technology policies and procedures and systems of internal control”.

Page 7: Information Technology Audit


ISACA

ISACA is an international professional association focused on IT Governance.

It is an affiliate member of the Int’l Federation of Accountants (IFAC).

Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.

ISACA was informally established in the US in 1967 and incorporated formally in 1969 as the Electronic Data Processing (EDP) Auditors Association.

ISACA currently has over 110,000 constituents in 200 chapters located in more than 180 countries.

ISACA awards the certification of Certified Information Systems Auditor (CISA) following a successful examination result and 5 years of appropriate and recordable work experience.

Other ISACA certifications related to IT governance include Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).

Page 8: Information Technology Audit


IT Audit as a Career

A number of schools now offer undergraduate degrees in Information Technology Auditing, including Bentley University

There is a shortfall of trained and experienced IT auditors

IT Auditors can come from both IT and business/accounting backgrounds

Page 9: Information Technology Audit


Impact of Information and Information Technology

Information is a key resource for all enterprises. In some cases, it is all they produce.

Enterprises constantly collect or create information, use it, store it, share it and eventually destroy it.

Information Technology (IT) is a key enabler of the above.

IT is pervasive and ubiquitous in all areas of public and private enterprise, and personal life.

IT has the potential to dramatically change organizational and business operating models, create new opportunities and reduce costs.

High dependency on information requires that it be safeguarded from unauthorized access or misappropriation, have integrity and be made available when required.

Information value brings with it increased internal and external risks and threats of loss or compromise.

Increasing information risks and threats bring with them new statutory requirements specific to the management of information technology.

The recognition that while “it is human to err, it requires a computer to really screw up”.

Page 10: Information Technology Audit


The role of IT in Enterprise operations

IT is a key enabler in supporting what organizations most want:

To accomplish positive business outcomes

»Achieving business goals

»Meeting corporate governance responsibilities and legal requirements

»Administering and managing business activity efficiently and cost effectively

To minimize business risk and avoid issues and problems

»Business

»Operational

»IT

»Statutory and legal

Page 11: Information Technology Audit


Examples of IT Objectives to be achieved and Risks to be mitigated

IT Objectives

Efficient and successful operations

Data integrity

Protected systems

Safeguarded assets

Data and system availability

Positive ROI

Competitive advantage

Enhanced reputation

Statutory Compliance

IT Risks

Information Loss (accidental or malicious)

Financial Reporting Errors

Loss of data and/or system integrity confidence

Computer fraud

System failure and downtime

Increased cost of operation

Inaccurate data = poor business decisions

Reputational loss

Compliance failure

Page 12: Information Technology Audit


Management’s Requirements from its IT Organization

Governance and Risk Management

Security and Confidentiality

Availability

Integrity

Efficiency and Effectiveness

Compliance

Managed cost and ROI

Page 13: Information Technology Audit


Management’s Objective

[Diagram: what Management has (IT resources) is turned, through processes, into what it wants (information with the required characteristics)]

What it has – IT RESOURCES: Applications, Data, Infrastructure, People

PROCESSES

What it wants – INFORMATION: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

Page 14: Information Technology Audit


The role of IT Audit

To help meet Management’s objective, IT systems and processing environments need to be appropriately managed, controlled and periodically assessed to ensure that:

Organizational objectives that are dependent on IT are achieved

Systems and applications function as expected

Data and systems have integrity and are reliable

Adequate safeguards are in place to protect data, information and other IT resources from unauthorized access, disclosure or misappropriation

Systems, applications and their information assets are kept available for authorized persons

Federal, state and other statutory regulations are complied with

Page 15: Information Technology Audit


IT Controls – Achieving Objectives and Avoiding Risk

To Achieve Business Objectives

To Avoid Risks, Threats and Exposures

Control (as defined by CobIT): The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Source: COBIT Control Objectives.

Page 16: Information Technology Audit


Characteristics of Good Internal Control Environment

Well-defined operational control objectives

Appropriate supporting controls

Risk assessment and risk management

Policies, standards, defined expectations

Documentation

Competent and trustworthy people

Monitoring, measurement and evaluation

Page 17: Information Technology Audit


CobIT framework as a model for Enterprise IT Governance

CobIT = Control Objectives for Information and Related Technology

IT Audit’s COSO cousin

First issued in 1997; CobIT 5, published in 2012, is the latest iteration. It is developed and maintained by ISACA and the IT Governance Institute (ITGI).

Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers, IT organizations and auditors

The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes. The COBIT components include:

Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.

Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.

Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.

Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes

Maturity models: Assess maturity and capability per process and help to address gaps.

Page 18: Information Technology Audit


CobIT – Intended to be “all things to all people”

Business Management and User Community

IT Management and IT Organizations

IT Auditors

The Enterprise

Page 19: Information Technology Audit


Other IT Control Frameworks

Information Technology Infrastructure Library (ITIL)

Security Code of Conduct – DTI

Security Handbook – NIST

Federal Information Processing Standards (FIPS)

International Organization for Standardization (ISO) 27001/2 (Security)

Page 20: Information Technology Audit


IT Auditor Areas of Interest

Business Information Characteristics and Information Management

IT Resources and Resource Management

IT Processes and Process Management

Page 21: Information Technology Audit


Information Characteristics

Effective — information should be relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner.

Efficient — provision of information through the optimal (most productive and economical) use of resources.

Confidential — protection of sensitive information from unauthorized disclosure.

Integrity — relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations.

Available — requires that information be available when required by the business process now and in the future.

Compliant — compliance with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed statutory or business criteria.

Reliable — the provision of appropriate and accurate information to management to operate the entity and exercise its fiduciary and governance responsibilities.

Page 22: Information Technology Audit


IT Resources and Resource Management

IT resources need to be managed in order to provide organizations with the type and quality of information required to achieve organizational objectives. Resources comprise:

Application Systems

»are the automated user systems and associated manual procedures that process the information

»Can be in-house or externally hosted (e.g. Software-as-a-Service applications)

Information

»is data in all its forms that when compiled has intelligence and meaning.

Infrastructure and Facilities

»is the technology (hardware, operating systems, database management systems, networking, multimedia, etc.), and the facilities that house and support it, that enable the processing of data through the applications

People

»are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, contracted or totally outsourced as necessary

Page 23: Information Technology Audit


Information Processes and Process Management

Domains – Natural grouping of processes, often matching an organizational domain of responsibility.

Processes – A series of joined tasks and activities with natural (control) breaks.

Tasks & Activities – Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

Page 24: Information Technology Audit


Information Processes and Key General IT Control Domains

Domain 1 – IT Management, Planning, Organization and Risk Management

Domain 2 – Technical Infrastructure and IT Operational Practices

Domain 3 – Protection of Information Assets

Domain 4 – Disaster Recovery and Business Continuity

Domain 5 – Business Application Systems Development, Acquisition, Implementation and Maintenance

Page 25: Information Technology Audit


Domain 1 – IT Management, Planning, Organization and Risk Management

IT Auditor Tasks, e.g.

Conduct an Enterprise risk assessment to determine key risk areas for discussion with Management and use it to develop an appropriate IT audit plan.

Evaluate the organization’s IT strategy and the processes for its development, deployment and maintenance to ensure that it supports the organization’s business objectives.

Evaluate the IT organization’s implementation of risk management and governance

Evaluate IT organization and structure (e.g. roles and responsibilities, SOD) to ensure appropriate, adequate and controlled support of the organization’s business requirements

Evaluate the IT policies, standards and procedures (e.g. risk management, change management, project management, security policies) and the processes for their development, deployment and maintenance

Evaluate IT management practices (e.g. staffing practices, training, info sec management, certifications) to ensure compliance with IT policies, standards and procedures

Evaluate the selection and management of 3rd party services to ensure that they support the organization’s IT strategy

Page 26: Information Technology Audit


Domain 2 – Technical Infrastructure and IT Operational Practices

IT Auditor Tasks, e.g.

Evaluate the acquisition, installation and maintenance of hardware, system software and utilities (e.g. o/s, DB management systems, security packages) and network infrastructure components (e.g. voice and data comms, Internet, extranet) to ensure that they efficiently support the organization’s IT processing and business requirements and are compatible with the organization’s strategies.

Evaluate the use of system performance and monitoring processes, tools and techniques (e.g. capacity planning, problem management, system management) to ensure that computer systems continue to meet the organization's business objectives.

Evaluate IT operational practices (e.g. help desk, user support functions, computer operations, scheduling, data transmission) to ensure efficient and effective utilization of the technical resources which are used to support the organization’s IT processing and business requirements.

Page 27: Information Technology Audit


Domain 3 – Protection of Information Assets

IT Auditor Tasks, e.g.

Evaluate the design and implementation of an Information Security organization and associated practices to ensure that it is effective and capable of protecting and safeguarding the organization’s information assets.

Evaluate the design, implementation and monitoring of physical access controls to ensure the level of protection for assets and facilities is sufficient to meet the organization’s business objectives.

Evaluate the design, implementation and monitoring of environmental controls (e.g. HVAC, smoke/heat/water detectors, fire suppression, uninterrupted power supply [UPS], backup generator) to prevent and/or minimize potential losses.

Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.

Evaluate the design, implementation and monitoring of logical access controls to ensure the integrity, confidentiality and availability of information assets (e.g. programs and data).

Evaluate IT’s safeguards over sensitive data at rest, during transmission and transportation including the copying and storage of data offsite.

Evaluate the Enterprise’s security posture and safeguards against external information threats such as social engineering and ‘phishing’.
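As an added illustration (not part of the original presentation) of how the segregation-of-duties evaluation in Domain 1 and the logical access control evaluation above are tested in practice, the Python script below runs an automated user access review over a constructed user extract. The review date, the dormancy threshold, the role names and the SOD conflict pairs are assumptions made for the example; a real review would draw the extract from the application and the leaver list from HR.

```python
"""
Added example, not from the original presentation: an automated user
access review of the kind used to test the logical access and
segregation-of-duties (SOD) controls discussed under Domains 1 and 3.
The user extract, role names, SOD conflict pairs, review date and
dormancy threshold are all constructed assumptions for the illustration.
"""
from datetime import date

# Assumed review date (the presentation date is used as a stand-in).
AS_OF = date(2014, 3, 13)
DORMANT_DAYS = 90  # assumed policy threshold for unused accounts

# Assumed SOD conflict matrix: a user holding both roles of a pair can
# originate and complete a sensitive transaction without a second person.
SOD_CONFLICTS = {
    frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MAINTAIN", "AP_PAYMENT_RELEASE"}),
    frozenset({"DEVELOPER", "PROD_DEPLOY"}),
}

# Constructed extract joining the application's user list to HR status.
USERS = [
    {"user": "jsmith", "type": "person", "enabled": True, "hr_status": "active",
     "term_date": None, "last_login": date(2014, 3, 10),
     "roles": {"AP_INVOICE_ENTRY"}},
    {"user": "akhan", "type": "person", "enabled": True, "hr_status": "active",
     "term_date": None, "last_login": date(2014, 3, 11),
     "roles": {"AP_INVOICE_ENTRY", "AP_PAYMENT_RELEASE"}},   # SOD conflict
    {"user": "rdoe", "type": "person", "enabled": True, "hr_status": "active",
     "term_date": None, "last_login": date(2013, 10, 1),
     "roles": {"VENDOR_MAINTAIN"}},                          # dormant account
    {"user": "tgone", "type": "person", "enabled": True, "hr_status": "terminated",
     "term_date": date(2014, 1, 31), "last_login": date(2014, 2, 20),
     "roles": {"DEVELOPER", "PROD_DEPLOY"}},                 # leaver, still enabled, used after leaving
    {"user": "svc_batch", "type": "service", "enabled": True, "hr_status": None,
     "term_date": None, "last_login": date(2014, 3, 12),
     "roles": {"PROD_DEPLOY"}},                              # service account, reviewed separately
]


def sod_conflicts(users, conflicts=SOD_CONFLICTS):
    """Map each user to the conflicting role pairs they hold (sorted for stable output)."""
    findings = {}
    for u in users:
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= u["roles"]]
        if hits:
            findings[u["user"]] = sorted(hits)
    return findings


def terminated_still_enabled(users):
    """Leavers whose account was never disabled: the leaver step of the access process failed."""
    return sorted(u["user"] for u in users
                  if u["hr_status"] == "terminated" and u["enabled"])


def used_after_termination(users):
    """A login dated after the HR termination date shows the stale access was actually used."""
    return sorted(u["user"] for u in users
                  if u["term_date"] and u["last_login"] and u["last_login"] > u["term_date"])


def dormant_accounts(users, as_of=AS_OF, days=DORMANT_DAYS):
    """Enabled personal accounts unused for longer than the policy threshold."""
    return sorted(u["user"] for u in users
                  if u["type"] == "person" and u["enabled"]
                  and (as_of - u["last_login"]).days > days)


def access_review(users):
    """Run every test and return the findings as one dict, as a workpaper would list them."""
    return {
        "sod_conflicts": sod_conflicts(users),
        "terminated_still_enabled": terminated_still_enabled(users),
        "used_after_termination": used_after_termination(users),
        "dormant_accounts": dormant_accounts(users),
    }


if __name__ == "__main__":
    for test, result in access_review(USERS).items():
        print(f"{test}: {result if result else 'no exceptions'}")
```

Each function returns the list of accounts that fail one test, so the auditor follows up on named exceptions rather than on the whole population; the HR join is what turns a plain user list into evidence about whether the joiner/mover/leaver control actually operated during the period.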

Page 28: Information Technology Audit


Domain 4 – Disaster Recovery and Business Continuity

IT Auditor Tasks, e.g.

Evaluate the adequacy of backup and recovery provisions to ensure the resumption of normal information processing in the event of a short-term disruption and/or the need to rerun or restart a process.

Evaluate the organization’s ability to continue to provide information system processing capabilities in the event that the primary information processing facilities are not available (e.g. disaster recovery).

Evaluate the organization’s ability to ensure business continuity in the event of a business disruption.

Page 29: Information Technology Audit


Domain 5 – Business Solution Systems Development, Acquisition, Implementation and Maintenance

IT Auditor Tasks, e.g.

Evaluate the processes by which business solutions are developed and implemented to ensure that they contribute to the attainment of the organization’s business objectives

Evaluate the processes by which business solutions are acquired and implemented to ensure that they contribute to the attainment of the organization’s business objectives

Evaluate the processes by which business solutions are maintained to ensure the continued support of the organization’s business objectives.

Evaluate the Enterprise policies, standards and procedures related to the acquisition, management and monitoring of 3rd party outsourced or hosted key applications, e.g. SaaS solutions.

Evaluate the processes by which system software and utilities are maintained to ensure the continued support of the organization’s business objectives.

Page 30: Information Technology Audit


What comprises a traditional IT audit?

The major elements of IT audit as defined by ISACA and laid out in CobIT can be broadly classified as follows:

Physical and environmental review—This includes physical security, power supply, air conditioning, humidity control and other environmental factors.

System administration review—This includes security review of the operating systems, database management systems, all system administration procedures and compliance.

Application software review—The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.

Network security review—Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.

Business continuity review—This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity plan.

Data integrity review—The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).
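As an added example (not from the original presentation) of the substantive testing this slide describes, the Python script below applies typical CAAT-style data integrity tests to a constructed accounts-payable invoice extract: duplicate payments, self-approval, cut-off, unusual amounts and weekend postings. The invoice records, the fiscal period and the approval limit are assumptions made for the illustration; in practice the same tests run over the full live extract.

```python
"""
Added example, not from the original presentation: substantive tests of
the kind an IT auditor runs with generalized audit software (computer
assisted audit techniques, CAATs) over a live data extract, here an
accounts-payable invoice file. The invoices, the fiscal period and the
single-approver limit are all constructed assumptions for the illustration.
"""
from collections import Counter
from datetime import date

PERIOD_START, PERIOD_END = date(2013, 7, 1), date(2013, 12, 31)  # assumed period under audit
APPROVAL_LIMIT = 10000.00                                         # assumed single-approver limit

# Constructed sample extract (not real data); comments mark the planted exceptions.
INVOICES = [
    {"id": "INV-1001", "vendor": "V-10", "amount": 4200.00, "posted": date(2013, 11, 4),
     "entered_by": "jsmith", "approved_by": "mlee"},
    {"id": "INV-1002", "vendor": "V-10", "amount": 4200.00, "posted": date(2013, 11, 4),
     "entered_by": "jsmith", "approved_by": "mlee"},     # duplicate of INV-1001
    {"id": "INV-1003", "vendor": "V-22", "amount": 9999.00, "posted": date(2013, 11, 9),
     "entered_by": "akhan", "approved_by": "akhan"},     # self-approved, just under limit, Saturday
    {"id": "INV-1004", "vendor": "V-31", "amount": 15250.00, "posted": date(2013, 12, 2),
     "entered_by": "rdoe", "approved_by": "mlee"},
    {"id": "INV-1005", "vendor": "V-22", "amount": 310.50, "posted": date(2014, 1, 6),
     "entered_by": "akhan", "approved_by": "mlee"},      # posted after period end
    {"id": "INV-1006", "vendor": "V-07", "amount": -120.00, "posted": date(2013, 12, 16),
     "entered_by": "rdoe", "approved_by": "mlee"},       # negative amount
]


def _key(inv):
    """Fields that, taken together, identify a likely duplicate payment."""
    return (inv["vendor"], inv["amount"], inv["posted"])


def duplicate_invoices(invoices):
    """Same vendor, amount and posting date: candidate duplicate payments."""
    counts = Counter(_key(inv) for inv in invoices)
    return sorted(inv["id"] for inv in invoices if counts[_key(inv)] > 1)


def self_approved(invoices):
    """Preparer and approver are the same user: the application's SOD control did not operate."""
    return sorted(inv["id"] for inv in invoices if inv["entered_by"] == inv["approved_by"])


def outside_period(invoices, start=PERIOD_START, end=PERIOD_END):
    """Postings dated outside the period under audit: cut-off exceptions."""
    return sorted(inv["id"] for inv in invoices if not start <= inv["posted"] <= end)


def unusual_amounts(invoices, limit=APPROVAL_LIMIT, band=0.01):
    """Negative amounts, and amounts within `band` of (but below) the approval limit,
    which warrant a look at whether the approval threshold is being worked around."""
    return sorted(inv["id"] for inv in invoices
                  if inv["amount"] < 0 or limit * (1 - band) <= inv["amount"] < limit)


def weekend_postings(invoices):
    """Postings on Saturday or Sunday: unusual if the business does not process on those days."""
    return sorted(inv["id"] for inv in invoices if inv["posted"].weekday() >= 5)


def run_tests(invoices):
    """Run every test and return {test name: [invoice ids]} for the workpaper."""
    tests = [duplicate_invoices, self_approved, outside_period, unusual_amounts, weekend_postings]
    return {t.__name__: t(invoices) for t in tests}


if __name__ == "__main__":
    for name, ids in run_tests(INVOICES).items():
        print(f"{name}: {', '.join(ids) if ids else 'no exceptions'}")
```

The point of running the tests over the whole extract rather than a sample is that each exception list is exhaustive for the period, which is what lets the auditor tie a control weakness noted in the earlier reviews (for example a missing application-level approval check) to its actual impact on the data.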

Page 31: Information Technology Audit


IT Audit Challenges

Inaccessible and untouchable computer solutions – Cloud based systems

Involvement at inception

Business owned and driven

Reliance on 3rd party service auditor reports

Year-to-year oversight

Remaining relevant

Effective vendor evaluations, e.g. FedRAMP

Statutory Compliance demands

Data lifecycle management

Keeping ahead of the curve - understanding new technologies, solutions and their risks

End user computing – the ubiquitous mobile device and its vulnerability

Acquiring and retaining qualified staff

Page 32: Information Technology Audit

Questions