Key IT considerations for Internal Audit Dr. K. Paul Jayakar M.Com., FCA, DIRM, Ph.D, CRISC Director, IT & RMS at Brahmayya & Co. “IT- Security issues in Information System Audit” on Tuesday, 27 th October, 2015

Page 1

Key IT considerations for Internal Audit

Dr. K. Paul Jayakar, M.Com., FCA, DIRM, Ph.D, CRISC

Director, IT & RMS at Brahmayya & Co.

“IT- Security issues in Information System Audit” on Tuesday, 27th October, 2015

Page 2

Key IT considerations

1. Information security
2. Business continuity management
3. Mobile
4. Cloud
5. IT risk management
6. Program risk
7. Software/IT asset management
8. Social media risk management
9. Segregation of duties/identity and access management
10. Data loss prevention and privacy

2Paul Jayakar

Page 3

These IT considerations and audit topics can be used to perform a more effective risk assessment and to build a robust annual audit plan.

Page 4

Techniques of IT risk assessment

Page 5

(Figure: IT risk assessment process: data and inputs, reviewed, outputs)

Page 6

IT risk assessment techniques: basic versus leading practice

Basic

• IT internal audit issues

• IT regulation driven (CARO) and external audit issues

Leading

• Root causes from past IT issues

• Competitor and peer risks

• Industry trends

• Third-party external IT risk data

• Analyst reports

Page 7

IT risk assessment techniques: basic versus leading practice (continued)

Basic

• Run analytics, but limited summarization of data

• Business and IA leadership struggle to spot trends in data

Leading

• Risk analytics identify the most critical questions IT, business and IA need to answer

• Trending and period-to-period comparisons identify emerging risks or changes to existing risks

• Efforts are aligned with other “big data” initiatives

Page 8

IT risk assessment techniques: basic versus leading practice (continued)

Basic

• Focus on IT stakeholders

• Point-in-time engagement, primarily during the annual IT risk assessment

• IT and business leaders not trained on risk management

Leading

• Includes operational and global stakeholders beyond IT

• Risk management embedded in IT leadership training

• Scenario-planning workshops for significant IT risks

• Continuous dialogue with stakeholders (monthly, quarterly meetings)

• Risk committee used to review risk assessment changes

Page 9

IT risk assessment techniques: basic versus leading practice (continued)

Basic

• Inconsistent documentation of interviews

• Surveys used for certification purposes or not at all

Leading

• IT subject matter experts participating in select interviews to draw out key risks

• Surveys used to confirm risk assessment results with lower-level IT management who are not interviewed

• Stakeholders self-assessing risk based on IT governance, risk and compliance (GRC) solution containing dynamic risk database

Page 10

IT risk assessment techniques: basic versus leading practice (continued)

Basic

• IT internal audit attending interviews with little participation from other risk management functions or operational audit

• IT risk assessment viewed as “internal audit’s IT risk assessment”

Leading

• IT risk assessment collaboratively developed by internal audit (operational and IT) and other risk management functions and IT

• Compliance, external audit and other risk management functions participating in interviews

• Risk assessment embedded within strategic planning process

Page 11

IT risk assessment techniques: basic versus leading practice (continued)

Basic

• Impact and likelihood used for prioritization

• Audit prioritization based heavily on the IT competencies available in the IA department

Leading

• Categorize IT risks within each of the following: availability, confidentiality, integrity, effectiveness and efficiency

• Relevance to strategic objectives used to prioritize IT risks

• Audits executed based on value to the organization and connection to strategic objectives

Page 12

IT risk assessment techniques: basic versus leading practice (continued)

Basic

• Relatively static internal audit plan

Leading

• Dynamic IT internal audit plan that changes throughout the year and is reset at selected milestones (e.g., quarter, trimester, bi-annually)

• IT internal audit plan addresses unified framework of all IT compliance needs (e.g., PCI, HIPAA, ISO27001)

• External IT audit plan and internal audit reliance strategy integrated and optimized

Page 13

Audit Areas

1. Information security
2. Business continuity management
3. Mobile
4. Cloud
5. IT risk management
6. IT investments program risk
7. Software/IT asset management
8. Social media risk management
9. Segregation of duties/identity and access management
10. Data loss prevention and privacy

Page 14

1. Information Security

The audit

Information security program assessment —

• Evaluates the organization’s information security program, including strategy, awareness and training, vulnerability assessments, predictive threat models, monitoring, detection and response, technologies and reporting.

Audit considerations

• How comprehensive is the existing information security program?

• Is information security embedded within the organization, or is it an “IT only” responsibility?

• How well does the organization self-assess threats and mitigate the threats?

Page 15

1. Information Security…

The audit

Threat and vulnerability management program assessment

• Evaluates the organization’s threat and vulnerability management (TVM) program including threat intelligence, vulnerability identification, remediation, detection, response, and countermeasure planning.

Audit considerations

• How comprehensive is the existing TVM program?

• Is the TVM program aligned with business strategy and the risk appetite of the organization?

• Are the components of TVM integrated with one another, as well as with other security and IT functions?

• Do processes exist to make sure identified issues are appropriately addressed and remediation is effective?
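The last two considerations (are identified issues addressed, and is remediation effective) and the trending and period-to-period comparison from the leading-practice slides are things an auditor can test directly on an extract from the vulnerability-management tool rather than by interview. The following is an added example, not from the presentation or from any tool it mentions: it assumes a per-severity remediation SLA table (an assumed policy, not a standard) and a constructed list of findings, and computes findings open past their SLA, findings that were closed and then re-detected on the same host (remediation that did not hold), and the change in the open backlog versus the previous period.

```python
"""Audit analytics over a vulnerability-management extract.

Added example, not from the original slides.  The findings below are
constructed; the SLA table is an assumed policy, not a standard.
"""
from collections import Counter
from datetime import date, timedelta

# Assumed remediation SLA per severity, in days from first detection.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Date of the audit test (constructed).
AUDIT_DATE = date(2015, 10, 27)

# Constructed extract: one row per finding occurrence.
# (finding id, host, severity, first seen, closed on or None)
FINDINGS = [
    ("CVE-A", "web01", "critical", date(2015, 9, 1),  date(2015, 9, 5)),
    ("CVE-A", "web01", "critical", date(2015, 9, 20), None),   # re-detected after closure
    ("CVE-B", "db01",  "high",     date(2015, 8, 1),  None),   # open past SLA
    ("CVE-C", "app02", "medium",   date(2015, 10, 1), None),   # open, within SLA
    ("CVE-D", "app02", "low",      date(2015, 7, 1),  date(2015, 9, 30)),
]


def overdue(as_of=AUDIT_DATE, findings=FINDINGS):
    """Open findings whose age exceeds the SLA for their severity.
    Returns (id, host, severity, days past SLA)."""
    out = []
    for fid, host, sev, seen, closed in findings:
        if closed is None or closed > as_of:
            age = (as_of - seen).days
            if age > SLA_DAYS[sev]:
                out.append((fid, host, sev, age - SLA_DAYS[sev]))
    return out


def reopened(findings=FINDINGS):
    """Findings closed once and detected again later on the same host:
    evidence that remediation was not effective (or was reverted).
    Returns (id, host, closed on, seen again on)."""
    closed_seen = {}
    hits = []
    for fid, host, sev, seen, closed in sorted(findings, key=lambda f: f[3]):
        key = (fid, host)
        if key in closed_seen and seen > closed_seen[key]:
            hits.append((fid, host, closed_seen[key], seen))
        if closed is not None:
            closed_seen[key] = closed
    return hits


def open_by_severity(as_of=AUDIT_DATE, findings=FINDINGS):
    """Count findings open at a point in time, by severity."""
    c = Counter()
    for _, _, sev, seen, closed in findings:
        if seen <= as_of and (closed is None or closed > as_of):
            c[sev] += 1
    return dict(c)


def period_over_period(period_end=AUDIT_DATE, days=30, findings=FINDINGS):
    """Open counts at period end minus open counts at the end of the previous
    period; a positive delta means the backlog grew for that severity."""
    now = open_by_severity(period_end, findings)
    before = open_by_severity(period_end - timedelta(days=days), findings)
    return {sev: now.get(sev, 0) - before.get(sev, 0) for sev in SLA_DAYS}


if __name__ == "__main__":
    print("Overdue:", overdue())
    print("Reopened:", reopened())
    print("Open by severity:", open_by_severity())
    print("Change vs previous 30 days:", period_over_period())
```

The reopened check is the one that speaks to remediation effectiveness: a ticket marked closed says nothing on its own, whereas the same finding reappearing on the same host after closure is objective evidence that the fix did not hold, and each such case is worth tracing back to the change that was supposed to resolve it.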

Page 16

1. Information Security…

The audit

Vulnerability assessment —

• Performs a regular attack and penetration (A&P) review. Not basic A&Ps that only scan for vulnerabilities but risk-based and objective-driven penetration assessments tailored to measure the company’s ability to detect and respond to the threats that the company is most concerned about.

Audit considerations

• What vulnerabilities exist, and are exploits of these vulnerabilities detected?

• What is the organization’s response time when intrusion is detected?

Page 17

2. Business Continuity Management

The audit

Business continuity program integration and governance audit —

• Evaluates the organization’s overall business continuity plan, including program governance, policies, risk assessments, business impact analysis, vendor/third-party assessment, strategy/plan, testing, maintenance, change management and training/awareness.

Audit considerations

• Does a holistic business continuity plan exist for the organization?

• How does the plan compare to leading practice?

• Is the plan tested?

Page 18

2. Business Continuity Management…

The audit

Disaster recovery audit —

• Assesses IT’s ability to effectively recover systems and resume regular system performance in the event of a disruption or disaster.

Audit considerations

• Are disaster recovery plans aligned with broader business continuity plans?

• Do testing efforts provide confidence that systems can be effectively recovered?

• Are all critical systems included? Are critical systems defined?

Page 19

2. Business Continuity Management…

The audit

Crisis management audit —

• Reviews the organization’s crisis management plans, including overall strategy/plan, asset protection, employee safety, communication methods, public relations, testing, maintenance, change management and training/awareness.

Audit considerations

• Are crisis management plans aligned with broader business continuity plans?

• Are plans comprehensive and do they involve the right corporate functions?

• Are plans well communicated?

Page 20

3. Mobile

The audit

Mobile device configuration review —

• Identifies risks in mobile device settings and vulnerabilities in the current implementation.

• This audit would include an evaluation of trusted clients, supporting network architecture, policy implementation, management of lost or stolen devices, and vulnerability identification through network accessibility and policy configuration.

Audit considerations

• How has the organization implemented “bring your own device” (BYOD)?

• Are the right policies/mobile strategies in place?

• Are mobile devices managed in a consistent manner?

• Are configuration settings secure and enforced through policy?

• How do we manage lost and stolen devices?

• What vulnerabilities exist, and how do we manage them?

Page 21

3. Mobile…

The audit

Mobile application black box assessment —

• Performs the audit using different front-end testing strategies: scans for vulnerabilities using various tools, and manually verifies the scan results. Attempts to exploit the vulnerabilities identified in mobile web apps.

Audit considerations

• What vulnerabilities can be successfully exploited?

• How do we respond when exploited, and do we know an intrusion has occurred?

Page 22

3. Mobile…

The audit

Mobile application gray box assessment —

• Combines traditional source code reviews (white box testing) with front-end (black box) testing techniques to identify critical areas of functionality and symptoms of common poor coding practices. Each of these “hot spots” in the code should be linked to the live instance of the application, where manual exploit techniques can verify the existence of a security vulnerability.

Audit considerations

• How sound is the code associated with the mobile applications used within the organization?

• What vulnerabilities can be exploited within the code?

Page 23

4. Cloud

The audit

Cloud strategy and governance audit —

• Evaluates the organization’s strategy for utilizing cloud technologies.

• Determines whether the appropriate policies and controls have been developed to support the deployment of the strategy.

• Evaluates alignment of the strategy to overall company objectives and the level of preparedness to adopt within the organization.

Audit considerations

• Is there a strategy around the use of cloud providers?

• Are there supporting policies to follow when using a cloud provider? Are policies integrated with legal, procurement and IT policies?

Page 24

4. Cloud…

The audit

Cloud security and privacy review —

• Assesses the information security practices and procedures of the cloud provider. This may be a review of their ISAE 3402 Type 1 or Type 2 report(s), a review of their security SLAs and/or an on-site vendor audit. (A Type 1 report covers control design at a point in time; only a Type 2 report covers operating effectiveness over a period, and the complementary user entity controls it lists remain the customer’s responsibility.)

• Determines whether IT management worked to negotiate security requirements into their contract with the provider.

• Reviews procedures for periodic security assessments of the cloud provider(s), and determines what internal security measures have been taken to protect company information and data.

Audit considerations

• Has a business impact assessment been conducted for the services moving to the cloud?

• Does your organization have secure authentication protocols for users working in the cloud?

• Have the right safeguards been contractually established with the provider?

Page 25

4. Cloud…

The audit

Cloud provider service review —

• Assesses the ability of the cloud provider to meet or exceed the agreed-upon SLAs in the contract. Areas of consideration should include technology, legal, governance, compliance, security and privacy. In addition, assesses what contingency plans exist in case of failure, liability agreements, extended support, and the inclusion of other terms and conditions as part of the service contracts, as well as availability, incident and capacity management and scalability.

Audit considerations

• What SLAs are in place for uptime, issue management and overall service?

• Has the cloud provider been meeting or exceeding the SLAs?

• What issues have there been?

• Does the organization have an inventory of uses of external cloud service providers, sponsored both within IT and directly by the business units?

Page 26

5. IT risk management

The audit

IT risk management strategy assessment —

• Assesses the framework and process IT has embedded within the function to assess and manage risks. Evaluates the actions taken to mitigate risks and the level of accountability within the process.

Audit considerations

• How well does IT identify risks?

• What is done once a risk is identified?

• Are IT risk management processes followed?

• Does your IT risk program cover all of IT, including shadow IT?

• Is responsibility for risk coverage clearly defined?

• How are IT risks identified, remediated or accepted?

Page 27

5. IT risk management…

The audit

IT governance audit —

• Evaluates the processes IT has in place to govern capital allocation decisions, project approvals and other critical decisions.

Audit considerations

• Do formalized processes for governing IT exist?

• What can be done to increase business confidence in IT governance?

• Are IT governance processes and requirements applicable across all of IT?

• Are there formal charters, mandates and responsibilities documented and followed by key steering committees?

Page 28

5. IT risk management…

The audit

IT risk assessment —

• Participates in IT’s own risk assessment (as opposed to the independent IT internal audit risk assessment) as an advisory audit. Evaluates the risks identified and provides insight given the unique perspective on the IT organization.

Audit considerations

• Is there a comprehensive risk assessment performed to identify all IT risks?

• Is the IT risk assessment process effective?

• How can the process be enhanced?

• Is there an opportunity to coordinate the IT internal audit risk assessment with IT’s own risk assessment?

Page 29

5. IT risk management…

The audit

Technology enablement/GRC package selection —

• Evaluates the organization’s current use of GRC software, or its GRC software selection process. Provides value-added insight on critical business requirements.

Audit considerations

• How can GRC software be effectively used within the organization?

• How mature is the organization’s use of existing GRC software? Do we use all functionality available to us?

• What are the key business requirements for GRC software?

• How many GRC technology solutions are in use across the organization? Is there an opportunity for solution convergence?

• What is the level of risk reporting provided to stakeholders to support IT risk decisions?

Page 30

6. IT investments program risk

The audit

Project management methodology audit —

• Assesses the design of processes and controls in place to manage projects against leading practices.

Audit considerations

• Are the right processes and controls in place to ensure that projects are delivered on time, on budget and with the right resources?

• Are controls in place to measure achieved benefits against intended benefits after project completion?

Page 31

6. IT investments program risk…

The audit

Project and program execution audit —

• Evaluates common areas of high risk on programs (e.g., third-party contracting, business change, test strategy, data migration). Outputs provide confidence to management that high-risk areas have been independently checked and verified to leading practice.

Audit considerations

• Is project/program management methodology being followed correctly?

• What is done when projects are under-performing?

• How is project risk assessed and managed?

Page 32

6. IT investments program risk…

The audit

Portfolio risk review —

• Reviews strategy, projects and programs to assess alignment. This review focuses on assessing the prioritization of the project portfolio in support of increasing value and reducing the risk to which the transformation portfolio exposes the organization.

Audit considerations

• Do the right governance processes exist to ensure that projects/programs align to company strategy?

• How is the portfolio managed as corporate objectives change?

Page 33

7. Software/IT asset management

The audit

IT and software asset management process and control audit —

• Assesses the design and effectiveness of processes and controls IT has deployed related to software and IT asset management.

• Reviews the impact of these processes on related IT processes such as IT service management, IT contract management and information security.

Audit considerations

• Is there a comprehensive approach to IT asset and software management?

• How well are software license costs managed?

• Is there an IT and software asset management technology solution in place to support these processes? If not, should there be?

Page 34

7. Software/IT asset management…

The audit

Software license review —

• Performs a review of significant software license agreements (e.g., ERPs) and evaluates the effectiveness of IT’s software asset management process in practice. Assesses opportunities for cost reduction from improving the management of software licenses.

Audit considerations

• Are there opportunities to renegotiate software licensing agreements based on the way software is actually utilized versus the way the original contracts were negotiated?

• Are any existing contractual agreements violated?

Page 35

7. Software/IT asset management…

The audit

IT contract management assessment —

• Evaluates the IT organization’s ability to manage contracts and how effectively IT and supply chain coordinate to manage costs and negotiate effective agreements.

Audit considerations

• Are IT asset and software contracts planned, executed, managed and monitored effectively?

• Are there “shadow IT” contractual agreements executed in other parts of the organization?

Page 36

8. Social media risk management

The audit

Social media risk assessment —

• Collaborates with the IT organization to assess the social media activities that would create the highest level of risk to the organization. Evaluates the threats to the organization’s information security through the use of social media. This audit may be combined with a social media governance audit to then confirm policies have been designed to address the highest risks to the organization.

Audit considerations

• Does the organization understand what risks exist related to social media?

• How well are the identified risks managed?

Page 37

8. Social media risk management…

The audit

Social media governance audit —

• Evaluates the design of policies and procedures in place to manage social media within the organization. Reviews policies and procedures against leading practices.

Audit considerations

• Does a governance process exist for social media within the organization?

• How well are policies related to social media known amongst employees?

Page 38

8. Social media risk management…

The audit

Social media activities audit —

• Audits the social media activities of the organization and its employees against the policies and procedures in place. Identifies new risks and assists in developing policies and controls to address the risks.

Audit considerations

• Are social media activities aligned to policy?

• What corrective actions need to be put in place given activity?

• How does existing activity affect brand and reputation?

Page 39

9. Segregation of duties/identity and access management

The audit

Systematic segregation of duties review audit —

• Evaluates the process and controls IT has in place to effectively manage segregation of duties. Performs an assessment to determine where segregation of duties conflicts exist and compares the result to the known conflicts communicated by IT. Evaluates the controls in place to manage risk where conflicts exist.

Audit considerations

• How does IT work with the business to identify cross-application segregation of duties issues?

• Do business personnel understand ERP roles well enough to perform user access reviews?

• While compensating controls identified for SoD conflicts may detect financial misstatement, would they truly detect fraud?

Page 40

9. Segregation of duties/identity and access management…

The audit

Role design audit —

• Evaluates the design of roles within ERPs and other applications to determine whether inherent SoD issues are embedded within the roles. Provides role design, role cleanup or role redesign advisory assistance and pre- and post-implementation audits to solve identified SoD issues.

Audit considerations

• Does the organization design roles in a way that creates inherent SoD issues?

• Do business users understand the access being assigned to roles they are assigned ownership of?
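Both the systematic SoD review and the role design audit above come down to one test: take the functions each role grants, the roles each user holds and a rule set of conflicting functions, then look for rules satisfied either within a single role (a conflict inherent in the role design) or only by the combination of roles a user holds, possibly across applications, which is exactly the cross-application case a single ERP’s own SoD report will not show. The following is an added example, not from the presentation or from any GRC product; the applications, roles, function names, users and conflict rules are constructed for illustration.

```python
"""Cross-application segregation-of-duties (SoD) analysis.

Added example, not from the original slides.  Applications, roles,
functions, users and the SoD rule set are constructed for illustration.
"""

# Conflicting business-function pairs (constructed SoD rule set).
# Function names are application-independent so that a conflict is
# detected even when the two halves live in different systems, e.g.
# vendor master maintenance in the ERP and payment release in treasury.
SOD_RULES = {
    frozenset({"maintain_vendor_master", "release_payment"}): "Fictitious vendor payment",
    frozenset({"create_purchase_order", "post_goods_receipt"}): "Unauthorised procurement",
    frozenset({"post_journal", "approve_journal"}): "Self-approved journal",
}

# Role definitions: role -> set of (application, function).  Constructed.
ROLES = {
    "ERP_AP_CLERK":   {("ERP", "maintain_vendor_master"), ("ERP", "create_purchase_order")},
    "ERP_GL_SUPER":   {("ERP", "post_journal"), ("ERP", "approve_journal")},  # inherent conflict
    "TREASURY_PAYER": {("TREASURY", "release_payment")},
    "WH_RECEIVER":    {("WMS", "post_goods_receipt")},
}

# User -> roles held across applications.  Constructed.
USERS = {
    "alice": {"ERP_AP_CLERK", "TREASURY_PAYER"},  # conflict only from combining roles, across apps
    "bob":   {"ERP_GL_SUPER"},                     # conflict inherited from role design
    "carol": {"WH_RECEIVER"},                      # clean
}


def functions_of(role_names):
    """Flatten a set of roles into the (application, function) pairs they grant."""
    return set().union(*(ROLES[r] for r in role_names)) if role_names else set()


def conflicts_in(entitlements):
    """Return sorted (rule name, function a, function b) for every SoD rule
    that a set of (application, function) entitlements violates."""
    funcs = {f for _, f in entitlements}
    found = []
    for pair, name in SOD_RULES.items():
        if pair <= funcs:
            a, b = sorted(pair)
            found.append((name, a, b))
    return sorted(found)


def inherent_role_conflicts():
    """Role design audit: roles that violate an SoD rule on their own."""
    return {role: conflicts_in(ents) for role, ents in ROLES.items() if conflicts_in(ents)}


def user_conflicts():
    """Systematic SoD review: users whose combined roles violate a rule, noting
    whether the conflict arises only from the combination of roles (not inherent
    in any single role) and whether it spans more than one application."""
    report = {}
    for user, roles in USERS.items():
        ents = functions_of(roles)
        hits = conflicts_in(ents)
        if not hits:
            continue
        inherent = {c for r in roles for c in conflicts_in(ROLES[r])}
        details = []
        for hit in hits:
            apps = {app for app, f in ents if f in hit[1:]}
            details.append({
                "rule": hit[0],
                "from_role_combination": hit not in inherent,
                "cross_application": len(apps) > 1,
                "applications": sorted(apps),
            })
        report[user] = details
    return report


def unreported_conflicts(known):
    """Compare detected user conflicts with the list IT communicated
    (a set of (user, rule name) pairs) and return those IT did not report."""
    detected = {(u, d["rule"]) for u, ds in user_conflicts().items() for d in ds}
    return sorted(detected - set(known))


if __name__ == "__main__":
    print("Inherent role conflicts:", inherent_role_conflicts())
    print("User conflicts:", user_conflicts())
    # Constructed: IT's own SoD report only knows about bob's GL super-user role.
    print("Unreported:", unreported_conflicts({("bob", "Self-approved journal")}))
```

The two flags in the user report map to the two audits: a conflict with from_role_combination false is a role design finding (fix the role), while one with cross_application true is the kind that only appears when entitlements from every system are combined under one user identity, which is why the extract has to come from the IAM layer or from all applications, not from one ERP.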

Page 41

9. Segregation of duties/identity and access management…

The audit

Segregation of duties remediation audit —

• Follows up on previously identified external and internal audit findings around SoD conflicts.

Audit considerations

• Does the organization take appropriate action when SoD conflicts are identified?

• Have we proactively addressed SoD issues to prevent year-end audit issues?

Page 42

9. Segregation of duties/identity and access management…

The audit

IAM/GRC technology assessment —

• Evaluates how IAM or GRC software is currently used, or could be used, to improve SoD controls and processes.

Audit considerations

• Is IAM or GRC software currently used effectively to manage SoD risk?

• What software could be utilized to improve level of SoD control, and what are the business requirements?

Page 43

10. Data loss prevention and privacy

The audit

Data governance and classification audit —

• Evaluates the processes management has put in place to classify data and to develop plans to protect the data based on the classification.

Audit considerations

• What sensitive data is held, and what is the most important data?

• Where does sensitive data reside, both internally and with third parties?

• Where is the data going?

Page 44

10. Data loss prevention and privacy…

The audit

DLP control review —

• Audits the controls in place to manage privacy and data in motion, in use and at rest. Considers the following scope areas: perimeter security, network monitoring, use of instant messaging, privileged user monitoring, data sanitization, data redaction, export/save control, endpoint security, physical media control, disposal and destruction, and mobile device protection.

Audit considerations

• What controls are in place to protect data?

• How well do these controls operate?

• Where do the vulnerabilities exist, and what must be done to manage these gaps?
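Testing whether the DLP controls actually operate (the second consideration above) usually means checking that the content inspection behind them recognises the data the classification scheme calls sensitive, without flagging every long number in an export. The following is an added example, not from the presentation or from any DLP product: an illustrative content classifier that looks for payment card numbers (validated with the Luhn check so that order numbers and tracking ids are not flagged), e-mail addresses and an income-tax PAN-style identifier, runs over constructed sample lines, and masks card numbers in what it reports. The classification levels and patterns are assumptions, and the sample lines are constructed.

```python
"""Content inspection for a DLP control test.

Added example, not from the original slides.  Sample lines are constructed;
the detection rules and classification levels are illustrative assumptions,
not a vendor's rule set.
"""
import re

# Candidate card numbers: 13-19 digits, optionally separated into groups by
# spaces or hyphens.  The regex over-matches on purpose; the Luhn check below
# removes most numeric noise (order numbers, timestamps, tracking ids).
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Indian income-tax PAN format (five letters, four digits, one letter);
# named TAX_ID here to avoid confusion with card primary account numbers.
TAX_ID = re.compile(r"\b[A-Z]{5}\d{4}[A-Z]\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return Luhn-valid card numbers found in text, normalised to digits only."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def classify(text: str) -> dict:
    """Classify one line and report what triggered the classification.

    Assumed levels: 'restricted' (payment card data), 'confidential'
    (tax identifier or personal contact data), 'internal' (nothing found).
    """
    cards = find_card_numbers(text)
    tax_ids = TAX_ID.findall(text)
    emails = EMAIL.findall(text)
    if cards:
        level = "restricted"
    elif tax_ids or emails:
        level = "confidential"
    else:
        level = "internal"
    return {"level": level, "cards": cards, "tax_ids": tax_ids, "emails": emails}


def mask_card(digits: str) -> str:
    """Redaction for reports and logs: keep the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(lines):
    """Classify every line; return (line number, finding) for each line that is
    not 'internal', with card numbers masked so the report itself is not a leak."""
    findings = []
    for n, line in enumerate(lines, 1):
        c = classify(line)
        if c["level"] != "internal":
            c["cards"] = [mask_card(x) for x in c["cards"]]
            findings.append((n, c))
    return findings


# Constructed sample export, as might be found in an outbound e-mail
# attachment or on a file share.  4111 1111 1111 1111 is a well-known
# Luhn-valid test number; 1234 5678 9012 3456 is not Luhn-valid.
SAMPLE = [
    "order 20151027-0001 shipped",
    "refund to card 4111 1111 1111 1111 approved",
    "reference 1234 5678 9012 3456 (tracking id, not a card)",
    "customer ABCDE1234F, contact someone@example.com",
]

if __name__ == "__main__":
    for n, finding in scan(SAMPLE):
        print(n, finding)
```

Line 3 of the sample is the false-positive control: a sixteen-digit run that fails the Luhn check is not reported, which is the behaviour to confirm in the real DLP rule set before trusting its alert volume as a measure of how well the control operates. A DLP rule that only pattern-matches digits will either be tuned into silence by operators or drown the true positives.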

Page 45

10. Data loss prevention and privacy…

The audit

Privacy regulation audit —

• Evaluates the privacy regulations that affect the organization, and assesses management’s response to these regulations through policy development, awareness and control procedures.

Audit considerations

• How well do we understand the privacy regulations that affect global business? For example, multiple overlapping privacy acts across jurisdictions are a potential risk to all organizations.

• Are policies updated and communicated in a timely manner?

• Do users follow control procedures to address regulations?

Page 46

How to make a difference

Practical advice for applying internal audit’s resources

1. Ensure that the internal audit function has the right development practices and the right mix of people: headcount is just a number.

2. Ensure that sound recruitment processes for the internal audit team are in place. Be clear about the skills that are required and that the people recruited have them: recruitment is the most important management activity that any head of internal audit will carry out.

3. Equip the people in the function with the right tools to do the job. Are they working efficiently and effectively? What controls and procedures are in place to check?

4. Minimise duplication between the work that internal audit does and the work of the other assurance providers to the business.

5. Learn from the best practices being used by external or other assurance providers, such as external consultants and the Big Four accounting firms.

6. Internal audit must check its own performance as well as the departments it audits: is the feedback from customers and stakeholders good? Does the executive team value internal audit’s contribution? How is feedback monitored, measured and reported?


Practical advice on how to scope internal audit’s work

1. Agree the scope of internal audit’s work with the audit committee and have it built into the audit charter, but try to leave a degree of flexibility so that the function can react to emerging risks that become a priority.

2. Look at the range and depth of assurance that is being provided to management from other assurance providers within the organisation: this will reduce duplication and free up resources to provide deeper assurance in other areas.

3. Make sure that internal audit’s work is aligned to management’s view of risk: the function may be focussing on the wrong issues if it does not understand management’s risk priorities.


Practical advice on auditing projects

1. Make sure internal audit understands what the project is trying to do, and how it is going to be carried out.

2. Ensure that part of the internal audit team has experience of working on projects, and that the function has the skills/resources to carry out the work.

3. Check that there is a mechanism for the project to be self-assessed.

4. Consider using an integrated assurance framework: this will provide more visibility about how the project is being run, as well as better management information. It will also highlight any gaps in assurance.

5. Conduct periodic reviews throughout the project life-cycle to see that the project is on track.


Practical advice in fostering a good working relationship with the audit committee chair

1. Ensure you have access when necessary: make it clear that there will be times when you will need to speak to the audit committee chair prior to or after meetings. Similarly, make sure you are available if the audit committee has queries.

2. Know your audience: deliver the information that has been requested, in the way that the audit committee wants it – do members want summaries, full reports, or presentations?

3. Constantly demonstrate the value of internal audit: let the audit committee know what skills and experience the internal audit function has, and suggest other ways that it could add value or provide assurance.


Practical advice in implementing a risk-based internal audit approach

1. Review whether senior management and the business share the same view of risk – highlight where differences occur to ensure that the right risks and controls are targeted in the audit plan.

2. Identify and prioritise risks to be reviewed in each business area and develop an “audit universe” to ensure that no key business activities are overlooked and account is taken of previous audit coverage.

3. Develop an audit programme that stretches the team and promotes a high degree of productivity and limited downtime. For example, an auditor can work simultaneously on the reporting phase of one audit and the planning phase of the next.

4. Establish a “warning” system to notify internal audit whether recommendations for further action are being implemented on time and correctly.

5. Ensure that internal audit follows up on reports to check that senior managers are implementing internal audit’s recommendations properly.

6. Risk-based internal audit is not just for large internal audit departments – the smaller the internal audit team, the more important it is for it to follow a risk-based approach. A risk-based internal audit approach can ensure that resources are prioritised on reviewing the controls for the most significant risks to the organisation’s objectives.

7. The success of a risk-based internal audit approach is dependent on identifying the correct risks to review from the start. Internal audit must do this to add value to management as well as providing assurance to the audit committee.


Practical advice on evaluating the impact of internal audit

1. Issue feedback requests after every audit review, keep a “score” of comments from the business and act quickly and positively on the feedback.

2. Consider carrying out a benchmarking review with a similar-sized organisation in the same industry sector to compare and contrast approaches to internal audit and resourcing.

3. Ask the organisation to conduct an external review of the internal audit activity and approach.

4. Stress the importance of internal audit as an independent challenge to management, and that the function acts as a strategic partner to the business.

5. Keep management and the audit committee informed about the progress of internal audit work, and make them aware of other activities that the function might be able to provide expertise in.

6. Keep an up-to-date record of the number of recommendations that internal audit has made, and the number of actions that management has completed.

7. Review internal audit’s performance annually against the professional Standards.


Examples of Sectoral Legislation and Policy with Data Privacy and Security Implications


• Indian Companies Act, 2013

• Banking

1. The Negotiable Instruments Act, 1881
2. The Prevention of Money Laundering Act, 2002
3. The Bankers Book Evidence Act, 1891
4. Credit Information Companies (Regulation) Act, 2005
5. The Insurance Act, 1999
6. Public Financial Institutions (Obligation as to Fidelity and Secrecy) Act, 1983
7. Payment and Settlement Systems Act, 2007
8. The Banking Regulation Act, 1949
9. Indian Income Tax Act, 1961
10. Foreign Contribution Regulation Act, 2010
11. RBI Guidelines
12. Fair Practice Code for Credit Card Operations, 2010
13. Gopalkrishna Working Group report, 2011

• E-governance & Identity

1. The Passport Act, 1967
2. The Representation of People Act, 1950
3. The Indian Penal Code, 1860
4. The Census Act, 1948
5. The Citizenship Act, 1955
6. The Registration of Births and Deaths Act, 1969
7. The Collection of Statistics Act, 2008
8. The Unique Identification Bill, 2010
9. The DNA Profiling Bill, 2007

• Consumer

1. The Contract Act, 1872
2. The Indian Consumer Act, 1986

• Freedom of Expression

1. The Press Council Act, 1978
2. Cable Television Networks Regulations Act, 1995
3. Content Certification Rules, 2008
4. Justice (Care and Protection of Children) Act, 2000
5. Contempt of Courts Act, 1971
6. Code of Criminal Procedure, 1973
7. The Indian Copyright Act, 1957

• Law Enforcement

1. The National Security Act, 1980
2. The Indian Evidence Act, 1872
3. National Investigation Agency Act, 2008
4. Intelligence Organizations (Restrictions of Rights) Act, 1985
5. Central Bureau of Investigation Bill, 2010
6. The Intelligence Services (Powers and Regulations) Bill, 2011

• Internet and Communications

1. The Information Technology Act, 2000
2. The Telegraph Act, 1885
3. The Unlawful Activities (Prevention) Act, 2002
4. ISP License
5. UASL License
6. TRAI Regulations on Unsolicited Marketing Calls

• Medical

1. Medical Council of India’s Code of Ethics Regulations, 2002
2. Epidemic Diseases Act, 1897
3. Mental Health Act, 1987
4. The Persons with Disabilities Act, 1955
5. Pre-Natal Diagnostic Techniques Act, 1994
6. Medical Termination of Pregnancy Act, 1971
7. Ethical Guidelines for Biomedical Research on Human Subjects

• Transparency

1. The Right to Information Act, 2005
2. The Official Secrets Act, 1923
3. The Prevention of Corruption Act, 1988
4. The Securities and Exchange Board of India Act, 1992
5. The Monopolies and Restrictive Trade Practices Act, 1969
6. The LokPal Bill, 2011
7. The Public Interest Disclosure and Protection to Persons Making Disclosures Bill, 2010


THANK YOU

[email protected]