Deloitte Internal Audit

Presentation transcript:

Deloitte Internal Audit
Wednesday 18 October
Paul McGinty / Adnan Saleem

Deloitte Internal Audit
- The role of internal audit
- The Deloitte team
- Our experience
- Our objectives
- Work so far
- Audit planning
- An integrated approach
- IT internal audit
- The audit plan and associated reviews
- Further internal audit services
- Discussion

Management, the board and the audit committee look to Internal Audit to provide assurance that appropriate controls are designed and operating effectively to manage technology risks both today and in the future. Dedicated IT internal auditors should form part of an Internal Audit team and assist in addressing the risks arising from and relating to the use of technology. The importance of IT is continually growing and this needs to be matched by the skills of the auditors who provide assurance over IT controls.

The role of internal audit
- Provide independent assurance to the Audit Committee and to the University Court that an adequate system of internal control is in place within the University.
- Management look to internal audit to provide assurance that appropriate controls are designed and operating to manage business processes and technology risks both today and in the future.
- How? By reviewing and auditing the most important risks and the most important processes within the University.
- Add value, process improvement and increased assurance to the University and its operations.

The Deloitte Team
- Colin Gibson, Partner
- Paul McGinty, Director (Internal Audit)
- Laura Green, Assistant Manager (Internal Audit)
- Adnan Saleem, Manager (IT Internal Audit)

Our Experience
- Team dedicated to internal audit, risk management and governance
- Experience working with a number of other Scottish Universities
- Strong credentials across the UK and internationally
- Broad experience across public and private sector and across key process areas

Our Objectives
- Work openly and constructively with you
- Understand you and the University of Glasgow
- Work towards developing and improving internal control and assurance
- Meet with you again soon

Work so far
- Appointed in August 2006
- Undertaken Business Risk Workshop with senior management team
- Developed Internal Audit plan for approval by Audit Committee
- Undertaken initial work on key process and risk areas including Purchasing, Accounts Payable, Revenue, Payroll and the IT security framework
- Detailed plan of work outlined for 2006/7

Audit planning (diagram): IA Project Plan; Process Universe; Business Risks

Conducting a review
1. Initial planning with key stakeholders
2. Produce draft scope / specification
3. Agree scope
4. Perform review
5. Discuss findings with management
6. Present draft report
7. Obtain management comment and agree action plan

Aligning IT internal audit and operational audit plans
Aligning Operational and IT Audit is extremely important for a number of reasons:
- Many business risks faced are dependent upon IT
- Management is dependent on IT supporting the business

An integrated audit approach consists of one team of operational and IT specialists working together to look at the business events and transactions, determining the controls and identifying the most efficient and effective ways to test these controls.

Why is it important? Timely alignment of audit effort across IT and business auditors.
What does it mean? Example: GL review for Agresso.

Integrated Approach

Figure 2.1 – An Integrated IT Internal Audit approach (diagram): the 'traditional' approach and an 'integrated' approach, each shown as layers of Business Processes (process controls: Process A to D), Business Events & Transactions, Applications (application controls: Application 1 to 3) and IT Infrastructure (general controls).

The 'traditional' approach – key features:
- Separate business and IT Internal Audit teams
- Work not co-ordinated
- Detailed technical focus to IT Internal Audit work which is difficult to relate to business processes
- Business audit teams test what they can see – automated controls are assumed to work

An 'integrated' approach – key features:
- One team comprising process and IT specialists working side-by-side
- IT findings are business process specific

Key benefits:
- The IT specialists gain an understanding of the business elements of the cycle while the business specialists develop an understanding of which applications are integral to the business process.
- The integrated audit approach focuses the scope of IT Internal Audit on the applications and IT infrastructure which are directly linked to the business process, reducing redundant or unnecessary work.
- The IT findings are business process specific, which increases management's understanding of their relevance and impact as well as ensuring their support.

IT Internal Audit & answering the difficult questions

Key questions that IT internal audit can play a role in addressing:
- Can I trust the integrity of information being used to make business decisions?
- What are my most significant IT risks? …and what is being done in my organisation to address these?
- Are applications being developed, implemented and maintained in a well-controlled manner?
- Do my IT governance efforts support wider regulatory and compliance efforts?
- Are third party outsourcers meeting service levels and control commitments?
- How good is my IT security?
- Will my systems and information be available when I need them? …and does it fit together in an efficient and cohesive manner?

As internal audit we work closely with our clients to understand the challenges they face, bringing added benefits such as knowledge transfer, specialist skills and best practice methodologies.

Emerging areas of risk
Some key challenges:
- Data Governance: ownership, classification, storage, assessment of risk (e.g. third party access)
- IT Governance: risk management, KPIs, reporting, communication
- Regulation: Data Protection Act, Computer Misuse Act

Speaker notes:
- Data Gov: who owns data, how do we assign ownership, how is it communicated, storage (shared drive), assessment of risk
- IT Gov: risk management process (how are risks raised), key performance indicators, representative reporting
- Regulations: risk management process, key performance indicators


IT Internal Audit plan
- Review of Business Continuity Planning: arrangements for business continuity in the event of a significant incident or disaster require formal review, covering all key aspects of B.C.P.
- Review of ICT Strategy and Governance: this review will assess how ICT strategy and overall governance of IT is managed and controlled in order to provide a comprehensive view of the current and forward strategic plan for IT.
- Review of Information and Network Security: it is critical that information assets and network structures are robust, well managed and protected from threats. This review will assess the quality of controls around information and network security.
- Review of Software License Management: it is critical that software in use within the University is properly managed and controlled and that software license arrangements are effective. This review will assess the adequacy and effectiveness of controls in this area.

What happens next
- Risk register
- Regular follow-up
- Report updates / current status
- Audit committee
- See some of you soon

Emerging technologies
Keeping pace with emerging technologies. Increasing security threats and the pressure to work faster and be more effective poses a significant challenge.

Operating systems security: SekChek® benchmarks computer security against real-life averages by industry sector. SekChek offers:
- Comprehensive reporting on system-based security controls, not sample-based;
- An independent assessment of security against international standards;
- Bench-marking against industry averages for security compiled from 20,000 systems in 80 countries;
- Minimal client intervention.

Further IT internal audit services
- IT Security & Privacy: Infrastructure security; Security governance; Web applications; Biometrics; Identity & Access Management.
- IT Project Assurance: Project management co-sourcing; Project review and risk assessment; Project audit against specific standards (e.g. Prince2, COBIT 4.0).
- Business Continuity: Crisis Management; Business Continuity & Resumption; IT Disaster Recovery.
- Data Management: Data investigation; Data migration.
- IT Governance: Strategic IT planning; IT monitoring and risk reporting, IT change

Project Risk Management Process (diagram): Project Goals & Objectives; Identify & Assess Project Risks; Project Risk Management Strategies; Project Risk Control Processes; Monitor Project Risk Management Process; Information for Decision Making; Improve Risk Management Process.

Our project assurance capabilities across the project life cycle (Project Initiation, Project Development, Project Roll-out, Project Monitoring):
- Business case and cost / benefit analysis
- Design and implementation of project management and control processes
- Project strategy and testing
- Data migration
- Control framework design and implementation
- Contingency planning
- Development and modification of technical and process documentation
- User support
- Management information and project reporting
- Third party management controls and reporting
- Pre and post implementation reviews

Business Continuity Management (timeline diagram): Normal Operations, then Disaster!, then Business Recovery, then Normal Operations again; resilience, redundancy etc. precede the incident, BCP, DRP and contingency plans cover the recovery, and lessons learned are implemented afterwards.

Mapping to frameworks/regulations
An effective IT Governance framework should be an integral part of the existing governance and reporting structure, fully supported by management and deployed throughout the organisation. It should enable IT to demonstrate:
- How it supports the business strategy;
- Compliance with all relevant laws and regulations; and
- Demands on IT are managed and met in an efficient, cost effective and consistent manner.

We have a proven methodology supported by a comprehensive compliance tool that enables us to analyse your current control environment.

Our IT Governance model (diagram):
1. Select the frameworks and regulations to be included (e.g. Sarbox, SYSC (FSA), Basel II, DPA, UK Acts, Computer Misuse etc., COBIT, BS7799/2, ITIL). Output: control requirements.
2. Compare the control requirements with current controls. Output: gap analysis of current control coverage.
3. Chosen control set. Output: chosen control set.
4. Mapping of the chosen control set to frameworks and regulations. Output: mapping to frameworks/regulations.
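The four steps of the governance model above (select frameworks, derive control requirements, gap analysis against current controls, map the chosen control set back to each framework) can be worked through in code. This is an added illustration, not Deloitte's compliance tool: the framework clause references and control topics are constructed placeholders, not real clause numbers.

```python
from collections import defaultdict

# Step 1 (constructed): each framework/regulation chosen for the engagement,
# as (clause reference, control topic). References are placeholders, not real
# clause numbers; topics are the normalised language used for cross-mapping.
FRAMEWORKS = {
    "COBIT": [("C-01", "access_management"), ("C-02", "continuity_plan"),
              ("C-03", "change_control")],
    "BS7799": [("B-01", "access_management"), ("B-02", "continuity_plan"),
               ("B-03", "asset_inventory"), ("B-04", "change_control")],
    "DPA": [("D-01", "access_management"), ("D-02", "data_retention")],
    "ComputerMisuse": [("M-01", "access_management"), ("M-02", "logging")],
}


def control_requirements(chosen):
    """Step 2: requirements implied by the chosen frameworks, keyed by topic
    so that one control can satisfy clauses in several frameworks at once."""
    reqs = defaultdict(list)
    for fw in chosen:
        for ref, topic in FRAMEWORKS[fw]:
            reqs[topic].append(f"{fw}:{ref}")
    return dict(reqs)


def gap_analysis(requirements, current_controls):
    """Step 3: clause references not covered by any control the organisation
    can evidence, grouped per framework so each regime's exposure is visible."""
    gaps = defaultdict(list)
    for topic, refs in requirements.items():
        if topic not in current_controls:
            for ref in refs:
                gaps[ref.split(":")[0]].append(ref)
    return {fw: sorted(refs) for fw, refs in gaps.items()}


def coverage(requirements, current_controls):
    """Share of each framework's clauses met by current controls (0.0 to 1.0)."""
    met, total = defaultdict(int), defaultdict(int)
    for topic, refs in requirements.items():
        for ref in refs:
            fw = ref.split(":")[0]
            total[fw] += 1
            met[fw] += topic in current_controls
    return {fw: round(met[fw] / total[fw], 2) for fw in total}


def chosen_control_set(requirements, current_controls):
    """Step 4: the control set to carry forward (in place or to implement),
    each mapped to every framework clause it satisfies."""
    return {topic: {"status": "in place" if topic in current_controls else "to implement",
                    "satisfies": sorted(refs)} for topic, refs in requirements.items()}
```

Running `gap_analysis` with the constructed data shows why one missing control (here change control) appears as a gap in two frameworks at once, which is the point of mapping by topic rather than clause by clause.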

Close
- Questions
- Discussion

Contact Us
- pmcginty@deloitte.co.uk, 304 5112
- asaleem@deloitte.co.uk, 304 5108