IT Auditing in the Small Audit Shop
Beth Breier, CPA, CISA, City of Tallahassee
IIA Tampa, 2-3-2004

Presentation transcript:


Outline
• Using IT in Audits vs. IT Audits
• Types of IT Audits
• Determining What Audits to Do
• IT Audit Examples
• Successful Strategies
• References

Using IT in Audits
Using IT tools to analyze data within a performance or financial audit

Using IT in Audits
• Exporting data from application systems
• Using IT software to identify trends, “outliers”, exceptions, etc.
• Entire populations can be analyzed

Using IT in Audits
• MS Access
• ACL
• IDEA
• SQL
• Business Objects
• Focus

Using IT in Audits
• Disbursement data
  – Benford Analysis
  – Invoices between or over a specified dollar amount
  – Duplicate invoices
• Fleet data
  – Total work order costs by vehicle for year
• Transactions conducted by an individual user or vendor
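
Added example (not part of the original slides): the three disbursement tests named on this slide, written in Python and run over a small constructed data set. The sample rows, the 4,500.00 to 4,999.99 range and the 0.15 tolerance are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample rows: (invoice number, vendor, amount in cents).
ROWS = [
    ("INV-1001", "Acme Fleet Parts", 123450),
    ("INV1001", "Acme Fleet Parts", 123450),   # same payment re-keyed
    ("A-77", "Bolt Supply", 498000),
    ("A-78", "Bolt Supply", 499500),
    ("A-79", "Bolt Supply", 497525),
    ("C-5", "City Tire", 18999),
    ("C-6", "City Tire", 210000),
    ("D-1", "Delta Fuel", 31250),
    ("D-2", "Delta Fuel", 730000),
    ("E-9", "Echo Towing", 15000),
]

def benford_excess(rows, tolerance=0.15):
    """Leading digits whose observed share exceeds the Benford share
    log10(1 + 1/d) by more than `tolerance` (an assumed cut-off).
    Ten rows only show the mechanics; real use needs the full population."""
    counts = Counter(int(str(cents)[0]) for _, _, cents in rows if cents > 0)
    total = sum(counts.values())
    if total == 0:
        return []
    return [d for d in range(1, 10)
            if counts[d] / total - math.log10(1 + 1 / d) > tolerance]

def invoices_between(rows, low_cents, high_cents):
    """Invoice numbers with low <= amount <= high, e.g. just under a limit."""
    return [inv for inv, _, cents in rows if low_cents <= cents <= high_cents]

def duplicate_payments(rows):
    """Groups of invoices paid to the same vendor for the same amount."""
    groups = defaultdict(list)
    for inv, vendor, cents in rows:
        groups[(vendor.strip().lower(), cents)].append(inv)
    return {key: invs for key, invs in groups.items() if len(invs) > 1}

if __name__ == "__main__":
    print("Over-represented leading digits:", benford_excess(ROWS))
    print("4,500.00-4,999.99:", invoices_between(ROWS, 450000, 499999))
    print("Possible duplicates:", duplicate_payments(ROWS))
```

Grouping on vendor and amount rather than invoice number is what catches the re-keyed "INV1001"; each flagged item is a lead for follow-up testing, not a finding.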

IT Audit
Conducting an audit or review of information technology “to ensure the productivity, usefulness, and availability of the IT systems that serve organizations.”
IT Audits, Xenia Ley Parker (2003)

IT Audits
• Separate audit
• Combined with performance or financial audit

Types of IT Audits
• IT General Controls
• Application Controls - Software
• IT Project Progress

IT General Controls
General Controls are the structure, policies, and procedures that apply to an entity’s overall computer operations.
Federal Information System Controls Audit Manual, GAO, 1999

IT General Controls
• Entity-wide Security Planning and Management
• Access Controls
• Application Development/Change Controls
• System Software
• Segregation of Duties
• Service Continuity
• IT Governance

Software Application
Any application that affects the Financial Statements or provides information that management relies on to measure performance or make decisions.

Software Application
• Input
  – Including interfaces
• Processing
• Output
  – Including interfaces

IT Project Progress
Conducting an assurance and consulting audit during a specified phase of a major IT project.

IT Project Progress
• Audit Phases:
  – Planning
  – Acquisition
  – Implementation
  – Post-Implementation

Determining What Audits to Do
• Gain an understanding of IT in Organization:
  – Environments
  – Connectivity
  – Locations
  – Operating Systems
  – Application Systems

Environments
[Diagram labels: DATA; Remote; Network; Operating System; Database; Application; ISS Provides; Department-Owner Provides]

Example Network 1

Example Network 2

Example Network 3
Put in an example diagram of network

Determining What Audits to Do
• Listing of Operating Systems
  – Windows 95, 98, NT
  – Windows 2000, XP
  – UNIX
  – LINUX

Determining What Audits to Do
• Listing of all Software Applications and their Owners:
  – Financial statement related systems
  – Other systems

Example

Example

Example

Determining What Audits to Do
• Do a Risk Assessment and consider impact on:
  – Business Operations
  – Revenues
  – Expenditures
  – Management Decision-making
  – Political and public crisis

Determining What Audits to Do
• Other areas that impact Risk Assessment:
  – Available Staffing w/ needed skills
  – Meets Current Standards
  – Formal Business owner
  – Maturity of IS operations

Audit Planning
• Based on your risk assessment, outline a potential progression of audits:
  1. Start Broad
  2. Narrow down into specific areas

Consider All the Pieces
[Diagram labels: New IT System; Infrastructure and Security; IS General Operations; Performance Measures; Financial Statements]

Develop your IT Audit Plan
[Diagram labels: IS General Operations; Infrastructure and Security; Financial Statements; Performance Measures; New IT System]

IT Audit Examples
1. General Control - Logical Security
2. Application Control – Fleet Management System
3. IT Project Progress – Planning and Acquisition

General Controls - Audit Example: Logical Security
• Objectives:
  – General understanding of the network
  – Logical access paths
  – Adequacy of policies and procedures
  – Security controls management believed were in place

General Controls - Audit Example: Logical Security
• Objectives (Continued):
  – Controls in place to prevent unauthorized access in the City’s LAN
  – Accessibility to confidential information

General Controls - Audit Example: Logical Security
• Procedures:
  – Interview IS Staff and Business staff
  – Review network schema
  – Examine network security system settings, user specific settings
  – Examine relevant laws, ordinances, policies, etc., re: confidential information
  – Examine and test user security at network, databases, applications
  – Conduct vulnerability assessment procedures

Issues - Federal Agencies

Application Controls – Audit Example: Fleet Application
• Objectives
  – Understand the internal control components
  – Evaluate application controls
  – Evaluate selected general controls

Application Controls – Audit Example: Fleet Application
• Procedures
  – Review documentation
  – Identify and prioritize controls
  – Test effectiveness of controls
  – Examine interface programs and test interfaces
  – Test accuracy and completeness of reports

Application Controls – Audit Example: Fleet Application
• Issues:
  – Poor input controls (validation, etc.)
  – Specific controls not working
  – Calculations not accurate
  – Reports not complete or accurate
  – Interfaces not working as intended

Application Controls – Audit Example: Fleet Application
• Issues (Continued)
  – Lack of segregation of duties – users and IS staff
  – No software change management procedures
  – No written backup and recovery procedures

IT Project Progress – Audit Example: Public Safety Systems Integration
• Phase: Planning and Acquisition
• Objectives:
  – Compliance with City policies and procedures and contract requirements
  – Independent assessment of risk management and project controls
  – Project status and accomplishments
  – Significant issues and status

IT Project Progress – Audit Example: Public Safety Systems Integration
• Procedures:
  – Advisory (non-voting) member of project teams and committees
  – Review key documentation (RFPs, contracts)
  – Test transactions for appropriateness
  – Interview key IS and user department staff
  – Observe contract negotiations

IT Project Progress – Audit Example: Public Safety Systems Integration
• Issues:
  – No cost benefit analysis conducted
  – Needs assessment not documented
  – No documentation of major decisions
  – Lack of budget monitoring
  – Lack of management oversight
  – Lack of communication among project team and/or management

IT Project Progress – Audit Example: Public Safety Systems Integration
• Issues (Continued):
  – Needs and expectations exceed scope
  – Lack of communication among projects
  – No plan to address insufficient infrastructure to support new system
  – New system will require more technical expertise than City or department has

3 Recommended Strategies
• Start broad and then narrow the focus
• Limit scope for a reasonable time frame
• Plan specific IT training for staff

References - Audit Programs
• GAO Federal Information System Controls Audit Manual (FISCAM)
  – General Controls
  – Currently developing Chapter 4 on Application Controls
• NASACT Information Systems Security Audit Forum (ISSAF) web page

References - Audit Programs
• CoBIT - Information Systems Audit and Control Association (ISACA)
• ISACA Systems Auditability and Control
• IT Audits, Xenia Ley Parker, published by Aspen, 2003
• Handbook on IT Auditing (Warren, Edelson & Parker)

References - Audit Programs
• Federal Information Processing Standards (FIPS), including:
  – FIPS 46-3, Data Encryption Standard (DES)
  – FIPS 112, Password Usage
• Computer Security Resource Center

“Do what you can with what you have where you are.”
Theodore Roosevelt

QUESTIONS?