Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President,

Published byEden Daley Modified over 10 years ago

Similar presentations

Presentation on theme: "Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President,"— Presentation transcript:

1 Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President, Association of College & University Auditors rob.clark@business.gatech.edu voice (404) 894-4606/ fax (404) 894-6990 www.audit.gatech.edu Robert N. Clark, Jr., C.I.A., Director of Internal Auditing, Georgia Tech June 2003

2 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 2 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

3 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 3 Opportunities for Collaboration: 1.Assessing Risk

4 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 4 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage

5 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 5 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy

6 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 6 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices

7 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 7 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

8 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 8 Reporting Structure at GIT President Provost Sr. VP Admin & Finance Vice Chancellor for Audit Services Board of Regents Director of Internal Auditing Executive Staff CIO Director Info Security

9 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 9 Internal Audit Primary Mission Four Potential Orientations DETECTION Passive SCOPE Internal Control* Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence *Defined along the lines of COSO’s Integrated Framework APPROACH

10 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 10 Internal Audit Primary Mission Four Potential Orientations DETECTION PREVENTION Passive Active SCOPE Internal Control* Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers *Defined along the lines of COSO’s Integrated Framework APPROACH

11 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 11 Internal Audit Primary Mission Four Potential Orientations DETECTION ADVISORY PREVENTION Passive Active SCOPE Internal Control* Business Performance Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Defining process improvement opportunities, if seen By-product of internal control assessment but not focusing on internal controls Moving away from compliance auditing (dangerous position…) Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers *Defined along the lines of COSO’s Integrated Framework APPROACH

12 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 12 Internal Audit Primary Mission Four Potential Orientations DETECTION ADVISORY PREVENTIONSOLUTION Passive Active SCOPE Internal Control* Business Performance Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Defining process improvement opportunities, if seen By-product of internal control assessment but not focusing on internal controls Moving away from compliance auditing (dangerous position…) Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers Target process improvements as a key goal Focus on Assessing Risk and Management’s Mitigation of Risk Work toward implementation of cost- beneficial internal controls & compliance Teamwork approach while maintaining objectivity and independent perspective *Defined along the lines of COSO’s Integrated Framework APPROACH

13 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 13 Internal Audit’s Role… …it’s more than counting beans...

14 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 14 Assessing Risk… Internal Audit’s role:  Identify key risks  Identify key risks of the organization not just financial  Look at all areas of exposure, not just financial  Focus on the issues that matter most in safeguarding the assets of the Institute strength of processes to mitigate risks  Develop audit procedures to examine high risk areas and verify strength of processes to mitigate risks effectiveness  Provide feedback to mgmt on effectiveness of policies and procedures  Promote awareness of policies and best practices bring Management together  Help bring Management together on key risks  Develop organizational approach to managing risk

15 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 15 What is RISK? … Anything that could prevent the organization from meeting its goals

16 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 16 Assessing Risk – with Management  Talk with all members of Senior Management (one-on-one discussions)  Ask key questions, such as:  “Where are potential exposures?”  “ What keeps you up at night? ”  “Where do you see risks for your unit and GIT?” What are some of the potential adverse situations that could occur within…?  “ What are some of the potential adverse situations that could occur within…? ”  Goal is to identify and inventory RISKS

17 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 17 Assessing Risks: Description of adverse situation that could occur

18 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 18 Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5)

19 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 19 Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5) x Probability of this situation occurring (1-5) = Risk Ranking

20 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 20 Risk Discussion Tool

21 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 21 Audit Risk Universe

22 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 22 Audit Focus -- Zeroing In Information Gathering Monitoring/ General Awareness (committees) Informal Reviews (surveying internal control) Risk-Based Audits (processes & risk) Process Improvement (reengineering) Strategy/Solution Development/ Partnering w/ Mgmt. as Key Resource Audits of compliance & controls

23 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 23 Identifying Unit-level Information Systems Risks  Logical Security  Environmental and Physical Controls  Data Security and Stewardship  Management of IS Resources  Equipment Maintenance  Back-up and Recovery  Training and Documentation  Operations/ Administration  Web Site Operation/ Development  Software Licensing

24 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 24 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

25 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 25 IT Advising IA on audit coverage…  CIO, Director of Information Security, and others in IT review draft of audit programs, in some cases helping to draft audit steps (“What would you, as CIO, look for if you were conducting these reviews?”)  IT provides further insight, clarification, and direction to auditors  Internal Auditing seeks IT’s opinion/support regarding feasibility of audit recommendations  Ultimately, Internal Auditing’s decision – but collaborating with IT to ensure the most effective coverage of IT risks throughout the organization

26 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 26 The Audit Plan  Focus on reviewing how each organization is moving toward effectively and efficiently mitigating each of the risks  Independent verifications & attestations to determine strength of processes  Conclusions are forward- looking - how well positioned are they to deal with risk ?

27 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 27

28 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 28 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

29 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 29 Feedback to IT…  Reports go not only to unit head but to senior management (including CIO) to show where opportunities for improvement exist  Direct communication with CIO regarding areas in which more training/education/guidance or IT focus should be provided to campus units  IA offers advice to senior mgmt on areas for policy enhancement

30 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 30 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

31 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 31 Recommended best practices…  IA provides trend analysis summaries to senior management (including CIO) showing common areas across campus requiring improvement  Leads to targeted plans for action aimed at addressing the specific issues (as opposed to blanket policies which may be unnecessarily onerous)

32 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 32 Recommended procedures…  President assembled committee (chaired by CIO) to revise Computer Network Usage Policy VP for Finance, VP for HR, Chief Legal Advisor, Director of Internal Auditing, Associate Dean, Student Govt. rep, & others [Note: IA’s role was not to “set” policy, rather to advise committee on key areas the policy should address]

33 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 33 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

34 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 34 Responding to Info Security Incidents  Information on an incident may come from a variety of sources: OHR – personnel-related complaint Legal Affairs – person seeking legal advice Financial Services – questionable transaction(s) Campus Police – allegation of illegal behavior Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection system reports, etc. Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.

35 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 35 Responding to Info Security Incidents  Challenge: ensuring a consistent approach to dealing with incidents  Risk : If investigation not handled appropriately or consistently, puts Institute at risk  Solution : IA recommended creation of ad-hoc task force and procedure to address Info Security incidents

36 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 36  http://www.audit.gatech.edu/IAcollabrative2.wmf http://www.audit.gatech.edu/IAcollabrative2.wmf

37 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 37 Step 1  Incident is brought to attention of member of mgmt  He/She convenes Ad-Hoc Group [CIO, AVP-OHR, Chief Legal Advisor, Director Internal Auditing, Director of Information Security]  “What do we know now?”  Group shares info to determine other resources that may need to be involved (e.g., Director Campus Security, AVP- Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)  Group determines needed resources

38 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 38 Step 2  Group makes a determination on the potential outcome E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only? This determines procedures to be followed in conducting the investigation and standard of evidence to which to adhere Also determines whether law enforcement should be notified and/or involved

39 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 39 Step 3  Group determines who will take the lead in facilitating the investigation. This person: Coordinates efforts, arranges meetings, initiates status reporting Initiates status reporting to the Office of the President Determines appropriate custodian of investigation data Facilitates reporting at the end of investigation

40 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 40 Step 4  Investigation is conducted following appropriate procedures agreed-to by Group  Regular communication with Group on status, observations, noteworthy issues  Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues

41 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 41 Step 5  Group re-convenes to: evaluate effectiveness of process; document “lessons learned”; and discuss ways the situation may be prevented in the future, e.g., –Additional audit steps to examine for this elsewhere? –Need for policy enhancement? –Need for additional education/awareness?

42 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 42 Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

43 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 43 Results of Collaborative Approach  IA and IT aligned on areas of high risk  Common approach for responding to Information Security incidents  IT becomes source of “education and awareness” for IA  IA able to represent organizational perspective on IT issues across campus to audiences to which IT would not normally have access  IA provides independent and objective feedback to IT on effectiveness of IT policies and procedures (within OIT and across the campus)  Combining perspectives to establish best practices for Information Systems across organization

44 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003 44

Download ppt "Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President,"

Similar presentations

1

1
Managing Compliance Related to Human Subjects Research Review Joseph Sherwin, Ph.D. Office of Regulatory Affairs University of Pennsylvania Fourth Annual.

Managing Compliance Related to Human Subjects Research Review Joseph Sherwin, Ph.D. Office of Regulatory Affairs University of Pennsylvania Fourth Annual.
Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.

Copyright © 2003 Pearson Education, Inc. Slide 1 Computer Systems Organization & Architecture Chapters 8-12 John D. Carpinelli.
Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.

Copyright © 2011, Elsevier Inc. All rights reserved. Chapter 6 Author: Julia Richards and R. Scott Hawley.
Task Group Chairman and Technical Contact Responsibilities ASTM International Officers Training Workshop September 2012 Scott Orthey and Steve Mawn 1.

Task Group Chairman and Technical Contact Responsibilities ASTM International Officers Training Workshop September 2012 Scott Orthey and Steve Mawn 1.
Joint Investigation Protocols Convening Presented by: Theresa Costello, MA Emily Hutchinson, MSSW The National Resource Center for Child Protective Services.

Joint Investigation Protocols Convening Presented by: Theresa Costello, MA Emily Hutchinson, MSSW The National Resource Center for Child Protective Services.
1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
Aviation Security Training Module 4 Design and Conduct Exercise II 1.

Aviation Security Training Module 4 Design and Conduct Exercise II 1.
Business Transaction Management Software for Application Coordination 1 www.choreology.com Business Processes and Coordination. Introduction to the Business.

Business Transaction Management Software for Application Coordination 1 Business Processes and Coordination. Introduction to the Business.
ActionDescription 1Decisions about planning and managing the coast are governed by general legal instruments. 2Sectoral stakeholders meet on an ad hoc.

ActionDescription 1Decisions about planning and managing the coast are governed by general legal instruments. 2Sectoral stakeholders meet on an ad hoc.
The Managing Authority –Keystone of the Control System

The Managing Authority –Keystone of the Control System
1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.

1 RA I Sub-Regional Training Seminar on CLIMAT&CLIMAT TEMP Reporting Casablanca, Morocco, 20 – 22 December 2005 Status of observing programmes in RA I.
ICAO AVIATION SAFETY PROGRAMMES

ICAO AVIATION SAFETY PROGRAMMES
Module N° 9 – SMS operation

Module N° 9 – SMS operation
Illinois Department of Children and Family Services, Pathways to Strengthening and Supporting Families Program April 15, 2010 Division of Service Support,

Illinois Department of Children and Family Services, Pathways to Strengthening and Supporting Families Program April 15, 2010 Division of Service Support,
Create an Application Title 1A - Adult Chapter 3.

Create an Application Title 1A - Adult Chapter 3.
Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.

Custom Statutory Programs Chapter 3. Customary Statutory Programs and Titles 3-2 Objectives Add Local Statutory Programs Create Customer Application For.
1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.

1 Click here to End Presentation Software: Installation and Updates Internet Download CD release NACIS Updates.
Site Safety Plans PFN ME 35B.

Site Safety Plans PFN ME 35B.
1 Implementing Internet Web Sites in Counseling and Career Development James P. Sampson, Jr. Florida State University Copyright 2003 by James P. Sampson,

1 Implementing Internet Web Sites in Counseling and Career Development James P. Sampson, Jr. Florida State University Copyright 2003 by James P. Sampson,

Similar presentations

Ads by Google