“Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010.


1 “Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010

2 Your Presenters
―Thomas Luccock, CPA, CIA, Director of Internal Audit
―Steve Kurncz, CISA, CISM, Information Technology Audit Manager
―Michael Chandel, CISA, Senior Information Technology Auditor

3 Our Mission “ To assist University units in effectively discharging their duties while ensuring proper control over University assets. ”

4 Internal Audit at MSU
History of the Internal Audit function at MSU
Our Charter
―Introduction
―Purpose
―Authority
―Responsibility
―Independence
―Audit Scope
―Special Investigations
―Reporting
―Audit Standards and Ethics

5 Organization of Internal Audit

6 Internal Auditing Defined Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. - Courtesy of the Institute of Internal Auditors (IIA)

7 Your Perception of an Auditor
―“Oh, those > insert your best insult here <”
―“They’re out to get us!”
―“They’re going to snoop through our data!”
―#@*#$%$&$#*%!!!
(Image: “The Matrix”, 1999)

8 Our Perception of an Auditor
(Image: “The Blues Brothers”, 1980)

9 The Reality of your Internal Auditors
Internal Audit Approach
―Objective members of “Team MSU”
―An independent internal assurance and consulting function designed to add value to and improve the operation of our University.
―We are here to assist you and help protect our University as a whole.
―We view audit projects as a partnership with you and your department.
―We try to be as “transparent” as possible.

10 Certified Auditors
Certified Information Systems Auditor (CISA) designation
―Globally accepted and recognized standard of achievement among information technology (IT) audit, control and security professionals
―Sponsored and governed by the Information Systems Audit and Control Association (ISACA)
 o More than 86,000 members in more than 160 countries
―Accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024
―Requirements of Certification:
 o Successful completion of the CISA examination
  - 200-question exam with a four (4) hour time limit
 o A minimum of five (5) years (or equivalent) of professional information systems auditing, control and security work experience
 o Adherence to the ISACA Code of Professional Ethics
 o Observance of the Continuing Professional Education (CPE) policy
  - Must complete a minimum of 120 CPE hours every three (3) years for continued certification
 o Adherence to the Information Technology Assurance Framework (ITAF) auditing standards adopted by ISACA

11 Audit Plan Development
“C’mon, why us???”
University-Wide Risk Assessment
―Inherent Risk: the nature of your business
―Incident Response Procedures
―By Special Request
(Image: Tom Izzo, Head Men’s Basketball Coach)

12 Audit Plan Approval
University President Review and Approval
―Monthly Meetings
―Reporting
University Audit Committee Review and Approval
―University Board of Trustees
―Audit Committee Quarterly Meetings
―Annual Meetings
―Reporting

13 Audit Process

14

15 Stage 1: Planning
Audit Engagement
―Engagement Letter
―Preliminary Information Request
Opening Meeting
―Project Overview Given to the Management Group
―Designate a Primary Contact Person
―Official Project Start Date
Inquiry of Management & Staff
―Interviews & Internal Controls Questionnaires (ICQ)
―Tours
Scope Definition
―Risk Assessment
―Six (6) Month “Snap-Shot”

16 Audit Process

17 Stage 2: Fieldwork & Documentation
Observations of Processes & Procedures
―Determining & Documenting the Flow of Data
 o Data Entry through Data Deletion
―General Information Technology Controls
―Unit-Level Application Controls
Sampling & Testing
―Select Specific System Components, Processes and Reports to Review and Compare
―Collaboration with Unit Staff
―Nothing Done Without IT Personnel Assistance or Knowledge
Verification of Statements Made
―Sample the Verbal Statements Made During the Planning Process to Verify Accuracy

18 Audit Process

19 Stage 3: Issue Discovery & Validation
Risk Exposure Discovery & Evaluation
―Risk Identification Process Based on ICQs & Fieldwork
―Risk Validation & Mitigating Controls Discussion with IT Personnel
Risk Exposure Presentation to Management
―Discussion with Management Regarding Identified Risk & Potential Mitigating Controls
Management Solution Development
―Risk Mitigation vs. Risk Acceptance
―Risk Considerations in Strategic Planning

20 Audit Process

21 Stage 4: Reporting
Draft Report Development & Distribution
―Based on Levels of Identified Risk (Verbal vs. Written)
―Closing Meeting Discussion
―Limited Draft Distribution
Management Response Opportunity
―Due 30 Days from Issuance of Draft Report
―Short Description of Management’s Plans and Timeline to Address Identified Risk
Final Report Distribution
―Standard Executive Distribution List with Additional Unit Requests
―Management Responses Included

22 Audit Process

23 Stage 5: Issue Tracking
Post-Audit Review & Follow-Up
―Three (3) to Six (6) Months After Final Report is Issued
―Review of Management Response Status
―Written Status Report Issued to Final Distribution List
Periodic Status Updates
―Potential Second Post-Audit Review
―Otherwise, We May Request Periodic Progress Updates

24 Audit Project Time Table
Just how long will this all take?
―Standard Audit Fieldwork takes approximately one (1) to three (3) months, depending on the scope of the audit and the complexity of the area under review.
―Limited Review Fieldwork is less time-intensive and may last only one to two weeks.
(Image: Mark Dantonio, Head Football Coach)

25 IT Audit Scope
MSU Policies, Best Practices, Guidelines and Resources:
―Libraries, Computing & Technology
 o http://computing.msu.edu/ (www.msu.edu - Keyword Search: Computing & Technology)
―Department Policies and Guidelines
IT Industry Standards and Best Practices:
―Information Systems Audit and Control Association (ISACA)
 o Control Objectives for Information and related Technology (COBIT)
―National Institute of Standards and Technology (NIST)
 o www.nist.gov – Information Technology \ Computer Security Portal
―SANS.org
 o Computer Security Training, Network Research and Resources
―International Organization for Standardization (ISO)
 o ISO 17799 / 27000

26 University Standards & Guidelines
LCT Guidelines and Policies
―http://www.lct.msu.edu/guidelines-policies/
Managing Sensitive Data
―http://computing.msu.edu/msd/
―Securing Enterprise Data: http://computing.msu.edu/msd/documents/Securing_Enterprise_Data_at_MSU_w_ISO_17799_checklist_14_Apr_07.pdf
Disaster Recovery Planning
―http://www.drp.msu.edu/

27 Industry Best Practices
ISACA – Information Systems Audit and Control Association
NIST 800 Series
―NIST SP 800-53 (catalog of security controls)
―http://csrc.nist.gov/publications/PubsSPs.html
―Risk Management Framework: http://csrc.nist.gov/groups/SMA/fisma/framework.html
SANS – SysAdmin, Audit, Network, Security
―www.sans.org
―Audit Focus Site: http://blogs.sans.org/it-audit/
―20 Critical Security Controls for Effective Cyber Defense
ISO 27000 series (ISO/IEC 27002 was formerly ISO/IEC 17799:2005)
―http://www.27000.org/
―http://www.sharedassessments.org/ (tool)

28 Summary of Topics Internal Audit Overview Audit Plan Selection Audit Process Timetable Best Practices

29 Questions

30 Thank You!

