Slide 1
IT Audits – Understanding the Standards
Illinois Digital Government Summit, September 15, 2008
Presented by Doug Tinch, Illinois Office of Internal Audit, and Steve Gerschoffer, Crowe Horwath
Horwath International. Copyright 2006 Crowe Chizek and Company LLC
Slide 2
Agenda
Understanding the Standards: What is at risk?
Auditing Standards
Scope of IT Audits
Pre / Post Implementation Audits
Risk Assessment
Questions?
Slide 3
DISCLAIMER
Any opinions expressed by Steve and/or Doug (even though they are usually correct) are their own and do not reflect the official positions of either the State of Illinois Office of Internal Audit or Crowe Horwath.
Slide 4
Highlights of the 12th Annual CSI Survey – source: CSI Survey 2007
Average annual loss reported was $350,424 – the highest average loss since 2004, up from $168,000 last year
194 responses reported total losses of $66,930,950, up from $52,494,290 (for 313 respondents) in 2006
132 of 454 respondents have cyber insurance policies
The top 3 attacks detected were insider abuse of net access, virus, and laptop/mobile device theft
Viruses were the leading cause of losses for the last seven years – financial fraud overtook them in 2007
Slide 5
Top 5 Losses by Type of Attack – source: CSI Survey 2007 (194 respondents)
(chart only; no further text on the slide)
Slide 6
Current Landscape – Costs of a Breach
A Ponemon Institute study (November 2007) found that the total cost of a data breach averaged $198 per lost customer record:
Detection and escalation - $9
Notification - $15
Response and actions taken - $46
Lost business - $128
Slide 7
Current Landscape – Causes of a Breach
From Ponemon Institute, 2007 Annual Study: U.S. Cost of a Data Breach – Understanding Financial Impact, Customer Turnover, and Preventative Solutions
(chart only; no further text on the slide)
Slide 8
Standards.... What is FCIAA?
Fiscal Control and Internal Auditing Act (30 ILCS 10/)
Article 1. General Provisions – Section 1002 – the CEO of “every State agency is responsible for effectively and efficiently managing the agency and establishing and maintaining an effective system of internal control.”
Slide 9
Fiscal Control and Internal Auditing Act (30 ILCS 10/)
Article 3. Fiscal Controls – “All State agencies shall establish and maintain a system, or systems, of internal and fiscal administrative controls, which shall provide assurance that:…”
Slide 10
Fiscal Control and Internal Auditing Act (30 ILCS 10/)
Article 2. Internal Auditing – establishes a program of internal auditing, qualifications of the chief internal auditor, and internal auditing program requirements.
Section 2003 (a) (3) mandates: “Reviews of the design of major new electronic data processing systems and major modifications of those systems before their installation to ensure the systems provide for adequate audit trails and accountability.”
Slide 11
WARNING
IF A PRE-IMPLEMENTATION AUDIT IS REQUIRED, AND IS NOT TIMELY PERFORMED, THE OFFICE OF THE AUDITOR GENERAL WILL ISSUE TWO (2) FINDINGS. THE AGENCY WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT HAVING AN AUDIT COMPLETED BEFORE IMPLEMENTATION, AND THE IOIA WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT PERFORMING THE AUDIT.
Slide 12
Standard Scope of an IT Audit – IS General Controls
Management and Organization
Development and Acquisition
On-Line Security (Core Application Systems)
Business Contingency Planning
Physical Security
Computer Operations
Outsourced Technology Service Providers
Slide 13
Standard Scope of an IT Audit – Network Security Assessment
Methodology: ‘Good Guy’ Approach
Standard Scope:
Policies and Procedures (Security, Incident Response, etc.)
Anti-Virus Standards
Workstation Security Review
Network Architecture
Network Operating System Security Review (Windows, Novell, Unix)
Slide 14
Standard Scope of an IT Audit – Network Security Assessment (continued)
Voice Over IP
Database Security
Mobile Device Security
Web Server Security
Email Server Security
Etc…
Slide 15
Internal Penetration Assessment
Methodology: ‘Bad Guy’ Approach – Disgruntled Internal Employee, Unauthorized Individual with Internal Network Access
Standard Scope:
Technical Assessment
Physical
Social Engineering
Document Disposal
Slide 16
Internal Penetration Assessment
(diagram only; no further text on the slide)
Slide 17
External Penetration Assessment
Methodology: ‘Bad Guy’ Approach – External Hacker
Standard Scope:
Technical Assessment
Phone Social Engineering
Email Social Engineering
Phone Sweep
Slide 18
External Penetration Assessment
(diagram only; no further text on the slide)
Slide 19
SAS 70 (Statement on Accounting Standards – No. 70)
Types of SAS 70s:
Level I – Report on Controls Placed in Operation
Level II – Report on Controls Placed in Operation & Tests of Operating Effectiveness
Slide 20
What Is Evaluated During a SAS 70 Audit?
A typical SAS 70 Report includes:
General Controls
Application Controls
Process Controls
Areas covered:
Organization and Administration
Application Maintenance
Documentation
Computer Operations
Hardware and System Software
On-Line Security
Physical Security
Back-up and Contingency Planning
e-Business
Policies and Procedures
Slide 21
SAS 70 – User Control Considerations
User Control Considerations are controls which the User Organization should consider but that the Service Provider either:
Cannot do,
Does not take responsibility for, or
Does not find cost effective.
Slide 22
Pre-Implementation Audit Process – The Risk Assessment Process
Document request:
1) RFP (Request for Proposal)
2) Project Charter
3) Design Documents
4) System Objectives
5) Cost/Benefit Analysis
6) Project Time-line
Slide 23
Pre-Implementation Audit Process – The Risk Assessment Process
Management Interview:
1) Management synopsis of the project.
2) Details of the project and changes (if any) in timelines, scope, funding, resources, etc. that may not be reflected in the original documentation.
3) Any other relevant information that is germane to the project.
Slide 24
Pre-Implementation Audit Process – The Risk Assessment Process
IOIA Determination:
1) Determination by auditor
2) Review by Supervisor
3) Review by Manager
4) Review by Chief Internal Auditor
5) Issuance of Determination Letter to Agency Director
Slide 25
Pre-Implementation Audit Process – The Audit
Audit Program:
1) Audit Trails and Accountability
2) Functionality
Slide 26
Pre-Implementation Audit Process – The Audit
Test Matrix:
1) Audit Trails and Accountability
   a) Logging
   b) Access controls
   c) Transmission security
   d) Application controls (third party hosting)
   e) Disaster recovery/business continuity
2) Functionality
   a) With business rules (tech and non-tech)
   b) User expectations and needs
Slide 27
Pre-Implementation Audit Process – The Audit
Testing:
1) Part of the User Acceptance Testing (UAT) team
2) Access to Change (Bug) Control
3) Notify the Program Manager of failures immediately
4) Follow up to determine that all “bugs” are closed
5) Final acceptance by all appropriate parties
Slide 28
Pre-Implementation Audit Process – The Audit
Review and Approval Process:
1) Informal pre-Letter issuance conference with management.
2) IOIA review and Letter issuance to the Director prior to implementation.
3) Draft report issuance to the Director; formal exit conference if required.
4) Agency responses to the draft, included verbatim in the final report to the Director.
5) Subsequent Recommendation follow-up.
Slide 29
Questions?