“Walking Through an Internal IT Audit”
MSU IT Exchange Conference
August 12, 2010
Your Presenters
Thomas Luccock, CPA, CIA Director of Internal Audit
Steve Kurncz, CISA, CISM Information Technology Audit Manager
Michael Chandel, CISA Senior Information Technology Auditor
Our Mission
“To assist University units in effectively discharging their duties while ensuring proper control over University assets.”
Internal Audit at MSU
History of Internal Audit function at MSU
Our Charter
―Introduction
―Purpose
―Authority
―Responsibility
―Independence
―Audit Scope
―Special Investigations
―Reporting
―Audit Standards and Ethics
Organization of Internal Audit
Internal Auditing Defined
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- Courtesy of the Institute of Internal Auditors (IIA)
Your Perception of an Auditor
“Oh, those <insert your best insult here>”
“They’re out to get us!”
“They’re going to snoop through our data!”
#@*#$%$&$#*%!!!
“The Matrix”, 1999
Our Perception of an Auditor
“The Blues Brothers”, 1980
The Reality of your Internal Auditors
Internal Audit Approach
―Objective members of “Team MSU”
―Act as an independent internal assurance and consulting function designed to help add value to and improve the operation of our University.
―We are here to assist you and help protect our University as a whole.
―We try to view audit projects as a partnership with you and your department.
―We attempt to be as “transparent” as possible.
Certified Auditors
Certified Information Systems Auditor (CISA) designation
―Globally accepted and recognized standard of achievement among information technology (IT) audit, control and security professionals
―Sponsored and governed by the Information Systems Audit and Control Association (ISACA)
o More than 86,000 members in more than 160 countries.
―Accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024
―Requirements of Certification:
o Successful completion of the CISA examination: a 200-question exam with a four (4) hour time limit.
o Equivalent of a minimum five (5) years of professional information systems auditing, control and security work experience.
o Adherence to the ISACA Code of Professional Ethics.
o Continuing Professional Education (CPE) policy observance: a minimum of 120 CPE hours every three (3) years for continued certification.
o Adherence to the Information Technology Assurance Framework (ITAF) auditing standards adopted by ISACA
Audit Plan Development
“C’mon, why us???”
University-Wide Risk Assessment
―Inherent Risk: The nature of your business.
―Incident Response Procedures
―By Special Request
Tom Izzo, Head Men’s Basketball Coach
Audit Plan Approval
University President Review and Approval
―Monthly Meetings
―Reporting
University Audit Committee Review and Approval
―University Board of Trustees
―Audit Committee Quarterly Meetings
―Annual Meetings
―Reporting
Audit Process
Stage 1: Planning
Audit Engagement
―Engagement Letter
―Preliminary Information Request
Opening Meeting
―Project Overview Given to the Management Group
―Designate a Primary Contact Person
―Official Project Start Date
Inquiry of Management & Staff
―Interviews & Internal Controls Questionnaires (ICQ)
―Tours
Scope Definition
―Risk Assessment
―Six (6) Month “Snap-Shot”
Stage 2: Fieldwork & Documentation
Observations of Processes & Procedures
―Determining & Documenting the Flow of Data
o Data Entry through Data Deletion
―General Information Technology Controls
―Unit Level Application Controls
Sampling & Testing
―Select Specific System Components, Processes and Reports to Review and Compare
―Collaboration with Unit Staff
―Nothing Done Without IT Personnel Assistance or Knowledge
Verification of Statements Made
―Sample the Verbal Statements Made During the Planning Process to Verify Accuracy
Stage 3: Issue Discovery & Validation
Risk Exposure Discovery & Evaluation
―Risk Identification Process Based on ICQs & Fieldwork
―Risk Validation & Mitigating Controls Discussion with IT Personnel
Risk Exposure Presentation to Management
―Discussion with Management Regarding Identified Risk & Potential Mitigating Controls
Management Solution Development
―Risk Mitigation vs. Risk Acceptance
―Risk Considerations in Strategic Planning
Stage 4: Reporting
Draft Report Development & Distribution
―Based on Levels of Identified Risk (Verbal vs. Written)
―Closing Meeting Discussion
―Limited Draft Distribution
Management Response Opportunity
―Due 30 Days from Issuance of Draft Report
―Short Description of Management's Plans and Timeline to Address Identified Risk
Final Report Distribution
―Standard Executive Distribution List with Additional Unit Requests
―Management Responses Included
Stage 5: Issue Tracking
Post Audit Review & Follow Up
―Three (3) to Six (6) Months After Final Report is Issued
―Review of Management Response Status
―Written Status Report Issued to Final Distribution List
Periodic Status Updates
―Potential Second Post Audit Review
―Otherwise, We May Request Periodic Progress Updates
Audit Project Time Table
Just how long will this all take?
―Standard Audit Fieldwork takes approximately one (1) to three (3) months depending on the scope of the audit and the complexity of the area under review.
―Limited Review Fieldwork is less time intensive and may only last one to two weeks.
Mark Dantonio, Head Football Coach
IT Audit Scope
MSU Policies, Best Practices, Guidelines and Resources:
―Libraries, Computing & Technology
―http://computing.msu.edu/ (www.msu.edu - Keyword Search: Computing & Technology)
―Department Policies and Guidelines
IT Industry Standards and Best Practices:
―Information Systems Audit and Control Association (ISACA)
―Control Objectives for Information and related Technology (COBIT)
―National Institute of Standards and Technology (NIST)
―www.nist.gov – Information Technology \ Computer Security Portal
―SANS.org
―Computer Security Training, Network Research and Resources
―International Organization for Standardization (ISO)
―ISO 17799 / 27000
University Standards & Guidelines
LCT Guidelines and Policies
―http://www.lct.msu.edu/guidelines-policies/
Managing Sensitive Data
―http://computing.msu.edu/msd/
―Securing Enterprise Data
http://computing.msu.edu/msd/documents/Securing_Enterprise_Data_at_MSU_w_ISO_17799_checklist_14_Apr_07.pdf
Disaster Recovery Planning
―http://www.drp.msu.edu/
Industry Best Practices
ISACA- Information System Audit and Control Association
NIST 800 Series
―NIST SP 800-53 General Controls
―http://csrc.nist.gov/publications/PubsSPs.html
―Risk Assessment Framework: http://csrc.nist.gov/groups/SMA/fisma/framework.html
SANS – SysAdmin, Audit, Network, Security
―www.sans.org
―Audit Focus Site: http://blogs.sans.org/it-audit/
―20 Critical Security Controls for Effective Cyber Defense
ISO 27000 series (ISO/IEC 27002 was formerly ISO/IEC 17799:2005)
―http://www.27000.org/
―http://www.sharedassessments.org/ (tool)
Summary of Topics
Internal Audit Overview
Audit Plan Selection
Audit Process
Timetable
Best Practices
Questions
Steve Kurncz, Information Technology Audit Manager
309 Olds Hall, East Lansing, MI 48824-1047
Phone: (517) 355-5030
Fax: (517) 432-1997
Website: www.msu.edu/~intaudit
Email: [email protected]
Michael Chandel, Senior Information Technology Auditor
309 Olds Hall, East Lansing, MI 48824-1047
Phone: (517) 355-5030
Fax: (517) 432-1997
Website: www.msu.edu/~intaudit
Email: [email protected]
Thank You!