“Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010

Date posted: 19-Dec-2015

Transcript
Page 1: “Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010.

“Walking Through an Internal IT Audit”

MSU IT Exchange Conference

August 12, 2010

Page 2

Your Presenters

Thomas Luccock, CPA, CIA, Director of Internal Audit

Steve Kurncz, CISA, CISM, Information Technology Audit Manager

Michael Chandel, CISA, Senior Information Technology Auditor

Page 3

Our Mission

“To assist University units in effectively discharging their duties while ensuring proper control over University assets.”

Page 4

Internal Audit at MSU

History of Internal Audit function at MSU

Our Charter

―Introduction

―Purpose

―Authority

―Responsibility

―Independence

―Audit Scope

―Special Investigations

―Reporting

―Audit Standards and Ethics

Page 5

Organization of Internal Audit

Page 6

Internal Auditing Defined

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

- Courtesy of the Institute of Internal Auditors (IIA)

Page 7

Your Perception of an Auditor

“Oh, those >insert your best insult here<”

“They’re out to get us!”

“They’re going to snoop through our data!”

#@*#$%$&$#*%!!!

“The Matrix”, 1999

Page 8

Our Perception of an Auditor

“The Blues Brothers”, 1980

Page 9

The Reality of your Internal Auditors

Internal Audit Approach

–Objective members of “Team MSU”

–Act as an independent internal assurance and consulting function designed to help add value to and improve the operation of our University.

–We are here to assist you and help protect our University as a whole.

–We try to view audit projects as a partnership with you and your department.

–We attempt to be as “transparent” as possible.

Page 10

Certified Auditors

Certified Information Systems Auditor (CISA) designation

―Globally accepted and recognized standard of achievement among information technology (IT) audit, control and security professionals

―Sponsored and governed by the Information Systems Audit and Control Association (ISACA)

o More than 86,000 members in more than 160 countries.

―Accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024

―Requirements of Certification:

o Successful Completion of the CISA Examination.

200 Question exam with a four (4) hour time limit.

o Equivalent of a minimum five (5) years professional information systems auditing, control and security work experience.

o Adherence to the ISACA Code of Professional Ethics.

o Continuing Professional Education (CPE) Policy observance.

Must complete a minimum of 120 CPE Hours every three (3) years for continued certification.

o Adherence to the Information Technology Assurance Framework (ITAF) Auditing Standards adopted by ISACA

Page 11

Audit Plan Development

“C’mon, why us???”

University-Wide Risk Assessment

―Inherent Risk: The nature of your business.

―Incident Response Procedures

―By Special Request

Tom Izzo, Head Men’s Basketball Coach

Page 12

Audit Plan Approval

University President Review and Approval

―Monthly Meetings

―Reporting

University Audit Committee Review and Approval

―University Board of Trustees

―Audit Committee Quarterly Meetings

―Annual Meetings

―Reporting

Page 13

Audit Process

Page 14

Audit Process

Page 15

Stage 1: Planning

Audit Engagement

―Engagement Letter

―Preliminary Information Request

Opening Meeting

―Project Overview Given to the Management Group

―Designate a Primary Contact Person

―Official Project Start Date

Inquiry of Management & Staff

―Interviews & Internal Controls Questionnaires (ICQ)

―Tours

Scope Definition

―Risk Assessment

―Six (6) Month “Snap-Shot”

Page 16

Audit Process

Page 17

Stage 2: Fieldwork & Documentation

Observations of Processes & Procedures

―Determining & Documenting the Flow of Data

o Data Entry through Data Deletion

―General Information Technology Controls

―Unit Level Application Controls

Sampling & Testing

―Select Specific System Components, Processes and Reports to Review and Compare

―Collaboration with Unit Staff

―Nothing Done Without IT Personnel Assistance or Knowledge

Verification of Statements Made

―Sample the Verbal Statements Made During the Planning Process to Verify Accuracy

Page 18

Audit Process

Page 19

Stage 3: Issue Discovery & Validation

Risk Exposure Discovery & Evaluation

―Risk Identification Process Based on ICQs & Fieldwork

―Risk Validation & Mitigating Controls Discussion with IT Personnel

Risk Exposure Presentation to Management

―Discussion with Management Regarding Identified Risk & Potential Mitigating Controls

Management Solution Development

―Risk Mitigation vs. Risk Acceptance

―Risk Considerations in Strategic Planning

Page 20

Audit Process

Page 21

Stage 4: Reporting

Draft Report Development & Distribution

―Based on Levels of Identified Risk (Verbal vs. Written)

―Closing Meeting Discussion

―Limited Draft Distribution

Management Response Opportunity

―Due 30 Days from Issuance of Draft Report

―Short Description of Management's Plans and Timeline to Address Identified Risk

Final Report Distribution

―Standard Executive Distribution List with Additional Unit Requests

―Management Responses Included

Page 22

Audit Process

Page 23

Stage 5: Issue Tracking

Post Audit Review & Follow Up

―Three (3) to Six (6) Months After Final Report is Issued

―Review of Management Response Status

―Written Status Report Issued to Final Distribution List

Periodic Status Updates

―Potential Second Post Audit Review

―Otherwise, We May Request Periodic Progress Updates

Page 24

Audit Project Time Table

Just how long will this all take?

―Standard Audit Fieldwork takes approximately one (1) to three (3) months depending on the scope of the audit and complexity of the area under review.

―Limited Review Fieldwork is less time intensive and may only last one to two weeks.

Mark Dantonio, Head Football Coach

Page 25

IT Audit Scope

MSU Policies, Best Practices, Guidelines and Resources:

―Libraries, Computing & Technology

―http://computing.msu.edu/ (www.msu.edu - Keyword Search: Computing & Technology)

―Department Policies and Guidelines

IT Industry Standards and Best Practices:

―Information Systems Audit and Control Association (ISACA)

―Control Objectives for Information and related Technology (COBIT)

―National Institute of Standards and Technology (NIST)

―www.nist.gov – Information Technology \ Computer Security Portal

―SANS.org

―Computer Security Training, Network Research and Resources

―International Organization for Standardization (ISO)

―ISO 17799 / 27000

Page 26

University Standards & Guidelines

LCT Guidelines and Policies

―http://www.lct.msu.edu/guidelines-policies/

Managing Sensitive Data

―http://computing.msu.edu/msd/

―Securing Enterprise Data

http://computing.msu.edu/msd/documents/Securing_Enterprise_Data_at_MSU_w_ISO_17799_checklist_14_Apr_07.pdf

Disaster Recovery Planning

―http://www.drp.msu.edu/

Page 27

Industry Best Practices

ISACA – Information Systems Audit and Control Association

NIST 800 Series

―NIST 800-53 General Controls

―http://csrc.nist.gov/publications/PubsSPs.html

―Risk Assessment Framework: http://csrc.nist.gov/groups/SMA/fisma/framework.html

SANS – SysAdmin, Audit, Network, Security

―www.sans.org

―Audit Focus Site: http://blogs.sans.org/it-audit/

―20 Critical Security Controls for Effective Cyber Defense

ISO 27000 (Formerly ISO 17799-2005)

―http://www.27000.org/

―http://www.sharedassessments.org/ (tool)

Page 28

Summary of Topics

Internal Audit Overview

Audit Plan Selection

Audit Process

Timetable

Best Practices

Page 29

Questions

Page 30

Steve Kurncz, Information Technology Audit Manager

309 Olds Hall, East Lansing, MI 48824-1047

Phone: (517) 355-5030 Fax: (517) 432-1997 Website: www.msu.edu/~intaudit Email: [email protected]

Michael Chandel, Senior Information Technology Auditor

309 Olds Hall, East Lansing, MI 48824-1047

Phone: (517) 355-5030 Fax: (517) 432-1997 Website: www.msu.edu/~intaudit Email: [email protected]

Thank You!
