NSAA Information Technology Conference
Planning the Scope of Your IT Audit
October 1, 2014
Jennifer Schreck, Audit Director
Strategic Risk Management
Auditor of Public Accounts
What we are going to discuss
• Case studies (Michigan)
• Frame of reference for IT audits at the APA
• Where we want to be (Auditor Planning Utopia)
• How do we get there - Our keys to Success
http://www.apa.virginia.gov
Quick reminder of who we are . . . The APA
• Serves as the external auditor for the executive and legislative branches of the Commonwealth
• Performs financial statement and performance audits
• Manages the Commonwealth’s transparency website, Data Point
• Works with local, agency and institutional internal audit shops investigating fraud
• Reviews the entire court system from the Supreme Court to each local court
• Examines the state accounts and records of every locality handling state funds
• Maintains oversight responsibility for local government audits performed by public accounting firms.
• Provides systems development and public private partnership project monitoring where risk dictates.
• Performs technology-related vulnerability and penetration testing when requested.
Quick reminder of who we are . . .
• Divided into areas of expertise to support our mission and audit projects
Our teams work together to support our Projects
• Acquisition & Contract Mgmt
• Budgeting & Performance Management
• Capital Asset Management
• Compliance Assurance
• Data Analysis
• Higher Education Programs
• IT Project Management
• Systems Security
• Local Government and Judicial Systems
• Strategic Risk Management
• Reporting & Standards
• Human Resources & Business Operations
Auditor IT Planning Utopia
• You know which systems are the key systems . . .
• You know the delineation of responsibility if part of the system is outsourced . . .
• You easily identify the controls within your system . . .
• You can easily determine what has been audited by other groups
• It's easy to define the scope of your audit . . .
• You know the data elements you need to do your work . . .
• You have the various types of resources you need to do the audit . . .
• Every auditor is an “integrated” auditor . . .
Auditor IT Planning Utopia
Reality can bring things to a crashing halt
But it doesn’t have to. . . .
Quick reminder of who we are . . .
• Most of our “trained” IT knowledge lies within three of our specialty teams
To achieve Auditor Planning Utopia . . .
• All of our teams need to have an IT mindset because all of our audit clients use Information Technology to support what they do.
Perspective . . .
• The APA performs financial statement and performance audits of executive branch entities
• The majority of our performance audits still have a financial-related slant
• Our IT audit work generally supports broader financially driven objectives.
Keys to Success
• Setting the “Tone at the Top”
• Challenging our staff to think innovatively
• Making the connections
Setting the “Tone at the Top”
Refocused Strategic Planning Initiatives
[Diagram labels, in extracted order: Project Processes; Innovative Audit Approaches; Reporting Results; Methods of; Office Structure; Focus on Staff; Staffing and Workplan; Communication]
Shift in planning mindset
• 10/80/10: Plan 10%, Execute 80%, Report 10%
• 40/40/20: Plan 40%, Execute 40%, Report 20%
Challenging our staff to think Innovatively
Application Controls (What are they?)
Validity, Completeness, and Accuracy: Management Assertions?
Green Book: 11.08
Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to achieve validity, completeness, accuracy, and confidentiality of transactions and data during application processing.
Management’s Use of Application Controls
1. Does management have applications to process business transactions?
2. How should management use application controls to achieve validity, completeness, and accuracy of their business transactions?
3. How is management using its applications to enforce the business rules?
4. What information will I need to validate that business rules were working?
• Example – Time and Effort Applications
– Business Rule: Employees should NOT approve their own timesheet.
– Application Control: Employee cannot view or select their timesheet within the approval screen.
– Auditor's Test: Does the employee id equal the approval id on any timesheets?
(Caveat: Assumes that Application is operating in an environment with sound general controls.)
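The auditor's test above, run over a timesheet extract, as an added example that is not part of the original presentation. The sample rows are constructed, and the column names and the ID normalization (trim and case-fold) are assumptions.

```python
import csv
import io

# Constructed sample extract; column names are assumptions, not the APA's schema.
SAMPLE_EXTRACT = """timesheet_id,employee_id,approver_id,period_end
1001,E0412,M0007,2014-08-15
1002,E0388,E0388,2014-08-15
1003,m0007,M0007 ,2014-08-15
1004,E0412,,2014-08-31
1005,E0290,M0007,2014-08-31
"""


def normalize_id(raw):
    """Trim whitespace and fold case so 'm0007' and 'M0007 ' compare equal."""
    return (raw or "").strip().upper()


def find_self_approvals(extract_text):
    """Return (self_approved, no_approver) lists of timesheet ids.

    self_approved: employee id equals approval id (the business rule failed).
    no_approver:   approval id is blank, so the rule cannot be evaluated
                   and the timesheet needs separate follow-up.
    """
    self_approved, no_approver = [], []
    for row in csv.DictReader(io.StringIO(extract_text)):
        employee = normalize_id(row["employee_id"])
        approver = normalize_id(row["approver_id"])
        if not approver:
            no_approver.append(row["timesheet_id"])
        elif employee == approver:
            self_approved.append(row["timesheet_id"])
    return self_approved, no_approver


if __name__ == "__main__":
    exceptions, unevaluated = find_self_approvals(SAMPLE_EXTRACT)
    print("Self-approved timesheets:", exceptions)
    print("No approver recorded:", unevaluated)
```

Comparing raw strings would miss timesheet 1003, where the two ids differ only in case and trailing whitespace.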
• We host Brown Bag lunches to informally discuss issues around implementing innovative approaches and to share new ideas
• Systems Security
• Data Analysis
• IT Project Management
• Acquisition & Contract Mgmt
• Budgeting & Performance Mgmt
• Capital Asset Management
• Compliance Assurance
• Higher Education Programs
• Local Government & Judicial Systems
• Strategic Risk Management
• Reporting & Standards
Making the Connections
• Building contact points into our audit programs
• Creating audit tools that help our IT staff think like our other staff and vice versa
Executive Dashboard
Internal Control Worksheet
Fraud Assessment
ISS Financial Statement Integration Tool
Making the Connections – IS Planning Tools
• Supports a Risk-based approach
• Provides a clearer view of technical testwork (infrastructure, software, etc.)
• Encourages an iterative planning process involving both IS and Financial auditors
• Addresses all major areas of data security (integrity, confidentiality, reliability)
• Highlighting success
Auditor Planning Utopia