IT Skills for the Business Auditor - Austin

IT Skills for the Business
Auditor
Positioning Audit Skills for the Future
Information Technology Risks and Controls
Mark Salamasick, CIA, CISA, CRMA, CSP
Director of Center for Internal Auditing Excellence
University of Texas at Dallas
For Austin Chapter Seminar
April 14, 2015
Mark Salamasick, CIA, CISA, CRMA, CSP
•Director of Center for Internal Audit Excellence – 12 years
•Adjunct Faculty, University of Texas at Dallas – 18 years
•Senior Vice President, Internet/Intranet Services, Bank of America – 2 years
•Director Information Technology Audit, SVP, Internal Audit, Bank of
America – 18 years
•Senior Consultant, Accenture – 4 years
•Instructor, Accounting and IT, Central Michigan University – 3 years
•BS in BA and MBA – Central Michigan University
•One of six co-authors of Internal Audit textbook-Internal Auditing:
Assurance and Consulting Services by IIA Research Foundation published
Summer, 2007, Second Edition Summer, 2009 and , Third Edition Fall, 2013
•Author of IIA International Books-Auditing Vendor Relationship, PC
Management Best Practices , and Auditing Outsourced Functions
•Numerous IIA International Committees including Board of Trustees, Board
Research and Educational Advisors and currently Learning Solutions
•2005 IIA International Educator of the Year - Leon Radde Award
•Enjoy Running, Road and Mountain Cycling, and Traveling
1
ITEMS TO COVER
-
Background-Setting the Stage
-
IT Risk From the Boardroom
-
Technology Expectations for All Auditors
-
IT Audit Model Curriculum
-
Latest Technology Issues
-
Infrastructure Trends
-
Overview of GTAG’s
-
GTAG 1 – 2nd Edition
-
Technology Adaption Curve for IA Groups
-
Summary
2
Synopsis
An overview of Critical Success Factors’ for the
21st Century auditor including an understanding
of IT control frameworks, functional areas of IT
operations, and the ability to integrate technology
into internal audit processes.
3
Survey
and
Understanding
4
Level of IT Understanding
• Business Auditors
• IT Auditors
5
Technology
“I don’t know what
I don’t know”
CAE
“You need to understand where
emerging technologies are going
to best predict risks the
company will face in the future”
Mark Salamasick
6
Start with One Premise!
There are no barriers…
Technology is an enabler…..
It is how we adapt to it!
7
Critical Characteristics of the 21st
Century Internal Auditor
Technologically Adept:
• The technology era is clearly transforming the globe
• Technology presents extraordinary risks and opportunities
for all enterprises
• The nature of internal audit has been impacted in terms of:
 The functions, programs, and processes to be audited
 The techniques employed to carry out the internal audit
mission
**From – Robert McDonald – Past Chairman of the IIA
8
Critical Characteristics of the 21st
Century Internal Auditor
Technologically Adept:
• 21st century internal auditors must:
 Understand IT control frameworks
 Be knowledgeable of functional areas of IT operations
 Be capable of auditing e-Commerce, EFT, EDI
 Be knowledgeable of encryption, computer forensics, and
Enterprise-wide resource planning (ERP) software
• In addition, internal auditors must be able to:
 Integrate technology into internal audit processes
**From – Robert McDonald – Past Chairman of the IIA
Source: CIA Examination Syllabus – Part III
9
Critical Characteristics of the 21st
Century Internal Auditor
Overview of Critical Traits:
• Risk-based orientation
• Global perspective
• Governance expertise
• Technologically adept
• Business acumen
• Creative Thinking and Problem Solving
• Strong ethical compass
**From – Robert McDonald – Past Chairman of the IIA
10
Evolution of IT Audit:
Historical IT Audit Stages
Stage
1st Generation EDP
Audit
(Pre-1980)
2nd Generation IS
Audit
(1980s)
3rd Generation IT
Audit
(1990s)
4th Generation IT
Audit
(2000s)
Characteristics
Focus
• “Checklist”-based EDP Audits
• Compliance with Policies &
procedures
• No IT Audit “Specialists”
Compliance
• Auditable IS areas
• Report Problems, Recommend
solutions
• Certified EDP Auditors “CISA”
Control Frameworks
• COBIT-Based Audits (1996)
• IT Control self-assessments
• “Integrated Audits”
Risk / Control
•
•
•
•
Facilitator of positive change
Enterprise-wide risk management
Impact of Sarbanes Oxley
Benchmark performance against
best practices
Risk Management Process
11
Technology and Audit
• Infrastructure Audit
• Integrated Audit
• Use of Technology as Tool
• Audit Automation
• Data Analytics
12
Top Down Approach For IT Risk
13
IT Risk Profile
14
Questions Board Should Ask related to IT Risk
15
Some Reasonable Objectives
for All Auditors
• Understand how technology fits into the overall business
processes and its impact.
• Describe key risks and control techniques introduced by
technology.
• Articulate the relationship between business transaction
processing risks introduced by information technology risks.
• Find and interpret the leading sources of information related to
technology control frameworks.
• Determine the significant technology issues to be considered
as part of the review of a business unit.
• Integrate application controls as part of business unit audits.
• Understand the emerging technology risk issues.
16
Model IT Controls Curriculum
• IIA The IIA’s Global Model Internal Audit
Curriculum – IT Auditing course Integrated 2012 – Schools recognized as part of IAEP
•
https://na.theiia.org/about-us/aboutia/pages/participating-iaep-programschools.aspx
• ISACA Model Curriculum - 2012
http://www.isaca.org/KnowledgeCenter/Academia/Pages/Programs-Aligned-with-ModelCurriculum-for-IS-Audit-and-Control.aspx
17
What does a University IT Audit and Risk
Management Course Objectives look like?
1.
Be able to identify key information technology risks and how to mitigate
those risks.
2.
Be able to develop a control checklist and key audit steps related to
technology risks.
3.
Be able to distinguish key user technology risks and controls.
4.
Be able identify the key content areas and have knowledge of all areas
covered by the Certified Information Systems Audit (CISA) exam.
5.
Identify sources for research of technology risks and apply those techniques
to an overall research paper.
6.
Learn those areas of technology risks that are currently of most concern to
the IIA, AICPA, and ISACA.
7.
Be able to distinguish and evaluate key application controls along with
auditing of application controls.
8.
Identify and evaluate risks in an e-business environment.
9.
Understand how to adapt audit coverage to areas of advanced and
emerging technologies.
18
LATEST TRENDS ...
Top Ten IT Priorities
From a Top Notch State Information Technology Organization
›› Cloud
›› Data Management
›› Data Sharing
›› Infrastructure
›› Legacy Applications
›› Mobility
›› Network
›› Open Data
›› Security and Privacy
›› Social Media
20
AICPA Top Ten Technology Issues
1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risk and compliance
4. Ensuring privacy
5. Managing system implementations
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10.Managing vendors and service providers
Emerging Technology Trends – EY Survey 2014
22
NEXT
Need Your Assistance
for CBOK Survey on
Technology Risk
Survey IIA CBOK Study of Top IT Risks 2015/2016
Cyber Security/Crisis Management
IT Systems Development Projects (includes SDLC)
Information Security (includes Confidentiality, Integrity Availability
and Privacy
Electronic Records Retention/Data Classification
Third Party IT Services/Outsourcing (includes Procurement and
Monitoring)
IT Governance
Mobile Devices/Computing
Cloud Services
24
Survey IIA CBOK Study of Top IT Risks 2015/2016
Social Media/Reputation Risk
Continuous Monitoring/Auditing
Broad IT Knowledge
Predictive Data Analytics
Risk Management/Business Continuity(BCP)/Disaster
Recovery
Enterprise Messaging
Emerging/Future Technologies (Impact on the Business)
IT Asset Management
BOTS(Web Robots)
IT Contract/Contract Management
Web Collaboration
25
What are you
doing for Internal
Audit IT
Integration?
26
Why are Global Technology Audit
Guides (GTAG’s) more important?
27
BIG THREE TECHNOLOGY RISK
CATEGORIES
• Information Security
• Business Continuity
• Change Management
28
Seventeen GTAGs Published
Have you seen these?
• GTAG-1: IT Controls
2nd
(Published in Mar 2005)
EDITION MARCH 2012
• GTAG-4:
Management of IT
Auditing
2nd
• GTAG-2: Change and
Patch Management
Controls
2nd
(Published in June 2005)
EDITION MARCH 2012
• GTAG-3:
Continuous
Auditing
(Published in Oct 2005)
Update Coming Soon
(Published in Mar 2006)
EDITION January 2013
• GTAG-5: Auditing
Privacy Risks
(Published in June 2006)
2nd EDITION July 2012
• GTAG-6: Managing
and Auditing IT
Vulnerabilities
(Published in Oct 2006)
DELETED January 2013
29
Seventeen GTAGs Published
Have you seen these?
• GTAG-7: Information
Technology Outsourcing
(Published in Mar 2007)
• GTAG-10: Business
Continuity
Management
(Published in July 2008)
(Updated August 2014)
• GTAG-8: Auditing
Application Controls
(Published in July 2007)
• GTAG-11:
Developing the IT
Audit Plan
(Published in July 2008)
• GTAG-9: Identity and
Access Management
(Published in July 2007)
• GTAG-12:
Auditing IT
Projects
(Published in March
2009)
30
Seventeen GTAGs Published
Have you seen these?
• GTAG-13: Fraud Detection
and Prevention in an
Automated World
• GTAG-16: Data
Analysis
Technologies
• GTAG-14: Auditing
User Developed
Applications
• GTAG-17: Auditing
IT Governance
(Published in December 2009)
(Published in August
2011)
(Published in July 2012)
(Published in June 2010)
• GTAG-15:Information
Security Governance
(Published in July 2010)
• GTAG-18 and 19:
Cloud Computing
and Social Media
(Coming Soon)
31
What Every Business Auditor Should
Understand Related to IT Controls
Global Technology Auditing Guide 1-2nd Edition
32
The Board should:
• Understand the strategic value of the IT function.
• Become informed of role and impact of IT on the enterprise.
• Set strategic direction and expect return.
• Consider how management assigns responsibilities.
• Oversee how transformation happens.
• Understand constraints within which management operates.
• Oversee enterprise alignment.
• Direct management to deliver measurable value through IT.
• Oversee enterprise risk.
• Support learning, growth, and management of resources.
• Oversee how performance is measured.
• Obtain assurance.
33
Executive management should:
• Become informed of role and impact of IT on the enterprise.
• Cascade strategy, policies, and goals down into the enterprise, and align
the IT organization with the enterprise goals.
• Determine required capabilities and investments.
• Assign accountability.
• Sustain current operations.
• Provide needed organizational structures and resources.
• Embed clear accountabilities for risk management and control over IT.
• Measure performance.
• Focus on core business competencies IT must support.
• Focus on important IT processes that improve business value.
• Create a flexible and adaptive enterprise that leverages information and
knowledge.
• Strengthen value delivery.
• Develop strategies to optimize IT costs.
• Have clear external sourcing strategies.
34
Senior management should:
• Manage business and executive expectations relative to IT.
• Drive IT strategy development and execute against it.
• Link IT budgets to strategic aims and objectives.
• Ensure measurable value is delivered on time and budget.
• Implement IT standards, policies and control framework as needed.
• Inform and educate executives on IT issues.
• Look into ways of increasing IT value contribution.
• Ensure good management over IT projects.
• Provide IT infrastructures that facilitate cost-efficient creation and sharing of business
intelligence.
• Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives
and create value.
• Assess risks, mitigate efficiently, and make risks transparent to the stakeholders.
• Ensure that roles critical for managing IT risks are appropriately defined and staffed.
• Ensure the day-to-day management and verification of IT processes and controls.
• Implement performance measures directly and demonstrably linked to the strategy.
• Focus on core IT competencies.
35
The internal audit activity should:
• Ensure a sufficient baseline level of IT audit expertise in the
department.
• Include evaluation of IT in its planning process.
• Assess whether IT governance in the organization sustains and
supports strategies and objectives.
• Identify and assess the risk exposures relating to the
organization’s information systems.
• Assess controls responding to risks within the organization’s
information systems.
• Ensure that the audit department has the IT expertise to fulfill its
engagements.
• Consider use technology-based audit techniques as appropriate.
36
IT Control Framework Checklist
(Sample from GTAG 1)
1. What legislation exists that impacts the need to IT controls?
2. Has management taken steps to ensure compliance with
this legislation?
3. Have all relevant responsibilities for IT Controls been
allocated to individual roles?
4. Is the allocation of responsibilities communicated to the
whole organization?
5. Do individuals clearly understand their responsibilities in
relation to IT controls?
6. Does internal audit employ sufficient IT audit specialists to
address the IT control issue?
7. Do corporate policies and standards that describe the need
for IT controls exist?
37
Understanding IT Controls – Who
should Understand What?
A top-down approach used when considering controls to implement and determining areas on
which to focus. From Global Technology Audit Guide 1.
38
COSO Model for Technology Controls
Monitoring:
Information &
Communication:
• Monthly metrics from
Technology Performance
• Technology Cost and Control
performance analysis
• Periodic Technology
management assessments
• Internal audit of technology
enterprise
• Internal audit of high risk
areas
MONITORING
INFORMATION AND
COMMUNICATION
• Periodic corporate communications
(intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of
best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution
CONTROL ACTIVITIES
Control Activities:
• Review Board for Change
Management
• Comparison of technology
initiatives to plan and ROI
• Documentation and approval of
IT plans and systems
architecture
• Compliance with Information
and Physical Security
Standards
• Adherence to Business
Continuity Risk Assessment
• Technology standards
compliance enforcement
Risk Assessment:
RISK ASSESSMENT
CONTROL ENVIRONMENT
• IT risks included in overall corporate
risk assessment
• IT integrated into Business Risk
Assessments
• Differentiate IT controls for high risk
business areas/functions
• IT Internal audit assessment
• IT Insurance assessment
Control Environment:
•
•
•
•
•
Tone from the Top – IT and Security Controls Considered Important
Overall Technology Policy and Information Security Policy
Corporate Technology Governance Committee
Technology Architecture and Standards Committee
Full Representation of All Business Units
39
Technology Maturity Model
Drill-down dashboards
of all key audit activity
Quality assessment tool
Continuous controls
testing and monitoring
Automated sharing of
audit programs and files
Intranet for audit knowledge
sharing,
training, and access
Formal technology strategy
to tools
Highly skilled data team
Expanded technical
training for staff
Expanded suite of data tools
Automated work papers
Data retrieval used on most audits
Reusable programs and checklists
Initial use of CAATs
Access to external risk
and control databases
Technology specialist(s)
Files, etc., in electronic format
Custom data mining / data
analytics
Use of technology a core
competency
Standalone automated
testing routines, e.g. fraud
Online training programs available
on demand
Risk assessment tools
Audit scheduling tool
Initial ad hoc data mining
Fully integrated audit management
system
Issues availability, tracking
updating by management
Continuous risk assessment
Global Technology Audit Guide that All Business
Auditors should put into Practice
•
Application controls and their benefits
• The role of internal auditors
• How to perform a risk assessment
• Application control review scoping
• Application review approaches
• Common application controls, suggested tests,
and a sample review program
41
Cobit 5-What Should You Know?
42
USE OF
TECHNOLOGY
AS A TOOL
43
Technology Process Gap Analysis: Example
Red is current state, Green is desired next stage of maturity
Core Technology
Process (CTP)
Initial
1.
Technology Strategy &
Focus
X
2.
Risk Assessment &
Monitoring
X
3.
Audit Planning &
Scheduling
4.
Knowledge
Management
5.
Data Analysis & Mining
6.
Audit Reporting &
Issue Tracking
7.
Audit Execution &
Documentation
8.
Training
9.
Human Re sources
10. Quality Improvement
Adequate
Enhanced
Optimized
X
X
Sets a clear priority
XX
XX
X
May
decide
some
areas are
fine for
now
X
X
XX
XX
X
X
X
X
X
Don’t have
to move to
Optimized
for all
IT Audit-Questions to Ponder
•
What kind of technology audits should we be doing?
•
How integrated should the audit group be?
•
What technology should we be using in the Audit
Group?
•
What skills should the non-IT auditor have?
•
What is the mix of audit coverage for projects
versus ongoing audit work?
•
Where are resources found for IT Audit?
•
Should parts of IT Audit be outsourced?
•
What parts of Information Technology should be
outsourced?
•
What about periodic vulnerability testing?
•
How do individuals get started in IT Audit?
45
Summary and Next Steps
•
•
•
•
•
•
•
•
•
•
Understand the technology in your environment
Understand the GTAG Series and determine how it
applies
Utilize the business functions and technology within the
enterprise
Understand your technology controls framework
Understand your key information technology risk
Equate technical issue to business processes
Provide business unit with perspective of how well the
technology is doing that supports the business unit
Perform high level mapping of applications to business
units
Provide CIO view of how his business is doing
Determine technology training requirements for all
levels of audit staff and determine gaps
46
Mark Salamasick Contact Info
•Email: [email protected]
•Office Phone: (972) 883-4729
•Cell Phone: (972) 768-3016
•Office: University of Texas at Dallas
•
School of Management-4.218
•
800 West Campbell Road, SM 41
•
Richardson, TX. 75083-0688
•Website: www.utdallas.edu/~msalam
Jindal.utdallas.edu/iaep
47