“Walking Through an Internal IT Audit”
MSU IT Exchange Conference, August 12, 2010

Your Presenters
• Thomas Luccock, CPA, CIA, Director of Internal Audit
• Steve Kurncz, CISA, CISM, Information Technology Audit Manager
• Michael Chandel, CISA, Senior Information Technology Auditor
Our Mission
“To assist University units in effectively discharging their duties while ensuring proper control over University assets.”
Internal Audit at MSU
• History of Internal Audit function at MSU
• Our Charter
  • Introduction
  • Purpose
  • Authority
  • Responsibility
  • Independence
  • Audit Scope
  • Special Investigations
  • Reporting
  • Audit Standards and Ethics
Internal Auditing Defined
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
(Courtesy of the Institute of Internal Auditors (IIA))
Your Perception of an Auditor
“Oh, those >insert your best insult here<”
“They’re out to get us!”
“They’re going to snoop through our data!”
#@*#$%$&$#*%!!!
(Image: “The Matrix”, 1999)

Our Perception of an Auditor
(Image: “The Blues Brothers”, 1980)
The Reality of your Internal Auditors
• Internal Audit Approach
  • Objective members of “Team MSU”
  • Act as an independent internal assurance and consulting function designed to help add value to and improve the operation of our University.
  • We are here to assist you and help protect our University as a whole.
  • We try to view audit projects as a partnership with you and your department.
  • We attempt to be as “transparent” as possible.
Certified Auditors
• Certified Information Systems Auditor (CISA) designation
  • Globally accepted and recognized standard of achievement among information technology (IT) audit, control and security professionals
  • Sponsored and governed by the Information Systems Audit and Control Association (ISACA)
    • More than 86,000 members in more than 160 countries.
  • Accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024
• Requirements of Certification:
  • Successful Completion of the CISA Examination.
    • 200 Question exam with a four (4) hour time limit.
  • Equivalent of a minimum five (5) years professional information systems auditing, control and security work experience.
  • Adherence to the ISACA Code of Professional Ethics.
  • Continuing Professional Education (CPE) Policy observance.
    • Must complete a minimum of 120 CPE Hours every three (3) years for continued certification.
  • Adherence to the Information Technology Assurance Framework (ITAF) Auditing Standards adopted by ISACA
Audit Plan Development
• “C’mon, why us???”
• University-Wide Risk Assessment
  • Inherent Risk: The nature of your business.
• Incident Response Procedures
• By Special Request
(Image: Tom Izzo, Head Men’s Basketball Coach)

Audit Plan Approval
• University President Review and Approval
  • Monthly Meetings
  • Reporting
• University Audit Committee Review and Approval
  • University Board of Trustees
  • Audit Committee Quarterly Meetings
  • Annual Meetings
  • Reporting
Stage 1: Planning
• Audit Engagement
  • Engagement Letter
  • Preliminary Information Request
• Opening Meeting
  • Project Overview Given to the Management Group
  • Designate a Primary Contact Person
  • Official Project Start Date
• Inquiry of Management & Staff
  • Interviews & Internal Controls Questionnaires (ICQ)
  • Tours
• Scope Definition
  • Risk Assessment
  • Six (6) Month “Snap-Shot”
Stage 2: Fieldwork & Documentation
• Observations of Processes & Procedures
• Determining & Documenting the Flow of Data
  • Data Entry through Data Deletion
  • General Information Technology Controls
  • Unit Level Application Controls
• Sampling & Testing
  • Select Specific System Components, Processes and Reports to Review and Compare
• Collaboration with Unit Staff
  • Nothing Done Without IT Personnel Assistance or Knowledge
• Verification of Statements Made
  • Sample the Verbal Statements Made During the Planning Process to Verify Accuracy
Stage 3: Issue Discovery & Validation
• Risk Exposure Discovery & Evaluation
  • Risk Identification Process Based on ICQs & Fieldwork
  • Risk Validation & Mitigating Controls Discussion with IT Personnel
• Risk Exposure Presentation to Management
  • Discussion with Management Regarding Identified Risk & Potential Mitigating Controls
• Management Solution Development
  • Risk Mitigation vs. Risk Acceptance
  • Risk Considerations in Strategic Planning
Stage 4: Reporting
• Draft Report Development & Distribution
  • Based on Levels of Identified Risk (Verbal vs. Written)
  • Closing Meeting Discussion
  • Limited Draft Distribution
• Management Response Opportunity
  • Due 30 Days from Issuance of Draft Report
  • Short Description of Management's Plans and Timeline to Address Identified Risk
• Final Report Distribution
  • Standard Executive Distribution List with Additional Unit Requests
  • Management Responses Included

Stage 5: Issue Tracking
• Post Audit Review & Follow Up
  • Three (3) to Six (6) Months After Final Report is Issued
  • Review of Management Response Status
  • Written Status Report Issued to Final Distribution List
• Periodic Status Updates
  • Potential Second Post Audit Review
  • Otherwise, We May Request Periodic Progress Updates
Audit Project Time Table
• Just how long will this all take?
• Standard Audit Fieldwork takes approximately one (1) to three (3) months depending on the scope of the audit and complexity of the area under review.
• Limited Review Fieldwork is less time intensive and may only last one to two weeks.
(Image: Mark Dantonio, Head Football Coach)
IT Audit Scope
• MSU Policies, Best Practices, Guidelines and Resources:
  • Libraries, Computing & Technology
    • http://computing.msu.edu/ (www.msu.edu - Keyword Search: Computing & Technology)
  • Department Policies and Guidelines
• IT Industry Standards and Best Practices:
  • Information Systems Audit and Control Association (ISACA)
    • Control Objectives for Information and related Technology (COBIT)
  • National Institute of Standards and Technology (NIST)
    • www.nist.gov – Information Technology \ Computer Security Portal
  • SANS.org
    • Computer Security Training, Network Research and Resources
  • International Organization for Standardization (ISO)
    • ISO 17799 / 27000

University Standards & Guidelines
• LCT Guidelines and Policies
  • http://www.lct.msu.edu/guidelines-policies/
• Managing Sensitive Data
  • http://computing.msu.edu/msd/
• Securing Enterprise Data
  • http://computing.msu.edu/msd/documents/Securing_Enterprise_Data_at_MSU_w_ISO_17799_checklist_14_Apr_07.pdf
• Disaster Recovery Planning
  • http://www.drp.msu.edu/
Industry Best Practices
• ISACA: Information Systems Audit and Control Association
• NIST 800 Series
  • NIST 800-53 General Controls
  • http://csrc.nist.gov/publications/PubsSPs.html
  • Risk Assessment Framework: http://csrc.nist.gov/groups/SMA/fisma/framework.html
• SANS: SysAdmin, Audit, Network, Security
  • www.sans.org
  • Audit Focus Site: http://blogs.sans.org/it-audit/
  • 20 Critical Security Controls for Effective Cyber Defense
• ISO 27000 (Formerly ISO 17799:2005)
  • http://www.27000.org/
• http://www.sharedassessments.org/ (tool)

Summary of Topics
• Internal Audit Overview
• Audit Plan Selection
• Audit Process
• Timetable
• Best Practices
Thank You!

Steve Kurncz
Information Technology Audit Manager
309 Olds Hall, East Lansing, MI 48824-1047
Phone: (517) 355-5030
Fax: (517) 432-1997
Website: www.msu.edu/~intaudit
Email: kurncz@msu.edu

Michael Chandel
Senior Information Technology Auditor
309 Olds Hall, East Lansing, MI 48824-1047
Phone: (517) 355-5030
Fax: (517) 432-1997
Website: www.msu.edu/~intaudit
Email: chandel@msu.edu