Integrating the IT Specialist into the Audit Team Daniel J. O’Keefe, CPA, MBA, CFE Moore Stephens Lovelace, P.A. Chris Ghosio, CCNP, CCDA, TMCSM, TMCSE MSL Technologies
Agenda
• National Security Risks
• Why Use IT Audit Specialists?
• What IS Data Security?
• Audit Standards and IT
• Auditing IT Controls
• Common IT Findings in a Financial Statement Audit
• PCI DSS Compliance
National Security Risks
• Titan Rain
• State Department’s East Asia Bureau
• Offices of Representative Frank Wolf
• Commerce Department
• Naval War College
• Commerce Secretary Carlos Gutierrez and the 2003 Blackout
• McCain and Obama Presidential Campaigns
• Office of Senator Bill Nelson
• Ghostnet
• Lockheed Martin’s F-35 Program
National Security Risks (cont’d.)
• DOE Encounters Over 10 Million Cyber Attacks a Day
• NASA Victim of 13 Major Cyber Attacks Last Year
• Number of Computer Viruses:
  • 2000: Over 50,000
  • 2005: Over 100,000
  • 2010: Over 1,000,000
• World Economic Forum puts Cyber Attacks in Top Five Biggest Global Risks for 2012
• Cyber Command was created in 2010 at Fort Meade, next to the operations center for the NSA, the nation’s largest spy agency
Why Use IT Audit Specialists?
• Audit Standards Require a “Risk-based Approach”
  • OLD SCHOOL – Garbage in, Garbage out
  • NEW SCHOOL – Assess IT Risk by Evaluating Risk Factors
• Most CPAs are not Adequately Trained to Assess IT Risks
• IT Specialists can Effectively Communicate with IT Personnel
Why Use IT Audit Specialists? (cont’d.)
BENEFITS
• Reduces Audit Risk
• Provides the Ability to use Computer Assisted Audit Techniques
• Provides Value-added Service
• Completes the Audit Loop
Why Use IT Audit Specialists? (cont’d.)
BURDENS
• May Add Additional Cost to Audit
• Would Need to Apply “Use of a Specialist” Procedures if Outsourced
• Locating a Qualified IT Specialist
• Monitoring IT Specialist’s Activities
Think of Security as Being Similar to Castle Defenses
(Castle diagram; labelled elements: Flanking Towers, Battlements, Gatehouse Tower, Arrow Slits, Curtain Wall, Moat, Narrow Bridge)
The focus of the IT evaluation is to determine if defenses are in place to ensure financial data maintains:
• Confidentiality – Preventing the disclosure of information to unauthorized individuals or systems
• Integrity – Ensuring that data or information cannot be changed undetectably
• Availability – Ensuring the information is available when needed
IT Considerations in a Financial Statement Audit
Audit Standards and IT
Auditor’s primary interest is in an entity’s use of IT to:
• Initiate
• Authorize
• Record
• Process, and
• Report transactions or other financial data
IT Considerations in a Financial Statement Audit
Audit Standards and IT (cont’d.)
IT may provide efficient and effective controls by:
• Enhanced timeliness, availability, and accuracy of information
• Facilitation of information analysis
• Enhanced monitoring of policies and procedures
• Reduced risk of circumvention of controls
• Report transactions or other financial data
IT Considerations in a Financial Statement Audit
Audit Standards and IT (cont’d.)
IT may pose risks to internal control by:
• Unauthorized access to data (destruction, changes, unauthorized transactions)
• Unauthorized changes to master files
• Unauthorized changes to systems or programs
• Failure to make proper changes to systems or programs
• Potential loss of data or inability to recover data
Auditing IT Controls
Starts with the IT survey:
• Helps provide a baseline of the environment
• Identifies financial applications and supporting components:
  • IT Organization
  • IT Security Controls
  • IT Operations
Auditing IT Controls (cont’d.)
Perimeter protection configurations:
• Firewalls
• IPS / IDS
• DMZ
• Wireless
• Web Content Filtering
• Remote Access (VPN)
Desktop Security:
• Local Administration Permissions
• Anti-malware Software
Auditing IT Controls (cont’d.)
Server Security:
• Application and Folder Permissions
• Server Security Hardening
Financial Applications Security:
• User Permissions
• On-line Payments
User Administration:
• Controls for Adding and Removing Users
Auditing IT Controls (cont’d.)
Data Backup:
• Backup Jobs
• Backup Storage
• Data Encryption
• Restore Testing
Auditing IT Controls (cont’d.)
Policies and Procedures:
• IT Security Policy
• Physical Security Policy
• Firewall Policy
• Encryption Policy
• User Management Policies
• Acceptable Use Policies
• Security Awareness Program
Auditing IT Controls (cont’d.)
Patch Management:
• How are patches approved?
• How are patches applied?
• Is patch management automated?
Vulnerability Management:
• Internal vulnerabilities
• External vulnerabilities
• How are each identified?
• Remediation efforts?
Auditing IT Controls (cont’d.)
Change Management:
• How are changes tested?
• How are changes approved?
• Are all changes documented?
Business Continuity Planning and Execution:
• Are plans in place to restore the financial applications?
• Have the plans been tested?
Common IT Findings in a Financial Statement Audit
Controls to be Evaluated
• Physical Security
• User Account Management
• AntiVirus and Malware
• Data Backup
• Application Security
• Network Security
• Policies and Procedures
• Business Continuity/Disaster Recovery
Common IT Findings in a Financial Statement Audit
Physical Security
• Excessive staff access to the computer room
• No access logs to the computer room – Who was in there? When? Why?
• No video surveillance in computer room – What were they doing?
• Security lacking in Telecom closets – Could bring down your network!
User Management
• Terminated employees still in the systems
• Shared administrator user IDs
• Password complexity rules not used or only partially implemented
• End users configured as power users or administrators
• Password-protected screensavers, network and application timeouts not enforced
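The user-management findings above are the kind an IT specialist can surface mechanically by matching a directory export against HR records. The following is an added example, not material from the presentation or the authors' firms; the HR roster, the account export and the 90-day password age are constructed sample data and an assumed policy value.

```python
"""Cross-check a directory account export against HR records to flag the
user-management findings listed in the presentation (added example; all
records below are constructed)."""
from datetime import date

AS_OF = date(2012, 5, 8)          # audit fieldwork date (constructed)
MAX_PW_AGE_DAYS = 90              # assumed password-policy maximum

# Constructed HR roster: username -> termination date (None = still employed)
HR_RECORDS = {
    "jsmith": None,
    "mlopez": date(2012, 3, 15),  # terminated; account should be disabled
    "tchen": None,
    "rpatel": date(2012, 1, 2),   # terminated and correctly disabled
}

# Constructed directory export, one record per account.
# it_staff=False means an end user; shared=True means a non-personal login.
ACCOUNTS = [
    {"user": "jsmith", "enabled": True,  "admin": False, "shared": False, "it_staff": False, "pw_set": date(2012, 4, 1)},
    {"user": "mlopez", "enabled": True,  "admin": False, "shared": False, "it_staff": False, "pw_set": date(2012, 3, 1)},
    {"user": "tchen",  "enabled": True,  "admin": True,  "shared": False, "it_staff": False, "pw_set": date(2012, 4, 10)},
    {"user": "rpatel", "enabled": False, "admin": False, "shared": False, "it_staff": False, "pw_set": date(2011, 12, 1)},
    {"user": "admin",  "enabled": True,  "admin": True,  "shared": True,  "it_staff": True,  "pw_set": date(2010, 1, 1)},
]


def review_accounts(accounts, hr, as_of, max_pw_age_days=MAX_PW_AGE_DAYS):
    """Return (username, finding) pairs; each finding mirrors a slide bullet."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        term = hr.get(user)
        if acct["enabled"] and term is not None and term <= as_of:
            findings.append((user, "terminated employee still enabled"))
        if acct["admin"] and acct["shared"]:
            findings.append((user, "shared administrator ID"))
        if acct["admin"] and not acct["it_staff"]:
            findings.append((user, "end user configured as administrator"))
        if acct["enabled"] and (as_of - acct["pw_set"]).days > max_pw_age_days:
            findings.append((user, "password older than policy maximum"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(ACCOUNTS, HR_RECORDS, AS_OF)


if __name__ == "__main__":
    for user, finding in run_review():
        print(f"{user:8} {finding}")
```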
Common IT Findings in a Financial Statement Audit
AntiVirus and Malware
• AutoRun or AutoPlay functionality enabled
• Lack of centralized control and management of AntiVirus software
Data Backup
• Backups not stored out-of-area
• Backups not stored in a secure, offsite location
• Transport of backup tapes not logged
• Backups not encrypted
• Backup tapes not tested
• No formal procedure in place to “age” backup tapes
Common IT Findings in a Financial Statement Audit
Application Security
• Inadequate user password rules
• No interface with Active Directory (requires multiple logons)
• Lack of activity logging, reporting and monitoring capabilities
• IT staff with excessive access to production data
• Decentralized security administration (no separation of duties)
Common IT Findings in a Financial Statement Audit
Network Security
• Administration of network devices over unsecured protocols
• Shared and local administrator IDs on network devices
• Firewall rules need tightening
• Intrusion Prevention Systems either not installed or not maintained
• No formal procedure for monitoring server and network device events
• No log aggregation
Common IT Findings in a Financial Statement Audit
Policies and Procedures
Common Deficiencies in Policies and Procedures:
• Security Awareness Program
• Acceptable Use Policies and Procedures
• User Account Management Policies (HR)
• Change Control Policies and Procedures
• Patch Management Policies and Procedures
• Data Backup Management
• Encryption Management
• Personal Computing Device Management Policies
Common IT Findings in a Financial Statement Audit
Business Continuity and Disaster Recovery
• Lack of fully documented Disaster Recovery Plan
• Lack of fully documented Business Continuity Plan
• Lack of exercising or testing of plans
IT Personnel Risks
Risks vary depending upon the size of your business:
• Small Business – Do you need a full-time IT person? If you have one, do they have the proverbial “keys to the kingdom”?
• Medium Business – Attracting and retaining skilled technicians is a challenge, as is maintaining their technical skill levels and certifications.
• Enterprise – Is the number of technicians on staff adequate to support the needs of the enterprise, and are their skill levels appropriate?
Outsourcing IT Functions
One option for mitigating some of the personnel risks associated with IT is to outsource some or all functions to a third party.
• Small Business – A lot of small businesses are outsourcing all IT functions to IT vendors.
• Medium Business – Typically outsource on a regular basis, as their IT staff has limited skill sets.
• Enterprise – Utilize IT consultants for specialized projects.
Common Risks in Outsourcing IT
• Outsourcing a critical process.
• Someone other than an internal employee handling your data and IT.
• IT vendor misrepresented skill level and expertise of staff.
• IT vendor does not adhere to Service Level Agreements (SLAs).
Evaluating & Selecting Outsourcers
• Types of technical competencies the outsourcer possesses.
• Experience in your industry.
• Agreement terms.
• SLAs.
• Is the “Cloud” a good option? Do your due diligence.
Payment Card Industry (PCI) Data Security Standard (DSS) PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. PCI DSS applies wherever account data is stored, processed or transmitted. The primary account number is the defining factor in the applicability of PCI DSS requirements. If a primary account number (PAN) is stored, processed or transmitted, PCI DSS requirements apply.
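Because applicability turns on whether a PAN is stored, processed or transmitted, a scoping review usually starts by searching data stores for PAN-shaped values. The following is an added example, not material from the presentation; the sample records are constructed, and the card numbers in them are the widely published Visa and Mastercard test numbers rather than real accounts.

```python
"""Locate primary account numbers (PANs) in text so an auditor can judge
whether PCI DSS is in scope (added example; sample data is constructed)."""
import re

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by the card brands; weeds out random
    digit runs such as invoice or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return PANs found in text, masked to first six and last four digits
    so the finding itself does not become another place the PAN is stored."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return found


def pci_in_scope(text: str) -> bool:
    """PCI DSS applies if any PAN is stored, processed or transmitted here."""
    return len(find_pans(text)) > 0


# Constructed export from a hypothetical billing system: one PAN with spaces,
# one with dashes, plus invoice, phone and reference numbers that must not match.
SAMPLE_RECORDS = """\
invoice 10023 customer 4111 1111 1111 1111 amount 250.00
order 778812 phone 555-010-0199 ref 1234567890123
refund card 5500-0000-0000-0004 amount 75.00
"""

if __name__ == "__main__":
    print("PCI DSS in scope:", pci_in_scope(SAMPLE_RECORDS), find_pans(SAMPLE_RECORDS))
```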
PCI DSS High-level Overview
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
PCI DSS High-level Overview (cont’d.)
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
PCI DSS High-level Overview (cont’d.)
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
In Summary
Data is the lifeblood of an organization; are the right controls in place to protect it?
Questions?
Daniel J. O’Keefe, Moore Stephens Lovelace, P.A. – dokeefe@mslcpa.com – 407-740-5400
Chris Ghosio, MSL Technologies – cghosio@msltechnologies.com – 321-214-2223