440 likes | 594 Views
Collaborative Relationship Between IT and Internal Auditing. Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President, Association of College & University Auditors rob.clark@business.gatech.edu voice (404) 894-4606/ fax (404) 894-6990
E N D
Collaborative RelationshipBetween IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President, Association of College & University Auditors rob.clark@business.gatech.edu voice (404) 894-4606/ fax (404) 894-6990 www.audit.gatech.edu Robert N. Clark, Jr., C.I.A., Director of Internal Auditing, Georgia Tech June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices • Cooperation with response to Information Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices • Cooperation with response to Information Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Reporting Structure at GIT Vice Chancellorfor Audit Services Board of Regents President Provost Sr. VP Admin & Finance Director ofInternal Auditing CIO Director Info Security Executive Staff Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Internal Audit Primary MissionFour Potential Orientations APPROACH DETECTION • Focus on examination of past transactions • Report past problems and recommend solutions • Maintain rigid independence Passive Internal Control* SCOPE *Defined along the lines of COSO’s Integrated Framework Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Internal Audit Primary MissionFour Potential Orientations PREVENTION • Active promotion of internal control agenda • Recommending preventive measures to the campus unit and advice in making changes • Maintain objectivity while eliminating unnecessary organizational barriers Active APPROACH DETECTION • Focus on examination of past transactions • Report past problems and recommend solutions • Maintain rigid independence Passive Internal Control* SCOPE *Defined along the lines of COSO’s Integrated Framework Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Internal Audit Primary MissionFour Potential Orientations PREVENTION • Active promotion of internal control agenda • Recommending preventive measures to the campus unit and advice in making changes • Maintain objectivity while eliminating unnecessary organizational barriers Active APPROACH ADVISORY DETECTION • Defining process improvement opportunities, if seen • By-product of internal control assessment but not focusing on internal controls • Moving away from compliance auditing (dangerous position…) • Focus on examination of past transactions • Report past problems and recommend solutions • Maintain rigid independence Passive Internal Control* SCOPE Business Performance *Defined along the lines of COSO’s Integrated Framework Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Internal Audit Primary MissionFour Potential Orientations PREVENTION SOLUTION • Active promotion of internal control agenda • Recommending preventive measures to the campus unit and advice in making changes • Maintain objectivity while eliminating unnecessary organizational barriers • Target process improvements as a key goal • Focus on Assessing Risk and Management’s Mitigation of Risk • Work toward implementation of cost-beneficial internal controls & compliance • Teamwork approach while maintaining objectivity and independent perspective Active APPROACH ADVISORY DETECTION • Defining process improvement opportunities, if seen • By-product of internal control assessment but not focusing on internal controls • Moving away from compliance auditing (dangerous position…) • Focus on examination of past transactions • Report past problems and recommend solutions • Maintain rigid independence Passive Internal Control* SCOPE Business Performance *Defined along the lines of COSO’s Integrated Framework Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Internal Audit’s Role… • …it’s more than counting beans... Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Assessing Risk… Internal Audit’s role: • Identify key risks of the organization • Look at all areas of exposure, not just financial • Focus on the issues that matter most in safeguarding the assets of the Institute • Develop audit procedures to examine high risk areas and verify strength of processes to mitigate risks • Provide feedback to mgmt on effectiveness of policies and procedures • Promote awareness of policies and best practices • Help bring Management together on key risks • Develop organizational approach to managing risk Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
What is RISK? Strategic Plan in year 2010 … Anything that could prevent the organization from meeting its goals Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Assessing Risk – with Management • Talk with all members of Senior Management (one-on-one discussions) • Ask key questions, such as: • “Where are potential exposures?” • “What keeps you up at night?” • “Where do you see risks for your unit and GIT?” • “What are some of the potential adverse situations that could occur within…?” • Goal is to identify and inventory RISKS Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Assessing Risks: Description of adverse situation that could occur Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5) Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5) x Probability of this situation occurring (1-5) = Risk Ranking Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Risk Discussion Tool Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Audit Risk Universe Info Systems Public Relations Financial Human Resources Health & Safety Legal Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Audit Focus -- Zeroing In Information Gathering Monitoring/ General Awareness(committees) Informal Reviews (surveying internal control) Audits of compliance & controls - Auditor's Traditional Comfort Zone + Risk-Based Audits(processes & risk) - Perceived Value to Mgmt. + Process Improvement (reengineering) Strategy/Solution Development/ Partnering w/ Mgmt. as Key Resource Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Identifying Unit-level Information Systems Risks • Logical Security • Environmental and PhysicalControls • Data Security and Stewardship • Management of IS Resources • Equipment Maintenance • Back-up and Recovery • Training and Documentation • Operations/ Administration • Web Site Operation/ Development • Software Licensing Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices • Cooperation with response to Information Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
IT Advising IA on audit coverage… • CIO, Director of Information Security, and others in IT review draft of audit programs, in some cases helping to draft audit steps (“What would you, as CIO, look for if you were conducting these reviews?”) • IT provides further insight, clarification, and direction to auditors • Internal Auditing seeks IT’s opinion/support regarding feasibility of audit recommendations • Ultimately, Internal Auditing’s decision – but collaborating with IT to ensure the most effective coverage of IT risks throughout the organization Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
The Audit Plan • Focus on reviewing how each organization is moving toward effectively and efficiently mitigating each of the risks • Independent verifications & attestations to determinestrength of processes • Conclusions are forward-looking - how well positionedare they to deal with risk ? Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices • Cooperation with response to Information Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Feedback to IT… • Reports go not only to unit head but to senior management (including CIO) to show where opportunities for improvement exist • Direct communication with CIO regarding areas in which more training/education/guidance or IT focus should be provided to campus units • IA offers advice to senior mgmt on areas for policy enhancement Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices • Cooperation with response to Information Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Recommended best practices… • IA provides trend analysis summariesto senior management (including CIO) showing common areas acrosscampus requiring improvement • Leads to targeted plans for action aimed at addressing the specific issues (as opposed to blanket policies which may be unnecessarily onerous) Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Recommended procedures… • President assembled committee (chaired by CIO) to revise Computer Network Usage Policy • VP for Finance, VP for HR, Chief Legal Advisor, Director of Internal Auditing, Associate Dean, Student Govt. rep, & others • [Note: IA’s role was not to “set” policy, rather to advise committee on key areas the policy should address] Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices • Cooperation with response to Information Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Responding to Info Security Incidents • Information on an incident may come from a variety of sources: • OHR – personnel-related complaint • Legal Affairs – person seeking legal advice • Financial Services – questionable transaction(s) • Campus Police – allegation of illegal behavior • Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection system reports, etc. • Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc. Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Responding to Info Security Incidents • Challenge: ensuring a consistent approach to dealing with incidents • Risk: If investigation not handled appropriately or consistently, puts Institute at risk • Solution: IA recommended creation of ad-hoc task force and procedure to address Info Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
http://www.audit.gatech.edu/IAcollabrative2.wmf Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Step 1 • Incident is brought to attention of member of mgmt • He/She convenes Ad-Hoc Group [CIO, AVP-OHR, Chief Legal Advisor, Director Internal Auditing, Director of Information Security] • “What do we know now?” • Group shares info to determine other resources that may need to be involved (e.g., Director Campus Security, AVP- Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.) • Group determines needed resources Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Step 2 • Group makes a determination on the potential outcome • E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only? • This determines procedures to be followed in conducting the investigation and standard of evidence to which to adhere • Also determines whether law enforcement should be notified and/or involved Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Step 3 • Group determines who will take the lead in facilitating the investigation. This person: • Coordinates efforts, arranges meetings, initiates status reporting • Initiates status reporting to the Office of the President • Determines appropriate custodian of investigation data • Facilitates reporting at the end of investigation Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Step 4 • Investigation is conducted following appropriate procedures agreed-to by Group • Regular communication with Group on status, observations, noteworthy issues • Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Step 5 • Group re-convenes to: • evaluate effectiveness of process; • document “lessons learned”; and • discuss ways the situation may be prevented in the future, e.g., • Additional audit steps to examine for this elsewhere? • Need for policy enhancement? • Need for additional education/awareness? Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration: • Assessing Risk • Advising IA on audit coverage • Feedback to IT on effectiveness of IT policy • Input to IT on recommended controls, procedures, and best practices • Cooperation with response to Information Security incidents Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Results of Collaborative Approach • IA and IT aligned on areas of high risk • Common approach for responding to Information Security incidents • IT becomes source of “education and awareness” for IA • IA able to represent organizational perspective on IT issues across campus to audiences to which IT would not normally have access • IA provides independent and objective feedback to IT on effectiveness of IT policies and procedures (within OIT and across the campus) • Combining perspectives to establish best practices for Information Systems across organization Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Questions/ Discussion Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003