Preparing for an IT Audit
September 11, 2007 2:00pm EDT, 11:00am PDT
George Spafford, Principal Consultant
Pepperweed Consulting, LLC
“Optimizing The Business Value of IT”
www.pepperweed.com
Housekeeping
• Submitting questions to speaker
  • Submit a question at any time by using the “Ask a question” section located on the lower left-hand side of your console.
  • Questions about presentation content will be answered during the 10 minute Q&A session at the end of the webcast.
• Technical difficulties?
  • Click on the “Help” button
  • Use the “Ask a question” interface
Agenda
• Background on Audit
• Why audits are part of the Deming cycle of plan-do-check-act
• How to prepare for audits
• What auditors look for
• For a copy of today’s webcast PPT, please email:
  • George at: George.Spafford@Pepperweed.com
  • Kendra at: webcasts@jupitermedia.com
The Shewhart Cycle
• Popularized by Deming
  • We plan
  • We do
  • We check results
  • We take corrective action
• How can we objectively check?
  • Audit
  • Auditors must be objective
• The process is necessary for improvement
IA - Risk Management & Control
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations
• Safeguarding of assets
• Compliance with laws, regulations, and contracts
Source: International Standards for the Professional Practice of Internal Auditing, http://www.theiia.org/?doc_id=1499
IA - Governance
• Promoting appropriate ethics and values within the organization.
• Ensuring effective organizational performance management and accountability.
• Effectively communicating risk and control information to appropriate areas of the organization.
• Effectively coordinating the activities of, and communicating information among, the board, external and internal auditors, and management.
Source: International Standards for the Professional Practice of Internal Auditing, http://www.theiia.org/?doc_id=1499
External Audit
• Is driven by the regulatory requirement to have an independent third party certify that the financial information provided to stockholders is reasonably accurate.
• Some feel that internal review of external audit reports creates another layer of protection for financial reporting.
• Primarily reports to the audit committee on the accuracy of the financial reports, and attests to management’s assessment of internal controls over financial reporting.
Source: “Common Misconceptions”, Tone From the Top, Institute of Internal Auditors, March 2005.
Important: Establish Key Controls
• Review risks
  • Management’s current risk assessment
  • Use of a control framework as a proxy (verify with audit that this is acceptable)
  • If there is nothing to go on, the auditor will impose his/her own belief system
• Review key controls
  • The auditor may want to understand the state of the overall control environment – be sure to plan in advance
  • The emphasis and testing will be on key controls
  • You want as few key controls as possible, each grounded in risks
• You want to be clear
  • It doesn’t benefit IT or audit if guessing or misinterpretation happens
[Chart: Level of Assurance versus Level of Investment, with Cost of Control rising toward the 100% assurance mark]
You can spend a fortune and you will never truly hit a 100% level of assurance. The objective is to lower risk to an acceptable level, not to eliminate it, because you can’t!
Preparing (1)
• Emphasis – talk to your audit group ahead of time
  • Auditing is not a science
  • Practices will vary between audit firms, within firms, and between auditors
• Work closely with Internal Audit to understand company requirements and External Audit requirements
• Put everything in writing and get approval – do not rely on verbal communications
  • Summarize your conversations in the form of meeting minutes and send them to the other party for confirmation.
• Bear in mind that auditors leave firms, and so do audit partners
  • Who you deal with can change from year to year.
Preparing (2)
• Determine a formal documentation plan
  • Policies and Procedures
  • Evidence of activity / compliance
• Clearly identify what IT services/systems are in scope
  • Materiality
  • Guide to the Assessment of IT General Controls Scope Based on Risk
• Take care in documenting control activity, test plans, etc. If they are ambiguous or inaccurate, deficiencies may well result
  • Documenting controls that don’t exist will guarantee findings
• Be sure to document exceptions along with the risks, the business case, and management’s approval
  • It is better for management to disclose known exceptions than for auditors to find them.
  • How exceptions are documented and handled varies from auditor to auditor, so be sure to understand what to do, the ramifications, etc.
During the Audit (1)
• Never lie to an auditor - the repercussions can be severe
• Do not tamper with evidence - the repercussions can be severe
• Be sure to outline with the auditor the process for making any urgent remediation or changes during an audit.
• Be prompt in replying or providing samples
  • Delays may be interpreted as a lack of controls, or as a sign that evidence is being created or altered
• Auditors will follow the key controls and test plans verbatim if things go as planned
• Do not be antagonistic
During the Audit (2)
• Auditors make mistakes like everyone else.
  • Be sure to help them with any quality assurance processes they request, so that the findings are accurate
• The management response is the proper place to voice disagreements about findings
• Do not get into senseless arguments
The Audit Process (1)
• Coordinate Auditors
  • Internal Audit should coordinate with External Audit (this coordination is typically done by the Chief Audit Executive)
    • Faster audits
    • Lower costs
    • Fewer interruptions
• Schedule the audit
  • IT’s availability
  • Internal Audit’s availability
  • External Audit’s availability
• Kick-off meeting
  • Goals of the audit
  • Scope
  • Roles and Responsibilities
  • Schedule / Plan
The Audit Process (2)
• Review
  • Risks
  • Key Controls
  • Documentation (requirements will vary, so inquire as to what is needed)
    • Policies and Procedures
    • What systems are in scope
    • Narratives (an audit device used when documentation doesn’t exist)
    • Flowcharts
  • Test Plans (these should have been developed between management and Internal Audit; care must be taken that they are very clear and concise)
• Execute Tests
  • Observe
  • Inquire
  • Obtain samples according to the test plan
The Audit Process (3)
• Organize Work Papers
  • Management/IA should determine what documentation to retain from audits.
  • Part of the document retention is driven by what External Audit can leverage
    • The more management testing that External Audit can leverage, the faster the external audit goes and the lower the costs.
• Document Results
  • The auditor will record the results of tests and relate scores to work papers.
• Make recommendations
  • Control Improvement Opportunities
  • Remediation Recommendations
• Exit Meeting
  • Review the rough draft of results as a QA step
  • Review any open items
The Audit Process (4)
• Generate Management Letter
  • Once the testing is finished, the auditor reviews the audit documentation and develops a formal letter for management summarizing findings and recommendations.
• Solicit Management Response
  • Management can then review and respond to the findings.
• Finalize the audit documentation
• Share results with Management, the Audit Committee, and External Audit
Audit Findings
• Audits always generate findings
• Management can
  • Agree with a given finding and remediate
  • Dispute the finding
  • Accept the risk and do nothing
• Remediation depends on the auditor and the situation.
  • They may, or may not, wish to see remediation of audit findings.
  • Some external auditors leave remediation up to management
• Bear in mind that if this year’s audit turned up the control deficiencies, then there is a strong likelihood that next year’s audit will turn up the same things unless there are changes to scope, key controls, etc.
  • If the same deficiencies show up over and over again, the auditor may choose to increase their severity
Continuous Improvement
• Audits are vital
  • They provide objective opinions
• Look at audit as another tool for process improvement
• Set the proper tone from the top
  • If you think audits are a waste, then so will your team
• The idea is to take their findings and review what to do
* Adapted from ITIL Service Support Graphic
Learning More About Audit
• Institute of Internal Auditors: http://www.theiia.org/
  • GAIT: http://www.theiia.org/guidance/technology/gait/
• Information Systems Audit and Control Association: http://www.isaca.org
• IT Compliance Institute: http://www.itcinstitute.com/
• Jim Kaplan’s Audit Net: http://www.auditnet.org/
• Subscribe to Dan Swanson’s Email Lists: http://www.securitybenchmark.com/
Thank you for the privilege of facilitating this webcast
George Spafford
Principal Consultant
Pepperweed Consulting
Optimizing the Value of IT
George.Spafford@Pepperweed.com
http://www.pepperweed.com
Daily News Archive and Subscription Instructions: http://www.spaffordconsulting.com/dailynews.html

If you have any further questions, e-mail webcasts@jupitermedia.com
For future ITSM Watch Webcasts, visit www.jupiterwebcasts.com/itsm
Thank you again for attending