IT Skills for the Business Auditor. Positioning Audit Skills for the Future Information Technology Risks and Controls. Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Auditing Excellence University of Texas at Dallas For Houston Chapter Seminar November 3, 2014.
Mark Salamasick, CIA, CISA, CRMA, CSP
• Director of Center for Internal Audit Excellence – 11 years
• Adjunct Faculty, University of Texas at Dallas – 18 years
• Senior Vice President, Internet/Intranet Services, Bank of America – 2 years
• Director Information Technology Audit, SVP, Internal Audit, Bank of America – 18 years
• Senior Consultant, Accenture – 4 years
• Instructor, Accounting and IT, Central Michigan University – 3 years
• BS in BA and MBA – Central Michigan University
• One of six co-authors of the internal audit textbook Internal Auditing: Assurance and Consulting Services (IIA Research Foundation), published Summer 2007; Second Edition Summer 2009; Third Edition Fall 2013
• Author of IIA International books: Auditing Vendor Relationship, PC Management Best Practices, and Auditing Outsourced Functions
• Numerous IIA International committees, including Board of Trustees, Board of Research and Educational Advisors, and currently Learning Solutions
• 2005 IIA International Educator of the Year – Leon Radde Award
• Enjoys running, road and mountain cycling, travel, and investment analysis
ITEMS TO COVER
• Background – Setting the Stage
• Technology Expectations
• IT Audit Model Curriculum
• IT Technology Frameworks
• Latest Technology Issues
• Infrastructure Trends
• Overview of GTAGs
• GTAG 1 – 2nd Edition
• Technology Adoption Curve for IA Groups
• Summary
Synopsis: An overview of Critical Success Factors for the 21st Century auditor, including an understanding of IT control frameworks, functional areas of IT operations, and the ability to integrate technology into internal audit processes.
Level of IT Understanding (diagram: Business Auditors versus IT Auditors)
Technology and Audit (diagram)
• Infrastructure Audit
• Integrated Audit
• Use of Technology as a Tool: Audit Automation; Data Analytics
Some Reasonable Objectives for All Auditors
• Understand how technology fits into the overall business processes and its impact.
• Describe key risks and control techniques introduced by technology.
• Articulate the relationship between business transaction processing risks and the risks introduced by information technology.
• Find and interpret the leading sources of information related to technology control frameworks.
• Determine the significant technology issues to be considered as part of the review of a business unit.
• Integrate application controls as part of business unit audits.
• Understand the emerging technology risk issues.
Model IT Controls Curriculum
• IIA: The IIA’s Global Model Internal Audit Curriculum – IT Auditing course integrated in 2012 – schools recognized as part of the IAEP: https://na.theiia.org/about-us/about-ia/pages/participating-iaep-program-schools.aspx
• ISACA Model Curriculum – 2012: http://www.isaca.org/Knowledge-Center/Academia/Pages/Programs-Aligned-with-Model-Curriculum-for-IS-Audit-and-Control.aspx
What do the objectives of a university IT Audit and Risk Management course look like?
1. Be able to identify key information technology risks and how to mitigate those risks.
2. Be able to develop a control checklist and key audit steps related to technology risks.
3. Be able to distinguish key user technology risks and controls.
4. Be able to identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Auditor (CISA) exam.
5. Identify sources for research of technology risks and apply those techniques to an overall research paper.
6. Learn those areas of technology risk that are currently of most concern to the IIA, AICPA, and ISACA.
7. Be able to distinguish and evaluate key application controls, along with the auditing of application controls.
8. Identify and evaluate risks in an e-business environment.
9. Understand how to adapt audit coverage to areas of advanced and emerging technologies.
Technology: “I don’t know what I don’t know” – CAE
“You need to understand where emerging technologies are going to best predict risks the company will face in the future” – Mark Salamasick
Start with One Premise!
• There are no barriers…
• Technology is an enabler…
• It is how we adapt to it!
Critical Characteristics of the 21st Century Internal Auditor – Technologically Adept
• The technology era is clearly transforming the globe
• Technology presents extraordinary risks and opportunities for all enterprises
• The nature of internal audit has been impacted in terms of:
  – The functions, programs, and processes to be audited
  – The techniques employed to carry out the internal audit mission
**From – Robert McDonald – Past Chairman of the IIA
Critical Characteristics of the 21st Century Internal Auditor – Technologically Adept
• 21st century internal auditors must:
  – Understand IT control frameworks
  – Be knowledgeable of functional areas of IT operations
  – Be capable of auditing e-Commerce, EFT, EDI
  – Be knowledgeable of encryption, computer forensics, and Enterprise-wide Resource Planning (ERP) software
• In addition, internal auditors must be able to:
  – Integrate technology into internal audit processes
**From – Robert McDonald – Past Chairman of the IIA
• Source: CIA Examination Syllabus – Part III
Critical Characteristics of the 21st Century Internal Auditor – Overview of Critical Traits
• Risk-based orientation
• Global perspective
• Governance expertise
• Technologically adept
• Business acumen
• Creative thinking and problem solving
• Strong ethical compass
**From – Robert McDonald – Past Chairman of the IIA
Evolution of IT Audit: Historical IT Audit Stages (Stage – Focus – Characteristics)
• 1st Generation: EDP Audit (Pre-1980) – Focus: Compliance
  – “Checklist”-based EDP audits
  – Compliance with policies and procedures
  – No IT audit “specialists”
• 2nd Generation: IS Audit (1980s) – Focus: Control Frameworks
  – Auditable IS areas
  – Report problems, recommend solutions
  – Certified EDP Auditors (“CISA”)
• 3rd Generation: IT Audit (1990s) – Focus: Risk / Control
  – COBIT-based audits (1996)
  – IT control self-assessments
  – “Integrated audits”
• 4th Generation: IT Audit (2000s) – Focus: Risk Management Process
  – Facilitator of positive change
  – Enterprise-wide risk management
  – Impact of Sarbanes-Oxley
  – Benchmark performance against best practices
Top Ten IT Priorities From a Top Notch State Information Organization
• Cloud
• Data Management
• Data Sharing
• Infrastructure
• Legacy Applications
• Mobility
• Network
• Open Data
• Security and Privacy
• Social Media
AICPA Top Ten Technology Issues
• Managing and retaining data
• Securing the IT environment
• Managing IT risk and compliance
• Ensuring privacy
• Managing system implementations
• Preventing and responding to computer fraud
• Enabling decision support and analytics
• Governing and managing IT investment/spending
• Leveraging emerging technologies
• Managing vendors and service providers
Why are Global Technology Audit Guides (GTAGs) more important?
BIG THREE TECHNOLOGY RISK CATEGORIES
• Information Security
• Business Continuity
• Change Management
Sixteen GTAGs Published – Have you seen these?
• GTAG-1: IT Controls (Published in Mar 2005) – 2nd EDITION MARCH 2012
• GTAG-2: Change and Patch Management Controls (Published in June 2005) – 2nd EDITION MARCH 2012
• GTAG-3: Continuous Auditing (Published in Oct 2005) – Update Coming Soon
• GTAG-4: Management of IT Auditing (Published in Mar 2006) – 2nd EDITION January 2013
• GTAG-5: Auditing Privacy Risks (Published in June 2006) – 2nd EDITION July 2012
• GTAG-6: Managing and Auditing IT Vulnerabilities (Published in Oct 2006) – DELETED January 2013
Sixteen GTAGs Published – Have you seen these?
• GTAG-7: Information Technology Outsourcing (Published in Mar 2007)
• GTAG-8: Auditing Application Controls (Published in July 2007)
• GTAG-9: Identity and Access Management (Published in July 2007)
• GTAG-10: Business Continuity Management (Published in July 2008) (Updated August 2014)
• GTAG-11: Developing the IT Audit Plan (Published in July 2008)
• GTAG-12: Auditing IT Projects (Published in March 2009)
Sixteen GTAGs Published – Have you seen these?
• GTAG-13: Fraud Detection and Prevention in an Automated World (Published in December 2009)
• GTAG-14: Auditing User Developed Applications (Published in June 2010)
• GTAG-15: Information Security Governance (Published in July 2010)
• GTAG-16: Data Analysis Technologies (Published in August 2011)
• GTAG-17: Auditing IT Governance (Published in July 2012)
• GTAG-18 and 19: Cloud Computing and Social Media (Coming Soon)
What Every Business Auditor Should Understand Related to IT Controls
• Global Technology Audit Guide 1 – 2nd Edition
The Board should:
• Understand the strategic value of the IT function.
• Become informed of the role and impact of IT on the enterprise.
• Set strategic direction and expect return.
• Consider how management assigns responsibilities.
• Oversee how transformation happens.
• Understand constraints within which management operates.
• Oversee enterprise alignment.
• Direct management to deliver measurable value through IT.
• Oversee enterprise risk.
• Support learning, growth, and management of resources.
• Oversee how performance is measured.
• Obtain assurance.
Executive management should:
• Become informed of the role and impact of IT on the enterprise.
• Cascade strategy, policies, and goals down into the enterprise, and align the IT organization with the enterprise goals.
• Determine required capabilities and investments.
• Assign accountability.
• Sustain current operations.
• Provide needed organizational structures and resources.
• Embed clear accountabilities for risk management and control over IT.
• Measure performance.
• Focus on core business competencies IT must support.
• Focus on important IT processes that improve business value.
• Create a flexible and adaptive enterprise that leverages information and knowledge.
• Strengthen value delivery.
• Develop strategies to optimize IT costs.
• Have clear external sourcing strategies.
Senior management should:
• Manage business and executive expectations relative to IT.
• Drive IT strategy development and execute against it.
• Link IT budgets to strategic aims and objectives.
• Ensure measurable value is delivered on time and on budget.
• Implement IT standards, policies, and a control framework as needed.
• Inform and educate executives on IT issues.
• Look into ways of increasing IT value contribution.
• Ensure good management over IT projects.
• Provide IT infrastructures that facilitate cost-efficient creation and sharing of business intelligence.
• Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives and create value.
• Assess risks, mitigate efficiently, and make risks transparent to the stakeholders.
• Ensure that roles critical for managing IT risks are appropriately defined and staffed.
• Ensure the day-to-day management and verification of IT processes and controls.
• Implement performance measures directly and demonstrably linked to the strategy.
• Focus on core IT competencies.
The internal audit activity should:
• Ensure a sufficient baseline level of IT audit expertise in the department.
• Include evaluation of IT in its planning process.
• Assess whether IT governance in the organization sustains and supports strategies and objectives.
• Identify and assess the risk exposures relating to the organization’s information systems.
• Assess controls responding to risks within the organization’s information systems.
• Ensure that the audit department has the IT expertise to fulfill its engagements.
• Consider the use of technology-based audit techniques as appropriate.
IT Control Framework Checklist (Sample from GTAG 1)
• What legislation exists that impacts the need for IT controls?
• Has management taken steps to ensure compliance with this legislation?
• Have all relevant responsibilities for IT controls been allocated to individual roles?
• Is the allocation of responsibilities communicated to the whole organization?
• Do individuals clearly understand their responsibilities in relation to IT controls?
• Does internal audit employ sufficient IT audit specialists to address the IT control issue?
• Do corporate policies and standards that describe the need for IT controls exist?
Understanding IT Controls – Who Should Understand What?
• A top-down approach is used when considering which controls to implement and determining the areas on which to focus. From Global Technology Audit Guide 1.
COSO Model for Technology Controls
• Monitoring:
  – Monthly metrics from technology performance
  – Technology cost and control performance analysis
  – Periodic technology management assessments
  – Internal audit of technology enterprise
  – Internal audit of high-risk areas
• Information & Communication:
  – Periodic corporate communications (intranet, e-mail, meetings, mailings)
  – Ongoing technology awareness of best practices
  – IT performance survey
  – IT and security training
  – Help desk ongoing issue resolution
• Control Activities:
  – Review board for change management
  – Comparison of technology initiatives to plan and ROI
  – Documentation and approval of IT plans and systems architecture
  – Compliance with information and physical security standards
  – Adherence to business continuity risk assessment
  – Technology standards compliance enforcement
• Risk Assessment:
  – IT risks included in overall corporate risk assessment
  – IT integrated into business risk assessments
  – Differentiate IT controls for high-risk business areas/functions
  – IT internal audit assessment
  – IT insurance assessment
• Control Environment:
  – Tone from the top – IT and security controls considered important
  – Overall technology policy and information security policy
  – Corporate technology governance committee
  – Technology architecture and standards committee
  – Full representation of all business units
Global Technology Audit Guide that All Business Auditors Should Put into Practice
• Application controls and their benefits
• The role of internal auditors
• How to perform a risk assessment
• Application control review scoping
• Application review approaches
• Common application controls, suggested tests, and a sample review program
Technology Maturity Model (diagram; capabilities by stage of maturity)
• Drill-down dashboards of all key audit activity
• Quality assessment tool
• Continuous controls testing and monitoring
• Automated sharing of audit programs and files
• Intranet for audit knowledge sharing, training, and access to tools
• Formal technology strategy
• Highly skilled data team
• Use of technology a core competency
• Expanded technical training for staff
• Custom data mining / data analytics
• Standalone automated testing routines, e.g. fraud
• Expanded suite of data tools
• Automated work papers
• Online training programs available on demand
• Data retrieval used on most audits
• Reusable programs and checklists
• Fully integrated audit management system
• Access to external risk and control databases
• Risk assessment tools
• Initial use of CAATs
• Issues availability, tracking, and updating by management
• Audit scheduling tool
• Technology specialist(s)
• Continuous risk assessment
• Files, etc., in electronic format
• Initial ad hoc data mining
*From GAM Conference – Mike Gowell and Dick Anderson
Technology Process Gap Analysis: Example
• Red is current state, green is desired next stage of maturity
• Sets a clear priority
• May decide some areas are fine for now
• Don’t have to move to Optimized for all
*From GAM Conference – Mike Gowell and Dick Anderson
IT Audit – Questions to Ponder
• What kind of technology audits should we be doing?
• How integrated should the audit group be?
• What technology should we be using in the audit group?
• What skills should the non-IT auditor have?
• What is the mix of audit coverage for projects versus ongoing audit work?
• Where are resources found for IT audit?
• Should parts of IT audit be outsourced?
• What parts of information technology should be outsourced?
• What about periodic vulnerability testing?
• How do individuals get started in IT audit?
Summary and Next Steps
• Understand the technology in your environment
• Understand the GTAG series and determine how it applies
• Utilize the business functions and technology within the enterprise
• Understand your technology controls framework
• Understand your key information technology risks
• Equate technical issues to business processes
• Provide the business unit with a perspective on how well the technology that supports it is doing
• Perform high-level mapping of applications to business units
• Provide the CIO a view of how his business is doing
• Determine technology training requirements for all levels
Mark Salamasick Contact Info
• Email: Mark.Salamasick@utdallas.edu
• Office Phone: (972) 883-4729
• Cell Phone: (972) 768-3016
• Office: University of Texas at Dallas, School of Management 4.218, 800 West Campbell Road, SM 41, Richardson, TX 75083-0688
• Website: www.utdallas.edu/~msalam
• IAEP: Jindal.utdallas.edu/iaep