TAKING THE MYSTERY OUT OF IT AUDIT

Transcription

1 TAKING THE MYSTERY OUT OF IT AUDIT What Every Non-IT Auditor Should Know and Every IT Auditor Should Be Able To Tell The Presentation Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates The Conference that Counts, Albany New York Monday March 19, 2018 ROSS WESCOTT is Principle of Wescott and Associates, established in 2016 to provide IT audit, risk, governance, and control consulting to a variety of industries and government. He has experience in IT audit program development and implementation using leading standards including Cobit5 IT governance Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance Risk identification and assessment Controls identification, design and evaluation Data analytics End-to-end IT audit management and execution IT SOX program development and operation Disaster recovery plan development and review, scenario/exercise development and testing Recruiting, team building, development, teaching. Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science. He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the Information Systems Audit and Control Association. He has been published in the major Internal Auditing publications and has been a speaker at conventions and conferences on many Internal Audit topics. 2 1

2 Many internal audit stakeholders continue to view Information Technology (IT) audits as a mysterious world that requires highly specialized skills. However, regulatory requirements, such as the Sarbanes-Oxley Act, highlight that organizations financial reporting and operational performance are dependent on complex information technology. Cybersecurity efforts (not just an IT issue) show that it is difficult to conduct effective audits that do not include an aspect of IT auditing. The days of auditing around the computer are over. This session peels away some of the mystery surrounding IT audits by presenting a plain English, straightforward discussion of risks, control objectives, and control techniques for selected high payback IT audit areas that do not require a large degree of technical expertise. In this session, you will learn: the context for IT Auditing in the realm of internal auditing a base knowledge of the IT control set and auditing and governance some key terms used in IT Auditing 3 The guy who knows about computers is the last person you want to have create documentation for people who do not understand computers. Adam Osborn best known for creating the first commercially available portable computer, the Osborne 1, released in April

3 It is not about accounting controls. Accounting systems and their associated controls promote a source of process and data risk that requires someone who understands the related risk and can help the business mitigate it. It is not about financial auditing. That s reserved for financial auditors including the public accountants. It is not about compliance testing. Believe it or not, in general, there are no international or national rules that IT MUST follow. There are many guidelines, a few targeted regulations, but no set of conforming rules. IT Auditors cannot make IT comply with anything. 5 IT audits are all about determining that the design and function of systems, IT processes, and business processes are effective in reducing the risk to achieving business objectives. 6 3

4 Even though this is from 2010, the sentiment still is valid for today! 7 There are 10 kinds of people in the world: those who understand binary numerals, and those who don't. From Cabinet of Mathematical Curiosities Ian Stewart a professor of mathematics at the University of Warwick, England, and a widely known popular-science and science-fiction writer. 8 4

5 9 IIA Standard 1210 Proficiency 1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. 10 5

6 GTAG-I Categories of IT Knowledge Category I: Knowledge of IT needed by all professional auditors, from new recruits up through the CAE Category II: Knowledge of IT needed by audit supervisors Category III: Knowledge of IT needed by IT Audit Specialists (Editorial Comment: no kidding!) 11 GTAG-I Category I: Knowledge Understanding concepts such as application software, operating systems and system software, and networks IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. Understanding IT risks without necessarily possessing significant technical knowledge. 12 6

7 There are a number of frameworks COBIT5 ITIL ISO Standard COSO 2012 ISACA. All rights reserved. COBIT 5 is a registered trademark. ITIL, PRINCE2, MSP, MoR, P3M3, P3O, MoP and MoV are registered trade marks of AXELOS Limited 2013ISO/IEC All rights reserved Copyright The Committee of Sponsoring Organizations of the Treadway Commission. All rights reserved

8

9

10 19 Consists of three volumes: Executive Summary Framework and Appendices Illustrative Tools for Assessing Effectiveness of a System of Internal Control Sets out: Definition of internal control Categories of objectives Components and principles of internal control Requirements for effectiveness 20 10

11 Environments changes... Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud have driven Framework updates 21 Proscriptive: Describes how processes should work and focuses on effectiveness and efficiency. Descriptive: Describes what objectives processes ought to achieve. Focus on effectiveness and alignment

12 Traditionally, there are really only 2 groupings of controls in IT IT General Controls IT Application Controls However, there are others that do not traditionally fit Interface controls (control between systems) Database controls Data Configuration Controls IT Governance and Entity Controls 23 Let s start at the very top, most broadly defined set of controls that affect the risk of all IT controls

13 Entity-Level Controls Based on COSO Examples of Entity-Level IT Controls: Integrity and Ethical Values Management Philosophy and Managing Style HR Policies, specifically applied to IT Board and Audit Committee Oversight of IT Communication On-Going Monitoring Many more Not much different from the rest of the organization 25 IT Governance Controls fit within the scope and scheme of the organization s entity-level controls and, again, is driven by COSO. What is IT Governance? Is a subset discipline of corporate governance, focused on IT and its performance and risk management. Not to be confused with IT management, compliance, or controls. The primary focus is stewardship of IT resources for creating value for stakeholders

14 IT Governance is facilitated through the following components: 27 The Five Elements of IT Governance, as defined within Cobit5 s EDM practices, should be used by an audit team to identify the specific governance practices and goals to be reviewed: Strategic Alignment Risk Management Performance Management Resource Management Value Delivery 28 14

15 To err is human - and to blame it on a computer is even more so. Robert Orben an American is an American professional comedy writer, although he also worked as a magician. He has written multiple books on comedy, mostly collections of gags and "one-liners" originally written for his newsletter, Orben's Current Comedy, and has also written books for magicians. In 1973, he was head speechwriter to Vice President Gerald R. Ford

16 By definition, IT General Controls are control activities performed within the IT organization or the technology that they support that can be applied to every system that the organization relies upon. In other words, they are the umbrella under which IT applications systems operate. 31 They are important because: Systems hardware and software applications support all business processes General control concepts can be applied regardless of industry, business line, size, or complexity of the environment. Without effective IT General Controls, reliance on business information is not possible. That s why, in the SOX world, IT SOx concerns itself primarily with IT general controls with some application controls thrown in for good measure

17 Typical Examples Access Control Physical access security Logical access Systems Development and Implementation (SDLC) Change Control Computer Operations Control Backup and Recovery Control Disaster Recovery Control 33 But also: Polices and Procedures IT Training IT Governance Operating and Capital Budgets Audit Trails Encryption Anti-Virus Software And on, and on, and on. Anything that is not application related

18 By definition, IT Application Controls are electronic, manual, or automated controls that typically operate at a detailed business process (cycle or transaction) level and are designed to ensure the integrity of the processed records. 35 There are typically only three kinds of application controls: Input Processing Output But modern systems have necessitated a fourth category: data configuration controls 36 18

19 The purpose of application controls, All input is accurate, complete, authorized, and correct All data is processed as intended All data stored is accurate, secure, and complete All output is accurate and complete All workflow occurs as intended 37 Examples: Input Selection from a drop-down box (e.g., States) Numbers are validated (e.g., number vs. characters) Selections are restricted to a selection (e.g., valid account numbers) 38 19

20 Examples: Processing All records from an interfaced system have been received and processed All disbursements are recorded All accruals meet specified guidelines Depreciation is calculated properly Accruals are accounted for correctly 39 Examples: Output Reports are complete, accurate, and timely Monthly financial statements are accurate Authorized recipients have received their reports, checks, or other critical documents

21 Examples: Configurable Controls Configurable parameters within the application system. Most of the current commercial application systems are heavily dependent on the configuration of various parameter tables. It is appropriate to consider the design of controls over the configuration tables as a separate element of the control design. Mainly for real-time (not batch) systems Combination edits that result in an optional processing path Inventory pulls are routed to the appropriate storeroom for issuing Changes to accounts at receipt of goods are reauthorized by the requesting manager Static data (e.g., CPI index) change is manually reviewed. 41 What makes data configuration activities different and more dangerous? Typically, they fall outside of IT purview and normal control systems Generally, 100% controlled by the business Can be changed at any time without oversight or use of change tracking Changes can be done in secret and changed back with no trace

22 These too are included on the application side: Segregation of Duties using application security access Control overrides Application documentation Data retention cycles

23 Never trust a computer you can't throw out a window. Steve Wozniak nicknamed "The Woz", an American inventor, electronics engineer, programmer, philanthropist, and technology entrepreneur who cofounded Apple Inc. He is known as a pioneer of the personal computer revolution of the 1970s and 1980s, along with Apple co-founder Steve Jobs.Wozniak single-handedly developed the 1976 Apple I and primarily designed the 1977 Apple II, known as one of the first highly successful mass-produced microcomputers. 45 A computer lets you make more mistakes faster than any other invention with the possible exceptions of handguns and Tequila. Mitch Ratcliffe a veteran journalist, media executive and entrepreneur. Author of Extreme Democracy 46 23

24 IT has come back full circle. Computing is more about business not IT; more about achieving objectives than controls (although controls help achieve objectives) There is no mystery that computer hardware and software must serve the business purpose or it has no reason for being. All auditors need to understand that first. The rest will follow. 47 Let Me Make A Bold Statement Except for the most technical of database, security, or operating systems audit work, an experienced auditor could do an audit of IT with an understanding of the business, knowledge of IT components and risk, and The tools offered with COSO and Cobit

25 Any Final Questions? 49 If you have any questions, please feel free to call and have a meaningful conversation: Ross Wescott MA CISA CIA CCP CUERME Principal Wescott and Associates rew5@comcast.net 50 25

26 Thank You! 51 26