STAYING RELEVANT: A NEW IT AUDITING EMPHASIS IN GAGAS AUDITS OPENING REMARKS

Transcription

1 STAYING RELEVANT: A NEW IT AUDITING EMPHASIS IN GAGAS AUDITS By Kenneth J. Mory, CPA, CIA, CISA, CRMA City Auditor City of Austin 1 OPENING REMARKS Moderator R. Kinney Poynter Executive Director NASACT Speaker Kenneth J. Mory, CPA, CIA, CISA, CRMA City Auditor City of Austin 2

2 SLIDE INTENTIONALLY LEFT BLANK 3 OBJECTIVES In this webinar, participants will learn how to: Understand the 2011 GAGAS emphasis on Information Technology Learn a common sense approach to IT auditing as a non IT auditor and make IT part of your everyday audits Comfortably delve into the world of zombies, clouds, Judas threats Identify resources available to incorporate IT auditing in all your audits 4

3 GASGAS RESTRUCTURING 2007 GAGAS 2011 GAGAS Chapter 1 Stds for Use and Application Govt Auditing Foundation and of GAGAS Ethical Principles Chapter 2 Ethical Principles Stds for Use and Application of GAGAS Chapter 3 General Standards General Standards Chapter 4 Fieldwork Stds Financial Standards for Financial Audits Chapter 5 Reporting Stds Financial Standards for Attestation Engagements Chapter 6 Gen, FW, Reptg Attestation Fieldwork Stds for Performance Audits Chapter 7 Fieldwork Stds Performance Reporting Stds for Performance Audits Chapter 8 Reporting Stds - Performance 5 MOVES DUE TO RESTRUCTURING OF GAGAS Internal Control Objectives moved and made more general (Specific examples now in Supplementary Guidance) Fieldwork Standards for Performance Audits related to Information Systems Controls were moved from Chapter 7 to Chapter 6 6

4 MOVES DUE TO RESTRUCTURING OF GAGAS Technical Knowledge Highlighted Under Competence 7 MOVES DUE TO RESTRUCTURING OF GAGAS Obtaining Sufficient, Appropriate Evidence was moved from Chapter 7 to Chapter 6 and it was also made more general Reference to paragraphs General wording on related to assessing the consideration of completeness effectiveness of and accuracy of information system controls the data for intended purposes. Gone Mainstream! 8

5 MOVES DUE TO RESTRUCTURING OF GAGAS Standards related to Confidentiality and Exclusion of Certain Information were renumbered due to changes in the Chapter numbers 9 CHANGES DUE TO GAGAS RESTRUCTURING 2011 Revision concentrates on Independence Threats and Safeguards removes advisory services example related to IT 2011 Revision very specific on 3.56 on IT services that would impair independence Revision combined references to establishing policies and procedures for safe custody and retention of IT audit documentation into the General Standards Financial Standards 3.91 and Attestation within the Quality Control and Performance Assurance section 10

6 ADDITIONS TO GAGAS Specific wording related to IT was added within the Using the Work of Others section of the Performance Audit Standards IT is highlighted to ensure it is addressed 11 ADDITIONS TO GAGAS Specific IT-related wording added to the Supplemental Guidance on: o o IT audit objectives for types of GAGAS Audits and Attestation Engagements related to audit objectives Types of Evidence IT is highlighted to ensure it is addressed 12

7 DELETIONS FROM GAGAS Deleted wording on what auditors should document when performing attestation engagements, which included evidence obtained from IT systems Attestation standards made less specific 13 WHY THE MYSTIQUE? IT is a technical area where the Shamans perpetrate the idea that the uninitiated can never understand. To reinforce this they have created their own cryptic codes. 14

8 SLIDE INTENTIONALLY LEFT BLANK 15 Snow Flake Theory MIM Attacks Scareware Shadow Systems Rogue Software Spoofing Whitelisting Cloud Computing Crackers Script Babies DOS Attacks Zombies Social Engineering Hackers Cross site Scripting Botnets Kill Disc Keyboard Capture Packet Sniffing SCAP Zero day Attacks Judas Threats 16

9 SOME BASIC FACTS To stay relevant all auditors must become IT audit savvy at some level The snowflake theory is true A large percentage of key controls are likely to be technology driven Technology control failures have bigger impact IT security is more dependent on non-technical policies, procedures and business process than on technical hardware and software solutions We are in the Cloud! 17 IT OBJECTIVES AND RISK CATEGORIES Objective 1. Availability 2. Security 3. Integrity 4. Confidentiality 5. Effectiveness 6. Efficiency Risk 1. Unavailable 2. Breached Security 3. Loss of Integrity 4. Loss of Confidentiality 5. Ineffective 6. Inefficient 18

10 KEY CONTROLS 1. Segregation of duties 2. Authorization 3. Supervision 4. Access restrictions 5. Reconciliation 6. Risk Assessment Management 7. Competence / knowledge 8. Accountability 19 SIMPLIFIED BASELINE APPROACH Use common sense Identify criteria & obtain documentation (policies, procedures, standards) Compare actual to policy (or other authority) Obtain performance reports and budgets Review QA, acceptance tests, peer reviews Interview knowledgeable users, IT resources, & vendors Obtain audit approaches/procedures from sources such as AuditNet, IIA GTAG, ISACA... 20

11 IT RISK FRAMEWORK IT Governance IT Strategy & Planning IT Processes Technology Project Management Change & Configuration Management Data Center Operations User & Vendor Support Enterprise Security Disaster Recovery & Business Continuity Infrastructure & Tools 21 SIMPLIFY APPROACH Obtain Audit approaches/procedures from sources such as: GAIT Methodology (FISCAM) Federal Information System Controls Audit Manual 22

12 2012 AUDITS Technology Audit (March 2012) IT Questionnaire (April 2012) High Tech ID Theft Fraud (March 2012) Information Security Governance Assessment (Feb 2012) Information Systems Controls Workbook (2004) Minimum Security Baseline Assessment (Feb 2012) Network Patch Management-Gov (Jan 2012) Remote Access Audit (Jan 2012) 23 RESOURCES AVAILABLE TO PLAN AND EXECUTE EFFECTIVE AUDITS (CONT D) Top-down, risk based evaluation of entity wide controls Evaluation of general controls and their pervasive impact application controls Evaluation of security management at all levels A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses. 24

13 RESOURCES AVAILABLE TO PLAN AND EXECUTE EFFECTIVE AUDITS IIA GLOBAL TECHNOLOGY AUDIT GUIDES written in straightforward business language to address a timely issue related to information technology (IT) management, control, and security. PG GTAG-01 PG GTAG-02 PG GTAG-03 PG GTAG-04 PG GTAG-05 PG GTAG-06 PG GTAG-07 PG GTAG-08 Information Technology Risks and Controls 2 nd Edition Change and Patch Management Controls: Critical for Organizational Success Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment Management of IT Auditing Managing and Auditing Privacy Risks Managing and Auditing IT Vulnerabilities Information Technology Outsourcing Auditing Application Controls 25 RESOURCES AVAILABLE TO PLAN AND EXECUTE EFFECTIVE AUDITS IIA GLOBAL TECHNOLOGY AUDIT GUIDES (CONT D) PG GTAG-09 Identity and Access Management PG GTAG-10 Business Continuity Management PG GTAG-11 Developing the IT Audit Plan PG GTAG-12 Auditing IT Projects PG GTAG-13 Fraud Prevention and Detection in an Automated World PG GTAG-14 Auditing User-developed Applications PG GTAG-15 Information Security Governance PG GTAG-16 Data Analysis Technologies PG GTAG-17 Auditing IT Governance 26

14 FOCUSING ON SECURITY 27 LOGICAL ACCESS SECURITY Anything that gives you access to data, programs, networks Key Components of Logical Access Control Who is it? What can they do? What did they do? How is security maintained? 28

15 STEPS TO AUDIT LOGICAL ACCESS SECURITY General Controls: Review security polices, procedures, standards Identify security product Evaluate options selected Identify known exposures Review reports from access control software Review monitor and follow logs Review Audit Trails 29 WHO ARE THE BEST CRACKERS IN THE WORLD? 30

16 CRACKER IS A CRIMINAL HACKER Famous Hackers Captain Crunch & Kevin Mitnick They know most organizations do not have formal data classifications, access control systems, incident response plans, security awareness programs. 31 IT IS CHANGING! FAST! South Korean government targeted in cyber attack. The government detected the first wave of the attack Thursday. It was coordinated from outside South Korea using "zombie" computers. Israel Cyber-Attacks Iranian Nuke Plant With Stuxnet Computer Virus. 32

17 STEPS TO PERFORM SOCIAL ENGINEERING Perform research of organization Build trust Exploit relationship Malicious use of information 33 SOCIAL ENGINEERING Just ask Inattentive security Location of security Unapproved security badges / key Failure to challenge stranger Intimidation by title, dress, demeanor Friendly / smiley I belong behavior Herd hiding Tailgating Blow the Buffer Default Password from Internet Key stroke capture device Use Security Audit Software Dictionary Attacks False employee False Vendor Hackers/Crackers/Script Babies New Employee False Support Phishing s Turn over the keyboard Mi casa es su casa Dumpster Diving False address Guess password Search Desk Shoulder Surfing 34

18 PASSWORD AUDIT CONCERNS Lack of strong passwords Not Changed every 6 to 12 months and terminated Lack of different P/W for each system Lack of Variable length Use of common slang or dictionary words Reuse of passwords Storing passwords Store in a usual location Do not enable security monitoring System patches not current Do not maintain user IDs Not automatically reset 35 RECAP We covered: 2011 GAGAS emphasis on Information Technology Common sense approach to IT auditing IT terms like zombies, clouds, Judas threats Resources available to incorporate IT auditing in all your audits 36

19 QUESTIONS? Moderator R. Kinney Poynter Executive Director NASACT Speaker Kenneth J. Mory, CPA, CIA, CISA, CRMA City Auditor City of Austin 37 SLIDE INTENTIONALLY LEFT BLANK 38