No IT Audit Staff? How to Hack an IT Audit
Presenter: Mark Bednarz, Partner-In-Charge, Risk Advisory, PKF O'Connor Davies, LLP
Learning Objectives
After this session, participants will be able to:
Devise an IT audit universe for their institution
Conduct a high-level IT audit risk assessment, including defining applicable risk categories
Identify IT audit resources to help in the development of an IT audit risk assessment
What is the Process?
IT Audit Plan
IT Audit Universe
IT Risk Assessment
Drilling Down on IT
Database
Application
Operating System
Network
Management Controls
Control Environment: Review IT structure, strategy, governance and policies
Change Management: Review how the organization implements and manages changes
General Computing Controls
Logical Security: Inspect O/S, network folder, remote access and application security
Back-up and Restore: Inspect back-up system configuration settings and ability to restore data
Vendor Management: Review the due diligence, risk assessment, and monitoring of key 3rd parties
Risk Assessment: Provide recommendations to identify and assess vulnerabilities
BCP/DRP: Evaluate your business continuity and disaster recovery plan
Access Management: Evaluate onboarding, changes and termination procedures
Physical Security: Inspect access points to the facility and data center
Network Security: Inspect switches, firewalls, printers, wireless access points, and SAN configuration settings
Interfaces & Job Scheduling: Inspect job scheduler configuration settings
Incident Management: Inspect the process to determine if IT is effectively capturing and promptly addressing issues
Application Controls
Output Review / Error Handling: Inspect procedures to ensure that output is handled in an authorized manner, delivered to the appropriate recipient and protected during transmission; that verification, detection and correction of the accuracy of output occur; and that information provided in the output is used.
Segregation of Duties: Inspect requirements for entry, modification and authorization of transactions as well as for validation rules.
Confidentiality: Inspect that sensitive data is identified, classified and monitored.
Authentication: Check transaction data for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Integrity: Inspect integrity and validity of data throughout the processing cycle.
Configuration Settings: Ensure that transaction data, whether people-generated, system-generated or interfaced inputs, are subject to controls to check for accuracy, completeness and validity.
Back-up and Restore: Inspect back-up system configuration settings and ability to restore data.
Defining an IT Audit Universe
The audit universe is a living document that has to be updated on a periodic basis. It should capture the departments and processes that make up the institution. There has to be collaboration between key stakeholders and internal audit to come up with this audit universe, but it should be primarily driven by the audit function.
Defining an IT Audit Universe
Consider the institution's processes
Identify significant applications that support the business operations
Identify critical infrastructure for the significant applications
Identify major projects and initiatives
Understand the role of supporting technologies
Conducting a High-Level IT Risk Assessment
Identify and understand the institution's objectives
Understand the IT strategy
Consider the IT audit universe you just assessed
Consider IT security frameworks
Rank the risk
Conducting a High-Level IT Risk Assessment
Perform a risk assessment
o Risk = Likelihood * Impact
Develop the audit scope
o Focus on the high risk areas identified during the risk assessment
o Assess risk and rank subjects using business risk factors
What Frameworks Should You Consider/Reference?
COBIT
o Control Objectives for Information Technology: IT governance framework issued by ISACA
COSO
o Most widely used internal control framework (commonly used for SOX compliance)
ISO 27001
o Detailed information security standards (commonly used to benchmark a company's policies/standards)
GAIT Methodology (IIA)
o Focused on IT general controls
IT Audit Considerations For Non-IT Auditors
Perform an IT general controls review, especially around financial systems
o Obtain a System Inventory
For In-house (ERP or best of breed)
o Who has access to the code to make changes?
o Package vs. a customized package vs. configured service package, or licensed with a maintenance agreement
For a hosted solution (Software as a Service), review the SOC report
IT Audit Considerations For Non-IT Auditors
Inspect whether the IT Security Policy incorporates key elements from IT security frameworks.
Inspect IT's risk assessment in order to identify high risk areas for review.
Inspect whether IT has performed vulnerability assessments and penetration tests. Do you see recurring critical vulnerabilities?
Common IT Audit Issues
Passwords not complex, not changed, unlimited sign-on attempts allowed
Software implementation or changes do not follow the necessary stage gates
Lack of / out-of-date documented IT policies & procedures
SOC reports are not reviewed and User Considerations not evaluated
No user access reviews, especially of privileged access
Common IT Audit Issues
No Business Continuity Plan or testing of the Disaster Recovery Plan
No audit trail of changes
Emerging and Evolving IT Risk
Business Continuity Plan doesn't address emerging and evolving risks
Cyber-attacks (e.g. ransomware, DDoS, phishing)
Privacy / EU General Data Protection
Data Management / Governance
Third Party Risk Management
Identifying Audit Resources
Consider the educational background of your team
Does anyone have an Information Technology or Information Security degree?
Has anyone on your team performed an IT Audit before?
Does anyone have a CISA or comparable certification?
Consider rotating IT staff into Internal Audit
Do you need to go externally for support?
Likelihood Scale
H 3 High probability that the risk will occur.
M 2 Medium probability that the risk will occur.
L 1 Low probability that the risk will occur.
Impact Scale (Financial)
H 3 There is a potential for material impact on the organization's earnings, assets, reputation, or stakeholders.
M 2 The potential impact may be significant to the audit unit, but moderate in terms of the total organization.
L 1 The potential impact on the organization is minor in size or limited in scope.
Level | Composite Risk Score Range Based on # of Risk Factors | Recommended Annual Cycle
H     |                                                       | Every 1 to 2 years
M     |                                                       | Every 2 to 3 years
L     |                                                       | Every 3 to 5 years
Source: GTAG Developing the IT Audit Plan, Appendix: Hypothetical Company Example, Pg. 24
Area From IT Audit Universe        | Financial Impact | Quality of Internal Controls | Changes in Audit Unit | IT Risks: Data Sensitivity | IT Risks: Integrity | IT Risks: Availability | Score | Level
                                   |   L    I         |   L    I                     |   L    I              |   L    I                   |   L    I            |   L    I               |       |
ERP application & General Controls |   3    3         |   2    3                     |   3    3              |   2    3                   |   2    3            |   2    3               |  42   | H
Treasury EFT Systems               |   3    3         |   3    3                     |   3    3              |   3    2                   |   3    2            |   2    1               |  41   | H
Data Center - Main                 |   2    2         |   3    2                     |   3    3              |   3    3                   |   3    2            |   2    2               |  38   | H
Corp. Privacy Compliance           |   3    1         |   3    3                     |   3    3              |   2    1                   |   2    1            |   3    3               |  34   | M/H
L: Likelihood  I: Impact
Source: GTAG Developing the IT Audit Plan, Appendix: Hypothetical Company Example, Pg. 24
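The scoring model behind the two GTAG slides (Risk = Likelihood * Impact per factor, summed across the six risk factors to give the composite score, then a recommended audit cycle per level) can be worked through in code. The following is an added example, not part of the deck or of the GTAG publication; it transcribes the four hypothetical-company rows above and reproduces their Score column (42, 41, 38, 34 are each the sum of L x I over the six factors). The deck does not give the score-range thresholds per level, so levels are taken as inputs rather than computed; treating a split level such as "M/H" as the more frequent of the two cycles is this example's own assumption.

```python
"""Composite IT audit risk scoring in the Risk = Likelihood * Impact model.

Added example (not from the slide deck or GTAG): each area in the IT audit
universe is rated on six risk factors, each with a likelihood (L) and an
impact (I) on the 1-3 scale.  The composite score is the sum of L * I over
the factors, and areas are ranked by that score to drive audit scoping.
"""
from dataclasses import dataclass

# The six risk factors from the GTAG hypothetical-company table; "IT Risks"
# is a group header covering the last three.
RISK_FACTORS = (
    "Financial Impact",
    "Quality of Internal Controls",
    "Changes in Audit Unit",
    "IT Risks: Data Sensitivity",
    "IT Risks: Integrity",
    "IT Risks: Availability",
)

SCALE = (1, 2, 3)  # L = 1, M = 2, H = 3 for both likelihood and impact

# Recommended annual audit cycle per composite level, from the GTAG slide.
AUDIT_CYCLE = {
    "H": "Every 1 to 2 years",
    "M": "Every 2 to 3 years",
    "L": "Every 3 to 5 years",
}


@dataclass(frozen=True)
class Rating:
    """Likelihood and impact for one risk factor of one audit area."""
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject ratings outside the 1-3 scale so a typo cannot inflate a score.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"ratings must be in {SCALE}: {self}")

    @property
    def risk(self) -> int:
        # Risk = Likelihood * Impact, as on the risk-assessment slide.
        return self.likelihood * self.impact


def composite_score(ratings: tuple) -> int:
    """Sum of L * I across all risk factors; the table's Score column."""
    if len(ratings) != len(RISK_FACTORS):
        raise ValueError(f"expected {len(RISK_FACTORS)} ratings, got {len(ratings)}")
    return sum(r.risk for r in ratings)


def score_bounds(n_factors: int = len(RISK_FACTORS)) -> tuple:
    """Lowest and highest composite score achievable with n_factors factors.

    The slide says the score ranges per level depend on the number of
    factors but does not state them, so only the achievable span is given.
    """
    return n_factors * min(SCALE) ** 2, n_factors * max(SCALE) ** 2


def top_drivers(ratings: tuple, n: int = 2) -> list:
    """Risk factors contributing most to an area's score, for scoping fieldwork."""
    scored = sorted(zip(RISK_FACTORS, ratings), key=lambda fr: fr[1].risk, reverse=True)
    return [name for name, _ in scored[:n]]


def recommended_cycle(level: str) -> str:
    """Map a level such as 'H' or 'M/H' to the slide's recommended cycle.

    Assumption (not from the deck): a split level like 'M/H' is treated
    conservatively, i.e. the more frequent of the two cycles is used.
    """
    parts = [p.strip().upper() for p in level.split("/")]
    for lvl in ("H", "M", "L"):  # most frequent cycle first
        if lvl in parts:
            return AUDIT_CYCLE[lvl]
    raise ValueError(f"unknown level {level!r}")


def rank_universe(universe: dict) -> list:
    """Rank audit areas by composite score, highest risk first."""
    scored = [(area, composite_score(ratings)) for area, ratings in universe.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Ratings transcribed from the GTAG hypothetical-company table on the slide.
R = Rating
HYPOTHETICAL_UNIVERSE = {
    "ERP application & General Controls": (R(3, 3), R(2, 3), R(3, 3), R(2, 3), R(2, 3), R(2, 3)),
    "Treasury EFT Systems":               (R(3, 3), R(3, 3), R(3, 3), R(3, 2), R(3, 2), R(2, 1)),
    "Data Center - Main":                 (R(2, 2), R(3, 2), R(3, 3), R(3, 3), R(3, 2), R(2, 2)),
    "Corp. Privacy Compliance":           (R(3, 1), R(3, 3), R(3, 3), R(2, 1), R(2, 1), R(3, 3)),
}
# Levels as printed in the table's Level column (the deck gives no
# score-to-level ranges, so they are inputs here rather than computed).
TABLE_LEVELS = {
    "ERP application & General Controls": "H",
    "Treasury EFT Systems": "H",
    "Data Center - Main": "H",
    "Corp. Privacy Compliance": "M/H",
}

if __name__ == "__main__":
    for area, score in rank_universe(HYPOTHETICAL_UNIVERSE):
        drivers = ", ".join(top_drivers(HYPOTHETICAL_UNIVERSE[area]))
        print(f"{score:3d}  {area:36s} {recommended_cycle(TABLE_LEVELS[area]):20s} drivers: {drivers}")
```

Running the script prints the four areas in descending score order with their cycle and the two factors driving each score; swapping in your own institution's areas and ratings gives the ranked list the "Develop the audit scope" step starts from.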
Contact Info:
Mark Bednarz, MS, CPA, CISA, CFE
PKF O'Connor Davies, LLP
Partner, Head of Risk Advisory
P: 646-449-6376
E: mbednarz@pkfod.com