Contracting for an IT General Controls Audit


Lori Schubert, C.P.A., Internal Audit Manager, Waukesha County (WI)
lschubert@waukeshacounty.gov

Overview of Presentation
- Description of Waukesha County Information Technology Division
- Summary of Waukesha County RFP process
- RFP development tips
- Development of scope for IT General Controls Audit
- Contracted audit process
- Audit results
- Lessons learned

Waukesha County Information Technology Division
- Centralized technology services for all County departments
- Solutions Program
- Business Services Program
- IT Infrastructure Program (primary focus of audit)
- Approximately 38 FTEs, 6 contracted employees and 4 limited term employees

Waukesha County Information Technology Division (continued)
- Annual operating budget $8 million plus $2.5 million in capital projects
- $6 million charged back to user departments
- Charges based on:
  - Replacement cost of equipment over useful life
  - Number of devices maintained on network
  - Amount of server usage

Waukesha County RFP Process
- RFP process required for professional service projects with estimated cost > $20,000
- Evaluation criteria:
  - General requirements (25%)
  - Technical requirements (50%)
  - Cost (25%)
- Questions / answers posted

Waukesha County RFP Process (continued)
- Evaluation of technical proposals (independent of cost) by committee members individually
- Vendors with highest technical scores may be interviewed and proposals rescored
- Final scores (including cost) determined
- Highest scoring vendor selected

RFP Development Tips
- Adequate background information to ensure vendors can prepare a response
- Requirements of vendor:
  - CISA certification or equivalent
  - Compliance with audit standards
  - Independence
  - Personnel / background checks
  - Confidentiality

RFP Development Tips (continued)
- Assumptions
- Comprehensive and measurable deliverables section
- Tie payments directly to deliverables
- General vs. specific audit scope / objectives

Scope Development
- ALGA resources and contacts
- Internet sources:
  - ISACA (www.isaca.org)
  - IT Governance Institute (www.itgi.org)
  - AuditNet (www.auditnet.org)
- IT auditing standards

Scope Development (continued)
- IT General Controls as a starting point
- Defined control structure within scope:
  - Organization environment controls
  - System access and security controls
  - Application development controls
  - System software controls
  - Processing controls
  - Disaster planning and contingency controls

Scope Development (continued)
- Build upon other work performed:
  - SAS 109 work in annual financial audit
  - Vulnerability assessments
  - Maintain confidentiality of this information
- Optional objectives:
  - IT risk assessment
  - Audit development project

Cost Summary: All Proposals
[Chart: proposal cost in dollars (axis 0 to 450,000) for vendors A through K, broken down by General Controls Audit, Risk Assessment and Audit Development]

Cost Summary: Proposals Reviewed
[Chart: proposal cost in dollars (axis 0 to 100,000) for vendors C, D, E, F, G, I, J and K, broken down by General Controls Audit, Risk Assessment and Audit Development]

Cost Summary: Firms Interviewed
[Chart: proposal cost in dollars (axis 0 to 100,000) for vendors C, D, E and K, broken down by General Controls Audit, Risk Assessment and Audit Development]

Audit Process
- Entrance conference
- Periodic project updates
- Reporting process
- Audit presentations

Audit Results
- Separate confidential report issued with security-related details
- Security planning recommendations:
  - Update policies to reflect current / rapidly changing technologies
- Access control recommendations:
  - Improve user access reviews

Audit Results (continued)
- Access control recommendations (continued):
  - Improve visitor badge access controls and logging
  - Improve security awareness training
  - Improve user and administrator access controls
  - Improve password parameters
  - Encrypt all portable devices
  - Log disposal of hard drives

Audit Results (continued)
- Application software development and change control recommendations:
  - Establish change management policy
  - Ensure logging is enabled for source code management and version control systems
  - Implement consistent application development process documentation across divisions

Audit Results (continued)
- System software recommendations:
  - Formalize and monitor patch management process
- Segregation of duties recommendations:
  - Improve segregation of duties (application vs. network access) where staffing levels allow, or implement compensating controls

Audit Results (continued)
- Service continuity recommendations:
  - Modify plan to accommodate HIPAA considerations
  - Improve documentation related to testing processes

Lessons Learned
- Stand on the shoulders of giants
- Educate your evaluation committee members
- Vendor interviews are not optional
- If it sounds too good to be true... it may be
- Prepare your auditees for process changes
- It may be a vendor's report, but your name is on it

Questions & Answers
Email if you would like copies of the RFP and/or audit report: lschubert@waukeshacounty.gov