Contracting for an IT General Controls Audit
Lori Schubert, C.P.A., Internal Audit Manager, Waukesha County (WI)
lschubert@waukeshacounty.gov

Overview of Presentation
- Description of Waukesha County Information Technology Division
- Summary of Waukesha County RFP process
- RFP development tips
- Development of scope for IT General Controls Audit
- Contracted audit process
- Audit results
- Lessons learned
Waukesha County Information Technology Division
- Centralized technology services for all County departments
- Solutions Program
- Business Services Program
- IT Infrastructure Program (primary focus of audit)
- Approximately 38 FTEs, 6 contracted employees and 4 limited term employees

Waukesha County Information Technology Division (continued)
- Annual operating budget $8 million plus $2.5 million in capital projects
- $6 million charged back to user departments
- Charges based on:
  - Replacement cost of equipment over useful life
  - Number of devices maintained on network
  - Amount of server usage
Waukesha County RFP Process
- RFP process required for professional service projects with estimated cost > $20,000
- Evaluation criteria:
  - General requirements (25%)
  - Technical requirements (50%)
  - Cost (25%)
- Questions / answers posted

Waukesha County RFP Process (continued)
- Evaluation of technical proposals (independent of cost) by committee members individually
- Vendors with highest technical scores may be interviewed and proposals rescored
- Final scores (including cost) determined
- Highest scoring vendor selected
RFP Development Tips
- Adequate background information to ensure vendors can prepare a response
- Requirements of vendor:
  - CISA certification or equivalent
  - Compliance with audit standards
  - Independence
  - Personnel / background checks
  - Confidentiality

RFP Development Tips (continued)
- Assumptions
- Comprehensive and measurable deliverables section
- Tie payments directly to deliverables
- General vs. specific audit scope / objectives
Scope Development
- ALGA resources and contacts
- Internet sources:
  - ISACA (www.isaca.org)
  - IT Governance Institute (www.itgi.org)
  - AuditNet (www.auditnet.org)
- IT auditing standards

Scope Development (continued)
- IT General Controls as a starting point
- Defined control structure within scope:
  - Organization environment controls
  - System access and security controls
  - Application development controls
  - System software controls
  - Processing controls
  - Disaster planning and contingency controls
Scope Development (continued)
- Build upon other work performed:
  - SAS 109 work in annual financial audit
  - Vulnerability assessments
  - Maintain confidentiality of this information
- Optional objectives:
  - IT risk assessment
  - Audit development project

Cost Summary, All Proposals
[Chart: proposed cost, $0 to $450,000, for firms A through K, broken out by General Controls Audit, Risk Assessment and Audit Development]
Cost Summary, Proposals Reviewed
[Chart: proposed cost, $0 to $100,000, for firms C, D, E, F, G, I, J and K, broken out by General Controls Audit, Risk Assessment and Audit Development]

Cost Summary, Firms Interviewed
[Chart: proposed cost, $0 to $100,000, for firms C, D, E and K, broken out by General Controls Audit, Risk Assessment and Audit Development]
Audit Process
- Entrance conference
- Periodic project updates
- Reporting process
- Audit presentations

Audit Results
- Separate confidential report issued with security related details
- Security planning recommendations:
  - Update policies to reflect current / rapidly changing technologies
- Access control recommendations:
  - Improve user access reviews
Audit Results (continued)
- Access control recommendations (continued):
  - Improve visitor badge access controls and logging
  - Improve security awareness training
  - Improve user and administrator access controls
  - Improve password parameters
  - Encrypt all portable devices
  - Log disposal of hard drives

Audit Results (continued)
- Application software development and change control recommendations:
  - Establish change management policy
  - Ensure logging is enabled for source code management and version control systems
  - Implement consistent application development process documentation across divisions
Audit Results (continued)
- System software recommendations:
  - Formalize and monitor patch management process
- Segregation of duties recommendations:
  - Improve segregation of duties (application vs. network access), which current staffing levels limit, or implement compensating controls

Audit Results (continued)
- Service continuity recommendations:
  - Modify plan to accommodate HIPAA considerations
  - Improve documentation related to testing processes
Lessons Learned
- Stand on the shoulders of giants
- Educate your evaluation committee members
- Vendor interviews are not optional
- If it sounds too good to be true, it may be
- Prepare your auditees for process changes
- It may be a vendor's report, but your name is on it

Questions & Answers
Email if you would like copies of the RFP and/or audit report: lschubert@waukeshacounty.gov