Opportunities to Integrate Technology Into the Classroom
Presented by: Mark Salamasick, CIA, CISA, CRMA, CSP
Executive Director of Audit, University of Texas System
Discussion Topics
- Internal Audit Textbook Update
- First Internal Audit Class and Technology
- Approach to IT Audit Class
- Data Analytics
- Cybersecurity Program
- Questions
Internal Auditing: Assurance & Advisory Services, Fourth Edition
Revision History
- First Edition: July 2007
- Second Edition: October 2009
- Third Edition: April 2013
- Fourth Edition: April 2017
Textbook Chapters
- Chapter 1: Introduction to Internal Auditing
- Chapter 2: The International Professional Practices Framework
- Chapter 3: Governance
- Chapter 4: Risk Management
- Chapter 5: Business Processes and Risk
- Chapter 6: Internal Control
- Chapter 7: Information Technology Risks and Controls
- Chapter 8: Risk of Fraud and Illegal Acts
- Chapter 9: Managing the Internal Audit Function
- Chapter 10: Audit Evidence & Workpapers
- Chapter 11: Data Analytics and Audit Sampling
- Chapter 12: Introduction to the Engagement Process
- Chapter 13: Conducting the Assurance Engagement
- Chapter 14: Communicating Assurance Engagement Outcomes
- Chapter 15: The Consulting Engagement
Case Studies
- Case Study 1: Auditing Entity-wide Controls
- Case Study 2: Auditing the Compliance and Ethics Program
- Case Study 3: Performing a Blended Consulting Engagement
Textbook Product Integration
Check out the resources here: www.theiia.org/iatextbook
- ACL
- IDEA
- KnowledgeLeader
- TeamMate+
Significant Updates - 3rd Edition
- Integration of TeamMate and TeamMate Case Studies
- Addition of Value Proposition
- COSO Internal Control 2013
- Updates to Standards, Implementation Guides, and Practice Guides (19 GTAGs)
- Inclusion of 3 Lines of Defense
- New material on Risk Management
- New technologies (i.e., cloud computing, smartphones)
- Expansion on Audit Management including combined assurance
Internal Auditing: Assurance & Advisory Services, 4th Edition
What's new in the 4th Edition?
- TeamMate+ and TeamMate Analytics, an award-winning audit management system, has been integrated throughout the applicable textbook chapters. Specific case studies have been developed and are embedded at the end of chapter material to introduce the ways that TeamMate+ can be used to streamline internal audit processes. Streamlined for student online access.
- Introduction of the KnowledgeLeader with case studies throughout the text. Access available to all faculty and students.
- Expanded instructor materials with 100 sample multiple choice questions, sample exam, along with expanded PowerPoint slides.
Published by The Internal Audit Foundation
Instructors interested in ordering a desk copy may contact The IIA Bookstore, powered by the Internal Audit Foundation, by email at iiatextbook@theiia.org. Requests are limited to one per instructor and two per institution.
Significant Updates - 4th Edition
- IPPF updates including Standards
- Internal Audit New Mission Statement
- Expansion of COSO Framework 2013
- New Fraud Risk Management Guide
- Current Technology including Cybersecurity focus
- Data analytics added to Audit Sampling Chapter
- Integration of Protiviti KnowledgeLeader throughout
- TeamMate Hosting streamlined process
- Online distribution of material versus CD
- Expanded instructor material
for Universities Internal Auditing: Assurance & Consulting Services, Fourth Edition with TeamMate
Polling Question #2 Are you using TeamMate+ in the Internal Audit course this semester? Do you plan on using TeamMate+ sometime in the future?
How To Order The Textbook
Instructors interested in ordering a desk copy may download and submit the Textbook 4th Edition Desk Copy Request Form. Requests are limited to one per instructor and two per institution.
ISBN-13: 978-0-89413-987-1
For further information and access to instructor material, contact iiatextbook@theiia.org
https://bookstore.theiia.org/internal-auditing-assuranceadvisory-services-fourth-edition-instructors
Internal Audit Class and Technology Options
How much do you have time for?
- Chapter on IT Audit: Chapter 7
- Chapter on Data Analytics: Chapter 11 (Focus on Audit Data Analytics Strategies)
- TeamMate Integration
- Hands on Technology (IDEA, ACL, TeamMate Analytics)
On to Technology.
Level of IT Understanding Business Auditors IT Auditors
What to call a separate IT Audit class?
- Computer Audit
- Information System Audit
- Information Technology Audit
- Information Technology Audit and Risk Management
- Computer Audit and System Security: Compliance and Advisory Perspective
Course Objectives
Prepare students to have a meaningful career as an IT Auditor:
- Technical Knowledge
- Analytical Ability
- Communication Skills
- Interpersonal Skills
- Pass professional certification exams: CISA, CPA, and CIA
What do University IT Audit and Risk Management course objectives look like?
1. Be able to identify key information technology risks and how to mitigate those risks.
2. Be able to develop a control checklist and key audit steps related to technology risks.
3. Be able to distinguish key user technology risks and controls.
4. Be able to identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Auditor (CISA) exam.
5. Identify sources for research of technology risks and apply those techniques to an overall research paper.
6. Learn those areas of technology risks that are currently of most concern to the IIA, AICPA, and ISACA.
7. Be able to distinguish and evaluate key application controls along with auditing of application controls.
8. Identify and evaluate risks in an e-business environment.
9. Understand how to adapt audit coverage to areas of advanced and emerging technologies.
First Day of Class
- Demystifying IT Audit
- Profile of class
- Certified Information Systems Auditor (CISA) possibility
- Encourage local ISACA participation
Definition of Information Technology Audit
An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
Some Reasonable Objectives for All Auditors
- Understand how technology fits into the overall business processes and its impact.
- Describe key risks and control techniques introduced by technology.
- Articulate the relationship between business transaction processing risks introduced by information technology risks.
- Find and interpret the leading sources of information related to technology control frameworks.
- Determine the significant technology issues to be considered as part of the review of a business unit.
- Integrate application controls as part of business unit audits.
- Understand the emerging technology risk issues.
Technology and Audit
- Infrastructure Audit
- Integrated Audit
- Use of Technology as Tool
- Audit Automation
- Data Analytics
Big Three Technology Risk Categories
- Information Security
- Business Continuity
- Change Management
Sample Syllabus
Chapter 7: Information Technology Risks and Controls
17 GTAGs published
- GTAG: IT Controls (Published in Mar 2005), 2nd Edition March 2012
- GTAG: Change and Patch Management Controls (Published in June 2005), 2nd Edition March 2012
- GTAG: Continuous Auditing (Published in Oct 2005), Update Coming Soon
- GTAG: Management of IT Auditing (Published in Mar 2006), 2nd Edition January 2013
- GTAG: Information Technology Outsourcing (Published in Mar 2007)
- GTAG: Auditing Application Controls (Published in July 2007)
Chapter 7: Information Technology Risks and Controls
- GTAG: Identity and Access Management (Published in July 2007)
- GTAG: Auditing User Developed Applications (Published in June 2010)
- GTAG: Developing the IT Audit Plan (Published in July 2008)
- GTAG: Auditing IT Projects (Published in March 2009)
- GTAG: Fraud Detection and Prevention in an Automated World (Published in December 2009)
Chapter 7: Information Technology Risks and Controls
- GTAG: Information Security Governance (Published in July 2010)
- GTAG: Auditing Smart Devices (August 2016)
- GTAG: Data Analysis Technologies (Published in August 2011)
- GTAG: Assessing Cybersecurity Risk (September 2016)
- GTAG: Auditing IT Governance (Published in July 2012)
- GTAG: Understanding and Auditing Big Data (May 2017)
What Every Business Auditor Should Understand Related to IT Controls
Global Technology Auditing Guide 1, 2nd Edition
Model IT Controls Curriculum
IIA
- The IIA's Global Model Internal Audit Curriculum
- IT Auditing course Integrated - 2012
- Schools recognized as part of IAEP: https://na.theiia.org/about-us/aboutia/pages/participating-iaep-programschools.aspx
ISACA
- Model Curriculum - 2012: http://www.isaca.org/knowledge-Center/Academia/Pages/Programs-Aligned-with-model-curriculum-for-is-audit-and-Control.aspx
ISACA - COBIT 5 - Another Approach
Example of Case Studies
- Exploring technology risk and IT audit
- Business tied to technology risk
- Social Media
- Experiential Learning
Certified Information Systems Auditor (CISA) Exam
- One part exam
- Exam has three testing windows
- Integrate topics into class
- Provide access to local CISA review if available
- Improves student career potential immediately
Next Steps
If you are teaching an IT Audit and Risk Management course: Great!
- Take advantage of various case studies
- Utilize resources available from the IIA and ISACA
- Cross-list the course in Accounting and MIS
- Become a program recognized by ISACA
Use Of Technology As A Tool
A Couple of Different Approaches to Audit Analytics
- Integrate into Courses
  - Internal Audit/Operational Audit Course
  - Financial Audit Class
  - IT Audit Course
  - Other Courses
- Separate Course in Audit Analytics
- Course or Program in Data Analytics in MIS Program
Sample Course Syllabus
Cybersecurity Certificate Program
- Developed to meet the increasing need of risk management and technical personnel in the area of cybersecurity
- Joint program with business school and computer science engineering
- Program at the graduate level
- Individuals receive Certificate in Cybersecurity Systems (CCSS)
- All students would take this core Cybersecurity Fundamentals course
Cyber Security Tracks
Certificate in Cyber Security Systems
Students take a total of four courses (12 credit hours) consisting of one common fundamentals course and three other courses in one of four specified Tracks
- Cyber Security Fundamentals (course taken by all students)
- Remaining courses taken within a selected Track
  - Track #1: Computer Science (CS)
  - Track #2: Systems Engineering (SYSE)
  - Track #3: Internal Audit (IA)
  - Track #4: Information Management (IM)
Computer Science Track: Cyber Security with Computer Science Emphasis
Choose three (3) courses from:
- Information Security (CS 6324)
- Network Security (CS 6349)
- Data/App Security (CS 6348)
- One approved CS Elective in Cyber Security
Systems Engineering Track: Cyber Security with Systems Engineering Emphasis
Choose three (3) courses from:
- Systems Engineering (SYSM 6301)
- CS 6324 or MIS 6330
- One approved Cyber Security course from CS, IA, or IM track
Internal Audit Track: Cyber Security with Internal Audit Emphasis
Take the following courses:
- IT Security (MIS 6330)
- Internal Audit (ACCT 6380)
- IT Audit & Risk Management (ACCT 6336)
Information Management Track: Cyber Security with Information Management Emphasis
Take the following courses:
- IT Security (MIS 6330)
- Cloud Computing (MIS 6363)
- IT Audit & Risk Management (ACCT 6336)
Contact Information
Mark Salamasick
Executive Director of Audit
The University of Texas System
(512) 499-4535
msalamasick@utsystem.edu