IT Auditing and the Challenge of New Technologies June 16, 2011 Presented by: Jay Bowman, CISA, CISM

IT Auditing and the Challenge of New

Technologies

June 16, 2011

Presented by: Jay Bowman, CISA, CISM

•Evolution of technology and its applications

•What this means in terms of opportunities

•What this means in terms of risks

•What this means in terms of providing internal audit coverage.

•Actions you and your institution can take

This Morning’s Topics

2

The rapid changes in technology during our lifetimes has made possible services our parents couldn’t even dream of.

•Building Blocks

•Computers

•Telephones

•Technology-Based Services

Evolution of Technology

3

Technology Building Blocks

4

Technology Building Blocks

5

Technology Building Blocks

6

Technology Building Blocks

7

Technology Building Blocks

8

Technology Building Blocks

9

Computers

10

Computers

11

Computers

12

Computers

13

Computers

14

Computers

15

Computers

16

Computers

17

Computers

18

Telephones

19

Telephones

20

Telephones

21

Telephones

22

Telephones

23

Telephones

24

Telephones

25

Telephones

26

Telephones

27

Telephones

28

Telephones

29

Telephones

30

Telephones

31

The Atlanta Payments Project

Technology-Based Services

32

The Atlanta Payments Project

•Electronic Payments Services

•Implementation Considerations and Obstacles

Technology-Based Services

33

The Atlanta Payments Project

• Electronic Payments Services• Check Authorization• Telephone Banking• Point-of-Sale Transactions• Automated Clearinghouse (ACH)• Check Truncation

Technology-Based Services

34

The Atlanta Payments Project

• Implementation Considerations & Obstacles• Technology

• Storage Limitations and Costs• Communications Speeds and Costs• Processor Speeds and Costs

• Consumer Acceptance

Technology-Based Services

35

•Storage Limitations and Costs

Considerations and Obstacles

36

•Communications Speeds and Costs

Considerations and Obstacles

37

•Processor Speeds and Costs

Considerations and Obstacles

38

• Consumer Acceptance

Considerations and Obstacles

39

• Consumer Acceptance

Older consumers are generally much slower to adopt new technology/services.

Considerations and Obstacles

40

• Consumer Acceptance

Considerations and Obstacles

41

The Atlanta Payments Project

• Electronic Payments Services• Check Authorization• Telephone Banking• Point-of-Sale Transactions• Automated Clearinghouse (ACH)• Check Truncation

Technology-Based Services

42

• Check Authorization

Technology-Based Services

43

• Check Authorization

Technology-Based Services

44

• Telephone Banking

Technology-Based Services

45

• Point-of-Sale Transactions

Technology-Based Services

46

• Automated Clearinghouse (ACH)

Technology-Based Services

47

• Check Truncation

Technology-Based Services

48

What does all this mean in terms of IT internal audit?

_____________

49

What does all this mean in terms of IT internal audit?

_____________

50

New technologies carry the same risks challenges and rewards as the old

technologies!

_____________

51

New technologies carry the same risks challenges and rewards as the old

technologies!And the same audit requirements!

_____________

52

First, what we’re really talking about is new applications of existing technologies.

• Cloud Computing

• Mobile Banking

New Technologies?

53

Cloud Computing

54

The “new” cloud computing is an evolution of the “old” distributed computing

• Relies on the Internet instead of private networks

• All resources may not be “owned” or “controlled” by the user of the cloud

Cloud Computing

55

Cloud Computing

56

An evolution the “old” telephone banking

• Un-tethered

• Technology and cost impediments disappearing

• Potential limited only by imagination and the ability of management to allocate time to plan,

implement and market

Mobile Banking

57

Mobile Banking

58

Mobile Banking

59

Mobile Banking

60

Mobile Banking

61

• Reduce (or keep the lid on) costs

• Attract new members

• Retain existing members

Opportunities

62

• Increased costs (without corresponding increases in members and/or revenues)

• Loss of members

• Security and/or privacy breaches

• Access control

• Regulatory criticism

Risks

63

How do we audit the new technology applications?

_____________

64

By following the same

methodical, risk-based approach

that has successfully been applied

in earlier phases

of the evolution of

technology and its applications.

How do we audit the new technology applications?

65

• To provide “appropriate” Information Technology (IT) coverage that complements internal audits of financial and operational areas in a timely and cost-effective manner.

• To present complex technical findings in business terms that Management and Directors can understand and properly respond to.

The Challenges

66

• Internal Auditor performs IT audits• Full-time IT internal auditor on staff• Co-source IT internal audits• Rely on external auditors• Other

The Alternatives

67

• Internal Auditor performs IT audits• Full-time IT internal auditor on staff• Co-source IT internal audits• Rely on external auditors• Other

The Alternatives

68

• Adequacy of Coverage– Subject Matter Expertise– Depth of coverage– Availability of time

• Maintenance of Requisite Knowledge• Awareness of Best Practices• Continuity/Institutional Knowledge• Regulatory Environment• Cost

Issues Surrounding Alternatives

69

• Risk Assessment

• IT Internal Audits

• Monitoring and Follow-up

IT Audit Approach

70

• IT Internal Audit Risk Assessment

IT Audit Approach

71

• Risk Categories– Financial– Operational– Technology– Reputational– Regulatory Compliance

• Evaluation Process/Management Involvement• Risk Ratings/Allocation of Resources

IT Internal Audit Risk Assessment

72

• Risk Categories– Financial– Operational– Technology– Reputational– Regulatory Compliance

• Evaluation Process/Management Involvement• Risk Ratings/Allocation of Resources

IT Internal Audit Risk Assessment

73

IT Risk Assessment Model is composed of nine major dimensions:

– Strategy and Planning– Outsourced Vendor Management– Disaster Recovery/Business Continuity Planning– Infrastructure Support and Maintenance– Information Security– Systems Development & Maintenance– Systems Support & Operations– Governance– Critical Applications

IT Risk Assessment Model

74

Planning is critical to ensure that IT goals support the overall goals of the institution

Strategy and Planning

75

Planning is critical to ensure that IT goals support the overall goals of the institution

• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)

Strategy and Planning

76

Planning is critical to ensure that IT goals support the overall goals of the institution

• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)

• Short-range IT (annual) plans describe the implementation steps/ projects, identifies appropriate resources, and includes detailed budgets.

Strategy and Planning

77

Planning is critical to ensure that IT goals support the overall goals of the institution

• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)

• Short-range IT (annual) plans describe the implementation steps/ projects, identifies appropriate resources, and includes detailed budgets.

• Plans should consider technological changes and opportunities, and will define the information systems architecture for the institution.

78

Strategy and Planning

Planning is critical to ensure that IT goals support the overall goals of the institution

• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)

• Short-range IT (annual) plans describe the implementation steps/ projects, identifies appropriate resources, and includes detailed budgets.

• Plans should consider technological changes and opportunities, and will define the information systems architecture for the institution.

• Progress against the plans is monitored by senior management

79

Strategy and Planning

Management of the institution retains responsibility regardless of whether functions are outsourced

• A VM policy establishing ownership and procedures has been approved by the Board

• Risk assessments are performed prior to outsourcing• Vendor evaluation and selection procedures are formalized• Standard for contracts and service level agreements have been

established• Existing service providers are reviewed and monitored• A VM program report is presented annually to the Board

80

Outsourced Vendor Management (VM)

The institution has developed and documented a comprehensive IT Disaster Recovery Plan and associated Business Continuity Plans.

• The Plan includes a Risk Assessment of likely threat scenarios• Threat scenarios address impact on systems, facilities and people• Business Impact Analyses (BIAs) have been prepared for all

departments and functions• Qualified personnel are responsible for maintaining the Plan current• The plan is tested regularly with feedback to address “failures”• The Board receives an annual report on the plan and testing results

Disaster Recovery/Business Continuity Planning

81

Infrastructure Support and Maintenance includes those components of information technology, which support computer operations and business applications and consist of:

• Operating Systems• Networks• Databases• Hardware• Software

82

Infrastructure Support and Maintenance

The institution has resources and procedures in place to provide a stable, serviceable IT environment

• A current and complete inventory of hardware, software, and network (data and voice) devices is maintained

• Qualified resources monitor and maintain the network infrastructure• There is a formal plan to ensure the IT infrastructure is stable, and meets

business requirements in terms of cost, availability, scalability, redundancy, interoperability, functionality etc.

• There is formal equipment maintenance plans for all hardware, software, and network devices

• Monitoring mechanisms are in place to alert management of device and system failures.

• There are service contracts to provide back-up equipment and assistance in the event of an infrastructure failure.

Infrastructure Support and Maintenance

83

Information security policies, procedures, standards, and guidance and/or the information security architecture will define how security features and functionality are to be administered.

• Tools and Techniques• Access Restrictions• Authentication• Password Strengths• Security Monitoring and Logon Attempts

Information Security

84

The institution has resources and procedures in place to appropriately secure infrastructure and information•There is a Board-approved information security policy. •The policy has been distributed to all employees who annually sign an affirmation of their understanding•There is an information security officer who is independent of IT functions.•Users are assigned formal roles/profiles for the network and system that are based on job responsibilities.•The organization maintains virus detection software for all workstations and servers •There have been no security breaches.

Information Security

85

Many institutions do not develop or maintain applications in-house. For those institutions that do develop software, the areas of focus consist of:

• Systems Development Life Cycle (SDLC)

• Application Version Control

• Change Control Procedures

• User Acceptance Testing

Systems Development & Maintenance

86

The institution has the necessary organization, tools and procedures to ensure reliable systems are developed timely and securely

• The institution has adopted a Systems Development Life Cycle (SDLC) methodology

• There is a centralized Project Management function to coordinate and manage IT resources across the institution.

• Separate environments are maintained for testing new systems and/or system enhancement and modifications.

• A controlled process is used to move changes into production

Systems Development & Maintenance

87

Those IT functions that support processing:

• Job Scheduling

• Data and Software Back-up

• Production Control

• Media Management

• Help Desk

• Procedural Documentation

• Anti-virus Measures

System Support and Operations

88

The institutions has the organization, tools and procedures to scheduled and operate systems timely and reliably•An Operations Procedural Manual has been developed which includes escalation procedures to be performed in the event of a systems failure.•Automated job schedulers ensure batch jobs are processed timely and in the correct order.•Monitoring devices ensure operational failures are detected for corrective action. Production failures are recorded and analyzed.•All software and data are back-up on a routine basis•An Operations Committee meets regularly to review systems performance agaiand discuss ways to improve overall operations.•A centralized help desk responds to system problems.

System Support and Operations

89

IT policies and practices should align with applicable statutory and regulatory guidance such as:

• HIPAA (personnel-related requirements)

• Sarbanes-Oxley (not credit unions…yet)

• Gramm-Leach-Bliley Act

• NCUA guidance

• FFIEC IT Handbooks

Governance

90

The institution has the organization, tools and procedures to ensure compliance with applicable guidance•The institution has developed a process to identify IT statutory and regulatory requirements.•An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.•Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually•An IT Control Self Assessment Process to evaluate compliance with documented IT Policies and Procedures.•A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.

Governance

91

For applications critical to its mission and ongoing operations, the institution has instituted appropriate procedures and controls.•The institution had developed and maintains an inventory of mission critical applications

•The organization has identified and/or developed specific controls for each critical applications related to:

– Security

– Data Validation and Control

– Error Processing

– Interface Controls

– Accounting Controls

– Error Reporting

– System Testing

•A Systems Control Self Evaluation is periodically performed for each critical system.

Critical Applications

92

• IT Internal Audits

IT Audit Approach

93

• Derived from Risk Assessment– Specific Audits/Frequency

• IT audits are sequenced and cycled based on relative risk• Timetable for Deliverables

– Other Considerations• Alignment with financial / operational audit plan• Significant Change (e.g. new processing system)• Support of External Auditors• Key Management/Staff Availability• Regulatory Examination Schedule

• Major issue: Granular IT audits vs. “IT General Controls” audit

IT Internal Audit Schedule

94

• Risk assessment results• Size of institution and IT shop• Infrastructure complexity• In-house vs. outsourced core processing• Regulatory atmosphere and guidance• Available funding

General Controls vs. Granular

95

• Core Application Admin & Security

• Network Admin & Security

• e-Banking/Mobile Banking

• Computer Operations

• Disaster Recovery/Business Continuity

• Third-Party Vendor Management

• GLBA 501(b) Customer Information Privacy

• FedLine Advantage

IT Internal Audits

96

• Logical Access Controls– Procedures for granting, removing and changing access– Review sample of access control requests– Test for separated employees still on system– Evaluate granting of administrator/high-level access

• New Releases and Fixes– Timely installation– Appropriate user testing and signoff– Updating of IT and user documentation

• System-specific requirements– Changing default IDs and passwords– Tailoring system settings

• Review and Action upon System Exception Reports

Core Application Admin & Security

97

• Logical Access Controls– Procedures for granting, removing and changing access– Review sample of access control requests– Test for separated employees still on network– Evaluate granting of administrator/high-level access

• New Equipment, Software Releases and Fixes– Timely installation– Appropriate user testing and signoff– Updating of Network documentation

• Network-specific requirements– Changing default IDs and passwords– Tailoring system settings

• Network Vulnerability Assessments (Penetration Tests)– Frequency, Independence, Rotation, Due Diligence– Scope/depth/focus of findings; actions in response

Network Admin & Security

98

• Logical Access Controls (Members and employees)– Procedures for granting, removing and changing access– Review sample of access control requests– Test for separated employees– Evaluate granting of administrator/high-level access– Monitoring of adjustments, password resets, etc.– Multi-factor Authentication

• New Releases and Fixes– Timely installation– Appropriate user testing and signoff– Updating of documentation

• System-specific requirements– Changing default IDs and passwords– Tailoring system settings

• Member Support – Help Desk, Educational Materials

e-Banking/Mobile Banking

99

• Physical Access Controls– Procedures/basis for granting, removing access

• Operations employees• Senior management• Housekeeping/Building Maintenance/Security

– Access Control Mechanisms/Monitors– Visitor Access Procedures/Controls

• Physical Infrastructure– Temperature/humidity sensors and alarms– Threat/motion sensors and alarms– Overall housekeeping

• Operations Staff– Training– Background checks

Computer Operations

100

• Operating Policies/Procedures/Manuals– Current– Complete

• Job Scheduling/Monitoring– Automatic sequences– Manual scheduling– Logging of operator activities/intervention– Management review of logs

• Computer Room Equipment– Current Inventory– Maintenance scheduling and logging– Failure logging and remediation

• Sensitive Materials Handling and Disposal– Negotiable instruments– Confidential reports

Computer Operations (continued)

101

• Plan Development and Support– Qualified Individual(s) in Charge– Appropriate skill sets and sufficient time– Designated individuals through institution– Involvement of key vendors– Board/Management support

For each of the following areas, determine• Existence• Completeness• Currency

Disaster Recovery/Business Continuity

102

• Risk Assessment– Reasonably foreseeable threats– Likelihood, severity, impact– Systems, infrastructure, staff– Must address pandemic flu

• Business Impact Analyses (BIAs)– All departments and functions– Impact on their functions, other departments, members, overall

institution• Detailed Plans

– IT: Disaster Recovery Plan– Other Departments: Business Continuity Plans– Contents:

• Equipment and software lists• Inventories of forms and supplies• Procedures

Disaster Recovery/Business Continuity (continued)

103

• Alternate Location(s)– Designated– Stocked with pre-staged procedures, supplies, equipment

• Administrative Components– Designated Individuals who can Declare Disaster– Disaster/Damage Assessment Procedures– Employee Notification Procedures/Calling Trees– Other Notification Lists

• Directors/Supervisory Committee Chair• Public Safety Officials• Regulators• Key Vendors• Key Members

Disaster Recovery/Business Continuity (continued)

104

• Testing– Administrative aspects

• Disaster declaration and assessment• Appropriate notifications

– Information Technology• All systems or critical systems• Ability to locate and retrieve backups and restore from them• Network(s)• Key processing vendors

– Other departments• Prioritized by function• Tabletop tests• Tests in conjunction with IT test

– Frequency – at least annually– Audit participation– Post-test analyses and reviews– Remediation plans

Disaster Recovery/Business Continuity (continued)

105

• Policy– Fixes responsibility and accountability– Establishes procedures for major components

• Risk Assessment – pre-decision to outsource

– Potential Impact on Strategic Goals – Management Oversight and Evaluation– Contingency Plans– Regulatory Requirements & Guidance

• Vendor Selection Process– Identification of Potential Vendors– Due Diligence and Selection– Contract Negotiation and Award

Third Party Vendor Management

106

• Current Vendor Evaluation– Frequency depends on ranking– Topics

• Financial Stability• Performance against SLAs• Key Personnel turnover• Insurance coverage• Type II SAS 70 (service providers)• Disaster recovery testing & results• Protection of member information

• Annual Board Report– VM policy (any recommended changes)– New critical vendors– Summary of review of current vendors– Other key information

Third Party Vendor Management (continued)

107

GLBA 501 (b) Customer Information Privacy• Board-approved Privacy Policy

– Fixes responsibility– Establishes program– Requires reporting

• Privacy Program• Privacy Risk Assessment

– Assess and document risk of unauthorized access to non-public member information

– Scope should include:• IT infrastructure• Manual (i.e. paper) instances• Third party processors

– Is it sufficiently granular? Specific?• Third-party processors

– Explicit contractual provision– Due diligence on effectiveness of controls

108

• Third-party processors– Explicit contractual provision– Due diligence on effectiveness of controls

• Employee training– All employees– Annual– Relevant– Documented

• Annual Report to Board– Summary of program over previous year– Recommended policy changes (if any)– Incidents (if any)– Specific contents per guidance

GLBA 501 (b) Customer Information Privacy (cont.)

109

The FedLine Advantage audit complements audits of Funds Transfers and other Accounting-related audits

•Logical Access Controls– Procedures for granting, removing and changing access– Review sample of access control requests– Appropriate separation of duties– Test for separated employees still on system

•Physical Access Controls– Secure location for FedLine-capable PCs– Controls over FedLine Advantage access tokens

•Others as specified in Fed guidance– Creation and review of control reports

FedLine Advantage

110

• Monitoring and Follow-up

IT Audit Approach

111

• Follow-up Matrix

– Should contain all findings that were not “closed” at the time audit report was presented to Supervisory Committee

– Used by Supervisory Committee to track progress against stated plans and target dates

– Can/should also be used by Management to supervise and guide efforts

Monitoring and Follow-Up

112

• Issues revisited– Coverage– Competence– Currency (of technical information)– Continuity– Climate (regulatory)– Cost

• Using this template, and based on their knowledge of credit union, Management and the Supervisory Committee can arrive at the right approach

Choosing the Right Approach

113

One more thing…

114

One more thing…

Should we be auditing Governance?

115

One more thing…

Should we be auditing Governance?

116

The institution has the organization, tools and procedures to ensure compliance with applicable guidance•The institution has developed a process to identify IT statutory and regulatory requirements.•An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.•Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually•An IT Control Self Assessment Process to evaluate compliance with documented IT Policies and Procedures.•A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.

Governance Redux

117

Which of these areas are likely to undergo change as• New legislation is passed?• New regulations are promulgated?• New technologies are investigated and implemented?

Governance Redux

118

ALL OF THEM

Governance Redux

119

The institution has the organization, tools and procedures to ensure compliance with applicable guidance•The institution has developed a process to identify IT statutory and regulatory requirements. •An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.•Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually•An IT Control Self Assessment Process to evaluate compliance with documented IT Policies and Procedures.•A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.

Understand the new technologies and services• Maturity and potential• Costs• Security and privacy implications• Competitive landscape—what are other institutions in our trade area doing?• Other risks

• Loss due to fraud or theft• Regulatory criticism• Reputational

Actions You and Your Institution Can Take

120

Know your member base (and potential member base)• What are their access needs (bricks and mortar vs.

hand-held devices)• Is membership aging? Becoming younger?• How do we know needs?

• Surveys? • Anecdotal data?

• Understand your institution’s vision and strategic • What markets (segments, communities) are we in?• Where do we want to go?

Actions You and Your Institution Can Take

121

• Understand the strengths of management and staff

•Do we have the in-house expertise to embrace, exploit and control new technologies?• If yes, let’s set a timetable • If no, we either need to develop it or find a third-party vendor

Actions You and Your Institution Can Take

122

• Ensure Development/Implementation is orderly and controlled

• Planning is critical• Realistic timeframes• Milestones/checkpoints• Progress reporting as appropriate• Metrics (usage, costs)• Policies and procedures• Marketing and Educational materials• Staff training• Roll-out sequencing

Actions You and Your Institution Can Take

123

Post-Rollout Oversight

• Projected vs. Actual• Usage• Costs• Revenues

• Anecdotal information on• Overall progress• Member reaction• Unexpected things that went right/wrong

• Plans for activities prior to next status report• Management’s assessment

Actions You and Your Institution Can Take

124

IT Internal Audit coverage should include the guidance and oversight received from the Board (i.e. Governance)

This coverage can be accomplished in “pieces” throughout the other IT audit areas

Governance Redux

125

Technology will continue to evolve

Credit Unions can choose to adopt new technologies and offer new services or not, but

Competitors and members will be watching and evaluating

Risks and challenges remain relatively the same

Your IT Internal Audit program can and must evolve, too.

Conclusions________________________

126

Thank you!

Jay Bowman, CISA, CISM

Director

jbowman@accumepartners.com

Phone: (484) 844-7132

127