
1

WELCOME TO CISD MEETING

2

Information Technology AUDITING WITH THE LEGISLATIVE AUDITOR

Questions: Ask, but may defer or handle off-line.

3

Common Goal

To Improve IT Controls in Louisiana State Government

• Same Team
• Asked to do more with less

4

Outline:

I. Audit Requirements
  – Audit Law
  – Audit Standards for IT controls
II. Establishment of IT Audit And What We Do
III. How Are Entities Selected For IT Audits
IV. Criteria Used—COBIT
V. Planning And Scoping
  – Approach And Basic Parts Of The IT Audit
  – CoMIT Tool
VI. If/How Issues Found Are Reported

5

I. Audits Are Required: Law

• Audit Law requires financial and operational audits (RS 24:511-523)
  – types of audits, how often & when, what we are to have access to (includes confidentiality requirements)
• CAFR (Comprehensive Annual Financial Report)—the annual financial statement for the State of Louisiana as a whole
• Single Audit (Federal)
• Full Scope Audits—audit opinion on the entity’s FS

Your systems produce information needed for these reports, so they are subject to audit.

6

Audit Standards:

• Law dictates what we do…but governmental, financial & IT audit standards dictate “how” we audit
• IT audits are done as part of the financial audits, so separate audit reports are not produced.
• The US Government Accountability Office (GAO) has issued Generally Accepted Governmental Auditing Standards known as GAGAS
• Other standards are
  – American Institute of Certified Public Accountants (AICPA)
  – Information Systems Auditing and Control Association (ISACA) and other certification bodies

7

Per GAGAS

“Government audits provide key information to stakeholders and the public to maintain accountability…reduce costs; facilitate decision making; stimulate improvements; and identify current and projected crosscutting issues….”

8

Standards

• We must consider IT controls. IT controls are often involved when IT is used to
  – Initialize
  – Authorize
  – Record
  – Process and
  – Report
  financial data
• Per GAGAS, specialized techniques or methods may be required to cover IT controls and may require a specialist.

9

II. Our IT Audit Section

• Was established to cover IT parts of audits with specialized knowledge and skills. We do other things as well that may affect or involve you, like
  – Extract data, create queries, data mining
  – Provide support for some applications like BO, Works, ACL, SAP, and PeopleSoft
  – Create audit programs to cover end user controls on systems under our audit
  – Monitor major implementations
  – Assist in examining audit evidence and any other assistance needed

It’s all about assurances we can provide to other auditors and about where the risk is.

10

IT Audit Section

• The risk and level of assurances needed dictate how we get the evidence and the type of evidence that we must obtain.
  – Do we issue an audit report rendering an opinion (full scope)?
  – Do we perform procedures on only certain accounts because they are material to the CAFR or the Single Audit?
  – Do we interview you, or do an observation, or re-perform, or interview a few people, or test it in detail?
• 3 Year rotation

11

III. How Are Entities Selected?

• We list out all the financial audits, the assurances needed (CAFR, SA, full scope, etc.) and determine the IT systems associated with those audits.
• Things considered:
  – Do controls heavily rely on IT; or, are they more manual or hybrid
  – Size and complexity of the system
  – Distributed or centralized
  – Dollars processed or stored
  – How new is the system & if/when it was last audited
  – Previous problems with the system
  – What kind of information does it contain and how sensitive is it
  – Recent changes
  – Level of expertise needed to understand the controls
• Then we prioritize by considering the risk and select auditees
• Once the system and entities are selected, we begin planning

12

IV. Criteria Used: COBIT

13

• Created by the IT Governance Institute
• How is COBIT different and why do we use it?
  – The first document containing IT best practices that can be used by auditors and IT management
  – Generally acceptable with third parties and regulators
  – Fulfills the COSO requirements for the IT control environment
  – Agency IT management can obtain COBIT from the following site (register, free): https://www.isaca.org/Template.cfm?Section=Home&Template=/Security/Login.cfm

14

V. Planning & Scoping

• We would let you know that your agency has been selected & possibly provide the CoMIT Tool
• Select the who and when for the audit procedures (currently building our resources)
• The IT auditor would proceed to contact you or your staff for preliminary information in order to scope the audit.
• Per standards we plan according to risk

15

AICPA’s Top Tech Issues (Handout)

Top 10 on p.2

Top 5 are
1. Information Security Management
2. Privacy Management
3. Secure Data File Storage, Transmission and Exchange
4. Business Process Improvement, Workflow, and Process Exceptions Alerts
5. Mobile and Remote Computing

16

Plan & Scope: IT Audit Approach

• Use of IT has grown and we are resource challenged
• Standardize our procedures and have a common measuring tool
• Goal was/is to obtain as much information up front as possible
• Began as a self-assessment with a holistic approach for state agencies

CoMIT Tool—Control Matrix for Information Technology
• For assessment of IT Internal Controls
• Used as a pilot last year (GSU, LCTCS)
• Greatly revised for 2009

17

VI. Reporting the Issues Found:

• Not a separate audit; no IT audit report
• List deficiencies/issues found in a chart
• Evaluate issues individually and in the aggregate to determine significant deficiencies (example)
• Standards require that “significant deficiencies” be reported. (Handout)

18

Reporting the Issues Found:

• According to SAS 112, par. 9, “Significance… depends on the potential for a misstatement, not on whether a misstatement actually has occurred.”
• Also, per GAGAS we report matters that may be significant for users or oversight bodies or of interest to the public
• But specific exposures are not disclosed (example)
• Traditionally, most is not reported

19

Common Problems Found

• Security issues:
  – Too much access (bus. need, seg. of duties)
  – Lack of monitoring of access
  – Lack of or inadequate procedures for granting access
  – Remote access
  – Lack of encryption
  – System settings
• Lack of policies, etc.
• Problems in change management or change control
• Lack of QA or audit function
• Lack of an up-to-date BC/DRP, not tested, not in central repository, location of backup
• Lack of network scanning for monitoring
• Issues with firewall rules
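As an added illustration of the first security issue above (too much access / segregation of duties), not part of the presentation or the CoMIT Tool: a check of the kind an IT auditor runs over a user-to-function extract from a financial system, reporting conflicts per user and in the aggregate. The conflict rules and the access extract are constructed sample data.

```python
# Added example (not from the slide deck): segregation-of-duties (SoD) conflict check
# over a constructed user-role extract such as one exported from an ERP system.
from itertools import combinations

# Constructed SoD rule set: pairs of functions one person should not hold together.
SOD_CONFLICTS = {
    frozenset({"vendor_create", "payment_approve"}),
    frozenset({"journal_post", "journal_approve"}),
    frozenset({"user_admin", "payment_approve"}),
}

# Constructed access extract: user -> set of functions granted to that user.
ACCESS_EXTRACT = {
    "alice": {"vendor_create", "payment_approve"},
    "bob": {"journal_post"},
    "carol": {"journal_post", "journal_approve", "user_admin"},
    "dave": {"user_admin"},
}


def find_sod_conflicts(access, conflicts=SOD_CONFLICTS):
    """Return {user: [(func_a, func_b), ...]} for every user holding both halves of a rule."""
    findings = {}
    for user, functions in access.items():
        hits = [(a, b) for a, b in combinations(sorted(functions), 2)
                if frozenset({a, b}) in conflicts]
        if hits:
            findings[user] = hits
    return findings


def summarize(findings):
    """Aggregate view the auditor needs: affected user count and how often each rule fires."""
    rule_counts = {}
    for hits in findings.values():
        for pair in hits:
            rule_counts[pair] = rule_counts.get(pair, 0) + 1
    return {"users_with_conflicts": len(findings), "rule_counts": rule_counts}


if __name__ == "__main__":
    found = find_sod_conflicts(ACCESS_EXTRACT)
    for user, hits in found.items():
        print(user, hits)          # individual findings
    print(summarize(found))       # aggregate view
```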

20

Just for Fun: You Might Be An IT Auditor If…

• You have more letters behind your name than in a can of alphabet soup
• You have some gadget on your desk that you have fondly given a name
• Bean counter references make you mad
• Balancing your check book is FUN
• When you have your computer repaired you ask for all the parts back, labeled and itemized
• Your idea of a vacation is FIELD WORK
• If you and your coworkers represent more nationalities than anywhere else in the office

21

Questions???

Conclusion