
IIA_Tampa_2-3-2004 Beth Breier, City of Tallahassee 1

IT Auditing in the Small Audit Shop

Beth Breier, CPA, CISA

City of Tallahassee, breierb@talgov.com

http://talgov.com/citytlh/auditing/index.html


Outline

Using IT in Audits vs. IT Audits

Types of IT Audits

Determining What Audits to Do

IT Audit Examples

Successful Strategies

References


Using IT in Audits

Using IT tools to analyze data within a performance or financial audit


Using IT in Audits

Exporting data from application systems

Using IT software to identify trends, “outliers”, exceptions, etc.

Entire populations can be analyzed


Using IT in Audits

MS Access

ACL

IDEA

SQL

Business Objects

Focus


Using IT in Audits

Disbursement data

– Benford analysis

– Invoices between or over a specified dollar amount

– Duplicate invoices

Fleet data

– Total work order costs by vehicle for the year

Transactions conducted by an individual user or vendor
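The tests on this slide, worked through in code as an added example (not part of the presentation, and not City of Tallahassee data). The two tables are constructed sample extracts, and the column names (invoice_no, vendor, amount, entered_by, vehicle, fiscal_year, cost) are assumptions about what a disbursement or fleet export would contain. The queries are plain SQL run through Python's sqlite3 module, so the same statements could be pasted into Access, ACL or any SQL client; the Benford step is done in Python because it needs a distribution, not a query.

```python
"""Audit analytics over a disbursement and fleet extract.

Added example (not from the presentation): the two tables below are
constructed sample data, not City of Tallahassee records, and the column
names are assumptions about what a typical export would contain.
"""
import math
import sqlite3
from collections import Counter

# Constructed invoice extract: invoice_no, vendor, amount, entered_by, paid_date
INVOICES = [
    ("A-1001", "Acme Supply",    1250.00, "jdoe",   "2003-02-14"),
    ("A-1002", "Acme Supply",    4990.00, "jdoe",   "2003-03-01"),
    ("A-1002", "Acme Supply",    4990.00, "jdoe",   "2003-03-08"),  # paid twice
    ("B-77",   "Bayside Tires",   312.50, "msmith", "2003-03-10"),
    ("B-78",   "Bayside Tires",  4975.00, "msmith", "2003-04-02"),
    ("B-79",   "Bayside Tires",   210.00, "jdoe",   "2003-04-03"),
    ("C-5",    "Capital Fuel",  18400.00, "rlee",   "2003-05-11"),
    ("C-6",    "Capital Fuel",  17950.00, "rlee",   "2003-06-11"),
    ("D-1",    "Delta Parts",      67.20, "msmith", "2003-06-20"),
    ("D-2",    "Delta Parts",    4999.99, "jdoe",   "2003-07-01"),
]

# Constructed fleet work-order extract: wo_id, vehicle, fiscal_year, cost
WORK_ORDERS = [
    ("W1", "V-101", 2003,  450.00),
    ("W2", "V-101", 2003, 1200.00),
    ("W3", "V-202", 2003,   85.00),
    ("W4", "V-101", 2002,  300.00),
    ("W5", "V-202", 2003, 2600.00),
]


def load_db(invoices=INVOICES, work_orders=WORK_ORDERS):
    """Load the extracts into an in-memory SQLite database; the queries below
    are ordinary SQL and run unchanged in Access, ACL or a SQL client."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoice (invoice_no TEXT, vendor TEXT, amount REAL,"
                 " entered_by TEXT, paid_date TEXT)")
    conn.execute("CREATE TABLE work_order (wo_id TEXT, vehicle TEXT,"
                 " fiscal_year INTEGER, cost REAL)")
    conn.executemany("INSERT INTO invoice VALUES (?, ?, ?, ?, ?)", invoices)
    conn.executemany("INSERT INTO work_order VALUES (?, ?, ?, ?)", work_orders)
    return conn


def benford_first_digit(amounts):
    """Leading-digit distribution versus Benford's law.

    Returns the digit counts, per-digit (observed, expected) shares and the
    mean absolute deviation (MAD) over digits 1-9.  Benford only applies to
    large, naturally occurring populations; ten invoices, as here, is far too
    few to draw a conclusion and serves only to show the mechanics.
    """
    counts = Counter()
    for amount in amounts:
        text = f"{abs(amount):.2f}".lstrip("0.")   # drop leading zeros and the point
        if text:
            counts[int(text[0])] += 1
    n = sum(counts.values())
    shares, deviation = {}, 0.0
    for d in range(1, 10):
        expected = math.log10(1 + 1 / d)
        observed = counts[d] / n if n else 0.0
        shares[d] = (observed, expected)
        deviation += abs(observed - expected)
    return {"counts": dict(counts), "shares": shares, "mad": deviation / 9}


def duplicate_invoices(conn):
    """Same vendor, invoice number and amount paid more than once."""
    return conn.execute(
        "SELECT vendor, invoice_no, amount, COUNT(*) FROM invoice"
        " GROUP BY vendor, invoice_no, amount HAVING COUNT(*) > 1"
        " ORDER BY vendor, invoice_no").fetchall()


def invoices_in_band(conn, low, high):
    """Invoices inside a dollar band, typically just under an approval
    threshold: a cluster there suggests split or steered purchases."""
    return conn.execute(
        "SELECT invoice_no, vendor, amount, entered_by FROM invoice"
        " WHERE amount BETWEEN ? AND ? ORDER BY amount DESC", (low, high)).fetchall()


def work_order_cost_by_vehicle(conn, fiscal_year):
    """Total work-order cost per vehicle for one fiscal year, highest first."""
    return conn.execute(
        "SELECT vehicle, ROUND(SUM(cost), 2) AS total FROM work_order"
        " WHERE fiscal_year = ? GROUP BY vehicle ORDER BY total DESC",
        (fiscal_year,)).fetchall()


def activity_by_user(conn, user):
    """Number and total of invoices entered under one user id."""
    return conn.execute(
        "SELECT COUNT(*), ROUND(SUM(amount), 2) FROM invoice WHERE entered_by = ?",
        (user,)).fetchone()


if __name__ == "__main__":
    db = load_db()
    print("duplicates:", duplicate_invoices(db))
    print("just under $5,000:", invoices_in_band(db, 4900, 5000))
    print("FY2003 cost by vehicle:", work_order_cost_by_vehicle(db, 2003))
    print("entered by jdoe:", activity_by_user(db, "jdoe"))
    result = benford_first_digit([row[0] for row in db.execute("SELECT amount FROM invoice")])
    print("Benford MAD:", round(result["mad"], 4))
```

Because every query runs over the whole table, the population is examined, not a sample; the band query is parameterised so the same test can be re-run at each approval threshold in the purchasing policy.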


IT Audit

Conducting an audit or review of information technology “to ensure the productivity, usefulness, and availability of the IT systems that serve organizations.”

IT Audits, Xenia Ley Parker (2003)


IT Audits

Separate audit

Combined with performance or financial audit


Types of IT Audits

IT General Controls

Application Controls - Software

IT Project Progress


IT General Controls

General Controls are the structure, policies, and procedures that apply to an entity’s overall computer operations.

Federal Information System Controls Audit Manual, GAO, 1999


IT General Controls

Entity-wide Security Planning and Management

Access Controls

Application Development/Change Controls

System Software

Segregation of Duties

Service Continuity

IT Governance


Software Application

Any application that affects the financial statements or provides information that management relies on to measure performance or make decisions.


Software Application

Input

– Including interfaces

Processing

Output

– Including interfaces


IT Project Progress

Conducting an assurance and consulting audit during a specified phase of a major IT project.


IT Project Progress

Audit Phases:

– Planning

– Acquisition

– Implementation

– Post-Implementation


Determining What Audits to Do

Gain an understanding of IT in the organization:

Environments

Connectivity

Locations

Operating Systems

Application Systems


Environments (diagram): layers around the DATA, listed from the outside in as Remote, Network, Operating System, Database, Application and Data; each layer is labelled as provided either by ISS or by the department owner.

Example Network 1 (diagram): ISS computer room with multiple servers and mainframes; workstations inside City Hall; network access to other City buildings; remote access via modem; Internet access used to visit web sites, to download files via File Transfer Protocol (FTP), and to send and receive e-mail and attached files.

Example Network 2 (diagram)

Put in an example diagram of network

Example Network 3 (diagram)

Determining What Audits to Do

Listing of Operating Systems

Windows 95, 98, NT; Windows 2000, XP; UNIX; LINUX


Determining what audits to do

Listing of all Software Applications and their Owners:

Financial statement related systems

Other systems

Example: application inventory diagram for Treasurer-Clerk and Management & Administration (reconstructed from the diagram as a list; the box-to-owner connections are not recoverable, so owners are listed separately)

Applications and projects:

– Electronic Document Management System (EDMS)
– Check-Printing / FMS (DMS-2 on Unisys) (Still active???)
– Payments/Receipts in CIS/Billing
– CIS Occupational Licenses (Access DB)
– Financials (PeopleSoft)
– Fixed Asset System (FMA) (Still active??)
– Payroll Module of HRMS
– Retirement Module of HRMS
– City Network & Personal Computers
– Telecommunications
– Geographic Information System (GIS)
– Risk Management System
– CORE Revenue Collection
– Web Server
– Integration Project
– Data Warehouse & Web Project
– Other applications: Tech Data; PARAGON (Bonds); Retirement Calculation; DP500 Remittance Processing; HR IVR Annual Benefits Enrollment

Owners and contacts named on the diagram: Paula Cook (Records Management); Jay Collins (ISS); Harold Lane; Gil Bruce (PeopleSoft); Terry Baker and Joe Kaparak; Rodney Register; Jay Johnson (Arc Info); Gordon Klein

Legend: broken-line box = not critical (FY 98 audit report); bold box = critical (FY 98 audit report); round corners = Access DB; round or square dots = not sure; new system/project

Example: application inventory diagram for Safety and Neighborhood Services, Assistant to the City Manager, and Development & Transportation Services (reconstructed from the diagram as a list; owners are listed separately because the box-to-owner connections are not recoverable)

Applications and projects:

– Computer Aided Dispatch / Records Management (CAD/RMS)
– 800 MHz Radio / Communications
– 800 MHz Data System
– Mobile Data Computers
– Animal Center (Chameleon) (Y2-OK)
– Traffic System (Traffic Engineering; being upgraded)
– Permit Enforcement Tracking System (PETS) (Y2-OK)
– Fleet Maintenance System (FASTER)
– Facilities Maintenance Program (City Hall)
– MBE - Access (Still active??)
– Safety Office Access (?)
– Street Sweeping Monitoring System (Not sure?)
– TRACKS (Gas tracking system)
– TALTRAN Traffic Routing
– TALTRAN Bus Display System
– Streets & Drainage (new program 2002)

Owners and contacts named on the diagram: Park Maloy; Sabrina Holloman; Jay Collins; Levin Magruder (ISS Project Manager; other agencies use too)

Legend: broken-line box = not critical (FY 98 audit report); bold box = critical (FY 98 audit report); round corners = Access DB; round or square dots = not sure; new system/project

Example: application inventory diagram for Utilities Services (Water Utilities, Solid Waste, Gas Operations, Electric Utilities, Energy Services), reconstructed from the diagram as a list

Applications:

– Customer Inquiry Tracking System (CITS)
– Wastewater Plant Monitoring & Control System
– Laboratory Information Management System (LIMS)
– Work Ticket System for Gas & Water
– CIS (PeopleSoft)
– RouteSmart (Solid Waste)
– RouteSmart (Meter Reading)
– Parking Ticket System (to be enhanced)
– CMMS (Facility Maintenance)
– Supervisory Control & Data Acquisition System (SCADA) (shown twice, for two different utilities)
– Energy Management System (EMS) (Proprietary)
– Mobile Data Management System (MDMS)
– Meter Change-Out / Work Order System
– Mail-In Receipt System (feeds CIS)
– Meter Reading System (feeds CIS) (DOS-based application)
– Automated Route Control System (ARCS)
– Safety & Training Software
– Loan Program Access Database (Energy Services)
– Numerous Access DBs (leaks, taps, hydrant)
– Access DBs for work orders (usually 2 days behind)
– Access DBs to track out-of-service areas (Waste Management)
– Utilities Rate Estimation (Proprietary)
– Substation Components Subsystem (not sure where or what this is)


Determining what audits to do

Do a risk assessment and consider impact on:

Business Operations

Revenues

Expenditures

Management Decision-making

Political and public crisis


Determining what audits to do

Other Areas that impact Risk Assessment:

Available Staffing w/ needed skills

Meets Current Standards

Formal Business owner

Maturity of IS operations


Audit Planning

Based on your risk assessment, outline a potential progression of audits:

1. Start broad

2. Narrow down into specific areas


Consider All the Pieces (diagram): New IT System; Infrastructure and Security; IS General Operations; Performance Measures; Financial Statements

Develop your IT Audit Plan (diagram, in the order shown): IS General Operations; Infrastructure and Security; Financial Statements; Performance Measures; New IT System

IT Audit Examples

1. General Control - Logical Security

2. Application Control – Fleet Management System

3. IT Project Progress – Planning and Acquisition


General Controls - Audit Example

Logical Security Objectives:

– General understanding of the network

– Logical access paths

– Adequacy of policies and procedures

– Security controls management believed were in place


General Controls - Audit Example

Logical Security Objectives (Continued):

– Controls in place to prevent unauthorized access to the City's LAN

– Accessibility of confidential information


General Controls - Audit Example

Logical Security Procedures:

– Interview IS staff and business staff

– Review network schema

– Examine network security system settings and user-specific settings

– Examine relevant laws, ordinances, policies, etc. regarding confidential information

– Examine and test user security at the network, database and application levels

– Conduct vulnerability assessment procedures
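"Examine and test user security at the network, database and application levels" in practice means taking an export of accounts and their settings and running the same tests over the whole listing. The following is an added example, not part of the presentation: the accounts, the application role names (AP_INVOICE_ENTRY, AP_PAYMENT_APPROVE, FLEET_WO_ENTRY, FLEET_CHANGE_MGMT, SYSADMIN) and the segregation-of-duties pairs are constructed to show the tests, and the 90-day idle threshold is an assumed policy value. It also covers the segregation-of-duties finding from the fleet application example later in the deck, since the test is the same whichever system the export comes from.

```python
"""Logical-access tests over a constructed user listing.

Added example, not part of the presentation: the accounts, role names and
the segregation-of-duties pairs below are made up to show the tests an
auditor runs against a network or application security export.
"""
from datetime import date
from typing import NamedTuple


class Account(NamedTuple):
    user_id: str
    name: str
    enabled: bool
    is_admin: bool            # member of an administrative group
    pwd_never_expires: bool   # flag in the directory or security table
    last_logon: date
    roles: frozenset          # application roles (assumed names)


AS_OF = date(2004, 2, 3)      # date of the review

# Constructed export of network and application accounts.
ACCOUNTS = [
    Account("jdoe",     "J. Doe",         True,  False, False, date(2004, 1, 28),
            frozenset({"AP_INVOICE_ENTRY"})),
    Account("msmith",   "M. Smith",       True,  False, False, date(2004, 1, 30),
            frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"})),
    Account("rlee",     "R. Lee",         True,  True,  False, date(2003, 6, 2),
            frozenset({"SYSADMIN"})),
    Account("temp01",   "Summer intern",  True,  False, True,  date(2003, 8, 15),
            frozenset({"FLEET_WO_ENTRY"})),
    Account("svc_ftp",  "FTP service",    True,  True,  True,  date(2004, 2, 1),
            frozenset()),
    Account("kwong",    "K. Wong",        False, False, False, date(2002, 11, 11),
            frozenset({"AP_PAYMENT_APPROVE"})),
    Account("fleetadm", "Fleet (shared)", True,  False, False, date(2004, 2, 2),
            frozenset({"FLEET_WO_ENTRY", "FLEET_CHANGE_MGMT"})),
]

# Assumed segregation-of-duties matrix: role pairs one person should not hold.
SOD_CONFLICTS = [
    (frozenset({"AP_INVOICE_ENTRY", "AP_PAYMENT_APPROVE"}),
     "enters and approves own invoices"),
    (frozenset({"FLEET_WO_ENTRY", "FLEET_CHANGE_MGMT"}),
     "application user also controls program changes"),
]


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon in max_idle_days (leavers, temps, forgotten ids)."""
    return sorted(a.user_id for a in accounts
                  if a.enabled and (as_of - a.last_logon).days > max_idle_days)


def privileged_accounts(accounts):
    """Enabled accounts in an administrative group; each should map to a named,
    authorised administrator rather than a shared or service login."""
    return sorted(a.user_id for a in accounts if a.enabled and a.is_admin)


def password_exceptions(accounts):
    """Enabled accounts exempt from password expiry."""
    return sorted(a.user_id for a in accounts if a.enabled and a.pwd_never_expires)


def sod_violations(accounts, matrix=SOD_CONFLICTS):
    """Enabled users holding both halves of a conflicting role pair."""
    hits = []
    for a in accounts:
        if not a.enabled:
            continue
        for pair, why in matrix:
            if pair <= a.roles:          # subset test: user has every role in the pair
                hits.append((a.user_id, why))
    return sorted(hits)


def access_review(accounts, as_of):
    """Run all tests and return the exceptions to take to management."""
    return {
        "stale": stale_accounts(accounts, as_of),
        "privileged": privileged_accounts(accounts),
        "password_never_expires": password_exceptions(accounts),
        "sod": sod_violations(accounts),
    }


if __name__ == "__main__":
    for test, found in access_review(ACCOUNTS, AS_OF).items():
        print(f"{test}: {found}")
```

Each list is an exception report, not a finding by itself: the auditor takes it back to the business owner to confirm whether the stale ids belong to people who left, whether the service account really needs administrative rights, and whether a compensating control (for example a second approver on payments) exists for the role conflicts.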


Issues - Federal Agencies


Application Controls – Audit Example

Fleet Application Objectives

– Understand the internal control components

– Evaluate application controls

– Evaluate selected general controls


Application Controls – Audit Example

Fleet Application Procedures

– Review documentation

– Identify and prioritize controls

– Test effectiveness of controls

– Examine interface programs and test interfaces

– Test accuracy and completeness of reports


Application Controls – Audit Example

Fleet Application Issues:

– Poor input controls (validation, etc.)

– Specific controls not working

– Calculations not accurate

– Reports not complete or accurate

– Interfaces not working as intended
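Two of the procedures above, testing interfaces and testing the accuracy and completeness of what comes out of them, reduce to reconciling what the source system says it sent against what the target received. The following is an added example, not code from the presentation or from the fleet system: both files are constructed, and the GL account "5310" is an assumed value. It shows why a record count alone is a weak interface control, and it also flags the kind of input-validation failures (missing vehicle, negative cost) listed under the issues above.

```python
"""Interface and report testing over a constructed fleet-to-financials feed.

Added example, not from the presentation: both files are made up.  The fleet
extract stands for the work orders the fleet system says it sent; the posting
file stands for what the financial system actually received.
"""
from decimal import Decimal

# Constructed fleet extract (interface source): wo_id, vehicle, amount
FLEET_EXTRACT = [
    ("W1", "V-101", "450.00"),
    ("W2", "V-101", "1200.00"),
    ("W3", "V-202", "85.00"),
    ("W4", "",      "300.00"),    # missing vehicle: input validation failed upstream
    ("W5", "V-202", "2600.00"),
    ("W6", "V-303", "-20.00"),    # credit keyed as a negative cost
]

# Constructed posting file received by the financial system (interface target):
# wo_id, gl_account (assumed value), amount
GL_POSTINGS = [
    ("W1", "5310", "450.00"),
    ("W2", "5310", "1200.00"),
    ("W4", "5310", "300.00"),
    ("W5", "5310", "2060.00"),    # digits transposed in transit
    ("W6", "5310", "-20.00"),
    ("W9", "5310", "99.00"),      # not in the source at all
]


def validation_exceptions(extract):
    """Records a sound input control would have rejected at entry."""
    bad = []
    for wo_id, vehicle, amount in extract:
        if not vehicle or Decimal(amount) <= 0:
            bad.append(wo_id)
    return bad


def control_totals(rows, amount_index=2):
    """Record count and hash total of the amount column.  Decimal avoids the
    cent-level drift that float addition would introduce into the total."""
    return len(rows), sum(Decimal(r[amount_index]) for r in rows)


def reconcile(source, target):
    """Key-level reconciliation of an interface: what was sent versus what posted.

    Counts can agree while amounts do not (one record dropped, one added), and
    hash totals can agree when two errors offset, so the record-by-record match
    is what actually proves completeness and accuracy.
    """
    sent = {r[0]: Decimal(r[2]) for r in source}
    posted = {r[0]: Decimal(r[2]) for r in target}
    return {
        "source_count_total": control_totals(source),
        "target_count_total": control_totals(target),
        "missing_in_target": sorted(k for k in sent if k not in posted),
        "unexpected_in_target": sorted(k for k in posted if k not in sent),
        "amount_mismatch": sorted((k, sent[k], posted[k]) for k in sent
                                  if k in posted and sent[k] != posted[k]),
    }


if __name__ == "__main__":
    print("input exceptions:", validation_exceptions(FLEET_EXTRACT))
    for name, value in reconcile(FLEET_EXTRACT, GL_POSTINGS).items():
        print(f"{name}: {value}")
```

On this data both sides carry six records, so a count-only interface control passes; the hash totals (4615.00 sent, 4089.00 posted) disagree, and only the key-level match explains why: W3 never posted, W9 appeared from nowhere, and W5 posted at the wrong amount.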


Application Controls – Audit Example

Fleet Application Issues (Continued)

– Lack of segregation of duties between users and IS staff

– No software change management procedures

– No written backup and recovery procedures


IT Project Progress – Audit Example

Public Safety Systems Integration

Phase: Planning and Acquisition

Objectives:

– Compliance with City policies and procedures and contract requirements

– Independent assessment of risk management and project controls

– Project status and accomplishments

– Significant issues and status


IT Project Progress – Audit Example

Public Safety Systems Integration Procedures:

– Advisory (non-voting) member of project teams and committees

– Review key documentation (RFPs, contracts)

– Test transactions for appropriateness

– Interview key IS and user department staff

– Observe contract negotiations


IT Project Progress – Audit Example

Public Safety Systems Integration Issues:

– No cost-benefit analysis conducted

– Needs assessment not documented

– No documentation of major decisions

– Lack of budget monitoring

– Lack of management oversight

– Lack of communication among project team and/or management


IT Project Progress – Audit Example

Public Safety Systems Integration Issues (Continued):

– Needs and expectations exceed scope

– Lack of communication among projects

– No plan to address insufficient infrastructure to support the new system

– New system will require more technical expertise than the City or department has


3 Recommended Strategies

Start broad and then narrow the focus

Limit scope for a reasonable time frame

Plan specific IT training for staff


References - Audit Programs

GAO Federal Information System Controls Audit Manual (FISCAM) (http://www.gao.gov/policy/guidance.htm)

– General Controls

– Currently developing Chapter 4 on Application Controls

NASACT Information Systems Security Audit Forum (ISSAF) web page (http://www.nasact.org/IISAF/about.html)


References - Audit Programs

CoBIT - Information Systems Audit and Control Association (ISACA) (http://www.isaca.org/)

ISACA Systems Auditability and Control

IT Audits, Xenia Ley Parker, published by Aspen, 2003

Handbook on IT Auditing (Warren, Edelson & Parker)

www.ITAudit.org


References - Audit programs

Federal Information Processing Standards (FIPS), http://csrc.nist.gov/publications/fips/index.html, including:

– FIPS 46-3, Data Encryption Standard (DES)

– FIPS 112, Password Usage

Computer Security Resource Center, http://csrc.nist.gov/index.html


“Do what you can with what you have where you are.”

Theodore Roosevelt

QUESTIONS …..??