
Integrating the IT Specialist into the Audit Team

Daniel J. O’Keefe, CPA, MBA, CFE
Moore Stephens Lovelace, P.A.

Chris Ghosio, CCNP, CCDA, TMCSM, TMCSE
MSL Technologies

Agenda

National Security Risks
Why Use IT Audit Specialists?
What IS Data Security?
Audit Standards and IT
Auditing IT Controls
Common IT Findings in a Financial Statement Audit
PCI DSS Compliance

National Security Risks

Titan Rain
State Department’s East Asia Bureau
Offices of Representative Frank Wolf
Commerce Department
Naval War College
Commerce Secretary Carlos Gutierrez and the 2003 Blackout
McCain and Obama Presidential Campaigns
Office of Senator Bill Nelson
Ghostnet
Lockheed Martin’s F-35 Program

National Security Risks (cont’d.)

DOE Encounters Over 10 Million Cyber Attacks a Day
NASA Victim of 13 Major Cyber Attacks Last Year

Number of Computer Viruses:
2000: Over 50,000
2005: Over 100,000
2010: Over 1,000,000

World Economic Forum puts Cyber Attacks in Top Five Biggest Global Risks for 2012

Cyber Command was created in 2010 at Fort Meade, next to the operations center for the NSA, the nation’s largest spy agency

Why Use IT Audit Specialists?

Audit Standards Require a “Risk-based Approach”
OLD SCHOOL – Garbage in, Garbage out
NEW SCHOOL – Assess IT Risk by Evaluating Risk Factors
Most CPAs are not Adequately Trained to Assess IT Risks
IT Specialists can Effectively Communicate with IT Personnel

Why Use IT Audit Specialists? (cont’d.)

BENEFITS
Reduces Audit Risk
Provides the Ability to use Computer Assisted Audit Techniques
Provides Value-added Service
Completes the Audit Loop

Why Use IT Audit Specialists? (cont’d.)

BURDENS
May Add Additional Cost to Audit
Would Need to Apply “Use of a Specialist” Procedures if Outsourced
Locating a Qualified IT Specialist
Monitoring IT Specialist’s Activities

Think of Security as Being Similar to Castle Defenses

Tower
Moat
Narrow Bridge
Arrow Slits
Battlements
Gatehouse
Flanking Towers
Curtain Wall

The focus of the IT evaluation is to determine if defenses are in place to ensure financial data maintains:

Confidentiality – Preventing the disclosure of information to unauthorized individuals or systems
Integrity – Ensuring that data or information cannot be changed undetectably
Availability – Ensuring the information is available when needed

IT Considerations in a Financial Statement Audit

Audit Standards and IT

Auditor’s primary interest is in an entity’s use of IT to:
Initiate, Authorize, Record, Process, and Report transactions or other financial data

IT Considerations in a Financial Statement Audit

Audit Standards and IT (cont’d.)

IT may provide efficient and effective controls by:
Enhancing the timeliness, availability, and accuracy of information
Facilitating information analysis
Enhancing monitoring of policies and procedures
Reducing the risk of circumvention of controls

IT Considerations in a Financial Statement Audit

Audit Standards and IT (cont’d.)

IT may pose risks to internal control by:
Unauthorized access to data (destruction, changes, unauthorized transactions)
Unauthorized changes to master files
Unauthorized changes to systems or programs
Failure to make proper changes to systems or programs
Potential loss of data or inability to recover data

Auditing IT Controls

Starts with the IT survey:
Helps provide a baseline of the environment
Identifies financial applications and supporting components:
IT Organization
IT Security Controls
IT Operations

Auditing IT Controls (cont’d.)

Perimeter protection configurations:
Firewalls
IPS / IDS
DMZ
Wireless
Web Content Filtering
Remote Access (VPN)

Desktop Security:
Local Administration Permissions
Anti-malware Software

Auditing IT Controls (cont’d.)

Server Security:
Application and Folder Permissions
Server Security Hardening

Financial Applications Security:
User Permissions
On-line Payments

User Administration:
Controls for Adding and Removing Users

Auditing IT Controls (cont’d.)

Data Backup:
Backup Jobs
Backup Storage
Data Encryption
Restore Testing

Auditing IT Controls (cont’d.)

Policies and Procedures:
IT Security Policy
Physical Security Policy
Firewall Policy
Encryption Policy
User Management Policies
Acceptable Use Policies
Security Awareness Program

Auditing IT Controls (cont’d.)

Patch Management:
How are patches approved?
How are patches applied?
Is patch management automated?

Vulnerability Management:
Internal vulnerabilities
External vulnerabilities
How is each identified?
Remediation efforts?

Auditing IT Controls (cont’d.)

Change Management:
How are changes tested?
How are changes approved?
Are all changes documented?

Business Continuity Planning and Execution:
Are plans in place to restore the financial applications?
Have the plans been tested?

Common IT Findings in a Financial Statement Audit

Controls to be Evaluated:
Physical Security
User Account Management
AntiVirus and Malware
Data Backup
Application Security
Network Security
Policies and Procedures
Business Continuity/Disaster Recovery

Common IT Findings in a Financial Statement Audit

Physical Security
Excessive staff access to the computer room
No access logs to the computer room – Who was in there? When? Why?
No video surveillance in computer room – What were they doing?
Security lacking in Telecom closets – Could bring down your network!

User Management
Terminated employees still in the systems
Shared administrator user IDs
Password complexity rules not used or only partially implemented
End users configured as power users or administrators
Password-protected screensavers, network and application timeouts not enforced
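As an added example (not from the presentation), the Python script below turns the user-management findings above into a repeatable check: it reconciles a constructed account export against a constructed HR termination list and flags enabled accounts belonging to terminated employees, shared administrator IDs, end users placed in administrator or power-user groups, accounts without an adequate minimum password length, and accounts without an enforced session timeout. The group names, thresholds, people and accounts are all assumptions made for the example.

```python
"""Reconciliation check for the user-management findings above.

Added example; it is not from the presentation and its data is
constructed. In a real audit the account list would be exported from
the directory or the financial application, and the termination list
would come from HR.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Groups that grant administrator or power-user rights (assumed names;
# a real check would use the client's actual group names).
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Power Users"}

# Thresholds are assumptions for this example, not figures from the talk.
MIN_PASSWORD_LENGTH = 8      # complexity rule: minimum length enforced
MAX_IDLE_MINUTES = 15        # screensaver / session timeout upper bound


@dataclass(frozen=True)
class Account:
    user_id: str
    owner: str                        # named individual; "" = shared/generic account
    role: str                         # "end user" or "IT"
    enabled: bool
    groups: Tuple[str, ...]
    min_pw_length: int                # password policy applied to this account
    idle_timeout_min: Optional[int]   # None = no timeout enforced


# Constructed sample data (hypothetical people and accounts).
ACCOUNTS: List[Account] = [
    Account("jsmith", "Jane Smith", "end user", True, ("Finance Users",), 8, 10),
    Account("admin", "", "IT", True, ("Domain Admins",), 12, 15),
    Account("bjones", "Bob Jones", "end user", True, ("Power Users", "Finance Users"), 4, None),
    Account("alee", "Ann Lee", "IT", True, ("Domain Admins",), 12, 15),
    Account("mdoe", "Mark Doe", "end user", False, ("Finance Users",), 8, 10),
]

# HR termination list: user id -> termination date (constructed).
TERMINATED: Dict[str, date] = {
    "jsmith": date(2012, 1, 15),
    "mdoe": date(2011, 11, 30),
}


def audit_accounts(accounts: List[Account], terminated: Dict[str, date]) -> List[Tuple[str, str]]:
    """Return (user_id, finding_code) pairs, one per control failure."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        is_admin = bool(ADMIN_GROUPS & set(acct.groups))

        # Terminated employees still in the systems
        if acct.enabled and acct.user_id in terminated:
            findings.append((acct.user_id, "TERMINATED_STILL_ENABLED"))

        # Shared administrator user IDs (privileged account with no named owner)
        if is_admin and not acct.owner:
            findings.append((acct.user_id, "SHARED_ADMIN_ID"))

        # End users configured as power users or administrators
        if is_admin and acct.role == "end user":
            findings.append((acct.user_id, "END_USER_HAS_ADMIN"))

        # Password complexity rules not used or only partially implemented
        if acct.enabled and acct.min_pw_length < MIN_PASSWORD_LENGTH:
            findings.append((acct.user_id, "WEAK_PASSWORD_POLICY"))

        # Screensaver / session timeouts not enforced
        if acct.enabled and (acct.idle_timeout_min is None or acct.idle_timeout_min > MAX_IDLE_MINUTES):
            findings.append((acct.user_id, "NO_SESSION_TIMEOUT"))
    return findings


def summarize(findings: List[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per code, the shape an auditor reports by control area."""
    counts: Dict[str, int] = {}
    for _, code in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_accounts(ACCOUNTS, TERMINATED)
    for user_id, code in results:
        print(f"{user_id:10} {code}")
    print(summarize(results))
```

Disabled accounts of terminated staff are deliberately not flagged, since disabling is the expected control; the check is against accounts that remain enabled. Each code maps to one bullet in the list above, so the summary counts can be dropped straight into a findings letter.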

Common IT Findings in a Financial Statement Audit

AntiVirus and Malware
AutoRun or AutoPlay functionality enabled
Lack of centralized control and management of AntiVirus software

Data Backup
Backups not stored out-of-area
Backups not stored in a secure, offsite location
Transport of backup tapes not logged
Backups not encrypted
Backup tapes not tested
No formal procedure in place to “age” backup tapes

Common IT Findings in a Financial Statement Audit

Application Security
Inadequate user password rules
No interface with Active Directory (requires multiple logons)
Lack of activity logging, reporting and monitoring capabilities
IT staff with excessive access to production data
Decentralized security administration (no separation of duties)

Common IT Findings in a Financial Statement Audit

Network Security
Administration of network devices over unsecured protocols
Shared and local administrator IDs on network devices
Firewall rules need tightening
Intrusion Prevention Systems either not installed or not maintained
No formal procedure for monitoring server and network device events
No log aggregation

Common IT Findings in a Financial Statement Audit

Policies and Procedures
Common Deficiencies in Policies and Procedures:
Security Awareness Program
Acceptable Use Policies and Procedures
User Account Management Policies (HR)
Change Control Policies and Procedures
Patch Management Policies and Procedures
Data Backup Management
Encryption Management and Personal Computing Device Management Policies

Common IT Findings in a Financial Statement Audit

Business Continuity and Disaster Recovery
Lack of fully documented Disaster Recovery Plan
Lack of fully documented Business Continuity Plan
Lack of exercising or testing of plans

IT Personnel Risks

Risks vary depending upon the size of your business:

Small Business – Do you need a full-time IT person? If you have one, do they have the proverbial “keys to the kingdom”?
Medium Business – Attracting and retaining skilled technicians is a challenge, as is maintaining their technical skill levels and certifications.
Enterprise – Is the number of technicians on staff adequate to support the needs of the enterprise, and are their skill levels appropriate?

Outsourcing IT Functions

One option for mitigating some of the personnel risks associated with IT is to outsource some or all functions to a third party.

Small Business – A lot of small businesses are outsourcing all IT functions to IT vendors.
Medium Business – Typically outsource on a regular basis, as their IT staff has limited skill sets.
Enterprise – Utilize IT consultants for specialized projects.

Common Risks in Outsourcing IT

Outsourcing a critical process.
Someone other than an internal employee handling your data and IT.
IT vendor misrepresented skill level and expertise of staff.
IT vendor does not adhere to Service Level Agreements (SLAs).

Evaluating & Selecting Outsourcers

Types of technical competencies the outsourcer possesses.
Experience in your industry.
Agreement terms.
SLAs.
Is the “Cloud” a good option? Do your due diligence.

Payment Card Industry (PCI) Data Security Standard (DSS)

PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

PCI DSS applies wherever account data is stored, processed or transmitted.

The primary account number is the defining factor in the applicability of PCI DSS requirements. If a primary account number (PAN) is stored, processed or transmitted, PCI DSS requirements apply.

PCI DSS High-level Overview

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

PCI DSS High-level Overview (cont’d.)

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.

Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

PCI DSS High-level Overview (cont’d.)

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
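The applicability rule stated earlier (PCI DSS applies wherever a PAN is stored, processed or transmitted) and requirement 3 (protect stored cardholder data) both depend on being able to find PANs in the first place. The Python script below is an added example, not part of the presentation: it sweeps a set of constructed sample records for candidate card numbers, uses the Luhn check to discard look-alike digit strings such as order numbers, and masks anything it finds to the first six and last four digits, the most PCI DSS permits to be displayed, so that the scoping report does not itself become stored cardholder data. The file names are hypothetical and the card numbers are the standard Visa and Mastercard test numbers.

```python
"""PAN discovery and masking for PCI DSS scoping.

Added example, not from the presentation. Inputs are constructed: the
card numbers are the well-known Visa/Mastercard test numbers and the
file names are hypothetical.
"""
import re
from typing import Dict, List

# A candidate PAN is 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out order numbers, IDs, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return the normalised (digits-only) PANs found in text."""
    pans: List[str] = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample "files" an IT audit might sweep.
SAMPLE_RECORDS: Dict[str, str] = {
    "orders.csv": "order 1234567890123456, card 4111 1111 1111 1111, phone 407-555-0100",
    "notes.txt": "customer called about invoice 2012-0042; no card data taken",
    "backup_export.sql": "INSERT INTO payments VALUES ('5555555555554444', '12/14'); "
                         "INSERT INTO payments VALUES ('4111111111111112', '03/13');",
}


def scan_records(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each record that holds a PAN to its masked PANs.

    Any record that appears in the result stores cardholder data and is
    therefore within PCI DSS scope.
    """
    in_scope: Dict[str, List[str]] = {}
    for name, content in records.items():
        pans = find_pans(content)
        if pans:
            in_scope[name] = [mask_pan(p) for p in pans]
    return in_scope


if __name__ == "__main__":
    for name, masked in scan_records(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(masked)}  -> in PCI DSS scope")
```

In the sample data the 16-digit order number and the second card number in the SQL export both match the pattern but fail the Luhn check, so only the two genuine test PANs are reported; the scan therefore places `orders.csv` and `backup_export.sql` in scope and leaves `notes.txt` out. The same sweep run against backup media would also speak to the "backups not encrypted" finding listed earlier.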

In Summary

Data is the lifeblood of an organization; are the right controls in place to protect it?

QUESTIONS?

Daniel J. O’Keefe
Moore Stephens Lovelace, P.A.
[email protected]

Chris Ghosio
MSL Technologies
[email protected]

Schedule at a Glance

Tuesday, May 8, 2012

• 8:00 a.m. - 9:40 a.m. Local Government Accountability Update – Marilyn Rosetti and David Ward
• 8:00 a.m. - 9:40 a.m. Auditing Small Governments – Debbie Goode
• 8:00 a.m. - 9:40 a.m. GFOA Budget Award Program – Eric Johnson
• 8:00 a.m. - 9:40 a.m. Economic Update – Mark Vitner
• 8:00 a.m. - 9:40 a.m. Current Treasury Management Practices and Tools – Keith Henry, Nancy Mirfin and David Witthohn
• 10:00 a.m. - 11:40 a.m. GFOA CAFR Award Program – Linda Dufresne and Sarah Koser
• 10:00 a.m. - 11:40 a.m. How to Invest With Fewer Dollars? – Jeff Larson, Linda Senne and Jeffrey Yates
• 10:00 a.m. - 11:40 a.m. Strategies to Address Aging Infrastructure – Celine Hyer
• 10:00 a.m. - 11:40 a.m. Making Technology Work for You! – Steve Murray and Darrel Thomas
• 10:00 a.m. - 11:40 a.m. Debt Affordability & Policies – Mickey Miller