The Role of IT Audit - PowerPoint PPT Presentation
1
The Role of IT Audit at Cornell University
Presented by:
  • Craig Adams, CISA, CISM
  • Clayton Dow, CPA, CISA, CIA
  • Geoffrey Yearwood, CISA
2
Agenda
  • Stakeholders
  • Auditing in General
  • University Audit Office
  • Information Technology Audit
  • IT Policies
  • The Changing Face of IT Audit
  • IT Controls

3
Stakeholders
  • Board of Directors
  • Audit Committee
  • Senior Management
  • External Audit
  • Internal Audit
  • Audit Clients

4
Stakeholder Roles
  • Internal control is a joint effort:
  • Board of Directors: determines and approves
    strategies, sets objectives, and ensures the
    objectives are being met.
  • Audit Committee: responsible for overseeing the
    internal control structure (operations,
    compliance, and financial reporting).
  • Senior Management: defines, develops, implements,
    and documents the internal control structure.
  • External Audit: attests to the fair statement of
    financial results.
  • Internal Audit: validates the internal control
    structure by analyzing the effectiveness of
    internal controls.

5
Definition of Internal Audit
  • Institute of Internal Auditors (IIA) Standard,
    effective January 2002:
  • "Internal auditing is an independent, objective
    assurance and consulting activity designed to add
    value and improve an organization's operations.
    It helps an organization accomplish its
    objectives by bringing a systematic, disciplined
    approach to evaluate and improve the
    effectiveness of risk management, control, and
    governance processes."

6
University Audit Office
7
University Audit Office Charter
  • The University Audit Office exists to assist
    university management and the Audit Committee of
    the Board of Trustees in the effective discharge
    of their responsibilities. The University Audit
    Office is responsible for examining and
    evaluating the adequacy and effectiveness of (1)
    the systems of internal control and their related
    accounting, financial, computer, and operational
    policies and (2) the procedures for financial and
    compliance monitoring and reporting, and for
    making recommendations for the improvement thereof.
  • The scope of the University Audit Office's
    responsibilities includes examining and
    evaluating the policies, procedures, and systems
    which are in place to ensure:
    ◦ reliability and integrity of information;
    ◦ compliance with policies, plans, procedures,
      laws, and regulations;
    ◦ safeguarding of assets; and
    ◦ economical and efficient use of resources.
  • The University Audit Office shall have direct
    access to all university books and records
    necessary for the effective discharge of its
    responsibilities. The reporting relationships,
    duties, and responsibilities of the University
    Auditor (Audit Director) are contained in the
    University Bylaws, Article XI.

8
University Audit Office Mission
  • The Audit Office supports the mission of the
    university by helping protect its assets and
    reputation.
  • We provide objective assurance and advice on
    behalf of the Board of Trustees and Cornell
    University.
  • We review operations and controls, provide
    relevant analyses, recommend improvements, and
    promote ethical behavior and compliance with
    policies and regulations.

9
University Audit Office Responsibilities
  • The scope of the University Audit Office's
    responsibilities includes examining and
    evaluating the policies, procedures, and systems
    to ensure:
    ◦ Reliability and integrity of information
    ◦ Compliance with policies, plans, procedures,
      laws, and regulations
    ◦ Safeguarding of assets
    ◦ Economical and efficient use of resources

10
Cornell University Audit Office
11
Cyclical Process of Auditing
[Diagram: a 2-year audit cycle. Elements shown: Risk
Assessment, Audit Schedule, Budget, Audit Program, Audit
Tests, Analysis, Audit Results, Reporting.]
12
Information Technology Risk Ranking Results
[Chart: IT risk ranking results. Legend: bold = business
process; blue = institutional concerns; red = senior staff
concerns.]
13
Information Technology Audit
14
IT Audit Role
  • Advising the Audit Committee and senior
    management on IT internal control issues
  • Performing IT Risk Assessments
  • Performing:
    ◦ Institutional Risk Area Audits
    ◦ General Controls Audits
    ◦ Application Controls Audits
    ◦ Technical IT Controls Audits
  • Acting as internal controls advisors during
    systems development and analysis activities

15
IT Audit Process
  • Words that come to mind when you hear "Audit":
    ◦ Proctology
    ◦ Chinese Water Torture
    ◦ Root Canal
  • You may be wondering "why me?"
  • Understanding the reasons for an audit and the
    process involved can help alleviate your fears.
  • The audit process is generally a ten-step
    procedure:
    ◦ Notification / Request for Preliminary
      Information
    ◦ Planning
    ◦ Opening Meeting
    ◦ Fieldwork
    ◦ Communication
    ◦ Draft Report
    ◦ Management Responses
    ◦ Closing Meeting

16
IT General Controls
IT Concerns and Issues (IT Controls: General Controls)
  • Physical Security
    ◦ Physical Access
    ◦ HVAC
    ◦ Fire Protection
    ◦ UPS
  • Backup/Contingency Planning
    ◦ Data Backups
    ◦ Restore Procedures
    ◦ Offsite Storage
  • Change Management
    ◦ Program Change Controls
    ◦ Tracking
    ◦ Change Approvals
  • Disaster Recovery
    ◦ Business Resumption Plans
    ◦ BRP Testing
    ◦ Alternate Processing

17
IT Application Controls
IT Concerns and Issues (IT Controls: Application Controls)
  • Input Controls
    ◦ Data Entry Controls
    ◦ System Edits
    ◦ Segregation of Duties
    ◦ Transaction Authorization
  • Processing Controls
    ◦ Audit Trails
    ◦ Interface Controls
    ◦ Control Totals
  • Access Controls
    ◦ User-IDs/Passwords
    ◦ Data Security
    ◦ Network Security
    ◦ Security Administration
    ◦ Access Authorization
  • Output Controls
    ◦ Reconciliation
    ◦ Distribution
    ◦ Access

18
IT Policies
19
Cornell University IT Policies
  • Interim Policies
    ◦ Authentication of IT Resources
    ◦ Privacy of the Network
  • Established Policies (in the University Library
    of Policies, information technologies occupy
    Volume 5)
    ◦ Abuse of Computers and Network Systems, June 1990
    ◦ Policy 5.1 Responsible Use of Electronic
      Communications, October 1995
    ◦ Policy 5.2 Mass Electronic Mailing, January 2003
    ◦ Policy 5.3 Use of Escrowed Encryption Keys,
      January 2003
    ◦ Policy 5.4.1 Security of Information Technology
      Resources, June 2004
    ◦ Policy 5.4.2 Reporting Electronic Security
      Incidents, June 2004
    ◦ Policy 5.5 Stewardship and Custodianship of
      Electronic Mail, Feb. 2005
    ◦ Policy 5.6 Recording and Registration of Domain
      Names, April 2004
    ◦ Policy 5.7 Network Registry, June 2004
  • Related Policy
    ◦ Policy 4.12 Data Stewardship and Custodianship,
      May 2003

20
The Changing Face of IT Audit
21
The Changing Role of the IT Auditor
  • IT Audit plays a major role in the development of
    an IT Governance framework
  • Moving away from a policing role into a specialist
    role in the areas of risk and control
  • Adding value at strategic and operational levels
    through the provision of business risk-focused
    advice and assurance
  • Legislation is having a profound impact on IT
    Auditing (SOx, GLBA, HIPAA, FERPA, Privacy
    Notification Regulations)
  • The continuously changing technology environment
    brings new risks (e.g., cyber security, wireless)

22
Emerging Prevalent IT Audit Issues
  • Inadequate or Lack of Management Oversight
  • Poor Segregation of Duties
  • Inadequate or Lack of Supporting Documentation
  • No Business Continuity/Disaster Recovery Plan
  • Change Management
  • Data Security
  • Data Loss Incidents

23
What can you do to prepare for an IT Audit?
  • Read all relevant University IT Policies
  • Perform a risk assessment
  • Know your IT vulnerabilities
  • Identify the internal controls that would
    mitigate inherent risk
  • Document your business processes, systems,
    policies and procedures
  • Keep Current on the Laws and Regulations
  • Call the Audit Office for advice

24
IT Controls
25
Understanding IT Controls
  • A top-down approach is used when considering IT
    controls.

26
Understanding IT Controls
  • IT control is a process that provides assurance
    for information and information services, and
    helps to mitigate risks associated with the use of
    technology.

27
Importance of IT Controls
  • Needs for IT controls include:
    ◦ controlling cost
    ◦ protecting information assets
    ◦ complying with laws and regulations
  • Implementing effective IT controls will improve
    efficiency, reliability, and flexibility.

28
Roles and Responsibilities
  • Board of Directors / Governing Body
  • Management: defines, approves, and implements IT
    controls
  • Auditor

29
Based On Risk
  • Analyzing Risk
    ◦ Identify and prioritize risks
    ◦ Consider risk in determining the adequacy of IT
      controls
    ◦ Define a risk mitigation strategy:
      accept / mitigate / share

30
Monitoring
  • Monitoring IT Controls
    ◦ Ongoing monitoring / special review / automated
      continuous auditing

31
Assessment
  • Assessing IT controls is an ongoing process
  • Technology continues to advance
  • New vulnerabilities emerge

32
How can I determine if the Internal Controls in
my area are adequate?
  • The central theme of internal control is (1) to
    identify risks to the achievement of the
    organization's objectives, and (2) to do what is
    necessary to manage these risks.
  • Identify the business objectives of your area.
  • Identify the risks that could prevent your
    department from achieving these objectives.
  • Identify the controls that will manage the risks
    identified above.
  • Implement the controls that were identified which
    minimize risk in a cost-effective manner.
  • Periodically review objectives and controls to
    determine if they still apply.

33
A car has brakes to allow it to go faster
34
University Audit Office Contact Information
Phone: 255-9300
Email: audit@cornell.edu
Web page: http://audit.cornell.edu/