IT Audits - PowerPoint PPT Presentation


1
  • IT Audits: Understanding the Standards
  • Illinois Digital Government Summit
  • September 15, 2008
  • Presented by
    • Doug Tinch, Illinois Office of Internal Audit
    • Steve Gerschoffer, Crowe Horwath

2
Agenda
  • Understanding the Standards
  • What is at risk?
  • Auditing Standards
  • Scope of IT Audits
  • Pre / Post Implementation Audits
  • Risk Assessment
  • Questions?

3
DISCLAIMER
  • Any opinions expressed by Steve and/or Doug
    (even though they are usually correct) are their
    own and do not reflect the official positions of
    either the State of Illinois Office of Internal
    Audit or Crowe Horwath.

4
Highlights of 12th Annual CSI Survey (source: CSI
Survey 2007)
  • Average annual loss reported was $350,424, the
    highest average loss since 2004, up from $168,000
    last year
  • 194 responses reported total losses of
    $66,930,950, up from $52,494,290 (for 313
    respondents) in 2006
  • 132 of 454 respondents have cyber insurance
    policies
  • The top 3 attacks detected were insider abuse of
    net access, virus, and laptop/mobile device theft
  • Viruses were the leading cause of losses for the
    last seven years; financial fraud overtook them in
    2007

5
Top 5 Losses by Type of Attack (source: CSI
Survey 2007)
194 Respondents

6
Current Landscape: Costs of a Breach
  • Ponemon Institute Study (November 2007) found
    that the total cost of a data breach averaged
    $198 per lost customer record
  • Detection and escalation - $9
  • Notification - $15
  • Response and actions taken - $46
  • Lost business - $128

7
Current Landscape: Causes of a Breach
From Ponemon Institute, 2007 Annual Study: U.S.
Cost of a Data Breach: Understanding Financial
Impact, Customer Turnover, and Preventative
Solutions

8
Standards . . .
  • What is FCIAA?
  • Fiscal Control and Internal Auditing Act
  • (30 ILCS 10/)
  • Article 1. General Provisions, Section 1002:
    CEO of every State agency is responsible
    for effectively and efficiently managing
    the agency and establishing and
    maintaining an effective system of
    internal control.

9
  • Fiscal Control and Internal Auditing Act
  • (30 ILCS 10/)
  • Article 3. Fiscal Controls: All State
    agencies shall establish and maintain a
    system, or systems, of internal and fiscal
    administrative controls, which shall
    provide assurance that

10
  • Fiscal Control and Internal Auditing Act
  • (30 ILCS 10/)
  • Article 2. Internal Auditing: establishes a
    program of internal auditing,
    qualifications of chief internal auditor,
    and internal auditing program requirements.
    Section 2003 (a) (3) mandates "Reviews
    of the design of major new electronic data
    processing systems and major modifications
    of those systems before their installation
    to ensure the systems provide for adequate
    audit trails and accountability."

11
WARNING
  • IF A PRE-IMPLEMENTATION AUDIT IS REQUIRED, AND
    IS NOT TIMELY PERFORMED, THE OFFICE OF THE
    AUDITOR GENERAL WILL ISSUE TWO (2) FINDINGS. THE
    AGENCY WILL RECEIVE A FINDING FOR NON-COMPLIANCE
    WITH STATE STATUTE FOR NOT HAVING AN AUDIT
    COMPLETED BEFORE IMPLEMENTATION, AND THE IOIA
    WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH
    STATE STATUTE FOR NOT PERFORMING THE AUDIT.

12
Standard Scope of an IT Audit
  • IS General Controls
    • Management and Organization
    • Development and Acquisition
    • On-Line Security (Core Application Systems)
    • Business Contingency Planning
    • Physical Security
    • Computer Operations
    • Outsourced Technology Service Providers

13
Standard Scope of an IT Audit
  • Network Security Assessment
    • Methodology
      • Good Guy Approach
    • Standard Scope
      • Policies and Procedures (Security, Incident
        Response, etc.)
      • Anti-Virus Standards
      • Workstation Security Review
      • Network Architecture
      • Network Operating System Security Review
        • Windows
        • Novell
        • Unix

14
Standard Scope of an IT Audit
  • Network Security Assessment
    • Voice Over IP
    • Database Security
    • Mobile Device Security
    • Web Server Security
    • Email Server Security
    • Etc.

15
Internal Penetration Assessment
  • Internal Penetration Assessment
    • Methodology
      • Bad Guy Approach
        • Disgruntled Internal Employee, Unauthorized
          Individual with Internal Network Access
    • Standard Scope
      • Technical Assessment
      • Physical Social Engineering
      • Document Disposal

16
Internal Penetration Assessment

17
External Penetration Assessment
  • External Penetration Assessment
    • Methodology
      • Bad Guy Approach
        • External Hacker
    • Standard Scope
      • Technical Assessment
      • Phone Social Engineering
      • Email Social Engineering
      • Phone Sweep

18
External Penetration Assessment

19
SAS 70 (Statement on Accounting Standards No. 70)
  • Types of SAS 70s
    • Level I, Report on Controls Placed in Operation
    • Level II, Report on Controls Placed in Operation
      and Tests of Operating Effectiveness

20
What Is Evaluated During a SAS 70 Audit?
  • A typical SAS 70 Report includes:
    • General Controls
    • Application Controls
    • Process Controls
    • Organization and Administration
    • Application Maintenance
    • Documentation
    • Computer Operations
    • Hardware and System Software
    • On-Line Security
    • Physical Security
    • Back-up and Contingency Planning
    • e-Business Policies and Procedures

21
SAS 70 User Control Considerations
  • User Control Considerations
    • Controls which the User Organization should
      consider but that the Service Provider either:
      • Cannot do,
      • Does not take responsibility for, or
      • Is not cost effective.

22
Pre-Implementation Audit Process
  • The Risk Assessment Process
    • Document request
      1) RFP (Request for Proposal)
      2) Project Charter
      3) Design Documents
      4) System Objectives
      5) Cost/Benefit Analysis
      6) Project Time-line

23
Pre-Implementation Audit Process
  • The Risk Assessment Process
    • Management Interview
      1) Management synopsis of the project.
      2) Details of the project and changes (if any)
         in timelines, scope, funding, resources,
         etc. that may not be reflected in original
         documentation.
      3) Any other relevant information that is
         germane to the project.

24
Pre-Implementation Audit Process
  • The Risk Assessment Process
    • IOIA Determination
      1) Determination by auditor
      2) Review by Supervisor
      3) Review by Manager
      4) Review by Chief Internal Auditor
      5) Issuance of Determination Letter to Agency
         Director

25
Pre-Implementation Audit Process
  • The Audit
    • Audit Program
      1) Audit Trails and Accountability
      2) Functionality

26
Pre-Implementation Audit Process
  • The Audit
    • Test Matrix
      1) Audit Trails and Accountability
         a) Logging
         b) Access controls
         c) Transmission security
         d) Application controls (third party
            hosting)
         e) Disaster recovery/business continuity
      2) Functionality
         a) With business rules (tech and non-tech)
         b) User expectations and needs

27
Pre-Implementation Audit Process
  • The Audit
    • Testing
      1) Part of User Acceptance Testing (UAT) Team
      2) Access to Change (Bug) Control
      3) Notify Program Manager of failures
         immediately
      4) Follow-up to determine that all bugs are
         closed
      5) Final acceptance by all appropriate parties

28
Pre-Implementation Audit Process
  • The Audit
    • Review and Approval Process
      1) Informal pre-Letter issuance conference with
         management.
      2) IOIA Review and Letter issuance to Director
         prior to implementation.
      3) Draft report issuance to Director. Formal
         exit conference if required.
      4) Agency responses to draft, included verbatim
         in final report to Director.
      5) Subsequent Recommendation follow-up.

29
Questions?