State Performance - PowerPoint PPT Presentation

Slides: 24
Provided by: mikeb108
Transcript and Presenter's Notes

1
State Performance Technology Audits: Overview of IT Reviews at Local Educational Agencies
  • Presented to the Pennsylvania Association of School Business Officials
  • 53rd Annual Conference
  • March 6, 2008

2
Introduction
  • Thomas E. Marks
  • Deputy Auditor General for Audits
  • CPA
  • PA Department of the Auditor General
  • 234 Finance Building
  • Harrisburg, PA 17120
  • (717) 705-4126
  • tmarks@auditorgen.state.pa.us

3
Introduction
  • Michael A. Billo
  • Assistant Director of IT Audits
  • CISA, CGAP
  • PA Department of the Auditor General
  • 406 Finance Building
  • Harrisburg, PA 17120
  • (717) 787-0557
  • mbillo@auditorgen.state.pa.us

4
Department Structure
  • Bureau of School Audits
  • Over 100 auditors statewide doing performance
    audits of all LEAs
  • Information Technology Audits
  • 7 auditors assisting all audit bureaus with the
    more complex technology issues in their audits
    and training the financial and performance
    auditors in IT auditing

5
IT Audits Mission Statement
  • To be an innovative team providing support,
    analysis, problem-solving, training, and
    technical audits

6
Information Technology (IT)
  • ATM
  • POS
  • LAN
  • WAN
  • Internet
  • URL
  • VPN
  • Gigabyte/terabyte
  • eBay
  • ISP
  • IP Address
  • .com
  • cell phone
  • Wii
  • IM
  • texting
  • iPod
  • Xbox

7
Information Technology Auditing
  • Information Technology (IT) Auditing
  • Electronic Data Processing (EDP) Auditing
  • Part of the review of internal control
  • Internal controls related to information
    technology, e.g., organizational placement of IT
    personnel, physical and logical access, SDLC,
    outsourcing, backups and contingency planning

8
Audit and IT Standards
  • GAAS promulgated by the Auditing Standards
    Board (ASB) of the American Institute of
    Certified Public Accountants (AICPA) Statements
    on Auditing Standards (SASs)
  • GAGAS (Yellow Book) promulgated by the U.S.
    Government Accountability Office (GAO)
  • ISACA COBIT
  • FISCAM
  • CERT
  • Best Practices

9
History of IT Reviews
  • Southwest region school had membership days
    changed inadvertently that affected membership
    subsidy
  • Outside vendor processing the membership and
    attendance data for the school
  • Controls relinquished to the outside vendor and
    overlooked by the school

10
Evolution of IT Reviews
  • Consistency of audit procedures and coverage
  • Admittedly a new part of the audit
  • Auditing in the 21st century
  • Technology has changed some internal controls
  • Multiple vendors being used by schools for
    processing membership and attendance data
  • More than 50 reviews completed during 2007

11
Evolution of Reviews (contd.)
  • On-the-job training during 2007; more formal
    training for school auditors in the IT review
    procedures in the regions in the first quarter of
    2008
  • School auditors to perform the reviews at all
    LEAs using an outside vendor for membership and
    attendance data processing after the training

12
Risk
  • Membership not a high-risk area
  • Mindset, however, is important
  • Accounting
  • Safe Schools
  • Grades
  • Social Security Numbers
  • Student Numbers
  • Other vulnerable IT areas

13
IT General Controls
  • Segregation of duties
  • Access
    • Physical (locks, security)
    • Logical (user ID and passwords)
  • Systems Development Life Cycle (SDLC)
  • Backups and Recovery
  • Contingency planning
  • Outsourcing
  • Environmental

14
Audit Objective
  • Would you know if your membership and/or
    attendance data was changed (significantly or
    otherwise)?

15
IT Application Controls
  • Data Origination
  • Data Input
  • Data Processing
  • Data Output

16
Overview of Audit Procedures
  • Administer internal control questionnaire through
    inquiries of relevant management and personnel
  • Request and review applicable documentation
  • Rate weaknesses in a finding or observation based
    on severity of weaknesses and presence of manual
    compensating controls

17
Some specifics
  • Walkthrough of hardware, software, interface,
    access method, etc.
  • Review of IT contracts/maintenance agreement
  • Security policies and procedures
  • User ID approval and maintenance
  • Separated employees/vendors
  • Physical and logical access controls
  • Vendor access

18
and a few more
  • Remote access
    • Vendors, LEA employees
    • Dial-up, Internet, VPN
  • System development and maintenance
  • Program change control
  • Backups/Recovery
  • Contingency Planning
  • Environmental considerations

19
Manual Compensating Controls
  • Reconciliations
  • Trends
  • Rollforwards
  • Data entry procedures and review
  • Report Review
  • Evidence of Review
  • Management Oversight
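The audit objective earlier in the deck (would you know if your membership data was changed?) and the reconciliation and rollforward controls on this slide come together in a rollforward check of the vendor's file against the LEA's own prior copy plus the changes it authorised. The following is an added example written for this page, not code from the presenters or the Department; the student IDs, membership-day counts and authorised-change list are constructed.

```python
"""Rollforward reconciliation of vendor-processed membership data.

Added example, not part of the presentation. Student IDs, membership-day
counts and the authorised-change list below are constructed.
"""

# Constructed: the LEA's own retained copy from the prior reporting period
# (student ID -> membership days).
PRIOR = {"S001": 180, "S002": 180, "S003": 90}

# Constructed: the current file as returned by the outside vendor.
# S002 was reduced by 30 days with no change request on file.
VENDOR_CURRENT = {"S001": 180, "S002": 150, "S004": 180}

# Constructed: changes the LEA authorised in writing during the period.
AUTHORISED_CHANGES = {("withdraw", "S003"), ("enroll", "S004")}


def rollforward(prior, current, authorised):
    """Compare the vendor file with the prior copy plus authorised changes.

    Returns the exceptions the LEA's own reconciliation should surface:
    students whose days changed with no documented change, students added
    or removed without authorisation, and the net unexplained day change
    (the figure that would flow through to the membership subsidy).
    """
    enrolled = {sid for kind, sid in authorised if kind == "enroll"}
    withdrawn = {sid for kind, sid in authorised if kind == "withdraw"}
    expected_ids = (set(prior) - withdrawn) | enrolled
    changed = sorted(
        sid for sid in set(prior) & set(current) if prior[sid] != current[sid]
    )
    return {
        "unexplained_added": sorted(set(current) - expected_ids),
        "unexplained_removed": sorted(expected_ids - set(current)),
        "changed_days": changed,
        "net_unexplained_day_change": sum(current[s] - prior[s] for s in changed),
        "prior_total": sum(prior.values()),
        "current_total": sum(current.values()),
    }


if __name__ == "__main__":
    for key, value in rollforward(PRIOR, VENDOR_CURRENT, AUTHORISED_CHANGES).items():
        print(f"{key}: {value}")
```

Any non-empty exception list, or a non-zero net day change, is the point at which the LEA should be asking the vendor for an explanation before the membership figure is reported.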

20
Common Weaknesses
  • Logical Access
    • Group IDs or Individual IDs
    • Password policy and syntax requirements
      • Minimum Length
      • Complexity
        • Alphabetic, numeric, special characters
        • Upper and lower case
      • Forced to change how often?
      • How many failed attempts allowed?
      • Logged off after a period of inactivity?

21
Common Weaknesses
  • Monitoring logs
    • Producing the log?
    • If yes, is anyone looking at it?
  • Contracts and Maintenance Agreements
    • LEA recourse for errors/non-performance
  • Security and Acceptable Use Policies
  • Approvals and Authorizations
  • Environmental (Smoke, Fire, Temperature)
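The questions on the last few slides about separated employees and vendors, remote access, failed logon attempts and whether anyone looks at the log are all answered by a periodic review of the application's access log. The following is an added example, not from the presentation; the log format, user names, separated-employee list, business hours and failed-attempt limit are all assumed for illustration.

```python
"""Periodic review of constructed application access-log lines.

Added example, not from the presentation. The log format, user names,
separated-employee list and thresholds are assumed, not any product's.
"""
from collections import Counter
from datetime import datetime

# Constructed sample: one line per logon attempt or data change in the
# membership/attendance application.
LOG_LINES = """\
2008-03-03T08:05:12 user=jsmith src=lan result=OK action=LOGIN
2008-03-03T08:06:40 user=jsmith src=lan result=OK action=UPDATE record=S002
2008-03-03T22:15:01 user=vendor_svc src=vpn result=OK action=LOGIN
2008-03-03T22:16:30 user=vendor_svc src=vpn result=OK action=UPDATE record=S002
2008-03-04T09:00:02 user=rjones src=lan result=OK action=LOGIN
2008-03-04T11:12:07 user=guest src=dialup result=FAIL action=LOGIN
2008-03-04T11:12:19 user=guest src=dialup result=FAIL action=LOGIN
2008-03-04T11:12:31 user=guest src=dialup result=FAIL action=LOGIN
2008-03-04T11:12:44 user=guest src=dialup result=FAIL action=LOGIN
""".splitlines()

SEPARATED_USERS = {"rjones"}    # constructed: left the LEA, ID never removed
FAILED_ATTEMPT_LIMIT = 3        # assumed policy value
BUSINESS_HOURS = range(7, 18)   # assumed: 07:00 to 17:59 local


def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["time"] = datetime.fromisoformat(ts)
    return event


def review(lines, separated=SEPARATED_USERS, limit=FAILED_ATTEMPT_LIMIT):
    """Return the exceptions a log review should surface for follow-up."""
    events = [parse(line) for line in lines]
    failed = Counter(e["user"] for e in events if e["result"] == "FAIL")
    return {
        # any activity under an ID that should have been disabled
        "separated_user_activity": sorted({e["user"] for e in events if e["user"] in separated}),
        # IDs at or above the lockout threshold: is lockout actually enforced?
        "excessive_failures": sorted(u for u, n in failed.items() if n >= limit),
        # remote (vendor/VPN/dial-up) changes to membership records after hours
        "remote_updates_after_hours": [
            (e["user"], e.get("record")) for e in events
            if e["action"] == "UPDATE" and e["src"] != "lan"
            and e["time"].hour not in BUSINESS_HOURS
        ],
    }
```

Each non-empty list maps to a question on the slides: a separated user still logging in, a lockout policy that is not enforced, or a vendor change to membership data that nobody at the LEA reviewed.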

22
Sources
  • www.isaca.org
  • www.gao.gov
  • www.cert.org

23
Questions and Comments
  • Thank you for your attention!