Introduction to IT Auditing - PowerPoint PPT Presentation
1
Introduction to IT Auditing
  • Kevin B. Weston, CPA, CISA, CITP, CGEIT
  • Director, Risk Management Services

2
The BOX
3
Agenda
  • Applications
  • Computer Operations
  • Change Management
  • IT Audit Software
  • Audit Process
  • IT Audit Body of Knowledge
  • History
  • Governance
  • Physical Security
  • Environmental Controls
  • Network / Telecommunications
  • Operating Systems

4
History
  • Auditing Around the Box
    • Input into Computer Environment
    • Output from Computer Environment
  • Auditing Through the Box
    • Computer Environment

5
The IT Environment
6
Governance
  • Frameworks
  • Policies, Procedures and Practices
  • Strategic Planning
  • Risk Assessment
  • Risk Mitigation
  • External Requirements

7
Governance (continued)
  • Steering Committees
  • Management / Board Reporting
  • Incident Reporting / Follow-up
  • Project Management
  • Maturity Model
  • User Education

8
Physical Protection
  • Protection of Physical Assets
  • Exterior Building
  • Prevention
  • Detection
  • Entrance Security
  • Video Cameras
  • Security Guards

9
Physical Protection
  • Walls
  • Windows
  • Floors
  • Ceilings
  • Entry Logs

10
Environmental Protection
  • Building Location
    • Leaking
    • Flooding
  • Fire Protection
    • Gas Systems
    • Water Pipe (wet / dry)
    • Hand Held

11
Environmental Protection
  • Air Cleaning
  • Temperature Control
  • Humidity Control
  • Static Control

12
The IT Environment
13
Network
  • Architecture
    • LAN / WAN
    • DMZ (demilitarized zone)
    • VLANs (virtual local area networks)
    • VoIP (voice over IP)
  • Firewalls
    • Administration
    • Parameters
    • Access Control Lists

14
Network (continued)
  • Routers / Switches / Hubs
    • Filtering
    • Access Control
    • Logging
  • Remote Access
    • Access granting / review / termination
    • Access control
    • Logging

15
Network (continued)
  • Intrusion Detection Systems (IDS)
    • Network Based
    • Host Based
  • Intrusion Prevention Systems (IPS)
  • Honeypots

16
Network (continued)
  • External Network Security Scans
  • Internal Network Security Scans
  • Patch Management
  • Network Device Parameters

17
Telecommunications
  • Protocols
    • OSI model (7 layer)
    • TCP/IP
  • Technologies
    • LAN/WAN
    • Internet / Intranet / Extranet

18
Telecommunications (continued)
  • Transmissions
    • Analog and Digital
    • Asynchronous and Synchronous
    • Broadband and Baseband
    • Wireless
  • Hardware
    • Cables
    • Telecommunications Devices

19
Telecommunications (continued)
  • Completeness
  • Accuracy
  • Security
  • Encryption
  • Value Added Networks (VAN)

20
Operating Systems
  • OS Settings and Parameters
  • OS Security
  • OS Features
  • System Administrator vs. General User
  • User Security
  • Group Policies
  • Password Settings

21
Operating Systems (continued)
  • System Logging
  • Log Review / Monitoring
  • Accounting Records
  • OS Special Utilities
    • Alteration of data
    • Alteration of operating environment
  • Virus Protection

22
Applications
  • Application Parameters
  • Application Controls
  • Application Security
  • Master Files / Databases

23
Application Parameters
  • Function of parameter
  • Initial settings
  • Effect of changing
  • Access to set / change
  • Process for change

24
Application Controls
  • Validation
    • Completeness
    • Accuracy
    • Check Digit
    • Matching / Dependency
    • Reasonableness
  • Point
    • Input
    • Maintenance
    • Processing
    • Output

25
Application Security
  • Role Based Access
    • Granting, changing, terminating
    • Periodic Review
  • Segregation of Duties
    • Single Application
    • Multiple Applications
    • Manual and Automated

26
Master Files
  • Input
  • Update
  • Deletion
  • Security
  • Logging

27
Databases
  • Administration
  • Structure
  • Backup / Recovery
  • Security
  • Logging
  • Data Warehouse

28
The IT Environment
29
Computer Operations
  • Scheduling / Execution
  • Monitoring of Computer Environment
  • Incident Response
  • Maintenance / Performance Monitoring
  • Control of Output

30
Computer Operations (continued)
  • Back-up
  • Business Continuity Planning / Disaster Recovery Planning
  • Outsource Services
    • SAS 70
    • Service Level Agreements
    • Ongoing evaluation

31
Change Management
  • Network
  • Operating System
  • Application
  • System Development Life Cycle
  • Maintenance
  • Database
  • Telecommunications

32
Change Management (continued)
  • Review of Change
  • Testing of Change
  • Test Environment
  • Backup of original
  • Change
  • Monitoring of operation

33
Systems Development Life Cycle (SDLC)
  • Initiation / Planning
  • Requirements gathering / analysis
  • Design
  • Build or Buy
  • Testing
  • Implementation
  • Operations
  • Maintenance
  • Post-Implementation Review
  • Disposition

34
The IT Environment
35
IT Audit Software
  • Assistance with financial audit
    • Sampling
    • Confirmations
    • Re-calculation
  • Assistance with IT audit
    • Application Controls
    • Operating System Parameters
    • Network Security Reviews
  • Automated Work Papers

36
Audit Process
  • Organization of Department
    • Charter / Function
    • Policies / Procedures
  • IT Risk Assessment
  • IT Audit Plan
    • Priority
    • Frequency

37
Audit Phases
  • Identify audit area
  • Identify purpose of audit
  • Determine scope of audit
  • Pre-planning of audit
  • Audit Procedures
  • Work Paper Review
  • Communication of Results

38
IT Audit Body of Knowledge
  • Information Technology Governance Institute (ITGI)
    • COBIT (Control Objectives for IT)
  • The Institute of Internal Auditors (IIA)
    • GAIT (Guide to the Assessment of IT Risk)
    • GTAG (Global Technology Audit Guide)

39
Questions?
40
THANK YOU
  • Kevin B. Weston, CPA, CISA, CITP, CGEIT
  • Director, Risk Management Services
  • RSM McGladrey
  • One US Bank Plaza, Suite 1900
  • 505 North 7th Street
  • St. Louis, MO 63101
  • Phone 314.241.4100
  • Email kevin.weston_at_rsmi.com