Information Technology Audit

Association of Government Accountants – Boston Chapter
2014 Regional Professional Development Conference
Bentley University
March 13, 2014
With You Today
Geoff W. Clarke CISA CISSP
Manager KPMG Advisory Services
Geoff has been with the firm for seven years and is a manager in the KPMG LLP Information
Technology Advisory Services (ITAS) Practice. He has over 30 years of business experience
in both the MIS and IT Audit disciplines. Prior to joining KPMG, Mr. Clarke worked for several
Fortune 500 Companies where he held MIS and IT Audit executive positions including those of
Global IT Audit Director and CIO of Asia Pacific Region MIS. As a CIO, he lived in Singapore
and had responsibility for sales, manufacturing and supply chain MIS development and support
of his employer’s sales, manufacturing and logistical operations in Greater China, Australia,
Japan and S.E. Asia.
During his KPMG career, Geoff has provided assistance to private and public sector clients and
has managed MIS Projects, IT Risk and Security Assessments, IT Auditing, SSAE16
examinations and IT controls over Financial Reporting.
gclarke@kpmg.com
(617) 998 1408
1
Agenda
• IT Auditing – what, who and why
• IT Control Frameworks and IT General Control Domains
• IT Audit Challenges
2
What is IT Auditing?
• Information systems or technology audit is a part of the overall audit process, which is one of the facilitators of good organizational governance.
• While there is no single universal definition of IT audit, Prof. Ron Weber (author of “Information Systems Control and Audit”) defined it as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."
3
Internal and External IT Audit – Some Differences

Internal Audit: The internal auditor is most often an employee of the organization.
External Audit: The external auditor is an external contractor and not an employee of the organization.

Internal Audit: Internal audit seeks to advise management on whether its major operations have sound systems of risk management and internal controls.
External Audit: The external auditor seeks to test the underlying transactions that form the basis of the financial statements.

Internal Audit: The IT auditor supports the goals of the Enterprise and, being part of Internal Audit, reports to the audit committee.
External Audit: The external IT auditor supports the external financial audit by providing insight into the reliance to be placed on automated financial systems through the testing of General IT controls and, when requested, IT automated controls.

Internal Audit: Internal audit forms an opinion on the adequacy and effectiveness of systems of risk management and internal control, many of which fall outside the main accounting systems.
External Audit: The external auditor (including the supporting IT audit process) seeks to provide an opinion on whether the accounts show a true and fair view.

Internal Audit: Besides addressing risk, internal audit groups play a key role in identifying opportunities to improve operating efficiency in an organization.
External Audit: While external auditors may comment on potential efficiencies to be made, it is generally not a primary focus of their activity.

Internal Audit: Internal audits are most often time independent, with a goal to be ‘forward looking’, leading to control improvement.
External Audit: External audits are ‘backward looking’ and most often are focused on the operation of controls during past financial periods.
4
The IT Auditor
“Plans and participates in a broad internal auditing program, and in particular audits of an
entity’s information technology functions to assure adherence to established entity policies
and procedures and to offer constructive analysis and appraisal of the entity’s IT operations,
its technology policies and procedures and systems of internal control”.
5
ISACA
• ISACA is an international professional association focused on IT Governance.
• It is an affiliate member of the International Federation of Accountants (IFAC).
• Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
• ISACA was informally established in the US in 1967 and incorporated formally in 1969 as the Electronic Data Processing (EDP) Auditors Association.
• ISACA currently has over 110,000 constituents in 200 chapters located in more than 180 countries.
• ISACA awards the certification of Certified Information Systems Auditor (CISA) following a successful examination result and 5 years of appropriate and recordable work experience.
• Other ISACA certifications related to IT governance include Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT), and Certified in Risk and Information Systems Control (CRISC).
6
IT Audit as a Career
• A number of schools now offer undergraduate degrees in Information Technology Auditing, including Bentley University.
• There is a shortfall of trained and experienced IT auditors.
• IT Auditors can come from both IT and business/accounting backgrounds.
7
Impact of Information and Information Technology
• Information is a key resource for all enterprises. In some cases, it is all they produce.
• Enterprises constantly collect or create information, use it, store it, share it and eventually destroy it.
• Information Technology (IT) is a key enabler of the above.
• IT is pervasive and ubiquitous in all areas of public and private enterprise, and personal life.
• IT has the potential to dramatically change organizational and business operating models, create new opportunities and reduce costs.
• High dependency on information requires that it be safeguarded from unauthorized access or misappropriation, have integrity and be made available when required.
• Information value brings with it increased internal and external risks and threats of loss or compromise.
• Increasing information risks and threats bring with them new statutory requirements specific to the management of information technology.
• The recognition that while “it is human to err, it requires a computer to really screw up”.
8
The role of IT in Enterprise operations
• IT is a key enabler in supporting what organizations most want:
  • to accomplish positive business outcomes
    » Achieving business goals
    » Meeting corporate governance responsibilities and legal requirements
    » Administering and managing business activity efficiently and cost effectively
  • to minimize business risk and avoid issues and problems
    » Business
    » Operational
    » IT
    » Statutory and legal
9
Examples of IT Objectives to be achieved and Risks to be mitigated
IT Objective / IT Risk
• Efficient and successful operations / Information Loss (accidental or malicious)
• Data integrity / Financial Reporting Errors
• Protected systems / Loss of data and/or system integrity confidence
• Safeguarded assets / Computer fraud
• Data and system availability / System failure and downtime
• Positive ROI / Increased cost of operation
• Competitive advantage / Inaccurate data = poor business decisions
• Enhanced reputation / Reputational loss
• Statutory Compliance / Compliance failure
10
Management’s Requirements from its IT Organization
• Governance and Risk Management
• Security and Confidentiality
• Availability
• Integrity
• Efficiency and Effectiveness
• Compliance
• Managed cost and ROI
11
Management’s Objective
What it has:
• IT RESOURCES: Applications, Data, Infrastructure, People
• PROCESSES
What it wants:
• INFORMATION with the qualities of Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability
12
The role of IT Audit
To help meet Management’s objective, IT systems and processing environments need to be appropriately managed, controlled and periodically assessed to ensure that:
• Organizational objectives that are dependent on IT are achieved
• Systems and applications function as expected
• Data and systems have integrity and are reliable
• Adequate safeguards are in place to protect data, information and other IT resources from unauthorized access, disclosure or misappropriation
• Systems, applications and their information assets are kept available for authorized persons
• Federal, state and other statutory regulations are complied with
13
IT Controls – Achieving Objectives and Avoiding Risk
Controls serve two ends: to achieve business objectives, and to avoid risks, threats and exposures.
Control (as defined by CobIT): The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives.
14
Characteristics of Good Internal Control Environment
• Well-defined operational control objectives
• Appropriate supporting controls
• Risk assessment and risk management
• Policies, standards, defined expectations
• Documentation
• Competent and trustworthy people
• Monitoring, measurement and evaluation
15
CobIT framework as a model for Enterprise IT Governance
• CobIT = Control Objectives for Information and Related Technology
• IT Audit’s COSO cousin
• First issued in 1997; CobIT 5, published in 2012, is the latest iteration. Developed and maintained by ISACA and the IT Governance Institute (ITGI).
• Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers, IT organizations and auditors
• The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes. The COBIT components include:
  » Framework: Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements
  » Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
  » Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
  » Management guidelines: Help assign responsibility, agree on objectives, measure performance, and illustrate interrelationships with other processes
  » Maturity models: Assess maturity and capability per process and help to address gaps.
16
CobIT – Intended to be “all things to all people”
• Business Management and User Community
• IT Management and IT Organizations
• IT Auditors
• The Enterprise
17
Other IT Control Frameworks
• Information Technology Infrastructure Library (ITIL)
• Security Code of Conduct – DTI
• Security Handbook – NIST
• Federal Information Processing Standards (FIPS)
• International Organization for Standardization (ISO) 27001/2 (Security)
18
IT Auditor Areas of Interest
• Business Information Characteristics and Information Management
• IT Resources and Resource Management
• IT Processes and Process Management
19
Information Characteristics
• Effective — information should be relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner
• Efficient — provision of information through the optimal (most productive and economical) use of resources
• Confidential — protection of sensitive information from unauthorized disclosure
• Integrity — relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations
• Available — requires that information be available when required by the business process now and in the future
• Compliant — compliance with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed statutory or business criteria
• Reliable — the provision of appropriate and accurate information to management to operate the entity and exercise its fiduciary and governance responsibilities
20
IT Resources and Resource Management
IT resources need to be managed in order to provide organizations with the type and quality of information required to achieve organizational objectives. Resources comprise:
• Application Systems
  » are the automated user systems and associated manual procedures that process the information
  » can be in-house or externally hosted (e.g. Software-as-a-Service applications)
• Information
  » is data in all its forms that when compiled has intelligence and meaning
• Infrastructure and Facilities
  » is the technology (hardware, operating systems, database management systems, networking, multimedia, etc.), and the facilities that house and support it, that enable the processing of data through the applications
• People
  » are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, contracted or totally outsourced as necessary
21
Information Processes and Process Management
• Domains: Natural grouping of processes, often matching an organizational domain of responsibility.
• Processes: A series of joined tasks and activities with natural (control) breaks.
• Tasks & Activities: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
22
Information Processes and Key General IT Control Domains
• Domain 1 – IT Management, Planning, Organization and Risk Management
• Domain 2 – Technical Infrastructure and IT Operational Practices
• Domain 3 – Protection of Information Assets
• Domain 4 – Disaster Recovery and Business Continuity
• Domain 5 – Business Application Systems Development, Acquisition, Implementation and Maintenance
23
Domain 1 – IT Management, Planning, Organization and Risk Management
IT Auditor Tasks, e.g.
• Conduct an Enterprise risk assessment to determine key risk areas for discussion with Management and use it to develop an appropriate IT audit plan.
• Evaluate the organization’s IT strategy and the processes for its development, deployment and maintenance to ensure that it supports the organization’s business objectives.
• Evaluate the IT organization’s implementation of risk management and governance.
• Evaluate IT organization and structure (e.g. roles and responsibilities, segregation of duties [SOD]) to ensure appropriate, adequate and controlled support of the organization’s business requirements.
• Evaluate the IT policies, standards and procedures (e.g. risk management, change management, project management, security policies) and the processes for their development, deployment and maintenance.
• Evaluate IT management practices (e.g. staffing practices, training, information security management, certifications) to ensure compliance with IT policies, standards and procedures.
• Evaluate the selection and management of 3rd party services to ensure that they support the organization’s IT strategy.
24
Domain 2 – Technical Infrastructure and IT Operational Practices
IT Auditor Tasks, e.g.
• Evaluate the acquisition, installation and maintenance of hardware, system software and utilities (e.g. o/s, DB management systems, security packages) and network infrastructure components (e.g. voice and data comms, Internet, extranet) to ensure that they efficiently support the organization’s IT processing and business requirements and are compatible with the organization’s strategies.
• Evaluate the use of system performance and monitoring processes, tools and techniques (e.g. capacity planning, problem management, system management) to ensure that computer systems continue to meet the organization's business objectives.
• Evaluate IT operational practices (e.g. help desk, user support functions, computer operations, scheduling, data transmission) to ensure efficient and effective utilization of the technical resources which are used to support the organization’s IT processing and business requirements.
25
Domain 3 – Protection of Information Assets
IT Auditor Tasks, e.g.
• Evaluate the design and implementation of an Information Security organization and associated practices to ensure that it is effective and capable of safeguarding the organization’s information assets.
• Evaluate the design, implementation and monitoring of physical access controls to ensure the level of protection for assets and facilities is sufficient to meet the organization’s business objectives.
• Evaluate the design, implementation and monitoring of environmental controls (e.g. HVAC, smoke/heat/water detectors, fire suppression, uninterruptible power supply [UPS], backup generator) to prevent and/or minimize potential losses.
• Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.
• Evaluate the design, implementation and monitoring of logical access controls to ensure the integrity, confidentiality and availability of information assets (e.g. programs and data).
• Evaluate IT’s safeguards over sensitive data at rest, during transmission and transportation, including the copying and storage of data offsite.
• Evaluate the Enterprise’s security posture and safeguards against external information threats such as social engineering and ‘phishing’.
26
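The logical access control evaluation in this domain is usually performed by testing an account extract against independent evidence (the HR roster, approval records, last-use dates). The script below is an added illustration of that test, not material from the presentation or the presenter's firm: the account extract, HR roster, field names, user names and the 90-day dormancy threshold are all constructed for the example. It flags enabled accounts belonging to leavers, enabled accounts that have not been used within the threshold, accounts with no owner mapping (a common sign of a shared or generic account), and privileged access with no recorded approval.

```python
"""Logical access review as a scripted audit test (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date

# Assumed policy threshold: an enabled account with no login in this many days is dormant.
DORMANT_DAYS = 90


@dataclass
class Finding:
    account: str
    issue: str


def review_access(accounts, hr_roster, review_date, dormant_days=DORMANT_DAYS):
    """Apply three logical access control tests to an account extract.

    accounts  : list of dicts with keys user, employee_id, enabled, last_login,
                privileged and (optionally) approval_ref
    hr_roster : dict employee_id -> {"name": ..., "status": "active" | "terminated"}
    Returns one Finding per failed test per account.
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        owner = acct.get("employee_id")
        enabled = acct.get("enabled", False)

        # Test 1 (leaver control): every account must map to a current employee.
        if owner is None:
            findings.append(Finding(user, "no employee mapping (possible shared or generic account)"))
        elif owner not in hr_roster:
            findings.append(Finding(user, "owner not found in HR roster"))
        elif hr_roster[owner]["status"] != "active" and enabled:
            findings.append(Finding(user, f"enabled account of {hr_roster[owner]['status']} employee"))

        # Test 2 (dormancy): enabled accounts must have been used within the threshold.
        last = acct.get("last_login")
        if enabled and (last is None or (review_date - last).days > dormant_days):
            findings.append(Finding(user, f"enabled account unused for more than {dormant_days} days"))

        # Test 3 (authorization): privileged access needs a recorded approval reference.
        if acct.get("privileged") and not acct.get("approval_ref"):
            findings.append(Finding(user, "privileged access without recorded approval"))
    return findings


def findings_by_account(findings):
    """Group findings per account, the shape an audit workpaper usually wants."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.account, []).append(f.issue)
    return grouped


# Constructed sample data: the review date is the conference date.
REVIEW_DATE = date(2014, 3, 13)

HR_ROSTER = {
    "E100": {"name": "A. Lee", "status": "active"},
    "E101": {"name": "B. Ortiz", "status": "terminated"},
    "E102": {"name": "C. Singh", "status": "active"},
}

ACCOUNTS = [
    {"user": "alee", "employee_id": "E100", "enabled": True,
     "last_login": date(2014, 3, 10), "privileged": False},
    # Leaver whose account is still enabled and has been idle since November.
    {"user": "bortiz", "employee_id": "E101", "enabled": True,
     "last_login": date(2013, 11, 2), "privileged": True, "approval_ref": "CHG-0042"},
    # Privileged account with no approval on file.
    {"user": "csingh", "employee_id": "E102", "enabled": True,
     "last_login": date(2014, 3, 1), "privileged": True},
    # Service account with no individual owner recorded.
    {"user": "svc_batch", "employee_id": None, "enabled": True,
     "last_login": date(2014, 3, 12), "privileged": True, "approval_ref": "CHG-0007"},
    # Disabled account: excluded from the leaver and dormancy tests by design.
    {"user": "dold", "employee_id": "E100", "enabled": False,
     "last_login": None, "privileged": False},
]

if __name__ == "__main__":
    for account, issues in findings_by_account(review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE)).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

Running it against the constructed extract produces four findings across three accounts; `alee` and the disabled `dold` pass every test. In practice the same tests are run against the full population rather than a sample, which is what makes this kind of scripted review preferable to inspecting screenshots of the user list.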
Domain 4 – Disaster Recovery and Business Continuity
IT Auditor Tasks, e.g.
• Evaluate the adequacy of backup and recovery provisions to ensure the resumption of normal information processing in the event of a short-term disruption and/or the need to rerun or restart a process.
• Evaluate the organization’s ability to continue to provide information system processing capabilities in the event that the primary information processing facilities are not available (e.g. disaster recovery).
• Evaluate the organization’s ability to ensure business continuity in the event of a business disruption.
27
Domain 5 – Business Solution Systems Development, Acquisition, Implementation and Maintenance
IT Auditor Tasks, e.g.
• Evaluate the processes by which business solutions are developed and implemented to ensure that they contribute to the attainment of the organization’s business objectives.
• Evaluate the processes by which business solutions are acquired and implemented to ensure that they contribute to the attainment of the organization’s business objectives.
• Evaluate the processes by which business solutions are maintained to ensure the continued support of the organization’s business objectives.
• Evaluate the Enterprise policies, standards and procedures related to the acquisition, management and monitoring of 3rd party outsourced or hosted key applications, e.g. SaaS solutions.
• Evaluate the processes by which system software and utilities are maintained to ensure the continued support of the organization’s business objectives.
28
What comprises a traditional IT audit?
The major elements of IT audit as defined by ISACA and laid out in CobIT can be broadly classified:
Physical and environmental review—This includes physical security, power supply, air conditioning, humidity
control and other environmental factors.
System administration review—This includes security review of the operating systems, database
management systems, all system administration procedures and compliance.
Application software review—The business application could be payroll, invoicing, a web-based customer
order processing system or an enterprise resource planning system that actually runs the business. Review of
such application software includes access control and authorizations, validations, error and exception handling,
business process flows within the application software and complementary manual controls and procedures.
Additionally, a review of the system development lifecycle should be completed.
Network security review—Review of internal and external connections to the system, perimeter security,
firewall review, router access control lists, port scanning and intrusion detection are some typical areas of
coverage.
Business continuity review—This includes existence and maintenance of fault tolerant and redundant
hardware, backup procedures and storage, and documented and tested disaster recovery/business continuity
plan.
Data integrity review—The purpose of this is scrutiny of live data to verify adequacy of controls and impact of
weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized
audit software (e.g., computer assisted audit techniques).
29
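The data integrity review above relies on substantive tests run over the live population with generalized audit software. The block below is an added example of the kind of computer-assisted audit technique meant, not code from the presentation: the payments extract, its field names, the audited period and the four tests (sequence completeness, duplicate payments, approval and segregation-of-duties exceptions, cutoff) are constructed for illustration.

```python
"""Substantive data integrity tests over a payments extract (added example, constructed data)."""
from collections import Counter
from datetime import date

# Constructed extract: one row per payment document posted through the application.
# Document 1003 is missing, INV-77 is paid twice, 1005 is self-approved and
# 1006 is unapproved and posted after the period end.
PAYMENTS = [
    {"doc": 1001, "vendor": "V01", "invoice": "INV-77", "amount": 1200.00,
     "posted": date(2013, 7, 3), "entered_by": "jdoe", "approved_by": "msmith"},
    {"doc": 1002, "vendor": "V02", "invoice": "INV-12", "amount": 350.00,
     "posted": date(2013, 8, 15), "entered_by": "jdoe", "approved_by": "msmith"},
    {"doc": 1004, "vendor": "V01", "invoice": "INV-77", "amount": 1200.00,
     "posted": date(2013, 9, 1), "entered_by": "rlee", "approved_by": "msmith"},
    {"doc": 1005, "vendor": "V03", "invoice": "INV-90", "amount": 9800.00,
     "posted": date(2013, 12, 30), "entered_by": "rlee", "approved_by": "rlee"},
    {"doc": 1006, "vendor": "V02", "invoice": "INV-13", "amount": 410.00,
     "posted": date(2014, 1, 2), "entered_by": "jdoe", "approved_by": None},
]
PERIOD_START, PERIOD_END = date(2013, 7, 1), date(2013, 12, 31)  # assumed fiscal half-year


def sequence_gaps(rows):
    """Completeness test: document numbers missing from the expected unbroken run."""
    present = {r["doc"] for r in rows}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def duplicate_payments(rows):
    """Occurrence test: the same vendor invoice and amount paid more than once."""
    def key(r):
        return (r["vendor"], r["invoice"], round(r["amount"], 2))
    counts = Counter(key(r) for r in rows)
    return sorted(r["doc"] for r in rows if counts[key(r)] > 1)


def approval_exceptions(rows):
    """Authorization test: no approver recorded, or preparer approving own entry (SOD)."""
    exceptions = {}
    for r in rows:
        if r["approved_by"] is None:
            exceptions[r["doc"]] = "no approval recorded"
        elif r["approved_by"] == r["entered_by"]:
            exceptions[r["doc"]] = "entered and approved by the same user"
    return exceptions


def out_of_period(rows, start, end):
    """Cutoff test: postings dated outside the audited period."""
    return [r["doc"] for r in rows if not (start <= r["posted"] <= end)]


def run_integrity_review(rows, start, end):
    """Run every test and return the exceptions keyed by test name."""
    return {
        "sequence_gaps": sequence_gaps(rows),
        "duplicates": duplicate_payments(rows),
        "approval_exceptions": approval_exceptions(rows),
        "out_of_period": out_of_period(rows, start, end),
    }


if __name__ == "__main__":
    for test, result in run_integrity_review(PAYMENTS, PERIOD_START, PERIOD_END).items():
        print(f"{test}: {result}")
```

Each function returns the exception population rather than a pass/fail flag, so the auditor can size the weakness identified in an earlier review (for instance, a missing application control over duplicate invoices) against its actual impact in the data.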
IT Audit Challenges
• Inaccessible and untouchable computer solutions – Cloud based systems
• Involvement at inception
• Business owned and driven
• Reliance on 3rd party service auditor reports
• Year-to-year oversight
• Remaining relevant
• Effective vendor evaluations, e.g. FedRAMP
• Statutory Compliance demands
• Data lifecycle management
• Keeping ahead of the curve – understanding new technologies, solutions and their risks
• End user computing – the ubiquitous mobile device and its vulnerability
• Acquiring and retaining qualified staff
30
Questions