Information Technology Audit
Association of Government Accountants – Boston Chapter
2014 Regional Professional Development Conference
Bentley University, March 13, 2014

With You Today
Geoff W. Clarke, CISA, CISSP
Manager, KPMG Advisory Services
Geoff has been with the firm for seven years and is a manager in the KPMG LLP Information Technology Advisory Services (ITAS) practice. He has over 30 years of business experience in both the MIS and IT audit disciplines. Prior to joining KPMG, Mr. Clarke worked for several Fortune 500 companies, where he held MIS and IT audit executive positions including Global IT Audit Director and CIO of Asia Pacific Region MIS. As a CIO he lived in Singapore and was responsible for the sales, manufacturing and supply chain MIS development and support of his employer's sales, manufacturing and logistical operations in Greater China, Australia, Japan and S.E. Asia. During his KPMG career, Geoff has assisted private and public sector clients and has managed MIS projects, IT risk and security assessments, IT audits, SSAE 16 examinations and reviews of IT controls over financial reporting.
gclarke@kpmg.com
(617) 998 1408

Agenda
- IT auditing – what, who and why
- IT control frameworks and IT general control domains
- IT audit challenges

What is IT Auditing?
- Information systems (or information technology) audit is part of the overall audit process, which is one of the facilitators of good organizational governance.
- There is no single universal definition of IT audit. Prof. Ron Weber (author of "Information Systems Control and Audit") defined it as "the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently."
Internal and External IT Audit – Some Differences
1. Internal: The internal auditor is most often an employee of the organization.
   External: The external auditor is an external contractor and not an employee of the organization.
2. Internal: Internal audit seeks to advise management on whether its major operations have sound systems of risk management and internal control.
   External: The external auditor seeks to test the underlying transactions that form the basis of the financial statements.
3. Internal: The IT auditor supports the goals of the enterprise and, as part of Internal Audit, reports to the audit committee.
   External: The external IT auditor supports the external financial audit by providing insight into the reliance that can be placed on automated financial systems, through testing of IT general controls and, when requested, automated application controls.
4. Internal: Internal audit forms an opinion on the adequacy and effectiveness of systems of risk management and internal control, many of which fall outside the main accounting systems.
   External: The external auditor (including the supporting IT audit process) seeks to provide an opinion on whether the accounts show a true and fair view.
5. Internal: Besides addressing risk, internal audit groups play a key role in identifying opportunities to improve operating efficiency in an organization.
   External: External auditors may comment on potential efficiencies, but this is generally not a primary focus of their activity.
6. Internal: Internal audits are most often time independent, with a goal of being "forward looking" and leading to control improvement.
   External: External audits are "backward looking" and most often focus on the operation of controls during past financial periods.

The IT Auditor
"Plans and participates in a broad internal auditing program, and in particular audits of an entity's information technology functions, to assure adherence to established entity policies and procedures and to offer constructive analysis and appraisal of the entity's IT operations, its technology policies and procedures and systems of internal control."

ISACA
- ISACA is an international professional association focused on IT governance. It is an affiliate member of the International Federation of Accountants (IFAC).
- Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves.
- ISACA was informally established in the US in 1967 and formally incorporated in 1969 as the Electronic Data Processing (EDP) Auditors Association.
- ISACA currently (2014) has over 110,000 constituents in 200 chapters located in more than 180 countries.
- ISACA awards the Certified Information Systems Auditor (CISA) certification following a successful examination and five years of appropriate, verifiable work experience.
- Other ISACA certifications related to IT governance include Certified Information Security Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems Control (CRISC).

IT Audit as a Career
- A number of schools now offer undergraduate degrees in information technology auditing, including Bentley University.
- There is a shortfall of trained and experienced IT auditors.
- IT auditors can come from both IT and business/accounting backgrounds.

Impact of Information and Information Technology
- Information is a key resource for all enterprises. In some cases, it is all they produce.
- Enterprises constantly collect or create information, use it, store it, share it and eventually destroy it.
- Information technology (IT) is a key enabler of the above.
- IT is pervasive and ubiquitous in all areas of public and private enterprise, and in personal life.
- IT has the potential to dramatically change organizational and business operating models, create new opportunities and reduce costs.
- High dependency on information requires that it be safeguarded from unauthorized access or misappropriation, that it have integrity and that it be available when required.
- The value of information brings with it increased internal and external risks and threats of loss or compromise.
- Increasing information risks and threats bring with them new statutory requirements specific to the management of information technology.
- The recognition that, while "it is human to err, it requires a computer to really screw up".

The Role of IT in Enterprise Operations
IT is a key enabler in supporting what organizations most want to accomplish: positive business outcomes.
- Achieving business goals
- Meeting corporate governance responsibilities and legal requirements
- Administering and managing business activity efficiently and cost effectively, to minimize business risk and avoid issues and problems that are:
  » Business
  » Operational
  » IT
  » Statutory and legal

Examples of IT Objectives to Be Achieved and Risks to Be Mitigated
IT Objective                           IT Risk
Efficient and successful operations    Information loss (accidental or malicious)
Data integrity                         Financial reporting errors
Protected systems                      Loss of confidence in data and/or system integrity
Safeguarded assets                     Computer fraud
Data and system availability           System failure and downtime
Positive ROI                           Increased cost of operation
Competitive advantage                  Inaccurate data leading to poor business decisions
Enhanced reputation                    Reputational loss
Statutory compliance                   Compliance failure

Management's Requirements from Its IT Organization
- Governance and risk management
- Security and confidentiality
- Availability
- Integrity
- Efficiency and effectiveness
- Compliance
- Managed cost and ROI

Management's Objective
[Diagram: what management has, on the left, feeding what it wants, on the right.]
What it has:
- Processes
- IT resources: applications, data, infrastructure, people
What it wants:
- Information that is effective, efficient, confidential, has integrity, and is available, compliant and reliable

The Role of IT Audit
To help meet management's objective, IT systems and processing environments need to be appropriately managed, controlled and periodically assessed to ensure that:
- Organizational objectives that are dependent on IT are achieved
- Systems and applications function as expected
- Data and systems have integrity and are reliable
- Adequate safeguards are in place to protect data, information and other IT resources from unauthorized access, disclosure or misappropriation
- Systems, applications and their information assets are kept available for authorized persons
- Federal, state and other statutory regulations are complied with

IT Controls – Achieving Objectives and Avoiding Risk
Controls exist to achieve business objectives and to avoid risks, threats and exposures.
Control (as defined by COBIT): "The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected." Source: COBIT Control Objectives.

Characteristics of a Good Internal Control Environment
- Well-defined operational control objectives
- Appropriate supporting controls
- Risk assessment and risk management
- Policies, standards and defined expectations
- Documentation
- Competent and trustworthy people
- Monitoring, measurement and evaluation

COBIT Framework as a Model for Enterprise IT Governance
- COBIT = Control Objectives for Information and Related Technology
- IT audit's COSO cousin
- First issued in 1996; COBIT 5, published in 2012, is the latest iteration as of this presentation.
- Developed and maintained by ISACA and the IT Governance Institute (ITGI).
- An authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers, IT organizations and auditors.
- The framework supports governance of IT by defining and aligning business goals with IT goals and IT processes.
The COBIT components include:
- Framework: organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
- Process descriptions: a reference process model and common language for everyone in an organization. The processes map to the responsibility areas of plan, build, run and monitor.
- Control objectives: a complete set of high-level requirements to be considered by management for effective control of each IT process.
- Management guidelines: help assign responsibility, agree on objectives, measure performance and illustrate interrelationships with other processes.
- Maturity models: assess maturity and capability per process and help to address gaps.

COBIT – Intended to Be "All Things to All People"
Audiences:
- Business management and the user community
- IT management and IT organizations
- IT auditors
- The enterprise

Other IT Control Frameworks
- Information Technology Infrastructure Library (ITIL)
- Security Code of Conduct – DTI (UK Department of Trade and Industry)
- Security Handbook – NIST
- Federal Information Processing Standards (FIPS)
- International Organization for Standardization (ISO) 27001/27002 (security)

IT Auditor Areas of Interest
- Business information characteristics and information management
- IT resources and resource management
- IT processes and process management

Information Characteristics
- Effective: information should be relevant and pertinent to the business process, and delivered in a timely, correct, consistent, usable and complete manner.
- Efficient: provision of information through the optimal (most productive and economical) use of resources.
- Confidential: protection of sensitive information from unauthorized disclosure.
- Integrity: the accuracy and completeness of information, as well as its validity in accordance with business values and expectations.
- Available: information is available when required by the business process, now and in the future.
- Compliant: compliance with the laws, regulations and contractual arrangements to which the business process is subject, i.e. externally imposed statutory or business criteria.
- Reliable: the provision of appropriate and accurate information to management to operate the entity and exercise its fiduciary and governance responsibilities.

IT Resources and Resource Management
IT resources need to be managed in order to provide organizations with the type and quality of information required to achieve organizational objectives. Resources comprise:
- Application systems
  » The automated user systems and associated manual procedures that process the information
  » Can be in-house or externally hosted (e.g. Software-as-a-Service applications)
- Information
  » Data in all its forms that, when compiled, has intelligence and meaning
- Infrastructure and facilities
  » The technology (hardware, operating systems, database management systems, networking, multimedia, etc.), and the facilities that house and support it, that enable the processing of data through the applications
- People
  » The personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, contracted or totally outsourced as necessary.

Information Processes and Process Management
- Domains: a natural grouping of processes, often matching an organizational domain of responsibility
- Processes: a series of joined tasks and activities with natural (control) breaks
- Tasks and activities: actions needed to achieve a measurable result.
  » Activities have a life cycle, whereas tasks are discrete.

Information Processes and Key General IT Control Domains
- Domain 1 – IT Management, Planning, Organization and Risk Management
- Domain 2 – Technical Infrastructure and IT Operational Practices
- Domain 3 – Protection of Information Assets
- Domain 4 – Disaster Recovery and Business Continuity
- Domain 5 – Business Application Systems Development, Acquisition, Implementation and Maintenance

Domain 1 – IT Management, Planning, Organization and Risk Management
IT auditor tasks, e.g.:
- Conduct an enterprise risk assessment to determine key risk areas for discussion with management, and use it to develop an appropriate IT audit plan.
- Evaluate the organization's IT strategy and the processes for its development, deployment and maintenance, to ensure that it supports the organization's business objectives.
- Evaluate the IT organization's implementation of risk management and governance.
- Evaluate the IT organization and structure (e.g. roles and responsibilities, segregation of duties (SoD)) to ensure appropriate, adequate and controlled support of the organization's business requirements.
- Evaluate the IT policies, standards and procedures (e.g. risk management, change management, project management, security policies) and the processes for their development, deployment and maintenance.
- Evaluate IT management practices (e.g. staffing practices, training, information security management, certifications) to ensure compliance with IT policies, standards and procedures.
- Evaluate the selection and management of third-party services to ensure that they support the organization's IT strategy.

Domain 2 – Technical Infrastructure and IT Operational Practices
IT auditor tasks, e.g.:
- Evaluate the acquisition, installation and maintenance of hardware, system software and utilities (e.g. operating systems, database management systems, security packages) and network infrastructure components (e.g. voice and data communications, Internet, extranet) to ensure that they efficiently support the organization's IT processing and business requirements and are compatible with the organization's strategies.
- Evaluate the use of system performance and monitoring processes, tools and techniques (e.g. capacity planning, problem management, system management) to ensure that computer systems continue to meet the organization's business objectives.
- Evaluate IT operational practices (e.g. help desk, user support functions, computer operations, scheduling, data transmission) to ensure efficient and effective utilization of the technical resources used to support the organization's IT processing and business requirements.

Domain 3 – Protection of Information Assets
IT auditor tasks, e.g.:
- Evaluate the design and implementation of an information security organization and its associated practices to ensure that it is effective and capable of safeguarding the organization's information assets.
- Evaluate the design, implementation and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives.
- Evaluate the design, implementation and monitoring of environmental controls (e.g. HVAC, smoke/heat/water detectors, fire suppression, uninterruptible power supply (UPS), backup generator) to prevent and/or minimize potential losses.
- Evaluate network infrastructure security to ensure the integrity, confidentiality, availability and authorized use of the network and of the information transmitted over it.
- Evaluate the design, implementation and monitoring of logical access controls to ensure the integrity, confidentiality and availability of information assets (e.g. programs and data).
- Evaluate IT's safeguards over sensitive data at rest, in transmission and in transport, including the copying and storage of data offsite.
- Evaluate the enterprise's security posture and safeguards against external information threats such as social engineering and phishing.

Domain 4 – Disaster Recovery and Business Continuity
IT auditor tasks, e.g.:
- Evaluate the adequacy of backup and recovery provisions to ensure the resumption of normal information processing in the event of a short-term disruption and/or the need to rerun or restart a process.
- Evaluate the organization's ability to continue to provide information system processing capabilities in the event that the primary information processing facilities are not available (i.e. disaster recovery).
- Evaluate the organization's ability to ensure business continuity in the event of a business disruption.

Domain 5 – Business Solution Systems Development, Acquisition, Implementation and Maintenance
IT auditor tasks, e.g.:
- Evaluate the processes by which business solutions are developed and implemented, to ensure that they contribute to the attainment of the organization's business objectives.
- Evaluate the processes by which business solutions are acquired and implemented, to ensure that they contribute to the attainment of the organization's business objectives.
- Evaluate the processes by which business solutions are maintained, to ensure continued support of the organization's business objectives.
- Evaluate the enterprise policies, standards and procedures for the acquisition, management and monitoring of third-party outsourced or hosted key applications, e.g. SaaS solutions.
- Evaluate the processes by which system software and utilities are maintained, to ensure continued support of the organization's business objectives.

What Comprises a Traditional IT Audit?
The major elements of IT audit as defined by ISACA and laid out in COBIT can be broadly classified as:
- Physical and environmental review: physical security, power supply, air conditioning, humidity control and other environmental factors.
- System administration review: security review of the operating systems, database management systems, all system administration procedures and compliance with them.
- Application software review: the business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software covers access control and authorizations, input validation, error and exception handling, business process flows within the application and the complementary manual controls and procedures. A review of the system development life cycle should also be completed.
- Network security review: review of internal and external connections to the system, perimeter security, firewall rule review, router access control lists, port scanning and intrusion detection are typical areas of coverage.
- Business continuity review: existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
- Data integrity review: scrutiny of live data to verify the adequacy of controls and the impact of any weaknesses noticed in the above reviews. Such substantive testing can be done using generalized audit software (computer-assisted audit techniques, CAATs).

IT Audit Challenges
- Inaccessible and untouchable computer solutions – cloud-based systems
- Involvement at inception
- Business owned and driven
- Reliance on third-party service auditor reports
- Year-to-year oversight
- Remaining relevant
- Effective vendor evaluations, e.g. FedRAMP
- Statutory compliance demands
- Data lifecycle management
- Keeping ahead of the curve – understanding new technologies, solutions and their risks
- End user computing – the ubiquitous mobile device and its vulnerabilities
- Acquiring and retaining qualified staff

Questions
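The Domain 1 task of evaluating segregation of duties, the Domain 3 task of evaluating logical access controls, and the data integrity review (substantive testing with CAATs) all come down to the same mechanical step: pulling an extract from the application or HR system and running a test over every record rather than a sample. The script below is an added worked example and is not part of the deck or of KPMG's material. It runs three typical IT general control tests over constructed extracts: a segregation of duties check against a hypothetical rule matrix, a joiner/leaver and dormant account check, and a duplicate payment check. The role names, the SoD rule matrix, the termination list, the account listing, the payment records and the 90-day dormancy threshold are all constructed or assumed for illustration.

```python
"""CAAT-style IT general control tests over constructed extracts (added example, not from the deck)."""
from datetime import date

# --- Constructed sample extracts ---------------------------------------------
# Application role assignments (user -> set of roles). Role names are hypothetical.
ROLE_ASSIGNMENTS = {
    "alice":     {"AP_CREATE_VENDOR", "AP_ENTER_INVOICE"},
    "bob":       {"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"},   # enters and approves invoices
    "carol":     {"AP_APPROVE_PAYMENT"},
    "dave":      {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"},   # creates vendors and pays them
    "svc_batch": {"SYSADMIN"},
}

# Hypothetical SoD rule matrix: role pairs that one person must not hold together.
SOD_RULES = [
    ({"AP_ENTER_INVOICE", "AP_APPROVE_PAYMENT"}, "enter and approve invoices"),
    ({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}, "create vendors and approve payments"),
]

# HR leaver list and application account listing (constructed).
TERMINATIONS = {"carol": date(2014, 1, 31)}
ACCOUNTS = [
    {"user": "alice",     "status": "active", "last_login": date(2014, 3, 10)},
    {"user": "bob",       "status": "active", "last_login": date(2014, 3, 11)},
    {"user": "carol",     "status": "active", "last_login": date(2014, 2, 14)},  # login after leaving
    {"user": "dave",      "status": "active", "last_login": date(2013, 10, 1)},  # dormant
    {"user": "svc_batch", "status": "active", "last_login": date(2014, 3, 12)},
]

# Accounts-payable payment extract (constructed). Record 4 is a near-duplicate of 3:
# same vendor and amount, invoice number differs only in case and trailing whitespace.
PAYMENTS = [
    {"id": 1, "vendor": "V100", "invoice": "INV-7", "amount": 1250.00, "paid": date(2014, 2, 3)},
    {"id": 2, "vendor": "V100", "invoice": "INV-7", "amount": 1250.00, "paid": date(2014, 2, 17)},
    {"id": 3, "vendor": "V200", "invoice": "INV-9", "amount": 80.00,   "paid": date(2014, 2, 20)},
    {"id": 4, "vendor": "V200", "invoice": "inv-9 ", "amount": 80.0,   "paid": date(2014, 3, 1)},
]

# --- Tests ---------------------------------------------------------------------
def sod_conflicts(assignments, rules):
    """Domain 1: list (user, conflict) for every user holding a forbidden role pair."""
    hits = []
    for user, roles in sorted(assignments.items()):
        for pair, description in rules:
            if pair <= roles:  # the user holds every role in the conflicting pair
                hits.append((user, description))
    return hits

def terminated_but_active(accounts, terminations):
    """Domain 3: leavers whose accounts are still active; flag is True if used after leaving."""
    hits = []
    for acct in accounts:
        left_on = terminations.get(acct["user"])
        if left_on is not None and acct["status"] == "active":
            hits.append((acct["user"], acct["last_login"] > left_on))
    return hits

def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Domain 3: active accounts unused for longer than the (assumed) policy threshold."""
    return sorted(acct["user"] for acct in accounts
                  if acct["status"] == "active"
                  and (as_of - acct["last_login"]).days > max_idle_days)

def duplicate_payments(payments):
    """Data integrity: group on normalised (vendor, invoice, amount); return groups paid more than once."""
    groups = {}
    for p in payments:
        key = (p["vendor"], p["invoice"].strip().upper(), round(p["amount"], 2))
        groups.setdefault(key, []).append(p["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}

def run_all(as_of=date(2014, 3, 13)):
    """Run every test against the constructed extracts and return findings keyed by test name."""
    return {
        "sod_conflicts": sod_conflicts(ROLE_ASSIGNMENTS, SOD_RULES),
        "terminated_but_active": terminated_but_active(ACCOUNTS, TERMINATIONS),
        "dormant_accounts": dormant_accounts(ACCOUNTS, as_of),
        "duplicate_payments": duplicate_payments(PAYMENTS),
    }

if __name__ == "__main__":
    for test, findings in run_all().items():
        print(f"{test}: {findings}")
```

Two points a practitioner would check before relying on output like this. First, the duplicate test normalises the invoice key (case, whitespace, rounded amount) because an exact-match test would have missed payment 4; the choice of normalisation is itself an audit judgement and should be documented. Second, the tests are only as good as the extracts: completeness of the role listing, account listing and payment file (record counts and control totals reconciled to the source system) has to be evidenced before any finding is reported.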