NSAA Information Technology Conference
Planning the Scope of Your IT Audit

October 1, 2014
Jennifer Schreck, Audit Director
Strategic Risk Management
Auditor of Public Accounts
http://www.apa.virginia.gov

What we are going to discuss
• Case studies (Michigan)
• Frame of reference for IT audits at the APA
• Where we want to be (Auditor Planning Utopia)
• How do we get there - Our keys to Success

Quick reminder of who we are . . .
The APA
• Serves as the external auditor for the executive and legislative branches of the Commonwealth
• Performs financial statement and performance audits
• Manages the Commonwealth’s transparency website, Data Point
• Works with local, agency and institutional internal audit shops investigating fraud
• Reviews the entire court system from the Supreme Court to each local court
• Examines the state accounts and records of every locality handling state funds
• Maintains oversight responsibility for local government audits performed by public accounting firms.
• Provides systems development and public private partnership project monitoring where risk dictates.
• Performs technology-related vulnerability and penetration testing when requested.

Quick reminder of who we are . . .
• Divided into areas of expertise to support our mission and audit projects
Our teams work together to support our Projects:
– Human Resources & Business Operations
– Reporting & Standards
– Acquisition & Contract Mgmt
– Budgeting & Performance Management
– Strategic Risk Management
– Local Government and Judicial Systems
– Capital Asset Management
– Systems Security
– Compliance Assurance
– Data Analysis
– IT Project Management
– Higher Education Programs

Auditor IT Planning Utopia
• You know which systems are the key systems . . .
• You know the delineation of responsibility if part of the system is outsourced . . .
• You easily identify the controls within your system . . .
• You can easily determine what has been audited by other groups
• It's easy to define the scope of your audit . . .
• You know the data elements you need to do your work . . .
• You have the various types of resources you need to do the audit . . .
• Every auditor is an “integrated” auditor . . .

Auditor IT Planning Utopia
Reality can bring things to a crashing halt
But it doesn’t have to. . . .

Quick reminder of who we are . . .
• Most of our “trained” IT knowledge lies within three of our specialty teams
Our teams work together to support our Projects: Reporting & Standards; Acquisition & Contract Mgmt; Budgeting & Performance Management; Strategic Risk Management; Local Government and Judicial Systems; Capital Asset Management; Systems Security; Data Analysis; IT Project Mgmt; Compliance Assurance; Higher Education Programs

To achieve Auditor Planning Utopia . . .
• All of our teams need to have an IT mindset because all of our audit clients use Information Technology to support what they do.
Our teams work together to support our Projects: Reporting & Standards; Acquisition & Contract Mgmt; Strategic Risk Management; Local Government and Judicial Systems; Capital Asset Management; Systems Security; Compliance Assurance; Data Analysis; IT Project Management; Budgeting & Performance Management; Higher Education Programs

Perspective . . .
• The APA performs financial statement and performance audits of executive branch entities
• The majority of our performance audits still have a financial related slant
• Our IT audit work generally supports broader financially driven objectives.

Keys to Success
• Setting the “Tone at the Top”
• Challenging our staff to think innovatively
• Making the connections

Setting the “Tone at the Top”
Refocused Strategic Planning Initiatives
• Staffing and Workplan
• Project Processes
• Innovative Audit Approaches
• Focus on Staff
• Office Structure
• Reporting Results
• Methods of Communication

Setting the “Tone at the Top”
Shift in planning mindset
• 10/80/10: Plan 10%, Execute 80%, Report 10%

Setting the “Tone at the Top”
Shift in planning mindset
• 10/80/10: Plan 10%, Execute 80%, Report 10%
• 40/40/20: Plan 40%, Execute 40%, Report 20%

Challenging our staff to think Innovatively
Application Controls (What are they?)
Green Book: 11.08
Application controls, sometimes referred to as business process controls, are those controls that are incorporated directly into computer applications to achieve validity, completeness, accuracy, and confidentiality of transactions and data during application processing.

Validity, Completeness, and Accuracy: Management Assertions?

Challenging our staff to think Innovatively
Management’s Use of Application Controls
1. Does management have applications to process business transactions?
2. How should management use application controls to achieve validity, completeness, and accuracy of their business transactions?
3. How is management using its applications to enforce the business rules?
4. What information will I need to validate that business rules were working?

Challenging our staff to think Innovatively
• Example – Time and Effort Applications
– Business Rule: Employees should NOT approve their own time sheet.
– Application Control: Employee cannot view or select their timesheet within the approval screen.
– Auditor's Test: Does the employee id equal the approval id on any timesheets?
(Caveat: Assumes that Application is operating in an environment with sound general controls.)
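
The auditor's test from the Time and Effort example, run over a full timesheet extract rather than a sample. This is an added illustration, not part of the original presentation; the table name, column names and sample rows are constructed assumptions, and the ID normalization (trim and upper-case) goes slightly beyond the slide so that a self-approval is not missed because of inconsistent ID formatting.

```python
import sqlite3

# Constructed sample extract; table and column names are assumptions,
# not taken from any real time-and-effort application.
SAMPLE_ROWS = [
    # (timesheet_id, employee_id, approver_id, period_end, hours)
    (1, "E1001", "E2001", "2014-09-15", 80.0),   # approved by a supervisor
    (2, "E1002", "E1002", "2014-09-15", 80.0),   # exact self-approval
    (3, "E1003", " e1003", "2014-09-15", 76.5),  # self-approval masked by case/space
    (4, "E1004", None, "2014-09-15", 80.0),      # not yet approved
    (5, "E1002", "E2001", "2014-09-30", 80.0),   # same employee, properly approved
]

# Auditor's test: does the employee id equal the approval id on any timesheet?
SELF_APPROVAL_SQL = """
SELECT timesheet_id, employee_id, approver_id, period_end, hours
FROM timesheets
WHERE approver_id IS NOT NULL
  AND UPPER(TRIM(employee_id)) = UPPER(TRIM(approver_id))
ORDER BY timesheet_id
"""

def load_extract(rows):
    """Load the extract into an in-memory database so the whole population is tested."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE timesheets (timesheet_id INTEGER PRIMARY KEY, "
        "employee_id TEXT NOT NULL, approver_id TEXT, period_end TEXT, hours REAL)"
    )
    conn.executemany("INSERT INTO timesheets VALUES (?, ?, ?, ?, ?)", rows)
    return conn

def find_self_approved(conn):
    """Return every timesheet whose approver is the employee who submitted it."""
    return conn.execute(SELF_APPROVAL_SQL).fetchall()

def summarize(conn):
    """Record counts for the workpaper: population size, approved items, exceptions."""
    total = conn.execute("SELECT COUNT(*) FROM timesheets").fetchone()[0]
    approved = conn.execute(
        "SELECT COUNT(*) FROM timesheets WHERE approver_id IS NOT NULL"
    ).fetchone()[0]
    ids = [row[0] for row in find_self_approved(conn)]
    return {"total": total, "approved": approved,
            "self_approved": len(ids), "exception_ids": ids}

if __name__ == "__main__":
    db = load_extract(SAMPLE_ROWS)
    for exception in find_self_approved(db):
        print("EXCEPTION:", exception)
    print(summarize(db))
```

Any row returned means the application control did not enforce the business rule for that timesheet, which is the point at which the caveat about general controls becomes the next question.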
Challenging our staff to think Innovatively
• We host Brown Bag lunches, to informally discuss issues around implementing innovative approaches and share new ideas

Challenging our staff to think Innovatively
• Systems Security
• Data Analysis
• IT Project Management

• Acquisition & Contract Mgmt
• Budgeting & Performance Mgmt
• Capital Asset Management
• Compliance Assurance
• Higher Education Programs
• Local Government & Judicial Systems
• Strategic Risk Management
• Reporting & Standards

Making the Connections
• Building contact points into our audit programs

Making the Connections
• Creating audit tools that help our IT staff think like our other staff and vice versa
– Executive Dashboard
– Internal Control Worksheet
– Fraud Assessment
– ISS Financial Statement Integration Tool

Making the Connections – IS Planning Tools
• Supports a Risk-based approach
• Provides a clearer view of technical testwork (infrastructure, software, etc.)
• Encourages an iterative planning process involving both IS and Financial auditors
• Addresses all major areas of data security (integrity, confidentiality, reliability)

Making the Connections
• Highlighting success

Auditor Planning Utopia