Planning the Scope of your IT Audit

NSAA Information Technology Conference
Planning the Scope of Your IT Audit
October 1, 2014
Jennifer Schreck, Audit Director
Strategic Risk Management
Auditor of Public Accounts
What we are going to discuss
• Case studies (Michigan)
• Frame of reference for IT audits at the
APA
• Where we want to be (Auditor Planning
Utopia)
• How do we get there - Our keys to
Success
http://www.apa.virginia.gov
Quick reminder of who we are . . . The APA
• Serves as the external auditor for the
executive and legislative branches of the
Commonwealth
• Performs financial statement and
performance audits
• Manages the Commonwealth’s
transparency website, Data Point
• Works with local, agency and
institutional internal audit shops
investigating fraud
• Reviews the entire court system from
the Supreme Court to each local court
• Examines the state accounts and
records of every locality handling state
funds
• Maintains oversight responsibility for
local government audits performed by
public accounting firms.
• Provides systems development and
public private partnership project
monitoring where risk dictates.
• Performs technology-related vulnerability
and penetration testing when requested.
Quick reminder of who we are . . .
• Divided into areas of expertise to support our mission and audit projects
[Diagram: “Our teams work together to support our Projects”. Boxes: Human Resources & Business Operations; Reporting & Standards; Acquisition & Contract Mgmt; Budgeting & Performance Management; Strategic Risk Management; Local Government and Judicial Systems; Capital Asset Management; Systems Security; Compliance Assurance; Data Analysis; IT Project Management; Higher Education Programs]
Auditor IT Planning Utopia
• You know which systems are the key systems . . .
• You know the delineation of responsibility if part of the system is outsourced . . .
• You easily identify the controls within your system . . .
• You can easily determine what has been audited by other groups
• It’s easy to define the scope of your audit . . .
• You know the data elements you need to do your work . . .
• You have the various types of resources you need to do the audit . . .
• Every auditor is an “integrated” auditor . . .
Reality can bring things to a crashing halt
But it doesn’t have to . . .
Quick reminder of who we are . . .
• Most of our “trained” IT knowledge lies within three of our specialty teams
[Diagram: “Our teams work together to support our Projects”. Boxes: Reporting & Standards; Acquisition & Contract Mgmt; Budgeting & Performance Management; Strategic Risk Management; Local Government and Judicial Systems; Capital Asset Management; Systems Security; Data Analysis; IT Project Mgmt; Compliance Assurance; Higher Education Programs]
To achieve Auditor Planning Utopia . . .
• All of our teams need to have an IT mindset because all of our audit clients use Information Technology to support what they do.
[Diagram: “Our teams work together to support our Projects”. Boxes: Reporting & Standards; Acquisition & Contract Mgmt; Strategic Risk Management; Local Government and Judicial Systems; Capital Asset Management; Systems Security; Compliance Assurance; Data Analysis; IT Project Management; Budgeting & Performance Management; Higher Education Programs]
Perspective . . .
• The APA performs financial statement
and performance audits of executive
branch entities
• The majority of our performance audits
still have a financial related slant
• Our IT audit work generally supports
broader financially driven objectives.
Keys to Success
• Setting the “Tone at the Top”
• Challenging our staff to think
innovatively
• Making the connections
Setting the “Tone at the Top”
Refocused Strategic Planning Initiatives
• Staffing and Workplan
• Project Processes
• Innovative Audit Approaches
• Focus on Staff
• Office Structure
• Reporting Results
• Methods of Communication
Shift in planning mindset
10/80/10: Plan 10%, Execute 80%, Report 10%
40/40/20: Plan 40%, Execute 40%, Report 20%
Challenging our staff to think Innovatively
Application Controls (What are they?)
Green Book: 11.08
Application controls, sometimes referred to as
business process controls, are those controls
that are incorporated directly into computer
applications to achieve validity, completeness,
accuracy, and confidentiality of transactions
and data during application processing.
Validity, Completeness, and Accuracy:
Management Assertions?
Management’s Use of Application Controls
1. Does management have applications to
process business transactions?
2. How should management use
application controls to achieve validity,
completeness, and accuracy of their
business transactions?
3. How is management using its
applications to enforce the business
rules?
4. What information will I need to validate
that business rules were working?
• Example – Time and Effort Applications
– Business Rule: Employees should NOT
approve their own time sheet.
– Application Control: Employee cannot view
or select their timesheet within the approval
screen.
– Auditor’s Test: Does the employee id equal
the approval id on any timesheets?
(Caveat: Assumes that Application is operating in
an environment with sound general controls.)
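The auditor's test above, written out as an added example (not part of the original presentation) over a constructed timesheet extract. The column names and the ID normalization rule are assumptions; the check also lists timesheets with no approver recorded, which go beyond the test as stated on the slide.

```python
import csv
import io

# Constructed sample extract; column names are assumptions, not a real system's schema.
SAMPLE_EXTRACT = """timesheet_id,employee_id,approver_id,period_end
T1001,E0042,E0017,2014-08-31
T1002,E0042,e0042 ,2014-09-15
T1003,E0108,,2014-09-15
T1004,000311,311,2014-09-15
T1005,E0200,E0201,2014-09-15
"""

def normalize_id(raw):
    """Trim whitespace, fold case and drop leading zeros so the same person
    compares equal even when two fields format the ID differently."""
    value = (raw or "").strip().upper()
    return value.lstrip("0") or value

def find_self_approvals(rows):
    """Return (self_approved, unapproved) lists of timesheet ids.

    self_approved: employee id equals approver id after normalization.
    unapproved: no approver recorded, so the business rule cannot be confirmed.
    """
    self_approved, unapproved = [], []
    for row in rows:
        employee = normalize_id(row["employee_id"])
        approver = normalize_id(row["approver_id"])
        if not approver:
            unapproved.append(row["timesheet_id"])
        elif employee == approver:
            self_approved.append(row["timesheet_id"])
    return self_approved, unapproved

def run_sample():
    """Run the test over the constructed extract above."""
    rows = list(csv.DictReader(io.StringIO(SAMPLE_EXTRACT)))
    return find_self_approvals(rows)

if __name__ == "__main__":
    exceptions, missing = run_sample()
    print("Self-approved timesheets:", exceptions)
    print("Timesheets with no approver:", missing)
```

Matches found only after normalization (such as a leading-zero difference) are leads to confirm against the source system before being reported as exceptions.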
• We host Brown Bag lunches to informally discuss issues around implementing innovative approaches and share new ideas
• Systems Security
• Data Analysis
• IT Project Management
• Acquisition & Contract Mgmt
• Budgeting & Performance Mgmt
• Capital Asset Management
• Compliance Assurance
• Higher Education Programs
• Local Government & Judicial Systems
• Strategic Risk Management
• Reporting & Standards
Making the Connections
• Building contact points into our audit programs
• Creating audit tools that help our IT staff think like our other staff and vice versa
– Executive Dashboard
– Internal Control Worksheet
– Fraud Assessment
– ISS Financial Statement Integration Tool
Making the Connections – IS Planning Tools
• Supports a Risk-based approach
• Provides a clearer view of technical
testwork (infrastructure, software, etc.)
• Encourages an iterative planning process
involving both IS and Financial auditors
• Addresses all major areas of data security (integrity, confidentiality, reliability)
Making the Connections
• Highlighting success
Auditor Planning Utopia