WHAT FINANCIAL EXECUTIVES ARE ASKING ABOUT IT AUDIT AND RISK MANAGEMENT

Institute of Internal Auditors – LI Chapter
Annual Information Technology Conference
May 10, 2013

Joel Lanz, CPA/CITP, CGMA, CISA, CISM, CISSP, CFE

Prior to starting his practice in 2001, Joel was a Technology Risk Partner in Arthur Andersen’s Business Risk Consulting and Assurance Practice, and was a Manager at Price Waterhouse. His industry experience includes Vice President and Audit Manager at The Chase Manhattan Bank and senior IT auditor positions at two insurance companies. He currently is an Adjunct Professor in the School of Business at The State University of New York – College at Old Westbury, where he teaches graduate courses in Auditing, Advanced Assurance, Forensic Accounting, Accounting Information Systems and Accounting Research.

Joel is the Chair of the AICPA’s Certified Information Technology Professional (CITP) Specialist Credential committee, and serves on the Institute’s Cybersecurity, Forensic Technology Task Force. He co-chaired the 2010 and 2011 Top Technologies Task Force and previously served on the Institute’s IT Executive and CITP Credential Committees. Joel is a member of the Editorial Board of “The CPA Journal.” Joel previously chaired both the New York State Society of Certified Public Accountants Technology Assurance and Information Technology Committees. He also serves on the Institute of Internal Auditors – Long Island Chapter Board of Governors.

SESSION DESCRIPTION

• In this fast-paced presentation closing our annual technology conference, Joel Lanz, who authors a monthly technology question-and-answer column for the New York State Society of CPAs’ “Trusted Professional” newspaper, will discuss the IT Audit and Risk Management issues frequently on the minds of the newspaper’s over 30,000 financial executive readers. Highlights of this year’s most popular columns will be reviewed, providing participants with a briefing on key IT Audit and Risk Management areas.
• He will review sources of information that can be used by these Financial Executives and their Internal Auditors in trying to identify appropriate areas of interest, so that they can add relevant value to the organization.

WHAT IS THIS MONTHLY COLUMN THAT YOU ARE TALKING ABOUT?

THE TRUSTED PROFESSIONAL – TECH Q&A FOR TODAY’S CPA

• Monthly column addressing key IT Risk Management and Audit issues – yet sometimes we discuss “the little technology challenges” that are faced on a daily basis.
• Joel responds to reader questions about technology and the role of financial executives in managing information risk.
• Usually each column addresses 2-4 questions and comprises 1000 words.
• The Trusted Professional is the voice of the New York State Society of CPAs (NYSSCPA), keeping readers up-to-date on legislative, regulatory and administrative developments, particularly as they concern tax and audit policies and accounting practices of New York State. The publication serves members of the NYSSCPA by providing in-depth coverage of NYSSCPA news, insight into key issues and changes affecting New York CPAs, and information on regulatory and ethical standards of the profession.

SO, WHAT’S ON THEIR MINDS?

NO SURPRISES HERE
• Information Security
• Privacy Risk Management
• Managing IT Vendors and Partners
• Cloud Computing

IT’s IMPACT ON CLIENTS
• WE SHOULD NOT HAVE BEEN THAT SURPRISED – BUT – THE ROLE OF THE FINANCIAL EXECUTIVE (CPA) IN MANAGING OR ADVISING CLIENTS ON IT OPERATIONS AND FINANCE WAS GREATER THAN EXPECTED.
• BYOD Policy Challenges
• Preparing the IT Budget
• Managing the IT Department
• Updating the Business Continuity Plan

“MORE THAN” SOMEWHAT SURPRISED
• Access vs. Excel
• How to integrate IT Audit
• How to Secure a Microsoft Word Document

• The recent Internet Explorer scare raised a number of issues related to patch management. What do my clients need to know about patch management?
• Many information security practitioners believe that an appropriate patch management process is one of the most critical protection strategies that companies and personal users can employ to reduce logical security threats.
• To know what to patch, users must be aware of what is on their systems.
• Microsoft provides a utility, Windows Server Update Services (WSUS), that according to the Microsoft website enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system.
• Alternatively, companies will use an automated vulnerability scanning tool such as Nessus (Tenable Network Security) or Qualys to help identify required patches.

• A number of my clients have implemented a “Bring Your Own Device” (BYOD) program to help their employees manage the number of handheld devices as well as reduce expenses for the business. Should I adopt a similar program for my practice?

• As with so many other things in business, the answer is “it depends.”
• Companies have implemented BYOD programs in response to the “consumerization of IT.” In implementing BYOD programs, companies are trying to respond in a timely manner to rapidly developing technologies that have been adopted by the consumer sector (e.g., employees) but have yet to be – or are not being – adopted by business or corporate IT (e.g., tablets).
• As with many other technology-related decisions, a lot is going to depend on which industry you are in and the extent of the regulatory requirements that need to be addressed to protect confidential and nonpublic information.
• CIO Magazine has produced “The Consumerization of IT and BYOD Guide” (http://www.cio.com/article/705880/The_Consumerization_of_IT_and_BYOD_Guide), which provides a very useful toolkit for evaluating the issues.

• What are some of the key issues that should be included in our IT vendor management oversight efforts?
• Depending on the particular business and the industry it serves, each IT vendor represents a different risk to the business, and due to the resource constraints faced by all businesses, oversight efforts will need to be prioritized.
• Appropriate contract provisions, including specifying expectations as to service delivery and right-to-audit, are key. In many, but not all, situations, a thorough review of the IT vendor’s Service Organization Control (SOC) report, especially SOC 2, can facilitate the review. Preparing contract abstracts summarizing key contract provisions can also help with oversight efforts.
• Understanding IT vendor plans for security breaches and business continuity can also help determine whether the IT vendor will be able to support business operations in a crisis situation.
• The Defense Contract Audit Agency’s “Contract Audit Manual,” available at http://www.dcaa.mil/cam.htm, is an excellent source of ideas.

• I’m getting ready to prepare/review the IT budget for next year – what should I be considering?

• In many ways, although complex, budgeting for IT does not differ materially from budgeting for other significant business investments and expenses.
• Based on my reviews of IT budgets, I continue to find that implementing basic financial discipline can go a long way in identifying “excess” resources. For example: appropriately planning for infrastructure maintenance, including the impact of changes to architectures (including but not limited to cloud computing); confirming contract compliance and actual use of the technology paid for; and reducing the complexity and variability of the technology used.
• Perhaps most important, financial people should not be intimidated by the vocabulary used in IT budgeting, and should do what is needed to obtain an understanding of the issues represented in the budget in order to fulfill their financial responsibilities.
• I’m the controller for a “midsize” distribution company and have just been assigned responsibility for the Information Technology function. What questions should I be asking?

• Is the effectiveness of the services provided tracked and monitored?
• Is the IT function appropriately placed within the organization, and does the function have the necessary leadership and management assets to satisfy and deliver upon executive management expectations?
• To what extent have financial management practices been implemented by IT (e.g., managerial finance issues including ROI for new projects and key investments)?
• Are critical applications and “core” application systems effectively implemented within the business area, and are system features utilized to the extent possible to enhance the ability of business users of the system to achieve their objectives?
• Is IT risk being managed to an acceptable level given the business objectives identified above?

• It’s been a while since we reviewed our business continuity plan. Any suggestions to jumpstart our efforts?

• BCP is on the agenda of most business leaders, but due to other pressing concerns it does not receive the urgency or funding needed to help ensure that appropriate plans are developed, implemented and maintained.
• BCP is a business issue and includes significant decisions that go beyond information technology concerns. Being able to recover data does not mean that you would also be able to reroute your telecommunications capability to a different facility that will now house your business.
• The Federal Emergency Management Agency (FEMA), through its Ready.gov website, provides significant guidance and tools to help facilitate this process. Of particular note is the “Business Continuity Planning Suite” available at http://www.ready.gov/business-continuity-planning-suite.

• When to use Excel vs. when to use Access?
• For many practitioners the response to this question has more to do with their familiarity with the applications than with the features themselves.
• New versions of Excel have significantly increased the analytical capabilities and presentation of financial analysis, including the use of Pivot Tables, statistical techniques and graphing/charting tools.
• Access is a more sophisticated application that is better suited to managing information.
• Access requires a more disciplined approach, as the various relationships within the database need to be defined during database design, and it generally provides less flexibility for modification than does Excel.
• Access can also provide a report of all actions taken on the database, including the types of queries that were run.

• How can we effectively leverage IT Auditing in our audits?

• Firms of all sizes face the challenge of how technology needs to be assessed, and how to translate technology risk into the audit decision.
• Remember, it's all about understanding and addressing the risk in an effective and efficient manner. Don't get confused by the technical jargon involved.
• Obtain a sufficient understanding of IT so you can determine how it impacts the audit risk model. Assess whether the IT controls are in place and functioning so that you can adjust your overall testing in accordance with the audit risk model.

• How can I secure Microsoft Word documents?

• Although this question appears to be simple, its answer is quite complex.
• Basic protection includes the use of the password and encryption features within Word.
• A variety of access permission options are available, including encrypting the document with a password and limiting further distribution of the document.
• In addition to access privileges, another major threat is the unintended use of the metadata that is contained in the document.

BONUS SLIDE (“December Stocking Stuffers”)

• What should I be reading to enhance my skills?
• “IT Risk,” by George Westerman, Harvard Business School Press, 2007. (General IT Risk Management)
• “The Adventures of an IT Leader,” by Austin, Nolan and O'Donnell, Harvard Business School Press, 2009. (CXO and Leadership)
• “The Art of Intrusion,” by Kevin Mitnick, John Wiley & Sons, 2005. (Information Security and Fraud Prevention)
• “Forensic Analytics,” by Mark Nigrini, John Wiley & Sons, 2011. (IT Audit, Computer-Facilitated Fraud Prevention and Detection)
• “The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes,” by Cappelli, Moore and Trzeciak, Addison-Wesley Professional, 2012. (IT Audit, Information Security, Fraud Prevention and Risk Management)
• “A Practical Guide to Reducing IT Costs,” by Cassidy and Cassidy, J. Ross Publishing, 2010. (CXO and Financial Managers)

FOR FURTHER INFORMATION

• Contact Joel directly at:
Joel Lanz, CPA/CITP, CFF
Joel Lanz, CPA, P.C.
471 N. Broadway – PMB 395
Jericho, NY 11753
(516) 933-3662
jlanz@joellanzcpa.com
www.joellanzcpa.com
• Visit www.joellanzcpa.com for related articles and other related presentations.