IT Skills for the Business Auditor
Positioning Audit Skills for the Future
Information Technology Risks and Controls

Mark Salamasick, CIA, CISA, CRMA, CSP
Director of Center for Internal Auditing Excellence
University of Texas at Dallas
For Houston Chapter Seminar
November 3, 2014

Mark Salamasick, CIA, CISA, CRMA, CSP
• Director of Center for Internal Audit Excellence – 11 years
• Adjunct Faculty, University of Texas at Dallas – 18 years
• Senior Vice President, Internet/Intranet Services, Bank of America – 2 years
• Director Information Technology Audit, SVP, Internal Audit, Bank of America – 18 years
• Senior Consultant, Accenture – 4 years
• Instructor, Accounting and IT, Central Michigan University – 3 years
• BS in BA and MBA – Central Michigan University
• One of six co-authors of the Internal Audit textbook Internal Auditing: Assurance and Consulting Services by IIA Research Foundation, published Summer 2007, Second Edition Summer 2009, and Third Edition Fall 2013
• Author of IIA International Books: Auditing Vendor Relationship, PC Management Best Practices, and Auditing Outsourced Functions
• Numerous IIA International Committees including Board of Trustees, Board Research and Educational Advisors and currently Learning Solutions
• 2005 IIA International Educator of the Year - Leon Radde Award
• Enjoy Running, Road and Mountain Cycling, Travel and Investment Analysis

ITEMS TO COVER
- Background-Setting the Stage
- Technology Expectations
- IT Audit Model Curriculum
- IT Technology Frameworks
- Latest Technology Issues
- Infrastructure Trends
- Overview of GTAGs
- GTAG 1 – 2nd Edition
- Technology Adaption Curve for IA Groups
- Summary

Synopsis
An overview of Critical Success Factors for the 21st Century auditor including an understanding of IT control frameworks, functional areas of IT operations, and the ability to integrate technology into internal audit processes.

Survey and Understanding

Level of IT Understanding
• Business Auditors
• IT Auditors

Technology and Audit
• Infrastructure Audit
• Integrated Audit
• Use of Technology as Tool
• Audit Automation
• Data Analytics

Some Reasonable Objectives for All Auditors
• Understand how technology fits into the overall business processes and its impact.
• Describe key risks and control techniques introduced by technology.
• Articulate the relationship between business transaction processing risks introduced by information technology risks.
• Find and interpret the leading sources of information related to technology control frameworks.
• Determine the significant technology issues to be considered as part of the review of a business unit.
• Integrate application controls as part of business unit audits.
• Understand the emerging technology risk issues.

Model IT Controls Curriculum
• IIA: The IIA's Global Model Internal Audit Curriculum – IT Auditing course Integrated 2012 – Schools recognized as part of IAEP
  https://na.theiia.org/about-us/aboutia/pages/participating-iaep-programschools.aspx
• ISACA Model Curriculum - 2012
  http://www.isaca.org/KnowledgeCenter/Academia/Pages/Programs-Aligned-with-ModelCurriculum-for-IS-Audit-and-Control.aspx

What do University IT Audit and Risk Management Course Objectives look like?
1. Be able to identify key information technology risks and how to mitigate those risks.
2. Be able to develop a control checklist and key audit steps related to technology risks.
3. Be able to distinguish key user technology risks and controls.
4. Be able to identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Auditor (CISA) exam.
5. Identify sources for research of technology risks and apply those techniques to an overall research paper.
6. Learn those areas of technology risks that are currently of most concern to the IIA, AICPA, and ISACA.
7. Be able to distinguish and evaluate key application controls along with auditing of application controls.
8. Identify and evaluate risks in an e-business environment.
9. Understand how to adapt audit coverage to areas of advanced and emerging technologies.

Cobit 5-What Should You Know?

Technology
"I don't know what I don't know"
CAE
"You need to understand where emerging technologies are going to best predict risks the company will face in the future"
Mark Salamasick

Start with One Premise!
There are no barriers… Technology is an enabler….. It is how we adapt to it!

Critical Characteristics of the 21st Century Internal Auditor
Technologically Adept:
• The technology era is clearly transforming the globe
• Technology presents extraordinary risks and opportunities for all enterprises
• The nature of internal audit has been impacted in terms of:
  – The functions, programs, and processes to be audited
  – The techniques employed to carry out the internal audit mission
**From – Robert McDonald – Past Chairman of the IIA

Critical Characteristics of the 21st Century Internal Auditor
Technologically Adept:
• 21st century internal auditors must:
  – Understand IT control frameworks
  – Be knowledgeable of functional areas of IT operations
  – Be capable of auditing e-Commerce, EFT, EDI
  – Be knowledgeable of encryption, computer forensics, and Enterprise-wide resource planning (ERP) software
• In addition, internal auditors must be able to:
  – Integrate technology into internal audit processes
**From – Robert McDonald – Past Chairman of the IIA
Source: CIA Examination Syllabus – Part III

Critical Characteristics of the 21st Century Internal Auditor
Overview of Critical Traits:
• Risk-based orientation
• Global perspective
• Governance expertise
• Technologically adept
• Business acumen
• Creative Thinking and Problem Solving
• Strong ethical compass
**From – Robert McDonald – Past Chairman of the IIA

Evolution of IT Audit: Historical IT Audit Stages

Stage: 1st Generation EDP Audit (Pre-1980)
Characteristics:
• "Checklist"-based EDP Audits
• Compliance with Policies & procedures
• No IT Audit "Specialists"
Focus: Compliance

Stage: 2nd Generation IS Audit (1980s)
Characteristics:
• Auditable IS areas
• Report Problems, Recommend solutions
• Certified EDP Auditors "CISA"
Focus: Control Frameworks

Stage: 3rd Generation IT Audit (1990s)
Characteristics:
• COBIT-Based Audits (1996)
• IT Control self-assessments
• "Integrated Audits"
Focus: Risk / Control

Stage: 4th Generation IT Audit (2000s)
Characteristics:
• Facilitator of positive change
• Enterprise-wide risk management
• Impact of Sarbanes Oxley
• Benchmark performance against best practices
Focus: Risk Management Process

Top Ten IT Priorities From a Top Notch State Information Organization
• Cloud
• Data Management
• Data Sharing
• Infrastructure
• Legacy Applications
• Mobility
• Network
• Open Data
• Security and Privacy
• Social Media

LATEST TRENDS ... AICPA Top Ten Technology Issues
1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risk and compliance
4. Ensuring privacy
5. Managing system implementations
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers

Emerging Technology Trends – EY Survey 2014

What are you doing for Internal Audit IT Integration?

Why are Global Technology Audit Guides (GTAGs) more important?

BIG THREE TECHNOLOGY RISK CATEGORIES
• Information Security
• Business Continuity
• Change Management

Sixteen GTAGs Published
Have you seen these?
• GTAG-1: IT Controls (Published in Mar 2005) 2nd EDITION MARCH 2012
• GTAG-2: Change and Patch Management Controls (Published in June 2005) 2nd EDITION MARCH 2012
• GTAG-3: Continuous Auditing (Published in Oct 2005) Update Coming Soon
• GTAG-4: Management of IT Auditing (Published in Mar 2006) 2nd EDITION January 2013
• GTAG-5: Auditing Privacy Risks (Published in June 2006) 2nd EDITION July 2012
• GTAG-6: Managing and Auditing IT Vulnerabilities (Published in Oct 2006) DELETED January 2013
• GTAG-7: Information Technology Outsourcing (Published in Mar 2007)
• GTAG-8: Auditing Application Controls (Published in July 2007)
• GTAG-9: Identity and Access Management (Published in July 2007)
• GTAG-10: Business Continuity Management (Published in July 2008) (Updated August 2014)
• GTAG-11: Developing the IT Audit Plan (Published in July 2008)
• GTAG-12: Auditing IT Projects (Published in March 2009)
• GTAG-13: Fraud Detection and Prevention in an Automated World (Published in December 2009)
• GTAG-14: Auditing User Developed Applications (Published in June 2010)
• GTAG-15: Information Security Governance (Published in July 2010)
• GTAG-16: Data Analysis Technologies (Published in August 2011)
• GTAG-17: Auditing IT Governance (Published in July 2012)
• GTAG-18 and 19: Cloud Computing and Social Media (Coming Soon)

What Every Business Auditor Should Understand Related to IT Controls
Global Technology Auditing Guide 1-2nd Edition

The Board should:
• Understand the strategic value of the IT function.
• Become informed of role and impact of IT on the enterprise.
• Set strategic direction and expect return.
• Consider how management assigns responsibilities.
• Oversee how transformation happens.
• Understand constraints within which management operates.
• Oversee enterprise alignment.
• Direct management to deliver measurable value through IT.
• Oversee enterprise risk.
• Support learning, growth, and management of resources.
• Oversee how performance is measured.
• Obtain assurance.

Executive management should:
• Become informed of role and impact of IT on the enterprise.
• Cascade strategy, policies, and goals down into the enterprise, and align the IT organization with the enterprise goals.
• Determine required capabilities and investments.
• Assign accountability.
• Sustain current operations.
• Provide needed organizational structures and resources.
• Embed clear accountabilities for risk management and control over IT.
• Measure performance.
• Focus on core business competencies IT must support.
• Focus on important IT processes that improve business value.
• Create a flexible and adaptive enterprise that leverages information and knowledge.
• Strengthen value delivery.
• Develop strategies to optimize IT costs.
• Have clear external sourcing strategies.

Senior management should:
• Manage business and executive expectations relative to IT.
• Drive IT strategy development and execute against it.
• Link IT budgets to strategic aims and objectives.
• Ensure measurable value is delivered on time and budget.
• Implement IT standards, policies and control framework as needed.
• Inform and educate executives on IT issues.
• Look into ways of increasing IT value contribution.
• Ensure good management over IT projects.
• Provide IT infrastructures that facilitate cost-efficient creation and sharing of business intelligence.
• Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives and create value.
• Assess risks, mitigate efficiently, and make risks transparent to the stakeholders.
• Ensure that roles critical for managing IT risks are appropriately defined and staffed.
• Ensure the day-to-day management and verification of IT processes and controls.
• Implement performance measures directly and demonstrably linked to the strategy.
• Focus on core IT competencies.

The internal audit activity should:
• Ensure a sufficient baseline level of IT audit expertise in the department.
• Include evaluation of IT in its planning process.
• Assess whether IT governance in the organization sustains and supports strategies and objectives.
• Identify and assess the risk exposures relating to the organization's information systems.
• Assess controls responding to risks within the organization's information systems.
• Ensure that the audit department has the IT expertise to fulfill its engagements.
• Consider using technology-based audit techniques as appropriate.

IT Control Framework Checklist (Sample from GTAG 1)
1. What legislation exists that impacts the need for IT controls?
2. Has management taken steps to ensure compliance with this legislation?
3. Have all relevant responsibilities for IT controls been allocated to individual roles?
4. Is the allocation of responsibilities communicated to the whole organization?
5. Do individuals clearly understand their responsibilities in relation to IT controls?
6. Does internal audit employ sufficient IT audit specialists to address the IT control issue?
7. Do corporate policies and standards that describe the need for IT controls exist?

Understanding IT Controls – Who should Understand What?
A top-down approach used when considering controls to implement and determining areas on which to focus.
From Global Technology Audit Guide 1.

COSO Model for Technology Controls

Monitoring:
• Monthly metrics from Technology Performance
• Technology Cost and Control performance analysis
• Periodic Technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Information & Communication:
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Control Activities:
• Review Board for Change Management
• Comparison of technology initiatives to plan and ROI
• Documentation and approval of IT plans and systems architecture
• Compliance with Information and Physical Security Standards
• Adherence to Business Continuity Risk Assessment
• Technology standards compliance enforcement

Risk Assessment:
• IT risks included in overall corporate risk assessment
• IT integrated into Business Risk Assessments
• Differentiate IT controls for high risk business areas/functions
• IT Internal audit assessment
• IT Insurance assessment

Control Environment:
• Tone from the Top – IT and Security Controls Considered Important
• Overall Technology Policy and Information Security Policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full Representation of All Business Units

Global Technology Audit Guide that All Business Auditors should put into Practice
• Application controls and their benefits
• The role of internal auditors
• How to perform a risk assessment
• Application control review scoping
• Application review approaches
• Common application controls, suggested tests, and a sample review program

USE OF TECHNOLOGY AS A TOOL

Technology Maturity Model
• Drill-down dashboards of all key audit activity
• Quality assessment tool
• Continuous controls testing and monitoring
• Automated sharing of audit programs and files
• Intranet for audit knowledge sharing, training, and access to tools
• Formal technology strategy
• Highly skilled data team
• Expanded technical training for staff
• Expanded suite of data tools
• Automated work papers
• Data retrieval used on most audits
• Reusable programs and checklists
• Initial use of CAATs
• Access to external risk and control databases
• Technology specialist(s)
• Files, etc., in electronic format
• Custom data mining / data analytics
• Use of technology a core competency
• Standalone automated testing routines, e.g. fraud
• Online training programs available on demand
• Risk assessment tools
• Audit scheduling tool
• Initial ad hoc data mining
• Fully integrated audit management system
• Issues availability, tracking updating by management
• Continuous risk assessment

Technology Process Gap Analysis: Example
Red is current state, Green is desired next stage of maturity
Maturity levels: Initial, Adequate, Enhanced, Optimized
Core Technology Process (CTP):
1. Technology Strategy & Focus
2. Risk Assessment & Monitoring
3. Audit Planning & Scheduling
4. Knowledge Management
5. Data Analysis & Mining
6. Audit Reporting & Issue Tracking
7. Audit Execution & Documentation
8. Training
9. Human Resources
10. Quality Improvement
Notes on the chart:
• Sets a clear priority
• May decide some areas are fine for now
• Don't have to move to Optimized for all

IT Audit-Questions to Ponder
• What kind of technology audits should we be doing?
• How integrated should the audit group be?
• What technology should we be using in the Audit Group?
• What skills should the non-IT auditor have?
• What is the mix of audit coverage for projects versus ongoing audit work?
• Where are resources found for IT Audit?
• Should parts of IT Audit be outsourced?
• What parts of Information Technology should be outsourced?
• What about periodic vulnerability testing?
• How do individuals get started in IT Audit?

Summary and Next Steps
• Understand the technology in your environment
• Understand the GTAG Series and determine how it applies
• Utilize the business functions and technology within the enterprise
• Understand your technology controls framework
• Understand your key information technology risk
• Equate technical issue to business processes
• Provide business unit with perspective of how well the technology is doing that supports the business unit
• Perform high level mapping of applications to business units
• Provide CIO view of how his business is doing
• Determine technology training requirements for all levels

Mark Salamasick Contact Info
• Email: Mark.Salamasick@utdallas.edu
• Office Phone: (972) 883-4729
• Cell Phone: (972) 768-3016
• Office: University of Texas at Dallas
  School of Management-4.218
  800 West Campbell Road, SM 41
  Richardson, TX. 75083-0688
• Website: www.utdallas.edu/~msalam
  Jindal.utdallas.edu/iaep