NJ ISACA
IT Audit Director’s
Roundtable
October 6, 2010
Michael P Cangemi CPA
Andy Ellsweig CPA, CGEIT
Agenda

Introductions - Format

Major Issues Facing Your Organization?

World Class IA Organization - One View

Data Loss Prevention (DLP) & Privacy

Continuous Monitoring (CCM) & Macro

Cloud Computing & Third Party Processing
2
Business Career – Michael Cangemi







Ernst & Young – CPA – Dir IT Audit
Phelps Dodge – CAE – VP - CIO
Professional work – IS Control Journal (87-07) &
Books - Managing the Audit (Wiley)
BDO Seidman Ptr. IT Audit – IA Services
CFO/COO to CEO Etienne Aigner 91-04
CEO Financial Executives Intl 07-08
Advisory Boards – FASB; IASB; COSO private
companies
Management, IT, Financial Governance
3
Cangemi Company, LLC
Business Career - Andy Ellsweig

Phelps Dodge – Financial/Integrated Auditor
Johnson & Johnson - IT Audit
PaineWebber - IT Audit
Echlin/Dana Corp
KPMG – Information Risk Management
Sony, Schering-Plough, Centennial Corp – IT Audit
Director
Eisner/Amper – Risk Advisory Services

ISACA President, Board member since 1993






4
Discussion



Lets customize the agenda!!!
We know some of your technical challenges
from the pre-meeting survey.
But first:
What are the major issues facing your
organization?
5
World Class Audit – One View
What makes a world class audit organization?
 Good people (an organization)
 Following well thought out procedures
 Focused on significant issues and positive
deliverables
 Team approach to management
Management, IT, Financial Governance
6
Cangemi Company, LLC
Elements of a world class audit
function – Organization (Chap 4)





Audit consists of People & Procedures
Creating the organization - establish a Charter,
Mission Statement
Build in positive deliverables in mission
When was your last SWOT analysis for Internal
Audit? Corp Board - survey!
Document Policies & use to orient (177)
Management, IT, Financial Governance
7
Cangemi Company, LLC
Essence of Internal Audit
Challenges
 How do you contribute to the companies mission? pages (137-138)
 Not involved in products, customers
Managements periodically review audit
contribution. (not everyday, but always someday)
 Are you ready for the review and ROI
Management, IT, Financial Governance
8
Cangemi Company, LLC
The Impact of the Economy on Audit
Departments – Discussion Points
In today’s economic climate, it has become increasingly
necessary to manage audit functions and processes more
efficiently.





What is the impact of the economy on executing our audit plans?
What techniques are being used to accomplish this goal?
Are there effective automation solutions available to help with this?
Are there audit areas that are candidates for elimination or
reduced audit coverage to accommodate strained budgets?
Does management recognize that there is an increased motivation
for fraud and data crimes, concurrent with expectations on audit
departments to recognize such activities despite reduced budgets?
9
Data Loss Prevention / Data Privacy
Data Loss Prevention (DLP): Detecting and preventing the
unauthorized use and transmission of confidential information.
Risks associated with data loss have significantly increased due
to company’s having fragmented and porous network perimeters,
the ability to move massive amounts of information easily, the
value of multiple types of information, as well as new and
emerging regulatory restrictions and marketplace liability for
improperly protecting personal information.
Personally Identifiable Information (PII) includes: Name, Street
Address, Social Security Number (or other National identification
numbers), Credit Card Number, Expiration Date, Authorization
Code, Telephone number, E-mail address, Driver's license
number, Face, fingerprints, or handwriting, etc…..
10
Regulations and Statutes

European Data Privacy Directive (1995)

Gramm-Leach-Bliley Act (1999)

SEC’s Regulation S-P (2000)

California state law regarding data breaches (2003)

Massachusetts regulations regarding information security (2008 –
2009)

US Red Flag Rules (2010)

Payment Card Industry Standards (2008)

HIPAA (1996)/HITECH (2010) Acts
11
Data Breaches – Scope of the Problem
• The Privacy Rights Clearinghouse maintains a Chronology of
Data Breaches




Since 2005 there were 1,720 data breaches made public which resulted in
510,535,937 records breached.
The numbers are not complete, many small breaches are not reported and
the amounts of records breached in many cases is unknown
The reported data breaches includes data elements useful to identity
thieves, such as Social Security numbers, account numbers, and driver's
license numbers
Also includes some breaches that did not expose sensitive information.
• Major causes of breaches include: lost or stolen computers or
storage, hacking, programming/human error and lost backup
tapes
Source: http://privacyrights.org/data-breach
12
Examples of Data Breaches

Heartland Payment Systems: intruders hacked over 100 million
records

San Francisco, July, 2008: disgruntled employee sabotaged the
city’s computers by changing all the Admin passwords.

Iowa recently learned that social security numbers of its
residents were accessible on the Internet since 2005, through a
website maintained by a County

TJX, ChoicePoint, CardSystems, Veterans Administration, and
many more
13
Data Loss Prevention / Privacy –
Discussion Points

Are audit plans and programs being modified / created to address data
loss prevention?

How many companies have designated Privacy Officers?

Are Incident response plans documented?

Is a technical solution for data loss prevention – i.e., systems designed
to automatically monitor for data leakage – considered essential to
enterprise risk management?

Are there automated audit tools being used to determine the
effectiveness of data loss prevention programs?

Are IT and executive management cognizant and being responsive to
protecting organizations from data loss breaches?

How do we see data loss prevention evolving?
14
Continuous Controls Monitoring
CCM technology provides an automated in-line
means to effectively audit transactions and identify
fraud and other exceptions in real time.
15
Continuous Monitoring Macro



Automation – computers, new
communications and surveillance devices
leads to expansion of monitoring
There is an ever expanding “Orwellian”
interest in monitoring
Government – National security; compliance
– tax; motor vehicle monitoring
16
Business Monitoring

Business - Financial & IC Focus –
–

Start higher - CM – is more pervasive
–


Most common terms CCM, CCM-T, CA
Need for more clarity of CM objectives, benefits
and definitions
CM adds value to IC system – COSO
Monitoring – good step, not far enough
Hence – FERF Research paper
17
Overview Of Continuous Monitoring
Society
Business
Monitoring
Government
Operations
National
Security
Monitoring
Compliance
Monitoring
(IRS)
IT
Finance
HR
CM Security
Info
Integrity
CCM-T
& recs
CCM-S
of duties
CCM-T
Internal Audit / GRC
18
Business Monitoring



Features expanded use of near real time –
automated monitoring
We need to redefine the Control Community
Role & CM terminology (EDPACS Article)
Operations in addition to Financial Focus
–

Bigger Focus on Controls – based in operations –
FedExp to Easy pass
Finance & audit – to lead & educate
19
Continuous Controls Monitoring –
Discussion Points
•
CM - What is your company doing to take advantage of automation to improve
data & information integrity?
•
Who has implemented or is planning to implement CCM?
•
What are some notable successes and failures in using this technology?
•
What types of transactional activities and data mining are being used and where
do we see the greatest potential benefits?
•
How has the use of CCM affected legacy audit planning and procedures?
•
Are there any other areas of CCM that could be used for more effective audits and
timely identification of aberrant activities – e.g., monitoring IT controls?
•
Is the use of CCM destined to become an important and requisite audit
methodology best practice?
20
Cloud Computing & Outsourcing
Firms are moving at a tremendous pace to cloud computing
based architectures and assignment of processing controls
to third party processors to reap the cost savings.
The NIST has defined Cloud computing as: a model for
enabling convenient, on-demand network access to a shared
pool of configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management
effort or service provider interaction.
21
The NIST Cloud Definition Framework
Hybrid Clouds
Community
Cloud
Deployment
Models
Private
Cloud
Service
Models
Software as a
Service (SaaS)
Public Cloud
Platform as a
Service (PaaS)
Infrastructure as a
Service (IaaS)
On Demand Self-Service
Essential
Characteristics
Common
Characteristics
Source: NIST
Broad Network Access
Rapid Elasticity
Resource Pooling
Measured Service
Massive Scale
Resilient Computing
Homogeneity
Geographic Distribution
Virtualization
Service Orientation
Low Cost Software
Advanced Security
22
Cloud Computing in Financial Terms






No more buying servers (that will probably not ever be fully utilized and start
losing value as soon as they’re delivered).
Companies will not need to spend money on switches and routers, backup
power, redundant bandwidth, and expensive HVAC systems that servers
require .
Can reduce expenses for IT staff specifically dedicated to server
maintenance and server/computer rooms.
Servers become someone else’s responsibility. They buy it, and you rent it.
You rent it by the megahertz, gigabyte, or bits per second.
Cloud service providers hire the server room staff and you rent their services.
Allows companies to reap great economies of scale and reduce capital
expenditures and IT operating costs.
Source: Proformative
23
Cloud Economics – Cost Savings
Estimates vary widely on potential cost savings:

Brian Gammage, Gartner Fellow
“If you move your data center to a cloud provider, it will be a tenth of the cost.”

CTO of Washington D.C.
–

Preferred Hotel
–
–

Government agencies moving to public or private clouds can save from 50 to 67 percent.
Merrill Lynch
–

Traditional: $210k server refresh and $10k/month
Cloud: $10k implementation and $16k/month
Ted Alford and Gwen Morton of Booz Allen Hamilton
–

Use of cloud applications can reduce costs from 50% to 90%
Claimed that technology could make business applications “3 to 5 times cheaper,” meaning that
organizations could save anywhere from 67 to 80%
William Forrest, McKinsey Analyst
–
In disputing some of the cost savings examples he indicated that: There would be
few savings from cloud migrations and that moving to the cloud actually would cost
24
144 percent more than current expenditures.
Six Costly Cloud Mistakes
There are a number of "hidden gotchas" when it comes to using cloud
infrastructure providers

Not taking full account of financial commitments on existing
hardware.

Not factoring in your unique requirements when signing up for a
cloud service.

Signing an agreement that doesn't account for seasonal or
variable demands.

Assuming you can move your apps to the cloud for free.

Assuming an incumbent vendor's new cloud offering is best for
you.

Getting locked in to a cloud solution.
Source: CFO.com
25
Provider Due Diligence

Before entering into an agreement with a cloud (or any outsourced) provider,
organizations need to perform due diligence procedures, which should be based on the
type of data/processes being outsourced or moved to the Cloud

Due diligence should be carried out by a multi-disciplinary team that could include
members from the business area(s) affected, finance, legal, information security,
privacy office, corporate security & audit

Many companies use questionnaires as a first step for assessing vendor’s controls

Because it does not fit in their cost model, most cloud providers will not allow on- site
audits

If Type II SAS70s (or other certifications) are not available (e.g., for smaller providers
or new entrants into Cloud Computing), then an “on-site” audit is recommended

Audits should be performed pre-contract execution where possible

Should also evaluate the vendors health, including review of D&B reports
26
SAS70s Reliance & Limitations
SAS70 limitations include a general lack of security focus and the testing
procedures are sometimes narrowly defined
When reviewing SAS70s, organizations should consider the following:
•
•
•
•
•
•
•
Was it a Type I or a type II?
Who performed the SAS70?
Did the entity receive a clean audit opinion?
What audit objectives were covered by the SAS70?
Were there any findings and how were they addressed?
What Client Control Considerations were included?
Is this enough to cover the organizations regulatory requirements (e.g., PCI, SOX,
GLBA, Privacy Laws)
Organizations should look for additional assurances besides the SAS70s, which
can include: ISO 27001/27002, TRUSTe, Safeharbor, SysTrust/WebTrust
27
Cloud Computing & Third Party
Processing – Discussion Points

What are the risks associated with third party processing that are of most
concern?

How is third party processing being audited by organizations – e.g., right to audit
clauses vs. reliance on SAS 70 reports?

Are companies doing adequate due diligence before contracting with third party
providers – particularly in regards to involving audit departments prior to
contractual commitments?

How is the complex digital supply chain – where multiple downstream providers
provide services for each other and data residence and transmission points are
increasingly obscure – being dealt with from an audit perspective?

What types of controls and associated technologies are considered essential to
auditing third party processing?

How has the economy impacted how we determine ongoing vendor viability?
28
WRAP-UP

Other Topics or Focus area?

Major Takeaways
29
Thank You
To all participants
&
JH Cohn
30
For More Information:
Michael P Cangemi CPA CISA
President Cangemi Company LLC
mpcangemi@msn.com
www.canco.us
732.662.4868
Andy Ellsweig
Senior Manager
EisnerAmper LLP
Andrew.ellsweig@eisneramper.com
732.287.1000, x- 1297