Information Technology Auditing IT Controls

Transcription

Information Technology Auditing IT Controls
James D. Boyd, MBA, CPA, CIA, CISA, CIG
Inspector General
Florida Dept. of Health

- Understanding IT Controls
- Importance of IT Controls
- Effective IT Controls
- IT Roles and Responsibilities
- Analyzing Risk

General Controls
- Information security
- Segregation of key IT functions
- Management of systems acquisition and implementation
- Change management
- Backup/Recovery
- Business continuity
Application Controls
- Data edits
- Balancing of processing totals
- Transaction logging
- Error reporting

Governance Controls
- Effective information management, security principles, policies, and processes.
- Performance and compliance.
- Mandated and controlled by board, in conjunction with management.
- Linked with organizational goals and strategies and outside bodies, e.g. regulators.
Management Controls
- Management responsible for internal controls; all areas of the organization.
- Collaboration among board members and management is essential.
- Management must ensure IT controls are deployed to recognize risks to organization, processes and assets.
- Mechanisms and processes to mitigate and manage risks (protect, monitor, and measure results).

Technical Controls
- Ensure the reliability of virtually every other control.
- Protect against unauthorized access and intrusion.
- Basis for reliance on the integrity of information.
- Should include evidence of all changes and their authenticity.
- Specific to technologies in use.
- Implement and demonstrate compliance with policies.

Policies Should Include
- General Policy Statement
- Classification Statement
- Definitions of Concepts
- Personnel Policies
- Business Continuity Requirements

Standards
- Systems Development Process
- Systems Software Configuration
- Application Controls
- Data Structures
- Documentation

Organization and Management
- Separation of Duties
- Financial Controls
- Change Management
- Other Management Controls

Physical and Environmental Controls
- Physical Locks, Limiting Access to Servers
- Restricting Physical Access to Specific Individuals
- Fire Detection and Suppression Equipment
- Storing Equipment Away from Environmental Hazards

Systems Software Controls
- Access rights allocated and controlled according to the organization’s stated policy.
- Division of duties enforced through systems software and other configuration controls.
- Intrusion and vulnerability assessment, prevention, and detection in place and continuously monitored.
- Intrusion testing performed on a regular basis.
- Encryption services applied where confidentiality is a stated requirement.
- Change management processes — including patch management — in place to ensure a tightly controlled process for applying all changes and patches to software, systems, network components, and data.
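As an added illustration of the first two points (access rights allocated per stated policy, division of duties enforced through configuration), the test an auditor runs over an entitlement extract: flag users holding a conflicting pair of rights, and rights held beyond what their assigned roles permit. This is example code, not from the slides; the role definitions, conflict pairs and user extract are constructed.

```python
from typing import Dict, List, Set, Tuple

# Constructed policy (not from the slides): the rights each role may hold and
# the pairs of rights a single person must never hold together.
ROLE_RIGHTS: Dict[str, Set[str]] = {
    "developer": {"write_code", "run_tests"},
    "release_mgr": {"approve_release", "deploy_prod"},
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
}
SOD_CONFLICTS: List[Tuple[str, str]] = [
    ("write_code", "deploy_prod"),         # author must not ship own change
    ("create_vendor", "approve_payment"),  # vendor setup vs paying that vendor
]

def sod_violations(user_rights: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Division of duties test: which users hold a conflicting pair of rights."""
    found = {}
    for user, rights in user_rights.items():
        hits = [(a, b) for a, b in SOD_CONFLICTS if a in rights and b in rights]
        if hits:
            found[user] = hits
    return found

def excess_rights(user_roles: Dict[str, Set[str]],
                  user_rights: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Policy test: rights a user actually holds beyond what their roles allow."""
    found = {}
    for user, rights in user_rights.items():
        allowed = set().union(*(ROLE_RIGHTS.get(r, set()) for r in user_roles.get(user, ())))
        extra = rights - allowed
        if extra:
            found[user] = extra
    return found

# Constructed entitlement extract, as pulled from the system for review.
USER_ROLES = {"alice": {"developer"}, "bob": {"release_mgr"}, "carol": {"ap_clerk"}}
USER_RIGHTS = {
    "alice": {"write_code", "run_tests", "deploy_prod"},            # conflict + excess
    "bob": {"approve_release", "deploy_prod"},                       # clean
    "carol": {"create_vendor", "enter_invoice", "approve_payment"},  # conflict + excess
}

if __name__ == "__main__":
    print("SoD violations:", sod_violations(USER_RIGHTS))
    print("Rights beyond policy:", excess_rights(USER_ROLES, USER_RIGHTS))
```

Both findings need a documented owner and a remediation date; a right that policy never granted is the more urgent one, because it shows the allocation control itself failed.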

Systems Development and Acquisition Controls
- User requirements should be documented, and their achievement measured.
- Systems design should follow a formal process to ensure user requirements and controls are designed into the system.
- Systems development should be conducted in a structured manner to ensure requirements and design features are incorporated into the finished product.
- Testing should ensure that individual system elements work as required, system interfaces operate as expected, users are involved in the testing process, and the intended functionality has been provided.
- Application maintenance processes should ensure that changes in application systems follow a consistent pattern of control and are subject to validation.
- Where systems development is outsourced, the outsourcer or provider contracts should require similar controls.

Application Based Controls
- Data is accurate, complete, authorized and correct
- Data is processed as intended
- Output is accurate and complete
- Record tracking data from input to processing to output

Input Controls
- Checks integrity of data entered into a business application.
- Input is checked to ensure that it remains within specified parameters.
Processing Controls
- Provide automated means to ensure processing is complete, accurate, and authorized.
Output Controls
- Address what is done with the data. Should compare actual result with intended result and check them against the input.

Integrity Controls
- Can monitor data in process and/or in storage to ensure data remains consistent and correct.
Management Audit Trail
- Enable tracking of transactions from the source to the ultimate result and to trace backward to identify transactions and events.
- These controls should monitor the effectiveness of overall controls and identify the source of errors.
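As an added example (not from the slides) that ties the application controls above together, a small batch job applies input edits to each field, balances accepted records against header control totals (the "balancing of processing totals" control), logs every accept/reject decision as a transaction trail, and lets an outcome be traced backward to its source record. The batch layout, field rules and control totals are constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Tuple

@dataclass
class Batch:
    """Constructed layout (not from the slides): header control totals keyed
    from source documents, plus transactions with id, account and amount."""
    records: List[Dict]
    expected_count: int
    expected_total: Decimal
    log: List[str] = field(default_factory=list)  # transaction/audit trail
def input_edits(rec: Dict) -> List[str]:
    """Input control: edit checks that keep each field within set parameters."""
    errs = []
    if not str(rec.get("id", "")).isdigit():
        errs.append("id not numeric")
    if not str(rec.get("account", "")).startswith("ACC-"):
        errs.append("bad account format")
    amt = rec.get("amount")
    if not isinstance(amt, Decimal) or not Decimal("0") < amt <= Decimal("10000"):
        errs.append("amount outside 0..10000")
    return errs
def process_batch(batch: Batch) -> Tuple[bool, Decimal]:
    """Processing control: accepted records must balance to header totals; log each decision."""
    count, total = 0, Decimal("0")
    for rec in batch.records:
        errs = input_edits(rec)
        if errs:
            batch.log.append(f"REJECT id={rec.get('id')} reason={'; '.join(errs)}")
            continue
        count += 1
        total += rec["amount"]
        batch.log.append(f"ACCEPT id={rec['id']} amount={rec['amount']}")
    balanced = count == batch.expected_count and total == batch.expected_total
    batch.log.append(f"BALANCE count={count}/{batch.expected_count} "
                     f"total={total}/{batch.expected_total} ok={balanced}")
    return balanced, total
def trace(batch: Batch, rec_id: str) -> List[str]:
    """Audit trail: trace backward from an outcome to the record behind it."""
    return [line for line in batch.log if f"id={rec_id} " in line]
def sample_batch(fault: str = "") -> Batch:
    """Constructed input; "tamper" alters an amount after the header was keyed, "bad_id" breaks an id."""
    recs = [{"id": "1", "account": "ACC-10", "amount": Decimal("250.00")},
            {"id": "2", "account": "ACC-11", "amount": Decimal("75.50")}]
    if fault == "tamper":
        recs[1]["amount"] = Decimal("750.50")
    elif fault == "bad_id":
        recs[1]["id"] = "x"
    return Batch(recs, expected_count=2, expected_total=Decimal("325.50"))
```

An out-of-balance batch is the output control's signal that the result does not match the input; the log then shows whether a rejected record or an altered amount caused it.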

Elements of Information Security
- Confidentiality
- Integrity
- Availability

Key Components
- Regulatory and Statutory Compliance
- Consistency with organization goals and objectives
- Assurance activities comply with policies and an organization’s risk appetite

- Ability to execute new upgrades, products and services
- Projects delivered on time, and within budget
- Predictable resource allocation
- Consistency in availability and reliability of information and services

- Clear communication to management of effective controls
- Ability to protect against new threats and recover from any disruptions
- Efficient use of customer support center or help desk
- Security consciousness throughout organization

Overall Objectives of IT:
- Delivery of reliable information securely and efficiently
- Protect stakeholders’ interests
- Enable mutually beneficial relationships that accomplish business objectives
- Identify and respond to threats and potential violations appropriately

Board of Directors/Governing Body
- Awareness of key IT topics
- Understanding of IT infrastructure and components
- Approval of data classifications and related access rights

Audit Committee
- Understanding of financial management and organization’s reliance on IT for financial processing and reporting
- Ensuring IT is covered in committee meetings
- Overseeing assessment of IT controls
- Reviewing business and control issues related to new system development and acquisition

Audit Committee (cont.)
- Examining internal and external audit plans and ensuring IT is adequately covered.
- Reviewing audit results and monitoring resolution of issues.

Governance Committee
- Ensure potential and current board members have suitable IT knowledge
- Assess board committee performance in IT oversight
- Review external regulatory governance assessments as related to IT
- Ensure board reviews IT policies periodically

Chief Executive Officer
- Define IT-related objectives and performance measures.
- Custodian over organization’s IT-related critical success factors.
- Understand and approve short- and long-range IT strategy.
- Approve IT resources, including structure and oversight/monitoring.
- Identify IT issues for periodic management, board, and staff discussion.
- Ultimate level of responsibility.

Chief Information Officer
- Understand business requirements that drive the need to implement IT.
- Develop IT partnerships with business management to:
  - Ensure IT strategy is aligned with the business strategy.
  - Ensure compliance.
  - Benefit from improvements to process efficiency.
  - Mitigate assessed risks.
- Design, implement, and maintain an IT internal control framework.
- Plan, hire/contract, and control IT resources.
- Explore, assess, select, and implement technology advances (e.g. wireless communications).

Chief Information Officer (cont.)
- Provide training for IT personnel to ensure that levels of knowledge and skills remain current.
- Operate as the highest-level data/system custodian and IT control owner.
- Measure the operational performance of IT in support of business objectives by:
  - Setting expectations.
  - Evaluating results.
- Develop means to verify that IT is providing services and support as expected.

Chief Information Security Officer
- Develops and implements the information security policy.
- Controls and coordinates information security resources, ensuring they are allocated adequately to meet the organization’s security objectives.
- Ensures alignment of information security and business objectives.
- Manages operational information risks throughout the organization.
- Oversees IT security within the organization.
- Provides education and awareness on information security issues and new best practices.

Chief Information Security Officer (cont.)
- Develops end-user policies for the usage of IT information, in conjunction with the human resources function.
- Coordinates information security work with the CIO.
- Advises the CEO, CIO, and Board on IT risk issues.
- Acts as a key link for the CAE when internal auditing performs IT control-related audits.

- Risk Appetite and Tolerance
- Performing Risk Analysis
- Value of Information
- Appropriate IT Controls
- Risk Mitigation Strategies:
  - Accept the risk
  - Eliminate the risk
  - Share the risk
  - Control/mitigate the risk

Control Characteristics to Consider
- Is the control effective?
- Does it achieve the desired result?
- Is the mix of preventive, detective, and corrective controls effective?
- Do controls provide evidence when parameters are exceeded or controls fail?
- How is management alerted to failures, and which steps are expected to be taken?
- Is evidence retained (audit or management trail)?

Control Characteristics to Consider (cont.)
- Do IT policies — including for IT controls — exist?
- Have responsibilities for IT and IT controls been defined, assigned, and accepted?
- Are IT infrastructure equipment and tools logically and physically secured?
- Are access and authentication control mechanisms used?
- Is antivirus software used and updated?
- Are security patches up-to-date?

Control Characteristics to Consider (cont.)
- Is firewall technology implemented in accordance with policy?
- Are external and internal vulnerability assessments completed and risks identified and appropriately resolved?
- Are change and configuration management and quality assurance processes in place?
- Are structured monitoring and service measurement processes in place?
- Are specialist IT audit skills available (either internally or outsourced)?

Control Characteristics to Consider (cont.)
- Is stored data adequately protected?
- Is sensitive data, sent across public networks, encrypted?
- Are security systems, and processes, regularly tested?
- Have the default security settings and passwords been changed?

Audit
Internal Auditing – CAE and Audit Staff
- Advising the audit committee and senior management on IT internal control issues.
- Ensuring IT is included in the audit universe and annual plan (selecting topics).
- Ensuring IT risks are considered when assigning resources and priorities to audit activities.
- Ensuring that audit planning considers IT issues for each audit.
- Performing IT risk assessments.
- Performing IT enterprise-level controls audits.
- Performing IT general controls audits.
- Performing IT applications controls audits.
- During systems development or analysis activities, operating as experts who understand how controls can be implemented and circumvented.

Audit (cont.)
External Auditor
- The extent of the external auditor’s responsibilities for understanding and evaluating the IT system and related IT controls during financial audits.
- The scope of the external auditor’s responsibilities for examining the IT system and controls during any formal attestation that may be required by statute or regulation, such as internal controls over financial reporting and other regulatory requirements.

James D. Boyd, MBA, CPA, CIA, CISA, CIG
Inspector General
Florida Dept. of Health
4052 Bald Cypress Way
Bin #A03
Tallahassee, FL 32399-1704
(850) 245-4141
