NJ ISACA IT Audit Director’s Roundtable


Presentation Transcript


  1. NJ ISACA IT Audit Director’s Roundtable
     October 6, 2010
     Michael P Cangemi CPA
     Andy Ellsweig CPA, CGEIT

  2. Agenda
     • Introductions - Format
     • Major Issues Facing Your Organization?
     • World Class IA Organization - One View
     • Data Loss Prevention (DLP) & Privacy
     • Continuous Monitoring (CCM) & Macro
     • Cloud Computing & Third Party Processing

  3. Business Career – Michael Cangemi
     • Ernst & Young – CPA – Dir IT Audit
     • Phelps Dodge – CAE – VP - CIO
     • Professional work – IS Control Journal (87-07) & Books - Managing the Audit (Wiley)
     • BDO Seidman Ptr. IT Audit – IA Services
     • CFO/COO to CEO Etienne Aigner 91-04
     • CEO Financial Executives Intl 07-08
     • Advisory Boards – FASB; IASB; COSO private companies
     Management, IT, Financial Governance – Cangemi Company, LLC

  4. Business Career - Andy Ellsweig
     • Phelps Dodge – Financial/Integrated Auditor
     • Johnson & Johnson - IT Audit
     • PaineWebber - IT Audit
     • Echlin/Dana Corp
     • KPMG – Information Risk Management
     • Sony, Schering-Plough, Centennial Corp – IT Audit Director
     • Eisner/Amper – Risk Advisory Services
     • ISACA President, Board member since 1993

  5. Discussion
     • Let’s customize the agenda!!!
     • We know some of your technical challenges from the pre-meeting survey. But first:
     • What are the major issues facing your organization?

  6. World Class Audit – One View
     What makes a world class audit organization?
     • Good people (an organization)
     • Following well thought out procedures
     • Focused on significant issues and positive deliverables
     • Team approach to management

  7. Elements of a world class audit function – Organization (Chap 4)
     • Audit consists of People & Procedures
     • Creating the organization - establish a Charter, Mission Statement
     • Build in positive deliverables in mission
     • When was your last SWOT analysis for Internal Audit? Corp Board - survey!
     • Document Policies & use to orient (177)

  8. Essence of Internal Audit Challenges
     • How do you contribute to the company’s mission? - pages (137-138)
     • Not involved in products, customers
     • Management periodically reviews audit contribution (not everyday, but always someday)
     • Are you ready for the review and ROI?

  9. The Impact of the Economy on Audit Departments – Discussion Points
     In today’s economic climate, it has become increasingly necessary to manage audit functions and processes more efficiently.
     • What is the impact of the economy on executing our audit plans?
     • What techniques are being used to accomplish this goal?
     • Are there effective automation solutions available to help with this?
     • Are there audit areas that are candidates for elimination or reduced audit coverage to accommodate strained budgets?
     • Does management recognize that there is an increased motivation for fraud and data crimes, concurrent with expectations on audit departments to recognize such activities despite reduced budgets?

  10. Data Loss Prevention / Data Privacy
     Data Loss Prevention (DLP): Detecting and preventing the unauthorized use and transmission of confidential information.
     Risks associated with data loss have significantly increased because companies have fragmented and porous network perimeters, massive amounts of information can be moved easily, multiple types of information have value, and new and emerging regulatory restrictions and marketplace liability attach to improperly protecting personal information.
     Personally Identifiable Information (PII) includes: Name, Street Address, Social Security Number (or other national identification numbers), Credit Card Number, Expiration Date, Authorization Code, Telephone number, E-mail address, Driver’s license number, Face, fingerprints, or handwriting, etc.
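The slide defines DLP as detecting unauthorized transmission of confidential information and lists the PII elements involved. The following is an added example, not code from the deck or its authors, of how a content scanner applies that definition to outbound text: a regex finds candidates for three of the listed PII types (SSN, payment card number, e-mail address), a validator (SSA issuance rules, Luhn check) discards look-alike numbers, and findings are logged in masked form so the alert itself does not leak the data. The sample messages, the pattern set and the masking format are all constructed for the example.

```python
"""Minimal DLP content scanner for outbound text.

Added illustration, not code from the roundtable deck. The sample messages are
constructed; the rules are simplified versions of the pattern-plus-validator
checks DLP products apply to three of the PII types listed on the slide.
"""
import re
from dataclasses import dataclass

# Candidate patterns. A regex hit alone is noisy, so each hit is passed through
# a validator before it becomes a finding.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "ssn", "card" or "email"
    redacted: str  # masked value, safe to write to an alert log


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test shared by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject numbers the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def redact(kind: str, value: str) -> str:
    """Mask the match so the alert itself does not re-leak the PII."""
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return validated PII findings for one outbound message."""
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", redact("ssn", m.group(0))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("card", redact("card", digits)))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", redact("email", m.group(0))))
    return findings


# Constructed outbound messages: the first leaks three PII elements, the other
# two contain look-alike numbers that the validators should reject.
SAMPLE_MESSAGES = [
    "Customer SSN 123-45-6789, card 4111 1111 1111 1111, contact jane.doe@example.com",
    "Ticket 987-65-4321 closed, no further action",
    "Invoice number 1234 5678 9012 3456 attached",
]


def scan_messages(messages: list[str]) -> dict[int, list[Finding]]:
    """Scan a batch and keep only the messages that produced findings."""
    results = {i: scan_text(msg) for i, msg in enumerate(messages)}
    return {i: f for i, f in results.items() if f}


if __name__ == "__main__":
    for idx, found in scan_messages(SAMPLE_MESSAGES).items():
        print(f"message {idx}: BLOCK", [(f.kind, f.redacted) for f in found])
```

The validators are what keep a scanner like this usable: the invoice number in the third message has the shape of a card number but fails Luhn, and the ticket number in the second has the shape of an SSN but uses an area number the SSA does not issue, so neither raises an alert.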

  11. Regulations and Statutes
     European Data Privacy Directive (1995)
     Gramm-Leach-Bliley Act (1999)
     SEC’s Regulation S-P (2000)
     California state law regarding data breaches (2003)
     Massachusetts regulations regarding information security (2008 – 2009)
     US Red Flag Rules (2010)
     Payment Card Industry Standards (2008)
     HIPAA (1996)/HITECH (2010) Acts

  12. Data Breaches – Scope of the Problem
     • The Privacy Rights Clearinghouse maintains a Chronology of Data Breaches
     • Since 2005 there were 1,720 data breaches made public, which resulted in 510,535,937 records breached.
     • The numbers are not complete: many small breaches are not reported, and the number of records breached is in many cases unknown
     • The reported data breaches include data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver’s license numbers
     • The chronology also includes some breaches that did not expose sensitive information.
     • Major causes of breaches include: lost or stolen computers or storage, hacking, programming/human error and lost backup tapes
     Source: http://privacyrights.org/data-breach

  13. Examples of Data Breaches
     Heartland Payment Systems: intruders hacked over 100 million records
     San Francisco, July 2008: a disgruntled employee sabotaged the city’s computers by changing all the Admin passwords.
     Iowa recently learned that social security numbers of its residents had been accessible on the Internet since 2005, through a website maintained by a county
     TJX, ChoicePoint, CardSystems, Veterans Administration, and many more

  14. Data Loss Prevention / Privacy – Discussion Points
     • Are audit plans and programs being modified / created to address data loss prevention?
     • How many companies have designated Privacy Officers?
     • Are incident response plans documented?
     • Is a technical solution for data loss prevention – i.e., systems designed to automatically monitor for data leakage – considered essential to enterprise risk management?
     • Are there automated audit tools being used to determine the effectiveness of data loss prevention programs?
     • Are IT and executive management cognizant of and responsive to protecting organizations from data loss breaches?
     • How do we see data loss prevention evolving?

  15. Continuous Controls Monitoring
     CCM technology provides an automated in-line means to effectively audit transactions and identify fraud and other exceptions in real time.

  16. Continuous Monitoring Macro
     • Automation – computers, new communications and surveillance devices – leads to expansion of monitoring
     • There is an ever expanding “Orwellian” interest in monitoring
     • Government – National security; compliance – tax; motor vehicle monitoring

  17. Business Monitoring
     • Business - Financial & IC Focus –
     • Most common terms CCM, CCM-T, CA
     • Start higher - CM – is more pervasive
     • Need for more clarity of CM objectives, benefits and definitions
     • CM adds value to IC system – COSO Monitoring – good step, not far enough
     • Hence – FERF Research paper

  18. Overview Of Continuous Monitoring
     [Diagram: a hierarchy of monitoring, recovered labels only]
     Society
       Government: National Security Monitoring; Compliance Monitoring (IRS)
       Business Monitoring – Operations: HR, IT, Finance
         CCM-S of duties; CM - Security / Info Integrity; CCM-T & recs; CCM-T
         Internal Audit / GRC

  19. Business Monitoring
     • Features expanded use of near real time – automated monitoring
     • We need to redefine the Control Community Role & CM terminology (EDPACS Article)
     • Operations in addition to Financial Focus
     • Bigger Focus on Controls – based in operations – FedEx to E-ZPass
     • Finance & audit – to lead & educate
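Slide 15 describes CCM as an automated in-line means of auditing transactions and flagging exceptions in real time, and slide 18 splits it into segregation-of-duties (CCM-S) and transaction (CCM-T) monitoring. The following is an added example, not code from the deck or its authors, of what such a monitor looks like in practice: it consumes a payment feed one record at a time and raises an alert when the creator also approved the payment, when a vendor invoice is paid a second time, or when a payment over a limit is released without a senior approver. The payment records, the approval limit and the senior-approver list are constructed for the example.

```python
"""Continuous controls monitoring (CCM) over a stream of payment transactions.

Added illustration, not code from the roundtable deck. The payment records,
approval policy and senior-approver list are constructed; the rules are
simplified transaction (CCM-T) and segregation-of-duties (CCM-S) tests that
run on each transaction as it arrives rather than on a periodic sample.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    txn_id: str
    vendor: str
    invoice: str
    amount: float
    created_by: str   # user who entered the payment
    approved_by: str  # user who released it


@dataclass(frozen=True)
class Alert:
    rule: str
    txn_id: str
    detail: str


# Constructed policy: payments above this amount need a senior approver.
APPROVAL_LIMIT = 10_000.00
SENIOR_APPROVERS = {"erin"}


class ControlsMonitor:
    """Stateful in-line monitor: feed it payments one at a time."""

    def __init__(self, limit=APPROVAL_LIMIT, seniors=None):
        self.limit = limit
        self.seniors = SENIOR_APPROVERS if seniors is None else seniors
        self._seen = {}  # (vendor, invoice) -> txn_id of the first payment

    def process(self, p: Payment) -> list[Alert]:
        alerts = []
        # CCM-S: the person who creates a payment must not also approve it.
        if p.created_by == p.approved_by:
            alerts.append(Alert("segregation_of_duties", p.txn_id,
                                f"{p.created_by} both created and approved"))
        # CCM-T: same vendor invoice paid twice (classic duplicate payment).
        key = (p.vendor, p.invoice)
        if key in self._seen:
            alerts.append(Alert("duplicate_payment", p.txn_id,
                                f"{p.vendor} {p.invoice} already paid in {self._seen[key]}"))
        else:
            self._seen[key] = p.txn_id
        # CCM-T: large payment released without the required approval level.
        if p.amount > self.limit and p.approved_by not in self.seniors:
            alerts.append(Alert("approval_limit", p.txn_id,
                                f"{p.amount:.2f} approved by non-senior {p.approved_by}"))
        return alerts

    def run(self, feed) -> list[Alert]:
        return [a for p in feed for a in self.process(p)]


# Constructed feed: one clean payment, then one of each exception type,
# then a large payment that is correctly approved.
SAMPLE_FEED = [
    Payment("T1001", "Acme Supply", "INV-551", 4200.00, "alice", "bob"),
    Payment("T1002", "Acme Supply", "INV-551", 4200.00, "alice", "carol"),
    Payment("T1003", "Globex", "INV-0093", 1500.00, "dave", "dave"),
    Payment("T1004", "Initech", "INV-77", 25000.00, "alice", "bob"),
    Payment("T1005", "Initech", "INV-78", 25000.00, "alice", "erin"),
]


def monitor_feed(feed=SAMPLE_FEED) -> list[tuple[str, str]]:
    """Run the monitor over a feed and return (rule, txn_id) pairs."""
    return [(a.rule, a.txn_id) for a in ControlsMonitor().run(feed)]


if __name__ == "__main__":
    for rule, txn in monitor_feed():
        print(f"{txn}: {rule}")
```

The duplicate-payment rule is the reason the monitor has to be stateful: it only works because every payment it has already seen stays in memory, which is what distinguishes continuous in-line monitoring from re-running a query against a month-end extract.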

  20. Continuous Controls Monitoring – Discussion Points
     • CM - What is your company doing to take advantage of automation to improve data & information integrity?
     • Who has implemented or is planning to implement CCM?
     • What are some notable successes and failures in using this technology?
     • What types of transactional activities and data mining are being used, and where do we see the greatest potential benefits?
     • How has the use of CCM affected legacy audit planning and procedures?
     • Are there any other areas of CCM that could be used for more effective audits and timely identification of aberrant activities – e.g., monitoring IT controls?
     • Is the use of CCM destined to become an important and requisite audit methodology best practice?

  21. Cloud Computing & Outsourcing
     Firms are moving at a tremendous pace to cloud computing based architectures and assignment of processing controls to third party processors to reap the cost savings. NIST has defined cloud computing as: a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

  22. The NIST Cloud Definition Framework
     Deployment Models: Public Cloud, Private Cloud, Hybrid Clouds, Community Cloud
     Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
     Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
     Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security
     Source: NIST

  23. Cloud Computing in Financial Terms
     • No more buying servers (that will probably never be fully utilized and start losing value as soon as they’re delivered).
     • Companies will not need to spend money on switches and routers, backup power, redundant bandwidth, and expensive HVAC systems that servers require.
     • Can reduce expenses for IT staff specifically dedicated to server maintenance and server/computer rooms.
     • Servers become someone else’s responsibility. They buy it, and you rent it. You rent it by the megahertz, gigabyte, or bits per second.
     • Cloud service providers hire the server room staff and you rent their services.
     • Allows companies to reap great economies of scale and reduce capital expenditures and IT operating costs.
     Source: Proformative

  24. Cloud Economics – Cost Savings
     Estimates vary widely on potential cost savings:
     • Brian Gammage, Gartner Fellow
       • “If you move your data center to a cloud provider, it will be a tenth of the cost.”
     • CTO of Washington D.C.
       • Use of cloud applications can reduce costs from 50% to 90%
     • Preferred Hotel
       • Traditional: $210k server refresh and $10k/month
       • Cloud: $10k implementation and $16k/month
     • Ted Alford and Gwen Morton of Booz Allen Hamilton
       • Government agencies moving to public or private clouds can save from 50 to 67 percent.
     • Merrill Lynch
       • Claimed that technology could make business applications “3 to 5 times cheaper,” meaning that organizations could save anywhere from 67 to 80%
     • William Forrest, McKinsey Analyst
       • In disputing some of the cost savings examples he indicated that there would be few savings from cloud migrations and that moving to the cloud actually would cost 144 percent more than current expenditures.

  25. Six Costly Cloud Mistakes
     There are a number of “hidden gotchas” when it comes to using cloud infrastructure providers:
     • Not taking full account of financial commitments on existing hardware.
     • Not factoring in your unique requirements when signing up for a cloud service.
     • Signing an agreement that doesn’t account for seasonal or variable demands.
     • Assuming you can move your apps to the cloud for free.
     • Assuming an incumbent vendor’s new cloud offering is best for you.
     • Getting locked in to a cloud solution.
     Source: CFO.com

  26. Provider Due Diligence
     • Before entering into an agreement with a cloud (or any outsourced) provider, organizations need to perform due diligence procedures, which should be based on the type of data/processes being outsourced or moved to the Cloud
     • Due diligence should be carried out by a multi-disciplinary team that could include members from the business area(s) affected, finance, legal, information security, privacy office, corporate security & audit
     • Many companies use questionnaires as a first step for assessing vendors’ controls
     • Because it does not fit in their cost model, most cloud providers will not allow on-site audits
     • If Type II SAS70s (or other certifications) are not available (e.g., for smaller providers or new entrants into Cloud Computing), then an “on-site” audit is recommended
     • Audits should be performed pre-contract execution where possible
     • Should also evaluate the vendor’s health, including review of D&B reports

  27. SAS70s Reliance & Limitations
     SAS70 limitations include a general lack of security focus and testing procedures that are sometimes narrowly defined.
     When reviewing SAS70s, organizations should consider the following:
     • Was it a Type I or a Type II?
     • Who performed the SAS70?
     • Did the entity receive a clean audit opinion?
     • What audit objectives were covered by the SAS70?
     • Were there any findings and how were they addressed?
     • What Client Control Considerations were included?
     • Is this enough to cover the organization’s regulatory requirements (e.g., PCI, SOX, GLBA, Privacy Laws)?
     Organizations should look for additional assurances besides the SAS70s, which can include: ISO 27001/27002, TRUSTe, Safe Harbor, SysTrust/WebTrust

  28. Cloud Computing & Third Party Processing – Discussion Points
     • What are the risks associated with third party processing that are of most concern?
     • How is third party processing being audited by organizations – e.g., right to audit clauses vs. reliance on SAS 70 reports?
     • Are companies doing adequate due diligence before contracting with third party providers – particularly in regards to involving audit departments prior to contractual commitments?
     • How is the complex digital supply chain – where multiple downstream providers provide services for each other and data residence and transmission points are increasingly obscure – being dealt with from an audit perspective?
     • What types of controls and associated technologies are considered essential to auditing third party processing?
     • How has the economy impacted how we determine ongoing vendor viability?

  29. WRAP-UP
     • Other Topics or Focus area?
     • Major Takeaways

  30. Thank You
     To all participants & JH Cohn

  31. For More Information:
     Michael P Cangemi CPA CISA, President, Cangemi Company LLC
     mpcangemi@msn.com – www.canco.us – 732.662.4868
     Andy Ellsweig, Senior Manager, EisnerAmper LLP
     Andrew.ellsweig@eisneramper.com – 732.287.1000, x-1297
