TO CISD MEETING: WELCOME
Information Technology Auditing with the Legislative Auditor
Questions: Ask, but we may defer some or handle them off-line.
Common Goal: To Improve IT Controls in Louisiana State Government
• Same team
• Asked to do more with less
Outline:
• Audit Requirements
• Audit Law
• Audit Standards for IT Controls
• Establishment of IT Audit and What We Do
• How Are Entities Selected for IT Audits
• Criteria Used: COBIT
• Planning and Scoping
• Approach and Basic Parts of the IT Audit
• CoMIT Tool
• If/How Issues Found Are Reported
I. Audits Are Required: Law
• Audit law (RS 24:511-523) requires financial and operational audits: it sets the types of audits, how often and when they occur, and what we are to have access to (including confidentiality requirements).
• CAFR (Comprehensive Annual Financial Report): the annual financial statement for the State of Louisiana as a whole
• Single Audit (Federal)
• Full scope audits: an audit opinion on the entity's financial statements (FS)
• Your systems produce the information needed for these reports, so they are subject to audit.
Audit Standards
• Law dictates what we do, but governmental, financial and IT audit standards dictate how we audit.
• IT audits are done as part of the financial audits, so separate IT audit reports are not produced.
• The US Government Accountability Office (GAO) has issued the Generally Accepted Government Auditing Standards, known as GAGAS.
• Other standards come from the American Institute of Certified Public Accountants (AICPA), the Information Systems Audit and Control Association (ISACA) and other certification bodies.
Per GAGAS “Government audits provide key information to stakeholders and the public to maintain accountability…reduce costs; facilitate decision making; stimulate improvements; and identify current and projected crosscutting issues….”
Standards
• We must consider IT controls. IT controls are often involved when IT is used to initiate, authorize, record, process and report financial data.
• Per GAGAS, specialized techniques or methods may be required to cover IT controls, and a specialist may be needed.
II. Our IT Audit Section
• Was established to cover the IT parts of audits with specialized knowledge and skills. We do other things as well that may affect or involve you:
• Extract data, create queries, data mining
• Provide support for some applications such as BO, Works, ACL, SAP and PeopleSoft
• Create audit programs to cover end-user controls on systems under our audit
• Monitor major implementations
• Assist in examining audit evidence and provide any other assistance needed
• It's all about the assurances we can provide to other auditors and about where the risk is.
IT Audit Section
• The risk and the level of assurance needed dictate how we get the evidence and the type of evidence we must obtain:
• Do we issue an audit report rendering an opinion (full scope)?
• Do we perform procedures on only certain accounts because they are material to the CAFR or the Single Audit?
• Do we interview you, do an observation, re-perform, interview a few people, or test it in detail?
• 3-year rotation
III. How Are Entities Selected?
• We list all the financial audits and the assurances needed (CAFR, SA, full scope, etc.) and determine the IT systems associated with those audits.
• Things considered:
• Do controls rely heavily on IT, or are they more manual or hybrid?
• Size and complexity of the system
• Distributed or centralized
• Dollars processed or stored
• How new the system is, and if/when it was last audited
• Previous problems with the system
• What kind of information it contains and how sensitive it is
• Recent changes
• Level of expertise needed to understand the controls
• Then we prioritize by considering the risk and select auditees.
• Once the systems and entities are selected, we begin planning.
IV. Criteria Used: COBIT
• Created by the IT Governance Institute
• How is COBIT different, and why do we use it?
• The first document containing IT best practices that can be used by both auditors and IT management
• Generally acceptable to third parties and regulators
• Fulfills the COSO requirements for the IT control environment
• Agency IT management can obtain COBIT from the following site (registration is free): https://www.isaca.org/Template.cfm?Section=Home&Template=/Security/Login.cfm
V. Planning & Scoping
• We would let you know that your agency has been selected and possibly provide the CoMIT Tool.
• Select who performs the audit procedures and when (we are currently building our resources).
• The IT auditor would then contact you or your staff for preliminary information in order to scope the audit.
• Per standards, we plan according to risk.
AICPA's Top Tech Issues (Handout)
• Top 10 on p. 2
• Top 5 are:
• Information Security Management
• Privacy Management
• Secure Data File Storage, Transmission and Exchange
• Business Process Improvement, Workflow, and Process Exceptions Alerts
• Mobile and Remote Computing
Plan & Scope: IT Audit Approach
• Use of IT has grown, and we are resource challenged.
• Standardize our procedures and have a common measuring tool.
• The goal was, and is, to obtain as much information up front as possible.
• Began as a self-assessment with a holistic approach for state agencies.

CoMIT Tool: Control Matrix for Information Technology
• For assessment of IT internal controls
• Used as a pilot last year (GSU, LCTCS)
• Greatly revised for 2009
VI. Reporting the Issues Found
• Not a separate audit; no IT audit report
• List deficiencies/issues found in a chart
• Evaluate issues individually and in the aggregate to determine significant deficiencies (example)
• Standards require that "significant deficiencies" be reported. (Handout)
Reporting the Issues Found (continued)
• According to SAS 112, par. 9, "Significance… depends on the potential for a misstatement, not on whether a misstatement actually has occurred."
• Also, per GAGAS, we report matters that may be significant for users or oversight bodies, or of interest to the public.
• But specific exposures are not disclosed (example).
• Traditionally, most is not reported.
Common Problems Found
• Security issues:
• Too much access (business need, segregation of duties)
• Lack of monitoring of access
• Lack of, or inadequate, procedures for granting access
• Remote access
• Lack of encryption
• System settings
• Lack of policies, etc.
• Problems in change management or change control
• Lack of a QA or audit function
• Lack of an up-to-date BC/DRP; not tested; not in a central repository; location of backups
• Lack of network scanning for monitoring
• Issues with firewall rules
Just for Fun: You Might Be an IT Auditor If…
• You have more letters behind your name than in a can of alphabet soup
• You have some gadget on your desk that you have fondly given a name
• Bean counter references make you mad
• Balancing your check book is FUN
• When you have your computer repaired, you ask for all the parts back, labeled and itemized
• Your idea of a vacation is FIELD WORK
• You and your coworkers represent more nationalities than anywhere else in the office
Conclusion: Questions?