State Performance & Technology Audits
Overview of IT Reviews at Local Educational Agencies
Presented to:
Pennsylvania Association of School Business Officials
53rd Annual Conference, March 6, 2008
Introduction
Thomas E. Marks, CPA
Deputy Auditor General for Audits
PA Department of the Auditor General
234 Finance Building, Harrisburg, PA 17120
(717) [email protected]
Introduction
Michael A. Billo, CISA, CGAP
Assistant Director of IT Audits
PA Department of the Auditor General
406 Finance Building, Harrisburg, PA 17120
(717) [email protected]
Department Structure
Bureau of School Audits: over 100 auditors statewide performing performance audits of all LEAs
Information Technology Audits: 7 auditors assisting all audit bureaus with the more complex technology issues in their audits and training the financial and performance auditors in IT auditing
IT Audits Mission Statement
To be an innovative team providing support, analysis, problem-solving, training, and technical audits
Information Technology (IT)
ATM, POS, LAN, WAN, Internet, URL, VPN, gigabyte/terabyte, eBay, ISP, IP address, .com, cell phone, Wii, IM, texting, iPod, Xbox
Information Technology Auditing
Information Technology (IT) auditing, also called Electronic Data Processing (EDP) auditing
Part of the review of internal control
Internal controls related to information technology, e.g., organizational placement of IT personnel, physical and logical access, SDLC, outsourcing, backups and contingency planning
Audit and IT Standards
GAAS – promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA); Statements on Auditing Standards (SASs)
GAGAS (Yellow Book) – promulgated by the U.S. Government Accountability Office (GAO)
ISACA – COBIT
FISCAM (GAO's Federal Information System Controls Audit Manual)
CERT best practices
History of IT Reviews
A school in the southwest region had its membership days changed inadvertently, which affected its membership subsidy
An outside vendor was processing the membership and attendance data for the school
Controls had been relinquished to the outside vendor and were overlooked by the school
Evolution of IT Reviews
Consistency of audit procedures and coverage
Admittedly a new part of the audit
Auditing in the 21st century: technology has changed some internal controls
Multiple vendors are being used by schools for processing membership and attendance data
More than 50 reviews completed during 2007
Evolution of Reviews (cont'd.)
On-the-job training during 2007; more formal training for school auditors in the IT review procedures in the regions in the first quarter of 2008
After the training, school auditors will perform the reviews at all LEAs that use an outside vendor for membership and attendance data processing
Risk
Membership is not a high-risk area; the mindset, however, is important
Other vulnerable IT areas: accounting, Safe Schools, grades, Social Security numbers, student numbers
IT General Controls
Segregation of duties
Access: physical (locks, security) and logical (user IDs and passwords)
Systems Development Life Cycle (SDLC)
Backups and recovery
Contingency planning
Outsourcing
Environmental
Audit Objective
Would you know if your membership and/or attendance data was changed (significantly or otherwise)?
Overview of Audit Procedures
Administer internal control questionnaire through inquiries of relevant management and personnel
Request and review applicable documentation
Rate each weakness as a finding or an observation based on the severity of the weakness and the presence of manual compensating controls
Some specifics …
Walkthrough of hardware, software, interfaces, access methods, etc.
Review of IT contracts/maintenance agreements
Security policies and procedures
User ID approval and maintenance
Separated employees/vendors
Physical and logical access controls
Vendor access
… and a few more
Remote access: vendors and LEA employees via dial-up, Internet, VPN
System development and maintenance; program change control
Backups/recovery
Contingency planning
Environmental considerations
Manual Compensating Controls
Reconciliations
Trends
Rollforwards
Data entry procedures and review
Report review
Evidence of review
Management oversight
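A rollforward reconciliation is the compensating control that answers the audit objective above: it lets the LEA notice when the vendor's membership figure moves in a way the LEA's own enrollments and withdrawals do not explain. The script below is an added example written for this page, not material from the presentation or from the Department of the Auditor General; the period summary layout, the PeriodSummary class and the sample figures are all assumed and constructed for illustration.

```python
"""Membership rollforward reconciliation.

Added example, not from the presentation. It assumes a simple per-period
summary kept by the LEA (opening membership, enrollments, withdrawals) and the
closing membership figure reported back by the outside vendor. The data below
is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PeriodSummary:
    period: str          # reporting period, e.g. "2007-10"
    opening: int         # membership at the start of the period (LEA records)
    enrollments: int     # students added during the period (LEA records)
    withdrawals: int     # students removed during the period (LEA records)
    vendor_closing: int  # closing membership as reported by the vendor


def expected_closing(p: PeriodSummary) -> int:
    """Closing membership implied by the LEA's own records."""
    return p.opening + p.enrollments - p.withdrawals


def reconcile(periods):
    """Return one tuple per exception: (period, what, expected, reported, variance).

    'closing' exceptions are vendor closing figures that the LEA's own activity
    does not explain; 'opening' exceptions are breaks in continuity between one
    period's reported closing and the next period's opening.
    """
    exceptions = []
    prior_closing = None
    for p in periods:
        if prior_closing is not None and p.opening != prior_closing:
            exceptions.append((p.period, "opening", prior_closing, p.opening,
                               p.opening - prior_closing))
        exp = expected_closing(p)
        variance = p.vendor_closing - exp
        if variance != 0:  # membership is a whole-student count; any gap is an exception
            exceptions.append((p.period, "closing", exp, p.vendor_closing, variance))
        prior_closing = p.vendor_closing
    return exceptions


# Constructed sample: October's vendor figure is 12 students higher than the
# LEA's own enrollments and withdrawals explain.
SAMPLE_PERIODS = [
    PeriodSummary("2007-09", 1200, 35, 10, 1225),
    PeriodSummary("2007-10", 1225, 8, 6, 1239),
    PeriodSummary("2007-11", 1239, 4, 9, 1234),
]

if __name__ == "__main__":
    for period, what, expected, reported, variance in reconcile(SAMPLE_PERIODS):
        print(f"{period}: {what} expected {expected}, reported {reported}, variance {variance:+d}")
```

Run monthly, the exception list is the "evidence of review" the deck asks for: a signed-off copy showing each variance was investigated demonstrates that someone at the LEA would in fact know if the data had changed.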
Common Weaknesses: Logical Access
Group IDs or individual IDs?
Password policy and syntax requirements:
Minimum length
Complexity: alpha, numeric and special characters; upper and lower case
Forced to change; how often?
How many failed attempts are allowed?
Logged off after a period of inactivity?
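The questions on this slide can be turned into a mechanical check of a system's configured settings. The script below is an added example written for this page, not material from the presentation or from the Department of the Auditor General. The deck names the questions but sets no thresholds, so every number in BASELINE is an assumed value for illustration; a real review would take them from the LEA's own policy or an agreed standard.

```python
"""Checks for the logical-access weaknesses listed above.

Added example, not from the presentation. The numbers in BASELINE are assumed
values chosen for illustration. A policy is a plain dict transcribed from a
system's security settings; 0 means the setting is switched off.
"""

# Assumed baseline thresholds (not from the presentation)
BASELINE = {
    "min_length": 8,
    "require_upper_lower": True,
    "require_numeric": True,
    "require_special": True,
    "max_age_days": 90,            # forced change interval
    "lockout_threshold": 5,        # failed attempts before the ID is locked
    "inactivity_timeout_min": 15,  # automatic logoff
}


def check_policy(policy: dict) -> list:
    """Return a list of weakness descriptions; an empty list means the
    policy meets every BASELINE setting."""
    findings = []
    min_len = policy.get("min_length", 0)
    if min_len < BASELINE["min_length"]:
        findings.append(f"minimum length {min_len} is below {BASELINE['min_length']}")
    for key, label in (("require_upper_lower", "upper and lower case"),
                       ("require_numeric", "numeric characters"),
                       ("require_special", "special characters")):
        if BASELINE[key] and not policy.get(key, False):
            findings.append(f"complexity: {label} not required")
    # For these settings 0 (off) is the worst case and anything above the
    # baseline is too lax.
    for key, label in (("max_age_days", "password change forced every N days"),
                       ("lockout_threshold", "lockout after N failed attempts"),
                       ("inactivity_timeout_min", "logoff after N minutes idle")):
        value = policy.get(key, 0)
        if value == 0:
            findings.append(f"{label}: not enabled")
        elif value > BASELINE[key]:
            findings.append(f"{label}: {value} exceeds baseline {BASELINE[key]}")
    return findings


def check_password(password: str, policy: dict) -> list:
    """Check one candidate password against the syntax rules in `policy`."""
    problems = []
    if len(password) < policy.get("min_length", 0):
        problems.append("too short")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if policy.get("require_upper_lower") and not (has_upper and has_lower):
        problems.append("needs upper and lower case")
    if policy.get("require_numeric") and not any(c.isdigit() for c in password):
        problems.append("needs a numeric character")
    if policy.get("require_special") and not any(not c.isalnum() for c in password):
        problems.append("needs a special character")
    return problems


# Constructed example of a weak configuration
WEAK_POLICY = {
    "min_length": 6,
    "require_upper_lower": False,
    "require_numeric": True,
    "require_special": False,
    "max_age_days": 0,
    "lockout_threshold": 0,
    "inactivity_timeout_min": 0,
}

if __name__ == "__main__":
    for finding in check_policy(WEAK_POLICY):
        print("weakness:", finding)
    print(check_password("Pa$sw0rd", BASELINE), check_password("password", BASELINE))
```

The policy check covers what the system is configured to enforce; the password check is the separate question of whether an individual ID actually complies, which matters where a policy was tightened after accounts were created and existing passwords were never forced to change.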
Common Weaknesses (cont'd.)
Monitoring logs: is the log being produced? If yes, is anyone looking at it?
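"Is anyone looking at it?" is easiest to answer yes when the review is routine and scripted. The script below is an added example written for this page, not material from the presentation or from the Department of the Auditor General; the log format (timestamp, user=, result=, src=), the failed-attempt threshold, the separated-employee list and the log lines themselves are all assumed and constructed for illustration. It runs two of the checks the deck raises: repeated failed attempts per ID, and successful logons by IDs belonging to separated employees or vendors.

```python
"""Review of a logon log: answering 'is anyone looking at it?'.

Added example, not from the presentation. The log format is assumed and the
lines are constructed for illustration. Two checks are run: repeated failed
attempts per ID against an assumed threshold, and successful logons by IDs on
a constructed separated-employee list.
"""
from collections import Counter

# Assumed values (not from the presentation)
FAILED_ATTEMPT_THRESHOLD = 5
SEPARATED_IDS = {"jsmith"}  # constructed: an employee who has left the LEA

# Constructed sample log: vendor1 succeeds on the sixth try, jsmith is still logging on
SAMPLE_LOG = """\
2007-10-02T07:58:10 user=mjones result=SUCCESS src=10.1.5.20
2007-10-02T08:01:44 user=vendor1 result=FAIL src=203.0.113.8
2007-10-02T08:01:51 user=vendor1 result=FAIL src=203.0.113.8
2007-10-02T08:02:03 user=vendor1 result=FAIL src=203.0.113.8
2007-10-02T08:02:15 user=vendor1 result=FAIL src=203.0.113.8
2007-10-02T08:02:30 user=vendor1 result=FAIL src=203.0.113.8
2007-10-02T08:02:41 user=vendor1 result=SUCCESS src=203.0.113.8
2007-10-02T12:15:09 user=jsmith result=SUCCESS src=10.1.5.33
2007-10-02T16:40:00 user=mjones result=FAIL src=10.1.5.20
"""


def parse_line(line: str) -> dict:
    """Split one log line into {'time': ..., 'user': ..., 'result': ..., 'src': ...}."""
    fields = line.split()
    record = {"time": fields[0]}
    for field in fields[1:]:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def review_log(text: str) -> dict:
    """Return {'repeated_failures': {user: count}, 'separated_logons': [(time, user), ...]}."""
    failures = Counter()
    separated_logons = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("result") == "FAIL":
            failures[rec["user"]] += 1
        elif rec.get("result") == "SUCCESS" and rec["user"] in SEPARATED_IDS:
            separated_logons.append((rec["time"], rec["user"]))
    repeated = {u: n for u, n in failures.items() if n >= FAILED_ATTEMPT_THRESHOLD}
    return {"repeated_failures": repeated, "separated_logons": separated_logons}


if __name__ == "__main__":
    print(review_log(SAMPLE_LOG))
```

In the constructed sample, vendor1 fails five times and then succeeds. If a lockout after five failed attempts were actually enforced, that sixth attempt could not have succeeded, so the log is evidence about the lockout control as well as about the vendor's access; the jsmith entry is the separated-employee check from the "Some specifics" slide.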
Contracts and maintenance agreements: LEA recourse for errors/non-performance
Security and acceptable use policies
Approvals and authorizations
Environmental (smoke, fire, temperature)