“Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010.
Your Presenters
Thomas Luccock, CPA, CIA Director of Internal Audit
Steve Kurncz, CISA, CISM Information Technology Audit Manager
Michael Chandel, CISA Senior Information Technology Auditor
Our Mission
“To assist University units in effectively discharging their duties while ensuring proper control over University assets.”
Internal Audit at MSU
History of Internal Audit function at MSU
Our Charter
―Introduction
―Purpose
―Authority
―Responsibility
―Independence
―Audit Scope
―Special Investigations
―Reporting
―Audit Standards and Ethics
Organization of Internal Audit
Internal Auditing Defined
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
- Courtesy of the Institute of Internal Auditors (IIA)
Your Perception of an Auditor
“Oh, those >insert your best insult here<”
“They’re out to get us!”
“They’re going to snoop through our data!”
#@*#$%$&$#*%!!!
“The Matrix”, 1999
Our Perception of an Auditor
“The Blues Brothers”, 1980
The Reality of your Internal Auditors
Internal Audit Approach
–Objective members of “Team MSU”
–Act as an independent internal assurance and consulting function designed to help add value to and improve the operation of our University.
–We are here to assist you and help protect our University as a whole.
–We try to view audit projects as a partnership with you and your department.
–We attempt to be as “transparent” as possible.
Certified Auditors
Certified Information Systems Auditor (CISA) designation
―Globally accepted and recognized standard of achievement among information technology (IT) audit, control and security professionals
―Sponsored and governed by the Information Systems Audit and Control Association (ISACA)
o More than 86,000 members in more than 160 countries.
―Accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024
―Requirements of Certification:
o Successful Completion of the CISA Examination.
200 Question exam with a four (4) hour time limit.
o Equivalent of a minimum five (5) years professional information systems auditing, control and security work experience.
o Adherence to the ISACA Code of Professional Ethics.
o Continuing Professional Education (CPE) Policy observance.
Must complete a minimum of 120 CPE Hours every three (3) years for continued certification.
o Adherence to the Information Technology Assurance Framework (ITAF) Auditing Standards adopted by ISACA
Audit Plan Development
“C’mon, why us???”
University-Wide Risk Assessment
―Inherent Risk: The nature of your business.
―Incident Response Procedures
―By Special Request
Tom Izzo, Head Men’s Basketball Coach
Audit Plan Approval
University President Review and Approval
―Monthly Meetings
―Reporting
University Audit Committee Review and Approval
―University Board of Trustees
―Audit Committee Quarterly Meetings
―Annual Meetings
―Reporting
Audit Process
Stage 1: Planning
Audit Engagement
―Engagement Letter
―Preliminary Information Request
Opening Meeting
―Project Overview Given to the Management Group
―Designate a Primary Contact Person
―Official Project Start Date
Inquiry of Management & Staff
―Interviews & Internal Controls Questionnaires (ICQ)
―Tours
Scope Definition
―Risk Assessment
―Six (6) Month “Snap-Shot”
Stage 2: Fieldwork & Documentation
Observations of Processes & Procedures
―Determining & Documenting the Flow of Data
o Data Entry through Data Deletion
―General Information Technology Controls
―Unit Level Application Controls
Sampling & Testing
―Select Specific System Components, Processes and Reports to Review and Compare
―Collaboration with Unit Staff
―Nothing Done Without IT Personnel Assistance or Knowledge
Verification of Statements Made
―Sample the Verbal Statements Made During the Planning Process to Verify Accuracy
Stage 3: Issue Discovery & Validation
Risk Exposure Discovery & Evaluation
―Risk Identification Process Based on ICQs & Fieldwork
―Risk Validation & Mitigating Controls Discussion with IT Personnel
Risk Exposure Presentation to Management
―Discussion with Management Regarding Identified Risk & Potential Mitigating Controls
Management Solution Development
―Risk Mitigation vs. Risk Acceptance
―Risk Considerations in Strategic Planning
Stage 4: Reporting
Draft Report Development & Distribution
―Based on Levels of Identified Risk (Verbal vs. Written)
―Closing Meeting Discussion
―Limited Draft Distribution
Management Response Opportunity
―Due 30 Days from Issuance of Draft Report
―Short Description of Management's Plans and Timeline to Address Identified Risk
Final Report Distribution
―Standard Executive Distribution List with Additional Unit Requests
―Management Responses Included
Stage 5: Issue Tracking
Post Audit Review & Follow Up
―Three (3) to Six (6) Months After Final Report is Issued
―Review of Management Response Status
―Written Status Report Issued to Final Distribution List
Periodic Status Updates
―Potential Second Post Audit Review
―Otherwise, We May Request Periodic Progress Updates
Audit Project Time Table
Just how long will this all take?
―Standard Audit Fieldwork takes approximately one (1) to three (3) months depending on the scope of the audit and complexity of the area under review.
―Limited Review Fieldwork is less time intensive and may only last one to two weeks.
Mark Dantonio, Head Football Coach
IT Audit Scope
MSU Policies, Best Practices, Guidelines and Resources:
―Libraries, Computing & Technology
―http://computing.msu.edu/ (www.msu.edu - Keyword Search: Computing & Technology)
―Department Policies and Guidelines
IT Industry Standards and Best Practices:
―Information Systems Audit and Control Association (ISACA)
―Control Objectives for Information and related Technology (COBIT)
―National Institute of Standards and Technology (NIST)
―www.nist.gov – Information Technology \ Computer Security Portal
―SANS.org
―Computer Security Training, Network Research and Resources
―International Organization for Standardization (ISO)
―ISO 17799 / 27000
University Standards & Guidelines
LCT Guidelines and Policies
―http://www.lct.msu.edu/guidelines-policies/
Managing Sensitive Data
―http://computing.msu.edu/msd/
―Securing Enterprise Data
http://computing.msu.edu/msd/documents/Securing_Enterprise_Data_at_MSU_w_ISO_17799_checklist_14_Apr_07.pdf
Disaster Recovery Planning
―http://www.drp.msu.edu/
Industry Best Practices
ISACA - Information Systems Audit and Control Association
NIST 800 Series
―NIST 800-53 General Controls
―http://csrc.nist.gov/publications/PubsSPs.html
―Risk Assessment Framework: http://csrc.nist.gov/groups/SMA/fisma/framework.html
SANS – SysAdmin, Audit, Network, Security
―www.sans.org
―Audit Focus Site: http://blogs.sans.org/it-audit/
―20 Critical Security Controls for Effective Cyber Defense
ISO 27000 (Formerly ISO 17799-2005)
―http://www.27000.org/
―http://www.sharedassessments.org/ (tool)
Summary of Topics
Internal Audit Overview
Audit Plan Selection
Audit Process
Timetable
Best Practices
Questions
Steve Kurncz, Information Technology Audit Manager
309 Olds Hall, East Lansing, MI 48824-1047
Phone: (517) 355-5030 Fax: (517) 432-1997 Website: www.msu.edu/~intaudit Email: [email protected]
Michael Chandel, Senior Information Technology Auditor
309 Olds Hall, East Lansing, MI 48824-1047
Phone: (517) 355-5030 Fax: (517) 432-1997 Website: www.msu.edu/~intaudit Email: [email protected]
Thank You!