Presentation is loading. Please wait.

Presentation is loading. Please wait.

Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President,

Similar presentations


Presentation on theme: "Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President,"— Presentation transcript:

1 Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President, Association of College & University Auditors voice (404) / fax (404) Robert N. Clark, Jr., C.I.A., Director of Internal Auditing, Georgia Tech June 2003

2 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

3 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk

4 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage

5 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy

6 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices

7 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

8 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Reporting Structure at GIT President Provost Sr. VP Admin & Finance Vice Chancellor for Audit Services Board of Regents Director of Internal Auditing Executive Staff CIO Director Info Security

9 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION Passive SCOPE Internal Control* Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence *Defined along the lines of COSO’s Integrated Framework APPROACH

10 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION PREVENTION Passive Active SCOPE Internal Control* Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers *Defined along the lines of COSO’s Integrated Framework APPROACH

11 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION ADVISORY PREVENTION Passive Active SCOPE Internal Control* Business Performance Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Defining process improvement opportunities, if seen By-product of internal control assessment but not focusing on internal controls Moving away from compliance auditing (dangerous position…) Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers *Defined along the lines of COSO’s Integrated Framework APPROACH

12 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION ADVISORY PREVENTIONSOLUTION Passive Active SCOPE Internal Control* Business Performance Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Defining process improvement opportunities, if seen By-product of internal control assessment but not focusing on internal controls Moving away from compliance auditing (dangerous position…) Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers Target process improvements as a key goal Focus on Assessing Risk and Management’s Mitigation of Risk Work toward implementation of cost- beneficial internal controls & compliance Teamwork approach while maintaining objectivity and independent perspective *Defined along the lines of COSO’s Integrated Framework APPROACH

13 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit’s Role… …it’s more than counting beans...

14 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risk… Internal Audit’s role:  Identify key risks  Identify key risks of the organization not just financial  Look at all areas of exposure, not just financial  Focus on the issues that matter most in safeguarding the assets of the Institute strength of processes to mitigate risks  Develop audit procedures to examine high risk areas and verify strength of processes to mitigate risks effectiveness  Provide feedback to mgmt on effectiveness of policies and procedures  Promote awareness of policies and best practices bring Management together  Help bring Management together on key risks  Develop organizational approach to managing risk

15 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June What is RISK? … Anything that could prevent the organization from meeting its goals

16 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risk – with Management  Talk with all members of Senior Management (one-on-one discussions)  Ask key questions, such as:  “Where are potential exposures?”  “ What keeps you up at night? ”  “Where do you see risks for your unit and GIT?” What are some of the potential adverse situations that could occur within…?  “ What are some of the potential adverse situations that could occur within…? ”  Goal is to identify and inventory RISKS

17 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risks: Description of adverse situation that could occur

18 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5)

19 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5) x Probability of this situation occurring (1-5) = Risk Ranking

20 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Risk Discussion Tool

21 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Audit Risk Universe

22 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Audit Focus -- Zeroing In Information Gathering Monitoring/ General Awareness (committees) Informal Reviews (surveying internal control) Risk-Based Audits (processes & risk) Process Improvement (reengineering) Strategy/Solution Development/ Partnering w/ Mgmt. as Key Resource Audits of compliance & controls

23 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Identifying Unit-level Information Systems Risks  Logical Security  Environmental and Physical Controls  Data Security and Stewardship  Management of IS Resources  Equipment Maintenance  Back-up and Recovery  Training and Documentation  Operations/ Administration  Web Site Operation/ Development  Software Licensing

24 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

25 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June IT Advising IA on audit coverage…  CIO, Director of Information Security, and others in IT review draft of audit programs, in some cases helping to draft audit steps (“What would you, as CIO, look for if you were conducting these reviews?”)  IT provides further insight, clarification, and direction to auditors  Internal Auditing seeks IT’s opinion/support regarding feasibility of audit recommendations  Ultimately, Internal Auditing’s decision – but collaborating with IT to ensure the most effective coverage of IT risks throughout the organization

26 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June The Audit Plan  Focus on reviewing how each organization is moving toward effectively and efficiently mitigating each of the risks  Independent verifications & attestations to determine strength of processes  Conclusions are forward- looking - how well positioned are they to deal with risk ?

27 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June

28 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

29 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Feedback to IT…  Reports go not only to unit head but to senior management (including CIO) to show where opportunities for improvement exist  Direct communication with CIO regarding areas in which more training/education/guidance or IT focus should be provided to campus units  IA offers advice to senior mgmt on areas for policy enhancement

30 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

31 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Recommended best practices…  IA provides trend analysis summaries to senior management (including CIO) showing common areas across campus requiring improvement  Leads to targeted plans for action aimed at addressing the specific issues (as opposed to blanket policies which may be unnecessarily onerous)

32 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Recommended procedures…  President assembled committee (chaired by CIO) to revise Computer Network Usage Policy VP for Finance, VP for HR, Chief Legal Advisor, Director of Internal Auditing, Associate Dean, Student Govt. rep, & others [Note: IA’s role was not to “set” policy, rather to advise committee on key areas the policy should address]

33 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

34 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Responding to Info Security Incidents  Information on an incident may come from a variety of sources: OHR – personnel-related complaint Legal Affairs – person seeking legal advice Financial Services – questionable transaction(s) Campus Police – allegation of illegal behavior Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection system reports, etc. Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.

35 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Responding to Info Security Incidents  Challenge: ensuring a consistent approach to dealing with incidents  Risk : If investigation not handled appropriately or consistently, puts Institute at risk  Solution : IA recommended creation of ad-hoc task force and procedure to address Info Security incidents

36 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 

37 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 1  Incident is brought to attention of member of mgmt  He/She convenes Ad-Hoc Group [CIO, AVP-OHR, Chief Legal Advisor, Director Internal Auditing, Director of Information Security]  “What do we know now?”  Group shares info to determine other resources that may need to be involved (e.g., Director Campus Security, AVP- Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)  Group determines needed resources

38 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 2  Group makes a determination on the potential outcome E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only? This determines procedures to be followed in conducting the investigation and standard of evidence to which to adhere Also determines whether law enforcement should be notified and/or involved

39 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 3  Group determines who will take the lead in facilitating the investigation. This person: Coordinates efforts, arranges meetings, initiates status reporting Initiates status reporting to the Office of the President Determines appropriate custodian of investigation data Facilitates reporting at the end of investigation

40 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 4  Investigation is conducted following appropriate procedures agreed-to by Group  Regular communication with Group on status, observations, noteworthy issues  Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues

41 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 5  Group re-convenes to: evaluate effectiveness of process; document “lessons learned”; and discuss ways the situation may be prevented in the future, e.g., –Additional audit steps to examine for this elsewhere? –Need for policy enhancement? –Need for additional education/awareness?

42 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents

43 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Results of Collaborative Approach  IA and IT aligned on areas of high risk  Common approach for responding to Information Security incidents  IT becomes source of “education and awareness” for IA  IA able to represent organizational perspective on IT issues across campus to audiences to which IT would not normally have access  IA provides independent and objective feedback to IT on effectiveness of IT policies and procedures (within OIT and across the campus)  Combining perspectives to establish best practices for Information Systems across organization

44 Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June


Download ppt "Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President,"

Similar presentations


Ads by Google