Presentation is loading. Please wait.

Presentation is loading. Please wait.

So You Want to Break Into the Industry… SAS No. 94 Requirements and Issues Related to IT Audits for Not-for-Profit Organizations.

Similar presentations


Presentation on theme: "So You Want to Break Into the Industry… SAS No. 94 Requirements and Issues Related to IT Audits for Not-for-Profit Organizations."— Presentation transcript:

1 So You Want to Break Into the Industry… SAS No. 94 Requirements and Issues Related to IT Audits for Not-for-Profit Organizations

2 2 BACKGROUND What is SAS No. 94? – Standard requiring “…the auditor considers how an entity’s use of information technology (IT) and manual procedures may affect controls relevant to the audit.” – AU Section – Effect of Information Technology on Internal Control – Became effective on June 1, 2001

3 3 BACKGROUND Why is SAS No. 94 important? – An entity’s use of IT may affect any of the five components of internal control relevant to the achievement of the entity’s financial reporting, operations, or compliance objectives, and its operating units or business functions. – The use of IT also affects the fundamental manner in which transactions are initiated, recorded, processed, and reported.

4 4 REQUIREMENTS What professional skills are required to assess the effect of IT on internal control? – Determined by the NPO’s use of IT and the scope of the audit – Minimally, the auditor should have the knowledge of the IT audit process and be able to assess the following: Protection of Information Assets IT Governance Systems and Infrastructure Lifecycle Management – Certified Information Systems Auditors are qualified to assess all three (see

5 5 TYPICAL NPO ISSUES Issue #1:Poor Protection of Information Assets – Poor access controls, security architectures, encryption and/or virus prevention and detection Examples From Our Case Study – Blank administrative password to the database provided access to sensitive data including names, addresses, preferences, online donation history, and credit card numbers – Objectionable material, contrary to the NPO’s mission, could be added into the body of the web site by a malicious user

6 6 TYPICAL NPO ISSUES Issue #2:Lack of IT Governance – Poor strategic alignment, – Value delivery, – Resource management, – Risk management, and/or – Performance measurement of IT Example(s) From Our Case Study – Senior management failed to define security objectives – Corporate politics impaired the Technology Oversight Committee’s performance

7 7 TYPICAL NPO ISSUES Issue #3:Weaknesses in Systems and Infrastructure Lifecycle Management – Specifically, weaknesses in benefits management, project management, risk management, change management, system architectures, requirements analysis, acquisition and contract management, system development methodologies, quality assurance, data conversion and/or system migration Examples From Our Case Study – Failure to adhere to system development methodology – Formal requirements were not developed – The security of the 3rd party organization hosting the site was not reviewed prior to executing a contract – Security was not tested prior to implementation

8 8 SCHOOL-SPECIFIC ISSUES Poor Protection of Information Assets – Poor data classification can lead to exposure of sensitive information without proper segregation of shared infrastructure Lack of IT Governance – Fiefdoms – Schools’ IT staffs place each other at risk by developing their own disparate control environments using shared infrastructure

9 9 BENEFITS Win-Win for Auditors and Clients – Provides clients and their stakeholders a higher level of assurance – Provides value-added services to clients in an area where guidance is likely needed – Protects client relationship from firms that offer financial and IT audit services


Download ppt "So You Want to Break Into the Industry… SAS No. 94 Requirements and Issues Related to IT Audits for Not-for-Profit Organizations."

Similar presentations


Ads by Google