Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Skills for the Business Auditor Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Auditing Excellence University of Texas at Dallas.

Similar presentations

Presentation on theme: "IT Skills for the Business Auditor Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Auditing Excellence University of Texas at Dallas."— Presentation transcript:

1 IT Skills for the Business Auditor Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Auditing Excellence University of Texas at Dallas For Houston Chapter Seminar November 3, 2014 Positioning Audit Skills for the Future Information Technology Risks and Controls

2 1 Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Audit Excellence – 11 years Adjunct Faculty, University of Texas at Dallas – 18 years Senior Vice President, Internet/Intranet Services, Bank of America – 2 years Director Information Technology Audit, SVP, Internal Audit, Bank of America – 18 years Senior Consultant, Accenture – 4 years Instructor, Accounting and IT, Central Michigan University – 3 years BS in BA and MBA – Central Michigan University One of six co-authors of Internal Audit textbook-Internal Auditing: Assurance and Consulting Services by IIA Research Foundation published Summer, 2007, Second Edition Summer, 2009 and, Third Edition Fall, 2013 Author of IIA International Books-Auditing Vendor Relationship, PC Management Best Practices, and Auditing Outsourced Functions Numerous IIA International Committees including Board of Trustees, Board Research and Educational Advisors and currently Learning Solutions 2005 IIA International Educator of the Year - Leon Radde Award Enjoy Running, Road and Mountain Cycling, Travel and Investment Analysis

3 ITEMS TO COVER -Background-Setting the Stage -Technology Expectations -IT Audit Model Curriculum -IT Technology Frameworks -Latest Technology Issues -Infrastructure Trends -Overview of GTAG’s -GTAG 1 – 2 nd Edition -Technology Adaption Curve for IA Groups -Summary 2

4 Synopsis An overview of Critical Success Factors’ for the 21st Century auditor including an understanding of IT control frameworks, functional areas of IT operations, and the ability to integrate technology into internal audit processes. 3

5 4 Survey and Understanding

6 Level of IT Understanding Business Auditors IT Auditors 5

7 Technology and Audit Infrastructure Audit Integrated Audit Use of Technology as Tool Audit Automation Data Analytics 6

8 7 Understand how technology fits into the overall business processes and its impact. Describe key risks and control techniques introduced by technology. Articulate the relationship between business transaction processing risks introduced by information technology risks. Find and interpret the leading sources of information related to technology control frameworks. Determine the significant technology issues to be considered as part of the review of a business unit. Integrate application controls as part of business unit audits. Understand the emerging technology risk issues. Some Reasonable Objectives for All Auditors

9 Model IT Controls Curriculum IIA The IIA’s Global Model Internal Audit Curriculum – IT Auditing course Integrated - 2012 – Schools recognized as part of IAEP ia/pages/participating-iaep-program- schools.aspx ia/pages/participating-iaep-program- schools.aspx ISACA Model Curriculum - 2012 Center/Academia/Pages/Programs-Aligned-with-Model- Curriculum-for-IS-Audit-and-Control.aspx 8

10 What does a University IT Audit and Risk Management Course Objectives look like? 1. Be able to identify key information technology risks and how to mitigate those risks. 2. Be able to develop a control checklist and key audit steps related to technology risks. 3. Be able to distinguish key user technology risks and controls. 4. Be able identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Audit (CISA) exam. 5. Identify sources for research of technology risks and apply those techniques to an overall research paper. 6.Learn those areas of technology risks that are currently of most concern to the IIA, AICPA, and ISACA. 7. Be able to distinguish and evaluate key application controls along with auditing of application controls. 8. Identify and evaluate risks in an e-business environment. 9. Understand how to adapt audit coverage to areas of advanced and emerging technologies. 9

11 Cobit 5-What Should You Know? 10

12 11 “You need to understand where emerging technologies are going to best predict risks the company will face in the future” Mark Salamasick Technology “I don’t know what I don’t know” CAE

13 12 Start with One Premise! There are no barriers… Technology is an enabler….. It is how we adapt to it!

14 13 Critical Characteristics of the 21 st Century Internal Auditor Technologically Adept: The technology era is clearly transforming the globe Technology presents extraordinary risks and opportunities for all enterprises The nature of internal audit has been impacted in terms of: © The functions, programs, and processes to be audited © The techniques employed to carry out the internal audit mission **From – Robert McDonald – Past Chairman of the IIA

15 14 Critical Characteristics of the 21 st Century Internal Auditor Technologically Adept: 21 st century internal auditors must: © Understand IT control frameworks © Be knowledgeable of functional areas of IT operations © Be capable of auditing e-Commerce, EFT, EDI © Be knowledgeable of encryption, computer forensics, and Enterprise-wide resource planning (ERP) software In addition, internal auditors must be able to: © Integrate technology into internal audit processes Source: CIA Examination Syllabus – Part III **From – Robert McDonald – Past Chairman of the IIA

16 15 Critical Characteristics of the 21 st Century Internal Auditor Overview of Critical Traits: Risk-based orientation Global perspective Governance expertise Technologically adept Business acumen Creative Thinking and Problem Solving Strong ethical compass **From – Robert McDonald – Past Chairman of the IIA

17 16 2nd Generation IS Audit (1980s) 1st Generation EDP Audit (Pre-1980) 4th Generation IT Audit (2000s) 3rd Generation IT Audit (1990s) “Checklist”-based EDP Audits Compliance with Policies & procedures No IT Audit “Specialists” Compliance StageCharacteristics Focus Auditable IS areas Report Problems, Recommend solutions Certified EDP Auditors “CISA” Control Frameworks COBIT-Based Audits (1996) IT Control self-assessments “Integrated Audits” Risk / Control Facilitator of positive change Enterprise-wide risk management Impact of Sarbanes Oxley Benchmark performance against best practices Risk Management Process Evolution of IT Audit: Historical IT Audit Stages

18 Top Ten IT Priorities From a Top Notch State Information Organization ›› CloudCloud ›› Data ManagementData Management ›› Data SharingData Sharing ›› InfrastructureInfrastructure ›› Legacy ApplicationsLegacy Applications ›› MobilityMobility ›› NetworkNetwork ›› Open DataOpen Data ›› Security and PrivacySecurity and Privacy ›› Social MediaSocial Media 17


20 AICPA Top Ten Technology Issues 1.Managing and retaining data 2.Securing the IT environment 3.Managing IT risk and compliance 4.Ensuring privacy 5.Managing system implementations 6.Preventing and responding to computer fraud 7.Enabling decision support and analytics 8.Governing and managing IT investment/spending 9.Leveraging emerging technologies 10.Managing vendors and service providers

21 Emerging Technology Trends – EY Survey 2014 20

22 What are you doing for Internal Audit IT Integration? 21

23 22 Why are Global Technology Audit Guides (GTAG ’ s) more important?

24 BIG THREE TECHNOLOGY RISK CATEGORIES Information Security Business Continuity Change Management 23

25 24 Sixteen GTAGs Published Have you seen these? GTAG-1: IT Controls (Published in Mar 2005) 2 nd EDITION MARCH 2012 GTAG-2: Change and Patch Management Controls (Published in June 2005) 2 nd EDITION MARCH 2012 GTAG-3: Continuous Auditing (Published in Oct 2005) Update Coming Soon GTAG-5: Auditing Privacy Risks (Published in June 2006) 2 nd EDITION July 2012 GTAG-4: Management of IT Auditing (Published in Mar 2006) 2 nd EDITION January 2013 GTAG-6: Managing and Auditing IT Vulnerabilities (Published in Oct 2006) DELETED January 2013

26 25 Sixteen GTAGs Published Have you seen these? GTAG-7: Information Technology Outsourcing (Published in Mar 2007) GTAG-8: Auditing Application Controls (Published in July 2007) GTAG-9: Identity and Access Management (Published in July 2007) GTAG-10: Business Continuity Management (Published in July 2008) (Updated August 2014) GTAG-11: Developing the IT Audit Plan (Published in July 2008) GTAG-12: Auditing IT Projects (Published in March 2009)

27 26 Sixteen GTAGs Published Have you seen these? GTAG-13: Fraud Detection and Prevention in an Automated World (Published in December 2009) GTAG-14: Auditing User Developed Applications (Published in June 2010) GTAG-15:Information Security Governance (Published in July 2010) GTAG-16: Data Analysis Technologies (Published in August 2011) GTAG-17: Auditing IT Governance (Published in July 2012) GTAG-18 and 19: Cloud Computing and Social Media (Coming Soon)

28 27 What Every Business Auditor Should Understand Related to IT Controls Global Technology Auditing Guide 1-2 nd Edition

29 The Board should: Understand the strategic value of the IT function. Become informed of role and impact of IT on the enterprise. Set strategic direction and expect return. Consider how management assigns responsibilities. Oversee how transformation happens. Understand constraints within which management operates. Oversee enterprise alignment. Direct management to deliver measurable value through IT. Oversee enterprise risk. Support learning, growth, and management of resources. Oversee how performance is measured. Obtain assurance. 28

30 Executive management should: Become informed of role and impact of IT on the enterprise. Cascade strategy, policies, and goals down into the enterprise, and align the IT organization with the enterprise goals. Determine required capabilities and investments. Assign accountability. Sustain current operations. Provide needed organizational structures and resources. Embed clear accountabilities for risk management and control over IT. Measure performance. Focus on core business competencies IT must support. Focus on important IT processes that improve business value. Create a flexible and adaptive enterprise that leverages information and knowledge. Strengthen value delivery. Develop strategies to optimize IT costs. Have clear external sourcing strategies. 29

31 Senior management should: Manage business and executive expectations relative to IT. Drive IT strategy development and execute against it. Link IT budgets to strategic aims and objectives. Ensure measurable value is delivered on time and budget. Implement IT standards, policies and control framework as needed. Inform and educate executives on IT issues. Look into ways of increasing IT value contribution. Ensure good management over IT projects. Provide IT infrastructures that facilitate cost-efficient creation and sharing of business intelligence. Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives and create value. Assess risks, mitigate efficiently, and make risks transparent to the stakeholders. Ensure that roles critical for managing IT risks are appropriately defined and staffed. Ensure the day-to-day management and verification of IT processes and controls. Implement performance measures directly and demonstrably linked to the strategy. Focus on core IT competencies. 30

32 The internal audit activity should: Ensure a sufficient baseline level of IT audit expertise in the department. Include evaluation of IT in its planning process. Assess whether IT governance in the organization sustains and supports strategies and objectives. Identify and assess the risk exposures relating to the organization’s information systems. Assess controls responding to risks within the organization’s information systems. Ensure that the audit department has the IT expertise to fulfill its engagements. Consider use technology-based audit techniques as appropriate. 31

33 IT Control Framework Checklist (Sample from GTAG 1) 1.What legislation exists that impacts the need to IT controls? 2.Has management taken steps to ensure compliance with this legislation? 3.Have all relevant responsibilities for IT Controls been allocated to individual roles? 4.Is the allocation of responsibilities communicated to the whole organization? 5.Do individuals clearly understand their responsibilities in relation to IT controls? 6.Does internal audit employ sufficient IT audit specialists to address the IT control issue? 7.Do corporate policies and standards that describe the need for IT controls exist? 32

34 33 A top-down approach used when considering controls to implement and determining areas on which to focus. From Global Technology Audit Guide 1. Understanding IT Controls – Who should Understand What?

35 34 Monitoring: Monthly metrics from Technology Performance Technology Cost and Control performance analysis Periodic Technology management assessments Internal audit of technology enterprise Internal audit of high risk areas Control Activities: Review Board for Change Management Comparison of technology initiatives to plan and ROI Documentation and approval of IT plans and systems architecture Compliance with Information and Physical Security Standards Adherence to Business Continuity Risk Assessment Technology standards compliance enforcement Risk Assessment: IT risks included in overall corporate risk assessment IT integrated into Business Risk Assessments Differentiate IT controls for high risk business areas/functions IT Internal audit assessment IT Insurance assessment Control Environment: Tone from the Top – IT and Security Controls Considered Important Overall Technology Policy and Information Security Policy Corporate Technology Governance Committee Technology Architecture and Standards Committee Full Representation of All Business Units Information & Communication: Periodic corporate communications (intranet, e-mail, meetings, mailings) Ongoing technology awareness of best practices IT performance survey IT and security training Help desk ongoing issue resolution MONITORING INFORMATION AND COMMUNICATION CONTROL ACTIVITIES RISK ASSESSMENT CONTROL ENVIRONMENT COSO Model for Technology Controls

36 35 Global Technology Audit Guide that All Business Auditors should put into Practice Application controls and their benefits The role of internal auditors How to perform a risk assessment Application control review scoping Application review approaches Common application controls, suggested tests, and a sample review program


38 Technology Maturity Model Audit scheduling tool Automated work papers Data retrieval used on most audits Custom data mining / data analytics Initial ad hoc data mining Risk assessment tools Continuous controls testing and monitoring Formal technology strategy Standalone automated testing routines, e.g. fraud Online training programs available on demand Issues availability, tracking updating by management Intranet for audit knowledge sharing, training, and access to tools Automated sharing of audit programs and files Fully integrated audit management system Files, etc., in electronic format Highly skilled data team Technology specialist(s) Drill-down dashboards of all key audit activity Reusable programs and checklists Initial use of CAATs Access to external risk and control databases Continuous risk assessment Quality assessment tool Use of technology a core competency Expanded technical training for staff Expanded suite of data tools

39 Technology Process Gap Analysis: Example Core Technology Process (CTP) InitialAdequateEnhancedOptimized 1.Technology Strategy & Focus XX 2.Risk Assessment & Monitoring XX 3.Audit Planning & SchedulingX 4.Knowledge ManagementX 5.Data Analysis & Mining XX 6.Audit Reporting & Issue TrackingX 7.Audit Execution & DocumentationX 8.Training XX 9.Human Re sources XX 10.Quality Improvement XX Sets a clear priority Don’t have to move to Optimized for all May decide some areas are fine for now Red is current state, Green is desired next stage of maturity

40 39 IT Audit-Questions to Ponder What kind of technology audits should we be doing? How integrated should the audit group be? What technology should we be using in the Audit Group? What skills should the non-IT auditor have? What is the mix of audit coverage for projects versus ongoing audit work? Where are resources found for IT Audit? Should parts of IT Audit be outsourced? What parts of Information Technology should be outsourced? What about periodic vulnerability testing? How do individuals get started in IT Audit?

41 40 Summary and Next Steps Understand the technology in your environment Understand the GTAG Series and determine how it applies Utilize the business functions and technology within the enterprise Understand your technology controls framework Understand your key information technology risk Equate technical issue to business processes Provide business unit with perspective of how well the technology is doing that supports the business unit Perform high level mapping of applications to business units Provide CIO view of how his business is doing Determine technology training requirements for all levels

42 41 Mark Salamasick Contact Info Email: Office Phone: (972) 883-4729 Cell Phone: (972) 768-3016 Office: University of Texas at Dallas School of Management-4.218 800 West Campbell Road, SM 41 Richardson, TX. 75083-0688 Website:

Download ppt "IT Skills for the Business Auditor Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Auditing Excellence University of Texas at Dallas."

Similar presentations

Ads by Google