State Performance & Technology Audits
Overview of IT Reviews at Local Educational Agencies
Presented to: Pennsylvania Association of School Business Officials, 53rd Annual Conference, March 6, 2008
Introduction
Thomas E. Marks, CPA
Deputy Auditor General for Audits
PA Department of the Auditor General
234 Finance Building, Harrisburg, PA
(717)

Introduction
Michael A. Billo, CISA, CGAP
Assistant Director of IT Audits
PA Department of the Auditor General
406 Finance Building, Harrisburg, PA
(717)
Department Structure
- Bureau of School Audits: over 100 auditors statewide performing performance audits of all LEAs
- Information Technology Audits: 7 auditors assisting all audit bureaus with the more complex technology issues in their audits, and training the financial and performance auditors in IT auditing
IT Audits Mission Statement
To be an innovative team providing support, analysis, problem-solving, training, and technical audits
Information Technology (IT)
ATM, POS, LAN, WAN, Internet, URL, VPN, gigabyte/terabyte, eBay, ISP, IP address, .com, cell phone, Wii, IM, texting, iPod, Xbox
Information Technology Auditing
- Information Technology (IT) Auditing
- Electronic Data Processing (EDP) Auditing
- Part of the review of internal control
- Internal controls related to information technology, e.g., organizational placement of IT personnel, physical and logical access, SDLC, outsourcing, backups and contingency planning
Audit and IT Standards
- GAAS: promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA); Statements on Auditing Standards (SASs)
- GAGAS (Yellow Book): promulgated by the U.S. Government Accountability Office (GAO)
- ISACA: COBIT
- FISCAM
- CERT best practices
History of IT Reviews
- A school in the southwest region had its membership days changed inadvertently, which affected its membership subsidy
- An outside vendor processed the membership and attendance data for the school
- Controls were relinquished to the outside vendor and overlooked by the school
Evolution of IT Reviews
- Consistency of audit procedures and coverage
- Admittedly a new part of the audit
- Auditing in the 21st century
- Technology has changed some internal controls
- Multiple vendors being used by schools for processing membership and attendance data
- More than 50 reviews completed during 2007
Evolution of Reviews (cont'd.)
- On-the-job training during 2007; more formal training for school auditors in the IT review procedures in the regions in the first quarter of 2008
- After the training, school auditors will perform the reviews at all LEAs that use an outside vendor for membership and attendance data processing
Risk
- Membership is not a high-risk area
- The mindset, however, is important
- Other vulnerable IT areas: accounting, Safe Schools, grades, Social Security numbers, student numbers
IT General Controls
- Segregation of duties
- Access: physical (locks, security) and logical (user IDs and passwords)
- Systems Development Life Cycle (SDLC)
- Backups and recovery
- Contingency planning
- Outsourcing
- Environmental
Audit Objective
Would you know if your membership and/or attendance data was changed (significantly or otherwise)?
IT Application Controls
- Data origination
- Data input
- Data processing
- Data output
Overview of Audit Procedures
- Administer an internal control questionnaire through inquiries of relevant management and personnel
- Request and review applicable documentation
- Rate weaknesses in a finding or observation based on the severity of the weaknesses and the presence of manual compensating controls
Some specifics ...
- Walkthrough of hardware, software, interfaces, access methods, etc.
- Review of IT contracts/maintenance agreements
- Security policies and procedures
- User ID approval and maintenance
- Separated employees/vendors
- Physical and logical access controls
- Vendor access
... and a few more
- Remote access: vendors and LEA employees; dial-up, Internet, VPN
- System development and maintenance
- Program change control
- Backups/recovery
- Contingency planning
- Environmental considerations
Manual Compensating Controls
- Reconciliations
- Trends
- Rollforwards
- Data entry procedures and review
- Report review
- Evidence of review
- Management oversight
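The audit objective above ("would you know if your membership data was changed?") and the rollforward and reconciliation controls on this slide can be demonstrated with a small script. The following is an added example written for this transcript; it is not a tool of the Department of the Auditor General, and the student IDs, membership-day figures and approved adjustments are constructed sample data. It rolls the prior-period file forward by the LEA's approved adjustments and reports every record in the vendor's current file that the approved adjustments do not explain, and it hashes a snapshot of the file so two copies can be compared for any change at all.

```python
"""Roll-forward reconciliation of membership data (added example, constructed data)."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, not real LEA records: membership days per student at
# the start of the period, the adjustments the LEA approved during the period,
# and the file the outside vendor returned at period end.
PRIOR = {"S1001": 180, "S1002": 180, "S1003": 175, "S1004": 180}
APPROVED_ADJUSTMENTS = [
    # (student id, change in membership days, documented support for the change)
    ("S1003", +5, "enrollment date corrected; approved 2008-03-01"),
    ("S1004", -10, "withdrawal effective 2008-02-20"),
]
CURRENT = {"S1001": 180, "S1002": 170, "S1003": 180, "S1004": 170, "S1005": 90}


@dataclass(frozen=True)
class Discrepancy:
    student_id: str
    expected: Optional[int]   # None when the record is not in the rolled-forward file
    actual: Optional[int]     # None when the record is missing from the current file
    note: str


def snapshot_digest(records: dict) -> str:
    """SHA-256 over a canonical serialisation of the file.

    Keeping the digest of the file as received lets the LEA detect that *anything*
    changed between two copies, even before working out what changed.
    """
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def apply_adjustments(prior: dict, adjustments: list) -> dict:
    """Roll the prior-period figures forward by the approved adjustments only."""
    expected = dict(prior)
    for student_id, delta, _support in adjustments:
        expected[student_id] = expected.get(student_id, 0) + delta
    return expected


def rollforward(prior: dict, adjustments: list, current: dict) -> list:
    """Compare the rolled-forward file with the vendor's current file.

    Every difference is a record whose change is not supported by an approved
    adjustment and therefore needs to be explained, whether it is large or small.
    """
    expected = apply_adjustments(prior, adjustments)
    findings = []
    for sid in sorted(set(expected) | set(current)):
        exp, act = expected.get(sid), current.get(sid)
        if exp is None:
            findings.append(Discrepancy(sid, None, act, "record added with no approved adjustment"))
        elif act is None:
            findings.append(Discrepancy(sid, exp, None, "record missing from current file"))
        elif exp != act:
            findings.append(Discrepancy(sid, exp, act, "unexplained change in membership days"))
    return findings


if __name__ == "__main__":
    print("prior digest  :", snapshot_digest(PRIOR))
    print("current digest:", snapshot_digest(CURRENT))
    for d in rollforward(PRIOR, APPROVED_ADJUSTMENTS, CURRENT):
        print(f"{d.student_id}: expected {d.expected}, actual {d.actual} ({d.note})")
```

Run against the constructed data, the roll-forward clears S1003 and S1004 (both changes are backed by approved adjustments) and reports S1002, whose days dropped from 180 to 170 with no support, and S1005, a record the vendor file contains that the LEA never approved. Each reported record is exactly the kind of item the "evidence of review" and "management oversight" controls should show someone followed up on.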
Common Weaknesses
- Logical access
  - Group IDs or individual IDs
  - Password policy and syntax requirements
    - Minimum length
    - Complexity: alpha, numeric and special characters; upper and lower case
    - Forced to change; how often?
    - How many failed attempts are allowed?
    - Logged off after a period of inactivity?
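The password checklist above maps directly onto two checks an auditor or an LEA can script: does a password meet the syntax rules, and are the application's password-age, lockout and inactivity settings at least as strong as the baseline? The following is an added example written for this transcript, not the Department's audit program; the `PasswordPolicy` class, the baseline values in it (8 characters, 90-day age, 5 attempts, 15 minutes) and the `configured` dictionary of settings read off an application's admin screen are all assumptions chosen for illustration.

```python
"""Password policy checks for the slide's checklist (added example, assumed baseline values)."""
import string
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Baseline an LEA might adopt; every value here is an assumed example, not a standard."""
    min_length: int = 8
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True
    max_age_days: int = 90             # "forced to change; how often?"
    max_failed_attempts: int = 5       # "how many failed attempts allowed?"
    inactivity_timeout_minutes: int = 15  # "logged off after a period of inactivity?"


BASELINE = PasswordPolicy()


def password_syntax_failures(password: str, policy: PasswordPolicy = BASELINE) -> list:
    """Return every syntax rule the password fails (empty list means it passes)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    if policy.require_upper and not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("no digit")
    if policy.require_special and not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def _missing_or_weaker(value: Optional[int], limit: int) -> bool:
    """None or 0 means the control is switched off; a value above the limit is weaker than baseline."""
    return not value or value > limit


def setting_findings(configured: dict, policy: PasswordPolicy = BASELINE) -> list:
    """Compare an application's configured settings with the baseline.

    `configured` holds the values as read from the application (assumed keys:
    max_age_days, max_failed_attempts, inactivity_timeout_minutes); a missing key
    is treated as the control not being enforced.
    """
    findings = []
    if _missing_or_weaker(configured.get("max_age_days"), policy.max_age_days):
        findings.append(f"password change not forced at least every {policy.max_age_days} days")
    if _missing_or_weaker(configured.get("max_failed_attempts"), policy.max_failed_attempts):
        findings.append(f"more than {policy.max_failed_attempts} failed attempts allowed before lockout")
    if _missing_or_weaker(configured.get("inactivity_timeout_minutes"), policy.inactivity_timeout_minutes):
        findings.append(f"session not logged off after {policy.inactivity_timeout_minutes} minutes of inactivity")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor!"):
        print(candidate, "->", password_syntax_failures(candidate) or "meets policy")
    # Constructed settings as an auditor might record them from a vendor application.
    print(setting_findings({"max_age_days": 365, "max_failed_attempts": 0, "inactivity_timeout_minutes": 15}))
```

Treating a missing or zero setting as a finding matters in practice: a vendor application that has never had a lockout threshold or timeout set simply reports nothing, and an auditor reading "not configured" should rate that the same as "control absent", not skip it.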
Common Weaknesses
- Monitoring logs: is the log being produced? If yes, is anyone looking at it?
- Contracts and maintenance agreements: LEA recourse for errors/non-performance
- Security and acceptable use policies
- Approvals and authorizations
- Environmental (smoke, fire, temperature)
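"Is anyone looking at it?" is answered most reliably by a routine review that reduces a log to the handful of items a person should sign off on. The following is an added example written for this transcript, not a Department tool or any vendor's log format: the `TIMESTAMP EVENT key=value ...` line layout, the event names (`LOGIN_OK`, `LOGIN_FAIL`, `RECORD_CHANGE`), the 07:00 to 18:00 business window and all the sample lines are constructed. It counts failed logons per user against the lockout threshold from the previous slide, lists logons and membership record changes outside business hours, and extracts every record change so it can feed the roll-forward reconciliation.

```python
"""Routine review of an application security log (added example, constructed log lines)."""
import re
from collections import Counter
from datetime import datetime, time

# Constructed sample lines in an assumed "TIMESTAMP EVENT key=value ..." layout.
SAMPLE_LOG = """\
2008-03-03 07:58:12 LOGIN_OK user=jsmith src=10.1.2.3
2008-03-03 08:01:40 LOGIN_FAIL user=jsmith src=10.1.2.3
2008-03-03 22:14:05 LOGIN_FAIL user=admin src=203.0.113.7
2008-03-03 22:14:09 LOGIN_FAIL user=admin src=203.0.113.7
2008-03-03 22:14:13 LOGIN_FAIL user=admin src=203.0.113.7
2008-03-03 22:14:18 LOGIN_FAIL user=admin src=203.0.113.7
2008-03-03 22:14:22 LOGIN_FAIL user=admin src=203.0.113.7
2008-03-03 22:14:30 LOGIN_OK user=admin src=203.0.113.7
2008-03-04 02:10:00 LOGIN_OK user=vendor_svc src=198.51.100.9
2008-03-04 02:12:11 RECORD_CHANGE user=vendor_svc student=S1005 field=membership_days old=0 new=90
2008-03-04 09:30:00 RECORD_CHANGE user=jsmith student=S1002 field=membership_days old=180 new=170
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
BUSINESS_START, BUSINESS_END = time(7, 0), time(18, 0)   # assumed review window


def parse_line(line: str):
    """Parse one line into a dict of fields; return None for lines that do not fit the layout."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    stamp, event, rest = match.groups()
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    fields["event"] = event
    return fields


def review_log(text: str, max_failed_attempts: int = 5) -> dict:
    """Reduce the log to the items a reviewer should follow up and initial."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]

    # Users whose failed logons reach the lockout threshold the policy is supposed to enforce.
    failures = Counter(e["user"] for e in events if e["event"] == "LOGIN_FAIL")
    repeated = {user: n for user, n in failures.items() if n >= max_failed_attempts}

    # Successful logons and data changes outside the hours the office is staffed.
    after_hours = [
        (e["ts"].isoformat(sep=" "), e["user"], e["event"])
        for e in events
        if e["event"] in ("LOGIN_OK", "RECORD_CHANGE")
        and not (BUSINESS_START <= e["ts"].time() < BUSINESS_END)
    ]

    # Every membership record change, for reconciliation against approved adjustments.
    changes = [
        {"ts": e["ts"].isoformat(sep=" "), "user": e["user"], "student": e["student"],
         "field": e["field"], "old": int(e["old"]), "new": int(e["new"])}
        for e in events if e["event"] == "RECORD_CHANGE"
    ]
    return {"repeated_failures": repeated, "after_hours": after_hours, "record_changes": changes}


if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    print("users at or over the failed-attempt threshold:", report["repeated_failures"])
    print("after-hours activity:")
    for item in report["after_hours"]:
        print("  ", *item)
    print("record changes to reconcile:", len(report["record_changes"]))
```

On the constructed lines the review flags `admin` (five failures, then a success, all from one address late in the evening), two after-hours actions by the vendor's service account including a new student record, and the 180 to 170 change for S1002 that a roll-forward would also catch. A review of this kind only counts as a control when it runs on a schedule and the output carries evidence of who looked at it; the script produces the list, the sign-off is the control.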
Questions and Comments
Thank you for your attention!