What a non-IT auditor needs to know about IT & IT controls

Presentation transcript:

What a non-IT auditor needs to know about IT & IT controls Presented by Ruben Garcia, CISA and Nick Oscari, CPA from ATR Advisory LLC

Agenda
Why is this important?
Core “Must Have” Knowledge Items: 1 through 10
Summary
Presenter: Nick

Why does a non-IT auditor need to know about IT?
Auditors should gain an understanding of the design of specific controls by following a transaction from origination through the organization’s processes, including the applicable information systems, until it is reflected in the organization’s financial records (PCAOB AS 2201).
IIA Standards require that internal auditors have sufficient knowledge of key information technology risks and controls to perform their assigned work (1210.A3).
GTAG (Global Technology Audit Guide) defines three categories of IT knowledge for auditors:
Category I: Knowledge of IT needed by all professional auditors
Category II: Knowledge of IT needed by audit supervisors
Category III: Knowledge of IT needed by IT audit specialists
Category I includes an understanding of IT concepts such as applications, operating systems/systems software, networks, IT security and the related control components.
More efficient and effective non-IT audits!
Presenter: Nick

Core “Must Have” Knowledge #10
IT Assertions: Security, Availability, Confidentiality, Integrity, Scalability, Reliability, Effectiveness, Efficiency
Financial Assertions: Completeness, Existence, Accuracy, Valuation, Obligation/Rights, Presentation/Disclosure
Presenters: Nick & Ruben

Core “Must Have” Knowledge #9
Understanding Technology Stack Layers:
Application (e.g. MS Word)
Database
Operating System (e.g. Windows, Unix, Linux)
Network, Routers, Switches, Firewalls
Servers
Presenter: Ruben

Core “Must Have” Knowledge #8
IT General Controls (ITGC) vs Application Controls
ITGC (i.e. the home’s foundation):
Security Administration
Physical Security/Environmental
Change Management/System Development
IT Operations (backups/job processing)
Application Controls (i.e. the indoor plumbing):
Application controls are those controls that pertain to the scope of individual business processes within application systems, including input controls, data edits, automated approval requirements, transaction logging, and error reporting.
Driven by business process need and should be owned by the business process owner.
Presenter: Nick

Core “Must Have” Knowledge #7
System Development & Change Management (ITGC)
What is it?
Change Mgmt: includes changes to software configurations, software changes, patch management
System Development: new system implementations, new features added to an existing system
Primary Risk
Unauthorized changes or poor system development result in unreliable information, security access issues, system availability/reliability issues
Controls
Change Mgmt Controls
System Development Controls
Presenter: Ruben
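As an added example (not from the presentation), here is the kind of change-management test a non-IT auditor can ask for: reconcile a production deployment log against the change tickets and list every deployment with no ticket, an unapproved ticket, a deployment date before approval, or an approver who is also the requester or deployer. The ticket and deployment records are constructed sample data.

```python
# Change-management test: match production deployments to approved change
# tickets and flag the exceptions an auditor would pull for testing.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    requester: str
    approver: Optional[str]          # None when no approval was recorded
    approved_at: Optional[datetime]

@dataclass(frozen=True)
class Deployment:
    change_ref: Optional[str]        # ticket id recorded with the deployment, if any
    deployed_by: str
    deployed_at: datetime

def reconcile(deployments: List[Deployment], tickets: List[Ticket]) -> List[Tuple[Deployment, str]]:
    by_id = {t.ticket_id: t for t in tickets}
    findings = []                    # (deployment, reason it fails the control)
    for d in deployments:
        t = by_id.get(d.change_ref) if d.change_ref else None
        if t is None:
            findings.append((d, "no change ticket linked to deployment"))
        elif t.approver is None or t.approved_at is None:
            findings.append((d, "ticket never approved"))
        elif d.deployed_at < t.approved_at:
            findings.append((d, "deployed before approval was granted"))
        elif t.approver in (t.requester, d.deployed_by):
            findings.append((d, "approver not independent of requester/deployer"))
    return findings

# Constructed sample data (hypothetical tickets and deploy log), not from the slides.
TICKETS = [
    Ticket("CHG-1001", "alice", "bob", datetime(2024, 3, 1, 9, 0)),
    Ticket("CHG-1002", "carol", None, None),
    Ticket("CHG-1003", "dave", "dave", datetime(2024, 3, 2, 10, 0)),
    Ticket("CHG-1004", "erin", "frank", datetime(2024, 3, 5, 12, 0)),
]
DEPLOYMENTS = [
    Deployment("CHG-1001", "alice", datetime(2024, 3, 1, 14, 0)),  # clean
    Deployment("CHG-1002", "carol", datetime(2024, 3, 1, 15, 0)),  # unapproved ticket
    Deployment("CHG-1003", "dave", datetime(2024, 3, 2, 11, 0)),   # self-approved
    Deployment("CHG-1004", "erin", datetime(2024, 3, 4, 9, 0)),    # before approval
    Deployment(None, "grace", datetime(2024, 3, 6, 8, 0)),         # no ticket at all
]
for dep, why in reconcile(DEPLOYMENTS, TICKETS):
    print(f"{dep.deployed_by:6} {dep.change_ref or '-':9} {why}")
```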

Core “Must Have” Knowledge #6
Security Administration (ITGC)
What is it?
Establishes overall computer security for the IT environment
Must be evaluated at each layer of technology (i.e. app, OS, DB)
Primary Risk
Unauthorized modification, deletion, or addition to information assets (i.e. theft/damage of your most prized home possessions)
Controls
Access levels set to only allow personnel to perform their job duties
Segregation of Duties
User Access Administration
Periodic Access Reviews (qtrly, semi-annual, annual)
System Administrator privileges (limit and/or monitor)
Presenter: Nick
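An added example, not part of the presentation, of how the Segregation of Duties, User Access Administration and Periodic Access Review controls above are tested in practice: a user entitlement export from a hypothetical AP application is checked against a SoD conflict matrix, the HR active roster and the approved administrator list. All user names, role names and conflict pairs are constructed.

```python
# Security-administration test: review an application's user entitlement
# export for SoD conflicts, leavers still active, and unapproved admin rights.
from collections import defaultdict
from typing import Iterable, List, Set, Tuple

def review_access(entitlements: Iterable[Tuple[str, str]], hr_active: Set[str],
                  approved_admins: Set[str], conflicts: Set[frozenset],
                  admin_role: str = "SYS_ADMIN") -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; an empty list means the export is clean."""
    held = defaultdict(set)                 # user -> set of roles granted
    for user, role in entitlements:
        held[user].add(role)
    findings = []
    for user, roles in sorted(held.items()):
        if user not in hr_active:           # access should end when employment does
            findings.append((user, "active account for user not on HR active roster"))
        if admin_role in roles and user not in approved_admins:
            findings.append((user, "administrator privilege outside approved admin list"))
        for pair in conflicts:              # one person holding both halves of a SoD pair
            if pair <= roles:
                findings.append((user, "SoD conflict: " + " + ".join(sorted(pair))))
    return findings

# Constructed sample data for a hypothetical AP application, not from the slides.
CONFLICTING_ROLE_PAIRS = {
    frozenset({"VENDOR_MAINTAIN", "INVOICE_APPROVE"}),  # set up a vendor and approve its invoices
    frozenset({"INVOICE_ENTER", "PAYMENT_RELEASE"}),    # enter an invoice and release its payment
}
APPROVED_ADMINS = {"sysadm1"}
HR_ACTIVE = {"alice", "bob", "carol", "sysadm1"}        # dave has left per HR
ENTITLEMENTS = [                                        # (user, role) rows as exported
    ("alice", "INVOICE_ENTER"),
    ("alice", "PAYMENT_RELEASE"),
    ("bob", "VENDOR_MAINTAIN"),
    ("carol", "INVOICE_APPROVE"),
    ("carol", "SYS_ADMIN"),
    ("dave", "INVOICE_APPROVE"),
    ("sysadm1", "SYS_ADMIN"),
]
for user, why in review_access(ENTITLEMENTS, HR_ACTIVE, APPROVED_ADMINS, CONFLICTING_ROLE_PAIRS):
    print(f"{user:8} {why}")
```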

Core “Must Have” Knowledge #5
Physical: Security & Environmental (ITGC)
What is it?
Physical access to hardware
Environmental protection of critical physical IT assets
Primary Risk
Unauthorized access to IT information assets
Physical assets damaged due to lack of controlled temperature, exposure to water, a power loss, or fire
Controls
Physical access to sensitive areas restricted through badge access/biometric locks
HVAC, fire suppression, flood monitoring, back-up battery (UPS)/generators
Presenter: Nick

Core “Must Have” Knowledge #4
Data Back Up (ITGC)
What is it?
Periodic backing up of information assets to allow recovery for any number of reasons (e.g. software failure/hardware failure)
Primary Risk
Inability to recover information assets, resulting in unreliable or missing information assets
Controls
Backups of critical data performed
Procedures in place to periodically validate the recovery process
Business Continuity policies and procedures exist defining the type of data and frequency of backups
Presenter: Nick

Core “Must Have” Knowledge #3
IT Operations (ITGC)
What is it?
Supervising and maintaining computer systems operations, including:
Production Scheduling
Problem logging, tracking & reporting
Help desk
Risks
Undetected computer processing issues or inability to quickly recover from issues, resulting in unreliable information assets or inability to access them
Controls
Processing & Output controls
Help Desk procedures
Presenter: Ruben

Core “Must Have” Knowledge #2
Outsourcing of Technology & IT Activities
What is it?
Includes software as a service, platform as a service, infrastructure as a service, cloud computing
Risks
Vendor does not have a properly controlled environment
User requirements not adhered to, resulting in garbage in/garbage out
Controls
Vendor Management Program
Third Party Reviews (SOC/SSAE 18) & User Requirements
IMPORTANT: You can’t outsource your responsibility for your information assets!
Presenter: Ruben

Core “Must Have” Knowledge #1
Cybersecurity
Buzz Word Defined
Equifax
Controls:
Risk Assessments
Security Access Controls
Change Mgmt Controls
Physical Controls
Presenter: Ruben

Summary
Understanding the basics of IT, IT risks and IT controls will make a non-IT auditor much more capable of:
1) Identifying all the potential risks related to the processes under audit
2) Scoping a non-IT audit appropriately to account for the effectiveness or lack of effectiveness of the IT environment
A. For example, an A/P process audit assessed as low risk with an ineffective control environment for related IT systems and strong application controls.
B. For example, a revenue process assessed as high risk with an effective control environment and strong application controls.
3) Becoming a much better auditor than Nick was as a second year associate at KPMG
Presenter: Nick

Summary
Challenge:
1. Go look at the non-IT audits you are currently working on and consider whether you understand the relevant IT systems, IT risks, IT controls and how they impact your planned audit approach for your non-IT audit
2. Interact with your IT auditor – they don’t bite
Presenter: Nick

Questions
Presenter: Nick