Collaborative Relationship Between IT and Internal Auditing Presented by: Robert Clark, Jr., CIA, CBM Director of Internal Auditing, Georgia Tech President, Association of College & University Auditors voice (404) / fax (404) Robert N. Clark, Jr., C.I.A., Director of Internal Auditing, Georgia Tech June 2003
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Reporting Structure at GIT President Provost Sr. VP Admin & Finance Vice Chancellor for Audit Services Board of Regents Director of Internal Auditing Executive Staff CIO Director Info Security
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION Passive SCOPE Internal Control* Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence *Defined along the lines of COSO’s Integrated Framework APPROACH
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION PREVENTION Passive Active SCOPE Internal Control* Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers *Defined along the lines of COSO’s Integrated Framework APPROACH
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION ADVISORY PREVENTION Passive Active SCOPE Internal Control* Business Performance Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Defining process improvement opportunities, if seen By-product of internal control assessment but not focusing on internal controls Moving away from compliance auditing (dangerous position…) Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers *Defined along the lines of COSO’s Integrated Framework APPROACH
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit Primary Mission Four Potential Orientations DETECTION ADVISORY PREVENTIONSOLUTION Passive Active SCOPE Internal Control* Business Performance Focus on examination of past transactions Report past problems and recommend solutions Maintain rigid independence Defining process improvement opportunities, if seen By-product of internal control assessment but not focusing on internal controls Moving away from compliance auditing (dangerous position…) Active promotion of internal control agenda Recommending preventive measures to the campus unit and advice in making changes Maintain objectivity while eliminating unnecessary organizational barriers Target process improvements as a key goal Focus on Assessing Risk and Management’s Mitigation of Risk Work toward implementation of cost- beneficial internal controls & compliance Teamwork approach while maintaining objectivity and independent perspective *Defined along the lines of COSO’s Integrated Framework APPROACH
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Internal Audit’s Role… …it’s more than counting beans...
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risk… Internal Audit’s role: Identify key risks Identify key risks of the organization not just financial Look at all areas of exposure, not just financial Focus on the issues that matter most in safeguarding the assets of the Institute strength of processes to mitigate risks Develop audit procedures to examine high risk areas and verify strength of processes to mitigate risks effectiveness Provide feedback to mgmt on effectiveness of policies and procedures Promote awareness of policies and best practices bring Management together Help bring Management together on key risks Develop organizational approach to managing risk
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June What is RISK? … Anything that could prevent the organization from meeting its goals
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risk – with Management Talk with all members of Senior Management (one-on-one discussions) Ask key questions, such as: “Where are potential exposures?” “ What keeps you up at night? ” “Where do you see risks for your unit and GIT?” What are some of the potential adverse situations that could occur within…? “ What are some of the potential adverse situations that could occur within…? ” Goal is to identify and inventory RISKS
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risks: Description of adverse situation that could occur
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5)
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Assessing Risks: Description of adverse situation that could occur Potential impact of this situation were to occur (1-5) x Probability of this situation occurring (1-5) = Risk Ranking
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Risk Discussion Tool
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Audit Risk Universe
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Audit Focus -- Zeroing In Information Gathering Monitoring/ General Awareness (committees) Informal Reviews (surveying internal control) Risk-Based Audits (processes & risk) Process Improvement (reengineering) Strategy/Solution Development/ Partnering w/ Mgmt. as Key Resource Audits of compliance & controls
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Identifying Unit-level Information Systems Risks Logical Security Environmental and Physical Controls Data Security and Stewardship Management of IS Resources Equipment Maintenance Back-up and Recovery Training and Documentation Operations/ Administration Web Site Operation/ Development Software Licensing
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June IT Advising IA on audit coverage… CIO, Director of Information Security, and others in IT review draft of audit programs, in some cases helping to draft audit steps (“What would you, as CIO, look for if you were conducting these reviews?”) IT provides further insight, clarification, and direction to auditors Internal Auditing seeks IT’s opinion/support regarding feasibility of audit recommendations Ultimately, Internal Auditing’s decision – but collaborating with IT to ensure the most effective coverage of IT risks throughout the organization
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June The Audit Plan Focus on reviewing how each organization is moving toward effectively and efficiently mitigating each of the risks Independent verifications & attestations to determine strength of processes Conclusions are forward- looking - how well positioned are they to deal with risk ?
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Feedback to IT… Reports go not only to unit head but to senior management (including CIO) to show where opportunities for improvement exist Direct communication with CIO regarding areas in which more training/education/guidance or IT focus should be provided to campus units IA offers advice to senior mgmt on areas for policy enhancement
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Recommended best practices… IA provides trend analysis summaries to senior management (including CIO) showing common areas across campus requiring improvement Leads to targeted plans for action aimed at addressing the specific issues (as opposed to blanket policies which may be unnecessarily onerous)
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Recommended procedures… President assembled committee (chaired by CIO) to revise Computer Network Usage Policy VP for Finance, VP for HR, Chief Legal Advisor, Director of Internal Auditing, Associate Dean, Student Govt. rep, & others [Note: IA’s role was not to “set” policy, rather to advise committee on key areas the policy should address]
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Responding to Info Security Incidents Information on an incident may come from a variety of sources: OHR – personnel-related complaint Legal Affairs – person seeking legal advice Financial Services – questionable transaction(s) Campus Police – allegation of illegal behavior Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection system reports, etc. Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Responding to Info Security Incidents Challenge: ensuring a consistent approach to dealing with incidents Risk : If investigation not handled appropriately or consistently, puts Institute at risk Solution : IA recommended creation of ad-hoc task force and procedure to address Info Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 1 Incident is brought to attention of member of mgmt He/She convenes Ad-Hoc Group [CIO, AVP-OHR, Chief Legal Advisor, Director Internal Auditing, Director of Information Security] “What do we know now?” Group shares info to determine other resources that may need to be involved (e.g., Director Campus Security, AVP- Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.) Group determines needed resources
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 2 Group makes a determination on the potential outcome E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only? This determines procedures to be followed in conducting the investigation and standard of evidence to which to adhere Also determines whether law enforcement should be notified and/or involved
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 3 Group determines who will take the lead in facilitating the investigation. This person: Coordinates efforts, arranges meetings, initiates status reporting Initiates status reporting to the Office of the President Determines appropriate custodian of investigation data Facilitates reporting at the end of investigation
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 4 Investigation is conducted following appropriate procedures agreed-to by Group Regular communication with Group on status, observations, noteworthy issues Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Step 5 Group re-convenes to: evaluate effectiveness of process; document “lessons learned”; and discuss ways the situation may be prevented in the future, e.g., –Additional audit steps to examine for this elsewhere? –Need for policy enhancement? –Need for additional education/awareness?
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Opportunities for Collaboration: 1.Assessing Risk 2.Advising IA on audit coverage 3.Feedback to IT on effectiveness of IT policy 4.Input to IT on recommended controls, procedures, and best practices 5.Cooperation with response to Information Security incidents
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June Results of Collaborative Approach IA and IT aligned on areas of high risk Common approach for responding to Information Security incidents IT becomes source of “education and awareness” for IA IA able to represent organizational perspective on IT issues across campus to audiences to which IT would not normally have access IA provides independent and objective feedback to IT on effectiveness of IT policies and procedures (within OIT and across the campus) Combining perspectives to establish best practices for Information Systems across organization
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June