IT Audits – Understanding the Standards
Illinois Digital Government Summit, September 15, 2008

Presentation transcript:

Slide 1 – IT Audits – Understanding the Standards
Illinois Digital Government Summit, September 15, 2008
Presented by Doug Tinch, Illinois Office of Internal Audit, and Steve Gerschoffer, Crowe Horwath
(Horwath International; Copyright 2006 Crowe Chizek and Company LLC)

Slide 2 – Agenda
Understanding the Standards:
- What is at risk?
- Auditing Standards
- Scope of IT Audits
- Pre / Post Implementation Audits
- Risk Assessment
- Questions?

Slide 3 – DISCLAIMER
Any opinions expressed by Steve and/or Doug (even though they are usually correct) are their own and do not reflect the official positions of either the State of Illinois Office of Internal Audit or Crowe Horwath.

Slide 4 – Highlights of 12th Annual CSI Survey (source: CSI Survey 2007)
- Average annual loss reported was $350,424, the highest average loss since 2004, up from $168,000 last year
- 194 responses reported total losses of $66,930,950, up from $52,494,290 (for 313 respondents) in [year not in transcript]
- [figure not in transcript] of 454 respondents have cyber insurance policies
- The top 3 attacks detected were insider abuse of net access, viruses, and laptop/mobile device theft
- Viruses were the leading cause of losses for the last seven years; financial fraud overtook them in 2007

Slide 5 – Top 5 Losses by Type of Attack (source: CSI Survey respondents) [chart only; no figures in transcript]

Slide 6 – Current Landscape: Costs of a Breach
A Ponemon Institute study (November 2007) found that the total cost of a data breach averaged $198 per lost customer record:
- Detection and escalation: $9
- Notification: $15
- Response and actions taken: $46
- Lost business: $128

Slide 7 – Current Landscape: Causes of a Breach
From Ponemon Institute, 2007 Annual Study: U.S. Cost of a Data Breach – Understanding Financial Impact, Customer Turnover, and Preventative Solutions [chart only; no figures in transcript]

Slide 8 – Standards: What is FCIAA?
Fiscal Control and Internal Auditing Act (30 ILCS 10/)
Article 1. General Provisions – Section 1002: the CEO of “every State agency is responsible for effectively and efficiently managing the agency and establishing and maintaining an effective system of internal control.”

Slide 9 – Fiscal Control and Internal Auditing Act (30 ILCS 10/)
Article 3. Fiscal Controls – “All State agencies shall establish and maintain a system, or systems, of internal and fiscal administrative controls, which shall provide assurance that:…”

Slide 10 – Fiscal Control and Internal Auditing Act (30 ILCS 10/)
Article 2. Internal Auditing – establishes a program of internal auditing, qualifications of the chief internal auditor, and internal auditing program requirements. Section 2003 (a)(3) mandates: “Reviews of the design of major new electronic data processing systems and major modifications of those systems before their installation to ensure the systems provide for adequate audit trails and accountability.”

Slide 11 – WARNING
IF A PRE-IMPLEMENTATION AUDIT IS REQUIRED, AND IS NOT TIMELY PERFORMED, THE OFFICE OF THE AUDITOR GENERAL WILL ISSUE TWO (2) FINDINGS. THE AGENCY WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT HAVING AN AUDIT COMPLETED BEFORE IMPLEMENTATION, AND THE IOIA WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT PERFORMING THE AUDIT.

Slide 12 – Standard Scope of an IT Audit: IS General Controls
- Management and Organization
- Development and Acquisition
- On-Line Security (Core Application Systems)
- Business Contingency Planning
- Physical Security
- Computer Operations
- Outsourced Technology Service Providers

Slide 13 – Standard Scope of an IT Audit: Network Security Assessment
Methodology: ‘Good Guy’ Approach
Standard Scope:
- Policies and Procedures (Security, Incident Response, etc.)
- Anti-Virus Standards
- Workstation Security Review
- Network Architecture
- Network Operating System Security Review (Windows, Novell, Unix)

Slide 14 – Standard Scope of an IT Audit: Network Security Assessment (continued)
- Voice Over IP
- Database Security
- Mobile Device Security
- Web Server Security
- Server Security
- Etc.

Slide 15 – Internal Penetration Assessment
Methodology: ‘Bad Guy’ Approach – a disgruntled internal employee, or an unauthorized individual with internal network access
Standard Scope:
- Technical Assessment
- Physical
- Social Engineering
- Document Disposal

Slide 16 – Internal Penetration Assessment [diagram only; no text in transcript]

Slide 17 – External Penetration Assessment
Methodology: ‘Bad Guy’ Approach – an external hacker
Standard Scope:
- Technical Assessment
- Phone Social Engineering
- Social Engineering
- Phone Sweep

Slide 18 – External Penetration Assessment [diagram only; no text in transcript]

Slide 19 – SAS 70 (Statement on Accounting Standards – No. 70)
Types of SAS 70s:
- Level I: Report on Controls Placed in Operation
- Level II: Report on Controls Placed in Operation & Tests of Operating Effectiveness

Slide 20 – What Is Evaluated During a SAS 70 Audit?
A typical SAS 70 report includes:
- General Controls
- Application Controls
- Process Controls
Areas covered:
- Organization and Administration
- Application Maintenance
- Documentation
- Computer Operations
- Hardware and System Software
- On-Line Security
- Physical Security
- Back-up and Contingency Planning
- e-Business
- Policies and Procedures

Slide 21 – SAS 70: User Control Considerations
User Control Considerations are controls which the User Organization should consider but that the Service Provider either:
- Cannot do,
- Does not take responsibility for, or
- Is not cost effective.

Slide 22 – Pre-Implementation Audit Process: The Risk Assessment Process – Document Request
1) RFP (Request for Proposal)
2) Project Charter
3) Design Documents
4) System Objectives
5) Cost/Benefit Analysis
6) Project Time-line

Slide 23 – Pre-Implementation Audit Process: The Risk Assessment Process – Management Interview
1) Management synopsis of the project.
2) Details of the project and changes (if any) in timelines, scope, funding, resources, etc. that may not be reflected in the original documentation.
3) Any other relevant information that is germane to the project.

Slide 24 – Pre-Implementation Audit Process: The Risk Assessment Process – IOIA Determination
1) Determination by auditor
2) Review by Supervisor
3) Review by Manager
4) Review by Chief Internal Auditor
5) Issuance of Determination Letter to Agency Director

Slide 25 – Pre-Implementation Audit Process: The Audit – Audit Program
1) Audit Trails and Accountability
2) Functionality

Slide 26 – Pre-Implementation Audit Process: The Audit – Test Matrix
1) Audit Trails and Accountability
   a) Logging
   b) Access controls
   c) Transmission security
   d) Application controls (third party hosting)
   e) Disaster recovery/business continuity
2) Functionality
   a) With business rules (tech and non-tech)
   b) User expectations and needs
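The test matrix above lists "Audit Trails and Accountability" as the first area a pre-implementation audit examines, and Section 2003 (a)(3) quoted earlier is specifically about systems providing "adequate audit trails and accountability". The following is an added example, not code from the presentation or from the Illinois Office of Internal Audit, of how an auditor on the UAT team might automate part of that test: it takes an exported audit log from the system under review and checks that every record attributes the action to a named actor with a parseable timestamp and an outcome, that privileged actions are never unattributed, that the record sequence has no gaps (lost or removed records), and that privileged actions the tester knows were performed actually left a record. The log format, field names, list of privileged actions and sample records are all constructed for illustration; a real system's export would need its own parser.

```python
"""Added example: automated check of an application's audit trail for the
'Audit Trails and Accountability' test area of a pre-implementation audit.
Record format, field names and sample data are constructed assumptions."""

from datetime import datetime

# Minimum attribution every audit record must carry (assumed requirement)
REQUIRED_FIELDS = ("seq", "timestamp", "actor", "action", "target", "outcome")

# Actions the test plan treats as requiring an audit record (assumed list)
PRIVILEGED_ACTIONS = {"user.create", "role.grant", "config.change", "record.delete"}

# Constructed sample export: one record per line, key=value pairs joined by '|'.
# It deliberately contains an unattributed config change, a missing seq 4 and
# a malformed timestamp so that the checks below have something to find.
SAMPLE_EXPORT = """\
seq=1|timestamp=2008-09-15T09:00:12|actor=jdoe|action=login|target=app|outcome=success
seq=2|timestamp=2008-09-15T09:01:03|actor=jdoe|action=role.grant|target=msmith|outcome=success
seq=3|timestamp=2008-09-15T09:02:44|actor=|action=config.change|target=smtp.host|outcome=success
seq=5|timestamp=2008-09-15T09:05:10|actor=batch|action=record.delete|target=claim/4411|outcome=denied
seq=6|timestamp=not-a-time|actor=msmith|action=login|target=app|outcome=failure
"""


def parse_export(text):
    """Parse the constructed key=value export into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(kv.split("=", 1) for kv in line.split("|")))
    return records


def check_audit_trail(records, expected_privileged=None):
    """Return a list of (seq, finding) tuples.

    expected_privileged is a set of (actor, action, target) triples the tester
    performed during UAT and therefore expects to see in the trail.
    """
    findings = []
    seen_seqs = []
    seen_privileged = set()
    for rec in records:
        seq = rec.get("seq", "?")
        # a) Logging: every record must carry the minimum attribution fields
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings.append((seq, f"missing fields: {', '.join(missing)}"))
        # Timestamps must parse, or events cannot be ordered or correlated
        try:
            datetime.fromisoformat(rec.get("timestamp", ""))
        except ValueError:
            findings.append((seq, "unparseable timestamp"))
        # Accountability: a privileged action with no actor cannot be attributed
        if rec.get("action") in PRIVILEGED_ACTIONS and not rec.get("actor"):
            findings.append((seq, f"privileged action {rec['action']} without actor"))
        if rec.get("actor") and rec.get("action") in PRIVILEGED_ACTIONS:
            seen_privileged.add((rec["actor"], rec["action"], rec.get("target", "")))
        if seq.isdigit():
            seen_seqs.append(int(seq))
    # A gap in the sequence means records were lost or removed
    for a, b in zip(seen_seqs, seen_seqs[1:]):
        if b != a + 1:
            findings.append((str(b), f"sequence gap: {a} -> {b}"))
    # An expected privileged action that left no attributable record is the
    # most serious finding: the system does not provide an adequate trail
    for triple in sorted(expected_privileged or set()):
        if triple not in seen_privileged:
            findings.append(("-", f"no audit record for expected action {triple}"))
    return findings


if __name__ == "__main__":
    performed = {("jdoe", "role.grant", "msmith"), ("jdoe", "config.change", "smtp.host")}
    for seq, finding in check_audit_trail(parse_export(SAMPLE_EXPORT), performed):
        print(f"seq {seq}: {finding}")
```

Each finding maps back to a test-matrix item: missing fields and unparseable timestamps are logging defects, unattributed privileged actions and absent expected records are accountability defects, and sequence gaps point at either log integrity or retention problems that belong in the program manager's change (bug) control queue per slide 27.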

Slide 27 – Pre-Implementation Audit Process: The Audit – Testing
1) Part of the User Acceptance Testing (UAT) team
2) Access to Change (Bug) Control
3) Notify Program Manager of failures immediately
4) Follow-up to determine that all “bugs” are closed
5) Final acceptance by all appropriate parties

Slide 28 – Pre-Implementation Audit Process: The Audit – Review and Approval Process
1) Informal pre-Letter issuance conference with management.
2) IOIA review and Letter issuance to Director prior to implementation.
3) Draft report issuance to Director. Formal exit conference if required.
4) Agency responses to draft, included verbatim in final report to Director.
5) Subsequent Recommendation follow-up.

Slide 29 – Questions?