
State Performance & Technology Audits Overview of IT Reviews at Local Educational Agencies Presented to: Pennsylvania Association of School Business Officials.


1 State Performance & Technology Audits
Overview of IT Reviews at Local Educational Agencies
Presented to: Pennsylvania Association of School Business Officials, 53rd Annual Conference, March 6, 2008

2 Introduction
Thomas E. Marks, CPA
Deputy Auditor General for Audits
PA Department of the Auditor General
234 Finance Building, Harrisburg, PA 17120
(717) 705-4126
tmarks@auditorgen.state.pa.us

3 Introduction
Michael A. Billo, CISA, CGAP
Assistant Director of IT Audits
PA Department of the Auditor General
406 Finance Building, Harrisburg, PA 17120
(717) 787-0557
mbillo@auditorgen.state.pa.us

4 Department Structure
- Bureau of School Audits: over 100 auditors statewide doing performance audits of all LEAs
- Information Technology Audits: 7 auditors assisting all audit bureaus with the more complex technology issues in their audits and training the financial and performance auditors in IT auditing

5 IT Audits Mission Statement
To be an innovative team providing support, analysis, problem-solving, training, and technical audits

6 Information Technology (IT)
ATM, POS, LAN, WAN, Internet, URL, VPN, gigabyte/terabyte, eBay, ISP, IP address, .com, cell phone, Wii, IM, texting, iPod, Xbox

7 Information Technology Auditing
- Information Technology (IT) Auditing
- Electronic Data Processing (EDP) Auditing
- Part of the review of internal control
- Internal controls related to information technology, e.g., organizational placement of IT personnel, physical and logical access, SDLC, outsourcing, backups and contingency planning

8 Audit and IT Standards
- GAAS – promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA); Statements on Auditing Standards (SASs)
- GAGAS (Yellow Book) – promulgated by the U.S. Government Accountability Office (GAO)
- ISACA – COBIT
- FISCAM
- CERT Best Practices

9 History of IT Reviews
- A Southwest region school had membership days changed inadvertently, which affected the membership subsidy
- An outside vendor was processing the membership and attendance data for the school
- Controls were relinquished to the outside vendor and overlooked by the school

10 Evolution of IT Reviews
- Consistency of audit procedures and coverage
- Admittedly a new part of the audit
- Auditing in the 21st century
- Technology has changed some internal controls
- Multiple vendors being used by schools for processing membership and attendance data
- More than 50 reviews completed during 2007

11 Evolution of Reviews (cont’d.)
- On-the-job training during 2007; more formal training for school auditors in the IT review procedures in the regions in the first quarter of 2008
- School auditors to perform the reviews at all LEAs using an outside vendor for membership and attendance data processing after the training

12 Risk
- Membership not a high-risk area
- Mindset, however, is important
- Accounting
- Safe Schools
- Grades
- Social Security Numbers
- Student Numbers
- Other vulnerable IT areas

13 IT General Controls
- Segregation of duties
- Access: Physical (locks, security); Logical (user ID and passwords)
- Systems Development Life Cycle (SDLC)
- Backups and Recovery
- Contingency planning
- Outsourcing
- Environmental

14 Audit Objective
Would you know if your membership and/or attendance data was changed (significantly or otherwise)?

15 IT Application Controls
- Data Origination
- Data Input
- Data Processing
- Data Output

16 Overview of Audit Procedures
- Administer an internal control questionnaire through inquiries of relevant management and personnel
- Request and review applicable documentation
- Rate weaknesses in a finding or observation based on the severity of the weaknesses and the presence of manual compensating controls

17 Some specifics …
- Walkthrough of hardware, software, interface, access method, etc.
- Review of IT contracts/maintenance agreements
- Security policies and procedures
- User ID approval and maintenance
- Separated employees/vendors
- Physical and logical access controls
- Vendor access

18 … and a few more
- Remote access: vendors, LEA employees; dial-up, Internet, VPN
- System development and maintenance
- Program change control
- Backups/Recovery
- Contingency Planning
- Environmental considerations

19 Manual Compensating Controls
- Reconciliations
- Trends
- Rollforwards
- Data entry procedures and review
- Report Review
- Evidence of Review
- Management Oversight

20 Common Weaknesses
- Logical Access
  - Group IDs or Individual IDs
  - Password policy and syntax requirements
    - Minimum Length
    - Complexity: alpha, numeric, special characters; upper and lower case
    - Forced to change; how often?
    - How many failed attempts allowed?
    - Logged off after a period of inactivity?
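The logical-access checklist above, together with the rating rule from slide 16 (severity adjusted for manual compensating controls, slide 19), can be turned into a small audit script. This is an added example, not material from the presentation or the Department; the benchmark thresholds, the policy fields and the sample LEA policy are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PasswordPolicy:
    """Settings an LEA or its vendor reports for the system under review."""
    individual_ids: bool                # False = shared group IDs in use
    min_length: int
    requires_alpha: bool
    requires_numeric: bool
    requires_special: bool
    requires_mixed_case: bool
    max_age_days: Optional[int]         # None = never forced to change
    lockout_attempts: Optional[int]     # None = unlimited failed attempts
    idle_logoff_minutes: Optional[int]  # None = no inactivity logoff

# Assumed benchmark thresholds for this example; the deck states none.
MIN_LENGTH, MAX_AGE_DAYS, MAX_ATTEMPTS, MAX_IDLE = 8, 90, 5, 15
SEVERITY = ["low", "medium", "high"]

def find_weaknesses(p: PasswordPolicy) -> list:
    """Return (key, description, severity) for each failed checklist item."""
    w = []
    if not p.individual_ids:
        w.append(("ids", "group IDs used instead of individual IDs", "high"))
    if p.min_length < MIN_LENGTH:
        w.append(("length", f"minimum length {p.min_length} below {MIN_LENGTH}", "high"))
    classes = sum([p.requires_alpha, p.requires_numeric,
                   p.requires_special, p.requires_mixed_case])
    if classes < 3:
        w.append(("complexity", f"only {classes} character classes required", "medium"))
    if p.max_age_days is None or p.max_age_days > MAX_AGE_DAYS:
        w.append(("age", f"passwords not forced to change within {MAX_AGE_DAYS} days", "medium"))
    if p.lockout_attempts is None or p.lockout_attempts > MAX_ATTEMPTS:
        w.append(("lockout", "no lockout after repeated failed attempts", "high"))
    if p.idle_logoff_minutes is None or p.idle_logoff_minutes > MAX_IDLE:
        w.append(("idle", "no logoff after a period of inactivity", "low"))
    return w

def rate_findings(weaknesses, compensating: dict) -> list:
    """Lower a weakness one severity step when a documented manual
    compensating control (keyed by checklist item) covers it."""
    rated = []
    for key, desc, sev in weaknesses:
        if key in compensating:
            sev = SEVERITY[max(0, SEVERITY.index(sev) - 1)]
            desc += f" (compensating control: {compensating[key]})"
        rated.append((key, desc, sev))
    return rated

# Constructed sample: a vendor-hosted membership system with a weak policy,
# where the LEA's business manager reviews the failed-logon report daily.
WEAK = PasswordPolicy(False, 6, True, True, False, False, None, None, None)
COMPENSATING = {"lockout": "failed-logon report reviewed daily by the business manager"}
```

Calling `rate_findings(find_weaknesses(WEAK), COMPENSATING)` lists six weaknesses, with the lockout item downgraded from high to medium because of the documented report review.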

21 Common Weaknesses
- Monitoring logs: is the log being produced? If yes, is anyone looking at it?
- Contracts and Maintenance Agreements: LEA recourse for errors/non-performance
- Security and Acceptable Use Policies
- Approvals and Authorizations
- Environmental (Smoke, Fire, Temperature)

22 Sources
- www.isaca.org
- www.gao.gov
- www.cert.org

23 Questions and Comments
Thank you for your attention!
