Presentation is loading. Please wait.

Presentation is loading. Please wait.

“Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010.

Similar presentations

Presentation on theme: "“Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010."— Presentation transcript:

1 “Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010

2 Your Presenters Thomas Luccock, CPA, CIA Director of Internal Audit Steve Kurncz, CISA, CISM Information Technology Audit Manager Michael Chandel, CISA Senior Information Technology Auditor

3 Our Mission “ To assist University units in effectively discharging their duties while ensuring proper control over University assets. ”

4 Internal Audit at MSU History of Internal Audit function at MSU Our Charter ―Introduction ―Purpose ―Authority ―Responsibility ―Independence ―Audit Scope ―Special Investigations ―Reporting ―Audit Standards and Ethics

5 Organization of Internal Audit

6 Internal Auditing Defined Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. - Courtesy of the Institute of Internal Auditors (IIA)

7 Your Perception of an Auditor “Oh, those > insert your best insult here <” “They’re out to get us!” “They’re going to snoop through our data!” #@*#$%$&$#*%!!! “The Matrix”, 1999

8 Our Perception of an Auditor “The Blues Brothers”, 1980

9 The Reality of your Internal Auditors Internal Audit Approach –Objective members of “Team MSU” –Act as an independent internal assurance and consulting function designed to help add value to and improve the operation of our University. –We are here to assist you and help protect our University as a whole. –We try to view audit projects as a partnership with you and your department. –We attempt to be as “transparent” as possible.

10 Certified Auditors Certified Information Systems Auditor (CISA) designation ― Globally accepted and recognized standard of achievement among information technology (IT) audit, control and security professionals ―Sponsored and governed by the Information Systems Audit and Control Association (ISACA) o More than 86,000 members in more than 160 countries. ―Accredited by the American National Standards Institute (ANSI) under ISO/IEC 17024 ―Requirements of Certification: o Successful Completion of the CISA Examination.  200 Question exam with a four (4) hour time limit. o Equivalent of a minimum five (5) years professional information systems auditing, control and security work experience. o Adherence to the ISACA Code of Professional Ethics. o Continuing Professional Education (CPE) Policy observance.  Must complete a minimum of 120 CPE Hours every three (3) years for continued certification. o Adherence to the Information Technology Assurance Framework (ITAF) Auditing Standards adopted by ISACA

11 Audit Plan Development “C’mon, why us???” University-Wide Risk Assessment ―Inherent Risk: The nature of your business. ―Incident Response Procedures ―By Special Request Tom Izzo, Head Men’s Basketball Coach

12 Audit Plan Approval University President Review and Approval ―Monthly Meetings ―Reporting University Audit Committee Review and Approval ―University Board of Trustees ―Audit Committee Quarterly Meetings ―Annual Meetings ―Reporting

13 Audit Process


15 Stage 1: Planning Audit Engagement ―Engagement Letter ―Preliminary Information Request Opening Meeting ―Project Overview Given to the Management Group ―Designate a Primary Contact Person ―Official Project Start Date Inquiry of Management & Staff ―Interviews & Internal Controls Questionnaires (ICQ) ―Tours Scope Definition ―Risk Assessment ―Six (6) Month “Snap-Shot”

16 Audit Process

17 Stage 2: Fieldwork & Documentation Observations of Processes & Procedures ―Determining & Documenting the Flow of Data o Data Entry through Data Deletion ―General Information Technology Controls ―Unit Level Application Controls Sampling & Testing ―Select Specific System Components, Processes and Reports to Review and Compare ―Collaboration with Unit Staff ―Nothing Done Without IT Personnel Assistance or Knowledge Verification of Statement Made ―Sample the Verbal Statements Made During the Planning Process to Verify Accuracy

18 Audit Process

19 Stage 3: Issue Discovery & Validation Risk Exposure Discovery & Evaluation ―Risk Identification Process Based on ICQ’s & Fieldwork ―Risk Validation & Mitigating Controls Discussion with IT Personnel Risk Exposure Presentation to Management ―Discussion with Management Regarding Identified Risk & Potential Mitigating Controls Management Solution Development ―Risk Mitigation vs. Risk Acceptance ―Risk Considerations in Strategic Planning

20 Audit Process

21 Stage 4: Reporting Draft Report Development & Distribution ―Based on Levels of Identified Risk (Verbal vs. Written) ―Closing Meeting Discussion ―Limited Draft Distribution Management Response Opportunity ―Due 30 Days from Issuance of Draft Report ―Short Description of Management's Plans and Timeline to Address Identified Risk Final Report Distribution ―Standard Executive Distribution List with Additional Unit Requests ―Management Responses Included

22 Audit Process

23 Stage 5: Issue Tracking Post Audit Review & Follow Up ―Three (3) to Six (6) Months After Final Report is Issued ―Review of Management Response Status ―Written Status Report Issued to Final Distribution List Periodic Status Updates ―Potential Second Post Audit Review ―Otherwise, We May Request Periodic Progress Updates

24 Audit Project Time Table Just how long will this all take? ―Standard Audit Fieldwork takes approximately one (1) to three (3) months depending on the scope of the audit and complexity of area under review. ―Limited Review Fieldwork is less time intensive and may only last one to two weeks. Mark Dantonio, Head Football Coach

25 IT Audit Scope MSU Policies, Best Practices, Guidelines and Resources: ― Libraries, Computing & Technology ― ( - Keyword Search: Computing & Technology ) ―Department Policies and Guidelines IT Industry Standards and Best Practices: ― Information Systems Audit and Control Association (ISACA) ― C ontrol Ob jectives for I nformation and related T echnology (COBIT) ― National Institute of Standards and Technology (NIST) ― – Information Technology \ Computer Security Portal ― ― Computer Security Training, Network Research and Resources ― International Organization for Standardization (ISO) ―ISO 17799 / 27000

26 University Standards & Guidelines LCT Guidelines and Policies ― Managing Sensitive Data ― ―Securing Enterprise Data Disaster Recovery Planning ―

27 Industry Best Practices ISACA- Information System Audit and Control Association NIST 800 Series ―NIST 800- 53 General Controls ― ―Risk Assessment Framework: SANS – SysAdmin, Audit, Network, Security ― ―Audit Focus Site: ―20 Critical Security Controls for Effective Cyber Defense ISO 27000 (Formally ISO 17799-2005) ― ― (tool)

28 Summary of Topics Internal Audit Overview Audit Plan Selection Audit Process Timetable Best Practices

29 Questions

30 Thank You!

Download ppt "“Walking Through an Internal IT Audit” MSU IT Exchange Conference August 12, 2010."

Similar presentations

Ads by Google