Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September."— Presentation transcript:

1 1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September 15, 2008 Presented by Doug Tinch, Illinois Office of Internal Audit Steve Gerschoffer, Crowe Horwath

2 2 2 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 2 Agenda Understanding the Standards: What is at risk? Auditing Standards Scope of IT Audits Pre / Post Implementation Audits Risk Assessment Questions?

3 3 3 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 3 DISCLAIMER Any opinions expressed by Steve and/or Doug (even though they are usually correct) are their own and do not reflect the official positions of either the State of Illinois Office of Internal Audit or Crowe Horwath.

4 4 4 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 4 Highlights of 12 th Annual CSI Survey – source CSI Survey 2007 Average annual loss reported was $350,424 – highest average loss since 2004, up from $168,000 last year 194 responses reported total losses of $66,930,950, up from $52,494,290 (for 313 respondents) in 2006 132 of 454 respondents have cyber insurance policies The top 3 attacks detected were insider abuse of net access, virus, and laptop/mobile device theft Viruses was the leading cause of losses for the last seven years – financial fraud overtook it in 2007

5 5 5 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 5 Top 5 Losses by Type of Attack – source CSI Survey 2007 194 Respondents

6 6 6 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 6 Current Landscape – Costs of a Breach Ponemon Institute Study (November 2007) found that the total cost of a data breach averaged $198 per lost customer record Detection and escalation - $9 Notification - $15 Response and actions taken - $46 Lost business - $128

7 7 7 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 7 Current Landscape – Causes of a Breach From Ponemon Institute, 2007 Annual Study: U.S. Cost of a Data Breach Understanding Financial Impact, Customer Turnover, and Preventative Solutions

8 8 8 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 8 Standards.... What is FCIAA? Fiscal Control and Internal Auditing Act (30 ILCS 10/) Article 1. General Provisions – Section 1002 – CEO of “every State agency is responsible for effectively and efficiently managing the agency and estab- lishing and maintaining an effective system of internal control.”

9 9 9 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 9 Fiscal Control and Internal Auditing Act (30 ILCS 10/) Article 3. Fiscal Controls – “All State agencies shall establish and maintain a system, or systems, of internal and fiscal administrative controls, which shall provide assurance that:…”

10 10 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 10 Fiscal Control and Internal Auditing Act (30 ILCS 10/) Article 2. Internal Auditing – establishes a program of internal auditing, qualifications of chief internal auditor, and internal auditing program require- ments. Section 2003 (a) (3) mandates: “Reviews of the design of major new electronic data processing systems and major modifications of those systems before their installation to ensure the systems provide for adequate audit trails and accountability.”

11 11 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 11 WARNING IF A PRE-IMPLEMENTATION AUDIT IS REQUIRED, AND IS NOT TIMELY PERFORMED, THE OFFICE OF THE AUDITOR GENERAL WILL ISSUE TWO (2) FINDINGS. THE AGENCY WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT HAVING AN AUDIT COMPLETED BEFORE IMPLEMEN- TATION, AND THE IOIA WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT PERFORMING THE AUDIT.

12 12 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 12 Standard Scope of an IT Audit IS General Controls Management and Organization Development and Acquisition On-Line Security (Core Application Systems) Business Contingency Planning Physical Security Computer Operations Outsourced Technology Service Providers

13 13 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 13 Standard Scope of an IT Audit Network Security Assessment Methodology ‘Good Guy’ Approach Standard Scope Policies and Procedures (Security, Incident Response, etc) Anti-Virus Standards Workstation Security Review Network Architecture Network Operating System Security Review Windows Novell Unix

14 14 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 14 Standard Scope of an IT Audit Network Security Assessment Voice Over IP Database Security Mobile Device Security Web Server Security Email Server Security Etc…

15 15 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 15 Internal Penetration Assessment Methodology ‘Bad Guy’ Approach Disgruntled Internal Employee, Unauthorized Individual with Internal Network Access Standard Scope Technical Assessment Physical Social Engineering Document Disposal

16 16 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 16 Internal Penetration Assessment

17 17 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 17 External Penetration Assessment Methodology ‘Bad Guy’ Approach External Hacker Standard Scope Technical Assessment Phone Social Engineering Email Social Engineering Phone Sweep

18 18 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 18 External Penetration Assessment

19 19 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 19 SAS 70 (Statement on Accounting Standards – No. 70) Types of SAS 70’s Level I, Report on Controls Placed in Operation Level II, Report on Controls Placed in Operation & Tests of Operating Effectiveness

20 20 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 20 What Is Evaluated During SAS 70 Audit? A typical SAS 70 Report includes oGeneral Controls oApplication Controls oProcess Controls Organization and Administration Application Maintenance Documentation Computer Operations Hardware and System Software On-Line Security Physical Security Back-up and Contingency Planning e-Business Policies and Procedures

21 21 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 21 SAS 70 – User Control Considerations User Control Considerations Controls which the User Organization should consider but that the Service Provider either: Can not do, Does not take responsibility for, or Is not cost effective.

22 22 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 22 Pre-Implementation Audit Process The Risk Assessment Process Document request 1) RFP (Request for Proposal) 2) Project Charter 3) Design Documents 4) System Objectives 5) Cost/Benefit Analysis 6) Project Time-line

23 23 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 23 Pre-Implementation Audit Process The Risk Assessment Process Management Interview 1) Management synopsis of the project. 2) Details of the project and changes (if any) in time- lines, scope, funding, resources etc. that may not be reflected in original documentation. 3) Any other relevant information that germane to the project.

24 24 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 24 Pre-Implementation Audit Process The Risk Assessment Process IOIA Determination 1) Determination by auditor 2) Review by Supervisor 3) Review by Manager 4) Review by Chief Internal Auditor 5) Issuance of Determination Letter to Agency Director

25 25 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 25 Pre-Implementation Audit Process The Audit Audit Program 1) Audit Trails and Accountability 2) Functionality

26 26 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 26 Pre-Implementation Audit Process The Audit Test Matrix 1) Audit Trails and Accountability a) Logging b) Access controls c) Transmission security d) Application controls (third party hosting) e) Disaster recovery/business continuity 2) Functionality a) With business rules (tech and non-tech) b) User expectations and needs

27 27 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 27 Pre-Implementation Audit Process The Audit Testing 1) Part of User Acceptance Testing Team (UAT) 2) Access to Change (Bug) Control 3) Notify Program Manager of failures immediately 4) Follow-up to determine that all “bugs” are closed 5) Final acceptance by all appropriate parties

28 28 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 28 Pre-Implementation Audit Process The Audit Review and Approval Process 1) Informal pre-Letter issuance conference with management. 2) IOIA Review and Letter issuance to Director prior to implementation 3) Draft report issuance to Director. Formal exit conference if required 4) Agency responses to draft, included verbatim in final report to Director. 5) Subsequent Recommendation follow-up.

29 29 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 29 Questions?

Download ppt "1 1 Horwath InternationalCopyright 2006 Crowe Chizek and Company LLC 1 IT Audits – Understanding the Standards Illinois Digital Government Summit September."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Internal Audit Awareness

Internal Audit Awareness
Introduction to the Investigative Audit Services Group.

Introduction to the Investigative Audit Services Group.
Auditing Computer Systems

Auditing Computer Systems
Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved. 4025 W. Peterson Ave. Chicago, IL.

Forensic and Investigative Accounting Chapter 15 Cybercrime Management: Legal Issues © 2007 CCH. All Rights Reserved W. Peterson Ave. Chicago, IL.
SOX and IT Audit Programs John R. Robles Thursday, May 31, 2007 Tel: 787-647-396.

SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
Security Controls – What Works

Security Controls – What Works
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.

8.1 © 2007 by Prentice Hall 8 Chapter Securing Information Systems.
Information Systems Security Officer

Information Systems Security Officer
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Computer Security: Principles and Practice

Computer Security: Principles and Practice
1 Pertemuan 9 Network Security and E-Commerce Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi: >

1 Pertemuan 9 Network Security and E-Commerce Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi: >
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.
Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.

Session 6: Data Integrity and Inspection of e-Clinical Computerized Systems May 15, 2011 | Beijing, China Kim Nitahara Principal Consultant and CEO META.
Network security policy: best practices

Network security policy: best practices

Similar presentations

Ads by Google