Technology

1
Technology Security Risk Services
TSRS 10/12/05

• October 12, 2005
• CSUN MISA Meeting

2
Introductions

• Debbie Lew
• Manager 4
• School Attended York University (yes, thats in
  Canada)
• With the Firm 1 year
• Over 15 years in industry IT Audit, Project
  Management, Strategic Planning, Marketing
• Past President of the Los Angeles Chapter of the
  Information Systems Audit and Control Association
  (ISACA). Currently on the International ISACA
  Audit Committee representing membership.
• Isaac Clarke
• Staff 2
• School Attended - BYU and UVA
• With the Firm - 1 years

3
Overview of Ernst Young
Relationships
Brand

• Global professional services firm with over
  100,000 people in 700 locations and 140 countries
• We operate under a global market strategy and
  have a strong value system
• Our culture is Peoplefirst
• We believe in Quality in Everything We Do.
• We have diverse business career opportunities
  available

Market Leadership
Reputation
Share
Q U A L I T Y
P E O P L E
G R O W T H
EXECUTION
EXECUTION
OPERATIONAL EXCELLENCE
ACCOUNT-CENTRICITY
SHARED VALUES
GLOBAL MINDSET
4
Where is TSRS within Ernst Young?
5
What Does TSRS Do?

• Computer Control Reviews
• ERP Integrity Reviews
• Continuity Availability
• IT Effectiveness Reviews
• SAS No. 70
• Business Risk Services
• Risk Assessment Methodology
• Data Analysis Review
• Sarbanes-Oxley Section 404

6
Computer Control Reviews (CCR)

• Also known as General Controls Review (GCR) or
  General Network Controls (GNC)
• Performed as part of the financial statement
  audit to identify and evaluate the information
  technology controls that impact the preparation
  of the companys financial statements
• Significant Areas
• Program Change Controls
• User Access Controls
• Logical Security
• Application Controls
• Computer Operations

7
ERP Integrity Reviews

• Review ERP Solutions such as SAP, Oracle,
  PeopleSoft and J.D. Edwards
• Review other less commercialized software
• Review the integrity of the key business
  processes, the application, and the underlying
  infrastructure
• Key focus on the design of the controls form a
  roles and responsibilities perspective at the
  application level
• Deliverables Include
• Detailed observations and recommendations report
• Specific vulnerabilities related to security
  parameters
• Suggestions to mitigate identified weaknesses

8
Continuity Availability (CA)

• Also known as Business Continuity Planning (BCP)
• Review a clients business to ensure that
  critical systems, processes or data will not be
  substantially impacted should a disaster occur
• EY makes recommendations on current CA
  practices and documentation
• EY also develops both automated and manual
  solutions to help the company maintain the
  availability of critical business processes and
  data

9
IT Effectiveness Reviews

• EY determines if IT is properly aligned with the
  clients business strategies
• Includes a formal review of current business
  requirements, key business processes, the current
  IT infrastructure, including hardware, software,
  and personnel
• Also a review of IT related budgeted and spending
  can be performed.

10
SAS No. 70 Service Auditor Examinations

• Examine processes and controls at third party
  service organizations that are relevant to user
  organizations and their auditors.
• EY renders an opinion regarding the design and
  operating effectiveness of the service
  organizations controls.
• EYs service auditors report is then available
  for distribution to the clients customers and
  their auditors

11
Business Risk Services (BRS)

• Engagements include the following
• Assessing the clients current IT internal audit
  function
• Supplementing existing resources in specific
  areas
• Providing a full IT audit function
• Some types of engagements that fall under the BRS
  umbrella include
• Application reviews
• Process reviews
• Disaster Recovery Plan reviews

12
Risk Assessment Methodology

• Engagements consist of gaining client
  requirements, understanding current security
  programs, and identifying current controls in
  place to create a customized risk assessment
  methodology.
• The methodology uses a weighted,
  questionnaire-based tool, supported by a detailed
  methodology that specifies the logistics of the
  program to help the client identify risks at the
  people, process, and technology levels

13
Data Analysis Review

• Data Analysis services are designed to improve
  decision-making, reduce project delivery
  time/costs, and effectively manage and analyze
  risks.
• Engagements consist of examining raw client data
  and producing reports for client management that
  summarize and analyze the data.
• Routine computer assisted audit techniques
  (CAATs) are processed at our shared analysis
  center (ISAC) in Cleveland, Ohio.
• Tools used
• ACL and Microsoft Access

14
Sarbanes-Oxley Section 404 Assistance

• EY reviews a Companys current internal controls
  documentation.
• Recommendations are made on ways to improve their
  documentation.
• For certain clients, EY can assist the client in
  documenting the clients current internal
  controls.
• Reviews are performed in preparation for SOA
  Section 404 requirement for FY after 6/15/04.

15
TSRS Geographic Coverage

• 4 Primary Marketplace Areas
• West Coast
• Central, including Canada
• North East
• South
• 13 Geographic TSRS Areas
• West Coast Marketplace
• Security Technology Solutions Team
• Pacific Northwest IT Risk Team
• Pacific Southwest IT Risk Team
• We have approximately125 PNW and 85 PSW TSRS
  professionals in the West Zone

16
West Zone Industry Focus

• Technology, Communication Entertainment
• Life Sciences
• Retail, Manufacturing and Distribution
• Financial Service Industries
• Real Estate
• Health Care

17
Pacific Southwest Office Locations

• Offices
• Woodland Hills
• Los Angeles
• Irvine
• San Diego
• Denver
• Phoenix
• Las Vegas
• Honolulu

18
Ernst Youngs Values

• Our values reflect how we work and interact with
  our colleagues, serve our clients, and engage our
  stakeholders.

19
People FirstBuilding a Culture

• Talent
• Motivation
• Satisfaction
• Business Success

20
Praise for EY culture
21
As a Part of Our Team

• You will be challenged
• as much as you can handle as soon as you can
  handle it
• You will learn
• School after school
• You will have choices
• Career opportunities in all areas of the firm
• You will make friends
• Co-workers, clients, etc.
• You will have fun
• what its really all about

22
Education at Ernst Young

• Orientation TSRS Training
• New hire orientation
• TSRS training locally
• Continuing Education
• Re-imbursement for CPA fees and other TSRS
  certifications
• Audit focus on the COBIT framework
• Certifications CISA, CISSP, CPA
• Financial audit rotation available in order to
  obtain CPA hours
• Increased training on Sarbanes Oxley Section 404

23
Questions?