IT Auditing - PowerPoint PPT Presentation

About This Presentation

Title: IT Auditing
Slides: 43
Provided by: Ric110

Transcript and Presenter's Notes

1
IT Auditing
  • Rick Livingood, Ph.D., MCSE, CCNP/DP, CISSP

2
Defining IT Auditing
  • Assesses the controls in use on Information
    Technology assets
  • Should include hardware, software, and network
    infrastructure components
  • Reports on an organization's information systems,
    practices, and operations

3
What are Internal Controls
  • Auditing emphasizes the evaluation of internal
    controls
  • Financial internal controls prevent fraud or
    misrepresentation
  • A financial audit provides outside interests with
    a report on the adequacy of the controls
    maintained by an organization

4
Audit Reporting
  • In the financial realm, the audit report is
    typically known as an Opinion and written as an
    open memo or letter
  • The Opinion gives the auditor's evaluation of the
    observed controls and their validity, including any
    remediation suggested to strengthen controls
    found lacking

5
Difference of IT versus Financial Auditing
  • Though some similarity exists, differences are
    important to understand
  • Financial audits test a control to determine
    whether it can be relied upon, so that additional
    testing of the process can be reduced
  • An IT audit tends to focus on determining risks
    that are relevant to information assets, and in
    assessing controls in order to reduce or mitigate
    these risks

6
Two Major Focuses of an IT Audit
  • General IT Audit covers:
      • Hardware, Operating Systems, Network
        Infrastructure, security
  • Application Audits:
      • Review controls associated with third-party
        (COTS) and custom, in-house developed software
      • Database applications

7
Typical IT Audit Concerns
  • Availability: use of IT assets, typically measured
    against a Service Level Agreement (SLA)
  • Integrity: that the data is acceptably accurate,
    reliable, trustworthy, and timely
  • Confidentiality: is the data accessible only to
    authorized users

8
Understanding IT Controls
  • IT control is a process that provides assurance
    for information and information services, and
    helps to mitigate risks associated with use of
    technology.
  • Two components:
      • Automation of business controls
      • Control of IT

Source for slides 8 to 15: http://www.theiia.org/guidance/technology/gtag/gtag1/
9
Understanding Controls
  • Classification:
      • General Controls
      • Application Controls
  • Classification:
      • Preventive
      • Detective
      • Corrective
  • Classification:
      • Governance controls
      • Management controls
      • Technical controls

10
Hierarchy of Audit Activity
11
Importance of IT Controls
  • Reasons for IT controls, such as:
      • controlling cost
      • remaining competitive
      • protecting information assets
      • complying with laws and regulations
  • Implementing effective IT controls will improve
    the efficiency, reliability, flexibility and
    availability of assurance evidence

12
Roles and Responsibilities
  • Board of Directors / Governing Body
  • Management: define, approve, and implement IT
    controls, or at least understand how IT controls
    are used
  • Auditors:
      • Internal Auditors: provide assurance
      • External Auditors: periodic validation

13
Based On Risk
  • Analyzing Risk:
      • Identify risks
      • Consider risk in determining the adequacy of IT
        controls
      • Define a risk mitigation strategy:
        accept / eliminate / share / control / mitigate
      • Consider baseline IT controls

14
Monitoring Techniques
  • Monitoring: assessing IT controls
  • Choose a control framework
  • Use a proper audit methodology
  • Ongoing monitoring, special reviews, or automated
    continuous auditing

15
Assessment
  • Assessing IT controls is an ongoing process,
    because:
      • business processes are constantly changing
      • technology continues to advance
      • threats evolve as new vulnerabilities emerge
      • audit methods keep improving

16
Types of IT Audits
  • Systems and Applications Relevancy: verifies that
    the IT systems in place are appropriate across
    the IT concerns of the organization
  • Business Continuity: assesses the ability to
    operate during disruptive periods
  • Systems Development: assures that software
    development meets internal and generally accepted
    software development practices

17
Types of IT Audits - Continued
  • IT Management Architecture: reviews IT
    management practices and processes
  • Network Infrastructure: reviews the controls in
    place throughout the networked environment,
    including security of systems, devices, and
    connectivity

18
Collaboration of Effort
  • Where IT Auditing is done in parallel with
    financial auditing, leverage the findings of both
    efforts
  • Financial audits provide insight into IT
    concerns, while IT auditing reviews controls that
    influence financial issues
  • Be proactive, encourage sharing audit information
    and data

19
Legal and Legislative Requirements for IT Auditing
  • SOX: Sarbanes-Oxley Act of 2002
  • GLBA: Gramm-Leach-Bliley Act
  • HIPAA: Health Insurance Portability and
    Accountability Act
  • FERPA: Family Educational Rights and Privacy Act
  • FCPA: Foreign Corrupt Practices Act

20
Elements of an IT Audit
  • Planning
  • Fieldwork and Documentation
  • Issue Discovery and Validation
  • Solution Development
  • Report Drafting and Issuance
  • Issue Tracking and Post-Audit Follow-up

21
Planning for the Audit
  • Review the requirements of the audit: what type
    of audit, and at what level
  • Assess the Internal Controls that need to be
    reviewed
  • Determine what reporting is necessary and
    assemble any checklists or other tools (software,
    etc.) necessary
  • Prepare audit schedule and know who you need to
    interview

22
Fieldwork Documentation
  • Record all relevant information so that the
    history is preserved (Working Papers); this
    provides a trail of activity and discovery
  • Interview relevant participants and review system
    elements
  • Re-evaluate activity as necessary to provide a
    deeper evaluation of concerns
  • Review third-party providers, as necessary

23
Discovery, Validation, and Solution Development
  • Review findings with the relevant parties to
    validate your observations and discuss issues
  • Remediate those concerns that are immediately
    repairable or easily re-configured
  • Where possible, work with the IT staff to
    negotiate changes that fulfill the requirements
    of a control

24
Reporting
  • Prepare a draft Opinion regarding findings
  • Review the draft with associates
  • Prepare a final Opinion for release to the
    customer and other outside concerns, containing:
      • Statement of Audit Scope
      • Executive Summary
      • List of Issues and Action Plan

25
Post Audit Follow-Up
  • Where possible, provide follow-up support to IT
    personnel in remediating issues
  • Schedule follow-up audit reviews
  • Develop a policy for reporting remediation and
    incomplete controls

26
Broad Scope of an IT Audit
  • Entity-Level Controls
  • Data Centers and Disaster Recovery
  • Network Infrastructure and Devices
  • Operating Systems
  • Application, Database, and User Interactive
    Services
  • Mobile Services
  • Company Projects Assessment

27
Entity-Level Controls
  • Overall IT posture of organization
  • Management buy-in to controls, strategic IT
    plans, roadmaps, budgets, etc.
  • General policies in place for IT utilization
  • Risk-assessment measures, IT governance,
    adherence to legal requirements, and licensing
    policy

28
Data Centers and Disaster Recovery
  • Physical and environmental conditions: physical
    security, power, natural and man-made threats,
    emergency services
  • Capacity planning and services availability
  • Data recovery: backup on site and off site
  • Recovery planning and operational continuance
    planning

29
Network Infrastructure
  • Routers, switches, firewalls, and other network
    devices and applications (IDS, spam filtering)
  • Configuration evaluation and recovery
  • Security and monitoring
  • Physical security
  • Detection system analysis
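
The configuration evaluation item above is the one that lends itself best to automation. The following is an added example, not code from the presentation or from its author: it parses a constructed Cisco-IOS-style configuration excerpt and tests it against a small set of hypothetical baseline controls (the NET-n identifiers are labels invented for this example, not from any published framework), keeping the offending configuration line as evidence so that each finding can go straight into the working papers.

```python
"""Added example, not code from the presentation: a baseline check of a
network device configuration, covering the "configuration evaluation" item of
the Network Infrastructure slide.  The config text is a constructed,
Cisco-IOS-style excerpt; the control IDs (NET-1 ...) are hypothetical labels
chosen for this example, not from any published framework.
"""
import re
from dataclasses import dataclass

# Constructed running-config excerpt with several weak settings left in on purpose.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
no service password-encryption
ip http server
snmp-server community public RW
logging buffered 16384
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    control: str      # hypothetical control ID for this example
    severity: str
    evidence: str     # the config line(s) the finding rests on (working-paper trail)
    description: str


def parse_config(text):
    """Split IOS-style config text into top-level commands and indented stanzas."""
    top, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if current is not None:
                stanzas[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            stanzas[current] = []
    return top, stanzas


def audit_config(text):
    """Return the list of control failures found in the configuration."""
    top, stanzas = parse_config(text)
    findings = []
    has_enable_secret = any(l.startswith("enable secret") for l in top)
    for line in top:
        if line.startswith("enable password") and not has_enable_secret:
            findings.append(Finding("NET-1", "high", line,
                "privileged-mode password stored clear or reversibly; use 'enable secret'"))
        if line == "no service password-encryption":
            findings.append(Finding("NET-2", "medium", line,
                "line and user passwords are stored in clear text in the config"))
        if line == "ip http server":
            findings.append(Finding("NET-3", "medium", line,
                "web management interface reachable over unencrypted HTTP"))
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if m and (m.group(1).lower() in DEFAULT_COMMUNITIES or m.group(2) == "RW"):
            findings.append(Finding("NET-4", "high", line,
                "default or write-enabled SNMP community string"))
    for header, body in stanzas.items():
        if not header.startswith("line vty"):
            continue
        for cmd in body:
            if cmd.startswith("transport input") and "telnet" in cmd.split():
                findings.append(Finding("NET-5", "high", f"{header}: {cmd}",
                    "telnet permitted on a VTY line (clear-text remote administration)"))
    if not any(l.startswith("logging host") or re.match(r"logging \d+\.\d+\.\d+\.\d+", l)
               for l in top):
        findings.append(Finding("NET-6", "medium", "(no 'logging host' command present)",
            "no remote syslog destination: logs exist only on the device itself"))
    return findings


def failed_controls(text):
    """Sorted, de-duplicated control IDs that failed; handy for a summary table."""
    return sorted({f.control for f in audit_config(text)})


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"{f.control} [{f.severity}] {f.description}\n    evidence: {f.evidence}")
```

Running it against the sample produces one finding per control, NET-1 through NET-6; only the first VTY stanza is reported for NET-5, because the second one already restricts `transport input` to SSH. The stanza parser is what keeps the telnet check honest: a `transport input telnet` line is only a finding on a VTY line, and the indentation is the only thing that tells you which stanza a command belongs to.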

30
Operating Systems
  • Operating system selection and administration
  • Patch management
  • Security policy and administration
  • Group Policy, password administration, share
    administration
  • Services lockdown: disabling unnecessary
    services
  • Logging characteristics and evaluation
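
Most of the items above can be tested from evidence that is easy to collect automatically, which is what the automated continuous auditing mentioned on the Monitoring Techniques slide amounts to in practice. The following added example (not code from the presentation or its author) does that for password administration, service lockdown, logging and patch management on a Linux host: the login.defs excerpt, unit-file listing and pending-patch report are constructed sample evidence, and the OS-n control identifiers, the approved-service baseline and the thresholds are hypothetical values chosen for the example. Each finding is tagged with its control type, following the preventive/detective/corrective classification on the Understanding Controls slide.

```python
"""Added example, not code from the presentation: automated checks of
operating system control evidence for the Operating Systems slide (patch
management, password administration, service lockdown, logging), done the way
the "automated continuous auditing" item on the Monitoring Techniques slide
suggests.  All evidence strings are constructed; the control IDs (OS-1 ...),
the approved-service baseline and the thresholds are hypothetical values chosen
for this example.
"""
from dataclasses import dataclass
from datetime import date

# Constructed excerpt of /etc/login.defs (password aging and length policy).
LOGIN_DEFS = """\
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""

# Constructed 'systemctl list-unit-files' style output (first line is the header).
UNIT_FILES = """\
UNIT FILE          STATE
sshd.service       enabled
rsyslog.service    enabled
telnet.socket      enabled
cups.service       enabled
auditd.service     disabled
"""

# Constructed pending-patch report: (package, vendor severity, advisory date).
PENDING_PATCHES = [
    ("openssl", "critical", date(2024, 3, 1)),
    ("vim", "low", date(2024, 5, 20)),
]

# Hypothetical baseline the evidence is tested against.
BASELINE = {
    "pass_max_days": 90,
    "pass_min_len": 14,
    "approved_units": {"sshd.service", "rsyslog.service", "auditd.service", "chronyd.service"},
    "patch_sla_days": {"critical": 14, "high": 30, "medium": 90, "low": 180},
}


@dataclass
class Finding:
    control: str        # hypothetical control ID
    control_type: str   # preventive / detective / corrective, as on the Understanding Controls slide
    evidence: str       # what was observed (goes into the working papers)
    description: str


def parse_login_defs(text):
    """Return KEY -> value for the non-comment lines of a login.defs file."""
    values = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            values[parts[0]] = parts[1]
    return values


def parse_unit_files(text):
    """Return the set of unit names whose STATE column is 'enabled'."""
    enabled = set()
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled":
            enabled.add(parts[0])
    return enabled


def audit_os(login_defs, unit_files, patches, as_of, baseline=BASELINE):
    """Test the collected evidence against the baseline; return the failures."""
    findings = []
    pw = parse_login_defs(login_defs)
    max_days = int(pw.get("PASS_MAX_DAYS", "99999"))
    if max_days > baseline["pass_max_days"]:
        findings.append(Finding("OS-1", "preventive", f"PASS_MAX_DAYS {max_days}",
            f"password expiry exceeds the {baseline['pass_max_days']}-day limit"))
    min_len = int(pw.get("PASS_MIN_LEN", "0"))
    if min_len < baseline["pass_min_len"]:
        findings.append(Finding("OS-2", "preventive", f"PASS_MIN_LEN {min_len}",
            f"minimum password length below {baseline['pass_min_len']}"))
    enabled = parse_unit_files(unit_files)
    for unit in sorted(enabled - baseline["approved_units"]):
        findings.append(Finding("OS-3", "preventive", f"{unit} enabled",
            "service enabled that is not on the approved baseline"))
    if "auditd.service" not in enabled:
        findings.append(Finding("OS-4", "detective", "auditd.service not enabled",
            "kernel audit logging is off, so privileged actions leave no trail"))
    for package, severity, published in patches:
        age = (as_of - published).days   # age relative to the audit date, so runs are repeatable
        if age > baseline["patch_sla_days"][severity]:
            findings.append(Finding("OS-5", "preventive", f"{package} ({severity}) pending {age} days",
                f"patch outstanding beyond the {baseline['patch_sla_days'][severity]}-day SLA"))
    return findings


if __name__ == "__main__":
    for f in audit_os(LOGIN_DEFS, UNIT_FILES, PENDING_PATCHES, as_of=date(2024, 6, 1)):
        print(f"{f.control} ({f.control_type}): {f.description}  [{f.evidence}]")
```

With the sample evidence and an audit date of 2024-06-01 the check reports six failures: the two password settings, the two services outside the approved baseline (cups and telnet), the missing auditd, and the critical openssl patch that has been pending for 92 days against a 14-day SLA; the low-severity vim update is within its window and is not reported. Passing the audit date in as a parameter rather than reading the clock is deliberate: a continuous-auditing job that is re-run against archived evidence must produce the same findings it produced at the time.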

31
Application, Database, and User Interactive
Services
  • Evaluation of applications, including licensing,
    usage, and updates
  • Database server analysis, including security,
    performance, and utilization
  • Web and Internet-based applications, including
    logging and security
  • User education related to Internet and Email usage

32
Mobile Services
  • Evaluate the WLAN system upgrade policy, its
    status, and the encryption/security method in use
  • Verify access methods and security
  • Evaluate the coverage area of the signals

33
Company Projects
  • Audit project requirements gathering processes
  • Project documentation and change management
  • Investigate schedule, budgets, and project
    reporting for consistency and credibility
  • Evaluate project testing and security planning

34
Audit Concerns at a High Level
  • There are a number of concerns that should be
    reviewed at a high level:
      • Adequate retirement and replacement programs
      • Licensing and software reporting concerns
      • Change Review Board (CRB) management
      • Staff experience and expertise
      • Threat, breach, and disaster recovery plans and
        the ability to carry them out

42
Questions
  • Rick Livingood
  • Email: RickL@1hand.net or Rick.Livingood@vwestcu.org
  • PES (Professional Enterprise Solutions)
  • Terry Mongalier (tmongalier@pes-it.com)
  • Info on Altiris Enterprise Software