CObIT Implementation in BC Credit Unions - PowerPoint PPT Presentation

Provided by: isacava
Slides: 55

Transcript and Presenter's Notes

1
CObIT Implementation in BC Credit Unions
  • and Other Random Thoughts
  • Presented by Scott Starnaman, MBA, CISA
  • Practice Leader, IS Services and Wealth
    Management, PRA Group
  • ISACA Luncheon, March 14, 2006

2

PRA Group is an organization
of 20 risk management and business intelligence
professionals serving nearly 40 organizations
throughout Western Canada. Our team consists
of CISAs, CISSPs, CAs, CMAs, CFAs, CIAs, Wealth
Management, and Forensic Audit professionals.
Our financial services customer asset base
exceeds $12 billion and includes some of Canada's
largest credit unions, securities regulators, as
well as federally chartered banks. We began
operations in 1985 and recognized the value of
outsourcing our skill sets and leveraging common
industry insights long before the recent trends
in Enterprise Risk Management (ERM) and Internal
Audit.
3
Who Am I?
  • Financial services industry and IT VAR background
  • Information systems auditor of BC Credit Unions,
    financial industry regulators, and other
    companies
  • Work for a management consulting firm that
    provides outsourced internal audit, ERM
    consulting, continuous monitoring services,
    forensic audit, data warehousing and reporting,
    and management consulting services

4
Welcome and Thank You for Coming!
  • And you are?

5
What Are We Going to Discuss Today?
  • Challenges to CObIT implementation and audit in
    the real world
  • How do IT auditors facilitate the implementation
    of CObIT governance and control in an
    organization?
  • I have my CISA, now how do I create and
    implement an audit program?
  • ERM, ERA, and electronic audit tools
  • This is why we do what we do!

6
Let's Start the Session with an Argument!
  • Is it IT or IS?
  • Why?

7
Why Was CObIT Selected for BC Credit Unions?
  • Audit and control focus
  • CObIT covers all areas of IT risk
  • CObIT auditing is easily scalable from
    single-branch operations to large financial
    institutions

8
Why Is CObIT Implementation Difficult?
  • IT people aren't auditors by training or nature;
    risk and control may be foreign concepts to them
  • Auditors and IT people speak different languages
    and sometimes have difficulty understanding each
    other's needs
  • IT staff are generally very busy with project
    work (because that's the fun part of their job;
    maintenance and control is boring).
  • There are other options; CObIT has competition

9
Why We Must Reject Those Reasons!
  • Historically, IT practitioner training has not
    covered the subjects of risk, control, and audit
    very well. Experience has taught us that these
    subjects are of the utmost importance!
  • Viruses, worms, phishing attacks, and the like,
    have opened the world's eyes to IT risks
  • Sound corporate governance and ERM mandates
    review of risks and controls, and demands
    reporting thereof
  • IT control frameworks other than CObIT offer
    modules for various operational requirements, but
    still do not necessarily address risk assessment,
    control design and implementation, and monitoring
    sufficiently
  • It is no longer acceptable for an IT department
    to say it is so busy with project work that it
    has no time to mind the store.

10
How Do We Approach IT Management with CObIT?
  • Start by asking IT Management if they have
    reviewed the various IT control frameworks and
    selected and implemented one of them. One of two
    things will happen:
  • Management will say something like, "Of course,
    we use the principles of ITIL," or, "We have
    selected the appropriate MetaGroup (now part of
    Gartner Group) modules that apply to our
    operations," or
  • Management will say, "What do you mean by
    'control framework'?"

11
If Management Claims to Be Using a Framework
  • Then it's easy. Just overlay the CObIT audit
    framework.
  • Do a complete audit using CObIT and determine if
    there are material risk areas that are not
    covered in the existing control framework
  • Discuss control weaknesses with IT Management;
    obtain their buy-in that these risks are
    significant enough to warrant creation of better
    controls
  • Have IT Management provide Audit with its
    time-specific action plans
  • Report on control weaknesses and IT Management's
    action plans to executive management and the
    Board as would normally be done. Make a
    statement about the overall state of control in
    the IT department. Follow up on action plan
    status

12
If IT Management Doesn't Understand the Concept
of a Control Framework
  • Then you really have your work cut out for you!
  • Discuss the control framework concept with IT
    Management and assess the likelihood of buy-in.
    If IT Management buys in, move directly to the
    top of the food chain: the Board.
  • If IT Management doesn't buy in, move up to the
    next reporting level, hopefully a member of the
    executive, and explain the importance of IT
    control frameworks. Determine if the
    organization has undertaken ERM or some form of
    risk assessment so that you're speaking the same
    language and have a common interest.
  • Move on to the Board and have your work trickle
    back down the chain of command to IT Management

13
Educating the Board
  • Determine the Board's appetite for risk and sound
    corporate governance
  • Is the Board aware of the IT risks that face
    the organization?
  • If the whole Board isn't interested in the
    subject, try to at least engage the Chair of the
    Audit Committee
  • Arrange to do a presentation to the Audit
    Committee about IT risks and potential outcomes
  • Obtain buy-in from the Board that risk and
    strategy go hand-in-hand; strategy should
    never cause the organization to take on risk
    beyond its comfort limit
  • Outline the Board's responsibility in providing
    oversight to the firm concerning IT risk
    management
  • Help the Board create an IT governance policy

14
Board Level IT Governance
  • What is the Board's Role?
  • This is the toughest question in the whole
    process!
  • Most directors don't know much about IT, yet they
    have the oversight responsibility for IT in the
    firm. This scares them a little
  • Creating a Board-level IT policy is also daunting
  • How do you delineate Board vs. Management
    responsibility?

15
Board Level IT Governance Policy
  • Objective is to outline a structure for IT
    governance, policy, control structure, and
    procedures that will allow the organization to
    meet its strategic goals without undertaking
    excess risk
  • In short, the Board defines its means of
    oversight of IT through management project- and
    exception reporting, and review of
    management-created IT policies
  • The Board requires management to create IT
    policy and supporting procedures, establish safe
    and reliable facilities, research and select the
    IT infrastructure to be used, and select,
    install, and maintain applications to be used
  • IT management should participate in the creation
    of the firm's strategic plan and create IT
    operating plans to help achieve strategic goals
  • IT management should report to the Board through
    the CEO about project success and how progression
    through the IT operating plan is helping the firm
    achieve its strategic goals
  • Delegation of responsibility to ensure things get
    done is paramount.

16
So Much for the Perfect World!
  • Well, that was easy, wasn't it?

17
Welcome Back to Reality
  • Let's look at some real life issues and scenarios
    that keep the lives of IT auditors interesting...

18
Buy or Build an IT Audit Program?
  • A little of both - build on CObIT!
  • Make your audits customizable for use with any
    client; remember IT risks and potential
    consequences are constantly changing
  • Create several different audits that cover the
    CObIT domains, covering the key risk areas in
    your organization:
  • Planning: CObIT Plan & Organize
  • IT Infrastructure: CObIT Acquire & Implement
  • IT Operations: CObIT Deliver & Support
  • IT Monitoring and Control: CObIT Monitor &
    Evaluate

19
IT Audit Program
  • Make it ongoing, perhaps a 2- or 3-year rotation,
    focusing more often on key risk areas, i.e. weak
    management/capacity/resource issues
  • Maintain records of all findings and track
    Management's action plan progression
  • Participate in ongoing risk assessments, even if
    just as a reviewer of Management's risk
    assessment
  • Ensure sufficient audit budget! Sometimes
    testing requires IT staff for access. Sometimes
    it requires provision of administrator level
    reporting or data extraction. Sometimes it
    requires expensive audit tools.

20
Our Challenges in IT Audit Program Development
  • Before building upon CObIT, we built each audit's
    plan, testing, and workpapers from scratch →
    excess customization, and somewhat inefficient
  • We were constantly reinventing the wheel →
    created potential for missed audit steps and
    missed identification of key risk issues
  • Early on, we focused on the right risks for the
    wrong reasons → key IT risks have changed between
    1999 and 2006

21
Auditee Challenges 1: Deferral
  • Deferral happens even after the annual audit plan
    has been approved
  • It's a game of cat and mouse
  • There isn't much you can do about it

22
Auditee Challenges 2: Scope Change
  • This is a sneaky variation on deferral
  • It also happens after the annual audit plan has
    been approved
  • Meet the auditee halfway; ensure that
    significant risks are addressed within the
    changed scope of the audit
  • Revise the audit plan to cover missed areas in
    the next audit cycle

23
Auditee Challenges 3: Ignorance
  • Beware of the IT manager who thinks that the
    biggest risk to the firm is malware
  • Be even more vigilant if senior management tells
    you that, "We trust our staff implicitly."
  • The biggest IT risk facing companies was, is, and
    always will be their employees
  • 70% of all IT risks, including fraud, are
    introduced and/or perpetrated by trusted
    insiders.
  • IT risks can be introduced accidentally or
    intentionally

24
How Do We Deal with Ignorance?
  • Educate IT Management and the Executive
  • Turn them on to IT knowledge sites like ZD Net,
    TechRepublic, and the SANS Institute to name a
    few
  • Give them time to see the errors in their ways.
    (Go ahead, ask me to tell you the Mr. A55h0le
    story now.)

25
Auditee Challenges 4: Ego
  • IT people tend to have Dr. Frankenstein-like
    egos. (Ask me why and about the research that's
    been done.)
  • Auditors also have egos, or at least thick skins
    developed from years of abuse at the hands of
    auditees!
  • Succeed by winning the battle, not the war.
    Don't get into an ego fight with an auditee.
    Odds are you'll lose
  • (Insensitive sports metaphor) When it comes to
    improving the overall risk environment, just try
    to move the ball up the field with each audit;
    don't try to score game-winning goals all the
    time!

26
Auditee Challenges 5: Politics
  • Determine if the top IT manager has higher
    aspirations for his place in the firm. It is not
    unheard of for IT executives to become CEOs these
    days.
  • Exercise caution if this is the case. Ensure
    your findings are all valid; no reporting on
    potential vulnerabilities allowed
  • Are the daggers out? Is someone gunning for the
    head(s) of IT Management?

27
How to Survive the Politics
  • Hold an exit interview with IT Management so that
    the draft report doesn't deliver any surprises
  • Accurately report on issues in plain language.
    Do not use any jargon, TLAs or EFLAs in the Audit
    Committee Report
  • Don't allow your language to hang the auditee;
    encourage IT Management to use the discussion
    draft to provide "wordsmithing" input
  • When reporting to audit committees, don't discuss
    any issue that isn't worth a five-minute round
    table discussion amongst the directors. Be
    sensitive to other concerns.
  • If IT Management is thoroughly uneducated or
    incompetent, it is your duty to report this
    upward to the next level of Management and, if
    necessary, to the Board

28
Auditee Challenges 6: Disagreement
  • Try to determine why your auditee disagrees with
    your findings.
  • If Management takes a finding "under advisement",
    what do you do next? → Talk to them and determine
    if your meaning came across clearly in print
  • Are you comfortable with the residual risk of
    Management taking no action?
  • If not, discuss the issue with the auditee again,
    explaining your position. Then, if necessary,
    discuss the issue with the next level of
    management up
  • If that doesn't work, in plain language, discuss
    the risk and potential outcomes at the present
    control level in the next Audit Committee report
    and advise that, "Management has accepted the
    risk," at which point your job as auditor is
    done.

29
Drop-Dead Assignments, i.e. Your Boss Wants You
to Conduct a Firewall Audit in Two Weeks
  • You've never audited a firewall before and
  • Your company/audit department doesn't have a
    firewall audit plan/test templates available or
    a knowledge base.
  • What do you do?

30
First, Admit Personal Defeat
  • It is unethical to conduct an audit for which you
    have no skill, training, or practitioner
    background.

31
Second, Find Someone Who Has the Necessary
Background
  • Get a co-worker to help, or co-source a competent
    firewall expert or auditor
  • Ensure your co-sourced assistant follows CObIT
    domain/sub-domain/control objectives guidelines

32
Third, Lead the Assignment
  • Be the boss! Guide the co-sourcer's work; edit
    the co-sourcer's report to the expected deliverable
    format
  • Learn at least enough about the subject matter to
    be able to explain all findings, good and bad, in
    layman's terms to senior management and the Board
  • Follow through on management's action plans;
    don't rely on your co-sourced auditor to do it.

33
Modern ERM and Audit Tools
  • Myth: They're expensive. Who needs 'em?
  • Reality: Good ones aren't necessarily expensive.
    They change the way you use your time.
  • They make planning easier and allow for more face
    time with auditees because they automate most of
    the reporting process.
  • They also provide a means to keep electronic
    workpapers that allow compliance with IIA
    Standards and passing of IIA QAR reviews.

34
Audit Tool Use in the CObIT Environment
  • We use Methodware

35 to 41
(No Transcript)
42
ERM Software Executive Dashboard
43
ERM Software Executive Dashboard
44
ERM Software Tracking Key Risk Indicators
45
Why We Do This!
  • This is the slide that's supposed to be at the
    beginning of the presentation containing Enron,
    Tyco, and Worldcom logos, right?
  • Nope.

46
Why We Do This!
  • A brief history of the actions of computer bad
    guys in a single bullet point
  • Outsiders: Telephone phreakers (30-35 years ago)
    → early computer viruses (20 years ago) →
    jokeware → dialers → backdoors, Trojan horses,
    and rootkits → worms and macro viruses → remote
    control programs → spyware and adware, including
    keystroke loggers and browser hijackers →
    identity theft (phishing) → bot nets
  • With the exception of jokeware, this list also
    indicates an increasing level of risk.

47
Let's Have Some Fun: Spot the Real Hacker
48
Let's Play Again
49
The Risks of Greatest Concern to FIs
  • External Risks
  • Hackers are no longer pimply-faced kids who
    just want to format your C-drive for kicks.
  • Now they're pimply-faced teenagers and young
    adults who want to take control of your computer
    and rent out its CPU and communications time for
    use by organized crime. In short, they're coming
    for your money.

50
The Risks of Greatest Concern to FIs
  • External Risks
  • Phishing → Identity Theft
  • Spyware & Rootkits
  • Remote Control apps/Bot Nets
  • Spam and Other Bandwidth Thieves
  • The latest breed of externally placed malware
    tries to keep a low profile

51
The Risks of Greatest Concern to FIs
  • External/Internal Risks: Organisms That Inhabit
    Your Computer
  • Viruses
  • Trojan horses
  • Worms

52
The Risks of Greatest Concern to FIs
  • Internal Risks - Employees
  • Unauthorized Data Access
  • Trojan Horses
  • Sale of Customer Information
  • Unauthorized Use of Bandwidth (Ask me about the
    most expensive songs ever stolen!)

53
Computer Crime: How Much Money Are We Talking
About?
  • The FBI advised that computer crime cost US
    businesses $67.2 billion in 2005. Results from
    a survey of 2066 organizations where 64% (1324)
    suffered financial loss from computer crime over
    the past 12 months
  • Average cost was $24,000 per company. Adjusted
    for likelihood of response, the FBI estimated 20%
    of all firms would have been affected by one
    incident in 2005.
  • Respondents spent $12 million on malware
    incidents, $3.2 million on theft, $2.8 million on
    financial fraud, and $2.7 million on network
    intrusions
  • Preventative measures: 4% of firms used
    biometrics, 7% smartcards, 24% use IPS/IDS and
    46% use VPNs
  • 84% of firms had virus problems, 80% had spyware
    trouble and 33% indicated hackers used port
    scans on them
  • 44% reported intrusions within the company
  • Source: TechRepublic article, 19-Jan-06

54
Are There Any Questions?
  • Thank you all for your attendance and
    participation!