Audit Services - PowerPoint PPT Presentation

1 / 30

About This Presentation

Title:

Audit Services

Description:

173,000 social security numbers compromised ... Ophthalmology. Psychology. Brown Cancer Center. Family and Community Medicine Clinics ... – PowerPoint PPT presentation

Number of Views:38

Avg rating:3.0/5.0

Slides: 31

Provided by: auditse

Category:

more less

Transcript and Presenter's Notes

Title: Audit Services

1

Audit Services

2
Security Breaches in Higher Ed

Ohio University - 2006
The Damage
5 separate systems breached
173,000 social security numbers compromised
367,000 personal files exposed (some for over 13
months)
33 reports by alumni about possible identity
theft
The Reaction
8,000 calls to information hotline set up to
field concerns
800 e-mails and complaint letters received
34,000 hits on universitys data security web
site
The Cost
77,000 spent to notify students and alumni of
breach
750,000 in 21-day emergency response expenses
for hardware and consulting
4 million allotted by board of Trustees to
secure systems
2 IT administrators fired
1 CIO resigned
Source The Chronicle of Higher Education
September, 2006

3
Mission

To provide independent and objective assurance
and consulting services designed to add value and
improve the Universitys operations
and to help the University accomplish its
objectives by bringing a systematic, disciplined
approach for evaluating and improving the
effectiveness of risk management, control, and
governance processes.

4
Organization
5
Risk Assessment Process

Annual Process
Meet with President,VPs,Deans
Solicit suggestions for the audit plan
What do our peers audit?
Results of prior audits
How would it read in the paper
Experience

6
Risk Assessment Criteria

Internal Control Structure
Complexity of Activity
Dollar Volume/Materiality
Public Exposure/External Influences
Changes in Procedures/Personnel

7
Key Risk Categories

Compliance - Regulatory
Research Grants Contracts
Human Subjects
Medicare/Medicaid Billing
NCAA

8
Key Risk Categories

Information Technology
PeopleSoft Implementations
Information Security (Network,Wireless,Desktop,Ap
plication)
Departmental Information Systems
System and Data Backup Procedures
Compliance with Regulations

9
Key Risk Categories

Financial/Operational
Student Retention/Graduation Rates
Budgetary
Advancement
Health Science Center Clinics/Departments
Procurement/Construction Processes

10
Audit Plan2006/2007
Audit Name
Audit Name

Construction Contracts
IT Department
Athletics Capital Construction Funding
Sponsored Program Accounting
Equine Management
Expense/Cost Transfers
Ophthalmology
Psychology
Brown Cancer Center

Family and Community Medicine Clinics
PeopleSoft Application
Procurement Card Application
University Reports
Computer Account Management System
Firewalls
Institutional Compliance
PeopleSoft Consulting
Requested Audits

11
Audit Process

Planning
Budget
Risk Assessment
Scope and Objectives
Engagement Memorandum

12
Audit Process

Fieldwork
Policies and Procedures
Sampling
Testing
Assessment
Exceptions
Closing

13
Audit Process

Report
Summary of Work Performed
Issues
Action Plans
Implementation Dates
Issued to Audit Client, Directors, Deans, VPs,
Provost and President

14
Audit Process

Follow-up
Twice Yearly
Status of Open Issues
Issued to VPs, Provost and President
Annual Report to Audit Committee
Overview of Audit Activities
Summary of Audit Reports Issued

15
What Is IT Audit ?

Definition
An examination of the controls within an
entitys information technology infrastructure
Purpose
To review and evaluate an organizations
information technology availability,
confidentiality and integrity
Availability Is the technology accessible at
all times when required?
Confidentiality Is information disclosed only
to authorized users?
Integrity Is the information provided by the
technology complete, accurate, timely and
reliable?

16
Types of IT Audits

Systems and Applications
Verify that systems and applications are
appropriate to the entitys needs, process
efficiently and are adequately controlled to
ensure valid, reliable, timely and secure input,
processing and output.
Example Procurement Card Application Audit
Information Processing Facilities
Verify that processing facilities are
appropriately controlled to ensure timely,
accurate and secure processing of systems and
application under normal and potentially
disruptive conditions.
Example Data Center Security Audit

17
Types of IT Audits

Systems Development/Change Control
Verify that systems and applications are
developed and maintained in accordance with
established policies and procedures.
Example IT Application Change Control Audit
IT Management
Verify that management has established an
effective organization structure and has
implemented procedures to ensure a controlled and
efficient environment for information processing.
Example IT Operations Center Audit

18
Types of IT Audits

Telecommunications/Networks
Verify that controls are in place to ensure that
the entitys networks are properly managed and
secured. Includes wireless access, web access,
firewalls.
Example Wireless Network Audit
Security
Verify that systems, applications and data are
properly secured against unauthorized access,
disclosure and modification. May also include
physical security assessments.
Example Workstation Security Audit

19
Regulations and Legislation

Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability
Act (HIPAA)
Graham-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Payment Card Industry Data Security Standards

20
Top IT Risk Areas at U of L

2006-2007 Audit Risk Assessment
PeopleSoft Grants Application
Network Security
Payroll Interfaces
Computer Account Management System
PeopleSoft Payroll Application
University Firewall System

21
Recent IT Audits

Departmental E-mail Systems
Assessed management and administration of
selected departmental e-mail systems
Evaluated security, back-up, disaster recovery
Recommended formal policies be established for
systems operated outside of enterprise framework
Request/approval process
Security standards logical and physical
System backup standards
Disaster recovery planning

22
Recent IT Audits

PeopleSoft Application Security
Evaluated security administration for PeopleSoft
financial management, student administration and
human resources applications
Tested selected security tables and user accesses
Recommended policies and procedures be improved
Process for modifying and monitoring access for
transferred and terminated employees
Standardization of access request and approval
process
Strengthen management of user accounts and access
capabilities

23
Recent IT Audits

Wireless Networks
Assessed the extent of wireless network
deployment (both authorized and unauthorized)
Evaluated the security of the wireless network
connectivity process
Scanned wireless network access points on Belknap
and HSC campuses
Detect and identify wireless network
Test for channels and Service Set Identifiers
(SSID)
Test for rogue access points and clients
Test for wireless network encryption

24
Recent IT Audits

Wireless Networks
Tools Used
Kismet wireless scanner and network sniffer for
Linux
NetStumber wireless scanner for Windows
DeLorme Street Atlas with GPS used with
NetStumbler to visualize located of access points
SuperScan network TCP and UDP port scanner
Ethereal packet sniffer

25
Recent IT Audits