State Performance

1
State Performance Technology AuditsOverview
of IT Reviews at Local Educational Agencies

• Presented to
• Pennsylvania Association of
• School Business Officials
• 53rd Annual Conference
• March 6, 2008

2
Introduction

• Thomas E. Marks
• Deputy Auditor General for Audits
• CPA
• PA Department of the Auditor General
• 234 Finance Building
• Harrisburg, PA 17120
• (717) 705-4126
• tmarks_at_auditorgen.state.pa.us

3
Introduction

• Michael A. Billo
• Assistant Director of IT Audits
• CISA, CGAP
• PA Department of the Auditor General
• 406 Finance Building
• Harrisburg, PA 17120
• (717) 787-0557
• mbillo_at_auditorgen.state.pa.us

4
Department Structure

• Bureau of School Audits
• Over 100 auditors statewide doing performance
  audits of all LEAs
• Information Technology Audits
• 7 auditors assisting all audit bureaus with the
  more complex technology issues in their audits
  and training the financial and performance
  auditors in IT auditing

5
IT Audits Mission Statement

• To be an innovative team providing support,
  analysis, problem-solving, training, and
  technical audits

6
Information Technology (IT)

• ATM
• POS
• LAN
• WAN
• Internet
• URL
• VPN
• Gigabyte/terabyte
• Ebay

• ISP
• IP Address
• .com
• cell phone
• wii
• IM
• texting
• Ipod
• Xbox

7
Information Technology Auditing

• Information Technology (IT) Auditing
• Electronic Data Processing (EDP) Auditing
• Part of the review of internal control
• Internal controls related to information
  technology, e.g., organizational placement of IT
  personnel, physical and logical access, SDLC,
  outsourcing, backups and contingency planning

8
Audit and IT Standards

• GAAS promulgated by the Auditing Standards
  Board (ASB) of the American Institute of
  Certified Public Accountants (AICPA) Statements
  on Auditing Standards (SASs)
• GAGAS (Yellow Book) promulgated by the U. S.
  Government Accountability Office (GAO)
• ISACA COBIT
• FISCAM
• CERT
• Best Practices

9
History of IT Reviews

• Southwest region school had membership days
  changed inadvertently that affected membership
  subsidy
• Outside vendor processing the membership and
  attendance data for the school
• Controls relinquished to the outside vendor and
  overlooked by the school

10
Evolution of IT Reviews

• Consistency of audit procedures and coverage
• Admittedly a new part of the audit
• Auditing in the 21st century
• Technology has changed some internal controls
• Multiple vendors being used by schools for
  processing membership and attendance data
• More than 50 reviews completed during 2007

11
Evolution of Reviews (contd.)

• On-the-job training during 2007 more formal
  training for school auditors in the IT review
  procedures in the regions in the first quarter of
  2008
• School auditors to perform the reviews at all
  LEAs using an outside vendor for membership and
  attendance data processing after the training

12
Risk

• Membership not a high-risk area
• Mindset however is important
• Accounting
• Safe Schools
• Grades
• Social Security Numbers
• Student Numbers
• Other vulnerable IT areas

13
IT General Controls

• Segregation of duties
• Access
• Physical (locks, security)
• Logical (user ID and passwords)
• Systems Development Life Cycle (SDLC)
• Backups and Recovery
• Contingency planning
• Outsourcing
• Environmental

14
Audit Objective

• Would you know if your membership and/or
  attendance data was changed (significantly or
  otherwise)?

15
IT Application Controls

• Data Origination
• Data Input
• Data Processing
• Data Output

16
Overview of Audit Procedures

• Administer internal control questionnaire through
  inquiries of relevant management and personnel
• Request and review applicable documentation
• Rate weaknesses in a finding or observation based
  on severity of weaknesses and presence of manual
  compensating controls

17
Some specifics

• Walkthrough of hardware, software, interface,
  access method, etc.
• Review of IT contracts/maintenance agreement
• Security policies and procedures
• User ID approval and maintenance
• Separated employees/vendors
• Physical and logical access controls
• Vendor access

18
and a few more

• Remote access
• Vendors, LEA employees
• dial-up, Internet, VPN
• System development and maintenance
• Program change control
• Backups/Recovery
• Contingency Planning
• Environmental considerations

19
Manual Compensating Controls

• Reconciliations
• Trends
• Rollforwards
• Data entry procedures and review
• Report Review
• Evidence of Review
• Management Oversight

20
Common Weaknesses

• Logical Access
• Group IDs or Individual IDs
• Password policy and syntax requirements
• Minimum Length
• Complexity
• Alpha, numeric, special characters
• Upper and lower case
• Forced to change how often?
• How many failed attempts allowed?
• Logged off after a period of inactivity?

21
Common Weaknesses

• Monitoring logs
• Producing the log?
• If yes, is anyone looking at it?
• Contracts and Maintenance Agreements
• LEA recourse for errors/non-performance
• Security and Acceptable Use Policies
• Approvals and Authorizations
• Environmental (Smoke, Fire, Temperature)

22
Sources

• www.isaca.org
• www.gao.gov
• www.cert.org

23
Questions and Comments

• Thank you for your attention!