IT Skills for the Business Auditor Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Auditing Excellence University of Texas at Dallas For Houston Chapter Seminar November 3, 2014 Positioning Audit Skills for the Future Information Technology Risks and Controls
Dec 14, 2015

Page 1: IT Skills for the Business Auditor Mark Salamasick, CIA, CISA, CRMA, CSP Director of Center for Internal Auditing Excellence University of Texas at Dallas.

IT Skills for the Business Auditor

Mark Salamasick, CIA, CISA, CRMA, CSP, Director of Center for Internal Auditing Excellence

University of Texas at Dallas

For Houston Chapter Seminar

November 3, 2014

Positioning Audit Skills for the Future: Information Technology Risks and Controls

Page 2:

Mark Salamasick, CIA, CISA, CRMA, CSP

• Director of Center for Internal Audit Excellence – 11 years

• Adjunct Faculty, University of Texas at Dallas – 18 years

• Senior Vice President, Internet/Intranet Services, Bank of America – 2 years

• Director Information Technology Audit, SVP, Internal Audit, Bank of America – 18 years

• Senior Consultant, Accenture – 4 years

• Instructor, Accounting and IT, Central Michigan University – 3 years

•BS in BA and MBA – Central Michigan University

• One of six co-authors of the internal audit textbook Internal Auditing: Assurance and Consulting Services by the IIA Research Foundation, published Summer 2007; Second Edition Summer 2009; Third Edition Fall 2013

• Author of IIA International books: Auditing Vendor Relationship, PC Management Best Practices, and Auditing Outsourced Functions

• Numerous IIA International committees, including Board of Trustees, Board Research and Educational Advisors, and currently Learning Solutions

• 2005 IIA International Educator of the Year – Leon Radde Award

• Enjoys running, road and mountain cycling, travel, and investment analysis

Page 3:

ITEMS TO COVER

- Background – Setting the Stage

- Technology Expectations

- IT Audit Model Curriculum

- IT Technology Frameworks

- Latest Technology Issues

- Infrastructure Trends

- Overview of GTAGs

- GTAG 1 – 2nd Edition

- Technology Adaption Curve for IA Groups

- Summary


Page 4:

Synopsis

An overview of Critical Success Factors for the 21st Century auditor, including an understanding of IT control frameworks, functional areas of IT operations, and the ability to integrate technology into internal audit processes.


Page 5:

Survey and Understanding

Page 6:

Level of IT Understanding

• Business Auditors

• IT Auditors


Page 7:

Technology and Audit

• Infrastructure Audit

• Integrated Audit

• Use of Technology as a Tool
  • Audit Automation
  • Data Analytics


Page 8:

Some Reasonable Objectives for All Auditors

• Understand how technology fits into the overall business processes and its impact.

• Describe key risks and control techniques introduced by technology.

• Articulate the relationship between business transaction-processing risks and the risks introduced by information technology.

• Find and interpret the leading sources of information related to technology control frameworks.

• Determine the significant technology issues to be considered as part of the review of a business unit.

• Integrate application controls as part of business unit audits.

• Understand the emerging technology risk issues.

Page 9:

Model IT Controls Curriculum

• IIA – The IIA’s Global Model Internal Audit Curriculum – IT Auditing course integrated in 2012 – schools recognized as part of the IAEP

• https://na.theiia.org/about-us/about-ia/pages/participating-iaep-program-schools.aspx

• ISACA Model Curriculum - 2012

http://www.isaca.org/Knowledge-Center/Academia/Pages/Programs-Aligned-with-Model-Curriculum-for-IS-Audit-and-Control.aspx


Page 10:

What do the objectives of a university IT Audit and Risk Management course look like?

1. Be able to identify key information technology risks and how to mitigate those risks.

2. Be able to develop a control checklist and key audit steps related to technology risks.

3. Be able to distinguish key user technology risks and controls.

4. Be able to identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Auditor (CISA) exam.

5. Identify sources for research of technology risks and apply those techniques to an overall research paper.

6. Learn those areas of technology risks that are currently of most concern to the IIA, AICPA, and ISACA.

7. Be able to distinguish and evaluate key application controls along with auditing of application controls.

8. Identify and evaluate risks in an e-business environment.

9. Understand how to adapt audit coverage to areas of advanced and emerging technologies.


Page 11:

COBIT 5 – What Should You Know?


Page 12:

“You need to understand where emerging technologies are going to best predict risks the company will face in the future”

Mark Salamasick

Technology: “I don’t know what I don’t know” – CAE

Page 13:

Start with One Premise!

There are no barriers…

Technology is an enabler…..

It is how we adapt to it!

Page 14:

Critical Characteristics of the 21st Century Internal Auditor

Technologically Adept:

• The technology era is clearly transforming the globe

• Technology presents extraordinary risks and opportunities for all enterprises

• The nature of internal audit has been impacted in terms of:
  • The functions, programs, and processes to be audited
  • The techniques employed to carry out the internal audit mission

**From – Robert McDonald – Past Chairman of the IIA

Page 15:

Critical Characteristics of the 21st Century Internal Auditor

Technologically Adept:

• 21st century internal auditors must:
  • Understand IT control frameworks
  • Be knowledgeable of functional areas of IT operations
  • Be capable of auditing e-Commerce, EFT, EDI
  • Be knowledgeable of encryption, computer forensics, and enterprise-wide resource planning (ERP) software

• In addition, internal auditors must be able to:
  • Integrate technology into internal audit processes

Source: CIA Examination Syllabus – Part III

**From – Robert McDonald – Past Chairman of the IIA

Page 16:

Critical Characteristics of the 21st Century Internal Auditor

Overview of Critical Traits:

• Risk-based orientation

• Global perspective

• Governance expertise

• Technologically adept

• Business acumen

• Creative Thinking and Problem Solving

• Strong ethical compass

**From – Robert McDonald – Past Chairman of the IIA

Page 17:

Evolution of IT Audit: Historical IT Audit Stages

(Stage – Characteristics – Focus)

1st Generation EDP Audit (Pre-1980)
• “Checklist”-based EDP Audits
• Compliance with Policies & procedures
• No IT Audit “Specialists”
Focus: Compliance

2nd Generation IS Audit (1980s)
• Auditable IS areas
• Report Problems, Recommend solutions
• Certified EDP Auditors “CISA”
Focus: Control Frameworks

3rd Generation IT Audit (1990s)
• COBIT-Based Audits (1996)
• IT Control self-assessments
• “Integrated Audits”
Focus: Risk / Control

4th Generation IT Audit (2000s)
• Facilitator of positive change
• Enterprise-wide risk management
• Impact of Sarbanes Oxley
• Benchmark performance against best practices
Focus: Risk Management Process

Page 18:

Top Ten IT Priorities From a Top Notch State Information Organization

›› Cloud

›› Data Management

›› Data Sharing

›› Infrastructure

›› Legacy Applications

›› Mobility

›› Network

›› Open Data

›› Security and Privacy

›› Social Media


Page 19:

LATEST TRENDS ...

Page 20:

AICPA Top Ten Technology Issues

1. Managing and retaining data

2. Securing the IT environment

3. Managing IT risk and compliance

4. Ensuring privacy

5. Managing system implementations

6. Preventing and responding to computer fraud

7. Enabling decision support and analytics

8. Governing and managing IT investment/spending

9. Leveraging emerging technologies

10. Managing vendors and service providers

Page 21:

Emerging Technology Trends – EY Survey 2014


Page 22:

What are you doing for Internal Audit IT Integration?

Page 23:

Why are Global Technology Audit Guides (GTAGs) more important?

Page 24:

BIG THREE TECHNOLOGY RISK CATEGORIES

• Information Security

• Business Continuity

• Change Management


Page 25:

Sixteen GTAGs Published – Have you seen these?

• GTAG-1: IT Controls (Published in Mar 2005) – 2nd Edition March 2012

• GTAG-2: Change and Patch Management Controls (Published in June 2005) – 2nd Edition March 2012

• GTAG-3: Continuous Auditing (Published in Oct 2005) – Update Coming Soon

• GTAG-5: Auditing Privacy Risks (Published in June 2006) – 2nd Edition July 2012

• GTAG-4: Management of IT Auditing (Published in Mar 2006) – 2nd Edition January 2013

• GTAG-6: Managing and Auditing IT Vulnerabilities (Published in Oct 2006) – Deleted January 2013

Page 26:

Sixteen GTAGs Published – Have you seen these?

• GTAG-7: Information Technology Outsourcing (Published in Mar 2007)

• GTAG-8: Auditing Application Controls (Published in July 2007)

• GTAG-9: Identity and Access Management (Published in July 2007)

• GTAG-10: Business Continuity Management (Published in July 2008) (Updated August 2014)

• GTAG-11: Developing the IT Audit Plan (Published in July 2008)

• GTAG-12: Auditing IT Projects (Published in March 2009)

Page 27:

Sixteen GTAGs Published – Have you seen these?

• GTAG-13: Fraud Detection and Prevention in an Automated World (Published in December 2009)

• GTAG-14: Auditing User Developed Applications (Published in June 2010)

• GTAG-15: Information Security Governance (Published in July 2010)

• GTAG-16: Data Analysis Technologies (Published in August 2011)

• GTAG-17: Auditing IT Governance (Published in July 2012)

• GTAG-18 and 19: Cloud Computing and Social Media (Coming Soon)

Page 28:

What Every Business Auditor Should Understand Related to IT Controls

Global Technology Audit Guide 1 – 2nd Edition

Page 29:

The Board should:

• Understand the strategic value of the IT function.

• Become informed of role and impact of IT on the enterprise.

• Set strategic direction and expect return.

• Consider how management assigns responsibilities.

• Oversee how transformation happens.

• Understand constraints within which management operates.

• Oversee enterprise alignment.

• Direct management to deliver measurable value through IT.

• Oversee enterprise risk.

• Support learning, growth, and management of resources.

• Oversee how performance is measured.

• Obtain assurance.


Page 30:

Executive management should:

• Become informed of role and impact of IT on the enterprise.

• Cascade strategy, policies, and goals down into the enterprise, and align the IT organization with the enterprise goals.

• Determine required capabilities and investments.

• Assign accountability.

• Sustain current operations.

• Provide needed organizational structures and resources.

• Embed clear accountabilities for risk management and control over IT.

• Measure performance.

• Focus on core business competencies IT must support.

• Focus on important IT processes that improve business value.

• Create a flexible and adaptive enterprise that leverages information and knowledge.

• Strengthen value delivery.

• Develop strategies to optimize IT costs.

• Have clear external sourcing strategies.


Page 31:

Senior management should:

• Manage business and executive expectations relative to IT.

• Drive IT strategy development and execute against it.

• Link IT budgets to strategic aims and objectives.

• Ensure measurable value is delivered on time and budget.

• Implement IT standards, policies and control framework as needed.

• Inform and educate executives on IT issues.

• Look into ways of increasing IT value contribution.

• Ensure good management over IT projects.

• Provide IT infrastructures that facilitate cost-efficient creation and sharing of business intelligence.

• Ensure the availability of suitable IT resources, skills, and infrastructure to meet objectives and create value.

• Assess risks, mitigate efficiently, and make risks transparent to the stakeholders.

• Ensure that roles critical for managing IT risks are appropriately defined and staffed.

• Ensure the day-to-day management and verification of IT processes and controls.

• Implement performance measures directly and demonstrably linked to the strategy.

• Focus on core IT competencies.


Page 32:

The internal audit activity should:

• Ensure a sufficient baseline level of IT audit expertise in the department.

• Include evaluation of IT in its planning process.

• Assess whether IT governance in the organization sustains and supports strategies and objectives.

• Identify and assess the risk exposures relating to the organization’s information systems.

• Assess controls responding to risks within the organization’s information systems.

• Ensure that the audit department has the IT expertise to fulfill its engagements.

• Consider the use of technology-based audit techniques as appropriate.


Page 33:

IT Control Framework Checklist (Sample from GTAG 1)

1. What legislation exists that impacts the need for IT controls?

2. Has management taken steps to ensure compliance with this legislation?

3. Have all relevant responsibilities for IT Controls been allocated to individual roles?

4. Is the allocation of responsibilities communicated to the whole organization?

5. Do individuals clearly understand their responsibilities in relation to IT controls?

6. Does internal audit employ sufficient IT audit specialists to address the IT control issue?

7. Do corporate policies and standards that describe the need for IT controls exist?


Page 34:

Understanding IT Controls – Who should Understand What?

A top-down approach used when considering which controls to implement and determining areas on which to focus. From Global Technology Audit Guide 1.

Page 35:

COSO Model for Technology Controls

Control Environment:
• Tone from the Top – IT and Security Controls Considered Important
• Overall Technology Policy and Information Security Policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full Representation of All Business Units

Risk Assessment:
• IT risks included in overall corporate risk assessment
• IT integrated into Business Risk Assessments
• Differentiate IT controls for high risk business areas/functions
• IT Internal audit assessment
• IT Insurance assessment

Control Activities:
• Review Board for Change Management
• Comparison of technology initiatives to plan and ROI
• Documentation and approval of IT plans and systems architecture
• Compliance with Information and Physical Security Standards
• Adherence to Business Continuity Risk Assessment
• Technology standards compliance enforcement

Information & Communication:
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution

Monitoring:
• Monthly metrics from Technology Performance
• Technology Cost and Control performance analysis
• Periodic Technology management assessments
• Internal audit of technology enterprise
• Internal audit of high risk areas

Page 36:

Global Technology Audit Guide that All Business Auditors should put into Practice

• Application controls and their benefits

• The role of internal auditors

• How to perform a risk assessment

• Application control review scoping

• Application review approaches

• Common application controls, suggested tests, and a sample review program

Page 37:

USE OF TECHNOLOGY AS A TOOL

Page 38:

Technology Maturity Model

• Audit scheduling tool
• Automated work papers
• Data retrieval used on most audits
• Custom data mining / data analytics
• Initial ad hoc data mining
• Risk assessment tools
• Continuous controls testing and monitoring
• Formal technology strategy
• Standalone automated testing routines, e.g. fraud
• Online training programs available on demand
• Issues availability, tracking, updating by management
• Intranet for audit knowledge sharing, training, and access to tools
• Automated sharing of audit programs and files
• Fully integrated audit management system
• Files, etc., in electronic format
• Highly skilled data team
• Technology specialist(s)
• Drill-down dashboards of all key audit activity
• Reusable programs and checklists
• Initial use of CAATs
• Access to external risk and control databases
• Continuous risk assessment
• Quality assessment tool
• Use of technology a core competency
• Expanded technical training for staff
• Expanded suite of data tools

Page 39:

Technology Process Gap Analysis: Example

Core Technology Process (CTP)

Initial Adequate Enhanced Optimized

1. Technology Strategy & Focus X X

2. Risk Assessment & Monitoring X X

3. Audit Planning & Scheduling XX

4. Knowledge Management XX

5. Data Analysis & Mining X X

6. Audit Reporting & Issue Tracking XX

7. Audit Execution & Documentation XX

8. Training X X

9. Human Resources X X

10. Quality Improvement X X

Sets a clear priority – don’t have to move to Optimized for all; may decide some areas are fine for now

Red is current state, Green is desired next stage of maturity

Page 40:

IT Audit-Questions to Ponder

• What kind of technology audits should we be doing?

• How integrated should the audit group be?

• What technology should we be using in the Audit Group?

• What skills should the non-IT auditor have?

• What is the mix of audit coverage for projects versus ongoing audit work?

• Where are resources found for IT Audit?

• Should parts of IT Audit be outsourced?

• What parts of Information Technology should be outsourced?

• What about periodic vulnerability testing?

• How do individuals get started in IT Audit?

Page 41:

Summary and Next Steps

• Understand the technology in your environment

• Understand the GTAG Series and determine how it applies

• Utilize the business functions and technology within the enterprise

• Understand your technology controls framework

• Understand your key information technology risk

• Equate technical issue to business processes

• Provide business unit with perspective of how well the technology is doing that supports the business unit

• Perform high level mapping of applications to business units

• Provide CIO view of how his business is doing

• Determine technology training requirements for all levels

Page 42:

Mark Salamasick Contact Info

• Email: [email protected]

• Office Phone: (972) 883-4729

• Cell Phone: (972) 768-3016

• Office: University of Texas at Dallas
  • School of Management – 4.218
  • 800 West Campbell Road, SM 41
  • Richardson, TX 75083-0688

• Website: www.utdallas.edu/~msalam

• Website: Jindal.utdallas.edu/iaep