IT Skills for the Business Auditor
Mark Salamasick, CIA, CISA, CRMA, CSP
Director of Center for Internal Auditing Excellence
University of Texas at Dallas
For Houston Chapter Seminar
November 3, 2014
Positioning Audit Skills for the Future: Information Technology Risks and Controls
Mark Salamasick, CIA, CISA, CRMA, CSP
• Director of Center for Internal Audit Excellence – 11 years
• Adjunct Faculty, University of Texas at Dallas – 18 years
• Senior Vice President, Internet/Intranet Services, Bank of America – 2 years
• Director Information Technology Audit, SVP, Internal Audit, Bank of America – 18 years
• Senior Consultant, Accenture – 4 years
• Instructor, Accounting and IT, Central Michigan University – 3 years
•BS in BA and MBA – Central Michigan University
• One of six co-authors of Internal Audit textbook – Internal Auditing: Assurance and Consulting Services by IIA Research Foundation, published Summer 2007; Second Edition Summer 2009; Third Edition Fall 2013
• Author of IIA International Books – Auditing Vendor Relationships, PC Management Best Practices, and Auditing Outsourced Functions
• Numerous IIA International Committees including Board of Trustees, Board of Research and Educational Advisors, and currently Learning Solutions
• 2005 IIA International Educator of the Year – Leon Radde Award
• Enjoy Running, Road and Mountain Cycling, Travel and Investment Analysis
ITEMS TO COVER
- Background – Setting the Stage
- Technology Expectations
- IT Audit Model Curriculum
- IT Technology Frameworks
- Latest Technology Issues
- Infrastructure Trends
- Overview of GTAGs
- GTAG 1 – 2nd Edition
- Technology Adaption Curve for IA Groups
- Summary
Synopsis
An overview of Critical Success Factors for the 21st Century auditor, including an understanding of IT control frameworks, functional areas of IT operations, and the ability to integrate technology into internal audit processes.
Survey and Understanding
Level of IT Understanding
• Business Auditors
• IT Auditors
Technology and Audit
• Infrastructure Audit
• Integrated Audit
• Use of Technology as a Tool
  - Audit Automation
  - Data Analytics
Some Reasonable Objectives for All Auditors
• Understand how technology fits into the overall business processes and its impact.
• Describe key risks and control techniques introduced by technology.
• Articulate the relationship between business transaction processing risks and the risks introduced by information technology.
• Find and interpret the leading sources of information related to technology control frameworks.
• Determine the significant technology issues to be considered as part of the review of a business unit.
• Integrate application controls as part of business unit audits.
• Understand the emerging technology risk issues.
Model IT Controls Curriculum
• The IIA’s Global Model Internal Audit Curriculum – IT Auditing course integrated in 2012 – schools recognized as part of IAEP
What do the objectives of a University IT Audit and Risk Management course look like?
1. Be able to identify key information technology risks and how to mitigate those risks.
2. Be able to develop a control checklist and key audit steps related to technology risks.
3. Be able to distinguish key user technology risks and controls.
4. Be able to identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Auditor (CISA) exam.
5. Identify sources for research of technology risks and apply those techniques to an overall research paper.
6. Learn those areas of technology risks that are currently of most concern to the IIA, AICPA, and ISACA.
7. Be able to distinguish and evaluate key application controls along with auditing of application controls.
8. Identify and evaluate risks in an e-business environment.
9. Understand how to adapt audit coverage to areas of advanced and emerging technologies.
COBIT 5 – What Should You Know?
“You need to understand where emerging technologies are going to best predict risks the company will face in the future”
– Mark Salamasick

Technology: “I don’t know what I don’t know”
– CAE
Start with One Premise!
There are no barriers…
Technology is an enabler…
It is how we adapt to it!
Critical Characteristics of the 21st Century Internal Auditor
Technologically Adept:
• The technology era is clearly transforming the globe
• Technology presents extraordinary risks and opportunities for all enterprises
• The nature of internal audit has been impacted in terms of:
  - The functions, programs, and processes to be audited
  - The techniques employed to carry out the internal audit mission
**From – Robert McDonald – Past Chairman of the IIA
Critical Characteristics of the 21st Century Internal Auditor
Technologically Adept:
• 21st century internal auditors must:
  - Understand IT control frameworks
  - Be knowledgeable of functional areas of IT operations
  - Be capable of auditing e-Commerce, EFT, EDI
  - Be knowledgeable of encryption, computer forensics, and Enterprise-wide resource planning (ERP) software
• In addition, internal auditors must be able to: Integrate technology into internal audit processes
Source: CIA Examination Syllabus – Part III
**From – Robert McDonald – Past Chairman of the IIA
Critical Characteristics of the 21st Century Internal Auditor
Overview of Critical Traits:
• Risk-based orientation
• Global perspective
• Governance expertise
• Technologically adept
• Business acumen
• Creative Thinking and Problem Solving
• Strong ethical compass
**From – Robert McDonald – Past Chairman of the IIA
COSO Model for Technology Controls
(Diagram layers, top to bottom: Monitoring; Information and Communication; Control Activities; Risk Assessment; Control Environment)

Risk Assessment:
• IT risks included in overall corporate risk assessment
• IT integrated into Business Risk Assessments
• Differentiate IT controls for high risk business areas/functions
• IT Internal audit assessment
• IT Insurance assessment

Control Environment:
• Tone from the Top – IT and Security Controls Considered Important
• Overall Technology Policy and Information Security Policy
• Corporate Technology Governance Committee
• Technology Architecture and Standards Committee
• Full Representation of All Business Units

Information & Communication:
• Periodic corporate communications (intranet, e-mail, meetings, mailings)
• Ongoing technology awareness of best practices
• IT performance survey
• IT and security training
• Help desk ongoing issue resolution
Global Technology Audit Guide that All Business Auditors should put into Practice
• Application controls and their benefits
• The role of internal auditors
• How to perform a risk assessment
• Application control review scoping
• Application review approaches
• Common application controls, suggested tests, and a sample review program
USE OF TECHNOLOGY AS A TOOL
Technology Maturity Model
• Audit scheduling tool
• Automated work papers
• Data retrieval used on most audits
• Custom data mining / data analytics
• Initial ad hoc data mining
• Risk assessment tools
• Continuous controls testing and monitoring
• Formal technology strategy
• Standalone automated testing routines, e.g. fraud
• Online training programs available on demand
• Issues availability, tracking and updating by management
• Intranet for audit knowledge sharing, training, and access to tools
• Automated sharing of audit programs and files
• Fully integrated audit management system
• Files, etc., in electronic format
• Highly skilled data team
• Technology specialist(s)
• Drill-down dashboards of all key audit activity
• Reusable programs and checklists
• Initial use of CAATs
• Access to external risk and control databases
• Continuous risk assessment
• Quality assessment tool
• Use of technology a core competency
• Expanded technical training for staff
• Expanded suite of data tools
Technology Process Gap Analysis: Example
Each Core Technology Process (CTP) is rated on a four-stage scale – Initial, Adequate, Enhanced, Optimized – with two marks per row: Red is current state, Green is desired next stage of maturity.
1. Technology Strategy & Focus
2. Risk Assessment & Monitoring
3. Audit Planning & Scheduling
4. Knowledge Management
5. Data Analysis & Mining
6. Audit Reporting & Issue Tracking
7. Audit Execution & Documentation
8. Training
9. Human Resources
10. Quality Improvement
• Sets a clear priority
• Don’t have to move to Optimized for all
• May decide some areas are fine for now
IT Audit – Questions to Ponder
• What kind of technology audits should we be doing?
• How integrated should the audit group be?
• What technology should we be using in the Audit Group?
• What skills should the non-IT auditor have?
• What is the mix of audit coverage for projects versus ongoing audit work?
• Where are resources found for IT Audit?
• Should parts of IT Audit be outsourced?
• What parts of Information Technology should be outsourced?
• What about periodic vulnerability testing?
• How do individuals get started in IT Audit?
Summary and Next Steps
• Understand the technology in your environment
• Understand the GTAG Series and determine how it applies
• Utilize the business functions and technology within the enterprise
• Understand your technology controls framework
• Understand your key information technology risks
• Equate technical issues to business processes
• Provide business unit with perspective of how well the technology is doing that supports the business unit
• Perform high level mapping of applications to business units
• Provide CIO view of how his business is doing
• Determine technology training requirements for all levels