
Collaborative Relationship Between IT and Internal Auditing

This presentation by Robert Clark, Jr. explores the opportunities for collaboration between IT and internal auditing, including assessing risk, advising on audit coverage, providing feedback on IT policy effectiveness, and recommending controls and best practices.



Presentation Transcript


  1. Collaborative Relationship Between IT and Internal Auditing
     Presented by: Robert Clark, Jr., CIA, CBM
     Director of Internal Auditing, Georgia Tech
     President, Association of College & University Auditors
     rob.clark@business.gatech.edu
     voice (404) 894-4606 / fax (404) 894-6990
     www.audit.gatech.edu
     Robert N. Clark, Jr., C.I.A., Director of Internal Auditing, Georgia Tech, June 2003

  2. Opportunities for Collaboration:
     • Assessing Risk
     • Advising IA on audit coverage
     • Feedback to IT on effectiveness of IT policy
     • Input to IT on recommended controls, procedures, and best practices
     • Cooperation with response to Information Security incidents
     Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003


  8. Reporting Structure at GIT (organization chart)
     Boxes on the chart: Board of Regents; Vice Chancellor for Audit Services; President; Provost; Sr. VP Admin & Finance; Director of Internal Auditing; CIO; Director Info Security; Executive Staff


  12. Internal Audit Primary Mission: Four Potential Orientations
     (matrix: APPROACH, Passive to Active, against SCOPE, Internal Control* to Business Performance)
     DETECTION (Passive approach, Internal Control scope)
     • Focus on examination of past transactions
     • Report past problems and recommend solutions
     • Maintain rigid independence
     PREVENTION (Active approach, Internal Control scope)
     • Active promotion of internal control agenda
     • Recommending preventive measures to the campus unit and advice in making changes
     • Maintain objectivity while eliminating unnecessary organizational barriers
     ADVISORY (Passive approach, Business Performance scope)
     • Defining process improvement opportunities, if seen
     • By-product of internal control assessment but not focusing on internal controls
     • Moving away from compliance auditing (dangerous position…)
     SOLUTION (Active approach, Business Performance scope)
     • Target process improvements as a key goal
     • Focus on Assessing Risk and Management’s Mitigation of Risk
     • Work toward implementation of cost-beneficial internal controls & compliance
     • Teamwork approach while maintaining objectivity and independent perspective
     *Defined along the lines of COSO’s Integrated Framework

  13. Internal Audit’s Role…
     • …it’s more than counting beans...

  14. Assessing Risk… Internal Audit’s role:
     • Identify key risks of the organization
     • Look at all areas of exposure, not just financial
     • Focus on the issues that matter most in safeguarding the assets of the Institute
     • Develop audit procedures to examine high risk areas and verify strength of processes to mitigate risks
     • Provide feedback to mgmt on effectiveness of policies and procedures
     • Promote awareness of policies and best practices
     • Help bring Management together on key risks
     • Develop organizational approach to managing risk

  15. What is RISK?
     (graphic: Strategic Plan in year 2010 …)
     Anything that could prevent the organization from meeting its goals

  16. Assessing Risk – with Management
     • Talk with all members of Senior Management (one-on-one discussions)
     • Ask key questions, such as:
       • “Where are potential exposures?”
       • “What keeps you up at night?”
       • “Where do you see risks for your unit and GIT?”
       • “What are some of the potential adverse situations that could occur within…?”
     • Goal is to identify and inventory RISKS


  19. Assessing Risks:
     Description of adverse situation that could occur
     Potential impact if this situation were to occur (1-5)
     × Probability of this situation occurring (1-5)
     = Risk Ranking

  20. Risk Discussion Tool
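The scoring described on slides 17-19 (impact 1-5 times probability 1-5 gives a Risk Ranking of 1-25) is the core of the Risk Discussion Tool shown on slide 20. The following is an added example of such a tool, written for this page and not the presenter's own spreadsheet: it validates each score against the 1-5 scale, ranks the inventoried risks, and rolls the worst ranking up per Audit Risk Universe area (the area names come from slide 21). The sample risk entries and the high/medium/low thresholds are constructed assumptions, not values from the presentation.

```python
"""Risk discussion tool: inventory adverse situations, score them, rank them."""
from dataclasses import dataclass

# The slides score impact and probability on a 1-5 scale.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Risk:
    area: str          # audit risk universe area, e.g. "Info Systems"
    description: str   # adverse situation that could occur
    impact: int        # potential impact if it occurred (1-5)
    probability: int   # probability of it occurring (1-5)

    def __post_init__(self):
        # Reject scores outside the 1-5 scale so a typo cannot distort the ranking.
        for name, value in (("impact", self.impact), ("probability", self.probability)):
            if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(
                    f"{name} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")

    @property
    def ranking(self) -> int:
        """Risk Ranking = Impact x Probability (slide 19); range 1-25."""
        return self.impact * self.probability


def rank_risks(risks):
    """Return the inventory ordered highest ranking first.

    Ties are broken by impact (a rare but severe event outranks a frequent
    nuisance with the same product), then by description for stable output.
    """
    return sorted(risks, key=lambda r: (-r.ranking, -r.impact, r.description))


def rank_by_area(risks):
    """Worst ranking seen in each audit-universe area, highest first."""
    worst = {}
    for r in risks:
        worst[r.area] = max(worst.get(r.area, 0), r.ranking)
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


def tier(ranking):
    """Bucket a 1-25 ranking into audit-plan priority tiers.

    The thresholds (15 and 8) are assumptions for this example; the slides
    do not state cut-offs.
    """
    if ranking >= 15:
        return "high"
    if ranking >= 8:
        return "medium"
    return "low"


# Constructed sample inventory (hypothetical entries, not from the presentation).
SAMPLE_RISKS = [
    Risk("Info Systems", "Unpatched departmental server compromised", 5, 3),
    Risk("Info Systems", "No tested backup for research data", 4, 2),
    Risk("Financial", "Duplicate vendor payment not detected", 3, 3),
    Risk("Human Resources", "Terminated employee retains system access", 4, 4),
    Risk("Health & Safety", "Lab chemical storage non-compliance", 5, 1),
    Risk("Legal", "Software licensing review finds unlicensed copies", 3, 2),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.ranking:2d} {tier(r.ranking):6s} {r.area:16s} {r.description}")
    print()
    for area, worst in rank_by_area(SAMPLE_RISKS):
        print(f"{worst:2d} {area}")
```

Running the module prints the prioritized inventory followed by the per-area roll-up; the per-area view is the one that feeds slide 21's Audit Risk Universe, while the full list is what the one-on-one discussions of slide 16 would populate.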

  21. Audit Risk Universe
     • Info Systems
     • Public Relations
     • Financial
     • Human Resources
     • Health & Safety
     • Legal

  22. Audit Focus -- Zeroing In
     (spectrum of audit activity, from information gathering to partnering)
     • Information Gathering
     • Monitoring / General Awareness (committees)
     • Informal Reviews (surveying internal control)
     • Audits of compliance & controls
     • Risk-Based Audits (processes & risk)
     • Process Improvement (reengineering)
     • Strategy/Solution Development / Partnering w/ Mgmt. as Key Resource
     Two scales run across this spectrum: Auditor's Traditional Comfort Zone (- to +) and Perceived Value to Mgmt. (- to +)

  23. Identifying Unit-level Information Systems Risks
     • Logical Security
     • Environmental and Physical Controls
     • Data Security and Stewardship
     • Management of IS Resources
     • Equipment Maintenance
     • Back-up and Recovery
     • Training and Documentation
     • Operations / Administration
     • Web Site Operation / Development
     • Software Licensing


  25. IT Advising IA on audit coverage…
     • CIO, Director of Information Security, and others in IT review draft of audit programs, in some cases helping to draft audit steps (“What would you, as CIO, look for if you were conducting these reviews?”)
     • IT provides further insight, clarification, and direction to auditors
     • Internal Auditing seeks IT’s opinion/support regarding feasibility of audit recommendations
     • Ultimately, Internal Auditing’s decision – but collaborating with IT to ensure the most effective coverage of IT risks throughout the organization

  26. The Audit Plan
     • Focus on reviewing how each organization is moving toward effectively and efficiently mitigating each of the risks
     • Independent verifications & attestations to determine strength of processes
     • Conclusions are forward-looking - how well positioned are they to deal with risk?


  29. Feedback to IT…
     • Reports go not only to unit head but to senior management (including CIO) to show where opportunities for improvement exist
     • Direct communication with CIO regarding areas in which more training/education/guidance or IT focus should be provided to campus units
     • IA offers advice to senior mgmt on areas for policy enhancement


  31. Recommended best practices…
     • IA provides trend analysis summaries to senior management (including CIO) showing common areas across campus requiring improvement
     • Leads to targeted plans for action aimed at addressing the specific issues (as opposed to blanket policies which may be unnecessarily onerous)

  32. Recommended procedures…
     • President assembled committee (chaired by CIO) to revise Computer Network Usage Policy
     • VP for Finance, VP for HR, Chief Legal Advisor, Director of Internal Auditing, Associate Dean, Student Govt. rep, & others
     • [Note: IA’s role was not to “set” policy, rather to advise committee on key areas the policy should address]


  34. Responding to Info Security Incidents
     • Information on an incident may come from a variety of sources:
       • OHR – personnel-related complaint
       • Legal Affairs – person seeking legal advice
       • Financial Services – questionable transaction(s)
       • Campus Police – allegation of illegal behavior
       • Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection system reports, etc.
       • Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.

  35. Responding to Info Security Incidents
     • Challenge: ensuring a consistent approach to dealing with incidents
     • Risk: If investigation not handled appropriately or consistently, puts Institute at risk
     • Solution: IA recommended creation of ad-hoc task force and procedure to address Info Security incidents

  36. (diagram) http://www.audit.gatech.edu/IAcollabrative2.wmf

  37. Step 1
     • Incident is brought to attention of member of mgmt
     • He/She convenes Ad-Hoc Group [CIO, AVP-OHR, Chief Legal Advisor, Director Internal Auditing, Director of Information Security]
     • “What do we know now?”
     • Group shares info to determine other resources that may need to be involved (e.g., Director Campus Security, AVP-Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)
     • Group determines needed resources

  38. Step 2
     • Group makes a determination on the potential outcome
     • E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only?
     • This determines procedures to be followed in conducting the investigation and standard of evidence to which to adhere
     • Also determines whether law enforcement should be notified and/or involved

  39. Step 3
     • Group determines who will take the lead in facilitating the investigation. This person:
       • Coordinates efforts, arranges meetings, initiates status reporting
       • Initiates status reporting to the Office of the President
       • Determines appropriate custodian of investigation data
       • Facilitates reporting at the end of investigation

  40. Step 4
     • Investigation is conducted following appropriate procedures agreed-to by Group
     • Regular communication with Group on status, observations, noteworthy issues
     • Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues

  41. Step 5
     • Group re-convenes to:
       • evaluate effectiveness of process;
       • document “lessons learned”; and
       • discuss ways the situation may be prevented in the future, e.g.,
         • Additional audit steps to examine for this elsewhere?
         • Need for policy enhancement?
         • Need for additional education/awareness?


  43. Results of Collaborative Approach
     • IA and IT aligned on areas of high risk
     • Common approach for responding to Information Security incidents
     • IT becomes source of “education and awareness” for IA
     • IA able to represent organizational perspective on IT issues across campus to audiences to which IT would not normally have access
     • IA provides independent and objective feedback to IT on effectiveness of IT policies and procedures (within OIT and across the campus)
     • Combining perspectives to establish best practices for Information Systems across organization

  44. Questions / Discussion
