NJ ISACA

IT Audit Director’s Roundtable

October 6, 2010

Michael P Cangemi CPA

Andy Ellsweig CPA, CGEIT



Agenda

  • Introductions - Format

  • Major Issues Facing Your Organization?

  • World Class IA Organization - One View

  • Data Loss Prevention (DLP) & Privacy

  • Continuous Monitoring (CCM) & Macro

  • Cloud Computing & Third Party Processing




Business Career – Michael Cangemi

  • Ernst & Young – CPA – Dir IT Audit

  • Phelps Dodge – CAE – VP - CIO

  • Professional work – IS Control Journal (87-07) & Books - Managing the Audit (Wiley)

  • BDO Seidman Ptr. IT Audit – IA Services

  • CFO/COO to CEO Etienne Aigner 91-04

  • CEO Financial Executives Intl 07-08

  • Advisory Boards – FASB; IASB; COSO private companies

Management, IT, Financial Governance 3 Cangemi Company, LLC



Business Career - Andy Ellsweig

  • Phelps Dodge – Financial/Integrated Auditor

  • Johnson & Johnson - IT Audit

  • PaineWebber - IT Audit

  • Echlin/Dana Corp

  • KPMG – Information Risk Management

  • Sony, Schering-Plough, Centennial Corp – IT Audit Director

  • Eisner/Amper – Risk Advisory Services

  • ISACA President, Board member since 1993




Discussion

  • Let's customize the agenda!

  • We know some of your technical challenges from the pre-meeting survey.

    But first:

  • What are the major issues facing your organization?




World Class Audit – One View

What makes a world class audit organization?

  • Good people (an organization)

  • Following well thought out procedures

  • Focused on significant issues and positive deliverables

  • Team approach to management




Elements of a world class audit function – Organization (Chap 4)

  • Audit consists of People & Procedures

  • Creating the organization - establish a Charter, Mission Statement

  • Build in positive deliverables in mission

  • When was your last SWOT analysis for Internal Audit? Corp Board - survey!

  • Document Policies & use to orient (177)




Essence of Internal Audit

Challenges

  • How do you contribute to the company's mission? - pages (137-138)

  • Not involved in products, customers

    Management periodically reviews audit's contribution (not every day, but always some day).

  • Are you ready for the review and the ROI question?




The Impact of the Economy on Audit Departments – Discussion Points

In today’s economic climate, it has become increasingly necessary to manage audit functions and processes more efficiently.

  • What is the impact of the economy on executing our audit plans?

  • What techniques are being used to accomplish this goal?

  • Are there effective automation solutions available to help with this?

  • Are there audit areas that are candidates for elimination or reduced audit coverage to accommodate strained budgets?

  • Does management recognize that there is an increased motivation for fraud and data crimes, concurrent with expectations on audit departments to recognize such activities despite reduced budgets?




Data Loss Prevention / Data Privacy

Data Loss Prevention (DLP): Detecting and preventing the unauthorized use and transmission of confidential information. Risks associated with data loss have significantly increased because companies have fragmented and porous network perimeters, massive amounts of information can be moved easily, many types of information now carry value, and new and emerging regulatory restrictions and marketplace liability attach to improperly protecting personal information.

Personally Identifiable Information (PII) includes: Name, Street Address, Social Security Number (or other National identification numbers), Credit Card Number, Expiration Date, Authorization Code, Telephone number, E-mail address, Driver's license number, Face, fingerprints, or handwriting, etc…..
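As an added illustration, not taken from the slides, of what a DLP content filter does with the PII elements listed above: a small scanner that flags Social Security numbers, payment card numbers (validated with the Luhn checksum so ordinary digit runs such as order ids are not flagged) and e-mail addresses in an outbound message, then redacts them. The sample message, the patterns and the function names are constructed for this example.

```python
import re

# Constructed outbound message of the kind a DLP filter inspects before delivery.
SAMPLE = (
    "Please update the account for Jane Doe, SSN 219-09-9999, "
    "card 4111 1111 1111 1111 exp 12/27, and notify jane@example.com. "
    "Ticket 000-12-3456 and order id 1234567890123 are not PII."
)

# SSN: area 000/666/9xx, group 00 and serial 0000 are never issued, so skip them.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; most random digit runs fail it, so they are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return (kind, matched_text) pairs for every PII element found, SSNs first."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group()))
    hits += [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    return hits


def redact(text: str) -> str:
    # Mask each finding so the message can still be delivered without the PII.
    for kind, value in find_pii(text):
        if kind == "card":
            tail = re.sub(r"[ -]", "", value)[-4:]
            text = text.replace(value, f"[CARD ****{tail}]")
        else:
            text = text.replace(value, f"[{kind.upper()} REDACTED]")
    return text


if __name__ == "__main__":
    print(redact(SAMPLE))
```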




Regulations and Statutes

European Data Privacy Directive (1995)

Gramm-Leach-Bliley Act (1999)

SEC’s Regulation S-P (2000)

California state law regarding data breaches (2003)

Massachusetts regulations regarding information security (2008 – 2009)

US Red Flag Rules (2010)

Payment Card Industry Standards (2008)

HIPAA (1996)/HITECH (2010) Acts




Data Breaches – Scope of the Problem

  • The Privacy Rights Clearinghouse maintains a Chronology of Data Breaches

    • Since 2005 there have been 1,720 data breaches made public, resulting in 510,535,937 records breached.

    • The numbers are not complete: many small breaches are not reported, and the number of records breached is in many cases unknown.

    • The reported data breaches include data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers.

    • Also includes some breaches that did not expose sensitive information.

    • Major causes of breaches include: lost or stolen computers or storage, hacking, programming/human error and lost backup tapes

      Source: http://privacyrights.org/data-breach




Examples of Data Breaches

Heartland Payment Systems: intruders hacked over 100 million records

San Francisco, July, 2008: disgruntled employee sabotaged the city’s computers by changing all the Admin passwords.

Iowa recently learned that social security numbers of its residents were accessible on the Internet since 2005, through a website maintained by a County

TJX, ChoicePoint, CardSystems, Veterans Administration, and many more




Data Loss Prevention / Privacy – Discussion Points

  • Are audit plans and programs being modified / created to address data loss prevention?

  • How many companies have designated Privacy Officers?

  • Are Incident response plans documented?

  • Is a technical solution for data loss prevention – i.e., systems designed to automatically monitor for data leakage – considered essential to enterprise risk management?

  • Are there automated audit tools being used to determine the effectiveness of data loss prevention programs?

  • Are IT and executive management cognizant and being responsive to protecting organizations from data loss breaches?

  • How do we see data loss prevention evolving?




Continuous Controls Monitoring

CCM technology provides an automated in-line means to effectively audit transactions and identify fraud and other exceptions in real time.
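An added example, not from the presentation, of the kind of rules a CCM-T feed applies in-line to accounts-payable events as they arrive: segregation of duties (the user who created a vendor approves a payment to it), a duplicate invoice posting, and an approval sitting just under the single-approver limit. The event stream, rule names and limit are constructed for this example.

```python
# Constructed accounts-payable event stream: (timestamp, user, action, vendor, amount, invoice).
EVENTS = [
    ("2010-10-01T09:00", "alice", "vendor_create",   "V100",    0.0, None),
    ("2010-10-01T09:05", "bob",   "vendor_create",   "V200",    0.0, None),
    ("2010-10-02T10:00", "carol", "invoice_post",    "V100", 3200.0, "INV-1"),
    ("2010-10-02T10:01", "alice", "payment_approve", "V100", 3200.0, "INV-1"),
    ("2010-10-03T11:00", "carol", "invoice_post",    "V200", 4999.0, "INV-2"),
    ("2010-10-03T11:30", "dave",  "payment_approve", "V200", 4999.0, "INV-2"),
    ("2010-10-04T11:30", "carol", "invoice_post",    "V200", 4999.0, "INV-2"),
]

APPROVAL_LIMIT = 5000.0   # assumed single-approver limit for this example
NEAR_LIMIT_RATIO = 0.95   # approvals at or above 95% of the limit are flagged


def monitor(events):
    """Replay events in order and emit (rule, timestamp, user, vendor) exceptions.

    State is kept per vendor and per invoice, so the same rules work on a live feed
    rather than only on a batch extract.
    """
    vendor_creator = {}    # vendor id -> user who created the master record
    seen_invoices = set()  # (vendor, invoice number) already posted
    exceptions = []
    for ts, user, action, vendor, amount, invoice in events:
        if action == "vendor_create":
            vendor_creator[vendor] = user
        elif action == "invoice_post":
            key = (vendor, invoice)
            if key in seen_invoices:
                exceptions.append(("DUPLICATE_INVOICE", ts, user, vendor))
            seen_invoices.add(key)
        elif action == "payment_approve":
            # Segregation of duties: whoever created the vendor must not approve its payments.
            if vendor_creator.get(vendor) == user:
                exceptions.append(("SOD_VENDOR_CREATE_AND_APPROVE", ts, user, vendor))
            # Amounts clustered just below the limit often indicate split invoices.
            if NEAR_LIMIT_RATIO * APPROVAL_LIMIT <= amount < APPROVAL_LIMIT:
                exceptions.append(("NEAR_LIMIT_APPROVAL", ts, user, vendor))
    return exceptions


if __name__ == "__main__":
    for exc in monitor(EVENTS):
        print(exc)
```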




Continuous Monitoring Macro

  • Automation – computers, new communications and surveillance devices – leads to an expansion of monitoring

  • There is an ever expanding “Orwellian” interest in monitoring

  • Government – National security; compliance – tax; motor vehicle monitoring




Business Monitoring

  • Business - Financial & IC Focus –

    • Most common terms CCM, CCM-T, CA

  • Start higher - CM – is more pervasive

    • Need for more clarity of CM objectives, benefits and definitions

  • CM adds value to IC system – COSO Monitoring – good step, not far enough

  • Hence – FERF Research paper



Overview Of Continuous Monitoring

[Diagram; only the labels survive, the layout does not. Labels as they appear on the slide:]

  • Society
    • Government: National Security Monitoring; Compliance Monitoring (IRS)
    • Business Monitoring: Operations, HR, IT, Finance
  • Business-side monitoring labels: CCM-S of duties; CM - Security / Info Integrity; CCM-T & recs; CCM-T
  • Internal Audit / GRC



Business Monitoring

  • Features expanded use of near real time – automated monitoring

  • We need to redefine the Control Community Role & CM terminology (EDPACS Article)

  • Operations in addition to Financial Focus

    • Bigger focus on controls based in operations – from FedEx to E-ZPass

  • Finance & audit – to lead & educate




Continuous Controls Monitoring – Discussion Points

  • CM - What is your company doing to take advantage of automation to improve data & information integrity?

  • Who has implemented or is planning to implement CCM?

  • What are some notable successes and failures in using this technology?

  • What types of transactional activities and data mining are being used and where do we see the greatest potential benefits?

  • How has the use of CCM affected legacy audit planning and procedures?

  • Are there any other areas of CCM that could be used for more effective audits and timely identification of aberrant activities – e.g., monitoring IT controls?

  • Is the use of CCM destined to become an important and requisite audit methodology best practice?



Cloud Computing & Outsourcing

Firms are moving at a tremendous pace to cloud computing based architectures and to assigning processing controls to third party processors to reap the cost savings. NIST has defined cloud computing as: a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.


The NIST Cloud Definition Framework

  • Deployment Models: Public Cloud, Private Cloud, Hybrid Clouds, Community Cloud

  • Service Models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)

  • Essential Characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service

  • Common Characteristics: Massive Scale, Resilient Computing, Homogeneity, Geographic Distribution, Virtualization, Service Orientation, Low Cost Software, Advanced Security

Source: NIST



Cloud Computing in Financial Terms

  • No more buying servers (that will probably not ever be fully utilized and start losing value as soon as they’re delivered).

  • Companies will not need to spend money on the switches and routers, backup power, redundant bandwidth, and expensive HVAC systems that servers require.

  • Can reduce expenses for IT staff specifically dedicated to server maintenance and server/computer rooms.

  • Servers become someone else’s responsibility. They buy it, and you rent it. You rent it by the megahertz, gigabyte, or bits per second.

  • Cloud service providers hire the server room staff and you rent their services.

  • Allows companies to reap great economies of scale and reduce capital expenditures and IT operating costs.

    Source: Proformative




Cloud Economics – Cost Savings

Estimates vary widely on potential cost savings:

  • Brian Gammage, Gartner Fellow

    “If you move your data center to a cloud provider, it will be a tenth of the cost.”

  • CTO of Washington D.C.

    • Use of cloud applications can reduce costs from 50% to 90%

  • Preferred Hotel

    • Traditional: $210k server refresh and $10k/month

    • Cloud: $10k implementation and $16k/month

  • Ted Alford and Gwen Morton of Booz Allen Hamilton

    • Government agencies moving to public or private clouds can save from 50 to 67 percent.

  • Merrill Lynch

    • Claimed that technology could make business applications “3 to 5 times cheaper,” meaning that organizations could save anywhere from 67 to 80%

  • William Forrest, McKinsey Analyst

    • Disputing some of the cost savings examples, he indicated that there would be few savings from cloud migrations and that moving to the cloud would actually cost 144 percent more than current expenditures.



Six Costly Cloud Mistakes

There are a number of "hidden gotchas" when it comes to using cloud infrastructure providers

  • Not taking full account of financial commitments on existing hardware.

  • Not factoring in your unique requirements when signing up for a cloud service.

  • Signing an agreement that doesn't account for seasonal or variable demands.

  • Assuming you can move your apps to the cloud for free.

  • Assuming an incumbent vendor's new cloud offering is best for you.

  • Getting locked in to a cloud solution.

    Source: CFO.com




Provider Due Diligence

  • Before entering into an agreement with a cloud (or any outsourced) provider, organizations need to perform due diligence procedures, which should be based on the type of data/processes being outsourced or moved to the Cloud

  • Due diligence should be carried out by a multi-disciplinary team that could include members from the business area(s) affected, finance, legal, information security, privacy office, corporate security & audit

  • Many companies use questionnaires as a first step for assessing vendor’s controls

  • Because it does not fit their cost model, most cloud providers will not allow on-site audits

  • If Type II SAS70s (or other certifications) are not available (e.g., for smaller providers or new entrants into Cloud Computing), then an “on-site” audit is recommended

  • Audits should be performed pre-contract execution where possible

  • Should also evaluate the vendor's financial health, including a review of D&B reports




SAS70s Reliance & Limitations

SAS70 limitations include a general lack of security focus and testing procedures that are sometimes narrowly defined

When reviewing SAS70s, organizations should consider the following:

  • Was it a Type I or a Type II?

  • Who performed the SAS70?

  • Did the entity receive a clean audit opinion?

  • What audit objectives were covered by the SAS70?

  • Were there any findings and how were they addressed?

  • What Client Control Considerations were included?

  • Is this enough to cover the organization's regulatory requirements (e.g., PCI, SOX, GLBA, Privacy Laws)?

    Organizations should look for additional assurances besides the SAS70s, which can include: ISO 27001/27002, TRUSTe, Safe Harbor, SysTrust/WebTrust




Cloud Computing & Third Party Processing – Discussion Points

  • What are the risks associated with third party processing that are of most concern?

  • How is third party processing being audited by organizations – e.g., right to audit clauses vs. reliance on SAS 70 reports?

  • Are companies doing adequate due diligence before contracting with third party providers – particularly in regards to involving audit departments prior to contractual commitments?

  • How is the complex digital supply chain – where multiple downstream providers provide services for each other and data residence and transmission points are increasingly obscure – being dealt with from an audit perspective?

  • What types of controls and associated technologies are considered essential to auditing third party processing?

  • How has the economy impacted how we determine ongoing vendor viability?



WRAP-UP

  • Other Topics or Focus area?

  • Major Takeaways



Thank You

To all participants

&

JH Cohn



For More Information:

Michael P Cangemi CPA CISA

President Cangemi Company LLC

[email protected]

www.canco.us

732.662.4868

Andy Ellsweig

Senior Manager

EisnerAmper LLP

[email protected]

732.287.1000, x- 1297

