
TO CISD MEETING


sanne

Presentation Transcript


  1. TO CISD MEETING: WELCOME

  2. Information Technology AUDITING WITH THE LEGISLATIVE AUDITOR Questions: Ask, but may defer or handle off-line.

  3. Common Goal: To Improve IT Controls in Louisiana State Government
     • Same Team
     • Asked to do more with less

  4. Outline:
     • Audit Requirements
     • Audit Law
     • Audit Standards for IT controls
     • Establishment of IT Audit and What We Do
     • How Are Entities Selected for IT Audits
     • Criteria Used: COBIT
     • Planning and Scoping
     • Approach and Basic Parts of the IT Audit
     • CoMIT Tool
     • If/How Issues Found Are Reported

  5. I. Audits Are Required: Law
     • Audit Law requires financial and operational audits. (RS 24:511-523)
     • Types of audits, how often & when, what we are to have access to (includes confidentiality requirements)
     • CAFR (Comprehensive Annual Financial Report): the annual financial statement for the State of Louisiana as a whole
     • Single Audit (Federal)
     • Full Scope Audits: audit opinion on the entity’s FS
     • Your systems produce information needed for these reports, so they are subject to audit

  6. Audit Standards:
     • Law dictates what we do… but governmental, financial & IT audit standards dictate “how” we audit
     • IT audits are done as part of the financial audits, so separate audit reports are not produced.
     • The US Government Accountability Office (GAO) has issued Generally Accepted Governmental Auditing Standards, known as GAGAS
     • Other standards are:
       • American Institute of Certified Public Accountants (AICPA)
       • Information Systems Audit and Control Association (ISACA) and other certification bodies

  7. Per GAGAS “Government audits provide key information to stakeholders and the public to maintain accountability…reduce costs; facilitate decision making; stimulate improvements; and identify current and projected crosscutting issues….”

  8. Standards
     • We must consider IT controls. IT controls are often involved when IT is used to:
       • Initialize
       • Authorize
       • Record
       • Process, and
       • Report financial data
     • Per GAGAS, specialized techniques or methods may be required to cover IT controls and may require a specialist.

  9. II. Our IT Audit Section
     • Was established to cover IT parts of audits with specialized knowledge and skills. We do other things as well that may affect or involve you, like:
       • Extract data, create queries, data mining
       • Provide support for some applications like BO, Works, ACL, SAP, and PeopleSoft
       • Create audit programs to cover end user controls on systems under our audit
       • Monitor major implementations
       • Assist in examining audit evidence and any other assistance needed
     • It’s all about assurances we can provide to other auditors and about where the risk is

  10. IT Audit Section
     • The risk and level of assurances needed dictate how we get the evidence and the type of evidence that we must obtain.
       • Do we issue an audit report rendering an opinion (full scope)?
       • Do we perform procedures on only certain accounts because they are material to the CAFR or the Single Audit?
       • Do we interview you, or do an observation, or re-perform, or interview a few people, or test it in detail?
     • 3-year rotation

  11. III. How Are Entities Selected?
     • We list out all the financial audits and the assurances needed (CAFR, SA, full scope, etc.) and determine the IT systems associated with those audits.
     • Things considered:
       • Do controls heavily rely on IT, or are they more manual or hybrid?
       • Size and complexity of the system
       • Distributed or centralized
       • Dollars processed or stored
       • How new is the system & if/when it was last audited
       • Previous problems with the system
       • What kind of information does it contain and how sensitive is it
       • Recent changes
       • Level of expertise needed to understand the controls
     • Then we prioritize by considering the risk and select auditees
     • Once the system and entities are selected, we begin planning

  12. IV. Criteria Used: COBIT

  13. Created by the IT Governance Institute
     • How is COBIT different and why do we use it?
       • The first document containing IT best practices that can be used by auditors and IT management
       • Generally acceptable to third parties and regulators
       • Fulfills the COSO requirements for the IT control environment
     • Agency IT management can obtain COBIT from the following site (register, free): https://www.isaca.org/Template.cfm?Section=Home&Template=/Security/Login.cfm

  14. V. Planning & Scoping
     • We would let you know that your agency has been selected & possibly provide the CoMIT Tool
     • Select the who and when for the audit procedures (currently building our resources)
     • The IT auditor would proceed to contact you or your staff for preliminary information in order to scope the audit.
     • Per standards, we plan according to risk

  15. AICPA’s Top Tech Issues (Handout)
     • Top 10 on p. 2
     • Top 5 are:
       • Information Security Management
       • Privacy Management
       • Secure Data File Storage, Transmission and Exchange
       • Business Process Improvement, Workflow, and Process Exceptions Alerts
       • Mobile and Remote Computing

  16. Plan & Scope: IT Audit Approach
     • Use of IT has grown and we are resource challenged
     • Standardize our procedures and have a common measuring tool
     • Goal was/is to obtain as much information up front as possible
     • Began as a self-assessment with a holistic approach for state agencies
     CoMIT Tool: Control Matrix for Information Technology
     • For assessment of IT Internal Controls
     • Used as a pilot last year (GSU, LCTCS)
     • Greatly revised for 2009

  17. VI. Reporting the Issues Found:
     • Not a separate audit; no IT audit report
     • List deficiencies/issues found in a chart
     • Evaluate issues individually and in the aggregate to determine significant deficiencies (example)
     • Standards require that “significant deficiencies” be reported. (Handout)

  18. Reporting the Issues Found:
     • According to SAS 112, par. 9, “Significance… depends on the potential for a misstatement, not on whether a misstatement actually has occurred.”
     • Also, per GAGAS we report matters that may be significant for users or oversight bodies, or of interest to the public
     • But specific exposures are not disclosed (example)
     • Traditionally, most is not reported

  19. Common Problems Found
     • Security issues:
       • Too much access (business need, segregation of duties)
       • Lack of monitoring of access
       • Lack of or inadequate procedures for granting access
       • Remote access
       • Lack of encryption
       • System settings
       • Lack of policies, etc.
     • Problems in change management or change control
     • Lack of QA or audit function
     • Lack of an up-to-date BC/DRP; not tested; not in central repository; location of backup
     • Lack of network scanning for monitoring
     • Issues with firewall rules

  20. Just for Fun: You Might Be an IT Auditor If…
     • You have more letters behind your name than in a can of alphabet soup
     • You have some gadget on your desk that you have fondly given a name
     • Bean counter references make you mad
     • Balancing your check book is FUN
     • When you have your computer repaired you ask for all the parts back, labeled and itemized
     • Your idea of a vacation is FIELD WORK
     • You and your coworkers represent more nationalities than anywhere else in the office

  21. Conclusion: Questions???
