NJ ISACA IT Audit Director’s Roundtable


IT Audit Director’s Roundtable

October 6, 2010

Michael P Cangemi CPA

Andy Ellsweig CPA, CGEIT

Agenda

  • Introductions - Format
  • Major Issues Facing Your Organization?
  • World Class IA Organization - One View
  • Data Loss Prevention (DLP) & Privacy
  • Continuous Monitoring (CCM) & Macro
  • Cloud Computing & Third Party Processing


Business Career – Michael Cangemi
  • Ernst & Young – CPA – Dir IT Audit
  • Phelps Dodge – CAE – VP - CIO
  • Professional work – IS Control Journal (87-07) & Books - Managing the Audit (Wiley)
  • BDO Seidman Ptr. IT Audit – IA Services
  • CFO/COO to CEO Etienne Aigner 91-04
  • CEO Financial Executives Intl 07-08
  • Advisory Boards – FASB; IASB; COSO private companies

Management, IT, Financial Governance 3 Cangemi Company, LLC

Business Career - Andy Ellsweig
  • Phelps Dodge – Financial/Integrated Auditor
  • Johnson & Johnson - IT Audit
  • PaineWebber - IT Audit
  • Echlin/Dana Corp
  • KPMG – Information Risk Management
  • Sony, Schering-Plough, Centennial Corp – IT Audit Director
  • Eisner/Amper – Risk Advisory Services
  • ISACA President, Board member since 1993


  • Let’s customize the agenda!
  • We know some of your technical challenges from the pre-meeting survey.

But first:

  • What are the major issues facing your organization?


World Class Audit – One View

What makes a world class audit organization?

  • Good people (an organization)
  • Following well thought out procedures
  • Focused on significant issues and positive deliverables
  • Team approach to management


Elements of a world class audit function – Organization (Chap 4)
  • Audit consists of People & Procedures
  • Creating the organization - establish a Charter, Mission Statement
  • Build in positive deliverables in mission
  • When was your last SWOT analysis for Internal Audit? Corp Board - survey!
  • Document Policies & use to orient (177)


Essence of Internal Audit


  • How do you contribute to the company’s mission? - pages (137-138)
  • Not involved in products, customers

Management periodically reviews the audit contribution (not every day, but always some day).

  • Are you ready for the review and ROI?


The Impact of the Economy on Audit Departments – Discussion Points

In today’s economic climate, it has become increasingly necessary to manage audit functions and processes more efficiently.

  • What is the impact of the economy on executing our audit plans?
  • What techniques are being used to accomplish this goal?
  • Are there effective automation solutions available to help with this?
  • Are there audit areas that are candidates for elimination or reduced audit coverage to accommodate strained budgets?
  • Does management recognize that there is an increased motivation for fraud and data crimes, concurrent with expectations on audit departments to recognize such activities despite reduced budgets?


Data Loss Prevention / Data Privacy

Data Loss Prevention (DLP): Detecting and preventing the unauthorized use and transmission of confidential information. Risks associated with data loss have significantly increased due to companies having fragmented and porous network perimeters, the ability to move massive amounts of information easily, the value of multiple types of information, as well as new and emerging regulatory restrictions and marketplace liability for improperly protecting personal information.

Personally Identifiable Information (PII) includes: Name, Street Address, Social Security Number (or other national identification numbers), Credit Card Number, Expiration Date, Authorization Code, Telephone number, E-mail address, Driver's license number, Face, fingerprints, or handwriting, etc.
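The detection side of DLP described above, as an added example that is not part of the original presentation: a Python scanner that looks for three of the PII elements the slide lists (Social Security numbers, credit card numbers, e-mail addresses) in outbound messages, with a Luhn check so that a 16-digit order number is not flagged as a card. The regexes, masking format and block/allow policy are assumptions for illustration, and the sample messages are constructed.

```python
import re

# Patterns for three PII elements listed on the slide: SSN, credit card number, e-mail.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")

def luhn_valid(number: str) -> bool:
    """Mod-10 check that separates real card numbers from random digit runs."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text: str) -> list:
    """Return (type, masked value) for each PII element found in one message."""
    hits = []
    for m in SSN_RE.finditer(text):
        hits.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group()):            # drop order/reference numbers that fail Luhn
            digits = re.sub(r"\D", "", m.group())
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in EMAIL_RE.finditer(text):
        hits.append(("email", m.group()))
    return hits

def dlp_decision(text: str, block_types=("ssn", "card")) -> str:
    """Assumed policy: block outbound text carrying an SSN or a valid card number."""
    kinds = {kind for kind, _ in find_pii(text)}
    return "block" if kinds & set(block_types) else "allow"

# Constructed sample outbound messages (not real data).
SAMPLE_MESSAGES = [
    "Reminder: quarterly audit plan review is Tuesday at 10am.",
    "Customer SSN 219-09-9999 for the credit application, please process.",
    "Payment card 4111 1111 1111 1111 exp 12/27, auth code 8841.",
    "Order 1234-5678-9012-3456 shipped.",   # 16 digits, but fails Luhn: an order number
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(dlp_decision(msg), find_pii(msg))
```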


Regulations and Statutes

  • European Data Privacy Directive (1995)
  • Gramm-Leach-Bliley Act (1999)
  • SEC’s Regulation S-P (2000)
  • California state law regarding data breaches (2003)
  • Massachusetts regulations regarding information security (2008 – 2009)
  • US Red Flag Rules (2010)
  • Payment Card Industry Standards (2008)
  • HIPAA (1996)/HITECH (2010) Acts


Data Breaches – Scope of the Problem
  • The Privacy Rights Clearinghouse maintains a Chronology of Data Breaches
    • Since 2005, 1,720 data breaches have been made public, resulting in 510,535,937 breached records.
    • The numbers are not complete: many small breaches are not reported, and the number of records breached is in many cases unknown.
    • The reported data breaches include data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers.
    • The chronology also includes some breaches that did not expose sensitive information.
    • Major causes of breaches include lost or stolen computers or storage media, hacking, programming/human error and lost backup tapes.

Source: http://privacyrights.org/data-breach


Examples of Data Breaches

  • Heartland Payment Systems: intruders hacked over 100 million records.
  • San Francisco, July 2008: a disgruntled employee sabotaged the city’s computers by changing all the admin passwords.
  • Iowa recently learned that Social Security numbers of its residents had been accessible on the Internet since 2005, through a website maintained by a county.
  • TJX, ChoicePoint, CardSystems, Veterans Administration, and many more.


Data Loss Prevention / Privacy – Discussion Points
  • Are audit plans and programs being modified / created to address data loss prevention?
  • How many companies have designated Privacy Officers?
  • Are Incident response plans documented?
  • Is a technical solution for data loss prevention – i.e., systems designed to automatically monitor for data leakage – considered essential to enterprise risk management?
  • Are there automated audit tools being used to determine the effectiveness of data loss prevention programs?
  • Are IT and executive management cognizant of, and responsive to, protecting organizations from data loss breaches?
  • How do we see data loss prevention evolving?


Continuous Controls Monitoring

CCM technology provides an automated in-line means to effectively audit transactions and identify fraud and other exceptions in real time.


Continuous Monitoring Macro
  • Automation – computers, new communications and surveillance devices lead to an expansion of monitoring
  • There is an ever expanding “Orwellian” interest in monitoring
  • Government – National security; compliance – tax; motor vehicle monitoring


Business Monitoring
  • Business - Financial & IC Focus
    • Most common terms: CCM, CCM-T, CA
  • Start higher - CM is more pervasive
    • Need for more clarity of CM objectives, benefits and definitions
  • CM adds value to the IC system – COSO Monitoring – a good step, not far enough
  • Hence – the FERF research paper


Overview Of Continuous Monitoring

Diagram, labels recovered from the slide: Business Monitoring; CCM-S of duties (segregation of duties); CM - Security / Info Integrity; CCM-T & recs; Internal Audit / GRC
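An added example, not part of the original presentation, of the in-line transaction monitoring described under Continuous Controls Monitoring and of the CCM-S (segregation of duties) and CCM-T (transactions) labels in the diagram above: a stateful Python monitor that receives each transaction as it posts and raises an exception when one user both set up a vendor and approved its payment, when the same vendor and amount are paid again inside a window, and when a payment at or above a limit carries a single approval. The event fields, the approval limit and the duplicate window are assumptions, and the transaction feed is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

APPROVAL_LIMIT = 10_000               # assumed policy: payments at/above this need a second approver
DUPLICATE_WINDOW = timedelta(days=7)  # assumed window for duplicate-payment detection

class ControlsMonitor:
    """Stateful in-line monitor: feed each transaction as it posts, get exceptions back."""

    def __init__(self):
        self.vendor_creator = {}             # vendor -> user who set it up
        self.payments = defaultdict(list)    # (vendor, amount) -> [(timestamp, id), ...]

    def ingest(self, ev: dict) -> list:
        ts = datetime.fromisoformat(ev["ts"])
        findings = []
        if ev["action"] == "create_vendor":
            self.vendor_creator[ev["vendor"]] = ev["user"]
        elif ev["action"] == "approve_payment":
            # CCM-S: the same user set up the vendor and approved a payment to it
            if self.vendor_creator.get(ev["vendor"]) == ev["user"]:
                findings.append(f"{ev['id']}: SoD - {ev['user']} created vendor "
                                f"{ev['vendor']} and approved its payment")
            # CCM-T: same vendor and amount paid again inside the window
            key = (ev["vendor"], ev["amount"])
            for prev_ts, prev_id in self.payments[key]:
                if ts - prev_ts <= DUPLICATE_WINDOW:
                    findings.append(f"{ev['id']}: duplicate of {prev_id} ({key[0]} {key[1]})")
            self.payments[key].append((ts, ev["id"]))
            # CCM-T: single approval at or above the limit
            if ev["amount"] >= APPROVAL_LIMIT and not ev.get("second_approver"):
                findings.append(f"{ev['id']}: {ev['amount']} at/above limit without second approver")
        return findings

# Constructed transaction feed (not real data); field names are assumed.
SAMPLE_EVENTS = [
    {"id": "T1", "ts": "2010-10-01T09:00:00", "user": "jsmith", "action": "create_vendor", "vendor": "Acme Supply"},
    {"id": "T2", "ts": "2010-10-01T09:30:00", "user": "jsmith", "action": "approve_payment", "vendor": "Acme Supply", "amount": 4200},
    {"id": "T3", "ts": "2010-10-02T11:00:00", "user": "mlee", "action": "approve_payment", "vendor": "Acme Supply", "amount": 4200},
    {"id": "T4", "ts": "2010-10-03T14:00:00", "user": "mlee", "action": "approve_payment", "vendor": "Beta Ltd", "amount": 12500},
    {"id": "T5", "ts": "2010-10-03T15:00:00", "user": "mlee", "action": "approve_payment", "vendor": "Beta Ltd", "amount": 12500, "second_approver": "cfo"},
]

def run(events) -> dict:
    """Replay a feed through one monitor; map each transaction id to its exceptions."""
    mon = ControlsMonitor()
    return {ev["id"]: mon.ingest(ev) for ev in events}
```

Running `run(SAMPLE_EVENTS)` flags T2 (segregation of duties), T3 and T5 (duplicates of T2 and T4) and T4 (single approval above the limit), while T1 passes.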

Business Monitoring
  • Features expanded use of near real time – automated monitoring
  • We need to redefine the Control Community Role & CM terminology (EDPACS Article)
  • Operations in addition to Financial Focus
    • Bigger focus on controls based in operations – FedEx to E-ZPass
  • Finance & audit – to lead & educate


Continuous Controls Monitoring – Discussion Points
  • CM - What is your company doing to take advantage of automation to improve data & information integrity?
  • Who has implemented or is planning to implement CCM?
  • What are some notable successes and failures in using this technology?
  • What types of transactional activities and data mining are being used and where do we see the greatest potential benefits?
  • How has the use of CCM affected legacy audit planning and procedures?
  • Are there any other areas of CCM that could be used for more effective audits and timely identification of aberrant activities – e.g., monitoring IT controls?
  • Is the use of CCM destined to become an important and requisite audit methodology best practice?


Cloud Computing & Outsourcing

Firms are moving at a tremendous pace to cloud computing based architectures and assignment of processing controls to third party processors to reap the cost savings. NIST has defined cloud computing as: a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.


The NIST Cloud Definition Framework

Diagram (Source: NIST), labels recovered from the slide:

  • Deployment models: Public Cloud, Private Cloud, Hybrid Clouds
  • Service models: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS)
  • Essential characteristics: On Demand Self-Service, Broad Network Access, Rapid Elasticity, Resource Pooling, Measured Service
  • Common characteristics: Massive Scale, Resilient Computing, Geographic Distribution, Service Orientation, Low Cost Software, Advanced Security

Cloud Computing in Financial Terms
  • No more buying servers (that will probably not ever be fully utilized and start losing value as soon as they’re delivered).
  • Companies will not need to spend money on switches and routers, backup power, redundant bandwidth, and expensive HVAC systems that servers require.
  • Can reduce expenses for IT staff specifically dedicated to server maintenance and server/computer rooms.
  • Servers become someone else’s responsibility. They buy it, and you rent it. You rent it by the megahertz, gigabyte, or bits per second.
  • Cloud service providers hire the server room staff and you rent their services.
  • Allows companies to reap great economies of scale and reduce capital expenditures and IT operating costs.

Source: Proformative


Cloud Economics – Cost Savings

Estimates vary widely on potential cost savings:

  • Brian Gammage, Gartner Fellow
    • “If you move your data center to a cloud provider, it will be a tenth of the cost.”

  • CTO of Washington D.C.
    • Use of cloud applications can reduce costs from 50% to 90%
  • Preferred Hotel
    • Traditional: $210k server refresh and $10k/month
    • Cloud: $10k implementation and $16k/month
  • Ted Alford and Gwen Morton of Booz Allen Hamilton
    • Government agencies moving to public or private clouds can save from 50 to 67 percent.
  • Merrill Lynch
    • Claimed that technology could make business applications “3 to 5 times cheaper,” meaning that organizations could save anywhere from 67 to 80%
  • William Forrest, McKinsey Analyst
    • In disputing some of the cost savings examples, he indicated that there would be few savings from cloud migrations and that moving to the cloud would actually cost 144 percent more than current expenditures.
Six Costly Cloud Mistakes

There are a number of "hidden gotchas" when it comes to using cloud infrastructure providers.

  • Not taking full account of financial commitments on existing hardware.
  • Not factoring in your unique requirements when signing up for a cloud service.
  • Signing an agreement that doesn't account for seasonal or variable demands.
  • Assuming you can move your apps to the cloud for free.
  • Assuming an incumbent vendor's new cloud offering is best for you.
  • Getting locked in to a cloud solution.

Source: CFO.com


Provider Due Diligence
  • Before entering into an agreement with a cloud (or any outsourced) provider, organizations need to perform due diligence procedures, which should be based on the type of data/processes being outsourced or moved to the Cloud.
  • Due diligence should be carried out by a multi-disciplinary team that could include members from the business area(s) affected, finance, legal, information security, privacy office, corporate security & audit.
  • Many companies use questionnaires as a first step for assessing vendors’ controls.
  • Because it does not fit in their cost model, most cloud providers will not allow on-site audits.
  • If Type II SAS70s (or other certifications) are not available (e.g., for smaller providers or new entrants into Cloud Computing), then an “on-site” audit is recommended.
  • Audits should be performed pre-contract execution where possible.
  • Should also evaluate the vendor’s health, including review of D&B reports.


SAS70s Reliance & Limitations

SAS70 limitations include a general lack of security focus, and the testing procedures are sometimes narrowly defined.

When reviewing SAS70s, organizations should consider the following:

  • Was it a Type I or a Type II?
  • Who performed the SAS70?
  • Did the entity receive a clean audit opinion?
  • What audit objectives were covered by the SAS70?
  • Were there any findings and how were they addressed?
  • What Client Control Considerations were included?
  • Is this enough to cover the organization’s regulatory requirements (e.g., PCI, SOX, GLBA, Privacy Laws)?

Organizations should look for additional assurances besides the SAS70s, which can include: ISO 27001/27002, TRUSTe, Safe Harbor, SysTrust/WebTrust.


Cloud Computing & Third Party Processing – Discussion Points
  • What are the risks associated with third party processing that are of most concern?
  • How is third party processing being audited by organizations – e.g., right to audit clauses vs. reliance on SAS 70 reports?
  • Are companies doing adequate due diligence before contracting with third party providers – particularly in regards to involving audit departments prior to contractual commitments?
  • How is the complex digital supply chain – where multiple downstream providers provide services for each other and data residence and transmission points are increasingly obscure – being dealt with from an audit perspective?
  • What types of controls and associated technologies are considered essential to auditing third party processing?
  • How has the economy impacted how we determine ongoing vendor viability?
Wrap Up
  • Other Topics or Focus area?
  • Major Takeaways
Thank You

To all participants


JH Cohn

For More Information:

Michael P Cangemi CPA CISA

President Cangemi Company LLC




Andy Ellsweig

Senior Manager

EisnerAmper LLP


732.287.1000, x1297