Internet of Things (IoT)
The network connection and transmission of information or data from physical devices, objects, or fixtures
Pace and type of IT change...
increases business risk
Types of IT Changes
- System enhancements
- New technologies
- Patches and system upgrades
- Application code revisions
Cybersecurity
The technologies, processes, and practices designed to protect an organization's information assets - computers, networks, programs, and data from unauthorized access
What is the number one technology risk in an organization?
Cybersecurity
Technology's top 10 risks
1. Cybersecurity
2. Information Security
3. IT Systems Development Projects
4. IT Governance
5. Outsourced IT services
6. Social Media Use
7. Mobile Computing
8. IT Skills among internal auditors
9. Emerging technologies
10. Board and audit committee technology awareness
Effective controls to address cybersecurity
- strong security frameworks
- identifying and controlling top risks to the organization related to cybersecurity, including external and internal threats
- awareness programs directed to all employees
- strong IT governance and robust protocols in case of a serious breach
IT Auditor
Works extensively in the area of computerized information systems and should have deep IT risk, control, and audit expertise
Standard 3.1
- The standard of competency
- Includes competency in information technology
What are the top IT skills all internal auditors should possess?
- Data analytics
- Cybersecurity
- Business continuity and disaster recovery
- Change management
- Newer technologies
Data analytics
How to analyze data and use audit software tools
Cybersecurity
Key components of information security, including technology terminology applications, operating systems, network and physical security, and key risks
Business continuity and disaster recovery
Understanding the most significant business areas and practices for recovery
Change management
Knowledge of project management and change processes and the corresponding impact on the organization
Newer technologies
Being tech savvy with current issues on emerging technologies and their potential impact on the business
It is virtually impossible in today's business world....
for any internal audit function to provide value-adding services to its organization unless the function is highly proficient with its knowledge of IT risks and controls and has the capability to effectively apply technology-based audit techniques
Certified Information System Auditor
Globally recognized certification for IS audit control, assurance, and cybersecurity officials
Standard 10.3
Technological resources
Information Technology Governance
The leadership, structure, and oversight processes that ensure the organization's IT supports the objectives and strategies of the organization
Standard 9.4
- Internal Audit Plan
- Consider coverage of IT governance, fraud risk
REVIEW IT GOVERNANCE FRAMEWORK
COBIT 2019
Internationally accepted IT governance framework. It is the best-known control and governance framework that addresses information technology
COBIT stands for...
Control Objectives for Information and Related Technology
Risks of computer hardware
Susceptible to power outages that interrupt transaction processing. Infected hardware may also be purchased
Risks of networks
They transmit information that may be intercepted, stolen, or misused
Risks of computer software
Inaccurately programmed software may produce invalid, incomplete, or inaccurate information. It also creates efficiency, performance, security, or capacity risks
Risks of databases
They may be infiltrated for the purpose of misappropriation or misusing information
Risks of information
Invalid, incomplete, or inaccurate information may result in poor decision making or inaccurate reporting
Common types of IT risks
- Selection risk
- Development/acquisition and deployment risk
- Availability risk
- Hardware/software risk
- Access Risk
- Confidentiality and privacy risk
- System reliability and information integrity risk
- Fraud and malicious acts risk
Availability Risk
Unavailability of the system when needed may cause delays in decision-making, business interruptions, lost revenue, and customer dissatisfaction
Causes of availability risk
Hardware/software failures, unscheduled maintenance, natural disasters, viruses
Hardware/software risk
Failure of hardware/software to perform properly may cause business interruptions, temporary or permanent damage to or destruction of data, and hardware/software repair or replacement costs
Causes of hardware/software risk
natural wear and tear, environmental damage, disasters, not patching hardware/software, viruses
Access Risk
Unauthorized physical or logical access to the system may result in theft or misuse of hardware, malicious software modifications, and theft, misuse, or destruction of data
Causes of access risk
Use of smartphones to access, modify, and store corporate data; open use of wireless networks for guest access to business data; and lack of strong user access authentication
Confidentiality and privacy risk
Unauthorized disclosure of business partners' proprietary information or individuals' personal information may result in a loss of business, lawsuits, negative press, and reputation impairment.
Causes of confidentiality and privacy risk
Unimpeded access to system networks, software, and databases
System reliability and information integrity risk
Systematic errors or inconsistencies in processing may produce irrelevant, incomplete, inaccurate, and/or untimely information
Causes of system reliability and integrity risk
programming errors, weak edit or data verification controls, and unauthorized changes to software
Fraud and Malicious Acts Risk
Theft of IT resources, intentional misuse of IT resources, or intentional distortion or destruction of information may result in financial losses and/or misstated information that decision makers rely upon
Causes of fraud and malicious acts risk
Disgruntled employees and hackers intent on harming the organization for personal gain
Information technology controls
Categorized as a top-down hierarchy of IT governance, management, and technical controls
The top 6 layers of IT controls represent ...
IT general controls
The bottom layer of IT controls represent...
application controls
General controls
Apply to all computerized systems or applications. They include a mixture of software, hardware, and manual procedures that shape an overall control environment
Application Controls
Specific controls that differ with each computerized application
What are the general controls within governance?
Policies
What are the general controls within management?
- Standards
- Organization and management
- Physical and environmental controls
What are the general controls within technical?
- Systems software controls
- Systems development controls
What are commonly included in general controls? Controls over...
- Data center and network operations
- Systems software acquisition, change, and maintenance
- Access security
- Application system acquisition, development, and maintenance
The objectives of IT general controls...
to ensure the appropriate development and implementation of applications, as well as the integrity of program and data files and of computer operations
The most common IT general controls
- Logical access controls
- Systems development life cycle (SDLC) controls
- Program change management controls
- Physical security controls
- System and data backup and recovery controls
Logical Access Controls
limit access in accordance with the principle that all persons should have access only to the elements of the organization's information system that are necessary to perform their job duties
The dual focus of logical controls
- Authentication
- Authorization
Systems development life cycle controls and program change management controls
Ensure that operating systems, utilities, and database management systems are acquired and changed only under close supervision and that vendor updates are routinely installed
Physical Security controls
controls over the data center that limit physical access and environmental damage to computer equipment, data, and important documents
System and data backup and recovery controls
ensure access to data communications, work areas, and other business processes can be restored
Application Controls are designed to...
ensure that only correct, authorized data enter the systems and that data are processed and reported properly
Application controls include...
input, processing, and output controls
The most common types of application controls
- Source document controls
- Batch input controls
- Online (real time) input controls
- Processing Controls
- Output controls
- Management trail controls
Batch Input Controls
- Financial totals
- Record counts
- Hash totals
Financial Totals
summarize monetary amounts in an information field in a group of records. The total produced by the system after the batch has been processed is compared to the total produced manually beforehand.
Record counts
track the number of records processed by the system for comparison to the number that the user expected to be processed
Hash Totals
an otherwise meaningless total that is used to verify the completeness of data
Batch Total
total of an amount included in each record batched for processing
Online (real time) input controls
- Completeness check
- Field/format checks
- Sign check
- Preformatting
- Validity checks
- Check digits
- Limit (reasonableness) checks
- Range Check
- Sequence Checks
- Zero balance checks
- Input error correction
Processing Controls
Designed to prevent or detect and correct errors that occur during processing
Types of processing controls
- Run-to-run control totals
- Error listings
- Concurrency controls
Run-to-run control totals
Control totals are calculated and checked at designated points as transactions are processed
Error listings
automatically generated by the computer and errors identified are remediated expeditiously
Concurrency Controls
manage situations where two or more users attempt to access or update a file or database simultaneously. These controls ensure the correct results are generated while getting those results as quickly as possible.
Output controls
designed to ensure that application system outputs are valid, complete, and accurate and that security over outputs is properly maintained
Types of output controls
- Output review controls
- Distribution Controls
- End user controls
Output review controls
application system outputs are reviewed for validity, completeness, and accuracy before being distributed to users
Distribution controls
Distribution of application system outputs is restricted to authorized recipients
End user controls
end users review the application system outputs they receive for validity, completeness, and accuracy
Management trail controls
designed to provide a permanent record of input, processing, and output activity
Types of management trail controls
- Transaction Logging
- Programmed control logging
- Error listing retention
Transaction logging
the application system automatically logs the transactions processed
Programmed control logging
The application system automatically logs the embedded controls executed during input, processing, and output
Error listing retention
The error listings generated and remediated during processing are retained
How many Global Technology Audit guides?
17