The assignment generally covers weeks 1-5 in the course (week 6 is also helpful...). When referring to articles or other sources of information to support your short answers, please include a footnote reference. You should cite where in your short answer you are using the source by including a reference number, included in parentheses at the end of the sentence, for example (1). Immediately following your answer, include a “Works Cited / Reference Section” that provides information about your source. Here is an example:

Works Cited / Reference Section
(1) Piper, Arthur. “A Matter of Trust.” IA Internal Auditor (On-line Magazine), April, 2016. Accessed April 6, 2016. https://iaonline.theiia.org/. © 2016 The Institute of Internal Auditors. All rights reserved.

Please refer to the Grading Rubric and Criteria that we reviewed and discussed in week 1. Please note, there is no minimum or maximum “word count” included. Rather, use your best judgment and simply write well thought out answers with an eye for concise and logically supported expository composition. As a rule of thumb, students should strive to answer questions with a maximum of 400 words total (i.e., all sub-questions of each question included)¹.

Statement on Academic Integrity | In taking this exam, you acknowledge your understanding of DePaul’s Academic Integrity policy, which can be found at the following link: https://offices.depaul.edu/academic-affairs/faculty-resources/academic-integrity/Pages/default.aspx You are encouraged to ensure your work is original and to note, Turnitin® has been enabled in D2L which provides tools, reports, and data to help identify many forms of potential misconduct.

1. [25 points] ~ Learning Objective: To demonstrate an understanding of the role of the IT auditor in today’s economy.

Global pandemic. Technology disruption. Cybercrime and ransomware. Mergers and acquisitions. Heightened legal, regulatory and compliance requirements. Socio-political and economic climate.
Change in the business world is a constant. Jack Welch, the former chairman and CEO of General Electric, stated: “When the rate of change on the outside exceeds the rate of change on the inside, the end is near.”

You have scheduled a meeting with the Chief Information Officer (CIO) to review your proposed changes to your 2021 IT audit plan. Explain how you would use the IT audit function to add value to the organization. In your answer, consider the following short answer prompts:

a) Drawing from our lecture and discussion, what is information assurance and why is it needed in today’s business environment?
b) The COSO internal control framework² emphasizes the need for companies to implement effective monitoring activities to support its overall system of controls, including “separate evaluations” (Principle 16). Explain how IT auditors support this component of the COSO framework, thereby providing information assurance.
c) Consider the concept of continuous auditing we discussed in week 5. How can a future-focused IT auditor apply these concepts to add value?

¹ A 400-word count will create approximately 0.8 pages single-spaced or 1.6 pages double-spaced when using normal margins (1″) and 12 pt. Times New Roman font.
² https://www.coso.org/Documents/COSO-ICIF-11x17-Cube-Graphic.pdf

2. [25 points] ~ Learning Objective: To demonstrate an understanding of key IT governance concepts.

The Chief Audit Executive has asked you to perform some preliminary research as it relates to an upcoming audit of your company’s approach to IT governance. Write a response back to the Chief Audit Executive stating the key areas that the team should focus on for this important IT audit project. In your answer, consider the following short answer prompts:

a) There are many different frameworks that define IT governance.
Drawing from our lecture and discussion, in your own words, what are the key elements of IT governance and why should we consider this the starting point for the IT assurance and audit professional?
b) How do you know when IT governance is not working? Scan through today’s headlines and consider providing an example. What facets of IT governance were lacking?
c) What are the different roles of boards versus management? As these roles relate to IT governance, why is clearly defining roles, responsibilities, and accountability important?

3. [25 points] ~ Learning Objective: To demonstrate an understanding of the important role of risk management in today’s economy, including the importance of establishing a common risk language.

Why does a car have brakes? In class, when I asked this question, the majority of you immediately thought: “To slow the car down.” We emphasized the importance of implementing improved risk management practices and establishing a common risk language to enhance value and proactively seize business opportunities (i.e., “The car can go faster if you know you have effective brakes!”).

Consider the following scenario: Maria Alvarez, the Chief Operating Officer (COO) of a global manufacturing company, recently attended a virtual conference on corporate governance. One of the topics discussed was the subject of Enterprise Risk Management, or ERM for short. She could not believe what she heard ... At lunch, later that day, she spoke to her company’s Chief Compliance Officer (CCO): “Mihal,” she said, “this ERM concept is all wrong. Hire a Chief Risk Officer and let that person have responsibility for risk – no way. It’s another example of academics, accounting and consulting firms dreaming up some idea to sell to corporate America. They’re just out to fatten their wallets. Risk management is part of our day-to-day operations – it’s embedded in our daily decision-making.
If we set up a separate group to monitor a list of risks, we are only going to cause more troubles. It’s no wonder why only 30% of companies polled in the 2020 The State of Risk Oversight report (April 2020) indicate they have complete formal ERM processes in place.”

Building upon this point-of-view, Bob Kaplan, Senior Fellow and Marvin Bower Professor of Leadership Development, Emeritus at the Harvard Business School, in an article titled Risk Management, the Revealing Hand, states: “After the global financial crisis, consultants and policy makers reached the conclusion that, as articulated by Ernst & Young Partner Randall Miller, ‘companies with more mature risk management practices outperform their peers financially.’ Consultants offered to show less risk-savvy companies how to reap the ‘likely profit margin increase’ that has accrued to ‘risk management leaders... over the last three years’ and to achieve the spectacular EBITDA differentials between the ‘top’ and ‘bottom’ of the risk management maturity scale. Despite such claims, academic studies have yet to confirm whether and how risk management practices add value.”

In your answer, consider the following short answer prompts:

a) Do you agree or disagree with Maria Alvarez, the COO – is the concept of ERM “all wrong”?
b) Often, when we think about risk, we immediately focus on “potential harms” – how can ERM, or more effective risk management practices, focus on value added versus value preserved?
c) Building on the topic of risk management, explain why it is vitally important for the IT auditor to establish a common risk language with management.

4. [25 points] ~ Learning Objective: To demonstrate an understanding of key IT assurance professional standards.

Internal audit and IT assurance professional standards emphasize the importance of performing engagements with due diligence and professional care – exercising appropriate levels of objectivity and professional skepticism.
Cynthia Cooper, WorldCom whistleblower and internationally recognized expert on ethics and leadership, offers some timeless lessons for risk, compliance and assurance professionals. In this article in CFO magazine – WorldCom Whistle-blower Cynthia Cooper – she states, “My feelings changed from curiosity to discomfort to suspicion based on some of the accounting entries my team and I had identified, and also on the odd reactions I was getting from some of the finance executives.”

After reading this short article, consider the following short answer prompts:

a) What elements of due professional care were exhibited in her actions?
b) Why are these elements of the professional standards vital to the profession of internal audit?
c) Although the IT assurance standards do not include the concept of “ethical courage” – why is it important for an IT assurance professional to understand their personal “ethical courage”?

5. [25 points] ~ Learning Objective: To demonstrate an understanding of the IT audit process, with a focus on the importance of risk-based planning.

A well thought out approach to planning an IT audit provides for an orderly, structured approach to perform the audit. You are preparing to conduct an IT audit of a mission critical application. Consider the following information:

The Commercial Lending Application (CLA) is a vendor-based package that supports the commercial lending operations of a global bank. This system processed $367,000,000 USD in loans in Q1, 2021, which represents 63% of the bank’s global revenue. The CLA system has had minimal customization to date. There are two developers that support this application; given the small size of the development team, they have direct unrestricted access to production for support purposes. The changes that have taken place to this application are primarily to the reports; however, some customization to the source code has been made.
In early 2021, one of the developers responsible for supporting CLA was fired for cause. The servers are housed in the corporate main office support center in Moline, Illinois. Since this is a vendor-based application, the support team does not follow standard corporate change management policies. There have been fifty changes to this application this past year. Ten of these changes were emergency changes. End users total about sixty-two people, and the business users have recently reported some repeated concerns about application availability due to two recent outages.

Describe the key elements of IT audit engagement level planning³ and explain why each element is important. In your answer, consider the following short answer prompts:

a) What is your assessment of the business impact of this system if there were an outage or data integrity issue?
b) What is your preliminary assessment of the likelihood of a risk event occurring? What specific facts caused you to reach this conclusion?
c) Why is risk assessment a vital and important component of performing an IT audit?

³ Engagement level planning means you are planning to perform a specific IT audit of an application, IT process or component of the IT infrastructure.

IS 444 – IT Auditing, Spring 2021, Week 5 | Thursday, April 29, 2021
DePaul University – IS 444 IT Auditing

Today’s Class Outline

Topic | Est. Duration | Est. Times
Class Admin Items: Homework Assignments and Mid-Term Exam | 5 min | 5:45 pm (start)
Review Last Week’s Key Learning Points | 10 min |
IT audit process – Planning a specific IT audit project (con’t from last week) | 60 min |
BREAK | 15 min | 7:00 – 7:15 pm
Fraud, data analytics and continuous assurance/auditing | 75 min | 8:30 pm (end)**

Various Classroom Administrative Updates
• Week 4 – Zoom video issue
• Week 6 – Professor Phillips begins lecturing – Topic: Auditing Systems Development and Maintenance
• Mid-Term – Consult class syllabus for timing; more to follow on next slides
• Homework #3 – Consult class syllabus for timing
• Please continue to post comments in our on-line Discussion Forum

Week 4 Audit Universe – Classroom Activity Answer Key

• Zoom Breakout Activity #1 – Refer to the case study – Lesson 2, Part 1. IT audit universe examples:
  – IT Processes: Software Development; 3rd Party Vendor Management; BCP
  – Applications: Credit Underwriting System; BDI General Ledger
  – Infrastructure: Network; Unix; Database
  Additional Resource: Developing the IT Audit Plan Using COBIT 2019 – https://www.isaca.org/resources/isaca-journal/issues/2019/volume-3/developing-the-it-audit-plan-using-cobit-2019

Week 4 Audit Universe – Classroom Activity Answer Key (cont’d)

• Zoom Breakout Activity #2 – Using BDI’s “Audit Universe”, conduct a risk assessment on the items that have been listed – refer to case study Lesson 2, Part 2

Auditable Entity | Business Impact x Likelihood = Risk Score
(1) Third party vendor management/cloud computing | 3 x 3 = 9
(2) Credit Underwriting System (CUS) Application | 4 x 4 = 12
(3) BDI email and mobile computing | 2 x 2 = 4

[Figure: heat map of the three auditable entities, Likelihood of Risk Occurrence (Low to High) against Business Impact to BDI (Low to High)]

Mid-term Overview
• Questions will require some research, analysis and development of persuasively written answers – the focus is on the application or understanding of the concepts – the “why” and the “how” – not just the “what” this concept is …
• Worth 125 points
• Couple of hints or suggestions:
  – Use examples, self-check answers, budget your time – i.e., do not rush and wait to the last day
  – Auditing requires effective communication – building a persuasive argument – writing is key to our success
  – From the course syllabus: Writing Center – Need help with writing? This course will require the completion of several writing assignments, as part of the homework assignments and final examination. The Writing Center provides help free-of-charge to all members of the DePaul University community. Please click this link for more information: http://condor.depaul.edu/writing/locations-and-hours.html

REMINDER: The integrity of our work is critical to why we are all at DePaul, both as students and as faculty. It is through this integrity that we maintain a culture of continued learning, as well as personal and professional growth and development. You are reminded of our Academic Integrity Policy at this link: https://offices.depaul.edu/academic-affairs/faculty-resources/academic-integrity/Documents/Academic%20Integrity%20Policy_Spring%202016.pdf

Illustrative Example | Characteristics of a Strong Answer
• Clear thesis, point of view, established for the reader
• Use of authoritative source to support answer
• Logical presentation of argument
• Examples that explain the concept and support the argument/analysis – complexity of the issue is addressed (“opposite side of the coin”)
• No errors in grammatical writing and spelling to distract the reader
• Clear, concise conclusion paragraph; entire answer less than 600 words
• Reference cited
Grading Rubric – for midterm and final

Grade and Level: Above average – “A” grade
• Organization: The reader is quickly able to understand the logical flow and construct of the persuasive argument. Information is presented logically and naturally. Provides the reader with an “ah-ha” moment, a thoughtful insight with compelling evidence.
• Evidence: Expresses concepts and ideas through use of strong supporting examples to demonstrate understanding of question purpose and key Learning Outcomes. Recognizes and thoughtfully addresses complexities associated with argument. Appropriate use of citations when reference to facts, ideas, or outside sources.
• Clarity / Readability: No errors in grammatical writing and spelling to distract the reader. Uses style and tone appropriate to the audience and purpose. Sophisticated sentence variety and paragraph development.

Grade and Level: Sufficient – “B” grade
• Organization: The reader is able to identify the focus of the student work, which is supported by relevant ideas and supporting details; however, ideas may be more limited in depth. Organized but may have minor lapses in unity or coherence.
• Evidence: More limited use of examples to express concepts, ideas, and connections to question purpose and key Learning Outcomes. Recognizes and partially addresses complexities associated with argument. Appropriate use of citations when reference to facts, ideas, or outside sources.
• Clarity / Readability: Few, if any, errors in grammatical writing and spelling to distract the reader; however, writing lacks the organizational strength, clarity and readability of an “A” response.

Grade and Level: Developing – “C” grade
• Organization: The answer attempts to establish a clear thesis; however, the reader may not quickly understand the central ideas or purpose of the student work. Writing is not organized and lacks unity and coherence.
• Evidence: Limited use of evidence and/or examples to express concepts, ideas, and connections to question purpose and key Learning Outcomes. May recognize, yet does not address, complexities associated with argument. Incomplete or partial use of citations when reference to facts, ideas, or outside sources.
• Clarity / Readability: Multiple errors in grammar and spelling that distract the reader. Writing is too general, with flaws in logic and/or organization.

Grade and Level: Needs Improvement – “D” or below grades
• Organization: No clear thesis or logical construct; difficult to understand. The reader cannot clearly or easily identify the central ideas or purpose of the student work.
• Evidence: Information is presented in a disorganized fashion, causing the reader to have difficulty following the concepts, ideas, and connections to question purpose and key Learning Outcomes. A trivial argument or analysis. Fails to cite sources used in the answer.
• Clarity / Readability: There are many misspellings and/or mechanical errors that negatively affect the ability to read, understand and comprehend the work. Writing is far too general, with flaws in logic and/or organization.

IT Auditing: Learning Map (Professors Phillips & Enstrom)

Build the foundation (Professor Enstrom):
• Week 1 – Business, IT environment, corporate governance
• Week 2 – IT governance, ERM and IT risk
• Week 3 – Audit standards & frameworks (tools of the trade)
• Week 4 – IT assessment process (how we conduct an audit)
• Week 5 – Application controls, data analytics and fraud

Apply IT risk and control assessment concepts (Professor Phillips):
• Week 6 – Auditing systems development
• Week 7 – Cybersecurity Part 1 – risks, IAM, BCP/DR
• Week 8 – Cybersecurity Part 2 – CSF & IRP
• Week 9 – 3rd party risk – cloudy days

Corporate governance summation:
• Week 10 – Governance, Risk and Compliance

Today’s Learning Outcomes
• Develop an understanding of the IT audit process
• Develop an understanding of the considerations related to fraud, investigations, continuous monitoring, auditing, data analytics and the role of the IT auditor

TOPIC – IT AUDIT PROCESS – PLANNING A SPECIFIC IT AUDIT

The Detailed Audit Process
• Plan the engagement
• Do the audit fieldwork
• Check the controls
• Act by communicating results and following up on recommendations …
A simple way to remember: PDCA (plan-do-check-act) is an iterative four-step problem-solving process made popular by Dr. Deming that focuses on continuous business process improvement.

Plan
• Preliminary review and risk analysis
• Develop the scope and objectives
• Assess resources
• Design audit procedures

Step 1 (cont’d): The Problem = Identify the business risk
We start by defining the risks related to the IT environment, for example, due to ongoing software and maintenance changes. Companies may make thousands of changes to their production environments. These changes introduce risks related to the confidentiality, integrity and availability of its systems and information.
[Figure: IT environment diagram – IT 3rd party vendors (cloud), SAP Accounting Application, Network, Internet, Windows, Remote access, Firewall, Unix, Oracle Database]
Types of changes:
• Application
• Operating System
• Database
• LAN / WAN
• 3rd Party
Are these risks high, moderate or low? How will this risk assessment help inform how you approach the audit?

Plan – Preliminary review and risk analysis
Preliminary review and evaluation of risk and related key controls:
• Methods: interviews, questionnaires or existing documentation such as policies, procedures, past audit reports
• Determine the key risks related to the area under review and which controls are key or essential to the achievement of management’s control objectives – i.e., perform a preliminary evaluation of the design of the control structure
• Design audit procedures:
  – Assessing the risk of the applications and IT supporting infrastructure
  – Testing procedures should be more rigorous for higher risk areas
• After assessing the risks and designing audit procedures, you can then determine the level and type of technical resources needed to perform the audit
• This step results in the creation of the engagement planning memo or completion of a planning checklist

Audit Engagement Planning Considerations
The Engagement Planning Considerations should include:
• The scope defines the area to be reviewed (e.g., the Web-based sales system)
  – Need to consider use of third parties
• The objective is what we are trying to accomplish or the nature of the assurance we are providing in performing this audit. There are many different types of audit objectives that can be developed for an IT audit. For example, the objective of this audit is to assess:
  – the adequacy of internal controls regarding security, change management or data availability, etc.;
  – the extent of compliance of each area with applicable laws, regulations, policies and procedures;
  – opportunities for cost savings; or
  – investigate concerns related to fraud or illegal activities.
• A particular audit may have multiple objectives
• Must document a preliminary assessment of the risks relevant to the activity under review
• Include an analysis of resources required to conduct the review, timing and reporting (communication protocols)
• May include a reference to the internal audit being performed in accordance with certain standards (e.g., Institute of Internal Auditors standards)
• May result in a planning memo or planning checklist – as example audit artifacts

Planning – A Look at Our Standards…

IIA Reference: “Internal auditors must develop and document a plan for each engagement, including the engagement's objectives, scope, timing, and resource allocations.” The plan for each engagement:
• States the objectives of the engagement.
• Identifies technical requirements, objectives, risks, processes, and transactions that are to be examined.
• States the nature and extent of testing required.
• Documents the internal auditor’s procedures for collecting, analyzing, interpreting, and documenting information during the engagement.
• Is modified, as appropriate, during the engagement with the approval of the chief audit executive (CAE), or his or her designee.

ISACA S5 Planning Standard:
• 03 The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards.
• 04 The IS auditor should develop and document a risk-based audit approach.
• 05 The IS auditor should develop and document an audit plan detailing the nature and objectives, timing and extent, and resources required.
• 06 The IS auditor should develop an audit program and/or plan detailing the nature, timing and extent of the audit procedures required to complete the audit.

Planning – A Look at Our Standards… IIA: 2210 – Engagement Objectives
• 2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
• 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
• 2210.A3 – Adequate criteria are needed to evaluate controls.
Internal auditors must ascertain the extent to which management has established adequate criteria to determine whether objectives and goals have been accomplished. If adequate, internal auditors must use such criteria in their evaluation. If inadequate, internal auditors must work with management to develop appropriate evaluation criteria.

IIA: 2201 – Planning Considerations
• In planning the engagement, internal auditors must consider:
  – The objectives of the activity being reviewed and the means by which the activity controls its performance;
  – The significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
  – The adequacy and effectiveness of the activity's risk management and control processes compared to a relevant control framework or model; and
  – The opportunities for making significant improvements to the activity's risk management and control processes.

Planning – A Look at Our Standards… From ISACA S5, additional key points include the following:
• The IS auditor should perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the audit. Audit strategies, materiality levels and resources can then be developed.
• The audit program and/or plan may require adjustment during the course of the audit to address issues that arise (new risks, incorrect assumptions, or findings from the procedures already performed) during the audit.

Do – Test controls; Document results
• Test the “design” and “operating” effectiveness of the controls
• The level of testing should be greater for areas that are considered to have a higher risk profile
• Generally Accepted Auditing Standards (GAAS) state that audit tests should include:
  – Inquiry, corroborated by either
    • Observation of the control
    • Re-performance of the control
    • Inspection of evidence
• Sample sizes should also vary based on risk
• Document the results in the Work Program – typically Microsoft Word or Excel templates
High Risk? Test procedures may cover all three layers of the IT environment: governance, IT process, and the technical configuration – human factors should also be considered.

[Figure: Sources of IT Risk]

Performing (DO) – A Look at Our Standards…

ISACA: S6 Performance of Audit Work
• 03 Supervision – IS audit staff should be supervised to provide reasonable assurance that audit objectives are accomplished and applicable professional auditing standards are met.
• 04 Evidence – During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
• 05 Documentation – The audit process should be documented, describing the audit work performed and the audit evidence that supports the IS auditor's findings and conclusions.

IIA Standards:
• 2240.A1 – Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
• 2300 – Performing the Engagement: Internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement's objectives.

Analyzing & Testing Controls
• Step 1: Assess the Design of the Controls
  – Identify and document the key risks related to the process (consider developing a flow chart)
  – Identify the controls that Management uses to mitigate these risks
  – Determine if there are missing controls
  – Cross reference Management’s design to COBIT or other similar frameworks
  – Given the assessed level of risk, determine if there should be more controls – e.g., should Management consider adding a monitoring control
• Step 2: Test the Operating Effectiveness of the Controls. Examples:
  – If a control step requires an approval from Management, test to confirm that the approval is being obtained on a consistent basis by requesting a random sample.
  – If the policy requires passwords that are 8 characters long, test to confirm that the actual system is configured to comply with the corporate password policy by inspecting the password settings on-line with the assistance of the Sys Admin.

Sampling
• Defined: The application of an audit procedure to less than 100% of the items in the population
• There are two basic approaches to audit sampling: non-statistical and statistical
  – Both approaches require that the IT auditor use professional judgment when planning and performing the tests and analyzing the results of the tests
• Sampling risk is defined as the risk that the IT auditor’s conclusions may be different if the audit test were performed on the entire population
• When determining sample size, the IT auditor should consider the audit test objective, the nature of the population being tested, sampling risk, and other risk factors
• The population is the entire set of data that the IT auditor wishes to sample in order to reach a conclusion; therefore, the IT auditor must verify the population is complete and accurate.
• For many IT controls, sampling does not apply, or is difficult to apply in practice (e.g., a user ID and password)

Sampling (cont’d) – Guiding Principles
• Must define the population (e.g., all changes to systems) and consider the source of the population (system based versus Excel spreadsheet)
  – As a starting point, you need to have assurance that you have a complete and accurate population
• For IT controls, I typically use “judgmental” sampling – this is not a statistical method; however, it allows you to focus your testing on higher risk changes, for example.
  – Often, in practice, it is difficult to derive a statistically valid means of testing IT controls
• Tolerable error is the maximum error in the population that you are willing to accept and still conclude that the audit objective has been achieved
  – In practice, a >5% error rate should be reported by the IT auditor
  – However, I typically communicate ALL exceptions to Management so that Management can also make a determination on the risk and potential impact to the business
• Working papers should document sufficient detail to explain the sampling approach used and how this supported your conclusions

Documenting Test Results – Risk and Control Matrix
Columns: No. | Risk Statement and Key Control Description | Audit Testing Plan | Results of Audit Test Procedures Performed | Key Control Conclusion | Sign-Off / Date of Completion

No. 1
Risk | Changes are not properly authorized, causing system integrity or availability issues.
Key Control | All requests for changes to application, networking, database, and operating systems are categorized, prioritized, and authorized.

Audit Testing Plan:
1. Interview Change Control Manager and confirm all requests for changes to application, networking, database, and operating systems are categorized, prioritized, and authorized.
2. Select a sample of changes and confirm the changes were categorized, prioritized, and authorized.

Key Control Conclusion: 1. Not Effective – Exception noted. (CJE 4/15/2015)

Results of Audit Test Procedures Performed:
1. Per inquiry with Frank Costello, Change Control Manager, on April 1, 2011, IT staff must submit all changes to the Remedy change tracking tool. The changes are categorized as Project Release, Minor Maintenance, or Critical. The changes are authorized by the manager of the area requesting the change. When the change is ready to be implemented, Operations approves the change in Remedy. Mr. Costello further stated that a policy is not in place to govern changes to production. Please refer to the final audit report for disposition of the audit finding. (JTE 4/30/2015)
2. Internal Audit identified a population of 256 changes to the environment. Internal Audit judgmentally selected 25 changes (approx. 10% of the population) to sample compliance with corporate policies. Internal Audit inspected the sample of 25 changes and noted that for 4 out of 25, the change was not properly authorized. Exception noted.

Conducting Interviews
• Conducting meaningful interviews is critical
• Establish a high trust interaction
• Auditors should use open ended questions
• Probe and ask questions about the risks and controls
• Ask the “what if” – e.g., what if someone circumvented the process? How would you know?

Check – Issue Evaluation and Validation
• Validate:
  – The facts
  – The level of risk
• Issue evaluation should consider:
  – What is the level of risk – potential impact to the business
  – What is the root cause?
  – In addition, the following should also be considered:
    o Entity policies
    o Best practices (use of frameworks such as COBIT or ITIL)
    o Compliance with laws and regulations
    o Use of standards

Act – Communicating Results, Audit Follow-up and Tracking
Identifying reportable issues:
• Understanding and reporting on the root cause
• Should have sufficient and appropriate audit evidence to support the results reported
• Measuring the exposure and severity of issues – what’s the potential business impact?
• Points during the audit process when issues are communicated:
  – Control owner
  – Manager of control owner
  – VP or senior management
  – Other stakeholders (e.g., Audit Committee, Regulators, others)
• Recommendations should be clear, concise and actionable
• Maintain a database of all audit findings and track progress
  – Status should be reported to the Audit Committee on a periodic basis

Writing the Recommendation
Recommendation should highlight the root cause!
The IT Audit Senior tested a sample of changes to the Unix environment. From the sample, 4 out of the 25 sampled did not have any evidence of approvals. Management has not developed a patch management policy. Which recommendation addresses the root cause and will help to achieve sustainable improvement in the controls?

Recommendation A
BDI Management should ensure appropriate approvals are made prior to implementing Unix patch changes.

Recommendation B (risk rating: High Risk)
Internal Audit recommends the following: (1) Develop a patch management policy to reflect appropriate approvals; (2) Configure BDI’s change tracking tool to systematically enforce the new policy; (3) Develop a training and awareness program to communicate new policy and related process requirements; and, (4) Develop a monthly review procedure to monitor compliance with the policy.

Slide callouts on Recommendation B:
– Assigns a risk rating since this is a high risk area
– Addresses the process by creating the new policy
– Adds a “new” monitoring control – an automated control mechanism going forward
– Addresses the human element by training people to comply with the new policy – will help direct employee behavior and help Management understand the potential impact

Communicating Results (Act) – A Look at Our Standards…
ISACA: S7 Reporting
03 The IS auditor should provide a report, in an appropriate form, upon completion of the audit. The report should identify the organization, the intended recipients and any restrictions on circulation.
04 The audit report should state the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
05 The report should state the findings, conclusions and recommendations and any reservations, qualifications or limitations in scope that the IS auditor has with respect to the audit.
06 The IS auditor should have sufficient and appropriate audit evidence to support the results reported.
07 When issued, the IS auditor’s report should be signed, dated and distributed according to the terms of the audit charter or engagement letter.
IIA Standards: 2410.A1 – Final communication of engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.
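The sampling guidance above (define and verify the population, select judgmentally with a bias toward higher-risk items, compare the exception rate to tolerable error, and report every exception to Management), together with the Risk and Control Matrix result (256 changes, 25 sampled, 4 not authorized) that the recommendation exercise builds on, worked through as an added Python example. This is not code from the course or from any audit tool: the change population, its category mix, the missing-approval change numbers and the 60% weighting toward Critical changes are constructed assumptions; the 5% tolerable error rate and the 256 / 25 / 4 figures come from the slides.

```python
"""Added example, not from the lecture slides: judgmental (non-statistical)
sampling of a change-management population, evaluated against a tolerable
error rate.  The population is constructed to mirror the Risk and Control
Matrix result in the lecture (256 changes, 25 sampled, 4 not authorized);
the 5% tolerable error rate is the lecture's rule of thumb, and the 60%
weighting toward high-risk items is an assumed audit judgment."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

TOLERABLE_ERROR_RATE = 0.05  # lecture: an error rate above 5% is reported
CATEGORIES = ("Project Release", "Minor Maintenance", "Critical")
# Constructed: change numbers whose approval evidence is missing in the tool.
_UNAUTHORIZED = {5, 20, 38, 60, 102, 150, 200}


@dataclass(frozen=True)
class Change:
    change_id: str
    category: str      # as categorised in the change tracking tool
    authorized: bool   # approval evidence present for the change


def build_population(size: int = 256) -> list[Change]:
    """Constructed population standing in for an extract from the change tool."""
    return [Change(f"CHG-{i:04d}", CATEGORIES[i % 3], i not in _UNAUTHORIZED)
            for i in range(size)]


def verify_population(population: list[Change], control_total: int) -> list[str]:
    """Completeness and accuracy check before any sampling: the extract must
    agree to the system's control total and contain no duplicate IDs."""
    problems = []
    if len(population) != control_total:
        problems.append(f"record count {len(population)} != control total {control_total}")
    dups = sorted(k for k, n in Counter(c.change_id for c in population).items() if n > 1)
    if dups:
        problems.append(f"duplicate change IDs: {dups}")
    return problems


def judgmental_sample(population: list[Change], size: int,
                      high_risk_category: str = "Critical",
                      high_risk_share: float = 0.6) -> list[Change]:
    """Non-statistical selection that deliberately over-weights higher-risk
    changes (assumed share), then spreads the rest of the sample evenly
    across the remaining population so every category is touched."""
    high = [c for c in population if c.category == high_risk_category]
    rest = [c for c in population if c.category != high_risk_category]
    chosen = high[:min(len(high), math.ceil(size * high_risk_share))]
    remaining = size - len(chosen)
    if remaining >= len(rest):
        chosen += rest
    elif remaining > 0:
        step = len(rest) // remaining
        chosen += rest[::step][:remaining]
    return chosen


def evaluate_sample(sample: list[Change], tolerable: float = TOLERABLE_ERROR_RATE) -> dict:
    """Conclude on operating effectiveness; every exception is listed so that
    Management can assess risk and impact even when the rate is tolerable."""
    exceptions = [c for c in sample if not c.authorized]
    rate = len(exceptions) / len(sample)
    return {
        "tested": len(sample),
        "exceptions": [(c.change_id, c.category) for c in exceptions],
        "error_rate": rate,
        "conclusion": "Not Effective" if rate > tolerable else "Effective",
    }


def audit_change_authorization(control_total: int = 256, sample_size: int = 25) -> dict:
    """End-to-end: verify the population, select judgmentally, evaluate."""
    population = build_population(control_total)
    problems = verify_population(population, control_total)
    if problems:
        # Do not sample from an extract you cannot tie to the system's total.
        return {"population_problems": problems, "result": None}
    return {"population_problems": [],
            "result": evaluate_sample(judgmental_sample(population, sample_size))}


if __name__ == "__main__":
    print(audit_change_authorization())
```

Run stand-alone, the report lists the four exceptions with their categories alongside the 16% error rate and the "Not Effective" conclusion, which is the difference between communicating ALL exceptions to Management and reporting only a pass/fail result.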
The Detailed Audit Process
• Plan the engagement
• Do the audit fieldwork
• Check the controls
• Act by communicating results and following up on recommendations …
A simple way to remember: PDCA (plan-do-check-act) is an iterative four-step problem-solving process made popular by Dr. Deming that focuses on continuous business process improvement.

TOPIC: FRAUD (Week 5)

What is fraud?
• Fraud consists of some deceitful practice or willful device, resorted to with intent to deprive another of his right, or in some manner to do him an injury.
  – Source: Law Dictionary: What is FRAUD? definition of FRAUD (Black's Law Dictionary), thelawdictionary.org/fraud/
• Fraud is generally categorized as follows:
  – Asset misappropriation – May include employee theft – typically cash, physical assets (computers), or intellectual property
  – Corruption – May encompass a variety of wrongful acts, such as, among others, bribes or kickbacks
  – Financial statement fraud – deliberate misrepresentation of the financial statements
• Although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred.
  – Source: AICPA, Professional Standards

Sources of Fraud Risk | Fraud Triangle
The fraud triangle is a model for explaining fraud risk factors:
• Financial Pressure or Financial Need
• Perceived Opportunity
• Rationalization
The fraud triangle originated from Dr. Cressey's hypothesis: “Trusted persons become trust violators when they conceive of themselves as having a financial problem which is nonshareable, are aware this problem can be secretly resolved by violation of the position of financial trust, and are able to apply to their own conduct in that situation verbalizations which enable them to adjust their conceptions of themselves as trusted persons with their conceptions of themselves as users of the entrusted funds or property.” [1]
[1] Donald R. Cressey, Other People's Money (Montclair: Patterson Smith, 1973) p. 30.

The Fraud Triangle – Perceived Unshareable Financial Need (Pressure)
• Motivates the crime
• Typically due to financial problems one is unable to solve through legitimate means.
• Can be professional or personal in nature
• What are some examples?
  – Inability to pay one’s bills
  – Drug or gambling addiction
  – Need to meet productivity targets
  – Desire for status symbols (e.g. bigger house, nicer car, etc.)

The Fraud Triangle – Perceived Opportunity
• Method by which the crime can be committed.
• Typically, one perceives a way to abuse their position of trust to solve financial problems with a low risk of getting caught.
• Must be able to abuse the position in secret.
• Key to understand the benefits and a focus on not being detected.

The Fraud Triangle – Rationalization
• The majority of fraudsters are first time offenders with no criminal history.
• Consider themselves as ordinary, honest people in a bad situation.
  – Consequently, the fraudster must justify in a way that makes the crime acceptable.
• What are some examples of rationalizations?
  – “I was only borrowing the money”
  – “I was entitled to the money”
  – “I had to steal to provide for my family”
  – “I was underpaid, my employer cheated me”
  – “My employer was dishonest to others and deserved it”

Current Trends in Corporate Fraud – Summary of Findings
• Occupational frauds can be classified into three primary categories: asset misappropriations, corruption and financial statement fraud.
  – 86% Asset Misappropriations – Median Loss of $100,000
  – Less than 10% Financial Statement Fraud – Median Loss of $954,000
• Tips are consistently the most common detection method (33%).
• Organizations with hotlines were much more likely to catch fraud by a tip (43%).
• The smallest organizations tend to suffer a greater impact.
• The banking and financial services, government and public administration, and manufacturing industries continue to have the greatest number of cases reported.
• The presence of anti-fraud controls is associated with reduced fraud losses and shorter fraud duration.
Source: 2020 Report to the Nations on Occupational Fraud and Abuse.

Fraud – Important Focus for Boards, Management and Internal Audit
• COSO Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
• The International Standards for the Professional Practice of Internal Auditing state the following: 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
• The AICPA Audit Committee guide states, “The members of the audit committee should understand their role of ensuring that the organization has a strong internal control environment in place, including the design and implementation of programs and controls to prevent and detect fraud. The audit committee also needs to be prepared to aid in the discovery of fraud, investigate, and report on its findings to the board.”

Data Analytics Process and Tools
• Data analytics (DA) is the use of computer assisted techniques to extract “information” from a population of data
• Two Part Process:
  – Part 1 – Define, Extract, and Validate
    o Often completed by, or with the assistance of, IT operations or business analysts
    o Can include “BIG Data”, significant additional data filtering and “cleansing” using various data management steps
  – Part 2 – Analysis, Modeling and Reporting
    o Data analysis tools (SQL, ACCESS, EXCEL … SAS, ACL, …)
    o Considerations include: familiarity with the tool, data sizing, purpose and/or sophistication of the review, downstream uses of the data, etc.

TOPIC: CONTINUOUS MONITORING / AUDITING / DATA ANALYTICS (Week 5)

Where are we today?
(Slide diagram, published March 2015, showing the progression of audit techniques:)
• Data analytics
• Continuous auditing
• Computer assisted audit techniques (“CAATs”)
• Automated controls testing
• Manual testing of controls – retrospective

Data disruption: growth of “big data”; enterprise data quality; need for data assurance
QUESTION: How can the Internal Audit profession respond to these challenges?
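The two-part process above, worked as an added Python example that is not from the course materials or any named tool: Part 1 extracts a constructed accounts-payable file, applies input edit checks, cleanses vendor names, and ties the record count and hash total out to (constructed) source-system control totals; Part 2 runs three full-population tests (duplicate payments, large round amounts, weekend postings) of the kind a sample would be unlikely to catch. The file contents, the control totals and the $10,000 threshold are all assumptions. The tie-out step is the same record-count / balancing-total idea that the Application Controls slide later classifies as a processing control, and the edit checks are its input controls.

```python
"""Added example, not from the lecture slides: the two-part data analytics
process (Part 1: define, extract, validate; Part 2: analyse and report)
applied to a constructed accounts-payable extract.  Part 1 also shows the
input edit checks and balancing-total tie-out that the application-controls
slide later classifies as input and processing controls.  All records,
control totals and thresholds below are constructed sample data."""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed extract as it might arrive from IT operations: stray whitespace,
# inconsistent vendor casing, and one row with an impossible posting date.
EXTRACT_CSV = """payment_id,vendor,invoice,amount,posted
P-1001,Acme Supply,INV-551,1250.00,2021-03-01
P-1002,acme supply ,INV-551,1250.00,2021-03-08
P-1003,Bolt Services,INV-9001,20000.00,2021-03-06
P-1004,Cobalt Ltd,INV-77,432.10,2021-03-09
P-1005,Bolt Services,INV-9002,975.25,2021-03-10
P-1006,Delta Parts,INV-301,50000.00,2021-03-12
P-1007,Echo Freight,INV-12,120.00,2021-02-30
"""

# Constructed control totals reported by the source system for the period.
SOURCE_RECORD_COUNT = 7
SOURCE_HASH_TOTAL = Decimal("74027.35")


def extract(csv_text: str) -> tuple[list[dict], list[str]]:
    """Part 1: parse, cleanse and apply input edit checks.  A row whose amount
    is not numeric is rejected; a row with a bad date is kept (so the hash
    total still ties) but flagged and given posted=None so date-based tests
    skip it.  Every problem is logged for the error-handling report."""
    rows, input_exceptions = [], []
    for r in csv.DictReader(io.StringIO(csv_text)):
        pid = r["payment_id"].strip()
        try:
            amount = Decimal(r["amount"].strip())
        except InvalidOperation:
            input_exceptions.append(f"{pid}: non-numeric amount {r['amount']!r}")
            continue
        try:
            posted = date.fromisoformat(r["posted"].strip())
        except ValueError:
            input_exceptions.append(f"{pid}: invalid posting date {r['posted']!r}")
            posted = None
        rows.append({
            "payment_id": pid,
            # cleansing: collapse whitespace and normalise case so duplicates match
            "vendor": " ".join(r["vendor"].split()).upper(),
            "invoice": r["invoice"].strip().upper(),
            "amount": amount,
            "posted": posted,
        })
    return rows, input_exceptions


def tie_out(rows: list[dict], expected_count: int, expected_hash: Decimal) -> list[str]:
    """Part 1 validation: record count and hash (balancing) total must agree
    to the source system before any conclusion is drawn from the extract."""
    issues = []
    if len(rows) != expected_count:
        issues.append(f"record count {len(rows)} != source {expected_count}")
    total = sum((r["amount"] for r in rows), Decimal("0"))
    if total != expected_hash:
        issues.append(f"hash total {total} != source {expected_hash}")
    return issues


def duplicate_payments(rows: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Same vendor + invoice paid more than once."""
    by_key: dict[tuple[str, str], list[str]] = defaultdict(list)
    for r in rows:
        by_key[(r["vendor"], r["invoice"])].append(r["payment_id"])
    return {k: v for k, v in by_key.items() if len(v) > 1}


def round_amount_outliers(rows: list[dict], threshold: Decimal = Decimal("10000")) -> list[str]:
    """Large, exactly round amounts: a classic outlier pattern for follow-up."""
    return [r["payment_id"] for r in rows
            if r["amount"] >= threshold and r["amount"] % Decimal("1000") == 0]


def weekend_postings(rows: list[dict]) -> list[str]:
    return [r["payment_id"] for r in rows
            if r["posted"] is not None and r["posted"].weekday() >= 5]


def run_analytics(csv_text: str = EXTRACT_CSV,
                  expected_count: int = SOURCE_RECORD_COUNT,
                  expected_hash: Decimal = SOURCE_HASH_TOTAL) -> dict:
    """Full process.  If the extract does not tie out, no analysis is
    reported: a failed tie-out sends you back to the data."""
    rows, input_exceptions = extract(csv_text)
    issues = tie_out(rows, expected_count, expected_hash)
    report = {"input_exceptions": input_exceptions, "tie_out": issues, "results": None}
    if not issues:
        report["results"] = {
            "duplicates": duplicate_payments(rows),
            "round_outliers": round_amount_outliers(rows),
            "weekend": weekend_postings(rows),
        }
    return report


if __name__ == "__main__":
    for section, value in run_analytics().items():
        print(section, value)
```

Scheduling `run_analytics()` against each period's fresh extract is what the later slides mean by moving from ad hoc data analytics to continuous auditing; the script itself does not change, only how often it runs and who receives the output.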
Data Analytics / Visualizations
• Identify patterns, trends, and outliers
• Develop relationships in data and understand the business
• Tell a story / reach a conclusion
– Gregor Aisch, Graphics Designer and Contributor to The New York Times

Key Definitions
• Computer-assisted Audit Techniques (CAATs) — automated audit techniques, such as generalized audit software, utility software, test data, application software tracking and mapping, and audit expert systems, that help internal auditors directly test controls built into computerized information systems and data contained in computer files
• Continuous Auditing — the combination of technology-enabled ongoing risk and control assessments. Continuous auditing is designed to enable the internal auditor to report on subject matter within a much shorter timeframe than under the traditional retrospective approach.
• Continuous Monitoring — a management process that monitors on an ongoing basis whether internal controls are operating effectively (PA 2320-4: Continuous Assurance).
SOURCE: Global Technology Audit Guide (GTAG®) 3 Coordinating Continuous Auditing and Monitoring to Provide Continuous Assurance, 2nd Edition, March 2015

Monitoring v. Continuous Auditing − Applying the 3 Lines of Defense Model
(Slide diagram; SOURCE: GTAG® 3, 2nd Edition, March 2015)

Continuous Monitoring Creates Opportunities for Internal Audit
• Where 1st and 2nd lines focus on continuous monitoring, Internal Audit may focus on more strategic activities:
  – Review of detected anomalies and management’s responses
  – Review of management’s resolve to enact and sustain remediation
  – Review and testing of controls over the continuous monitoring process itself, such as:
    o security
    o change control
    o IT operations
SOURCE: GTAG® 3, 2nd Edition, March 2015

From Data Analytics to Continuous Auditing
• Data analytics (DA) is the use of computer assisted techniques to extract “information” from a population of data
• Often ad hoc analysis using tools such as Excel, Access, SAS, SQL, or ACL to name a few
  – Typically manual steps are involved in performing the analysis
• Information may be used to understand source data, underlying patterns, potential for fraud, among others
• Think of “continuous auditing” as performing DA in a continuous or pre-defined scheduled manner (e.g., daily, weekly or monthly)
  – Use of automated scripts or testing routines
  – More frequent reporting and insights provided

A Data Analytics Maturity Continuum
Diagram taken from white paper titled, “Data Analytics – A Practical Approach,” An ISACA White Paper, August, 2011
• The application of data analytics ranges from ad hoc analysis to continuous monitoring
• Question for discussion – as audit departments move to a continuous auditing approach, what impact does this have on their independence?

Visual-only slides: Keeping proper focus; Every pattern has a story; Not all visuals have to be a bar chart; Squeezing more out of our data; Geolocation; Why geolocation works so well

Steps to Developing Continuous Auditing
This 6-step model (Step 1 through Step 6 on the slide diagram) can be used to build an approach to continuous auditing:
• Steps 1 and 2 are critical to the success of the project:
  – What objectives are you trying to accomplish?
  – Understand the data! This step typically involves numerous discussions with IT and business owners.
• Step 3 is often the most time consuming. It is critical to tie out the data to the source files – often, issues are identified that take you back to step 2.
• Step 4 involves programming the tool to meet the objectives of the test.
• Step 5 is when the fun begins – this step involves analyzing the reports and output of your queries to support your test objectives – which may include looking for fraud, data quality issues, etc. The key concept when analyzing data is focusing on the root cause of the issues!
• Step 6 involves the process of automating the testing scripts and routines.

Benefits & Challenges
Benefits:
• Faster identification of risk and controls assurance
• Resource allocation
• Test 100% of transactions versus samples
Challenges:
• Cost to implement – time and resources needed
• Skills
• Lack of defined goals and objectives related to continuous auditing

Professional Standards
• The International Standards for the Professional Practice of Internal Auditing state the following:
  – 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
  – 1220.A2 – In exercising due professional care internal auditors must consider the use of technology-based audit and other data analysis techniques.
• The American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 99 (SAS99) is the consideration of fraud in a financial statement audit.
  – SAS99 requires “…procedures to further address the risk of material misstatement due to fraud involving management override of controls”.

Application Controls – What Are They?
• First, let’s discuss the question – what are the risks at the “application layer?”
  – Inappropriate access (segregation of duties)
  – Erroneous data
  – Fraudulent data
  – Untimely information for decision-making
• Now, let’s discuss, what are application controls?
  – Input Controls: focus on the risks related to data that is input into the application; examples include pre-defined fields such as states, edit checks for valid data type, etc.
  – Processing Controls: focus on the risks related to the processing of the information or interface files (batch or on-line/real-time processing); examples include balancing totals or record counts
  – Output Controls: focus on the risks related to the data output, including timeliness and confidentiality; examples include error handling procedures

Key Controls To Review – IT Audits
IT Controls:
• ITGC – General Controls: Change Management; SDLC; Logical Access; Computer Operations; DRP / Backup; Asset Management
• ITAC – Application Controls: Input Controls; Processing Controls; Output Controls; Authentication / Authorization

REVIEW LEARNING POINTS AND PREVIEW NEXT WEEK (Week 5)

Review Learning Outcomes
• Developed an understanding of the IT audit process
• Developed an understanding of the considerations related to continuous monitoring, data analytics, fraud and the role of the IT auditor

Preview Week 6
• Topic:
  – Auditing Systems Development and Maintenance
• Reading Assignments – Consult class syllabus for timing
• Students should post their comments to this week’s questions in the Discussion Forum within D2L.

IS344/444 – IT Auditing, Spring 2021
Week-1 | Thurs. April 1, 2021
DePaul University – IS 344/444 IT Auditing

Today’s Class Outline
Topic | Est. Duration
Introductions | 10 min
Class Overview and Expectations | 15 min
Corporate Governance | 25 min
BREAK | 10 min
IT Risk in Today’s Business Environment | Establishing a Common Risk Language | 50 min
BREAK | 10 min
COSO, Internal Controls and IT Governance | 50 min
Wrap up, preview next week | 10 min

INTRODUCTIONS

Introductions – Prof. Jim Enstrom (Weeks 1-5)
• University of Illinois, Urbana-Champaign, Bachelor of Liberal Arts and Sciences
• Arizona State University, Master of Accountancy
• 13 years in public accounting / consulting – Arthur Andersen & Co. and Deloitte & Touche LLP
• Senior Vice President, Chief Audit Executive, at Cboe Global Markets, Inc. (2009 to present)
  – Certified Internal Auditor (CIA)
  – Certified Information Systems Auditor (CISA)
  – Certified in Risk and Information Systems Control (CRISC)
  – ISACA Volunteer
  – IIA Volunteer
• Contact me via email jenstrom@depaul.edu
• ****IMPORTANT*** Please do not use my Yahoo personal email account
• Office Hours – preference is to schedule time with me

Introductions – Prof. Michael Phillips (Weeks 6-10)
• Contact via email mphilli8@cdm.depaul.edu
• Office Hours – Thursdays, 5:00-5:45 pm or by arrangement.

COURSE LEARNING OUTCOMES AND EXPECTATIONS

Course Learning Outcomes
Through the application of COBIT® and other similar IT governance frameworks, students will develop a common vocabulary for understanding sources of IT risk and performing an evaluation of IT controls. Students will further gain hands-on experience in analyzing and assessing IT risks and controls through various case studies, lectures, and discussions. The primary learning outcomes of the course include:
• Establishing an understanding of the IT environment and analyzing why IT assurance is vitally important in today's business environment,
• Recognizing and evaluating how corporate and IT governance practices impact a company’s IT risk and control profile, and IT assurance processes,
• Developing an understanding of the IT Audit and Assurance Process (i.e., risk assessment, planning, fieldwork, reporting and communication) and further evaluating how the IT auditor should apply relevant standards, guidelines, and best practices, and
• Surveying IT audit approaches to the following IT domains, and synthesizing key risks:
  o Systems development and maintenance,
  o IT service delivery and support,
  o Business continuity and disaster recovery,
  o Data analytics, fraud detection and application controls and
  o IT Security.
Class Requirements
Grading Breakdown:
Grade Item | Percentage | Point Allocation
Homework Assignments (50 points each x 4) | 40% | 200 points
Mid Term Exam (details in class syllabus) | 25% | 125 points
Final Exam (details in class syllabus) | 25% | 125 points
Participation – in class or via on-line communication (details in class syllabus) | 10% | 50 points
Total | 100% | 500 points

Grading Scale:
Grade | Percentage
A | 93% – 100%
A– | 90% – 92%
B+ | 87% – 89%
B | 83% – 86%
B– | 80% – 82%
C+ | 77% – 79%
C | 73% – 76%
C– | 70% – 72%
D+ | 67% – 69%
D | 60% – 66%
F | Less than 60%

Other Important Information
Participation:
• Classes are a combination of asynchronous and synchronous online work. Students will find content, assignments, and schedules in D2L. In addition, the class meets synchronously on-line via Zoom on Thursdays, 5:45-9 pm. Live participation is available to all students. However,
  – Asynchronous students MUST participate in the online Discussion Forum in D2L each week. Discussion Forums will lock out any further posts after two weeks; no exceptions.
  – Synchronous (real-time) students are encouraged to participate in the Discussion Forum in D2L
Homework, Discussion Forum Participation or Exams:
• Subject to pre-approval, only students granted an official excused absence will be allowed to make up a missed homework, Discussion Forum entry or examination. Any uncoordinated, unexcused missed exam, Discussion Forum entry or homework assignment will result in a score of -0-.
Academic Integrity:
• This course will be subject to the Academic Integrity Policy passed by Faculty Council. Work done for this course must adhere to the DePaul University Academic Integrity Policy, which you can review in the Student Handbook or by visiting Academic Integrity at DePaul University (http://academicintegrity.depaul.edu).
Other Important Information
Communications:
• Class lecture, D2L and email will be the primary means of communication.
Attendance/Participation Verification Policy:
• VI. Policy: Beginning on the last day to add a course, the primary instructor will have two (2) business days to report whether each student on his/her rosters has begun attending the course. It is up to the instructor to establish what constitutes attendance in each course. When assigning a grade of FX (a grade reserved for students who have stopped attending, see graduate and undergraduate handbook), the instructor is required to indicate the date the student stopped attending and/or the reason for assigning the FX.
IS 444 Attendance/Participation Verification Procedure:
• All students: If you are planning to drop the class, you must let me know. Otherwise, I will assume you are attending the class.
• ***I am required to report attendance in BlueStar after week 1.***

Class Participation Criteria – 50 points or 10% of your grade
• For students participating in weekly, synchronous Zoom-based discussions: Attitude, effort and contributions to classroom discussions – both during lecture and in small group breakouts.
• Asynchronous students MUST participate in the online Discussion Forum in D2L each week. Discussion Forums will lock out any further posts after two weeks; no exceptions.
• Synchronous (real-time) students are encouraged to participate in the Discussion Forum in D2L
• Instructor discretion

Important Dates
• Homework Assignments, Mid-Term and Final Examination – refer to syllabus
• Please refer to the academic catalog for other important dates such as the last date to drop the class, select pass/fail, withdraw, etc.

Desire 2 Learn (D2L)
• D2L will be used to manage course content (e.g., weekly lecture materials, etc.)
  – For Professor Enstrom, typically, each week I will post the day’s PowerPoint slides on the day of class (sometimes sooner). These documents will be located in the “Content” section of D2L (Week-1 Folder, Week-2 Folder, etc.); it is not expected that you read the PowerPoint prior to class; however, you should read the reading assignments ahead of each class
• D2L will also be used for our homework assignments
• Zoom video recordings of each week’s lecture will be posted in the News section of D2L on the next business day
• Please let me know if you have any questions or feedback regarding our use of D2L

Desire 2 Learn (D2L) – screenshot slide
“Discussion Forum” for asynchronous students. The “Content” section is where you will find our class materials.

Homework Assignments
• We will have 4 homework assignments this semester (50 points * 4 = 200 points)
• The homework assignments are located in the “Homework” section of D2L
• The assignment due dates are noted on the course syllabus
• The homework assignments are designed as formative assessments of your progress to understand key concepts
• The homework assignments are designed as on-line quizzes
• For each homework, you will have 75 minutes to complete
• You can take the homework/quiz twice, and your final score will be the HIGHER of the two grades

Communicating with Impact
• Effective writing and communication/speaking skills are an important component of auditing
• Through the audit report writing process, our job is to “persuade management” to accept a recommendation
• Although the job description is “IT Auditor” – in many respects we are “sales people” – attempting to sell management an idea – a way to improve the company’s operations by adopting or accepting our audit recommendations
• So, how do we do that? Let’s discuss the power of persuasive writing
• IMPORTANT POINT – if you need help with your writing, reach out to the DePaul Writing Center. Use of the Center is highly recommended: https://condor.depaul.edu/writing/

Grading Rubric – for midterm and final
(Rows: Grade and Level; Columns: Organization | Evidence | Clarity / Readability)

Above average – “A” grade
  Organization: The reader is quickly able to understand the logical flow and construct of the persuasive argument. Information is presented logically and naturally. Provides the reader with an “ah-ha” moment, a thoughtful insight with compelling evidence.
  Evidence: Expresses concepts and ideas through use of strong supporting examples to demonstrate understanding of question purpose and key learning objectives. Recognizes and thoughtfully addresses complexities associated with argument. Appropriate use of citations when referring to facts, ideas, or outside sources.
  Clarity / Readability: No errors in grammatical writing and spelling to distract the reader. Uses style and tone appropriate to the audience and purpose. Sophisticated sentence variety and paragraph development.

Sufficient – “B” grade
  Organization: The reader is able to identify the focus of the student work, which is supported by relevant ideas and supporting details; however, ideas may be more limited in depth. Organized but may have minor lapses in unity or coherence.
  Evidence: More limited use of examples to express concepts, ideas, and connections to question purpose and key learning objectives. Recognizes and partially addresses complexities associated with argument. Appropriate use of citations when referring to facts, ideas, or outside sources.
  Clarity / Readability: Few, if any, errors in grammatical writing and spelling to distract the reader; however, writing lacks the organizational strength, clarity and readability of an “A” response.

Developing – “C” grade
  Organization: The answer attempts to establish a clear argument; however, the reader may not quickly understand the central ideas or purpose of the student work. Writing is not organized and lacks unity and coherence.
  Evidence: Limited use of evidence and/or examples to express concepts, ideas, and connections to question purpose and key learning objectives. May recognize, yet does not address complexities associated with argument. Incomplete or partial use of citations when referring to facts, ideas, or outside sources.
  Clarity / Readability: Multiple errors in grammar and spelling that distract the reader. Writing is too general, with flaws in logic and/or organization.

Needs Improvement – “D” or below grades
  Organization: No clear argument or logical construct; difficult to understand. The reader cannot clearly or easily identify the central ideas or purpose of the student work.
  Evidence: Information is presented in a disorganized fashion causing the reader to have difficulty following the concepts, ideas, and connections to question purpose and key learning objectives. A trivial argument or analysis. Fails to cite sources used in the answer.
  Clarity / Readability: There are many misspellings and/or mechanical errors that negatively affect the ability to read, understand and comprehend the work. Writing is far too general, with flaws in logic and/or organization.

Other Thoughts & Expectations
• Scan the headlines for news relevant to our weekly topics and share this information in class via Zoom and/or in our Discussion Forums.
• For those students participating in Zoom-based classes:
  – Ask questions and share your experiences – we learn from each other!
  – We will challenge you through discussion, numerous opportunities to speak in front of your peers and by debating and challenging ideas & concepts we discuss in class.
• We recognize that not all of you will enter a career in IT auditing – however, the concepts, principles and other ideas we share this semester will benefit your professional development.
Provide feedback on the class – lectures, discussions, materials – don’t wait until the class is over … We want to hear from you now!!! Week 1 DePaul University – IS 344/444 IT Auditing 18 Today's Learning Objectives ? Develop an understanding of corporate governance and why IT assurance is needed in today’s economy ? Develop a common language: – – – – – – Information Assurance COSO – Internal Control Framework Risk Root Cause Internal Control IT Governance Each week we will establish and discuss learning outcomes – big picture, keep these in mind as we discuss each topic tonight … Week 1 DePaul University – IS 344/444 IT Auditing 19 Build the foundation Apply IT risk and control assessment concepts Corporate governance summation IT Auditing: Learning Map Week 9 Professor Phillips & Enstrom Governance, Risk and Compliance Week 10 Auditing systems development Cybersecurity Part 1– risks, IAM, BCP/DR Week 6 Week 7 Cybersecurity Part 2 – CSF & IRP 3rd party risk – cloudy days Week 8 Week 9 Professor Phillips Business, IT environment, corporate governance IT risk, legal & regulatory issues Audit standards & frameworks (tools of the trade) IT assessment process (how we conduct an audit) Application controls, data analytics and fraud Week 1 Week 2 Week 3 Week 4 Week 5 DePaul University ? IS 344/444 IT Auditing Professor Enstrom 20 BREAK – 10 minutes Week 1 DePaul University – IS 344/444 IT Auditing 21 CORPORATE GOVERNANCE AND ROLE OF THE IT AUDITOR Week 1 DePaul University – IS 344/444 IT Auditing 22 Today’s Headlines: Week 1 DePaul University – IS 344/444 IT Auditing 23 Defining Corporate Governance From the archive – 2013 … 21.3 million Google hits Over 47 million Google hits! Week 1 DePaul University – IS 344/444 IT Auditing 24 Let’s start with a quote Corporate Governance According to Mr. Munger “A lot of people think if you just had more process and more compliance—checks and doublechecks and so forth—you could create a better result in the world. 
Well, Berkshire has had practically no process. We had hardly any internal auditing until they forced it on us. We just try to operate in a seamless web of deserved trust and be careful whom we trust.”
Source: “Stanford Closer Look Series: Corporate Governance According to Charles T. Munger,” March 3, 2014 — Berkshire Hathaway Vice Chairman Charlie Munger is well known as the partner of CEO Warren Buffett and also for his advocacy of “multidisciplinary thinking” — the application of fundamental concepts from across various academic disciplines to solve complex real-world problems.

Corporate Governance – Establishing a Common Language
• Discuss the term “corporate governance”
  – What does this term mean to you – in your own words?
  – What are some of the key elements that make up an effective corporate governance structure?
  – How do you know when a company’s corporate governance structure is NOT working?
  – Mr. Munger states, “The right culture, the highest and best culture, is a seamless web of deserved trust.” Do you agree with this statement – yes or no? Discuss.
• Asynchronous students, listen along to the discussion and provide input to the Week-1 DISCUSSION Forum in D2L.

Corporate Governance Defined
According to the Organization for Economic Cooperation and Development (OECD):
• The purpose of corporate governance is to help build an environment of trust, transparency and accountability necessary for fostering long-term investment, financial stability and business integrity, thereby supporting stronger growth and more inclusive societies.
• Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders.
• Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.
… good corporate governance will reassure shareholders and other stakeholders that their rights are protected and make it possible for corporations to decrease the cost of capital and to facilitate their access to the capital market.

Corporate Governance (cont’d) – The need for assurance: independent board, monitoring the system of controls and the role of audit
• Monitoring and managing potential conflicts of interest of management, board members and shareholders, including misuse of corporate assets …
• It is an important function of the board to oversee the internal control systems covering financial reporting and the use of corporate assets …
• The board will also need to ensure that there is appropriate oversight by senior management. Normally, this includes the establishment of an internal audit system directly reporting to the board.

Three lines (of defense) – A model for more effective corporate governance
The Three Lines Model – Video Source: IIA

The Pattern is Clear …
Increasingly sophisticated use of technology introduces new business risks … Ever evolving regulatory and compliance landscape adds to the risk management challenge … Management, Boards, regulators, shareholders, customers and other stakeholders want assurance that risks are appropriately managed … This is a key tenet of effective corporate governance!

When you hear the word “auditor” what comes to mind?
Value added, Control inspectors, Independence, Gotcha, Trusted advisor, Assistance, Objectivity, Investigator, Time wasted, Pain

So, what is an IT audit?
• IT auditing is an integral part of the internal audit (IA) function (3rd line)
• IT risk and compliance professionals, within the 2nd line, also play assurance roles, and conduct IT audits
• IT auditors provide assurance that information assets are safeguarded (confidentiality, integrity and availability) by evaluating IT risks and controls
• IT auditors must remain independent (3rd line) and objective (2nd and 3rd line) (there are other professional standards too)

So, what is an IT audit? (cont’d)
An IT audit is an objective analysis of:
• IT Governance Practices
• IT Processes
• IT Technical Configurations
IT auditors play a key role in helping organizations evaluate, monitor and report on the design and effectiveness of IT-related controls for the extended enterprise.
Are the risks related to the use and deployment of information technology appropriately managed? – this is the question we seek to answer …

The IT Audit Profession
• New profession for the technology generations
• What constitutes a profession?
  – Common body of knowledge
  – Code of ethics and standards
  – Certification and training requirements
  – Educational institutions provide courses in the field
  – Professional associations (e.g., Information Systems Audit & Control Association – ISACA)
• About ISACA:
  – ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems. Today, ISACA has more than 95,000 members worldwide.

Certified Information Systems Auditor (CISA)
• More than 75,000 professionals in nearly 160 countries have earned the Certified Information Systems Auditor (CISA) certification since its inception in 1978.
• The CISA designation was created for professionals with work experience in information systems auditing, control or security that includes:
  – Information Systems (IS) audit process
  – IT Governance
  – Systems and Infrastructure Lifecycle Management
  – IT Service Delivery and Support
  – Protection of Information Assets
  – Business Continuity and Disaster Recovery
• More information at: http://www.isaca.org/Certification/CISA-Certified-Information-Systems-Auditor/Pages/default.aspx

Role of the IT Auditor – How We Add Value
• IT Auditor as an objective risk-based assurance provider
• IT Auditor as an insightful, proactive, and future-focused risk investigator
• IT Auditor as a partner and trusted advisor for Senior Management

The Future of IT Audit
• IT Auditors with Technical Skills Will Be in High Demand
  – 67% of audit departments have difficulty recruiting auditors with the required technical skills
  – 64% of auditors say the technical skills gap has at least a moderate impact on performing IT audits with a high degree of confidence
• IT Auditors Will Be Increasingly Involved in Major Tech Projects
  – 35% of auditors are brought in during the planning phase of major tech projects
  – 44% say they have a significant impact on tech projects in their organizations
  – 47% say IT auditors will be significantly more involved in major tech projects in the next 3-5 years
Source: “The Future of IT Audit”, Information Systems Audit and Control Association (ISACA)

BREAK – 10 minutes

IT RISK IN TODAY’S ENVIRONMENT – ESTABLISHING A COMMON RISK LANGUAGE

Business Risk versus IT Risk
What do these terms mean to you? What examples come to mind? Let’s discuss …

Today’s Global Environment
• Global economic challenges
• Wars
• Natural disasters
• Legal and regulatory environment
• Mergers, acquisitions, divestitures
• Outsourcing
• … the list goes on …

Today’s IT Environment
• Impact of economic challenges
• Increased business expectations
• Cost focus
• Layoffs
• Regulations and compliance
• Outsourcing
• Advancements in technologies and architecture (e.g., cloud computing, virtualization, etc.)

Today’s Legal/Regulatory Environment
• Health Insurance Portability & Accountability Act (HIPAA) 1996, HITECH (2009)
• Gramm-Leach-Bliley Act (privacy and safeguards rules)
• Sarbanes-Oxley Act of 2002
• Payment Card Industry Data Security Standard (PCI DSS)
• Proliferation of data privacy laws, US and global (EU General Data Protection Regulation (GDPR))
• California Consumer Privacy Act of 2018 (CCPA)
• California Privacy Rights Act of 2020 (CPRA)
• State privacy/breach laws
• Industry specific laws – e.g., Reg SCI

What does an IT Department look like?
40,000 foot view
• IT departments primarily perform two key functions:
  – Develop and maintain applications that support business objectives
  – Develop and support the underlying IT infrastructure that “runs” the applications that support business objectives
• What else do they do? Let’s take a brief look at COBIT to understand …
To learn more about COBIT 2019 refer to this link … http://www.isaca.org/cobit/pages/default.aspx

What Is/Is Not COBIT?
• COBIT:
  – Defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills and infrastructure.
  – Defines the design factors that should be considered by the enterprise to build a best-fit governance system.
  – Addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
• COBIT is not:
  – A full description of the whole IT environment of an enterprise.
  – A framework to organize business processes.
  – An IT technical framework to manage all technology.
  – A prescription for IT-related decisions. It will not decide what is the best IT strategy, architecture, cost, etc.

COBIT – Process Model
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.

COBIT – An IT Process Detailed Reference Tool
High level process: APO10 Manage Suppliers
Sub processes:
  – APO10.01 – Identify and evaluate supplier relationships
  – APO10.02 – Select suppliers
  – APO10.03 – Manage supplier relationships and contracts
  – APO10.04 – Manage supplier risk
  – APO10.05 – Monitor supplier performance and compliance
Control “Activities”:
  1. Define and document criteria to monitor supplier performance
  2. Monitor and review service delivery in relation to contract
  3. Review against market conditions
  4. Request independent reviews, if necessary
  5. Record and assess review results and discuss with vendor
  6. Monitor and evaluate externally available data about the supplier
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

COBIT 2019
Source: COBIT 2019, figure 1.1 © 2019 ISACA® All rights reserved.

Governance vs. Management
• Governance ensures that:
  – Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives.
• Management:
  – Plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.
  – In most enterprises, management is the responsibility of the executive management, under the leadership of the Chief Executive Officer (CEO).

IT Risk Defined:
• From ISACA (1): “IT risk is business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.”
• From NIST (2): “Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.”
(1) http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=47967
(2) http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

What keeps you up at night?
CEO: Shareholder Demands; Economic Forces; Business Innovation; Legal & Regulatory; Talent Management
CFO: Finance Transformation; Cash Management; Credit / Counterparty; Sarbanes–Oxley; Financial Reporting
MGT: Business Operations; Employee Morale; Workforce Reductions; Cycle Time; Training
CIO: Business Demands; Technology Evolution; Cost Pressures; Third Parties; Solution Delivery
Stakeholders can have different perspectives on business priorities and risk. Key Point: There is a need for a common language (definition) of risk.

IT Risk – a P&L Taxonomy
Profit & Loss (P&L) Statement: Revenue $1,000,000; Expenses ($500,000); Net Income $500,000
Revenue – Defined: Business risks, derived from the use and deployment of IT assets, that impact the ability of the organization to maximize revenue. How will this IT risk impact my company’s ability to generate revenue? Examples:
  – Data quality / information for decision-making
  – Customer experience
  – Product innovation
  – Sales efficiency and effectiveness
Expenses – Defined: Business risks, derived from the use and deployment of IT assets, that negatively impact expenses. How will this IT risk impact my company’s expenses? Examples:
  – Security/data breaches
  – IT compliance fines
  – Business interruption
  – Operational efficiency and effectiveness

IT Risk – a P&L Taxonomy (cont’d)
Profit & Loss (P&L) Statement: Revenue $1,000,000; Expenses ($500,000); Net Income $500,000
IT risk can cause lost opportunity – think poor web customer experience that causes customers to choose a competitor …
IT risk can cause a direct expense to the bottom line – think fine or legal costs associated with a breach …
The bottom line: IT risk may result in the loss of business value to stakeholders – lost opportunity, or excessive costs. This is the common language we need to use.

Assessing Risk and Understanding the IT Risk Profile
• Think of a “risk profile” as a holistic understanding of the varied types of risks that a company must address:
  – Human capital
  – Legal, compliance, government
  – Socio-economic / environmental
  – Business size, complexity
  – Pace of change
  – Use of technology
• Let’s discuss the risk profile of these two different organizations:
  – Caterpillar: Full-year sales and revenues in 2020 were $41.7 billion, down 22% compared with $53.8 billion in 2019. Caterpillar is the world’s leading manufacturer of construction and mining equipment, diesel and natural gas engines, industrial gas turbines and diesel-electric locomotives.
  – The Berghoff: The Berghoff is a rarity in America’s restaurant industry— 100% family-owned and family-operated for more than 121 years. The legacy can be traced back to 1870, when Herman Berghoff emigrated from Germany to America. The Berghoff opened doors in 1898. Beers were sold for a nickel and they came with a side sandwich, free!

Now that we have defined IT risk …
• Let’s gain a better understanding of what can cause risk events to occur in the business world
• Throughout our semester, we will refer to this concept as “SOURCES of IT risk”
• To analyze sources of IT risk, we will use the “root cause framework”

Sources of IT Risk

What is root cause analysis?
• The Institute of Internal Auditors (IIA) issued a Practice Advisory in December 2011 that states:
  – “Root cause analysis is defined as the identification of why an issue occurred (versus only identifying or reporting on the issue itself). In this context, an issue is defined as a problem, error, instance of noncompliance, or missed opportunity … A core competency necessary for delivering insights is the ability to identify the need for root cause analysis and, as appropriate, actually facilitate, review, and/or conduct a root cause(s) analysis.”
  – An example: The computer system suffered an outage – 5 Whys!
    • 1st why – the system settings were not up to date – (technical)
    • 2nd why – because the systems engineer failed to apply a patch – (process)
    • 3rd why – because the process to patch the system is ad hoc – (process)
    • 4th why – because Management failed to establish clear expectations via a policy – (IT governance)
    • 5th why – No need for question #5 … We found the answer … IT governance was lacking – this is the root cause!

BREAK – 10 minutes

COSO, INTERNAL CONTROLS AND IT GOVERNANCE

COSO Internal Control—Integrated Framework
Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework (2013) – http://www.coso.org/
KEY POINT: Auditing is a component of an effective system of internal controls
• The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
• Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
• Control activities are the policies and procedures that help ensure management directives are carried out.
• Information [and communication] systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.
• Monitoring activities include ongoing or separate evaluations (i.e., auditing) and taking corrective actions to address weaknesses in the system of controls.

2013 Revised Framework
Principle #11 focuses on the importance of IT controls. Principle #16 focuses on monitoring and periodically evaluating the system of controls. http://www.coso.org/

Internal Controls
• Internal Control may mean different things to different people – here are two commonly used definitions:
  – Policies, procedures, practices, and organization structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected (COBIT definition).
  – Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories (COSO definition):
    • Effectiveness and efficiency of operations.
    • Reliability of financial reporting.
    • Compliance with applicable laws and regulations.
• Notice the words “reasonable assurance” – we’ll discuss this term more throughout the semester

Types of Internal Controls
Soft Controls: The policies and actions of senior management such as:
• Tone at the top (in words and deeds)
• Culture and management style
• Organization structure
Hard Controls: A step or action taken in a procedure that serves to mitigate a risk such as:
• Supervisory approval
• Supervisory review
A hard control can also be embedded in a computer or application such as:
• Unique user ID and password
• On-line edit check

Types of Internal Controls (cont’d)
Preventive Controls: This is another way to think about controls – certain controls are designed to prevent bad things from happening, such as:
• Passwords
• On-line edit check
• Virus prevention/detection software
Detective or Monitoring Controls: These types of controls are designed to identify issues so management can take action after the occurrence. Examples include:
• Weekly change management
• Access review by Management
• Unauthorized access alert in command center

Internal Controls as an Ecosystem
Step 1: Begin by defining the risk: Unauthorized or inappropriate access to the General Ledger could result in inaccurate financial statements.
Step 2: Next, determine what controls mitigate this risk:
  1. Accounting Management approves all access to the General Ledger (Preventive)
  2. Unique user IDs and passwords are assigned (Preventive)
  3. Quarterly, the Controller reviews all access to the General Ledger for appropriateness (Detective)
  4. Information Security Policy – policies outline Management’s expectations regarding how to manage risk.
IT controls may include (a) the policy that establishes the security requirements, (b) the ID and passwords, (c) the process and related approvals needed to gain access, and (d) the monitoring procedures used by Management to evaluate user access rights.
Step 3: Assess the design of the controls: Now that you have gained an understanding of the controls in place, ask the question – is the system of controls designed properly to mitigate the identified risks?
Multiple control activities in an organization make up a system of controls or ecosystem. In this example, 4 controls have been identified that mitigate the defined risk to the business. If the risk profile is high, as IT auditors, we should expect to see a more robust system of controls.

Internal Controls as an Ecosystem (cont’d)
• Accounting Management approves all access to the General Ledger (Preventive)
• Unique user IDs and passwords are assigned (Preventive)
• Quarterly, the Controller reviews all access to the General Ledger for appropriateness (Detective)
• Information Security Policy
Let’s discuss for a moment – what other controls are part of this ecosystem? How are these controls related?

Internal Controls and Risk Assessment – why it matters!
Risk goal = risk aligned policies, processes and technical IT controls; Risk insights

Independent and Objective “Assurance”
• IT auditing provides a means to gain independent and objective assurance that risks related to the use and deployment of IT assets are appropriately managed. These IT-related risks include:
  – Confidentiality – Sensitive information (e.g., personally identifiable information, intellectual property) is protected from unauthorized access and disclosure.
  – Integrity – Information is accurate and complete as well as valid in accordance with business rules and expectations.
  – Availability – Information is available when required to meet business objectives.
  – Compliance – Information complies with those laws, regulations and contractual arrangements to which the business is subject.
• IT auditors play a key role in helping organizations evaluate, monitor and report on the design and effectiveness of IT-related controls for the extended enterprise

IT Governance Defined
• IT governance is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. (Source: Gartner, http://www.gartner.com/it-glossary/it-governance)
• Earlier, we talked about the concepts of “corporate governance”
• Why does “IT governance” require its own definition – should the concepts and principles be the same as “corporate governance”?
• Let’s discuss …

Key Takeaways – the BIG IDEAS!
• IT auditors assist organizations by evaluating business and IT-related risks and the effectiveness of the organization’s system of internal controls, thereby providing assurance to key stakeholders
• COSO provides a framework for the design of a company’s system of internal controls
• Business risk, specifically IT-related risk, is mitigated through a company’s system of internal controls
• Governance vs. Management
• Taken together, these concepts can be viewed as a key component of a company’s overall corporate and IT governance structure

REVIEW LEARNING POINTS AND PREVIEW NEXT WEEK

Review Learning Outcomes
• Developed an understanding of corporate governance and why IT audit and assurance (from the 2nd and 3rd line) is important in today’s economy
• Developed a common language:
  – IT Processes
  – Assurance
  – COSO – Internal Control Framework
  – Internal Control
  – Risk
  – Root Cause Analysis
  – IT Governance

Preview Next Week
• Topics:
  – Understanding business risk – case study
  – IT governance – the starting point
  – Legal and regulatory mandates (SOX, Privacy, PCI, etc.)
• Refer to syllabus for relevant reading assignments and due date for Homework #1
• Students should post their comments to this week’s questions in the Discussion Forum within D2L. Forum will lock after 2 weeks.
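The General Ledger access example in “Internal Controls as an Ecosystem” above can be turned into the kind of test an IT auditor runs in Step 3: check each of the four controls against a population of provisioned users and see where the preventive controls did not operate and where the detective review failed to catch it. The Python below is an added illustration, not part of the course slides; the access extract, approval register and review attestations are constructed sample data, and the field names and the naming heuristic for shared accounts are assumptions.

```python
"""Auditor's test of the General Ledger (GL) access-control ecosystem.

Added illustration, not from the course slides. The four controls follow the
Week 1 example: (1) Accounting Management approves all GL access (preventive),
(2) unique user IDs and passwords (preventive), (3) quarterly Controller access
review (detective), (4) the Information Security Policy that sets expectations.
All data below is constructed sample data; field names are assumptions.
"""
from datetime import date, timedelta

# Constructed extract of users currently provisioned in the GL application.
GL_ACCESS = [
    {"user_id": "jsmith", "role": "GL_POST", "granted": date(2021, 1, 15)},
    {"user_id": "mlee", "role": "GL_POST", "granted": date(2021, 2, 3)},
    {"user_id": "acctg_shared", "role": "GL_POST", "granted": date(2020, 11, 30)},
    {"user_id": "tnguyen", "role": "GL_VIEW", "granted": date(2021, 3, 20)},
]

# Constructed approval register kept by Accounting Management (control 1).
# Note the shared account was approved: the human control passed it.
APPROVALS = {
    "jsmith": "approved by Controller 2021-01-14",
    "mlee": "approved by Controller 2021-02-02",
    "acctg_shared": "approved by Controller 2020-11-29",
}

# Constructed log of the Controller's quarterly access reviews (control 3).
REVIEWS = [
    {"reviewed_on": date(2021, 3, 31), "attested": {"jsmith", "mlee", "acctg_shared"}},
]

# Control 3 is expected quarterly; allow a small grace period past 90 days.
REVIEW_PERIOD = timedelta(days=92)

# Assumed policy rule (control 4): no shared or generic logins. A naming
# heuristic stands in for the policy's own definition of such accounts.
SHARED_MARKERS = ("shared", "generic", "svc", "admin")


def is_shared_account(user_id):
    """Heuristic for control 2: an ID that is not attributable to one person."""
    return any(marker in user_id.lower() for marker in SHARED_MARKERS)


def review_gl_access(access, approvals, reviews, as_of):
    """Return a list of exceptions, each naming the control that did not operate.

    Controls 1 and 2 are tested per user; control 3 is tested both for
    timeliness (a review within the quarter) and for coverage (every user
    who existed at the last review was attested).
    """
    exceptions = []
    latest = max(reviews, key=lambda r: r["reviewed_on"]) if reviews else None

    # Detective control 3: a review must have happened within the last quarter.
    if latest is None or as_of - latest["reviewed_on"] > REVIEW_PERIOD:
        exceptions.append({"control": 3, "kind": "Detective", "user_id": "*",
                           "detail": "no Controller access review within the quarter"})

    for rec in access:
        uid = rec["user_id"]
        # Preventive control 1: every provisioned user needs an approval on file.
        if uid not in approvals:
            exceptions.append({"control": 1, "kind": "Preventive", "user_id": uid,
                               "detail": "no Accounting Management approval on file"})
        # Preventive control 2 (backed by policy, control 4): IDs are unique to a person.
        if is_shared_account(uid):
            exceptions.append({"control": 2, "kind": "Preventive", "user_id": uid,
                               "detail": "shared/generic account violates unique-ID control"})
        # Detective control 3 coverage: present at the last review but not attested.
        if latest and rec["granted"] <= latest["reviewed_on"] and uid not in latest["attested"]:
            exceptions.append({"control": 3, "kind": "Detective", "user_id": uid,
                               "detail": "present at last review but not attested"})
    return exceptions


def detective_blind_spots(exceptions, reviews):
    """Step 3 design point: users with a preventive-control exception whom the
    latest Controller review nevertheless attested as appropriate. The detective
    control is not catching what the preventive controls missed."""
    if not reviews:
        return set()
    attested = max(reviews, key=lambda r: r["reviewed_on"])["attested"]
    return {e["user_id"] for e in exceptions
            if e["kind"] == "Preventive" and e["user_id"] in attested}


if __name__ == "__main__":
    found = review_gl_access(GL_ACCESS, APPROVALS, REVIEWS, as_of=date(2021, 5, 15))
    for exc in found:
        print(f"control {exc['control']} ({exc['kind']}): {exc['user_id']} - {exc['detail']}")
    print("attested despite preventive exception:", detective_blind_spots(found, REVIEWS))
```

On the constructed data the review flags the unapproved user twice (no approval, and missed by the Controller's review) and the shared account once; the blind-spot check then shows that the quarterly review signed off the shared account, which is the design weakness Step 3 asks about.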
IS 444 – IT Auditing, Spring 2021, Week 2 | Thurs, April 8th

IT Auditing: Learning Map
Build the foundation (Professor Phillips):
  – Week 1 – Business, IT environment, corporate governance
  – Week 2 – IT governance, ERM and IT risk
  – Week 3 – Audit standards & frameworks (tools of the trade)
  – Week 4 – IT assessment process (how we conduct an audit)
  – Week 5 – Application controls, data analytics and fraud
Apply IT risk and control assessment concepts (Professor Enstrom):
  – Week 6 – Cybersecurity Part 1 – risks, IAM, BCP/DR
  – Week 7 – Cybersecurity Part 2 – CSF & IRP
  – Week 8 – 3rd party risk – cloudy days
  – Week 9 – Auditing systems development
Corporate governance summation (Professors Phillips & Enstrom):
  – Week 10 – Governance, Risk and Compliance

Today’s Class Outline (Topic – Est. Duration – Est. Times)
– Review Last Week’s Key Learning Points – 10 min – 5:45 pm (start)
– IT Governance – Preview Topic – 5 min
– Small Group Activity: IT Is From Venus, Non-IT Is From Mars* – 25 min
– IT Governance, through the COBIT Lens – 25 min
– BREAK – 10 min – 6:50 – 7:00 pm
– Enterprise Risk Management (ERM) – 50 min
– BREAK – 10 min – 7:50 – 8:00 pm
– Small Group Activity: BDI Case Study* – 35 min
– Wrap up, homework #1, preview next week – 10 min – 8:45 pm (end)
* Materials in Content section of D2L for Week 2

Today’s Learning Outcomes
• Develop an understanding of why IT governance is the starting point for the IT auditor
• Develop an understanding of how Enterprise Risk Management can support a more effective corporate governance structure

Review Last Week’s Key Takeaways
• Big Idea #1 – IT auditors and assurance professionals assist organizations by evaluating business and IT-related risks and the ________ of the organization’s system of internal controls, thereby providing _________ to key stakeholders
• Big Idea #2 – COSO and COBIT provide _______ for the design of a company’s system of internal controls
• Big Idea #3 – Business risk, specifically IT-related risk, is mitigated through a company’s system of ______
• Big Idea #4 – Taken together, these concepts can be viewed as a key component of a company’s overall _______ structure

Key Takeaways – the BIG IDEAS!
• IT auditors and assurance professionals assist organizations by evaluating business and IT-related risks and the effectiveness of the organization’s system of internal controls, thereby providing assurance to key stakeholders
• COSO and COBIT provide frameworks for the design of a company’s system of internal controls
• Business risk, specifically IT-related risk, is mitigated through a company’s system of internal controls
• Taken together, these concepts can be viewed as a key component of a company’s overall IT governance structure

Other takeaways (cont’d)
• An emerging corporate governance paradigm, the three lines (of defense), is also gaining traction, both in the US and internationally …
• The Organisation for Economic Co-operation and Development (OECD) and the “Committee of Sponsoring Organisations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework” highlight the importance of monitoring a company’s system of internal controls → This role can be per...