DePaul University IS 444 (Graduate) | Midterm Exam | Spring 2021

This take-home midterm examination is worth 125 points or 25% of your final grade. The mid-term generally covers weeks 1-5 in the course (week 6 is also helpful…).

When referring to articles or other sources of information to support your short answers, please include a footnote reference. You should cite where in your short answer you are using the source by including a reference number, in parentheses at the end of the sentence, for example (1). Immediately following your answer, include a “Works Cited / Reference Section” that provides information about your source. Here is an example:

Works Cited / Reference Section
(1) Piper, Arthur. “A Matter of Trust.” IA Internal Auditor (On-line Magazine), April, 2016. Accessed April 6, 2016. https://iaonline.theiia.org/. © 2016 The Institute of Internal Auditors. All rights reserved.

Please refer to the Grading Rubric and Criteria that we reviewed and discussed in week 1. Please note, there is no minimum or maximum “word count” included. Rather, use your best judgment and simply write well thought out answers with an eye for concise and logically supported expository composition. As a rule of thumb, students should strive to answer questions with a maximum of 400 words total (i.e., all sub-questions of each question included).¹

Statement on Academic Integrity | In taking this exam, you acknowledge your understanding of DePaul’s Academic Integrity policy, which can be found at the following link: https://offices.depaul.edu/academic-affairs/faculty-resources/academic-integrity/Pages/default.aspx You are encouraged to ensure your work is original and to note that Turnitin® has been enabled in D2L, which provides tools, reports, and data to help identify many forms of potential misconduct.

1. [25 points] ~ Learning Objective: To demonstrate an understanding of the role of the IT auditor in today’s economy.

Global pandemic. Technology disruption. Cybercrime and ransomware. Mergers and acquisitions. Heightened legal, regulatory and compliance requirements. Socio-political and economic climate. Change in the business world is a constant. Jack Welch, the former chairman and CEO of General Electric, stated: “When the rate of change on the outside exceeds the rate of change on the inside, the end is near.”

You have scheduled a meeting with the Chief Information Officer (CIO) to review your proposed changes to your 2021 IT audit plan. Explain how you would use the IT audit function to add value to the organization. In your answer, consider the following short answer prompts:
a) Drawing from our lecture and discussion, what is information assurance and why is it needed in today’s business environment?
b) The COSO internal control framework² emphasizes the need for companies to implement effective monitoring activities to support its overall system of controls, including “separate evaluations” (Principle 16). Explain how IT auditors support this component of the COSO framework, thereby providing information assurance.
c) Consider the concept of continuous auditing we discussed in week 5. How can a future-focused IT auditor apply these concepts to add value?

¹ A 400-word count will create approximately 0.8 pages single-spaced or 1.6 pages double-spaced when using normal margins (1″) and 12 pt. Times New Roman font.
² https://www.coso.org/Documents/COSO-ICIF-11x17-Cube-Graphic.pdf

2. [25 points] ~ Learning Objective: To demonstrate an understanding of key IT governance concepts.

The Chief Audit Executive has asked you to perform some preliminary research as it relates to an upcoming audit of your company’s approach to IT governance. Write a response back to the Chief Audit Executive stating the key areas that the team should focus on for this important IT audit project. In your answer, consider the following short answer prompts:
a) There are many different frameworks that define IT governance. Drawing from our lecture and discussion, in your own words, what are the key elements of IT governance and why should we consider this the starting point for the IT assurance and audit professional?
b) How do you know when IT governance is not working? Scan through today’s headlines and consider providing an example. What facets of IT governance were lacking?
c) What are the different roles of boards versus management? As these roles relate to IT governance, why is clearly defining roles, responsibilities, and accountability important?

3. [25 points] ~ Learning Objective: To demonstrate an understanding of the important role of risk management in today’s economy, including the importance of establishing a common risk language.

Why does a car have brakes? In class, when I asked this question, the majority of you immediately thought: “To slow the car down.” We emphasized the importance of implementing improved risk management practices and establishing a common risk language to enhance value, and proactively seize business opportunities (i.e., “The car can go faster if you know you have effective brakes!”).

Consider the following scenario: Maria Alvarez, the Chief Operating Officer (COO) of a global manufacturing company, recently attended a virtual conference on corporate governance. One of the topics discussed was the subject of Enterprise Risk Management, or ERM for short. She could not believe what she heard … At lunch, later that day, she spoke to her company’s Chief Compliance Officer (CCO): “Mihal,” she said, “this ERM concept is all wrong. Hire a Chief Risk Officer and let that person have responsibility for risk – no way. It’s another example of academics, accounting and consulting firms dreaming up some idea to sell to corporate America. They’re just out to fatten their wallets. Risk management is part of our day-to-day operations – it’s embedded in our daily decision-making. If we set up a separate group to monitor a list of risks, we are only going to cause more troubles. It’s no wonder why only 30% of companies polled in the 2020 edition of The State of Risk Oversight report (April 2020) indicate they have complete formal ERM processes in place.”

Building upon this point-of-view, Bob Kaplan, Senior Fellow and Marvin Bower Professor of Leadership Development, Emeritus at the Harvard Business School, in an article titled “Risk Management, the Revealing Hand,” states, “After the global financial crisis, consultants and policy makers reached the conclusion that, as articulated by Ernst & Young Partner Randall Miller, “companies with more mature risk management practices outperform their peers financially.” Consultants offered to show less risk-savvy companies how to reap the “likely profit margin increase” that has accrued to “risk management leaders… over the last three years” and to achieve the spectacular EBITDA differentials between the “top” and “bottom” of the risk management maturity scale. Despite such claims, academic studies have yet to confirm whether and how risk management practices add value.”

In your answer, consider the following short answer prompts:
a) Do you agree or disagree with Maria Alvarez, the COO – is the concept of ERM “all wrong”?
b) Often, when we think about risk, we immediately focus on “potential harms” – how can ERM, or more effective risk management practices, focus on value added versus value preserved?
c) Building on the topic of risk management, explain why it is vitally important for the IT auditor to establish a common risk language with management.

4. [25 points] ~ Learning Objective: To demonstrate an understanding of key IT assurance professional standards.

Internal audit and IT assurance professional standards emphasize the importance of performing engagements with due diligence and professional care – exercising appropriate levels of objectivity and professional skepticism. Cynthia Cooper, WorldCom whistleblower and internationally recognized expert on ethics and leadership, offers some timeless lessons for risk, compliance and assurance professionals. In this article in CFO magazine – WorldCom Whistle-blower Cynthia Cooper – she states, “My feelings changed from curiosity to discomfort to suspicion based on some of the accounting entries my team and I had identified, and also on the odd reactions I was getting from some of the finance executives.”

After reading this short article, consider the following short answer prompts:
a) What elements of due professional care were exhibited in her actions?
b) Why are these elements of the professional standards vital to the profession of internal audit?
c) Although the IT assurance standards do not include the concept of “ethical courage” – why is it important for an IT assurance professional to understand their personal “ethical courage”?

5. [25 points] ~ Learning Objective: To demonstrate an understanding of the IT audit process, with a focus on the importance of risk-based planning.

A well thought out approach to planning an IT audit provides for an orderly, structured approach to perform the audit. You are preparing to conduct an IT audit of a mission critical application. Consider the following information: The Commercial Lending Application (CLA) is a vendor-based package that supports the commercial lending operations of a global bank. This system processed $367,000,000 USD in loans in Q1, 2021, which represents 63% of the bank’s global revenue. The CLA system has had minimal customization to date. There are two developers that support this application; given the small size of the development team, they have direct unrestricted access to production for support purposes.
The changes that have taken place to this application are primarily to the reports; however, some customization to the source code has been made. In early 2021, one of the developers responsible for supporting CLA was fired for cause. The servers are housed in the corporate main office support center in Moline, Illinois. Since this is a vendor-based application, the support team does not follow standard corporate change management policies. There have been fifty changes to this application this past year. Ten of these changes were emergency changes. End users total about sixty-two people, and the business users have recently reported some repeated concerns about application availability due to two recent outages.

Describe the key elements of IT audit engagement level planning³ and explain why each element is important. In your answer, consider the following short answer prompts:
a) What is your assessment of the business impact of this system if there were an outage or data integrity issue?
b) What is your preliminary assessment of the likelihood of a risk event occurring? What specific facts caused you to reach this conclusion?
c) Why is risk assessment a vital and important component of performing an IT audit?

³ Engagement level planning means you are planning to perform a specific IT audit of an application, IT process or component of the IT infrastructure.


IS344/444 – IT Auditing | Spring 2021 | Week-1 | Thurs. April 1, 2021
DePaul University – IS 344/444 IT Auditing

Today’s Class Outline (Topic – Est. Duration)
• Introductions – 10 min
• Class Overview and Expectations – 15 min
• Corporate Governance – 25 min
• BREAK – 10 min
• IT Risk in Today’s Business Environment | Establishing a Common Risk Language – 50 min
• BREAK – 10 min
• COSO, Internal Controls and IT Governance – 50 min
• Wrap up, preview next week – 10 min

INTRODUCTIONS

Introductions – Prof. Jim Enstrom (Weeks 1-5)
• University of Illinois, Urbana-Champaign, Bachelor of Liberal Arts and Sciences
• Arizona State University, Master of Accountancy
• 13 years in public accounting / consulting – Arthur Andersen & Co. and Deloitte & Touche LLP
• Senior Vice President, Chief Audit Executive, at Cboe Global Markets, Inc. (2009 to present)
  – Certified Internal Auditor (CIA)
  – Certified Information Systems Auditor (CISA)
  – Certified in Risk and Information Systems Control (CRISC)
  – ISACA Volunteer
  – IIA Volunteer
• Contact me via email jenstrom@depaul.edu
• ****IMPORTANT**** Please do not use my Yahoo personal email account
• Office Hours – preference is to schedule time with me

Introductions – Prof. Michael Phillips (Weeks 6-10)
• Contact via email mphilli8@cdm.depaul.edu
• Office Hours - Thursdays, 5:00-5:45 pm or by arrangement.

COURSE LEARNING OUTCOMES AND EXPECTATIONS

Course Learning Outcomes
Through the application of COBIT® and other similar IT governance frameworks, students will develop a common vocabulary for understanding sources of IT risk and performing an evaluation of IT controls. Students will further gain hands-on experience in analyzing and assessing IT risks and controls through various case studies, lectures, and discussions. The primary learning outcomes of the course include:
• Establishing an understanding of the IT environment and analyzing why IT assurance is vitally important in today's business environment,
• Recognizing and evaluating how corporate and IT governance practices impact a company’s IT risk and control profile, and IT assurance processes,
• Developing an understanding of the IT Audit and Assurance Process (i.e., risk assessment, planning, fieldwork, reporting and communication) and further evaluating how the IT auditor should apply relevant standards, guidelines, and best practices, and
• Surveying IT audit approaches to the following IT domains, and synthesizing key risks:
  o Systems development and maintenance,
  o IT service delivery and support,
  o Business continuity and disaster recovery,
  o Data analytics, fraud detection and application controls and
  o IT Security.

Class Requirements
Grading Breakdown (Grade Item – Percentage – Point Allocation):
• Homework Assignments (50 points each x 4) – 40% – 200 points
• Mid Term Exam (details in class syllabus) – 25% – 125 points
• Final Exam (details in class syllabus) – 25% – 125 points
• Participation – in class or via on-line communication (details in class syllabus) – 10% – 50 points
• Total – 100% – 500 points

Grading Scale (Grade – Percentage):
• A – 93% – 100%
• A– – 90% – 92%
• B+ – 87% – 89%
• B – 83% – 86%
• B– – 80% – 82%
• C+ – 77% – 79%
• C – 73% – 76%
• C– – 70% – 72%
• D+ – 67% – 69%
• D – 60% – 66%
• F – Less than 60%

Other Important Information
Participation:
• Classes are a combination of asynchronous and synchronous online work. Students will find content, assignments, and schedules in D2L. In addition, the class meets synchronously on-line via Zoom on Thursdays, 5:45-9 pm. Live participation is available to all students. However,
  – Asynchronous students MUST participate in the online Discussion Forum in D2L each week. Discussion Forums will lock out any further posts after two weeks; no exceptions.
  – Synchronous (real-time) students are encouraged to participate in the Discussion Forum in D2L
Homework, Discussion Forum Participation or Exams:
• Subject to pre-approval, only students granted an official excused absence will be allowed to make up a missed homework, Discussion Forum entry or examination. Any uncoordinated, unexcused missed exam, Discussion Forum entry or homework assignment will result in a score of -0-.
Academic Integrity:
• This course will be subject to the Academic Integrity Policy passed by Faculty Council. Work done for this course must adhere to the DePaul University Academic Integrity Policy, which you can review in the Student Handbook or by visiting Academic Integrity at DePaul University (http://academicintegrity.depaul.edu).

Other Important Information
Communications:
• Class lecture, D2L and email will be the primary means of communication.
Attendance/Participation Verification Policy:
• VI. Policy: Beginning on the last day to add a course, the primary instructor will have two (2) business days to report whether each student on his/her rosters has begun attending the course. It is up to the instructor to establish what constitutes attendance in each course. When assigning a grade of FX (a grade reserved for students who have stopped attending, see graduate and undergraduate handbook), the instructor is required to indicate the date the student stopped attending and/or the reason for assigning the FX.
IS 444 Attendance/Participation Verification Procedure:
• All students: If you are planning to drop the class, you must let me know. Otherwise, I will assume you are attending the class.
• ***I am required to report attendance in BlueStar after week 1.***

Class Participation Criteria – 50 points or 10% of your grade
• For students participating in weekly, synchronous Zoom-based discussions: attitude, effort and contributions to classroom discussions – both during lecture and in small group breakouts.
• Asynchronous students MUST participate in the online Discussion Forum in D2L each week. Discussion Forums will lock out any further posts after two weeks; no exceptions.
• Synchronous (real-time) students are encouraged to participate in the Discussion Forum in D2L
• Instructor discretion

Important Dates
• Homework Assignments, Mid-Term and Final Examination – refer to syllabus
• Please refer to the academic catalog for other important dates such as the last date to drop the class, select pass/fail, withdraw, etc.

Desire 2 Learn (D2L)
• D2L will be used to manage course content (e.g., weekly lecture materials, etc.)
  – For Professor Enstrom, typically, each week I will post the day’s PowerPoint slides on the day of class (sometimes sooner). These documents will be located in the “Content” section of D2L (Week-1 Folder, Week-2 Folder, etc.); it is not expected that you read the PowerPoint prior to class; however, you should read the reading assignments ahead of each class
• D2L will also be used for our homework assignments
• Zoom video recordings of each week’s lecture will be posted in the News section of D2L on the next business day
• Please let me know if you have any questions or feedback regarding our use of D2L

Desire 2 Learn (D2L) – screenshot: the “Discussion Forum” for asynchronous students; the “Content” section is where you will find our class materials.

Homework Assignments
• We will have 4 homework assignments this semester (50 points * 4 = 200 points)
• The homework assignments are located in the “Homework” section of D2L
• The assignment due dates are noted on the course syllabus
• The homework assignments are designed as formative assessments of your progress to understand key concepts
• The homework assignments are designed as on-line quizzes
• For each homework, you will have 75 minutes to complete
• You can take the homework/quiz twice, and your final score will be the HIGHER of the two grades

Communicating with Impact
• Effective writing and communication/speaking skills are an important component of auditing
• Through the audit report writing process, our job is to “persuade management” to accept a recommendation
  – Although the job description is “IT Auditor” – in many respects we are “sales people” – attempting to sell management an idea – a way to improve the company’s operations by adopting or accepting our audit recommendations
• So, how do we do that? Let’s discuss the power of persuasive writing
• IMPORTANT POINT – if you need help with your writing, reach out to the DePaul Writing Center. Use of the Center is highly recommended: https://condor.depaul.edu/writing/

Grading Rubric – for midterm and final

Above average “A” grade
  Organization: The reader is quickly able to understand the logical flow and construct of the persuasive argument. Information is presented logically and naturally. Provides the reader with an “ah-ha” moment, a thoughtful insight with compelling evidence.
  Evidence: Expresses concepts and ideas through use of strong supporting examples to demonstrate understanding of question purpose and key learning objectives. Recognizes and thoughtfully addresses complexities associated with argument. Appropriate use of citations when referring to facts, ideas, or outside sources.
  Clarity / Readability: No errors in grammatical writing and spelling to distract the reader. Uses style and tone appropriate to the audience and purpose. Sophisticated sentence variety and paragraph development.

Sufficient “B” grade
  Organization: The reader is able to identify the focus of the student work, which is supported by relevant ideas and supporting details; however, ideas may be more limited in depth. Organized but may have minor lapses in unity or coherence.
  Evidence: More limited use of examples to express concepts, ideas, and connections to question purpose and key learning objectives. Recognizes and partially addresses complexities associated with argument. Appropriate use of citations when referring to facts, ideas, or outside sources.
  Clarity / Readability: Few, if any, errors in grammatical writing and spelling to distract the reader; however, writing lacks the organizational strength, clarity and readability of an “A” response.

Developing “C” grade
  Organization: The answer attempts to establish a clear argument; however, the reader may not quickly understand the central ideas or purpose of the student work. Writing is not organized and lacks unity and coherence.
  Evidence: Limited use of evidence and/or examples to express concepts, ideas, and connections to question purpose and key learning objectives. May recognize, yet does not address, complexities associated with argument. Incomplete or partial use of citations when referring to facts, ideas, or outside sources.
  Clarity / Readability: Multiple errors in grammar and spelling that distract the reader. Writing is too general, with flaws in logic and/or organization.

Needs Improvement “D” or below grades
  Organization: No clear argument or logical construct; difficult to understand. The reader cannot clearly or easily identify the central ideas or purpose of the student work.
  Evidence: Information is presented in a disorganized fashion, causing the reader to have difficulty following the concepts, ideas, and connections to question purpose and key learning objectives. A trivial argument or analysis. Fails to cite sources used in the answer.
  Clarity / Readability: There are many misspellings and/or mechanical errors that negatively affect the ability to read, understand and comprehend the work. Writing is far too general, with flaws in logic and/or organization.

Other Thoughts & Expectations
• Scan the headlines for news relevant to our weekly topics and share this information in class via Zoom and/or in our Discussion Forums.
• For those students participating in Zoom-based classes:
  – Ask questions and share your experiences – we learn from each other!
  – We will challenge you through discussion, numerous opportunities to speak in front of your peers and by debating and challenging ideas & concepts we discuss in class.
• We recognize that not all of you will enter a career in IT auditing – however, the concepts, principles and other ideas we share this semester will benefit your professional development.
• Provide feedback on the class – lectures, discussions, materials – don’t wait until the class is over … We want to hear from you now!!!

Today's Learning Objectives
• Develop an understanding of corporate governance and why IT assurance is needed in today’s economy
• Develop a common language:
  – Information Assurance
  – COSO – Internal Control Framework
  – Risk
  – Root Cause
  – Internal Control
  – IT Governance
Each week we will establish and discuss learning outcomes – big picture, keep these in mind as we discuss each topic tonight …

IT Auditing: Learning Map
Build the foundation (Professor Enstrom):
  – Week 1: Business, IT environment, corporate governance
  – Week 2: IT risk, legal & regulatory issues
  – Week 3: Audit standards & frameworks (tools of the trade)
  – Week 4: IT assessment process (how we conduct an audit)
  – Week 5: Application controls, data analytics and fraud
Apply IT risk and control assessment concepts (Professor Phillips):
  – Week 6: Cybersecurity Part 1 – risks, IAM, BCP/DR
  – Week 7: Cybersecurity Part 2 – CSF & IRP
  – Week 8: 3rd party risk – cloudy days
  – Week 9: Auditing systems development
Corporate governance summation (Professors Phillips & Enstrom):
  – Week 10: Governance, Risk and Compliance

BREAK – 10 minutes

CORPORATE GOVERNANCE AND ROLE OF THE IT AUDITOR

Today’s Headlines:

Defining Corporate Governance
[Figure: Google search results for “corporate governance” – from the archive, 2013: 21.3 million Google hits; today: over 47 million Google hits!]

Let’s start with a quote
Corporate Governance According to Mr. Munger: “A lot of people think if you just had more process and more compliance—checks and doublechecks and so forth—you could create a better result in the world. Well, Berkshire has had practically no process. We had hardly any internal auditing until they forced it on us. We just try to operate in a seamless web of deserved trust and be careful whom we trust.”
Source: Stanford Closer Look Series: “Corporate Governance According to Charles T. Munger,” March 3, 2014. Berkshire Hathaway Vice Chairman Charlie Munger is well known as the partner of CEO Warren Buffett and also for his advocacy of “multidisciplinary thinking”: the application of fundamental concepts from across various academic disciplines to solve complex real-world problems.

Corporate Governance – Establishing a Common Language
• Discuss the term “corporate governance”
  – What does this term mean to you – in your own words?
  – What are some of the key elements that make up an effective corporate governance structure?
  – How do you know when a company’s corporate governance structure is NOT working?
  – Mr. Munger states, “The right culture, the highest and best culture, is a seamless web of deserved trust.” – Do you agree with this statement – yes or no? Discuss.
• Asynchronous students, listen along to the discussion and provide input to the Week-1 DISCUSSION Forum in D2L.

Corporate Governance Defined
According to the Organization for Economic Cooperation and Development (OECD):
• The purpose of corporate governance is to help build an environment of trust, transparency and accountability necessary for fostering long-term investment, financial stability and business integrity, thereby supporting stronger growth and more inclusive societies.
• Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders.
• Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined.
… good corporate governance will reassure shareholders and other stakeholders that their rights are protected and make it possible for corporations to decrease the cost of capital and to facilitate their access to the capital market.
Corporate Governance (cont’d)
The need for assurance – independent board, monitoring the system of controls and the role of audit:
• Monitoring and managing potential conflicts of interest of management, board members and shareholders, including misuse of corporate assets…
• It is an important function of the board to oversee the internal control systems covering financial reporting and the use of corporate assets …
• The board will also need to ensure that there is appropriate oversight by senior management. Normally, this includes the establishment of an internal audit system directly reporting to the board.

Three lines (of defense) – A model for more effective corporate governance
The Three Lines Model Video (Source: IIA)

The Pattern is Clear …
• Increasingly sophisticated use of technology introduces new business risks …
• Ever evolving regulatory and compliance landscape adds to the risk management challenge …
• Management, Boards, regulators, shareholders, customers and other stakeholders want assurance that risks are appropriately managed …
This is a key tenet of effective corporate governance!

When you hear the word “auditor” what comes to mind?
Value added – Control inspectors – Independence – Gotcha – Trusted advisor – Assistance – Objectivity – Investigator – Time wasted – Pain

So, what is an IT audit?
• IT auditing is an integral part of the internal audit (IA) function (3rd line)
• IT risk and compliance professionals, within the 2nd line, also play assurance roles, and conduct IT audits
• IT auditors provide assurance that information assets are safeguarded (confidentiality, integrity and availability) by evaluating IT risks and controls
• IT auditors must remain independent (3rd line) and objective (2nd and 3rd line) (there are other professional standards too)

So, what is an IT audit? (cont’d)
An IT audit is an objective analysis of:
• IT Governance Practices
• IT Processes
• IT Technical Configurations
IT auditors play a key role in helping organizations evaluate, monitor and report on the design and effectiveness of IT-related controls for the extended enterprise. Are the risks related to the use and deployment of information technology appropriately managed? – this is the question we seek to answer …

The IT Audit Profession
• New profession for the technology generations
• What constitutes a profession?
  – Common body of knowledge
  – Code of ethics and standards
  – Certification and training requirements
  – Educational institutions provide courses in the field
  – Professional associations (e.g., Information Systems Audit & Control Association – ISACA)
• About ISACA:
  – ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems. Today, ISACA has more than 95,000 members worldwide.

Certified Information Systems Auditor (CISA)
• More than 75,000 professionals in nearly 160 countries have earned the Certified Information Systems Auditor (CISA) certification since its inception in 1978.
• The CISA designation was created for professionals with work experience in information systems auditing, control or security that includes:
  – Information Systems (IS) audit process
  – IT Governance
  – Systems and Infrastructure Lifecycle Management
  – IT Service Delivery and Support
  – Protection of Information Assets
  – Business Continuity and Disaster Recovery
• More information at: http://www.isaca.org/Certification/CISA-CertifiedInformation-Systems-Auditor/Pages/default.aspx

Role of the IT Auditor – How We Add Value
• IT Auditor as an objective risk-based assurance provider
• IT Auditor as an insightful, proactive, and future-focused risk investigator
• IT Auditor as a partner and trusted advisor for Senior Management

The Future of IT Audit
• IT Auditors with Technical Skills Will Be in High Demand
  – 67% of audit departments have difficulty recruiting auditors with the required technical skills
  – 64% of auditors say the technical skills gap has at least a moderate impact on performing IT audits with a high degree of confidence
• IT Auditors Will Be Increasingly Involved in Major Tech Projects
  – 35% of auditors are brought in during the planning phase of major tech projects
  – 44% say they have a significant impact on tech projects in their organizations
  – 47% say IT auditors will be significantly more involved in major tech projects in the next 3-5 years
Source: “The Future of IT Audit”, Information Systems Audit and Control Association (ISACA)

BREAK – 10 minutes

IT RISK IN TODAY’S ENVIRONMENT – ESTABLISHING A COMMON RISK LANGUAGE

Business Risk versus IT Risk
What do these terms mean to you? What examples come to mind? Let’s discuss …

Today’s Global Environment
• Global economic challenges
• Wars
• Natural disasters
• Legal and regulatory environment
• Mergers, acquisitions, divestitures
• Outsourcing
• …the list goes on …

Today’s IT Environment
• Impact of economic challenges
• Increased business expectations
• Cost focus
• Layoffs
• Regulations and compliance
• Outsourcing
• Advancements in technologies and architecture (e.g., cloud computing, virtualization, etc.).

Today’s Legal/Regulatory Environment
• Health Insurance Portability & Accountability Act (HIPAA) 1996, HITECH (2009)
• Gramm-Leach-Bliley Act (privacy and safeguards rules)
• Sarbanes-Oxley Act of 2002
• Payment Card Industry Data Security Standard (PCI DSS)
• Proliferation of data privacy laws, US and global (EU General Data Protection Regulation (GDPR))
• California Consumer Privacy Act of 2018 (CCPA)
• California Privacy Rights Act of 2020 (CPRA)
• State privacy/breach laws
• Industry specific laws – e.g., Reg SCI

What does an IT Department look like? 40,000 foot view
• IT departments primarily perform two key functions:
  – Develop and maintain applications that support business objectives
  – Develop and support the underlying IT infrastructure that “runs” the applications that support business objectives
• What else do they do? Let’s take a brief look at COBIT to understand …
To learn more about COBIT 2019 refer to this link… http://www.isaca.org/cobit/pages/default.aspx

What Is/Is Not COBIT?
• COBIT:
  – Defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills and infrastructure.
  – Defines the design factors that should be considered by the enterprise to build a best-fit governance system.
  – Addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
• COBIT is not:
  – A full description of the whole IT environment of an enterprise.
  – A framework to organize business processes.
  – An IT technical framework to manage all technology.
  – Prescriptive of any IT-related decisions. It will not decide what is the best IT strategy, architecture, cost, etc.

COBIT – Process Model
[Figure. Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.]

COBIT – An IT Process Detailed Reference Tool
High level process: APO10 Manage Suppliers
Sub processes:
• APO10.01 – Identify and evaluate supplier relationships
• APO10.02 – Select suppliers
• APO10.03 – Manage supplier relationships and contracts
• APO10.04 – Manage supplier risk
• APO10.05 – Monitor supplier performance and compliance
Control “Activities”:
1. Define and document criteria to monitor supplier performance
2. Monitor and review service delivery in relation to contract
3. Review against market conditions
4. Request independence reviews, if necessary
5. Record and assess review results and discuss with vendor
6. Monitor and evaluate externally available data about the supplier
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

COBIT 2019
[Figure. Source: COBIT 2019, figure 1.1 © 2019 ISACA® All rights reserved.]

Governance vs. Management
• Governance ensures that:
  – Stakeholder needs, conditions and options are evaluated to determine balanced, agreed-upon enterprise objectives.
• Management:
  – Plans, builds, runs and monitors activities, in alignment with the direction set by the governance body, to achieve the enterprise objectives.
  – In most enterprises, management is the responsibility of the executive management, under the leadership of the Chief Executive Officer (CEO).

IT Risk Defined
• From ISACA (1): “IT risk is business risk—specifically, the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.”
• From NIST (2): “Risk is the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence. Risk management is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.”
(1) http://www.isaca.org/ContentManagement/ContentDisplay.cfm?ContentID=47967
(2) http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

What keeps you up at night?
CEO:
• Shareholder Demands
• Economic Forces
• Business Innovation
• Legal & Regulatory
• Talent Management
CFO:
• Finance Transformation
• Cash Management
• Credit / Counterparty
• Sarbanes–Oxley
• Financial Reporting
MGT:
• Business Operations
• Employee Morale
• Workforce Reductions
• Cycle Time
• Training
CIO:
• Business Demands
• Technology Evolution
• Cost Pressures
• Third Parties
• Solution Delivery
Stakeholders can have different perspectives on business priorities and risk.
Key Point: There is a need for a common language (definition) of risk.

IT Risk – a P&L Taxonomy
Profit & Loss (P&L) Statement:
  Revenue      $1,000,000
  Expenses     ($500,000)
  Net Income     $500,000
Revenue – Defined: Business risks, derived from the use and deployment of IT assets, that impact the ability of the organization to maximize revenue. How will this IT risk impact my company’s ability to generate revenue?
Revenue – Examples:
• Data quality / information for decision-making
• Customer experience
• Product innovation
• Sales efficiency and effectiveness
Expenses – Defined: Business risks, derived from the use and deployment of IT assets, that negatively impact expenses. How will this IT risk impact my company’s expenses?
Expenses – Examples:
• Security/data breaches
• IT compliance fines
• Business interruption
• Operational efficiency and effectiveness

IT Risk – a P&L Taxonomy (cont’d)
• IT risk can cause lost opportunity – think poor web customer experience that causes customers to choose a competitor …
• IT risk can cause a direct expense to the bottom line – think fine or legal costs associated with a breach …
The bottom line: IT risk may result in the loss of business value to stakeholders – lost opportunity, or excessive costs. This is the common language we need to use.

Assessing Risk and Understanding the IT Risk Profile
• Think of a “risk profile” as a holistic understanding of the varied types of risks that a company must address:
  – Human capital
  – Legal, compliance, government
  – Socio-economic / environmental
  – Business size, complexity
  – Pace of change
  – Use of technology
• Let’s discuss the risk profile of these two different organizations:
  – Caterpillar: Full-year sales and revenues in 2020 were $41.7 billion, down 22% compared with $53.8 billion in 2019.
    Caterpillar is the world’s leading manufacturer of construction and mining equipment, diesel and natural gas engines, industrial gas turbines and diesel-electric locomotives.
  – The Berghoff: The Berghoff is a rarity in America’s restaurant industry—100% family-owned and family-operated for more than 121 years. The legacy can be traced back to 1870, when Herman Berghoff emigrated from Germany to America. The Berghoff opened doors in 1898. Beers were sold for a nickel and they came with a side sandwich, free!

Now that we have defined IT risk …
• Let’s gain a better understanding of what can cause risk events to occur in the business world
• Throughout our semester, we will refer to this concept as “SOURCES of IT risk”
• To analyze sources of IT risk, we will use the “root cause framework”

Sources of IT Risk
[Figure]

What is root cause analysis?
• The Institute of Internal Auditors (IIA) issued a Practice Advisory in December 2011 that states:
  – “Root cause analysis is defined as the identification of why an issue occurred (versus only identifying or reporting on the issue itself). In this context, an issue is defined as a problem, error, instance of noncompliance, or missed opportunity … A core competency necessary for delivering insights is the ability to identify the need for root cause analysis and, as appropriate, actually facilitate, review, and/or conduct a root cause(s) analysis.”
• An example: The computer system suffered an outage – 5 Whys!
  – 1st why – the system settings were not up to date (technical)
  – 2nd why – because the systems engineer failed to apply a patch (process)
  – 3rd why – because the process to patch the system is ad hoc (process)
  – 4th why – because Management failed to establish clear expectations via a policy (IT governance)
  – 5th why – No need for question #5 … We found the answer … IT governance was lacking – this is the root cause!

BREAK – 10 minutes

COSO, INTERNAL CONTROLS AND IT GOVERNANCE

COSO Internal Control—Integrated Framework
Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework (2013)
KEY POINT: Auditing is a component of an effective system of internal controls
http://www.coso.org/
• The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure.
• Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed.
• Control activities are the policies and procedures that help ensure management directives are carried out.
• Information [and communication] systems produce reports, containing operational, financial and compliance-related information, that make it possible to run and control the business.
• Monitoring activities include ongoing or separate evaluations (i.e., auditing) and taking corrective actions to address weaknesses in the system of controls.

2013 Revised Framework
• Principle #11 focuses on the importance of IT controls
• Principle #16 focuses on monitoring and periodically evaluating the system of controls
http://www.coso.org/

Internal Controls
• Internal Control may mean different things to different people – here are two commonly used definitions:
  – Policies, procedures, practices, and organization structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected (COBIT definition).
  – Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories (COSO definition):
    • Effectiveness and efficiency of operations.
    • Reliability of financial reporting.
    • Compliance with applicable laws and regulations.
• Notice the words “reasonable assurance” – we’ll discuss this term more throughout the semester

Types of Internal Controls
Soft Controls: The policies and actions of senior management such as:
• Tone at the top (in words and deeds)
• Culture and management style
• Organization structure
Hard Controls: A step or action taken in a procedure that serves to mitigate a risk such as:
• Supervisory approval
• Supervisory review
A hard control can also be embedded in a computer or application such as:
• Unique user ID and password
• On-line edit check

Types of Internal Controls (cont’d)
Preventive Controls: This is another way to think about controls – certain controls are designed to prevent bad things from happening, such as:
• Passwords
• On-line edit check
• Virus prevention/detection software
Detective or Monitoring Controls: These types of controls are designed to identify issues so management can take action after the occurrence. Examples include:
• Weekly change management
• Access review by Management
• Unauthorized access alert in command center

Internal Controls as an Ecosystem
Step 1: Begin by defining the risk: Unauthorized or inappropriate access to the General Ledger could result in inaccurate financial statements.
Step 2: Next, determine what controls mitigate this risk:
1. Information Security Policy – Policies outline Management’s expectations regarding how to manage risk.
2. Preventive – Accounting Management approves all access to the General Ledger.
3. Preventive – Unique user IDs and passwords are assigned.
4. Detective – Quarterly, the Controller reviews all access to the General Ledger for appropriateness.
Step 3: Assess the design of the controls: Now that you have gained an understanding of the controls in place, ask the question – is the system of controls designed properly to mitigate the identified risks?
IT controls may include (a) the policy that establishes the security requirements, (b) the ID and passwords, (c) the process and related approvals needed to gain access, and (d) the monitoring procedures used by Management to evaluate user access rights.
Multiple control activities in an organization make up a system of controls or ecosystem. In this example, 4 controls have been identified that mitigate the defined risk to the business. If the risk profile is high, as IT auditors, we should expect to see a more robust system of controls.

Internal Controls as an Ecosystem (cont’d)
• Information Security Policy
• Preventive – Accounting Management approves all access to the General Ledger
• Preventive – Unique user IDs and passwords are assigned
• Detective – Quarterly, the Controller reviews all access to the General Ledger for appropriateness
Let’s discuss for a moment – what other controls are part of this ecosystem? How are these controls related?

Internal Controls and Risk Assessment – why it matters!
Risk goal = risk aligned policies, processes and technical IT controls
Risk insights
[Figure]

Independent and Objective “Assurance”
• IT auditing provides a means to gain independent and objective assurance that risks related to the use and deployment of IT assets are appropriately managed. These IT-related risks include:
  – Confidentiality – Sensitive information (e.g., personally identifiable information, intellectual property) is protected from unauthorized access and disclosure.
  – Integrity – Information is accurate and complete as well as valid in accordance with business rules and expectations.
  – Availability – Information is available when required to meet business objectives.
  – Compliance – Information complies with those laws, regulations and contractual arrangements to which the business is subject.
• IT auditors play a key role in helping organizations evaluate, monitor and report on the design and effectiveness of IT-related controls for the extended enterprise

IT Governance Defined
• IT governance is defined as the processes that ensure the effective and efficient use of IT in enabling an organization to achieve its goals. (Source: Gartner, http://www.gartner.com/it-glossary/it-governance)
• Earlier, we talked about the concepts of “corporate governance”
• Why does “IT governance” require its own definition – should the concepts and principles be the same as “corporate governance”?
• Let’s discuss …

Key Takeaways – the BIG IDEAS!
• IT auditors assist organizations by evaluating business and IT-related risks and the effectiveness of the organization’s system of internal controls, thereby providing assurance to key stakeholders
• COSO provides a framework for the design of a company’s system of internal controls
• Business risk, specifically IT-related risk, is mitigated through a company’s system of internal controls
• Governance vs. Management
• Taken together, these concepts can be viewed as a key component of a company’s overall corporate and IT governance structure

REVIEW LEARNING POINTS AND PREVIEW NEXT WEEK

Review Learning Outcomes
• Developed an understanding of corporate governance and why IT audit and assurance (from the 2nd and 3rd line) is important in today’s economy
• Developed a common language:
  – IT Processes
  – Assurance
  – COSO – Internal Control Framework
  – Internal Control
  – Risk
  – Root Cause Analysis
  – IT Governance

Preview Next Week
• Topics:
  – Understanding business risk – case study
  – IT governance – the starting point
  – Legal and regulatory mandates (SOX, Privacy, PCI, etc.)
• Refer to syllabus for relevant reading assignments and due date for Homework #1
• Students should post their comments to this week’s questions in the Discussion Forum within D2L. Forum will lock after 2 weeks.

IS 444 – IT Auditing, Spring 2021
Week 3 | Thurs. April 15, 2021
DePaul University – IS 444 IT Auditing

Today’s Class Outline
Topic | Est. Duration | Est. Times
Class Admin Items: Homework Assignments and Mid-Term Exam | 5 min | 5:45 pm (start)
Review Last Week’s Key Learning Points | 10 min |
IT Audit and Assurance Professional Standards of Practice | 60 min |
BREAK | 15 min | 7:00 – 7:15 pm
Tools of the Trade – IT Audit Frameworks, a focus on COBIT | 45 min | 8:00 pm (end)**
** Refer to SUPPLEMENTAL SELF-STUDY section for self-study / self-paced supplemental assignments related to today’s learning outcomes/objectives.

IT Auditing: Learning Map
Build the foundation (Professor Phillips):
• Week 1 – Business, IT environment, corporate governance
• Week 2 – IT governance, ERM and IT risk
• Week 3 – Audit standards & frameworks (tools of the trade)
• Week 4 – IT assessment process (how we conduct an audit)
• Week 5 – Application controls, data analytics and fraud
Apply IT risk and control assessment concepts (Professor Enstrom):
• Week 6 – Auditing systems development
• Week 7 – Cybersecurity Part 1 – risks, IAM, BCP/DR
• Week 8 – Cybersecurity Part 2 – CSF & IRP
• Week 9 – 3rd party risk – cloudy days
Corporate governance summation (Professors Phillips & Enstrom):
• Week 10 – Governance, Risk and Compliance

Admin items
• Homework #1
• Homework #2 (begins 4/22, ends 4/29 5:45 pm US Central)
  – Covers weeks 3 & 4
  – Maximum points will be 50
  – Consult class syllabus for timing of Homework #2
• Mid-term Examination (covers weeks 1-5)
  – Available for download on 5/6
  – Due / upload completed exam to D2L by Sunday, 16th May by 11:59 pm US Central time
  – More details next week
• Please continue to post your comments to our on-line discussion forums.

Last week’s lecture – Big Ideas
IT Governance:
• What is IT governance?
• Why is this subject important to Management? The IT Auditor?
• Explain how risk management is an important component of IT governance
Enterprise Risk Management:
• What are the drivers that are leading organizations to adopt an ERM approach to corporate risk management?
• Understand the key terms – risk appetite, risk event, risk assessment, and risk response
• Why is developing a common risk language important?
• What are some other principles that companies should consider as they begin developing an ERM program?

Mapping back to COBIT – What is IT governance?
[the processes used to] Evaluate, Direct and Monitor (EDM)
• EDM01 Ensure Governance Framework Setting and Maintenance – Analyze and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise’s mission, goals and objectives.
• EDM02 Ensure Benefits Delivery – Optimize the value contribution to the business from the business processes, IT services and IT assets resulting from investments made by IT at acceptable costs.
• EDM03 Ensure Risk Optimization – Ensure that the enterprise’s risk appetite and tolerance are understood, articulated and communicated, and that risk to enterprise value related to the use of IT is identified and managed.
• EDM04 Ensure Resource Optimization – Ensure that adequate and sufficient IT-related capabilities (people, process and technology) are available to support enterprise objectives effectively at optimal cost.
• EDM05 Ensure Stakeholder Transparency – Make sure that the communication to stakeholders is effective and timely and the basis for reporting is established to increase performance, identify areas for improvement, and confirm that IT-related objectives and strategies are in line with the enterprise’s strategy.

From IT governance to “Enterprise Governance of Information and Technology”
• From COBIT – governance objective = “value creation”
• Governance is about deciding amongst various stakeholder needs
  – What are the benefits?
  – What are the risks?
  – What resources are required?
Source: COBIT® 2019 Framework: Introduction and Methodology

Performance Management
• Measuring IT performance is a key aspect of effective IT governance
• The graphic to the right shows example performance measures or metrics related to the risk responsibilities of IT governance
• Can you think of others?
[Figure. Source: COBIT 2019, © 2019 ISACA® All rights reserved.]

Risk management – a renewed business imperative!
• In today’s complex and global business environment, risks are continually evolving – in response to this environment, organizations are looking for ways to improve their risk management capabilities
• Many companies have adopted formalized risk management programs, often referred to as Enterprise Risk Management (ERM) policies, and related procedures designed to drive continuous improvement in risk management capabilities given this changing business environment
• ERM, as a business discipline within the second line (of defense), seeks to increase a company’s understanding of, and response to, various enterprise level risks, and how these risks may impact the achievement of business objectives and strategies

What is risk?
• Risk is ever present – from your first cup of coffee in the morning, until you lay down to bed at night
• The risks that we are exposed to can be viewed as either:
  – Controllable – I am going to wear a bicycle helmet
  – Uncontrollable – that car came out of nowhere!
• What can you do with risk? Risk involves decisions – you can:
  – Accept it and: (1) do nothing, (2) or manage it
  – Avoid it altogether
  – Transfer it to someone else, or insure it
  – Seek it out (risk v. reward)
“The biggest risk is not taking any risk. In a world that's changing really quickly, the only strategy that is guaranteed to fail is not taking risks.” – Mark Zuckerberg, Facebook, Founder and CEO
Source: Steve Tobak, MoneyWatch, October 31, 2011, "Facebook's Mark Zuckerberg -- Insights For Entrepreneurs"
IS 344/IS444 IT Auditing 10 Back to the risk and control seesaw Let’s discuss … Illustrative Example • Web application that supports on-line customer sales • High risk data (e.g., credit card info) Week 3 What is the inherent risk? What controls can management implement to reduce the residual risk? As the IT auditor, do you agree with the design and operating effectiveness of these controls? This is your task at hand … Help management optimize its risk profile DePaul University ? IS 344/ IS444 IT Auditing 11 Today’s Learning Outcomes ? Develop an understanding of audit standards and why these are important and fundamental to our profession ? Develop an understanding of control frameworks (such as COBIT) and how these can be used to help perform an IT audit Week 3 DePaul University – IS 344/IS444 IT Auditing 12 IT AUDIT PROFESSIONAL STANDARDS OF PRACTICE Week 3 DePaul University – IS 344/IS444 IT Auditing 13 The alphabet soup of audit standards… AICPA IIA SAS ISACA GAO GAAS NIST Week 3 FIPS DePaul University – IS 344/ IS444 IT Auditing 14 Professional Standards – Growth of the IT Audit Profession 1969 - Electronic 1978 - The Data Processing Certified Auditors Association Information (EDPAA)—the future Systems Auditor ISACA—is (CISA) certification incorporated in Los is introduced. Angeles, California, 1981 - The USA. organization moves 1976 - EDPAA into its first dedicated establishes the EDP office space on South Auditors Foundation. Schmale Road in Carol The organization Stream, Illinois, USA, reaches 1,500 and institutes its members across 19 Three-Year Long chapters. The first Range Plan. chapters outside of the United States are established, in Mexico City, Mexico, and Sydney, Australia. Week 3 1994 - The organization formally changes its name from EDPAA to Information Systems Audit and Control Association (ISACA). ISACA has more than 14,000 members, with 134 chapters in nearly 60 countries. ISACA celebrates its 25th anniversary. 
DePaul University – IS 344/ IS444 IT Auditing 2019 - ISACA turns 50. After five decades, the association has 135,000 members, 220+ chapters and nearly 200 staff members. 1996 - The Control Objectives for Information and Related Technology (COBIT) framework is introduced. 15 Standards – added context ? Numerous governing bodies provide standards that guide the work of the IT audit professional ? These standards, in many cases, overlap, however, in some areas, there are distinct differences ? Audit professionals must understand which standards apply to their body of work ? Audit professionals must continue to stay abreast of any changes related to professional standards, and apply those changes to their work efforts as required Before we dive further into this topic – why do you think standards are important for the IT audit professional? Week 3 DePaul University – IS 344/ IS444 IT Auditing 16 Who writes all these standards? It depends on your audit role ………….. External Auditing ? ? Public Company Accounting Oversight Board (PCAOB) American Institute of Certified Public Accountants (AICPA) – – ? ? Generally Accepted Accounting Principles (GAAP) Certified Public Accountants (CPAs) Week 3 The Institute of Internal Auditors (IIA) – ? ? Government Auditing • Statements on Internal Auditing Standards (SIAS) Information Systems Audit & Control Association (ISACA) – Financial Accounting Standards Board (FASB) – ? 
Generally Accepted Auditing Standards (GAAS) Statements of Auditing Standards (SAS) Internal Auditing – • COBIT: Control Objectives for Information Technology Certified Internal Auditor (CIA®) or Certified Information Systems Auditor (CISA®) DePaul University – IS 344/ IS444 IT Auditing Government Accountability Office (GAO) National Institute of Standards and Technology (NIST) – • The “Yellow Book” or Government Auditing Standards Federal Information Processing Standards (FIPS) Certified Government Auditing Professional® (CGAP®) 17 Internal Auditors (e.g., work for Boeing, Allstate, etc.) Key Takeaways……….. ? Internal Auditing ? The Institute of Internal Auditors (IIA) – ? ? International Standards for the Professional Practice of Internal Auditing (Standards) Information Systems Audit & Control Association (ISACA) – ? ? 1. IT Standards Certified Internal Auditor (CIA®) or Certified Information Systems Auditor (CISA®) 2. 3. 4. ? ? Week 3 Publicly-traded corporations typically have an internal auditing department, led by a Chief Audit Executive ("CAE") or Director of Internal Audit, who generally reports to the Audit Committee of the Board of Directors. The Internal Audit profession is not formally regulated like the external audit profession, however, the Institute of Internal Auditors ("IIA") has established International Standards for the Professional Practice of Internal Auditing (Standards). The purpose of the Standards is to: Delineate basic principles that represent the practice of internal auditing. Provide a framework for performing and promoting a broad range of value-added internal auditing. Establish the basis for the evaluation of internal audit performance. Foster improved organizational processes and operations. For the IT audit and assurance profession, ISACA has also developed standards of practice to support IT assurance activities. CIA or CISA designation can be obtained. Note – Internal Auditors can also be CPAs. 
DePaul University – IS 344/ IS444 IT Auditing 18 Internal Auditors ? The International Professional Practices Framework (IPPF) is the conceptual framework that organizes authoritative guidance promulgated by The Institute of Internal Auditors. IPPF guidance includes: ? Mandatory Guidance Definition of Internal Auditing Code of Ethics Standards Strongly Recommended Guidance Position Papers Practice Advisories Practice Guides ? https://www.theiia.org/sites/auditchannel/Pages/Videos.aspx?v=3805666 39 Week 3 DePaul University – IS 344/IS444 IT Auditing 19 Internal Auditors ? On July 6, 2015, the Institute of Internal Auditors (“IIA”) introduced enhancements to its International Professional Practices Framework (“IPPF”)®. These changes include: – The introduction of a Mission of Internal Audit and articulation of 10 Core Principles for the Professional Practice of Internal Auditing ? MISSION: To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. Week 3 DePaul University – IS 344/ IS444 IT Auditing 20 10 Core Principles for the Professional Practice of Internal Auditing ? The Core Principles, taken as a whole, articulate internal audit effectiveness. For an internal audit function to be considered effective, all Principles should be present and operating effectively. 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. Week 3 Demonstrates integrity. Demonstrates competence and due professional care. Is objective and free from undue influence (independent). Aligns with the strategies, objectives, and risks of the organization. Is appropriately positioned and adequately resourced. Demonstrates quality and continuous improvement. Communicates effectively. Provides risk-based assurance. Is insightful, proactive, and future-focused. Promotes organizational improvement. DePaul University – IS 344/ IS444 IT Auditing 21 ISACA’s Information Technology Audit Framework (ITAF) ? 
ISACA's Information Technology Audit Framework (ITAF) is a comprehensive IT audit framework that:
– Establishes standards that address IT audit and assurance practitioners' roles and responsibilities, ethics, expected professional behavior, and required knowledge and skills;
– Defines terms and concepts specific to IT audit and assurance;
– Provides guidance and techniques for planning, performing and reporting of IT audit and assurance engagements.
Based on ISACA material, ITAF provides a single source for IT audit and assurance practitioners to obtain guidance on the performance of audits and the development of effective audit reports. The 3rd Edition of ITAF incorporated IT audit and assurance standards and guidance effective 1 November 2013. Prior to issuing the 4th Edition of ITAF, ISACA released an exposure draft for comment, and more than 65 reviewers provided their feedback. The 4th Edition of ITAF is effective October 2020.
Source: IT Audit Framework (ITAF™): A Professional Practices Framework for IT Audit, 4th Edition. ISACA. All Rights Reserved.

ITAF – Frequently Asked Questions
To whom does ITAF apply? ITAF applies to individuals who act in the capacity of IT audit and assurance practitioners and are engaged in providing assurance over IT processes, components of IT applications, systems and infrastructure. However, care has been taken to design these standards, guidelines and auditing techniques in a manner that also may be beneficial to a wider audience, including users of IT audit and assurance reports.
When should ITAF be used? The application of the framework is a prerequisite to conducting IT audit and assurance work. The standards are mandatory. The guidelines, tools and techniques are designed to provide nonmandatory assistance in performing assurance work.
In which circumstances should ITAF IT audit and assurance standards and related guidance be used?
ITAF's design recognizes that IT audit and assurance practitioners are faced with different requirements and types of assignments, ranging from leading an IT-focused audit to contributing to a financial, compliance or operational audit. ITAF is applicable to any IT audit or assessment engagement.
Does ITAF address requirements for consultative and advisory work? In addition to performing audits, IT audit and assurance practitioners may undertake non-audit engagements for their employers or on behalf of clients. These consultative and advisory engagements usually involve review of a particular area. For a number of reasons, including the nature of the work (particularly the degree of testing and the scope of the engagement), the IT audit and assurance practitioner usually does not issue a formal audit report. Instead, the consultative and advisory work typically concludes with an opinion (possibly expressed via memorandum) on current performance and suggestions for improvement.
Source: IT Audit Framework (ITAF™): A Professional Practices Framework for IT Audit, 4th Edition. ISACA. All Rights Reserved.

ITAF – Overview of Standards
ITAF standards are divided into three categories:
– General standards (1000 series): Detail the IT assurance profession's guiding principles. These principles apply to all engagements, including but not limited to the IT audit and assurance practitioner's ethics, independence, objectivity and due care, as well as knowledge, competency and skill.
– Performance standards (1200 series): Deal with the conduct of the engagement, such as planning and supervision, scoping, risk assessment, resource mobilization, engagement management, audit and assurance evidence, and the exercising of professional judgment and due care.
– Reporting standards (1400 series): Address the types of reports, the means of communication, and the information communicated.
Source: IT Audit Framework (ITAF™): A Professional Practices Framework for IT Audit, 4th Edition. ISACA. All Rights Reserved.

Auditor Independence & Objectivity
– Independence – policies, reporting lines, and structures that provide for "independence" of the internal and IT auditor; the typical example is an independent reporting line to the Audit Committee of the Board.
– Objectivity – an individual behavior in which an auditor remains free of bias when performing the audit.
– Both are critical components if the audit is to add value to the organization: reports and opinions need to be free of bias or influence.

Auditor Independence & Objectivity
– Why is this important to the assurance/audit professional?
– Let's discuss the perspective from the external auditor angle …

Due Professional Care
– Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
– External auditors (1):
  – AU Section 230 – Due professional care imposes a responsibility upon each professional within an independent auditor's organization to observe the standards of field work and reporting.
  – Due professional care requires the auditor to exercise professional skepticism. Professional skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence.
(1) http://pcaobus.org/Standards/Auditing/Pages/AU230.aspx

Due Professional Care – IT Auditors
1005 – Due Professional Care
1005.1 In accordance with ISACA's Code of Professional Ethics, auditors will exercise due diligence and professional care. They will maintain high standards of conduct and character, and they will refrain from engaging in acts that may discredit themselves or the profession.
Privacy and confidentiality of information obtained during the course of the auditor's duties should be maintained. Further, this information should not be used for personal benefit, nor should the information be disclosed unless required by legal authority.

Due Professional Care – Internal Auditors
1220 – Due Professional Care
Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.
1220.A1 – Internal auditors must exercise due professional care by considering the:
– Extent of work needed to achieve the engagement's objectives;
– Relative complexity, materiality, or significance of matters to which assurance procedures are applied;
– Adequacy and effectiveness of governance, risk management, and control processes;
– Probability of significant errors, fraud, or noncompliance; and
– Cost of assurance in relation to potential benefits.

Ethical Standards
– To be an auditor, one must have high ethical standards.
– Auditors are trusted individuals.
– CPA, CIA, and CISA certifications require auditors to adhere to a Code of Professional Ethics: https://www.isaca.org/credentialing/code-of-professional-ethics

Auditor Standards of Practice
– Auditors, as we have discussed, have standards of practice that must be followed.
– These standards include guidance on conducting audits, ethics, and due professional care.
– In addition, auditors should possess:
  – Experience with a particular industry and/or the specific business
  – Technical skills that provide the ability to understand and communicate technical information
  – Communication skills that enable the auditor to bridge the gap between IT professionals and business management

Professional skepticism – does it matter?
PCAOB Board Member Jeanette M. Franzel thinks it does:
"The application of professional skepticism throughout the audit is a foundational aspect of audit quality and the integrity of the audit process."
"Yet, the PCAOB and other regulators around the world have expressed concern about the continued high rate of audit deficiencies identified in their inspections and other oversight activities. And many of these deficiencies appear to be associated with the insufficient exercise of professional skepticism."
QUESTION – What does this issue really mean?
ANSWER – If an auditor does not appropriately apply professional skepticism, they may not obtain reliable and sufficient evidence to support their opinion!
Source: http://pcaobus.org/News/Speech/Pages/08052013_AAA.aspx

Professional skepticism – a continuum, based on risk
[Figure: skepticism applied along a risk continuum; apply more to higher risk areas. Source: Enhancing Auditor Professional Skepticism]

Professional skepticism – how do you get better at this?
– Tone at the top – the Chief Audit Executive (or, within the 2nd line, the Chief Information Security Officer) is responsible for, among other things, setting an appropriate tone that emphasizes the need to maintain a questioning mind throughout the IT audit and to exercise professional skepticism in gathering and evaluating evidence.
– However, it is the responsibility of each IT auditor to apply professional skepticism throughout each phase of the IT audit process.
– Well thought out policies and procedures for performing IT audits, including appropriate supervision and engagement oversight.
– Awareness of incentives or pressures that may impede the ability to exercise professional skepticism and objectivity.
– Building and maintaining an appropriate system of quality control aligned with IT audit and/or internal audit professional standards.

What are the risks of a weak IT audit program?
Where were the IT auditors? As key providers of information assurance, this is the logical question that SHOULD be asked when an IT risk event (e.g., a breach) occurs.
IT audit failure = false assurance. Typical contributing weaknesses:
– Lack of a quality assurance process
– IT audit risk assessment
– Engagement planning and review
– Lack of understanding of audit scope
– Lack of due professional care – professional skepticism, objectivity and independence
– Communicating and monitoring results
– Skills and competencies
Steps to mitigate or manage these risks – protecting the internal audit brand. Let's discuss …

How am I supposed to remember all these standards?
– Auditors must exercise due professional care.
– Auditors must maintain independence and objectivity.
– Auditors must have high ethical standards.
– Auditors use a common definition of internal control.
– Purpose is to formulate opinions or provide assurance on internal controls.
– Auditors must possess and maintain the necessary technical skills.

BREAK – 15 minutes

IT FRAMEWORKS – TOOLS OF THE TRADE

What's the difference between a standard and a framework?
– Standards are the rules of the road for audit professionals.
  – As discussed before the break, standards provide the structure to perform an IT audit – from planning, to performing fieldwork, to reporting.
  – Standards also provide rules related to independence, objectivity, and professional skepticism.
– An IT framework (such as COBIT), on the other hand, is a tool that can be used by management to improve IT operations and can also be used by an auditor to aid in the performance of an actual audit.

How do we use frameworks?
Control frameworks such as COBIT can be used to conduct an entity-wide IT risk assessment, support a detailed audit, or provide best practice guidance on the design of controls.
– Step 1: Evaluate the design of controls – e.g., how does a company manage user access administration?
– Step 2: Look to COBIT or other frameworks to determine whether enhancements can be made to improve the design of controls.
– Step 3: Provide recommendations to Management using COBIT or other frameworks as a source of best practices.

Let's look at one framework in particular
For an update based on COBIT 2019, check out: http://www.isaca.org/COBIT/Pages/COBIT-2019-Framework-Governance-and-Management-Objectives.aspx

What Is/Is Not COBIT?
COBIT:
– Defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills and infrastructure.
– Defines the design factors that should be considered by the enterprise to build a best-fit governance system.
– Addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
COBIT is not:
– A full description of the whole IT environment of an enterprise.
– A framework to organize business processes.
– An IT technical framework to manage all technology.
– Prescriptive about IT-related decisions: it will not decide what is the best IT strategy, architecture, cost, etc.

COBIT – Process Model
[Figure: COBIT 5 process reference model. Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.]

COBIT – An IT Process Detailed Reference Tool
High-level process: APO10 Manage Suppliers
Sub-processes:
– APO10.01 – Identify and evaluate supplier relationships
– APO10.02 – Select suppliers
– APO10.03 – Manage supplier relationships and contracts
– APO10.04 – Manage supplier risk
– APO10.05 – Monitor supplier performance and compliance
Control "activities" (for APO10.05):
1. Define and document criteria to monitor supplier performance
2. Monitor and review service delivery in relation to the contract
3. Review against market conditions
4. Request independent reviews, if necessary
5. Record and assess review results and discuss with the vendor
6. Monitor and evaluate externally available data about the supplier
Source: COBIT® 5, © 2012 ISACA® All rights reserved.

Other tools of the trade
The following frameworks can also be used by the IT auditor to identify opportunities for improvement:
– ITIL
– FFIEC
– ISO
– NIST (Professor Phillips will do a deep dive on this framework for IT cybersecurity)
– And many more…

Information Technology Infrastructure Library (ITIL)
– ITIL is a public framework that describes best practice in IT service management.
– ITIL provides a framework for delivering IT services to customers.
– ITIL was published between 1989 and 1995 by Her Majesty's Stationery Office (HMSO) in the UK on behalf of the Central Computer and Telecommunications Agency (CCTA), later subsumed within the Office of Government Commerce (OGC).
– ITIL V3 consisted of five core books covering the service lifecycle, together with the Official Introduction; in February 2019, ITIL 4 superseded ITIL V3.
– Can be used in conjunction with frameworks (such as COBIT and CMMI) and standards (such as ISO/IEC 20000 and ISO 9000).

ITIL 4 Components
IT Service Value System – includes the ITIL:
– Service Value Chain
– ITIL Practices
– ITIL Guiding Principles
– Governance
– Continual Improvement
Service management is a set of specialized organizational capabilities for providing value to customers in the form of services.
Four Dimensions Model:
– Organizations and people
– Information and technology
– Partners and suppliers
– Value streams and processes

FFIEC Guidance
http://www.ffiec.gov/ffiecinfobase/index.html
– The Federal Financial Institutions Examination Council (FFIEC) was established by Congress in 1979 to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, to make recommendations to promote uniformity in the supervision of financial institutions, and to conduct schools for examiners. The IT Examination InfoBase (link above) is where the FFIEC publishes its IT examination guidance.
– The 1996 edition of the FFIEC Information Systems Examination Handbook was the last single, monolithic version; it ran to two volumes of over seven hundred pages. It has since been replaced by the IT Examination Handbook, issued as a series of separately updated booklets (see below).
– An interagency working group, composed of representatives from each of the FFIEC's five member agencies at the time, developed that version:
  – The Board of Governors of the Federal Reserve System (FRB),
  – The Federal Deposit Insurance Corporation (FDIC),
  – The National Credit Union Administration (NCUA),
  – The Office of the Comptroller of the Currency (OCC), and
  – The Office of Thrift Supervision (OTS).
  (Note: the OTS was merged into the OCC in 2011 under the Dodd-Frank Act; the Consumer Financial Protection Bureau (CFPB) now holds the fifth seat.)

FFIEC IT Examination Handbook
– Includes 11 booklets across a range of IT topics.
– Each booklet includes a narrative overview of the area, a work program and other supporting materials.
– Can be used as a resource for the IT audit professional, as well as IT management.

ISO Standards – International Organization for Standardization
– ISO has developed over 18,000 International Standards on a variety of subjects, and some 1,100 new ISO standards are published every year (figures as of the slide's date).
– E.g., 177 standards on Information Security listed at http://www.iso.org/iso/home.htm

PMBOK® Guide and Standards
Project Management Body of Knowledge (PMBOK). The PMBOK® Guide – Fourth Edition represents generally recognized good practice in the profession of project management. Its coverage:
– Project Lifecycles and Organization
– Project Integration Management
– Project Scope Management
– Project Time Management
– Project Cost Management
– Project Quality Management
– Project Human Resources Management
– Project Communication Management
– Project Risk Management
– Project Procurement Management
http://www.pmi.org/PMBOK-Guide-and-Standards.aspx

SUPPLEMENTAL SELF-STUDY

#1 – Applying a framework – COBIT
– Learning Objective | Use COBIT to assess risks and opportunities for process improvement.
– Refer to the hand-out. Review the questions in the case study materials.
– Est. time = 15 minutes
– NEXT WEEK – be prepared to discuss …

#2 – Video on COBIT and IT frameworks
Introducing COBIT® 2019
– Listen to the video: https://youtu.be/KJLAJSZbfIM
– Est. time = video is 2 minutes
CHOOSING THE RIGHT SECURITY FRAMEWORK(S) – Is It NIST? ISO 27K? COBIT? Apples? Oranges?
– Listen to the video: https://youtu.be/Cf27RkqxQUc
– Est. time = video is 17 minutes
– NEXT WEEK – be prepared to discuss …

#3 – When IT audits fail
This supplemental reading focuses on the importance of IT audit standards.
– Read:
  – OCC Assesses $80 Million Civil Money Penalty Against Capital One: https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-101.html
  – UNITED STATES OF AMERICA, DEPARTMENT OF THE TREASURY, OFFICE OF THE COMPTROLLER OF THE CURRENCY – CONSENT ORDER: https://www.occ.gov/static/enforcement-actions/ea2020-036.pdf
– Est. time = 10 minutes
– NEXT WEEK – be prepared to discuss …

REVIEW LEARNING POINTS AND PREVIEW NEXT WEEK

Review Learning Outcomes
– Developed an understanding of audit standards and why these are important and fundamental to our profession.
– Developed an understanding of control frameworks (such as COBIT) and how these can be used to help perform an IT audit.

Preview Next Week
– Topics: types of IT audit projects; the IT audit process.
– Consult the class syllabus for timing of Homework #2.
– Students should post their comments this week in the Discussion Forum within D2L.

IS 444 – IT Auditing – Spring 2021 – Week 2 | Thurs, April 8th
DePaul University
IT Auditing: Learning Map (Professors Phillips & Enstrom)
[Figure, reconstructed; weeks 6–9 are listed in the order they appear in the figure.]
Build the foundation:
– Week 1 – Business, IT environment, corporate governance
– Week 2 – IT governance, ERM and IT risk
– Week 3 – Audit standards & frameworks (tools of the trade)
– Week 4 – IT assessment process (how we conduct an audit)
– Week 5 – Application controls, data analytics and fraud
Apply IT risk and control assessment concepts:
– Week 6 – Cybersecurity Part 1 – risks, IAM, BCP/DR
– Week 7 – Cybersecurity Part 2 – CSF & IRP
– Week 8 – 3rd party risk – cloudy days
– Week 9 – Auditing systems development
Corporate governance summation:
– Week 10 – Governance, Risk and Compliance

Today's Class Outline (topic / est. duration / est. times; reconstructed from the slide table)
– Review last week's key learning points – 10 min – 5:45 pm (start)
– IT Governance – preview topic – 5 min
– Small group activity: IT Is From Venus, Non-IT Is From Mars* – 25 min
– IT Governance, through the COBIT lens – 25 min
– BREAK – 10 min – 6:50–7:00 pm
– Enterprise Risk Management (ERM) – 50 min
– BREAK – 10 min – 7:50–8:00 pm
– Small group activity: BDI Case Study* – 35 min
– Wrap up, homework #1, preview next week – 10 min – 8:45 pm (end)
* Materials in the Content section of D2L for Week 2

Today's Learning Outcomes
– Develop an understanding of why IT governance is the starting point for the IT auditor.
– Develop an understanding of how Enterprise Risk Management can support a more effective corporate governance structure.

Review Last Week's Key Takeaways (fill in the blanks)
– Big Idea #1 – IT auditors and assurance professionals assist organizations by evaluating business and IT-related risks and the ________ of the organization's system of internal controls, thereby providing _________ to key stakeholders.
– Big Idea #2 – COSO and COBIT provide _______ for the design of a company's system of internal controls.
– Big Idea #3 – Business risk, specifically IT-related risk, is mitigated through a company's system of ______.
– Big Idea #4 – Taken together, these concepts can be viewed as a key component of a company's overall _______ structure.

Key Takeaways – the BIG IDEAS!
– IT auditors and assurance professionals assist organizations by evaluating business and IT-related risks and the effectiveness of the organization's system of internal controls, thereby providing assurance to key stakeholders.
– COSO and COBIT provide frameworks for the design of a company's system of internal controls.
– Business risk, specifically IT-related risk, is mitigated through a company's system of internal controls.
– Taken together, these concepts can be viewed as a key component of a company's overall IT governance structure.

Other takeaways (cont'd)
– An emerging corporate governance paradigm, the three lines (of defense), is also gaining traction, both in the US and internationally.
– The Organisation for Economic Co-operation and Development (OECD) and the Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control – Integrated Framework highlight the importance of monitoring a company's system of internal controls. This role can be performed by 2nd line (Compliance, Risk or Information Security) or Internal Audit functions (3rd line).

Sources of IT Risk
[Figure: sources of IT risk]

Evaluating the root cause
Understand sources of risk:
– What human factors may have played a role?
– What is the policy related to making changes to their systems?
– What is the process used to make changes to their systems?
– What is the technical configuration of their systems – e.g., is there a mirrored or duplicate version available?
– Remember to ask why? (5 times!)
Let's Discuss Some More
– How does a lack of policy introduce risk into the IT environment?
– How does a weakness in operational procedures introduce risk into the IT environment?
– How does a weakness in the technical configuration introduce weakness into the IT environment?
Key Question – How can Management implement changes that will result in sustainable improvement in operational controls?

Final Review Points
– The origin of the word "audit" means the act of hearing.
– Why is this relevant for our discussion? As auditors, we must listen carefully to what management is telling us, and then think critically and creatively about how to help Management improve the organization's system of controls.
– In the past (and in some internal audit departments today) internal audit is purely a "verification" function, checking the box so to speak.
– However, the internal audit role is changing: auditors need to "add value" and assist in improving business processes.

Final Review Points – How do we add value?
– IT auditors have the opportunity to add value to their organizations by focusing management's attention on the root cause of weaknesses in their IT environment.
– If our recommendations only focus on the symptoms (poor passwords) and not the root cause (weak IT governance and policy, and a poorly designed process for configuring passwords), we fail to provide management with insights that will help them improve both the efficiency and effectiveness of their operations over the longer term.
– Often, these weaknesses are the result of poor or ineffective IT governance. This is our next topic!

IT GOVERNANCE
IT Governance, the Starting Point
About 3 million Google hits. What does this term actually mean in practice? We need to develop a common language.

What IT Governance Means to You – Zoom Small Group Discussion
– First, re-read the WSJ article titled "IT Is From Venus, Non-IT Is From Mars".
– Define IT governance (in your own words), then discuss the following:
  1. Who is responsible for IT governance?
  2. Should IT ever say "no, we can't do that"?
  3. What role does IT governance play in today's business environment?
  4. Why is IT governance the starting point for the IT auditor (or IT risk management professional)?

From IT governance to "Enterprise Governance of Information and Technology"
– From COBIT – governance objective = "value creation".
– Governance is about deciding amongst various stakeholder needs:
  – What are the benefits?
  – What are the risks?
  – What resources are required?
Source: COBIT® 2019 Framework: Introduction and Methodology

What Is/Is Not COBIT?
COBIT:
– Defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills and infrastructure.
– Defines the design factors that should be considered by the enterprise to build a best-fit governance system.
– Addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
COBIT is not:
– A full description of the whole IT environment of an enterprise.
– A framework to organize business processes.
– An IT technical framework to manage all technology.
– Prescriptive about IT-related decisions: it will not decide what is the best IT strategy, architecture, cost, etc.
COBIT 2019
[Figure: Source: COBIT 2019, figure 1.1 © 2019 ISACA® All rights reserved.]

COBIT – Core "Process" or Reference Model
The governance and management objectives in COBIT are grouped into five domains. The domains have names with verbs that express the key purpose and areas of activity of the objectives contained in them.
– Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) domain. In this domain, the governing body evaluates strategic options, directs senior management on the chosen strategic options and monitors the achievement of the strategy.
– Management objectives are grouped in four domains:
  – Align, Plan and Organize (APO) addresses the overall organization, strategy and supporting activities for information and technology (I&T).
  – Build, Acquire and Implement (BAI) treats the definition, acquisition and implementation of I&T solutions and their integration in business processes.
  – Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T services, including security.
  – Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance of I&T with internal performance targets, internal control objectives and external requirements.
Source: COBIT 2019, © 2019 ISACA® All rights reserved.

COBIT – An IT Process Detailed Reference Tool
"EDM" is the domain – think governance processes = top of the house.
High-level processes (governance objectives):
– EDM01 – Ensured governance framework setting and maintenance
– EDM02 – Ensured benefits delivery
– EDM03 – Ensured risk optimization
– EDM04 – Ensured resource optimization
– EDM05 – Ensured stakeholder engagement
Sub-processes, controls or "business activities" for EDM05 – Ensured stakeholder engagement:
– EDM05.01 Evaluate stakeholder engagement and reporting requirements.
– EDM05.02 Direct stakeholder engagement, communication and reporting.
– EDM05.03 Monitor stakeholder engagement.
Source: COBIT 2019, figure 4.1 © 2019 ISACA® All rights reserved.

Mapping back to COBIT – What is IT governance?
[The processes used to] Evaluate, Direct and Monitor (EDM)
Source: COBIT 2019, figure 5.1 © 2019 ISACA® All rights reserved.

Governance vs. Management
– Governance ens...