IT Auditing and the Challenge of New Technologies June 16, 2011
Slide 1: IT Auditing and the Challenge of New Technologies
June 16, 2011
Presented by: Jay Bowman, CISA, CISM
Slide 2: This Morning’s Topics
• Evolution of technology and its applications
• What this means in terms of opportunities
• What this means in terms of risks
• What this means in terms of providing internal audit coverage
• Actions you and your institution can take
Slide 3: Evolution of Technology
The rapid changes in technology during our lifetimes have made possible services our parents couldn’t even dream of.
• Building Blocks
• Computers
• Telephones
• Technology-Based Services
Slides 4 to 9: Technology Building Blocks (images only)
Slides 10 to 18: Computers (images only)
Slides 19 to 31: Telephones (images only)
Slides 32 to 35: Technology-Based Services
The Atlanta Payments Project
• Electronic Payments Services
  – Check Authorization
  – Telephone Banking
  – Point-of-Sale Transactions
  – Automated Clearinghouse (ACH)
  – Check Truncation
• Implementation Considerations & Obstacles
  – Technology
    – Storage Limitations and Costs
    – Communications Speeds and Costs
    – Processor Speeds and Costs
  – Consumer Acceptance
Slides 36 to 41: Considerations and Obstacles
• Storage Limitations and Costs
• Communications Speeds and Costs
• Processor Speeds and Costs
• Consumer Acceptance: older consumers are generally much slower to adopt new technology/services.
Slides 42 to 48: Technology-Based Services
The Atlanta Payments Project: Electronic Payments Services
• Check Authorization
• Telephone Banking
• Point-of-Sale Transactions
• Automated Clearinghouse (ACH)
• Check Truncation
Slides 49 to 50: What does all this mean in terms of IT internal audit?
Slides 51 to 52
New technologies carry the same risks, challenges and rewards as the old technologies! And the same audit requirements!
Slide 53: New Technologies?
First, what we’re really talking about is new applications of existing technologies.
• Cloud Computing
• Mobile Banking
Slides 54 to 56: Cloud Computing
The “new” cloud computing is an evolution of the “old” distributed computing:
• Relies on the Internet instead of private networks
• Not all resources may be “owned” or “controlled” by the user of the cloud
Slides 57 to 61: Mobile Banking
An evolution of the “old” telephone banking:
• Un-tethered
• Technology and cost impediments disappearing
• Potential limited only by imagination and the ability of management to allocate time to plan, implement and market
Slide 62: Opportunities
• Reduce (or keep the lid on) costs
• Attract new members
• Retain existing members
Slide 63: Risks
• Increased costs (without corresponding increases in members and/or revenues)
• Loss of members
• Security and/or privacy breaches
• Access control
• Regulatory criticism
Slides 64 to 65: How do we audit the new technology applications?
By following the same methodical, risk-based approach that has successfully been applied in earlier phases of the evolution of technology and its applications.
Slide 66: The Challenges
• To provide “appropriate” Information Technology (IT) coverage that complements internal audits of financial and operational areas in a timely and cost-effective manner.
• To present complex technical findings in business terms that Management and Directors can understand and properly respond to.
Slides 67 to 68: The Alternatives
• Internal Auditor performs IT audits
• Full-time IT internal auditor on staff
• Co-source IT internal audits
• Rely on external auditors
• Other
Slide 69: Issues Surrounding Alternatives
• Adequacy of Coverage
  – Subject Matter Expertise
  – Depth of coverage
  – Availability of time
• Maintenance of Requisite Knowledge
• Awareness of Best Practices
• Continuity/Institutional Knowledge
• Regulatory Environment
• Cost
Slide 70: IT Audit Approach
• Risk Assessment
• IT Internal Audits
• Monitoring and Follow-up
Slides 71 to 73: IT Internal Audit Risk Assessment
• Risk Categories
  – Financial
  – Operational
  – Technology
  – Reputational
  – Regulatory Compliance
• Evaluation Process/Management Involvement
• Risk Ratings/Allocation of Resources
Slide 74: IT Risk Assessment Model
The IT Risk Assessment Model is composed of nine major dimensions:
– Strategy and Planning
– Outsourced Vendor Management
– Disaster Recovery/Business Continuity Planning
– Infrastructure Support and Maintenance
– Information Security
– Systems Development & Maintenance
– Systems Support & Operations
– Governance
– Critical Applications
Slides 75 to 79: Strategy and Planning
Planning is critical to ensure that IT goals support the overall goals of the institution.
• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)
• Short-range (annual) IT plans describe the implementation steps/projects, identify appropriate resources, and include detailed budgets.
• Plans should consider technological changes and opportunities, and will define the information systems architecture for the institution.
• Progress against the plans is monitored by senior management.
Slide 80: Outsourced Vendor Management (VM)
Management of the institution retains responsibility regardless of whether functions are outsourced.
• A VM policy establishing ownership and procedures has been approved by the Board
• Risk assessments are performed prior to outsourcing
• Vendor evaluation and selection procedures are formalized
• Standards for contracts and service level agreements have been established
• Existing service providers are reviewed and monitored
• A VM program report is presented annually to the Board
Slide 81: Disaster Recovery/Business Continuity Planning
The institution has developed and documented a comprehensive IT Disaster Recovery Plan and associated Business Continuity Plans.
• The Plan includes a Risk Assessment of likely threat scenarios
• Threat scenarios address impact on systems, facilities and people
• Business Impact Analyses (BIAs) have been prepared for all departments and functions
• Qualified personnel are responsible for keeping the Plan current
• The plan is tested regularly with feedback to address “failures”
• The Board receives an annual report on the plan and testing results
Slide 82: Infrastructure Support and Maintenance
Infrastructure Support and Maintenance includes those components of information technology which support computer operations and business applications, and consists of:
• Operating Systems
• Networks
• Databases
• Hardware
• Software
Slide 83: Infrastructure Support and Maintenance
The institution has resources and procedures in place to provide a stable, serviceable IT environment.
• A current and complete inventory of hardware, software, and network (data and voice) devices is maintained
• Qualified resources monitor and maintain the network infrastructure
• There is a formal plan to ensure the IT infrastructure is stable and meets business requirements in terms of cost, availability, scalability, redundancy, interoperability, functionality, etc.
• There are formal equipment maintenance plans for all hardware, software, and network devices
• Monitoring mechanisms are in place to alert management of device and system failures
• There are service contracts to provide back-up equipment and assistance in the event of an infrastructure failure
Slide 84: Information Security
Information security policies, procedures, standards, and guidance and/or the information security architecture will define how security features and functionality are to be administered.
• Tools and Techniques
• Access Restrictions
• Authentication
• Password Strengths
• Security Monitoring and Logon Attempts
Slide 85: Information Security
The institution has resources and procedures in place to appropriately secure infrastructure and information.
• There is a Board-approved information security policy.
• The policy has been distributed to all employees, who annually sign an affirmation of their understanding.
• There is an information security officer who is independent of IT functions.
• Users are assigned formal roles/profiles for the network and system that are based on job responsibilities.
• The organization maintains virus detection software for all workstations and servers.
• There have been no security breaches.
Slide 86: Systems Development & Maintenance
Many institutions do not develop or maintain applications in-house. For those institutions that do develop software, the areas of focus consist of:
• Systems Development Life Cycle (SDLC)
• Application Version Control
• Change Control Procedures
• User Acceptance Testing
Slide 87: Systems Development & Maintenance
The institution has the necessary organization, tools and procedures to ensure reliable systems are developed on time and securely.
• The institution has adopted a Systems Development Life Cycle (SDLC) methodology
• There is a centralized Project Management function to coordinate and manage IT resources across the institution.
• Separate environments are maintained for testing new systems and/or system enhancements and modifications.
• A controlled process is used to move changes into production
Slide 88: System Support and Operations
Those IT functions that support processing:
• Job Scheduling
• Data and Software Back-up
• Production Control
• Media Management
• Help Desk
• Procedural Documentation
• Anti-virus Measures
Slide 89: System Support and Operations
The institution has the organization, tools and procedures to schedule and operate systems in a timely and reliable manner.
• An Operations Procedural Manual has been developed which includes escalation procedures to be performed in the event of a systems failure.
• Automated job schedulers ensure batch jobs are processed on time and in the correct order.
• Monitoring devices ensure operational failures are detected for corrective action. Production failures are recorded and analyzed.
• All software and data are backed up on a routine basis.
• An Operations Committee meets regularly to review systems performance and discuss ways to improve overall operations.
• A centralized help desk responds to system problems.
Slide 90: Governance
IT policies and practices should align with applicable statutory and regulatory guidance such as:
• HIPAA (personnel-related requirements)
• Sarbanes-Oxley (not credit unions…yet)
• Gramm-Leach-Bliley Act
• NCUA guidance
• FFIEC IT Handbooks
Slide 91: Governance
The institution has the organization, tools and procedures to ensure compliance with applicable guidance.
• The institution has developed a process to identify IT statutory and regulatory requirements.
• An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.
• Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually.
• An IT Control Self Assessment Process is used to evaluate compliance with documented IT Policies and Procedures.
• A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.
Slide 92: Critical Applications
For applications critical to its mission and ongoing operations, the institution has instituted appropriate procedures and controls.
• The institution has developed and maintains an inventory of mission-critical applications
• The organization has identified and/or developed specific controls for each critical application related to:
  – Security
  – Data Validation and Control
  – Error Processing
  – Interface Controls
  – Accounting Controls
  – Error Reporting
  – System Testing
• A Systems Control Self Evaluation is periodically performed for each critical system.
Slide 93: IT Audit Approach
• IT Internal Audits
![Page 94: IT Auditing and the Challenge of New Technologies June 16, 2011](https://reader035.fdocuments.in/reader035/viewer/2022070402/568137d9550346895d9f789b/html5/thumbnails/94.jpg)
• Derived from Risk Assessment
– Specific Audits/Frequency
• IT audits are sequenced and cycled based on relative risk
– Timetable for Deliverables
– Other Considerations
• Alignment with financial / operational audit plan
• Significant Change (e.g. new processing system)
• Support of External Auditors
• Key Management/Staff Availability
• Regulatory Examination Schedule
• Major issue: Granular IT audits vs. “IT General Controls” audit
IT Internal Audit Schedule
94
• Risk assessment results
• Size of institution and IT shop
• Infrastructure complexity
• In-house vs. outsourced core processing
• Regulatory atmosphere and guidance
• Available funding
General Controls vs. Granular
95
• Core Application Admin & Security
• Network Admin & Security
• e-Banking/Mobile Banking
• Computer Operations
• Disaster Recovery/Business Continuity
• Third-Party Vendor Management
• GLBA 501(b) Customer Information Privacy
• FedLine Advantage
IT Internal Audits
96
• Logical Access Controls
– Procedures for granting, removing and changing access
– Review sample of access control requests
– Test for separated employees still on system
– Evaluate granting of administrator/high-level access
• New Releases and Fixes
– Timely installation
– Appropriate user testing and signoff
– Updating of IT and user documentation
• System-specific requirements
– Changing default IDs and passwords
– Tailoring system settings
• Review and Action upon System Exception Reports
Core Application Admin & Security
97
• Logical Access Controls
– Procedures for granting, removing and changing access
– Review sample of access control requests
– Test for separated employees still on network
– Evaluate granting of administrator/high-level access
• New Equipment, Software Releases and Fixes
– Timely installation
– Appropriate user testing and signoff
– Updating of Network documentation
• Network-specific requirements
– Changing default IDs and passwords
– Tailoring system settings
• Network Vulnerability Assessments (Penetration Tests)
– Frequency, Independence, Rotation, Due Diligence
– Scope/depth/focus of findings; actions in response
Network Admin & Security
98
• Logical Access Controls (Members and employees)
– Procedures for granting, removing and changing access
– Review sample of access control requests
– Test for separated employees
– Evaluate granting of administrator/high-level access
– Monitoring of adjustments, password resets, etc.
– Multi-factor Authentication
• New Releases and Fixes
– Timely installation
– Appropriate user testing and signoff
– Updating of documentation
• System-specific requirements
– Changing default IDs and passwords
– Tailoring system settings
• Member Support – Help Desk, Educational Materials
e-Banking/Mobile Banking
99
• Physical Access Controls
– Procedures/basis for granting, removing access
• Operations employees
• Senior management
• Housekeeping/Building Maintenance/Security
– Access Control Mechanisms/Monitors
– Visitor Access Procedures/Controls
• Physical Infrastructure
– Temperature/humidity sensors and alarms
– Threat/motion sensors and alarms
– Overall housekeeping
• Operations Staff
– Training
– Background checks
Computer Operations
100
• Operating Policies/Procedures/Manuals
– Current
– Complete
• Job Scheduling/Monitoring
– Automatic sequences
– Manual scheduling
– Logging of operator activities/intervention
– Management review of logs
• Computer Room Equipment
– Current Inventory
– Maintenance scheduling and logging
– Failure logging and remediation
• Sensitive Materials Handling and Disposal
– Negotiable instruments
– Confidential reports
Computer Operations (continued)
101
For each of the following areas, determine
• Existence
• Completeness
• Currency
• Plan Development and Support
– Qualified Individual(s) in Charge
– Appropriate skill sets and sufficient time
– Designated individuals throughout the institution
– Involvement of key vendors
– Board/Management support
Disaster Recovery/Business Continuity
102
• Risk Assessment
– Reasonably foreseeable threats
– Likelihood, severity, impact
– Systems, infrastructure, staff
– Must address pandemic flu
• Business Impact Analyses (BIAs)
– All departments and functions
– Impact on their functions, other departments, members, overall institution
• Detailed Plans
– IT: Disaster Recovery Plan
– Other Departments: Business Continuity Plans
– Contents:
• Equipment and software lists
• Inventories of forms and supplies
• Procedures
Disaster Recovery/Business Continuity (continued)
103
• Alternate Location(s)
– Designated
– Stocked with pre-staged procedures, supplies, equipment
• Administrative Components
– Designated Individuals who can Declare Disaster
– Disaster/Damage Assessment Procedures
– Employee Notification Procedures/Calling Trees
– Other Notification Lists
• Directors/Supervisory Committee Chair
• Public Safety Officials
• Regulators
• Key Vendors
• Key Members
Disaster Recovery/Business Continuity (continued)
104
• Testing
– Administrative aspects
• Disaster declaration and assessment
• Appropriate notifications
– Information Technology
• All systems or critical systems
• Ability to locate and retrieve backups and restore from them
• Network(s)
• Key processing vendors
– Other departments
• Prioritized by function
• Tabletop tests
• Tests in conjunction with IT test
– Frequency – at least annually
– Audit participation
– Post-test analyses and reviews
– Remediation plans
Disaster Recovery/Business Continuity (continued)
105
• Policy
– Fixes responsibility and accountability
– Establishes procedures for major components
• Risk Assessment – pre-decision to outsource
– Potential Impact on Strategic Goals
– Management Oversight and Evaluation
– Contingency Plans
– Regulatory Requirements & Guidance
• Vendor Selection Process
– Identification of Potential Vendors
– Due Diligence and Selection
– Contract Negotiation and Award
Third Party Vendor Management
106
• Current Vendor Evaluation
– Frequency depends on ranking
– Topics
• Financial Stability
• Performance against SLAs
• Key Personnel turnover
• Insurance coverage
• Type II SAS 70 (service providers)
• Disaster recovery testing & results
• Protection of member information
• Annual Board Report
– VM policy (any recommended changes)
– New critical vendors
– Summary of review of current vendors
– Other key information
Third Party Vendor Management (continued)
107
GLBA 501 (b) Customer Information Privacy
• Board-approved Privacy Policy
– Fixes responsibility
– Establishes program
– Requires reporting
• Privacy Program
• Privacy Risk Assessment
– Assess and document risk of unauthorized access to non-public member information
– Scope should include:
• IT infrastructure
• Manual (i.e. paper) instances
• Third party processors
– Is it sufficiently granular? Specific?
• Third-party processors
– Explicit contractual provision
– Due diligence on effectiveness of controls
108
• Third-party processors
– Explicit contractual provision
– Due diligence on effectiveness of controls
• Employee training
– All employees
– Annual
– Relevant
– Documented
• Annual Report to Board
– Summary of program over previous year
– Recommended policy changes (if any)
– Incidents (if any)
– Specific contents per guidance
GLBA 501 (b) Customer Information Privacy (cont.)
109
The FedLine Advantage audit complements audits of Funds Transfers and other Accounting-related audits.
• Logical Access Controls
– Procedures for granting, removing and changing access
– Review sample of access control requests
– Appropriate separation of duties
– Test for separated employees still on system
• Physical Access Controls
– Secure location for FedLine-capable PCs
– Controls over FedLine Advantage access tokens
• Others as specified in Fed guidance
– Creation and review of control reports
FedLine Advantage
110
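The “test for separated employees still on system” and “evaluate granting of administrator/high-level access” steps that recur on the Core Application, Network, e-Banking and FedLine Advantage slides can be run as a data reconciliation between an HR roster and a system account export. The following is an added example, not the presenter’s material; the HR and account records are constructed and the CSV layouts, role names and default-ID list are assumptions.

```python
"""Logical access control audit tests: reconcile an HR roster with a system account
export. Added example with constructed data; CSV layouts and role names are assumed."""
import csv
import io
from datetime import date

# Constructed HR roster; separation_date is blank for active employees.
HR_ROSTER = """emp_id,name,status,separation_date
E100,A. Teller,active,
E101,B. Lender,separated,2011-05-02
E102,C. Admin,active,
E103,D. Temp,separated,2011-06-10
E104,E. Leaving,separated,2011-06-30
"""

# Constructed account export (core system, network, e-banking or FedLine PC alike).
ACCOUNTS = """login,emp_id,enabled,role
ateller,E100,Y,teller
blender,E101,Y,loan_officer
cadmin,E102,Y,sysadmin
dtemp,E103,N,teller
eleaving,E104,Y,teller
admin,,Y,sysadmin
svc_batch,,Y,batch
"""

APPROVED_ADMIN_GRANTS = {"cadmin"}   # constructed: admin grants with an approved request on file
DEFAULT_IDS = {"admin", "guest"}     # constructed: vendor default logins that should be renamed/disabled
ADMIN_ROLES = {"sysadmin", "security_officer"}  # assumed high-level roles


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def separated_still_active(hr_csv, acct_csv, as_of):
    """Enabled logins of employees separated on or before as_of (ISO date string).
    A future-dated separation is not an exception yet, so it is not flagged."""
    cutoff = date.fromisoformat(as_of)
    gone = {r["emp_id"] for r in _rows(hr_csv)
            if r["status"] == "separated"
            and date.fromisoformat(r["separation_date"]) <= cutoff}
    return sorted(a["login"] for a in _rows(acct_csv)
                  if a["enabled"] == "Y" and a["emp_id"] in gone)


def admin_without_approval(acct_csv, approved):
    """Enabled high-level accounts that no approved access request covers."""
    return sorted(a["login"] for a in _rows(acct_csv)
                  if a["enabled"] == "Y" and a["role"] in ADMIN_ROLES
                  and a["login"] not in approved)


def default_ids_enabled(acct_csv, defaults):
    """Vendor default IDs that are still enabled (should be renamed or disabled)."""
    return sorted(a["login"] for a in _rows(acct_csv)
                  if a["enabled"] == "Y" and a["login"] in defaults)


def run_audit(as_of="2011-06-16"):
    """All findings keyed by test name, for the auditor's workpapers."""
    return {"separated_still_active": separated_still_active(HR_ROSTER, ACCOUNTS, as_of),
            "admin_without_approval": admin_without_approval(ACCOUNTS, APPROVED_ADMIN_GRANTS),
            "default_ids_enabled": default_ids_enabled(ACCOUNTS, DEFAULT_IDS)}
```

Each returned list is an exception for the workpapers; the disabled account of the separated employee and the not-yet-effective separation are correctly left out.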
• Monitoring and Follow-up
IT Audit Approach
111
• Follow-up Matrix
– Should contain all findings that were not “closed” at the time the audit report was presented to the Supervisory Committee
– Used by Supervisory Committee to track progress against stated plans and target dates
– Can/should also be used by Management to supervise and guide efforts
Monitoring and Follow-Up
112
• Issues revisited
– Coverage
– Competence
– Currency (of technical information)
– Continuity
– Climate (regulatory)
– Cost
• Using this template, and based on their knowledge of the credit union, Management and the Supervisory Committee can arrive at the right approach
Choosing the Right Approach
113
One more thing…
114
One more thing…
Should we be auditing Governance?
115
The institution has the organization, tools and procedures to ensure compliance with applicable guidance
• The institution has developed a process to identify IT statutory and regulatory requirements.
• An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.
• Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually.
• An IT Control Self Assessment Process to evaluate compliance with documented IT Policies and Procedures.
• A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.
Governance Redux
117
Which of these areas are likely to undergo change as
• New legislation is passed?
• New regulations are promulgated?
• New technologies are investigated and implemented?
Governance Redux
118
ALL OF THEM
Governance Redux
119
Understand the new technologies and services
• Maturity and potential
• Costs
• Security and privacy implications
• Competitive landscape: what are other institutions in our trade area doing?
• Other risks
– Loss due to fraud or theft
– Regulatory criticism
– Reputational
Actions You and Your Institution Can Take
120
Know your member base (and potential member base)
• What are their access needs (bricks and mortar vs. hand-held devices)?
• Is membership aging? Becoming younger?
• How do we know needs?
– Surveys?
– Anecdotal data?
• Understand your institution’s vision and strategic
– What markets (segments, communities) are we in?
– Where do we want to go?
Actions You and Your Institution Can Take
121
• Understand the strengths of management and staff
• Do we have the in-house expertise to embrace, exploit and control new technologies?
– If yes, let’s set a timetable
– If no, we either need to develop it or find a third-party vendor
Actions You and Your Institution Can Take
122
• Ensure Development/Implementation is orderly and controlled
• Planning is critical
– Realistic timeframes
– Milestones/checkpoints
– Progress reporting as appropriate
– Metrics (usage, costs)
– Policies and procedures
– Marketing and Educational materials
– Staff training
– Roll-out sequencing
Actions You and Your Institution Can Take
123
Post-Rollout Oversight
• Projected vs. Actual
– Usage
– Costs
– Revenues
• Anecdotal information on
– Overall progress
– Member reaction
– Unexpected things that went right/wrong
• Plans for activities prior to next status report
• Management’s assessment
Actions You and Your Institution Can Take
124
IT Internal Audit coverage should include the guidance and oversight received from the Board (i.e. Governance)
This coverage can be accomplished in “pieces” throughout the other IT audit areas
Governance Redux
125
Technology will continue to evolve
Credit Unions can choose to adopt new technologies and offer new services or not, but
Competitors and members will be watching and evaluating
Risks and challenges remain relatively the same
Your IT Internal Audit program can and must evolve, too.
Conclusions
126