Internal Audit Quality Assessment Presented to: Harris County
Presented by - The Institute of Internal Auditor Relations... · Presented by: Mark Salamasick, ......
Academic Relations
Opportunities to Integrate Technology Into the Classroom
Presented by: Mark Salamasick, CIA, CISA, CRMA, CSP
Executive Director of Audit
University of Texas System
Discussion Topics
• Internal Audit Textbook Update First
• Internal Audit Class and Technology
• Approach to IT Audit Class
• Data Analytics
• Cybersecurity Program
• Questions
Internal Auditing: Assurance & Advisory Services, Fourth Edition
Revision History
• First Edition – July 2007
• Second Edition – October 2009
• Third Edition – April 2013
• Fourth Edition – April 2017
Textbook Chapters
• Chapter 1: Introduction to Internal Auditing
• Chapter 2: The International Professional Practices Framework
• Chapter 3: Governance
• Chapter 4: Risk Management
• Chapter 5: Business Processes and Risk
• Chapter 6: Internal Control
• Chapter 7: Information Technology Risks and Controls
• Chapter 8: Risk of Fraud and Illegal Acts
• Chapter 9: Managing the Internal Audit Function
• Chapter 10: Audit Evidence & Workpapers
• Chapter 11: Data Analytics and Audit Sampling
• Chapter 12: Introduction to the Engagement Process
• Chapter 13: Conducting the Assurance Engagement
• Chapter 14: Communicating Assurance Engagement Outcomes
• Chapter 15: The Consulting Engagement
Download the Table of Contents Below
IA 4th Edition TOC.pdf
Case Studies
• Case Study 1: Auditing Entity-wide Controls
• Case Study 2: Auditing the Compliance and Ethics Program
• Case Study 3: Performing a Blended Consulting Engagement
Textbook Product Integration
ACL
Idea
KnowledgeLeader
TeamMate +
Check out the resources here: www.theiia.org/IAtextbook
Significant Updates – 3rd Edition
• Integration of TeamMate and TeamMate Case Studies
• Addition of Value Proposition
• COSO Internal Control 2013
• Updates to Standards, Implementation Guides, and Practice Guides (19 GTAGs)
• Inclusion of 3 Lines of Defense
• New material on Risk Management
• New technologies (i.e., cloud computing, smartphones)
• Expansion on Audit Management including combined assurance
TeamMate +® and TeamMate Analytics, an award-winning audit management system, has been integrated throughout the applicable textbook chapters. Specific case studies have been developed and are embedded at the end of chapter material to introduce the ways that TeamMate + can be used to streamline internal audit processes. Streamlined for student online access.
Introduction of the KnowledgeLeader with case studies throughout the text. Access available to all faculty and students.
Expanded instructor materials with 100 sample multiple choice questions, sample exam, along with expanded PowerPoint slides.
Internal Auditing: Assurance & Advisory Services, 4th Edition
What’s new in the 4th Edition?
Published by The Internal Audit Foundation
Instructors interested in ordering a desk copy may contact The IIA Bookstore, powered by the Internal Audit Foundation, by email at [email protected]. Requests are limited to one per instructor and two per institution.
Significant Updates – 4th Edition
• IPPF updates including Standards
• Internal Audit New Mission Statement
• Expansion of COSO Framework 2013
• New Fraud Risk Management Guide
• Current Technology including Cybersecurity focus
• Data analytics added to Audit Sampling Chapter
• Integration of Protiviti KnowledgeLeader throughout
• TeamMate Hosting streamlined process
• Online distribution of material versus CD
• Expanded instructor material
Internal Auditing: Assurance & Consulting Services, Fourth Edition with TeamMate for Universities
Polling Question #2
Are you using TeamMate+ in the Internal Audit course this semester?
Do you plan on using TeamMate+ sometime in the future?
How To Order The Textbook
Instructors interested in ordering a desk copy may download and submit the Textbook 4th Edition Desk Copy Request Form. Requests are limited to one per instructor and two per institution.
ISBN-13: 978-0-89413-987-1
For further information and Access to Instructor Material, contact [email protected]
https://bookstore.theiia.org/internal-auditing-assurance-advisory-services-fourth-edition-instructors
Internal Audit Class and Technology Options
• How much do you have time for?
• Chapter on IT Audit – Chapter 7
• Chapter on Data Analytics – Chapter 11 (Focus on Audit Data Analytics Strategies)
• TeamMate Integration
• Hands on Technology – (IDEA, ACL, TeamMate Analytics)
On to Technology….
Level of IT Understanding
• Business Auditors
• IT Auditors
What to call a separate IT Audit class?
• Computer Audit
• Information System Audit
• Information Technology Audit
• Information Technology Audit and Risk Management
• Computer Audit and System Security: Compliance and Advisory Perspective
Course Objectives
• Prepare students to have a meaningful career as an IT Auditor:
  – Technical Knowledge
  – Analytical Ability
  – Communication Skills
  – Interpersonal Skills
• Pass professional certification exams – CISA exams, CPA, and CIA.
What do University IT Audit and Risk Management Course Objectives look like?
1. Be able to identify key information technology risks and how to mitigate those risks.
2. Be able to develop a control checklist and key audit steps related to technology risks.
3. Be able to distinguish key user technology risks and controls.
4. Be able to identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Auditor (CISA) exam.
5. Identify sources for research of technology risks and apply those techniques to an overall research paper.
6. Learn those areas of technology risks that are currently of most concern to the IIA, AICPA, and ISACA.
7. Be able to distinguish and evaluate key application controls along with auditing of application controls.
8. Identify and evaluate risks in an e-business environment.
9. Understand how to adapt audit coverage to areas of advanced and emerging technologies.
First Day of Class
• Demystifying IT Audit
• Profile of class
• Certified Information Systems Auditor (CISA) possibility
• Encourage local ISACA participation
Definition of Information Technology Audit
• An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.
Some Reasonable Objectives for All Auditors
• Understand how technology fits into the overall business processes and its impact.
• Describe key risks and control techniques introduced by technology.
• Articulate the relationship between business transaction processing risks introduced by information technology risks.
• Find and interpret the leading sources of information related to technology control frameworks.
• Determine the significant technology issues to be considered as part of the review of a business unit.
• Integrate application controls as part of business unit audits.
• Understand the emerging technology risk issues.
Technology and Audit
• Infrastructure Audit
• Integrated Audit
• Use of Technology as Tool
• Audit Automation
• Data Analytics
Big Three Technology Risk Categories
• Information Security
• Business Continuity
• Change Management
Sample Syllabus
Chapter 7: Information Technology Risks and Controls
17 GTAGs published
• GTAG: IT Controls (Published in Mar 2005); 2nd Edition March 2012
• GTAG: Change and Patch Management Controls (Published in June 2005); 2nd Edition March 2012
• GTAG: Continuous Auditing (Published in Oct 2005); Update Coming Soon
• GTAG: Management of IT Auditing (Published in Mar 2006); 2nd Edition January 2013
• GTAG: Information Technology Outsourcing (Published in Mar 2007)
• GTAG: Auditing Application Controls (Published in July 2007)
• GTAG: Developing the IT Audit Plan (Published in July 2008)
• GTAG: Auditing IT Projects (Published in March 2009)
• GTAG: Fraud Detection and Prevention in an Automated World (Published in December 2009)
• GTAG: Auditing User Developed Applications (Published in June 2010)
• GTAG: Identity and Access Management (Published in July 2007)
• GTAG: Information Security Governance (Published in July 2010)
• GTAG: Data Analysis Technologies (Published in August 2011)
• GTAG: Auditing IT Governance (Published in July 2012)
• GTAG: Auditing Smart Devices (August 2016)
• GTAG: Assessing Cybersecurity Risk (September 2016)
• GTAG: Understanding and Auditing Big Data (May 2017)
What Every Business Auditor Should Understand Related to IT Controls
Global Technology Auditing Guide 1-2nd Edition
Model IT Controls Curriculum
• IIA: The IIA’s Global Model Internal Audit Curriculum – IT Auditing course integrated – 2012 – Schools recognized as part of IAEP
  https://na.theiia.org/about-us/about-ia/pages/participating-iaep-program-schools.aspx
• ISACA Model Curriculum – 2012
  http://www.isaca.org/Knowledge-Center/Academia/Pages/Programs-Aligned-with-Model-Curriculum-for-IS-Audit-and-Control.aspx
ISACA - COBIT 5 - Another Approach
Example of Case Studies
• Exploring technology risk and IT audit
• Business tied to technology risk
• Social Media
• Experiential Learning
Certified Information Systems Auditor (CISA) Exam
• One part exam
• Exam three testing windows
• Integrate topics into class
• Provide access to local CISA review if available
• Improves student career potential immediately
Next Steps
• If you are teaching an IT Audit and Risk Management course – Great!
• Take advantage of various case studies
• Utilize resources available from the IIA and ISACA
• Cross list course Accounting and MIS
• Become a program recognized by ISACA
Use Of Technology As A Tool
A Couple of Different Approaches to Audit Analytics
- Integrate into Courses
  - Internal Audit/Operational Audit Course
  - Financial Audit Class
  - IT Audit Course
  - Other Courses
- Separate Course in Audit Analytics
- Course or Program in Data Analytics in MIS Program
Sample Course Syllabus
Cybersecurity Certificate Program
• Developed to meet the increasing need of risk management and technical personnel in the area of cybersecurity
• Joint program with business school and computer science engineering
• Program at the graduate level
• Individuals receive Certificate in Cybersecurity systems (CCSS)
• All students would take this core Cybersecurity Fundamentals course
Certificate in Cyber Security Systems
Cyber Security Tracks
Students take a total of four courses (12 credit hours) consisting of one common fundamentals course and three other courses in one of four specified Tracks.
Cyber Security Fundamentals (course taken by all students)
Remaining courses taken within a selected Track
Track #1: Computer Science (CS)
Cyber Security with Computer Science Emphasis
Choose three (3) courses from:
• Information Security (CS 6324)
• Network Security (CS 6349)
• Data/App Security (CS 6348)
• One approved CS Elective in Cyber Security
Track #2: Systems Engineering (SYSE)
Cyber Security with Systems Engineering Emphasis
Choose three (3) courses from:
• Systems Engineering (SYSM 6301)
• CS 6324 or MIS 6330
• One approved Cyber Security course from CS, IA, or IM track
Track #3: Internal Audit (IA)
Cyber Security with Internal Audit Emphasis
Take the following courses:
• IT Security (MIS 6330)
• Internal Audit (ACCT 6380)
• IT Audit & Risk Management (ACCT 6336)
Track #4: Information Management (IM)
Cyber Security with Information Management Emphasis
Take the following courses:
• IT Security (MIS 6330)
• Cloud Computing (MIS 6363)
• IT Audit & Risk Management (ACCT 6336)
Contact Information
– Mark Salamasick
  Executive Director of Audit
  The University of Texas System
  (512) 499-4535
  [email protected]