Academic Relations

Opportunities to Integrate Technology Into the Classroom

Presented by:Mark Salamasick, CIA, CISA, CRMA, CSPExecutive Director of AuditUniversity of Texas System

Academic Relations

Discussion Topics

• Internal Audit Textbook Update First• Internal Audit Class and Technology • Approach to IT Audit Class• Data Analytics• Cybersecurity Program• Questions

2

Internal Auditing: Assurance & Advisory

Services, Fourth Edition

Revision History

• First Edition – July 2007• Second Edition – October 2009• Third Edition – April 2013• Fourth Edition – April 2017

Textbook Chapters

• Chapter 1: Introduction to Internal Auditing• Chapter 2: The International Professional Practices Framework• Chapter 3: Governance• Chapter 4: Risk Management• Chapter 5: Business Processes and Risk• Chapter 6: Internal Control• Chapter 7: Information Technology Risks and Controls• Chapter 8: Risk of Fraud and Illegal Acts• Chapter 9: Managing the Internal Audit Function• Chapter 10: Audit Evidence & Workpapers• Chapter 11: Data Analytics and Audit Sampling• Chapter 12: Introduction to the Engagement Process• Chapter 13: Conducting the Assurance Engagement• Chapter 14: Communicating Assurance Engagement Outcomes• Chapter 15: The Consulting Engagement

Download the Table of Contents Below

IA 4th Edition TOC.pdf

Case Studies

• Case Study 1: Auditing Entity-wide Controls

• Case Study 2: Auditing the Compliance and Ethics Program

• Case Study 3: Performing a Blended Consulting Engagement

Textbook Product Integration

ACL

Idea

KnowledgeLeader

TeamMate +

Check out the resources here:www.theiia.org/IAtextbook

Significant Updates-3rd Edition

• Integration of TeamMate and TeamMate Case Studies• Addition of Value Proposition• COSO Internal Control 2013• Updates to Standards, Implementation Guides, and

Practice Guides(19 GTAGs) • Inclusion of 3 Lines of Defense • New material on Risk Management• New technologies(i.e., cloud computing, smartphones)• Expansion on Audit Management including combined

assurance

TeamMate +® and TeamMate Analytics an award-winning audit management system, has been integrated throughout the applicable textbook chapters. Specific case studies have been developed and are embedded at the end of chapter material to introduce the ways that TeamMate + can be used to streamline internal audit processes. Streamlined for student online access.

TeamMate +® and TeamMate Analytics an award-winning audit management system, has been integrated throughout the applicable textbook chapters. Specific case studies have been developed and are embedded at the end of chapter material to introduce the ways that TeamMate + can be used to streamline internal audit processes. Streamlined for student online access.

Introduction of the KnowledgeLeader with case studies throughout the text. Access available to all faculty and students.Introduction of the KnowledgeLeader with case studies throughout the text. Access available to all faculty and students.

Expanded instructor materials with 100 sample multiple choice questions, sample exam, along with expanded PowerPoint slides.Expanded instructor materials with 100 sample multiple choice questions, sample exam, along with expanded PowerPoint slides.

Internal Auditing: Assurance & Advisory Services, 4th Edition

What’s new in the 4th Edition?

Published by The Internal Audit FoundationInstructors interested in ordering a desk copy may contact The IIA Bookstore, powered by the Internal Audit

Foundation, by email at iiatextbook@theiia.org. Requests are limited to one per instructor and two per institution.

Significant Updates – 4th Edition

• IPPF updates including Standards • Internal Audit New Mission Statement• Expansion of COSO Framework 2013• New Fraud Risk Management Guide • Current Technology including Cybersecurity focus • Data analytics added to Audit Sampling Chapter• Integration of Protiviti KnowledgeLeader throughout• TeamMate Hosting streamlined process• Online distribution of material versus CD• Expanded instructor material

Internal Auditing: Assurance & Consulting Services, Fourth Edition with TeamMate

for Universities

Polling Question #2

Are you using TeamMate+ in the Internal Audit course this semester?

Do you plan on using TeamMate+ sometime in the future?

How To Order The Textbook

Instructors interested in ordering a desk copy may download and submit the Textbook 4th Edition Desk Copy Request Form. Requests are limited to one per instructor and two per institution.

ISBN-13: 978-0-89413-987-1

For further information and Access to Instructor Material, contact iiatextbook@theiia.org

https://bookstore.theiia.org/internal-auditing-assurance-advisory-services-fourth-edition-instructors

Internal Audit Class and Technology Options

• How much do you have time for?• Chapter on IT Audit – Chapter 7• Chapter on Data Analytics – Chapter 11

(Focus on Audit Data Analytics Strategies)• TeamMate Integration• Hands on Technology – (IDEA, ACL,

TeamMate Analytics)

On to Technology….

Academic Relations

Level of IT Understanding

• Business Auditors• IT Auditors

Academic Relations

What to call the a separate IT Audit class?

• Computer Audit• Information System Audit• Information Technology Audit• Information Technology Audit and Risk

Management• Computer Audit and System Security:

Compliance and Advisory Perspective

17

Academic Relations

Course Objectives

• Prepare students to have a meaningful career as an IT Auditor:– Technical Knowledge– Analytical Ability– Communication Skills– Interpersonal Skills

• Pass professional certification exams – CISA exams, CPA, and CIA.

Academic Relations

What does a University IT Audit and Risk Management Course Objectives look like?

1. Be able to identify key information technology risks and how to mitigate those risks.

2. Be able to develop a control checklist and key audit steps related to technology risks.

3. Be able to distinguish key user technology risks and controls.

4. Be able identify the key content areas and have knowledge of all areas covered by the Certified Information Systems Audit (CISA) exam.

5. Identify sources for research of technology risks and apply those techniques to an overall research paper.

6. Learn those areas of technology risks that are currently of most concern to the IIA, AICPA, and ISACA.

7. Be able to distinguish and evaluate key application controls along with auditing of application controls.

8. Identify and evaluate risks in an e-business environment.

9. Understand how to adapt audit coverage to areas of advanced and emerging technologies. 19

Academic Relations

First Day of Class

• Demystifying IT Audit• Profile of class• Certified Information Systems Auditor(CISA)

possibility• Encourage local ISACA participation

20

Academic Relations

Definition of Information Technology Audit

• An information technology audit, or information systems audit, is an examination of the management controls within an Information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

21

Academic Relations

• Understand how technology fits into the overall business processes and its impact.

• Describe key risks and control techniques introduced by technology.

• Articulate the relationship between business transaction processing risks introduced by information technology risks.

• Find and interpret the leading sources of information related to technology control frameworks.

• Determine the significant technology issues to be considered as part of the review of a business unit.

• Integrate application controls as part of business unit audits.

• Understand the emerging technology risk issues.

Some Reasonable Objectives for All Auditors

Academic Relations

Technology and Audit

• Infrastructure Audit • Integrated Audit• Use of Technology as Tool

• Audit Automation• Data Analytics

23

Academic Relations

Big Three Technology Risk Categories

• Information Security• Business Continuity • Change Management

24

Academic Relations

Sample Syllabus

Academic Relations

Chapter 7: Information Technology Risks and Controls

17 GTAGs published

26

• GTAG: IT Controls(Published in Mar 2005)

2nd EDITION MARCH 2012

• GTAG: Change and Patch Management Controls(Published in June 2005)

2nd EDITION MARCH 2012

• GTAG: Continuous Auditing(Published in Oct 2005)

Update Coming Soon

• GTAG: Management of IT Auditing(Published in Mar 2006)

2nd EDITION January 2013

• GTAG: Information Technology Outsourcing(Published in Mar 2007)

• GTAG: Auditing Application Controls(Published in July 2007)

Academic Relations

Chapter 7: Information Technology Risks and Controls

27

17 GTAGs published

• GTAG: Developing the IT Audit Plan(Published in July 2008)

• GTAG: Auditing IT Projects(Published in March 2009)

• GTAG: Fraud Detectionand Prevention in an Automated World(Published in December 2009)

• GTAG: Auditing User Developed Applications(Published in June 2010)

• GTAG: Identity and Access Management(Published in July 2007)

Academic Relations

Chapter 7: Information Technology Risks and Controls

28

17 GTAGS published• GTAG: Information

Security Governance(Published in July 2010)

• GTAG: Data Analysis Technologies(Published in August 2011)

• GTAG: Auditing IT Governance(Published in July 2012)

• GTAG: Auditing Smart Devices(August 2016)

• GTAG: Assessing Cybersecurity Risk(September 2016)

• GTAG: Understanding and Auditing Big Data(May 2017)

Academic Relations29

What Every Business Auditor Should Understand Related to IT Controls

Global Technology Auditing Guide 1-2nd Edition

Academic Relations

Model IT Controls Curriculum

• IIA The IIA’s Global Model Internal Audit Curriculum – IT Auditing course Integrated -2012 – Schools recognized as part of IAEP

• https://na.theiia.org/about-us/about-ia/pages/participating-iaep-program-schools.aspx

• ISACA Model Curriculum - 2012http://www.isaca.org/Knowledge-Center/Academia/Pages/Programs-Aligned-with-Model-Curriculum-for-IS-Audit-and-Control.aspx

Academic Relations

ISACA - Cobit 5-Another Approach

31

Academic Relations

Example of Case Studies

• Exploring technology risk and IT audit• Business tied to technology risk • Social Media• Experiential Learning

Academic Relations

Certified Information Systems Auditor (CISA) Exam

• One part exam• Exam three testing windows• Integrate topics into class• Provide access to local CISA review if

available• Improves student career potential

immediately

33

Academic Relations

Next Steps

• If you are teaching an IT Audit and Risk Management courses – Great!

• Take advantage of various case studies• Utilize resources available from the IIA

and ISACA• Cross list course Accounting and MIS• Become a program recognized by

ISACA

34

Academic Relations

Use Of Technology As A Tool

35

Academic Relations

A couple of Different Approach’s to Audit Analytics

- Integrate into Courses

- Internal Audit/Operational Audit Course- Financial Audit Class- IT Audit Course- Other Courses

- Separate Course in Audit Analytics- Course or Program in Data Analytics in MIS

Program

36

Academic Relations

Sample Course Syllabus

Academic Relations

Cybersecurity Certificate Program

• Developed to meet the increasing need of risk management and technical personnel in the area of cybersecurity

• Joint program with business school and computer science engineering

• Program at the graduate level• Individuals receive Certificate in

Cybersecurity systems (CCSS)• All students would take this core

Cybersecurity Fundamentals course

Academic Relations

Certificate in Cyber Security

SystemsCyber Security Fundamentals

(course taken by all students)

Students take a total of four courses (12 credit hours) consisting of one common

fundamentals course and three other courses in one of four specified Tracks

Remaining courses takenwithin a selected Track

Computer Science TrackCyber Security with Computer Science

EmphasisChoose three (3) courses

from:• Information Security (CS 6324)

• Network Security (CS 6349)• Data/App Security (CS 6348)• One approved CS Elective in Cyber Security

Internal Audit TrackCyber Security with

Internal AuditEmphasis

Take the following courses:• IT Security (MIS 6330) • Internal Audit (ACCT 6380) • IT Audit & Risk Management (ACCT 6336)

Systems Engineering Track

Cyber Security with Systems Engineering

EmphasisChoose three (3) courses

from:• Systems Engineering (SYSM 6301)

• CS 6324 or MIS 6330• One approved Cyber Security course from CS, IA, or IM track

Track #1: Computer Science (CS)

Track #2: Systems Engineering (SYSE)Track #3: Internal Audit (IA)

Track #4: Information Management (IM)

Information Management Track

Cyber Security with Information

Management Emphasis

Take the following courses:• IT Security (MIS 6330) • Cloud Computing (MIS 6363)• IT Audit & Risk Management (ACCT 6336)

Cyber Security Tracks

Academic Relations

Contact Information

– Mark SalamasickExecutive Director of AuditThe University of Texas System(512) 499-4535 msalamasick@utsystem.edu