Arizona State University Fiscal Year 2009 IT Risk Assessment Methodology Prepared for the January 22, 2009 Audit Committee Meeting
This document provides an overview of the methodology used by ASU University Audit and Advisory Services to fulfill the expectations of the ABOR Audit Committee in developing the Fiscal Year 2009 IT Risk Assessment.

I. Mandate

The Audit Committee of the Arizona Board of Regents, at its January 24, 2008 meeting (Agenda Item #4, Discussion of Proposed Changes to the Overall Internal Audit of the University System - Information Technology Audits), instructed that a permanent working group consisting of representatives from the tri-universities and the ABOR Central Office staff:

A. Assess IT audit coverage by the Auditor General and by internal audit
B. Identify areas that should be subject to audit
C. Establish priorities for audit
D. Recommend an IT audit component of the annual audit plans to the chief audit executives and the Audit Committee, and
E. Cooperate in audits as needed.

II. Scope

A. Determined Auditable Units based upon the organizational structure reflected within the Fiscal Year 2009 Sources and Uses Report
B. Two IT environments: Distributed (Colleges and Administrative Units, decentralized) and Centralized (University Technology Office)
C. Five campuses (four physical university locations of Tempe, Downtown Phoenix, West and Polytechnic, along with the virtual campus of ASU Online)
D. Report the assessment results in conformance with ISACA standard P1 - Information Systems Risk Assessment Measurement

III. Methodology

ABOR Central Office audit staff called a meeting on February 28, 2008, to discuss the audit objectives with the IT auditors from the tri-university audit staffs. The merits of using the fundamental principles of the Information Systems Audit and Control Association (ISACA) COBIT 4.1 methodology as a general guideline were reviewed, though it was left to the IT auditors how to accomplish the objective. It was also determined that we were to report the assessment results in conformance with ISACA standard P1 - Information Systems Risk Assessment Measurement, described as a methodology to produce a risk model to optimize the assignment of IS audit resources through a comprehensive understanding of the organization's IS environment and the risks associated with each auditable unit.

The IT Risk Assessment Engagement Letter (see attached) was sent out on March 6, 2008. The engagement meeting was held on March 13, 2008, with Adrian Sannier, University Technology Officer. In that meeting, Adrian Sannier agreed with the assessment objectives and provided further guidance by recommending that we collect information regarding the storage location and ownership of sensitive data in order to further classify that data and better secure it. Other meetings with UTO management, including the Information Security Officer, were also held at this time.

Our background research and due diligence included, but was not limited to:

- ISACA P1 Information Systems Risk Assessment Measurement
- COBIT 4.1 (including a two-day course hosted by ISACA covering COBIT 4.1)
- ISO/IEC 17799:2005 Information Technology Security Techniques
- NIST Risk Management Guide
- Payment Card Industry (PCI) Data Security Standard
- IIA Guide to the Assessment of IT Risk Methodology (GAIT)
- COSO Enterprise Risk Management Model
- Office of the Auditor General, Arizona's Universities Information Technology Security Audit

From our research and a preliminary evaluation of the IT environment of the University we determined there were two distinct IT environments at ASU: distributed and centralized. We relied on the FY 2009 Sources and Uses report to establish the universe of Auditable Units for purposes of the IT Risk Assessment Survey Questionnaire. Auditable Units were defined as a departmental unit or any unit so designated. There were numerous Auditable Units across the four physical university locations of Tempe, Downtown Phoenix, West and Polytechnic campuses, along with the virtual campus of ASU Online, within the distributed environment. The centralized IT environment is defined as the facilities and services provided by the University Technology Office (UTO).

Our next concern was how to thoroughly cover the universe of the distributed IT environment and how best to organize and present the information we collected. Prior IT Risk Assessments at ASU and the IIA GAIT methodology both suggested that the fiscal structure of Sources and Uses reporting gave us the comprehensive coverage and the level of granularity we were looking for. It became apparent that the most practical way to present the information was to evaluate Auditable Units primarily at the departmental level as delineated within the Sources and Uses report. An evaluation of the Sources and Uses report further revealed close to 240 Auditable Units (not including centralized UTO) at the departmental level, inclusive of all four campus locations and ASU Online. We determined that each of the 240 Auditable Units would receive an IT Risk Assessment Survey Questionnaire (see attached).

IV. IT Risk Assessment Survey Questionnaire Development

We developed the Survey Questionnaire, written in Microsoft Excel, based primarily on the industry standard ISO/IEC 17799:2005 (since renamed ISO/IEC 27002:2005). The multiple choice format was selected to provide uniformity in compiling the answers, make the Survey Questionnaire more user-friendly and decrease the time required to complete it. The multiple choice answers to each question were then numbered so that a commensurate level of risk could be attached to each response, weighted from 3 to 5: 3 for Medium Risk, 4 for Medium High Risk and 5 for High Risk. Weights 1 and 2 were not an option, as information technology is inherently not a Low Risk or Low Medium Risk environment. The numbered answers were then added together and averaged by subcategory to arrive at either the Impact Risk Value or the Likelihood Risk Value for each Auditable Unit (following the ISACA P1 Information Systems Risk Assessment Measurement standard framework), and from those the Combined Risk Value and Risk Rating. This Risk Value Computation is found on the Auditable Unit's IT Risk Assessment Results Form (RARF, see attached).

Risk Value Computation found on the Risk Assessment Results Form (RARF)

The responses that support the Risk Assessment Conclusion on the Auditable Unit's RARF are drawn from a total of 68 questions in PART ONE (tab one) of the Survey Questionnaire document. Business Managers were responsible for answering 38 of the questions and IT Administrators for the remaining 30. In PART TWO (tab two), respondents were asked to list the software applications in use and the kinds of data they create, transfer and store for the Auditable Unit. Typically, IT Administrators are more familiar with the overall applications in use and how they map to the IT infrastructure, while Business Managers are more familiar with the specific data generated from those applications and with user requirements. Ultimately, it is the Accountable Administrator, the head of the department or Auditable Unit (a VP, Dean, Chair, Director or designated Administrator), who is the responsible owner of the data, particularly sensitive data that is subject to regulations and compliance requirements as to how it is protected and stored. The application and data information in PART TWO will serve to further facilitate understanding of the composition of the data for any one Auditable Unit for data classification purposes: PART TWO seeks to identify sensitive and non-sensitive data and where that data is stored. Succinctly, the Accountable Administrator is the data owner and the IT Administrator is the data custodian. To be effective, an IT Risk Assessment for an institution of higher education should be a collaboration between business and information technology.

With the Survey Questionnaire draft completed, we vetted the document against comparable examples from other institutions of higher learning and against the established fundamental standards of IT security. The assessment-related information from Ohio State University, New Mexico State University, the University of Minnesota and the University of California system was particularly beneficial. The standard we followed most closely while developing the Survey Questionnaire was ISO/IEC 17799, followed by COBIT 4.1, COSO and NIST.

Having developed a structure for the Survey Questionnaire that aligned with industry standards, we determined that we had to build flexibility into the document so that the diverse interests of the various parts of the distributed IT environment of the University would be represented equally and without bias. To do that, we had to provide a range of multiple choice answers that would represent every possible answer, within reason. While holding the structure of our industry standard questions constant, we met with as many representative groups across the University as possible to discuss the questions and how they would answer them. From their answers we built a range of responses that we hoped would be inclusive for all of the approximately 240 distributed Auditable Units at ASU.

To accomplish our goal of representative participation, we met individually or in small groups with the Internal Audit Liaisons, which gave us insight from a wide array of academic and administrative units within the University. We also asked every Liaison to include the ranking IT Administrator in their respective areas of responsibility in a two-hour meeting designed to further review the effectiveness of the Survey Questionnaire. From those meetings we also derived a more comprehensive range of multiple choice answers. The Internal Audit Liaisons represent the following areas of the University:

- President's Office
- Executive Vice President and Provost Office
- ASU at the Polytechnic Campus
- ASU at the West Campus
- ASU Online and Extended Campus
- Chief Financial Officer
- University Administration and Legal Affairs
- Research and Economic Affairs
- Public Affairs
- University Student Initiatives
- Intercollegiate Athletics (ICA)
- University Technology Office

We went through all 68 multiple choice questions in these conference room meetings, with overhead projector presentations, to facilitate small group discussion of each question and each answer. Everyone's response mattered and everyone's input made a difference in further refining the ASU IT Risk Assessment Survey Questionnaire. For each answer we further discussed whether the response indicated medium risk, medium high risk or high risk, and weighted the response numerically accordingly. We also asked respondents to keep in mind whether a question was being answered from the business perspective or from the IT perspective. Building upon the input of the Internal Audit Liaisons and their IT Administrators, University Audit reached a representative range of responses for each question: from just two possible answers, typically a Yes/No question, to up to eight possible answers for some of the more complex questions.

Because of the singular opportunity presented by the Survey Questionnaire to interact with the business and IT representatives of such a broad spectrum of Auditable Units across the University, we determined that we wanted to include open-ended questions at the end of the document. Based on feedback gained during these meetings, we added four narrative questions to give respondents a venue to share with us (1) any security breach within their respective areas during the past twelve months, (2) any additional information they would like to provide, (3) any Survey Questionnaire question(s) they would change and (4) specific questions where respondents felt that an adequate answer was not provided among the choices given. For that last question we asked that they leave the original answer blank, list the number of the question in the space provided at the end of the Survey Questionnaire (see #72 on page 7 of PART ONE), followed by their own answer to the question. We would then follow up and evaluate their response, weight it for risk and include it in that Auditable Unit's Risk Rating.

To further get the word out about the Survey Questionnaire and to request additional feedback from the information technology community at ASU, we next made presentations to the University Technology Council and the USIST monthly meeting. The members were all provided with Survey Questionnaire drafts and were asked to reply to us with their comments. We also presented the Survey Questionnaire and answered questions regarding the rollout process to the Academic Unit Business Managers at their monthly meeting. This was an important presentation because these individuals serve as the senior financial administrators for their respective academic units, and as such would be directly responsible for facilitating the Survey Questionnaire responses through their Auditable Units.

V. IT Risk Assessment Survey Questionnaire Distribution

During the first week of October 2008, the ASU IT Risk Assessment Survey Questionnaire reached the requisite level of assurance necessary to go forward with distribution of the document to all 240 Auditable Units. We met with Paul Ward, Vice President, University Administration and Legal Affairs, and LeEtta Overmyer, Deputy Vice President, to review the Survey Questionnaire and the methodology to date. With Paul Ward's guidance, we then met with Adrian Sannier, University Technology Officer, and Scott Banks, Information Security Officer, to review the methodology and gain their acceptance to go forward with distribution of the Survey Questionnaire. Adrian was in agreement with the methodology and provided a cover letter addressed to Survey Questionnaire participants which endorsed the IT Risk Assessment process and emphasized the importance of the respondents' full and timely participation (see attached). Along with the Survey Questionnaire participants, the cover letter was also sent to Elizabeth Capaldi, Executive Vice President and Provost of the University; Carol Campbell, Executive Vice President and Chief Financial Officer; and Paul Ward, Vice President. Their participation further established a tone at the top that emphasized and reinforced the importance of improved IT security at ASU.

Following the endorsement of senior management, we began distribution of the Survey Questionnaire in a gradual rollout to control the process and ensure the reliability of the results. The fifteen Auditable Units of the Ira A. Fulton School of Engineering were used as our test sample. The results of those Survey Questionnaires were reviewed, changes were made to the document as appropriate, and the revised Survey Questionnaire was rolled out to the remainder of the Auditable Unit population. As of December 31, 2008, Survey Questionnaires had been distributed to a total of 245 Auditable Units.

Those documents were targeted to reach the Business Representative and the IT Administrator most knowledgeable for any given Auditable Unit. The Survey Questionnaire also required the participation of the Senior Business Representative and the Senior IT Administrator, as well as the Accountable Administrator, who is the VP, Dean, Chair, Director or designated Administrator for the Auditable Unit. While those closest to the daily operations of business and information technology answered the bulk of the questions, it was the Accountable Administrator who had the final sign-off before returning the completed document to University Audit. Over 400 individuals at the University in varying capacities have directly participated in the distributed Fiscal Year 2009 ASU IT Risk Assessment Survey Questionnaire process.

VI. Results

To date, over 75% of Auditable Units have returned their Survey Questionnaires. If we include the Survey Questionnaire responses that are currently outstanding but committed to respond, the final response rate increases to greater than 85%.

VII. Deliverables

The IT Risk Assessment Results Form (RARF) summarizes results drawn from the Survey Questionnaire document for each Auditable Unit and highlights areas of risk: sensitive data and data storage locations, risk attributes, and Web-based applications, if any. The RARF provides Auditable Unit administrators with an overview of areas of risk that require varying degrees of remediation. The Risk Value Computation results drawn from the Survey Questionnaire responses are stratified into an Impact Risk Value and a Likelihood Risk Value, from which a Risk Assessment Conclusion is determined as a Combined Risk Value and Risk Rating. These two overall risk factors, Combined Risk Value and Risk Rating, are carried forward to a comprehensive report that compares the risk of all Auditable Units across the University (the IT Risk Assessment Ranking Report). The IT Risk Assessment Ranking Report ranks the Auditable Unit universe from highest to lowest risk based on Combined Risk Value and Risk Rating, and will serve as the basis for prioritizing future IT audits and other special projects.
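As an added illustration of the Risk Value Computation described in section IV and the Ranking Report described in section VII (this is example code, not ASU's Excel workbook or any of the attached forms), the following Python models the scoring: answers weighted 3 to 5, averaged by subcategory into an Impact Risk Value and a Likelihood Risk Value, combined, rated, and ranked from highest to lowest risk. The subcategory names and their assignment to the two dimensions, the use of Likelihood x Impact for the Combined Risk Value, the rating bands, and the two sample units are assumptions constructed for the example; the page does not state how the Combined Risk Value or Risk Rating is derived. It also covers the #72 case from section IV: an answer left blank in favour of a narrative response is excluded from the averages and reported as pending until the auditor weights it.

```python
"""Risk Value Computation and Ranking Report, modelled on sections IV and VII.
Added example, not ASU's workbook. Assumed: subcategory names and their
dimension, Combined = Likelihood x Impact, and the Risk Rating bands."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional

# Answer weights from section IV: 3 = Medium, 4 = Medium High, 5 = High.
# 1 and 2 are never valid, so a spreadsheet typo of "1" must be rejected.
ALLOWED_WEIGHTS = {3, 4, 5}

# Which dimension each subcategory of questions feeds (names are assumed).
SUBCATEGORY_DIMENSION: Dict[str, str] = {
    "data_sensitivity": "impact",
    "regulatory_exposure": "impact",
    "access_control": "likelihood",
    "patch_management": "likelihood",
}


@dataclass(frozen=True)
class Response:
    question: int          # question number in PART ONE
    subcategory: str
    weight: Optional[int]  # None: left blank, narrative answer given under #72


@dataclass
class UnitResult:
    unit: str
    impact: float
    likelihood: float
    combined: float
    rating: str
    pending: List[int]     # #72 answers still awaiting auditor weighting


def risk_rating(combined: float) -> str:
    """Assumed bands on the 9..25 scale produced by Likelihood x Impact."""
    if combined >= 20.0:
        return "High"
    if combined >= 14.0:
        return "Medium High"
    return "Medium"


def apply_auditor_weight(responses: List[Response], question: int, weight: int) -> List[Response]:
    """Auditor follow-up on a #72 narrative answer: attach a weight to the
    blank response so it counts toward the unit's Risk Rating."""
    if weight not in ALLOWED_WEIGHTS:
        raise ValueError(f"weight {weight} is not one of {sorted(ALLOWED_WEIGHTS)}")
    return [Response(r.question, r.subcategory, weight) if r.question == question else r
            for r in responses]


def compute_unit(unit: str, responses: List[Response]) -> UnitResult:
    """Average weights by subcategory, average subcategories into the Impact
    and Likelihood Risk Values, then combine. Blank (#72) answers are left out
    of the averages rather than counted as zero, which would dilute the risk."""
    pending = sorted(r.question for r in responses if r.weight is None)
    by_subcategory: Dict[str, List[int]] = {}
    for r in responses:
        if r.weight is None:
            continue
        if r.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"Q{r.question}: weight {r.weight} is not one of {sorted(ALLOWED_WEIGHTS)}")
        if r.subcategory not in SUBCATEGORY_DIMENSION:
            raise ValueError(f"Q{r.question}: unknown subcategory {r.subcategory!r}")
        by_subcategory.setdefault(r.subcategory, []).append(r.weight)

    dimension_values: Dict[str, List[float]] = {"impact": [], "likelihood": []}
    for subcategory, weights in by_subcategory.items():
        dimension_values[SUBCATEGORY_DIMENSION[subcategory]].append(float(mean(weights)))
    for dimension, values in dimension_values.items():
        if not values:  # nothing scored yet for this dimension: cannot conclude
            raise ValueError(f"{unit}: no scored answers for the {dimension} dimension")

    impact = round(mean(dimension_values["impact"]), 2)
    likelihood = round(mean(dimension_values["likelihood"]), 2)
    combined = round(impact * likelihood, 2)
    return UnitResult(unit, impact, likelihood, combined, risk_rating(combined), pending)


def ranking_report(results: List[UnitResult]) -> List[UnitResult]:
    """IT Risk Assessment Ranking Report: highest Combined Risk Value first."""
    return sorted(results, key=lambda r: (-r.combined, r.unit))


# Constructed sample responses for two hypothetical Auditable Units.
SAMPLE_UNITS: Dict[str, List[Response]] = {
    "Dept A": [Response(1, "data_sensitivity", 5), Response(2, "data_sensitivity", 4),
               Response(3, "regulatory_exposure", 5), Response(4, "access_control", 3),
               Response(5, "access_control", 5), Response(6, "patch_management", 4)],
    "Dept B": [Response(1, "data_sensitivity", 3), Response(2, "data_sensitivity", 3),
               Response(3, "regulatory_exposure", 4), Response(4, "access_control", 3),
               Response(5, "access_control", None),  # answered under #72
               Response(6, "patch_management", 3)],
}


def sample_ranking() -> List[UnitResult]:
    return ranking_report([compute_unit(u, rs) for u, rs in SAMPLE_UNITS.items()])


if __name__ == "__main__":
    for r in sample_ranking():
        print(f"{r.unit}: impact={r.impact} likelihood={r.likelihood} "
              f"combined={r.combined} rating={r.rating} pending={r.pending}")
```

The design point worth carrying into a real workbook is the treatment of blanks: a cell averaged as 0 silently lowers a unit's risk below the 3 floor the methodology defines, so a blank must either be excluded and flagged, or resolved by the auditor (apply_auditor_weight) before the Risk Rating is carried to the Ranking Report.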
Trends within the Risk Assessment information gathered to date have provided insights into potential security weaknesses of a significant nature that were previously unassessed and are currently being evaluated for remedial action. The Survey Questionnaire document itself served as a training mechanism for Auditable Units reviewing their internal processes for appropriate controls and adherence to University policy.
Performance Management and Salary Adjustment Processes Administrative and Professional Faculty Information Technology The goals of performance management processes are to provide feedback on an annual,
More informationDepartment of History Policy 1.1. Faculty Evaluation. Evaluation Procedures
Approved: 2/23/099 Department of History Policy 1.1 Faculty Evaluation Evaluation Procedures 1. The Department of History will evaluate all tenured and non-tenure faculty by March 1 of each academic year
More informationCollege of Business Faculty Charter. Code of Operating Standards for Academic Policy and Administrative Structure
College of Business Faculty Charter Code of Operating Standards for Academic Policy and Administrative Structure I. PURPOSES A. To formally identify organizational structure and procedures for faculty
More informationUnit Specific Questions Administrative
Unit Specific Questions Administrative Name of individual completing this report: Charles D. Warner E-mail address of individual completing this report: cwarner@shawnee.edu Goals and Mission 1. How are
More informationGAO DEFENSE CONTRACT AUDITS. Actions Needed to Improve DCAA's Access to and Use of Defense Company Internal Audit Reports
GAO United States Government Accountability Office Report to the Committee on Armed Services, U.S. Senate December 2011 DEFENSE CONTRACT AUDITS Actions Needed to Improve DCAA's Access to and Use of Defense
More informationDepartment of Administration Portfolio Management System 1.3 June 30, 2010
E 06/ 30/ 2010 EX AM PL 1. 3 06/ 28/ 2010 06/ 24/ 2010 06/ 23/ 2010 06/ 15/ 2010 06/ 18/ 2010 Portfolio System 1.3 June 30, 2010 Contents Section 1. Project Overview... 1 1.1 Project Description... 1 1.2
More informationGovernance Processes and Organizational Structures for Information Management
UNIVERSITY BUSINESS EXECUTIVE ROUNDTABLE Governance Processes and Organizational Structures for Information Management Custom Research Brief Research Associate Lauren Edmonds Research Manager Priya Kumar
More informationState of Minnesota. Enterprise Security Strategic Plan. Fiscal Years 2009 2013
State of Minnesota Enterprise Security Strategic Plan Fiscal Years 2009 2013 Jointly Prepared By: Office of Enterprise Technology - Enterprise Security Office Members of the Information Security Council
More informationFinal Report on Project Management Skills of the University of California Libraries Staff. July, 2010
Final Report on Project Management Skills of the University of California Libraries Staff July, 2010 from the Project Management Skills Task Force Members: Joan Starr, CDL, Chair Mary Linn Bergstrom, UC
More informationII: CONSTITUENT UNIT BYLAWS Sections 5-12 Pages 2-3
BYLAWS OF THE COLLEGE OF BUSINESS ADMINISTRATION UNIVERSITY OF NEVADA, RENO Approved by the College Faculty on March 29, 1996 Approved by the President on April 1, 1997 TABLE OF CONTENTS I: COLLEGE BYLAWS
More informationB o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing
B o a r d of Governors of the Federal Reserve System Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing January 23, 2013 P U R P O S E This policy statement is being issued
More informationGuidance for the Quality Assurance of Fire Protection Systems
Guidance for the Quality Assurance of Fire Protection Systems Prepared for: Office of Energy Research Office of Environment, Safety and Health Technical Support Prepared by: Roy F. Weston, Inc. October
More informationThe University of Tennessee IT Governance Process (Restructured)
4/1/2015 1 The University of Tennessee IT Governance Process (Restructured) The current University of Tennessee Statewide IT Governance model was implemented in 2012, established to provide a structure
More informationBOARD AND CEO ROLES DIFFERENT JOBS DIFFERENT TASKS
BOARD AND CEO ROLES DIFFERENT JOBS DIFFERENT TASKS Introduction Local boards of trustees and chief executive officers play different roles and have different responsibilities in leading their districts.
More informationAudit of Community Futures Program
Audit of Community Futures Program WESTERN ECONOMIC DIVERSIFICATION CANADA Audit, Evaluation & Disclosure Branch April 2009 Table of Contents 1.0 EXECUTIVE SUMMARY 1 2.0 STATEMENT OF ASSURANCE 2 3. 0 INTRODUCTION
More informationQuality Assessment Report. Louisville Metro Government Office of Internal Audit. For. December 13, 2006
Quality Assessment Report For Louisville Metro Government Office of Internal Audit December 13, 2006 Table of Contents Executive Summary 4 Introduction 4 The Titus Solution 4 Comments 5 Conformity Rating
More informationThe College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012
The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only Agenda Introduction Basic program components Recent trends in higher education risk management Why
More informationComputer Security Incident Response Team
Computer Security Incident Response Team Operational Standards The University of Scranton Information Security Office August 2014 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0
More informationR345, Information Technology Resource Security 1
R345, Information Technology Resource Security 1 R345-1. Purpose: To provide policy to secure the private sensitive information of faculty, staff, patients, students, and others affiliated with USHE institutions,
More informationAUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL
AUDIT OF READINESS FOR THE IMPLEMENTATION OF THE POLICY ON INTERNAL CONTROL AUDIT REPORT JUNE 2010 TABLE OF CONTENTS EXCUTIVE SUMMARY... 3 1 INTRODUCTION... 5 1.1 AUDIT OBJECTIVE. 5 1.2 SCOPE...5 1.3 SUMMARY
More informationCURRICULUM CHANGE PROCEDURES FOR THE CSUF CATALOG
CURRICULUM CHANGE PROCEDURES FOR THE CSUF CATALOG COURSE AND CURRICULUM CHANGE PROCEDURES: Request for New Undergraduate Course: A request for a new undergraduate course is made through the submission
More informationSCRUTINY COMMITTEE ITEM 04 28 MARCH 2012
SCRUTINY COMMITTEE ITEM 04 28 MARCH 2012 INTERNAL AUDIT PLAN Report of the: Director of Finance Contact: John Turnbull or Gillian McTaggart Urgent Decision?(yes/no) No If yes, reason urgent decision required:
More informationSound Transit Internal Audit Report - No. 2014-3
Sound Transit Internal Audit Report - No. 2014-3 IT Project Management Report Date: Dec. 26, 2014 Table of Contents Page Background 2 Audit Approach and Methodology 2 Summary of Results 4 Findings & Management
More informationATTACHMENT B PROGRAM MANAGEMENT SERVICES BEXAR COUNTY FY 2007 - FY 2017 FLOOD CONTROL PROJECTS
ATTACHMENT B PROGRAM MANAGEMENT SERVICES BEXAR COUNTY FY 2007 - FY 2017 FLOOD CONTROL PROJECTS The following scope of services for program management is an effort to provide an encompassing but not all
More informationFederal Bureau of Investigation s Integrity and Compliance Program
Evaluation and Inspection Division Federal Bureau of Investigation s Integrity and Compliance Program November 2011 I-2012-001 EXECUTIVE DIGEST In June 2007, the Federal Bureau of Investigation (FBI) established
More informationIT Infrastructure Audit
IT Infrastructure Audit Office of the Chief Audit and Evaluation Executive Audit and Assurance Services Directorate June 2011 Cette publication est également disponible en français. This publication is
More informationComputer Security Roles and Responsibilities and Training Should Remain Part of the Computer Security Material Weakness.
Computer Security Roles and Responsibilities and Training Should Remain Part of the Computer Security Material Weakness September 2004 Reference Number: 2004-20-155 This report has cleared the Treasury
More informationFinal Audit Report. Audit of the Human Resources Management Information System. December 2013. Canada
Final Audit Report Audit of the Human Resources Management Information System December 2013 Canada Table of Contents Executive summary... i A - Introduction... 1 1. Background... 1 2. Audit objective...
More informationPAYMENT CARD PROCESSING
CSU The California State University Office of Audit and Advisory Services PAYMENT CARD PROCESSING California State University, Bakersfield Audit Report 15-42 October 13, 2015 EXECUTIVE SUMMARY OBJECTIVE
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
More informationCentral Piedmont Community College Technology Plan Process vs. Project Request Process
Central Piedmont Community College Technology Plan Process vs. Project Request Process What type of request do I submit? Project or Tech Plan? Project Request Tech Plan You have an idea for a process improvement
More informationPRESENTATION OF INTERNAL AUDIT SERVICES DAVIS CAMPUS. Rick Catalano Director, Internal Audit Services January 2009
PRESENTATION OF INTERNAL AUDIT SERVICES DAVIS CAMPUS Rick Catalano Director, Internal Audit Services January 2009 UC Davis Background Rankings Washington Monthly: 8 th in contributions to society NSF:
More informationGovernance For Compliance The Convergence of Central and Distributed IT Compliance Presented to VASCAN Conference 2009
Governance For Compliance The Convergence of Central and Distributed IT Compliance Presented to VASCAN Conference 2009 JASON C. RICHARDS CHIEF INFORMATION SECURITY OFFICER VIRGINIA COMMUNITY COLLEGE SYSTEM
More informationThis article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.
Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international
More informationApril 2004. Reference Number: 2004-40-088
Information Is Needed to Determine the Effect the Wage and Investment Division Research Program Has on Improving Customer Service and Voluntary Compliance April 2004 Reference Number: 2004-40-088 This
More informationDate: December 17, 2010 Code: TECHNICAL LETTER HR/PCOS 2010-02. To: Human Resources Directors Response By: January 28, 2011
Office of the Chancellor 401 Golden Shore, 4 th Floor Long Beach, CA 90802-4210 562-951-4411 Email: hradmin@calstate.edu Date: December 17, 2010 Code: HR/PCOS 2010-02 To: Human Resources Directors Response
More informationIntroduction to Enterprise Risk Management at UVM DRAFT
Introduction to Enterprise Management at UVM 1 Enterprise What is Enterprise Management? Enterprise risk management is a structured, consistent, and continuous process across the whole organization for
More informationThe University of Texas at Austin BYLAWS OF THE GRADUATE STUDENT ASSEMBLY. ARTICLE I Objectives
The University of Texas at Austin BYLAWS OF THE GRADUATE STUDENT ASSEMBLY ARTICLE I Objectives Section 1. General Objectives 1.1. To represent the views of graduate students to the university community
More informationIndustry Services Quality Management System
Industry Services Quality Management System Canadian Grain Commission Audit & Evaluation Services Final report March, 2012 Table of contents 1.0 Executive summary...2 Authority for audit... 2 Background...
More informationArizona State University. HIPAA Compliance. Audit Report Number 15-08. May 7, 2015
This page left blank intentionally. Summary The Health Insurance Portability and Accountability Act of 1996 (HIPAA) audit was included on the Arizona State University (ASU) FY 2015 annual audit plan approved
More informationThe R ole of Internal Audit in the Control E nvironment
The R ole of Internal Audit in the Control E nvironment Wanda Lynn Riley Chief Audit Executive Audit and Advisory Services University of California, Berkeley Internal auditing is an independent, objective
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationTIER II STANDARD FOR AUDITORS
Job Classification Manual Page 1 of 37 TIER II STANDARD FOR AUDITORS INTRODUCTION 1. This grade level standard illustrates the application of the ICSC Master Standard (Tier I) to a specific field of work
More informationComputer Security Incident Response Team
University of Scranton Computer Security Incident Response Team Operational Standards Information Security Office 1/27/2009 Table of Contents 1.0 Operational Standards Document Overview... 3 2.0 Establishment
More informationEnterprise Risk Management. Breaking Down the Barriers at Emory
Enterprise Risk Management Breaking Down the Barriers at Emory Willis Healthcare Forum Nashville, TN July 10, 2007 Shulamith Klein Senior Director Office of Risk & Insurance Services The Emory Enterprise
More informationInformation Security Plan May 24, 2011
Information Security Plan May 24, 2011 REVISION CONTROL Document Title: Author: HSU Information Security Plan John McBrearty Revision History Revision Date Revised By Summary of Revisions Sections Revised
More information