IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

Transcription

1 IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations IT audit updates current hot topics and key considerations 2 1

2 IT risk assessment leading practices IT audit updates current hot topics and key considerations IT risk assessment leading practices Why is IT risk assessment more vital than ever? There are multiple drivers behind the growing importance of the IT risk assessment: 1 Internal Audit executives continue to be challenged by the Audit Committee and executive management to look around the corner 2 3 Changes in the marketplace and external environment Increased exposure to fraud and financial misstatements Intensified need to assess risk due to globalization, acquisitions and integration Increased regulatory demand Changes in the role of IT within organizations Increased IT programs and projects geared towards improving the business and a large number of those failing or not realizing the intended benefits Effective use of IT resources and technology is pivotal to staying competitive in today s global market Larger group of stakeholders and landscape to be included in the IT risk assessment, beyond the accepted boundaries of the organization IT audit updates current hot topics and key considerations 4 2

3 IT risk assessment leading practices Developing an effective methodology An IT risk assessment methodology needs to be implemented that is simple, integrates with the organization s enterprise risk management approach, and has an effect on the ability of the organizations to achieve its business objectives. Methodology People Knowledge Technology Co-Develop Expectations Risk Assessment Audit Plan Execution Communicate Results Diagnose and conduct the risk assessment process Design the audit plan Input Business unit and control Self-assessments Interviews with executives Changes in laws and regulations Identification IT strategy alignment with business Identify new and emerging risks Assessment Prioritization Population of potential audits Risk-based IT projects Process / system audits Projects and initiative audits Resource allocation Allocate and rationalize resource requirements Reconciliation and finalization Risk-based IT projects Process / system audits Projects and initiative audits X% X% X% Audit Committee and external auditor Input Likelihood, impact, management preparedness Strategic and value audits Strategic and value audits X% 100% What increases confidence in the IT Internal Audit Risk Assessment? Diversity in data, stakeholders and participants leads to greater risk insight Technology, used in the right way, is a game changer Collaborative and embedded within the business IT audit updates current hot topics and key considerations 5 IT risk assessment leading practices Basic vs. leading practice IT risk assessment techniques Components of the IT Risk Assessment Basic Leading Data and Inputs Reviewed IT Internal audit issues IT SOX and external audit issues Data Analytics Analytics run but limited summarization of data Business and IA leadership struggle to spot trends in data Stakeholder Engagement Focus on IT stakeholders Heavy emphasis on home office stakeholders Point in time engagement primarily during annual IT risk assessment IT and business leaders are not trained on risk management Interview/Survey Techniques Inconsistent documentation of interviews Surveys used for SOX 302 certification purposes or not at all Collaboration IT Internal Audit attends interviews with little participation from other risk management functions or operational audit IT Risk assessment viewed as IT Internal Audit s Risk Assessment Audit Prioritization Impact and likelihood utilized for prioritization Audits prioritization based heavily on IT competencies available in IA department Root causes from past IT issues Competitor and peer risks Industry trends 3rd party external IT risk data Analyst reports Risk analytics are based on most critical questions IT, business and IA need to answer Trending and period to period comparisons can identify emerging risks or changes to existing risks Efforts are aligned with other Big Data initiatives Includes operational and global stakeholders beyond IT Risk management is embedded in IT leadership training Risk scenario planning workshops for significant IT risks Continuous dialogue with stakeholders (monthly, quarterly meetings) Risk committee utilized to review risk assessment changes IT subject matter resources participate in select interviews to draw out key risks Surveys used to confirm risk assessment results with lower-level IT management not interviewed Stakeholders self-assess risk based on IT Governance, Risk and Compliance (GRC) solution containing dynamic risk database IT Risk assessment collaboratively developed by Internal Audit (operational and IT) and other risk management functions and IT SOX, external audit and other risk management functions participate in interviews Risk assessment embedded within strategic planning process Categorize IT risks within each of following: availability, confidentiality, integrity, effectiveness, efficiency. Relevance to strategic objectives is utilized to prioritize IT risks Audits executed based on value to organization and connection to strategic objectives Outputs Relatively static internal audit plan Dynamic IT internal audit plan that changes throughout the year and is reset at selected milestones (ex. quarter, trimester, bi-annually) IT audit plan addresses unified framework of all IT compliance needs beyond just SOX (e.g. PCI, FISMA, HIPAA, ISO27001, etc.) External audit IT audit plan and IA reliance strategy integrated and optimized IT audit updates current hot topics and key considerations 6 3

4 IT risks to consider in your audit plan IT audit updates current hot topics and key considerations IT risks to address Information Security Mobile Cloud Segregation of duties/identity and access management Date Loss Prevention & Privacy Business Continuity Management IT Risk Management Program Risk Software/IT Asset Management Social Media Risk Management IT audit updates current hot topics and key considerations 8 4

5 Information security The gap is being driven by the following issues: lack of alignment with the business, identifying resources with the right skills and training, immature processes and architecture, and the emergence of new and evolving technologies The audits that make an impact Information security program assessment Evaluate the organization s information security program, including strategy, awareness and training, vulnerability assessments, predictive threat models, monitoring, detection and response, technologies and reporting. Threat and vulnerability management program assessment Evaluate the organization s threat and vulnerability management (TVM) program including threat intelligence, vulnerability identification, remediation, detection, response, and countermeasure planning. Vulnerability assessment Audit should perform, or make certain IT performs, a regular attack and penetration (A&P) review. These should not be basic A&Ps that only scan for vulnerabilities. Today we suggest risk-based and objectivedriven penetration assessments tailored to measure the company s ability to complicate, detect and respond to the threats that the company is most concerned about. Key questions to evaluate during audit How comprehensive of an information security program exists? Is information security embedded within the organization, or is it an IT only responsibility? How well does the organization self-assess threats and mitigate the threats? How comprehensive of a threat and vulnerability management program exists? Is the threat and vulnerability management (TVM) program aligned with business strategy and the risk appetite of the organization? Are the components of TVM integrated with one another, as well as with other security and IT functions? Do processes exist to address that identified issues are appropriately addressed and remediation is effective? What mechanisms are in place to complicate attacks the organization is concerned about? What vulnerabilities exist and are exploits of these vulnerabilities detected? What is the organizations response time when intrusion is detected? IT audit updates current hot topics and key considerations 9 Mobile The advancement in mobile technology has introduced new challenges for the enterprise, including: Potential loss or leakage of important business information Security challenges given range of devices, operating systems, and firmware limitations and vulnerabilities Theft of the device due to the small size Compliance with state, federal and international privacy regulations that vary from one jurisdiction to another as employees travel with mobile devices Navigation of the gray line on privacy and monitoring between personal and company use of the device The audits that make an impact Mobile device configuration review Identify risks in mobile device settings and vulnerabilities in the current implementation. This audit would include an evaluation of trusted clients, supporting network architecture, policy implementation, management of lost or stolen devices, and vulnerability identification through network accessibility and policy configuration. Mobile application black box assessment Perform audit using different front-end testing strategies: scan for vulnerabilities using various tools, and manually verify scan results. Attempt to exploit the vulnerabilities identified in mobile web apps. Key questions to evaluate during audit How has the organization implemented bring your own device (BYOD)? Are the right policies/mobile strategies in place? Are mobile devices managed in a consistent manner? Are configuration settings secure and enforced through policy? How do we manage lost and stolen devices? What vulnerabilities exist, and how do we manage them? What vulnerabilities can be successfully exploited? How do we respond when exploited, and do we know an intrusion has occurred? Mobile application gray box assessment Combine traditional source code reviews (white box testing) with front-end (black box) testing techniques to identify critical areas of functionality and for symptoms of common poor coding practices. Each of these hot spots in the code should be linked to the live instance of the application where manual exploit techniques can verify the existence of a security vulnerability. How sound is the code associated with the mobile applications used within the organization? What vulnerabilities can be exploited within the code? IT audit updates current hot topics and key considerations 10 5

6 Cloud The move to the cloud has outpaced the organization s ability to understand the following risks: Providers not living up to service level agreements (SLAs), resulting in cloud architecture or deployment challenges Evolving cloud standards increasing the risk that a company s systems won t work with the provider s Legal and regulatory risk in how information is handled in the cloud Information security and privacy risks around the confidentiality, integrity and availability of data Cloud adoption and change management within an organization The audits that make an impact Cloud strategy and governance audit Evaluate the organization s strategy for utilizing cloud technologies. Determine if the appropriate policies and controls have been developed to support the deployment of the strategy. Evaluate alignment of the strategy to overall company objectives and the level of preparedness to adopt within the organization. Cloud security and privacy review Assess the information security practices and procedures of the cloud provider. This may be a review of their SOC 1, 2 and/or 3 report(s), a review of their security SLAs and/or an on-site vendor audit. Determine if IT management worked to negotiate security requirements into their contract with the provider. Review procedures for periodic security assessments of the cloud provider(s), and determine what internal security measures have been taken to protect company information and data. Cloud provider service review Assess the ability of the cloud provider to meet or exceed the agreed-upon SLAs in the contract. Areas of consideration should include technology, legal, governance, compliance, security and privacy. In addition, internal audit should assess what contingency plans exist in case of failure, liability agreements, extended support, and the inclusion of other terms and conditions as part of the service contracts, as well as availability, incident, and capacity management and scalability. Key questions to evaluate during audit Is there a strategy around the use of cloud providers? Are there supporting policies to follow when using a cloud provider? Are policies integrated with legal, procurement and IT policies? Has a business impact assessment been conducted for the services moving to the cloud? Does your organization have secure authentication protocols for users working in the cloud? Have the right safeguards been contractually established with the provider? What SLAs are in place for uptime, issue management and overall service? Has the cloud provider been meeting or exceeding the SLAs? What issues have there been? Does the organization have an inventory of uses of external cloud service providers, both sponsored within IT or direct by the business units? IT audit updates current hot topics and key considerations 11 Segregation of duties/identity and access management While segregation of duties (SoD) is considered to be a fundamental control for which organizations have developed strong processes, the complexity of today s enterprise systems leaves many companies struggling This SoD challenge is compounded by the following: The lack of investment in identity and access management or governance, risk and compliance tools Poor visibility to cross system segregation of duties and Reliance on costly and time intensive manual controls The audits that make an impact Systematic segregation of duties review audit Evaluate the process and controls IT has in place to effectively manage segregation of duties. Perform an assessment to determine where segregation of duties conflicts exist and compare to known conflicts communicated by IT. Evaluate the controls in place to manage risk where conflicts exist. Role design audit Evaluate the design of roles within ERPs and other applications to determine if inherent SoD issues are embedded within the roles. Provide role design, role cleanup or role redesign advisory assistance and pre- and post-implementation audits to solve identified SoD issues. Segregation of duties remediation audit Follow up on previously identified external and internal audit findings around SoD conflicts. Key questions to evaluate during audit How does IT work with the business to identify cross-application segregation of duties issues? Does business personnel understand ERP roles well enough to perform user access reviews? While compensating controls identified for SoD conflicts may detect financial misstatement, would they truly detect fraud? Does the organization design roles in a way that creates inherent SoD issues? Do business users understand the access being assigned to roles they are assigned ownership of? Does the organization take appropriate action when SoD conflicts are identified? Have we proactively addressed SoD issues to prevent year-end audit issues? IAM/GRC technology assessment Evaluate how IAM or GRC software is currently used, or could be used, to improve SoD controls and processes. Is IAM or GRC software currently used effectively to manage SoD risk? What software could be utilized to improve our level of SoD control, and what are our business requirements? IT audit updates current hot topics and key considerations 12 6

7 Data loss prevention and privacy The vast majority of privacy incidents result from the actions of internal users and trusted third parties, and most have been unintentional During the last decade, significant changes in the approach to privacy have escalated the tension between individuals and organizations. This tension appears in two distinct areas: the market s redefinition of privacy management; and technology s redefinition of privacy invasion. The audits that make an impact Data governance and classification audit Evaluate the processes management has put in place to classify data, and develop plans to protect the data based on the classification. Key questions to evaluate during audit What sensitive data do we hold what is our most important data? Where does our sensitive data reside, both internally and with third parties? Where is our data going? DLP control review Audit the controls in place to manage privacy and data in motion, in use and at rest. Consider the following scope areas: perimeter security, network monitoring, use of instant messaging, privileged user monitoring, data sanitation, data redaction, export/save control, endpoint security, physical media control, disposal and destruction, and mobile device protection. Privacy regulation audit Evaluate the privacy regulations that affect the organization, and assess management s response to these regulations through policy development, awareness and control procedures. What controls do we have in place to protect data? How well do these controls operate? Where do our vulnerabilities exist, and what must be done to manage these gaps? How well do we understand the privacy regulations that affect our global business? For example, HIPAA is potentially a risk to all organizations, not just health care providers or payers. Do we update and communicate policies in a timely manner? Do users follow control procedures to address regulations? IT audit updates current hot topics and key considerations 13 IT SOX considerations and risks IT audit updates current hot topics and key considerations 7

8 IT SOX considerations Applying a risk-based approach when planning an IT audit Determining the in-scope IT applications Determining the categories of IT General Controls (ITGCs) that are relevant for which ITGCs are to be evaluated Logical access Change management IT operations Determining the relevant ITGCs for the selected components of the applications for which ITGCs are to be evaluated IT audit updates current hot topics and key considerations 15 IT SOX considerations When are IT applications considered to be in scope for the audit? When they support: Application and IT-dependent manual controls that support initiation, recording, processing, correcting (as necessary) and reporting of the financial statements Significant disclosure processes by which transactions, events or conditions required to be disclosed by the applicable reporting framework are accumulated, recorded, processed, summarized and appropriately reported in the financial statements The production of Electronic Audit Evidence prepared by the entity and used as audit evidence IT audit updates current hot topics and key considerations 16 8

9 IT SOX considerations What factors are used to determine an efficient audit approach? The number of application and IT-dependent manual controls identified for each IT application The extend of EAE generated by each application The extent to which the entity has ITGCs implemented and evidenced Whether there are multiple IT applications identified within a significant class of transaction (SCOT) or significant disclosure process that produces EAE Whether the are sufficient financial statement, non-itdm controls that address the risks of the entity using IT in the SCOT or significant disclosure processes IT audit updates current hot topics and key considerations 17 IT SOX considerations How do we determine the relevant ITGC categories for each in-scope application? ITGC categories are considered to be in scope when one or more of the risks they address may cause a material misstatement to the financial statements Logical access Manage change IT operations IT audit updates current hot topics and key considerations 18 9

10 IT SOX considerations How do we determine what IT components are relevant to the audit? GAM defines five technical components within each IT environment: Application Database Operating system Network Internet/report access IT audit updates current hot topics and key considerations 19 Other IT SOX considerations and risks IT SOX consideration Testing of Electronic Audit Evidence (EAE) Service organizations Automated controls Risk ITGCs are not performed on the relevant application that supported the identified EAE EAE is not tested for completeness and accuracy Failure to consider and test the controls at service organizations that is in scope for the audit Failure to address differences between SOC 1 reporting period and audit period The test of one may not cover all applicable scenarios Incomplete testing of automated controls Embedded vs. configurable controls Management override might not be properly addressed Management review controls Common processes Insufficient testing of management review controls: Not testing all attributes and addressing precision Not testing controls to determine completeness and accuracy of underlying data Insufficient procedures to conclude on whether systems and controls were designed and implemented consistently IT audit updates current hot topics and key considerations 20 10

11 COSO 2013 and IT considerations IT audit updates current hot topics and key considerations What remained the same The cube Five components of internal control The core definition of internal control Requirement to consider the five components to assess the effectiveness of a system of internal control Emphasis on the importance of management judgment in designing, implementing, and conducting internal control, and in assessing the effectiveness of a system of internal control IT audit updates current hot topics and key considerations 22 11

12 One of the big changes in the 2013 framework Principles-based approach While the 1992 version implicitly reflected the core principles of internal controls, the 2013 version explicitly states 17 principles that represent the concepts associated with each of the five components The new framework presumes that all 17 principles must be present and functioning in an effective system of internal control IT audit updates current hot topics and key considerations principles defined 1. Control environment 2. Risk assessment 3. Control activities 4. Information and communication 5. Monitoring 1. Demonstrates commitment to integrity and ethical values 2. Board of Directors demonstrates independence from management and exercises oversight responsibility 3. Management, with Board oversight, establishes structure, authority and responsibility 4. The organization demonstrates commitment to competence 5. The organization establishes and enforces accountability 6. Specifies relevant objectives with sufficient clarity to enable identification of risks 7. Identifies and assesses risk 8. Considers the potential for fraud in assessing risk 9. Identifies and assesses significant change that could impact system of internal control 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures 13. Obtains or generates relevant, quality information 14. Communicates internally 15. Communicates externally 16. Selects, develops and performs ongoing and separate evaluations 17. Evaluates and communicates deficiencies Principles in the framework IT audit updates current hot topics and key considerations 24 12

13 Principles 11 and 13 IT General Controls principle Principle 11: The organization selects and develops general control activities over technology to support the achievement of objectives Specific information and communication principle related to information quality Principle 13: The organization obtains or generates and uses relevant, quality information to support the functioning of internal control IT audit updates current hot topics and key considerations 25 Deficiency evaluation An effective system of internal control requires that: Each of the five components of internal control and all relevant principles are present and functioning The five components are operating together in an integrated manner Principles are fundamental concepts associated with components If a relevant principle is not present and functioning, the associated component cannot be present and functioning Controls will need to be mapped to the 17 principles and deficiencies will need to be evaluated in the context of the 17 principles Renewed focus on IT deficiencies IT audit updates current hot topics and key considerations 26 13

14 Questions? IT audit updates current hot topics and key considerations 27 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization and may refer to one or more of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com EYGM Limited. All Rights Reserved ey.com 14