cio it audit survival tns07

Upload: thomas-danford

Post on 13-May-2015

DESCRIPTION

Presentation on IT audits presented at the 2007 Tennessee Summit on Administrative Computing.

TRANSCRIPT

Page 1: CIO IT Audit Survival TNS07

A CIO’s Survival Guide for an IT Audit

Thomas Danford, CIO, Tennessee Board of Regents

Page 2

Background & Objectives …

- State Audit chose the TBR office as its “pilot” for developing IT Audit plans and procedures for Banner.
- Brief discussion of the various types of audits and how they relate to IT Audits.
- Share with the audience what’s investigated in an IT Audit and how it’s conducted.
- Relay some findings to date.
- Provide some guidance & suggestions for when your institution has its IT Audit.

Page 3

Types of Audits

- Operational Audits examine the use of unit resources to evaluate whether those resources are being used in the most effective and efficient way. They include elements of the other audit types listed below.
- Financial Audits examine accounting and reporting of financial transactions.
- Compliance Audits examine adherence to laws, regulations, policies and procedures.
- Internal Control Reviews focus on the components of major business activities such as payroll and benefits, and their physical security.
- Information Technology (IT) Audits examine the internal control environment of automated information processing systems and how people use those systems.

Page 4

The IT Audit Evaluates …

- System(s) input, output, and processing controls
- Backup & media storage (off-site)
- Disaster preparedness plan (and if it has been tested!)
- System(s) security
- Computer facilities

Page 5

How does the IT Audit Work?

- Kick-off meeting to discuss audit objectives, with delivery of extensive questionnaires.
- Interview & investigative phase based upon responses to questionnaires.
- Exit interview with Q&A on any discovered weaknesses or findings.
- Published Audit Report with weaknesses and/or findings.
- Management response.

Page 6

What Are Auditors Looking For?

- Reportable conditions – are matters that represent a significant deficiency in the design or operation of the internal control structure which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
- Material Weaknesses – are significant deficiencies, or combination of significant deficiencies, that results in more than a remote likelihood that a material control process could be obverted or bypassed.
- Findings – conditions that do adversely affect the institution and may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and for our purposes control weaknesses.

Page 7

Interview & Investigation Areas

- Infrastructure Security & Control
- Application Security & Control
- Disaster Preparedness Plan

Page 8

INFRASTRUCTURE SECURITY & CONTROL: Relates to the design of the campus network system and includes the backbones, routers, switches, wireless access points, access methods and protocols used. Of special interest are the filters & protective measures that govern (1) Internet open access, (2) Intranet controlled access and (3) Secured Access.

Particular areas of interest include:

- Physical security of computer center – Environmental controls, locks, cameras & authorizations to enter.
- Network configuration – Filter & firewall rule-sets and their change processes.
- ID and password rule-sets – Length, character requirements, aging, etc.
- Operating System – File & directory permissions.
- Patch management – Remediation of known exploits.
- Segregation of duties of IT staff.
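The following is an added example, not part of the presentation, showing the kind of evidence check an IT auditor (or a CIO preparing for one) runs against two of the infrastructure items above: the ID/password rule-set (length and aging) and operating-system file and directory permissions. The `login.defs`-style sample, the baseline limits and the observed modes are constructed assumptions; the check logic itself is generic and can be pointed at a real host with `collect_modes`.

```python
"""Added example (not from the presentation): audit checks for password
rule-sets and file/directory permissions. Baselines and samples are assumed."""
import os
import stat

# Constructed sample of a login.defs-style password rule-set (assumption).
SAMPLE_LOGIN_DEFS = """
# password aging controls
PASS_MAX_DAYS   365
PASS_MIN_DAYS   0
PASS_MIN_LEN    6
PASS_WARN_AGE   7
"""

# Assumed baseline the rule-set is compared against (not values from the slides).
PASSWORD_BASELINE = {
    "PASS_MAX_DAYS": ("max", 90),   # rotation at least every 90 days
    "PASS_MIN_DAYS": ("min", 1),    # stop immediate re-change that defeats history
    "PASS_MIN_LEN":  ("min", 12),   # minimum length
    "PASS_WARN_AGE": ("min", 7),    # warn a week before expiry
}


def parse_login_defs(text):
    """Parse KEY VALUE lines, ignoring blanks and comments; numeric values become int."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings[key] = int(value) if value.isdigit() else value
    return settings


def check_password_rules(settings, baseline=PASSWORD_BASELINE):
    """Return (key, actual, expected) findings where the rule-set is weaker than baseline."""
    findings = []
    for key, (kind, limit) in baseline.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, None, f"{kind} {limit}"))
        elif kind == "max" and actual > limit:
            findings.append((key, actual, f"max {limit}"))
        elif kind == "min" and actual < limit:
            findings.append((key, actual, f"min {limit}"))
    return findings


# Sensitive paths and the widest permission bits they may carry (assumed baseline).
PERMISSION_BASELINE = {
    "/etc/shadow": 0o640,
    "/etc/sudoers": 0o440,
    "/var/log/audit": 0o750,
}


def check_permissions(observed_modes, baseline=PERMISSION_BASELINE):
    """observed_modes maps path -> permission bits (as from stat.S_IMODE).
    A path is a finding if it grants any bit the baseline does not allow."""
    findings = []
    for path, allowed in baseline.items():
        mode = observed_modes.get(path)
        if mode is None:
            findings.append((path, None, oct(allowed)))
        elif mode & ~allowed:
            findings.append((path, oct(mode), oct(allowed)))
    return findings


def collect_modes(paths):
    """Read live permission bits for the given paths (missing paths are skipped)."""
    modes = {}
    for path in paths:
        try:
            modes[path] = stat.S_IMODE(os.stat(path).st_mode)
        except OSError:
            pass
    return modes


if __name__ == "__main__":
    for finding in check_password_rules(parse_login_defs(SAMPLE_LOGIN_DEFS)):
        print("password rule-set:", finding)
    # Constructed observation: shadow readable by 'other', audit dir group-writable.
    sample_modes = {"/etc/shadow": 0o644, "/etc/sudoers": 0o440, "/var/log/audit": 0o770}
    for finding in check_permissions(sample_modes):
        print("permissions:", finding)
```

Each finding carries the observed value and the expected one, which is the form an auditor's questionnaire response needs: the weakness, the evidence, and the rule it was measured against.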

Page 9

APPLICATION SECURITY & CONTROL: Relates to the design of the administrative system and includes additional server operating system issues as well as the DBMS and the application that sits on top of both. Heavily scrutinized are users, both functional and technical, and their roles.

Particular areas of interest include:

- Default users and their passwords
- Role based security – Especially as it is set up in the application itself, and access to the native DBMS or OS.
- User accounts and password management – Procedures & signoff for account holders, length, character requirements, aging, etc.
- Software modification – Procedures and segregation of duties in their implementation.
- Patch management – Remediation of known exploits across multiple instances.
- Segregation of duties of IT and functional users.
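As an added example (not from the presentation), the two application-level checks above that an auditor can run directly from exported user and role data: default accounts still enabled with their shipped password unchanged, and users whose role combination breaks segregation of duties. The account records, role names, default-account list and conflict pairs are all constructed assumptions; a real engagement would substitute the application's own role catalogue.

```python
"""Added example (not from the presentation): default-account and
segregation-of-duties checks over exported user/role data. All names are assumed."""

# Constructed account export: enabled?, shipped default password changed?, roles held.
ACCOUNTS = [
    {"user": "admin",   "enabled": True,  "default_pw_changed": False,
     "roles": {"SYS_ADMIN"}},
    {"user": "report",  "enabled": False, "default_pw_changed": False,
     "roles": {"REPORT_VIEW"}},
    {"user": "jsmith",  "enabled": True,  "default_pw_changed": True,
     "roles": {"AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"}},
    {"user": "mlee",    "enabled": True,  "default_pw_changed": True,
     "roles": {"AP_VENDOR_CREATE"}},
    {"user": "dbadmin", "enabled": True,  "default_pw_changed": True,
     "roles": {"DBA", "AP_PAYMENT_APPROVE"}},
]

# Assumed list of vendor-shipped default accounts.
DEFAULT_ACCOUNTS = {"admin", "report", "guest"}

# Assumed segregation-of-duties conflict matrix: no single user may hold both roles.
SOD_CONFLICTS = [
    ("AP_VENDOR_CREATE", "AP_PAYMENT_APPROVE"),  # create a payee and approve payment to it
    ("DBA", "AP_PAYMENT_APPROVE"),               # technical user holding functional approval
    ("DEV_DEPLOY", "CHANGE_APPROVE"),            # developer approving own change
]


def default_account_findings(accounts, defaults=DEFAULT_ACCOUNTS):
    """Default accounts that are still enabled without the shipped password changed."""
    return sorted(a["user"] for a in accounts
                  if a["user"] in defaults and a["enabled"] and not a["default_pw_changed"])


def sod_findings(accounts, conflicts=SOD_CONFLICTS):
    """Enabled users holding both halves of any conflict pair, as (user, role_a, role_b)."""
    findings = []
    for account in accounts:
        if not account["enabled"]:
            continue  # a disabled account cannot exercise the conflict
        for role_a, role_b in conflicts:
            if role_a in account["roles"] and role_b in account["roles"]:
                findings.append((account["user"], role_a, role_b))
    return findings


def provisioning_check(requested_roles, existing_roles, conflicts=SOD_CONFLICTS):
    """Preventive control for the signoff step: conflicts a role request would create."""
    merged = set(existing_roles) | set(requested_roles)
    return [(a, b) for a, b in conflicts if a in merged and b in merged]


if __name__ == "__main__":
    print("default accounts still live:", default_account_findings(ACCOUNTS))
    for finding in sod_findings(ACCOUNTS):
        print("SoD conflict:", finding)
    print("request blocked by:", provisioning_check({"AP_PAYMENT_APPROVE"}, {"AP_VENDOR_CREATE"}))
```

The detective checks (`default_account_findings`, `sod_findings`) answer the auditor's questionnaire; `provisioning_check` is the preventive control that keeps the same finding from recurring, run at account-signoff time before a role is granted.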

Page 10

APPLICATION SECURITY & CONTROL (Top 5 Issues)

- Improper account provisioning with segregation of duties
- Insufficient controls for change management
- A general lack of understanding around key system configurations
- Audit logs not being reviewed (or that review itself not being logged)
- Abnormal transactions not identified in a timely manner
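The last two issues above are the ones a simple, regularly scheduled review pass addresses, so here is an added example (not from the presentation) of one: it parses an application transaction log, flags transactions that fall outside expected patterns, and appends a record of the review itself so that the review is evidenced. The pipe-delimited log format, the business-hours window, the amount threshold and the sample lines are constructed assumptions.

```python
"""Added example (not from the presentation): abnormal-transaction detection
over a transaction log, with the review itself logged. Format and limits assumed."""
from datetime import datetime, time

# Constructed log lines: timestamp|user|action|amount|approver
SAMPLE_LOG = """\
2007-10-05T09:12:44|mlee|AP_PAYMENT|1250.00|jsmith
2007-10-05T23:41:02|jsmith|AP_PAYMENT|9800.00|jsmith
2007-10-06T10:05:17|mlee|AP_PAYMENT|62000.00|dbadmin
2007-10-06T10:06:00|mlee|AP_PAYMENT|4990.00|jsmith
2007-10-06T10:06:30|mlee|AP_PAYMENT|4990.00|jsmith
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed posting window
AMOUNT_THRESHOLD = 50000.0                    # assumed single-approval limit
DUPLICATE_WINDOW_SECONDS = 300                # same payee/amount again within 5 minutes


def parse_log(text):
    """Turn the pipe-delimited lines into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, amount, approver = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                     "amount": float(amount), "approver": approver})
    return rows


def abnormal(rows):
    """Return (row_index, reason) pairs for transactions outside expected patterns."""
    flagged = []
    last_seen = {}  # (user, approver, amount) -> timestamp of the previous occurrence
    for i, row in enumerate(rows):
        reasons = []
        if not (BUSINESS_HOURS[0] <= row["ts"].time() <= BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if row["amount"] >= AMOUNT_THRESHOLD:
            reasons.append("above threshold")
        if row["user"] == row["approver"]:
            reasons.append("self-approved")
        key = (row["user"], row["approver"], row["amount"])
        if key in last_seen and (row["ts"] - last_seen[key]).total_seconds() < DUPLICATE_WINDOW_SECONDS:
            reasons.append("duplicate within 5 minutes")
        last_seen[key] = row["ts"]
        flagged.extend((i, reason) for reason in reasons)
    return flagged


def review(log_text, reviewer, review_log, now):
    """Run the review and append an entry recording who reviewed what and when.
    The appended entry is the evidence that the review happened."""
    rows = parse_log(log_text)
    flagged = abnormal(rows)
    review_log.append({"reviewer": reviewer, "reviewed_at": now.isoformat(),
                       "records": len(rows), "flagged": len(flagged)})
    return flagged


if __name__ == "__main__":
    evidence = []
    for index, reason in review(SAMPLE_LOG, "auditor1", evidence, datetime(2007, 10, 12, 8, 0)):
        print(f"row {index}: {reason}")
    print("review record:", evidence[-1])
```

The review record is appended to a log distinct from the transaction log, so that the question "was the log reviewed, and by whom?" has a documented answer at the next audit.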

Page 11

DISASTER PREPAREDNESS PLAN: The state in which an institution is prepared for disaster. Preparedness involves a plan for avoiding and recovering from a disaster, with preservation and retrieval of records lost by an unexpected catastrophic occurrence.

Particular areas of interest include:

- Backup of critical data – Including frequency, media, where and how far away.
- Printed plans – Kept off site by plan principals with contact lists.
- Recovery processes – Includes not only IT operations but facilities (hot & cold sites).
- Business continuity while IT functions are restored.
- Actual testing of the plan.
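The backup and testing items above are measurable, and an auditor will ask for exactly these numbers. As an added example (not from the presentation), the check below reads a backup catalogue and a record of plan tests and reports which systems miss the expected backup frequency, lack a copy at the required off-site distance, or have never had the plan tested. The policy limits, catalogue entries, distances and test dates are constructed assumptions.

```python
"""Added example (not from the presentation): backup-currency, off-site-distance
and plan-test checks for disaster preparedness. Policy values and data are assumed."""
from datetime import date, datetime, timedelta

# Assumed policy values.
MAX_BACKUP_AGE = timedelta(hours=24)   # nightly backups expected
MIN_OFFSITE_KM = 50                    # an off-site copy must be at least this far away
MAX_DAYS_SINCE_TEST = 365              # plan/restore test at least annually

# Constructed backup catalogue: system -> completed backup records.
CATALOG = {
    "student_db": [
        {"completed": datetime(2007, 10, 11, 2, 10), "media": "tape",
         "site": "campus_vault", "distance_km": 0},
        {"completed": datetime(2007, 10, 11, 4, 30), "media": "tape",
         "site": "offsite_vendor", "distance_km": 180},
    ],
    "finance_db": [
        {"completed": datetime(2007, 10, 8, 2, 0), "media": "disk",
         "site": "campus_vault", "distance_km": 0},
    ],
    "mail": [
        {"completed": datetime(2007, 10, 11, 1, 0), "media": "disk",
         "site": "branch_campus", "distance_km": 12},
    ],
}

# Constructed record of the last plan test per system (None = never tested).
LAST_PLAN_TEST = {"student_db": date(2007, 3, 14), "finance_db": None, "mail": date(2005, 6, 1)}


def backup_findings(catalog, now):
    """(system, finding) pairs for stale backups and missing off-site copies."""
    findings = []
    for system, records in catalog.items():
        if not records:
            findings.append((system, "no backup on record"))
            continue
        latest = max(r["completed"] for r in records)
        if now - latest > MAX_BACKUP_AGE:
            findings.append((system, f"latest backup {now - latest} old"))
        if not any(r["distance_km"] >= MIN_OFFSITE_KM for r in records):
            findings.append((system, "no copy at required off-site distance"))
    return findings


def plan_test_findings(last_tests, today):
    """(system, finding) pairs for plans never tested or tested too long ago."""
    findings = []
    for system, tested in last_tests.items():
        if tested is None:
            findings.append((system, "plan never tested"))
        elif (today - tested).days > MAX_DAYS_SINCE_TEST:
            findings.append((system, f"last test {(today - tested).days} days ago"))
    return findings


if __name__ == "__main__":
    now = datetime(2007, 10, 11, 22, 0)   # constructed review time
    for finding in backup_findings(CATALOG, now):
        print("backup:", finding)
    for finding in plan_test_findings(LAST_PLAN_TEST, now.date()):
        print("plan test:", finding)
```

Distance is tracked per copy rather than per system because a nightly backup held in the same building as the servers satisfies the frequency question but not the "how far away" one; both are separate lines in the questionnaire.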

Page 12

Banner Issues Discovered

As of 10/12/2007

Page 13

Y10K Compliance

Banner cannot handle the switch from the year 9999 to 10000

Page 14

Tips to Make the Audit Go Smoothly

- Avoid making it an “adversarial” engagement
- Provide what’s asked of you
- Document & diagram

Page 15

For Additional Information:

Wikipedia has a good overview of IT auditing at: http://en.wikipedia.org/wiki/Information_technology_audit

Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1992. http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981

Page 16

Thank You

Please share your comments, ideas, suggestions, questions . . .

Thomas Danford
[email protected]
615-366-4451