Collaborative Relationship Between IT and Internal Auditing
Presented by:
Robert Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech
President, Association of College & University Auditors
[email protected] (404) 894-4606 / fax (404) 894-6990
www.audit.gatech.edu
Robert N. Clark, Jr., CIA, CBM, Director of Internal Auditing, Georgia Tech, June 2003
Opportunities for Collaboration:
1. Assessing Risk
2. Advising IA on audit coverage
3. Feedback to IT on effectiveness of IT policy
4. Input to IT on recommended controls, procedures, and best practices
5. Cooperation with response to Information Security incidents
Reporting Structure at GIT (organization chart; positions shown):
- Board of Regents: Vice Chancellor for Audit Services
- President
- Provost; Sr. VP Admin & Finance
- Director of Internal Auditing
- Executive Staff
- CIO
- Director, Info Security
Internal Audit Primary Mission: Four Potential Orientations

A two-by-two matrix of APPROACH (Passive / Active) against SCOPE (Internal Control* / Business Performance):

DETECTION (Passive approach, Internal Control scope)
• Focus on examination of past transactions
• Report past problems and recommend solutions
• Maintain rigid independence

PREVENTION (Active approach, Internal Control scope)
• Active promotion of internal control agenda
• Recommending preventive measures to the campus unit and advice in making changes
• Maintain objectivity while eliminating unnecessary organizational barriers

ADVISORY (Passive approach, Business Performance scope)
• Defining process improvement opportunities, if seen
• By-product of internal control assessment but not focusing on internal controls
• Moving away from compliance auditing (dangerous position…)

SOLUTION (Active approach, Business Performance scope)
• Target process improvements as a key goal
• Focus on Assessing Risk and Management’s Mitigation of Risk
• Work toward implementation of cost-beneficial internal controls & compliance
• Teamwork approach while maintaining objectivity and independent perspective

*Defined along the lines of COSO’s Integrated Framework
Internal Audit’s Role…
…it’s more than counting beans...
Assessing Risk… Internal Audit’s role:
• Identify key risks of the organization
• Look at all areas of exposure, not just financial
• Focus on the issues that matter most in safeguarding the assets of the Institute
• Develop audit procedures to examine high risk areas and verify strength of processes to mitigate risks
• Provide feedback to mgmt on effectiveness of policies and procedures
• Promote awareness of policies and best practices
• Help bring Management together on key risks
• Develop organizational approach to managing risk
What is RISK?
… Anything that could prevent the organization from meeting its goals
Assessing Risk – with Management
• Talk with all members of Senior Management (one-on-one discussions)
• Ask key questions, such as:
  “Where are potential exposures?”
  “What keeps you up at night?”
  “Where do you see risks for your unit and GIT?”
  “What are some of the potential adverse situations that could occur within…?”
• Goal is to identify and inventory RISKS
Assessing Risks:
Description of adverse situation that could occur
Potential impact if this situation were to occur (1-5)
x Probability of this situation occurring (1-5)
= Risk Ranking
Risk Discussion Tool

Columns:
- Campus Unit
- Area(s) in which there may be risk
- Description of what a significant adverse condition could be
- Potential impact if a significant adverse condition were to occur [scale of 1 (low) to 5 (high)]
- Probability of the impact(s) [scale of 1:5]
- Risk rating [impact X probability]
- Comments/Factors for consideration

Risk areas (one row each):
- Financial
- Legal & Regulatory
- Public Relations
- Information Security
- Health & Safety
- Effectiveness & Efficiency
- Human Resources
Audit Risk Universe
Audit Focus -- Zeroing In
• Information Gathering
• Monitoring/General Awareness (committees)
• Informal Reviews (surveying internal control)
• Risk-Based Audits (processes & risk)
• Audits of compliance & controls
• Process Improvement (reengineering)
• Strategy/Solution Development; Partnering w/ Mgmt. as Key Resource
Identifying Unit-level Information Systems Risks
• Logical Security
• Environmental and Physical Controls
• Data Security and Stewardship
• Management of IS Resources
• Equipment Maintenance
• Back-up and Recovery
• Training and Documentation
• Operations/Administration
• Web Site Operation/Development
• Software Licensing
IT Advising IA on audit coverage…
• CIO, Director of Information Security, and others in IT review drafts of audit programs, in some cases helping to draft audit steps (“What would you, as CIO, look for if you were conducting these reviews?”)
• IT provides further insight, clarification, and direction to auditors
• Internal Auditing seeks IT’s opinion/support regarding feasibility of audit recommendations
• Ultimately, Internal Auditing’s decision – but collaborating with IT to ensure the most effective coverage of IT risks throughout the organization
The Audit Plan
• Focus on reviewing how each organization is moving toward effectively and efficiently mitigating each of the risks
• Independent verifications & attestations to determine strength of processes
• Conclusions are forward-looking - how well positioned are they to deal with risk?
Feedback to IT…
• Reports go not only to the unit head but to senior management (including CIO) to show where opportunities for improvement exist
• Direct communication with CIO regarding areas in which more training/education/guidance or IT focus should be provided to campus units
• IA offers advice to senior mgmt on areas for policy enhancement
Recommended best practices…
• IA provides trend analysis summaries to senior management (including CIO) showing common areas across campus requiring improvement
• Leads to targeted plans for action aimed at addressing the specific issues (as opposed to blanket policies which may be unnecessarily onerous)
Recommended procedures…
• President assembled committee (chaired by CIO) to revise Computer Network Usage Policy
• VP for Finance, VP for HR, Chief Legal Advisor, Director of Internal Auditing, Associate Dean, Student Govt. rep, & others
• [Note: IA’s role was not to “set” policy, rather to advise committee on key areas the policy should address]
Responding to Info Security Incidents
Information on an incident may come from a variety of sources:
• OHR – personnel-related complaint
• Legal Affairs – person seeking legal advice
• Financial Services – questionable transaction(s)
• Campus Police – allegation of illegal behavior
• Information Security – analysis of questionable traffic or use, spurious bandwidth usage, intrusion detection system reports, etc.
• Internal Auditing – information discovered during audit; Fraud, Waste, & Abuse Hotline; etc.
Responding to Info Security Incidents
Challenge: ensuring a consistent approach to dealing with incidents
Risk: If investigation not handled appropriately or consistently, puts Institute at risk
Solution: IA recommended creation of ad-hoc task force and procedure to address Info Security incidents
Georgia Tech Dept. of Internal Auditing - Office of Information Technology - Information Security Collaborative Diagram
(Diagram: http://www.audit.gatech.edu/IAcollabrative2.wmf, Monday, March 31, 2003)

Event or Incident Requiring Collaboration

Ad-Hoc Group Convenes:
o Director of Internal Auditing
o Chief Legal Advisor
o Associate VP - Office of Human Resources
o Associate VP - Office of Information Technology
o Director of Information Security

Determine Resources. Other Resources to be Considered:
o Director of Campus Security (Police)
o Associate VP Financial Services
o Director of Institute Communications
o Unit Head of Affected Area
o Chief Technology Officer

Determine Potential Outcome: Legal Action / Administrative Outcome

Determine Lead:
- Coordination of Efforts
- Determine Custodians of Data
- Responsibility for Reporting (As Required)

Determine Scope:
- Review Method: Intrusive / Non-Intrusive
- Investigation: Level of Forensics

Conduct Investigation

Communication of Results
Step 1
• Incident is brought to attention of a member of mgmt
• He/She convenes Ad-Hoc Group [CIO, AVP-OHR, Chief Legal Advisor, Director Internal Auditing, Director of Information Security]
• “What do we know now?” Group shares info to determine other resources that may need to be involved (e.g., Director Campus Security, AVP-Financial Services, Director Institute Communications, Chief Technology Officer, head of affected unit, etc.)
• Group determines needed resources
Step 2
• Group makes a determination on the potential outcome
• E.g., if the situation/allegations are proven true, will this likely result in (1) legal action, or (2) administrative/personnel action only?
• This determines procedures to be followed in conducting the investigation and the standard of evidence to which to adhere
• Also determines whether law enforcement should be notified and/or involved
Step 3
Group determines who will take the lead in facilitating the investigation. This person:
• Coordinates efforts, arranges meetings, initiates status reporting
• Initiates status reporting to the Office of the President
• Determines appropriate custodian of investigation data
• Facilitates reporting at the end of investigation
Step 4
• Investigation is conducted following appropriate procedures agreed to by Group
• Regular communication with Group on status, observations, noteworthy issues
• Report is produced by the facilitator and reviewed (if necessary) by Group to ensure all are aware of key issues
Step 5
Group re-convenes to:
• evaluate effectiveness of process;
• document “lessons learned”; and
• discuss ways the situation may be prevented in the future, e.g.,
  – Additional audit steps to examine for this elsewhere?
  – Need for policy enhancement?
  – Need for additional education/awareness?
Results of Collaborative Approach
• IA and IT aligned on areas of high risk
• Common approach for responding to Information Security incidents
• IT becomes source of “education and awareness” for IA
• IA able to represent organizational perspective on IT issues across campus to audiences to which IT would not normally have access
• IA provides independent and objective feedback to IT on effectiveness of IT policies and procedures (within OIT and across the campus)
• Combining perspectives to establish best practices for Information Systems across organization