it auditing and the challenge of new technologies june 16, 2011 presented by: jay bowman, cisa, cism
TRANSCRIPT
IT Auditing and the Challenge of New
Technologies
June 16, 2011
Presented by: Jay Bowman, CISA, CISM
•Evolution of technology and its applications
•What this means in terms of opportunities
•What this means in terms of risks
•What this means in terms of providing internal audit coverage.
•Actions you and your institution can take
This Morning’s Topics
2
The rapid changes in technology during our lifetimes has made possible services our parents couldn’t even dream of.
•Building Blocks
•Computers
•Telephones
•Technology-Based Services
Evolution of Technology
3
Technology Building Blocks
4
Technology Building Blocks
5
Technology Building Blocks
6
Technology Building Blocks
7
Technology Building Blocks
8
Technology Building Blocks
9
Computers
10
Computers
11
Computers
12
Computers
13
Computers
14
Computers
15
Computers
16
Computers
17
Computers
18
Telephones
19
Telephones
20
Telephones
21
Telephones
22
Telephones
23
Telephones
24
Telephones
25
Telephones
26
Telephones
27
Telephones
28
Telephones
29
Telephones
30
Telephones
31
The Atlanta Payments Project
Technology-Based Services
32
The Atlanta Payments Project
•Electronic Payments Services
•Implementation Considerations and Obstacles
Technology-Based Services
33
The Atlanta Payments Project
• Electronic Payments Services• Check Authorization• Telephone Banking• Point-of-Sale Transactions• Automated Clearinghouse (ACH)• Check Truncation
Technology-Based Services
34
The Atlanta Payments Project
• Implementation Considerations & Obstacles• Technology
• Storage Limitations and Costs• Communications Speeds and Costs• Processor Speeds and Costs
• Consumer Acceptance
Technology-Based Services
35
•Storage Limitations and Costs
Considerations and Obstacles
36
•Communications Speeds and Costs
Considerations and Obstacles
37
•Processor Speeds and Costs
Considerations and Obstacles
38
• Consumer Acceptance
Considerations and Obstacles
39
• Consumer Acceptance
Older consumers are generally much slower to adopt new technology/services.
Considerations and Obstacles
40
• Consumer Acceptance
Considerations and Obstacles
41
The Atlanta Payments Project
• Electronic Payments Services• Check Authorization• Telephone Banking• Point-of-Sale Transactions• Automated Clearinghouse (ACH)• Check Truncation
Technology-Based Services
42
• Check Authorization
Technology-Based Services
43
• Check Authorization
Technology-Based Services
44
• Telephone Banking
Technology-Based Services
45
• Point-of-Sale Transactions
Technology-Based Services
46
• Automated Clearinghouse (ACH)
Technology-Based Services
47
• Check Truncation
Technology-Based Services
48
What does all this mean in terms of IT internal audit?
_____________
49
What does all this mean in terms of IT internal audit?
_____________
50
New technologies carry the same risks challenges and rewards as the old
technologies!
_____________
51
New technologies carry the same risks challenges and rewards as the old
technologies!And the same audit requirements!
_____________
52
First, what we’re really talking about is new applications of existing technologies.
• Cloud Computing
• Mobile Banking
New Technologies?
53
Cloud Computing
54
The “new” cloud computing is an evolution of the “old” distributed computing
• Relies on the Internet instead of private networks
• All resources may not be “owned” or “controlled” by the user of the cloud
Cloud Computing
55
Cloud Computing
56
An evolution the “old” telephone banking
• Un-tethered
• Technology and cost impediments disappearing
• Potential limited only by imagination and the ability of management to allocate time to plan,
implement and market
Mobile Banking
57
Mobile Banking
58
Mobile Banking
59
Mobile Banking
60
Mobile Banking
61
• Reduce (or keep the lid on) costs
• Attract new members
• Retain existing members
Opportunities
62
• Increased costs (without corresponding increases in members and/or revenues)
• Loss of members
• Security and/or privacy breaches
• Access control
• Regulatory criticism
Risks
63
How do we audit the new technology applications?
_____________
64
By following the same
methodical, risk-based approach
that has successfully been applied
in earlier phases
of the evolution of
technology and its applications.
How do we audit the new technology applications?
65
• To provide “appropriate” Information Technology (IT) coverage that complements internal audits of financial and operational areas in a timely and cost-effective manner.
• To present complex technical findings in business terms that Management and Directors can understand and properly respond to.
The Challenges
66
• Internal Auditor performs IT audits• Full-time IT internal auditor on staff• Co-source IT internal audits• Rely on external auditors• Other
The Alternatives
67
• Internal Auditor performs IT audits• Full-time IT internal auditor on staff• Co-source IT internal audits• Rely on external auditors• Other
The Alternatives
68
• Adequacy of Coverage– Subject Matter Expertise– Depth of coverage– Availability of time
• Maintenance of Requisite Knowledge• Awareness of Best Practices• Continuity/Institutional Knowledge• Regulatory Environment• Cost
Issues Surrounding Alternatives
69
• Risk Assessment
• IT Internal Audits
• Monitoring and Follow-up
IT Audit Approach
70
• IT Internal Audit Risk Assessment
IT Audit Approach
71
• Risk Categories– Financial– Operational– Technology– Reputational– Regulatory Compliance
• Evaluation Process/Management Involvement• Risk Ratings/Allocation of Resources
IT Internal Audit Risk Assessment
72
• Risk Categories– Financial– Operational– Technology– Reputational– Regulatory Compliance
• Evaluation Process/Management Involvement• Risk Ratings/Allocation of Resources
IT Internal Audit Risk Assessment
73
IT Risk Assessment Model is composed of nine major dimensions:
– Strategy and Planning– Outsourced Vendor Management– Disaster Recovery/Business Continuity Planning– Infrastructure Support and Maintenance– Information Security– Systems Development & Maintenance– Systems Support & Operations– Governance– Critical Applications
IT Risk Assessment Model
74
Planning is critical to ensure that IT goals support the overall goals of the institution
Strategy and Planning
75
Planning is critical to ensure that IT goals support the overall goals of the institution
• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)
Strategy and Planning
76
Planning is critical to ensure that IT goals support the overall goals of the institution
• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)
• Short-range IT (annual) plans describe the implementation steps/ projects, identifies appropriate resources, and includes detailed budgets.
Strategy and Planning
77
Planning is critical to ensure that IT goals support the overall goals of the institution
• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)
• Short-range IT (annual) plans describe the implementation steps/ projects, identifies appropriate resources, and includes detailed budgets.
• Plans should consider technological changes and opportunities, and will define the information systems architecture for the institution.
78
Strategy and Planning
Planning is critical to ensure that IT goals support the overall goals of the institution
• IT strategy and plans should be formalized and aligned with the institution’s business and strategic goals (3 years and up)
• Short-range IT (annual) plans describe the implementation steps/ projects, identifies appropriate resources, and includes detailed budgets.
• Plans should consider technological changes and opportunities, and will define the information systems architecture for the institution.
• Progress against the plans is monitored by senior management
79
Strategy and Planning
Management of the institution retains responsibility regardless of whether functions are outsourced
• A VM policy establishing ownership and procedures has been approved by the Board
• Risk assessments are performed prior to outsourcing• Vendor evaluation and selection procedures are formalized• Standard for contracts and service level agreements have been
established• Existing service providers are reviewed and monitored• A VM program report is presented annually to the Board
80
Outsourced Vendor Management (VM)
The institution has developed and documented a comprehensive IT Disaster Recovery Plan and associated Business Continuity Plans.
• The Plan includes a Risk Assessment of likely threat scenarios• Threat scenarios address impact on systems, facilities and people• Business Impact Analyses (BIAs) have been prepared for all
departments and functions• Qualified personnel are responsible for maintaining the Plan current• The plan is tested regularly with feedback to address “failures”• The Board receives an annual report on the plan and testing results
Disaster Recovery/Business Continuity Planning
81
Infrastructure Support and Maintenance includes those components of information technology, which support computer operations and business applications and consist of:
• Operating Systems• Networks• Databases• Hardware• Software
82
Infrastructure Support and Maintenance
The institution has resources and procedures in place to provide a stable, serviceable IT environment
• A current and complete inventory of hardware, software, and network (data and voice) devices is maintained
• Qualified resources monitor and maintain the network infrastructure• There is a formal plan to ensure the IT infrastructure is stable, and meets
business requirements in terms of cost, availability, scalability, redundancy, interoperability, functionality etc.
• There is formal equipment maintenance plans for all hardware, software, and network devices
• Monitoring mechanisms are in place to alert management of device and system failures.
• There are service contracts to provide back-up equipment and assistance in the event of an infrastructure failure.
Infrastructure Support and Maintenance
83
Information security policies, procedures, standards, and guidance and/or the information security architecture will define how security features and functionality are to be administered.
• Tools and Techniques• Access Restrictions• Authentication• Password Strengths• Security Monitoring and Logon Attempts
Information Security
84
The institution has resources and procedures in place to appropriately secure infrastructure and information•There is a Board-approved information security policy. •The policy has been distributed to all employees who annually sign an affirmation of their understanding•There is an information security officer who is independent of IT functions.•Users are assigned formal roles/profiles for the network and system that are based on job responsibilities.•The organization maintains virus detection software for all workstations and servers •There have been no security breaches.
Information Security
85
Many institutions do not develop or maintain applications in-house. For those institutions that do develop software, the areas of focus consist of:
• Systems Development Life Cycle (SDLC)
• Application Version Control
• Change Control Procedures
• User Acceptance Testing
Systems Development & Maintenance
86
The institution has the necessary organization, tools and procedures to ensure reliable systems are developed timely and securely
• The institution has adopted a Systems Development Life Cycle (SDLC) methodology
• There is a centralized Project Management function to coordinate and manage IT resources across the institution.
• Separate environments are maintained for testing new systems and/or system enhancement and modifications.
• A controlled process is used to move changes into production
Systems Development & Maintenance
87
Those IT functions that support processing:
• Job Scheduling
• Data and Software Back-up
• Production Control
• Media Management
• Help Desk
• Procedural Documentation
• Anti-virus Measures
System Support and Operations
88
The institutions has the organization, tools and procedures to scheduled and operate systems timely and reliably•An Operations Procedural Manual has been developed which includes escalation procedures to be performed in the event of a systems failure.•Automated job schedulers ensure batch jobs are processed timely and in the correct order.•Monitoring devices ensure operational failures are detected for corrective action. Production failures are recorded and analyzed.•All software and data are back-up on a routine basis•An Operations Committee meets regularly to review systems performance agaiand discuss ways to improve overall operations.•A centralized help desk responds to system problems.
System Support and Operations
89
IT policies and practices should align with applicable statutory and regulatory guidance such as:
• HIPAA (personnel-related requirements)
• Sarbanes-Oxley (not credit unions…yet)
• Gramm-Leach-Bliley Act
• NCUA guidance
• FFIEC IT Handbooks
Governance
90
The institution has the organization, tools and procedures to ensure compliance with applicable guidance•The institution has developed a process to identify IT statutory and regulatory requirements.•An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.•Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually•An IT Control Self Assessment Process to evaluate compliance with documented IT Policies and Procedures.•A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.
Governance
91
For applications critical to its mission and ongoing operations, the institution has instituted appropriate procedures and controls.•The institution had developed and maintains an inventory of mission critical applications
•The organization has identified and/or developed specific controls for each critical applications related to:
– Security
– Data Validation and Control
– Error Processing
– Interface Controls
– Accounting Controls
– Error Reporting
– System Testing
•A Systems Control Self Evaluation is periodically performed for each critical system.
Critical Applications
92
• IT Internal Audits
IT Audit Approach
93
• Derived from Risk Assessment– Specific Audits/Frequency
• IT audits are sequenced and cycled based on relative risk• Timetable for Deliverables
– Other Considerations• Alignment with financial / operational audit plan• Significant Change (e.g. new processing system)• Support of External Auditors• Key Management/Staff Availability• Regulatory Examination Schedule
• Major issue: Granular IT audits vs. “IT General Controls” audit
IT Internal Audit Schedule
94
• Risk assessment results• Size of institution and IT shop• Infrastructure complexity• In-house vs. outsourced core processing• Regulatory atmosphere and guidance• Available funding
General Controls vs. Granular
95
• Core Application Admin & Security
• Network Admin & Security
• e-Banking/Mobile Banking
• Computer Operations
• Disaster Recovery/Business Continuity
• Third-Party Vendor Management
• GLBA 501(b) Customer Information Privacy
• FedLine Advantage
IT Internal Audits
96
• Logical Access Controls– Procedures for granting, removing and changing access– Review sample of access control requests– Test for separated employees still on system– Evaluate granting of administrator/high-level access
• New Releases and Fixes– Timely installation– Appropriate user testing and signoff– Updating of IT and user documentation
• System-specific requirements– Changing default IDs and passwords– Tailoring system settings
• Review and Action upon System Exception Reports
Core Application Admin & Security
97
• Logical Access Controls– Procedures for granting, removing and changing access– Review sample of access control requests– Test for separated employees still on network– Evaluate granting of administrator/high-level access
• New Equipment, Software Releases and Fixes– Timely installation– Appropriate user testing and signoff– Updating of Network documentation
• Network-specific requirements– Changing default IDs and passwords– Tailoring system settings
• Network Vulnerability Assessments (Penetration Tests)– Frequency, Independence, Rotation, Due Diligence– Scope/depth/focus of findings; actions in response
Network Admin & Security
98
• Logical Access Controls (Members and employees)– Procedures for granting, removing and changing access– Review sample of access control requests– Test for separated employees– Evaluate granting of administrator/high-level access– Monitoring of adjustments, password resets, etc.– Multi-factor Authentication
• New Releases and Fixes– Timely installation– Appropriate user testing and signoff– Updating of documentation
• System-specific requirements– Changing default IDs and passwords– Tailoring system settings
• Member Support – Help Desk, Educational Materials
e-Banking/Mobile Banking
99
• Physical Access Controls– Procedures/basis for granting, removing access
• Operations employees• Senior management• Housekeeping/Building Maintenance/Security
– Access Control Mechanisms/Monitors– Visitor Access Procedures/Controls
• Physical Infrastructure– Temperature/humidity sensors and alarms– Threat/motion sensors and alarms– Overall housekeeping
• Operations Staff– Training– Background checks
Computer Operations
100
• Operating Policies/Procedures/Manuals– Current– Complete
• Job Scheduling/Monitoring– Automatic sequences– Manual scheduling– Logging of operator activities/intervention– Management review of logs
• Computer Room Equipment– Current Inventory– Maintenance scheduling and logging– Failure logging and remediation
• Sensitive Materials Handling and Disposal– Negotiable instruments– Confidential reports
Computer Operations (continued)
101
• Plan Development and Support– Qualified Individual(s) in Charge– Appropriate skill sets and sufficient time– Designated individuals through institution– Involvement of key vendors– Board/Management support
For each of the following areas, determine• Existence• Completeness• Currency
Disaster Recovery/Business Continuity
102
• Risk Assessment– Reasonably foreseeable threats– Likelihood, severity, impact– Systems, infrastructure, staff– Must address pandemic flu
• Business Impact Analyses (BIAs)– All departments and functions– Impact on their functions, other departments, members, overall
institution• Detailed Plans
– IT: Disaster Recovery Plan– Other Departments: Business Continuity Plans– Contents:
• Equipment and software lists• Inventories of forms and supplies• Procedures
Disaster Recovery/Business Continuity (continued)
103
• Alternate Location(s)– Designated– Stocked with pre-staged procedures, supplies, equipment
• Administrative Components– Designated Individuals who can Declare Disaster– Disaster/Damage Assessment Procedures– Employee Notification Procedures/Calling Trees– Other Notification Lists
• Directors/Supervisory Committee Chair• Public Safety Officials• Regulators• Key Vendors• Key Members
Disaster Recovery/Business Continuity (continued)
104
• Testing– Administrative aspects
• Disaster declaration and assessment• Appropriate notifications
– Information Technology• All systems or critical systems• Ability to locate and retrieve backups and restore from them• Network(s)• Key processing vendors
– Other departments• Prioritized by function• Tabletop tests• Tests in conjunction with IT test
– Frequency – at least annually– Audit participation– Post-test analyses and reviews– Remediation plans
Disaster Recovery/Business Continuity (continued)
105
• Policy– Fixes responsibility and accountability– Establishes procedures for major components
• Risk Assessment – pre-decision to outsource
– Potential Impact on Strategic Goals – Management Oversight and Evaluation– Contingency Plans– Regulatory Requirements & Guidance
• Vendor Selection Process– Identification of Potential Vendors– Due Diligence and Selection– Contract Negotiation and Award
Third Party Vendor Management
106
• Current Vendor Evaluation– Frequency depends on ranking– Topics
• Financial Stability• Performance against SLAs• Key Personnel turnover• Insurance coverage• Type II SAS 70 (service providers)• Disaster recovery testing & results• Protection of member information
• Annual Board Report– VM policy (any recommended changes)– New critical vendors– Summary of review of current vendors– Other key information
Third Party Vendor Management (continued)
107
GLBA 501 (b) Customer Information Privacy• Board-approved Privacy Policy
– Fixes responsibility– Establishes program– Requires reporting
• Privacy Program• Privacy Risk Assessment
– Assess and document risk of unauthorized access to non-public member information
– Scope should include:• IT infrastructure• Manual (i.e. paper) instances• Third party processors
– Is it sufficiently granular? Specific?• Third-party processors
– Explicit contractual provision– Due diligence on effectiveness of controls
108
• Third-party processors– Explicit contractual provision– Due diligence on effectiveness of controls
• Employee training– All employees– Annual– Relevant– Documented
• Annual Report to Board– Summary of program over previous year– Recommended policy changes (if any)– Incidents (if any)– Specific contents per guidance
GLBA 501 (b) Customer Information Privacy (cont.)
109
The FedLine Advantage audit complements audits of Funds Transfers and other Accounting-related audits
•Logical Access Controls– Procedures for granting, removing and changing access– Review sample of access control requests– Appropriate separation of duties– Test for separated employees still on system
•Physical Access Controls– Secure location for FedLine-capable PCs– Controls over FedLine Advantage access tokens
•Others as specified in Fed guidance– Creation and review of control reports
FedLine Advantage
110
• Monitoring and Follow-up
IT Audit Approach
111
• Follow-up Matrix
– Should contain all findings that were not “closed” at the time audit report was presented to Supervisory Committee
– Used by Supervisory Committee to track progress against stated plans and target dates
– Can/should also be used by Management to supervise and guide efforts
Monitoring and Follow-Up
112
• Issues revisited– Coverage– Competence– Currency (of technical information)– Continuity– Climate (regulatory)– Cost
• Using this template, and based on their knowledge of credit union, Management and the Supervisory Committee can arrive at the right approach
Choosing the Right Approach
113
One more thing…
114
One more thing…
Should we be auditing Governance?
115
One more thing…
Should we be auditing Governance?
116
The institution has the organization, tools and procedures to ensure compliance with applicable guidance•The institution has developed a process to identify IT statutory and regulatory requirements.•An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.•Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually•An IT Control Self Assessment Process to evaluate compliance with documented IT Policies and Procedures.•A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.
Governance Redux
117
Which of these areas are likely to undergo change as• New legislation is passed?• New regulations are promulgated?• New technologies are investigated and implemented?
Governance Redux
118
ALL OF THEM
Governance Redux
119
The institution has the organization, tools and procedures to ensure compliance with applicable guidance•The institution has developed a process to identify IT statutory and regulatory requirements. •An IT governance committee focuses on the development of standards and employee education to foster compliance with external guidance and internal policies.•Documented, comprehensive IT Policies and Procedures are reviewed, updated and approved at least annually•An IT Control Self Assessment Process to evaluate compliance with documented IT Policies and Procedures.•A Privacy/Security Risk Assessment and Privacy/Security Audit are conducted annually.
Understand the new technologies and services• Maturity and potential• Costs• Security and privacy implications• Competitive landscape—what are other institutions in our trade area doing?• Other risks
• Loss due to fraud or theft• Regulatory criticism• Reputational
Actions You and Your Institution Can Take
120
Know your member base (and potential member base)• What are their access needs (bricks and mortar vs.
hand-held devices)• Is membership aging? Becoming younger?• How do we know needs?
• Surveys? • Anecdotal data?
• Understand your institution’s vision and strategic • What markets (segments, communities) are we in?• Where do we want to go?
Actions You and Your Institution Can Take
121
• Understand the strengths of management and staff
•Do we have the in-house expertise to embrace, exploit and control new technologies?• If yes, let’s set a timetable • If no, we either need to develop it or find a third-party vendor
Actions You and Your Institution Can Take
122
• Ensure Development/Implementation is orderly and controlled
• Planning is critical• Realistic timeframes• Milestones/checkpoints• Progress reporting as appropriate• Metrics (usage, costs)• Policies and procedures• Marketing and Educational materials• Staff training• Roll-out sequencing
Actions You and Your Institution Can Take
123
Post-Rollout Oversight
• Projected vs. Actual• Usage• Costs• Revenues
• Anecdotal information on• Overall progress• Member reaction• Unexpected things that went right/wrong
• Plans for activities prior to next status report• Management’s assessment
Actions You and Your Institution Can Take
124
IT Internal Audit coverage should include the guidance and oversight received from the Board (i.e. Governance)
This coverage can be accomplished in “pieces” throughout the other IT audit areas
Governance Redux
125
Technology will continue to evolve
Credit Unions can choose to adopt new technologies and offer new services or not, but
Competitors and members will be watching and evaluating
Risks and challenges remain relatively the same
Your IT Internal Audit program can and must evolve, too.
Conclusions________________________
126