Integrating the IT Specialist into the Audit Team

Daniel J. O’Keefe, CPA, MBA, CFE
Moore Stephens Lovelace, P.A.
Chris Ghosio, CCNP, CCDA, TMCSM, TMCSE
MSL Technologies
Agenda
• National Security Risks
• Why Use IT Audit Specialists?
• What Is Data Security?
• Audit Standards and IT
• Auditing IT Controls
• Common IT Findings in a Financial Statement Audit
• PCI DSS Compliance
National Security Risks
• Titan Rain
• State Department’s East Asia Bureau
• Offices of Representative Frank Wolf
• Commerce Department
• Naval War College
• Commerce Secretary Carlos Gutierrez and the 2003 Blackout
• McCain and Obama Presidential Campaigns
• Office of Senator Bill Nelson
• Ghostnet
• Lockheed Martin’s F-35 Program
National Security Risks (cont’d.)
• DOE Encounters Over 10 Million Cyber Attacks a Day
• NASA Victim of 13 Major Cyber Attacks Last Year
• Number of Computer Viruses:
  • 2000: Over 50,000
  • 2005: Over 100,000
  • 2010: Over 1,000,000
• World Economic Forum Puts Cyber Attacks in the Top Five Biggest Global Risks for 2012
• Cyber Command was created in 2010 at Fort Meade, next to the operations center for the NSA, the nation’s largest spy agency
Why Use IT Audit Specialists?
• Audit Standards Require a “Risk-based Approach”
• OLD SCHOOL – Garbage In, Garbage Out
• NEW SCHOOL – Assess IT Risk by Evaluating Risk Factors
• Most CPAs Are Not Adequately Trained to Assess IT Risks
• IT Specialists Can Effectively Communicate with IT Personnel
Why Use IT Audit Specialists? (cont’d.)
BENEFITS
• Reduces Audit Risk
• Provides the Ability to Use Computer Assisted Audit Techniques
• Provides Value-added Service
• Completes the Audit Loop
Why Use IT Audit Specialists? (cont’d.)
BURDENS
• May Add Cost to the Audit
• Would Need to Apply “Use of a Specialist” Procedures if Outsourced
• Locating a Qualified IT Specialist
• Monitoring the IT Specialist’s Activities
Think of Security as Being Similar to Castle Defenses
[Diagram of a castle with layered defenses labeled: flanking towers, gatehouse, arrow slits, battlements, tower, curtain wall, moat, narrow bridge]
The focus of the IT evaluation is to determine if defenses are in place to ensure financial data maintains:
Confidentiality – Preventing the disclosure of information to unauthorized individuals or systems
Integrity – Ensuring that data or information cannot be changed undetectably
Availability – Ensuring the information is available when needed
IT Considerations in a Financial Statement Audit
Audit Standards and IT
Auditor’s primary interest is in an entity’s use of IT to:
• Initiate
• Authorize
• Record
• Process, and
• Report transactions or other financial data
IT Considerations in a Financial Statement Audit
Audit Standards and IT (cont’d.)
IT may provide efficient and effective controls by:
• Enhanced timeliness, availability and accuracy of information
• Facilitation of information analysis
• Enhanced monitoring of policies and procedures
• Reduced risk of circumvention of controls
IT Considerations in a Financial Statement Audit
Audit Standards and IT (cont’d.)
IT may pose risks to internal control by:
• Unauthorized access to data (destruction, changes, unauthorized transactions)
• Unauthorized changes to master files
• Unauthorized changes to systems or programs
• Failure to make proper changes to systems or programs
• Potential loss of data or inability to recover data
Auditing IT Controls
Starts with the IT survey:
• Helps provide a baseline of the environment
• Identifies financial applications and supporting components
• IT Organization
• IT Security Controls
• IT Operations
Auditing IT Controls (cont’d.)
Perimeter protection configurations:
• Firewalls
• IPS / IDS
• DMZ
• Wireless
• Web Content Filtering
• Remote Access (VPN)
Desktop Security:
• Local Administration Permissions
• Anti-malware Software
Auditing IT Controls (cont’d.)
Server Security:
• Application and Folder Permissions
• Server Security Hardening
Financial Applications Security:
• User Permissions
• On-line Payments
User Administration:
• Controls for Adding and Removing Users
Auditing IT Controls (cont’d.)
Data Backup:
• Backup Jobs
• Backup Storage
• Data Encryption
• Restore Testing
Auditing IT Controls (cont’d.)
Policies and Procedures:
• IT Security Policy
• Physical Security Policy
• Firewall Policy
• Encryption Policy
• User Management Policies
• Acceptable Use Policies
• Security Awareness Program
Auditing IT Controls (cont’d.)
Patch Management:
• How are patches approved?
• How are patches applied?
• Is patch management automated?
Vulnerability Management:
• Internal vulnerabilities
• External vulnerabilities
• How is each identified?
• Remediation efforts?
Auditing IT Controls (cont’d.)
Change Management:
• How are changes tested?
• How are changes approved?
• Are all changes documented?
Business Continuity Planning and Execution:
• Are plans in place to restore the financial applications?
• Have the plans been tested?
Common IT Findings in a Financial Statement Audit
Controls to be Evaluated
• Physical Security
• User Account Management
• AntiVirus and Malware
• Data Backup
• Application Security
• Network Security
• Policies and Procedures
• Business Continuity/Disaster Recovery
Common IT Findings in a Financial Statement Audit
Physical Security
• Excessive staff access to the computer room
• No access logs to the computer room – Who was in there? When? Why?
• No video surveillance in computer room – What were they doing?
• Security lacking in telecom closets – could bring down your network!
User Management
• Terminated employees still in the systems
• Shared administrator user IDs
• Password complexity rules not used or only partially implemented
• End users configured as power users or administrators
• Password-protected screensavers, network and application timeouts not enforced
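The user-management findings above are the kind of thing a computer-assisted audit technique can test mechanically rather than by interview. The following is an added example, not code from the presentation or its authors: it reconciles a constructed HR termination list against a constructed export of system accounts and flags terminated-but-enabled accounts, dormant accounts, end users holding administrator group membership, and shared administrator IDs. The CSV layouts, field and group names, the 90-day threshold and the list of shared IDs are all assumptions to be replaced with the auditee's real exports and policy.

```python
"""Reconcile an HR termination list against a system account export.

Added example, not part of the original presentation. The CSV layouts,
field names, group names, the 90-day stale-account threshold and the
list of shared administrator IDs are assumptions; point the functions
at the real HR and Active Directory (or application) exports to use it.
"""
import csv
import io
from datetime import date, datetime

STALE_DAYS = 90                                   # assumed policy threshold
SHARED_ADMIN_IDS = {"admin", "administrator", "root", "sa", "sysadmin"}
ADMIN_GROUP = "Domain Admins"                     # assumed privileged group
AS_OF = date(2012, 5, 8)                          # audit date

# Constructed sample data (not real people or systems).
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
1001,Alice Adams,2012-02-15
1002,Bob Brown,2012-04-30
"""

ACCOUNT_EXPORT_CSV = """username,employee_id,enabled,last_logon,groups
aadams,1001,TRUE,2012-03-01,Domain Users
bbrown,1002,FALSE,2012-04-29,Domain Users
ccook,1003,TRUE,2012-05-07,Domain Users;Domain Admins
ddale,1004,TRUE,2011-11-20,Domain Users
administrator,,TRUE,2012-05-06,Domain Admins
svc_backup,,TRUE,2012-05-08,Backup Operators
"""


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def audit_accounts(hr_csv, account_csv, as_of=AS_OF):
    """Return (username, finding) pairs for enabled accounts that violate
    the user-management expectations an auditor tests for."""
    terminated = {r["employee_id"]: _day(r["termination_date"])
                  for r in _rows(hr_csv)}
    findings = []
    for acct in _rows(account_csv):
        if acct["enabled"].upper() != "TRUE":
            continue                      # disabled accounts are not in scope
        user = acct["username"]
        emp = acct["employee_id"]
        groups = set(acct["groups"].split(";")) if acct["groups"] else set()

        # Terminated employees still in the system.
        if emp in terminated and terminated[emp] <= as_of:
            findings.append((user, "terminated employee still enabled"))
        # Dormant accounts: no logon within the policy threshold.
        if (as_of - _day(acct["last_logon"])).days > STALE_DAYS:
            findings.append((user, "no logon in %d days" % STALE_DAYS))
        # End users (accounts tied to an employee) holding admin rights.
        if emp and ADMIN_GROUP in groups:
            findings.append((user, "end user holds %s" % ADMIN_GROUP))
        # Shared, non-personal administrator IDs still in use.
        if user.lower() in SHARED_ADMIN_IDS:
            findings.append((user, "shared administrator ID in use"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(HR_TERMINATIONS_CSV, ACCOUNT_EXPORT_CSV):
        print("%-14s %s" % (user, finding))
```

Run against the sample data, the test flags aadams (terminated in February, still enabled), ddale (no logon in 170 days), ccook (an end user in Domain Admins) and the shared administrator account, while ignoring the disabled bbrown account. Each line of output is a candidate finding to confirm with IT, not a conclusion by itself.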
Common IT Findings in a Financial Statement Audit
AntiVirus and Malware
• AutoRun or AutoPlay functionality enabled
• Lack of centralized control and management of AntiVirus software
Data Backup
• Backups not stored out-of-area
• Backups not stored in a secure, offsite location
• Transport of backup tapes not logged
• Backups not encrypted
• Backup tapes not tested
• No formal procedure in place to “age” backup tapes
Common IT Findings in a Financial Statement Audit
Application Security
• Inadequate user password rules
• No interface with Active Directory (requires multiple logons)
• Lack of activity logging, reporting and monitoring capabilities
• IT staff with excessive access to production data
• Decentralized security administration (no separation of duties)
Common IT Findings in a Financial Statement Audit
Network Security
• Administration of network devices over unsecured protocols
• Shared and local administrator IDs on network devices
• Firewall rules need tightening
• Intrusion Prevention Systems either not installed or not maintained
• No formal procedure for monitoring server and network device events
• No log aggregation
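Two of the network-security findings above can be tested from evidence the client already has: flow or firewall logs show whether switches and routers are being administered over telnet, HTTP, TFTP or SNMP v1/v2c, and the rule base shows which permit rules are too broad. The following is an added example, not code from the presentation or its authors. The flow-log format, the management network (10.0.0.0/24), the port-to-protocol table and the firewall rule tuples are constructed assumptions; a real firewall or syslog export needs its own parser but the same two tests.

```python
"""Flag network-device administration over cleartext protocols and
overly permissive firewall rules.

Added example, not part of the original presentation. The flow-log
format, the management network, the port table and the rule tuples are
constructed assumptions.
"""
import ipaddress
import re

MGMT_NETWORK = ipaddress.ip_network("10.0.0.0/24")  # assumed: network devices live here
CLEARTEXT_MGMT_PORTS = {23: "telnet", 80: "http", 69: "tftp", 161: "snmp v1/v2c"}

FLOW_LOG_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample flow records (the key=value format is an assumption).
FLOW_LOG = """\
2012-05-07T09:01:12 src=10.10.5.21 dst=10.0.0.1 proto=tcp dport=23 action=allow
2012-05-07T09:01:40 src=10.10.5.21 dst=10.0.0.1 proto=tcp dport=22 action=allow
2012-05-07T09:05:03 src=10.10.7.44 dst=10.0.0.2 proto=tcp dport=80 action=allow
2012-05-07T09:06:10 src=10.10.7.44 dst=192.168.1.50 proto=tcp dport=80 action=allow
2012-05-07T09:07:55 src=10.10.9.9 dst=10.0.0.3 proto=udp dport=161 action=allow
2012-05-07T09:08:31 src=172.16.2.8 dst=10.0.0.1 proto=tcp dport=23 action=deny
"""

# Constructed firewall rules: (name, source, destination, service, action).
FIREWALL_RULES = [
    ("allow-web",     "any",          "192.168.1.50",   "tcp/443", "permit"),
    ("vendor-access", "any",          "any",            "any",     "permit"),
    ("mgmt-from-noc", "10.10.5.0/24", "10.0.0.0/24",    "tcp/22",  "permit"),
    ("legacy-dba",    "10.10.7.0/24", "192.168.1.0/24", "any",     "permit"),
    ("deny-all",      "any",          "any",            "any",     "deny"),
]


def find_cleartext_admin(flow_log, mgmt_net=MGMT_NETWORK):
    """Return (timestamp, src, dst, protocol) for permitted sessions that
    reach a management address on a cleartext administration port."""
    hits = []
    for line in flow_log.splitlines():
        m = FLOW_LOG_RE.match(line)
        if not m or m["action"] != "allow":
            continue                       # unparsable or blocked: not evidence of use
        dport = int(m["dport"])
        if ipaddress.ip_address(m["dst"]) in mgmt_net and dport in CLEARTEXT_MGMT_PORTS:
            hits.append((m["ts"], m["src"], m["dst"], CLEARTEXT_MGMT_PORTS[dport]))
    return hits


def find_permissive_rules(rules):
    """Return (rule name, reason) for permit rules that need tightening."""
    findings = []
    for name, src, dst, service, action in rules:
        if action != "permit":
            continue
        if service == "any" and (src == "any" or dst == "any"):
            findings.append((name, "any source/destination with all services"))
        elif service == "any":
            findings.append((name, "all services permitted between networks"))
        elif src == "any" and dst == "any":
            findings.append((name, "open from anywhere to anywhere"))
    return findings


if __name__ == "__main__":
    for hit in find_cleartext_admin(FLOW_LOG):
        print("cleartext admin: %s %s -> %s (%s)" % hit)
    for name, reason in find_permissive_rules(FIREWALL_RULES):
        print("rule %-14s %s" % (name, reason))
```

On the sample data the telnet, HTTP and SNMP sessions to the three management addresses are reported, the SSH session and the HTTP session to an ordinary web server are not, and the denied telnet attempt is left out because a blocked connection is not evidence that the protocol is in use. The rule review flags the vendor any/any rule and the legacy rule that permits every service between two internal networks.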
Common IT Findings in a Financial Statement Audit
Policies and Procedures
Common Deficiencies in Policies and Procedures
• Security Awareness Program
• Acceptable Use Policies and Procedures
• User Account Management Policies (HR)
• Change Control Policies and Procedures
• Patch Management Policies and Procedures
• Data Backup Management
• Encryption Management, and
• Personal Computing Device Management Policies
Common IT Findings in a Financial Statement Audit
Business Continuity and Disaster Recovery
• Lack of fully documented Disaster Recovery Plan
• Lack of fully documented Business Continuity Plan
• Lack of exercising or testing of plans
IT Personnel Risks
Risks vary depending upon the size of your business:
Small Business – Do you need a full-time IT person? If you have one, do they have the proverbial “keys to the kingdom”?
Medium Business – Attracting and retaining skilled technicians is a challenge, as is maintaining their technical skill levels and certifications.
Enterprise – Is the number of technicians on staff adequate to support the needs of the enterprise, and are their skill levels appropriate?
Outsourcing IT Functions
One option for mitigating some of the personnel risks associated with IT is to outsource some or all functions to a third party.
Small Business – Many small businesses outsource all IT functions to IT vendors.
Medium Business – Typically outsource on a regular basis, as their IT staff has limited skill sets.
Enterprise – Utilize IT consultants for specialized projects.
Common Risks in Outsourcing IT
• Outsourcing a critical process.
• Someone other than an internal employee handling your data and IT.
• IT vendor misrepresented skill level and expertise of staff.
• IT vendor does not adhere to Service Level Agreements (SLAs).
Evaluating & Selecting Outsourcers
• Types of technical competencies the outsourcer possesses.
• Experience in your industry.
• Agreement terms.
• SLAs.
• Is the “Cloud” a good option? Do your due diligence.
Payment Card Industry (PCI) Data Security Standard (DSS)
PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.
PCI DSS applies wherever account data is stored, processed or transmitted.
The primary account number is the defining factor in the applicability of PCI DSS requirements. If a primary account number (PAN) is stored, processed or transmitted, PCI DSS requirements apply.
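Because the PAN decides where PCI DSS applies, scoping starts with finding every place a PAN is actually stored, including logs, spreadsheets and ticket systems where nobody expects it. The following is an added example, not code from the presentation or its authors: a PAN discovery check that finds 13- to 19-digit candidates, keeps only those that pass the Luhn check (which eliminates most phone, invoice and order numbers), and reports them masked to the first six and last four digits so the audit workpaper does not itself become stored cardholder data. The sample text is constructed and uses published card-brand test numbers; the regular expression and masking scheme are the example's own choices.

```python
"""Locate primary account numbers (PANs) in files, logs and exports to
establish where PCI DSS applies.

Added example, not part of the original presentation. The candidate
pattern, the Luhn filter and the masking format are this example's
choices; the sample text is constructed from published test numbers.
"""
import re

# 13-19 digits, each optionally followed by one space or hyphen, not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep the first six and last four digits, the maximum PCI DSS
    permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (offset, masked PAN) for every Luhn-valid candidate in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append((m.start(), mask_pan(digits)))
    return found


# Constructed sample: log lines and file fragments an auditor might sample.
# The card numbers are published brand test numbers, not real accounts.
SAMPLE_TEXT = """\
2012-05-07 payment.log: order 88231 card 4111-1111-1111-1111 exp 09/14 approved
2012-05-07 payment.log: order 88232 card 4111 1111 1111 1112 declined (bad number)
support ticket: customer phone 407-740-5400, invoice 2012050788231
refund.csv: 5555555555554444,49.95,2012-05-07
notes.txt: amex 3782 822463 10005 on file
"""

if __name__ == "__main__":
    for offset, masked in find_pans(SAMPLE_TEXT):
        print("offset %5d  PAN %s" % (offset, masked))
```

On the sample, the Visa, MasterCard and American Express test numbers are reported (the last one despite its 4-6-5 grouping), while the mistyped card number, the phone number and the 13-digit invoice number are not: the first fails Luhn, the second is too short, and the third is long enough to match the pattern but fails Luhn. A Luhn pass is still only probable cause; confirm each hit against the system that produced the file before writing it up as cardholder data in scope.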
PCI DSS High-level Overview
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
PCI DSS High-level Overview (cont’d.)
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
PCI DSS High-level Overview (cont’d.)
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for all personnel.
In Summary
Data is the lifeblood of an organization; are the right controls in place to protect it?
QUESTIONS?
Daniel J. O’Keefe
Moore Stephens Lovelace, P.A.
[email protected]
407-740-5400
Chris Ghosio
MSL Technologies
[email protected]
321-214-2223