Data Privacy and Cybersecurity Considerations for Auditors


Incorporating Continuous Assurance into the
Auditing Process
April 2, 2015 – Pinellas County
Regional ALGA Regional - Florida
Botanical Gardens - Tampa
Monday, July 20, 2015
Clients are granted permission to reproduce this presentation in written and electronic
format
1
Session Objectives
In this session you will learn:
• The difference between Continuous Monitoring and
Continuous Assurance
• Tools and techniques for transforming current manual
assurance activities into automated processes
• Tools in the technologists' toolboxes that can aid or be
used for continuous assurance activities
• How to rewrite existing assurance programs to meet
regulatory needs by changing to a continuous nature
• How to sell continuous assurance to an organization
2
Auditing
CONTINUOUS MONITORING AND
CONTINUOUS ASSURANCE
3
Discussion
• Who performs continuous auditing?
• Who performs continuous monitoring?
4
Auditing Basics
• Applications/Systems should ensure that Data
maintains its Integrity, Confidentiality and Availability
• Internal Controls should be reviewed to
determine effectiveness
• Audit processes should be SMART! Specific,
Measurable, Actionable, Repeatable and Timely
• In other words: Determine Effectiveness; Identify
Changes; Verify Compliance aids in Situational
Awareness
5
Traditional Vs. Continuous Auditing
• Traditional Audit Approach = Snapshot/Point
in Time Based Data; Manual Data Assessment
and Audit Reporting
• Continuous Auditing = Near real-time data
retrieval and automated data assessment and
automated dash-boarding and exception
notification
6
Continuous Auditing
• Continuous Auditing – Performing audit
activities on an ongoing basis to increase
assurance which may lead to better prediction
of Audit Risk.
• Audit Risk = Inherent Risk * Control Risk *
Detection Risk
• Owner = Audit Department
• Used for repeatable audit activities
7
Continuous Monitoring
• Continuous Monitoring – Activities constantly
performed by business and technology
management to ensure control effectiveness
and transaction integrity.
• Owner = Business and IT Management
• Used for control/process self assessments
8
Benefits and Commonalities
• Near real-time data gathering
• Timely Data Analytics
• Reduced Duplication of Assessment Efforts:
Performing one or the other
• Continuous Assurance
9
Sources
• IIA GTAG #3: Continuous Auditing –
Implications for Assurance, Monitoring and
Risk Assessment
• ISACA ITAF 2nd Edition 2013
• ISACA Audit and Assurance Guideline G3 Use
of CAATs effective 1 March 2008
• COSO 2013 –Automated Monitoring Activities
10
Discussion
• Based on our discussion
– How would you describe continuous auditing?
– Continuous monitoring?
11
Automating Auditing Processes:
TOOLS AND TECHNIQUES
12
Opportunities
• Application Security
• Access Controls - Employee Adds,
Terminations and Transfers
• Business Process Management Tools
• Process Control Systems
• Insider Threats – Log Pattern Review:
Transaction Logs; Access Logs, System Logs
• Big Data
13
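As an added example (not from the presentation or its author), the access-control opportunity above turned into the kind of customized script a CAAT would run on a schedule: it takes a constructed HR status feed, an entitlement snapshot and application access log lines, and produces the exception list that the automated assessment and exception notification described under Continuous Auditing would dashboard. All identifiers, feeds and log lines are constructed for the example.

```python
from datetime import datetime
# Constructed HR feed: employee id -> (status, effective date)
HR_FEED = {
    "E100": ("active", "2015-01-05"),
    "E200": ("terminated", "2015-06-30"),
    "E300": ("transferred", "2015-07-01"),  # moved out of Accounts Payable
}
# Constructed entitlement snapshot: application -> user ids still provisioned
ENTITLEMENTS = {"AP_SYSTEM": {"E100", "E200", "E300"}}
# Assumed post-transfer access model: user id -> applications still allowed
ALLOWED_AFTER_TRANSFER = {"E300": {"PROCUREMENT"}}
# Constructed access log lines: "timestamp user event application"
ACCESS_LOG = [
    "2015-07-01T08:02:11 E100 LOGIN AP_SYSTEM",
    "2015-07-02T09:15:40 E200 LOGIN AP_SYSTEM",
    "2015-07-03T17:48:05 E200 APPROVE_INVOICE AP_SYSTEM",
    "2015-07-06T10:00:00 E300 APPROVE_INVOICE AP_SYSTEM",
    "2015-07-07T11:30:00 E999 LOGIN AP_SYSTEM",
]

def parse_log(lines):
    """Parse 'timestamp user event app' lines into dicts with a datetime."""
    events = []
    for line in lines:
        ts, user, event, app = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event, "app": app})
    return events

def find_exceptions(hr_feed, entitlements, log_lines, allowed_after_transfer):
    """Run the automated tests and return exception records for notification."""
    exceptions = []
    # Test 1: terminated employees still provisioned in an application
    for app, users in entitlements.items():
        for uid in sorted(users):
            if hr_feed.get(uid, ("unknown", None))[0] == "terminated":
                exceptions.append({"test": "TERMINATED_STILL_PROVISIONED", "user": uid, "app": app})
    for ev in parse_log(log_lines):
        status, effective = hr_feed.get(ev["user"], ("unknown", None))
        rec = {"user": ev["user"], "app": ev["app"], "ts": ev["ts"].isoformat()}
        # Test 2: activity by an account HR does not know (orphan account)
        if status == "unknown":
            exceptions.append(dict(rec, test="ORPHAN_ACCOUNT"))
        # Test 3: activity dated after the employee's termination date
        elif status == "terminated" and ev["ts"].date() > datetime.fromisoformat(effective).date():
            exceptions.append(dict(rec, test="ACTIVITY_AFTER_TERMINATION"))
        # Test 4: transferred employee still acting in an application of the old role
        elif status == "transferred" and ev["app"] not in allowed_after_transfer.get(ev["user"], set()):
            exceptions.append(dict(rec, test="ACTIVITY_AFTER_TRANSFER"))
    return exceptions
```

Each exception record carries the test name, user, application and timestamp, which is what a dashboard or notification step needs to route it to the control owner.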
Opportunities
• Mobile Devices
• Cloud Computing
• Supply Chain Security
• Software and System Assurance Processes
• Advanced Persistent Threats
– Traffic Monitoring and Analysis
– Forensics
• Trusted Rights and Federation
14
Tools
• Computer Aided Audit Tools (CAAT)
– Generalized Audit Software GAS
– Customized Queries and Scripts
– Utility Software
– Software Tracing and Mapping
– Audit Expert Systems
• ACL (Audit Command Language)
• IDEA (Interactive Data Extract and Analysis)
15
Tools
• Arbutus Analyzer
• ESKORT Computer Audit (SESAM)
• Teammate Analytics
• Excel (Audit Add-Ins including: TOPCAAT;
Formlist; SIMTools; Rainbow Analyst, etc.)
• Archer; Bwise; Other GRC Tools
• Teammate; Other Audit Management Systems
16
Discussion
• What tools does your organization use and
how? Any of the ones discussed in this section,
and if so, how are you using them?
• How might you use them differently in the
future?
17
How Audit Can Leverage the Tools of IT
THE TECHNOLOGISTS TOOL BOX
18
Common Applications or Classes of
Applications with Audit, Compliance
and/or Reporting Modules
– Oracle
– ERP Systems: SAP; Oracle; Lawson, etc. (Approval
Processes, Threshold Overrides)
– Business Objects / Report Writers
– Exchange; Outlook; SharePoint, etc.
– SIEM (Log Management System)
– Configuration and Asset Management
– Job Scheduling / Job Run Logs
19
Tool Options
– Change and Release Management
– Incident Management
– Problem Management
– Hyena, SQLPLUS, NoSQL, etc.
– Storage/Backup Management (SAN)
– Patch Management
– Project Management - Enterprise Editions
– Firewalls
– Certificate Management
20
Tool Options
• information security continuous monitoring
(ISCM) methodology
– Intrusion Detection and Prevention
– Network/Services Monitoring
– Scanners & Sniffers
– End Point
– Vulnerability Scanning
http://sectools.org/ - Great Source to Learn More
21
Discussion
• Do you currently rely upon any of the tools
discussed in this section? If so, how do you
use them?
• What tools might you want to leverage in the
future?
22
Building Audit Assurance Programs Which Leverage Continuous Activities
MEETING REGULATORY
COMPLIANCE
23
Your Compliance Risk Universe
Step 1: Determine the existing source or develop
a listing of the regulations applicable to your
organization or of those you audit
24
Examples
• US Federal Information Security Management
Act (FISMA) 2012 – 3 year reauthorization
requirement
• National Institute of Standards (NIST) 800-53
R4; 800-160; 800-39; 800-137; 800-37
• Federal Information Security Amendments Act
(FISAA)
• “Assess your IT network controls in real time”
25
Discussion
• What are some of the regulations impacting
your organizations and where are their
continuous requirements?
• How would you research to see if there is
guidance/regulatory requirements regarding
nature and timing of assurance activities?
http://www.usa.gov/Topics/ReferenceShelf/Laws.shtml
26
Sources for Regulation
http://www.usa.gov/Topics/ReferenceShelf/Laws.shtml
http://www.unifiedcompliance.com/free/controlsspreadsheets?gclid=CJfxwLflu8QCFdU9gQodJl8AZA
http://lib.law.washington.edu/ref/foreign.shtml
27
Your Existing Assurance Program
Step 2: Evaluate existing Assurance Programs
(for Continuous Auditing and Continuous
Monitoring) to determine how these regulations
are currently being reviewed.
Hint: Look for opportunities to automate /
further automate manual assessment activities
28
Your Organization's Risk and Control
Register
Step 3: Review (or discover and develop) the
Control Register listing the controls that are
designed to aid in regulatory compliance.
Hint: This list should contain control testing
procedures and testing results and be cross-referenced to the regulation and mapped to the risk
register to show associated process,
application/system and infrastructure component
relationships.
29
Discussion
• How does your organization or those you
support document controls (non-SOX) and
correlate between controls, risks, regulations
and associated processes, systems and
infrastructure components?
30
Selling Continuous Activities
THE BUSINESS CASE FOR
CONTINUOUS ASSURANCE
31
High Level Continuous Program
• Define strategy for Continuous Assurance for
both auditing and continuous monitoring
activities throughout enterprise
• Develop and Implement a Continuous Assurance
Program
– Determine Data Requirements / Data Testing
Processes
– Determine Monitoring Criteria
– Determine Communication Needs
– Determine Measurements/Metrics
– Design Architecture
32
High Level Continuous Program
• Implement Program
• Analyze and Communicate Results
• Respond to Risk
• Reevaluate and improve program and strategy
Hint: Adopting a solid Risk Management and
Project Management based approach to the
program is key!
33
Making the Business Case
• Continuous Auditing / Continuous Control
Monitoring / Continuous Transaction Monitoring
= Enterprise Risk Management
Hint: Before submitting business case for approval,
review document to ensure it highlights the
business value for each item proposed. It's about
Meeting Enterprise Objectives of which regulatory
compliance is one component but not the only
driver!
34
Questions to Ask
How will the changes proposed in the Business
Case impact our:
• competitive advantage? (Innovation/Agility)
• ability to prevent, detect or combat a
cyberattack?
• operational expenses?
• revenue stream?
• regulatory compliance?
35
Tool Selection Process
• Analyze and document current recurring audit processes
– What is the process - Steps
– How often is it performed
– By Whom
• Assess the automation possibility for each process
documented
• Document the requirements for process automation
• Develop a Use Case describing the functional requirements
including the way the test would be performed and
expected results including reporting needs
• Obtain Project Champion Approval
• Engage Project Initiation Process
36
Tool Selection Process
• Develop Project Charter and Business Case
• Work with IT to determine possible tools to meet
continuous assurance needs
• Invoke RFI/RFP process if there is a desire to
implement a new tool or build one or more
queries/programs
• Conduct an Architecture Review on top choices
• Make tool decision
• Design; build/configure; Test and Implement
tool(s)
37
Small Group or Class Exercise
• Based on today’s discussion what
opportunities do you see for implementing
continuous assurance both for Audit and for
the Business (including IT)?
• As a team (or the class) discuss what tools you
would like to explore and develop your
business case problem/opportunity
statement.
• Share your statement with the class
38
Final Notes
WRAP-UP AND QUESTIONS
39
Thank you!
Shawna M Flanders CRISC, CISM, CISA, CSSGB, SSBB
Business – Technology Guidance Associates, LLC.
[email protected]
727-491-7337 or 844-4BUSTECH (Office)
727-483-3662 (Cell)
www.bustechga.com
Please join me on LinkedIn
40