IT Audit Basics: Information for Governance and Executives
Barry L. Mathis, IT Audit Senior Manager, CHAN Healthcare Auditors


IT Audit Basics

Information for Governance and Executives

Barry L. Mathis

IT Audit Senior Manager

CHAN Healthcare Auditors

Discussion Points

• Information Technology (IT) Audit Myths

• What is IT Audit?

• Risk Corollary

• Typical IT Audits

• The Role of Governance

• Audit Committee Experts


Information Technology (IT) Audit Myths

• Isn’t it really just IT accounting?

• IT Auditing is all about compliance, right?

• Aren't computer auditors meant to stop (computer) frauds?

• IT Audit is mostly technical, right?


What is IT Audit?

The independent examination of records and other information in order to form an opinion on the integrity of a system of controls and recommend control improvements to limit risks.

Risk Corollary

If:

Business Processes rely on Information Systems

Then:

Information Technology Risk = Business Risk


Risk Corollary Examples

Business Process → Supporting IT System

• Treating patients and operating the business → Clinical & purchasing systems

• Collecting revenue → Billing systems

• Managing and paying associates → Human resources & payroll systems

• Planning and tracking results → Budgeting, accounting, & financial reporting systems

• Evaluating and making strategic and operating decisions → Decision support systems

• Communicating and leading the organization → Email systems

Risk Corollary – Actual Occurrences

System Implementations

• Critical new system late and over budget – Project governance, project management

• Surgery charges were over-billed – Interfaces, data maintenance procedures

• Medicare bills not sent out for several months – Registration process, system testing, manual reconciliations

Risk Corollary – Actual Occurrences

Operations

• Captured surgery charges did not cross to the billing system – Interfaces, reconciliations, change management

• Internet hackers probing unsecured system containing patient health information – Security management, database security

• Patient health information taken home and stolen – Backup and recovery

Typical IT Audits

• Operational computer system/network audits:

• Review the controls within and surrounding operational computer systems and networks, at various levels, e.g. network, operating system, layered software, application software, databases, logical/procedural controls, preventive/detective/corrective controls, crypto, logging ...

Typical IT Audits

• Data Center / IT Facility audits:

• Evaluate the computer building, suite, room or cupboard, including aspects such as physical security (walls, CCTV, locks, guards, barbed wire, visitor procedures ...), environmental controls (fire and flood protection, power supply, air conditioning), computer and network operations processes and management systems, oh and the IT equipment itself.

Typical IT Audits

• Implementation audits (Pre & Post):

• Review the controls within an application install or major upgrade at various levels, e.g. project management, integration testing, training, conversion integrity, network impact, security controls…

Typical IT Audits

• Change Control audits:

• Review the planning and control of changes to systems, networks, applications, processes, facilities etc., including configuration management, control over the promotion of code from development through testing to production, and the management of changes to the organization.

Typical IT Audits

• Information security and control audits:

• Review controls relating to confidentiality, integrity and availability of systems and data.

Typical IT Audits

• Compliance and legal audits:

• Review legal and regulatory aspects of IT systems (e.g. software copyright compliance, HIPAA, protection of personal data).

Typical IT Audits

• Business continuity planning & disaster recovery audits:

• Review arrangements to restore some semblance of normality after a disaster affecting the IT systems, and perhaps assess the organization's approach to risk management.

Typical IT Audits

• “Special investigations”:

• This is audit-speak for contingency and unplanned work such as investigating suspected frauds or information security breaches, performing due diligence reviews of IT assets for mergers and acquisitions, etc.

Governance

• The Role of Governance

The Role of Governance

As with other governance activities, governance of IT involves expertise from the board and executive management. Given that IT is complex and requires specialized expert knowledge, the board can be supported by an IT Strategy Committee or Council; however, boards and executives must set direction and insist on control.

Governance Publishing, May 2006

Audit Committee IT Expert


Audit Committee IT Expert

• Article: Information Technology and the Board of Directors (HBR 10/2005) (handout provided)

• Attributes of IT Expert:

– Skilled communicator

– Focus on the big picture of IT strategy

– Solid grounding in business needs

– Holistic view of the organization & system architectures

• “…serves much the same function as the certified financial expert on an audit committee.”

Audit Committee IT Expert – CHAN (SEC adapted)

Audit committee financial expert attributes:

– information technology

• An understanding of GAAP and financial statements;

– information technology fundamentals, to include infrastructure, industry applications, and IT operations

• The ability to assess the general application of such principles in connection with the accounting for estimates, accruals and reserves;

– fundamentals…their application to the organization

Audit Committee IT Expert – CHAN (SEC adapted)

• Experience preparing, auditing, analyzing or evaluating financial statements that present a breadth and level of complexity of accounting issues that are generally comparable to the breadth and complexity of issues that can reasonably be expected to be raised by the registrant's financial statements, or experience actively supervising one or more persons engaged in such activities;

– managing…technology fundamentals…technology…organization’s information technology.

Audit Committee IT Expert – CHAN (SEC adapted)

• An understanding of internal controls and procedures for financial reporting;

– information services

• An understanding of audit committee functions.


Audit Committee IT Expert – CHAN (SEC adapted)

Under the final rules, a person must have acquired such attributes through any one or more of the following:

(1) Education and experience as a principal financial officer, principal accounting officer, controller, public accountant or auditor, or experience in one or more positions that involve the performance of similar functions;

– chief information officer, information technology director, external or internal information technology auditor

(2) Experience actively supervising a principal financial officer, principal accounting officer, controller, public accountant, auditor or person performing similar

Audit Committee IT Expert – CHAN (SEC adapted)

(3) Experience overseeing or assessing the performance of companies or public accountants with respect to the preparation, auditing or evaluation of financial statements;

– auditors…delivery or auditing of information services

(4) Other relevant experience.

Conclusion

Additional Questions & Discussion
