This document provides an overview of an IT audit conducted at a state university system. It describes the types of audits performed, including operational, financial, compliance, and IT audits. For IT audits, it examines infrastructure security and controls, application security and controls, and disaster preparedness plans. Key areas investigated include physical security, network configuration, user access controls, and backup procedures. The document concludes with tips for making an IT audit go smoothly, such as avoiding an adversarial approach and fully documenting systems and controls.
1. A CIO’s Survival Guide for an IT Audit
Thomas Danford
CIO, Tennessee Board of Regents
2. Background & Objectives …
State Audit chose the TBR office as its “pilot” for developing IT Audit plans and procedures for Banner.
Brief discussion of the various types of audits and how they relate to IT Audits.
Share with the audience what’s investigated in an IT Audit and how it’s conducted.
Relay some findings to date.
Provide some guidance & suggestions for when your institution has its IT Audit.
3. Types of Audits
Operational Audits examine the use of unit resources to evaluate whether those resources are being used in the most effective and efficient way. They include elements of the other audit types listed below.
Financial Audits examine accounting and reporting of financial transactions.
Compliance Audits examine adherence to laws, regulations, policies and procedures.
Internal Control Reviews focus on the components of major business activities such as payroll and benefits, and their physical security.
Information Technology (IT) Audits examine the internal control environment of automated information processing systems and how people use those systems.
4. The IT Audit Evaluates …
System(s) input, output, and processing controls
Backup & media storage (off-site)
Disaster preparedness plan (and if it has been tested!)
System(s) security
Computer facilities
5. How does the IT Audit Work?
Kick-off Meeting to discuss audit objectives with delivery of extensive questionnaires.
Interview & investigative phase based upon responses to questionnaires.
Exit interview with Q&A on any discovered weaknesses or findings.
Published Audit Report with weaknesses and/or findings.
Management response.
6. What Are Auditors Looking For?
Reportable conditions – matters that represent a significant deficiency in the design or operation of the internal control structure which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
Material Weaknesses – significant deficiencies, or a combination of significant deficiencies, that result in more than a remote likelihood that a material control process could be subverted or bypassed.
Findings – conditions that do adversely affect the institution and may include conditions dealing with irregularities, illegal acts, errors, inefficiency, waste, ineffectiveness, conflicts of interest, and for our purposes control weaknesses.
7. Interview & Investigation Areas
Infrastructure Security & Control
Application Security & Control
Disaster Preparedness Plan
8. INFRASTRUCTURE SECURITY & CONTROL: Relates to the design of the campus network system and includes the backbones, routers, switches, wireless access points, access methods and protocols used. Of special interest are the filters & protective measures that govern (1) Internet open access, (2) Intranet controlled access and (3) Secured Access.
Particular areas of interest include:
Physical security of computer center – Environmental controls, locks, cameras & authorizations to enter.
Network configuration – Filter & firewall rule-sets and their change processes.
ID and password rule-sets – Length, character requirements, aging, etc.
Operating System – File & directory permissions.
Patch management – Remediation of known exploits.
Segregation of duties of IT staff.
9. APPLICATION SECURITY & CONTROL: Relates to the design of the administrative system and includes additional server operating system issues as well as the DBMS and the application that sits on top of both. Heavily scrutinized are users, both functional and technical, and their roles.
Particular areas of interest include:
Default users and their passwords
Role based security – Especially as it is set up in the application itself and access to the native DBMS or OS.
User accounts and password management – Procedures & signoff for account holders, length, character requirements, aging, etc.
Software modification – Procedures and segregation of duties in their implementation.
Patch management – Remediation of known exploits across multiple instances.
Segregation of duties of IT and functional users.
10. APPLICATION SECURITY & CONTROL (Top 5 Issues)
Improper account provisioning with segregation of duties
Insufficient controls for change management
A general lack of understanding around key system configurations
Audit logs not being reviewed (or that review itself not being logged)
Abnormal transactions not identified in a timely manner
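An added example, not from the presentation or from TBR, of how the provisioning points on slides 8 through 10 (segregation of duties, functional users with native DBMS/OS access, default users still enabled, password aging) can be checked over an account export an auditor would request. The column layout, role names and the conflicting-role pairs are assumptions; the export rows are constructed sample data.

```python
from datetime import date

AS_OF = date(2008, 10, 1)  # constructed "as of" date for the review

# Constructed sample export; the column set is an assumption about what a
# provisioning report from the administrative system would contain.
ACCOUNTS = [
    {"user": "jdoe", "kind": "functional", "roles": {"AP_ENTRY", "AP_APPROVE"},
     "native_access": False, "default": False, "enabled": True, "pw_changed": date(2008, 3, 1)},
    {"user": "asmith", "kind": "functional", "roles": {"AP_ENTRY"},
     "native_access": True, "default": False, "enabled": True, "pw_changed": date(2008, 9, 10)},
    {"user": "dbadmin", "kind": "technical", "roles": {"DEVELOP", "MIGRATE_PROD"},
     "native_access": True, "default": False, "enabled": True, "pw_changed": date(2008, 9, 20)},
    {"user": "vendor_default", "kind": "technical", "roles": set(),
     "native_access": True, "default": True, "enabled": True, "pw_changed": date(2005, 1, 1)},
    {"user": "bjones", "kind": "functional", "roles": {"PAYROLL_ENTRY"},
     "native_access": False, "default": False, "enabled": True, "pw_changed": date(2008, 9, 25)},
]

# Role pairs one person should never hold together (constructed, assumed names).
CONFLICTING_ROLES = [
    frozenset({"AP_ENTRY", "AP_APPROVE"}),            # enter and approve the same payable
    frozenset({"PAYROLL_ENTRY", "PAYROLL_APPROVE"}),
    frozenset({"DEVELOP", "MIGRATE_PROD"}),           # modify software and move it to production
]

def audit_accounts(accounts, as_of=AS_OF, max_pw_age_days=90):
    """Return (user, issue) tuples; each check maps to a point on slides 8-10."""
    findings = []
    for a in accounts:
        if not a["enabled"]:          # a disabled account cannot exercise a role
            continue
        for pair in CONFLICTING_ROLES:                         # improper provisioning / segregation of duties
            if pair <= a["roles"]:
                findings.append((a["user"], "segregation of duties: " + "+".join(sorted(pair))))
        if a["kind"] == "functional" and a["native_access"]:   # role-based security bypassed at the DBMS/OS
            findings.append((a["user"], "functional user has native DBMS/OS access"))
        if a["default"]:                                       # default users and their passwords
            findings.append((a["user"], "default account still enabled"))
        if (as_of - a["pw_changed"]).days > max_pw_age_days:   # password aging rule-set
            findings.append((a["user"], "password older than %d days" % max_pw_age_days))
    return findings

if __name__ == "__main__":
    for user, issue in audit_accounts(ACCOUNTS):
        print(f"{user:15} {issue}")
```

Each finding cites the account and the control it fails, which is the form the exit interview and the published report expect.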
11. DISASTER PREPAREDNESS PLAN: The state in which an institution is prepared for disaster. Preparedness involves a plan for avoiding and recovering from a disaster with preservation and retrieval of records lost by an unexpected catastrophic occurrence.
Particular areas of interest include:
Backup of critical data – Including frequency, media, where and how far away.
Printed plans – Kept off site by plan principals with contact lists.
Recovery processes – Includes not only IT operations but facilities (hot & cold sites).
Business continuity while IT functions are restored.
Actual testing of the plan.
14. Tips to Make the Audit Go Smoothly
Avoid making it an “adversarial” engagement
Provide what’s asked of you
Document & diagram
15. For Additional Information:
Wikipedia has a good overview of IT auditing at:
http://en.wikipedia.org/wiki/Information_technology_audit
Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992.
http://www.isaca.org/Template.cfm?Section=COBIT6&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=55&ContentID=7981
16. Thank You
Please share your comments, ideas, suggestions, questions . . .
Thomas Danford
tdanford@tbr.edu
615-366-4451