2. “Reliability of internal controls and financial reporting depends directly on such technical controls as change management and monitoring for information, systems, programs, and operational configurations.”
The Institute of Internal Auditors
3. ISR Scope
Limited Scope
Gain an understanding of the controls around the Financial System
Not a risk assessment
Benefits include
Raise awareness about the importance of controls
Highlight management's responsibilities
Uncover material risks to financial data
Help improve overall security
4. ISR is based on
Industry Standards
ISO 17799
COBIT (IT Governance Institute) ISACA
ITIL (ITPI)
NIST Guidelines
AICPA Webtrust & Systrust
RFCs, SAS, FIPS, COSO, GAO, OMB, CC,
OECD, IATF, ISO
5. ISR Basics
Look at all of the controls of the computer systems where the financial data lives.
6. ISR Sections
Management
Compliance
Personnel
Business Continuity
Physical Security
Information Systems Security
Application Security (Financial Application)
Communications Security (Network & Internet)
7. Question Rating
IT Governance Maturity Model (IT Governance Institute)
5 – Optimized, continuous improvement
4 – Managed and measurable, automated
3 – Defined and documented
2 – Repeatable but intuitive
1 – Ad Hoc, the organization recognizes that issues exist and need to be addressed
0 – There is a complete lack of any recognizable IT Governance process.
8. Rating Example: Anti-Virus Software
5 – Optimized, continuous improvement of process and learning from incidents
4 – Automated Anti-Virus deployment, effectiveness is monitored, updated as needed
3 – Documented policy/procedures for Anti-Virus, baseline is set
2 – Anti-Virus is installed, there is a global understanding of the need (they do it but it is not documented)
1 – In the process or partial process of implementing Anti-Virus
0 – Don’t know they need Anti-Virus
9. Two Levels of Recommendations
Management Letter Issues
These are weaknesses in internal controls that may be a risk for financial misstatement
Given to the Board, City Council or appropriate party
Accounting Issues Memo
These internal control issues are not high risks for financial misstatement but are industry standards and best practices that are absent
Given to the Finance Department
Value Added
10. Remediation
What should you do with the recommendations?
Implement the appropriate controls
Implement the recommended controls
Develop other compensating controls
If you do not take action
Management should document that the risk is at an acceptable level
Limited Scope
Not a full risk assessment – beyond what we can provide
Review, not an Audit
Based on information provided by the client – truthfulness
Benefits include
Gaining a better understanding of the FS environment – SAS 94
Raise awareness about controls – many clients don’t have a clue what they should be doing
Highlight management's responsibilities – management does not know they must be leaders in this area
Uncover major risks to Financial data – big problems, hacking, water dripping on the server rack
Raise awareness about regulatory requirements – online bill pay
Helped clients improve security – many have implemented our recommendations
Dispel the client myth that everything is public knowledge – there is still confidential information, and they tend to forget that integrity is a part of security
"Not to know yet to think that one knows will lead to difficulty."
Lao-Tzu (6th century B.C.); Legendary Chinese philosopher
IATF – Information Assurance Technical Framework
COBIT – Control Objectives for Information and related Technology (IT Governance Institute)
ITIL – Information Technology Infrastructure Library (www.itpi.org) (IT Process Institute)
NIST – National Institute of Standards and Technology
We have to look at the entire environment
We have to look at compensating controls
Each system is unique
Each system is dynamic
Because each environment is unique, dynamic, and interconnected, the risks are also unique, dynamic, and interconnected.
IT Governance Maturity Model (IT Governance Institute)
Taken From COBIT which is based on CMM (CMM provides a framework for organizing and assessing the maturity level of IT processes for software development and maintenance.) CMM was developed by the Software Engineering Institute (SEI) in Dec 1984 http://www.sei.cmu.edu/cmm/
In 2000, the SW-CMM was upgraded to CMMI http://www.sei.cmu.edu/cmmi/general/
The SEI continues to advocate the adoption of CMMI models as the best process improvement models available for product and service development and maintenance. These models build on and extend the best practices of the Capability Maturity Model for Software (SW-CMM®), the Systems Engineering Capability Model (SECM), and the Integrated Product Development Capability Maturity Model (IPD-CMM).
IT Governance Maturity Model (IT Governance Institute)
Example: Security Policy
Documented
Published, Communicated
Employee Training – understand, know what is expected and where to find answers
Life Cycle Management – updated as needed, reviewed regularly, ownership, audit, change control
Part of the organization's culture, senior management support
Recommendations from our Information Systems Review are based on best practices and industry standards. This report covers common controls for information systems and is divided into seven sections or areas of control. Based on our review, notable points or internal control weaknesses are documented under each section.
Recommendations are simple statements that an industry standard control is not in place
Determining whether the current control environment is effective requires a risk analysis
Controls should mitigate risk to an acceptable level; management should determine that level and be held accountable for maintaining it
First you will need to find them.
Generally they are first given to the Finance Director – you may need to ask that person if they don’t come to you
Implement the appropriate controls
If you intend to accept the risk, then you should document the risk and that you accept the current level
By document we mean:
Risk: Virus infestation of the computer systems or network
Control: Anti-Virus software, updated daily
Or
Risk: Virus infestation of the computer systems or network
Control: The risk of infection by virus is minimal given that we run terminals and not computers traditionally prone to viruses; management has determined that the cost of anti-virus software outweighs the risk and accepts the current risk level