What Financial Executives Asking About IT

Report
WHAT FINANCIAL EXECUTIVES
ARE ASKING ABOUT IT AUDIT
AND RISK MANAGEMENT
Institute of Internal Auditors – LI Chapter
Annual Information Technology Conference
May 10, 2013
Joel Lanz, CPA/CITP, CGMA, CISA, CISM, CISSP, CFE
Prior to starting his practice in 2001, Joel was a Technology Risk Partner in Arthur Andersen’s
Business Risk Consulting and Assurance Practice, and was a Manager at Price Waterhouse. His
industry experience includes Vice President and Audit Manager at The Chase Manhattan Bank and
senior IT auditor positions at two insurance companies. He currently is an Adjunct Professor in the
School of Business at The State University of New York – College at Old Westbury. He teaches
graduate courses in Auditing, Advanced Assurance, Forensic Accounting ,Accounting Information
Systems and Accounting Research.
Joel is the Chair of the AICPA’s Certified Information Technology Professional (CITP) Specialist
Credential committee, and serves on the Institute’s Cybersecurity, Forensic Technology Task Force.
He co-chaired the 2010 and 2011 Top Technologies Task Force and previously served on the
Institute’s IT Executive and CITP Credential Committees Joel is a member of the Editorial Board of
“The CPA Journal.” Joel previously chaired both the New York State Society of Certified Public
Accountants Technology Assurance and Information Technology Committees. He also serves on the
Institute of Internal Auditors – Long Island Chapter Board of Governors.
2
SESSION DESCRIPTION
• In this fast paced presentation closing our annual technology
conference, Joel Lanz, who authors a monthly technology
question and answer column for the New York State Society
of CPAs “Trusted Professional” newspaper will discuss IT
Audit and Risk Management issues frequently on the mind of
the newspaper’s over 30,000 financial executive
readers. Highlights of this year’s most popular columns will
be reviewed providing participants with a briefing on key IT
Audit and Risk Management areas. He will review sources of
information that can be used by these Financial Executives
and their Internal Auditors in trying to identify appropriate
areas of interest so that they can add relevant value to the
organization.
WHAT IS THIS MONTHLY COLUMN
THAT YOU ARE TALKING ABOUT?
THE TRUSTED PROFESSIONAL
TECH Q&A FOR TODAY’S CPA
•
• Monthly column addressing
key IT Risk Management and
Audit Issues – yet sometimes
we discuss “the little
technology challenges” that
are faced on a daily basis.
• Joel responds to reader
questions about technology
and the role of financial
executives in managing
information risk.
• Usually each column
addresses 2-4 questions and
comprises 1000 words.
•
Is the voice of the New York State
Society of CPAs (NYSSCPA), keeping
readers up-to-date on legislative,
regulatory and administrative
developments, particularly as they
concern tax and audit policies and
accounting practices of New York
State.
The publication serves members of the
NYSSCPA by providing in-depth
coverage of NYSSCPA news and
insight into key issues and changes
affecting New York CPAs and
information on regulatory and ethical
standards of the profession.
SO, WHAT’S ON THEIR MINDS?
NO SURPRISES
HERE
• Information Security
• Privacy Risk
Management
• Managing IT Vendors
and Partners
• Cloud Computing
IT’s IMPACT ON CLIENTS
• WE SHOULD NOT
HAVE BEEN THAT
SURPISED – BUT – THE
ROLE OF THE
FINANCIAL EXECUTIVE
(CPA) IN MANAGING
OR ADVISING CLIENTS
ON IT OPERATIONS
AND FINANCE WAS
GREATER THAN
EXPECTED.
• BYOD Policy
Challenges
• Preparing the IT
Budget
• Managing the IT
Department
• Updating the
Business Continuity
Plan
• “MORE
THAN”
SOMEWHAT
SURPRISED
• Access vs. Excel
• How to integrate IT
Audit
• How to Secure a
Microsoft Word
Document
• The recent Internet
Explorer scare
raised a number of
issues related to
patch
management. What
do my clients need
to know about patch
management?
•
•
•
•
Many information security practitioners
believe that an appropriate patch
management is one of the most critical
protection strategies that companies and
personal users can employ to reduce logical
security threats.
To know what to patch, users must be
aware of what is on their system.
Microsoft provides a utility, Windows Server
Update Services (WSUS) that according to
the Microsoft website enables information
technology administrators to deploy the
latest Microsoft product updates to
computers that are running the Windows
operating system.
Alternatively, companies will use an
automated vulnerability scanning tool such
as Nessus (Tenable Network Security) or
Qualys to help identify required patches.
• A number of my clients
have implemented a
“Bring Your Own
Device” (BYOD)
program to help their
employees manage the
number of handheld
devices as well as
reduce expenses for the
businesses. Should I
adapt a similar program
for my practice?
•
•
•
•
As with so many other things in business,
the answer is it depends. Companies have
implemented BYOD programs in response
to the “consumerization of IT.”
So in implementing BYOD programs,
companies are trying to respond in a timely
manner to the introduction of rapidly
developing technologies adapted by the
consumer sector (e.g.,employees) but have
yet to be – or are not being adapted by
business or corporate IT (e.g., Tablets).
As with many other technology-related
decisions a lot is going to depend on which
industry you are in and the extent of
regulatory requirements that need to be
addressed to protect confidential and nonpublic information.
CIO Magazine has produced “The Consumerization
of IT and BYOD Guide”
(http://www.cio.com/article/705880/The_Consumeri
zation_of_IT_and_BYOD_Guide) that provides a
very useful toolkit in evaluating the issues.
• What are some of
the key issues
that should be
included in our IT
vendor
management
oversight efforts?
•
•
•
•
Depending on the particular business and
the industry it serves, each IT vendor
represents a different risk to the business,
and due to the reality of resource constraint
faced by all businesses efforts will need to
be prioritized.
Appropriate contract provisions including
specifying expectations as to service
delivery and right-to-audit are key. In many,
but not all situations, a thorough review of
the IT Vendor’s Service Organization Report
(especially SOC 2) can facilitate the review.
Preparing contract abstracts summarizing
key contract provisions can also help with
oversight efforts. Understanding IT vendor
plans for security breaches and business
continuity can also help determine that the
IT vendor will facilitate business operations
in a crisis situation.
The Defense Contract Audit Agency’s
“Contract Audit Manual” available at
http://www.dcaa.mil/cam.htm to be an
excellent source of ideas
• I’m getting ready to
prepare/review the
IT budget for next
year – what should I
be considering?
•
•
•
In many ways, although complex, budgeting
for IT does not differ materially from
budgeting for other significant business
investments and expenses.
Based on my reviews of IT budgets, I
continue to find that implementing basic
financial discipline can go a long way in
identifying “excess” resources. For example
appropriately planning for infrastructure
maintenance, including the impact of
changes to architectures including but not
limited to cloud computing, confirming
contract compliance and use of technology
paid for, and reducing the complexity and
variability of technology used.
Perhaps most important, is that financial
people should not be intimidated by the
vocabulary used in IT budgeting and do
what is needed, to obtain the understanding
of issues represented in the budget to fulfill
their financial responsibilities.
• I’m the controller for
a “midsize”
distribution company
and have just been
assigned
responsibilities for
the Information
Technology function.
What question should
I be asking?
•
•
•
•
•
Is the effectiveness of provided services
accumulated and monitored?
Is the IT function appropriately placed within
the organization and does the function have
the necessary leadership and management
assets to satisfy and deliver upon executive
management expectations?
To what extent have financial management
practices been implemented by IT (e.g.,
managerial finance issues including ROI for
new projects and key investments).
Are critical applications and “core”
application systems effectively implemented
within the business area and are system
features utilized to the extent possible to
enhance the ability of business users of the
system to achieve their objectives?
Is IT risk being managed to an acceptable
level given the business objectives identified
above?
• It’s been awhile
since we reviewed
our business
continuity plan. Any
suggestions to
jumpstart our
efforts?
•
•
•
•
BCP is on the agenda of most business
leaders, but due to other pressing concerns
does not receive the urgency or funding to
help ensure that appropriate plans are
developed, implemented and maintained.
BCP is a business issue and includes
significant decisions that go beyond
information technology concerns.
Being able to recover data does not mean
that you would also be able to reroute your
telecommunications capability to a different
facility that will now house your business.
The Federal Emergency Management
Agency (FEMA) through its Ready.gov
website provides significant guidance and
tools to help facilitate this process. Of
particular note is the “Business Continuity
Planning Suite” available at
http://www.ready.gov/business-continuityplanning-suite.
• When to use Excel
vs. when to use
Access?
•
•
•
•
•
For many practitioners the response to this
question has more to do with their familiarity
with the applications rather than the features
themselves.
New versions of Excel have significantly
increased the analytical capabilities and
presentation of financial analysis including
the use of Pivot Tables, statistical
techniques and graphing/charting tools.
Access is a more sophisticated application
that is better suited to managing information.
Access requires a more disciplined
approach as the various relationships within
the database need to be defined during
database design and generally provides less
flexibility for modification than does Excel.
Access can also provide a report of all
actions taken on the database including the
types of queries that were run.
• How can we
effectively leverage
IT Auditing into our
audits?
•
•
•
Firms of all sizes face the challenge of how
technology needs to be assessed, and how
to translate technology risk into the audit
decision.
Remember it's all about understanding and
addressing the risk in an effective and
efficient manner. Don't get confused with the
technical jargon involved. Obtain a sufficient
understanding of IT so you can determine
how it impacts the audit risk model.
Assess whether the IT controls are in place
and functioning so that you can adjust your
overall testing in accordance with the audit
risk model.
• How can I
secure
Microsoft Word
documents?
•
•
•
•
Although this question appears to be
simple, it's answer is quite complex.
Basic protection includes the use of
password and encryption features
within word.
A variety of access permission options
including encrypted the document with
a password and limiting further
distribution of the document.
In addition to access privileges,
another major threat is the unintended
use of the metadata that is contained
in the document.
BONUS SLIDE
(“December Stocking Stuffers”)
• What
should I be
reading to
enhance
my skills?
•
•
•
•
•
•
“IT Risk”, by George Westernmen, Harvard
Business School Press, 2007. (General IT
Risk Management).
“The Adventures of an IT Leader,” by Austin,
Nolan and O'Donnell, Harvard Business
School Press, 2009. (CXO and Leadership).
“The Art of Intrusion,” by Kevin Mitnick, John
Wiley & Sons, 2005. (Information Security
and Fraud Prevention).
“Forensic Analytics,” Mark Nigrini, John
Wiley & Sons, 2011. (IT Audit, Computer
Facilitated Fraud Prevention and Detection)
“The CERT Guide to Insider Threats: How to
Prevent, Detect, and Respond to Information
Technology Crimes “, Cappelli, Moore and
Trzeciak, Addison-Wesley Professional,
2012. (IT Audit, Information Security, Fraud
Prevention and Risk Management).
A Practical Guide to Reducing IT Costs,
Cassidy and Cassidy, J Ross publishing,
2010. (CXO and Financial Managers).
FOR FURTHER
INFORMATION
• Contact Joel directly
at:
Joel Lanz, CPA/CITP,
CFF
Joel Lanz, CPA, P.C.
471 N. Broadway-pmb
395
Jericho, NY 11753
(516) 933-3662
[email protected]
www.joellanzcpa.com
• Visit www.
joellanzcpa.com for
related articles and
other related
presentations

similar documents