Developing the IT Audit Plan (GTAG 11)
Steve Hunt – ATC Chair
Senior Manager, Crowe Horwath LLP
November 9, 2010
www.theiia.org
Learning Objectives
• Overview of the 4 Phases of the IT Audit Plan development process
• Understand the critical elements of each of the following Phases:
– I Understand the Business
– II Define the IT Universe
– III Perform the Risk Assessment
– IV Formalize the Audit Plan
• Hypothetical Company Example
Opening Statement
Results from several IIA external Quality Assessment Reviews (QARs) reveal that developing an appropriate IT audit plan is one of the weakest links in internal audit activities.
Many times, instead of doing risk-based auditing, internal auditors review what they know or outsource to other companies, letting them decide what to audit.
IT Audit Plan Development Process

Understand the Business
• Identify the organization’s strategies & business objectives
• Understand the high risk profile for the organization
• Identify how the organization structures their business operations

Define IT Universe
• Dissect the business fundamentals
• Identify significant applications that support the business operations
• Identify critical infrastructure for the significant applications
• Understand the role of supporting technologies
• Identify major projects and initiatives
• Understand the IT service support model
• Determine realistic audit subjects

Perform Risk Assessment
• Develop processes to identify risks
• Assess risk and rank audit subjects using IT risk factors
• Assess risk and rank the subjects using business risk factors

Formalize Audit Plan
• Select audit subjects and bundle into distinct audit engagements
• Determine audit cycle and frequency
• Add appropriate engagements based on management requests or opportunities for consulting
• Validate the plan with business management
Step 1 - Understand the Business
• Organization strategy and business objectives
• Organization business operations structure
• Regulation and compliance requirements
• IT support model
– Degree of system and geographic centralization
– Types of technologies deployed and level of reliance
– Policies and standards
– Degree of customization
– Degree of outsourcing
– Degree of operational standardization
Step 2 – Define IT Universe
• Inventory of key IT components, support processes, and significant projects / initiatives:
– Critical applications & underlying infrastructure
– Supporting Technologies
– Significant Projects / Initiatives
– Critical support processes and operations
• Centralized or decentralized
• Deliverable
– List of auditable IT areas, processes and systems
Step 3 – Perform Risk Assessment
• Foundation – Risk and IIA Standards
– Definition of Risk according to the International Professional Practices Framework (IPPF)
• The possibility that an event will occur that could affect the achievement of objectives, which is measured in terms of impact and likelihood
– IPPF Performance Standard 2010 Planning
• The chief audit executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals
Step 3 – Perform Risk Assessment
• IPPF Performance Standard 2130.A1
– The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations and information systems regarding the:
• Reliability and integrity of financial and operational information
• Effectiveness and efficiency of operations
• Safeguarding of assets
• Compliance with laws, regulations and contracts
Step 3 – Perform Risk Assessment
• Identify and understand business objectives
– Identify and understand IT Strategy
• Obtain sufficient information from IT that describes how their plans support the objectives of the organization
• Define the IT Universe
– List of auditable IT areas, processes and systems
• Perform Risk Assessment
– Assign risk rating to all IT sub-categories
• Infrastructure, computer operations and applications
– Risk ratings are determined by the potential impact to the achievement of business objectives and potential likelihood of occurrence
Step 3 – Perform Risk Assessment
• Likelihood Scale – relatively simple to determine
H (3): High probability the risk will occur
M (2): Medium probability the risk will occur
L (1): Low probability the risk will occur
• Impact Scale (financial) – can be fairly difficult to determine
H (3): The potential for material impact on the organization’s earnings, assets, reputation, or stakeholders is high
M (2): The potential for material impact on the organization’s earnings, assets, reputation, or stakeholders may be significant to the audit unit, but moderate in terms of the total organization
L (1): The potential impact on the organization is minor in size or limited in scope
Step 3 – Perform Risk Assessment
• Refer to GTAG Developing the IT Audit Plan for more detailed information on risk ratings
• Overview of a completed IT Risk Assessment
• Scores are calculated by multiplying the impact and likelihood values

Level | Composite Score Range | Recommended Audit Cycle
H     | 35 – 54               | Every 1 to 2 years
M     | 20 – 34               | Every 2 to 3 years
L     | 6 – 19                | Every 3 to 5 years
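The scoring procedure described on the Step 3 slides, carried through in code: each factor is rated 1 to 3 for likelihood and for impact, the two ratings are multiplied, the products are summed across the six factors used in the example company's assessment (financial impact plus the five IT risks), and the composite is mapped to the H/M/L ranges and recommended audit cycle from the table above. With six factors each contributing 1 to 9, a composite runs from 6 to 54, which is exactly the span of the slide's ranges. This is an added example, not material from the GTAG or from the presentation; the factor names follow the example company's assessment columns, the score ranges are the slide's, and the ratings for the three sample audit subjects are constructed, not the company's figures.

```python
"""Composite IT risk scoring and audit-cycle mapping (added example, not GTAG code)."""

# Rating scales from the Step 3 slides: likelihood and impact are each 1 (L), 2 (M) or 3 (H).
VALID_RATINGS = (1, 2, 3)

# The six factors scored per audit subject in the example company's assessment.
FACTORS = (
    "financial_impact",
    "quality_of_internal_controls",
    "changes_in_audit_unit",
    "availability",
    "integrity",
    "confidentiality",
)

# Composite score ranges and recommended audit cycle from the Step 3 slide.
# Six factors x (1..9) each gives a composite of 6..54, matching these ranges.
LEVELS = (
    ("H", 35, 54, "Every 1 to 2 years"),
    ("M", 20, 34, "Every 2 to 3 years"),
    ("L", 6, 19, "Every 3 to 5 years"),
)


def factor_score(likelihood, impact):
    """Score one factor: likelihood rating multiplied by impact rating."""
    for value in (likelihood, impact):
        if value not in VALID_RATINGS:
            raise ValueError(f"rating must be 1, 2 or 3, got {value!r}")
    return likelihood * impact


def composite_score(ratings):
    """Sum the per-factor products. `ratings` maps factor name -> (likelihood, impact)."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"missing factor ratings: {sorted(missing)}")
    return sum(factor_score(*ratings[factor]) for factor in FACTORS)


def risk_level(score):
    """Map a composite score to (level, recommended audit cycle) per the slide's table."""
    for level, low, high, cycle in LEVELS:
        if low <= score <= high:
            return level, cycle
    raise ValueError(f"composite score {score} is outside the 6..54 range")


def build_plan(universe):
    """Score every audit subject in the IT universe and rank it, highest risk first."""
    rows = []
    for subject, ratings in universe.items():
        score = composite_score(ratings)
        level, cycle = risk_level(score)
        rows.append({"subject": subject, "score": score, "level": level, "cycle": cycle})
    rows.sort(key=lambda row: (-row["score"], row["subject"]))
    return rows


# Constructed sample IT universe (hypothetical ratings, not the example company's figures).
SAMPLE_UNIVERSE = {
    "ERP application & general controls": {
        "financial_impact": (3, 3), "quality_of_internal_controls": (2, 3),
        "changes_in_audit_unit": (3, 3), "availability": (3, 2),
        "integrity": (3, 2), "confidentiality": (2, 3),
    },  # 9 + 6 + 9 + 6 + 6 + 6 = 42 -> H
    "Windows server administration & security": {
        "financial_impact": (2, 2), "quality_of_internal_controls": (1, 2),
        "changes_in_audit_unit": (2, 2), "availability": (2, 3),
        "integrity": (3, 2), "confidentiality": (2, 2),
    },  # 4 + 2 + 4 + 6 + 6 + 4 = 26 -> M
    "Remote connectivity": {
        "financial_impact": (1, 1), "quality_of_internal_controls": (1, 2),
        "changes_in_audit_unit": (2, 1), "availability": (1, 1),
        "integrity": (1, 2), "confidentiality": (2, 2),
    },  # 1 + 2 + 2 + 1 + 2 + 4 = 12 -> L
}


if __name__ == "__main__":
    for row in build_plan(SAMPLE_UNIVERSE):
        print(f"{row['subject']:<45} {row['score']:>3} {row['level']:<3} {row['cycle']}")
```

Because the ranges are applied to a sum of products rather than a sum of ratings, a single factor rated high on both scales contributes 9 points, the same as three factors rated medium on both; that weighting is what makes a subject with one severe exposure land in the same band as one with several moderate ones.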
Step 4 – Formalize the IT Audit Plan
• Focus on high risk audit subjects
• Audit frequency
– Established in the initial risk assessment and is proportional to the risk level
– While audit frequency will be initially defined, realize that risk assessment is not just a point-in-time activity; it is primarily a continuous process due to frequent changes in technology and the organization
• Availability of limited resources and the budget for external resources
• IT Skills of internal resources
Step 4 – Formalize the IT Audit Plan
• Mandated audit areas must be included
– Regulatory compliance
• Hours should be reserved for non-planned projects or audits, i.e. stakeholder requests
• External audit requirements
• Level or degree of integration of the IT audit plan with non-IT audit plan
• Current year plan and multiyear plan
– Usually 3 to 5 years out
Step 5 – Validate IT Audit Plan
Assessed Risk matrix – vertical axis: Impact (Low, Medium, High); horizontal axis: Likelihood (Low, Medium, High)
• High impact, lower likelihood: Area of moderate audit focus
• High impact, higher likelihood: Risk-based audit plan, stakeholder requests, mandated audits
• Low impact, lower likelihood: Area of low audit focus
• Low impact, higher likelihood: Area of moderate audit focus
An Example – Company’s IT Universe

Business Unit        | Audit Subject
Corporate            | Network administration and security
Corporate            | Remote connectivity
Corporate            | Windows server administration and security
Corporate            | UNIX administration and security
Corporate            | ERP application and general controls
Corporate            | Sarbanes-Oxley sustainability review
Corporate            | Corporate privacy compliance
Corporate            | Database administration and security
Corporate            | IT governance practices
Corporate            | ITIL deployment practices
Corporate            | Application program change control
Business Segment 11–33 | Major capital investment projects (i.e., information protection and corporate compliance)
Facility 1–30        | IT infrastructure
Facility 1–30        | Human resources and payroll application
Facility 1–30        | Process control systems
An Example – Company’s Risk Assessment
• For each area, score the impact and likelihood of the following factors:
• Financial Impact
• IT Risks
– Quality of Internal Controls
– Changes in Audit Unit
– Availability
– Integrity
– Confidentiality
An Example – Company’s Risk Assessment

Each factor column shows Likelihood then Impact. Financial Impact is followed by the five IT Risks (Quality of Internal Controls, Changes in Audit Unit, Availability, Integrity, Confidentiality), then Score and Level.

Area | Financial Impact | Quality of Internal Controls | Changes in Audit Unit | Availability | Integrity | Confidentiality | Score | Level
ERP Application & General Controls | 3 3 | 2 2 | 3 3 | 3 2 | 3 2 | 3 2 | 31 | H
Treasury EFT Systems | 3 3 | 3 3 | 3 3 | 3 2 | 3 2 | 2 1 | 31 | H
Facility 3 – HR/Payroll Application | 3 3 | 3 2 | 3 3 | 2 2 | 2 3 | 2 3 | 31 | H
Employee Benefits Apps (Outsourced) | 2 3 | 2 2 | 3 3 | 3 2 | 2 3 | 3 3 | 31 | H
Facility 3 – IT Infrastructure | 2 2 | 3 2 | 3 3 | 3 3 | 3 2 | 2 2 | 30 | H
Facility 3 – Process Control Systems | 3 3 | 3 2 | 3 3 | 3 3 | 2 2 | 2 1 | 30 | H
UNIX Administration and Security | 2 2 | 3 2 | 3 3 | 3 2 | 3 2 | 2 1 | 28 | M/H
Corp Privacy Compliance | 3 1 | 3 3 | 3 3 | 2 1 | 2 1 | 3 3 | 28 | M/H
Database Administration and Security | 2 2 | 2 2 | 2 2 | 3 3 | 2 2 | 2 1 | 25 | M
Windows Server Admin and Security | 2 2 | 1 2 | 2 2 | 2 3 | 3 2 | 2 2 | 25 | M
Facility 1 – IT Infrastructure | 2 2 | 3 2 | 1 3 | 3 2 | 3 1 | 1 1 | 24 | M
Facility 1 – Process Control Systems | 2 3 | 3 2 | 2 2 | 3 3 | 1 1 | 1 1 | 24 | M
Environment Reporting Systems | 2 2 | 3 2 | 2 2 | 2 3 | 1 1 | 3 1 | 24 | M
Facility 2 – IT Infrastructure | 2 2 | 3 2 | 1 3 | 3 2 | 3 1 | 1 1 | 24 | M
Major Capital Investment Projects | 2 2 | 3 3 | 1 1 | 2 2 | 1 1 | 2 3 | 23 | M
Application Program Change Control | 2 3 | 1 3 | 1 1 | 1 1 | 1 3 | 1 2 | 20 | M
SOX Sustainability Review | 2 2 | 2 2 | 2 2 | 1 1 | 2 2 | 1 2 | 21 | M
Network Administration and Security | 2 2 | 1 1 | 1 2 | 2 1 | 2 2 | 2 2 | 20 | M
Facility 2 – Process Control Systems | 2 2 | 2 2 | 2 2 | 2 2 | 1 1 | 1 1 | 20 | M/L
ITIL Deployment Practices | 1 1 | 1 3 | 2 1 | 3 1 | 1 3 | 2 1 | 20 | M/L
Facility 2 – HR/Payroll Application | 1 1 | 1 2 | 2 3 | 2 2 | 3 1 | 1 1 | 20 | M/L
Facility 30 – HR/Payroll Application | 1 1 | 1 2 | 2 2 | 2 2 | 2 2 | 1 2 | 20 | L
Facility 1 – HR/Payroll Application | 1 1 | 1 2 | 2 2 | 2 2 | 2 2 | 1 2 | 20 | L
Facility 30 – IT Infrastructure | 1 1 | 3 1 | 1 1 | 2 2 | 2 1 | 1 1 | 17 | L
Facility 30 – Process Control Systems | 1 1 | 2 2 | 2 2 | 2 2 | 1 1 | 1 1 | 18 | L
IT Governance Practices | 1 1 | 2 2 | 1 1 | 3 1 | 1 1 | 1 2 | 17 | L
Remote Connectivity | 1 1 | 1 2 | 2 1 | 1 1 | 1 2 | 2 2 | 17 | L
An Example – Company’s High Level Audit Plan

Engagement | Risk Level | Audit Cycle | Days Allocated
Pen Test Coordination | * | 0 | 40
Procurement Application Follow-up | * | 0 | 20
ERP Application & General Controls | H | 1 | 100
Facility 3 – HR/Payroll Application | H | 2 | 30
Employee Benefits Apps (Outsourced) | H | 3 | 100
Facility 3 – IT Infrastructure | H | 2 | 90
UNIX Administration and Security | M/H | 1 | 90
Corp Privacy Compliance | M/H | 3 | 40
Windows Server Admin and Security | M | 3 | 90
Facility 1 – IT Infrastructure | M | 3 | 90
Facility 1 – Process Control Systems | M | 3 | 90
Environmental Reporting Systems | M | 3 | 30
Major Capital Investment Projects | M | 3 | 30
SOX Sustainability | M/* | 3 | 120
ITIL Deployment Practices | L/* | 4 | 40
Total | | | 1000
* = Mandated or Management Request
Summary
• Like any other audit planning, one must understand the business and its various risks in order to build an effective audit plan - IT audit planning is no exception
• Define the IT Universe
• Perform the risk assessment
• Formalize and validate the IT audit plan
Contact Information
Steve Hunt – Senior Manager
Dallas, Texas
steve.hunt@crowehorwath.com
214-534-9555 Mobile