IT Audit at Brown. A collaboration between the Information Technology and Internal Audit Teams

Similar documents
This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department.

1. Definition & Mission

Internal Audit Charter

INTERNAL AUDIT CHARTER (Revision No. 4)

From Dictionary.com. Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance

Glossary. Chartered Institute of Internal Auditors. 26 July Add value. Adequate control. Assurance services. Board. Charter

PERFORMANCE REVIEW INTERNAL CONTROL REVIEW OF THE PUBLIC COMPANY ACCOUNTING OVERSIGHT BOARD S OFFICE OF CHIEF AUDITOR (IOPA )

INTERNAL AUDIT AND ASSURANCE MANDATE

Internal Control at OSU COSO & Enterprise Risk Management. Oregon State University Board of Trustees Executive & Audit Committee Educational Session

Charter for Enterprise Risk Management

Strengthening Control and integrity: A Checklist for government Managers

ERM: Risk Maps and Registers. Performing an ISO Risk Assessment

Presentation to the General Committee. City of Markham. January 18, Auditor General Services. Presented by: Geoff Rodrigues & Veronica Bila

Dovetailing & Augmenting Enterprise Risk Management, Compliance, Controls Environment and Audit Presentation by:

AUDITING. Auditing PAGE 1

INTERNAL AUDIT CHARTER

Internal Audit Charter

Planning Guides. Planning. IA Governance

Quality Assessments what you need to know

2014 Integrated Internal Control Plan. FRCC Compliance Workshop May 13-15, 2014

Internal Controls: COSO, the Uniform Guidance, and More!

International Standards for the Professional Practice of Internal Auditing (Standards)

Corporate Governance. Information Request List Family- or Founder-Owned Unlisted Companies. Commitment to Corporate Governance

Implementation Guides

GROUP INTERNAL AUDIT. Internal Audit Charter 24 February 2016

MISSISSIPPI STATE UNIVERSITY INTERNAL AUDIT CHARTER

Enterprise Risk Management: Aligning Risk with Strategy & Performance June 26, :45 p.m. 4:45 p.m.

Meeting Stakeholder Expectations for Assurance: Internal Audit s Role in a Group Effort

CHARTER OF THE BOARD OF DIRECTORS

INTERNAL AUDIT CHARTER SECURE TRUST BANK PLC

Quality Assurance and Improvement Program

Practice Guide. Developing the Internal Audit Strategic Plan

Managing Fraud Risk: New Professional Guidance

To: Identify your chief goals and objectives Identify risks Prioritize the risks to achieving objectives Determine which controls/processes to review

Enterprise Risk Management: Developing a Model for Organizational Success. White Paper

International Standards for the Professional Practice of Internal Auditing (Standards)

9/17/2017. An Overview of COSO s New Framework and Implementation Guidance SPEAKER. Laura Harden, CPA History

Prince William County Public Schools Annual Audit Plan

manner. IOPA conducts its reviews in conformance with Government Auditing Standards issued by the Comptroller General of the United States.

SERBA DINAMIK GROUP BERHAD INTERNAL AUDIT CHARTER

What We Will Cover Today

Internal Audit Charter

Risk Based Internal Audit Plan

Internal Audit Challenges & Opportunities Speaker: Laurie Shen, Director, Grant Thornton LLP

S23 - Hallmarks of a Strong Audit Function Lilian Fong and Marta O'Shea

Implementation Guide 1000

Kentucky State University Office of Internal Audit

Report. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report

AGA Gulf Region PDT COSO and the Green Book: An Enhanced Internal Control Framework

Risk Management With an Enterprise (Wide) Focus

The University of Texas at San Antonio 2014 External Quality Assessment of the Auditing and Consulting Services Office

3.6.2 Internal Audit Charter Adopted by the Board: November 12, 2013

Enterprise Risk Management Aligning Risk with Strategy and Performance COSO ERM Framework Update

Lake County School District. Quality Assurance & Improvement Program. Internal Self-Assessment for. The Internal Audit Department

Control Environment Toolkit: Internal Audit Function

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

Fraud Risk Management

Practice Advisory : Quality Assurance and Improvement Program

CHARTER OF THE SONOMA COUNTY INTERNAL AUDIT FUNCTION JANUARY 15, 2013

CORPORATE GOVERNANCE THEORY, SCOPE AND IMPORTANCE

REPORT 2016/033 INTERNAL AUDIT DIVISION

Informal Consultation on Oversight Matters. September 2017

Completing the ERM Circle

2014 Integrated Internal Control Plan. FRCC Spring Compliance Workshop April 8-10, 2014

The ESRM Life Cycle In Action Simulation Exercise September 23, 2018

INTERNAL CONTROLS ON OUR CAMPUS. Kara Kearney-Saylor Director of Internal Audit, UB

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

Financial Internal Controls Initiative. Martha Kerner Assistant Vice Chancellor for Business Services

The Red (Book) Rocks The Latest and Greatest Audit Standards

Tools & Techniques II: Lead Auditor

Isaca Exam CISM Certified Information Security Manager Version: 6.1 [ Total Questions: 631 ]

Internal Audit Charter

Internal Auditing 101

Internal Oversight Division. Audit Report. Audit of Enterprise Risk Management

Enterprise Risk Management (ERM) How Internal Audit Can Add Great Value

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

Internal Audit Charter

Policies, Procedures and Guidelines

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

Quality Assurance in Internal Audit. Standard on Internal Audit (SIA) 7

Internal Auditors and Enterprise Risk Management (ERM) ICPAK Presentation

The Future of Internal Auditing:

Internal Auditing 101 with Panel Discussion. VGFOA Virginia Beach May 2013

Best Practices for Establishing a Cost-Effective Internal Audit Function. Article by Heidi Wier June 2016

SIAAB Guidance #02 Internal Audit Independence- Interaction with Agency Head, Senior Staff and Placement Within the Organizational Structure

Caribbean Association of Audit Committee Members Inc. Independent Quality Assurance Assessment of the Internal Audit function

External Quality Assessment Are You Ready? Institute of Internal Auditors

White Paper. Effective and Practical Deployment of COSO: Entity Level Control and Lessons Learned. July 10, 2008 THE ROBERTS COMPANY, LLC

Role of Board of Directors in Risk Management. CPA Erick Audi Thursday, 15 th November 2018

THE ARCG CHARTER. Issued in March 2008

Effective implementation of COSO s new anti-fraud guidance

Successful ERM Program Standards. Definitions of Enterprise Risk Management (ERM)

REVISED AUDIT PLAN FOR FY 2016 TEXAS FACILITIES COMMISSION

I. Mission. II. Scope of the Work

GoldSRD Audit 101 Table of Contents & Resource Listing

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Internal Audit Charter

Wokingham Borough Council

Advisory Services Governance, Risk & Compliance

UPMC POLICY AND PROCEDURE MANUAL. Links to policies referenced within this policy can be found in Section V.

Transcription:

IT Audit at Brown A collaboration between the Information Technology and Internal Audit Teams Page 1

Agenda Objective Risk Management Overview Internal Audit at Brown IT Audit at Brown Frequently Asked Questions (FAQ) Common Findings 2 Page 2

Objective To enhance collaboration between the University s Office of Internal Audit Services and the Information Technology Services teams. 3 Page 3

Risk Management Overview Let s start with a definition: a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Committee of Sponsoring Organizations (COSO) 4 Page 4

Risk Management Overview What is your worldview? 5 Page 5

Risk Management Overview A Solution Oriented Approach The Three Lines of Defense 6 Page 6

Internal Audit at Brown The Third Line of Defense Let s start with a definition: Internal auditing at Brown University is independent, objective assurance and consultative activity designed to add value to the organization. The internal audit program is intended to assist the University in accomplishing its objectives by bringing a systematic, disciplined approach to increase the effectiveness and efficiency of risk management, control, and governance processes. 7 Page 7

Internal Audit at Brown - Structure 8 Page 8

Internal Audit at Brown - Mission Mission To help the Corporation protect University resources and enhance the achievement of enterprise-wide strategies by evaluating and monitoring risks, processes and policies significant to the University's mission. Vision Excel as value-added service that is committed to your goals Authority Has free, full, and unrestricted access as necessary to all and any University information, activities, records, property, manual and automated systems, and personnel for the purpose of carrying out their responsibilities. Sample Scope of Work Review design and execution of strategic priorities Assess efficiency and effectiveness of operations Evaluate compliance with policies, procedures, and external rules/regulations Review integrity of financial reporting 9 Page 9

Internal Audit at Brown Services Financial Audits Operational Audits Compliance Audits Information Technology Audits Construction Audits Advisory and Consulting Engagements Investigations Special Reviews 10 Page 10

Internal Audit at Brown Process Risk Based Approach Project Planning and Risk Assessment Test Work Reporting Draft and Final Follow-up/Remediation 11 Page 11

Internal Audit at Brown Risk Based Approach News and Events Regulatory Compliance External Consultants Industry Benchmarks Audit Universe Risk Based Prioritized Audit Universe Emerging Risk Areas High Priority Risk Areas Audit Strategy Audit Plan Low Priority Risk Areas Audit Plan University Strategy Management Interviews Prior Audits Enterprise Risks 112 Page 12

Planning and Risk Assessment Test Work Reporting Internal Audit at Brown Project Phases Identify key contacts Conduct interviews/meetings Document functions Identify risks and controls Modify audit scope as needed Develop audit program Review/assess processes Identify improvement opportunities & best practices Discuss results with management Hold client exit conference Issue Draft Report Obtain responses Issue Final Report 13 Page 13

IT Audit at Brown Risk Focus Areas Focused on risks that impact: Organizational Units Infrastructure Centralized IT Processes Networking Decentralized IT Processes Compute Storage 14 Page 14

IT Audit at Brown A Simple Control Model (SANS 20) 15 Page 15

IT Audit at Brown A Simple Control Model (SANS 20) Potential Risk Some Related SANS Controls Insider threat 14,15,16 Point of sale intrusions 1, 20 Cyber espionage/phishing/ransomware 1, 2 16 Page 16

IT Audit at Brown FAQ Q 1: How is my department selected for an Audit? Answer: 1) Risk assessment and 2) Your request Q 2: How long does an audit typically take? Answer: It depends on size, complexity, and strength of internal controls Q 3: How much of my time will the audit require? Answer: We are considerate Q 4: How can I prepare for an audit? Answer: Have key documents ready 17 Page 17

IT Audit at Brown FAQ Q 5: How confidential will the information I provide to you and my audit report be? Answer: All information received and managed by the Office of Internal Audit Services is held at the appropriate level of confidentiality. Q 6: Who gets copies of audit reports? Answer: Those in a position to see that corrective actions are taken and those with a need to know, generally, the Executive VP Finance and Administration, Senior Officials and key management personnel on a need to know basis, including members of the Audit Committee. 18 Page 18

IT Audit at Brown Common Findings Lack of formalized policies and procedures Inappropriate access management Segregation of duties Misconfigurations Change management Data security 19 Page 19

IT Audit at Brown Ethics and Compliance Reporting System (EARS) 20 Page 20

IT Audit at Brown Questions Feedback Comments 21 Page 21

IT Audit at Brown Final Thought The essence of risk management lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us. P.L. Bernstein 22 Page 22

IT Audit at Brown Contact Information Utibe Offiong Chief University Auditor Utibe_Offiong@Brown.edu 401-863-1593 23 Page 23

IT Audit at Brown Thank you for your time and attention. 24 Page 24

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback