IT Audit Services

Ensuring the Right Systems and Controls Are in Place to Manage Risks Created by New Technologies

Why Data Matters

Accurate and reliable data enables customers to place orders, companies to ship product, sales people to connect with targets, and management to evaluate what is going on in the business and make appropriate decisions. All of these processes and many more rely on a complex system of technologies that underpin the operation of companies today.

Navigating this environment is not getting easier. Rather, the pace of change in technology is increasing, customers now access their accounts remotely, social media is used as a sales channel, orders are placed on smartphones, and people, both employees and customers, want access to their data all the time and from everywhere. This is why it is so painful when technology goes wrong and why the specialized skill of auditing the technologies used to support a business matters.

Today’s Top Technology Challenges

1. IT security and privacy/cybersecurity
2. Resource/staffing/skills challenges
3. Emerging technology and infrastructure changes: transformation, innovation, disruption
4. Regulatory compliance
5. Budgets and controlling costs
6. IT governance and risk management
7. Big data and analytics
8. Vendor, third-party and outsourcing risks
9. Cloud computing/virtualization
10. Bridging information technology (IT) and the business

Results of the ISACA/Protiviti 4th Annual IT Audit Benchmarking Survey

Why IT Audit Matters

Technology permeates almost every facet of business today. We make thousands of assumptions every day about the reliability or function of some piece of technology that supports what we are trying to achieve. An organization’s top executives, board of directors and audit committee members look to IT management for effective oversight of IT risks, and lean on internal audit to provide assurance that the governance of those risks is happening.
Consistently evaluating how the technology organization identifies and manages risk is a key role of the IT audit function. IT audit also provides insight into the threats inherent in today’s highly complex IT environment and provides assurance to the board that the collective organization has the systems and processes in place to anticipate and manage the risks brought on by new technologies.

In addition, the regulatory environment is constantly changing, impacting the compliance requirements companies face (e.g., Sarbanes-Oxley, Payment Card Industry Data Security Standard (PCI DSS), HITECH Act, COSO, Cybersecurity Act, etc.). The IT audit function has a role to understand how these external requirements impact the organization and how the IT function is mitigating the company’s exposure.

Despite these needs, many organizations are not well-equipped to foresee and manage IT risks adequately. Our benchmarking survey of IT audit functions,¹ which we conduct annually to identify and analyze IT audit trends and gaps present in organizations today, shows there is a need for significant improvement in IT audit capabilities within most organizations.

Protiviti has extensive experience with helping companies assess and improve their IT audit capabilities. We often provide the IT audit function, conduct projects on specific topics, or assist larger in-house IT audit departments as subject-matter experts.

¹ 4th Annual IT Audit Benchmarking Survey, Protiviti, 2014, www.protiviti.com/ITAuditSurvey

“RISK ASSESSMENT IS THE IDENTIFICATION AND ANALYSIS OF RELEVANT RISKS TO ACHIEVEMENT OF THE OBJECTIVES, FORMING A BASIS FOR DETERMINING HOW THE RISKS SHOULD BE MANAGED.”
AS DEFINED BY THE COMMITTEE OF SPONSORING ORGANIZATIONS OF THE TREADWAY COMMISSION

Our Philosophy and Approach to IT Auditing

Understanding the landscape of the technology environment and how it supports the business is an involved task with which many organizations struggle. We use the model below as a guide for IT risk assessments and audit scoping and planning, to help us plot the use of technology in the company and link it back to the business. We utilize each part of the model to assess, prioritize and influence the development of the IT audit universe and audit plan.

• At the core are the organization’s business processes – the reason technology exists within any organization and the ultimate focus of the IT organization.
• Surrounding the core are key technology components and applications needed to enable the business.
• Platforms, networks, databases and physical assets form the basis of the IT organization and each could be a source of IT risks.
• Key success factors for the IT organization surround the core IT processes.

Risks and Indicators of Need

Technology is increasingly used to support and optimize business processes. As reliance on technology grows, so do the associated risks to the organization.
Some of the business aspects affected by rapidly expanding technology use include:

• Increased automation of business processes
• Rising complexity of processing (users cannot or do not determine the accuracy and completeness of the processing)
• Increased reliance on information to make real-time management decisions and to achieve compliance with the Securities and Exchange Commission (SEC) and other regulatory and compliance guidance
• Outsourcing of technology and processes, resulting in changes to the risk profiles
• Increased internal and external threats from hackers and others who want to disrupt business and/or gain advantage from confidential or proprietary information

The table below outlines typical IT risks and lists important indicators pointing to the need for an effective IT audit function.

Risks Related to Technology

• The information provided by the systems lacks integrity and effectiveness (relevance, accuracy, timeliness, consistency, valid for its business use, etc.).
• Confidential information is exposed or breached.
• Systems and data are not available as needed by the business.
• Technology and data are not managed in accordance with laws, regulations and contractual terms and conditions.
• Information and data are not reliable and sufficient for management to make decisions.
• Technology and data are not managed and maintained efficiently and effectively.

Indicators of Need

• There has been a major change in the business or IT organization caused by rapid growth or other factors.
• The company lacks a formal IT audit function, or IT audit staff is not adequately trained in emerging technologies and the related risks.
• The company currently outsources the IT audit function to a provider with a perceived lack of independence and objectivity.
• The IT audit function lacks the technical and business skills to meet the organization’s needs.
• The company relies on fragmented or immature technology or has poor internal IT controls.
• The IT department lacks documented policies and procedures, or its policies and procedures are not applied consistently across the organization.
• The company must meet regulatory requirements or provide assurance to third-party entities.

How We Partner With Companies to Deliver IT Audit Services

A successful IT audit assesses technology risks and the control environment as they relate to critical business processes. Almost all of our IT audit engagements find their origin with a risk assessment exercise. To do this, we typically establish a “risk universe” of the IT risks inherent in the client’s business or industry, by looking at critical business processes in place, identifying key applications and supporting technology for each significant business process, understanding the management and governance structure applied, and noting current and future IT projects and initiatives. We then organize our observations into a “heat map” of risk areas, as a means of understanding where our work will deliver the most impact and value for our client, and we correlate our findings about risk with the goals of executive management.

Co-sourcing or Outsourcing?

An IT audit function must have the appropriate mix of skills that reflects the needs of the organization – that is, its most critical or most often used business processes and structures. In departments with designated IT auditors, internal audit staff typically will have basic knowledge of application controls and configuration, IT general controls testing (a broad level of understanding specific to the IT environment), and IT risk assessment and audit planning procedures.
However, IT audit staff may lack the more advanced and specialized skills required to address adequately all of the business’s technology risks, or specific risk-sensitive processes, components and infrastructure – such as can be identified through a risk assessment exercise. Furthermore, it is often difficult to hire, train and retain qualified IT audit experts in specialized areas, or the advanced audit skills may not be needed full-time throughout the year.

Organizations must evaluate carefully their internal IT audit capabilities in light of the needs of the business to determine the best way to structure the IT audit function. Co-sourcing those IT audits that require skills outside of the organization’s standard competency profile is often a better option for companies than maintaining a full skill set in-house year-round. Some organizations will find that outsourcing the IT audit function helps them focus on their core business activities, with no need to worry about the adequacy of their internal IT audit resources.

In both instances, Protiviti can step in as a highly qualified and experienced IT audit partner to a company’s internal audit function in either a co-sourced or outsourced capacity.

Why Choose Protiviti as Your Partner

We understand that accurate and reliable data does matter and that technology is about more than settings on a server, patches that haven’t been applied, or a thousand other details that distract from the key issues. Technology is relevant to a business because it supports a business process that furthers your strategy. Our approach to IT auditing is to evaluate the context in which technology is used and enable transparency from bits and bytes to dollars and cents.

Our audit services are delivered by appropriately trained and supported professionals equipped with leading-practice methodologies, tools and thought leadership.
We have hundreds of professionals focused on IT internal audit solutions, and have executed more than one million hours of IT audit project work as a firm. We demand a high level of professionalism and commitment to client satisfaction from our professionals and we actively measure client satisfaction to ensure we are meeting our goals.

We have provided IT audit services to nearly 800 organizations globally, more than 20 percent of which are Fortune 1000® companies. Our industry footprint includes:

• Financial Services and Real Estate
• Consumer Products and Services
• Healthcare and Life Sciences
• Technology, Media and Communications
• Energy and Utilities
• Industrial Products
• Government

By choosing Protiviti as your partner, you will gain:

• Confidence that Protiviti professionals with deep technical and analytical skills will assess the security, integrity, availability and reliability of critical information
• Access to Protiviti’s broad knowledge base of industry best practices for IT controls
• Unbiased view of your company’s current IT environment and its risks
• Actionable results to help mitigate uncontrolled risks
• Appropriate alignment between the internal audit function and the company’s business and IT strategies
• Improved effectiveness and efficiency of technology controls and processes

About Protiviti

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000® and FORTUNE Global 500® companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI).
Founded in 1948, Robert Half is a member of the S&P 500 index.

© 2015 Protiviti Inc.
An Equal Opportunity Employer M/F/Disability/Vet. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0215