State Performance & Technology Audits

Overview of IT Reviews at Local Educational Agencies

Presented to: Pennsylvania Association of School Business Officials, 53rd Annual Conference, March 6, 2008



Introduction

Thomas E. Marks, CPA
Deputy Auditor General for Audits
PA Department of the Auditor General
234 Finance Building, Harrisburg, PA 17120; (717) [email protected]

Introduction

Michael A. Billo, CISA, CGAP
Assistant Director of IT Audits
PA Department of the Auditor General
406 Finance Building, Harrisburg, PA 17120; (717) [email protected]

Department Structure

Bureau of School Audits: over 100 auditors statewide doing performance audits of all LEAs

Information Technology Audits: 7 auditors assisting all audit bureaus with the more complex technology issues in their audits and training the financial and performance auditors in IT auditing

IT Audits Mission Statement

To be an innovative team providing support, analysis, problem-solving, training, and technical audits

Information Technology (IT)

ATM, POS, LAN, WAN, Internet, URL, VPN, gigabyte/terabyte, eBay, ISP, IP address, .com, cell phone, Wii, IM, texting, iPod, Xbox

Information Technology Auditing

Information Technology (IT) Auditing

Electronic Data Processing (EDP) Auditing

Part of the review of internal control: internal controls related to information technology, e.g., organizational placement of IT personnel, physical and logical access, SDLC, outsourcing, backups and contingency planning

Audit and IT Standards

GAAS – promulgated by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA); Statements on Auditing Standards (SASs)

GAGAS (Yellow Book) – promulgated by the U.S. Government Accountability Office (GAO)

ISACA – COBIT

FISCAM (GAO's Federal Information System Controls Audit Manual)

CERT best practices

History of IT Reviews

A southwest-region school had membership days changed inadvertently, which affected its membership subsidy

An outside vendor was processing the membership and attendance data for the school

Controls were relinquished to the outside vendor and overlooked by the school

Evolution of IT Reviews

Consistency of audit procedures and coverage

Admittedly a new part of the audit: auditing in the 21st century

Technology has changed some internal controls

Multiple vendors being used by schools for processing membership and attendance data

More than 50 reviews completed during 2007

Evolution of Reviews (cont’d.)

On-the-job training during 2007; more formal training for school auditors in the IT review procedures in the regions in the first quarter of 2008

School auditors to perform the reviews at all LEAs using an outside vendor for membership and attendance data processing after the training

Risk

Membership is not a high-risk area; the mindset, however, is important

Other vulnerable IT areas: accounting, Safe Schools, grades, Social Security numbers, student numbers

IT General Controls

Segregation of duties

Access: physical (locks, security) and logical (user ID and passwords)

Systems Development Life Cycle (SDLC)

Backups and recovery

Contingency planning

Outsourcing

Environmental

Audit Objective

Would you know if your membership and/or attendance data was changed (significantly or otherwise)?

IT Application Controls

Data origination, data input, data processing, data output

Overview of Audit Procedures

Administer internal control questionnaire through inquiries of relevant management and personnel

Request and review applicable documentation

Rate each weakness as a finding or an observation based on its severity and the presence of manual compensating controls

Some specifics …

Walkthrough of hardware, software, interfaces, access methods, etc.

Review of IT contracts/maintenance agreements

Security policies and procedures

User ID approval and maintenance

Separated employees/vendors

Physical and logical access controls

Vendor access

… and a few more

Remote access: vendors and LEA employees via dial-up, Internet, VPN

System development and maintenance; program change control

Backups/recovery

Contingency planning

Environmental considerations

Manual Compensating Controls

Reconciliations

Trends

Rollforwards

Data entry procedures and review

Report review

Evidence of review

Management oversight
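The audit objective asked earlier is whether the LEA would notice if vendor-processed membership data changed. A rollforward is the compensating control that answers it: opening membership plus enrollments minus withdrawals, from the LEA's own records, should equal the closing figure the vendor reports. The following Python script is an added example, not part of the presentation or the Department's audit program; the CSV layouts, building names, student IDs and counts are constructed for illustration, and a real LEA would substitute the vendor's period reports and its own enrollment and withdrawal records.

```python
"""Rollforward reconciliation of vendor-processed membership data.

Added example, not from the Department of the Auditor General's presentation.
The CSV layouts, building names and counts below are constructed for
illustration.
"""
import csv
import io
from collections import Counter

# Constructed vendor report for the prior period (opening membership).
PRIOR_REPORT = """\
building,period,membership
Elementary A,2007-09,405
Elementary B,2007-09,390
Middle School,2007-09,600
"""

# Constructed vendor report for the current period (closing membership).
CURRENT_REPORT = """\
building,period,membership
Elementary A,2007-10,412
Elementary B,2007-10,388
Middle School,2007-10,605
"""

# Constructed LEA-kept log of enrollments and withdrawals during the period.
CHANGE_LOG = """\
date,building,student_id,action
2007-10-01,Elementary A,1001,enroll
2007-10-01,Elementary A,1002,enroll
2007-10-02,Elementary A,1003,enroll
2007-10-03,Elementary A,1004,enroll
2007-10-05,Elementary A,1005,enroll
2007-10-08,Elementary A,1006,enroll
2007-10-09,Elementary A,1007,enroll
2007-10-10,Elementary A,1008,enroll
2007-10-15,Elementary A,0931,withdraw
2007-10-04,Elementary B,0812,withdraw
2007-10-11,Elementary B,0815,withdraw
2007-10-02,Middle School,2201,enroll
2007-10-06,Middle School,2202,enroll
2007-10-12,Middle School,2203,enroll
2007-10-16,Middle School,2104,withdraw
"""


def load_membership(report_csv):
    """Map building -> membership count from one vendor period report."""
    return {row["building"]: int(row["membership"])
            for row in csv.DictReader(io.StringIO(report_csv))}


def load_changes(log_csv):
    """Map building -> Counter of enroll/withdraw actions from the LEA's own log.

    Any other action is rejected rather than silently ignored, so a malformed
    log cannot make the rollforward look clean.
    """
    changes = {}
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["action"] not in ("enroll", "withdraw"):
            raise ValueError(f"unexpected action {row['action']!r} on {row['date']}")
        changes.setdefault(row["building"], Counter())[row["action"]] += 1
    return changes


def rollforward(prior, changes, current):
    """Compute opening + enrollments - withdrawals per building and compare it
    with the vendor's closing figure.

    Returns {building: (expected, reported, variance)}; reported and variance
    are None when a building is missing from the current report.
    """
    result = {}
    for building in sorted(set(prior) | set(current)):
        c = changes.get(building, Counter())
        expected = prior.get(building, 0) + c["enroll"] - c["withdraw"]
        reported = current.get(building)
        variance = None if reported is None else reported - expected
        result[building] = (expected, reported, variance)
    return result


def exceptions(result, tolerance=0):
    """Buildings whose variance exceeds the tolerance, or that are missing from
    the vendor's report; these need an explanation before the data is relied on."""
    return {b: v for b, v in result.items()
            if v[2] is None or abs(v[2]) > tolerance}


def reconcile_sample():
    """Run the rollforward over the constructed sample data."""
    result = rollforward(load_membership(PRIOR_REPORT),
                         load_changes(CHANGE_LOG),
                         load_membership(CURRENT_REPORT))
    return result, exceptions(result)


if __name__ == "__main__":
    result, flagged = reconcile_sample()
    for building, (expected, reported, variance) in result.items():
        print(f"{building:14} expected={expected} reported={reported} variance={variance}")
    print("exceptions:", flagged)
```

In the constructed data the two elementary buildings roll forward cleanly while Middle School is reported three students higher than the LEA's own records support, which is exactly the kind of unexplained change the business office should have to resolve with the vendor before the figure is used for subsidy. The printed table, signed and dated, is the evidence of review that the slide lists.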

Common Weaknesses: Logical Access

Group IDs or individual IDs?

Password policy and syntax requirements:

Minimum length

Complexity: alpha, numeric, special characters; upper and lower case

Forced to change; how often?

How many failed attempts allowed?

Logged off after a period of inactivity?

Common Weaknesses

Monitoring logs: producing the log? If yes, is anyone looking at it?

Contracts and maintenance agreements: LEA recourse for errors/non-performance

Security and acceptable use policies

Approvals and authorizations

Environmental (smoke, fire, temperature)
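The logical-access questions on the previous slide (shared group IDs, failed-attempt limits, separated employees and vendors) and the monitoring question on this one (is anyone looking at the log?) can be answered together by reading the application's access log. The Python script below is an added example, not part of the presentation or of any LEA system: the log line format, user IDs, addresses, and the lists of separated and group IDs are constructed, and the lockout threshold and window are assumed policy values. It flags failed-login bursts, a successful login immediately after the threshold (which shows lockout is not enforced), logins with a shared ID, and any activity by an ID that should have been removed.

```python
"""Review of an application access log for common logical-access weaknesses.

Added example, not from the Department of the Auditor General's presentation.
The log format, IDs, addresses, separated/group ID lists and policy values
are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line, oldest first.
LOG_LINES = """\
2008-02-11 08:03:12 LOGIN OK user=jsmith src=10.1.4.20
2008-02-11 08:05:40 LOGIN FAIL user=mjones src=10.1.4.31
2008-02-11 08:05:52 LOGIN FAIL user=mjones src=10.1.4.31
2008-02-11 08:06:03 LOGIN FAIL user=mjones src=10.1.4.31
2008-02-11 08:06:15 LOGIN FAIL user=mjones src=10.1.4.31
2008-02-11 08:06:30 LOGIN OK user=mjones src=10.1.4.31
2008-02-11 09:12:07 LOGIN OK user=ATTENDANCE src=10.1.4.55
2008-02-11 22:41:19 LOGIN OK user=rdoe src=172.16.9.8
2008-02-11 22:43:02 RECORD UPDATE user=rdoe table=membership id=2104
2008-02-12 07:58:44 LOGIN FAIL user=jsmith src=10.1.4.20
""".splitlines()

# Constructed reference lists the LEA would maintain from HR and vendor records.
SEPARATED_IDS = {"rdoe"}        # employees/vendors whose access should be gone
GROUP_IDS = {"ATTENDANCE"}      # shared IDs with no individual accountability
MAX_FAILED = 3                  # assumed policy: lock out after this many failures
WINDOW = timedelta(minutes=5)   # assumed policy: failures counted within this span

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>[A-Z]+ [A-Z]+) user=(?P<user>\S+)(?P<rest>.*)$"
)


def parse(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "event": m["event"],
        "user": m["user"],
        "rest": m["rest"].strip(),
    }


def review(lines, separated=SEPARATED_IDS, group_ids=GROUP_IDS,
           max_failed=MAX_FAILED, window=WINDOW):
    """Return a list of (kind, user, line) findings for a reviewer to sign off on."""
    findings = []
    recent_fails = defaultdict(list)   # user -> failure timestamps inside the window
    threshold_hit = {}                 # user -> time the failure threshold was crossed
    for line in lines:
        rec = parse(line)
        if rec is None:
            # An unreadable line is itself a finding: the log is not usable as evidence.
            findings.append(("UNPARSED", None, line))
            continue
        user, ts, event = rec["user"], rec["ts"], rec["event"]
        if user in separated:
            findings.append(("SEPARATED_ACCOUNT_ACTIVE", user, line))
        if user in group_ids and event == "LOGIN OK":
            findings.append(("GROUP_ID_LOGIN", user, line))
        if event == "LOGIN FAIL":
            fails = [t for t in recent_fails[user] if ts - t <= window] + [ts]
            if len(fails) > max_failed:
                findings.append(("FAILED_LOGIN_THRESHOLD", user, line))
                threshold_hit[user] = ts
                fails = []             # report the burst once, then start counting again
            recent_fails[user] = fails
        elif event == "LOGIN OK" and user in threshold_hit:
            if ts - threshold_hit.pop(user) <= window:
                # A success right after the threshold means lockout is not enforced.
                findings.append(("LOGIN_AFTER_THRESHOLD", user, line))
    return findings


def summarize(findings):
    """Count findings by kind; an empty result on a busy system deserves a second look."""
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review(LOG_LINES)
    for kind, user, line in found:
        print(f"{kind:26} {user or '-':12} {line}")
    print(summarize(found))
```

Run against the constructed log, the review reports the four-failure burst for one user and the success that followed it within seconds, the shared ATTENDANCE ID logging in, and two events for an ID on the separated list, one of which is a change to a membership record. Whether such a script or a manual read is used, the control only exists if the output is reviewed and the review is evidenced, which is the point of the slide.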

Sources

www.isaca.org www.gao.gov www.cert.org

Questions and Comments

Thank you for your attention!