Educause Security Discussion mailing list archives

Re: IT Project and Internal Audit


From: Chris Bennett <bennetc () LCC EDU>
Date: Thu, 8 Oct 2009 09:46:53 -0400

In our last project, converting to Sungard Banner, I worked with our Internal Audit office, which completed a similar audit of that project. I think that Internal Audit will maintain its independence as long as it is reviewing project documents and defined controls and not designing controls. We were coming off of a less-than-spectacular implementation project, and so Internal Audit was helpful in checking our work and providing confidence to the administration.

 

Chris Bennett, GSNA, GSEC

Director of Information Security

Lansing Community College

517-483-5264

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Mclaughlin, Kevin (mclaugkl)
Sent: Thursday, October 08, 2009 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Project and Internal Audit

 

Hi All:

 

This question is for the Auditors out there. I have done a lot of liaison work between IT and Internal Audit, both within higher education and for Fortune 50 companies. We recently had a new IT Internal Auditor brought on board at UC, and he sent us an engagement letter for an upcoming major project (Semester Conversion). I've never had an auditor get this involved in an initial IT project and just wanted to get a temperature check.

 

While I appreciate having someone on the project team who will be paying close attention to controls and to security, I have a couple of questions/concerns:

1.) Throughout my interaction with auditors in the past, they stress maintaining their independence, so I have to wonder if this type of project involvement would be counter to that professional mandate?

2.) Is this a normal thing for auditors to do?

3.) I have always seen this type of security review for projects to be in the InfoSec space vs. the audit space - is that too closed-minded on my part?

 

Here are the objectives from the Audit Engagement letter:

===========================================================================================================================

The primary objectives of the review are to determine whether:

- there is reasonable project governance over the phases of the system conversion;

- changes that occur as part of the conversion are appropriately tracked, approved, and tested;

- controls have been designed to ensure completeness and accuracy of data conversion and/or to ensure that only relevant legacy data is retained post conversion;

- controls have been designed to ensure data is interfaced with other systems completely and accurately; and

- potential changes to the current business processes have been identified and communicated to the user community.

 

Here are the details on what he will be auditing for one of the areas (design requirements):

- Requirements and Design

  - involves assessing the overall changes to the design of processes and controls relating to the accounts receivable business cycle and student management activities, including:

    - Developing an understanding of the processes by reviewing design documents such as detailed specifications, process blueprints and user requirements;

    - Assessing the controls over completeness and accuracy of design analysis and technical specifications documentation.

This phase of the review will be performed once the process blueprints, user requirements, and technical design documentation have been drafted.

 

============================================================================================================================

 

Before you ask, we have a very good Central IT shop, and they've delivered all their major IT projects in the past with minimal issues (SAP, Identity Mgt, etc.).

 

Thanks for the thoughts and comments - feel free to send to me directly if you'd prefer,

 

- Kevin

 

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified

Assistant Vice President, Information Security & Special Projects

University of Cincinnati

513-556-9177

 
