Educause Security Discussion mailing list archives
Re: IT Project and Internal Audit
From: Chris Bennett <bennetc () LCC EDU>
Date: Thu, 8 Oct 2009 09:46:53 -0400
In our last project, converting to Sungard Banner, I worked with our Internal Audit office, which completed a similar audit of that project. I think that Internal Audit will maintain its independence as long as it is reviewing project documents and defined controls and not designing controls. We were coming off of a less than spectacular implementation project, and so Internal Audit was helpful in checking our work and providing confidence to the administration.

Chris Bennett, GSNA, GSEC
Director of Information Security
Lansing Community College
517-483-5264

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mclaughlin, Kevin (mclaugkl)
Sent: Thursday, October 08, 2009 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Project and Internal Audit

Hi All:

This question is for the Auditors out there. I have done a lot of liaison work between IT and Internal Audit, both within higher education and for Fortune 50 companies. We recently had a new IT Internal Auditor brought on board at UC, and he sent us an engagement letter for an upcoming major project (Semester Conversion). I've never had an auditor get this involved in an initial IT project and just wanted to get a temperature check. While I appreciate having someone on the project team who will be paying close attention to controls and to security, I have a couple of questions/concerns:

1.) Throughout my interaction with auditors in the past they stress maintaining their independence, so I have to wonder if this type of project involvement would be counter to that professional mandate?
2.) Is this a normal thing for auditors to do?
3.) I have always seen this type of security review for projects to be in the InfoSec space vs. the audit space. Is that too closed-minded on my part?

Here are the objectives from the Audit Engagement letter:

===========================================================================

The primary objectives of the review are to determine whether:

- there is reasonable project governance over the phases of the system conversion;
- changes that occur as part of the conversion are appropriately tracked, approved, and tested;
- controls have been designed to ensure completeness and accuracy of data conversion and/or to ensure that only relevant legacy data is retained post conversion;
- controls have been designed to ensure data is interfaced with other systems completely and accurately; and
- potential changes to the current business processes have been identified and communicated to the user community.

Here are the details on what he will be auditing for one of the areas (design requirements):

- Requirements and Design: involves assessing the overall changes to the design of processes and controls relating to the accounts receivable business cycle and student management activities, including:
  - Developing an understanding of the processes by reviewing design documents such as detailed specifications, process blueprints and user requirements;
  - Assessing the controls over completeness and accuracy of design analysis and technical specifications documentation.

This phase of the review will be performed once the process blueprints, user requirements, and technical design documentation have been drafted.

===========================================================================

Before you ask, we have a very good Central IT shop and they've delivered all their major IT projects in the past with minimal issues (SAP, Identity Mgt, etc.)

Thanks for the thoughts and comments. Feel free to send to me directly if you'd prefer.

- Kevin

Kevin L. McLaughlin, CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177