Educause Security Discussion mailing list archives

Re: IT Internal Audit Framework


From: Jim Dillon <jim.dillon () CU EDU>
Date: Wed, 14 Jan 2015 01:00:39 +0000

Vito,

Carlos has done an excellent job of spelling out the practice frameworks most internal audit shops develop their 
approach and standards from.  For the industry his answers are typically correct, and the follow-on about COBIT is also 
correct; it represents the CBK of governance and risk from most auditors' perspectives, although we defer to many 
practice and compliance standards in our work as well.

If you want something slightly more tangible and communicable than all these standards (which you should acknowledge or 
review if you want any in-depth perspective) I have developed a one-page framework that guides our department's 
practice.  The intent was to create a communication piece that captured the scope of most audit inquiry in a way that 
could be discussed with management (COBIT is difficult to do this with as it is excruciatingly comprehensive) and leads 
to consistent scope and objective discussions.

I'm not quite ready to post this (our framework product) to the list or publish it generally, but here are the general 
concepts of the framework.  If you'd like to discuss it further you may contact me at the number below.

====================
First, recognize that most internal IT Audit is concerned with the scope of Governance, Risk, and Control.  That 
perspective may often sit a few layers higher above the forest than the perspective of many security professionals, and 
I find this a constant source of miscommunication and tension.

The framework considers these concepts:

- Stakeholder Needs and Value Creation drive/define Organizational Objectives.
- Those objectives pursue opportunity and/or navigate risk.

The value delivery of audit is related to both of these pursuits.

- IT Value is represented either by asset (data primarily, intellectual property or infrastructure and process 
  secondarily) creation and management, or by service delivery through technology enablement.

Audit then is concerned within this value frame in providing Governance, Risk, and Control products (4 approaches: 
audits, control reviews, consultations, and assurance reviews) to ultimately support the organizational objectives.  
These products are scoped to:

- Either a Governance (direction, alignment, evaluation) or Management (plan, manage, operate, maintain, 
  secure) engagement.  (I try not to mix both in one engagement.)
- Consider People/Principles, Policies, or Practice/Process related to the Governance or Management scope 
  selected for the engagement.  (I typically try to limit this approach to one or two of the P's for scope control.)
- Elect to focus on either Asset value and protection or Service Delivery (Portfolio, App management, 
  Infrastructure, Performance, Attestation)

Summary: So Internal Audit exists to provide value in support of organizational objectives related to the governance, 
risk management, and control structures of the organization through counsel, audit, assurance, and control evaluation.  
IT Audit in particular is concerned with the delivery of value through the effective governance and management of IT 
assets and the delivery of effective and efficient IT services.
======================

If you wanted something simpler, I hope the above helps.  I have considered the professional practice guidelines and 
COBIT 4,5 in developing this summary framework, and you will find a considerable bit more information about the 
expected disciplines of Internal Audit by referencing the IIA and ISACA standards Carlos mentioned.  Often, however, 
there is too much information there for concise discussion, and the abbreviated framework above, executed according to 
the standards, can account for most Internal Audit endeavors.  One of the key concepts the framework I present doesn't 
go into detail about is the objective and independent nature of the audit practice.  It is why Internal Audit typically 
reports to a governing board rather than management and defers so heavily to standards and best practices.

I've been working on and operating our practice according to this framework for a little over a year now and I am 
mostly satisfied that it is sufficient and effective at scoping and communicating audit objectives, although I still 
consider it a work in process.

Best regards,

Jim Dillon

Jim Dillon, CISA, CISSP
Director of IT Audit Services, CU Internal Audit
University of Colorado
Primary Phone and Messages: 303-735-7028
Grant Street Phone: 303-837-2201
Audit Administration: 303-837-2195
Fax: 303-837-2190
jim.dillon () cu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carlos 
Lobato
Sent: Friday, January 09, 2015 12:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] IT Internal Audit Framework

Vito,

The Internal Auditing profession overall is regulated by the International Professional Practices Framework (IPPF) 
promulgated by The Institute of Internal Auditors<http://www.theiia.org/> (IIA).

At a lower, specialized IT level, ISACA<http://www.isaca.org/> has some standards that IT auditors must follow when 
conducting IT audits, but they align with the IPPF.

As far as Higher Ed is concerned, The Association of College & University Auditors<http://www.acua.org/> (ACUA) develops 
guidance and resources for higher ed auditors, but they all align with the IPPF framework.

All professional Internal Auditors and their respective Departments follow the IPPF because their practices are 
assessed on a regular basis by independent third parties for conformance with this framework, and the outcome is reported 
to their Governing Body, i.e. Board of Regents, etc.

Carlos,

Carlos S. Lobato, CISA, CIA, CISSP

IT Compliance Officer

New Mexico State University

Information and Communication Technologies

MSC 3AT PO Box 30001

Las Cruces, NM  88003

Phone (575) 646-5902

Fax (575) 646-5278

________________________________
From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> on behalf of Vito Rocco <vito.rocco () UNLV EDU<mailto:vito.rocco () UNLV EDU>>
Sent: Friday, January 09, 2015 12:16 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] IT Internal Audit Framework

Does anyone have an example of an auditing framework that is tailored to higher ed? For now, I don't care what standard 
it is based on. I am just trying to gather some examples. If you have something that you use for internal auditing and 
you would be willing to share it, please feel free to contact me outside of the list.

Thanks,

Vito Rocco, MS-IT, CISSP, EnCE
Information Security Specialist
University of Nevada, Las Vegas
(702) 895-0400 - Office
(702) 895-1847 - Fax
Security Reports to: informationsecurityoffice () unlv edu<mailto:informationsecurityoffice () unlv edu>
