Educause Security Discussion mailing list archives

Re: IT Project and Internal Audit


From: Gary Dobbins <dobbins () ND EDU>
Date: Thu, 8 Oct 2009 09:41:06 -0400

We've had internal audit participate on major projects, but they don't design, since they can't later audit what is 
"their own work."

If your team structure has a mechanism to maintain that independence, you're ok, but it might not be easy.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Mclaughlin, Kevin (mclaugkl)
Sent: Thursday, October 08, 2009 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Project and Internal Audit

Hi All:

This question is for the Auditors out there.   I have done a lot of liaison work between IT and Internal Audit, both 
within higher education and for Fortune 50 companies.  We recently had a new IT Internal auditor brought on board at UC 
and he sent us an engagement letter for an upcoming major project (Semester Conversion).  I've never had an auditor get 
this involved in an initial IT project and just wanted to get a temperature check.

While I appreciate having someone on the project team who will be paying close attention to controls and to security I 
have a couple of questions/concerns:
1.) throughout my interaction with auditors in the past they stress maintaining their independence - so I have to 
wonder if this type of project involvement would be counter to that professional mandate?
2.)  is this a normal thing for auditors to do?
3.) I have always seen this type of security review for projects to be in the InfoSec space vs the audit space - is 
that too closed-minded on my part?

Here are the objectives from the Audit Engagement letter:
===========================================================================================================================
The primary objectives of the review are to determine whether:

*    there is reasonable project governance over the phases of the system conversion;

*    changes that occur as part of the conversion are appropriately tracked, approved, and tested;

*    controls have been designed to ensure completeness and accuracy of data conversion and/or to ensure that only 
relevant legacy data is retained post conversion;

*    controls have been designed to ensure data is interfaced with other systems completely and accurately; and

*    potential changes to the current business processes have been identified and communicated to the user community.



Here are the details on what he will be auditing for one of the areas (design requirements):
*    Requirements and Design
-    involves assessing the overall changes to design of processes and controls relating to accounts receivable 
business cycle and student management activities, including:
o    Developing an understanding of the processes by reviewing design documents such as detailed specifications, process 
blueprints and user requirements;
o    Assessing the controls over completeness and accuracy of design analysis and technical specifications documentation.
This phase of the review will be performed once the process blueprints, user requirements, and technical design 
documentation have been drafted.

============================================================================================================================

Before you ask, we have a very good Central IT shop and they've delivered all their major IT projects in the past with 
minimal issues (SAP, Identity Mgt, etc.)

Thanks for the thoughts and comments - feel free to send to me directly if you'd prefer,

- Kevin

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177
