Educause Security Discussion mailing list archives

Re: IT Project and Internal Audit


From: "Lazarus, Carolann" <lazarus () BUFFALO EDU>
Date: Thu, 8 Oct 2009 11:19:23 -0400

I've been an IT auditor for over 20 years.  This sounds like a typical audit of systems development.   Instead of 
auditing the system, the project management controls are audited.  It seems entirely appropriate to me.  What you 
provided indicates he will not be doing design work, just reviewing the controls over that work.  This type of audit 
isn't as common as the typical IT audit for various reasons, but they can be very valuable.  It can give management 
assurance that the project has good controls, and it will provide the new IT auditor with lots of information on how 
the central IT shop works, not just limited to this project.

Think of it this way: I can audit the access to a system - specifically looking at who has access and whether that access 
is appropriate.  But I also audit the administration of access.  Do they have procedures for granting access?  Is a review 
of access performed regularly and documented?  Is responsibility for access administration formally assigned?  Etc. 
Can you see the difference?

There are actually two distinct ways to audit a developing system: the controls in the system, and the controls over the 
project management.  And they don't have to be separate audits.  The former is more typical, but the latter is not 
inappropriate.

What you provided from the engagement letter looks pretty textbook to me.  Here's a quote right from the IT auditor 
certification review manual.  It's talking about the design phase of system development - ...the IT auditor is 
interested in evaluating the effectiveness of the design process itself, such as in the use of structured design 
techniques, prototyping and test plans, and software baselining, to establish a formal software change process that 
effectively freezes the inclusion of any changes to system requirements without a formal review and approval process.  
The key documents coming out of this phase include system, subsystem, program and database specifications, test plans, 
and a defined and documented formal software change control process.

Hope this helped.

Carolann G Lazarus
lazarus () buffalo edu
716-829-6947
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Mclaughlin, Kevin (mclaugkl)
Sent: Thursday, October 08, 2009 9:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] IT Project and Internal Audit

Hi All:

This question is for the Auditors out there.   I have done a lot of liaison work between IT and Internal Audit, both 
within higher education and for Fortune 50 companies.  We recently had a new IT Internal auditor brought on board at UC 
and he sent us an engagement letter for an upcoming major project (Semester Conversion).  I've never had an auditor get 
this involved in an initial IT project and just wanted to get a temperature check.

While I appreciate having someone on the project team who will be paying close attention to controls and to security I 
have a couple of questions/concerns:
1.) Throughout my interaction with auditors in the past they stress maintaining their independence - so I have to 
wonder if this type of project involvement would be counter to that professional mandate?
2.) Is this a normal thing for auditors to do?
3.) I have always seen this type of security review for projects to be in the InfoSec space vs the audit space - is 
that too closed minded on my part?

Here's the objectives from the Audit Engagement letter:
===========================================================================================================================
The primary objectives of the review are to determine whether:

*    there is reasonable project governance over the phases of the system conversion;

*    changes that occur as part of the conversion are appropriately tracked, approved, and tested;

*    controls have been designed to ensure completeness and accuracy of data conversion and/or to ensure that only 
relevant legacy data is retained post conversion;

*    controls have been designed to ensure data is interfaced with other systems completely and accurately; and

*    potential changes to the current business processes have been identified and communicated to user community.



Here's the details on what he will be auditing for one of the areas (design requirements):
*    Requirements and Design
     - involves assessing the overall changes to design of processes and controls relating to accounts receivable 
       business cycle and student management activities, including:
       o Developing an understanding of the processes by reviewing design documents such as detailed specifications, process 
         blueprints and user requirements;
       o Assessing the controls over completeness and accuracy of design analysis and technical specifications documentation.
     This phase of the review will be performed once the process blueprints, user requirements, and technical design 
     documentation have been drafted.

============================================================================================================================

Before you ask we have a very good Central IT shop and they've delivered all their major IT projects in the past with 
minimal issues (SAP, Identity Mgt, etc.)

Thanks for the thoughts and comments - feel free to send to me directly if you'd prefer,

- Kevin

Kevin L. McLaughlin,  CISM, CISSP, GIAC-GSLC, PMP, ITIL Master Certified
Assistant Vice President, Information Security & Special Projects
University of Cincinnati
513-556-9177

