BOL Conferences
Page 1 of 2 1 2
#187734 - 05/06/04 08:27 PM Information Technology Auditing
Anonymous
Unregistered

I am looking for advice as to how other bankers are handling the audit of the overall information security area. With the onset of so much technology there is a wide range of services which need to be covered:

1. Internal Network Testing
2. External Network Testing
3. WebPage
4. Overall Information Technology Risk Assessment

I am curious as to how banks are handling these areas--outsourcing in many cases I presume but to the same firm? to different firms? And at what cost to the bank?

Our bank is $400 million in assets, publicly traded using FISERV as our computer service provider. Any thoughts anyone could share as to how they are handling the IT audits would be appreciated. THANKS

#187735 - 05/06/04 08:38 PM Re: Information Technology Auditing
Tink Offline
Member
Joined: Apr 2004
Posts: 59
Most of the institutions we have as clients chose to use only our firm for all services but some also choose to divide the services with other firms as well. Size of the institution does not seem to impact the decision and independence between audited areas is not an issue.

#187736 - 05/06/04 11:43 PM Re: Information Technology Auditing
rlcarey Offline
10K Club
Joined: Jul 2001
Posts: 83,371
Galveston, TX
I concur, one or several, but (Disclosure) although I work for a consulting firm that performs these services, outsourcing is really the way to go. Like you stated, with so much advanced technology, without working with it on a day-to-day basis, you have little chance of doing an appropriate review in house unless you have the size and resources at your disposal. For shops your size, go with any of the reputable firms and the price you will pay will be worth it. I did when I was on your side of the fence.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#187737 - 05/07/04 02:11 PM Re: Information Technology Auditing
Red Offline
Gold Star
Joined: Dec 2002
Posts: 345
New England
1 & 2 are outsourced to a tech firm that specializes in this. The cost is about 5 grand but the assurance is worth it. Webpage and Risk assessment are reviewed by our outsourced Internal Audit group as part of their annual audit plan. They also review the work that the other firm does for EDS and IDS.
_________________________
It's risky business, but someone has to do it.

#187738 - 05/12/04 09:37 PM Re: Information Technology Auditing
Anonymous
Unregistered

We are a $350 million bank with an in-house IT system. We outsource our auditing to a firm that uses a team with expertise in this particular area. The annual audit includes Information Security (GLBA), firewall tests, penetration, vulnerability tests, workstation reviews, organization controls, system maintenance procedures, network procedures, data and procedural controls, physical security as well as review of our internet banking. The audit usually runs around $15,000.

#187739 - 05/13/04 01:08 PM Re: Information Technology Auditing
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Anon,

I am trying to scope out something similar to the original poster, Steve. Out of curiosity, I'm wondering if you could give me an idea what the $15,000 covered in the way of actual on-site time as well as the number of staff involved, how long they were in the bank, and what their professional levels were.

My scope is basically to have a risk assessment performed (the whole shebang, from policy assessment to penetration testing) for a mortgage company affiliate of a national bank. So far, I have three proposals and the least expensive is $25,000 received from a regional accounting/consultancy firm. Their proposal calls for us to prepare a response to a request letter format (similar to a regulatory exam), then they would be on-site for no more than a week. All the consultants would be CISAs, CISSPs, CISMs, etc., so they would be competent; however, the sticker shock is what hit me. I was hoping for something in the $5,000-$7,000 range, but I may just be unfamiliar with what a reasonable audit should cost.

#187740 - 05/13/04 02:48 PM Re: Information Technology Auditing
Anonymous
Unregistered

could you e-mail me at "sriley@fnbl.com" or call me at (860) 567-6469 regarding the IT exams. Steve

#187741 - 05/24/04 07:07 PM Re: Information Technology Auditing
cdavis Offline
New Poster
Joined: Jan 2004
Posts: 9
Jay,

On average, information security professionals with expertise in banking draw roughly $2,500 per day per person. A week of work with two people on site will run about $25K. Because the expertise mix requires half audit skills and half technical skills, there are a limited number of professionals who have both skill sets (e.g., CISSP) and so the pricing is such. Overall pricing is dependent on the scope of the project, of course, and that's where it helps to do your homework.
_________________________
BankInfoSecurity.com

#187742 - 05/26/04 02:29 PM Re: Information Technology Auditing
Wayne Barnett Offline
Member
Joined: Nov 2002
Posts: 58
Dallas, Texas
Audit and consulting fees vary by region. My CPA firm charges $750/day per person for on-site work, and $500/day for off-site work. We'd be glad to give you a proposal, but we're booked until September of 2005.

If you check with your state's CPA association, you may find someone that's highly qualified, and who charges an amount you find reasonable.

Regards,
Wayne Barnett, CPA
800-680-8692
www.barnettcpa.com
wbarnett@barnettcpa.com

#187743 - 05/27/04 02:08 AM Re: Information Technology Auditing
Anonymous
Unregistered

believe it or not - this is a serious question.

why or how does the CPA designation qualify someone to perform an IT Audit?

shouldn't a qualified IT auditor possess technology (not financial) based certifications and credentials?

just wondering, we're looking for an IT auditor also.

techgurl

#187744 - 05/27/04 05:08 AM Re: Information Technology Auditing
Jokerman Offline
10K Club
Joined: Nov 2003
Posts: 12,846
CPAs have been trained in auditing, period. Because what they have audited has, over time, become more and more likely to be compiled by information systems, that skill set has generally been absorbed. Granted, many CPAs are not qualified to do a complicated information systems audit. However, the most highly qualified information systems auditors likely are CPAs.

#187745 - 05/27/04 12:55 PM Re: Information Technology Auditing
rlcarey Offline
10K Club
Joined: Jul 2001
Posts: 83,371
Galveston, TX
Yes, and many outsourcing IT auditing firms utilize individuals that have a CPA designation, but the firm itself is not a CPA firm. There is no requirement that you use a CPA designated individual or CPA firm to perform an IT audit. You are correct in that training and experience of the individuals/firm selected is the key.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#187746 - 05/27/04 01:36 PM Re: Information Technology Auditing
Tink Offline
Member
Joined: Apr 2004
Posts: 59
Quote:

believe it or not - this is a serious question.

why or how does the CPA designation qualify someone to perform an IT Audit?

shouldn't a qualified IT auditor possess technology (not financial) based certifications and credentials?

just wondering, we're looking for an IT auditor also.

techgurl

I understand your concern. I too work for a CPA firm. I can also tell you that in the firm in which I work there are persons that specialize in many different areas and are well certified and qualified to do so, among them "Secure IT". If you are interested in finding someone to perform an IT audit, just as with any other audit area, you will need to look into their qualifications to perform such services and ask for references from previous jobs.

#187747 - 05/27/04 01:50 PM Re: Information Technology Auditing
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Another good point by the J-man, albeit he was up quite late on that post. His point is that a CPA might not necessarily have the detail skills in application systems, understanding infrastructure or networks, but the CPA has the one thing that the entire industry most often wants: the authority and ability to provide attestation of the information contributing to a bank's financial statements.

Most banking executives, most bank industry regulators, and basically the entire capital markets are concerned with the attestation of an institution's financial statements. Attestation, as we all know, is the "certification" of all financial statements by a CPA. Go to www.AICPA.org and click Statement on Auditing Standards No. 94 (SAS 94), The Effect of Information Technology on the Auditor's Consideration of Internal Control in a Financial Statement Audit.

Many CPA firms may have non-CPAs (e.g., CISAs, CISSPs, etc.) conduct risk assessments and security reviews of the access controls, audit trail reporting, incident response planning, and the overall connectivity controls, etc., but the ultimate report will likely come from an engagement partner who is a CPA and who attests to the accuracy and integrity of the information contributing to the bank's financial statements and processed on any in-house or third-party computing platform. Could this interest in attestation be seen as an overkill, and be a way to keep the CPA industry "in charge"? To a degree, yes. Much in the same way that appraisers in training have USPAP-licensed appraisers "sign off" on appraisals, many CPA firms have CPAs ultimately attest to the integrity, accuracy, and completeness of information systems in the processing of data that ultimately constitutes a bank's financial statements. A consultant that has a combination of a CPA, CISA and CISSP means that the individual can provide attestation, but the costs for that person are astronomical -- and can easily go to $3,000 per day.

Don't forget that amongst banking executives there are many CPAs, too, so there is a perception that a CPA's involvement must mean that there is more value to the product -- when we all know that in IT auditing that may or may not be the case.

#187748 - 05/27/04 02:41 PM Re: Information Technology Auditing
Wayne Barnett Offline
Member
Joined: Nov 2002
Posts: 58
Dallas, Texas
One final thing--A CPA firm can be held criminally and civilly liable, in the event they fail to use due professional care in an engagement. Most firms pay a small fortune each year for liability insurance (mine included), and we hope we never have to use it. A non-CPA auditor doesn't have a state-issued license. If he or she takes your money and does a bad job, there's little you can do.

Regards,
Wayne Barnett, CPA
800-680-8692

#187749 - 05/28/04 03:33 PM Re: Information Technology Auditing
Anonymous
Unregistered

thx everyone for your input. and please, i mean no offense to CPAs.

our local CPA firm is pushing IT auditing on our bank pres. and i can tell you for a fact that no one at this firm is “qualified” (possesses technical depth) to audit my systems.

my thoughts after doing research and reading other posts . . .

* i understand and agree that some CPAs may be experienced and/or have other certs to provide IT auditing.

* the CPA designation alone does not qualify an individual to perform an IT audit of sufficient rigorousness.

* there are no technology requirements (verifiable past IT experience, examination content, etc) at all to become a CPA in my state.

* i agree that management should objectively determine and establish the qualifications of its auditors – FFIEC requirement

* as to jokerman’s absorption theory – i don’t think you can just “absorb” complex technical knowledge necessary to examine information systems – i’m not buying that one.

thx again,

techgurl

#187750 - 05/28/04 03:50 PM Re: Information Technology Auditing
Jokerman Offline
10K Club
Joined: Nov 2003
Posts: 12,846
Quote:

* there are no technology requirements (verifiable past it experience, examination content, etc) at all to become a CPA in my state.

ah, not so, grasshopper -

From the AICPA:

Quote:

Information Technology Topics

This section lists information technology topics that CPAs need to understand in order to perform auditing and other attestation engagements in computerized environments. Understanding of these topics is tested on the Auditing section.

- Role of Information Systems Within Business: includes reporting concepts and systems, transaction processing systems, management reporting systems, and risks.
- Hardware: includes CPUs, file servers, workstations/terminals, input/output devices, physical storage devices, memory, and communications devices.
- Software: includes operating systems, applications, and security.
- Data Structure: includes file organization, types of data files, and database management systems.
- Networks: includes LANs/WANs/VANs; internet, intranet, extranet; centralized/decentralized processing; distributed data processing; client/server computing; and end-user computing.
- Transaction Processing Modes: includes batch, on-line, real-time, and distributed processing.
- Electronic Commerce: includes electronic data interchange, electronic fund transfers, point of sale transactions, and internet-based transactions.
- Application Processing Phases: includes data capture; edit routines; master file maintenance; reporting, accounting, control, and management; query, audit trail, and ad hoc reports; and transaction flow.
- IT Control Objectives: includes completeness, accuracy, validity, integrity, timeliness, and authorization control objectives.
- Control Activities and Design: includes effects of general controls, preventive controls, detective controls, automated controls, and user controls.
- Physical Access Controls and Security: includes user identification, keypad device, and card reader controls; access rights; file attributes; and passwords.
- Roles and Responsibilities Within IT Department: includes roles and responsibilities of database/network/web administrators, computer operators, librarians, systems programmers, and applications programmers, and appropriate segregation of duties.
- Disaster Recovery/Business Continuity: includes data backup and data recovery procedures, alternate processing facilities (hot sites), and threats and risk management.
- Audit Tests of General and Automated Controls: includes inquiry and observation tests, reperformance tests, parallel simulation tests, embedded audit modules, and test data.
- Computer-Assisted Auditing Techniques (CAATs): includes feasibility of CAATs; categories of CAATs; available tools/techniques, including data interrogation, extraction, and analysis; definition and design of CAATs; and execution and control of CAATs.
- Risks of Auditing Around the Computer (Without Using CAATs): includes insufficient paper-based evidence and insufficient audit procedures.

Also, the CIA exam is quite heavy on IT. A whole section covers nothing but.

Quote:

* as to jokerman’s absorption theory – i don’t think you can just “absorb” complex technical knowledge necessary to examine information systems – i’m not buying that one.

I was not referring to individual CPAs, but to the profession, which, as you can see above, has deemed IT to be a necessary skill set for a CPA.

#187751 - 05/28/04 04:22 PM Re: Information Technology Auditing
Anonymous
Unregistered

jokerman,

that’s interesting, thanks for the information – couldn’t find anything for my state. will you provide the weblink to that list?

why then did the AICPA introduce the CITP (certified information technology professional) designation?

could it be because the general feeling is that the CPA designation alone isn’t adequate as it pertains to technological control assurance. a dentist and a heart surgeon are both doctors, but i’d rather have the heart surgeon cutting my chest open.

i still contend, a CPA alone, does not make an IT auditor. if my performance as a tech professional is judged partly by the results of an independent IT audit, i’d rather have that audit performed by a technology specialist than by an accounting specialist.

techgurl

#187752 - 05/28/04 04:48 PM Re: Information Technology Auditing
Jokerman Offline
10K Club
Joined: Nov 2003
Posts: 12,846
Quote:

...couldn’t find anything for my state. will you provide the weblink to that list?

The CPA exam is uniform (all states take the same test). The exam content is explained here.

Quote:

why then did the AICPA introduce the CITP (certified information technology professional) designation? could it be because the general feeling is that the CPA designation alone isn’t adequate as it pertains to technological control assurance. . .i still contend, a CPA alone, does not make an IT auditor.

I don't disagree with you that passing the CPA exam does not qualify an individual to perform complicated IT audits. I do think that having the CPA in addition to appropriate IT credentials adds weight to the value of an audit opinion.

#187753 - 05/28/04 05:16 PM Re: Information Technology Auditing
Anonymous
Unregistered

right-o, thanks, jokerman – i did find that earlier, however i interpreted the below statement differently,

“This section lists information technology topics that CPAs need to understand in order to perform auditing and other attestation engagements in computerized environments. Understanding of these topics is tested on the auditing section.”

i interpreted the above “in” to mean providing accounting audit and attestation services “within” a computerized environment rather than providing audit and attestation “of” computerized environments.

thanks for the noodle time. i think i learned something.

techgurl

#187754 - 05/29/04 02:43 AM Re: Information Technology Auditing
Jay-Risk Offline
Gold Star
Joined: May 2004
Posts: 274
New England
Quote:

i interpreted the above “in” to mean providing accounting audit and attestation services “within” a computerized environment rather than providing audit and attestation “of” computerized environments.

Anon --

This could be considered hair-splitting. The original poster, Steve, asked about a technology risk assessment of the enterprise, and we are all in agreement that both CPA firms and non-CPA firms offer varying risk assessment solutions. There are firms that claim they "certify" systems as secure, etc., but this is a marketing technique. ISACA has IT governance and IT auditing standards, IIA has IT standards, and ISC2 has IT security standards, but these are developed by the respective associations. There are no industry-accepted standards to "attest" a computing system only; the attestation is of the accuracy and integrity of the information through validating the output as tested in the composition of the financial statements.

That somebody might only possess a CPA certification does not mean that the individual would be less qualified to conduct an enterprise IT risk assessment. In fact, there are many information security and information technology professionals who have no certifications, so I'm not sure why someone with only CPA certification would be a concern to you.

An enterprise audit is different from, say, an information security-only assessment that only validates the methods in place to uniquely identify users, ensure secured network connectivity, and verify disaster incident response processes. The enterprise assessment is also evaluating data input and output processes. How a bank initiates, records, processes, and reports transactions, and the performing of substantive tests of transactions, is done to assess the likelihood that a material misstatement could occur in the reporting of the financial statements.

The attestation is of the financial statements, but the process must also involve validation of the internal controls, and must consider all factors that affect the risk of a material misstatement.

#187755 - 06/01/04 10:47 PM Re: Information Technology Auditing
BethF Offline
Member
Joined: Feb 2004
Posts: 90
Sunny San Diego
I'm wondering if anyone has a request for proposal for IT audit services that I could get my hands on. I too am looking to get some assistance with this area.

Thanks
Beth

#187756 - 06/02/04 08:33 PM Re: Information Technology Auditing
Andy_Z Offline
10K Club
Joined: Oct 2000
Posts: 27,752
On the Net
Related info to this general topic:

Checklist

Background
_________________________
AndyZ CRCM
My opinions are not necessarily my employers.
R+R-R=R+R
Rules and Regs minus Relationships equals Resentment and Rebellion. John Maxwell

#187757 - 06/03/04 03:03 PM Re: Information Technology Auditing
Anonymous
Unregistered

Quote:

This could be considered hair-splitting.

i don’t think it’s hair splitting (my opinion).

i want a qualified and experienced information technology auditor to audit my enterprise.

there seems to be a lack of general knowledge from bankers about what to look for in an IT auditor, and that is obvious from the # of bol posts in the past 12 months that discuss how to find a good IT auditor. while some skills can be present in a CPA and a CISSP or CISA (example), the CISSP and CISA have specific knowledge of the intricacies of technologies that are requisite for achieving the designation.

it is the knowledge of these technologies that separates CISSPs and CISAs from anyone else. sure, someone that does not have a certification may still be able to perform this function well, but how will i know that unless i can refer to a 3rd party professional designation of that person’s abilities.

when my enterprise is audited i want my controls tested to the maximum extent by the most qualified and trained information technology auditor.

Quote:

so I'm not sure why someone with only CPA certification would be a concern to you.

you are right, i am concerned and for a few reasons. i want the hardest, most exhaustive tests performed by the most qualified individuals that can perform those tests. i believe there are more qualified individuals than a CPA to conduct such tests. (remember our local CPA firm was pushing the IT audit on our bank president).

#1 (ego reason) my performance as an IT professional is judged by the results of things like IT audits and fed examinations. fewer bad marks = better performance.

#2 (small picture) the safety and security of my bank’s enterprise is at risk. if there are holes, weaknesses, vulnerabilities – i want to know about them before they are exploited

#3 (big picture) the safety and security of my bank’s IT enterprise is just a cog in a larger machine – and i’m a firm believer in not being the weakest link and contributing to the systemic risk of the national banking system (remember national critical infrastructure)?

i don’t feel like discovering my own vulnerabilities by a party with malicious intent or by the examiners is the way to go. look at what the OCC did to Riggs (or DIDN'T do) –
http://www.washingtonpost.com/wp-dyn/articles/A10984-2004Jun2.html
(sounds to me like regulatory misconduct).

anyway, i found my IT auditor and we’re in the process of engaging them.

thx to all.

techgurl

#187758 - 06/03/04 04:26 PM Re: Information Technology Auditing
Anonymous
Unregistered

Quote:

... we are all in agreement that both CPA firms and non-CPA firms offer varying risk assessment solutions.

techgurl,

As I stated previously, bankers who are seeking technology risk assessments and information security and/or privacy reviews have to weigh many factors which will help to determine in which direction they choose to go in the selection of a third-party provider.

Wayne has posted some very useful information pertaining to the importance of standards (read...ethics), and it is also critical to adhere to your regulator's third-party requirements. Andy has provided links to BOL material that you can use in a self assessment. When you select this third party, are you honestly doing the FFIEC (booklets) minimum due diligence to know whether this consultant/IT auditor is financially viable and legitimate? For example, do you even ask for CISA certification numbers of those assigned?

The marketplace is filled with many who represent themselves as IT auditors, consultants, information security experts, etc., who claim to conduct "comprehensive penetration testing". In truth, they move the car out of their garage, or sit in their kitchen or basement, and play a home-made random "war dialer", then claim that an "exhaustive penetration test" was performed. Since most CPAs, as Wayne and Jokerman alluded to, also possess the CISA, my point was that it is sometimes safer to locate a firm that readily adheres to the FFIEC's third-party due diligence issues, that exudes trust and integrity, and whose final deliverable will be a well-written report that is Boardworthy and examinerworthy.

You select what fits best in your gut.

You have to go in the direction that your gut takes you, and the best of luck is wished to you.
