2019 VLGAA Conference: Audit Considerations for Personally Identifiable Information and Cybersecurity
May 20, 2019
In 1988, the Virginia Local Government Auditors Association (VLGAA) started as a small group of local Virginia government auditors who shared methods and common experiences during audits. Over the years, this small group has developed into a formal organization with over 100 members statewide. The 2019 VLGAA Spring Conference continued this tradition of shared learning by enlisting speakers from a variety of backgrounds, including SC&H Group, the City of Chesapeake Audit Services Department, Guidehouse, and the City of Virginia Beach.
The range of topics included a summary of changes to the Yellow Book Government Auditing Standards, Performing a Value-Added IT Audit, and Energy Audits. In addition, SC&H had the opportunity to present on auditing considerations for Personally Identifiable Information (PII) and Cybersecurity. For additional information on these topics, refer to our previous blog posts Managing the Protection of Personally Identifiable Information and Don’t Let the Next Cyberattack Be Yours.
Topics of Interest
Government Auditing Standards – Yellow Book Changes
Presented by Jay Poole, City Auditor, City of Chesapeake
- New Format and Organization: The Government Accountability Office (GAO) reorganized and realigned the Yellow Book chapters to better differentiate requirements from application guidance. This allows audit practitioners to more clearly understand Yellow Book aspects that they must comply with versus those they should consider as guidance. Required components are now clearly distinguished by a “black box” around the associated language.
- Ethics, Independence, and Professional Judgement: These topics, contained within Chapter 3, have been updated to clarify the independence expectations of internal auditors. These requirements focus on:
  - Independence of Mind (Yellow Book 3.21.a), which allows the auditor to conduct an engagement without compromising their professional judgement
  - Independence of Appearance (Yellow Book 3.21.b), which allows a reasonable third party to conclude that the integrity, objectivity, or professional skepticism of an audit organization/team has not been compromised
  - Reevaluation of threats to independence whenever the audit organization becomes aware of new information or changes in facts and circumstances (Yellow Book 3.28)
- Fieldwork Standards for Performance Audits: Chapter 8 of the Yellow Book includes the updated requirement 8.04, which states that “Auditors must plan the audit to reduce audit risk to an acceptably low level.” Section 8.16 defines audit risk as “the possibility that the auditors’ findings, conclusions, recommendations, or assurance may be improper or incomplete as a result of factors such as evidence that is not sufficient or appropriate, an inadequate audit process, or intentional omissions or misleading information because of misrepresentation or fraud.” Meeting this requirement is best accomplished through diligent, well-documented planning procedures conducted by a competent audit team in accordance with Yellow Book guidance. Documentation is key to supporting that appropriate procedures were taken to reduce audit risk in a performance audit.
Basics to Performing Value-added Information Technology (IT) Audits
Presented by Edwin Caron, Management Consultant, Guidehouse
- Defining a “Value-Added” IT Audit: This portion of the presentation defined what is considered “value-added”. In summary, “value-added” is subjective and varies by organization, based on what the organization is seeking from an IT audit. Auditors add value to organizations through an independent and objective analysis of control activities. The goal of the analysis is to improve the control and governance processes that support the organization’s strategies and objectives. To add value, the auditor should implement a risk-based approach, which helps the auditor focus on specific areas of concern or areas considered at risk and reduces unnecessary review of areas that may not pose a significant threat to the organization. A risk-based approach is built on a formal risk assessment methodology that helps determine why a specific process area should be audited. For IT audits specifically, some key questions to answer during the IT risk assessment phase are:
  - Does the system have frequent issues?
  - How sensitive is the data within the system?
  - What are some of the common or inherited controls associated with the process?
- Defining the IT Audit Universe: Based on the risk assessment, a determination of what should be audited is developed. The audit plan contains an inventory of specific audit areas in one centralized location. The audit plan may include focus areas such as:
  - IT Governance: Policies and procedures, IT strategic plan
  - Operations: Data centers, configuration of IT devices, system backups
  - Third-Party Service Providers: Cloud service providers, consultants, telecommunications
  - Applications: Business software, micro-systems (e.g., Excel spreadsheets and personal databases)
  - Mobile: Cell phones, tablets
  - Security: Security awareness, physical and logical security
  - Risk Management: Mitigation measures, risk assessment
  - Data: Quality, classification, database administration, data protection
In summary, to add value to IT audits, a risk-based approach should be taken that helps determine the priorities of audit areas. These audit areas are linked to critical risks associated with specific business objectives and processes, which in turn helps prioritize the risks.
Overall, the 2019 VLGAA Conference included information sessions that provided valuable auditing strategies and updates on authoritative guidance. Each of these sessions reminded attendees of the importance of protecting Virginia’s data and services, and SC&H was proud to contribute as a presenter.