IT Audit & The Value to IT Ops

Proposed By
Biniam Debrazion
Number of Attendees
16
Notes

- Audience introductions: attendees from SHC, SLAC, UIT, OCRO, etc.

- IT Audit Team introduction and composition per slide.

- OCRO leadership introduction per slide.

- OCRO's mission: independent set of eyes to provide advisory and audit services to partners across all Stanford affiliates.

- Three lines of Defense Model:

  • 1st: Management Controls, Internal Control Measures
  • 2nd: Financial Controls, Risk Management, Security, etc.
  • 3rd: Internal Audit

- Clients Universe per slide

- Example of IT Risks and Projects Performed in the past to address these risks

  • Expansion on the "Social Media Project" as an example: worked with seven schools to set social media governance guidance and proposed forming a governance body to oversee the management of social media. The main client was University Communication, seeking guiding principles for social media practice and management in order to manage potential risks.

- How is a project (audit/advisory) determined?

  • Industry emerging IT risks
  • ERM/CMCC process
  • Stanford/Business/IT initiatives
  • Stanford Management inputs

In addition to the annual audit plan, unplanned requests and projects often come in throughout the fiscal year.

- Approach:

  • Identify: IT risks to the business -> determine the assessment framework
  • Assess: against the framework determined above
  • Assist: evaluate the three elements involved in each identified risk: people, process and technology

- Q&As:

Q1: Pediatrics. A departmental compliance audit used to happen years ago; is it still happening?

A1: We still do compliance audits; the Department of Pediatrics may not have reached the risk threshold to be on our radar yet. If there is risk, we can go in and perform an audit.

Q2: How do you avoid disturbing the client's normal workload during an audit?

A2: We try to keep a balance and be cognizant of the client's normal workload. We plan ahead, work around the client's work schedule, and work with the clients to make sure audits do not disturb normal business operations.

Q3: What types of audits do we perform in the IT arena?

A3: More from the IT processes and controls perspective than the financial expenditures that occurred in the IT departments. We look at security, privacy, etc., across people, process and technology. Take R&DE as an example: we reviewed the Revel POS system, who is making changes to the system, what the processes are, what risks are associated with these processes, and what controls address these risks.

Q4: What are the generic recommendations for people on how best to design processes and controls?

A4: Think about who is involved in the processes and what the risks are; from a data perspective, think about inputs and outputs. For security, there are the MinSec standards. Depending on what the process is and what the data is, there are different regulations and guidelines to assist with the design.

Q5: Are you involved in projects that have multiple stakeholders?

A5: Currently we are working on a project called Access to Enterprise Data in a Decentralized Environment. There are various data owners and system owners involved, all of whom are stakeholders of enterprise data. Our approach was to select a number of key business units to interview and perform fieldwork at. Similarly, multiple schools were involved in the social media audit.

Q6: How do you choose one project over another?

A6: We need to prioritize projects based on the risks, the value to clients, and resource availability.

Q7: Once a recommendation is provided, how do you follow up on action plans/recommendations? What happens if actions are not completed?

A7: Typically we do quarterly follow-ups based on agreed-upon completion dates. Sometimes we follow up more often based on the client's preference and needs. If action plans are past due over a certain period of time (e.g. a year), we need to obtain an explanation for the past-due item and report it to the audit committee. Nowadays we have moved away from providing recommendations; rather, we let management take ownership and come up with their own action plans.

Q8: Any audits you do on the enterprise campus solutions?

A8: We focus more on the Oracle financial audits as a department. Although we don't currently have an audit focusing on Campus Solutions specifically, we do consider student data in various audits.


Q9: Do you review a process rather than a product?

A9: Correct. We don't do product code reviews. However, we do review system implementations (pre- or post-implementation).

Q10: Do you have a webpage to share best practices? How do you share best practices across departments?

A10: We do have our website, but best practices are not posted there. This is a good idea and we will look into it. We engage in discussions among departments to promote best practices across departments.

For any further questions, please contact Biniam Debrezion, IT Audit Manager, biniamd@stanford.edu

Year
2019