1) Oversight of DoD Cybersecurity and Cyberspace Operations: A look at What That Means and Its Impact in Today’s Changing Threat Landscape
The DoD spends billions of dollars annually on information technology, cybersecurity, and cyberspace operations. Cybersecurity is essential to the DoD and all facets of today's society in terms of our ability to do almost anything—get money out of an ATM, drive a car, fly a plane, or command and control our military forces. The DoD Office of Inspector General (DoD OIG) plays a critical role in providing oversight to the DoD's increasing reliance on cyberspace to meet mission requirements. This body of work supports the Department, and those responsible for securing systems, networks, data, and weapon systems to decrease the risk of missions and operations being compromised by malicious actors. The DoD OIG is responsible for providing independent oversight of Government programs and operations to detect and deter fraud, waste, and abuse in agency programs and operations, and promote the economy, efficiency, and effectiveness of the agency. This presentation provides insight about the DoD OIG’s oversight of the DoD's cybersecurity posture, use of cyberspace operations, and the impact our oversight has on national security.
2) Government Accountability Office’s (GAO) Assessing Data Reliability Framework
GAO’s recent guidance, Assessing Data Reliability (GAO-20-283G), outlines a process for determining whether data are sufficiently accurate and complete for the purposes of a specific audit. The guidance emphasizes making use of existing information, maximizing professional judgment, and involving the appropriate people, including management and stakeholders in key decisions. The GAO - Applied Research and Methods Team (Michele Fejfar and Kirsten Lauber) will give an overview of the process covered by the recently revised guidance to include consideration of whether and when to conduct an assessment, the extent of the assessment, possible steps to take, and the possible outcomes. The GAO - Applied Research and Methods Team will also cover additional considerations such as the kinds and levels of data covered, how data reliability is defined in an audit environment, how information system controls may be incorporated, and the timing and documentation of the assessment.
3) Securities and Exchange Commission’s (SEC) Information Technology Audit Program
The presentation will discuss the U.S. Securities and Exchange Commission's Office of Inspector General's efforts over the last five years establishing (as a smaller OIG) its Information Technology audit program. Specifically, Kelli Brown-Barnes plans to discuss some of the challenges the SEC faced with staffing, contracting, interactions with the agency, and similar issues. Further, Ms. Brown-Barnes will discuss lessons learned while working through the challenges the SEC faced while developing the program. Also, Ms. Brown-Barnes will highlight some key accomplishments made by the office, including how the SEC planned and performed a multi-year portfolio of audits and evaluations related to IT programs and operations and IT security. Additionally, Ms. Brown-Barnes will discuss how our work has recognized Information Security as an agency management and performance challenge area. Lastly, Ms. Brown-Barnes will close with a description of our vision for 2020 and beyond.
4) Cooperative Compliance, Enhancing Cybersecurity Foundational Minimums
Cybersecurity policies meant to protect sensitive information are often misunderstood, avoided, or circumvented by employees. Employees don’t like to be inconvenienced by the extra steps necessary for protection that to them seem unnecessary. This can be compounded by a complex cybersecurity environment with multiple competing standards that seem similar but have unique approaches, naming conventions, and acronyms. Nat Bongiovanni will discuss how to solve these challenges by creating cooperative compliance. Cooperative compliance starts by understanding the entire risk environment based on the NIST SP 800-171 Framework, a foundational minimum for confidentiality and integrity.
5) The Role of IT Auditors in an Integrated Financial Statement Audit
IT auditors are an integral part of a financial statement audit, and the audit risks inefficiency and ineffectiveness when they are siloed from financial auditors. IT auditors should be involved in all phases of the audit, including planning, internal control, testing, and reporting. The session will cover a financial statement audit using an integrated approach in which IT auditors are in lockstep with the financial auditors, addressing practical ways to cut down barriers, set expectations with auditees, and the related benefits.
6) Taxonomy for IT Risk Management
We often hear IT auditors talk about 'connecting the dots' and 'having a holistic picture' of risk, but they often lack a practical way to do so. Having a common risk language, or taxonomy, in place may not only help IT auditors consistently define and identify risks, but also aggregate them across the organization. The presentation provides insight into what a taxonomy is, its purpose, and its value add for an IT audit. The presentation will also highlight leading practices for optimizing the development and use of a taxonomy, as well as some common pitfalls.
7) How FINRA Internal Audit is using Tableau to Audit
This presentation illustrates how the Audit Team is using Data Analytics in Planning, Fieldwork, and Consulting projects. The visualization brings the auditors closer to the data and gives them control over the analytics that they use in their projects. As part of this presentation, we will also discuss the approach and development of the visualizations; using live demos, we will show you how the audit team uses the complex visualizations to understand the business, pick samples, and draw conclusions on the business processes.