Using COBiT For Sarbanes Oxley. Japan, November 18th 2006. Gary A Bannister


2 Who Am I & What I Do?
- I am an accountant with 28 years' experience working in various international control & IT roles.
- I am British and resident in the US.
- I speak 4 languages, but unfortunately not Japanese.
- I was involved in the implementation of the BP SOX program in 2004 & 2005 and was instrumental in the implementation of COBiT version 3 and compliance processes.

3 AGENDA
- Some context about compliance
- Sarbanes Oxley: differences in Japan & other countries
- The BP process in SOX: using COBiT, selection & mapping
- BP gap analysis & remediation criteria
- Key learnings & some tips for you

4 Sarbanes-Oxley (SOX) Act Highlights
- Established the Public Company Accounting Oversight Board (PCAOB) and gave it broad powers to oversee the public accounting firms
- Introduced new limitations on auditors, including mandatory partner rotation and limits on services
- Requires new disclosure controls that inform corporate officers of material information during the reporting period

5 Sarbanes Oxley: Two Key Sections
- Sec 302: Financial Reporting
- Sec 404: Internal Controls

6 SOX 404
Requires management to include an internal control report in each SEC filing that:
- states the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and
- contains an assessment, as of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures.
Requires an audit of management's report on internal controls.

7 SOX Effect on Other Countries
- SOX-style legislation is coming to Japan, Canada, South Africa & Europe.
- COBiT & COSO I frameworks become more important in documenting and testing the effectiveness of internal controls.
- Some differences: external auditors are NOT required to attest to management's attestation on internal controls in Canada.

8 Relationships Between IT & Business
Layers (top to bottom): Business Processes > Applications > Data/DBMS > Platforms > Networks > Physical
- Financial & business teams review manual and automated business process controls.
- The Application Manager and IT SOX perform Application General Controls and Application Security reviews.
- The Data Center Operations Manager and IT SOX evaluate the supporting infrastructure for all financial applications as part of the IT General Controls review.
- An effective automated business process control requires effectively operating IT controls.

9-13 Overview of the ICE/DCT SOX Program
Five phases: Agree Processes & Applications > Evaluate/Document > Prioritise Gaps, agree Timeline > Remediate Gaps > Monitoring/Reporting (Operate)

Agree processes & applications (Finance decisions on scope):
- Agree in-scope processes
- Identify supporting applications
- Agree control framework
- Agree gap prioritisation process
- Agree remediation timetable
- Agree financial control monitoring & compliance process

Evaluate/Document: 4 workstreams, evaluated in batches
- Application Business Controls
- Application General Controls (IT owns & implements)
- Application Security Review
- IT General Controls
Scope: 100 applications + 10 data centres

Prioritise gaps, agree timeline: identified COBIT gaps ranked Tier 1 to Tier 4; filter gaps, challenge gaps, integrate with IT plans.

Remediate gaps: IT own, fund and deliver the plan; IT Central (data centres); IT segments & functions (applications).

Monitoring/Reporting (Operate): process embedded across IT; repeatable annual process; staff trained; internal resource.

Outputs by phase: group-wide integrated plan; documented CETs & gaps; prioritised set of gaps & timeline; gaps remediated by IT; IT owns the on-going process; IT progress reporting.

14 Why COBiT: How was COBiT chosen?
Control systems considered: COBIT, ISO, ITIL (Information Technology Infrastructure Library).
Assessment criteria used:
- Control needs of SOX: consistency with the general and application control needs of SOX. COBiT is more comprehensive.
- Extent of use outside BP: the use of each system by other companies for this purpose.

15 Why COBIT (chart): frameworks plotted by how detailed they are (low / medium / high, vertical axis) against breadth of IT control coverage (low / medium / high, horizontal axis). ITIL, ISO and COBIT sit in the high-detail band, in that order from left to right; COSO and Turnbull sit in the low-detail band.


19 CobiT v3 Overview, July. IT processes shown in red on the original diagram are part of the DCT SOX Control Framework [12 control processes, 68 control activities]. The four COBiT domains and their processes, arranged around the hub "Information and IT Systems":
Planning and Organization: Define the IT Plan; Define the Information Architecture; Define the Technology Direction; Define the Organization and Relationships; Manage the IT Investment; Communicate Management Aims; Manage HR; Ensure Compliance with External Requirements; Assess Risks; Manage Projects; Manage Quality.
Acquisition and Implementation: Identify Solutions; Acquire (Develop) and Maintain Application Software; Acquire and Maintain Technology Infrastructure; Develop & Maintain Procedures; Install and Accredit Systems; Manage Changes.
Delivery and Support: Define Service Levels; Manage Third Party Services; Manage Performance and Capacity; Ensure Continuous Service; Ensure System Security; Identify and Attribute Costs; Educate and Train Users; Assist and Advise IT Customers; Manage the Configuration; Manage Problems and Incidents; Manage Data; Manage Facilities; Manage Operations.
Monitoring: Monitor the Process; Assess Internal Control Adequacy; Obtain Independent Assurance; Provide for Independent Audit.

20 CobiT v4 Overview, August 2006. Amendments for compliance: business as usual. IT processes shown in red on the original diagram are part of the DCT Compliance Control Framework [11 control processes, 32 control activities]. The four domains, arranged around the hub "Information and IT Systems":
Planning and Organization: Define the IT Plan; Define the Information Architecture; Define the Technology Direction; Define the IT Processes, Organization and Relationships; Manage the IT Investment; Communicate Management Aims; Manage HR; Manage Quality; Assess & Manage IT Risks; Manage Projects.
Acquisition and Implementation: Identify Automated Solutions; Acquire (Develop) and Maintain Application Software; Acquire and Maintain Technology Infrastructure; Enable Operations & Use; Procure IT Resources; Manage Changes; Install and Accredit Systems.
Delivery and Support: Define Service Levels; Manage Third Party Services; Manage Performance and Capacity; Ensure Continuous Service; Ensure System Security; Identify and Allocate Costs; Educate and Train Users; Manage Service Desk & Incidents; Manage the Configuration; Manage Problems; Manage Data; Manage Physical Environment; Manage Operations.
Monitor and Evaluate: Monitor & Evaluate IT Performance; Monitor & Evaluate Internal Control; Ensure Regulatory Compliance; Provide IT Governance.

21 IT Risk Analysis Criteria (Filter Activity)
Input: identified BP COBIT gaps.
- 1st filter: COBIT summary rank at Control Process (CP) level (COBIT gap criteria, control process level)
- 2nd filter: COBIT detailed ranking at Control Objective (CO) level (COBIT gap criteria, control objective level)
- 3rd filter: ICE financial tier rankings (Tier 1 to Tier 4)
- 4th filter: additional business info (global vs. local, prior audit, e-learning suitability, etc.)
Output: a prioritised set of Sarbanes Oxley gaps.

22-25 Key Gap Prioritization Explained
1) COBIT summary rank at CP level and 2) COBIT detailed ranking at CO level: identified COBIT gaps are mapped to Tier 1 to Tier 4.
Effectiveness: the degree to which the Control Objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, costs and effort. [COBiT On-line]
Colour coding:
- VH (Very High): COBIT HIGH split out for AI6 & DS5 (Change Management & Ensure System Security). Maps to ICE Tier 1.
- H (High): the remaining COBIT reds. Maps to ICE Tier 2.
- M (Medium): as per COBIT. Maps to ICE Tier 3.
- L (Low): as per COBIT. Maps to ICE Tier 4.
- N (No gap): rank 0.
The ranks map to the BP risk convention.
3) ICE financial tier rankings and 4) additional business info
Financial criteria map one-to-one with the COBIT ranking:
- Tier One: >= $100m (COBiT Very High)
- Tier Two: $20m to $100m (COBiT High)
- Tier Three: $1m to $20m (COBiT Medium)
- Tier Four: < $1m (COBiT Low)
Other criteria, example: application $ throughput
- Very High: > $1b
- High: $250m to $1b
- Medium: $100m to $250m
- Low: < $100m


27 Key Learnings & Some Tips For You
- Do not use COSO alone; it is not detailed enough for IT.
- ISO is NOT ENOUGH. It does not cover well the following: data management; third party processes; IT delivery & support operations; audit & governance issues; software & hardware development controls; segregation of duties.
- Consult & agree your framework with your external auditors before you implement your program.
- Do not select too many COBiT control objectives and control practices. Simplify & simplify.
- Concentrate on key IT control deficiencies that are high or critical risk: change management issues; access controls & segregation of duties; some data management issues like backups & storage.
- Include your IT applications (e.g. SAP) with your business process documentation. Why? Most of your business controls are defined by your systems and applications.

28 Key Learnings & Tips continued
- Do not test too many applications & processes; take a risk & business impact approach.
- Look out for spreadsheets. Errors in relatively simple spreadsheets can result in potentially material misstatements in financial results. Their best feature, flexibility, is also their worst.
- Use the PricewaterhouseCoopers five-step process: inventory spreadsheets; evaluate use and complexity; determine the level of controls; evaluate existing controls; develop remediation.

29 Key Learnings & Tips continued
- Use frameworks like COSO & COBiT as benchmarks; they don't give you the answers or the specific controls, only the templates. Tailor them to your company's needs.
- Beware e-mail, e.g. spreadsheets e-mailed to controllers for consolidation: a potential security & storage issue.
- Beware use of compliance tools/software. It is still not a mature market.
- Consider how you will administer third parties & outsourced partners.
- Assign accountabilities for each business & IT process (e.g. Order to Pay for business & Change Management for IT). Note: segregation of duties is a business accountability but is facilitated by IT.


31 Thank you


33 What Role Does IT Play?
- Infrastructure
- Application controls
- Business partner to ensure controls are operating effectively across the organization
- New applications

34 Process vs. Control
Control objective: user access to the network is appropriately assigned.
Example of a process: management reviews user access on a monthly basis.
Example of a control: management reviews and signs off on a monthly report of user accounts and roles to ensure appropriateness and accuracy.

35 A New Internal Control Paradigm: PCAOB Guidance, Examples of Documentation
Documentation that provides reasonable support for management's assessment of the effectiveness of internal control over financial reporting covers:
- the design of controls over relevant assertions related to all significant accounts and disclosures in the financial statements,
- information about how significant transactions are initiated, recorded, processed, and reported,
- enough information about the flow of transactions to identify where material misstatements due to error or fraud could occur,
- controls designed to prevent or detect fraud,
- controls over the period-end financial reporting process,
- controls over safeguarding of assets, and
- the results of management's testing and evaluation.

36 Identification of Control Points
Definition of a control point:
1. an action within a process where the key data changes form;
2. a handoff between individuals or programs within a process; or
3. a handoff between software applications.

37 Control Type Categories
Identifying the control types may reveal an over-reliance on a particular type of control or an absence of a key control type:
- Policies & Procedures
- Authorization Controls
- Key Performance Indicators
- Management Review
- Detailed (Data Comparison)
- Reconciliation
- Segregation of Duties
- System Access
- Automated Exception Report

38 Control Categories - Definitions
Policies & Procedures: Policy and procedure control documentation is often needed where adherence to standard policies and procedures is directly linked to the effectiveness of the control, especially where control procedures cross organizational or geographic boundaries. Policy and procedure related controls generally include formal written documents that have been recently updated and are both accessible to and used by the individuals involved in executing the control activities documented.
Authorization Controls: Approval of transactions executed in accordance with authority as set by senior management's general or specific policies and procedures.
Key Performance Indicators: Key performance indicators are financial and non-financial quantitative measurements that are collected by the entity, either continuously or periodically, and used by management to evaluate the extent of progress toward meeting the entity's defined objectives. For key performance indicators to be an effective control, they must have a level of precision that enables detection of errors.

39 Control Categories - Definitions
Management Review: A management review is a review conducted by someone other than the preparer of the transaction or journal entry, who analyses and oversees the activities performed. In many instances it will be a manager reviewing the work of a subordinate, but it is not limited to this; it may include co-workers reviewing each other's work.
Detailed: A detailed control activity consists of a comparison between two sets of data in which the individual components of the data are compared. It can be either a detailed manual control, when the comparison is performed by humans, or a detailed automated control, when the activity is performed by a system.
Reconciliation: A reconciliation is a control designed to check whether two sums match and to identify the differences between the two sums. It does not involve comparing the information in two different sets of data on an item-by-item basis.

40 Control Categories - Definitions
Segregation of Duties: Segregation of duties is the separation of the duties and responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets, to prevent individuals from being in a position to both perpetrate and conceal an error or irregularity.
System Access: System access means the access rights that individual users or groups of users have within a computer information system processing environment, as determined and defined by the configuration of the system.
Automated Exception Reports: An exception report control shows a violation of a set standard to a responsible party, who follows up and resolves the item.

41 General IT Controls

42 Examples of General IT Controls
Information Security:
- Management philosophy & policy
- Logical security over the operating system
- Logical security over data
- Security within applications
- Systems administration & the use of privileged accounts
- Physical security
- Network/dial-up access
- External network connections

43 Computer Operations
- Service level agreements
- Problem management
- Business continuity
- Network management
- Operational performance & data centre environment
- Scheduling, preparing & running batch processes
- Backup & recovery
- Upgrades to system software

44 Development & Implementation
- Requirements definition
- Design & build of in-house systems, or package selection
- Unit, system & user testing
- Data conversion
- Go-live decision
- Documentation & training

45 Program Change Control
- Management of maintenance activities
- Specification, authorization & tracking of change requests
- Unit, system & user testing
- Authorization of transfers to the live environment
- Updating technical & user documentation & training
- Database administration

46 Relationship Between General IT & Application Controls
- General IT controls contribute to the effectiveness of application controls.
- General controls do not provide direct coverage of application control objectives (e.g. completeness, accuracy, validity, restricted access).
- When designing & relying on application controls, the strength of the underlying general controls needs to be considered.

47 Relationship Between General IT & Application Controls
General controls ensure that the overall IT environment is well controlled:
- The IT organization meets its intended purposes & there is proper management control over IT.
- Physical & logical security is correctly implemented & maintained.
- New apps & changes to existing apps are properly authorized.
Application controls ensure that computer applications process as intended:
- Business processes may be enabled by one or more applications.
- Many common applications utilize configurable controls.
- Controls to ensure the maintenance of data quality should be considered.

48 Relationship Between General IT & Application Controls
Platform security (IT) & restricted application-level access: Inappropriate access to data libraries at, for example, the UNIX platform level circumvents any good application-level access controls that limit user access to specific transactions.
External network security (IT) & validity controls (application): Weak network security that allows outsiders to access the internal network (e.g. from the internet, dial-up, or third party connections) increases the likelihood that unauthorized individuals will have an opportunity to enter invalid transaction data or standing data.

49 Relationship Between General IT & Application Controls
Backup & recovery (IT) & completeness controls (application): If a full day's transactions are lost due to a system disk crash, then all completed transactions entered that day are lost and must be re-entered the next day, if that is even possible.
Development & implementation (IT) & accuracy controls (application): User acceptance testing performed by business area personnel during the system development lifecycle helps ensure that the necessary accuracy controls built into the application are working as planned prior to production rollout.

50 Relationship Between General IT & Application Controls
Program change control (IT) & accuracy controls (application): Inadequate change control procedures over the application program code could allow programmers to modify the manner in which the application processes a transaction. This could intentionally or unintentionally disable input and/or balancing controls within the application that would identify transaction problems.

51 Relationship Between General IT & Application Controls
Problem management (IT) & completeness controls (application): Inadequate procedures to identify and resolve system problems could result in numerous application transactions being processed incorrectly. For example, if the nightly batch processing was interrupted, good problem management procedures would be required to identify the problem, notify the proper personnel, correct the problem and restart the batch from the prior stopping point.
An application control for accuracy that requires a code to be present on a database is compromised if IT controls don't limit programmers from updating the database.

52 Application Controls

53 Application Controls
Manual and automated controls exist to ensure that information within the business process is:
- complete
- accurate
- valid and authorized
- restricted from unauthorized access
A combination of controls is needed to PREVENT, DETECT and CORRECT processing errors.

54 Application Control Objectives (CAVIAR): Completeness, Accuracy, Validity, Restricted Access

55 Application Controls - Completeness
- All transactions are recorded, input and accepted for processing once and only once.
- All transactions that are input and accepted for processing are updated to the appropriate data file.
- Duplicates are rejected.
- Rejected transactions are evaluated and re-entered.
- Once data is updated to a file, that data remains correct and current on the file and represents balances that exist.

56 Application Controls - Completeness Examples
- Invoice numbering should be system-assigned and sequential.
- Any interfaces to the General Ledger should be complete and accurate.
- When entering account information, all key fields are required to ensure completeness.
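The three completeness examples above, and the distinction drawn on slide 39 between a reconciliation (two sums) and a detailed control (item by item), are easy to confuse until you run both over the same data. The following is an added example, not code from the slide deck or from BP: the invoice register, the GL totals and the interface file are constructed sample data (assumptions) chosen so that each check catches a different defect.

```python
"""Completeness checks over an invoice register and its General Ledger interface.

Added example, not from the slide deck. INVOICES, GL_POSTINGS and
INTERFACE_ROWS are constructed sample data, not real figures.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Invoice:
    number: int     # system-assigned, expected to be sequential
    amount: float
    period: str     # accounting period the invoice should post to


def sequence_exceptions(invoices: Iterable[Invoice]) -> Dict[str, List[int]]:
    """Once-and-only-once: duplicate numbers and gaps in the assigned sequence."""
    counts = Counter(inv.number for inv in invoices)
    present = set(counts)
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    gaps = sorted(set(range(min(present), max(present) + 1)) - present)
    return {"duplicates": duplicates, "gaps": gaps}


def reconcile(invoices: Iterable[Invoice], gl_postings: Dict[str, float]) -> Dict[str, float]:
    """Reconciliation control: compare the two SUMS per period, with no item detail.

    Returns {period: register_total - gl_total} for every period that disagrees.
    """
    register_totals: Dict[str, float] = {}
    for inv in invoices:
        register_totals[inv.period] = round(register_totals.get(inv.period, 0.0) + inv.amount, 2)
    differences: Dict[str, float] = {}
    for period in sorted(set(register_totals) | set(gl_postings)):
        diff = round(register_totals.get(period, 0.0) - gl_postings.get(period, 0.0), 2)
        if diff != 0:
            differences[period] = diff
    return differences


def detailed_comparison(invoices: Iterable[Invoice], interface_rows: Dict[int, float]) -> Dict[str, List[int]]:
    """Detailed control: item-by-item comparison of the register against the interface file."""
    register = {inv.number: inv.amount for inv in invoices}   # keyed by number, so a duplicate collapses
    missing = sorted(n for n in register if n not in interface_rows)
    extra = sorted(n for n in interface_rows if n not in register)
    mismatched = sorted(
        n for n in register
        if n in interface_rows and abs(register[n] - interface_rows[n]) > 0.005
    )
    return {"missing_from_interface": missing, "not_in_register": extra, "amount_mismatch": mismatched}


# Constructed sample data: 1002 was accepted twice, 1004 was never recorded,
# the interface carries 1006 with a different amount, and row 1007 has no source invoice.
INVOICES = [
    Invoice(1001, 100.00, "2006-11"),
    Invoice(1002, 250.50, "2006-11"),
    Invoice(1002, 250.50, "2006-11"),
    Invoice(1003, 75.25, "2006-11"),
    Invoice(1005, 300.00, "2006-12"),
    Invoice(1006, 120.00, "2006-12"),
]
GL_POSTINGS = {"2006-11": 425.75, "2006-12": 420.00}
INTERFACE_ROWS = {1001: 100.00, 1002: 250.50, 1003: 75.25, 1005: 300.00, 1006: 102.00, 1007: 50.00}


def run_checks() -> Dict[str, object]:
    """Bundle the three checks the way a month-end completeness review would."""
    return {
        "sequence": sequence_exceptions(INVOICES),
        "reconciliation": reconcile(INVOICES, GL_POSTINGS),
        "detail": detailed_comparison(INVOICES, INTERFACE_ROWS),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

Note what each check does and does not see: the duplicated invoice 1002 shows up in the sequence check and as a 250.50 difference in the November reconciliation, but the detailed comparison is keyed by invoice number and cannot see it; conversely, December reconciles to the cent even though the interface row for 1006 carries the wrong amount, which only the item-by-item comparison catches. That is why the deck asks for both kinds of control.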

57 Application Controls - Accuracy
- Key data elements are recorded and input to the system accurately through data entry design features.
- Changes to standing data are accurately input.
- All transactions input and accepted for processing update the appropriate file.
- All transactions affect the proper accounting period.
Accuracy controls are evaluated at the data element level.

58 Application Controls - Accuracy Examples
- The SSN data field enforces entry of 9 numeric characters.
- Customer credit limits determine the permitted amount range.
- A business unit is limited to using its own GL accounts.
- A correct zip code is required in the address field.
- Sales can only be entered in the proper accounting period.
- Foreign currency tables are updated daily.

59 Application Controls - Validity
- Transactions are authorized.
- Transactions are not fictitious and they relate to the company.
- Changes to standing data are authorized & reviewed.

60 Application Controls - Validity Examples
- Buyer limits force escalation to a supervisor for additional approval.
- Customers who require non-standard prices require management approval.
- Only the HR manager can approve a new employee to be added, via a special user ID.
- A sales order will not be accepted unless the customer number is present on the customer master file.
- To achieve appropriate segregation of duties, no one user has the ability to: a) update/create a vendor in the vendor master file; b) enter new invoices; c) select invoices for payment.
- Rate tables are maintained only by authorized users.
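The segregation-of-duties rule in the list above (and the definition on slide 40) is usually enforced at the role level, where the conflict can hide in one over-broad role or arise only from the combination of two individually harmless roles. The following is an added example, not code from the slide deck or from any application: the role names, the role-to-function mapping and the users are constructed assumptions. It applies the stricter reading of the rule, flagging any two of the three functions held together rather than only all three.

```python
"""Segregation-of-duties check over application role assignments.

Added example, not from the slide deck. ROLE_FUNCTIONS and USER_ROLES are
constructed assumptions standing in for an application's role export.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Assumed mapping from application roles to the business functions they grant.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "AP_VENDOR_MAINT": {"vendor_master_update"},
    "AP_INVOICE_ENTRY": {"invoice_entry"},
    "AP_PAYMENT_RUN": {"payment_selection"},
    "AP_SUPER": {"vendor_master_update", "invoice_entry", "payment_selection"},
    "AP_VIEW": {"invoice_view"},
}

# The three functions slide 60 says no single user may combine; any pair is a conflict here.
SOD_FUNCTIONS = ("vendor_master_update", "invoice_entry", "payment_selection")
CONFLICTING_PAIRS = {frozenset(pair) for pair in combinations(SOD_FUNCTIONS, 2)}


def effective_functions(roles: List[str]) -> Set[str]:
    """Union of the functions granted by every role the user holds (unknown roles grant nothing)."""
    functions: Set[str] = set()
    for role in roles:
        functions |= ROLE_FUNCTIONS.get(role, set())
    return functions


def sod_conflicts(user_roles: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Users holding a conflicting pair of functions, through one role or several.

    Returns {user: [(function_a, function_b), ...]}; users with no conflict are omitted.
    """
    report: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in user_roles.items():
        functions = effective_functions(roles)
        hits = [pair for pair in combinations(sorted(functions), 2) if frozenset(pair) in CONFLICTING_PAIRS]
        if hits:
            report[user] = hits
    return report


def role_conflicts() -> List[str]:
    """Roles that conflict on their own: nobody can hold them without breaching the rule."""
    return sorted(role for role in ROLE_FUNCTIONS if sod_conflicts({"_": [role]}))


# Constructed sample: the conflict for bob comes from combining two roles,
# the one for carol is built into a single role.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["AP_INVOICE_ENTRY", "AP_VIEW"],
    "bob": ["AP_VENDOR_MAINT", "AP_PAYMENT_RUN"],
    "carol": ["AP_SUPER"],
    "dave": ["AP_PAYMENT_RUN"],
}


if __name__ == "__main__":
    print("roles that conflict by design:", role_conflicts())
    for user, pairs in sod_conflicts(USER_ROLES).items():
        print(user, pairs)
```

The role_conflicts pass is the one worth running first: an over-broad role such as AP_SUPER cannot be fixed by reassigning users, only by splitting the role, which is the "business accountability, facilitated by IT" point made on slide 29.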

61 Application Controls - Restricted Access
- Protect against unauthorized amendments of data.
- Ensure confidentiality of data.
- Protect physical assets such as cash and inventory from theft or misuse.

62 Application Controls - Restricted Access Examples
- A periodic review of users on the system is performed to ensure users have access only to those functions and data required to perform their job functions.
- IT personnel are granted only temporary access to production data.
- Sales teams have the ability to view all of their accounts and current opportunities.
- Pending contracts are restricted from all but the legal department once terms are set.
- The system controls user access by function.
- User access forms are completed, appropriately approved & submitted to the Security Administrator.
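The first two examples above, together with the monthly sign-off control on slide 34 and the "automated exception report" type on slide 40, come down to one recurring job: produce the list of accounts a manager has to act on, rather than a list of all accounts to read. The following is an added example, not code from the slide deck or from any product: the HR roster, the approved roles per job function and the accounts are constructed assumptions.

```python
"""Periodic user access review producing an exception report for management sign-off.

Added example, not from the slide deck. HR_ROSTER, APPROVED_ROLES and ACCOUNTS
are constructed assumptions standing in for an HR feed and a system user export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    user_id: str
    roles: List[str]
    last_login: Optional[date]
    prod_access_expires: Optional[date] = None   # set only for IT temporary production access


# Assumed HR feed: job function and employment status per person.
HR_ROSTER: Dict[str, Tuple[str, str]] = {
    "alice": ("Accounts Payable", "active"),
    "bob": ("Sales", "active"),
    "carol": ("IT Support", "active"),
    "erin": ("Accounts Payable", "terminated"),
}

# Assumed role model: the roles each job function is allowed to hold.
APPROVED_ROLES: Dict[str, Set[str]] = {
    "Accounts Payable": {"AP_INVOICE_ENTRY", "AP_VIEW"},
    "Sales": {"SALES_VIEW"},
    "IT Support": {"PROD_READ"},
}

Finding = Tuple[str, str, str]   # (user_id, exception code, detail)


def access_review(accounts: List[Account], roster: Dict[str, Tuple[str, str]],
                  approved: Dict[str, Set[str]], as_of: date, dormant_days: int = 90) -> List[Finding]:
    """Return only the accounts that violate a standard; clean accounts produce nothing."""
    findings: List[Finding] = []
    for acc in accounts:
        function, status = roster.get(acc.user_id, ("", "not in HR"))
        if status != "active":
            # The account exists but the person does not: revoke it, no point reviewing roles.
            findings.append((acc.user_id, "ORPHAN_ACCOUNT", status))
            continue
        unapproved = sorted(set(acc.roles) - approved.get(function, set()))
        if unapproved:
            findings.append((acc.user_id, "ROLE_NOT_APPROVED_FOR_FUNCTION", ",".join(unapproved)))
        if acc.prod_access_expires is not None and acc.prod_access_expires < as_of:
            findings.append((acc.user_id, "TEMP_PROD_ACCESS_EXPIRED", acc.prod_access_expires.isoformat()))
        if acc.last_login is None or (as_of - acc.last_login).days > dormant_days:
            findings.append((acc.user_id, "DORMANT", "never" if acc.last_login is None else acc.last_login.isoformat()))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count of findings per exception code, for the cover sheet the reviewer signs."""
    counts: Dict[str, int] = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


# Constructed sample user export as at the review date.
ACCOUNTS = [
    Account("alice", ["AP_INVOICE_ENTRY", "AP_VIEW"], date(2006, 11, 15)),
    Account("bob", ["SALES_VIEW", "AP_PAYMENT_RUN"], date(2006, 6, 1)),
    Account("carol", ["PROD_READ"], date(2006, 11, 10), prod_access_expires=date(2006, 10, 31)),
    Account("erin", ["AP_INVOICE_ENTRY"], date(2006, 9, 30)),
    Account("frank", ["AP_VIEW"], None),
]
REVIEW_DATE = date(2006, 11, 18)


def monthly_report() -> List[Finding]:
    return access_review(ACCOUNTS, HR_ROSTER, APPROVED_ROLES, REVIEW_DATE)


if __name__ == "__main__":
    for user_id, code, detail in monthly_report():
        print(f"{user_id:8} {code:32} {detail}")
    print(summarise(monthly_report()))
```

The report deliberately stops at the orphan finding for a terminated or unknown person: the control's disposition there is revocation, and listing role detail for an account that should not exist only adds noise to what the manager signs. Precision of this kind is what makes the sign-off a control rather than a process, in the terms of slide 34.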


More information

Practical Guidance for Auditing IT General Controls. September 2, 2009

Practical Guidance for Auditing IT General Controls. September 2, 2009 Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income

More information

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office.

GAO. Standards for Internal Control in the Federal Government. Internal Control. United States General Accounting Office. GAO United States General Accounting Office Internal Control November 1999 Standards for Internal Control in the Federal Government GAO/AIMD-00-21.3.1 Foreword Federal policymakers and program managers

More information

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06]

[RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] SECURITIES AND EXCHANGE COMMISSION 17 CFR PART 241 [RELEASE NOS. 33-8810; 34-55929; FR-77; File No. S7-24-06] Commission Guidance Regarding Management s Report on Internal Control Over Financial Reporting

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

WHITE PAPER. Sarbanes - Oxley Section 404: How BMC Software Solutions Address General IT Control Requirements

WHITE PAPER. Sarbanes - Oxley Section 404: How BMC Software Solutions Address General IT Control Requirements WHITE PAPER Sarbanes - Oxley Section 404: How BMC Software Solutions Address General IT Control Requirements TABLE OF CONTENTS Executive Summary 2 Sarbanes-Oxley Section 404 Internal Controls 3 IT Involvement

More information

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* July 2004 *connectedthinking The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act Introduction

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

Navigating the Standards for Information Technology Controls

Navigating the Standards for Information Technology Controls Navigating the Standards for Information Technology Controls By Joseph B. O Donnell and Yigal Rechtman JULY 2005 - Pervasive use of computers, along with recent legislation such as the Sarbanes- Oxley

More information

Compliance and Ethics at the Federal Reserve Bank of New York

Compliance and Ethics at the Federal Reserve Bank of New York Compliance and Ethics at the Federal Reserve Bank of New York Operational Risk and Internal Audit Course Marina Adams, Compliance Officer and AVP David K. Clune, Compliance and Ethics Officer Kevin White,

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset

Asset Manager Guide to SAS 70. Issue Date: October 7, 2007. Asset Asset Manager Guide to SAS 70 Issue Date: October 7, 2007 Asset Management Group A s s e t M a n a g e r G u i d e SAS 70 Table of Contents Executive Summary...3 Overview and Current Landscape...3 Service

More information

G24 - SAS 70 Practices and Developments Todd Bishop

G24 - SAS 70 Practices and Developments Todd Bishop G24 - SAS 70 Practices and Developments Todd Bishop SAS No. 70 Practices & Developments Todd Bishop Senior Manager, PricewaterhouseCoopers LLP Agenda SAS 70 Background Information and Overview Common SAS

More information

Relevant COSO Principles. Policies and procedures are maintained. Policies and Procedures. Roles and responsibilities are identified

Relevant COSO Principles. Policies and procedures are maintained. Policies and Procedures. Roles and responsibilities are identified Accountability is unable to govern service processes No consistent or communicated policies procedures structure is inadequate Policies procedures are maintained Roles responsibilities are identified Policies

More information

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers

Sarbanes-Oxley Section 404: Compliance Challenges for Foreign Private Issuers Sarbanes-Oxley Section 404: Compliance s for Foreign Private Issuers As of March 14, 2005 Table of Contents Requirements of the Act.............................................................. 1 Accelerated

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Keeping watch over your best business interests.

Keeping watch over your best business interests. Keeping watch over your best business interests. 0101010 1010101 0101010 1010101 IT Security Services Regulatory Compliance Services IT Audit Services Forensic Services Risk Management Services Attestation

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

Information Technology Auditing for Non-IT Specialist

Information Technology Auditing for Non-IT Specialist Information Technology Auditing for Non-IT Specialist IIA Pittsburgh Chapter October 4, 2010 Agenda Introductions What are General Computer Controls? Auditing IT processes controls Understanding and evaluating

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX

Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and J-SOX FLASH REPORT Japanese Guidelines for Internal Control Reporting Finalized Differences in Requirements Between the U.S. Sarbanes-Oxley Act and On February 15, 2007, the Business Accounting Council of the

More information

Communicating Internal Control Related Matters Identified in an Audit

Communicating Internal Control Related Matters Identified in an Audit Communicating Internal Control 1843 AU Section 325 Communicating Internal Control Related Matters Identified in an Audit (Supersedes SAS No. 112.) Source: SAS No. 115. Effective for audits of financial

More information

Internal Control Deliverables. For. System Development Projects

Internal Control Deliverables. For. System Development Projects DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...

More information

SARBANES OXLEY: ACHIEVING COMPLIANCE BY STARTING WITH ISO 17799

SARBANES OXLEY: ACHIEVING COMPLIANCE BY STARTING WITH ISO 17799 SARBANES OXLEY: ACHIEVING COMPLIANCE BY STARTING WITH ISO 17799 Dwight A. Haworth and Leah R. Pietron Compliance with the Sarbanes Oxley Act of 2002 (SOX) has been hampered by the lack of implementation

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Information Security Program

Information Security Program Stephen F. Austin State University Information Security Program Revised: September 2014 2014 Table of Contents Overview... 1 Introduction... 1 Purpose... 1 Authority... 2 Scope... 2 Information Security

More information

Board Update. Performance Management Activities

Board Update. Performance Management Activities Board Update Performance Management Activities May 2007 Purpose of Today s Meeting Update Board Members Share Scope, Plans & Results» Benchmarking & Performance Improvement» Compliance Activities 1 Chugach

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

Guide to Internal Control Over Financial Reporting

Guide to Internal Control Over Financial Reporting Guide to Internal Control Over Financial Reporting The Center for Audit Quality prepared this Guide to provide an overview for the general public of internal control over financial reporting ( ICFR ).

More information

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation)

Build (develop) and document Acceptance Transition to production (installation) Operations and maintenance support (postinstallation) It is a well-known fact in computer security that security problems are very often a direct result of software bugs. That leads security researches to pay lots of attention to software engineering. The

More information

Report on. Office of the Superintendent of Financial Institutions. Corporate Services Sector Human Resources Payroll. April 2010

Report on. Office of the Superintendent of Financial Institutions. Corporate Services Sector Human Resources Payroll. April 2010 Report on Office of the Superintendent of Financial Institutions Corporate Services Sector Human Resources Payroll April 2010 Table of Contents 1. Background... 3 2. Audit Objectives, Scope and Approach...

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

Master Document Audit Program

Master Document Audit Program Activity Code 11510 B-1 Planning Considerations Information Technology General System Controls Audit Specific Independence Determination Members of the audit team and internal specialists consulting on

More information

COBIT & ITIL usage for SOX current and future

COBIT & ITIL usage for SOX current and future COBIT & ITIL usage for SOX current and future Robert E Stroud International Vice President ISACA Evangelist ITSM & IT Governance CA, Inc. Japan, November 8, 2007 Trademark Notice ITIL is a registered trademark

More information

Information Systems and Technology

Information Systems and Technology As public servants, it is our responsibility to use taxpayers dollars in the most effective and efficient way possible while adhering to laws and regulations governing those processes. There are many reasons

More information

General Computer Controls

General Computer Controls 1 General Computer Controls Governmental Unit: University of Mississippi Financial Statement Date: June 30, 2007 Prepared by: Robin Miller and Kathy Gates Date: 6/29/2007 Description of computer systems

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of

More information

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE

STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT ORGANIZATION,

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

ACCA P1 Internal Control. incorporated into Combined code, it was last revised in 2005 and still present as a standalone document.

ACCA P1 Internal Control. incorporated into Combined code, it was last revised in 2005 and still present as a standalone document. Internal Control ACCA P1 Internal Control Turnbull Report 1999 provided guidance for creating strong internal control system and later incorporated into Combined code, it was last revised in 2005 and still

More information

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners. Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international

More information

Development, Acquisition, Implementation, and Maintenance of Application Systems

Development, Acquisition, Implementation, and Maintenance of Application Systems Development, Acquisition, Implementation, and Maintenance of Application Systems Part of a series of notes to help Centers review their own Center internal management processes from the point of view of

More information

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER

TECK RESOURCES LIMITED AUDIT COMMITTEE CHARTER Page 1 of 7 A. GENERAL 1. PURPOSE The purpose of the Audit Committee (the Committee ) of the Board of Directors (the Board ) of Teck Resources Limited ( the Corporation ) is to provide an open avenue of

More information

3.B METHODOLOGY SERVICE PROVIDER

3.B METHODOLOGY SERVICE PROVIDER 3.B METHODOLOGY SERVICE PROVIDER Approximately four years ago, the American Institute of Certified Public Accountants (AICPA) issued Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting

More information

Dallas IIA Chapter / ISACA N. Texas Chapter. January 7, 2010

Dallas IIA Chapter / ISACA N. Texas Chapter. January 7, 2010 Dallas IIA Chapter / ISACA N. Texas Chapter Auditing Tuesday, October Project 20, 2009 Management Controls January 7, 2010 Table of Contents Contents Page # Project Management Office Overview 3 Aligning

More information

What Should IS Majors Know About Regulatory Compliance?

What Should IS Majors Know About Regulatory Compliance? What Should IS Majors Know About Regulatory Compliance? Working Paper Series 08-12 August 2008 Craig A. VanLengen Professor of Computer Information Systems/Accounting Northern Arizona University The W.

More information

CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 13-28 June 28, 2013

CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY. Audit Report 13-28 June 28, 2013 CREDIT CARDS CALIFORNIA STATE UNIVERSITY, EAST BAY Audit Report 13-28 June 28, 2013 Henry Mendoza, Chair Lupe C. Garcia, Vice Chair Rebecca D. Eisen Steven M. Glazer William Hauck Hugo N. Morales Members,

More information

Sarbanes Oxley Act Statement of Ability. An AdRem Software White Paper

Sarbanes Oxley Act Statement of Ability. An AdRem Software White Paper Sarbanes Oxley Act Statement of Ability An AdRem Software White Paper 2009 AdRem Software, Inc. This document is written by AdRem Software and represents the views and opinions of AdRem Software regarding

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

The Challenges and Myths of Sarbanes-Oxley Compliance

The Challenges and Myths of Sarbanes-Oxley Compliance W H I T E P A P E R The Challenges and Myths of Sarbanes-Oxley Compliance Meeting the requirements of regulatory legislation on the iseries. SOX-001 REV1b FEBRUARY 2005 Bytware, Inc. All Rights Reserved.

More information

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement Auditor General s Office Governance and Management of City Computer Software Needs Improvement Transmittal Report Audit Report Management s Response Jeffrey Griffiths, C.A., C.F.E Auditor General, City

More information

Addressing SOX compliance with XaitPorter. Version 1.0 Sept. 2014

Addressing SOX compliance with XaitPorter. Version 1.0 Sept. 2014 Addressing SOX compliance with XaitPorter Version 1.0 Sept. 2014 Table of Contents 1 Addressing Compliance... 1 2 SOX Compliance... 2 3 Key Benefits... 5 4 Contact Information... 6 1 Addressing Compliance

More information

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE

COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COSO 2013: WHAT HAS CHANGED & STEPS TO TAKE TO ENSURE COMPLIANCE COMMITTEE OF SPONSORING ORGANIZATIONS (COSO) 2013 The Committee of Sponsoring Organizations (COSO) Internal Controls Integrated Framework,

More information

Sarbanes-Oxley Compliance for Cloud Applications

Sarbanes-Oxley Compliance for Cloud Applications Sarbanes-Oxley Compliance for Cloud Applications What Is Sarbanes-Oxley? Sarbanes-Oxley Act (SOX) aims to protect investors and the general public from accounting errors and fraudulent practices. For this

More information

Fraud and Role of Information Technology. September 2008

Fraud and Role of Information Technology. September 2008 Fraud and Role of Information Technology September 2008 Agenda IT Value Proposition Slide 2 Prior Interpretations of Internal Control Structure Have Addressed Three Separate Parts Which Were Audited Somewhat

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

INFORMATION SECURITY California Maritime Academy

INFORMATION SECURITY California Maritime Academy CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California Maritime Academy Audit Report 14-54 April 8, 2015 Senior Director: Mike Caldera IT Audit Manager:

More information

Audit of NSERC Award Management Information System

Audit of NSERC Award Management Information System Internal Audit Audit Report Audit of NSERC Award Management Information System TABLE OF CONTENTS 1. EXECUTIVE SUMMARY... 2 2. INTRODUCTION... 3 3. AUDIT FINDINGS- BUSINESS PROCESS CONTROLS... 5 4. AUDIT

More information

The Value of Vulnerability Management*

The Value of Vulnerability Management* The Value of Vulnerability Management* *ISACA/IIA Dallas Presented by: Robert Buchheit, Director Advisory Practice, Dallas Ricky Allen, Manager Advisory Practice, Houston *connectedthinking PwC Agenda

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

General IT Controls Audit Program

General IT Controls Audit Program Contributed February 5, 2002 by Paul P Shotter General IT Controls Audit Program Purpose / Scope Perform a General Controls review of Information Technology (IT). The reviews

More information

Introduction. What is ITIL? Automation Centre. Tracker Suite and ITIL

Introduction. What is ITIL? Automation Centre. Tracker Suite and ITIL 1 Introduction The Information Technology Infrastructure Library (ITIL) aims to improve the management of IT services within the organization, for lowered costs, improved efficiency and productivity. But

More information

STANDING ADVISORY GROUP MEETING

STANDING ADVISORY GROUP MEETING 1666 K Street, NW Washington, D.C. 20006 Telephone: (202) 207-9100 Facsimile: (202)862-8430 www.pcaobus.org STANDING ADVISORY GROUP MEETING BROKER-DEALER AUDIT CONSIDERATIONS JULY 15, 2010 Introduction

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

Using Assurance Models in IT Audit Engagements

Using Assurance Models in IT Audit Engagements Using Assurance Models in IT Audit Engagements Adrian Baldwin, Yolanta Beres, Simon Shiu Trusted Systems Laboratory HP Laboratories Bristol HPL-2006-148R1 January 29, 2008* audit, assurance, compliance,

More information

Adrian Lane Security Strategist Securosis.com

Adrian Lane Security Strategist Securosis.com Using SIEM for Compliance Adrian Lane Security Strategist Securosis.com Overview SIM/SEM Introduction Compliance Initiatives Implementation Examples Tips Other Considerations Evolution of Terminology SIM

More information

Sarbanes-Oxley 404. Sarbanes-Oxley Background. SOX 404 Internal Controls. Goals of Sarbanes-Oxley

Sarbanes-Oxley 404. Sarbanes-Oxley Background. SOX 404 Internal Controls. Goals of Sarbanes-Oxley Sarbanes-Oxley Background Sarbanes-Oxley 404 Internal Controls in Financial Reporting: Implications for Actuaries Legislation passed July 30, 2002 Applies to GAAP financial statements filed with SEC Effective

More information

COSO Internal Control Integrated Framework (2013)

COSO Internal Control Integrated Framework (2013) COSO Internal Control Integrated Framework (2013) The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its updated Internal Control Integrated Framework (2013 Framework)

More information

OFFICE OF THE CITY AUDITOR

OFFICE OF THE CITY AUDITOR CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Audit of Information Technology Services Department Project No. AU10-012 September 1, 2011 Audit of Information Technology Services Department Executive Summary

More information

Information Technology Control Framework in the Federal Government Considerations for an Audit Strategy

Information Technology Control Framework in the Federal Government Considerations for an Audit Strategy Information Technology Control Framework in the Federal Government Considerations for an Audit Strategy Presentation to The Institute of Internal Auditors Breakfast Session February 6, 2014 Outline of

More information

Financial Management Information System Centralized Operations

Financial Management Information System Centralized Operations Audit Report Financial Management Information System Centralized Operations March 2003 This report and any related follow-up correspondence are available to the public. Alternate formats may also be requested

More information

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information