An Integrated Approach to Performing Pre-implementation Reviews. Securities Industry and Financial Markets Association February 29, 2012


1 An Integrated Approach to Performing Pre-implementation Reviews
Securities Industry and Financial Markets Association
February 29, 2012
Andy Ellsweig, Director, Technology Risk Advisory Services

2 Discussion Approach
1) Introductions / Course Objectives
2) Integrated Audit Overview
3) Timing and Scope of Integrated Pre-imp Audits
4) Wrap-up / QA

3 Introduction
In today's business environment, where companies are increasingly turning to technology solutions (e.g., mobile apps, web apps, cloud computing) to gain a competitive edge, major system implementations can have a huge impact (negative or positive) on organizations.
The scope of the audit and the staffing mix on pre-implementation reviews will vary depending on the type of system under review, the platform the system is processed on, whether it is processed in house or outsourced, the timing of audit involvement and the business processes supported by the application.
Because of the complexity of some of these applications and the impact new systems can have on business operations and financial reporting, an integrated approach to auditing these implementations can help add more value to our organizations.

4 Course Objectives
- To provide an approach and framework for planning and executing integrated audits of new system implementations.
- To evaluate the potential audits that could be performed for new system implementations and determine the optimal team composition & timing.
- Facilitate an interactive discussion
- Share thoughts & war stories

5 Integrated Auditing Overview

6 Integrated Auditing Objectives & Goals
To provide an approach to performing risk-based reviews (that builds upon the traditional IT General Controls Analysis) in order to assess & communicate Information Technology risks from a business or regulatory perspective.

7 Integrated Business Audit Approach
- Today's audit approach now requires the merging of both Traditional and Information Technology audit approaches.
- Not all controls to be evaluated will be system-specific, but in today's environment, many of the controls will be platform and application related.
- The integrated business approach focuses on business risk.
- Access Controls provide the primary preventative controls within the integrated business audit approach and will be implemented across all information technology layers.

8 Integrated Business Audit Approach
- Today we will focus on performing integrated auditing as part of a pre- or post-implementation application review.
- This layer includes the application programs, libraries and resources independent of the platforms in which they reside.
- Application programs cover major functional processes; security (menu options and transaction level security) is evaluated within this layer.
- We will touch upon relevant areas within the platform and networking layers, but only enough to link to specific application risks.

9 Changes In Approaches to IT Auditing
- Where is Integrated Auditing headed?
- We now have new platform environments (e.g., Web apps, Mobile apps) and new techno-jargon.
- We frequently have to explain WHY we audit Windows, UNIX or SAP Basis, IOS, ANDROID.
- Today's integrated reviews require the auditor to review and assimilate volumes of data about what resources are accessible, what applications do, how the users Use or Abuse the system and how the computer system functions.
- Audit tools must be selected and an approach developed that will require auditors to build upon the traditional logical control/application analysis.

10 Changes In Approaches to IT Auditing
- We now must assess controls in light of business risks
- Assess IT controls at different layers
- Need to determine if controls are really functioning as designed
- Identify new areas where exposure/failure may occur
- As well as identifying what additional manual controls/surprises are out there
- Must be done from a Business perspective
- Auditors must adopt a holistic approach that is equally adaptive to Traditional and newer technology environments

11 Business Risk: The Driving Force to Integrated Auditing
- The common thread throughout the design and implementation of the Company's Information Technology Architecture and Development of the Audit Plan is the significance of identifying the Business Risk.
- Business risk is the threat of an event or action that will adversely affect an organization's ability to achieve its business objectives and execute its strategy successfully.
- Effective business risk management begins with assessment.
- Management must constantly review the risk of catastrophic economic loss, business interruption and loss of business reputation.
- Business risks arise as much from the likelihood that something required or planned won't happen as they do from the threat that something bad will happen.

12 Business Risk: The Driving Force to Integrated Auditing
- Must first identify the business risks
- The source(s) of risk should be clarified and measured (e.g., High/Medium/Low)
- We can then develop the comprehensive integrated audit plan that includes a balance between risks and controls.
- One of the major challenges facing the auditor today is understanding what must be evaluated as part of the review.

13 Business Risk: The Driving Force to Integrated Auditing
Application Layers: potential control elements that can be examined during integrated audits of new systems.
- PROCESS: Business functions and processes that use IT (which generally includes most core business processes)
- APPLICATION: Application software and functions
- DATA MANAGEMENT: File structure and DBMS software controls
- PLATFORM: Hardware platform including OS and system software
- NETWORK: LAN, WAN, Internet, Intranet and support systems
- PHYSICAL: Components that house, support and process IT

14 Business Risk: The Driving Force to Integrated Auditing
- The integrated audit approach attempts to strike a balance between business risks and controls within the various layers
- The trade-off between the cost of the risk and the cost of the controls is a deciding factor
- This balance should be considered in determining reportable findings

15 Business Risk: The Driving Force to Integrated Auditing
What are the next steps?
- We acknowledge that business risks should drive our scope and involvement
- Information technology controls can be segregated into multiple layers
- There is a need for an integrated audit approach that addresses each area based upon business risk
- So how do we apply these concepts to large-scale implementations?

16 Major System Implementations Integrated Scope Considerations

17 Stages of Audit Involvement
The timing and scope of pre- and post-implementation audits are based on a number of factors:
- Size of implementation (revenue, expenses, financial transactions, etc.) and materiality
- Regulatory requirements (SOX, privacy, trade monitoring)
- Timing of implementation (if the timeline is too compressed, can they support an audit?)
- Resources: a major cause of failures (i.e., dedicated implementation team and business resources)
- Type of methodology used

18 Obstacles to Implementing Controls
- Lack of Awareness of Security/Control Guidelines - Application developers do not have adequate visibility or knowledge of IT policies
- Ambiguous Policy Statements - Vague policies are difficult to translate into actionable code
- Security & Controls Are Viewed as a Disabler - General perception at all levels of the organization that security and controls delay projects
- Unclear Ownership and Accountability - Ownership of security and control processes and data is not well defined or understood

19 Stages of Audit Involvement - Potential Audit Types
- Project Risk Review
- System Infrastructure Assessments
- High-level Design Review
- Data Conversion Reviews
- Integration Testing Reviews
- Detailed Business Process Assessment
- Go-Live Readiness
- Post-implementation Audit
- Post Mortem Review

20 Potential Scope Areas - High-Level Project Risk Review
- Can be performed at various stages of the implementation or proactively throughout the project and should include both IT and financial auditors
- Auditors should be granted a seat at the table and participate in ongoing project status meetings and proactively vet control concerns
- Some areas to monitor:
  - Critical success factors (i.e., Project Steering Committee, Dedicated Project Mgr.)
  - Risk Management (i.e., risks quantified, contingencies, frequent management reporting)
  - Requirements Management
  - Project Management
  - Quality (i.e., peer review inspections, Quality Assurance Plan)
  - Configuration Management
  - Organization/Staffing
  - Supplier/Sub-Contractor Management

21 Potential Scope Areas - System Infrastructure Assessment
- Can be performed as soon as the system infrastructure is built
- Typically performed by IT Auditors
- Will cover many of the key IT SOX controls
- Review can focus on key controls within the components of the system architecture
- Some potential scope areas include:
  - Application Controls Modules (i.e., PS PeopleTools, SAP Basis)
  - The operating systems and DB platforms (UNIX, LINUX, Windows, z/OS, IOS, ANDROID, SQL, Oracle, DB2)

22 Potential Scope Areas - System Infrastructure Assessment (Cont.)
- Potential scope areas (Cont.):
  - Administrative transaction access and control
  - Operating system and database level security testing (using scanning tools and scripts, where possible)
  - Middleware Components (i.e., MQ, CORBA, DCE, Encina, BEA, Weblogic)
  - System General controls, including:
    - Backup/Recovery
    - Security Administration
    - Security Policy
    - Capacity Planning
    - Support and Escalation Processes and System/Performance Monitoring
    - Change Controls

23 Potential Scope Areas - High-level Design Review
- Can be performed as soon as the design documents are completed (up to a year prior to the implementation)
- Team composition should include financial/operational and IT auditors
- Most of the work will be conceptual and will be based on the documentation in place
- Can cover management's plans for implementing security and segregation of duties controls
- Can cover planned implementation of key configurable controls supporting the critical business processes

24 Potential Scope Areas - High-level Design Review (Cont.)
- Review of "to be" business process flows
- Although not typically part of a business process review, can include a checkpoint of the key project life cycle activities, including testing, data conversion, training, and contingency planning
- Systems documentation
- Planned interfaces (include plans for assessing data integrity controls)
- Must include the caveat that, due to the timing of the review, several aspects of the project that were still in progress or under development could not be assessed in their entirety. Should give SPECIFIC examples of items not covered.

25 Potential Scope Areas - High-level Design Review (Cont.)
Information Gathering Analysis/Review
- Review business impact documentation and proposals used to sell Sr. Management
- Interview project management personnel
- Review project charter
- Review project plans
- Interview systems development personnel
- Interview infrastructure groups
- Interview end-users
- Obtain vendor system administration, configuration, programming and user manuals

26 Potential Scope Areas - Data Conversion Reviews
- Timing: can be 3-4 months prior to go live or as soon as data is converted
- Can include IT and Financial auditors
- Covers procedures and controls surrounding the data conversion
- Confirm whether documentation has been retained on the conversion process, including:
  - The file conversion plan (as outlined in the previous section)
  - Actual results (both before and after) and the reconciliation involved
  - Problem logs and resulting actions
  - Test scripts and supporting files (e.g., extract files, load files)
  - Evidence of user sign-off

27 Potential Scope Areas - Data Conversion Reviews (Cont.)
- Were procedures outlined in the file conversion plan followed?
- In order to determine whether conversion was satisfactory:
  - Evaluate the reconciliation between data files held on the old and new systems
  - Ensure that all differences were investigated
- Can re-perform data conversion items for accuracy and completeness

28 Potential Scope Areas - Integration Testing Review
- Should be performed 2-3 months before go live
- Review documentation of test results for completeness and level of detail, including expected and actual results, for a sample of test scripts
- Review management of testing problems and related processes
- Review level of business user involvement in scope, execution and approval of integration testing
- Good time to evaluate users' knowledge of the system
- Can cover system performance, including response time (by transaction type)
- Usability Testing: final check to determine how well the system meets the users' needs

29 Potential Scope Areas - Detailed Business Process Assessment
- Can be performed 1-2 months before go live and include financial and IT auditors
- Should cover key financial SOX controls
- Timing is highly dependent on how well the implementation is going
- Review will assess the current "as-is" and the future "to-be" business process flows and will evaluate the manual and automated controls within these processes
- The processes under review should be based on RISK
- Should document the critical business processes and interfaces chosen for review and the rationale for choosing them.

30 Potential Scope Areas - Detailed Business Process Assessment (Cont.)
Should evaluate the critical interfaces for the following:
- Completeness controls (automated file-level or manual reconciliation reporting)
- Accuracy controls (data validations)
- Security (including temporary file locations)
- Error-handling procedures
- Ownership
- Completeness of interface testing documentation: acceptance testing and integration testing
- The presence of negative control testing
- Handling of problem tickets that resulted from testing.

31 Potential Scope Areas - Detailed Business Process Assessment (Cont.)
Depending on nature, timing and extent of testing, a specific control or report could be tested by:
- Inspection of system configurations
- Inspection or re-performance of reconciliations with supporting details
- Re-performance of the control activity using system data
- Inspection of user access listings
- Execution of SOD tools
- Re-performance of control activity in a test environment

32 Potential Scope Areas - Detailed Business Process Assessment (Cont.)
Common Application Controls
- Input and access controls
- Data checks and validations
- Automated authorization, approval, and override
- Automated SOD
- Pended items
- File and data transmission controls: checks for completeness and validity of the content, including data size, date and time, volume of records and authentication of the source
Possible tests include:
- Observe transmission reports and error reports
- Observe validity and completeness parameters and settings
- Review the access to set and amend the configurable parameters

33 Potential Scope Areas - Go Live Readiness
Can occur up to 1 month prior to go live and include IT & Financial Auditors. Should include an assessment of:
- Contingency Planning
  - High-level and detailed plans for each supported business group or entity
  - Process during planned downtime (if any)
  - Business sustainability should extended downtime occur
  - Communication of plans to end users
- Training
  - Completeness of training
  - User satisfaction with training
  - Management should track who goes to training
  - Good tool for audit group to learn about the system

34 Potential Scope Areas - Go Live Readiness (Cont.)
- Integration Testing
  - Documentation of test results for completeness and level of detail, including expected and actual results, for a sample of test scripts
  - Management of reported problems and the related processes
  - Are problem fixes appropriately retested?
- Volume Testing
  - Scope, method, and summary results of volume testing performed for transactional and batch processing
- Post-Production Support
  - Organizational structure
  - Procedures
  - Coverage times
  - Communication to end users
- Always include caveat of what was not covered

35 Potential Scope Areas - Post Implementation Audit
- These should cover the most critical business processes and interfaces reviewed as part of the detailed business process pre-implementation review
- Team composition should include financial & IT auditors
- Can confirm that the controls that were reviewed in concept were implemented as planned
- Includes testing of key controls
- Includes transactional testing
- Follow up on findings from the pre-implementation audits and confirm that there were no changes in the areas previously tested

36 Potential Scope Areas - Post Mortem Reviews
- Can include financial & IT auditors, although it is typically performed by a PMO-type function
- Post-mortem reviews focus on:
  - Cost/ROI, Schedule, and Quality metrics
  - Examining specifications and expectations of project deliverables
- The review process enhances: IT support Goals Communication for future projects
- Benefits include fewer project failures, increased project quality, reduced costs, an accelerated learning process and improved project management

37 Questions???

38 Thank You!!! Andrew Ellsweig, CPA, CGEIT Director RSM McGladrey, Inc


More information

Audit Follow-Up. Active Directory. Status As of February 28, 2015. Summary. Report #1508 April 20, 2015

Audit Follow-Up. Active Directory. Status As of February 28, 2015. Summary. Report #1508 April 20, 2015 Audit Follow-Up Status As of February 28, 2015 Active Directory T. Bert Fletcher, CPA, CGMA City Auditor (Report #1210 issued June 19, 2012) Report #1508 April 20, 2015 Summary This is the second follow

More information

XpoLog Center Log Management Solution For ANY type of Network system, Security devices, Business applications

XpoLog Center Log Management Solution For ANY type of Network system, Security devices, Business applications XpoLog Center Log Management Solution For ANY type of Network system, Security devices, Business applications XpoLog Center is an Enterprise Log Analysis and Management Solution Analyst "Most enterprises

More information

DCSS Time and Attendance Project

DCSS Time and Attendance Project 2014 DCSS Time and Attendance Project Dougherty County School System 3/28/2014 Contents Definition of Terms.. 2 Introduction.. 3 Background.. 3 Specifications/Scope of Work.. 3 Current Application Overview..

More information

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015 July 2015 Information Technology Operational Audit DEPARTMENT OF STATE Florida Voter Registration System (FVRS) Sherrill F. Norman, CPA Auditor General Secretary of State Section 20.10, Florida Statutes,

More information

Automated testing for Mobility New age applications require New age Mobility solutions

Automated testing for Mobility New age applications require New age Mobility solutions Automated testing for Mobility New age applications require New age Mobility solutions Executive Summary Today, mobile phone has transformed from its former role as a mere medium of communication to that

More information

Mission Statement. Provide comprehensive vendor and project management solutions tailored specifically to our clients needs.

Mission Statement. Provide comprehensive vendor and project management solutions tailored specifically to our clients needs. Mission Statement Provide comprehensive vendor and project management solutions tailored specifically to our clients needs. Company History 1997 Founded Icon Information Consultants, LP Market Focus: Contingent

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

The Importance of Information Delivery in IT Operations

The Importance of Information Delivery in IT Operations The Importance of Information Delivery in IT Operations David Williams Notes accompany this presentation. Please select Notes Page view. These materials can be reproduced only with written approval from

More information

+ < We call it Integrated Operations Management. Optimized Processes Assured Customer Satisfaction

+ < We call it Integrated Operations Management. Optimized Processes Assured Customer Satisfaction They work in silos We Unify Infrastructure & Application Support + < We call it Management Optimized Processes Assured Customer Satisfaction www.hclisd.com Application Support & Maintenance has traditionally

More information

Reporting on Control Procedures at Outsourcing Entities

Reporting on Control Procedures at Outsourcing Entities Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation

More information

IT Service Desk Manager

IT Service Desk Manager IT Service Desk Manager Sangita Chandrakant Panmand [1], Sudarshan Ramakant Patil [2] Jainam Technology Pvt. Ltd, Bhaveshwar Complex, Patelwadi. Kurla, Mumbai, Maharashtra 400086. sangitap@jainamtech.com,

More information

CityNet (Lawson e-recruiting) Follow-Up Audit October 2010

CityNet (Lawson e-recruiting) Follow-Up Audit October 2010 CityNet (Lawson e-recruiting) Follow-Up Audit October 2010 Patrice Randle, City Auditor Craig Terrell, Assistant City Auditor Roshan Jayawardene, Internal Auditor CityNet (Lawson e-recruiting) Follow-Up

More information

Presented by Philippe Bogaerts Senior Field Systems Engineer p.bogaerts@f5.com. Securing application delivery in the cloud

Presented by Philippe Bogaerts Senior Field Systems Engineer p.bogaerts@f5.com. Securing application delivery in the cloud Presented by Philippe Bogaerts Senior Field Systems Engineer p.bogaerts@f5.com Securing application delivery in the cloud 2 The Leader in Application Delivery Networking Users Data Center At Home In the

More information

Overview Western 12.-13.9.2012 Mariusz Gieparda

Overview Western 12.-13.9.2012 Mariusz Gieparda Overview Western 12.-13.9.2012 Mariusz Gieparda 1 Corporate Overview Company Global Leader in Business Continuity Easy. Affordable. Innovative. Technology Protection Operational Excellence Compliance Customer

More information

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH WWW.MANTRANCONSULTING.COM 25 Mar 2011, ISACA Singapore SOD SAS70 Project Controls Infrastructure security Configurable controls Change

More information

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,

More information

Buyer s Guide Checklist - What to Look For in Online Backup and Recovery Services

Buyer s Guide Checklist - What to Look For in Online Backup and Recovery Services Introduction We are often asked, "How do I go about selecting an online data backup and recovery service?" Our Data Mountain White Paper answers that question and this accompanying Buyer s Guide Checklist

More information

Tivoli Automation for Proactive Integrated Service Management

Tivoli Automation for Proactive Integrated Service Management Tivoli Automation for Proactive Integrated Service Management Gain advantage with Tivoli Automation portfolio Optimizing the World s Infrastructure 24 October 2012, Moscow 2012 IBM Corporation Acknowledgements,

More information

Identity & Access Management Case Study & Lessons Learned. Prepared by Tariq Jan

Identity & Access Management Case Study & Lessons Learned. Prepared by Tariq Jan Identity & Access Management Case Study & Lessons Learned Prepared by Tariq Jan Investment Bank Case Study Top 5 leading global financial services firm $116 billion in revenue $2 trillion in assets 220k

More information

Internal Control Deliverables. For. System Development Projects

Internal Control Deliverables. For. System Development Projects DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...

More information

4 Testing General and Automated Controls

4 Testing General and Automated Controls 4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Introduction to IT Audit

Introduction to IT Audit Introduction to IT Audit January 23, 2008 Who We Are Randy Roehm Technology Risk Director Jason Brucker Technology Risk Manager Zeb Buckner Internal Audit Consultant Zeb.buckner@protiviti.com Darcie Allen

More information

Review of the Tax and License Collection and Distribution System

Review of the Tax and License Collection and Distribution System Review of the Tax and License Collection and Distribution System May 4, 2012 Report No. 12-09 Evan A. Lukic, CPA County Auditor Table of Contents Topic Page Executive Summary... 3 Scope, Objectives and

More information

The Changing IT Risk Landscape Understanding and managing existing and emerging risks

The Changing IT Risk Landscape Understanding and managing existing and emerging risks The Changing IT Risk Landscape Understanding and managing existing and emerging risks IIA @ Noon Kareem Sadek Senior Manager, Deloitte Canada Chris Close Senior Manager, Deloitte Canada December 2, 2015

More information

KMS Implementation Roadmap

KMS Implementation Roadmap KMS Implementation Roadmap Sample Excerpt Prepared by: The Knowledge Compass, Inc. TABLE OF CONTENTS 1. EXECUTIVE SUMMARY 5 1.1 Overview 5 1.2 Project Goals & Objectives 5 1.3 Implementation Approach 5

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

Planning/Administrative. Management & Organization. Application Level Accuracy and Completeness. EDI Systems Audit Program

Planning/Administrative. Management & Organization. Application Level Accuracy and Completeness. EDI Systems Audit Program EDI Systems Audit Program A Planning/Administrative 1 Review the Letter of Understanding and create the APM (Audit Planning Memorandum) accordingly. A-1 DB 02/03 2 Gain a high-level understanding of Auditee

More information

Cisco Unified Communications Remote Management Services

Cisco Unified Communications Remote Management Services Cisco Unified Communications Remote Management Services What You Will Learn Our remote, high-visibility, co-management approach gives you complete ownership and control of your converged network. Cisco

More information

Sample Information Security Policies

Sample Information Security Policies Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta

More information

An Oracle White Paper Updated July 2011. Best Practices for Upgrading Oracle E-E-E- E-Business Suite

An Oracle White Paper Updated July 2011. Best Practices for Upgrading Oracle E-E-E- E-Business Suite An Oracle White Paper Updated July 2011 Best Practices for Upgrading Oracle E-E-E- E-Business Suite Best Practices for Upgrading Oracle E-Business Suite Introduction... 3 Upgrade Overview... 4 The Upgrade

More information

AGILE SOFTWARE TESTING

AGILE SOFTWARE TESTING AGILE SOFTWARE TESTING Business environments continue to rapidly evolve, leaving many IT organizations struggling to keep up. This need for speed has led to an increased interest in the Agile software

More information

OpManager MSP Edition

OpManager MSP Edition OpManager MSP Edition Product Overview (6.5) June 2007 Agenda MSP Edition Architecture And Features About OpManager MSP Demo (https://mspdemo.opmanager.com) MSP Edition Architecture And Features Scalable

More information

San Francisco Chapter. Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young

San Francisco Chapter. Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young Learning Objectives Understand how data analysis can impact/improve business Understand typical data analysis challenges Understand the various

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

IT Services Management Service Brief

IT Services Management Service Brief IT Services Management Service Brief Service Continuity (Disaster Recovery Planning) Prepared by: Rick Leopoldi May 25, 2002 Copyright 2002. All rights reserved. Duplication of this document or extraction

More information

The Power of Risk, Compliance & Security Management in SAP S/4HANA

The Power of Risk, Compliance & Security Management in SAP S/4HANA The Power of Risk, Compliance & Security Management in SAP S/4HANA OUR AGENDA Key Learnings Observations on Risk & Compliance Management Current State Current Challenges The SAP GRC and Security Solution

More information

Phire Architect Hardware and Software Requirements

Phire Architect Hardware and Software Requirements Phire Architect Hardware and Software Requirements Copyright 2014, Phire. All rights reserved. The Programs (which include both the software and documentation) contain proprietary information; they are

More information

COMPARATIVE STUDY OF ERP IMPLEMENTATION METHODOLOGY CASE STUDY: ACCELERATED SAP VS DANTES & HASIBUAN METHODOLOGY

COMPARATIVE STUDY OF ERP IMPLEMENTATION METHODOLOGY CASE STUDY: ACCELERATED SAP VS DANTES & HASIBUAN METHODOLOGY COMPARATIVE STUDY OF ERP IMPLEMENTATION METHODOLOGY CASE STUDY: ACCELERATED SAP VS DANTES & HASIBUAN METHODOLOGY M. Hilman, F. Setiadi, I. Sarika, J. Budiasto, and R. Alfian Faculty of Computer Science,

More information

San Francisco Chapter. Information Systems Operations

San Francisco Chapter. Information Systems Operations Information Systems Operations Overview Operations as a part of General Computer Controls Key Areas of focus within Information Systems Operations Key operational risks Controls generally associated with

More information

Cloudbuz at Glance. How to take control of your File Transfers!

Cloudbuz at Glance. How to take control of your File Transfers! How to take control of your File Transfers! A MFT solution for ALL organisations! Cloudbuz is a MFT (Managed File Transfer) platform for organisations and businesses installed On-Premise or distributed

More information

Fixed Scope Offering Fusion Financial Implementation

Fixed Scope Offering Fusion Financial Implementation Fixed Scope Offering Fusion Financial Implementation Mindtree limited 2015 Agenda Introduction Business Objectives Product Overview Key Implementation Features Implementation Packages & Timelines Cloud

More information

Feature. Multiagent Model for System User Access Rights Audit

Feature. Multiagent Model for System User Access Rights Audit Feature Christopher A. Moturi is the head of School of Computing and Informatics at the University of Nairobi (Kenya) and has more than 20 years of experience teaching and researching on databases and

More information

WEB APPLICATION SECURITY TESTING GUIDELINES

WEB APPLICATION SECURITY TESTING GUIDELINES WEB APPLICATION SECURITY TESTING GUIDELINES 1 These guidelines were developed to support the Web Application Security Standard. Please refer to this standard for additional information and/or clarification

More information

Samples of Management Consulting Assignments. Performed by DCAG are. Provided in the following pages.

Samples of Management Consulting Assignments. Performed by DCAG are. Provided in the following pages. Samples of Management Consulting Assignments Performed by DCAG are Provided in the following pages. Thomas Bronack 15180 20 th Avenue Whitestone, NY 11357 Phone: (718) 591-5553 Cell: (917) 673-6992 Email:

More information

Auditing the Software Development Lifecycle ISACA Geek Week. Mike Van Stone Sekou Kamara August 2014

Auditing the Software Development Lifecycle ISACA Geek Week. Mike Van Stone Sekou Kamara August 2014 Auditing the Software Development Lifecycle ISACA Geek Week Mike Van Stone Sekou Kamara August 2014 Agenda Introduction Audit Scope Project Initiation SDLC Processes Stakeholders Common Development Methodologies

More information

Seven Things To Consider When Evaluating Privileged Account Security Solutions

Seven Things To Consider When Evaluating Privileged Account Security Solutions Seven Things To Consider When Evaluating Privileged Account Security Solutions Contents Introduction 1 Seven questions to ask every privileged account security provider 4 1. Is the solution really secure?

More information

Vulnerability management lifecycle: defining vulnerability management

Vulnerability management lifecycle: defining vulnerability management Framework for building a vulnerability management lifecycle program http://searchsecurity.techtarget.com/magazinecontent/framework-for-building-avulnerability-management-lifecycle-program August 2011 By

More information

Enterprise Security Solutions

Enterprise Security Solutions Enterprise Security Solutions World-class technical solutions, professional services and training from experts you can trust ISOCORP is a Value-Added Reseller (VAR) and services provider for best in class

More information

SAP ERP Upgrade Checklist Project Preparation

SAP ERP Upgrade Checklist Project Preparation A SAP ERP Upgrade Checklist Project Preparation Upgrade Project Phase Project Preparation Definition From the project perspective the project preparation phase includes: Learning about the new functionality

More information

Course Outline. Module 1: Introduction to Data Warehousing

Course Outline. Module 1: Introduction to Data Warehousing Course Outline Module 1: Introduction to Data Warehousing This module provides an introduction to the key components of a data warehousing solution and the highlevel considerations you must take into account

More information

SECTION 4 TESTING & QUALITY CONTROL

SECTION 4 TESTING & QUALITY CONTROL Page 1 SECTION 4 TESTING & QUALITY CONTROL TESTING METHODOLOGY & THE TESTING LIFECYCLE The stages of the Testing Life Cycle are: Requirements Analysis, Planning, Test Case Development, Test Environment

More information