The Information Systems Audit
- Silvia Andrews
- 8 years ago
Slide 1: The Information Systems Audit, November 25, 2009

Slide 2: Institute of Chartered Accountants of Pakistan (ICAP) Auditorium, Karachi. Presenter: Sajid H. Khan, Executive Director, Technology and Security Risk Services

Slide 3: IS Environment
- Back office batch applications
- MIS
- Online integrated applications / ERP
- DAS
- E-commerce / home computing
- Knowledge
Slide 4: Information Technology Audit
The IT audit focuses on determining the risks that are relevant to information assets, and on assessing and evaluating controls in order to reduce or mitigate those risks. It is any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, the related non-automated processes, and the interfaces between them.

Slide 5: Purpose of IT Audit (cont.)
The IT audit's agenda may be summarized by the following questions:
- Integrity: will the information provided by the system always be accurate, reliable and timely?
- Confidentiality: will the information in the systems be disclosed only to authorized users?
- Availability: will the organization's computer systems be available for the business at all times when required?
Slide 6: Classification of Audits
- Financial audits
- Operational audits
- Integrated audits
- IS audits
- Specialized audits
- Forensic audits

Slide 7: Audit Objectives (specific goals of the audit)
- Confidentiality
- Integrity
- Reliability
- Availability
- Compliance with legal / regulatory requirements

Slide 8: Types of IT Audits
- IT policies and procedures review and gap analysis
- Implementation reviews (e.g. SAP / Oracle / JD Edwards)
- IT security reviews
- IT forensic investigations
- Application integrity reviews
- Business continuity / IT disaster recovery
These reviews may be performed in conjunction with a financial statement audit, an internal audit, or another form of attestation / special engagement.

Slide 9: Types of IT Audits, System Implementation Review (example)
- Business process / application controls
- Report testing and documentation
- Testing (unit, volume, user)
- Data cleansing and conversion
- Segregation of duties
- Roll-out strategies
- IT general controls
Slide 10: Various Standards and Frameworks
- COBIT
- COSO
- SOX
- ICFR
- Basel II
- ITIL

Slide 11: COBIT
A framework with 34 high-level control objectives, grouped into four domains:
- Planning and organization
- Acquisition and implementation
- Delivery and support
- Monitoring and evaluation
It draws on 36 major IT-related standards and regulations.
Slide 12: ISACA IS Auditing Standards Framework
The framework for the ISACA IS Auditing Standards has three levels:
- Standards
- Guidelines
- Procedures

Slide 13: ISACA IS Auditing Standards Framework
- Standards: must be followed by IS auditors
- Guidelines: provide assistance on how to implement the standards
- Procedures: provide examples for implementing the standards

Slide 14: ISACA IS Auditing Standards Framework (cont.)
Objectives of the ISACA IS Auditing Standards:
- Inform management and other interested parties of the profession's expectations concerning the work of audit practitioners
- Inform information systems auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics

Slides 15 to 17: ISACA IS Auditing Standards Framework (cont.)
- S1 Audit charter
- S2 Independence
- S3 Ethics and standards
- S4 Competence
- S5 Planning
- S6 Performance of audit work
- S7 Reporting
- S8 Follow-up activities
- S9 Irregularities and illegal acts
- S10 IT governance
- S11 Use of risk assessment in audit planning
- S12 Audit materiality
- S13 Using the work of other experts
- S14 Audit evidence
- S15 IT controls
- S16 Electronic commerce
Slide 18: Skills and Competence
An ideal background for an IS auditor combines:
- Business
- Auditing
- Information technology

Slide 19: Skills and Competence (cont.)
Specialized IS skills may be needed for an auditor to:
- Obtain an understanding of the accounting and internal control systems affected by the IS environment
- Determine the effect of the IS environment on the assessment of risk at each level (e.g. process, account, transaction level)
- Design and perform appropriate tests of control and substantive procedures, e.g. data analytics

Slide 20: IS Audit Resource Management and Planning
- Limited number of IS auditors
- Maintenance of their technical competence
- Assignment of audit staff
- Short- and long-term planning
Considerations:
- New control issues
- Changing technologies
- Changing business processes
- Enhanced evaluation techniques
Slide 21: Information Technology Audit, Process
An information technology audit, or information systems audit, is an examination of the controls within an information technology (IT) infrastructure. It is a process of collecting and evaluating evidence about an organization's information systems, practices and operations. Evaluation of the evidence obtained determines whether the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives.

Slide 22: A Typical IS Audit Cycle
- Planning
- Understand the process(es)
- Walk through the process / controls
- Evaluate the design of controls
- Test the controls for operating effectiveness
- Conclude and report

Slide 23: IS Control Objectives
Internal control objectives apply to all areas, whether manual or automated. Conceptually, therefore, control objectives in an IS environment are unchanged from those of a manual environment.
Slide 24: Key Controls
A key control is a member of the set of controls that management identifies and relies upon to mitigate the risk of financial misstatement; in other words, it is the main control that addresses the risk. Key controls are usually identified by management.

Slide 25: Compensating Controls
A compensating control is a control that is in place to mitigate the risk of damage in the event that a key control fails. Example: the key control may be approval prior to granting access to systems; if that fails, the compensating control might be monthly monitoring of user access, which limits the exposure to a period of one month.

Slide 26: Prevent / Detect Controls (change management example)
- Prevent controls operate pre-production, before a change reaches the production environment
- Detect controls operate post-production, after the change is in production
Slide 27: Elements of an Effective IT Audit
Knowledge:
- Business
- Technology
- Best practice
Tools and methods:
- Checklists
- Work programs
- Automated tools
- Guidelines

Slide 28: Risk Assessment (assessing information technology risks)
Risk assessments should identify, quantify and prioritize risks against the criteria for risk acceptance and the objectives relevant to the organization. They should be performed periodically to address changes in the environment and in security requirements, and whenever significant changes occur.

Slide 29: Risk Treatment (treating security risks)
Each risk identified in a risk assessment needs to be treated. Controls should be selected to ensure that risks are reduced to an acceptable level.
Slide 30: Scoping
- Areas / processes in scope
- Risks identified within the processes / areas
- Application scoping
- Identification of key and compensating controls at each layer: application, operating system, database

Slide 31: Scoping (diagram)
- Management controls: strategy, DRP, security policy, IT governance, policies and procedures, compliance
- Security environment: applications, databases, networks, etc.
- IT general controls
- Application controls
- Optimizing database performance
- Reducing network vulnerabilities

Slide 32: IT Governance, Entity Level Controls
Controls at the company level that create, foster and sustain a controlled IT environment. Examples:
- IT strategic planning
- IT policies and procedures
- IT organization structure
- Properly segregated duties
- Fraud identification
- Training and education
- Monitoring and risk assessment

Slide 33: IT General Controls, Layers of Controls (diagram: business processes and data)

Slide 34: ITGC Domains
- Program change management
- Logical access
- IT operations (backup and recovery, job scheduling, problem and incident management)
Slide 35: Change Management
Objective: to provide reasonable assurance that only appropriately authorized, tested and approved changes are made to in-scope systems.
Types of changes that fall under change management:
- Program development / acquisition
- Program change
- Maintenance (e.g. database, operating system)
- Emergency changes
- Configuration / parameter changes (e.g. physical hardware configuration and parameter settings)

Slide 36: Change Management (cont.)
Components of the IT environment:
- Applications
- Interfaces
- DBMS (database management system)
- Network and operating systems (OS)
Typical key controls:
- Changes are authorized
- Changes are tested
- Changes are approved
- Changes are monitored
- Duties are appropriately segregated
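As an added example (not part of the slide deck), the Python below reconciles a constructed production change log against a constructed change-ticket register. This is the post-production detect control the deck describes, and it tests the typical key controls in one pass: every deployed change should trace to a ticket that was tested, approved before deployment, and neither approved nor deployed by the developer who requested it. The record layout, the names, and the rule that an emergency change may be approved after the fact are assumptions made here, not the presenter's.

```python
"""Added example, not from the slide deck: reconcile a production change log
against the change-ticket register (a post-production detect control for the
key controls 'authorized, tested, approved, segregated'). All data constructed."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Ticket:
    ticket_id: str
    system: str
    requested_by: str               # developer who raised the change
    tested_by: Optional[str]        # evidence of testing (None = none on file)
    approved_by: Optional[str]      # change approver (None = not approved)
    approved_at: Optional[datetime]
    emergency: bool = False         # assumption: emergency changes may be approved after the fact


@dataclass
class ProdChange:
    change_id: str
    system: str
    deployed_by: str
    deployed_at: datetime
    ticket_id: Optional[str]        # reference recorded by the deployment tool, if any


# Constructed sample data (names and ids are hypothetical).
TICKETS: Dict[str, Ticket] = {
    "CHG-100": Ticket("CHG-100", "GL", "alice", "bob", "carol", datetime(2009, 11, 1, 10, 0)),
    "CHG-101": Ticket("CHG-101", "AP", "erin", None, "erin", datetime(2009, 11, 3, 9, 0)),
    "CHG-102": Ticket("CHG-102", "GL", "frank", None, "carol", datetime(2009, 11, 6, 9, 0), emergency=True),
}
PROD_LOG: List[ProdChange] = [
    ProdChange("P1", "GL", "dave", datetime(2009, 11, 2, 20, 0), "CHG-100"),
    ProdChange("P2", "GL", "dave", datetime(2009, 11, 2, 21, 0), None),
    ProdChange("P3", "AP", "erin", datetime(2009, 11, 4, 18, 0), "CHG-101"),
    ProdChange("P4", "GL", "dave", datetime(2009, 11, 5, 22, 0), "CHG-102"),
]


def review_changes(prod_log, tickets):
    """Map each production change id to its list of exceptions (empty = clean)."""
    findings = {}
    for change in prod_log:
        reasons = []
        ticket = tickets.get(change.ticket_id) if change.ticket_id else None
        if ticket is None:
            reasons.append("no change ticket")           # unauthorized change
        else:
            if ticket.system != change.system:
                reasons.append("ticket is for a different system")
            if ticket.approved_by is None or ticket.approved_at is None:
                reasons.append("not approved")
            elif ticket.approved_at > change.deployed_at and not ticket.emergency:
                reasons.append("approved after deployment")
            if ticket.tested_by is None and not ticket.emergency:
                reasons.append("no evidence of testing")
            # Segregation of duties: the requesting developer neither approves nor deploys.
            if ticket.approved_by == ticket.requested_by:
                reasons.append("requester approved own change")
            if change.deployed_by == ticket.requested_by:
                reasons.append("developer deployed own change")
        findings[change.change_id] = reasons
    return findings


def exception_count(findings):
    """Number of changes with at least one exception, for the audit summary."""
    return sum(1 for reasons in findings.values() if reasons)


if __name__ == "__main__":
    for change_id, reasons in review_changes(PROD_LOG, TICKETS).items():
        print(change_id, "OK" if not reasons else "; ".join(reasons))
```

Run against the sample data, P1 is clean, P2 has no ticket at all, P3 fails testing and both segregation checks, and P4 passes only because it is flagged as an emergency change; an auditor would list emergency changes separately and inspect their retrospective approval.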
Slide 37: Logical Access
Objective: to determine that only authorized persons have access to data and applications (including programs, tables and related resources) and that they can perform only specifically authorized functions.
Levels of the logical access path:
- Network / operating system
- Application
- Database

Slide 38: Logical Access (cont.)
General systems security settings:
- Platform specification
- Password configuration
Systems user administration:
- New user setup
- Change / transfer
- Termination

Slide 39: Logical Access (cont.)
- Privileged users
- User access reviews
- Segregation of incompatible duties (SoD) across the three steps: request access, approve access, provision access
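As an added example (not part of the slide deck), the Python below performs the user access review the slides call for over constructed data. It checks the request / approve / provision segregation from slide 39, the termination step of user administration from slide 38 (users HR lists as terminated but the system still knows), and the completeness of the access population, which is what the monthly monitoring of user access on the compensating-controls slide depends on. The HR roster, request records, role names and account list are all constructed, not the presenter's.

```python
"""Added example, not from the slide deck: a user access review over constructed
data covering request/approve/provision segregation, terminated users still
holding access, and access held without a documented request. All data constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AccessRequest:
    user: str                     # account that received the role
    role: str
    requested_by: str
    approved_by: Optional[str]    # None = provisioned without recorded approval
    provisioned_by: Optional[str]


# Constructed sample data (names and roles are hypothetical).
HR_ROSTER: Dict[str, str] = {     # user -> HR status
    "alice": "active", "bob": "active", "carol": "active",
    "dave": "terminated", "erin": "active",
}
ACCESS_REQUESTS: List[AccessRequest] = [
    AccessRequest("alice", "AP_CLERK", requested_by="bob", approved_by="carol", provisioned_by="erin"),
    AccessRequest("bob", "DBA", requested_by="bob", approved_by="bob", provisioned_by="erin"),
    AccessRequest("dave", "GL_POST", requested_by="carol", approved_by=None, provisioned_by="erin"),
]
ACTIVE_ACCOUNTS: Dict[str, Set[str]] = {  # roles the system currently reports per user
    "alice": {"AP_CLERK"}, "bob": {"DBA"}, "dave": {"GL_POST"}, "erin": {"SYSADMIN"},
}


def sod_exceptions(requests):
    """(user, role, reason) for requests where approval is missing or one
    person performed two of request / approve / provision."""
    out: List[Tuple[str, str, str]] = []
    for r in requests:
        if r.approved_by is None:
            out.append((r.user, r.role, "access provisioned without approval"))
        actors = [p for p in (r.requested_by, r.approved_by, r.provisioned_by) if p]
        if len(set(actors)) < len(actors):
            out.append((r.user, r.role, "same person in two SoD steps"))
    return out


def terminated_with_access(active_accounts, roster):
    """Users the system still knows but HR does not list as active."""
    return sorted(u for u in active_accounts if roster.get(u, "unknown") != "active")


def unrequested_access(active_accounts, requests):
    """Roles held in the system with no request on file: a completeness test
    of the access population that a periodic user access review must include."""
    documented = {(r.user, r.role) for r in requests}
    return sorted(
        (user, role)
        for user, roles in active_accounts.items()
        for role in roles
        if (user, role) not in documented
    )


if __name__ == "__main__":
    print("SoD exceptions:", sod_exceptions(ACCESS_REQUESTS))
    print("Terminated with access:", terminated_with_access(ACTIVE_ACCOUNTS, HR_ROSTER))
    print("Undocumented access:", unrequested_access(ACTIVE_ACCOUNTS, ACCESS_REQUESTS))
```

The population for such a review is the system's own account export, not the request log; reviewing only what was requested would never find the SYSADMIN role that erin holds without a request, which is the privileged-user case the slide singles out.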
Slide 40: IT Operations
Objectives:
- To determine that critical data is properly backed up so that it can be accurately and completely recovered if there is a system outage or a data integrity issue
- To determine that only appropriate users have the ability to make changes to job scheduling
- To determine that a problem and incident management process is in place

Slide 41: IT Operations (cont.)
- Backup and recovery
- Job scheduling
- Problem and incident management
- Data center walkthrough
- Physical access
Slide 42: Application Controls
An application control is an automated control that is programmed within a system to perform the same function over and over again. Examples:
- Edit checks
- Validations
- Calculations
- Interfaces
- Authorizations

Slide 43: Application Controls
- Embedded control: the system is programmed to perform the control, either through custom coding or through packaged delivery of that functionality.
- Configurable control: the system has the capacity to perform the control depending on its setup, but may have been configured differently. Used especially in the context of ERP systems. Example: a three-way match within an application.

Slide 44: Application Controls, Testing
- Embedded control: re-performance via walkthrough; inspection of authorization
- Configurable control: inspect the configuration; re-performance via walkthrough; inspection of authorization
Consider manual overrides and the underlying ITGCs.

Slide 45: IT Dependent Manual Controls
An IT-dependent manual control is any control activity in which an individual and an IT output are combined. Example: review of a system-generated report. Consider the underlying ITGCs.
Slide 46: Data Analytics
Also called computer-assisted audit techniques (CAATs). CAATs enable IS auditors to gather information independently. Multiple tools are available to perform data analytics.

Slide 47: Data Analytics (cont.)
Functions supported by automated tools:
- File access
- File reorganization
- Data selection
- Statistical functions
- Arithmetical functions

Slide 48: Data Analytics (cont.)
Considerations before utilizing CAATs:
- Ease of use
- Training requirements
- Complexity of coding and maintenance
- Installation requirements
- Processing efficiencies
- Confidentiality of the data being processed

Slide 49: Challenges for IS Auditors
- Completeness of the population
- Time period coverage
- Key control tools
- Scoping additional procedures
- Controls testing
- Impact on application / ITDM testing if ITGCs are not effective
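As an added example (not part of the slide deck), the Python below is a small CAAT of the kind the data analytics slides describe: it re-performs the three-way match that slides 43 and 44 give as the configurable control example (purchase order against goods receipt against invoice, using data selection and arithmetical functions), and it addresses the completeness-of-population challenge from slide 49 with a sequence-gap test and a control total. The purchase orders, receipts, invoices and the rounding tolerance are constructed assumptions, not the presenter's data.

```python
"""Added example, not from the slide deck: a CAAT that re-performs an
application's three-way match (purchase order, goods receipt, invoice) and
tests the completeness of the invoice population. All data constructed."""
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed sample data (ids, items and prices are hypothetical).
PURCHASE_ORDERS: Dict[str, Tuple[str, int, Decimal]] = {  # po -> (item, qty ordered, unit price)
    "PO-1": ("widget", 10, Decimal("5.00")),
    "PO-2": ("bolt", 8, Decimal("12.00")),
    "PO-3": ("nut", 5, Decimal("5.00")),
}
GOODS_RECEIPTS: Dict[str, int] = {"PO-1": 10, "PO-2": 8, "PO-3": 3}  # po -> qty received
INVOICES: List[dict] = [
    {"inv": "INV-1001", "po": "PO-1", "qty": 10, "amount": Decimal("50.00")},
    {"inv": "INV-1002", "po": "PO-2", "qty": 8, "amount": Decimal("100.00")},  # overbilled
    {"inv": "INV-1004", "po": "PO-3", "qty": 5, "amount": Decimal("25.00")},   # more than received
    {"inv": "INV-1005", "po": "PO-9", "qty": 1, "amount": Decimal("1.00")},    # no PO
]
TOLERANCE = Decimal("0.01")  # assumption: rounding tolerance agreed with management


def three_way_match(invoices, purchase_orders, receipts):
    """Map each invoice id to its list of match exceptions (empty = matched)."""
    results = {}
    for inv in invoices:
        issues = []
        po = purchase_orders.get(inv["po"])
        if po is None:
            issues.append("no purchase order")
        else:
            _item, ordered, unit_price = po
            received = receipts.get(inv["po"], 0)
            if inv["qty"] > received:
                issues.append(f"invoiced {inv['qty']} but received {received}")
            if inv["qty"] > ordered:
                issues.append(f"invoiced {inv['qty']} but ordered {ordered}")
            expected = unit_price * inv["qty"]
            if abs(inv["amount"] - expected) > TOLERANCE:
                issues.append(f"amount {inv['amount']} differs from PO price x qty {expected}")
        results[inv["inv"]] = issues
    return results


def sequence_gaps(invoices, prefix="INV-"):
    """Invoice numbers missing from the sequence: a completeness-of-population test."""
    numbers = sorted(int(i["inv"][len(prefix):]) for i in invoices)
    present = set(numbers)
    return [f"{prefix}{n}" for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def control_total(invoices):
    """Sum of invoice amounts, to agree to the ledger's control total."""
    return sum((i["amount"] for i in invoices), Decimal("0"))


if __name__ == "__main__":
    for inv_id, issues in three_way_match(INVOICES, PURCHASE_ORDERS, GOODS_RECEIPTS).items():
        print(inv_id, "matched" if not issues else "; ".join(issues))
    print("sequence gaps:", sequence_gaps(INVOICES))
    print("control total:", control_total(INVOICES))
```

Re-performance like this is only as good as the population it runs over: the sequence gap (INV-1003 is missing from the extract) and the control total are what let the auditor say the extract is complete before relying on the exception list, which is the point slide 49 makes about completeness.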
Slide 50: Communicating Audit Results
- Exit interview: correct facts, realistic recommendations, implementation dates for agreed recommendations
- Presentation techniques: executive summary and visual presentation

Slide 51: Communicating Audit Results (cont.)
Audit report structure and contents:
- An introduction to the report (e.g. objectives, scope, procedures performed)
- High-level audit findings and recommendations
- The IS auditor's overall conclusion and opinion
- The IS auditor's reservations with respect to the audit
- Detailed audit findings and recommendations

Slide 52: Audit Documentation
- Planning, audit scope and objectives
- Description of the scoped audit area
- Audit program(s)
- Audit steps performed and evidence gathered
- Other experts used
- Audit findings, conclusions and recommendations
More informationKnowledge Management Series. Internal Audit in ERP Environment
Knowledge Management Series Internal Audit in ERP Environment G BALU ASSOCIATES Knowledge Management Series ISSUE-5 ; VOL 1 Internal Audit in ERP Environment APRIL/2012 Editorial Greetings..!!! Raja Gopalan.B
More informationIntroduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors
Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors Importance of Effective Internal Controls and COSO COSO
More informationLeRoy Budnik, Knowledge Transfer
Preparing for a Storage Security Audit LeRoy Budnik, Knowledge Transfer SNIA Legal Notice The material contained in this tutorial is copyrighted by the SNIA and is subject to other copyrights 1. Member
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationModule 2 IS Assurance Services
Module 2 IS Assurance Services Chapter 2: IS Audit In Phases Phase 2: Part: 2 of 3 CA A.Rafeq 1 Chapter 2: Agenda Chapter 2: IS Audit in Phases Phase1: Plan Phase 2: Execute Phase 3: Report 2 Phase 2:
More informationIT Risk Management Era: Research Challenges and Best Practices. Eyal Adar, Founder & CEO Eyal@WhiteCyberKnight.com Chairman of the EU SRMI
IT Risk Management Era: Research Challenges and Best Practices IARA Work Group July 1 st, 2007, Santa Clara - California Eyal Adar, Founder & CEO Eyal@WhiteCyberKnight.com Chairman of the EU SRMI (Security
More informationAuditing Application User Account Security and Identity Management with Data Analytics
Auditing Application User Account Security and Identity Management with Data Analytics James Kidwell, JD, CISA Senior Information Systems Auditor Audit Services Session Agenda and Learning Objectives Brief
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance IT Governance Policy Mergers and Acquisitions Policy Terms and Definitions Policy 164.308 12.4 12.5 EDM01 EDM02 EDM03 Information Security Privacy Policy Securing Information Systems Policy
More informationInformation Technology Internal Controls Part 2
IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part
More information2. Auditing. 2.1. Objective and Structure. 2.2. What Is Auditing?
- 4-2. Auditing 2.1. Objective and Structure The objective of this chapter is to introduce the background information on auditing. In section 2.2, definitions of essential terms as well as main objectives
More informationImpact of New Internal Control Frameworks
Impact of New Internal Control Frameworks Webcast: Tuesday, February 25, 2014 CPE Credit: 1 0 With You Today Bob Jacobson Principal, Risk Advisory Services Consulting Leader West Region Bob.Jacobson@mcgladrey.com
More informationCOSO s 2013 Internal Control Framework in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting
in Depth: Implementing the Enhanced Guidance for Internal Control over External Financial Reporting Table of Contents EXECUTIVE SUMMARY... 3 BACKGROUND... 3 SIGNIFICANT CHANGES AFFECTING INTERNAL CONTROL
More informationModule 6 Documenting Processes and Controls
A logical place to begin any comprehensive evaluation of internal controls is at the top entity-level controls that might have a pervasive effect on the organization. This includes a consideration of factors
More informationData Center Audit April 2015
Data Center Audit April 2015 Table of Contents Executive Summary 2 5 Highlights and Accomplishments 6 7 Summary Observations 8 This report provides management with information about the condition of risks
More informationIT Compliance 24.09.2007. After Hours Seminar September 2007 Zurich. Improving IT Risk & Compliance Management (RCM)
IT Compliance 24.09. AHS After Hours Seminar Zurich Improving IT Risk & Compliance Management (RCM) Bruno J. Wiederkehr Member of the Board ISACA Switzerland Chapter Agenda 1. Understanding the RCM Requirements
More informationDevelopment of an Interdisciplinary Information Technology Auditing Program
Development of an Interdisciplinary Information Technology Auditing Program Chienting Lin, Li-Chiou Chen, Pace University Abstract This paper provided an example for the development of an interdisciplinary
More informationHow To Improve Your Business
IT Risk Management Life Cycle and enabling it with GRC Technology 21 March 2013 Overview IT Risk management lifecycle What does technology enablement mean? Industry perspective Business drivers Trends
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA INFORMATION SYSTEMS AUDIT OFFICE OF INFORMATION TECHNOLOGY SERVICES INFORMATION TECHNOLOGY GENERAL CONTROLS OCTOBER 2014 OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA STATE AUDITOR
More informationow to use CobiT to assess the security & reliability of Digital Preservation
ow to use CobiT to assess the security & reliability of Digital Preservation Erpa WORKSHOP Antwerp 14-16 April 2004 Greet Volders Managing Consultant - VOQUALS N.V. Vice President & in charge of Education
More informationSECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
More informationThe added value of an operating system audit to an IT General Controls audit
Thesis: The added value of an operating system audit to an IT General Controls audit S.A.H. Cobelens MSc. 2174332 cobelens@gmail.com September 6, 2013 Vrije Universiteit Amsterdam The added value of an
More informationDepartment of Public Utilities Customer Information System (BANNER)
REPORT # 2010-06 AUDIT of the Customer Information System (BANNER) January 2010 TABLE OF CONTENTS Executive Summary..... i Comprehensive List of Recommendations. iii Introduction, Objective, Methodology
More informationAuditing Applications. ISACA Seminar: February 10, 2012
Auditing Applications ISACA Seminar: February 10, 2012 Planning Objectives Mapping Controls Functionality Tests Complications Financial Assertions Tools Reporting AGENDA 2 PLANNING Consideration / understanding
More information