The Information Systems Audit

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "The Information Systems Audit"

Transcription

1 November 25, 2009 e q 1

2 Institute of of Pakistan ICAP Auditorium, Karachi Sajid H. Khan Executive Director Technology and Security Risk Services e q 2

3 IS Environment Back Office Batch Apps MIS Online Integrated Applications/ ERP DAS E-Commerce / Home Computing Knowledge 3

4 Information Technology Audit The IT audit focuses on determining risks that are relevant to information assets, and in assessing and evaluating controls in order to reduce or mitigate these risks. Any audit that encompasses review and evaluation (wholly or partly) of automated information processing systems, related non-automated processes and the interfaces between them. 4

5 Purpose of IT Audit Cont. The IT audit's agenda may be summarized by the following questions: Integrity - Will the information provided by the system always be accurate, reliable, and timely? Confidentiality - Will the information in the systems be disclosed only to authorized users? Availability - Will the organization's computer systems be available for the business at all times when required? 5

6 Classification of Audits Financial audits Operational audits Integrated audits IS audits Specialized audits Forensic audits 6

7 Audit Objectives Specific goals of the audit Confidentiality Integrity Reliability Availability Compliance with legal / regulatory requirements 7

8 Types of IT Audits IT Policies & Procedures Review and Gap analysis Implementation Reviews (e.g. SAP / Oracle / JD Edwards) IT Security Reviews IT Forensic Investigations Application Integrity Reviews Business Continuity IT Disaster Recovery These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation/special engagement. 8

9 Types of IT Audits System Implementation Review - Example Business process/application controls Report Testing and documentation Testing (unit, volume, user) Data Cleansing and Conversion Segregation of Duties Roll out strategies IT General Controls 9

10 Various Standards and Frameworks COBIT COSO SOX ICFR BASEL II ITIL 10

11 CobIT A framework with 34 high-level control objectives Planning and organization Acquisition and implementation Delivery and support Monitoring and evaluation Use of 36 major IT-related standards and regulations 11

12 ISACA - IS Auditing Standards Framework Framework for the ISACA IS Auditing Standards Standards Guidelines Procedures 12

13 ISACA - IS Auditing Standards Framework Standards Must be followed by IS auditors Guidelines Provide assistance on how to implement the standards Procedures Provide examples for implementing the standards 13

14 ISACA IS Auditing Standards Framework (cont.) Objectives of the ISACA IS Auditing Standards Inform management and other interested parties of the profession s expectations concerning the work of audit practitioners Inform information system auditors of the minimum level of acceptable performance required to meet professional responsibilities set out in the ISACA Code of Professional Ethics 14

15 ISACA IS Auditing Standards Framework (cont.) S1 S2 S3 S4 S5 S6 Audit charter Independence Ethics and Standards Competence Planning Performance of audit work 15

16 ISACA IS Auditing Standards Framework (cont.) S7 S8 S9 S10 S11 Reporting Follow-up activities Irregularities and illegal acts IT Governance Use of risk assessment in audit planning S12 Audit Materiality 16

17 ISACA IS Auditing Standards Framework (cont.) S13 Using the work of other Experts S14 Audit Evidence S15 IT Controls S16 Electronic Commerce 17

18 Skills and Competence An ideal background for an IS Auditor»Business»Auditing»Information Technology 18

19 Skills and Competence (Contd.) Specialized IS skills may be needed for an auditor to: Obtain understanding of the accounting and internal control systems affected by the IS environment. Determine the effect of IS environment on the assessment of risk at each level (e.g. process, account, transactions level) Design and perform appropriate tests of control and substantive procedures e.g. data analytics. 19

20 IS Audit Resource Management & Planning Limited number of IS auditors Maintenance of their technical competence Assignment of audit staff Short and Long term planning Considerations New control issues Changing technologies Changing business processes Enhanced evaluation techniques 20

21 Information Technology Audit - Process An information technology audit, or information systems audit, is an examination of the controls within an Information technology (IT) infrastructure. It is a process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. 21

22 A Typical IS Audit Cycle Planning Understand the Process(s) Walkthrough the Process/Controls. Design of control Test the Controls Operating Effectiveness Conclude and Report 22

23 IS Control Objectives Internal control objectives apply to all areas, whether manual or automated. Therefore, conceptually, control objectives in an IS environment remain unchanged from those of a manual environment. 23

24 Key Controls A key control is a member of a set of controls that management identifies and relies upon in order to mitigate the risk of financial misstatement. In other words it is the main control that addresses the risk. Key Controls are usually identified by management. 24

25 Compensating Controls A compensating control is a control that would be in place to mitigate the risk of damage in the event a key control failed. Example: Key Control may be approval prior to access to systems but if it fails then compensating control might be the monthly monitoring of user access thus minimizing the risk to a period of one month. 25

26 Prevent / Detect Controls Change Management Example Prevent Controls Detect Controls Pre-Production Post Production Production 26

27 Elements of an Effective IT Audit Knowledge Business Technology Best Practice Tools and Methods Checklists Work Programs Automated Tools Guidelines 27

28 Risk Assessment Assessing Information Technology risks Risk assessments should identify, quantify and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. Should be performed periodically to address changes in the environment, security requirements and when significant changes occur. 28

29 Risk Assessment Treatment Treating security risks Each risk identified in a risk assessment needs to be treated. Controls should be selected to ensure that risks are reduced to an acceptable level 29

30 Scoping Areas / Processes in scope Risks identified within the processes / areas Application Scoping Identification of Key and compensating Controls Application Operating System Database 30

31 Scoping Management Controls Strategy DRP Security Policy IT Governance Policies and Procedures Compliance Security Environment Application, Databases Networks etc. IT General Controls Application Controls Optimizing Database Performance Reducing Network Vulnerabilities 31

32 IT Governance Entity Level Controls Controls at the Company Level that create, foster, and sustain a controlled IT environment. Examples: IT Strategic Planning IT Policies and Procedures IT Organization Structure Properly segregated duties Fraud Identification Training and Education Monitoring, and Risk Assessment 32

33 IT General Controls: Layers of Controls Data Business Data Processes 33

34 ITGC Domains ITGC Domains. Program Change Management Logical Access IT Operations (Backup & Recovery, Job scheduling, Problem and Incident Management) 34

35 Change Management Objective: To provide reasonable assurance that only appropriately authorized, tested, and approved changes are made to in-scope systems. Types of changes that fall under change management Program Development/Acquisition Program change Maintenance (Ex: Database, Operating System) Emergency Changes Configuration/Parameter Changes (Ex: Physical hardware configuration and parameter settings) 35

36 Change Management (cont.) Components of the IT Environment: Applications Interfaces DBMS (Database Management System) Network and Operating Systems (OS) Typical Key Controls Changes are Authorized Changes are Tested Changes are Approved Changes are Monitored Duties are appropriately segregated 36

37 Logical Access Objective: To determine that only authorized persons have access to data and applications (including programs, tables, and related resources) and that they can perform only specifically authorized functions. Levels of the logical access path Network / Operating System Application Database 37

38 Logical Access (cont.) General Systems Security Settings Platform Specification Password Configuration Systems User Administration New User setup Change/Transfer Termination 38

39 Logical Access (cont.) Privileged Users User Access Reviews Segregation of Incompatible Duties (SOD) Request access Approve access Provision access 39

40 IT Operations To determine that the critical data is properly backed-up so that it can be accurately and completely recovered if there is a system outage or data integrity issue. To determine that only appropriate users have the ability to make changes to job scheduling. To determine that there is a problem and incident management process in place. 40

41 IT Operations (continued) Backup & Recovery Job Scheduling Problem & Incident Management Data Center Walkthrough Physical Access 41

42 Application Controls An application control is an automated control that is programmed within a system to perform the same function over and over again. Edit Checks Validations Calculations Interfaces Authorizations 42

43 Application Controls Embedded Control System is programmed to perform the control as a result of either custom coding or packaged delivery of that functionality. Configurable Control System has the capacity to perform the control depending on its setup, but may have been configured differently. Used especially in the context of ERP systems. Example A three way match within an application 43

44 Application Controls - Testing Embedded Control Re-performance via walkthrough Inspection of authorization Configurable Control Inspect configuration Re-performance via walkthrough Inspection of authorization Consider manual overrides and the underlying ITGCs. 44

45 IT Dependent Manual Controls An IT Dependent-Manual Control is any control activity where both an individual and an IT output are combined. Example - System generated report review. Consider the underlying ITGCs. 45

46 Data Analytics Also called Computer Assisted Audit Techniques (CAATs). CAATs enable IS auditors to gather information independently. Multiple tools available to perform data analytics. 46

47 Data Analytics (cont.) Functions supported by automated tools File access File reorganization Data selection Statistical functions Arithmetical functions 47

48 Data Analytics (cont.) Considerations before utilizing CAATs Ease of use Training requirements Complexity of coding and maintenance Installation requirements Processing efficiencies Confidentiality of data being processed 48

49 Challenges for IS Auditors Completeness of the Population Time Period Coverage Key Control Tools Scoping Additional Procedures Controls Testing Impact on Application/ITDM testing if ITGC not effective 49

50 Communicating Audit Results Exit interview Correct facts Realistic recommendations Implementation dates for agreed recommendations Presentation techniques Executive summary and Visual presentation 50

51 Communicating Audit Results (cont.) Audit report structure and contents An introduction to the report (e.g. objectives, scope, procedures performed) High level Audit findings and recommendations The IS auditor s overall conclusion and opinion The IS auditor s reservations with respect to the audit Detailed audit findings and recommendations 51

52 Audit Documentation Planning, audit scope and objectives Description on the scoped audit area Audit program(s) Audit steps performed and evidence gathered Other experts used Audit findings, conclusions and recommendations 52

53 Thank You 53

Application controls testing in an integrated audit

Application controls testing in an integrated audit Application controls testing in Application controls testing in an integrated audit Learning objectives Describe types of controls Describe application controls and classifications Discuss the nature,

More information

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014

Electronic Audit Evidence (EAE) and Application Controls. Tulsa ISACA Chapter December 11, 2014 Electronic Audit Evidence (EAE) and Application Controls Tulsa ISACA Chapter December 11, 2014 Agenda Recent IT-related PCAOB inspection themes: Internal control over financial reporting Multi-location

More information

Certified Information Systems Auditor (CISA) Course 1 - The Process of Auditing Information Systems

Certified Information Systems Auditor (CISA) Course 1 - The Process of Auditing Information Systems Certified Information Systems Auditor (CISA) Course 1 - The Process of Auditing Information Systems Slide 1 Course 1 The Process of Auditing Information Systems Slide 2 Topic A Management of the IS audit

More information

4 Testing General and Automated Controls

4 Testing General and Automated Controls 4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn

More information

Certified Information Systems Auditor (CISA)

Certified Information Systems Auditor (CISA) Certified Information Systems Auditor (CISA) Course Introduction Course Introduction Module 01 - The Process of Auditing Information Systems Lesson 1: Management of the Audit Function Organization of the

More information

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister

Using COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.

More information

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc. Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What

More information

Effectively Assessing IT General Controls

Effectively Assessing IT General Controls Effectively Assessing IT General Controls Tommie Singleton UAB AGENDA Introduction Five Categories of ITGC Control Environment/ELC Change Management Logical Access Controls Backup/Recovery Third-Party

More information

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices

IT audit updates. Current hot topics and key considerations. IT risk assessment leading practices IT audit updates Current hot topics and key considerations Contents IT risk assessment leading practices IT risks to consider in your audit plan IT SOX considerations and risks COSO 2013 and IT considerations

More information

An Integrated Approach to Performing Pre-implementation Reviews. Securities Industry and Financial Markets Association February 29, 2012

An Integrated Approach to Performing Pre-implementation Reviews. Securities Industry and Financial Markets Association February 29, 2012 An Integrated Approach to Performing Pre-implementation Reviews Securities Industry and Financial Markets Association February 29, 2012 Andy Ellsweig, Director Technology Risk Advisory Services Discussion

More information

INFORMATION TECHNOLOGY CONTROLS

INFORMATION TECHNOLOGY CONTROLS CHAPTER 14 INFORMATION TECHNOLOGY CONTROLS SCOPE This chapter addresses requirements common to all financial accounting systems and is not limited to the statewide financial accounting system, ENCOMPASS,

More information

Information Technology General Controls (ITGCs) 101

Information Technology General Controls (ITGCs) 101 Information Technology General Controls (ITGCs) 101 Presented by Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Internal Audit Webinar Series Webinar Agenda

More information

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security

More information

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions

Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Frequently Asked Questions Guide to the Sarbanes-Oxley Act: IT Risks and Controls Frequently Asked Questions Table of Contents Page No. Introduction.......................................................................1 Overall

More information

Domain 1 The Process of Auditing Information Systems

Domain 1 The Process of Auditing Information Systems Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge

More information

The Importance of IT Controls to Sarbanes-Oxley Compliance

The Importance of IT Controls to Sarbanes-Oxley Compliance Hosted by Deloitte, PricewaterhouseCoopers and ISACA/ITGI The Importance of IT Controls to Sarbanes-Oxley Compliance 15 December 2003 1 Presenters Chris Fox, CA Sr. Manager, Internal Audit Services PricewaterhouseCoopers

More information

Introduction Seminar: Information and Technology Audit. The Hague, May Ferdinand Uittenbogaard

Introduction Seminar: Information and Technology Audit. The Hague, May Ferdinand Uittenbogaard Introduction Seminar: Information and Technology Audit The Hague, May 2015 Ferdinand Uittenbogaard Content Focus on theoretical backbone of IT-audit: Methodology, fundamental principles, types of controls;

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

Sarbanes-Oxley Control Transformation Through Automation

Sarbanes-Oxley Control Transformation Through Automation Sarbanes-Oxley Control Transformation Through Automation An Executive White Paper By BLUE LANCE, Inc. Where have we been? Where are we going? BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com

More information

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM GENERAL: The Technology department is responsible for the managing of electronic devices and software for the District, as well as the Help Desk for resolution of employee-created help tickets. The subgroups

More information

Internal Financial Controls

Internal Financial Controls Internal Financial Controls Who All Are Responsible? 3 What is Internal Financial Control (IFC)? 5 What is Internal financial controls over financial reporting (ICFR)? Internal Controls Global Perspective

More information

Practical Guidance for Auditing IT General Controls. September 2, 2009

Practical Guidance for Auditing IT General Controls. September 2, 2009 Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income

More information

IT Enabled System : Opportunities & Challenges for Assurance Professionals

IT Enabled System : Opportunities & Challenges for Assurance Professionals IT Enabled System : Opportunities & Challenges for Assurance Professionals Acknowledgements: - ISACA - ITGI - Wikipedia - The Economist - ICMAB - SCB March 31, 2011; ICAB (Chartered Accountant Bhaban)

More information

Auditing Standard 5- Effective and Efficient SOX Compliance

Auditing Standard 5- Effective and Efficient SOX Compliance Auditing Standard 5- Effective and Efficient SOX Compliance September 6, 2007 Presented to: The Dallas Chapter of the Institute of Internal Auditors These slides are incomplete without the benefit of the

More information

CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT S RESPONSIBILITIES AND IMPORTANCE TO THE EXTERNAL AUDITORS

CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT S RESPONSIBILITIES AND IMPORTANCE TO THE EXTERNAL AUDITORS A U D I T I N G A RISK-BASED APPROACH TO CONDUCTING A QUALITY AUDIT 9 th Edition Karla M. Johnstone Audrey A. Gramling Larry E. Rittenberg CHAPTER 3 INTERNAL CONTROL OVER FINANCIAL REPORTING: MANAGEMENT

More information

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives

AUD105-2nd Edition. Auditor s Guide to IT - 20 hours. Objectives AUD105-2nd Edition Auditor s Guide to IT - 20 hours Objectives More and more, auditors are being called upon to assess the risks and evaluate the controls over computer information systems in all types

More information

Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit

Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit D.2.1D Audit of Policy on Internal Control Information Technology General Controls (ITGCs) Audit Office of the Chief Audit Executive Audit and Assurance Services Directorate March 2015 Cette publication

More information

How do the latest best practices on IT Governance, CoBit and Business Service Management impact your Business Continuity Methodology?

How do the latest best practices on IT Governance, CoBit and Business Service Management impact your Business Continuity Methodology? How do the latest best practices on IT Governance, CoBit and Business Service impact your Business Continuity Methodology? Lillibett Machado 06/14/2005 1 Enterprise & IT Governance 2 Enterprise Governance...

More information

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned

Internal Controls over Financial Reporting. Integrating in Business Processes & Key Lessons learned Internal Controls over Financial Reporting Integrating in Business Processes & Key Lessons learned Introduction Stephen McIntyre, CA, CPA (Illinois) Senior Manager at Ernst & Young in the Risk Advisory

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report. Statewide Oracle Database Controls Department of Technology, Management, and Budget Office of the Auditor General Performance Audit Report Statewide Oracle Database Controls Department of Technology, Management, and Budget March 2015 071-0565-14 State of Michigan Auditor General Doug

More information

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition

1. FPO. Guide to the Sarbanes-Oxley Act: IT Risks and Controls. Second Edition 1. FPO Guide to the Sarbanes-Oxley Act: IT Risks and Controls Second Edition Table of Contents Introduction... 1 Overall IT Risk and Control Approach and Considerations When Complying with Sarbanes-Oxley...

More information

Information Technology Auditing for Non-IT Specialist

Information Technology Auditing for Non-IT Specialist Information Technology Auditing for Non-IT Specialist IIA Pittsburgh Chapter October 4, 2010 Agenda Introductions What are General Computer Controls? Auditing IT processes controls Understanding and evaluating

More information

SRA International Managed Information Systems Internal Audit Report

SRA International Managed Information Systems Internal Audit Report SRA International Managed Information Systems Internal Audit Report Report #2014-03 June 18, 2014 Table of Contents Executive Summary... 3 Background Information... 4 Background... 4 Audit Objectives...

More information

State of Oregon. State of Oregon 1

State of Oregon. State of Oregon 1 State of Oregon State of Oregon 1 Table of Contents 1. Introduction...1 2. Information Asset Management...2 3. Communication Operations...7 3.3 Workstation Management... 7 3.9 Log management... 11 4. Information

More information

IT GOVERNANCE TRANSITION ANALYSIS FROM ITIL TO COBIT: CASE STUDY BANKING INDUSTRY IN THAILAND

IT GOVERNANCE TRANSITION ANALYSIS FROM ITIL TO COBIT: CASE STUDY BANKING INDUSTRY IN THAILAND IT GOVERNANCE TRANSITION ANALYSIS FROM ITIL TO COBIT: CASE STUDY BANKING INDUSTRY IN THAILAND Saksri Zuurbier, Kasetsart University, THAILAND Pornthep Anussornnitisarn, Kasetsart University, THAILAND Bordin

More information

San Francisco Chapter. Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young

San Francisco Chapter. Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young Jonathan Shipman, Ernst & Young David Morgan, Ernst & Young Learning Objectives Understand how data analysis can impact/improve business Understand typical data analysis challenges Understand the various

More information

IT Audit for non-it auditors

IT Audit for non-it auditors IT Audit for non-it auditors Cornell Dover Assistant Auditor General 31 March 2013 Overview Objectives of IT auditing Standards Types of audits The IT audit environment Controls IT Governance Facilities

More information

Section 404 Audits of Internal Control and Control Risk

Section 404 Audits of Internal Control and Control Risk Section 404 Audits of Internal Control and Control Risk I. Introduction Preparation Questions: Which of the GAAS fieldwork standards requires and understanding of internal controls? What is the difference

More information

Risikobaseret tilgang til revision

Risikobaseret tilgang til revision Risikobaseret tilgang til revision Hvordan får vi egentlig forholdt os praktisk til ISA 315? v/henrik Nørgaard & Thomas Kühn Structure of the Global Audit Methodology September 2013 Page 2 Phase 1 Planning

More information

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT A Review List This paper was put together with Security in mind, ISO, and HIPAA, for guidance as you move into a cloud deployment Dr.

More information

Domain 5 Information Security Governance and Risk Management

Domain 5 Information Security Governance and Risk Management Domain 5 Information Security Governance and Risk Management Security Frameworks CobiT (Control Objectives for Information and related Technology), developed by Information Systems Audit and Control Association

More information

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland

Audit Report. Effectiveness of IT Controls at the Global Fund Follow-up report. GF-OIG-15-20b 26 November 2015 Geneva, Switzerland Audit Report Effectiveness of IT Controls at the Global Fund Follow-up report GF-OIG-15-20b Geneva, Switzerland Table of Contents I. Background and scope... 3 II. Executive Summary... 4 III. Status of

More information

Auditing Application Controls in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA

Auditing Application Controls in an Oracle EBS Environment. Presented by: Jeffrey T. Hare, CPA CISA CIA Auditing Application Controls in an Oracle EBS Environment Presented by: Jeffrey T. Hare, CPA CISA CIA Presentation Agenda Overview: Introductions Overall system risks related to Application Controls Audit

More information

Auditing Application User Account Security and Identity Management with Data Analytics

Auditing Application User Account Security and Identity Management with Data Analytics Auditing Application User Account Security and Identity Management with Data Analytics James Kidwell, JD, CISA Senior Information Systems Auditor Audit Services Session Agenda and Learning Objectives Brief

More information

IT Controls and COBIT

IT Controls and COBIT Our mission is to build relationships and develop innovative solutions which help dynamic people and organizations to create and realize value... IT Controls and COBIT Presentation 2004 Wöll Consulting,

More information

INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS

INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT (This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective) * CONTENTS Paragraph

More information

Chapter 1 The Principles of Auditing 1

Chapter 1 The Principles of Auditing 1 Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls

More information

Module 6 Documenting Processes and Controls

Module 6 Documenting Processes and Controls A logical place to begin any comprehensive evaluation of internal controls is at the top entity-level controls that might have a pervasive effect on the organization. This includes a consideration of factors

More information

Surviving an IT Audit. Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit Services O Connor & Drew P.C. mhammond@ocd.com www.ocd.

Surviving an IT Audit. Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit Services O Connor & Drew P.C. mhammond@ocd.com www.ocd. Surviving an IT Audit Michael Hammond, CISA, CRISC, CISSP, C EH Director, IT Audit Services O Connor & Drew P.C. mhammond@ocd.com www.ocd.com 1 Who am I? Michael Hammond USAF veteran (IT and paralegal)

More information

ISO27001 Controls and Objectives

ISO27001 Controls and Objectives Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the

More information

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director

High Value Audits: An Update on Information Technology Auditing. Robert B. Hirth Jr., Managing Director High Value Audits: An Update on Information Technology Auditing Robert B. Hirth Jr., Managing Director The technology landscape and its impact on internal audit Technology is playing an ever-growing role

More information

AUDIT USING CERTIFIED KNOWLEDGE TOM ZIMMERMAN SENIOR DIRECTOR, IT AUDITING CLEVELAND CLINIC

AUDIT USING CERTIFIED KNOWLEDGE TOM ZIMMERMAN SENIOR DIRECTOR, IT AUDITING CLEVELAND CLINIC 1 PREPARING FOR AN IT AUDIT USING CERTIFIED KNOWLEDGE TOM ZIMMERMAN SENIOR DIRECTOR, IT AUDITING CLEVELAND CLINIC AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org Biography

More information

GAIT FOR BUSINESS AND IT RISK

GAIT FOR BUSINESS AND IT RISK GAIT FOR BUSINESS AND IT RISK (GAIT-R) The Institute of Internal Auditors March 2008 Table of Contents 1. Introduction...1 2. Executive Summary...2 3. Why GAIT-R?...4 4. The GAIT-R Principles...6 5. GAIT-R

More information

Performance Audit E-Service Systems Security

Performance Audit E-Service Systems Security Performance Audit E-Service Systems Security October 2009 City Auditor s Office City of Kansas City, Missouri 15-2008 October 21, 2009 Honorable Mayor and Members of the City Council: This performance

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Reporting on Control Procedures at Outsourcing Entities

Reporting on Control Procedures at Outsourcing Entities Auditing Guidance Statement AGS 1042 (July 2002) Reporting on Control Procedures at Outsourcing Entities Prepared by the Auditing & Assurance Standards Board of the Australian Accounting Research Foundation

More information

Governance, Risk & Compliance for Public Sector

Governance, Risk & Compliance for Public Sector Governance, Risk & Compliance for Public Sector Steve Hagner EMEA GRC Solution Sales From egovernment to Oracle igovernment Increase Efficiency and Transparency Oracle igovernment

More information

Knowledge Management Series. Internal Audit in ERP Environment

Knowledge Management Series. Internal Audit in ERP Environment Knowledge Management Series Internal Audit in ERP Environment G BALU ASSOCIATES Knowledge Management Series ISSUE-5 ; VOL 1 Internal Audit in ERP Environment APRIL/2012 Editorial Greetings..!!! Raja Gopalan.B

More information

Project Risk and Pre/Post Implementation Reviews

Project Risk and Pre/Post Implementation Reviews Project Risk and Pre/Post Implementation Reviews Material Changes to the System of Internal Control VGFOA Conference (Virginia Beach, VA) May 20, 2015 Agenda/Objectives Understand why system implementations

More information

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH

SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH SAP SECURITY CLEARING THE CONFUSION AND TAKING A HOLISTIC APPROACH WWW.MANTRANCONSULTING.COM 25 Mar 2011, ISACA Singapore SOD SAS70 Project Controls Infrastructure security Configurable controls Change

More information

Information Security Management Systems

Information Security Management Systems Information Security Management Systems Øivind Høiem CISA, CRISC, ISO27001 Lead Implementer Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector

More information

External Penetration Assessment and Database Access Review

External Penetration Assessment and Database Access Review External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

Cybersecurity The role of Internal Audit

Cybersecurity The role of Internal Audit Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government

More information

Governance and Management of Information Security

Governance and Management of Information Security Governance and Management of Information Security Øivind Høiem, CISA CRISC Senior Advisor Information Security UNINETT, the Norwegian NREN About Øivind Senior Adviser at the HE sector secretary for information

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

Independent Auditors' Management Letter

Independent Auditors' Management Letter The Honorable Members of the Polk County District School Board Bartow, Florida Independent Auditors' Management Letter We have audited the financial statements of the governmental activities, the aggregate

More information

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all

More information

Module 2 IS Assurance Services

Module 2 IS Assurance Services Module 2 IS Assurance Services Chapter 2: IS Audit In Phases Phase 2: Part: 2 of 3 CA A.Rafeq 1 Chapter 2: Agenda Chapter 2: IS Audit in Phases Phase1: Plan Phase 2: Execute Phase 3: Report 2 Phase 2:

More information

Our Impacts: accurate base factor data supporting Audit Ready Output

Our Impacts: accurate base factor data supporting Audit Ready Output Our Impacts: accurate base factor data supporting Audit Ready Output Report on third party sourced base factors used within the Our Impacts platform as at 31 January 2014 and the design of internal controls

More information

Fraud and Role of Information Technology. September 2008

Fraud and Role of Information Technology. September 2008 Fraud and Role of Information Technology September 2008 Agenda IT Value Proposition Slide 2 Prior Interpretations of Internal Control Structure Have Addressed Three Separate Parts Which Were Audited Somewhat

More information

NOVEMBER, 2009 CHERYL YARBROUGH TARPLEY & UNDERWOOD, P.C.

NOVEMBER, 2009 CHERYL YARBROUGH TARPLEY & UNDERWOOD, P.C. Proposed Statements on Standards for Accounting and Review Services NOVEMBER, 2009 CHERYL YARBROUGH TARPLEY & UNDERWOOD, P.C. Overview Review of current SSARS and requirements Review of current independence

More information

Meaningful Use and Core Requirement 15

Meaningful Use and Core Requirement 15 Meaningful Use and Core Requirement 15 How can I comply the lack of time and staff... www.compliancygroup.com 1 Meaningful Use and Core Requirement 15 Meaningful Use Protection of Protected Health Information

More information

Brink's Modern. Internal Auditing. Eighth Edition. A Common Body of Knowledge ROBERT R. MOELLER WILEY

Brink's Modern. Internal Auditing. Eighth Edition. A Common Body of Knowledge ROBERT R. MOELLER WILEY Brink's Modern Internal Auditing Eighth Edition A Common Body of Knowledge ROBERT R. MOELLER WILEY Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal

More information

IS Audit and Assurance Guideline 2202 Risk Assessment in Planning

IS Audit and Assurance Guideline 2202 Risk Assessment in Planning IS Audit and Assurance Guideline 2202 Risk Assessment in Planning The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards

More information

IT Services Management Service Brief

IT Services Management Service Brief IT Services Management Service Brief Service Continuity (Disaster Recovery Planning) Prepared by: Rick Leopoldi May 25, 2002 Copyright 2002. All rights reserved. Duplication of this document or extraction

More information

Appendix VIII SAS 70 Examinations of EBT Service Organizations

Appendix VIII SAS 70 Examinations of EBT Service Organizations Appendix VIII SAS 70 Examinations of EBT Service Organizations Background States must obtain an examination by an independent auditor of the State electronic benefits transfer (EBT) service providers (service

More information

GUIDELINE FOR AUDIT OF IT ENVIRONMENT

GUIDELINE FOR AUDIT OF IT ENVIRONMENT EUROPEAN COURT OF AUDITORS AUDIT METHODOLOGY AND SUPPORT GUIDELINE FOR AUDIT OF IT ENVIRONMENT CONTENTS 1 INTRODUCTION... 2 2 AUDITING IN AN IT ENVIRONMENT... 3 3 IT AUDIT APPROACH... 6 3.1 PLANNING PHASE...

More information

IT Infrastructure, Strategy, and Charter Template: ISO 27000 Series Compliant - SOX, HIPAA and PCI-DSS Compliant

IT Infrastructure, Strategy, and Charter Template: ISO 27000 Series Compliant - SOX, HIPAA and PCI-DSS Compliant Brochure More information from http://www.researchandmarkets.com/reports/3031293/ IT Infrastructure, Strategy, and Charter Template: ISO 27000 Series Compliant - SOX, HIPAA and PCI-DSS Compliant Description:

More information

Assessing the Audit Impact of Cloud Computing. kpmg.com

Assessing the Audit Impact of Cloud Computing. kpmg.com Assessing the Audit Impact of Cloud Computing kpmg.com 1 Assessing the Audit Impact of Cloud Computing Cloud Computing Cloud computing is becoming an important IT strategy for entities that need varying

More information

Using Assurance Models in IT Audit Engagements

Using Assurance Models in IT Audit Engagements Using Assurance Models in IT Audit Engagements Adrian Baldwin, Yolanta Beres, Simon Shiu Trusted Systems Laboratory HP Laboratories Bristol HPL-2006-148R1 January 29, 2008* audit, assurance, compliance,

More information

Self-Service SOX Auditing With S3 Control

Self-Service SOX Auditing With S3 Control Self-Service SOX Auditing With S3 Control The Sarbanes-Oxley Act (SOX), passed by the US Congress in 2002, represents a fundamental shift in corporate governance norms. As corporations come to terms with

More information

IT Governance Dr. Michael Shaw Term Project

IT Governance Dr. Michael Shaw Term Project IT Governance Dr. Michael Shaw Term Project IT Auditing Framework and Issues Dealing with Regulatory and Compliance Issues Submitted by: Gajin Tsai gtsai2@uiuc.edu May 3 rd, 2007 1 Table of Contents: Abstract...3

More information

Internal Control Deliverables. For. System Development Projects

Internal Control Deliverables. For. System Development Projects DIVISION OF AUDIT SERVICES Internal Control Deliverables For System Development Projects Table of Contents Introduction... 3 Process Flow... 3 Controls Objectives... 4 Environmental and General IT Controls...

More information

San Francisco Chapter. Information Systems Operations

San Francisco Chapter. Information Systems Operations Information Systems Operations Overview Operations as a part of General Computer Controls Key Areas of focus within Information Systems Operations Key operational risks Controls generally associated with

More information

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act*

The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act* July 2004 *connectedthinking The Use of Spreadsheets: Considerations for Section 404 of the Sarbanes-Oxley Act Introduction

More information

Auditing Applications. ISACA Seminar: February 10, 2012

Auditing Applications. ISACA Seminar: February 10, 2012 Auditing Applications ISACA Seminar: February 10, 2012 Planning Objectives Mapping Controls Functionality Tests Complications Financial Assertions Tools Reporting AGENDA 2 PLANNING Consideration / understanding

More information

Information Technology Internal Controls Part 2

Information Technology Internal Controls Part 2 IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part

More information

ethic Audit Solution

ethic Audit Solution Automation reducing your average time to produce report by 21% ethic Audit Solution Workflow driven audit and compliance platform that enables efficient and effective auditing process ethic is a web based

More information

Introduction to IT Audit

Introduction to IT Audit Introduction to IT Audit January 23, 2008 Who We Are Randy Roehm Technology Risk Director Jason Brucker Technology Risk Manager Zeb Buckner Internal Audit Consultant Zeb.buckner@protiviti.com Darcie Allen

More information

Corporate Governor. New COSO Framework links IT and business process

Corporate Governor. New COSO Framework links IT and business process Corporate Governor Providing vision and advice for management, boards of directors and audit committees Summer 2014 New COSO Framework links IT and business process Michael Rose, Partner, Business Advisory

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement Understanding the Entity and Its Environment 1667 AU Section 314 Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement (Supersedes SAS No. 55.) Source: SAS No. 109.

More information

ow to use CobiT to assess the security & reliability of Digital Preservation

ow to use CobiT to assess the security & reliability of Digital Preservation ow to use CobiT to assess the security & reliability of Digital Preservation Erpa WORKSHOP Antwerp 14-16 April 2004 Greet Volders Managing Consultant - VOQUALS N.V. Vice President & in charge of Education

More information

Master Document Audit Program

Master Document Audit Program Activity Code 11510 B-1 Planning Considerations Information Technology General System Controls Audit Specific Independence Determination Members of the audit team and internal specialists consulting on

More information

Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005

Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005 Comparison of Controls between ISO/IEC 27001:2013 & ISO/IEC 27001:2005 Introduction The new standard ISO/IEC 27001:2013 has been released officially on 1 st October 2013. Since we understand that information

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

Segregation of Duties

Segregation of Duties Segregation of Duties Scott Mitchell, Senior Manager (503) 478-2193 John Earl, Manager (503) 478-2188 January 5, 2010 Our Objectives Clarify the role of Segregation of Duties (SOD) Identify alternatives

More information

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners.

This article will provide background on the Sarbanes-Oxley Act of 2002, prior to discussing the implications for business continuity practitioners. Auditing the Business Continuity Process Dr. Eric Schmidt, Principal, Transitional Data Services, Inc. Business continuity audits are rapidly becoming one of the most urgent issues throughout the international

More information