Trends in Information Technology (IT) Auditing




Trends in Information Technology (IT) Auditing Padma Kumar Audit Officer May 21, 2015

Discussion Topics
- Common and Emerging IT Risks
- Trends in IT Auditing
- IT Audit Frameworks & Standards
- IT Audit Plan

Common and Emerging IT Risks
- Cyber Security
- Third Party Risks
- Insider Threat (malicious intent, errors, inappropriate use)
- IT Asset Management
- Business Continuity / IT Resiliency
- Information Security
- Data Management (Security, Availability, Quality, Compliance)
- Newer Technologies (Cloud, Internet of Things, Robotics, 3D Printing)
- Mobile Computing
- Application Development
- Regulatory Compliance

Reviews of Key Risks
- Cyber Security
- Third Party Risks
- Insider Threat
- Business Continuity
- Newer Technologies
- Change Activities (project reviews)

Trends in IT Auditing

Talent Management
- Ensuring appropriate skill sets
- Talent retention, succession planning, cross-training (demand exceeds supply worldwide)
- Leveraging expertise from within the organization and outside

Stakeholder Engagement
- Co-ordination with other assurance providers
- Increased interaction with business owners and non-IT stakeholders

Enterprise Risk Management
- Enterprise view versus siloed view of IT risks
- Linking IT risks to organizational objectives
- End-to-end risk assessment approach
- Increased engagement with the Board of Directors on IT risks

Audit Tools & Approaches
- Ongoing risk assessments (dynamic vs. static)
- Continuous auditing and monitoring
- Data analytics

IT Audit Frameworks and Standards
Some of the frameworks and standards that auditors and risk management professionals use to guide their assessments:
- Control Objectives for Information & Related Technology (COBIT)
- Information Technology Infrastructure Library (ITIL)
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- International Organization for Standardization (ISO)
- National Institute of Standards and Technology (NIST)
- Other national and local guidelines
These help the auditor understand the environment, identify the key controls, evaluate control design, test operating effectiveness and report findings.

IT Audit Frameworks & Standards - COBIT
COBIT was developed by ISACA, previously known as the Information Systems Audit & Control Association; the organization now goes only by the acronym ISACA to reflect the broad range of IT governance professionals it serves.
COBIT 5 was released in April 2012. It consolidates the prior version (COBIT 4.1) with other ISACA frameworks such as Risk IT (IT risk management) and Val IT (IT value delivery), and aligns with other major standards and frameworks in the marketplace such as ITIL and ISO.
COBIT 5 provides a comprehensive framework, including a set of generally accepted IT control objectives, that assists enterprises in achieving their goals and delivering value through effective governance and risk management.
ISACA has also created the Cybersecurity Nexus (CSX) as a knowledge platform for cyber security related topics.

[Figure: COBIT 5 Principles at a Glance. Source: ISACA]

Recent ISACA Publications - Sample Listing
- COBIT 5 for Information Security
- COBIT 5 for Risk
- Vendor Management Using COBIT 5
- Transforming Cybersecurity (CSX publication)
- Implementing the NIST Cybersecurity Framework (CSX publication)
- Managing APTs (CSX publication)
These publications are available to members on ISACA's website, either as free downloads or at a discounted price.

IT Audit Frameworks & Standards - ITIL
The Information Technology Infrastructure Library (ITIL) is a set of concepts and practices for managing IT services. It provides best practices that organizations can adopt to improve overall IT service management and to:
- Help align IT services with the current and future needs of the business
- Improve the quality of IT services
- Reduce the cost of providing IT services
The current version is the ITIL 2011 edition. It is organized around five service lifecycle stages, each with its own set of processes: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
The library is a series of documents, originally developed by the United Kingdom government's Office of Government Commerce (OGC) and owned since 2013 by AXELOS, that can be used to aid implementation.

IT Audit Frameworks & Standards - COSO
COSO stands for the "Committee of Sponsoring Organizations of the Treadway Commission," a nonprofit initiative that in 1992 established a common definition of internal control and created a framework for evaluating the effectiveness of internal controls.
The COSO framework defines internal control as a process, effected by an entity's board of directors, management and other personnel, designed to provide "reasonable assurance" regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
COSO divides internal control into five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring.
In 2004 COSO published the Enterprise Risk Management - Integrated Framework, which expands on internal control and provides a broader, enterprise-wide focus.
COSO updated its 1992 framework and issued the revision in May 2013. The revised framework, Internal Control - Integrated Framework: 2013, includes seventeen (17) principles representing the fundamental concepts associated with the five (5) components of internal control.
In January 2015 COSO published a document titled "COSO in the Cyber Age" to explain how the 2013 framework can help organizations evaluate and manage cyber risks.

IT Audit Frameworks & Standards - COSO
[Figure: The 17 principles, grouped according to the applicable COSO component. Source: COSO]

IT Audit Frameworks & Standards - ISO & NIST
ISO publishes international standards, technical reports and specifications that organizations can use as a guide when implementing control processes.
ISO/IEC 27002 is a widely used code of practice for information security controls (the companion to the ISO/IEC 27001 management-system standard); an updated edition was published in 2013.
ISO/IEC 27032, published in July 2012, provides guidelines for cyber security.
NIST is a United States federal agency that develops and promotes measurement, standards, and technology.
NIST Special Publication 800-53 is a widely used catalog of security and privacy controls for information systems.
In February 2014 NIST introduced the Framework for Improving Critical Infrastructure Cybersecurity, and it has since engaged with stakeholders in the public and private sectors to discuss and disseminate guidelines and practice advisories.

IT Audit Frameworks & Standards - Other Guidelines
In the United States, legislation relating to cyber security assessments and cyber threat information sharing has either already been passed or is under debate in the U.S. Congress.
U.S. federal and state regulatory bodies have also released standards and guidelines relating to cyber security, third party risk management, data privacy, and business resiliency, and more are expected.
The European Parliament voted in 2014 for a cyber security directive intended to improve cyber security in the European Union by establishing common security standards.
Several other nations have also passed legislation or guidelines relating to cyber security and other emerging risks, or are in the process of doing so.

Developing an IT Audit Plan
Per the Institute of Internal Auditors (IIA), defining an IT Audit Plan involves knowledge of the business and its supporting IT processes, and developing an understanding of how business operations and IT services support the organizational objectives.
Source: Institute of Internal Auditors

IT Audit Plan at FRB New York
Our IT Audit Plan at the Federal Reserve Bank of New York is based on a combination of IT processes, IT infrastructure services and organizational units. It was developed by identifying and understanding:
- Organization strategies and business objectives
- Key business processes
- IT service support model
- Applications and technology infrastructure
- Change activities
Work executed by IT Audit includes:
- Performing IT process & infrastructure audits
- Participation in integrated audits of business processes
- Project reviews
- Consulting on new initiatives
- Ongoing liaison activities

Conclusion - Key Reminders
- Changes in technology and processes introduce new risks, and major technology changes are expected by 2020!
- The importance of technology should be viewed within the context of business objectives ("business speak" vs. "IT speak").
- Increased co-ordination among assurance providers to leverage each other's risk and control assessments, and increased involvement from business owners and non-IT stakeholders, including the Board of Directors.
- The IT Audit Plan should be flexible and updated as needed to adapt to changes, and ideally based on internationally accepted frameworks to increase credibility and acceptance with clients.
- Talent management has become critical, with demand exceeding supply for skills in IT audit, IT risk and IT security worldwide.