TAKING THE MYSTERY OUT OF IT AUDIT
|
|
- Junior Rogers
- 5 years ago
- Views:
Transcription
1 TAKING THE MYSTERY OUT OF IT AUDIT What Every Non-IT Auditor Should Know and Every IT Auditor Should Be Able To Tell The Presentation Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates The Conference that Counts, Albany New York Monday March 19, 2018 ROSS WESCOTT is Principle of Wescott and Associates, established in 2016 to provide IT audit, risk, governance, and control consulting to a variety of industries and government. He has experience in IT audit program development and implementation using leading standards including Cobit5 IT governance Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance Risk identification and assessment Controls identification, design and evaluation Data analytics End-to-end IT audit management and execution IT SOX program development and operation Disaster recovery plan development and review, scenario/exercise development and testing Recruiting, team building, development, teaching. Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science. He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the Information Systems Audit and Control Association. He has been published in the major Internal Auditing publications and has been a speaker at conventions and conferences on many Internal Audit topics. 2 1
2 Many internal audit stakeholders continue to view Information Technology (IT) audits as a mysterious world that requires highly specialized skills. However, regulatory requirements, such as the Sarbanes-Oxley Act, highlight that organizations financial reporting and operational performance are dependent on complex information technology. Cybersecurity efforts (not just an IT issue) show that it is difficult to conduct effective audits that do not include an aspect of IT auditing. The days of auditing around the computer are over. This session peels away some of the mystery surrounding IT audits by presenting a plain English, straightforward discussion of risks, control objectives, and control techniques for selected high payback IT audit areas that do not require a large degree of technical expertise. In this session, you will learn: the context for IT Auditing in the realm of internal auditing a base knowledge of the IT control set and auditing and governance some key terms used in IT Auditing 3 The guy who knows about computers is the last person you want to have create documentation for people who do not understand computers. Adam Osborn best known for creating the first commercially available portable computer, the Osborne 1, released in April
3 It is not about accounting controls. Accounting systems and their associated controls promote a source of process and data risk that requires someone who understands the related risk and can help the business mitigate it. It is not about financial auditing. That s reserved for financial auditors including the public accountants. It is not about compliance testing. Believe it or not, in general, there are no international or national rules that IT MUST follow. There are many guidelines, a few targeted regulations, but no set of conforming rules. IT Auditors cannot make IT comply with anything. 5 IT audits are all about determining that the design and function of systems, IT processes, and business processes are effective in reducing the risk to achieving business objectives. 6 3
4 Even though this is from 2010, the sentiment still is valid for today! 7 There are 10 kinds of people in the world: those who understand binary numerals, and those who don't. From Cabinet of Mathematical Curiosities Ian Stewart a professor of mathematics at the University of Warwick, England, and a widely known popular-science and science-fiction writer. 8 4
5 9 IIA Standard 1210 Proficiency 1210.A3 Internal auditors must have sufficient knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing. 10 5
6 GTAG-I Categories of IT Knowledge Category I: Knowledge of IT needed by all professional auditors, from new recruits up through the CAE Category II: Knowledge of IT needed by audit supervisors Category III: Knowledge of IT needed by IT Audit Specialists (Editorial Comment: no kidding!) 11 GTAG-I Category I: Knowledge Understanding concepts such as application software, operating systems and system software, and networks IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls. Understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components. Understanding IT risks without necessarily possessing significant technical knowledge. 12 6
7 There are a number of frameworks COBIT5 ITIL ISO Standard COSO 2012 ISACA. All rights reserved. COBIT 5 is a registered trademark. ITIL, PRINCE2, MSP, MoR, P3M3, P3O, MoP and MoV are registered trade marks of AXELOS Limited 2013ISO/IEC All rights reserved Copyright The Committee of Sponsoring Organizations of the Treadway Commission. All rights reserved
8
9
10 19 Consists of three volumes: Executive Summary Framework and Appendices Illustrative Tools for Assessing Effectiveness of a System of Internal Control Sets out: Definition of internal control Categories of objectives Components and principles of internal control Requirements for effectiveness 20 10
11 Environments changes... Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Demands and complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud have driven Framework updates 21 Proscriptive: Describes how processes should work and focuses on effectiveness and efficiency. Descriptive: Describes what objectives processes ought to achieve. Focus on effectiveness and alignment
12 Traditionally, there are really only 2 groupings of controls in IT IT General Controls IT Application Controls However, there are others that do not traditionally fit Interface controls (control between systems) Database controls Data Configuration Controls IT Governance and Entity Controls 23 Let s start at the very top, most broadly defined set of controls that affect the risk of all IT controls
13 Entity-Level Controls Based on COSO Examples of Entity-Level IT Controls: Integrity and Ethical Values Management Philosophy and Managing Style HR Policies, specifically applied to IT Board and Audit Committee Oversight of IT Communication On-Going Monitoring Many more Not much different from the rest of the organization 25 IT Governance Controls fit within the scope and scheme of the organization s entity-level controls and, again, is driven by COSO. What is IT Governance? Is a subset discipline of corporate governance, focused on IT and its performance and risk management. Not to be confused with IT management, compliance, or controls. The primary focus is stewardship of IT resources for creating value for stakeholders
14 IT Governance is facilitated through the following components: 27 The Five Elements of IT Governance, as defined within Cobit5 s EDM practices, should be used by an audit team to identify the specific governance practices and goals to be reviewed: Strategic Alignment Risk Management Performance Management Resource Management Value Delivery 28 14
15 To err is human - and to blame it on a computer is even more so. Robert Orben an American is an American professional comedy writer, although he also worked as a magician. He has written multiple books on comedy, mostly collections of gags and "one-liners" originally written for his newsletter, Orben's Current Comedy, and has also written books for magicians. In 1973, he was head speechwriter to Vice President Gerald R. Ford
16 By definition, IT General Controls are control activities performed within the IT organization or the technology that they support that can be applied to every system that the organization relies upon. In other words, they are the umbrella under which IT applications systems operate. 31 They are important because: Systems hardware and software applications support all business processes General control concepts can be applied regardless of industry, business line, size, or complexity of the environment. Without effective IT General Controls, reliance on business information is not possible. That s why, in the SOX world, IT SOx concerns itself primarily with IT general controls with some application controls thrown in for good measure
17 Typical Examples Access Control Physical access security Logical access Systems Development and Implementation (SDLC) Change Control Computer Operations Control Backup and Recovery Control Disaster Recovery Control 33 But also: Polices and Procedures IT Training IT Governance Operating and Capital Budgets Audit Trails Encryption Anti-Virus Software And on, and on, and on. Anything that is not application related
18 By definition, IT Application Controls are electronic, manual, or automated controls that typically operate at a detailed business process (cycle or transaction) level and are designed to ensure the integrity of the processed records. 35 There are typically only three kinds of application controls: Input Processing Output But modern systems have necessitated a fourth category: data configuration controls 36 18
19 The purpose of application controls, All input is accurate, complete, authorized, and correct All data is processed as intended All data stored is accurate, secure, and complete All output is accurate and complete All workflow occurs as intended 37 Examples: Input Selection from a drop-down box (e.g., States) Numbers are validated (e.g., number vs. characters) Selections are restricted to a selection (e.g., valid account numbers) 38 19
20 Examples: Processing All records from an interfaced system have been received and processed All disbursements are recorded All accruals meet specified guidelines Depreciation is calculated properly Accruals are accounted for correctly 39 Examples: Output Reports are complete, accurate, and timely Monthly financial statements are accurate Authorized recipients have received their reports, checks, or other critical documents
21 Examples: Configurable Controls Configurable parameters within the application system. Most of the current commercial application systems are heavily dependent on the configuration of various parameter tables. It is appropriate to consider the design of controls over the configuration tables as a separate element of the control design. Mainly for real-time (not batch) systems Combination edits that result in an optional processing path Inventory pulls are routed to the appropriate storeroom for issuing Changes to accounts at receipt of goods are reauthorized by the requesting manager Static data (e.g., CPI index) change is manually reviewed. 41 What makes data configuration activities different and more dangerous? Typically, they fall outside of IT purview and normal control systems Generally, 100% controlled by the business Can be changed at any time without oversight or use of change tracking Changes can be done in secret and changed back with no trace
22 These too are included on the application side: Segregation of Duties using application security access Control overrides Application documentation Data retention cycles
23 Never trust a computer you can't throw out a window. Steve Wozniak nicknamed "The Woz", an American inventor, electronics engineer, programmer, philanthropist, and technology entrepreneur who cofounded Apple Inc. He is known as a pioneer of the personal computer revolution of the 1970s and 1980s, along with Apple co-founder Steve Jobs.Wozniak single-handedly developed the 1976 Apple I and primarily designed the 1977 Apple II, known as one of the first highly successful mass-produced microcomputers. 45 A computer lets you make more mistakes faster than any other invention with the possible exceptions of handguns and Tequila. Mitch Ratcliffe a veteran journalist, media executive and entrepreneur. Author of Extreme Democracy 46 23
24 IT has come back full circle. Computing is more about business not IT; more about achieving objectives than controls (although controls help achieve objectives) There is no mystery that computer hardware and software must serve the business purpose or it has no reason for being. All auditors need to understand that first. The rest will follow. 47 Let Me Make A Bold Statement Except for the most technical of database, security, or operating systems audit work, an experienced auditor could do an audit of IT with an understanding of the business, knowledge of IT components and risk, and The tools offered with COSO and Cobit
25 Any Final Questions? 49 If you have any questions, please feel free to call and have a meaningful conversation: Ross Wescott MA CISA CIA CCP CUERME Principal Wescott and Associates rew5@comcast.net 50 25
26 Thank You! 51 26
Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING
Table of Contents Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING Chapter 1: Significance of Internal Auditing in Enterprises Today: An Update 3 1.1 Internal Auditing History and Background
More informationCOPYRIGHTED MATERIAL. Index
Index 2014 revised COSO framework. See COSO internal control framework Association of Certified Fraud Examiners (ACFE), 666 Administrative files workpaper document organization, 402 AICPA fraud standards
More information354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2
Index Accounts Payable Process Review Procedures Assessments, 191 Actions to Resolve Risks COSO ERM Control Activities, 97 Activity Management COSO ERM Control Activities, 81 AICPA SAS No. 1 Internal Controls
More informationCOBIT 5 With COSO 2013
Integrating COBIT 5 With COSO 2013 Stephen Head Senior Manager, IT Risk Advisory Services 1 Our Time This Evening Importance of Governance COBIT 5 Overview COSO Overview Mapping These Frameworks Stakeholder
More informationVal-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.
Val-EdTM Valiant Technologies Education & Training Services Workshop for CISM aspirants All Trademarks and Copyrights recognized Page 1 of 8 Welcome to Valiant Technologies. We are a specialty consulting
More informationEffective COBIT Learning Solutions Information package Corporate customers
Effective COBIT Learning Solutions Information package Corporate customers Thank you f o r y o u r interest Thank you for showing interest in COBIT learning solutions from ITpreneurs. This document provides
More information"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary
Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business
More informationExam Requirements v4.1
COBIT Foundation Exam Exam Requirements v4.1 The purpose of this document is to provide information to those interested in participating in the COBIT Foundation Exam. The document provides information
More informationA Global Look at IT Audit Best Practices
A Global Look at IT Audit Best Practices 2015 IT Audit Benchmarking Survey March 2015 Speakers Kevin McCreary is a Senior Manager in Protiviti s IT Risk practice. He has extensive IT audit and regulatory
More informationNo IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP
No IT Audit Staff? How to Hack an IT Audit Presenters Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP Learning Objectives After this session, participants will be able to: Devise
More informationCybersecurity & Privacy Enhancements
Business, Industry and Government Cybersecurity & Privacy Enhancements John Lainhart, Director, Grant Thornton The National Institute of Standards and Technology (NIST) is in the process of updating their
More informationKENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)
KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT) 1. DIRECTOR, LEARNING & DEVELOPMENT - LOWER KABETE Reporting to the Director General, Campus Directors will be responsible for
More informationMapping PCI DSS v2.0 With COBIT 4.1 By Pritam Bankar, CISA, CISM, and Sharad Verma
Volume 2, April 2011 Come join the discussion! Pritam Bankar and Sharad Verma will be responding to questions and comments in the discussion area of the COBIT Use It Effectively topic beginning 21 April
More informationTable of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3
Table of Contents Preface xiii PART I: IT GOVERNANCE CONCEPTS Chapter 1: Importance of IT Governance for All Enterprises 3 Chapter 2: Fundamental Governance Concepts and Sarbanes Oxley Rules 9 Sarbanes
More informationCOSO Enterprise Risk Management
COSO Enterprise Risk Management Establishing Effective Governance, Risk, and Compliance Processes Second Edition ROBERT R. MOELLER WILEY John Wiley & Sons, Inc. Contents Preface xi Chapter 1: Introduction:
More informationOpportunities to Integrate Technology Into the Classroom. Presented by:
Opportunities to Integrate Technology Into the Classroom Presented by: Mark Salamasick, CIA, CISA, CRMA, CSP Executive Director of Audit University of Texas System Discussion Topics Internal Audit Textbook
More informationBRING EXPERT TRAINING TO YOUR WORKPLACE.
BRING EXPERT TRAINING TO YOUR WORKPLACE. ISACA s globally respected training and certification programs inspire confidence that enables innovation in the workplace. ISACA s On-Site Training brings a unique
More informationFDIC InTREx What Documentation Are You Expected to Have?
FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the
More information3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework
COSO Revised: Implications for Compliance and Ethics Programs Urton Anderson, CCEP Director of the Von Allmen School of Accountancy and EY Professor The University of Kentucky Session Agenda The COSO Framework
More informationIT Audit Process Prof. Liang Yao Week Two IT Audit Function
Week Two IT Audit Function Why we need IT audit A Case Study What You Can Learn about Risk Management from Societe Generale? https://www.cio.com/article/2436790/security0/what-you-can-learn-about-risk-management-fromsociete-generale.html
More informationInformation Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan
Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan 1 Introduction IT Risk and Compliance Officer in Information Management and Technology
More informationMemphis Chapter. President s Message. This annual event is designed to provide students with a
Memphis Chapter F E B R U A R Y 2 0 1 5 Remember: Update your IIA profile for the most up-to-date news. RSVP for the Annual Student Day February 24, 2015 This annual event is designed to provide students
More informationCOURSE BROCHURE CISA TRAINING
COURSE BROCHURE CISA TRAINING What is CISA? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual within
More informationPosition Description IT Auditor
Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership
More informationAssessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper
Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper What is the history behind Sarbanes-Oxley Act (SOX)? In 2002, the U.S. Senate added the Sarbanes-Oxley Act (SOX) to
More informationTools & Techniques I: New Internal Auditor
About This Course Tools & Techniques I: New Internal Auditor Course Description Learn the basics of auditing at the new internal auditor level. This course provides an overview of the life cycle of an
More informationCOSO Enterprise Risk Management
COSO Enterprise Risk Management COSO Enterprise Risk Management Establishing Effective Governance, Risk, and Compliance Processes Second Edition ROBERT R. MOELLER John Wiley & Sons, Inc. Copyright # 2007,
More informationIT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) Dennis McLaughlin - Cyber AIT 1
IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) 1 Agenda Background ICOFR need for IT General Controls IT General Control Areas Financial Process Example Project Governance
More informationDATA STEWARDSHIP BODY OF KNOWLEDGE (DSBOK)
DATA STEWARDSHIP BODY OF KNOWLEDGE (DSBOK) Release 2.2 August 2013. This document was created in collaboration of the leading experts and educators in the field and members of the Certified Data Steward
More informationISACA Survey Results. 27 April Ms. Nancy M. Morris, Secretary Securities and Exchange Commission 100 F Street NE Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 27 April 2006 Ms. Nancy M. Morris, Secretary
More informationThe Experience of Generali Group in Implementing COBIT 5. Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA
The Experience of Generali Group in Implementing COBIT 5 Marco Salvato, CISA, CISM, CGEIT, CRISC Andrea Pontoni, CISA Generali Group at a glance Let me introduce myself Marco Salvato CISA, CISM, CGEIT,
More informationMay 14, :30PM to 2:30PM CST. In Plain English: Cybersecurity and IT Exam Expectations
May 14, 2018 1:30PM to 2:30PM CST In Plain English: Cybersecurity and IT Exam Expectations Options to Join Webinar and audio Click on the link: https://www.webcaster4.com/webcast/page/584/24606 Choose
More informationCISA Training.
CISA Training www.austech.edu.au WHAT IS CISA TRAINING? The CISA, Certified Information Systems Auditor, is a professional designation which provides great benefits and increased influence for an individual
More informationSOC for cybersecurity
April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory
More informationRisk Based IT Auditing Master Class. Unlocking your World to a Sea of Opportunities
Risk Based IT Auditing Master Class Unlocking your World to a Sea of Opportunities The Digital World Information Technology has developed into a nerve center of every organisation. It has become an intrinsic
More informationCCISO Blueprint v1. EC-Council
CCISO Blueprint v1 EC-Council Categories Topics Covered Weightage 1. Governance (Policy, Legal, & Compliance) & Risk Management 1.1 Define, implement, manage and maintain an information security governance
More information26 February Office of the Secretary Public Company Accounting Oversight Board 1666 K Street, NW Washington, DC
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 26 February 2007 Office of the Secretary Public
More informationArticle II - Standards Section V - Continuing Education Requirements
Article II - Standards Section V - Continuing Education Requirements 2.5.1 CONTINUING PROFESSIONAL EDUCATION Internal auditors are responsible for maintaining their knowledge and skills. They should update
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 14001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 14001 Lead Auditor examination is to ensure that the candidate
More informationAT FIRST VIEW C U R R I C U L U M V I T A E. Diplom-Betriebswirt (FH) Peter Konrad. Executive Partner Senior Consultant
Our Contact Details IT-SCAN GMBH c/o: DOCK3 Hafenstrasse 25-27 68159 Mannheim E: info@it-scan.de W: www.it-scan.de Nationalität Berufserfahrung C U R R I C U L U M V I T A E Diplom-Betriebswirt (FH) Peter
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 38500 Lead IT Corporate Governance Manager The objective of the PECB Certified ISO/IEC 38500 Lead IT Corporate Governance Manager examination is to ensure
More informationWhat is ISO/IEC 27001?
An Introduction to the International Information Security Management Standard By President INTERPROM July 2017 Copyright 2017 by InterProm USA. All Rights Reserved www.interpromusa.com Contents INTRODUCTION...
More informationSingapore Quick Guide to the COSO. Enterprise Risk Management and Internal Control Frameworks Edition
Singapore Quick Guide to the COSO Enterprise Risk Management and Internal Control Frameworks 2016 Edition The Protiviti-SAC COSO Academy The Protiviti-SAC COSO Academy in Singapore was formed by global
More informationSOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions
SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American
More informationThe Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation. ISACA All Rights Reserved.
The Role of Public Sector Audit and Risk Committees in Cybersecurity & Digital Transformation Tichaona Zororo CIA, CISA, CISM, CRISC, CRMA, CGEIT, COBIT 5 Certified Assessor B.Sc. Honours Information Systems,
More informationIT-CNP, Inc. Capability Statement
Securing America s Infrastructure Security Compliant IT Operations Hosting Cyber Security Information FISMA Cloud Management Hosting Security Compliant IT Logistics Hosting 1 IT-CNP, Inc. is a Government
More informationFramewOrk to DeSign and implement ifc
Marketing Partner Hotel Radisson GRT, 15 Leveraging COSO internal COntrOLS FramewOrk to DeSign and implement ifc 8 CPE Hours Networking Opportunities Qualified CIA Faculty about the Seminar The COSO Internal
More informationInternational Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, NY 10017
3701 Algonquin Road, Suite 1010 Telephone: 847.253.1545 Rolling Meadows, Illinois 60008, USA Facsimile: 847.253.1443 Web Sites: www.isaca.org and www.itgi.org 25 April 2008 International Auditing and Assurance
More informationDefinition of Internal Control
Definition of Internal Control - To address and limit potential risks - designed, implemented and maintained by those charged with governance to provide reasonable assurance about the achievement of the
More informationFRAUD-RELATED INTERNAL CONTROLS
GLOBAL HEADQUARTERS THE GREGOR BUILDING 716 WEST AVE AUSTIN, TX 78701-2727 USA TABLE OF CONTENTS I. THE NEED FOR INTERNAL CONTROLS Example... 1 Threats to an Organization s Internal Control Environment...
More informationPREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice
PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here
More informationIS Audit and Assurance Guideline 2002 Organisational Independence
IS Audit and Assurance Guideline 2002 Organisational Independence The specialised nature of information systems (IS) audit and assurance and the skills necessary to perform such engagements require standards
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 9001 Lead Auditor www.pecb.com The objective of the PECB Certified ISO 9001 Lead Auditor examination is to ensure that the candidate possesses
More informationUSING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES
WHITE PAPER USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES Table of Contents I. Overview II. COSO to CobIT III. CobIT / COSO Objectives met by using QualysGuard 2 3 4 Using QualysGuard
More informationISO/IEC overview
ISO/IEC 20000 overview Overview 1. What is ISO/IEC 20000? 2. ISO/IEC 20000 and ITIL 2 BS 15000 BS15000 started in UK and first launched on July 1, 2003. Which was replaced by ISO/IEC 20000 after formal
More informationWeighing in on the Benefits of a SAS 70 Audit for Third Party Administrators
Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators With increasing oversight and growing demands for industry regulations, third party assurance has never been under a keener
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationPECB Certified ISO Lead Auditor. Master the Audit of Occupational Health and Safety Management System (OHSMS) based on ISO 45001
Certified Lead Auditor Master the Audit of Occupational Health and Safety Management System (OHSMS) based on Why should you attend? is the first global Occupational Health and Safety Management System
More informationSolutions Technology, Inc. (STI) Corporate Capability Brief
Solutions Technology, Inc. (STI) Corporate Capability Brief STI CORPORATE OVERVIEW Located in the metropolitan area of Washington, District of Columbia (D.C.), Solutions Technology Inc. (STI), women owned
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified OHSAS 18001 Lead Auditor www.pecb.com The objective of the PECB Certified OHSAS 18001 Lead Auditor examination is to ensure that the candidate
More informationBalancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld
Balancing Compliance and Operational Security Demands Nov 2015 Steve Winterfeld What is more important? Compliance with laws / regulations Following industry best practices Developing a operational practice
More informationIsaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.
Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This
More informationBusiness Process Design and Internal Audit UNIVERSITY OF TEXAS AT DALLAS Course Syllabus Spring 2005
Business Process Design and Internal Audit UNIVERSITY OF TEXAS AT DALLAS Course Syllabus Spring 2005 Instructor: Mark Salamasick, CIA, CISA, CSP Course Number: AIM 6380 Semester Hours: 3 Location: SOM
More informationUK Permanent Salary Index November 2013 Based on registered vacancies and actual placements
UK Permanent Salary Index ember 1 SYSTEM INTEGRATORS & CONSULTANCIES Job Title Guidelines 8 9 2010 2011 2012 Information & Risk IT Officer Project & Risk Consultant Analyst Part of a team in a large organisation
More informationNetwork Instruments white paper
Network Instruments white paper SOX AND IT How the Observer Performance Management Platform can help IT Professionals comply with the data practices components of Sarbanes-Oxley. EXECUTIVE SUMMARY U.S.
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO/IEC 20000 Lead Auditor www.pecb.com The objective of the Certified ISO/IEC 20000 Lead Auditor examination is to ensure that the candidate
More informationOverview: Sponsored By:
Overview: IIA Winnipeg is hosting its third annual full day Fraud Summit on Tuesday, March 15 th. The 2016 Fraud Summit will focus on fraud prevention, deterrence and detection along with topics including
More informationOperations & Technology Seminar. Tuesday, November 8, 2016 Crowne Plaza Monroe, Monroe Township, NJ
Operations & Technology Seminar Tuesday, November 8, 2016 Crowne Plaza Monroe, Monroe Township, NJ Operations & Technology Roundtable Crowne Plaza Monroe, Monroe Township, NJ Tuesday, November 8, 2016
More informationDeciphering Overlapping Standards and Requirements, Using the BCP Genome
Deciphering Overlapping Standards and Requirements, Using the BCP Genome Disaster Recovery Journal Webinar Series February 13, 2013 2013 Strategic BCP, Inc. All rights reserved. strategicbcp.com 1 Today
More informationExam4Tests. Latest exam questions & answers help you to pass IT exam test easily
Exam4Tests http://www.exam4tests.com Latest exam questions & answers help you to pass IT exam test easily Exam : CISM Title : Certified Information Security Manager Vendor : ISACA Version : DEMO 1 / 10
More informationEXAM PREPARATION GUIDE
EXAM PREPARATION GUIDE PECB Certified ISO/IEC 17025 Lead Auditor The objective of the PECB Certified ISO/IEC 17025 Lead Auditor examination is to ensure that the candidate possesses the needed expertise
More informationFill in the attached registration Form and send to fax number or at
Information Security Workshop 7-10 April 2013, Gulf Hotel Key Learning Objectives: 1. Understand Information Security needs 2. Learn About Risk management Essentials 3. Understand Standards and Best Practices
More informationCyber Security in M&A. Joshua Stone, CIA, CFE, CISA
Cyber Security in M&A Joshua Stone, CIA, CFE, CISA Agenda About Whitley Penn, LLP The Threat Landscape Changed Cybersecurity Due Diligence Privacy Practices Cybersecurity Practices Costs of a Data Breach
More informationA New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO
A New Cyber Defense Management Regulation Ophir Zilbiger, CRISC, CISSP SECOZ CEO Personal Background IT and Internet professional (since 1992) PwC (1999-2003) Global SME for Network Director Information
More informationTHE INTERNATIONAL INSTITUTE OF CERTIFIED FORENSIC ACCOUNTANTS, INC. USA. CERTIFIED IN FRAUD & FORENSIC ACCOUNTING (Cr.
THE INTERNATIONAL INSTITUTE OF CERTIFIED FORENSIC ACCOUNTANTS, INC. USA CERTIFIED IN FRAUD & FORENSIC ACCOUNTING (Cr.FFa) BROCHURE Contents INTRODUCTION... 3 THE IICFA... 4 Basic Entry qualifications...
More informationCertified Information Systems Auditor (CISA)
Certified Information Systems Auditor (CISA) 1. Domain 1 The Process of Auditing Information Systems Provide audit services in accordance with IT audit standards to assist the organization in protecting
More informationBPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.
BPS Suite and the OCEG Capability Model Mapping the OCEG Capability Model to the BPS Suite s product capability. BPS Contents Introduction... 2 GRC activities... 2 BPS and the Capability Model for GRC...
More informationFOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY
FOUNDATION CERTIFICATE IN INFORMATION SECURITY v2.0 INTRODUCING THE TOP 5 DISCIPLINES IN INFORMATION SECURITY SUMMARY The Foundation Certificate in Information Security (FCIS) course is designed to provide
More informationSALARY $ $72.54 Hourly $3, $5, Biweekly $8, $12, Monthly $103, $150, Annually
SALARY $49.72 - $72.54 Hourly $3,977.88 - $5,803.27 Biweekly $8,618.75 - $12,573.75 Monthly $103,425.00 - $150,885.00 Annually ISSUE DATE: 03/21/18 THE POSITION DIRECTOR OF CYBER SECURITY OPEN TO THE PUBLIC
More informationGlobal Security Consulting Services, compliancy and risk asessment services
Global Security Consulting Services, compliancy and risk asessment services Introduced by Nadine Dereza Presented by Suheil Shahryar Director of Global Security Consulting Today s Business Environment
More informationThe Integrated Auditor: Becoming the Go-to Resource Your Company Needs APRIL 24, 2018
The Integrated Auditor: Becoming the Go-to Resource Your Company Needs APRIL 24, 2018 Jeff Hemphill Partner and Central Region Leader, Risk Advisory Services Brian Kirkpatrick Managing Director, Risk Advisory
More informationPredstavenie štandardu ISO/IEC 27005
PERFORMANCE & TECHNOLOGY - IT ADVISORY Predstavenie štandardu ISO/IEC 27005 ISMS Risk Management 16.02.2011 ADVISORY KPMG details KPMG is a global network of professional services firms providing audit,
More informationRisk Advisory Academy Training Brochure
Academy Brochure 2 Academy Brochure Cyber Security Our Cyber Security trainings are focused on building your internal capacity to leverage IT related technologies more confidently and manage risk and uncertainty
More informationSession 609 Tuesday, October 22, 2:45 PM - 3:45 PM Track: IT Governance and Security
Session 609 Tuesday, October 22, 2:45 PM - 3:45 PM Track: IT Governance and Security An Overview of Recent Changes to ISO 20000 Ron Lester Enterprise Service Management Consultant, Information Technology
More informationThe Minimum IT Controls to Assess in a Financial Audit (Part II)
The Minimum IT Controls to Assess in a Financial Audit (Part II) Tommie W. Singleton, Ph.D., CISA, CITP, CMA, CPA, is an associate professor of information systems (IS) at the University of Alabama at
More information2018 CALENDAR OF ACTIVITIES
2018 CALENDAR OF ACTIVITIES WHO WE ARE AND WHAT WE OFFER Ý Public Trainings Technical Sessions Reviews GMM Other Chapter Activities Conferences Professionals Night ISACA was incorporated by individuals
More informationAltius IT Policy Collection Compliance and Standards Matrix
Governance Context and Alignment Policy 4.1 4.4 800-26 164.308 12.4 EDM01 IT Governance Policy 5.1 800-30 12.5 EDM02 Leadership Mergers and Acquisitions Policy A.6.1.1 800-33 EDM03 Context Terms and Definitions
More informationQuickBooks Online Security White Paper July 2017
QuickBooks Online Security White Paper July 2017 Page 1 of 6 Introduction At Intuit QuickBooks Online (QBO), we consider the security of your information as well as your customers and employees data a
More informationInformation for entity management. April 2018
Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed
More informationSAS70 Type II Reports Use and Interpretation for SOX
SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background
More informationCOURSE BROCHURE. COBIT5 FOUNDATION Training & Certification
COURSE BROCHURE COBIT5 FOUNDATION Training & Certification What is COBIT5? COBIT 5 (Control Objectives for Information and Related Technology) is an international open standard that defines requirements
More informationITT Technical Institute. IT360 Networking Security I Onsite Course SYLLABUS
ITT Technical Institute IT360 Networking Security I Onsite Course SYLLABUS Credit hours: 4 Contact/Instructional hours: 50 (30 Theory Hours, 0 Lab Hours) Prerequisite(s) and/or Corequisite(s): Prerequisite:
More informationADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT
ADDING BUSINESS VALUE THROUGH EFFECTIVE IT SECURITY MANAGEMENT 1 BY HUSSEIN K. ISINGOMA CISA,FCCA,CIA, CPA, MSC,BBS AG. ASSISTANT COMMISSIONER/INTERNAL AUDIT MINISTRY OF FINANCE, PLANNING AND ECONOMIC
More informationEvaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium
Discussion on: Evaluating Cybersecurity Coverage A Maturity Model Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium By: Eric C. Lovell PricewaterhouseCoopers LLP ( PwC ) March 24,
More informationIT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu
January 30, 2017 1 Corporate Structures Shareholders Governance Level: Board of Directors External Director CFO CEO Legal Counsel External Director Responsible for: Evaluate Direct Monitor Internal Directors
More informationON-DEMAND TRAINING FOR PROFESSIONALS
FACT SHEET ON-DEMAND TRAINING FOR PROFESSIONALS REP ID : 3871 GET PMP CERTIFIED. GROW IN YOUR CAREER GreyCampus offers four day Classroom Training Program on Project Management Professional (PMP ) Certification
More informationISACA CISA Review Course CHAPTER 1 THE IS AUDIT PROCESS
ISACA The recognized global leaders in IT governance, control and assurance 1 2007 CISA Review Course CHAPTER 1 THE IS AUDIT PROCESS 2 1 Chapter Overview 1. Introduction Organization of the IS audit function
More informationAuditing in an Automated Environment: Appendix B: Application Controls
Accountability Modules Auditing in an Automated Environment: Initials Date Agency Prepared By Reviewed By Audit Program - Application W/P Ref Page 1 of 1 The SAO follows control objectives established
More informationROLE DESCRIPTION IT SPECIALIST
ROLE DESCRIPTION IT SPECIALIST JOB IDENTIFICATION Job Title: Job Grade: Department: Location Reporting Line (This structure reports to?) Full-time/Part-time/Contract: IT Specialist D1 Finance INSETA Head
More informationEXAM PREPARATION GUIDE
When Recognition Matters EXAM PREPARATION GUIDE PECB Certified ISO 37001 Lead Auditor www.pecb.com The objective of the Certified ISO 37001 Lead Auditor examination is to ensure that the candidate possesses
More information