TRAINING SEMINAR COURSE OUTLINE October

Transcription

1 TRAINING SEMINAR COURSE OUTLINE October

2 FACILITATOR S BIOGRAPHY SHAWNA M FLANDERS CRISC, CISM, CISA, CSSGB, SSBB Shawna is the Founder and CEO of Business Technology Guidance Associates, LLC., a consulting firm that believes in collaborative innovation between business and technology - offering your technology and business partners with a unique collection of real world training and consulting services tailored to your organizations unique needs and expectations. My passion rests firmly on three pillars: 1. Enriching companies in building and improving their strategies, programs and underlying processes (primarily within technology, Technology Internal Audit, IT GRC, Technology Related Risk Management, Information Security, BCP/DR, Project Management and Process Reengineering) 2. Mentoring individuals: both in the topics above as well as aiding in their quest for ISACA certifications 3. Enhancing and developing curriculum and other publications to improve the profession. With nearly 29 years of experience in the financial services sector, Shawna brings her real world experience to every engagement. Shawna has completed certificate programs in Risk Management from Kaplan University and Six Sigma Green & Lean/Black Belt from Villanova University. She has also earned the Life Operations Management Association Associate of Customer Service designation and holds the CRISC, CISM, CISA and CSSGB certifications. Shawna has been a chapter, conference and onsite trainer for various organizations since She designs her own course content and also has contributed and/or reviewed multiple publications including ISACA CRISC and CISM Review Manuals and Risk IT and COBIT 5 for Risk. She has also participated in the development of the Risk Management and Assurance ISACA Training Week courses. 1

3 AUDITING BUSINESS APPLICATION SYSTEMS SESSION OBJECTIVES This three-day seminar is designed for financial, operational and information technology auditors who need a technical and operational understanding to audit automated business applications. Focusing on a top-down, risk-based approach to auditing application system transactions, participants will master techniques that can be applied to all types of applications from batch to online to real-time systems. You will learn how to assess key risks and controls in each stage of the application processing cycle and how to prioritize your audit approach to achieve optimal results in an effective and efficient manner. Attendees will discover how to assess all aspects of a business application, including completeness and accuracy of input, processing and output, transaction authorizations, processing flow balancing and reconciliations and controlling high-risk interfaces. You will also learn about IT general control risks and control objectives for critical aspects of the IT infrastructure. You will gain field-tested techniques for identifying, prioritizing, recording, assessing and evaluating application controls and procedures. A detailed case study and audit program will provide step-by-step reinforcement of what you will learn, and you will leave this high-impact seminar with real-world examples of application control risks, control objectives, key application control assessments and testing techniques. Prerequisite: None Advance Preparation: None Learning Level: Basic Delivery Method: Group Live Field: Auditing WHO SHOULD ATTEND? 1. IT, Financial, Operations and Business Applications Auditors. 2. Audit Managers who require an understanding of application controls and audit approaches for business application systems. 2

4 AGENDA 1. INTRODUCTION TO BUSINESS APPLICATION SYSTEMS Types of automated business applications Objectives of an application audit Application control ownership Integrated auditing Data vs. information 2. BUSINESS APPLICATION TRANSACTIONS Transaction-based application auditing Application risk assessment factors Establishing audit priorities 3. TOP-DOWN RISK-BASED PLANNING Planning the application audit Top-down, risk-based planning Defining the business environment and the application s technical environment Performing a business information risk assessment Identifying key transactions Developing a key transaction process flow Evaluating and testing application controls 4. DATA INPUT AND PROCESSING MODELS Comparing pros/cons of input and processing models Batch input/batch processing Online input/batch processing Online input/online processing Real-time input/real-time processing 5. APPLICATION CONTROLS Business applications Information objectives Business application auditing Application transaction life cycle Transaction origination Logical security Completeness and accuracy of input, processing, output Output retention and disposal Data file controls User review, balancing, reconciliation End-user documentation Segregation of duties 3

5 AGENDA 6. IT GENERAL CONTROL OBJECTIVES AND RISKS IT general controls overview IT general controls/application controls relationship COBIT and ISO27002 Physical and logical security Environmental exposures Encryption Systems development Production change management DR/business continuity planning 7. TESTING APPLICATION CONTROLS Testing automated and manual controls Testing alternatives Testing sample size Sampling terminology Negative assurance testing Types of audit evidence Functional/substantive testing CAATs Data analysis 8. DOCUMENTING APPLICATION CONTROLS Evaluating and documenting internal controls Internal control questionnaires Narratives Flowcharts / process flows Control matrix 9. END-USER COMPUTING End user computing risks General IT control, change control and purchased applications risks Spreadsheets: typical errors Spreadsheet risk factors Practical steps for evaluating spreadsheet controls 4

6 AGENDA 10. AUDITING SYSTEM DEVELOPMENT PROJECTS Business risks Audit s primary goals Traditional system development life cycle Rapid application development IA involvement/objectives 11. EXECUTING APPLICATION AUDITS Internal audit process Application audit planning Application risk assessment Determining the audit scope Obtaining planning information Planning memo/audit programs Auditing application controls Testing application controls Audit workpapers and reports Integrated auditing 5