Auditing IT General Controls

Size: px
Start display at page:

Download "Auditing IT General Controls"

Transcription

1 Auditing IT General Controls Amanthi Pendegraft and Nadine Yassine September 27, 2017

2 Agenda Introduction and Objectives IT Audit Fundamentals IT General Controls Overview Access to Programs and Data Program Changes Program Development Computer Operations Service Organization Control Reports (SOC) Hot Topics Closing Remarks and Wrap-up 2

3 IT Audit Fundamentals

4 Understanding IT In order to understand the IT risks and controls at an entity, we must first understand the operations of the entity, including the entity s IT environments that are relevant to the audit. This understanding begins with an understanding of the flow of information through the financial and operational process and related IT systems and environment. Relates IT to these relevant financial and operational processes. Identifies the relevant technical components of IT. Documentation may take the form of narratives and/or IT system diagrams and process flow charts. 4

5 Understanding IT (Continued) Understanding of the entity's IT environment may include: An understanding of the overall IT environment Key technology components relevant to financial reporting (e.g. application - including report writers, database - including data warehouses, operating system, network, location) Nature of transactions processed by IT including types of information (e.g. operational, financial, both, etc.) General description of the IT organization, including key functions that may be outsourced (e.g. service organizations) Key members of IT Physical location(s) of IT (e.g. main office and outsourced) The entity's reliance on IT controls for key processes (e.g. key reports, calculations access, etc.) Existence and formality of policies and procedures that are in place to determine that IT controls are implemented in a consistent manner IT strategy / steering committee IT risk management process Internal monitoring of IT (e.g. internal audit function) 5

6 Security Model Overview Application controls achieve process level audit objectives General controls allow for reliance upon application security controls Technology Examples by Layer Application & Manual Controls IT General Controls Processes Applications Data/DBMS Platforms Networks Physical Investments in Real Estate, Revenue, Procure to Pay SAP, Oracle, Hyperion SQL Windows, Unix and other operating systems Local Area Networks (LAN), Wide Area Network (WAN) Server room, Data Center 6

7 Overview of Controls What is a control? Activity that is performed to prevent or detect an error or exception from entering or continuing on in a process. Control identification Identify the risk(s) that threaten process objectives, then identify controls that mitigate risk. Don t mistake process steps for controls. Evaluate whether the control is appropriate in proportion to the risk. 7

8 Types of Controls Performed within significant application(s) to help ensure that transactions are processed appropriately. Application controls could include: Application o o o o System configuration/account mapping Exception/Edit reports, including review of these reports Interface controls, and System access, including enforcing segregation of duties ITGC IT General Controls (ITGC) support the effective functioning of application controls by helping to ensure the continued proper operation of information systems. ITGC s typically apply to applications, operating systems, databases and infrastructure End User Computing (EUC) Relate to spreadsheets and databases used within the financial reporting process and relevant operational processes 8

9 Types of Controls (continued) Preventive Designed to prevent errors or exceptions from being introduced or errors from occurring. Detective Designed to detect errors or exceptions. A detective control is not complete unless it includes corrective action. Corrective Designed to correct errors or exceptions Manual Performed by one or more personnel Automated Performed by an application or computer Combined Performed by personnel in combination with an application or computer system 9

10 IT General Controls Overview

11 Types of ITGCs A general IT control environment is a particular "processing environment" that shares a common set of general IT policies or procedures. General IT control environments may be physically in the same location or in different locations. Access to programs and data Prevent individuals from perpetrating and concealing an error or irregularity. Examples: Access administration; Physical access; Segregation of duties; Privileged user access Program development Program changes Modifications to existing systems/it applications: authorized, tested, approved, properly implemented and documented. Examples: Approval prior to change; Configuration changes Computer operations New systems/it applications which were developed or acquired are authorized, tested (including C&A), approved, properly implemented and documented. Examples: Formal testing and sign-off prior to implementation; Data migration System/IT application processing is appropriately authorized and scheduled and that deviations from scheduled processing are identified and resolved. Examples: Job monitoring (including C&A); Incident and problem management procedures 11

12 Dependency and Linkage Among Processes and Controls Financial Statements Purchasing A/P Operating Expenses Master File Applications Databases Operating Systems 12

13 Linking Determine if test work over ITGCs is appropriate: Do we understand the linkage between the automated controls and the ITGCs we plan to test? We first link specific ITGCs to the relevant application controls that support the ongoing effectiveness of the application control. ITGCs to be considered for testing are those that support the effective operation of application controls of interest. Use walkthrough to help with the linking. Identify ITGCs that cover all layers of the application control (network, OS, database, application), and support the actual operation of the app control. 13

14 IT General Controls General IT Controls Access to Programs and Data Program Changes Program Development Computer Operations 14

15 Access to Program and Data Overview Risk: Unauthorized access to data may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. Objective: Adequate controls for access to programs and data have been established to restrict access to properly authorized individuals. 15

16 Access to Program and Data Overview (continued) We consider the following access to programs and data components: Policies and procedures User access add/move/termination requests Password requirements Privileged users Physical access Periodic access reviews Appropriateness of access/segregation of duties Example Control Periodic reviews of user access are performed to help ensure the appropriateness of assigned access rights, including segregation of duties. Who is responsible for performing the reviews and how often are reviews performed? How is the review tracked? Considerations Does the review include all of the users? (Completeness) Was the review reasonable and include potential conflicts of responsibilities? Were requested changes made? (Accuracy) Were exceptions (e.g., inappropriate access, terminated employee) resolved in a timely manner? 16

17 IT General Controls IT General Controls Access to Programs and Data Program Changes Program Development Computer Operations 17

18 Program Changes and Development Overview Risk: Unauthorized changes to systems or programs may result in incomplete or inaccurate data. Objectives: Adequate controls for program changes have been established to help ensure that changes to existing systems/applications are authorized, tested, approved, properly implemented and documented. Adequate controls for program development have been established to help ensure that new systems/applications which are developed or acquired are authorized, tested, approved, properly implemented and documented. 18

19 Program Changes and Development Overview (continued) We consider the following program change and development components: Change and new development methodology Design, authorization, development, testing, and approval Migration to the production environment (SOD) Configuration changes Emergency changes Data migration Post-installation reviews (typically a secondary control) Example Control Changes (including configuration changes and emergency changes) are authorized and approved prior to release into production How are changes initiated and at what point is approval required? Who is responsible for approving changes? Considerations How are approvals tracked? How are changes tracked? Are approvals required for configuration and emergency changes? 19 19

20 IT General Controls IT General Controls Access to Programs and Data Program Changes Program Development Computer Operations 20

21 Computer Operations Overview Risk: Systems or programs are inaccurately processing data and/or processing inaccurate data. Objective: Adequate controls for computer operations have been established to ensure that system/application processing is appropriately authorized and scheduled, and deviations from scheduled processing are identified and resolved. 21

22 Computer Operations Overview (continued) We consider the following computer operations components: Job processing and monitoring Backup and recovery procedures Incident and problem management Example Control Jobs are monitored to provide reasonable assurance around accuracy, completeness and timeliness of system and data processing. How are jobs scheduled? Considerations Who is responsible for resolving errors/abends? How are errors/abends monitored and resolved? Are errors/abends resolved in a timely manner? 22

23 Impact of ITGC deficiencies Test each relevant ITGC and conclude on its operating effectiveness If we find a deficiency in a ITGC, we obtain an understanding of the impact on relevant application controls If we identify a deficiency in an ITGC, have we evaluated the impact on each related application control? Linking provides a clear understanding of a ITGC deficiency s impact given its link back to affected application controls 23

24 Service Organization Control (SOC) Reports

25 SOC Report Types The AICPA defined three types of SOC reports (summarized below) including reporting guidelines and application of reporting. Internal control over financial reporting Operational controls SOC1* SOC2 SOC3** Summary Detailed report for users and their auditors Detailed report for users, their auditors, and specified parties Short report that can be more generally distributed, with the option of displaying a Web site seal Applicability Focused on financial reporting risks and controls, specified by the service provider Most applicable when the service provider performs financial transaction processing or supports transaction processing systems Focused on: Security Availability Confidentiality Processing Integrity Privacy Applicable to a broad variety of systems * Sometimes also referred to as an SSAE 16, AT 801 or ISAE 3402 report ** Sometimes also referred to as a SysTrust, WebTrust, or Trust Services report 25

26 SOC 1 Reports - Overview Service Organization Control (SOC) reports are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service. The SOC 1 report focuses on controls that are likely relevant to a user entity s internal control over financial reporting (ICOFR). It is intended for the service organization, their customers, and their customers auditors only. These reports are also called SSAE16 reports. 26

27 How to Read a SOC Report Review opinion Review complementary user entity controls o Determine key vs. non-key o Identify existing controls for key complementary user entity controls o Document analysis Review adequacy of testing by the Service Auditor Review exceptions and determine impact 27

28 How to Read a SOC Report (continued) Taking and acting upon SSAE 16 Report information o Identify any gaps in controls related to complementary user entity controls. o Request bridge letter if end of SSAE 16 period does not correspond with the end of the fiscal year end. o Provide to auditors for their review and evaluation. o Determine whether subservice organization reports should be requested. 28

29 User Control Considerations Controls that reside at the service organization. Ultimately the service organization is responsible for this information and controls at their organization and must be mapped where applicable to confirm appropriate coverage. Example UCC 1 Mapped Control Clients should completely test new versions in their test database before requesting the application upgrade in their Production environment. Tests are documented, performed, and approved by both information systems and user personnel. Testing could include: System testing, unit testing, regression testing, and user acceptance testing. Example UCC 2 Mapped Control Clients should inform the service organization of terminated users as soon as possible. Termination of access occurs in a timely manner to reduce unauthorized access

30 Hot Topics

31 Hot Topics Scoping An important IT system was not scoped into the audit (e.g., report writers, databases, front-end systems) IT systems for component audits were improperly scoped out of the audit IT scoping decisions were not documented Impact of consideration of prior year testing results Data flow diagrams are not sufficiently documented and/or key interfaces are not sufficiently tested Reliance on system change control tools to log all system changes and user access reporting tools for listing and testing user access are not included in the scope of testing Cyber Security Evaluate Cyber Security incidents and the related impact on the audit Completeness and Accuracy Lack of completeness and accuracy testing and appropriate supporting evidence over system generated reports (e.g., population of access and change listings) Lack of completeness and accuracy testing and appropriate supporting evidence over Management Prepared Reports that support Business Processes 31

32 Hot Topics (continued) Linking Testwork to Audit Approach, Addressing Test Exceptions Inadequate documentation regarding how IT controls linked to audit approach Test exceptions were noted, however, were not assessed as control deficiencies Control deficiencies were noted, however, the impact on the audit approach was not considered Compensating controls are not sufficiently identified and documented Deficiencies are not aggregated for evaluation or the analysis of the deficiency aggregation is not adequately documented Program Development Relevant risks to the audit not well documented when significant system upgrades or new system implementation occurs at the entity. Test work may be insufficient to address business risks in the event of significant system upgrades or new system implementations. 32

33 Hot Topics (continued) Developer Access to Production: Nature of testing not sufficient where developers were known to have access to production programs. Compensating controls did not mitigate risk of developers with access to production programs and data. Management Review Controls Precision of IT management review was not documented or tested Reports used in IT management review controls were not tested for completeness and accuracy 33

34 Questions and Answers

35 Amanthi Pendegraft Director - Risk Consulting Nadine Yassine Manager Risk Consulting kpmg.com/socialmedia The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. NDPPS The KPMG name and logo are registered trademarks or trademarks of KPMG International.

IT Audit Auditing IT General Controls

IT Audit Auditing IT General Controls IT Audit Auditing IT General Controls Agenda Introduction IT Audit IT General Controls Overview Access to Programs and Data Program Change & Development Computer Operations Lessons Learned from Regulatory

More information

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7 Testers vs Writers: Pen tests Quality in Assurance Projects 10 November 2016 @ Defcamp7 Contents INTRODUCTION CONTEXT WHAT ABOUT AUDITING STANDARDS WHAT ABOUT INDEPENDENCE PEN TEST BETWEEN REGULATORY AND

More information

IT Attestation in the Cloud Era

IT Attestation in the Cloud Era IT Attestation in the Cloud Era The need for increased assurance over outsourced operations/ controls April 2013 Symeon Kalamatianos M.Sc., CISA, CISM Senior Manager, IT Risk Consulting Contents Introduction

More information

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017

Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017 Service Organization Control (SOC) Reports: What they are and what to do with them MARCH 21, 2017 Presenter Colin Wallace, CPA/CFF, CFE, CIA, CISA Partner Colin has provided management consulting and internal

More information

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud FOR LIVE POGRAM ONLY Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud TUESDAY, AUGUST 9, 2016, 1:00-2:50 pm Eastern IMPORTANT INFORMATION FOR THE

More information

Evaluating SOC Reports and NEW Reporting Requirements

Evaluating SOC Reports and NEW Reporting Requirements Evaluating SOC Reports and NEW Reporting Requirements ISACA Kris Lonborg, EY Partner Maria Avedissian, EY Senior Manager September 12, 2013 Agenda Evaluating SOC reports Recent changes made to the SOC1

More information

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers

C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers C22: SAS 70 Practices and Developments Todd Bishop, PricewaterhouseCoopers SAS No. 70 Practices & Developments Todd Bishop Director, Risk Assurance Services, PricewaterhouseCoopers Agenda SAS 70 Background

More information

ISACA Cincinnati Chapter March Meeting

ISACA Cincinnati Chapter March Meeting ISACA Cincinnati Chapter March Meeting Recent and Proposed Changes to SOC Reports Impacting Service and User Organizations. March 3, 2015 Presenters: Sayontan Basu-Mallick Lori Johnson Agenda SOCR Overview

More information

Making trust evident Reporting on controls at Service Organizations

Making trust evident Reporting on controls at Service Organizations www.pwc.com Making trust evident Reporting on controls at Service Organizations 1 Does this picture look familiar to you? User Entity A User Entity B User Entity C Introduction and background Many entities

More information

Understanding and Evaluating Service Organization Controls (SOC) Reports

Understanding and Evaluating Service Organization Controls (SOC) Reports Understanding and Evaluating Service Organization Controls (SOC) Reports Kevin Sear, CPA, CIA, CISA, CFE, CGMA Agenda 1. Why are SOC reports important? 2. Understanding the new SOC-1, SOC-2, and SOC-3

More information

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2 SAAABA Changes in Reports on Service Organization Controls April 18, 2012 Changes in Reports on Service Organization Controls (formerly SAS 70) April 18, 2012 Duane M. Reyhl, CPA Andrews Hooper Pavlik

More information

Cyber Security. It s not just about technology. May 2017

Cyber Security. It s not just about technology. May 2017 Cyber Security It s not just about technology May 2017 Introduction The Internet has opened a new frontier in warfare: everything is networked and anything networked can be hacked. - World Economic Forum

More information

Survey - Governance, Risk and Compliance

Survey - Governance, Risk and Compliance Survey - Governance, Risk and Compliance 2018 emerging trends around GRC : SAP HANA, Continuous Control Monitoring & Data Analytics kpmg.fr KPMG SURVEY RESULTS PARTICIPANTS of CAC40 companies CFO Audit

More information

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports

Retirement of SAS 70 and a new generation of Service Organization Control (SOC) Reports new generation of Service Organization Control (SOC) Reports Presented by: Nina Currigan, KPMG Advisory Manager Karen Krebsbach, Ernst & Young Advisory Manager With you today Nina Currigan Advisory Manager

More information

Contents. Process flow diagrams and other documentation

Contents. Process flow diagrams and other documentation Process flow diagrams and other documentation Contents 1. Audit lessons 2. Process flows 3. Flowcharts 4. Information produced by entity (IPE) 5. Documentation Topic 1: Audit lessons Audit lessons Teams

More information

SOC Reporting / SSAE 18 Update July, 2017

SOC Reporting / SSAE 18 Update July, 2017 SOC Reporting / SSAE 18 Update July, 2017 Agenda SOC Refresher Overview of SSAE 18 Changes to SOC 1 Changes to SOC 2 Quiz / Questions Various Types of SOC Reports SOC for Service Organizations (http://www.aicpa.org/soc4so)

More information

General Information System Controls Review

General Information System Controls Review General Information System Controls Review ECHO Application Software used by the Human Services Department, Broward Addiction Recovery Division (BARC) March 11, 2010 Report No. 10-08 Office of the County

More information

IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) Dennis McLaughlin - Cyber AIT 1

IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) Dennis McLaughlin - Cyber AIT 1 IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) 1 Agenda Background ICOFR need for IT General Controls IT General Control Areas Financial Process Example Project Governance

More information

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

Charting the Course... Certified Information Systems Auditor (CISA) Course Summary Course Summary Description In this course, you will perform evaluations of organizational policies, procedures, and processes to ensure that an organization's information systems align with overall business

More information

How to avoid storms in the cloud. The Australian experience and global trends

How to avoid storms in the cloud. The Australian experience and global trends How to avoid storms in the cloud The Australian experience and global trends Discussion Topics 1. Understanding Cloud and Benefits 2. KPMG research The Australian Experience and Global Trends 3. Considerations

More information

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT?

WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT? CPAs & ADVISORS STRATEGIC ALLIANCE WEBINAR SERIES WHICH SOC REPORT IS RIGHT FOR YOUR CLIENT? June 20, 2017 Cindy Boyle TO RECEIVE CPE CREDIT Participate in entire webinar Answer polls when they are provided

More information

INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010

INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010 INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK Presented by Ronald E. Franke, CISA, CIA, CFE, CICA April 30, 2010 1 Agenda General Accountability Office (GAO) and IT Auditing Federal

More information

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice PREPARING FOR SOC CHANGES AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice On May 1, 2017, SSAE 18 went into effect and superseded SSAE 16. The following information is here

More information

HIPAA Privacy, Security and Breach Notification

HIPAA Privacy, Security and Breach Notification HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance

More information

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions

SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions SOC 2 examinations and SOC for Cybersecurity examinations: Understanding the key distinctions DISCLAIMER: The contents of this publication do not necessarily reflect the position or opinion of the American

More information

A sharper focus on internal controls

A sharper focus on internal controls A sharper focus on internal controls A benchmark study of technology companies kpmg.com Contents 1 Introduction 4 Detailed findings 20 Controls by business processes 30 Respondent demographics 33 About

More information

PeopleSoft Finance Access and Security Audit

PeopleSoft Finance Access and Security Audit PeopleSoft Finance Access and Security Audit City of Minneapolis Internal Audit Department September 20, 2016 1 Contents Page Background... 3 Objective, Scope and Approach... 3 Audit Results and Recommendations...

More information

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com Cybersecurity Presidential Policy Directive Frequently Asked Questions kpmg.com Introduction On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding

More information

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC Chapter 8: SDLC Reviews and Audit... 2 8.1 Learning objectives... 2 8.1 Introduction... 2 8.2 Role of IS Auditor in SDLC... 2 8.2.1 IS Auditor as Team member... 2 8.2.2 Mid-project reviews... 3 8.2.3 Post

More information

Transitioning from SAS 70 to SSAE 16

Transitioning from SAS 70 to SSAE 16 Industry Webinar Series SAS 70 ENDS EXIT TO SSAE 16 Transitioning from SAS 70 to SSAE 16 How Does This Apply to Your Organization? Cindy Boyle, Partner Rodney Walsh, Director BKD IT Risk Services Agenda

More information

Credit Union Service Organization Compliance

Credit Union Service Organization Compliance Credit Union Service Organization Compliance How do SOC reporting and PCI requirements affect your overall compliance strategy? May 15 2012 Your Speakers Dennis Lavin Credit Union Assurance Partner Moderator

More information

The GDPR Are you ready?

The GDPR Are you ready? The GDPR Are you ready? kpmg.ie The GDPR - Overview The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) will come into force from 25th May 2018, replacing the existing data protection

More information

Clarity on Cyber Security. Media conference 29 May 2018

Clarity on Cyber Security. Media conference 29 May 2018 Clarity on Cyber Security Media conference 29 May 2018 Why this study? 2 Methodology Methodology of the study Online survey consisting of 33 questions 60 participants from C-Level (CISOs, CIOs, CTOs) 26

More information

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 APPENDIX 1 REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009 Auditor General s Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto

More information

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security For the Period January 1, 2016 through June 30, 2016 SOC 3 SM SOC 3 is a service

More information

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda

SAS 70 & SSAE 16: Changes & Impact on Credit Unions. Agenda SAS 70 & SSAE 16: Changes & Impact on Credit Unions John Mason CISM, CISA, CGEIT, CFE SingerLewak LLP October 19, 2010 Agenda Statement on Auditing Standards (SAS) 70 background Background & purpose Types

More information

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com Better together KPMG LLP s GRC Advisory Services for IBM OpenPages implementations kpmg.com KPMG A leader in GRC services KPMG LLP (KPMG) is the U.S. member firm of the KPMG global network of professional

More information

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016 Data Protection Practical Strategies for Getting it Right Jamie Ross Data Security Day June 8, 2016 Agenda 1) Data protection key drivers and the need for an integrated approach 2) Common challenges data

More information

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? WHITE PAPER SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY? JEFF COOK DIRECTOR CPA, CITP, CIPT, CISA North America Europe 877.224.8077 info@coalfire.com coalfire.com TABLE OF CONTENTS Summary...

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

Presenter: Ben Miron September 9, 2008

Presenter: Ben Miron September 9, 2008 Understanding IT General Controls Presenter: Ben Miron September 9, 2008 Session Objectives Understand the IT Environment Define and Identify IT General Controls Develop an understanding for the IT audit

More information

Metro. B. KPMG LLP's Management Letter presenting internal control and other. June 30,2009; and. operational matters for considemtion.

Metro. B. KPMG LLP's Management Letter presenting internal control and other. June 30,2009; and. operational matters for considemtion. Metro kos Angeles Caunty Qne Gateway PIaza 213.922, Metropafitan Ttansportatisn Authority Los Angefes, G4 gcralz-zg1;2 rnetr0.n EXECUTfVE MANAGEMENT AND AUDIT COMMITTEE FEBRUARY - 18,2010 SUBJECT: CQMPRENEMSlVE

More information

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017 Security Hygiene Be in a defensible position. Be cyber resilient. November 8 th, 2017 Agenda Getting defensive How will we do it? Basic hygiene stuff Getting started Questions Introductions Over 20 years

More information

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS Introduction If you re a growing service organization, whether a technology provider, financial services corporation, healthcare company, or professional

More information

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit

Internal Audit Report. Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Internal Audit Report Electronic Bidding and Contract Letting TxDOT Office of Internal Audit Objective Review of process controls and service delivery of the TxDOT electronic bidding process. Opinion Based

More information

Cyber security and awareness for non-financial services. 24/25 May 2017

Cyber security and awareness for non-financial services. 24/25 May 2017 Cyber security and awareness for non-financial services 24/25 May 2017 Agenda Robert Kirkby (Jsy) / Linda Johnson (Gsy): Introduction Sion Lloyd-Jones: Cyber Security The need for a cunning plan Teijo

More information

Oracle Buys Automated Applications Controls Leader LogicalApps

Oracle Buys Automated Applications Controls Leader LogicalApps Oracle Buys Automated Applications Controls Leader LogicalApps To strengthen Oracle s Governance, Risk and Compliance Suite with Real-time Policy Enforcement October 26, 2007 Disclaimer The following is

More information

Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference

Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference April 11, 2016 kpmg.com Agenda 1. Survey said 2. Leveraging ediscovery technology to audit risk a. IP threat assessment

More information

Cyber Security Law --- Are you ready?

Cyber Security Law --- Are you ready? Cyber Security Law --- Are you ready? Xun Yang Of Counsel, Commercial IP and Technology 9 May 2017 1 / B_LIVE_APAC1:2207856v1 Content Overview of Cyber Security Law Legislative Development Key Issues in

More information

REPORT 2015/010 INTERNAL AUDIT DIVISION

REPORT 2015/010 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/010 Audit of information and communications technology strategic planning, governance and management in the Investment Management Division of the United Nations Joint

More information

Information for entity management. April 2018

Information for entity management. April 2018 Information for entity management April 2018 Note to readers: The purpose of this document is to assist management with understanding the cybersecurity risk management examination that can be performed

More information

Rich Powell Director, CIP Compliance JEA

Rich Powell Director, CIP Compliance JEA Rich Powell Director, CIP Compliance JEA Review access control requirements CIP-003 and CIP-007 Discuss compliance considerations Implementation Strategies Hints/Tips for audit presentation Account Control

More information

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 www.pwc.com California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011 Agenda SSAE 16 Background Results of Audit Scope of Audit Looking Forward Closing Thoughts Slide 1

More information

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services SSAE 18 & new SOC approach to compliance Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services Agenda 1. SSAE 18 overview 2. SOC 2 + 3. 2017 Trust Services Criteria SSAE 18

More information

Chapter 08. Consideration of Internal Control in an Information Technology Environment. McGraw-Hill/Irwin

Chapter 08. Consideration of Internal Control in an Information Technology Environment. McGraw-Hill/Irwin Chapter 08 Consideration of Internal Control in an Information Technology Environment McGraw-Hill/Irwin Copyright 2012 by The McGraw-Hill Companies, Inc. All rights reserved. Nature of IT Based Systems

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers Identify Protect Detect Respond Recover Identify: Risk Assessments & Management 1. Risk assessments are conducted frequently (e.g. annually, quarterly). 2. Cybersecurity is included in the risk assessment.

More information

SECURITY & PRIVACY DOCUMENTATION

SECURITY & PRIVACY DOCUMENTATION Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive

More information

GDPR: A QUICK OVERVIEW

GDPR: A QUICK OVERVIEW GDPR: A QUICK OVERVIEW 2018 Get ready now. 29 June 2017 Presenters Charles Barley Director, Risk Advisory Services Charles Barley, Jr. is responsible for the delivery of governance, risk and compliance

More information

SAP Security Remediation: Three Steps for Success Using SAP GRC

SAP Security Remediation: Three Steps for Success Using SAP GRC SAP Security Remediation: Three Steps for Success Using SAP GRC All companies need strong application security environments as part of a successful overall risk management strategy. Strong risk-oriented

More information

SOC for cybersecurity

SOC for cybersecurity April 2018 SOC for cybersecurity a backgrounder Acknowledgments Special thanks to Francette Bueno, Senior Manager, Advisory Services, Ernst & Young LLP and Chris K. Halterman, Executive Director, Advisory

More information

UPGRADING DEVELOPMENT SKILLS

UPGRADING DEVELOPMENT SKILLS RSM TECHNOLOGY ACADEMY Syllabus and Agenda UPGRADING DEVELOPMENT SKILLS FOR MICROSOFT DYNAMICS 365 FOR OPERATIONS Course Details 3 Audience 3 At Course Completion 3 Course Cancellation Policy 4 Guaranteed

More information

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017

SOC Updates: Understanding SOC for Cybersecurity and SSAE 18. May 23, 2017 SOC Updates: Understanding SOC for Cybersecurity and SSAE 18 May 23, 2017 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

More information

Auditing in an Automated Environment: Appendix B: Application Controls

Auditing in an Automated Environment: Appendix B: Application Controls Accountability Modules Auditing in an Automated Environment: Initials Date Agency Prepared By Reviewed By Audit Program - Application W/P Ref Page 1 of 1 The SAO follows control objectives established

More information

Position Description IT Auditor

Position Description IT Auditor Position Title IT Auditor Position Number Portfolio Performance and IT Audit Location Victoria Supervisor s Title IT Audit Director Travel Required Yes FOR OAG HR USE ONLY: Approved Classification or Leadership

More information

FINMA Circular 2008/21 (Excerpt) IT risk management concept Deal with cyber risk Handling of electronic client data

FINMA Circular 2008/21 (Excerpt) IT risk management concept Deal with cyber risk Handling of electronic client data FINMA Circular 2008/21 (Excerpt) IT risk management concept Deal with cyber risk Handling of electronic client data dated 22 September 2016 Principle 4: Technological Infrastructure 1 Executive Management

More information

Audit Considerations Relating to an Entity Using a Service Organization

Audit Considerations Relating to an Entity Using a Service Organization An Entity Using a Service Organization 355 AU-C Section 402 Audit Considerations Relating to an Entity Using a Service Organization Source: SAS No. 122; SAS No. 128; SAS No. 130. Effective for audits of

More information

Information Technology General Control Review

Information Technology General Control Review Information Technology General Control Review David L. Shissler, Senior IT Auditor, CPA, CISA, CISSP Office of Internal Audit and Risk Assessment September 15, 2016 Background Presenter Senior IT Auditor

More information

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...

More information

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium

Evaluating Cybersecurity Coverage A Maturity Model. Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium Discussion on: Evaluating Cybersecurity Coverage A Maturity Model Presented to: ISACA Charlotte Chapter Vision for IT Audit 2020 Symposium By: Eric C. Lovell PricewaterhouseCoopers LLP ( PwC ) March 24,

More information

Information Security for Mail Processing/Mail Handling Equipment

Information Security for Mail Processing/Mail Handling Equipment Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the

More information

CITADEL INFORMATION GROUP, INC.

CITADEL INFORMATION GROUP, INC. CITADEL INFORMATION GROUP, INC. The Role of the Information Security Assessment in a SAS 99 Audit Stan Stahl, Ph.D. President Citadel Information Group, Inc. The auditor has a responsibility to plan and

More information

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18 Pierce County Classification Description IT SECURITY OFFICER Department: Information Technology Job Class #: 634900 Pay Range: Professional 18 FLSA: Exempt Represented: No Classification descriptions are

More information

Ahead of the next curve

Ahead of the next curve Ahead of the next curve Clarity on Cyber Security 30 May 2017 #KPMG_Cyber Study results Work on what s now think about what s next Evolution of cyber risk in Switzerland No time to waste to discuss cyber

More information

SAP Security Remediation: Three Steps for Success Using SAP GRC

SAP Security Remediation: Three Steps for Success Using SAP GRC SAP Security Remediation: Three Steps for Success Using SAP GRC All companies need strong application security environments as part of a successful overall risk management strategy. Strong risk-oriented

More information

Maher Duessel Not for Profit Training July Agenda

Maher Duessel Not for Profit Training July Agenda Maher Duessel Not for Profit Training July 2018 Agenda Review of ITGCs Review of IT Checklist Other Security Issues Questions 2 1 Review of General Computer Controls 3 ITGC What is that? Information Technology

More information

Risk Based IT Auditing Master Class. Unlocking your World to a Sea of Opportunities

Risk Based IT Auditing Master Class. Unlocking your World to a Sea of Opportunities Risk Based IT Auditing Master Class Unlocking your World to a Sea of Opportunities The Digital World Information Technology has developed into a nerve center of every organisation. It has become an intrinsic

More information

FDIC InTREx What Documentation Are You Expected to Have?

FDIC InTREx What Documentation Are You Expected to Have? FDIC InTREx What Documentation Are You Expected to Have? Written by: Jon Waldman, CISA, CRISC Co-founder and Executive Vice President, IS Consulting - SBS CyberSecurity, LLC Since the FDIC rolled-out the

More information

CYBER CAMPUS KPMG BUSINESS SCHOOL THE CYBER SCHOOL FOR THE REAL WORLD. The Business School for the Real World

CYBER CAMPUS KPMG BUSINESS SCHOOL THE CYBER SCHOOL FOR THE REAL WORLD. The Business School for the Real World CYBER CAMPUS THE CYBER SCHOOL FOR THE REAL WORLD. KPMG BUSINESS SCHOOL The Business School for the Real World In the real world, cyber security applies to all: large firms and small companies, tech experts,

More information

SOC Lessons Learned and Reporting Changes

SOC Lessons Learned and Reporting Changes SOC Lessons Learned and Reporting Changes Dec. 16, 2014 Your Presenters Today Arshad Ahmed, CISA, CISSP, CPA Leader of SOC and Technology Risk Services for Crowe Rod Smith, CISA, CPA Thought Leader for

More information

Subject: University Information Technology Resource Security Policy: OUTDATED

Subject: University Information Technology Resource Security Policy: OUTDATED Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from

More information

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS CONTENTS Paragraphs Introduction... 1 Organizational Structure... 2 Nature of Processing... 3 Design and Procedural Aspects... 4 Internal Controls in a CIS Environment... 5 General CIS Controls... 6-7

More information

The Future of IT Internal Controls Automation: A Game Changer. January Risk Advisory

The Future of IT Internal Controls Automation: A Game Changer. January Risk Advisory The Future of IT Internal Controls Automation: A Game Changer January 2018 Risk Advisory Contents Introduction 01 Future Operating Models for Managing Internal Controls 02 Summary 07 Introduction Internal

More information

Objectives of the Security Policy Project for the University of Cyprus

Objectives of the Security Policy Project for the University of Cyprus Objectives of the Security Policy Project for the University of Cyprus 1. Introduction 1.1. Objective The University of Cyprus intends to upgrade its Internet/Intranet security architecture. The University

More information

REPORT 2015/149 INTERNAL AUDIT DIVISION

REPORT 2015/149 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results

More information

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017

2017 IT Examination Preparedness. Iowa Bankers 2017 Technology Conference October 24, 2017 2017 IT Examination Preparedness Iowa Bankers 2017 Technology Conference October 24, 2017 1 Disclaimer Materials designed to give general information on the specific subjects covered and are educational

More information

Business Continuity Planning

Business Continuity Planning Information Systems Audit and Control Association www.isaca.org Business Continuity Planning AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE The Information Systems Audit and Control Association With more

More information

SAS70 Type II Reports Use and Interpretation for SOX

SAS70 Type II Reports Use and Interpretation for SOX SAS70 Type II Reports Use and Interpretation for SOX November 19, 2007 Presented by: Erin Erickson, Senior Manager Enterprise Governance and Brenda Karl, Director Technology Risk Management Agenda Background

More information

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines New York Department of Financial Services ( DFS ) Regulation 23 NYCRR 500 requires that entities

More information

Introduction to Automated Controls

Introduction to Automated Controls Introduction to Automated Controls Matthew Hatch, Oliver Petri Agenda Defining Automated Controls The Value of Automated Controls Common Testing Approaches The Concept of 'Benchmarking Questions / Comments

More information

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product.

Isaca EXAM - CISM. Certified Information Security Manager. Buy Full Product. Isaca EXAM - CISM Certified Information Security Manager Buy Full Product http://www.examskey.com/cism.html Examskey Isaca CISM exam demo product is here for you to test the quality of the product. This

More information

Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan

Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan 1 Introduction IT Risk and Compliance Officer in Information Management and Technology

More information

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology 24 October 2017 Content Overview of Cyber Security Law Observations on Implementation of Cyber

More information

Audit Network Security. University System of New Hampshire

Audit Network Security. University System of New Hampshire Audit Network Security Presenter Ashish Jain, CPA, CIA, CISA, CA Director of Internal Audit University System of New Hampshire 1 University System of New Hampshire 34,000 enrolled students 4 institutions

More information

SOC 3 for Security and Availability

SOC 3 for Security and Availability SOC 3 for Security and Availability Independent Practioner s Trust Services Report For the Period October 1, 2015 through September 30, 2016 Independent SOC 3 Report for the Security and Availability Trust

More information

The SOC 2 Compliance Handbook:

The SOC 2 Compliance Handbook: The SOC 2 Compliance Handbook: Your guide to SOC 2 Audit Success The SOC 2 Compliance Handbook Page 2 Table of Contents Abstract 3 Why am I being asked about SOC Compliance? 4 What s the difference between

More information

Introduction to Automated Controls. Jay Swaminathan Senior Manager, SOAProjects. San Francisco Chapter

Introduction to Automated Controls. Jay Swaminathan Senior Manager, SOAProjects. San Francisco Chapter Introduction to Automated Controls Jay Swaminathan Senior Manager, SOAProjects Agenda Defining Automated Controls The Value of Automated Controls Common Testing Approaches ITGC considerations The Concept

More information

Pave the way: Build a value driven SAP GRC roadmap March 2015

Pave the way: Build a value driven SAP GRC roadmap March 2015 www.pwc.be/erp Pave the way: Build a value driven SAP GRC roadmap March 2015 Agenda Introduction Measuring GRC Progression & Benchmarking GRC Program Roadmap Building a Business Case 2 Introduction Pave

More information

Internal Audit Report DATA CENTER LOGICAL SECURITY

Internal Audit Report DATA CENTER LOGICAL SECURITY Internal Audit Report DATA CENTER LOGICAL SECURITY Report No. SC 12 06 June 2012 David Lane Principal IT Auditor Jim Dougherty Principal Auditor Approved Barry Long, Director Internal Audit & Advisory

More information

Exploring Emerging Cyber Attest Requirements

Exploring Emerging Cyber Attest Requirements Exploring Emerging Cyber Attest Requirements With a focus on SOC for Cybersecurity ( Cyber Attest ) Introductions and Overview Audrey Katcher Partner, RubinBrown LLP AICPA volunteer: AICPA SOC2 Guide Working

More information