IT Audit Auditing IT General Controls

Similar documents
Auditing IT General Controls

Testers vs Writers: Pen tests Quality in Assurance Projects. 10 November Defcamp7

Leveraging ediscovery Technology for Internal Audit 2016 Houston IIA 7th Annual Conference

Survey - Governance, Risk and Compliance

How to avoid storms in the cloud. The Australian experience and global trends

Security Hygiene. Be in a defensible position. Be cyber resilient. November 8 th, 2017

HIPAA Privacy, Security and Breach Notification

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cyber Security. It s not just about technology. May 2017

Better together. KPMG LLP s GRC Advisory Services for IBM OpenPages implementations. kpmg.com

A sharper focus on internal controls

The GDPR Are you ready?

Cyber security and awareness for non-financial services. 24/25 May 2017

IT General Controls and Why We Need Them -Dennis McLaughlin, CISA (Cyber AIT) Dennis McLaughlin - Cyber AIT 1

IT Attestation in the Cloud Era

Ahead of the next curve

Physical security advisory services Securing your organisation s future

HIPAA Compliance Checklist

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Clarity on Cyber Security. Media conference 29 May 2018

Making trust evident Reporting on controls at Service Organizations

Never a dull moment. Media Conference «Clarity on Cyber Security» 24 May 2016

Pave the way: Build a value driven SAP GRC roadmap March 2015

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

HOW SAFE IS YOUR DATA? Micho Schumann, KPMG, Cayman Islands

Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan

What Directors and C-Suite professionals need to know kpmg.ca/insuranceconference2017

CYBER CAMPUS KPMG BUSINESS SCHOOL THE CYBER SCHOOL FOR THE REAL WORLD. The Business School for the Real World

California ISO Audit Results for 2011 SSAE 16 & Looking Forward for 2012 December 15, 2011

HIPAA RISK ADVISOR SAMPLE REPORT

Risk Based IT Auditing Master Class. Unlocking your World to a Sea of Opportunities

Webtrends Inc. Service Organization Controls (SOC) 3 SM Report on the SaaS Solutions Services System Relevant to Security

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

January 25, Digital Governments. From KPMG s Harvey Nash survey to a future of opportunities

RSM TECHNOLOGY ACADEMY Syllabus and Agenda TECHNICAL BOOTCAMP FOR MICROSOFT DYNAMICS AX 2012 R3

GDPR: A QUICK OVERVIEW

SAP Security Remediation: Three Steps for Success Using SAP GRC

Trough a cyber security lens

UPGRADING DEVELOPMENT SKILLS

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Cybersecurity: Pre-Breach Preparedness and Post-Breach Duties

SFC strengthens internet trading regulatory controls

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

The Future of IT Internal Controls Automation: A Game Changer. January Risk Advisory

REVIEW OF MANAGEMENT AND OVERSIGHT OF THE INTEGRATED BUSINESS MANAGEMENT SYSTEM (IBMS) January 16, 2009

Release Notes. Sage Master Builder CD

FINMA Circular 2008/21 (Excerpt) IT risk management concept Deal with cyber risk Handling of electronic client data

Strengthening your fraud and cyber-crime protection controls. March 2017

Healthcare Privacy and Security:

Business Continuity Planning

ISO & ISO & ISO Cloud Documentation Toolkit

The Network Integrator Journey

Sparta Systems TrackWise Digital Solution

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

FRAUD-RELATED INTERNAL CONTROLS

Presenter: Ben Miron September 9, 2008

Public Safety Canada. Audit of the Business Continuity Planning Program

Rich Powell Director, CIP Compliance JEA

Safeguarding unclassified controlled technical information (UCTI)

SERVICE ORGANIZATION CONTROL (SOC) REPORTS: WHAT ARE THEY?

Checklist: Credit Union Information Security and Privacy Policies

Information Technology Disaster Recovery Planning Audit Redacted Public Report

VMware BCDR Accelerator Service

Subject: University Information Technology Resource Security Policy: OUTDATED

INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010

STATE OF NORTH CAROLINA OFFICE OF THE STATE AUDITOR BETH A. WOOD, CPA FAYETTEVILLE STATE UNIVERSITY

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Privacy Breach Response and Reporting

SAP Security Remediation: Three Steps for Success Using SAP GRC

ACCOUNTING (ACCT) Kent State University Catalog

13.f Toronto Catholic District School Board's IT Strategic Review - Draft Executive Summary (Refer 8b)

ISO 22301: An Overview of BCM Implementation Process. Presenter: Dejan Kosutic

NYDFS Cybersecurity Regulations

Keys to a more secure data environment

REPORT 2015/186 INTERNAL AUDIT DIVISION

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Session 5: Business Continuity, with Business Impact Analysis

Global Statement of Business Continuity

Terms of Reference for the. IFMS Security review consultancy

Independent Accountant s Report

REPORT 2015/149 INTERNAL AUDIT DIVISION

HEALTH CARE AND CYBER SECURITY:

Position Description IT Auditor

How to Conduct a Business Impact Analysis and Risk Assessment

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Turning Risk into Advantage

Information Technology Risk Assessment

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IIoT cyber security simulation

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

PCI DATA SECURITY STANDARDS VERSION 3.2. What's Next?

Business Continuity Management Standards A Side-by-Side Comparison

CISA ITEM DEVELOPMENT GUIDE

Google Cloud & the General Data Protection Regulation (GDPR)

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

SOC Lessons Learned and Reporting Changes

RISK ASSESSMENTS AND INTERNAL CONTROL CIS CHARACTERISTICS AND CONSIDERATIONS CONTENTS

Internal Audit Report DATA CENTER LOGICAL SECURITY

Building and Testing an Effective Incident Response Plan

Transcription:

IT Audit Auditing IT General Controls

Agenda Introduction IT Audit IT General Controls Overview Access to Programs and Data Program Change & Development Computer Operations Lessons Learned from Regulatory Reviews Questions, Closing Remarks, and Wrap-up

IT Audit

Role of IT in Financial Reporting Process Significant Accounts/Disclosures in Financial Statements Balance Sheet Income Statement Cash Flow Notes Other Classes of Transactions Business Processes Accounts Payable Payroll Financial Reporting IT Environment Financial Applications (application controls) SAP Red Prairie Hyperion Business Events and Transactions IT General Controls (Activities) Access Program Change Program Development Computer Operations

ITGC Workflow Understand the IT environment Identify in-scope systems Review existing documents Conduct interviews Document processes Review process flows Identify and communicate Gaps Finalize ITGC flows and risks Test controls and evaluate deficiencies

IT General Controls Overview

IT General Controls IT General Controls Access to Programs and Data Program Change Program Development Computer Operations Risk: Unauthorized access to data may result in destruction of data or improper changes to data, including the recording of unauthorized or nonexistent transactions or inaccurate recording of transactions. Objective: Adequate controls for access to programs and data have been established to restrict access to properly authorized individuals.

Access to Programs and Data Overview We consider the following access to programs and data components: Policies and procedures User access add/move/termination requests Password requirements Privileged users Physical access Periodic access reviews Appropriateness of access/segregation of duties

IT General Controls IT General Controls Access to Programs and Data Program Change Program Development Computer Operations Risk: Unauthorized changes to systems or programs may result in incomplete or inaccurate data. Objectives: Adequate controls for program changes have been established to help ensure that changes to existing systems/applications are authorized, tested, approved, properly implemented and documented. Adequate controls for program development have been established to help ensure that new systems/applications which are developed or acquired are authorized, tested, approved, properly implemented and documented.

Program Change & Development Overview We consider the following program change and development components: Change and new development methodology Design, authorization, development, testing, and approval Migration to the production environment (SOD) Configuration changes Emergency changes Data migration Post-installation reviews (typically a secondary control) 10

IT General Controls IT General Controls Access to Programs and Data Program Change Program Development Computer Operations Risk: Systems or programs are inaccurately processing data and/or processing inaccurate data. Objective: Adequate controls for computer operations have been established to ensure that system/application processing is appropriately authorized and scheduled and deviations from scheduled processing are identified and resolved.

Computer Operations Overview We consider the following computer operations components: Job processing and monitoring Backup and recovery procedures* Incident and problem management * Disaster Recovery plans are typically not in-scope. Companies need to show that they have adequate controls in place to backup their systems and data, and recover data for financially relevant systems.

Lessons Learned from Regulatory Reviews Completeness and Accuracy of user listings/reports Change Management Testing Re-performance Approach 13

Questions, Closing Remarks, and Wrap-up

Thank you! Paul Torres, Director ptorres@kpmg.com Phone: 480 459 3632 Kati Stojak, Manager kstojak@kpmg.com Phone: 480 459 3520 www.kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. 2014 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback