IT Audit Process Prof. Liang Yao Week Two IT Audit Function

Similar documents
Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

COPYRIGHTED MATERIAL. Index

Weighing in on the Benefits of a SAS 70 Audit for Third Party Administrators

Cybersecurity Conference Presentation North Bay Business Journal. September 27, 2016

Tools & Techniques I: New Internal Auditor

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

PROFESSIONAL SERVICES (Solution Brief)

SQL Compliance Whitepaper HOW COMPLIANCE IMPACTS BACKUP STRATEGY

354 & Index Board of Directors Responsibilities Audit Committee and Risk Committee Coordination, 244 Audit Committee Functions and Responsibilities, 2

OF ACCOUNTANTS IAASB CAG MEETING MARCH 7, 2011

Understanding and Evaluating Service Organization Controls (SOC) Reports

Demonstrating Compliance in the Financial Services Industry with Veriato

Operations & Technology Seminar. Tuesday, November 8, 2016 Crowne Plaza Monroe, Monroe Township, NJ

Position Description IT Auditor

Is Your Compliance Strategy Putting Your Business at Risk?

COBIT 5 With COSO 2013

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

CCISO Blueprint v1. EC-Council

Data Security and Breach Notification Legislative Update: What You Need to Know (SESSION CODE CRM001)

Cyber Security in M&A. Joshua Stone, CIA, CFE, CISA

ITT Technical Institute. IT360 Networking Security I Onsite Course SYLLABUS

Cybersecurity in Higher Ed

Cybersecurity It Matters to SMB

Article II - Standards Section V - Continuing Education Requirements

What To Do When Your Data Winds Up Where It Shouldn t

01.0 Policy Responsibilities and Oversight

Security Awareness Compliance Requirements. Updated: 11 October, 2017

IS305 Managing Risk in Information Systems [Onsite and Online]

Data Security: Public Contracts and the Cloud

IS Audit and Assurance Guideline 2002 Organisational Independence

Table of Contents. Preface xiii PART I: IT GOVERNANCE CONCEPTS. Chapter 1: Importance of IT Governance for All Enterprises 3

Security Breaches: How to Prepare and Respond

IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

Oracle Database Vault

Information Security Risk Strategies. By

Achieving third-party reporting proficiency with SOC 2+

Putting It All Together:

HITRUST CSF: One Framework

HITRUST CSF Assurance Program HITRUST, Frisco, TX. All Rights Reserved.

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

DIPLOMA COURSE IN INTERNAL AUDIT

NYDFS Cybersecurity Regulations

Brink s Modern Internal Auditing. Eighth Edition

CONSIDERATIONS BEFORE MOVING TO THE CLOUD

IBM Internet Security Systems October Market Intelligence Brief

The Evolving Threat to Corporate Cyber & Data Security

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Governance, Risk & Compliance - Management Commitment; Building a GRC Aware Culture.

locuz.com SOC Services

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

COURSE BROCHURE CISA TRAINING

NERC Staff Organization Chart Budget

1 Hitachi ID Access Certifier. 2 Agenda. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications

Cloud Security Implications for Financial Services

NERC Staff Organization Chart Budget 2018

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

IS Audit and Assurance Guideline 2001 Audit Charter

ISACA CISA Review Course CHAPTER 1 THE IS AUDIT PROCESS

IT Attestation in the Cloud Era

AT FIRST VIEW C U R R I C U L U M V I T A E. Diplom-Betriebswirt (FH) Peter Konrad. Executive Partner Senior Consultant

CSF to Support SOC 2 Repor(ng

CISA/CISM/CGEIT. CGEIT Programs Overview Prof. Ing.. Claudio CILLI CISA, CISM, CGEIT, CISSP, CSSLP, CIA, M.Inst.ISP

SYNACK PCI DSS PENETRATION TESTING TECHNICAL WHITE PAPER

CISA Training.

Predstavenie štandardu ISO/IEC 27005

IIA EXAM - IIA-CGAP. Certified Government Auditing Professional. Buy Full Product.

Tracking and Reporting

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

UCOP ITS Systemwide CISO Office Systemwide IT Policy

IBM Fundamentals of Applying Tivoli Security and Compliance Management Solutions V2.

Memphis Chapter. President s Message. This annual event is designed to provide students with a

Assessment and Compliance with Sarbanes-Oxley (SOX) Requirements DataGuardZ Whitepaper

Tokenisation: Reducing Data Security Risk

Exploring Emerging Cyber Attest Requirements

HISTORY: ADMINISTRATION AND COST CONTROL:

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

ISSMP is in compliance with the stringent requirements of ANSI/ISO/IEC Standard

Risk Based IT Auditing Master Class. Unlocking your World to a Sea of Opportunities

Exam Questions IIA-CGAP

Operational Network Security

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

FDIC InTREx What Documentation Are You Expected to Have?

IT Audit Process Prof. Liang Yao Week Six IT Audit Planning

Administrative Directive No. 4: 2011 Continuing Professional Education Requirements for All Certification Programs

Compliance and Privileged Password Management

NERC Staff Organization Chart

The Impact of Cybersecurity, Data Privacy and Social Media

2017 PORT SECURITY SEMINAR & EXPO. ISACA/CISM Information Security Management Training for Security Directors/Managers

The Texas A&M University System Internal Audit Department MONTHLY AUDIT REPORT

Next Generation Policy & Compliance

Mastering SOC-1 Attestation Reports Under SSAE 16: Auditing Service Organizations Controls in the Cloud

NERC Staff Organization Chart Budget 2019

The Evolution of Data Governance Regulations and What IA Departments Need to Know FEBRUARY 27, 2018

SAS 70 SOC 1 SOC 2 SOC 3. Type 1 Type 2

Document Title: IT Security Assessment Questionnaire

The CIA Challenge Exam. August 2018

BHConsulting. Your trusted cybersecurity partner

Unit Compliance to the HIPAA Security Rule

Val-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.

Transcription:

Week Two IT Audit Function

Why we need IT audit A Case Study What You Can Learn about Risk Management from Societe Generale? https://www.cio.com/article/2436790/security0/what-you-can-learn-about-risk-management-fromsociete-generale.html https://www.youtube.com/watch?v=whijjksajs0 Inside threats Segregation of duties Monitoring system and escalation procedures Protecting credentials

A Sample IT Audit Org. Chart CEO Board of Directors/Audit Committee Chief Auditor IT Audit Director Finance Audit Director Infrastructure Auditors Application Auditors Finance Auditors Finance Auditors

IT Audit Engagements General Computer Audit IT Strategy and planning Information security Change management Software and hardware maintenance Disaster Recovery, etc. Target IT Audit Mainframe Windows/Unix/Linux Databases Network Cybersecurity

IT Audit Engagements (cont.) Application Audit Electronic Funds Transfer (EFT) Trading applications Accounting applications Enterprise Risk Management (ERP), etc. Integrated Audit Work with other audit teams (financial, compliance, fraud, etc.) Pre-implementation review SDLC Cloud solution, etc. Continuous Monitoring

Audit Methodology Overview The need of an internal audit document to provide guidance of each audit phase (e.g. Audit Manual) Following the International Professional Practices Framework (IPPF) IT Audit ITFA Sample areas of coverage for methodology: Risk assessment Audit Planning Fieldwork Audit report Issue Tracking, etc.

Audit Methodology Overview Audit subject (audit universe and entities) Audit objective Audit scope Preaudit planning Audit procedures and steps for data gathering Evaluating audit evidence and draw conclusion Communicating results to management Issuing report Tracking status of issue remediation

IT Audit and C.I.A Triad

ITAF A Professional Practice Framework for IT Audit IS Audit and Assurance Standards Mandatory General Standards Performance Standards Reporting Standards IS Audit and Assurance Guidelines IS Audit and Assurance Tools and Techniques

ITAF A Professional Practice Framework for IT Audit General Standards 1001 Audit Charter 1002 Organizational Independence 1003 Professional Independence 1004 Reasonable Expectation 1005 Due Professional Care 1006Proficiency 1007Assertions 1008Criteria

ITAF A Professional Practice Framework for IT Audit Performance Standards 1201 Engagement 1202 Risk Assessment in Planning 1203 Performance and Supervision 1204 Materiality 1205 Evidence 1206 Using the Work of Other Experts 1207 Irregularity and Illegal Acts Reporting Standards 1401 Reporting 1402 Follow-up Activities

CISA Worldwide More than 115,000 professionals have earned the CISA certification since it was established in 1978. The number of current CISAs by region is: Asia: 21,730 Central/South America: 2,440 Europe/Africa: 18,880 North America: 33,640 Oceania: 1,950 Source: https://www.isaca.org/about-isaca/press-room/pages/isaca-certifications-by-region.aspx

IT Audit responsibilities Sample job description https://www.glassdoor.com/job/it-audit-associate-jobs-srch_ko0,18.htm

IT Audit Proficiencies and Certifications Education background Professional job qualifications Relevant working experience Quality of work Certifications: Certified Internal Auditor (CIA) Certified Information System Auditor (CISA) Certified Information System Security Professional (CISSP) Six Sigma (PMP) Continuous Education

IT Audit Phases

IT Audit Phases (cont.)

Effect of Laws and Regulations on IS Audit (cont.) US Heal Insurance Portability and Accountability Act (HIPAA): HIPAA requires that the privacy of health records be protected, wherever they reside or whenever they are moved. That means the impact of HIPAA can be felt by nearly every aspect of IT operations, including messaging, storage, virtualization and even networking, so long as electronic PHI (ephi) records are stored within or transferred over them. In turn, IT must be able to produce evidence of the security of these systems for compliance audits. US Sarbanes Sox (SOX): Internal Control Over Financial Reporting

Effect of Laws and Regulations on IS Audit The Gramm-Leach-Bliley Act (GLBA): also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. FFIEC Regulations: https://ithandbook.ffiec.gov/ PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information.

Ethic Matters Arthur Anderson Case Study Group Assignment #1 Research the failure of Arthur Anderson, one of the Big 5 public accounting firm with over 90 years history providing accounting and auditing services to its clients. Identify any ethic and due diligence related issues that leading to the firm s failure. What can we learn from Arthur Anderson s case.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback