IT Audit Process. Prof. Mike Romeu. January 30, IT Audit Process. Prof. Mike Romeu

Similar documents
NERC Staff Organization Chart Budget 2019

NERC Staff Organization Chart Budget 2019

NERC Staff Organization Chart Budget 2018

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE TRENDS BY FCPAK ERIC KIMANI

NERC Staff Organization Chart Budget 2017

NERC Staff Organization Chart Budget 2017

COURSE BROCHURE. COBIT5 FOUNDATION Training & Certification

COBIT 5 With COSO 2013

IS Audit and Assurance Guideline 2002 Organisational Independence

IS Audit and Assurance Guideline 2001 Audit Charter

NERC Staff Organization Chart

Information Security Governance and IT Governance

ISACA Cincinnati Chapter March Meeting

POSITION DESCRIPTION

VET Quality Framework audit report

Achieving effective risk management and continuous compliance with Deloitte and SAP

CERTIFIED IN THE GOVERNANCE OF ENTERPRISE IT CGEIT AFFIRM YOUR STRATEGIC VALUE AND CAREER SUCCESS

ROI for Your Enterprise Through ISACA A global IS association helping members achieve organisational success.

Governance, Risk & Compliance - Management Commitment; Building a GRC Aware Culture.

A Framework for Managing Crime and Fraud

ISACA. Certification Details for Certified in the Governance of Enterprise IT (CGEIT )

NZQA registered unit standard 8086 version 7 Page 1 of 5. Demonstrate knowledge required for quality auditing

EXAM PREPARATION GUIDE

Invest in. ISACA-certified professionals, see the. rewards.

Auditing and Monitoring in an Effective Institutional Compliance Program

BREAKING BARRIERS TO COLLABORATE WITH THE C-SUITE

KENYA SCHOOL OF GOVERNMENT EMPLOYMENT OPORTUNITY (EXTERNAL ADVERTISEMENT)

Application for Certification

RISK INTELLIGENCE Assurance and efficiency improvement through a robust Enterprise Risk Management approach

SOC for cybersecurity

IT Audit Process Prof. Liang Yao Week Two IT Audit Function

3/13/2015. COSO Revised: Implications for Compliance and Ethics Programs. Session Agenda. The COSO Framework

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

NERC Staff Organization Chart Budget

9 March Assessment Policy for Qualifications and Part Qualifications on the Occupational Qualifications Sub-Framework (OQSF)

Business Continuity Planning

Risk Advisory Academy Training Brochure

ROLE DESCRIPTION IT SPECIALIST

- OQSF - Occupational Qualifications Sub-framework

UKAS accredited Certification Bodies

MetricStream GRC Summit 2013: Case Study

ISO 27001:2013 certification

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Spillemyndigheden s requirements for accredited testing organisations. Version of 1 July 2012

Position Description IT Auditor

Chapter 8: SDLC Reviews and Audit Learning objectives Introduction Role of IS Auditor in SDLC

NERC Staff Organization Chart 2015 Budget

Citation for published version (APA): Berthing, H. H. (2014). Vision for IT Audit Abstract from Nordic ISACA Conference 2014, Oslo, Norway.

CSF to Support SOC 2 Repor(ng

19 March Assessment Policy for Qualifications and Part Qualifications on the Occupational Qualifications Sub-Framework (OQSF)

PROTERRA CERTIFICATION PROTOCOL V2.2

ARMA Professional Qualifications. Marie Garnett Head of Professional Development

IMPLEMENTING SECURITY, PRIVACY, AND FAIR DATA USE PRINCIPLES

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

ACCAB. Accreditation Commission For Conformity Assessment Bodies

Tools & Techniques I: New Internal Auditor

IT MANAGER PERMANENT SALARY SCALE: P07 (R ) Ref:AgriS042/2019 Information Technology Manager. Reporting to. Information Technology (IT)

"Energy and Ecological Transition for the Climate" Label Control and Monitoring Plan Guidelines

INFORMATION TECHNOLOGY ( IT ) GOVERNANCE FRAMEWORK

Val-EdTM. Valiant Technologies Education & Training Services. Workshop for CISM aspirants. All Trademarks and Copyrights recognized.

SSAE 18 & new SOC approach to compliance. Moderator Name: Patricio Garcia Managing Partner ControlCase Attestation Services

IIA EXAM - IIA-CGAP. Certified Government Auditing Professional. Buy Full Product.

Pronouncement 7 CPD v3.0

COBIT 5 Foundation. Certification-led Audit, Security, Governance & Risk

A Global Look at IT Audit Best Practices

PREPARING FOR SOC CHANGES. AN ARMANINO WHITE PAPER By Liam Collins, Partner-In-Charge, SOC Audit Practice

20 February Accreditation of Assessment Centres

SAS 70 Audit Concepts. and Benefits JAYACHANDRAN.B,CISA,CISM. August 2010

AT FIRST VIEW C U R R I C U L U M V I T A E. Diplom-Betriebswirt (FH) Peter Konrad. Executive Partner Senior Consultant

Security and Privacy Governance Program Guidelines

M&A Cyber Security Due Diligence

Quality Assurance and IT Risk Management

Cloud solution consultant

Terms of Participation

Request for Proposal (RFP)

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Workday s Robust Privacy Program

EXAM PREPARATION GUIDE

BENEFITS of MEMBERSHIP FOR YOUR INSTITUTION

CRITERIA FOR CERTIFICATION BODY ACCREDITATION IN THE FIELD OF RISK BASED INSPECTION MANAGEMENT SYSTEMS

COBIT 5 Foundation Certification Training Course - Brochure

POSITION DESCRIPTION

PRODUCT SAFETY PROFESSIONAL CERTIFICATION PROGRAM DETAILS. Overview

IQ Level 4 Award in Understanding the External Quality Assurance of Assessment Processes and Practice (QCF) Specification

Table of Contents. Preface xvii PART ONE: FOUNDATIONS OF MODERN INTERNAL AUDITING

EXAM PREPARATION GUIDE

Rethinking Information Security Risk Management CRM002

Chartered Membership: Professional Standards Framework

Superannuation Transaction Network

SERVICE DESCRIPTION ISO Lex. Certifications

Alberta Reliability Standards Compliance Monitoring Program. Version 1.1

A SERVICE ORGANIZATION S GUIDE SOC 1, 2, & 3 REPORTS

Qualification and Renewal Criteria for certification to engage in the practice of accounting

UK Permanent Salary Index November 2013 Based on registered vacancies and actual placements

UNCONTROLLED IF PRINTED

New Jersey State Legislature Office of Legislative Services Office of the State Auditor. November 16, 2015 to November 30, 2017

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE

EXAM PREPARATION GUIDE

Workshop Item 1 - ISO 9001: 2008 migration

Transcription:

January 30, 2017 1

Corporate Structures Shareholders Governance Level: Board of Directors External Director CFO CEO Legal Counsel External Director Responsible for: Evaluate Direct Monitor Internal Directors Management Level : Management Human Resources Operations Sales and Marketing Information Technology Finance Responsible for: Plan Build Run Monitor

Drive What is the Objective of Governance? Stakeholder Needs Governance Objective: Value Creation Benefit Realization Risk Optimization Resource Optimization 3

Meeting Stakeholder s Needs Many Stakeholders and many definitions of Value Governance Negotiating and deciding amongst different Stakeholder s values and interest Governance System must consider all Stakeholders when making decisions about Benefits Resources Risk Assessment For each decision to make Who receives the benefit? Who bears the risk? What resources are required? 4

Aligning Enterprise and IT Goals Stakeholder s Needs - Driven by Market Changes Competitive Environment New or Changed Technology Changes in Regulatory and Business Environments Stakeholder s Needs help set Enterprise Goals Financial Goals Customer Goals Internal Processes Goals Learning and Growth Enterprise Goals help define IT-related Goals Financial Goals Customer Goals Internal Processes Goals Learning and Growth Enterprise Goals Cascades IT-related Goals Cascades Enabler Goals 5

The Role of the Audit and Assurance Professional Assurance pursuant to an accountability relationship between two or more parties, an IT audit and assurance professional may be engaged to issue a written communication expressing a conclusion about the subject matters to the accountable party. Audit - Formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. Assurance engagements can include: support for audited financial statements, reviews of controls, compliance with required standards and practices, and compliance with agreements, licenses, legislation and regulation. 6

Five Components of Audit and Assurance 1. Three-party relationship, including: The accountable party (auditee) The user of the assurance report Assurance professional 7

Five Components of Audit and Assurance 1. Three-party relationship, including: The accountable party (auditee) The user of the assurance report Assurance professional Accountable Party 8

Five Components of Audit and Assurance 1. Three-party relationship, including: The accountable party (auditee) The user of the assurance report Assurance professional User of assurance report 9

Five Components of Audit and Assurance 1. Three-party relationship, including: The accountable party (auditee) The user of the assurance report Assurance professional 10

Five Components of Audit and Assurance 1. Three-party relationship, including: The accountable party (auditee) The user of the assurance report Assurance professional 2. Subject matter the area within the audit universe that are under review in the assurance assignment. 3. Suitable criteria reference against which the subject is evaluated Usually established by Management Design evaluated by assurance professional 4. Assurance Process structured approach for execution of engagement 5. Conclusions and recommendations Based on observations, facts and documentation Identify control weaknesses and root causes Substantiate the risks Make recommendations 11

Principles of Providing Assurance

Principle 1: Meeting Stakeholder Needs Internal BOD Audit, Risk, Compliance Groups Executive Management Business Management Shareholders and Investors External Auditors Regulators Business Partners Customers and Clients External 13

Assurance Engagement Types Characteristics Self-Assessment Internal Audit/Compliance Review External Audit Independence Requirements Not required or guaranteed Objectivity of self-assessors should be encouraged by defining clear responsibilities and correct followup. Should be optimised by the correct composition of the internal audit/ compliance department members Interested Party (user) Enabler owners Executive management, audit committee, operational management and enabler owners involved Responsible Party (accountable party) Enabler ownwers Management and business enabler owners involved Assurance Provider (assurance professional) Enabler owners Reporting Format and Requirements Free format Internal consistency required Governing Rules/Standards Standardised approaches based on good practices required Level of Trust (reliability) Lowest Depends on the skill and objectivity of the assessor Internal audit/compliance Department Internal consistency required, in line with professional standards Standardised approaches based on good practices required Professional standards and code of ethics to be respected Medium Depends on the skill and expertise of the internal audit/compliance department and on co-operation of the accountable party Independence of the external auditors should be established, verified and maintained. Primarily directed toward the board/shareholders, but of importance to the enterprise in general The board and executive management involved External auditor Highly regulated/standardised Adherence to applicable codes of ethics and standards should be established, verified and maintained. Maximal 14

Governing Rules and Standards IT Audit Framework (ITAF) IT Audit and Assurance Professional Standard Roles and Responsibilities Knowledge and Skills Diligence, Conduct and Reporting Requirements Standards are mandatory Guidelines, tools and techniques aid performance Section Standards Guidelines General 1000 2000 Performance 1200 2200 Reporting 1400 2400 Code of Professional Ethics Guide for professional and personal conduct of members of ISACA and/or its certification holders 15

For Discussion Mark Martinez, Sr. IT Auditor, is preparing his audit plan for the year. Last year s objective was to review the controls for the company s network in preparation for the new e-commerce portal. The new e-commerce portal was successfully rolled out at the end of November 2012 just as he was presenting his audit report to the management team. This year the Executive Director of Web Services has indicated that he prefers to focus the audit on a newly-implemented Mobile Device Management (MDM) system used to manage the ipads deployed to the field (Sales and Marketing). How should you as the auditor respond? 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback