This document provides an overview of IT auditing from the Office of Internal Audit and Compliance. It outlines the audit methodology, which takes a top-down, risk-based approach to evaluate key business functions and their associated controls. The scope of audits is determined through a risk assessment process. Audits focus on high impact, high probability risks and assess whether critical processes have defined, documented controls that are periodically evaluated. The document reviews the types of audits conducted, factors in the audit selection process, and the overall engagement plan methodology.
This document provides an overview of Domain 1 of the CISA exam, which covers auditing information systems. It discusses key concepts including:
- Audit planning, which involves understanding the business, environment, prior work, risk analysis, and developing an audit plan.
- Risk analysis, which is part of audit planning and helps identify risks and vulnerabilities to determine necessary controls.
- Internal controls, which are policies and procedures to reduce risks. They can be preventive, detective, or corrective.
- COBIT, a framework from ISACA for governance and management of enterprise IT. It is based on principles and enablers.
- Risk-based auditing approaches audit risk through understanding
The document provides information on conducting risk assessments and audits. It discusses key aspects of the audit process including establishing an audit charter, planning audits, assessing risks, and evaluating assets, threats, and vulnerabilities. Some key points:
1) An audit charter outlines the audit's scope, responsibilities, objectives, and authority. It requires senior management approval.
2) Developing an audit plan involves understanding the business, assessing risks, setting objectives and scope, and devising an audit strategy. The biggest challenge is matching resources to the plan.
3) Risk assessment identifies assets, threats, vulnerabilities, and safeguards. It values assets, estimates likelihood of threats, and calculates potential losses to inform risk treatment.
The document provides an overview of business continuity planning (BCP) by outlining key concepts such as objectives, approaches, dimensions of scope, and entry points. It discusses satisfying audit requirements, rebuilding infrastructure, resuming business activities, and ensuring customer service as potential objectives. The document also describes infrastructure, business, and business risk-based approaches and entry points. Finally, it provides examples of identifying business processes, information flows, infrastructure dependencies, and assessing risks.
The auditing process for an HR audit involves 6 steps: 1) An orientation meeting between key staff to discuss important issues and develop an audit plan and procedures. 2) Scanning available personnel information. 3) Surveying employees through interviews with managers and representatives. 4) Conducting interviews using questions developed in step 2. 5) Synthesizing the data gathered to present the current situation, priorities, staff patterns, and issues identified. 6) Reporting results through discussions with managers and specialists and a formal report identifying important issues.
SAP security compliance tools (PennonSoft)
The document discusses using security compliance tools to detect and prevent security and controls violations in SAP systems. It outlines increased regulatory focus on security, risks like access control and segregation of duties issues, and how tools can help with real-time monitoring, resolving segregation of duties issues, and providing automated analysis and monitoring to assess authorization compliance. The benefits of these tools are that they can run with SAP, automate separation of duties analysis and monitoring of critical transactions, and provide quick assessments to business users, auditors, and security staff while avoiding manual analysis and false positives.
The document provides a summary of Drefus Tarpkin's professional experience, qualifications, and skills. It outlines over 15 years of experience in areas such as internal audit, business analysis, financial and IT audit, project management, risk management, and more. Tarpkin has significant experience managing and performing audits across various industries. Additional experience includes education consulting, SOX compliance, accounting, and information systems auditing. Tarpkin's skills include expertise in auditing, identifying risks and opportunities, and building business partnerships.
This document defines and describes various types of audit tests that can be used to validate process measures and controls. It provides a table that defines 16 common types of audit tests, including facilitated meetings, interviewing, questioning, observation and inspection, documentation review, and analytical review. For each test, it describes the test, provides advantages and disadvantages, and gives an example of how the test could be applied.
The document discusses key concepts in auditing information systems, including defining internal and external audits, describing the five phases of the audit cycle, and outlining components of an effective internal control system such as preventive, detective, and corrective controls.
This document discusses auditing application controls, including:
1. Defining application controls and distinguishing them from IT general controls. Application controls are specific to a program or system supporting a business process, while IT general controls apply across the entire IT environment.
2. The role of internal auditors in assessing risks related to applications, scoping application control reviews, and determining appropriate audit approaches. This involves understanding business processes, specialized resources that may be needed, and testing techniques.
3. Risk assessment of applications, including assessing inherent risks related to the nature of the technology and how systems are configured and used. Application controls and IT general controls aim to mitigate risks to integrity, completeness, timeliness and availability of data.
This document describes CheckAud, a software tool for auditing authorizations in SAP systems. It provides functions for authorization audits, segregation of duties checks, analysis of critical authorizations, user authorization reports, and simulation of authorization changes. The tool includes predefined analysis templates for SAP modules and helps ensure audits are comprehensive and efficient.
This document provides an overview of an internal risk assessment process presentation. It outlines the presentation agenda, which includes discussions of internal control frameworks like COSO and COBIT, risk assessment techniques, risk identification mapping, and the components of internal control. It also details the key aspects of each presentation section, such as defining internal control, its objectives, and management and auditor responsibilities regarding internal control assessment.
Key considerations for your internal audit plan (essbaih)
The document discusses emerging risks and areas of focus for internal audit plans, providing examples of audits that can deliver value in these areas. It includes a "risk radar" depicting risks by business function, from financial to strategic. For accounting, it identifies emerging issues including changes to accounting standards globally and in various countries. It provides examples of impactful audits in accounting such as reviewing accounting policies and statutory reporting. It poses key questions for evaluating risks and opportunities in these areas.
Everything You Need To Know About Internal Control Reviews (Adriana Sklencar)
This document discusses an internal control review for the public sector presented by Welch LLP. It covers when to consider an internal control review, what to expect from the process, the basic streams or business processes that would be reviewed, and the benefits of conducting such a review. The process involves developing a risk-based strategy, documenting and assessing key financial controls, and drafting a management action plan. Benefits include improving efficiencies at a lower cost than a full audit and gaining a fresh view of the system and environment. Questions from attendees can be tweeted with the hashtag #WelchGov.
The document provides guidelines and examples for rating audits. It includes five rating levels - Good, Satisfactory, Requires Improvement, Unsatisfactory, and Concurrence/Nonconcurrence. Sample 1 provides detailed descriptions of each rating level and examples of how to rate audits of internal controls, operations, and accounting records based on an audit rating grid. Sample 2 defines five audit report ratings on a scale from Strong to Unsatisfactory based on the effectiveness of risk management practices.
Corporate Compliance Seminars provides educational seminars and consulting services on internal controls, regulatory compliance, corporate governance, IT security, and fraud prevention. The document discusses the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which issued an updated Internal Control - Integrated Framework in 2013. The update codified principles and points of focus to help organizations develop and assess the effectiveness of their internal control systems. It expanded the focus to include operations, compliance and non-financial reporting objectives in addition to financial reporting. Organizations are encouraged to transition to applying the updated framework by December 15, 2014.
This chapter discusses IT governance and related topics that will represent approximately 15% of the CISA examination. The key learning objectives are to evaluate the effectiveness of an organization's IT governance structure, strategy, policies, risk management, and monitoring practices. Best practices for IT governance include establishing an IT strategy committee, using an IT balanced scorecard to evaluate performance, and ensuring effective information security governance. The chapter also covers IT strategic planning, policies, procedures, risk management, personnel management, sourcing strategies, and outsourcing considerations.
This document provides examples of how data analytics can be used for internal auditing purposes. It discusses using data analytics to:
1) Automate existing journal entry and employee expense testing through the use of scripts in audit software.
2) Create additional automated testing routines as part of continuous controls monitoring, including identifying duplicates, fraudulent patterns, and high-risk journal entries.
3) Perform analyses of journal entry and employee expense data such as general data overviews, population analyses to identify anomalies, and testing of specific expense types or journal accounts deemed high-risk.
This document discusses risk assessments and their importance for audit planning. It provides definitions for risk and risk assessment, and explains how risk assessments allow entities to understand potential impacts on objectives. Risk assessments employ both qualitative and quantitative methods, relate risks to time horizons and objectives, and assess inherent and residual risks. The document also discusses how internal auditors can add value through risk-based audit planning and evaluating management's risk assessments and controls. Key components of risk assessments are outlined.
This document discusses internal controls for an organization. It begins with definitions of internal control from COSO, including that internal control is a process designed to provide reasonable assurance of achieving objectives related to operations, reporting, and compliance. It then discusses key concepts of internal controls including the five components of the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring. Specific control activities discussed include separation of duties, documentation, authorization and approvals, and reconciliation and review. The document emphasizes that internal controls should be appropriate and cost-effective for an organization.
This document provides an overview of the key topics covered in the 2016 CISA Review Course, including IS auditor roles and responsibilities, audit planning, risk analysis, internal controls, performing IS audits, and compliance vs substantive testing. The document outlines ISACA standards and guidelines for IS auditing, and frameworks like COBIT 5 that help achieve governance and management objectives for enterprise IT. Methodologies, techniques, and objectives for risk-based auditing are also summarized.
Internal auditors can provide both assurance work and consulting services to an organization. There are six main types of consulting work: formal engagements, informal engagements, emergency services, assessment services, facilitation services, and remedial services. The document then outlines the typical steps and considerations for an internal audit consulting engagement, including: establishing initial terms of reference, conducting a preliminary survey, establishing suppositions, developing an audit work program, performing detailed field work, determining underlying causes, defining and evaluating options, testing selected options, discussing options with management, and reporting findings.
Building Continuous Auditing Capabilities utilizing CAATs and Data Analytics technologies. Overview, CA, DA, ACL, Audit Guidelines, Technology, Audit Innovation.
This document provides an overview of chapter 2 from the 2007 CISA review course, which covers IT governance. It discusses key topics like corporate governance, information systems strategy, policies and procedures, risk management, IS management practices, IS organizational structure and responsibilities, and auditing the management, planning and organization of IS. The chapter aims to ensure CISA candidates understand how organizations can provide assurance that proper IT governance structures and processes are in place.
Mobile EHS and Quality Auditing - Lessons Learned (Nimonik)
Smart phones and tablets are becoming commonplace in our offices. With this new technology, it is possible to improve efficiency during an audit, allowing more audits to be conducted with fewer resources. There are opportunities and pitfalls that all companies should be aware of before embarking on a mobile software project. This talk will cover lessons learned at L’Oreal, FedEx and Grupo Bimbo about deploying mobile technology and conducting compliance audits in the workplace.
The audit concluded that Finance Canada has developed an adequate Corporate Risk Profile and established an Integrated Risk Management function in line with guidelines. Some elements of the communication strategy from the Corporate Risk Profile have not been fully implemented. The Department has identified key risks but could improve awareness of risk management practices among staff through better communication.
The document provides guidelines for internal audit ratings on a scale of Good to Unsatisfactory. It also includes samples of internal audit rating guides that define ratings on scales such as Strong to Critical. The guides provide attributes for each rating to determine where an audit falls based on the presence of issues, effectiveness of controls, and actions required to remedy weaknesses.
The document discusses the COSO internal control framework's principles of monitoring internal controls. It states that monitoring ensures controls continue operating effectively through ongoing or separate evaluations. Planning and organizational support form the foundation for monitoring, including tone from management and the board's understanding of monitoring's importance. Monitoring procedures evaluate important controls over meaningful risks, and assessing results prioritizes and communicates deficiencies for corrective action. Effective monitoring uses a systematic process of identifying risks and determining optimal monitoring approaches.
The document provides an overview of an upcoming IT audit being conducted by the Office of Internal Audit at a university. It outlines the audit process, including an introduction, orientation, and slide presentation covering the OIA background and audit methodology. It also discusses preparing for the on-site audit, including examining identity management, access control, and security management. The document details the audit flow, evidence gathering, and expectations for management response and follow-up after the audit is completed.
Internal Audit Best Practices for Safety, Environment, and Quality Audits (Nimonik)
Nimonik has seen a wide variety of internal Health, Safety, Environmental and Quality (HSEQ) audit programs. They seem to come in all shapes and sizes! Each company tends to focus on different risks and controls.
Whether your organization conforms to ISO 19011 or another internal audit standard, re-focusing your internal audit program on your risks, controls, and operational reality is a key driver for operational excellence.
On March 14th, John Wolfe shared insights from over 20 years as a hands-on HSE Director and as the Sr. Director of Operations Integrity Audit for a global Oil & Gas company. John outlined the attributes of an outstanding Internal audit program. He showed you how you can build out a program tailored to your operations and add tremendous value to your business.
This document discusses auditing application controls, including:
1. Defining application controls and distinguishing them from IT general controls. Application controls are specific to a program or system supporting a business process, while IT general controls apply across the entire IT environment.
2. The role of internal auditors in assessing risks related to applications, scoping application control reviews, and determining appropriate audit approaches. This involves understanding business processes, specialized resources that may be needed, and testing techniques.
3. Risk assessment of applications, including assessing inherent risks related to the nature of the technology and how systems are configured and used. Application controls and IT general controls aim to mitigate risks to integrity, completeness, timeliness and availability of data.
This document describes CheckAud, a software tool for auditing authorizations in SAP systems. It provides functions for authorization audits, segregation of duties checks, analysis of critical authorizations, user authorization reports, and simulation of authorization changes. The tool includes predefined analysis templates for SAP modules and helps ensure audits are comprehensive and efficient.
This document provides an overview of an internal risk assessment process presentation. It outlines the presentation agenda, which includes discussions of internal control frameworks like COSO and COBIT, risk assessment techniques, risk identification mapping, and the components of internal control. It also details the key aspects of each presentation section, such as defining internal control, its objectives, and management and auditor responsibilities regarding internal control assessment.
Key considerations for your internal audit planessbaih
The document discusses emerging risks and areas of focus for internal audit plans, providing examples of audits that can deliver value in these areas. It includes a "risk radar" depicting risks by business function, from financial to strategic. For accounting, it identifies emerging issues including changes to accounting standards globally and in various countries. It provides examples of impactful audits in accounting such as reviewing accounting policies and statutory reporting. It poses key questions for evaluating risks and opportunities in these areas.
Everything You Need To Know About Internal Control ReviewsAdriana Sklencar
This document discusses an internal control review for the public sector presented by Welch LLP. It covers when to consider an internal control review, what to expect from the process, the basic streams or business processes that would be reviewed, and the benefits of conducting such a review. The process involves developing a risk-based strategy, documenting and assessing key financial controls, and drafting a management action plan. Benefits include improving efficiencies at a lower cost than a full audit and gaining a fresh view of the system and environment. Questions from attendees can be tweeted with the hashtag #WelchGov.
The document provides guidelines and examples for rating audits. It includes five rating levels - Good, Satisfactory, Requires Improvement, Unsatisfactory, and Concurrence/Nonconcurrence. Sample 1 provides detailed descriptions of each rating level and examples of how to rate audits of internal controls, operations, and accounting records based on an audit rating grid. Sample 2 defines five audit report ratings on a scale from Strong to Unsatisfactory based on the effectiveness of risk management practices.
Corporate Compliance Seminars provides educational seminars and consulting services on internal controls, regulatory compliance, corporate governance, IT security, and fraud prevention. The document discusses the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which issued an updated Internal Control - Integrated Framework in 2013. The update codified principles and points of focus to help organizations develop and assess the effectiveness of their internal control systems. It expanded the focus to include operations, compliance and non-financial reporting objectives in addition to financial reporting. Organizations are encouraged to transition to applying the updated framework by December 15, 2014.
This chapter discusses IT governance and related topics that will represent approximately 15% of the CISA examination. The key learning objectives are to evaluate the effectiveness of an organization's IT governance structure, strategy, policies, risk management, and monitoring practices. Best practices for IT governance include establishing an IT strategy committee, using an IT balanced scorecard to evaluate performance, and ensuring effective information security governance. The chapter also covers IT strategic planning, policies, procedures, risk management, personnel management, sourcing strategies, and outsourcing considerations.
This document provides examples of how data analytics can be used for internal auditing purposes. It discusses using data analytics to:
1) Automate existing journal entry and employee expense testing through the use of scripts in audit software.
2) Create additional automated testing routines as part of continuous controls monitoring, including identifying duplicates, fraudulent patterns, and high-risk journal entries.
3) Perform analyses of journal entry and employee expense data such as general data overviews, population analyses to identify anomalies, and testing of specific expense types or journal accounts deemed high-risk.
This document discusses risk assessments and their importance for audit planning. It provides definitions for risk and risk assessment, and explains how risk assessments allow entities to understand potential impacts on objectives. Risk assessments employ both qualitative and quantitative methods, relate risks to time horizons and objectives, and assess inherent and residual risks. The document also discusses how internal auditors can add value through risk-based audit planning and evaluating management's risk assessments and controls. Key components of risk assessments are outlined.
This document discusses internal controls for an organization. It begins with definitions of internal control from COSO, including that internal control is a process designed to provide reasonable assurance of achieving objectives related to operations, reporting, and compliance. It then discusses key concepts of internal controls including the five components of the COSO framework: control environment, risk assessment, control activities, information and communication, and monitoring. Specific control activities discussed include separation of duties, documentation, authorization and approvals, and reconciliation and review. The document emphasizes that internal controls should be appropriate and cost-effective for an organization.
This document provides an overview of the key topics covered in the 2016 CISA Review Course, including IS auditor roles and responsibilities, audit planning, risk analysis, internal controls, performing IS audits, and compliance vs substantive testing. The document outlines ISACA standards and guidelines for IS auditing, and frameworks like COBIT 5 that help achieve governance and management objectives for enterprise IT. Methodologies, techniques, and objectives for risk-based auditing are also summarized.
Internal auditors can provide both assurance work and consulting services to an organization. There are six main types of consulting work: formal engagements, informal engagements, emergency services, assessment services, facilitation services, and remedial services. The document then outlines the typical steps and considerations for an internal audit consulting engagement, including: establishing initial terms of reference, conducting a preliminary survey, establishing suppositions, developing an audit work program, performing detailed field work, determining underlying causes, defining and evaluating options, testing selected options, discussing options with management, and reporting findings.
Building Continuous Auditing Capabilities utilizing CAATs and Data Analytics technologies. Overview , CA, DA, ACL, Audit Guidelines, Technology, Audit Innovation,
This document provides an overview of chapter 2 from the 2007 CISA review course, which covers IT governance. It discusses key topics like corporate governance, information systems strategy, policies and procedures, risk management, IS management practices, IS organizational structure and responsibilities, and auditing the management, planning and organization of IS. The chapter aims to ensure CISA candidates understand how organizations can provide assurance that proper IT governance structures and processes are in place.
Mobile EHS and Quality Auditing - Lessons LearnedNimonik
Smart phones and tablets are becoming commonplace in our offices. With this new technology, it is possible to improve efficiency during an audit, allowing more audits to be conducted with fewer resources. There are opportunities and pitfalls that all companies should be aware of before embarking on a mobile software project. This talk will cover lessons learned at L’Oreal, FedEx and Grupo Bimbo about deploying mobile technology and conducting compliance audits in the workplace.
The audit concluded that Finance Canada has developed an adequate Corporate Risk Profile and established an Integrated Risk Management function in line with guidelines. Some elements of the communication strategy from the Corporate Risk Profile have not been fully implemented. The Department has identified key risks but could improve awareness of risk management practices among staff through better communication.
The document provides guidelines for internal audit ratings on a scale of Good to Unsatisfactory. It also includes samples of internal audit rating guides that define ratings on scales such as Strong to Critical. The guides provide attributes for each rating to determine where an audit falls based on the presence of issues, effectiveness of controls, and actions required to remedy weaknesses.
The document discusses the COSO internal control framework's principles of monitoring internal controls. It states that monitoring ensures controls continue operating effectively through ongoing or separate evaluations. Planning and organizational support form the foundation for monitoring, including tone from management and the board's understanding of monitoring's importance. Monitoring procedures evaluate important controls over meaningful risks, and assessing results prioritizes and communicates deficiencies for corrective action. Effective monitoring uses a systematic process of identifying risks and determining optimal monitoring approaches.
The document provides an overview of an upcoming IT audit being conducted by the Office of Internal Audit at a university. It outlines the audit process, including an introduction, orientation, and slide presentation covering the OIA background and audit methodology. It also discusses preparing for the on-site audit, including examining identity management, access control, and security management. The document details the audit flow, evidence gathering, and expectations for management response and follow-up after the audit is completed.
Internal Audit Best Practices for Safety, Environment, and Quality Audits (Nimonik)
Nimonik has seen a wide variety of internal Health, Safety, Environmental and Quality (HSEQ) audit programs. They seem to come in all shapes and sizes! Each company tends to focus on different risks and controls.
Whether your organization conforms to ISO 19011 or another internal audit standard, re-focusing your internal audit program on your risks, controls, and operational reality is a key driver for operational excellence.
On March 14th, John Wolfe shared insights from over 20 years as a hands-on HSE Director and as the Sr. Director of Operations Integrity Audit for a global Oil & Gas company. John outlined the attributes of an outstanding Internal audit program. He showed you how you can build out a program tailored to your operations and add tremendous value to your business.
The document provides information about internal process audits. It discusses management systems, standards, effectiveness and efficiency, quality management system principles and elements. It defines an audit and describes the purpose, benefits, types, preparation, performance, non-conformity reports, post-audit activities and best practices of audits. The document emphasizes that audits are meant to determine conformity and provide opportunities for improvement, not to evaluate people's capabilities. It also provides tips on how to effectively face an audit.
Robust governance processes to provide assurance on reported mineral resource... (srkconsulting)
This document discusses robust governance processes for mineral resource and ore reserve assurance. It recommends technical peer reviews and audits at various stages to improve assurance. Peer reviews conducted during the estimation process allow time for improvements, while audits done after the fact identify opportunities for future enhancement. Examples provided show how Rio Tinto and Atlas Iron implement oversight committees and external reviews to ensure accuracy and compliance in resource and reserve reporting. Overall, the document argues that independent assurance through a structured review and audit system helps mitigate risks, improve technical practices, and build confidence among investors and regulators.
Robust governance processes to provide assurance on reported mineral resourc... (srkconsulting)
Mineral resources and ore reserves are key assets for a resources company. Assurance is needed over the processes that are applied in their estimation and reporting to assess and manage the risk that the mineral resources and ore reserves are incorrectly defined and/or reported which will impact on business decision making, reporting, reputation and investor confidence.
This document discusses a roundtable on continuous auditing and risk monitoring. The agenda includes introductions, a discussion of what the market is doing, the role of automation, and a roundtable discussion. Key points from the discussion include: determining the appropriate frequency of auditing and monitoring based on risk; continuous auditing and monitoring should be risk-based and focus on critical areas; and technology can enable more frequent auditing if needed but not all transactions need continuous evaluation.
Internal Audit, Eyal Horowitz: A poor job has been done of educating the board, executives, managers and even users about the scope and purpose of the internal audit function. International Internal Audit Awareness Month presents an excellent opportunity to make that education a top priority.
The document discusses internal audit methodology. It covers defining internal audit, its objectives, applicability, responsibilities under CARO 2020, and standards. It then discusses the risk-based internal audit methodology which includes understanding the business and risks, identifying key processes, creating an assurance plan, analyzing processes through interviews and mapping, and assessing process risks. The document provides details on each step of the internal audit methodology.
This document provides an overview of various International Standards on Auditing (ISAs). It summarizes the key topics covered in different sections of the ISAs related to planning an audit, assessing risks, obtaining evidence, dealing with estimates and subsequent events, and communicating findings. The document explains concepts like materiality, professional skepticism, audit risk and different types of audit evidence. It also describes standards on specific areas like fraud, laws and regulations, external confirmations, sampling and use of management representations.
Nial has over 3 years of experience in cyber security consulting including enterprise risk management, ITGC audits, compliance audits, and risk management. As a security consultant, Nial's responsibilities include evaluating ITGC controls design and effectiveness to support financial reporting, coordinating control implementation, and identifying technology controls within processes. Nial has experience conducting ITGC audits for financial institutions and serving as a Governance, Risk, and Compliance Lead for an e-commerce organization.
The document discusses conducting risk assessment for an internal audit department. It begins by outlining the key objectives and activities of the internal audit function. It then provides a list of 27 questions and answers to map out the internal audit processes, inherent risks, and key controls. The questions cover topics like audit planning, coordination with other departments, reporting structure, budgeting, performance metrics, theoretical risks, and controls. The overall purpose is to establish a proper risk management process for the internal audit department.
Internal financial control - how ready are you - Webinar (Ali Zeeshan)
Prof. Arif Ahmed gave a webinar on internal financial controls. He began by introducing himself and his experience in finance and risk management. He then discussed the key aspects of internal controls based on the COSO 2013 framework, including control environment, risk assessment, control activities, information and communication, and monitoring. Specifically, he covered enhanced risk assessments, fraud risk assessments, controls in IT environments, and factors that determine quality of information. He emphasized that internal controls must be customized to each organization and address objectives across different levels. Monitoring involves ongoing and separate evaluations to identify control deficiencies.
Hanrick Curran Audit Training - Internal Controls - March 2013 (Matthew Green)
Training delivered to assist audit staff as part of their continuing professional development/education (CPE/CPD). Provided in a 60-minute session with substantial discussion and interaction.
Evolving role of internal auditing function (Debashis Gupta)
The document discusses the evolving role of internal auditing functions. It covers positioning internal audit in an organization through strategic partnerships with business and benchmarking the internal audit function. It also discusses risk-based audit approaches and governance processes, focusing on the roles of various stakeholders. The document advocates for internal audit to act as a strategic partner by providing quality assurance on critical risks. It outlines how internal auditing has shifted from traditional transaction-based approaches to more modern risk-based approaches.
Bayo Omisore, IT Auditor-Compliance Analyst (Bayo Omisore)
Bayo Omisore has over 13 years of experience in IT auditing, risk management, security, and compliance. He has worked as a senior IT auditor for Methode Electronics and as an IT audit consultant for several large companies. His experience includes performing audits of IT infrastructure, applications, and business processes; identifying risks; documenting processes and controls; assessing compliance; and making recommendations for improvement. He has expertise in areas such as SOX compliance, security reviews, and project implementation assessments.
IT management audits can serve multiple purposes and provide many benefits. First, audits are used to validate compliance with established technology-related policies, programs and procedures. Second, audits are used as an investigative tool, to gather information and analyze current operational conditions for the purpose of recommending specific "policies, programs and procedures". The primary purpose of a given audit will determine the scope and related execution planning. Validation audits are likely performed on a regularly scheduled basis, with a standardized scope and set of executing procedures. Investigative audits are likely triggered in response to a specific need, and planning will be shaped by unique goals and circumstances. Whatever the purpose, the goal is to ensure that audits serve a purpose, are planned for minimal disruption, and that all results are used to maximize IT value.
This document discusses internal controls for computer-based business systems. It defines internal control as processes, policies, and standards that ensure effective administration of an organization. The key purposes of internal control are to promote effective and efficient operations, safeguard resources, ensure adherence to laws and regulations, and produce reliable financial reporting. The five key components of internal control are the control environment, risk assessment, control activities, information and communication, and monitoring. The document also outlines various types of IT audits conducted to evaluate internal controls, such as operational audits, development audits, and disaster recovery audits.
An IT security audit involves independently examining an organization's IT systems, controls, policies and procedures. The document outlines the key steps in an IT audit including planning, testing and reporting. It also discusses defining auditors and their roles, preparing for an audit, and how audits are conducted at the application level to assess controls related to administration, security, disaster recovery and more. The goal of an audit is to evaluate security adequacy and recommend improvements.
This document discusses the importance of quality assurance and control for high-quality financial reporting. It notes that assessments in financial reporting are highly judgmental due to principle-based standards and human factors. Effective quality assurance requires cooperation between various parties, including auditors, professional accounting organizations that perform oversight, and regulators. It recommends a step-by-step approach to improving quality control and assurance practices over multiple years through education, guidance, and review. High-quality financial reporting is important for public trust and well-functioning markets.
The document summarizes key points from a critical infrastructure security workshop presented by Drew Williams. It discusses defining critical infrastructure and the scope of governance, risk management, and compliance (GRC) in the Asia-Pacific region. It also profiles different critical infrastructure sectors in Malaysia and identifies common fail points that can undermine GRC strategies. The workshop provided an overview of trends, best practices, and a maturity model to help organizations develop effective long-term GRC roadmaps.
This document provides an overview and agenda for a presentation on securing and hardening DNS servers. It discusses configuring DNS servers at both the local system level and network level. At the local level, it recommends partitioning the file system, using chroot jails, firewalls, and access control configurations. At the network level, it discusses topics like limiting services, securing NTP, and managing DNS zones and records. The overall goal is to understand the high-level requirements for securing a DNS server and limiting access to the DNS service.
The document discusses protecting one's electronic identity and the risks of identity theft. It begins with an introduction by Erwin Carrow on his background and role conducting IT evaluations. It then outlines some key points on understanding the risk to personal information, how identities can be stolen both online and offline, and the various ways data can be lost or leaked. It provides examples of commercial and personal threats, describing how identities are exploited using social engineering and technical attacks. It notes the legal implications are still developing and that individuals bear responsibility for initiating action. Overall, the document aims to increase awareness of identity theft risks and provide resources on protecting personal information and responding to potential issues.
This document discusses the risks of phishing and social networks. It begins with some basic terminology and context around key players like individuals, technology, and services involved. It describes the basic methodology that criminals and terrorists use to exploit common activities on the internet like social networks, email, and web browsing. This includes making counterfeit activities look normal to attract users. The document provides some statistics on data breaches and privacy losses. It emphasizes knowing yourself and potential threats to understand your risk profile. It recommends practical precautions to mitigate risks like keeping software updated, using security tools, and exercising common sense online. Resources for more information are also included.
The document provides an overview of frameworks that can be used for information systems security in higher education. It discusses key frameworks like COBIT, ISO 27002, and NIST standards that define controls and best practices. The presentation aims to help attendees understand how to evaluate their internal control structures and security approaches based on recognized standards and frameworks.
Puppetnets and Botnets: Information Technology Vulnerability Exploits (ecarrow)
The focus of this paper is to identify dominant trends of information security threats to the Internet from 2001 to 2007. This paper is intended to provide an understanding of the new emphasis of attacks through use of robotic networks and how some users and organizations are already preparing a response using innovative visualization techniques in conjunction with traditional methods. The scope of research will focus on basic enterprise-level services that are commonly provided by various corporations, e.g., e-mail, browser applications, wireless and mobile devices, IP telephony, and online banking. The research will first review the network infrastructure common to most corporate organizations and assume basic enterprise components and functionality in response to the current security threats. The second emphasis will consider the impact of malware robotic networks (Botnets and Puppetnets) on the corporate network infrastructure and how to address these threats with new and innovative techniques. This approach is pragmatic in application and focuses on assimilation of existing data to present a functional rationale of attacks to anticipate and prepare for this coming year.
InfoSec Technology Management of User Space and Services Through Security Thr... (ecarrow)
The focus of this paper will demonstrate the need to clearly define and segregate various user space environments in the enterprise network infrastructure with controls ranging from administrative to technical, and still provide the various services needed to facilitate the work space environment and administrative requirements of an enterprise system. Standards assumed are industry practices and associated regulatory requirements with implementations as they apply to the various contextual applications. This is a high-level approach to understanding the significance and application of an effective secure network infrastructure. The focus is on end user needs and the associated services to support those needs. Conceptually, user space is a virtual area allocated to the end user needs identified with specific services to support those needs by creating a virtual playground. To manage risk, the concept of creating a "security threat gateway (STG)" isolates and secures each user space with its associated services. Emphasis will be placed on the functional managerial process and application of the STG, safeguarding one user space from another, to facilitate the use of the needed services to perform the operational tasks of the organization. When users' needs and associated components are clearly identified, then it is possible for anyone to use this model as a template, to guide them in creating an effective strategy for their own network security. This approach is practical in orientation and application, focusing on a high-level perspective, and assumes the reader already has a low-level technical background for a tactical implementation in mitigating risk to the enterprise network infrastructure.
Oiac It Audit Wo Cartoons
1. Office of Internal Audit and Compliance
IT Auditing Overview
CIO Advisory Counsel Meeting
Spring 2011 - Savannah, Ga.
2. Session Guide
• Erwin (Chris) L. Carrow
IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
Board of Regents, University System of Georgia
Office of Internal Audit and Compliance
270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
(404) 657-9890 Office, (678) 644-3526 Cell, (404) 463-0699 Fax
Email: erwin.carrow@usg.edu, ecarrow@gmail.com, ecarrow@google.com
http://www.linkedin.com/in/thebishop
Twitter: @ecarrow
Skype: erwin.louis.carrow
3. Session Agenda (22 Slides – unless additional needs for clarity)
• Quick Overview – Audit Methodology (slides 1-15)
• Assessment Lifecycle & Applying Controls (slides 16-18)
• Overview & Summary (slides 19-22)
______________________________________________________________
• Terminology & Context of Security Implementation (slides 23-27)
– Securing Business Functions
– Governance
– Business Function Characteristics: Vertical (B2S) and Horizontal (B2B) Relationship
• Risk Identification & Reconciliation (slides 28-34)
– Business Impact Analysis
– Risk Assessment Process
– Risk Analysis Methodology
• Categories and Types (slides 35-37)
– Risk – Enterprise Risk Management (BIA, RA, ERM)
– Information, Information Systems, & Users
• Controls Framework (slides 38-44)
– Types of Controls, Skill Sets, and Resources
– Criteria: Maturity of Controls to Support Outcomes
– Procedures: Operational Tasks to Implement and Support Controls (low-level)
• Example: Identity Management (COBIT, CMMI, & NIST) (slides 45-55)
4. Key Takeaways
• Understand OIAC requirements and how the IT audit function applies its framework for assessing controls to compensate for high impact / probability risks.
• Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
• Provide resources for review & dialogue.
5. Quick Overview – Audit Methodology
6. Why We Audit – Mission & Charter
• “Internal auditing provides independent and objective assurance and consulting services to the Board of Regents (Board), the Chancellor, and institution leadership in order to add value and improve operations. The internal audit activity helps the University System Office (USO) and USG institutions accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.”
- Internal Audit Charter approved by the Board of Regents (underline added)
7. Types of Audits – Federal, State, Campus, and Board of Regents
• Federal Auditors
– Rely on work of state auditors
– May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
• State Auditors – Financial and Performance
– Financial / Operational auditors - external auditors validating internal controls and the AFR
– Performance auditors – external auditors focused on a specific system-wide process or policy issue
• Campus Auditors
– Varies by campus
– Generally focused on departmental reviews
– Report to institution President and USO Chief Audit Officer
• Board of Regents Auditors
– Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns
8. The Audit Selection Process: OIAC Risk Assessment & Planning Process
(The “Why Us?” Syndrome and “What Do We Audit?”)
• OIAC’s Risk Assessment process
– Quantitative Data: previous findings, financials, etc.
– Qualitative Data: surveys, interviews, trends, etc.
– Quarterly review and assessment versus an annual approach, to be proactive
• Rolling Audit Plan
– Designed to ensure coverage of institutions with high risk
– Also designed to ensure OIAC coverage at all USG institutions at least once every 3-4 years
– Specifies institution and broad categories in which to audit
– May also incorporate consulting engagements and other special projects
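The selection rule on this slide combines two goals that can conflict: rank institutions by impact and probability, yet guarantee that every institution is covered at least once every 3-4 years, so a low-risk institution can still be forced onto the plan by the coverage window. The Python below is an added example, not OIAC's own tooling; the institution names, scores and last-audit years are constructed sample data, and the 0-10 scales, the multiplicative impact times probability score and the hard four-year ceiling are assumptions made for the illustration.

```python
"""Rolling, risk-based audit selection with a coverage floor.

Added example, not OIAC tooling. Rank by impact x probability, but force
any institution outside the coverage window onto the plan regardless of
score. Scales, window and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

COVERAGE_YEARS = 4  # assumption: "at least once every 3-4 years" taken as a hard 4-year ceiling


@dataclass(frozen=True)
class Institution:
    name: str
    impact: float        # quantitative inputs: prior findings, financials (assumed 0-10 scale)
    probability: float   # qualitative inputs: surveys, interviews, trends (assumed 0-10 scale)
    last_audit_year: int


def risk_score(inst: Institution) -> float:
    """High impact AND high probability: a product, so one low factor pulls the score down."""
    return inst.impact * inst.probability


def overdue(inst: Institution, plan_year: int) -> bool:
    """True when the coverage window has elapsed since the last audit."""
    return plan_year - inst.last_audit_year >= COVERAGE_YEARS


def build_plan(institutions: Iterable[Institution], plan_year: int, capacity: int) -> List[str]:
    """Pick `capacity` institutions for `plan_year`.

    Overdue institutions are taken first (the coverage floor); the remaining
    slots go to the highest risk scores. Raises when the floor alone exceeds
    capacity, which signals that resourcing, not scoring, needs attention.
    """
    institutions = list(institutions)
    must = sorted((i for i in institutions if overdue(i, plan_year)),
                  key=risk_score, reverse=True)
    if len(must) > capacity:
        raise ValueError(
            f"{len(must)} institutions are overdue for coverage but capacity is {capacity}")
    taken = {i.name for i in must}
    ranked = sorted((i for i in institutions if i.name not in taken),
                    key=risk_score, reverse=True)
    chosen = must + ranked[: capacity - len(must)]
    return [i.name for i in chosen]


# Constructed sample data; not real USG institutions or scores.
SAMPLE = [
    Institution("Alpha College", impact=9, probability=8, last_audit_year=2010),
    Institution("Beta State", impact=4, probability=3, last_audit_year=2007),
    Institution("Gamma Tech", impact=7, probability=9, last_audit_year=2009),
    Institution("Delta University", impact=8, probability=2, last_audit_year=2008),
    Institution("Epsilon College", impact=3, probability=9, last_audit_year=2010),
]

if __name__ == "__main__":
    # Beta State has the lowest score of the five but is the only one outside the window.
    print(build_plan(SAMPLE, plan_year=2011, capacity=3))
```

For 2011 with capacity for three audits the plan is Beta State, Alpha College, Gamma Tech: Beta State enters on the coverage floor alone. If a quarterly reassessment raises Epsilon College's impact to 9, it moves ahead of Alpha College and displaces Gamma Tech, which is the slide's "quarterly versus annual" point in concrete terms; an annual cycle would not have picked up that change until the next plan.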
9. Overall Engagement Plan – Summary of Process
• Top-down methodology for the auditing assessment
– Risk based: High Impact / High Probability – 32 different influencers
– Business Goals to Standards and Practices
– Business Function critical component identification
– Leadership (administrator) to Technician or Staff member (end user)
– Assess Requirements, Resources, and Processes
• The approach focuses on key business functions and their associated Business Goals and Objectives as they relate to the assessed entities.
• Once identified and agreed upon for each business function, the key associated requirements, resources, and processes are identified and assessed to determine if high or critical risk is being managed.
• Focus is upon Control Practices and Responsibility / Accountability associated with key activities, with CMMI level 3 as the expected criterion for High Risk Critical processes.
10. Methodology, Scope, & Criteria
• Standards for the Methodology
– Institute of Internal Auditors (IIA - www.theiia.org)
– Information Systems Audit and Control Association (ISACA - www.isaca.org)
• Scope of Application: Area of Emphasis (Entity or Process)
– Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
• Determine what areas of High Risk or Critical Systems exist for the assessed entities at the institution
– Risk Analysis (OIAC) & Preliminary Assessment with Institution
– Prior Coordination / Business Impact Analysis / Risk Assessment - Information request list, based upon audited entities
– Analysis of information provided from pre-audit phase
• Scope of Execution: Area of Emphasis (Entity or Process)
– Business Functions (High Critical Risk)
• Examples: IAM: Identity and Access Control Management & NETSEC: Perimeter & Network Security
– Will incorporate recommended focus areas from institutional leadership
– Scope can change during the course of an audit if warranted
• CMMI Criteria level 3: Process is Defined & Documented and periodically Evaluated
11. Those Involved in Areas Reviewed & Priority of Emphasis (# Personnel – # Meetings)
[Diagram: Information Technology Department, Academic Units, Administrative Units, and Auxiliaries, each rated High, Medium, Low, or Limited by the number of personnel involved and meetings held]
12. Summary for Plan of Action
During the engagement we …
• Gather Information / Evidence related to implementation of controls to address High Impact / High Probability risk
– Interviews with key personnel (Business Owner, Trustees, & Stewards)
– Test and Validate Objectives
• Information - Information systems
• Direct observation & dialogue
• Document initial analysis (informal)
• Dialogue and gain Confirmation of Observations (validation)
• Dialogue and gain Common Understanding of Exceptions and Issues
• Identify Issues to Key Shareholders / Leadership and discuss Solutions
• Up until the final report is completed, dialogue will continue with the audited entity regarding issues (objections are welcome – it is your right!)
13. The Process We Follow – From Notification to Reporting
• 1st Phase: Pre-Campus Work (Preparatory Efforts)
– Announcement / Notification Letter, sent to President upon rolling audit plan approval (specifies the 5-month period during which the audit will be conducted)
– Preliminary Survey - Brief visit on campus, approx. 60 days prior to start of audit
– Engagement Letter – Sent to President approx. 30 days prior to start of audit
– Data Collection – Initial interviews, data requests, and network scans may take place prior to arrival on campus; the more we get ahead of time, the less time we have to spend onsite
• 2nd Phase: On-Campus Fieldwork (Evidence Gathering Phase)
– Initiated with Entrance Conference (“Line in the Sand”)
– Scope of work may expand / contract
– Campus POC kept informed on audit progress and issues (daily)
– End of field work review: a meeting conducted at close of work summarizing initial results and implications
• 3rd Phase: Post-Campus Work (Documentation & Publication Phase)
– Draft Report prepared and sent as discussion document
– Exit Conference held either in person or via phone / video conference
– Official Draft Report sent requiring response from institution
– Institution’s response incorporated in report
– Report published and distributed
14. Summary of Engagement Flow Timeframes
[Timeline diagram. Events, in order: (1) Rolling Risk Assessment & Notification – three times per year; Preliminary Survey onsite with Senior Leadership; (2) Audit Letter with data request sent – preliminary assessment; Entrance meeting & field work; (3) End of field work meeting w/ Key Shareholders. Intervals shown on the slide: 60 Days, 30 Days, 2 to 4 Wks, 4-6 Wks, 1-2 Wks, 1 Wk, 30 Days, 1 Wk, 90 Days]
20. Putting it all together…
21. Thank You for Your Patience & Participation - Any Questions?
• Understand OIAC requirements and how the IT audit function applies its framework for assessing controls to compensate for high impact / probability risks.
• Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
• Provide resources for review & dialogue.
22. Helpful Resources
CIS Benchmarks - http://www.cisecurity.org/benchmarks.html
IIA - www.theiia.org
ISACA - www.isaca.org
ISC(2) - www.isc2.org
ISO - www.iso.org
ITGI - www.itgi.org
NIST - csrc.nist.gov
NSA - www.nsa.gov
IASE - iase.disa.mil
Web App Consortium - www.webappsec.org
EDUCAUSE - educause.edu/security
Univ. Austin Texas Sec. - security.utexas.edu
Univ. Cornell Sec. - www.cit.cornell.edu/security
Virginia Tech Sec. - security.vt.edu
Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
23. Terminology & Context of the Audit Implementation
24. Securing Business Events
• It still comes down to … Business event Needs and Outcomes
– Goals or Objectives – Vision, Mission, & Operations
– Rules and Requirements
• Identifying critical business functions
– Support Infrastructure: Finance and Accounting, Human Resources, Facilities, Services, other administrative functions or departments
– Production Infrastructure: those folks who actually make the widgets (Instruction)!
• Identify the departments and who the key personnel are, e.g., Business owners, Trustees and Stewards
• Identify the vertical (B2S - dependent) and horizontal (B2B - interdependent) relationships that potentially introduce risk (IT Governance)
• Identify the systems that support business functions
• Categories and type of information and information systems
• Answer the question … “How are the people and systems integrated into the business process?”
• Answer the question … “What internal controls exist or need to be implemented to mitigate risk?”
25. Governance Interdependencies & Value Drivers
Control Objectives for Information and related Technology (COBIT®)
26. Business Functions and Characteristics
Control Objectives for Information and related Technology (COBIT®)
27. Governance: Business to Stewardship (B2S) versus Business to Business (B2B)
28. Risk Identification & Reconciliation
29. Audit Risk Life Cycle Variables
30. Standards of Application
• Industry Standards / Frameworks
– COBIT 4.1 (Control Objectives for Information and related Technology)
– NIST (National Institute of Standards and Technology)
– ISO 17799/27001 (International Organization for Standardization)
– ITIL (Information Technology Infrastructure Library)
• Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
• Board of Regents Standards
– Board of Regents Policy
– ITS Security Guidelines
– Business Process Manual
• Institutions’ Local Policies and Procedures
NOT PERSONAL OPINION OR PREFERENCES!!!!!
31. Business Impact Analysis
Must understand …
• Business goals and requirements
• Internal and external relationships
• What resources are involved
• Who is in charge and what interdependencies exist
• Vision (Strategic), Mission (Tactical), Objectives (Operational): factors for success
• KPIs: What are the Key Performance / Process Indicators?
• What distinctions and outcomes exist for each stage
• What is the scope of probability / impact (Beware the “Chicken Little” effect)
• What expectations exist for each key shareholder
Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
32. Assessing for Risk …
Risk assessment evaluates components of information, information system security and compliance as they relate to the business function.
Assess → Mitigate / Monitor → Re-Assess
• Ongoing risk management program must be in place
• Business owner or key shareholder must own the process
• Establish a standard for considering and negotiating risk
• Annual (periodic) risk assessment deliverable with recommendations for corrective action
• Clearly define and document accepted risk – someone needs to sign off on the responsibility
33. Risk Mitigation
Once risks are identified, they must be mitigated via internal controls.
Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance
Cycle: Design, Document, Implement
• Document and retain artifacts.
• Test the controls prior to implementation to validate expectations
• Monitor results
• Re-test controls periodically
34. Re-Assess Risks
Risk Assessments are an on-going exercise:
• Track mitigation strategies; did they work?
• What “Framework(s)” are being applied?
• Is there an identifiable “Structure” in place, e.g., a risk management program?
• Is the “Methodology” recognizable, e.g., documented and not arbitrary?
• Are you using tools to monitor, manage, and validate the associated processes?
• Test and re-test controls (design and effectiveness)
• Document test results, corrective actions, changes in business needs / requirements.
Certified Information Systems Auditor (Study Guide) Cannon, Bergmann, & Pamplin
36. Risk Categories and Types?
Determine how the categories of risk may or may not apply:
Risk Types
• Strategic: Affects the entity’s ability to achieve goals and objectives
• Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
• Reputational: Affects reputation, public perception, political issues, etc.
• Financial: Affects loss of assets, technology, etc.
• Operational: Affects on-going management processes and procedures
Risk Management Process
• Agreed upon methodology to assess priorities (BIA, RA, ERM)
• Consistency and agreement in identification of risks
• Focus upon high probability / high impact risk
• Types and classification – Information, Systems, & People
37. Information & Information System Users (Internal & External) Categories and Types?
What type of information, on which systems, is being accessed by which users?
• Public, administrative, sensitive, confidential
• Internal: Administrative, Managerial, Informational
• External: General Public or Specific Target group
What level of access and authorization of the information is being provided to those types of users?
Is the risk being managed with effective controls?
People who use or interact with the Information include:
• Share Holders / Owners / Management
• Employees & Business Partners
• Service providers / Contractors / Customers / Clients
• Regulators etc…
39. Control Objectives for Information and related Technology (COBIT)
• Developed by the ITGI (Current v4.1, 5.0)
– https://www.isaca.org/
• Value of IT, Risk, and Control
• Links IT service delivery to business requirements (already defined, right?)
• A lifecycle; constantly adapting, improving, re-adapting
• Four Responsibility Domains:
– Plan and Organize (PO)
– Acquire and Implement (AI)
– Deliver and Support (DS)
– Monitor and Evaluate (ME)
• Make a grocery list of needs and then go shopping
41. Audit Controls Definition
Audit Controls & Assessment
• Provides roadmap to auditor on which areas to focus audit steps (assess controls)
– Preventive: controls to stop the problem from occurring
– Detective: controls to find the problem
– Corrective: controls to repair the problem after detection
– Administrative: policies, standards, guidelines, & procedures
– Technical: controls using hardware or software for processing & analysis
– Physical: controls to implement barriers or deterrents
• Based upon industry standards, requirements, & practices
• Build list of high level objectives and outcomes to address risks associated with audited entity
42. Common Maturity Model Integrated (CMMI)
– Variants of the CMMI: CMM & ISO 15504
– Identifies WHERE you are at in the application of IT risk mitigation controls and HOW to get to the next level
– Levels of Application
• Level 0: No Recognizable Process, though one is needed
• Level 1: Process is Ad-hoc and performed by key individuals
• Level 2: Process is Repeatable, but not controlled
• Level 3: Process is Defined & Documented and periodically Evaluated
• Level 4: Managed & Measurable; effective Internal Controls with Risk Management
• Level 5: Optimized Enterprise wide risk and control program
43. Engagement: Application of Standards
• Assessment Standards & Identification
– Create assessment program (pre-engagement)
• Identify risk & criteria
• Identify audit resources, skill sets, & personnel
• Develop information requirements for requests
– Share expectations and objectives with institution
• Gather Information / Evidence
– Assess Controls: Strengths / Weaknesses (during engagement) [validate assurance or identify vulnerabilities / exploitation]
– Calculate Level of Control criteria being applied (CMMI)
• Analysis to Determine if Compliant with Standards
• Document Variances or Exceptions / Issues [potential issues]
• Report Per Charter Requirements (Ratings)
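One way to turn the evidence gathered during the engagement into the CMMI-style level the preceding slides ask for, and to list the variances against a target level, as an added example that is not part of this deck; the control names, evidence flags and sample findings are constructed:

```python
from dataclasses import dataclass

# Evidence an auditor records per control; each flag is the criterion that
# separates one maturity level from the next on the CMMI slide.
@dataclass
class ControlEvidence:
    name: str
    exists: bool = False                 # a recognizable process is in place
    repeatable: bool = False             # performed the same way each time
    documented: bool = False             # defined and documented
    periodically_evaluated: bool = False
    measured: bool = False               # metrics and risk management in place
    enterprise_wide: bool = False        # optimized across the enterprise

LEVEL_NAMES = {0: "No recognizable process", 1: "Ad-hoc, key individuals",
               2: "Repeatable, not controlled", 3: "Defined and documented",
               4: "Managed and measurable", 5: "Optimized enterprise-wide"}

def maturity_level(ev):
    """Level 0-5; each level presumes all lower ones, so a documented but
    non-repeatable process still scores only 1."""
    if not ev.exists:
        return 0
    if not ev.repeatable:
        return 1
    if not (ev.documented and ev.periodically_evaluated):
        return 2
    if not ev.measured:
        return 3
    return 4 if not ev.enterprise_wide else 5

def assess(controls, target=3):
    """{control name: (level, levels short of target)}. Target 3 is the
    deck's baseline: defined, documented, periodically evaluated."""
    return {c.name: (maturity_level(c), max(0, target - maturity_level(c)))
            for c in controls}

def variances(controls, target=3):
    """Controls below target, worst first: input to the engagement slide's
    'Document Variances or Exceptions' step."""
    scored = assess(controls, target)
    return sorted((n for n, (_, gap) in scored.items() if gap),
                  key=lambda n: -scored[n][1])

# Constructed findings from a hypothetical IAM review (not real data)
SAMPLE_CONTROLS = [
    ControlEvidence("De-provisioning of departed staff", exists=True,
                    repeatable=True, documented=True,
                    periodically_evaluated=True, measured=True),
    ControlEvidence("Quarterly access recertification", exists=True,
                    documented=True),              # done, but not repeatably
    ControlEvidence("Privileged account inventory"),   # nothing in place
]
```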
45. Example: Controls Mapping
11/12/2011 Framework for Information & System Security
46. IAM Example: Entity to be Assessed for Risk
• IAM: Identity and Access Control Management
– Identity Management; the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
– Access Control; the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
47. Users Involved in Business Functions and Types of Information and Systems? (Provisioning of High Risk or Critical Information)
Business Functional responsibility for assigning “Rights & Permissions” to various roles within the organization
• Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Finance, HR, etc.
• Trustees: Responsible to maintain trust granted by the Business Owner, e.g., “Worker Bees” in the associated departments that conduct day to day operations
• Stewards: Responsible to service and support the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
• Audience: Who the information is intended for, and for what use.
• B2S versus B2B: Vertical and horizontal relationships (IT Governance)
Types of Information (classification) per organization or agency
• Unrestricted / Public: No consequence; typically general information
• Sensitive: typically reflects legal or externally imposed constraints that require this restriction
• Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA, HIPAA, etc.
Types of Information Systems to support information exchange
• Infrastructure and architecture to support business driven events
• Classification and type (comparable to the information being managed)
• Supply Chain Management (SCM), Enterprise Resource Planning (ERP), Customer Resource Management (CRM), Business Intelligence (BI), basic communications, etc.
Determine scope of assessment and entities (people, application systems, & information) to be assessed
48. Example associated Key Process – Ecommerce, e.g., One Card System
• COBIT high level framework for controls relating to the Ecommerce systems
– Plan and Organize (PO) — Provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
– Acquire and Implement (AI) — Provides the solutions and passes them to be turned into services: AI5 and AI4
– Deliver and Support (DS) — Receives the solutions and makes them usable for end users: DS1, DS5 and DS11
• Map the requirements to your preferred checklist, e.g. NIST or ISO
• Requirements for Ecommerce complement other Processes
– Less work required for other system implementations
– No duplication of effort if requirements are properly addressed
• Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases
49. Example: Identity and Access Control Management (IAM)
COBIT 4.1 DS5.3 Identity Management
• Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
• Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
• Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
• Maintain user identities and access rights in a central repository.
• Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
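A test of the first three DS5.3 bullets above, run over a constructed extract of a central identity repository, as an added example rather than anything from the deck or from COBIT; ROLE_NEEDS, the record fields, and the account and approver names are assumptions:

```python
from typing import Dict, List

# Documented business need: job role -> entitlements it justifies
# (constructed; a real review takes this from the business owner).
ROLE_NEEDS = {
    "payroll_clerk": {"hr_app:read", "payroll:submit"},
    "payroll_manager": {"hr_app:read", "payroll:submit", "payroll:approve"},
    "sysadmin": {"fileshare:admin"},
}

def review_identities(accounts: List[dict], grants: List[dict]) -> Dict[str, list]:
    """Check a repository extract against the DS5.3 bullets.
    accounts: {"id", "person", "role"}; a generic login has person None.
    grants:   {"id", "right", "requested_by", "approved_by"}."""
    findings = {"not_uniquely_identifiable": [], "outside_business_need": [],
                "missing_request": [], "missing_approval": [], "orphan_grant": []}
    by_id = {a["id"]: a for a in accounts}
    # Bullet 1: every user uniquely identifiable, so no shared/generic logins
    for a in accounts:
        if not a.get("person"):
            findings["not_uniquely_identifiable"].append(a["id"])
    for g in grants:
        key = (g["id"], g["right"])
        acct = by_id.get(g["id"])
        if acct is None:                 # right held by no identity in the repository
            findings["orphan_grant"].append(key)
            continue
        # Bullet 2: rights in line with the documented business need of the job
        if g["right"] not in ROLE_NEEDS.get(acct["role"], set()):
            findings["outside_business_need"].append(key)
        # Bullet 3: requested by user management, approved by the system owner
        if not g.get("requested_by"):
            findings["missing_request"].append(key)
        if not g.get("approved_by"):
            findings["missing_approval"].append(key)
    return findings

# Constructed extract of a central identity repository (not real data)
ACCOUNTS = [
    {"id": "jdoe", "person": "Jane Doe", "role": "payroll_clerk"},
    {"id": "asmith", "person": "Al Smith", "role": "payroll_manager"},
    {"id": "helpdesk", "person": None, "role": "sysadmin"},  # shared login
]
GRANTS = [
    {"id": "jdoe", "right": "hr_app:read", "requested_by": "mgr1", "approved_by": "owner_hr"},
    {"id": "jdoe", "right": "payroll:approve", "requested_by": "mgr1", "approved_by": ""},
    {"id": "asmith", "right": "payroll:approve", "requested_by": "", "approved_by": "owner_pay"},
    {"id": "helpdesk", "right": "fileshare:admin", "requested_by": "mgr2", "approved_by": "owner_it"},
    {"id": "bgone", "right": "hr_app:read", "requested_by": "mgr1", "approved_by": "owner_hr"},
]
```

Each non-empty finding list maps to one of the slide's bullets, which is how the exceptions are later documented against DS5.3.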
50. Example: Identity and Access Control Management (IAM)
Logical Didactic Approach – DS5.3 Identity Management (How it is Evaluated)
• Control over the IT process of “Ensure systems security” that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
• By focusing on
– defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
• Is achieved by
– Understanding security requirements, vulnerabilities and threats
– Managing user identities and authorizations in a standardized manner
– Testing security regularly
• And is measured by
– Number of incidents damaging the organization's reputation with the public
– Number of systems where security requirements are not met
– Number of violations in segregation of duties
51. How to Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria)
DS5 Ensure Systems Security – Management of the process of “Ensure systems security” that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
0 Non-existent when: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process.
1 Initial/Ad Hoc when: The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable.
2 Repeatable but Intuitive when: Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority … Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
3 Defined when: Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
4 Managed and Measurable when: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. … User identification, authentication and authorization are standardized. Security certification is pursued for staff members … Security testing is completed using standard and formalized processes, leading to improvements of security levels. … IT security reporting is linked to business objectives. IT security training is conducted … IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
5 Optimized when: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated …
52. COBIT 4.01 Standards to NIST Mapping – Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
53. NIST 800-53, Revision 1 Standards Terminology and Application
54. Audit Program Development Life-Cycle
55. COBIT Mappings
Others besides NIST are currently posted at www.isaca.org/downloads:
• Aligning COBIT, ITIL and ISO 17799 for Business Benefit
• COBIT® Mapping: Mapping of CMMI for Development
• COBIT® Mapping: Mapping of ISO/IEC 17799:2000
• COBIT® Mapping: Mapping of ISO/IEC 17799:2005
• COBIT® Mapping: Mapping of ITIL
• COBIT® Mapping: Mapping of PMBOK
• COBIT® Mapping: Mapping of PRINCE2
• COBIT® Mapping: Mapping of SEI’s CMM for Software
• COBIT® Mapping: Mapping of TOGAF 8.1
• COBIT® Mapping: Overview of International IT Guidance