IT Security Audit
By John Intindolo
ISSC471
Instructor Jenelle Davis
What is an IT Security Audit?
An IT security audit is an independent analysis and inspection of records and activities to assess the adequacy of system controls, certify compliance with company policies and procedures, and recommend necessary changes in controls, policies, and/or procedures (Goldberg, n.d.).
GRC
- Governance
- Risk Management
- Compliance
GRC: Responsibility for Corporate Governance (“Outline of the,” n.d.)
Importance of Governance
• Principles of Corporate Governance:
- Shareholder recognition
- Stakeholder interests
- Board responsibilities must be clearly outlined to majority shareholders
- A code of conduct for ethical decisions should be established for all board members
- Business transparency to promote shareholder trust
Corporate governance is intended to “increase the accountability of your company and to avoid massive disasters before they occur” so that a company does not cause its employees and shareholders to go bankrupt (Sun, n.d.), e.g. Enron.
(“Corporate governance,” n.d.)
Importance of Risk Management
• Reasons Risk Management is Important:
- Identifies threats and vulnerabilities relevant to the organization
- Implements controls to minimize risks
- Ensures business survivability
(“Risk management cycle,” n.d.)
Importance of Compliance
• Reasons Compliance is Important:
- Risk of sanctions in the event of a breach (criminal, civil, or both)
- CIA Triad (Confidentiality, Integrity, and Availability) of the organization’s systems
e.g. When Target had many of its customers’ credit card information stolen this past winter, it had a negative effect on their reputation, as many people did not want to shop there as a result of the incident.
(“Quiet please compliance,” n.d.)
Importance of Compliance Cont’d.
• Compliance
– Privacy practices & policies
– Risk assessment
– Encryption for work-related e-mails
– Training on privacy practices & policies
• Maintaining Compliance
– Periodic security assessments
– Annual security compliance audits
– Well-defined, proper security controls
(“Compliance,” n.d.)
Audit Process
• Scope
– The outline of the entire audit
• IT Infrastructure Audit Report
– Must be properly written so management will consider the measures needed to improve compliance throughout the IT infrastructure
– Communicates the results
– Prevents misinterpretation of the results
– Details a list of recommendations to improve compliance
• Writing the IT Audit Report
– Executive Summary
– Summary of Findings
– Gap Analysis
– IT Security Assessment
– Security Controls and Countermeasures
– Compliance Assessment
– Compliance Recommendations
(“Business and it,” n.d.)
Future Trends of IT Audits
• Focus on Risk
– Less emphasis on controls
– More emphasis on risk management and governance
• Reporting Structure
– More reporting to the CEO rather than the CFO
– Risk committees will become more common and perhaps represent a majority over audit committees
– A hybrid reporting structure in some cases, where a chief risk officer will be created to handle internal audits
• Background Skills
– People who know business
– Ability to mitigate risk
– Ability to distinguish between efficiency and effectiveness
– Analytical and critical thinking skills
Future Trends of IT Audits Cont’d.
• Rise of Millennials
– Those born in the last century
– Greater comfort level with using advanced technology to communicate with audit clients than older colleagues
– Create a more flexible work environment
• Big Technology
– Analytic tools will be able to analyze vast amounts of data on emerging trends and anomalies
– Movement towards continuous auditing
– Advancements in technology will greatly affect the audit process
• Combined Assurance
– Cross-functional assurance
– Different assurance activities will combine to become more efficient and effective
IT Audit Companies
• Protiviti
– Improving internal auditing through technology
• Coalfire
– Provides a unique, unbiased perspective into the effectiveness and efficiency of IT controls
• Enterprise Risk Management
– Uses customized tools, expert resources, and proven methodologies so that the IT audit service is specifically designed for your company
• TrustCC
– Modular approach to IT auditing so that clients may choose which modules they want and how often they want to audit each
Regulatory Issues
• Updated COSO Framework Questions
– Is the framework being used for internal control over reporting only, or for operations and regulatory compliance as well?
– Are company controls mapped to the new framework?
– How are possible gaps between current processes, controls, or documentation being addressed in the new framework?
– Is the company educating everyone on the content of the updated COSO framework?
• Cybersecurity
– What are the critical assets that need to be secured, how are vulnerabilities identified, and how are risks disclosed?
– What is the overall strategy for protecting against cyber attacks?
– How robust are the organization’s incident response and communications plans?
• Proposed Auditor’s Reporting Model
– Changes could significantly alter the external auditor’s report and create a need for expanded audit procedures
– Enhanced language in the auditor’s report on the responsibilities of the auditor
– New statements in the auditor’s report that will provide additional information on areas like auditor independence and tenure
References
• Business and it audit [Web Graphic]. Retrieved from http://www.boundlessllc.com/images/Audit_27.jpg
• Compliance [Web Graphic]. Retrieved from https://www.atcoresystems.com/sugarcrm-images/compliance_sugarcrm_atcore_systems.jpg
• Corporate governance [Web Graphic]. Retrieved from http://www.insecticidesindia.com/images/corporate-governance.jpg
• Goldberg, M. (n.d.). IT security auditing [PowerPoint slides]. Retrieved from https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=11&cad=rja&uact=8&ved=0CKQBEBYwCg&url=https%3A%2F%2Fisis.poly.edu%2Fcourses%2Fcs996-management-s2005%2FLectures%2Fsecurity%2520audit.ppt&ei=LIyTU9_qJNTNsQT_n4CQCg&usg=AFQjCNEwYf2W68P7jNw9J6DzJxNirMhLDw&sig2=2JrsyrbmWZ_4s1xhQeOVzA&bvm=bv.68445247,d.cWc
• Jackson, R. (2013). Internal audit in 2020. Retrieved from http://www.theiia.org/intAuditor/feature-articles/2013/december/internal-audit-in-2020/
• Outline of the holistic responsibility for corporate governance [Web Graphic]. Retrieved from http://www.isaca.org/Images/journal/j0905-complinace-mgt1.gif
• Quiet please compliance person at work [Web Graphic]. Retrieved from http://hipaanews.net/files/2010/10/quiet_please_compliance_person_at_work_tshirt-p2359222439750942623gdm_400-300x300.jpg
• Risk management cycle [Web Graphic]. Retrieved from http://www.pharmadirections.com/images/Headers and Graphics/riskmanagement.jpg
• Sun, L. (n.d.). Why is corporate governance important. Retrieved from http://www.businessdictionary.com/article/618/why-is-corporate-governance-important/
• Top issues for audit committees in 2014. (2014). Retrieved from http://deloitte.wsj.com/riskandcompliance/2014/01/10/top-issues-for-audit-committees-in-2014/

Editor's Notes (speaker-note citations by slide number)
• Slide 10: (Jackson, 2013)
• Slide 11: (Jackson, 2013)
• Slide 13: (“Top issues for,” 2014)