Presentation is loading. Please wait.

Presentation is loading. Please wait.

Surviving an IT Audit: Five Lessons Learned Merritt Maxim CA Inc.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Surviving an IT Audit: Five Lessons Learned Merritt Maxim CA Inc."— Presentation transcript:

1

2 Surviving an IT Audit: Five Lessons Learned Merritt Maxim CA Inc.

3 IT Audit Background An IT audit should focus on determining risks that are relevant to information assets, and assess controls in order to reduce or mitigate these risks IT Audit generally covers: Hardware, operating systems, network, security In addition, there are specialized audits for applications: Application audits review controls in 3 rd party, custom and home-grown software

4 IT Audits are Crucial Survey of SOX filers who reported “material weaknesses,” IT controls was the lead culprit IT controls (27%) Revenue (18%) Taxes (11%) Financial reporting and close (10%) Of respondents who reported a material weaknesses, what was source of material weakness?

5 Lesson #1: Implement a Fixed Audit Schedule and Stick to it McAfee IT Audit Survey (spring 2008) Approx. 25% of respondents ran audits on an ad-hoc basis Why? Relying on informal ad-hoc IT audits almost guarantees that audits will always receive lower priority against other projects Fixed schedule instill discipline in organization Alignment of IT audits with financial audits can identify and remediate items of mutual interest Fixed audit schedule enables better project and budget planning No missed audits because of budget overruns

6 Lesson #2: Automate Wherever Possible Data collection McAfee IT Audit Survey-spring 2008 50%+ of respondents still using spreadsheets for collection Control Testing Why? Increase operational inefficiency Reduce time and effort for testing High effort and unplanned work around audits indicated a poorly- controlled environment Increase accuracy Builds repeatable and more sustainable processes Reduces the impact of future IT audits Automation is one area where technology can yield big benefits

7 Lesson #3: Utilize Existing Frameworks Aim to map IT controls against multiple regulations to a foundational standard ISO 27001 is a good example Seek single and comprehensive policies that can apply across regulations Why? Consolidates the number of required separate audits Test controls once, but have test apply against multiple regulations Generates substantial compliance savings

8 Lesson #4: Adopt Risk Based Approach Utilize risk assessments to: To identify the level of uncontrolled risk To appraise an organization’s internal controls Leveraging risk and control objectives Group similar controls together Why? Prioritize which areas should be reviewed 1 st Even if single control fails, you can prove that: “I'm still adequately managing this risk" or “I'm achieving the overall objective of this control."

9 Lesson #5: Track Regulatory Environment External environment is dynamic Regulations are updated/modified Tracking changes (and the impact on your organization) takes time & $$ Why? Want agility to adjust to changes Do not want to get caught off guard

10 Thank You Merritt.maxim@ca.com 508-628-8597

Download ppt "Surviving an IT Audit: Five Lessons Learned Merritt Maxim CA Inc."

Similar presentations

Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
Life Science Services and Solutions

Life Science Services and Solutions
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Primary Benefit Types Value Discipline Benefits – Operating Excellence Reduce Cost Reduce Risk – Product Leadership Increase Revenue – Customer Intimacy.

Primary Benefit Types Value Discipline Benefits – Operating Excellence Reduce Cost Reduce Risk – Product Leadership Increase Revenue – Customer Intimacy.
Change Management (with an IT perspective). MBA2004222 Statement of Objective The object of undergoing this study-project is to develop an understanding.

Change Management (with an IT perspective). MBA Statement of Objective The object of undergoing this study-project is to develop an understanding.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
©2006 OLC 1 Process Management: The Foundation for Achieving Organizational Excellence Process Management Implementation Worldwide.

©2006 OLC 1 Process Management: The Foundation for Achieving Organizational Excellence Process Management Implementation Worldwide.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Date: 03/05/2007 Vendor Management and Metrics. 2 A.T. Kearney X/mm.yyyy/00000 AT Kearney’s IT/Telecom Vendor Facts IT/Telecom service, software and equipment.

Date: 03/05/2007 Vendor Management and Metrics. 2 A.T. Kearney X/mm.yyyy/00000 AT Kearney’s IT/Telecom Vendor Facts IT/Telecom service, software and equipment.
Copyright © 2007 Advantica Inc. (USA Only) and Advantica Ltd. (Outside USA). All rights reserved by the respective owner. Benefits of an Integrated Compliance.

Copyright © 2007 Advantica Inc. (USA Only) and Advantica Ltd. (Outside USA). All rights reserved by the respective owner. Benefits of an Integrated Compliance.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Policies and Implementation Issues.

© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Euseden INTERNAL AUDIT & ASSURANCE SERVICES.

Euseden INTERNAL AUDIT & ASSURANCE SERVICES.
Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.

Click to add text © 2010 IBM Corporation OpenPages Solution Overview Mark Dinning Principal Solutions Consultant.
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-
IT ASSET MANAGEMENT (From Booz-Allen & Hamilton).

IT ASSET MANAGEMENT (From Booz-Allen & Hamilton).
Improving effectiveness of your tax operations 10 May 2012 CHARLOTTE RUSHTON MANAGING DIRECTOR, ASIA PACIFIC.

Improving effectiveness of your tax operations 10 May 2012 CHARLOTTE RUSHTON MANAGING DIRECTOR, ASIA PACIFIC.
Chicagoland IASA Spring Conference

Chicagoland IASA Spring Conference
The Integration Story: Rational Quality Manager / Team Foundation Server / Quality Center Introductions This presentation will provide an introduction.

The Integration Story: Rational Quality Manager / Team Foundation Server / Quality Center Introductions This presentation will provide an introduction.

Similar presentations

Ads by Google