IT auditing in practice. Marc Verdonk, Eindhoven, November 27th 2008.

Agenda
- Introduction
- Typical activities
- Client case
- OnLine Auditing Tool

Introduction - Background
Education:
- Computer Science, Utrecht University (M.Sc.); thesis: Continuous Assurance
- Post-master IT auditing, VU Amsterdam (RE)
- Certified Information Systems Auditor (CISA)
- Certified Information Systems Security Professional (CISSP)
Work:
- Deloitte Enterprise Risk Services, Senior Manager
- Consumer Business industry, but has seen most industries over the past few years
- ... and of course AIO (PhD candidate) at TU/e

The two lies of the profession...

Typical activities
Audit / Assurance:
- Integrated Audit
- Internal Audit
- Operational Audit
- Project Audit / Quality Assurance
- Pre- or post-implementation review
- Special audit assignments
Advice / Implementation:
- Security & Controls
- Identity Management
- Risk Management
- Governance, Risk and Compliance
- ...
Forensic: fraud detection

Client Case – Our Assignment
- Integrated Audit: Financial Auditor & IT Auditor
- The IT auditor provides assurance to the financial auditor
- The financial auditor provides assurance to the client's stakeholders
- Standard question of the financial auditor to the IT auditor: Can we rely on the information processed in the client's systems?
- Why do they ask this question?
- After we have answered this question, there may be additional questions

Client Case – Description of the Client: Business Perspective
- Consumer Business – Food sector
- Many strong brands
- Annual turnover € 8 Bn
- Multinational, headquartered in The Netherlands
- Strong in Europe, Middle East, Africa (EMEA) and Asia Pacific (APAC)
- Local market strategy translated into a 'decentral, unless...' policy
- Organized in a corporate organization and many Operating Companies (OpCos) with different product and market focus

Client Case – Description of the Client: IT Perspective
- Highly automated processes, complex landscape
- IT classification: dominant
- Main ERP: SAP
- Corporate ICT
- Shared ICT: The Netherlands (100 FTE): SAP EMEA, global infrastructure operations; Thailand (20 FTE): SAP APAC
- Getronics/KPN providing hosting services for all IT
- Business Information Managers at the OpCo level
- Customer Council: organizes supply and demand

Client Case – Scoping
Going back to the initial question: Can we rely on the information processed in the client's systems?
1. Understand which information is relevant for the financial auditor's scope: Balance Sheet / Profit & Loss, materiality
2. Determine the systems in scope: SAP and the HR system (outsourced)
3. Determine the landscape: SAP, Oracle database, Unix server, network infrastructure

Client Case – Phased Approach
- Start with an audit of the General Computer Controls (GCC): Operations, Information Security, Change Management
- Then audit selected Application Controls

Client Case – General Computer Controls
Audit of the General Computer Controls (GCC): Operations, Information Security, Change Management
1. Create a control framework and tailor it to the specific situation
2. Perform tests of Design and Implementation; techniques: review documentation, interviews, perform walkthroughs
3. Perform tests of Operating Effectiveness; technique: systematic sampling
4. Document findings, factual approval (agree the facts with the auditee), judgment → go / no-go decision
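A worked illustration of step 3, a test of operating effectiveness by systematic sampling, applied to the change-management control. This is an added example and not part of the presentation: the ticket fields, the control attributes tested, the population of 60 constructed changes and the sample size of 25 are all assumptions made for the illustration, not sizing rules or client data from the slides.

```python
"""Test of operating effectiveness for the change-management control:
draw a systematic sample from the change population, then evaluate every
sampled change against the control attributes the auditor expects.

Added example; ticket layout, attributes and population are assumptions.
"""
import random
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Change:
    ticket: str
    approved: Optional[date]   # date of documented approval; None = none on file
    tested: bool               # test evidence attached to the ticket?
    released: date             # date the change went live (transport import)
    direct_in_prod: bool       # made directly in production, bypassing transports


def systematic_sample(population: Sequence, n: int, seed: Optional[int] = None,
                      start: Optional[int] = None) -> Tuple[int, int, list]:
    """Select n items at a fixed interval k = N // n from a start in [0, k).

    Returns (start, interval, items) so the selection can be recorded in the
    workpapers and re-drawn later; pass `start` to reproduce a recorded draw.
    If n >= N the whole population is returned (nothing left to sample).
    """
    size = len(population)
    if n <= 0:
        raise ValueError("sample size must be positive")
    if n >= size:
        return 0, 1, list(population)
    k = size // n
    if start is None:
        start = random.Random(seed).randrange(k)
    if not 0 <= start < k:
        raise ValueError(f"start must lie in [0, {k})")
    # start + (n-1)*k <= (k-1) + (n-1)*k = n*k - 1 < size, so no index overflow
    return start, k, [population[start + i * k] for i in range(n)]


def exceptions(change: Change) -> List[str]:
    """Control attributes a sampled change must satisfy; returns the failures."""
    found = []
    if change.approved is None:
        found.append("no documented approval")
    elif change.approved > change.released:
        found.append("approved after release")
    if not change.tested:
        found.append("no test evidence")
    if change.direct_in_prod:
        found.append("changed directly in production")
    return found


def operating_effectiveness(population: Sequence[Change], n: int,
                            seed: Optional[int] = None,
                            start: Optional[int] = None) -> dict:
    """Sample, test each sampled item, and report the deviations per ticket."""
    start, k, sample = systematic_sample(population, n, seed, start)
    deviations = {c.ticket: exc for c in sample if (exc := exceptions(c))}
    return {"start": start, "interval": k, "tested": len(sample),
            "deviations": deviations}


def build_population() -> List[Change]:
    """Constructed population of 60 changes, 3 of which breach the control."""
    pop = []
    for i in range(1, 61):
        req = date(2008, 1, 1) + timedelta(days=4 * i)
        pop.append(Change(f"CHG-{i:04d}", req + timedelta(days=2), True,
                          req + timedelta(days=5), False))
    pop[7] = replace(pop[7], approved=None)                      # CHG-0008
    pop[23] = replace(pop[23], tested=False)                     # CHG-0024
    pop[40] = replace(pop[40], direct_in_prod=True,              # CHG-0041
                      approved=pop[40].released + timedelta(days=3))
    return pop


if __name__ == "__main__":
    result = operating_effectiveness(build_population(), 25, seed=2008)
    print(f"sampled {result['tested']} of 60 changes, interval "
          f"{result['interval']}, start {result['start']}")
    for ticket, why in result["deviations"].items():
        print(ticket, "->", "; ".join(why))
```

The start position is recorded together with the interval because a sample that cannot be reproduced cannot be re-performed by a reviewer; whether a deviation found in the sample leads to a "no go" on relying on the control is the judgment in step 4 and is deliberately not encoded here.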

Client Case – General Computer Controls – Typical Findings
In general:
- No policies available
- Processes and procedures not documented
Information security:
- Uncontrolled use of super users, administrators, developers
- Default passwords
- External parties on the system
- Group policies overridden for individual users
- Failing user provisioning
Change management:
- Testing of changes
- Changes processed directly in production
- Lack of impact analysis
Operations:
- Testing of backup and restore
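A second added example (not from the presentation) showing how the information-security findings above become repeatable checks over a user/role export. The export layout, the account names, the dates and the 90-day dormancy threshold are assumptions constructed for the example; the accounts SAP*, DDIC, EARLYWATCH and TMSADM are real SAP standard accounts that ship with well-known default passwords, but an export cannot show whether those passwords were changed, so the check only flags unlocked standard accounts for follow-up rather than claiming a default password is in use.

```python
"""Access-review checks behind the 'Information security' findings:
super users, standard accounts, external parties and failing provisioning,
run over a constructed user/role export as of the review date.

Added example; export layout, accounts, dates and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

AS_OF = date(2008, 11, 27)  # review date (assumption)
# SAP composite profiles that grant every authorization; a real review would
# add whichever client-specific "super user" roles exist.
POWER_PROFILES = frozenset({"SAP_ALL", "SAP_NEW"})
# Accounts shipped with SAP that have well-known default passwords.
STANDARD_ACCOUNTS = frozenset({"SAP*", "DDIC", "EARLYWATCH", "TMSADM"})
DORMANT_DAYS = 90  # assumption: inactivity threshold from the control framework


@dataclass(frozen=True)
class User:
    name: str
    user_type: str                 # "DIALOG" (person) or "SYSTEM" (background/RFC)
    profiles: FrozenSet[str]
    locked: bool
    external: bool                 # third-party / vendor account
    contract_end: Optional[date]   # for external accounts
    last_login: Optional[date]     # None = never logged in
    hr_active: bool                # still an active employee per the HR system


def review(users: List[User], as_of: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; an account is usable when not locked."""
    findings = []
    for u in users:
        power = u.profiles & POWER_PROFILES
        # Standard accounts hold SAP_ALL by design; for them the question is
        # whether they are locked, handled below.
        if power and u.user_type == "DIALOG" and u.name not in STANDARD_ACCOUNTS:
            findings.append((u.name, "dialog user holds " + ", ".join(sorted(power))))
        if u.locked:
            continue  # the remaining checks only matter for usable accounts
        if u.name in STANDARD_ACCOUNTS:
            findings.append((u.name, "standard account unlocked; verify default password changed"))
        if u.external and u.contract_end is not None and u.contract_end < as_of:
            findings.append((u.name, "external party account active after contract end"))
        if (u.user_type == "DIALOG" and not u.external
                and u.name not in STANDARD_ACCOUNTS and not u.hr_active):
            findings.append((u.name, "leaver still provisioned"))
        if u.last_login is None:
            if u.user_type == "DIALOG":
                findings.append((u.name, "never logged in"))
        elif (as_of - u.last_login).days > DORMANT_DAYS:
            findings.append((u.name, f"dormant for more than {DORMANT_DAYS} days"))
    return findings


def sample_export() -> List[User]:
    """Constructed export, not client data: one account per finding type."""
    d = date
    return [
        User("SAP*", "DIALOG", frozenset({"SAP_ALL"}), False, False, None, d(2008, 11, 1), True),
        User("DDIC", "DIALOG", frozenset({"SAP_ALL"}), True, False, None, d(2008, 3, 1), True),
        User("JDOE", "DIALOG", frozenset({"SAP_ALL", "Z_FI_CLERK"}), False, False, None, d(2008, 11, 20), True),
        User("ZBATCH", "SYSTEM", frozenset({"SAP_ALL"}), False, False, None, d(2008, 11, 26), True),
        User("VENDOR1", "DIALOG", frozenset({"Z_BASIS_SUPPORT"}), False, True, d(2008, 6, 30), d(2008, 6, 15), True),
        User("ASMITH", "DIALOG", frozenset({"Z_FI_CLERK"}), False, False, None, d(2008, 11, 25), False),
        User("MJONES", "DIALOG", frozenset({"Z_SD_SALES"}), False, False, None, d(2008, 5, 1), True),
        User("NEWHIRE", "DIALOG", frozenset({"Z_SD_SALES"}), False, False, None, None, True),
    ]


if __name__ == "__main__":
    for account, finding in review(sample_export(), AS_OF):
        print(f"{account:8s} {finding}")
```

Two design points carry over to real reviews: the leaver check needs the HR system as an independent source (which is why it is in scope on the scoping slide even though it is outsourced), and a system account holding SAP_ALL (ZBATCH) is not flagged by this check but would still be examined in the walkthrough, since the slide's "uncontrolled use" finding is about who can use the account, not its type.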

Client Case – Application Controls
What is the relevance of application controls for the audit if the GCCs are unreliable?

©2008 Deloitte. All rights reserved. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity.