IT Audit for non-IT auditors
Cornell Dover, Assistant Auditor General
31 March 2013

2 Overview
- Objectives of IT auditing
- Standards
- Types of audits
- The IT audit environment
- Controls
- IT Governance
- Facilities
- Networks
- Operating systems
- Databases
- Applications
- Computing trends

3 Objective of IT auditing
- To obtain evidence to support an opinion or conclusion that IT controls are designed, implemented and operating effectively

4 Standards
- AICPA/CICA – Assurance Standards
- ISACA – IT Audit and Assurance Standards
- COBIT – IT Control Framework
- ISO27K – Information Security Management
- ISF – Information Security Guidelines
- ITIL – Service Management
- PMBOK – Project Management Standards
- PCI DSS – Data Security Standards

5 Types of audits
- Compliance: a review of an organization's adherence to regulatory guidelines, e.g. SOX, HIPAA, PCI DSS
- Process: an examination of the effectiveness of an organization's procedures; generally done by internal audit
- Outcome: an examination to determine whether programs/projects are generating the intended benefits

6 Understanding the environment
Risk: What is the risk of using IT? How is automation different?
- No paper trail
- No human interaction
- System-generated transactions
- Errors can be pervasive
- Remote access to data

7 Components of the environment
- IT Governance
- Facilities
- Networks
- Operating Systems
- Databases
- Applications

8 Controls
Objectives of controls:
- To mitigate the risk of the organization not meeting its goals and objectives
Types of controls:
- Preventative
- Detective
- Corrective

9 Controls
Areas of controls:
- IT general controls
- Environmental
- Financial
- Operational

10 Controls
Examples of controls:
- All users must be authenticated
- All changes must be approved and verified
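As an added illustration that is not part of the deck, here is one way an auditor might test the second control above against an exported change log. The records and field names are constructed assumptions, and the two extra criteria (approval dated before implementation, approver different from implementer) are common audit tests that the slide does not itself spell out.

```python
# Added example (not from the deck): test the control "all changes must be
# approved and verified" against a change log. Records and field names are
# constructed assumptions; the prior-approval and approver-differs-from-
# implementer criteria are common audit tests the slide does not spell out.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Change:
    change_id: str
    implemented_by: str
    implemented_on: date
    approved_by: Optional[str]    # None = no approval on record
    approved_on: Optional[date]
    verified_by: Optional[str]    # None = no post-implementation verification

# Constructed sample population, not real audit evidence.
CHANGES = [
    Change("CHG-001", "alice", date(2013, 3, 4), "bob",  date(2013, 3, 1), "carol"),
    Change("CHG-002", "alice", date(2013, 3, 5), None,   None,             "carol"),
    Change("CHG-003", "dave",  date(2013, 3, 6), "bob",  date(2013, 3, 8), "carol"),
    Change("CHG-004", "dave",  date(2013, 3, 7), "bob",  date(2013, 3, 6), None),
    Change("CHG-005", "erin",  date(2013, 3, 9), "erin", date(2013, 3, 8), "carol"),
]

def check_change(c: Change) -> List[str]:
    """Return the control exceptions for one change; empty list = control operated."""
    exceptions = []
    if c.approved_by is None or c.approved_on is None:
        exceptions.append("no approval recorded")
    elif c.approved_on > c.implemented_on:
        exceptions.append("approved after implementation")
    if c.approved_by is not None and c.approved_by == c.implemented_by:
        exceptions.append("self-approved")          # approver must differ from implementer
    if c.verified_by is None:
        exceptions.append("no verification recorded")
    return exceptions

def exception_report(changes: List[Change]) -> Dict[str, List[str]]:
    """Map each change that failed the test to its exceptions."""
    return {c.change_id: ex for c in changes if (ex := check_change(c))}

if __name__ == "__main__":
    report = exception_report(CHANGES)
    print(f"{len(CHANGES)} changes tested, {len(report)} with exceptions")
    for change_id, ex in report.items():
        print(f"  {change_id}: {', '.join(ex)}")
```

Each flagged record is a control exception to follow up; a population with no exceptions is evidence that the control operated for the period tested.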

11 IT Governance
- Where most organizations have problems
- Should be included in overall business goals and objectives
- Risk management
- Strategic planning
- Inventory of IT resources
- Classification of data
- Proper policies and procedures

12 Facilities
Used to house computer systems and associated components, e.g.:
- Telecommunications
- Storage systems

13 Facilities
Generally includes:
- Redundant/backup power supplies
- Redundant data communications connections
- Environmental controls (e.g. air conditioning, fire suppression)
- Security devices

14 Facilities
Purpose:
- Central processing area
- Restrict access to computing resources
- Protect computing resources

15 Facilities
Risks:
- Loss of processing due to damage
- Unauthorized access to computer systems and devices

17 Facilities
Controls:
- Authentication
- Logging of user access
- Environmental control systems

18 Networks
- Allow communication between users, resources, etc.
- Consist of an intricate design of hardware and wires: hubs, switches, routers, etc.

19 Networks
Purpose:
- Share information and resources
- Internal communications
- Distributed computing power
- Ease of administration
- Data protection and redundancy

20 Networks
Risks:
- Do the right users have access to the right information and resources?
- Potential for unauthorized access
- Potential for unauthorized disclosure

21 Networks
Controls:
- Authentication (preventive)
- Firewalls (preventive)
- Proper configuration of devices, e.g. port blocking (preventive)
- Intrusion detection systems (detective)
- Logging and monitoring (detective, corrective)

22 Operating systems
- Software that manages computer hardware resources and provides common services for programs and applications
- Vital component of the processing system

23 Operating systems
Purpose:
- Memory management
- User interaction
- Component communication
- File management
- Securing files

24 Operating systems
Risks:
- Unauthorized access to system functions
- Malware
- Inappropriate use of resources
- Damage to files
- Loss of system resources

25 Operating systems
Controls:
- Authentication
- Operating system policies
- Logging and monitoring
- Change management

26 Databases
- An organized collection of records having a standard format designed for efficient retrieval of information, e.g. Access, SQL, Oracle
- Most common type is a relational database

27 Databases
Purpose:
- Organize information
- Store information
- Retrieve information

28 Databases
Risks:
- Do the right users have access to the right information?
- Unauthorized access to records
- Information is not accurate
- Information is missing

29 Databases
Controls:
- Database management system
- Authentication
- Integrity controls: accuracy, completeness, uniqueness
- Logging and monitoring
- Backups

30 Applications
- Program or group of programs designed for end users
- Range from accounting to web apps
- Sit on top of the operating system
- Utilize networks and databases

31 Applications
Purpose:
- Provide a user interface to perform a specific task

32 Applications
Risks:
- Unauthorized access to the application
- Unauthorized access to specific functions
- Collection of inaccurate information
- Inaccurate processing of information
- Omission of key information

33 Applications
Controls:
- Authentication
- Change management
- Software updates
- Logging and monitoring
- Backups

34 Computing trends
- Web applications
- Mobile computing
- Cloud computing
- Bring your own device

35 Questions and contact
Auditor General of British Columbia
8 Bastion Square, Victoria, BC V8V 1X