Information Technology Controls
Presented by: Brian Christian
Introduction
- Support business management
- Provide general and technical controls over the policies, processes, systems, and people that make up the IT infrastructure
- Essential for reliability
Structure of IT Auditing
Understanding Controls
- Classified by scope: General, Application
- Classified by purpose in the overall system of internal controls: Preventive, Detective, Corrective
- Classified by the group responsible for ensuring implementation and maintenance: Governance, Management, Technical
IT Controls Hierarchy
- Define aims and objectives
- Define ways of working
Organization and Management
- Segregation of duties
  - Initiating, authorizing, inputting, processing and checking data: keep separate!
  - IT environment: systems development and operations: keep separate!
- Financial controls
- Identify potential failings early on
- Change management
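The two separations on this slide can be checked mechanically against the duties a person actually holds once all of their roles are combined. The following is an added example, not part of the presentation; the role names, duties and users are constructed sample data, and the two duty sets encode the slide's separations.

```python
from itertools import combinations

# Duties the slide says must be held by different people: any two duties
# from the same set held by one person is a segregation-of-duties conflict.
SEPARATED_DUTY_SETS = (
    frozenset({"initiate", "authorize", "input", "process", "check"}),
    frozenset({"development", "operations"}),
)

# Constructed sample data: each role and the duties it grants.
ROLE_DUTIES = {
    "ap_clerk": {"initiate", "input"},   # conflicting on its own
    "ap_approver": {"authorize"},
    "reconciler": {"check"},
    "developer": {"development"},
    "sysadmin": {"operations"},
}


def effective_duties(roles, role_duties=ROLE_DUTIES):
    """Union of the duties granted by all of a user's roles (unknown roles grant nothing)."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_conflicts(duties):
    """Sorted list of conflicting duty pairs present in one person's effective duties."""
    conflicts = []
    for group in SEPARATED_DUTY_SETS:
        held = sorted(duties & group)
        conflicts.extend(combinations(held, 2))
    return sorted(conflicts)


def review_assignments(user_roles, role_duties=ROLE_DUTIES):
    """Detective control: map each user to the conflicts their combined roles create."""
    findings = {}
    for user, roles in user_roles.items():
        conflicts = sod_conflicts(effective_duties(roles, role_duties))
        if conflicts:
            findings[user] = conflicts
    return findings


if __name__ == "__main__":
    # Constructed sample: alice's two roles are fine alone but conflict together.
    users = {"alice": ["ap_approver", "reconciler"], "bob": ["developer", "sysadmin"],
             "carol": ["reconciler"], "dave": ["ap_clerk"]}
    for user, conflicts in review_assignments(users).items():
        print(f"{user}: {conflicts}")
```

A review like this is a detective control over access provisioning; the preventive counterpart is refusing a role grant when the resulting effective duties would conflict.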
IT Controls Hierarchy (continued)
- Specific application systems: protect from damage
- Generic application controls: input, processing, output, integrity, management trail
- Protect from damage or loss
- Controlled method for development
- Configuration techniques
Security and Importance of Controls
- Information security: confidentiality, integrity, availability
- Importance of IT controls:
  - Controlling costs and remaining competitive
  - Protecting against information theft
  - Complying with legislation (e.g., SOX)
Analyzing Risks
- Risk and response: IT controls are selected and implemented based on the risks they are designed to manage
- Adequacy of controls?
- Risk mitigation options: accept, eliminate, share, control
Monitoring and Assessing Controls
- Choosing a framework
- Monitoring IT controls: ongoing; special reviews
- Assessing controls: audit methodology; testing IT controls and continuous assurance
Summary
- Multiple types of controls: General and Application; PDC (Preventive, Detective, Corrective); Governance, Management, Technical
- Continuous, reliable assurance and a trail of evidence
- Controlling, protecting and complying
- Risk assessment
- Monitoring is critical
Questions?