IT Security
Presented by: Trisha Craig and Don Elsner, Principal Auditors – IT Audit, Duke University
All Rights Reserved, Duke Medicine 2007

Presentation transcript:


Agenda
- Stakeholders
- What is “Internal Audit”
- Office of Internal Audits
- Information Technology Audit
- Audit Process and IT Audits
- IT Controls
- SOM Compliance Review Audit Scope

Stakeholders
- Board of Directors
- Audit Committee
- Senior Management
- External Audit
- Internal Audit
- Audit Clients

Stakeholder Roles
Joint effort:
- Board of Directors – determines and approves strategies, sets objectives and ensures the objectives are being met.
- Audit Committee – responsible for overseeing the internal control structure (operations, compliance, and financial reporting).
- Senior Management – defines, develops, implements, and documents the internal control structure.
- External Audit – attests to the fair statement of financial results.
- Internal Audit – validates the internal control structure by analyzing the effectiveness of internal controls.

Definition of Internal Audit
Institute of Internal Auditors (IIA) Standard:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Duke Office of Internal Audits

IT Audit Role
- Advising the Audit Committee and senior management on IT internal control issues
- Performing IT Risk Assessments
- Performing:
  – Institutional Risk Area Audits
  – General Controls Audits
  – Application Controls Audits
  – Technical IT Controls Audits
- Serving as internal controls advisors during systems development and analysis activities

IT Audit Process
Words that come to mind when you hear “Audit”: Proctology, Chinese Water Torture, Root Canal.
You may be wondering "why me?" Understanding the reasons for an audit and the process involved can help alleviate your fears.
The audit process is generally a ten-step procedure:
1. Notification & Request for Preliminary Information
2. Planning
3. Opening Meeting
4. Fieldwork
5. Communication
6. Draft Report
7. Management Responses
8. Closing Meeting
9. Report Distribution
10. Follow-up

IT Controls – General Controls
IT Concerns and Issues:
- Disaster Recovery
  – Business Resumption Plans (BRP)
  – BRP Testing
  – Alternate Processing
- Physical Security
  – Physical Access
  – HVAC
  – Fire Protection
  – UPS
- Backup/Contingency Planning
  – Data Backups
  – Restore Procedures
  – Offsite Storage
- Change Management
  – Program Change Controls
  – Tracking
  – Change Approvals
- Logical Access
  – Process to grant, change and remove access to network, application and database

IT Controls – Application Controls
IT Concerns and Issues:
- Input Controls
  – Data Entry Controls
  – System Edits
  – Segregation of Duties
  – Transaction Authorization
- Processing Controls
  – Audit Trails
  – Interface Controls
  – Control Totals
- Output Controls
  – Reconciliation
  – Distribution
  – Access
- Access Controls
  – User-IDs/Passwords
  – Data Security – regulations
  – Network Security
  – Security Administration
  – Access Authorization
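The input, processing and output controls on this slide, as an added worked example that is not from the presentation: a small batch-posting routine in Python that applies system edits to each record, enforces transaction authorization with segregation of duties (the approver must not be the submitter), checks control totals against the batch header before anything posts, reconciles posted plus rejected amounts back to the header, and keeps a hash-chained audit trail that a reviewer can verify. The batch header, transaction records and user names are all constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import hashlib
import json

# Constructed batch header (not from the slides): the control totals the sending
# system claims, which the application must reproduce before posting anything.
BATCH_HEADER = {"batch_id": "B-001", "record_count": 3, "amount_total": "450.00"}

# Constructed transactions as they would arrive from a file: every field is a string.
RAW_RECORDS = [
    {"txn_id": "T001", "account": "1001", "amount": "100.00", "submitted_by": "alice", "approved_by": "bob"},
    # Submitter approved her own transaction: segregation-of-duties failure.
    {"txn_id": "T002", "account": "1002", "amount": "150.00", "submitted_by": "alice", "approved_by": "alice"},
    # Account fails the system edit (must be four digits).
    {"txn_id": "T003", "account": "10A3", "amount": "200.00", "submitted_by": "carol", "approved_by": "bob"},
]


@dataclass
class BatchResult:
    posted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (record, reasons)
    errors: list = field(default_factory=list)     # batch-level control-total failures
    audit_trail: list = field(default_factory=list)
    reconciled: bool = False


def amount_of(rec):
    """Parse the amount field; an unparsable amount counts as zero for totals."""
    try:
        return Decimal(rec.get("amount", ""))
    except InvalidOperation:
        return Decimal("0")


def record_edits(rec):
    """Input controls: system edits plus transaction authorization. Returns rejection reasons."""
    reasons = []
    account = rec.get("account", "")
    if not (account.isdigit() and len(account) == 4):
        reasons.append("account must be 4 digits")
    try:
        if Decimal(rec.get("amount", "")) <= 0:
            reasons.append("amount must be positive")
    except InvalidOperation:
        reasons.append("amount is not a number")
    if not rec.get("approved_by"):
        reasons.append("missing approval")
    elif rec["approved_by"] == rec.get("submitted_by"):
        reasons.append("approver must differ from submitter")
    return reasons


def control_total_errors(header, records):
    """Processing controls: recompute record count and amount total and compare to the header."""
    errors = []
    if len(records) != header["record_count"]:
        errors.append(f"record_count {len(records)} != header {header['record_count']}")
    total = sum((amount_of(r) for r in records), Decimal("0"))
    if total != Decimal(header["amount_total"]):
        errors.append(f"amount_total {total} != header {header['amount_total']}")
    return errors


def append_audit(trail, event):
    """Audit trail: each entry hashes the previous one, so edits or deletions show up on review."""
    prev = trail[-1]["entry_hash"] if trail else "0" * 64
    digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
    trail.append({**event, "prev_hash": prev, "entry_hash": digest})


def verify_audit_trail(trail):
    """Recompute the chain; False if any entry was altered, inserted or removed."""
    prev = "0" * 64
    for entry in trail:
        event = {k: v for k, v in entry.items() if k not in ("prev_hash", "entry_hash")}
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        if entry["prev_hash"] != prev or entry["entry_hash"] != digest:
            return False
        prev = digest
    return True


def process_batch(header, records):
    result = BatchResult()
    result.errors = control_total_errors(header, records)
    append_audit(result.audit_trail, {"event": "batch_received", "batch_id": header["batch_id"], "errors": result.errors})
    if result.errors:
        return result   # nothing posts from a batch whose totals disagree with its header
    for rec in records:
        reasons = record_edits(rec)
        if reasons:
            result.rejected.append((rec, reasons))
            append_audit(result.audit_trail, {"event": "rejected", "txn_id": rec["txn_id"], "reasons": reasons})
        else:
            result.posted.append(rec)
            append_audit(result.audit_trail, {"event": "posted", "txn_id": rec["txn_id"], "approved_by": rec["approved_by"]})
    # Output controls: posted plus rejected amounts must reconcile to the header total.
    posted = sum((amount_of(r) for r in result.posted), Decimal("0"))
    rejected = sum((amount_of(r) for r, _ in result.rejected), Decimal("0"))
    result.reconciled = posted + rejected == Decimal(header["amount_total"])
    append_audit(result.audit_trail, {"event": "reconciled", "posted": str(posted), "rejected": str(rejected), "ok": result.reconciled})
    return result
```

Running `process_batch(BATCH_HEADER, RAW_RECORDS)` posts T001 only, rejects T002 (self-approval) and T003 (bad account), and still reconciles because rejected amounts are carried to the output check; feeding the same header with a record missing fails the count and amount totals and nothing posts. The ordering matters for the auditor: control totals are checked on the whole batch before any per-record edit runs, so a transmission loss cannot be masked by partial posting.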

Audit Approach for SOM Compliance Review
- PI interviews (What and Where)
- IT Support Staff interviews (GCC)
- eIRB (RDSP) & ISOP review

General Computer Controls Review
- IT Administration – policies and procedures
- Logical Access: Evaluate and assess the process of granting, removing and changing access rights for systems, applications, databases and infrastructure (including but not limited to assessing segregation of duties and logging)
- Computer Operations: Evaluate and assess backup processes, job scheduling, patch management, system availability and disaster recovery planning/testing
- Vendor Management: Review of 3rd party access, contracts and IT responsibilities, Business Associate Agreement (BAA)
- Physical Security and Data Center Environmental Controls
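An added example (not from the presentation) of the logical-access tests on this slide expressed as a review script: it replays a constructed access-change log against an HR roster and an entitlement export and reports grants with no approval, grants approved by their own requester, terminated people whose access was not removed within an assumed one-day SLA, live access that no grant record explains (a logging gap), and segregation-of-duties conflicts between the roles a person actually holds. The roster, log, export, role names and conflict matrix are all constructed.

```python
from datetime import date, timedelta

# All data below is constructed for the example (not from the presentation).
# HR roster: who is employed and when anyone left.
ROSTER = {
    "alice": {"status": "active", "term_date": None},
    "bob": {"status": "terminated", "term_date": date(2007, 3, 1)},
    "carol": {"status": "active", "term_date": None},
    "dave": {"status": "active", "term_date": None},
}

# Access-change log from the identity/ticketing system, one row per action.
ACCESS_LOG = [
    {"user": "alice", "system": "ERP", "role": "ap_entry", "action": "grant", "requested_by": "alice", "approved_by": "mgr1", "date": date(2007, 1, 10)},
    {"user": "alice", "system": "ERP", "role": "ap_approve", "action": "grant", "requested_by": "alice", "approved_by": "mgr1", "date": date(2007, 2, 5)},
    {"user": "bob", "system": "ERP", "role": "gl_post", "action": "grant", "requested_by": "mgr2", "approved_by": "mgr2", "date": date(2006, 11, 1)},
    {"user": "carol", "system": "LIMS", "role": "admin", "action": "grant", "requested_by": "carol", "approved_by": None, "date": date(2007, 4, 2)},
    {"user": "dave", "system": "ERP", "role": "ap_entry", "action": "grant", "requested_by": "dave", "approved_by": "mgr1", "date": date(2007, 1, 15)},
    {"user": "dave", "system": "ERP", "role": "ap_entry", "action": "remove", "requested_by": "mgr1", "approved_by": "mgr1", "date": date(2007, 3, 20)},
]

# Entitlement export pulled from each system: (user, system, role) that is live today.
ENTITLEMENT_EXPORT = {
    ("alice", "ERP", "ap_entry"), ("alice", "ERP", "ap_approve"),
    ("bob", "ERP", "gl_post"), ("carol", "LIMS", "admin"),
    ("erin", "ERP", "gl_post"),   # no grant record and no HR record
}

# Assumed conflict matrix: role pairs one person must not hold together.
SOD_CONFLICTS = [frozenset({"ap_entry", "ap_approve"}), frozenset({"gl_post", "ap_approve"})]
REMOVAL_SLA_DAYS = 1          # assumed: access removed within one day of termination
AS_OF = date(2007, 5, 1)      # review date for the constructed data


def current_access_from_log(log):
    """Replay grants and removals in date order: what the log says should be live."""
    live = set()
    for e in sorted(log, key=lambda e: e["date"]):
        key = (e["user"], e["system"], e["role"])
        if e["action"] == "grant":
            live.add(key)
        elif e["action"] == "remove":
            live.discard(key)
    return live


def review_access(roster, log, export, as_of):
    """Return (finding, user, detail) tuples for the logical-access tests."""
    findings = []
    # Grant process: every grant needs an approver, and not the requester.
    for e in log:
        if e["action"] != "grant":
            continue
        detail = f"{e['system']}:{e['role']}"
        if not e["approved_by"]:
            findings.append(("missing_approval", e["user"], detail))
        elif e["approved_by"] == e["requested_by"]:
            findings.append(("self_approved_grant", e["user"], detail))
    # Removal process: terminated or unknown people must not hold live access.
    for user, system, role in sorted(export):
        detail = f"{system}:{role}"
        person = roster.get(user)
        if person is None:
            findings.append(("not_in_roster", user, detail))
        elif person["status"] == "terminated" and as_of - person["term_date"] > timedelta(days=REMOVAL_SLA_DAYS):
            findings.append(("terminated_user_with_access", user, detail))
    # Logging: live access must trace to a grant record, and vice versa.
    logged = current_access_from_log(log)
    for user, system, role in sorted(export - logged):
        findings.append(("access_without_grant_record", user, f"{system}:{role}"))
    for user, system, role in sorted(logged - export):
        findings.append(("grant_record_without_access", user, f"{system}:{role}"))
    # Segregation of duties over the roles each person actually holds, across systems.
    roles_by_user = {}
    for user, _system, role in export:
        roles_by_user.setdefault(user, set()).add(role)
    for user, roles in sorted(roles_by_user.items()):
        for pair in SOD_CONFLICTS:
            if pair <= roles:
                findings.append(("sod_conflict", user, "+".join(sorted(pair))))
    return findings


if __name__ == "__main__":
    for finding in review_access(ROSTER, ACCESS_LOG, ENTITLEMENT_EXPORT, AS_OF):
        print(*finding)
```

The test is deliberately run from the entitlement export rather than from the log alone: the log shows what was requested and approved, the export shows what is actually live, and the interesting findings (bob's stale access, erin's orphan account) are exactly the differences between the two. Dave, whose access was granted with approval and then removed on time, produces no finding.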

Hotlines

Resources

Questions?