Surviving an IT Audit: Five Lessons Learned Merritt Maxim CA Inc.

IT Audit Background
- An IT audit should focus on determining the risks that are relevant to information assets, and assess controls in order to reduce or mitigate those risks.
- An IT audit generally covers hardware, operating systems, network and security.
- In addition, there are specialized audits for applications: application audits review controls in third-party, custom and home-grown software.

IT Audits are Crucial
In a survey of SOX filers who reported "material weaknesses", IT controls was the lead culprit. Of respondents who reported a material weakness, the source of the weakness was:
- IT controls (27%)
- Revenue (18%)
- Taxes (11%)
- Financial reporting and close (10%)

Lesson #1: Implement a Fixed Audit Schedule and Stick to It
- McAfee IT Audit Survey (spring 2008): approx. 25% of respondents ran audits on an ad-hoc basis.
Why?
- Relying on informal, ad-hoc IT audits almost guarantees that audits will always receive lower priority than other projects.
- A fixed schedule instills discipline in the organization.
- Aligning IT audits with financial audits can identify and remediate items of mutual interest.
- A fixed audit schedule enables better project and budget planning: no missed audits because of budget overruns.

Lesson #2: Automate Wherever Possible
- Data collection: McAfee IT Audit Survey (spring 2008): (figure missing from the slide) of respondents were still using spreadsheets for collection.
- Control testing.
Why?
- Increases operational efficiency: reduces the time and effort needed for testing. High effort and unplanned work around audits indicates a poorly controlled environment.
- Increases accuracy.
- Builds repeatable and more sustainable processes, which reduces the impact of future IT audits.
- Automation is one area where technology can yield big benefits.

Lesson #3: Utilize Existing Frameworks
- Aim to map the IT controls required by multiple regulations to a single foundational standard; ISO is a good example.
- Seek single, comprehensive policies that can apply across regulations.
Why?
- Consolidates the number of separate audits required.
- Test a control once, and have that test apply against multiple regulations.
- Generates substantial compliance savings.

Lesson #4: Adopt a Risk-Based Approach
- Utilize risk assessments to identify the level of uncontrolled risk and to appraise an organization's internal controls.
- Leverage risk and control objectives: group similar controls together.
Why?
- Prioritizes which areas should be reviewed first.
- Even if a single control fails, you can prove that "I'm still adequately managing this risk" or "I'm achieving the overall objective of this control."

Lesson #5: Track the Regulatory Environment
- The external environment is dynamic: regulations are updated and modified.
- Tracking changes (and their impact on your organization) takes time and money.
Why?
- You want the agility to adjust to changes.
- You do not want to be caught off guard.

Thank You