Michael Romeu-Lugo MBA, CISA February 27, 2017

1 IT Audit Process

3 Entity-level Controls, Application Controls and IT General Controls
Layers: Executive Management; Business Processes (Finance, Manufacturing, Logistics, etc.); IT Services (OS/Data/Telecom/Continuity/Networks).

Entity-level Controls
Entity-level controls set the tone and culture of the enterprise. IT entity-level controls are part of a company's overall control environment. Controls include:
- Strategies and plans
- Policies and procedures
- Risk assessment activities
- Training and education
- Quality assurance
- Internal audit

Application Controls
Controls embedded within business process applications directly support financial control objectives. Such controls can be found in most financial applications, including large systems such as SAP and Oracle as well as small systems such as Sage 300 ERP. Control objectives/assertions include:
- Completeness
- Accuracy
- Existence/authorization
- Presentation/disclosure

IT General Controls
Controls embedded within IT processes that provide a reliable operating environment and support the effective operation of application controls. Controls include:
- Program development
- Program changes
- Access to programs and data
- Computer operations

4 Significant Accounts in the Financial Statements
Financial statements: Balance Sheet, Income Statement, Cash Flow, Notes
Business processes / classes of transactions: Accounts Receivable, Accounts Payable, Purchasing
Financial applications (Application A, Application B, Application C), with application control objectives: Accurate, Complete, Exist/Authorized, Presented/Disclosed
IT general controls: Access to Programs and Data, Program Development, Program Changes, Computer Operations
IT infrastructure services: Database, Operating System, Network/Physical

5 AnyBook Store, Inc. – Order-to-Cash
Context Diagram

6 AnyBook Store, Inc. – Order-to-Cash
Data Flow Diagram Level 0

7 Processes for Governance and Management of Enterprise IT (COBIT 5 process reference model)
Process for Governance of Enterprise IT: Evaluate, Direct and Monitor (EDM)
- EDM01 Ensure Governance Framework Setting and Maintenance
- EDM02 Ensure Benefits Delivery
- EDM03 Ensure Risk Optimisation
- EDM04 Ensure Resource Optimisation
- EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT
Align, Plan and Organise (APO)
- APO01 Manage the IT Management Framework
- APO02 Manage Strategy
- APO03 Manage Enterprise Architecture
- APO04 Manage Innovation
- APO05 Manage Portfolio
- APO06 Manage Budget and Costs
- APO07 Manage Human Resources
- APO08 Manage Relationships
- APO09 Manage Service Agreements
- APO10 Manage Suppliers
- APO11 Manage Quality
- APO12 Manage Risk
- APO13 Manage Security

Build, Acquire and Implement (BAI)
- BAI01 Manage Programmes and Projects
- BAI02 Manage Requirements Definition
- BAI03 Manage Solutions Identification and Build
- BAI04 Manage Availability and Capacity
- BAI05 Manage Organisational Change Enablement
- BAI06 Manage Changes
- BAI07 Manage Change Acceptance and Transitioning
- BAI08 Manage Knowledge
- BAI09 Manage Assets
- BAI10 Manage Configuration

Deliver, Service and Support (DSS)
- DSS01 Manage Operations
- DSS02 Manage Service Requests and Incidents
- DSS03 Manage Problems
- DSS04 Manage Continuity
- DSS05 Manage Security Services
- DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess (MEA)
- MEA01 Monitor, Evaluate and Assess Performance and Conformance
- MEA02 Monitor, Evaluate and Assess the System of Internal Control
- MEA03 Monitor, Evaluate and Assess Compliance With External Requirements

9 DSS04 Manage Continuity

10 DSS04 Manage Continuity: Process Related Goals

11 DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities

12 DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities
Management practices and descriptions:

DSS04.01 Define the business continuity policy, objectives and scope. Define the business continuity policy and scope aligned with enterprise and stakeholder objectives.

DSS04.02 Maintain a continuity strategy. Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of a disaster or other major incident or disruption.

DSS04.03 Develop and implement a business continuity response. Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident, to enable the enterprise to continue its critical activities.

DSS04.04 Exercise, test and review the BCP. Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes, to allow innovative solutions to be developed, and to help verify over time that the plan will work as anticipated.

DSS04.05 Review, maintain and improve the continuity plan. Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process so that the continuity plan is kept up to date and continually reflects actual business requirements.

DSS04.06 Conduct continuity plan training. Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.

DSS04.07 Manage backup arrangements. Maintain availability of business-critical information.

DSS04.08 Conduct post-resumption review. Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.

14 DSS04.07 Manage backup arrangements

15 IT General Controls
They are general controls because they are not specific to an application or business process. Categories:
- Governance Structure and Implementation
- System Development, Acquisition and Maintenance Controls
- Infrastructure and Operations Controls
- Information Security Controls
- Network and Infrastructure Controls
- Business Continuity Controls

By function:
- Preventive: stops an error or unauthorized act before it occurs. Examples: pop-up blocker, security roles (access control).
- Detective: identifies an error or unauthorized act after it has occurred. Example: an exception report flagging a required field left empty on a submitted form.
- Corrective: remedies the condition a detective control found. Example: anti-virus software that removes or quarantines malware it has detected before it can spread further.

16 Auditing General Controls
Gaining an overall impression of the existing control environment.

Governance and Administration
- Organization structure
- Governance: policies and procedures
- Staff and skillset
- Supplier management

Data Center
- Environmental controls: air conditioning, fire suppression, UPS, flood control, layout
- Physical access controls: badges, keyed entries, console access, biometrics
- Overall access controls: guards, gates/locks, badges, visitor logs

17 Auditing General Controls
Development, Acquisition, Implementation and Maintenance
- Justification and business case
- Program and project management
- Evaluation and procurement practices
- Quality assurance and quality control
- Service level agreements

Business Continuity
- Disaster recovery
- Backup and restore
- Business continuity plan and testing

Security
- Logical access
- Networks
- Access controls

18 Application (System) Controls
Application software = business transaction processing: Accounts Payable, Accounts Receivable, Payroll, Banking and Finance.
Data can only be understood within the context of the business process it supports.
Processing controls exist within the application itself.

19 Auditing Application Controls
First: know the business process!
- Policies/procedures
- Interviews
- Best practices (using the work of others...)

Identify potential risks: what can go wrong?

Evaluate how these are handled by the system:
- Review test protocols vs. requirements
- Observation
- Test data

20 Application (System) Controls
- Sequence check: the control number follows sequentially; any break in the sequence or duplication is rejected and/or noted for follow-up. Example: check (cheque) printing.
- Limit check: data should not exceed a predetermined amount. Example: ATM cash withdrawal limits.
- Range check: data should be within predetermined values. Example: merchandise receiving and sorting.
- Validity check: programmed checks of data validity in accordance with predetermined criteria. Example: marital status must be Married, Single or Divorced.
- Reasonableness check: input data are matched to predetermined reasonable limits or occurrence rates. Example: shipping containers.
- Table lookup: data are verified against valid values in a table. Example: drop-down fields.

21 Application (System) Controls
- Existence check: data are entered correctly and agree with valid predetermined criteria. Example: product code.
- Key verification: the keying process is repeated by a separate individual using a machine that compares the original keystrokes to the re-keyed input.
- Check digit: a numeric value that has been calculated mathematically is added to the data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. Examples: account number, invoice number.
- Completeness check: a field should always contain data rather than zeros or blanks. Example: new employee processing, employee number.

22 Application (System) Controls
- Duplicate check: new transactions are matched to those previously input to ensure they have not already been entered. Example: invoice processing, invoice numbers.
- Logical relationship check: if a particular condition is true, one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. Example: diagnostics.
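The following is an added worked example, not code from the presentation, showing how the input-validation controls on slides 20 to 22 (sequence, limit, range, validity/table lookup, reasonableness, existence, check digit, completeness, duplicate and logical relationship checks) look when embedded in an invoice-entry routine, and how an auditor exercises them with the test-data approach from slide 19. The field names, credit limit, quantity and price ranges, reference tables, ledger state and the use of a Luhn (mod-10) check digit on the account number are all assumptions chosen for illustration; the transactions fed in are constructed test data, each designed to trip exactly one control.

```python
"""Input-validation (application) controls for an invoice-entry transaction,
exercised with auditor test data.

Added illustrative example, not code from the presentation. Field names,
limits, reference tables and the Luhn (mod-10) check-digit scheme are
assumptions chosen for illustration; a real application uses its own.
"""
from dataclasses import dataclass, field

# Constructed reference data (assumed for the example)
VALID_PRODUCT_CODES = {"BK-1001", "BK-1002", "BK-2001"}   # existence check
VALID_TERMS = {"NET30", "NET60", "COD"}                    # validity check / table lookup
CREDIT_LIMIT = 5000.00                                     # limit check
QTY_RANGE = (1, 500)                                       # range check
UNIT_PRICE_RANGE = (1.00, 500.00)                          # reasonableness check


def luhn_valid(number: str) -> bool:
    """Check digit: the last digit is a mod-10 (Luhn) checksum over the others,
    so a mistyped digit or a swapped adjacent pair is rejected."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Ledger:
    """State carried across transactions for the sequence and duplicate checks."""
    last_sequence: int = 1000
    seen_invoices: set = field(default_factory=set)


def validate_invoice(txn: dict, ledger: Ledger) -> list:
    """Return the control exceptions for one transaction; an empty list means accepted.
    Each block below is one of the application controls on the slides."""
    errors = []
    # Completeness check: required fields must hold data, not blanks or zeros
    for f in ("invoice_no", "account_no", "product_code", "qty", "amount", "sequence"):
        if txn.get(f) in (None, "", 0):
            errors.append(f"completeness: {f} is missing")
    if errors:
        return errors                       # the remaining checks need these fields
    # Sequence check: control number must follow the last accepted one
    if txn["sequence"] != ledger.last_sequence + 1:
        errors.append(f"sequence: expected {ledger.last_sequence + 1}, got {txn['sequence']}")
    # Duplicate check: invoice number must not have been entered before
    if txn["invoice_no"] in ledger.seen_invoices:
        errors.append(f"duplicate: invoice {txn['invoice_no']} already processed")
    # Check digit on the account number (Luhn scheme assumed)
    if not luhn_valid(txn["account_no"]):
        errors.append("check digit: account number fails mod-10 check")
    # Existence check: product code must be a known code
    if txn["product_code"] not in VALID_PRODUCT_CODES:
        errors.append(f"existence: unknown product code {txn['product_code']}")
    # Range check: quantity within predetermined bounds
    if not QTY_RANGE[0] <= txn["qty"] <= QTY_RANGE[1]:
        errors.append(f"range: qty {txn['qty']} outside {QTY_RANGE}")
    # Limit check: amount must not exceed the customer's credit limit
    if txn["amount"] > CREDIT_LIMIT:
        errors.append(f"limit: amount {txn['amount']:.2f} exceeds {CREDIT_LIMIT:.2f}")
    # Reasonableness check: the implied unit price must be plausible
    unit_price = txn["amount"] / txn["qty"]
    if not UNIT_PRICE_RANGE[0] <= unit_price <= UNIT_PRICE_RANGE[1]:
        errors.append(f"reasonableness: implied unit price {unit_price:.2f} is implausible")
    # Table lookup / validity check for a coded field
    if txn.get("terms") not in VALID_TERMS:
        errors.append(f"validity: payment terms {txn.get('terms')!r} not in table")
    # Logical relationship check: a credit memo must reference its original invoice
    if txn.get("type") == "credit" and not txn.get("original_invoice_no"):
        errors.append("logical relationship: credit memo lacks original invoice reference")
    if not errors:                          # accepted: advance the ledger state
        ledger.last_sequence = txn["sequence"]
        ledger.seen_invoices.add(txn["invoice_no"])
    return errors


def run_test_data() -> dict:
    """Auditor's test-data approach (slide 19): submit constructed transactions,
    each designed to trip one control, and record the exceptions raised."""
    ledger = Ledger()
    good = dict(invoice_no="INV-501", account_no="79927398713", product_code="BK-1001",
                qty=10, amount=250.00, sequence=1001, terms="NET30")
    cases = {
        "clean": dict(good),
        "duplicate": dict(good, sequence=1002),                     # INV-501 re-keyed
        "bad_check_digit": dict(good, invoice_no="INV-502", sequence=1002, account_no="79927398710"),
        "over_limit": dict(good, invoice_no="INV-503", sequence=1002, qty=20, amount=6000.00),
        "out_of_range": dict(good, invoice_no="INV-504", sequence=1002, qty=600, amount=3000.00),
        "unknown_product": dict(good, invoice_no="INV-505", sequence=1002, product_code="BK-9999"),
        "implausible_price": dict(good, invoice_no="INV-506", sequence=1002, qty=1, amount=0.50),
        "bad_terms": dict(good, invoice_no="INV-507", sequence=1002, terms="NET90"),
        "credit_no_ref": dict(good, invoice_no="INV-508", sequence=1002, type="credit"),
        "sequence_gap": dict(good, invoice_no="INV-509", sequence=1005),
        "incomplete": dict(good, invoice_no="", sequence=1002),
    }
    return {name: validate_invoice(txn, ledger) for name, txn in cases.items()}


if __name__ == "__main__":
    for name, errs in run_test_data().items():
        print(f"{name:18} {'ACCEPTED' if not errs else '; '.join(errs)}")
```

Two design points worth noting for audit work: the ledger only advances when a transaction is accepted, so a rejected record cannot consume a control number (otherwise a later sequence check would silently pass over the gap), and every exception names the control that fired, which is what the auditor compares against the expected outcome for each test transaction.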
