Presentation is loading. Please wait.

Presentation is loading. Please wait.

What a non-IT auditor needs to know about IT & IT controls

Published byYenny Widjaja Modified over 5 years ago

Similar presentations

Presentation on theme: "What a non-IT auditor needs to know about IT & IT controls"— Presentation transcript:

1 What a non-IT auditor needs to know about IT & IT controls
Presented by Ruben Garcia, CISA and Nick Oscari, CPA from ATR Advisory LLC

2 Agenda Why is this important?
Core “Must Have” Knowledge Items: 1 through 10 Summary Nick

3 Why does a non-IT auditor need to know about IT?
Auditors should gain an understanding of the design of specific controls by following a transaction from origination through the organization’s processes, including the applicable information systems, until it is reflected in the organization’s financial records (PCAOB AS 2201) IIA Standards requires that internal auditors must have sufficient knowledge of key information technology risk and controls to perform their assigned work (1210.A3). GTAG (Global Technology Audit Guide) defines three categories of IT knowledge for auditors as: Category 1: Knowledge of IT needed by all professional auditors Category II: Knowledge of IT needed by audit supervisors Category IIII: Knowledge of IT needed by IT audit specialists Category I includes understanding of IT concepts such as applications, operating systems/systems software, networks, IT security and the related controls components More efficient and effective non-IT audits!!! Nick

4 Core “Must Have” Knowledge #10
IT Assertions: Security Availability Confidentiality Integrity Scalability Reliability Effectiveness Efficiency Financial Assertions: Completeness Existence Accuracy Valuation Obligation/Rights Presentation/Disclosure Nick & Ruben

5 Core “Must Have” Knowledge #9
Understanding Technology Stack Layers Application (e.g. MS Word) Database Operating System (e.g. Windows, Unix, Linux) Network, Routers, Switches, Firewalls Servers Ruben

6 Core “Must Have” Knowledge #8
IT General Controls (ITGC) vs Application Controls ITGC (i.e. home foundation) Security Administration Physical Security/Environmental Change Management/System Development IT Operations (backups/job processing) Application Controls (i.e. indoor plumbing) Application controls are those controls that pertain to the scope of individual business processes within application systems, including input controls, data edits, automated approval requirements, transaction logging, and error reporting. Driven by business process need and should be owned by the business process owner Nick

7 Core “Must Have” Knowledge #7
System Development & Change Management (ITGC) What is it? Change Mgmt: includes changes to software configurations, software changes, patch management System Development: new system implementations, new feature added to existing system Primary Risk Unauthorized changes or poor system development results in unreliable information, security access issues, system availability/reliability issues Controls Change Mgmt Controls System Development Controls Ruben

8 Core “Must Have” Knowledge #6
Security Administration (ITGC) What it is? Establishes overall computer security for the IT environment Must be evaluated at each layer of technology (i.e. app, OS, DB) Primary Risk Unauthorized modification, deletion, addition to information assets (i.e. theft/damage of your most prized home possessions) Controls Access levels set to only allow personnel to perform their job duties Segregation of Duties User Access Administration Periodic Access Reviews (qtrly, semi-annual, annual) System Administrator privileges (limit and/or monitor) Nick

9 Core “Must Have” Knowledge #5
Physical: Security & Environmental (ITGC) What it is? Physical access to hardware Environmental protection of critical physical IT assets Primary Risk Unauthorized access to IT information assets Physical assets damaged due to lack of controlled temperature, exposure to water, a power loss, or fire Controls Physical access to sensitive areas restricted through badge access/biometric locks HVAC, fire suppression, flood monitoring, back-up battery (UPS)/generators Nick

10 Core “Must Have” Knowledge #4
Data Back Up (ITGC) What it is? Periodic backing up of information assets to allow recovery for any number of reasons (e.g. software failure/hardware failure) Primary Risk Inability to recover information assets resulting in unreliable or missing information assets Controls Backups of critical data performed Procedures should be in place to periodically validate recovery process Business Continuity policies and procedures exist defining type of data and frequency of backups Nick

11 Core “Must Have” Knowledge #3
IT Operations (ITGC) What is it? Supervising and maintaining computer systems operations to include: Production Scheduling Problem logging, tracking & reporting Help desk Risks Undetected computer processing issues or inability to quickly recover from issues resulting in unreliable/inability to access information assets Controls Processing & Output controls Help Desk procedures Ruben

12 Core “Must Have” Knowledge #2
Outsourcing of Technology & IT Activities What is it? Includes software as service, platform as a service, infrastructure as a service, cloud computing, Risks Vendor does not have properly controlled environment User Requirements not adhered resulting in garage in/garbage out Controls Vendor Management Program Third Party Reviews (SOC/SSAE 18) & User Requirements Ruben

13 Core “Must Have” Knowledge #2
Outsourcing of Technology & IT Activities What is it? Includes software as service, platform as a service, infrastructure as a service, cloud computing, Risks Vendor does not have properly controlled environment User Requirements not adhered resulting in garage in/garbage out Controls Vendor Management Program Third Party Reviews (SOC/SSAE 18) & User Requirements IMPORTANT: You can’t outsource your responsibility for your information assets!!!!! Ruben

14 Core “Must Have” Knowledge #1
Cybersecurity Buzz Word Defined Equifax Controls: Risk Assessments Security Access Controls Change Mgmt Controls Physical Controls Ruben

15 Summary Understanding the basics of IT, IT risks and IT controls will make a non-IT auditor much more capable of: Nick

16 Summary Understanding the basics of IT, IT risks and IT controls will make a non-IT auditor much more capable of: identifying all the potential risks related to the processes under audit Nick

17 Summary Understanding the basics of IT, IT risks and IT controls will make a non-IT auditor much more capable of: identifying all the potential risks related to the processes under audit 2) Scoping a non-IT audit appropriately to account for the effectiveness or lack of effectiveness of the IT environment A. For example, A/P process audit assessed as low risk with an ineffective control environment for related IT systems and strong application controls. B. For example, revenue process assessed as high risk with an effective control environment and strong application controls. Nick

18 Summary Understanding the basics of IT, IT risks and IT controls will make a non-IT auditor much more capable of: identifying all the potential risks related to the processes under audit 2) Scoping a non-IT audit appropriately to account for the effectiveness or lack of effectiveness of the IT environment For example, A/P process audit assessed at low risk with an ineffective control environment for related IT systems and strong application controls. For example, revenue process assessed a high with an effective control environment and strong application controls. 3) Becoming a much better auditor than Nick was as a second year associate at KPMG Nick

19 Summary Challenge: Go look at your non-IT audits that you are currently working on and consider whether you understand the relevant IT systems, IT risks, IT controls and how they impact your planned audit approach for your non-IT audit Nick

20 Summary Challenge: Go look at your non-IT audits that you are currently working on and consider whether you understand the relevant IT systems, IT risks, IT controls and how they impact your planned audit approach for your non-IT audit 2. Interact with your IT auditor – they don’t bite Nick

21 Questions Nick

Download ppt "What a non-IT auditor needs to know about IT & IT controls"

Similar presentations

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.

Web Security for Network and System Administrators1 Chapter 1 Introduction to Information Security.
The World of Access Controls

The World of Access Controls
All Rights Reserved, Duke Medicine 2007 IT Security Presented by: Trisha Craig and Don Elsner Principal Auditors – IT Audit Duke University 1.

All Rights Reserved, Duke Medicine 2007 IT Security Presented by: Trisha Craig and Don Elsner Principal Auditors – IT Audit Duke University 1.
Internal Controls What Are They And Why Should I Care? 1.

Internal Controls What Are They And Why Should I Care? 1.
Overview of IS Controls, Auditing, and Security Fall 2005.

Overview of IS Controls, Auditing, and Security Fall 2005.
Group 3 John Gregory John Marsh Gerri Houston Samantha McNeily.

Group 3 John Gregory John Marsh Gerri Houston Samantha McNeily.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Auditing Computer Systems

Auditing Computer Systems
The Islamic University of Gaza

The Islamic University of Gaza
Learning Objectives LO1 Distinguish between management and auditor’s responsibilities regarding an auditee organization’s internal controls. LO2 Explain.

Learning Objectives LO1 Distinguish between management and auditor’s responsibilities regarding an auditee organization’s internal controls. LO2 Explain.
Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie.

Audit Guidance Using the Federal Information System Controls Audit Manual (FISCAM) to Achieve Audit Objectives in Financial and Performance Audits Mickie.
Sarbanes-Oxley Compliance Process Automation

Sarbanes-Oxley Compliance Process Automation
IS Security Control & Management. Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose.

IS Security Control & Management. Overview n Why worry? n Sources, frequency and severity of problems n Risks to computerized vs. manual systems n Purpose.
Review of Introduction to Auditing

Review of Introduction to Auditing
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
The Information Systems Audit Process

The Information Systems Audit Process
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Similar presentations

Ads by Google