IT Audit Process (PowerPoint presentation, uploaded 2019-11-01)

Presentation Transcript

IT Audit Process. Michael Romeu-Lugo MBA, CISA. February 27, 2017

Control layers of the enterprise:
- Executive Management
- Business Processes: Finance, Manufacturing, Logistics, etc.
- IT Services: OS / Data / Telecom / Continuity / Networks

Entity-level Controls
Entity-level controls set the tone and culture of the enterprise. IT entity-level controls are part of a company's overall control environment. Controls include:
- Strategies and plans
- Policies and procedures
- Risk assessment activities
- Training and education
- Quality assurance
- Internal audit

Application Controls
Controls embedded within business process applications directly support financial control objectives. Such controls can be found in most financial applications, including large systems such as SAP and Oracle as well as small systems such as Sage 300 ERP. Control objectives/assertions include:
- Completeness
- Accuracy
- Existence/authorization
- Presentation/disclosure

IT General Controls
Controls embedded within IT processes that provide a reliable operating environment and support the effective operation of application controls. Controls include:
- Program development
- Program changes
- Access to programs and data
- Computer operations

Scoping the audit from the financial statements down to the IT general controls:
- Significant accounts in the financial statements: Balance Sheet, Income Statement, Cash Flow, Notes
- Business processes / classes of transactions: Accounts Receivable, Accounts Payable, Purchasing
- Financial applications: Application A, Application B, Application C
- IT infrastructure services: Database, Operating System, Network/Physical
- IT general controls: Access to Programs and Data, Program Development, Program Changes, Computer Operations
- Application control objectives: Accurate, Complete, Exist / Authorized, Presented / Disclosed

AnyBook Store, Inc. – Order-to-Cash: Context Diagram (diagram slide; not reproduced in the transcript)

AnyBook Store, Inc. – Order-to-Cash: Data Flow Diagram Level 0 (diagram slide; not reproduced in the transcript)

Processes for Governance of Enterprise IT (COBIT 5 process reference model)
Evaluate, Direct and Monitor:
- EDM01 Ensure Governance Framework Setting and Maintenance
- EDM02 Ensure Benefits Delivery
- EDM03 Ensure Risk Optimisation
- EDM04 Ensure Resource Optimisation
- EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT
Align, Plan and Organise:
- APO01 Manage the IT Management Framework
- APO02 Manage Strategy
- APO03 Manage Enterprise Architecture
- APO04 Manage Innovation
- APO05 Manage Portfolio
- APO06 Manage Budget and Costs
- APO07 Manage Human Resources
- APO08 Manage Relationships
- APO09 Manage Service Agreements
- APO10 Manage Suppliers
- APO11 Manage Quality
- APO12 Manage Risk
- APO13 Manage Security

Build, Acquire and Implement:
- BAI01 Manage Programmes and Projects
- BAI02 Manage Requirements Definition
- BAI03 Manage Solutions Identification and Build
- BAI04 Manage Availability and Capacity
- BAI05 Manage Organisational Change Enablement
- BAI06 Manage Changes
- BAI07 Manage Change Acceptance and Transitioning
- BAI08 Manage Knowledge
- BAI09 Manage Assets
- BAI10 Manage Configuration

Deliver, Service and Support:
- DSS01 Manage Operations
- DSS02 Manage Service Requests and Incidents
- DSS03 Manage Problems
- DSS04 Manage Continuity
- DSS05 Manage Security Services
- DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess:
- MEA01 Monitor, Evaluate and Assess Performance and Conformance
- MEA02 Monitor, Evaluate and Assess the System of Internal Control
- MEA03 Monitor, Evaluate and Assess Compliance with External Requirements


DSS04 Manage Continuity

DSS04 Manage Continuity: Process Related Goals

DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities

DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities

Management Practice: Description
- DSS04.01 Define the business continuity policy, objectives and scope: Define business continuity policy and scope aligned with enterprise and stakeholder objectives.
- DSS04.02 Maintain a continuity strategy: Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of disaster or other major incident or disruption.
- DSS04.03 Develop and implement a business continuity response: Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
- DSS04.04 Exercise, test and review the BCP: Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes, to allow innovative solutions to be developed, and to help verify over time that the plan will work as anticipated.
- DSS04.05 Review, maintain and improve the continuity plan: Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
- DSS04.06 Conduct continuity plan training: Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
- DSS04.07 Manage backup arrangements: Maintain availability of business-critical information.
- DSS04.08 Conduct post-resumption review: Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.


DSS04.07 Manage backup arrangements
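The slide states the practice (maintain availability of business-critical information) but not how an auditor tests it. The script below is an added example, not part of the presentation, of the three tests a practitioner would run over a backup catalog: is the latest backup for each critical system inside the recovery point objective, does the stored artefact still match the checksum recorded when it was taken, and is there evidence of a recent successful restore test. The catalog, the policy values (RPO, restore-test interval, audit date) and the artefact contents are constructed for the example; in practice the catalog comes from the backup tool and the policy values from the BCP.

```python
"""Added example (not from the presentation): an audit test for DSS04.07
'Manage backup arrangements'. Checks a backup catalog against constructed
policy values for recency (RPO), integrity (checksum) and restorability
(age of the last successful restore test)."""
import hashlib
from datetime import datetime, timedelta

# Constructed policy values (assumption: taken from the enterprise BCP)
RPO = timedelta(hours=24)                   # recovery point objective
RESTORE_TEST_MAX_AGE = timedelta(days=90)   # restore test at least quarterly
AS_OF = datetime(2017, 2, 27, 9, 0)         # date/time of the audit fieldwork


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed backup store: artefact name -> bytes (stand-ins for dump files)
ARTEFACTS = {
    "erp-db-20170226.dump": b"erp-full-backup-2017-02-26",
    "ar-db-20170220.dump": b"ar-full-backup-2017-02-20",
    "payroll-20170226.dump": b"payroll-full-backup-2017-02-26",
}

# Constructed backup catalog: one entry per business-critical system
CATALOG = [
    {"system": "ERP", "artefact": "erp-db-20170226.dump",
     "completed": datetime(2017, 2, 26, 23, 30),
     "sha256": sha256(b"erp-full-backup-2017-02-26"),
     "last_restore_test": datetime(2017, 1, 15)},
    {"system": "Accounts Receivable", "artefact": "ar-db-20170220.dump",
     "completed": datetime(2017, 2, 20, 23, 30),   # a week old: outside the RPO
     "sha256": sha256(b"ar-full-backup-2017-02-20"),
     "last_restore_test": datetime(2016, 10, 1)},  # restore test overdue
    {"system": "Payroll", "artefact": "payroll-20170226.dump",
     "completed": datetime(2017, 2, 26, 23, 45),
     "sha256": "0" * 64,                           # recorded hash != stored file
     "last_restore_test": datetime(2017, 2, 1)},
]


def audit_backups(catalog, artefacts, as_of=AS_OF, rpo=RPO,
                  restore_max_age=RESTORE_TEST_MAX_AGE):
    """Return a list of (system, finding) tuples; an empty list means every
    critical system passed all three tests."""
    findings = []
    for entry in catalog:
        system = entry["system"]
        # Recency: newest backup must be no older than the RPO at the audit date
        if as_of - entry["completed"] > rpo:
            findings.append((system, "backup older than RPO"))
        # Integrity: the stored artefact must hash to the value in the catalog
        data = artefacts.get(entry["artefact"])
        if data is None:
            findings.append((system, "artefact missing from backup store"))
        elif sha256(data) != entry["sha256"]:
            findings.append((system, "artefact checksum mismatch"))
        # Restorability: a backup nobody has restored is not evidence of recovery
        if as_of - entry["last_restore_test"] > restore_max_age:
            findings.append((system, "restore test overdue"))
    return findings


if __name__ == "__main__":
    for system, finding in audit_backups(CATALOG, ARTEFACTS):
        print(f"{system}: {finding}")
```

Each finding maps back to a DSS04 practice: a stale backup is a DSS04.07 exception, a checksum mismatch means the artefact cannot be relied on, and an overdue restore test is the evidence gap DSS04.04 (exercise, test and review the BCP) is meant to close.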

IT General Controls
They are general controls because they are not specific to an application or business process:
- Governance structure and implementation
- System development, acquisition and maintenance controls
- Infrastructure and operations controls
- Information security controls
- Network and infrastructure controls
- Business continuity controls

Auditing General Controls
Gaining an overall impression of the existing control environment:
- Governance and administration: organization structure; governance (policies and procedures); staff and skillset; supplier management
- Data center: environmental controls (AC, fire suppression, UPS, flood control, layout); physical access controls (badges, keyed entries, console access, biometrics); overall access controls (guards, gates/locks, badges, visitor logs)

Auditing General Controls
- Development, acquisition, implementation and maintenance: justification and business case; program and project management; evaluation and procurement practices; quality assurance and quality control; service level agreements
- Business continuity: disaster recovery; backup and restore; business continuity plan and testing
- Security: logical access; networks; access controls

Application (System) Controls
Application software = business transaction processing: Accounts Payable, Accounts Receivable, Payroll, Banking and Finance. Data can only be understood within the context of the business process it supports. Processing controls exist within the application itself.

Auditing Application Controls
First: know the business process! Sources: policies/procedures; interviews; best practices (using the work of others).
Identify potential risks: what can go wrong?
Evaluate how these are handled by the system: review test protocols vs. requirements; observation; test data.

Application (System) Controls
- Sequence checks: the control number follows sequentially, and any break in the sequence or duplication is rejected and/or noted for follow-up. Example: printing checks.
- Limit checks: data should not exceed a predetermined amount. Example: ATM cash withdrawal limits.
- Range checks: data should be within predetermined values. Example: merchandise receiving and sorting.
- Validity check: programmed checks of data validity in accordance with predetermined criteria. Example: marital status (Married, Single, Divorced).
- Reasonableness check: input data are matched to predetermined reasonable limits or occurrence rates. Example: shipping containers.
- Table lookups: data are verified against valid values in a table. Example: drop-down fields.

Application (System) Controls
- Existence checks: data entered correctly and agree with valid predetermined criteria. Example: product code.
- Key verification: the keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input.
- Check digit: a numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. Examples: account number, invoice number.
- Completeness check: a field should always contain data rather than zeros or blanks. Example: new employee processing (employee number).

Application (System) Controls
- Duplicate check: new transactions are matched to those previously input to ensure that they have not already been entered. Example: invoice processing (invoice numbers).
- Logical relationship check: if a particular condition is true, then one or more additional conditions or data input relationships may be required to be true for the input to be considered valid. Example: diagnostics.
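The three slides above list the input controls an auditor expects to find inside a financial application, each with a one-word example. The code below is an added example, not from the presentation, that implements the programmable ones (sequence, duplicate, check digit, completeness, existence, limit, range, validity/table lookup and logical relationship) over a constructed batch of supplier invoices, the invoice-number case the slides themselves use. The record layout, the limit and range values, the reference tables and the choice of the Luhn mod-10 scheme for the check digit are assumptions made for the example; a real application takes them from its own specification, and key verification is a manual control with no code equivalent.

```python
"""Added example, not from the presentation: the application input controls
from the preceding slides applied to a constructed batch of supplier invoice
records. Layout, limits, reference tables and the Luhn check-digit scheme are
assumptions made for the example."""

VALID_CURRENCIES = {"USD", "EUR", "GBP"}     # validity check / table lookup
VALID_SUPPLIERS = {"S100", "S200", "S300"}   # existence check against the supplier master
INVOICE_LIMIT = 50_000.00                     # limit check
TAX_RATE_RANGE = (0.0, 0.25)                  # range check
REQUIRED = ("invoice_no", "supplier", "amount", "currency", "tax_rate")


def luhn_valid(number):
    """Check-digit control: Luhn mod-10 over a digit string whose last digit
    is the check digit. Rejects any single-digit error and most adjacent
    transpositions, so a mistyped but well-formed invoice number fails input."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def validate_batch(records):
    """Run every control over the batch. Returns a list of
    (index, invoice_no, [error messages]) for records that fail a control;
    an empty list means the batch passed."""
    failures = []
    seen = set()
    expected = None        # next expected sequence number (invoice_no minus check digit)
    for idx, rec in enumerate(records):
        errs = []
        # Completeness check: required fields must not be blank
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            errs.append("missing fields: " + ", ".join(missing))
        # Duplicate, check-digit and sequence checks on the invoice number
        n = rec.get("invoice_no") or ""
        if n in seen:
            errs.append("duplicate invoice number")
        elif n:
            seen.add(n)
            if not luhn_valid(n):
                errs.append("check digit failure")
            if n[:-1].isdigit():
                base = int(n[:-1])
                if expected is not None and base != expected:
                    errs.append(f"sequence break: expected {expected}, got {base}")
                expected = base + 1
        # Existence check: supplier must exist on the supplier master
        if rec.get("supplier") not in VALID_SUPPLIERS:
            errs.append("unknown supplier")
        # Limit check: no single invoice above the approval limit
        amount = rec.get("amount")
        if isinstance(amount, (int, float)) and amount > INVOICE_LIMIT:
            errs.append("amount exceeds limit")
        # Range check: tax rate must fall inside the predetermined range
        rate = rec.get("tax_rate")
        if isinstance(rate, (int, float)) and not TAX_RATE_RANGE[0] <= rate <= TAX_RATE_RANGE[1]:
            errs.append("tax rate out of range")
        # Validity check / table lookup: currency must be in the reference table
        cur = rec.get("currency")
        if cur not in VALID_CURRENCIES:
            errs.append("invalid currency")
        # Logical relationship check: a valid non-USD currency requires an FX rate
        elif cur != "USD" and rec.get("fx_rate") is None:
            errs.append("fx_rate required for non-USD invoice")
        if errs:
            failures.append((idx, n, errs))
    return failures


# Constructed batch: the first record is clean, each later one trips a control
BATCH = [
    {"invoice_no": "10009", "supplier": "S100", "amount": 1200.00, "currency": "USD", "tax_rate": 0.08},
    {"invoice_no": "10017", "supplier": "S200", "amount": 75000.00, "currency": "USD", "tax_rate": 0.08},
    {"invoice_no": "10017", "supplier": "S200", "amount": 75000.00, "currency": "USD", "tax_rate": 0.08},
    {"invoice_no": "10033", "supplier": "S300", "amount": 500.00, "currency": "EUR", "tax_rate": 0.19},
    {"invoice_no": "10042", "supplier": "S999", "amount": 250.00, "currency": "XXX", "tax_rate": 0.40},
    {"invoice_no": "", "supplier": "S100", "amount": "", "currency": "USD", "tax_rate": 0.08},
]

if __name__ == "__main__":
    for idx, n, errs in validate_batch(BATCH):
        print(f"record {idx} ({n or 'no number'}): " + "; ".join(errs))
```

Two design points matter to an auditor reading the output. A duplicate is reported as a duplicate and deliberately does not advance the expected sequence number, so one re-keyed invoice produces one finding rather than a cascade of sequence breaks. And the relationship check only runs on a currency that passed the table lookup, so an invalid code is reported once, under the control that actually caught it.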