Slide 1
IT Audit Process
Michael Romeu-Lugo, MBA, CISA
February 27, 2017

Slide 3
Diagram: Executive Management; Business Processes (Finance, Manufacturing, Logistics, etc.); IT Services (OS / Data / Telecom / Continuity / Networks)

Entity-level Controls
Entity-level controls set the tone and culture of the enterprise. IT entity-level controls are part of a company’s overall control environment. Controls include:
- Strategies and plans
- Policies and procedures
- Risk assessment activities
- Training and education
- Quality assurance
- Internal audit

Application Controls
Controls embedded within business process applications directly support financial control objectives. Such controls can be found in most financial applications, including large systems such as SAP and Oracle as well as small systems such as Sage 300 ERP. Control objectives/assertions include:
- Completeness
- Accuracy
- Existence/authorization
- Presentation/disclosure

IT General Controls
Controls embedded within IT processes that provide a reliable operating environment and support the effective operation of application controls. Controls include:
- Program development
- Program changes
- Access to programs and data
- Computer operations
Slide 4
Diagram: layers of the audit model, from the financial statements down to the IT general controls
- Significant accounts in the financial statements: Balance Sheet, Income Statement, Cash Flow, Notes
- Business processes / classes of transactions: Accounts Receivable, Accounts Payable, Purchasing
- Financial applications: Application A, Application B, Application C
- IT infrastructure services: Database, Operating System, Network/Physical
- IT general controls: Access to Programs and Data, Program Development, Program Changes, Computer Operations
- Application control objectives: Accurate, Complete, Exist / Authorized, Preserved / Disclosed
Slide 5
AnyBook Store, Inc. – Order-to-Cash: Context Diagram

Slide 6
AnyBook Store, Inc. – Order-to-Cash: Data Flow Diagram, Level 0
Slide 7
Process for Governance of Enterprise IT
Evaluate, Direct and Monitor:
- EDM01 Ensure Governance Framework Setting and Maintenance
- EDM02 Ensure Benefits Delivery
- EDM03 Ensure Risk Optimisation
- EDM04 Ensure Resource Optimisation
- EDM05 Ensure Stakeholder Transparency

Processes for Management of Enterprise IT
Align, Plan and Organize:
- AP001 Manage the IT Management Framework
- AP002 Manage Strategy
- AP003 Manage Enterprise Architecture
- AP004 Manage Innovation
- AP005 Manage Innovation
- AP006 Manage Budget and Costs
- AP007 Manage Human Resources
- AP008 Manage Relationships
- AP009 Manage Service Agreements
- AP010 Manage Suppliers
- AP011 Manage Innovation
- AP012 Manage Risk
- AP013 Manage Security

Build, Acquire and Implement:
- BAI01 Manage Programmes and Projects
- BAI02 Manage Requirements Definition
- BAI03 Manage Solutions Identification and Build
- BAI04 Manage Availability and Capacity
- BAI05 Manage Organisational Change Enablement
- BAI06 Manage Changes
- BAI07 Manage Change Acceptance and Transitioning
- BAI08 Manage Knowledge
- BAI09 Manage Assets
- BAI010 Manage Configurations

Deliver, Service and Support:
- DSS01 Manage Operations
- DSS02 Manage Service Requests and Incidents
- DSS03 Manage Problems
- DSS04 Manage Continuity
- DSS05 Manage Security Services
- DSS06 Manage Business Process Controls

Monitor, Evaluate and Assess:
- MEA01 Monitor, Evaluate and Assess Performance and Conformance
- MEA02 Monitor, Evaluate and Assess the System of Internal Controls
- MEA03 Monitor, Evaluate and Assess Compliance With External Requirements
Slide 9
DSS04 Manage Continuity

Slide 10
DSS04 Manage Continuity: Process Related Goals

Slide 11
DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities
Slide 12
DSS04 Manage Continuity: Process Practices, Inputs/Outputs and Activities

Management Practice | Description
DSS04.01 Define the business continuity policy, objectives and scope | Define business continuity policy and scope aligned with enterprise and stakeholder objectives.
DSS04.02 Maintain a continuity strategy | Evaluate business continuity management options and choose a cost-effective and viable continuity strategy that will ensure enterprise recovery and continuity in the face of disaster or other major incident or disruption.
DSS04.03 Develop and implement a business continuity response | Develop a business continuity plan (BCP) based on the strategy that documents the procedures and information in readiness for use in an incident to enable the enterprise to continue its critical activities.
DSS04.04 Exercise, test and review the BCP | Test the continuity arrangements on a regular basis to exercise the recovery plans against predetermined outcomes and to allow innovative solutions to be developed and help to verify over time that the plan will work as anticipated.
DSS04.05 Review, maintain and improve the continuity plan | Conduct a management review of the continuity capability at regular intervals to ensure its continued suitability, adequacy and effectiveness. Manage changes to the plan in accordance with the change control process to ensure that the continuity plan is kept up to date and continually reflects actual business requirements.
DSS04.06 Conduct continuity plan training | Provide all concerned internal and external parties with regular training sessions regarding the procedures and their roles and responsibilities in case of disruption.
DSS04.07 Manage backup arrangements | Maintain availability of business-critical information.
DSS04.08 Conduct post-resumption review | Assess the adequacy of the BCP following the successful resumption of business processes and services after a disruption.
Slide 14
DSS04.07 Manage backup arrangements

Slide 15
IT General Controls
They are general controls because they are not specific to an application or business process.
- Governance Structure and Implementation
- System Development, Acquisition and Maintenance Controls
- Infrastructure and Operations Controls
- Information Security Controls
- Network and Infrastructure Controls
- Business Continuity Controls
Slide 16
Auditing General Controls
Gaining an overall impression of the existing control environment:
- Governance and Administration
  - Organization structure
  - Governance – policies and procedures
  - Staff and skillset
  - Supplier management
- Data Center
  - Environmental controls – AC, fire suppression, UPS, flood control, layout
  - Physical access controls – badges, keyed entries, console access, biometrics
  - Overall access controls – guards, gates/locks, badges, visitor logs
Slide 17
Auditing General Controls
- Development, Acquisition, Implementation and Maintenance
  - Justification and business case
  - Program and project management
  - Evaluation and procurement practices
  - Quality assurance and quality control
  - Service level agreements
- Business Continuity
  - Disaster recovery
  - Backup and restore
  - Business continuity plan and testing
- Security
  - Logical access
  - Networks
  - Access controls
Slide 18
Application (System) Controls
Application software = business transaction processing:
- Accounts Payable
- Accounts Receivable
- Payroll
- Banking and Finance
Data can only be understood within the context of the business process it supports.
Processing controls exist within the application itself.
Slide 19
Auditing Application Controls
First: know the business process!
- Policies/procedures
- Interviews
- Best practices (using the work of others…)
Identify potential risks: what can go wrong?
Evaluate how these are handled by the system:
- Review test protocols vs. requirements
- Observation
- Test data
Slide 20
Application (System) Controls
- Sequence checks – the control number follows sequentially, and any break in the sequence or duplication is rejected and/or noted for follow-up. Example: printing checks.
- Limit checks – data should not exceed a predetermined amount. Example: ATM cash withdrawal limits.
- Range checks – data should be within predetermined values. Example: merchandise receiving and sorting.
- Validity check – programmed checks of the data validity in accordance with predetermined criteria. Example: marital status – Married, Single, Divorced.
- Reasonableness check – input data are matched to predetermined reasonable limits or occurrence rates. Example: shipping containers.
- Table lookups – data are verified against valid values in a table. Example: drop-down fields.
Slide 21
Application (System) Controls
- Existence checks – data entered correctly and agree with valid predetermined criteria. Example: product code.
- Key verification – the keying process is repeated by a separate individual using a machine that compares the original keystrokes to the repeated keyed input.
- Check digit – a numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. Examples: account number, invoice number.
- Completeness check – a field should always contain data rather than zeros or blanks. Example: new employee processing – employee number.
Slide 22
Application (System) Controls
- Duplicate check – new transactions are matched to those previously input to ensure that they have not already been entered. Example: invoice processing, invoice numbers.
- Logical relationship check – if a particular condition is true, then one or more additional conditions or data input relationships may be required to be true to consider the input valid. Example: diagnostics.
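The input edit checks of slides 20 to 22 (sequence, limit, range, validity via table lookup, check digit, completeness and duplicate) run over one batch of invoice records, as an added Python example that is not part of the presentation. The invoice batch, the thresholds and the Luhn mod-10 check-digit scheme are assumptions: the slides name no particular algorithm or limits.

```python
# Added example (not from the slides): the input edit checks of slides 20-22 run
# over a constructed invoice batch. Luhn mod-10 is assumed for the check digit.
# In SAMPLE_BATCH record 1 is clean; the others each trip specific checks.
VALID_TERMS = {"NET30", "NET60", "COD"}  # valid-value table (validity / table lookup)
AMOUNT_LIMIT = 10_000.00                 # limit check threshold (constructed)
QTY_RANGE = (1, 500)                     # range check bounds (constructed)

def luhn_ok(number: str) -> bool:
    """Check digit: the Luhn sum over all digits must be divisible by 10."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def validate_batch(records):
    """Return {seq: [failed check, ...]} for each record that fails a check."""
    findings, seen, expected = {}, set(), None
    for rec in records:
        issues, no = [], rec["invoice_no"]
        if no.strip().strip("0") == "":  # completeness: not blank, not all zeros
            issues.append("completeness")
        if no in seen:                   # duplicate: already entered in this batch
            issues.append("duplicate")
        seen.add(no)
        if not luhn_ok(rec["account"]):  # check digit on the account number
            issues.append("check_digit")
        if expected is not None and rec["seq"] != expected:  # sequence break
            issues.append("sequence")
        expected = rec["seq"] + 1
        if rec["amount"] > AMOUNT_LIMIT:  # limit check
            issues.append("limit")
        if not QTY_RANGE[0] <= rec["qty"] <= QTY_RANGE[1]:  # range check
            issues.append("range")
        if rec["terms"] not in VALID_TERMS:  # validity check via table lookup
            issues.append("validity")
        if issues:
            findings[rec["seq"]] = issues
    return findings

SAMPLE_BATCH = [
    {"seq": 1, "invoice_no": "INV-100", "account": "79927398713", "amount": 250.0, "qty": 10, "terms": "NET30"},
    {"seq": 2, "invoice_no": "INV-101", "account": "79927398710", "amount": 12000.0, "qty": 10, "terms": "NET30"},
    {"seq": 4, "invoice_no": "INV-101", "account": "79927398713", "amount": 50.0, "qty": 0, "terms": "NET90"},
    {"seq": 5, "invoice_no": "0000", "account": "79927398713", "amount": 50.0, "qty": 5, "terms": "COD"},
]
```

Calling validate_batch(SAMPLE_BATCH) flags record 2 for check digit and limit, record 4 for duplicate, sequence, range and validity, and record 5 for completeness; record 1 passes every check.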