Basics to Performing Value-added IT Audits
Author : natalia-silvester | Published Date : 2025-06-16
Transcript: Basics to Performing Value-added IT Audits
Presented by: Edwin Caron, CISM, CRISC, CIA, CISA, CBE

Background
Edwin Caron, CIA, CISM, CRISC, CISA, CBE - A Management Consultant with Guidehouse LLC (formerly PwC’s National Security Practice), Mr. Caron began his career at The Navy Exchange Service Command (NEXCOM) as an internal auditor. He has almost 20 years of experience in IT Risk Management and Audit, and Audit Readiness consulting. Edwin grew up in Norfolk, Virginia, and graduated from Old Dominion University with a BS/BA in Finance. He lives in Springfield, VA with his wife (Erica), son (Sixto) and pup (Isabella Stinker).

Agenda
Defining a “value-added” IT Audit
Defining IT Audit Universe
Examples of “Low-hanging Fruit”
Summary Session Q&A

Quiz
Quiz Question #1: How would you define Value-added audit?

Defining “Value-added”
“Value” means different things to different people, depending on their perspective

Quiz
Quiz Question #2: What is the value of IT Auditors?

Defining “Value-added”
Provide independent and/or objective operational analysis following a systematic and disciplined approach to examine business functions and control activities and provide recommendations which improve control and governance processes thereby helping the organization achieve its strategies and objectives.

Defining “Value-added”
Implement risk-based IT audit procedures based on a formal risk assessment methodology

What are we auditing
The “IT audit universe”
Common Controls
Technical Controls
Other Reviews

In Other Words
The “IT audit universe”
An inventory of audit areas that is compiled and maintained to identify areas for audit during the audit planning process.

Common Control Areas
Governance - IS/IT strategy, policies, remediation of findings, performance monitoring and continuous audits;
Operations - Data centers, secure configuration of local and wide area networks, physical and logical security, disaster recovery and business continuity;
External service providers - Telecommunications, outsourcers, cloud service providers, maintenance companies, consultants, auditors, contract and relationship management, performance monitoring, and management (both at headquarters and delegated to remote offices)

Technical Areas
Business applications - Software (both packaged and custom), mobile apps, end-user computing (particularly spreadsheets and personal databases), license management, updates, patches and fixes, change