
IT Audit for non-IT auditors Cornell Dover Assistant Auditor General 31 March 2013.


Slide 2: Overview
- Objectives of IT auditing
- Standards
- Types of audits
- The IT audit environment
- Controls
- IT Governance
- Facilities
- Networks
- Operating systems
- Databases
- Applications
- Computing trends

Slide 3: Objective of IT auditing
- To obtain evidence to support an opinion or conclusion that IT controls are designed, implemented and operating effectively

Slide 4: Standards
- AICPA/CICA – Assurance Standards
- ISACA – IT Audit and Assurance Standards
- COBIT – IT Control Framework
- ISO27K – Information Security Management
- ISF – Information Security Guidelines
- ITIL – Service Management
- PMBOK – Project Management Standards
- PCI DSS – Data Security Standards

Slide 5: Types of audits
- Compliance: a review of an organization's adherence to regulatory guidelines, e.g. SOX, HIPAA, PCI DSS
- Process: an examination of the effectiveness of an organization's procedures; generally done by internal audit
- Outcome: an examination to determine if programs/projects are generating the intended benefits

Slide 6: Understanding the environment
- Risk: What is the risk of using IT?
- How is automation different?
  - No paper trail
  - No human interaction
  - System-generated transactions
  - Errors can be pervasive
  - Remote access to data

Slide 7: Components of the environment
- IT Governance
- Facilities
- Networks
- Operating Systems
- Databases
- Applications

Slide 8: Controls
- Objective of controls: to mitigate the risk of the organization not meeting its goals and objectives
- Types of controls:
  - Preventative
  - Detective
  - Corrective

Slide 9: Controls
- Areas of controls:
  - IT general controls
  - Environmental
  - Financial
  - Operational

Slide 10: Controls
- Examples of controls:
  - All users must be authenticated
  - All changes must be approved and verified

Slide 11: IT Governance
- Where most organizations have problems
- Should be included in overall business goals and objectives
- Risk management
- Strategic planning
- Inventory of IT resources
- Classification of data
- Proper policies and procedures

Slide 12: Facilities
- Used to house computer systems and associated components, e.g.:
  - Telecommunications
  - Storage systems

Slide 13: Facilities
- Generally includes:
  - Redundant/backup power supplies
  - Redundant data communications connections
  - Environmental controls (e.g. air conditioning, fire suppression)
  - Security devices

Slide 14: Facilities
- Purpose:
  - Central processing area
  - Restrict access to computing resources
  - Protect computing resources

Slide 15: Facilities
- Risks:
  - Loss of processing due to damage
  - Unauthorized access to computer systems and devices


Slide 17: Facilities
- Controls:
  - Authentication
  - Logging of user access
  - Environmental control systems

Slide 18: Networks
- Allow communication between users, resources, etc.
- Consist of an intricate design of hardware and wires: hubs, switches, routers, etc.

Slide 19: Networks
- Purpose:
  - Share information and resources
  - Internal communications
  - Distributed computing power
  - Ease of administration
  - Data protection and redundancy

Slide 20: Networks
- Risks:
  - Do the right users have access to the right information and resources?
  - Potential for unauthorized access
  - Potential for unauthorized disclosure

Slide 21: Networks
- Controls:
  - Authentication (preventive)
  - Firewalls (preventive)
  - Proper configuration of devices, e.g. port blocking (preventive)
  - Intrusion detection systems (detective)
  - Logging and monitoring (detective, corrective)

Slide 22: Operating systems
- Software that manages computer hardware resources and provides common services for programs and applications
- Vital component of the processing system

Slide 23: Operating systems
- Purpose:
  - Memory management
  - User interaction
  - Communication between components
  - File management
  - Securing files

Slide 24: Operating systems
- Risks:
  - Unauthorized access to system functions
  - Malware
  - Inappropriate use of resources
  - Damage to files
  - Loss of system resources

Slide 25: Operating systems
- Controls:
  - Authentication
  - Operating system policies
  - Logging and monitoring
  - Change management

Slide 26: Databases
- An organized collection of records having a standard format designed for efficient retrieval of information, e.g. Access, SQL, Oracle
- The most common type is a relational database

Slide 27: Databases
- Purpose:
  - Organize information
  - Store information
  - Retrieve information

Slide 28: Databases
- Risks:
  - Do the right users have access to the right information?
  - Unauthorized access to records
  - Information is not accurate
  - Information is missing

Slide 29: Databases
- Controls:
  - Database management system
  - Authentication
  - Integrity controls: accuracy, completeness, uniqueness
  - Logging and monitoring
  - Backups
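As an added illustration that is not part of the presentation, the Python/SQLite script below shows what the three integrity controls named on this slide (accuracy, completeness, uniqueness) look like when they are enforced by the database itself, and how an auditor can test that they operate: each attempted insert that violates a control is rejected by the database rather than relying on the application. The invoice table and its values are constructed for the example.

```python
import sqlite3

# Constructed schema: each constraint implements one integrity control from the slide.
SCHEMA = """
CREATE TABLE invoice (
    invoice_no TEXT PRIMARY KEY,                  -- uniqueness: no duplicate invoice numbers
    vendor_id  INTEGER NOT NULL,                  -- completeness: every invoice names a vendor
    amount     REAL NOT NULL CHECK (amount > 0),  -- accuracy: no zero or negative amounts
    currency   TEXT NOT NULL CHECK (currency IN ('CAD', 'USD'))  -- accuracy: known values only
);
"""


def new_db():
    """Create an in-memory database with the constrained invoice table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_invoice(conn, invoice_no, vendor_id, amount, currency):
    """Attempt an insert; return (accepted, reason) so the control result is recorded."""
    try:
        with conn:  # commit on success, roll back on failure
            conn.execute(
                "INSERT INTO invoice VALUES (?, ?, ?, ?)",
                (invoice_no, vendor_id, amount, currency),
            )
        return True, "accepted"
    except sqlite3.IntegrityError as exc:
        # The database rejected the row: this is the control operating.
        return False, str(exc)


def run_control_tests():
    """Walk through one valid row and one violation per control; return the outcomes."""
    conn = new_db()
    results = {
        "valid": insert_invoice(conn, "INV-001", 42, 100.0, "CAD")[0],
        "duplicate": insert_invoice(conn, "INV-001", 43, 50.0, "CAD")[0],     # uniqueness
        "missing_vendor": insert_invoice(conn, "INV-002", None, 50.0, "CAD")[0],  # completeness
        "negative_amount": insert_invoice(conn, "INV-003", 42, -5.0, "CAD")[0],   # accuracy
        "bad_currency": insert_invoice(conn, "INV-004", 42, 5.0, "XXX")[0],       # accuracy
    }
    # Only the valid row should have been stored.
    results["rows"] = conn.execute("SELECT COUNT(*) FROM invoice").fetchone()[0]
    return results


if __name__ == "__main__":
    for name, outcome in run_control_tests().items():
        print(f"{name}: {outcome}")
```

An auditor testing these controls would run the same kind of negative tests against a copy of the real schema and keep the rejection messages as evidence that the control operates, not only that it is documented.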

Slide 30: Applications
- A program or group of programs designed for end users
- Range from accounting systems to web apps
- Sit on top of the operating system
- Utilize networks and databases

Slide 31: Applications
- Purpose: provide a user interface to perform a specific task

Slide 32: Applications
- Risks:
  - Unauthorized access to the application
  - Unauthorized access to specific functions
  - Collection of inaccurate information
  - Inaccurate processing of information
  - Omission of key information

Slide 33: Applications
- Controls:
  - Authentication
  - Change management
  - Software updates
  - Logging and monitoring
  - Backups

Slide 34: Computing trends
- Web applications
- Mobile computing
- Cloud computing
- Bring your own device

Slide 35: Questions and contact
- Auditor General of British Columbia
- 8 Bastion Square, Victoria, BC V8V 1X4
- cdover@bcauditor.com
- www.bcauditor.com
- 250.419.6100
