Presentation is loading. Please wait.

Presentation is loading. Please wait.

Practitioner Discussant Comments Malik Datardina CPA, CA, CISA.

Published byAlicia Maxwell Modified over 9 years ago

Similar presentations

Presentation on theme: "Practitioner Discussant Comments Malik Datardina CPA, CA, CISA."— Presentation transcript:

1 Practitioner Discussant Comments Malik Datardina CPA, CA, CISA

2 Disclaimer!!! Risk management applied: “The following views are my own and are not of my employer, Deloitte.”

3 Conceptually I Data Lot of promise: Bring CAATs Audit Analytics into Security Makes it possible to automate access control testing

4 The Good Mathematics in abstract can be difficult to grasp. But paper made it digestible Use of simple models Examples relevant to auditors, e.g. “a teller may deposit a customer’s money into the customer’s account” Brought together necessary concepts e.g. RBAC, REA,

5 Audience Understood this was primarily for academic audience; right? Who is the audience? Consider multiple audiences Don’t limit just to audit; beneficial from operations, network, information security, etc.

6 Why is this necessary? Solution looking for a problem? What is the current ‘state of the art’? Any pitfalls with respect to manual testing? What are the risks? How does this procedure address them? Need to illustrate benefit or cost of this outweighs External audit: can this save time in audit costs? Internal audit: explain how this will help from a compliance perspective – how does it address: PCI, ISO 27001/2, SOC2 (Trust Services/cloud)

7 Some feedback Why is this necessary? Solution looking for a problem? Need to illustrate benefit or cost of this outweighs External audit: can this save time in audit costs? Internal audit: explain how this will help from a compliance perspective – how does it address: PCI, ISO 27001/2, SOC2 (Trust Services/cloud)

8 How does this work practically? Need to explain how this works in practice: What are the practical steps you need to take to do this? How do you get access rules in an electronic format? Can this be obtained from SAP, Oracle, etc? What is exactly required for the auditor to do to actually create the list of “right rules” to audit the security rules obtained from the device.

9 Insights from other areas? Software testing: What can be learned from static analysis (i.e. automated testing of software)? Intrusion detection systems: Are there potential for false positives? Is there a tuning problem? Data quality: Are there data quality issues when you get access controls “data dump” from the machine?

Download ppt "Practitioner Discussant Comments Malik Datardina CPA, CA, CISA."

Similar presentations

90 th Annual Meeting & Exposition April 3 – 6, 2011 Memphis, Tennessee An Introduction to Spend Analysis and Spend Management Optimizing your spend.

90 th Annual Meeting & Exposition April 3 – 6, 2011 Memphis, Tennessee An Introduction to Spend Analysis and Spend Management Optimizing your spend.
Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.
Chapter 21 Assurance, Attestation, and Internal Auditing Services Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin.

Chapter 21 Assurance, Attestation, and Internal Auditing Services Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.McGraw-Hill/Irwin.
Assurance, Attestation, and Internal Auditing Services

Assurance, Attestation, and Internal Auditing Services
The Islamic University of Gaza

The Islamic University of Gaza
Security Controls – What Works

Security Controls – What Works
1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.

1 SAP Security and Controls Use of Security Compliance Tools to Detect and Prevent Security and Controls Violations.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Audit Automation as the Foundation of Continuous Auditing Michael Alles Alexander Kogan Miklos A. Vasarhelyi J. Donald Warren, Jr.

Audit Automation as the Foundation of Continuous Auditing Michael Alles Alexander Kogan Miklos A. Vasarhelyi J. Donald Warren, Jr.
TEL382 Homework Assignments. Outline HW#1 Find and Review/Describe 3 Existing IS Policy Manuals HW#2 Perform Qualitative Risk Analysis for Organization.

TEL382 Homework Assignments. Outline HW#1 Find and Review/Describe 3 Existing IS Policy Manuals HW#2 Perform Qualitative Risk Analysis for Organization.
ISO 9000 and Total Quality: The Relationship Eng. Basel F. Qandeel.

ISO 9000 and Total Quality: The Relationship Eng. Basel F. Qandeel.
Software Verification and Validation (V&V) By Roger U. Fujii Presented by Donovan Faustino.

Software Verification and Validation (V&V) By Roger U. Fujii Presented by Donovan Faustino.
1 Performance Auditing  In IT Environment  Evidence Gathering & Analysis Techniques  Computer Assisted Techniques  Use of IDEA.

1 Performance Auditing  In IT Environment  Evidence Gathering & Analysis Techniques  Computer Assisted Techniques  Use of IDEA.
Continuous Monitoring as a tool for Fraud Detection Anton Bouwer CQS Technology Holdings

Continuous Monitoring as a tool for Fraud Detection Anton Bouwer CQS Technology Holdings
Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.

Best Practices for User Access Controls and Segregation of Duties Presented by: Jeffrey T. Hare, CPA CISA CIA ERP Seminars.
Report Splitting and Distribution What is involved in splitting and distributing? What is involved in splitting and distributing? Why split or burst reports?

Report Splitting and Distribution What is involved in splitting and distributing? What is involved in splitting and distributing? Why split or burst reports?
Monday, 17 August 2015 Compliance Management, Governance and Benchmarking Strategic security management.

Monday, 17 August 2015 Compliance Management, Governance and Benchmarking Strategic security management.
How Will Continuous Auditing and XBRL-GL Work Together to Provide Improved Business Value? Nigel J. R. Matthews, BASc, CA ACL Services Ltd.

How Will Continuous Auditing and XBRL-GL Work Together to Provide Improved Business Value? Nigel J. R. Matthews, BASc, CA ACL Services Ltd.
SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.

SOC1 vs. SOC2 vs. SOC3 Source: ryServices/Pages/AICPASOC3Report.aspx.
Chapter 1 The Information System: An Accountant’s Perspective Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western,

Chapter 1 The Information System: An Accountant’s Perspective Accounting Information Systems, 5 th edition James A. Hall COPYRIGHT © 2007 Thomson South-Western,

Similar presentations

Ads by Google