Published by Blanche Moore. Modified over 9 years ago.
Slide 1: Practical Implementation of Automated Assessment Tools for the IT Auditor
John A. Otte, CISSP, CISA, CFE, EnCE, MSIA
Director, Strategic Services, FishNet Security
Slide 2: Agenda
- IT audit and assessment testing background
- Audit and assessment planning issues
- Challenges to conducting the IT audit
- Benefits of automated assessment tools
- Examples of automated assessment tools
- Automated assessment tools and compliance
- Questions and open forum
Slide 3: IT audit and assessment testing background
- Requirements to fulfill internal and external control reviews
- Compliance with federal, state, local and industry regulatory acts
- Detect, prevent and deter misuse, abuse or exposure of systems and data
- Identify and remediate system, process or control weaknesses
- Determine adequate design and effectiveness of critical business processes
- Reduce overall true business risk to information systems and data
Slide 4: Audit and assessment planning issues
- Integrated audit versus IT audit
- Time required of the audit and operational staff to conduct the audit
- Testing methodology (e.g., manual versus automated)
- Findings classification/determination
- Communication/reporting of findings
Slide 5: Challenges to conducting the IT audit
- IT Auditors need to determine the impact of the systems being assessed during the course of the audit (relevance and criticality)
- Determining the audit approach: manual/checklist versus automated/scripted
- Since information is available electronically and not necessarily in hardcopy, the traditional methods used to gather and evaluate information may not be sufficient
- Some IT audits require an advanced level of technical skill or in-depth understanding of systems (e.g., operating systems, applications, databases)
- IT Auditors need a deeper understanding of general computer controls (including the use of automated assessment tools) and the potential impact such controls may have on the audit approach
- Disparate reports, non-integration of system logs and/or history
Slide 6: Challenges to conducting the IT audit (continued)
Areas most difficult for the IT Auditor to assess include:
- Access controls (firewall rules, ACLs)
- Change management (adds, changes, deletes)
- Segregation of duties
- User or system account access to data
- Location of critical data (applications/databases/storage)
- Data discovery (at rest, in motion)
Some IT audits are extremely resource intensive and require significant IT interaction.
Slide 7: Benefits of automated assessment tools
- Help overcome issues associated with manual testing of systems and processes
- Most tools are quick to run and require less interaction with IT and business staff
- Provide autonomy and flexibility in the audit approach
- Yield more detailed information than could be acquired manually
- Many reports are written in non-technical language, so most IT Auditors can understand and use the information regardless of technical skill set
- Reduce audit costs while increasing audit coverage and the quality of value-added recommendations
- Help rapidly identify "high, critical or most vulnerable" risk areas sooner, maximizing remediation timeframes
- Illustrate risks and priorities to IT and business units alike
Slide 8: Examples of automated assessment tools
Slide 9: Vulnerability Assessment - Nessus
http://www.nessus.org/demos/index.php?view=demo_videos
Slide 10: Data Discovery - Vontu
- Allows an IT Auditor to search for and identify "critical" data within information processing systems (servers, desktops, workstations, databases, storage)
- Provides the ability to remediate found data (move, erase, quarantine)
- Gives the IT Auditor a means to expand or reduce the scope of an audit based on findings
- Justifies the IT Auditor's remediation findings after validation of the discovered "critical data"
- Empowers the IT Auditor to be a "business enabler" when making recommendations on internal controls or business processes
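As an added illustration of the data-discovery step above (example code written for this page, not Vontu's or the presenter's), the following Python scans a set of constructed files for candidate payment card numbers, uses a Luhn check to discard random digit runs, and reports only masked values so the audit finding itself does not become a new exposure. The file names and contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "files" standing in for a file share walked by a discovery tool.
SAMPLE_FILES: Dict[str, str] = {
    "shared/invoices.txt": "Customer paid with card 4111 1111 1111 1111 on 2024-01-05.",
    "shared/tickets.txt": "Ticket 4111111111111112 fails the Luhn check; phone 555-0100.",
    "hr/notes.txt": "No payment data in this file.",
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: filters out digit runs that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding does not leak the full PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def discover_pans(files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, masked PAN) for every Luhn-valid candidate found in the files."""
    findings: List[Tuple[str, str]] = []
    for path, text in files.items():
        for match in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((path, mask(digits)))
    return findings


if __name__ == "__main__":
    for path, masked in discover_pans(SAMPLE_FILES):
        print(f"{path}: {masked}")
```

Only the invoice file is reported; the ticket number has the right length but fails the Luhn check, which is what keeps a scan like this from flooding the auditor with false positives.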
Slide 11: Firewall Reviews - Firemon
- Enables the IT Auditor to quickly review firewall changes using automation
- Helps the IT Auditor detect potential issues before they arise
- Gives a quick view of actual risks in firewall rules
- Enables the IT Auditor to maintain continual analysis and impact assessment
Slide 12: Segregation of Duties – Benefits
- Reduces the labor-intensive task of manually reviewing user access to systems and data
- Expedites the testing process for user access reviews
- Analyzes controls at specific transaction levels
- Quick and easy-to-understand reporting on potential conflicts
- Helps IT Auditors better understand both defined and undefined roles within the organization
- Reduces the overall likelihood of risk and fraud
Slide 13: Segregation of Duties – Product Platforms
- Oracle: built-in tools
- SAP: Versa, Business Intelligence, Firefighter, ECC 6.0
- Excel spreadsheets: ComplyXL
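An added example, not taken from the presentation or from any of the products listed, of the transaction-level conflict check that the two segregation-of-duties slides describe: it expands each user's roles into the transactions they grant, flags pairs that a conflict matrix forbids one person to hold together, and separately reports roles that are not in the role catalogue (the "undefined roles" the benefits slide mentions). The role names, transactions, conflict pairs and user assignments are all constructed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed role catalogue: role -> transactions it grants (hypothetical names).
ROLE_TRANSACTIONS: Dict[str, Set[str]] = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "AUDITOR": {"view_ledger"},
}

# Constructed conflict matrix: transaction pairs one person must never hold together.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
}

# Constructed user-to-role export, as an ERP or IAM system would produce it.
USER_ROLES: Dict[str, List[str]] = {
    "alice": ["AP_CLERK", "AP_MANAGER"],
    "bob": ["AP_CLERK"],
    "carol": ["AUDITOR", "LEGACY_ROLE"],
}


def resolve_transactions(roles: List[str], catalogue: Dict[str, Set[str]]) -> Tuple[Set[str], List[str]]:
    """Expand roles to transactions; roles absent from the catalogue are reported, not ignored."""
    granted: Set[str] = set()
    undefined: List[str] = []
    for role in roles:
        if role in catalogue:
            granted |= catalogue[role]
        else:
            undefined.append(role)
    return granted, undefined


def find_sod_issues(user_roles: Dict[str, List[str]], catalogue: Dict[str, Set[str]],
                    conflicts: Set[FrozenSet[str]]) -> Dict[str, dict]:
    """Per user: the forbidden transaction pairs they hold, plus any roles the catalogue lacks."""
    report: Dict[str, dict] = {}
    for user, roles in user_roles.items():
        granted, undefined = resolve_transactions(roles, catalogue)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= granted)
        if hits or undefined:
            report[user] = {"conflicts": hits, "undefined_roles": undefined}
    return report


if __name__ == "__main__":
    for user, issue in find_sod_issues(USER_ROLES, ROLE_TRANSACTIONS, CONFLICTS).items():
        print(user, issue)
```

Undefined roles are reported rather than silently dropped because a role that grants unknown transactions cannot be cleared of conflicts; it is a finding in its own right.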
Slide 14: Automated assessment tools and compliance
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act of 2002 (SOX)
- Gramm-Leach-Bliley Act (GLBA)
Slide 15: Frameworks
- International Standards Organization 27001/2
- CoBIT
- COSO
- OCTAVE
- NIST
Slide 16: Open Discussion