Basics in IT Audit and Application Control Testing
Presented by Dinesh Bareja
Doha, 28 April 2019
This document has been created by IndiaWatch, Open Security Alliance and Dinesh O Bareja
Released in the public domain under Creative Commons License (Attribution- Noncommercial 2.5 India)
http://creativecommons.org/licenses/by-nc-sa/2.5/in/
The information and practices listed in this document are provided as is and for guidance purposes only and should not be
construed to be a standard (unless mentioned otherwise). Readers are urged to make informed decisions before adopting the
information given in this document.
The author(s) may not be held responsible, or liable, in any event and for any issues arising out of the use of the information and / or
guidelines included in this document. Further, we do not give any warranty on accuracy, completeness, functionality, usefulness or
other assurances as to the content in the document. We disclaim all responsibility for any losses, damage caused or attributed, directly
or indirectly, from reliance on and the use of such information.
Readers are welcome to provide feedback to the authors using the contact information provided in this document. This document
has been prepared for general public distribution so all animations have been converted to static images.
Graphics and images are usually obtained from the internet and royalty free sources and are usually acknowledged by us. Errors may
be expected in this practice and this is not intentional. We respect creative rights and request owner(s) to inform us of any inadvertent
omission. Any trademarks or companies may be displayed or mentioned with the purpose of establishing a point or for better
understanding and we do not claim any exclusivity or relationship with their respective owners.
License and Copyright
Acknowledgements & Disclaimer
Various resources on the internet have been referred to contribute to the information presented. Images have been acknowledged (above) where possible. Any company names,
brand names, trade marks are mentioned only to facilitate understanding of the message being communicated - no claim is made to establish any sort of relation (exclusive or
otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us
for remediation of the erroneous action(s).
ABOUT ME
Dinesh O Bareja
CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR
• Researcher Founder: IndiaWatch & Open Security Alliance
• Principal Advisor : Pyramid Cyber Security & Forensic Pvt Ltd
Cyber Peace Foundation
Red Team Hacker Academy
• Outsourced CISO : IceWarp Technologies Ltd
• Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
Enterprise & Government Policy Development; Cyber Security
Strategy, Design & Architecture; Specialist – GRC, SOC, ERM,
COBIT, ISO, BCP/DR etc;
MY CONTACT INFORMATION
dinesh@opensecurityalliance.org
@bizsprite
linkedin.com/in/dineshbareja
+91.9769890505
dineshobareja
dineshobareja
indiwatch.in
dineshbareja.com
Information Security professional
working hard to stay abreast of
technology, risks, threats,
opportunities and looks forward
to the excitement of the future..
introduction
• This presentation is an amalgam of my experience and guidance from
the IIA Global Technology Audit Guide(s) (GTAG guides)
• At times I may specifically mention the GTAG reference where it is used
directly
• I have tried not to include audit basics so as to restrict myself to the IT
specific areas of the practice
• In some places I have shared questions and lists, but those are top-of-mind and
should not be considered the complete set … you will have to build your own
questionnaire based on the size of the organization etc.
A few essentials to remember as you get into the IT audit and application testing domain
1. DATA IS THE ULTIMATE ASSET WHICH NEEDS TO BE PROTECTED
2. RISK MANAGEMENT is the fundamental control for information security (be it audit / test / design)
IT AUDIT – A Preamble
An Audit is an Audit… we look inside claims of compliance to uncover
hidden weaknesses, invisible issues, organization challenges and more.
IT audit requires a larger set of skills, as it has to look at IT technically,
strategically and operationally, as well as from the security and business point
of view.
As IT is a key enabling function for business and is increasingly critical for
survival this makes IT Audit an existential necessity for any organization
that wants to grow, survive and thrive.
References:
GTAG-01 - Information Technology Risk and Controls
IT AUDIT – what is this?
• Provides assurance on the security triad of CIA
• Confidentiality: the information in the systems is available only to authorized users
• Integrity: the information provided by the system(s) is accurate, complete and reliable, and has not been altered without authorization
• Availability: the systems and their data are available for business whenever needed by authorized users
• Examines and evaluates the organization’s Information Technology infrastructure, policies and operations, covering people, process and technology
• An IT audit helps determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals
IT AUDIT – THE NEED
• Enables higher confidence in IT processes, as business depends on IT
• Contains organizational costs arising out of data loss or system usage error
• Identifies possible risk areas of incorrect decision making
• Mitigates the costs of computer and asset abuse
• Protects the value of computer hardware, software and personnel
• Maintains privacy
• Envisages and identifies improvement
IT AUDIT – THE ASSURANCE
• Compliance with best practices as provided by standards, frameworks, guidelines or laws and regulations
• Protection of organization assets from any type of risk, such as theft or misuse
• The organization is prepared to manage disruptive attacks such as DDoS, ransomware, APTs etc.
• Reputation and customer confidence are proactively protected
IT AUDIT – BASELINES / REFERENCES
• International or domestic standards, guidelines, frameworks and regulations: ISO 27001, ISO 22301, ISO 20000, cloud security guidelines, PCI DSS, GTAG, NIST, GDPR etc.
• Industry / business best practices
• Customer requirements
• Vendor guidelines
IT Audit
Universe
• An all-encompassing collection of
audit areas, devices, people,
technologies, organizational entities,
and locations
• Business functions that provide
adequate assurance on the
organization’s risk management level
• Tangible or intangible assets (this
includes business, people, process and
technology in the organization)
IT Audit coverage
• TECHNOLOGY
• Applications
• Databases
• Operating Systems
• Networks
• CONTROLS – ITGC
• Systems Development
• Change Management
• Logical Access
• Physical Security
• Service & Support Process
• Backup and Restore
• APPLICATION CONTROLS
• Authorization
• Data Integrity
• Segregation (of duties)
• IT MANAGEMENT
• IT Planning
• System Operations
• Programming
• Vendor Management
The audit universe is huge with many different types of
audits being conducted. IT audit too, takes on different
colors, shades or shape depending on the mandate(s).
IT Audit Types
•Internal, External (supplier/customer), Certification
•ISMS (ISO 27001)
•ISO 22301, ISO 31000, ITSM (ISO 20000)
•Regulatory (SOX, ITGC, Govt)
•Vendor (3rd party)
•System development
•Application audits
•IT Infrastructure
•IS Maturity
•Risk assessments
•Cloud
•IS Functional audit
•SLA… etc.
Getting started on the IT audit
Starting the IT audit
•Purpose of Audit
•Scope
•Operating Principles
•Authority
•Accountability
Starting the IT audit – Purpose and Operating principles
• Purpose
• Mission statement
• Role
• Aims/goals
• Objectives
• Relationship with external audit
• Auditee requirements
• Operating principles
• Critical success factors
• Key performance indicators
• Risk assessment
• Other measures of performance
Starting the IT audit – Authority and Accountability
• AUTHORITY
• Right of access to information, personnel, locations and systems relevant to the performance of audits
• Scope or any limitations of scope
• Functions to be audited
• Auditee expectations
• Organizational structure, including reporting lines to board and senior management
• ACCOUNTABILITY
• Auditee rights
• Independent quality reviews
• Assessment of compliance with standards
• Assessment of completion of the audit plan
• Comparison of budget to actual costs
• Agreed actions, e.g., penalties when either party fails to carry out their responsibilities
IT Audit Basics & Essentials
Looking at the IT universe (the organization) and its fundamentals (call them
basics and essentials): access controls, asset management, governance,
people, physical environment, operations, communication, incident
response, business continuity & more.
Context
• Fundamentally the audit should show a snapshot of the as-is
state and the remediation path to the to-be state
• Objective view of business, people, process and technology
with respect to the baseline standard / regulatory guideline
• Audit Objective in alignment with the strategic vision and
mission of the business
• “People Process & Technology” and “Confidentiality, Integrity
and Availability” are the two tenets on which the audit should
be based
• People (experienced, skilled and knowledgeable), Process (design,
effective, controlled) & Technology (viable, needed, utilized)
Basics that must be in place
• IT Risk Management is fundamental to
the Infosec organization and
operations
• Assets are managed with a risk based
framework
• Access to the organization’s most
valuable assets (data) is adequately
controlled
• Risk assessment (RA) done to identify assets that
• Are likeliest targets for cyberattacks
• Cause the most significant disruption if
compromised
• Data classification to identify which
data, if compromised, would cause
financial or competitive loss, and have
legal ramifications, or reputational
damage to the organization
• Incident Management & Response
Team is prepared to react / respond
effectively to a security incident
• Roles and responsibilities are defined
• Essential IS management practices like
password, backup, change,
configuration, patch are controlled
• Emerging risks and threats are
continuously monitored
Key IT AUDIT Areas
•Security
•Risk Management
•Access Management
•Asset Management
•Backup & Recovery
•Data Classification
•Web Site / Web Applications
•Applications
•Resource Management
•Shadow IT
•Awareness
•Metrics (KPIs)
•BCP/DR
•Incident Response
•Drills and Tests
•Technology Risk Assessment
•Log Management
•Cloud Security
•ROI / UOI
IT AUDIT STRUCTURE (GTAG-1: IT Risk and Controls)
Probe Questions for CONTROL Selection
• Do IT / IS policies and IT controls exist?
• Are roles and responsibilities for IT and IT controls defined and assigned?
• Are controls designed and operating effectively?
• Is the mix of preventive, detective, and corrective controls effective?
• Do the controls provide evidence when control parameters are exceeded or when controls fail?
• How is management alerted to failures?
• Is evidence retained (e.g., through an audit trail)?
• Are the IT infrastructure equipment and tools logically and physically secured?
• Are access and authentication control mechanisms used?
• Are controls in place to protect the operating environment and data from viruses and other malicious software?
• Are firewall-related controls implemented? Do firewall policies exist?
• Are external and internal vulnerability assessments completed, and have the identified risks been resolved appropriately?
• Are change and configuration management and quality assurance processes in place?
• Are structured monitoring and service measurement processes in place?
• Have the risks of outsourced services been taken into consideration? (For details, refer to GTAG 7: IT Outsourcing.)
ROI / UOI / VOU
•Lower the priority given to ROI
•First review the UOI (Utilization of Investment): is what was bought actually being used?
•Then ensure VOU (Value of Utilization): is that use delivering the intended outcome?
•… ROI is assured if these two are in place. You only have to identify the financial values of the goals / objectives.
Infrastructure Testing
Remote / onsite vulnerability scans: if it’s on the network, scan it!
• Devices: servers, printers, routers, workstations, laptops
• Secondary locations: branch offices, vendors, warehouses, shop floor, field offices, retail outlets
Tools & Techniques
- Vulnerability Assessment
- Penetration Testing
- Threat Modelling
- Security Maturity Assessment
- Configuration Review
- Hardening
IT Audit process - High Level
•Planning: audit scope, objectives, internal control questionnaire
•Assessment / Testing: fieldwork, evaluation, testing
•Reporting: communication, audit findings, assessment results
•Follow-up: confirmation of planned actions, audit response verification
1: Planning
• Kickoff
• Define objectives
• Define scope
• Internal controls
• Historical incidents
• Past audits & closures
• Site survey
• Current policies, SOPs, procedures
• Develop audit plan / checklist
• Questionnaires
2: ASSESSMENT / TESTING
• Meet With Functional Team
• What data will be collected
• How/when will it be collected
• Site employee involvement
• Access
• Data Collection
• Based on scope/objectives
• Types of Data
• Physical security
• Interview staff
• Vulnerability assessments
• Access Control assessments
3: Reporting
•Exit meeting – draft report
• Questions & answers for site managers and functional team
• Present & discuss draft report
• Obtain buy-in and acceptance of findings and report
•Update with feedback, prepare the final report and submit it to the board
4. Follow-up
•Review of findings i.e. actions
taken to resolve internal audit
findings. They may be tested to
ensure that desired results
were achieved
•Ensure closure of NCs
•Carry out a new scan
(VAPT/AppSec) after closure of
the vulnerabilities, as per
contract
Types of Evidence for Audit Findings
• Logs
• Screenshots
• Confirmation messages
• Documents
• Emails
• Minutes of meetings
• Responses from stakeholders
• Performance / test results
• Pictures
• Data and database snapshots
• Observation notes from walkthroughs etc.
IT Risk – basic risk assessment
• Which IT assets are at risk and what is the threat event?
• What is the value of the asset in terms of Confidentiality, Integrity and Availability?
• What are the impact and probability of the risk event?
• If a threat event happened, how bad could its impact be?
• How often might the event be expected to occur (frequency of occurrence)?
• How certain are the answers to the first four questions (uncertainty analysis)?
• What can be done to reduce / manage / transfer the risk?
• How much will it cost?
• Is the mitigation / remediation cost-efficient?
• Have the risks been communicated to the asset owners?
IT Risks
Governance Risks
• Lack of commitment from top management, leading to lack of support
• Lack of security awareness among people working at the ground level
• Complacency in the implementation of IT security controls
• Inadequately defined roles and responsibilities, and lack of skills
General IT Risks
• A natural disaster impacting technology
• A man-made disaster impacting technology
• Malicious code infection
• Remote access, identity and authentication management, etc.
• Over-reliance on security monitoring software
• Inadequate system logging
• Technology innovations that outpace security
• Outdated operating systems
• Lack of encryption
• Data on user-owned mobile devices
• IT “diplomatic immunity” within your organization (IT staff exempt from the controls applied to everyone else)
• Challenges recruiting and retaining qualified IT staff
• Inadequate segregation of duties
Assessing Risks related to the IT
Environment
• Develop processes to
identify risks.
• Assess risk and rank audit
subjects using IT risk
factors.
• A risk assessment:
• Provides a foundation for
the audit plan;
• Promotes timely audit
reporting on high-risk
conditions;
• Ensures that relevant
information has been
obtained from all
management levels,
including boards of
directors, IT auditors, and
functional area
management;
• Establishes a basis for
managing the audit
department effectively;
and
• Provides a summary of
how the individual audit
subject is related to the
overall organization as
well as to the business
plans.
Application risks
• Insecure development practices
• Security testing not done during the development phase
• Source code leaked
• Comments and passwords hard-coded
• Application is not updated (patched)
• Logic bomb dropped by a disgruntled employee (changes are unmanaged)
• Poor authorization and authentication
• Insecure validation (of input)
• Logs not enabled
• Default settings
• Unnecessary privileges
Application Controls
Applications (or software) includes any and
all whether on premises or on cloud (e.g. ERP,
CRM, Intranet, Web Application etc)
Application Controls
Application controls are those controls that
pertain to the scope of individual processes or
application systems
This includes data edits, separation of business
functions, balancing of processing totals,
transaction logging, and error reporting, secure
development and operations
Application Controls
•Application controls ensure proper coverage and the confidentiality, integrity, and availability
of the application and its associated data.
•Proper application controls greatly reduce the risks and threats associated with application
usage, because invalid, unauthorized, duplicate or incomplete transactions are rejected or
flagged before they can affect the data or downstream systems. (This is distinct from
“application control” in the endpoint sense, i.e. allowlisting that prevents unapproved
software from executing.)
Objectives
• Input data is accurate, complete, authorized, and correct
• Data is processed as intended in an acceptable time period
• Output and stored data is accurate and complete
• A record is maintained to track data processing from input to storage to output
• Cost-effective and efficient means to manage risk
• Reliant on the effectiveness of the IT general control environment
• Approach varies for complex versus non-complex environments
Common Application Controls (GTAG 8)
• Input and access controls (ensure that all input transaction data is accurate, complete, and authorized)
• Data checks and validations
• Automated authorization, approval, and override
• Automated SOD (segregation of duties)
• File & data transmission controls (ensure that internal and external electronically transmitted files and transactions are received from an identified source and processed accurately and completely)
• File transmission controls
• Data transmission controls
• Processing controls (ensure that valid input data has been processed accurately and completely)
• Automated file identification and validation
• Automated functionality and calculations
• Audit trails and overrides
• Data extraction, filtering, and reporting
• Interface balancing
• Automated functionality and aging
• Duplicate checks
• Output controls (ensure that output is complete, accurate, and distributed appropriately)
• General ledger and sub-ledger posting
• Update authorization
• Master files and standing data controls (ensure the integrity and accuracy of master files and standing data)
• Update authorization
APPLICATION CONTROLS
• Completeness checks – controls
ensure records processing from
initiation to completion
• Validity checks – controls ensure
only valid data is input or
processed
• Identification / Access – controls
ensure unique, irrefutable
identification of all users
• Authentication – controls provide
an application system
authentication mechanism
• Authorization – controls ensure
access to the application system by
approved business users only
• Input controls – controls ensure
data integrity feeds into the
application system from upstream
sources
• Forensic controls – controls ensure
scientifically and mathematically
correct data, based on inputs and
outputs
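The following is an added example, not part of the slides or of GTAG 8, showing what several of the controls listed above (data checks and validations, duplicate checks, interface balancing, completeness checks and an audit trail) look like when automated for one inbound batch. The batch layout (a header record carrying the sender's control totals, then one comma-separated transaction per line), the field names and the ACC-nnn account-number format are assumptions made for the illustration; the two batches are constructed, and the first deliberately contains a duplicate and a non-numeric amount so that it fails to balance.

```python
"""Added example (not from the slides): automated input and processing
controls on a batch of transactions. Batch layout, field names and the
account-number format are assumptions for this illustration."""
from dataclasses import dataclass, field
from datetime import date
from decimal import Decimal, InvalidOperation
import re

ACCOUNT_RE = re.compile(r"^ACC-\d{3}$")   # assumed account-number format

# Constructed batch: header declares 4 records totalling 1300.00. The second
# TX1002 is a duplicate and TX1004 has a non-numeric amount, so it cannot
# balance and must be held rather than posted.
SAMPLE_BATCH = """\
H,BATCH-20190428-01,4,1300.00
TX1001,ACC-100,250.00,2019-04-28
TX1002,ACC-200,525.50,2019-04-28
TX1002,ACC-200,525.50,2019-04-28
TX1004,ACC-300,abc,2019-04-28
"""

# Constructed clean batch whose control totals agree with its records.
CLEAN_BATCH = """\
H,BATCH-20190428-02,2,775.50
TX2001,ACC-100,250.00,2019-04-28
TX2002,ACC-200,525.50,2019-04-28
"""


@dataclass
class BatchResult:
    batch_id: str
    accepted: list = field(default_factory=list)     # (tx_id, account, amount)
    rejected: list = field(default_factory=list)     # (tx_id, reason)
    audit_trail: list = field(default_factory=list)  # one line per decision
    count_ok: bool = False    # completeness: records received == declared
    balanced: bool = False    # interface balancing: accepted sum == declared

    @property
    def release(self) -> bool:
        """Only a batch whose control totals both hold goes on to posting."""
        return self.count_ok and self.balanced


def _parse_amount(raw: str) -> Decimal:
    """Validity check: numeric, positive, at most two decimal places."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise ValueError(f"amount '{raw}' is not numeric")
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise ValueError(f"amount '{raw}' must be positive with 2 decimals")
    return amount


def validate_record(fields):
    """Data checks and validations on a single transaction record."""
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}")
    tx_id, account, raw_amount, raw_date = fields
    if not ACCOUNT_RE.match(account):
        raise ValueError(f"account '{account}' has an invalid format")
    amount = _parse_amount(raw_amount)
    date.fromisoformat(raw_date)        # raises ValueError on a bad date
    return tx_id, account, amount


def process_batch(text: str) -> BatchResult:
    """Apply validity, duplicate, completeness and balancing controls and
    record every accept/reject decision in an audit trail."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",") if lines else []
    if len(header) != 4 or header[0] != "H":
        raise ValueError("missing or malformed control-total header")
    result = BatchResult(batch_id=header[1])
    declared_count, declared_total = int(header[2]), Decimal(header[3])
    seen_ids = set()
    for n, line in enumerate(lines[1:], start=1):
        fields = line.split(",")
        tx_id = fields[0]
        try:
            tx_id, account, amount = validate_record(fields)
            if tx_id in seen_ids:                     # duplicate check
                raise ValueError("duplicate transaction id")
            seen_ids.add(tx_id)
            result.accepted.append((tx_id, account, amount))
            result.audit_trail.append(f"{result.batch_id} #{n} {tx_id} accepted {amount}")
        except ValueError as exc:
            result.rejected.append((tx_id, str(exc)))
            result.audit_trail.append(f"{result.batch_id} #{n} {tx_id} rejected: {exc}")
    received = len(lines) - 1
    accepted_total = sum((amt for _, _, amt in result.accepted), Decimal("0"))
    result.count_ok = received == declared_count          # completeness
    result.balanced = accepted_total == declared_total    # interface balancing
    result.audit_trail.append(
        f"{result.batch_id} received={received}/{declared_count} "
        f"accepted_total={accepted_total}/{declared_total} release={result.release}")
    return result


if __name__ == "__main__":
    for batch in (SAMPLE_BATCH, CLEAN_BATCH):
        print("\n".join(process_batch(batch).audit_trail))
```

The point an auditor checks here is that a record-level rejection does not silently shrink the batch: the first batch passes the record-count check (4 received, 4 declared) but fails to balance against the declared total, so it is held as a whole and the reason is visible in the audit trail rather than being lost with the two rejected records.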
Questioning input controls
• How does the transaction originate?
• How is the transaction authorized (e.g., a manual signature, electronic signature, screen access authorization, etc.)?
• Who inputs the source data? Are these individuals separate from those who reconcile the processing results?
• How is the source data added into the application (e.g., batch, online, etc.)?
• Who has access to the application (input / output / transaction / source)?
• Is data entry conducted within a short time after the source document is created?
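The question above about whether the people who input data are separate from those who reconcile it, together with the “Automated SOD” control listed under GTAG 8, can be answered with two checks rather than one: a design check on the role assignments, and an operating-effectiveness check on what actually happened per transaction. The example below is added here and is not from the slides; the role names, duty names, conflict pairs, user-role extract and transaction log are all constructed for the illustration.

```python
"""Added example (not from the slides): segregation-of-duties (SoD) checks
over a constructed user-role extract and a constructed transaction log."""
from collections import defaultdict

# Assumed conflict matrix: pairs of duties one person must not hold together.
CONFLICTING_DUTIES = [
    frozenset({"enter_transaction", "approve_transaction"}),
    frozenset({"enter_transaction", "reconcile"}),
    frozenset({"maintain_vendor_master", "approve_payment"}),
]

# Assumed mapping of application roles to the duties they grant.
ROLE_DUTIES = {
    "AP_CLERK": {"enter_transaction"},
    "AP_SUPERVISOR": {"approve_transaction", "approve_payment"},
    "GL_ACCOUNTANT": {"reconcile"},
    "VENDOR_ADMIN": {"maintain_vendor_master"},
}

# Constructed user-role extract (user, role), as pulled from the admin console.
USER_ROLES = [
    ("alice", "AP_CLERK"),
    ("bob", "AP_SUPERVISOR"),
    ("carol", "GL_ACCOUNTANT"),
    ("dave", "AP_CLERK"), ("dave", "GL_ACCOUNTANT"),      # enters and reconciles
    ("erin", "VENDOR_ADMIN"), ("erin", "AP_SUPERVISOR"),  # creates vendors, approves payments
]

# Constructed transaction log: (transaction id, action, user who performed it).
TRANSACTION_LOG = [
    ("TX1001", "entered", "alice"), ("TX1001", "approved", "bob"), ("TX1001", "reconciled", "carol"),
    ("TX1002", "entered", "dave"), ("TX1002", "approved", "bob"), ("TX1002", "reconciled", "dave"),
    ("TX1003", "entered", "alice"), ("TX1003", "approved", "alice"),
]
INCOMPATIBLE_ACTIONS = [("entered", "approved"), ("entered", "reconciled")]


def static_sod_violations(user_roles, role_duties, conflicts):
    """Design check: which users hold conflicting duties through their roles?
    Returns sorted (user, (duty_a, duty_b)) tuples."""
    duties_by_user = defaultdict(set)
    for user, role in user_roles:
        duties_by_user[user] |= role_duties.get(role, set())
    violations = []
    for user, duties in duties_by_user.items():
        for pair in conflicts:
            if pair <= duties:                 # both duties of the pair held
                violations.append((user, tuple(sorted(pair))))
    return sorted(violations)


def transactional_sod_violations(log, incompatible):
    """Operating-effectiveness check: did one person actually perform two
    incompatible actions on the same transaction? This catches cases the
    role extract misses, e.g. an approval done under a shared or stale
    account. Returns sorted (tx_id, user, action_a, action_b) tuples."""
    actors = defaultdict(dict)      # tx_id -> {action: user}
    for tx_id, action, user in log:
        actors[tx_id][action] = user
    violations = []
    for tx_id, by_action in actors.items():
        for a, b in incompatible:
            if a in by_action and b in by_action and by_action[a] == by_action[b]:
                violations.append((tx_id, by_action[a], a, b))
    return sorted(violations)


if __name__ == "__main__":
    for v in static_sod_violations(USER_ROLES, ROLE_DUTIES, CONFLICTING_DUTIES):
        print("role conflict:", v)
    for v in transactional_sod_violations(TRANSACTION_LOG, INCOMPATIBLE_ACTIONS):
        print("transaction conflict:", v)
```

The two checks answer different audit questions. The static check shows the control is not designed adequately for dave and erin; the log check shows that dave actually exercised the conflict on TX1002, and that alice, who holds only a clerk role in the extract, nevertheless approved her own entry on TX1003, which is the kind of finding that sends the auditor back to the authorization and override controls.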
Benefits of Application Controls
• Reliability
• Reduces the likelihood of errors due to manual intervention
• Benchmarking
• Where the IT general controls (in particular change management) are effective and show that an automated control has not changed, the conclusion that the application control is effective can be carried forward year to year without full re-testing
• Time and cost savings
• Typically application controls take less time to test and only require testing once, as long as the IT general controls are effective
Application Control Hygiene
• Applications should be kept in good hygiene (or good working condition)
• This requires that we take care of the application during design, development, change, installation, operations and maintenance
• In simple terms it means taking care of: change management, security in design, secure coding, patch management, backup, versioning, documentation, logs, defaults, remote access, threat modelling
WRAP-UP
IT audits help to identify the current state and, using risk-based methods, provide an effective path for mitigation and remediation. The auditee organization must enable continuous improvement as recommended by the auditors and, most importantly, remediation / mitigation measures should be carried out in the shortest possible time once identified.
Application controls are a cost-effective and efficient means to manage risk through the process of building security in. Practices like secure coding, access controls, patch management, testing and following industry standards help decrease risk. Internal audit (IA) should determine that application controls are designed appropriately and operate effectively.
Role of Internal Auditors
• Knowledge of key IT risks, controls and audit techniques (GTAG 1)
• Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself. Many IT controls are technical in nature, and IT supplies the tools for many business controls.
• Consultant and advisor providing independent risk assessment
• Advises on what is to be protected, the level of protection and which controls are to be applied
• Can provide guidance on risk appetite, tolerance and mandatory regulations, as IA has an inside view of the organization
How much of a techie do you need to be?
•Knowledge of key IT risks, controls, audit techniques, events and incidents, new and upcoming technologies
•Networked with technologists (subject matter experts)
•Logical and lateral thinker
•Common sense
Global Technology Audit Guides (GTAG)
• GTAG 1: Information Technology Controls
• GTAG 2: Change and Patch Management Controls: Critical for Organizational Success
• GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
• GTAG 4: Management of IT Auditing
• GTAG 5: Managing and Auditing Privacy Risks
• GTAG 6: Managing and Auditing IT Vulnerabilities
• GTAG 7: Information Technology Outsourcing
• GTAG 8: Auditing Application Controls
• GTAG 9: Identity and Access Management
• GTAG 10: Business Continuity Management
• GTAG 11: Developing the IT Audit Plan
• GTAG 12: Auditing IT Projects
• GTAG 13: Fraud Prevention and Detection in an Automated World
• GTAG 14: Auditing User-developed Applications
• GTAG 15: Information Security Governance
• GTAG 16: Data Analysis Technologies
• GTAG 17: Auditing IT Governance
Practice guides that provide detailed guidance for conducting internal audit activities. These guides are published by the Institute of Internal Auditors (IIA). They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdfSoniaCristina49
 
ANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptx
ANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptxANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptx
ANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptxjustineguadayo1104
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007David Cunningham
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionPrecisely
 
Brandon Consulting Overview
Brandon Consulting OverviewBrandon Consulting Overview
Brandon Consulting OverviewRonan Martin
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security ProgramShauna_Cox
 

Similaire à Basics in IT Audit and Application Control Testing (20)

Orientation in IT Audit
Orientation in IT AuditOrientation in IT Audit
Orientation in IT Audit
 
5548 isaca for-students
5548 isaca for-students5548 isaca for-students
5548 isaca for-students
 
Overview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptxOverview-of-an-IT-Audit-Lesson-1.pptx
Overview-of-an-IT-Audit-Lesson-1.pptx
 
GDPR Series Session 4
GDPR Series Session 4GDPR Series Session 4
GDPR Series Session 4
 
Information Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your BusinessInformation Security Program & PCI Compliance Planning for your Business
Information Security Program & PCI Compliance Planning for your Business
 
What is Information Governance
What is Information GovernanceWhat is Information Governance
What is Information Governance
 
Bayo Omisore, IT Auditor-Compliance Analyst
Bayo Omisore, IT Auditor-Compliance AnalystBayo Omisore, IT Auditor-Compliance Analyst
Bayo Omisore, IT Auditor-Compliance Analyst
 
Info Security & PCI(original)
Info Security & PCI(original)Info Security & PCI(original)
Info Security & PCI(original)
 
IT Risk assessment and Audit Planning
IT Risk assessment and Audit PlanningIT Risk assessment and Audit Planning
IT Risk assessment and Audit Planning
 
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
17-MOD 6 Conducting Security Audits & MOD 7 Information Security Audit Prepar...
 
How to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber ResilientHow to Make Your Enterprise Cyber Resilient
How to Make Your Enterprise Cyber Resilient
 
Information Security Assessment Offering
Information Security Assessment OfferingInformation Security Assessment Offering
Information Security Assessment Offering
 
9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf9-Steps-Info-Sec-Whitepaper-final.pdf
9-Steps-Info-Sec-Whitepaper-final.pdf
 
ANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptx
ANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptxANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptx
ANALYTICAL-TOOLS-AND-COMPUTER-ETHICS.pptx
 
Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007Establishing a framework for it governance by dave cunningham 2007
Establishing a framework for it governance by dave cunningham 2007
 
Get Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security SolutionGet Ready for Syncsort's New Best-of-Breed Security Solution
Get Ready for Syncsort's New Best-of-Breed Security Solution
 
Brandon Consulting Overview
Brandon Consulting OverviewBrandon Consulting Overview
Brandon Consulting Overview
 
Auditing concept
Auditing conceptAuditing concept
Auditing concept
 
Topic11
Topic11Topic11
Topic11
 
Developing an Information Security Program
Developing an Information Security ProgramDeveloping an Information Security Program
Developing an Information Security Program
 

Plus de Dinesh O Bareja

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers Dinesh O Bareja
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCDinesh O Bareja
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITDinesh O Bareja
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaDinesh O Bareja
 
Mind Your Manners On Linked In
Mind Your Manners On Linked InMind Your Manners On Linked In
Mind Your Manners On Linked InDinesh O Bareja
 
ISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionDinesh O Bareja
 
Common Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSCommon Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSDinesh O Bareja
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Dinesh O Bareja
 
Cyberwar - Is India Ready
Cyberwar - Is India ReadyCyberwar - Is India Ready
Cyberwar - Is India ReadyDinesh O Bareja
 
Incident Response Requires Superhumans
Incident Response Requires SuperhumansIncident Response Requires Superhumans
Incident Response Requires SuperhumansDinesh O Bareja
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsDinesh O Bareja
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Dinesh O Bareja
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentDinesh O Bareja
 
Indian Thoughts in Information Security
Indian Thoughts in Information SecurityIndian Thoughts in Information Security
Indian Thoughts in Information SecurityDinesh O Bareja
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013Dinesh O Bareja
 
Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document Dinesh O Bareja
 
Information Security It's All About Compliance
Information Security   It's All About ComplianceInformation Security   It's All About Compliance
Information Security It's All About ComplianceDinesh O Bareja
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in IndiaDinesh O Bareja
 

Plus de Dinesh O Bareja (20)

WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers WFH Cybersecurity Basics Employees and Employers
WFH Cybersecurity Basics Employees and Employers
 
Cybersecurity 2.0
Cybersecurity 2.0Cybersecurity 2.0
Cybersecurity 2.0
 
Can Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRCCan Cyber Insurance Enforce Change in Enterprise GRC
Can Cyber Insurance Enforce Change in Enterprise GRC
 
Finance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with ITFinance and Accounting professionals to bridge the gap with IT
Finance and Accounting professionals to bridge the gap with IT
 
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, IndiaGovernance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
Governance and IoT Cyber Risks - presented at Defcon-OWASP Lucknow, India
 
Mind Your Manners On Linked In
Mind Your Manners On Linked InMind Your Manners On Linked In
Mind Your Manners On Linked In
 
ISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introductionISE - InfoSec Essentials .. an introduction
ISE - InfoSec Essentials .. an introduction
 
Common Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CSCommon Sense 101 - so much to learn about CS
Common Sense 101 - so much to learn about CS
 
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
Governance in Cybercrime and Cybersecurity orgns - final distribution Organiz...
 
Cyberwar - Is India Ready
Cyberwar - Is India ReadyCyberwar - Is India Ready
Cyberwar - Is India Ready
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Incident Response Requires Superhumans
Incident Response Requires SuperhumansIncident Response Requires Superhumans
Incident Response Requires Superhumans
 
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in CorporationsManaging Frequently Overlooked Risks & Threats (FORTS) in Corporations
Managing Frequently Overlooked Risks & Threats (FORTS) in Corporations
 
Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0Bug Bounty Hunter's Manifesto V1.0
Bug Bounty Hunter's Manifesto V1.0
 
Bug Bounty Programs : Good for Government
Bug Bounty Programs : Good for GovernmentBug Bounty Programs : Good for Government
Bug Bounty Programs : Good for Government
 
Indian Thoughts in Information Security
Indian Thoughts in Information SecurityIndian Thoughts in Information Security
Indian Thoughts in Information Security
 
India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013India Top5 Information Security Concerns 2013
India Top5 Information Security Concerns 2013
 
Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document Information Security Management Education Program - Concept Document
Information Security Management Education Program - Concept Document
 
Information Security It's All About Compliance
Information Security   It's All About ComplianceInformation Security   It's All About Compliance
Information Security It's All About Compliance
 
OSA - Internet Security in India
OSA - Internet Security in IndiaOSA - Internet Security in India
OSA - Internet Security in India
 

Dernier

Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveIES VE
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingMAGNIntelligence
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxSatishbabu Gunukula
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...DianaGray10
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4DianaGray10
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationKnoldus Inc.
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTopCSSGallery
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2DianaGray10
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)IES VE
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNeo4j
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch TuesdayIvanti
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfTejal81
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosErol GIRAUDY
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud DataEric D. Schabell
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdfThe Good Food Institute
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightSafe Software
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024Brian Pichman
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Alkin Tezuysal
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Muhammad Tiham Siddiqui
 

Dernier (20)

Keep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES LiveKeep Your Finger on the Pulse of Your Building's Performance with IES Live
Keep Your Finger on the Pulse of Your Building's Performance with IES Live
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
Oracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptxOracle Database 23c Security New Features.pptx
Oracle Database 23c Security New Features.pptx
 
Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...Explore the UiPath Community and ways you can benefit on your journey to auto...
Explore the UiPath Community and ways you can benefit on your journey to auto...
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Introduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its applicationIntroduction to RAG (Retrieval Augmented Generation) and its application
Introduction to RAG (Retrieval Augmented Generation) and its application
 
Top 10 Squarespace Development Companies
Top 10 Squarespace Development CompaniesTop 10 Squarespace Development Companies
Top 10 Squarespace Development Companies
 
UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2UiPath Studio Web workshop series - Day 2
UiPath Studio Web workshop series - Day 2
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)The Importance of Indoor Air Quality (English)
The Importance of Indoor Air Quality (English)
 
Novo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4jNovo Nordisk's journey in developing an open-source application on Neo4j
Novo Nordisk's journey in developing an open-source application on Neo4j
 
March Patch Tuesday
March Patch TuesdayMarch Patch Tuesday
March Patch Tuesday
 
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdfQ4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
Q4 2023 Quarterly Investor Presentation - FINAL - v1.pdf
 
Scenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenariosScenario Library et REX Discover industry- and role- based scenarios
Scenario Library et REX Discover industry- and role- based scenarios
 
3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data3 Pitfalls Everyone Should Avoid with Cloud Data
3 Pitfalls Everyone Should Avoid with Cloud Data
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024AI Workshops at Computers In Libraries 2024
AI Workshops at Computers In Libraries 2024
 
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
Design and Modeling for MySQL SCALE 21X Pasadena, CA Mar 2024
 
Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)Trailblazer Community - Flows Workshop (Session 2)
Trailblazer Community - Flows Workshop (Session 2)
 

Basics in IT Audit and Application Control Testing

  • 1. Basics in IT Audit and Application Control Testing. Presented by Dinesh Bareja, Doha, 28 April 2019
  • 2. Basics in IT Audit and Application Control Testing, April 28, 2019. License and Copyright; Acknowledgements & Disclaimer
    This document has been created by IndiaWatch, Open Security Alliance and Dinesh O Bareja. Released in the public domain under Creative Commons License (Attribution-Noncommercial 2.5 India): http://creativecommons.org/licenses/by-nc-sa/2.5/in/
    The information and practices listed in this document are provided as is and for guidance purposes only and should not be construed to be a standard (unless mentioned otherwise). Readers are urged to make informed decisions before adopting the information given in this document.
    The author(s) may not be held responsible, or liable, in any event and for any issues arising out of the use of the information and / or guidelines included in this document. Further, we do not give any warranty on accuracy, completeness, functionality, usefulness or other assurances as to the content in the document. We disclaim all responsibility for any losses, damage caused or attributed, directly or indirectly, from reliance on and the use of such information.
    Readers are welcome to provide feedback to the authors using the contact information provided in this document. This document has been prepared for general public distribution, so all animations have been converted to static images.
    Graphics and images are usually obtained from the internet and royalty-free sources and are usually acknowledged by us. Errors may be expected in this practice and this is not intentional; we respect creative rights and request owner(s) to inform us of any inadvertent omission. Any trademarks or companies may be displayed or mentioned with the purpose of establishing a point or for better understanding, and we do not claim any exclusivity or relationship with their respective owners.
    Various resources on the internet have been referred to, contributing to the information presented. Images have been acknowledged (above) where possible. Any company names, brand names or trade marks are mentioned only to facilitate understanding of the message being communicated; no claim is made to establish any sort of relation (exclusive or otherwise) by the author(s), unless otherwise mentioned. Apologies for any infraction, as this would be wholly unintentional, and objections may please be communicated to us for remediation of the erroneous action(s).
  • 3. ABOUT ME. Dinesh O Bareja, CISA, CISM, ITIL, ISMS, Cert ERM, Cert IPR
    • Researcher; Founder: IndiaWatch & Open Security Alliance
    • Principal Advisor: Pyramid Cyber Security & Forensic Pvt Ltd; Cyber Peace Foundation; Red Team Hacker Academy
    • Outsourced CISO: IceWarp Technologies Ltd
    • Ex Cyber Surveillance Advisor – CDRC (Jharkhand Police – Special Branch)
    Enterprise & Government Policy Development; Cyber Security Strategy, Design & Architecture; Specialist – GRC, SOC, ERM, COBIT, ISO, BCP/DR etc.
  • 4. ABOUT ME: MY CONTACT INFORMATION. dinesh@opensecurityalliance.org, @bizsprite, linkedin.com/in/dineshbareja, +91.9769890505, dineshobareja, dineshobareja, indiwatch.in, dineshbareja.com. Information Security professional working hard to stay abreast of technology, risks, threats and opportunities, and looking forward to the excitement of the future.
  • 5. Introduction
    • This presentation is an amalgam of my experience and guidance from the IIA Global Technology Audit Guide(s) (GTAG guides)
    • At times I may specifically mention the GTAG reference where it is used directly
    • I have tried not to include audit basics, so as to restrict myself to the IT-specific areas of the practice
    • In some places I have shared questions and lists, but those are top of mind and should not be considered the complete set … you will have to build your own questionnaire based on the size of the org, etc.
  • 6. A few essentials to remember as you get into the IT Audit and application testing domain
  • 7.
    1. DATA IS THE ULTIMATE ASSET WHICH NEEDS TO BE PROTECTED
    2. RISK MANAGEMENT is the fundamental control for information security (be it audit / test / design)
  • 8. IT AUDIT – A Preamble. An audit is an audit… we look inside claims of compliance to uncover hidden weaknesses, invisible issues, organizational challenges and more. IT audit requires a larger set of skills, as it has to look at IT technically, strategically and operationally, as well as from the security and business points of view. As IT is a key enabling function for business and is increasingly critical for survival, this makes IT audit an existential necessity for any organization that wants to grow, survive and thrive. References: GTAG-01 - Information Technology Risk and Controls
  • 9. IT AUDIT: what is this
    • Provides assurance on the security triad of CIA
      • Confidentiality: the information in the systems is available only to authorized users
      • Integrity: the information provided by the system(s) will be accurate, reliable and timely (always)
      • Availability: the computer systems will be available for business at all times, whenever needed
    • Examines and evaluates the organization's Information Technology infrastructure, policies and operations to cover people, process and technology
    • An IT audit will help determine whether IT controls protect corporate assets, ensure data integrity and are aligned with the business's overall goals
  • 10. IT AUDIT: the need
    • Enables higher confidence in IT processes, as business depends on IT
    • Contain organizational costs arising out of data loss or system usage error
    • Identify possible risk areas of incorrect decision making
    • Mitigate costs of computer and asset abuse
    • Value of computer hardware, software and personnel
    • Maintenance of privacy
    • Envisage and identify improvement
  • 11. IT AUDIT: the assurance
    • Compliance with best practices as provided by standards, frameworks, guidelines or laws and regulations
    • Protection of organization assets from any type of risk, like theft or misuse
    • Disruptive attacks like DDoS, ransomware, APT etc. can be managed
    • Reputation and customer confidence are proactively protected
  • 12. IT AUDIT: baselines / references
    • International or domestic standards, guidelines, frameworks
    • ISO27001, ISO22301, ISO20000, Cloud Security Guidelines, PCI-DSS, GTAG, NIST, GDPR etc.
    • Industry / business best practices
    • Customer requirements
    • Vendor guidelines
  • 13. IT Audit Universe
    • An all-encompassing collection of audit areas, devices, people, technologies, organizational entities, and locations
    • Business functions that provide adequate assurance on the organization's risk management level
    • Tangible or intangible assets (this includes business, people, process and technology in the organization)
  • 14. IT Audit coverage
    • TECHNOLOGY: Applications; Databases; Operating Systems; Networks
    • CONTROLS: ITGC; Systems Development; Change Management; Logical Access; Physical Security; Service & Support Process; Backup and Restore
    • APPLICATION CONTROLS: Authorization; Data Integrity; Segregation
    • IT MANAGEMENT: IT Planning; System Operations; Programming; Vendor Management
  • 15. (no text on this slide)
  • 16. The audit universe is huge, with many different types of audits being conducted. IT audit too takes on different colors, shades or shapes depending on the mandate(s).
  • 17. IT Audit Types
    • Internal, External (supplier/customer), Certification
    • ISMS (ISO27001)
    • ISO 22301, 31000, ITSM (ISO:20000)
    • Regulatory (SOX, ITGC, Govt)
    • Vendor (3rd party)
    • System development
    • Application audits
    • IT Infrastructure
    • IS Maturity
    • Risk assessments
    • Cloud
    • IS Functional audit
    • SLA… etc.
  • 18. Getting Started on the IT audit
    • Authority
    • Accountability
  • 19. Starting the IT audit
    • Purpose of Audit
    • Scope
    • Operating Principles
    • Authority
    • Accountability
  • 20. Starting the IT audit
    • Purpose
      • Mission statement
      • Role
      • Aims/goals
      • Objectives
      • Relationship with external audit
      • Auditee requirements
    • Operating principles
      • Critical success factors
      • Key performance indicators
      • Risk assessment
      • Other measures of performance
  • 21. Starting the IT audit
    • Authority
      • Right of access to information, personnel, locations and systems relevant to the performance of audits
      • Scope or any limitations of scope
      • Functions to be audited
      • Auditee expectations
      • Organizational structure, including reporting lines to board and senior management
    • Accountability
      • Auditee rights
      • Independent quality reviews
      • Assessment of compliance with standards
      • Assessment of completion of the audit plan
      • Comparison of budget to actual costs
      • Agreed actions, e.g., penalties when either party fails to carry out their responsibilities
  • 22. IT Audit Basics & Essentials: looking at the IT universe (the organization) and its fundamentals (call them basics and essentials): access controls, asset management, governance, people, physical environment, operations, communication, incident response, business continuity and more.
  • 23. Context
    • Fundamentally, the audit should show a snapshot of the as-is state and the remediation path to the to-be state
    • Objective view of business, people, process and technology with respect to the baseline standard / regulatory guideline
    • Audit objective in alignment with the strategic vision and mission of the business
    • “People, Process & Technology” and “Confidentiality, Integrity and Availability” are the two tenets on which the audit should be based
    • People (experienced, skilled and knowledgeable), Process (designed, effective, controlled) & Technology (viable, needed, utilized)
  • 24. Basics that must be in place
    • IT Risk Management is fundamental to the Infosec organization and operations
    • Assets are managed with a risk-based framework
    • Access to the organization’s most valuable assets (data) is adequately controlled
    • Risk assessment (RA) done to identify assets that
      • Are the likeliest targets for cyberattacks
      • Cause the most significant disruption if compromised
    • Data classification to identify which data, if compromised, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization
    • Incident Management & Response Team is prepared to react / respond effectively to a security incident
    • Roles and responsibilities are defined
    • Essential IS management practices like password, backup, change, configuration and patch management are controlled
    • Emerging risks and threats are continuously monitored
  • 25. Key IT Audit Areas
    • Security
    • Risk Management
    • Access Management
    • Asset Management
    • Backup & Recovery
    • Data Classification
    • Web Site / Web Applications
    • Applications
    • Resource Management
    • Shadow IT
    • Awareness
    • Metrics (KPIs)
    • BCP/DR
    • Incident Response
    • Drills and Tests
    • Technology Risk Assessment
    • Log Management
    • Cloud Security
    • ROI / UOI
  • 26. IT Audit Structure (GTAG-1: IT Risk and Controls)
  • 27. Probe Questions for Control Selection
    • Do IT / IS policies and IT controls exist?
    • Are roles / responsibilities for IT and IT controls defined and assigned?
    • Are controls designed and operating effectively?
    • Is the mix of preventive, detective, and corrective controls effective?
    • Do the controls provide evidence when control parameters are exceeded or when controls fail?
    • How is management alerted to failures?
    • Is evidence retained (e.g., through an audit trail)?
    • Are the IT infrastructure equipment and tools logically and physically secured?
    • Are access and authentication control mechanisms used?
    • Are controls in place to protect the operating environment and data from viruses and other malicious software?
    • Are firewall-related controls implemented?
    • Do firewall policies exist?
    • Are external and internal vulnerability assessments completed, and have risks been identified and resolved appropriately?
    • Are change and configuration management and quality assurance processes in place?
    • Are structured monitoring and service measurement processes in place?
    • Have the risks of outsourced services been taken into consideration? (For details on this, refer to GTAG 7: IT Outsourcing.)
  • 28. ROI / UOI / VOU
    • Reduce the priority given to ROI
    • First review the UOI (Utilization of Investment)
    • Then ensure VOU (Value of Utilization)
    • … ROI is assured if these two are in place. You only have to identify the financial values of the goals / objectives
  • 29. Infrastructure Testing
    • Targets: Servers, Printers, Routers, Workstations, Laptops. If it’s on the network, scan it!
    • Remote / Onsite Vulnerability Scans
    • Secondary Locations: Branch Offices, Vendors, Warehouses, Shop Floor, Field Offices, Retail Outlets
    • Tools & Techniques
      - Vulnerability Assessment
      - Penetration Testing
      - Threat Modelling
      - Security Maturity Assessment
      - Configuration Review
      - Hardening
  • 30. IT Audit process - High Level
    • Planning: Audit Scope; Objectives; Internal Control Questionnaire
    • Assessment / Testing: Fieldwork; Evaluation; Testing
    • Reporting: Communication; Audit Findings; Assessment Results
    • Follow-up: Confirmation of planned actions; Audit Response Verification
  • 31. 1: Planning
    • Kickoff
    • Define Objectives
    • Define Scope
    • Internal Controls
    • Historical Incidents
    • Past Audits & Closures
    • Site Survey
    • Current Policies, SOPs, Procedures
    • Develop Audit Plan / Checklist
    • Questionnaires
  • 32. 2: Assessment / Testing
    • Meet with the functional team
      • What data will be collected
      • How / when it will be collected
      • Site employee involvement
      • Access
    • Data Collection
      • Based on scope / objectives
      • Types of data
    • Physical security
    • Interview staff
    • Vulnerability assessments
    • Access control assessments
  • 33. 3: Reporting
    • Exit meeting and draft report
      • Questions and answers for site managers and the functional team
      • Present and discuss the draft report
      • Obtain buy-in and acceptance of findings and report
    • Update with feedback… prepare the final report and submit it to the board
  • 34. 4: Follow-up
    • Review of findings, i.e. actions taken to resolve internal audit findings. They may be tested to ensure that the desired results were achieved
    • Ensure closure of non-conformities (NCs)
    • Carry out a new scan (VAPT / AppSec) after closure of the vulnerabilities, as per contract
  • 35. Types of Evidence for Audit Findings
    • Logs
    • Screenshots
    • Confirmation messages
    • Documents
    • Emails
    • Minutes of meetings
    • Responses from stakeholders
    • Performance / test results
    • Pictures
    • Data and database snapshots
    • Observation notes from walkthroughs etc.
  • 36. IT Risk – basic risk assessment
    • Which IT assets are at risk and what is the threat event?
    • What is the value of the asset in terms of confidentiality, integrity and availability?
    • What are the impact and probability of the risk event?
    • If a threat event happened, how bad could its impact be?
    • How often might the event be expected to occur (frequency of occurrence)?
    • How certain are the answers to the first four questions (uncertainty analysis)?
    • What can be done to reduce / manage / transfer the risk?
    • How much will it cost?
    • Is the mitigation / remediation cost-efficient?
    • Are risks communicated to asset owners?
  • 37. IT Risks
    • Governance Risks
      • Lack of commitment from top management leading to lack of support
      • Lack of security awareness among people working at the ground level
      • Complacency in the implementation of IT security controls
      • Inadequately defined roles and responsibilities, and lack of skills
    • General IT Risks
      • The risk of a natural disaster impacting technology
      • Man-made disaster impacting technology
      • Malicious code infection
      • Remote access, identity and authentication management, etc.
      • Overreliance on security monitoring software
      • Inadequate system logging
      • Technology innovations that outpace security
      • Outdated operating systems
      • Lack of encryption
      • Data on user-owned mobile devices
      • IT “diplomatic immunity” within your organization
      • Challenges recruiting and retaining qualified IT staff
      • Segregation of duties
  • 38. Assessing Risks related to the IT Environment
    • Develop processes to identify risks.
    • Assess risk and rank audit subjects using IT risk factors.
    • A risk assessment:
      • Provides a foundation for the audit plan;
      • Promotes timely audit reporting on high-risk conditions;
      • Ensures that relevant information has been obtained from all management levels, including boards of directors, IT auditors, and functional area management;
      • Establishes a basis for managing the audit department effectively; and
      • Provides a summary of how the individual audit subject is related to the overall organization as well as to the business plans.
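The basic risk assessment questions of slide 36 (asset value, impact, frequency, uncertainty, mitigation cost and cost-efficiency) and the ranking of audit subjects on slide 38 can be worked through with a small scoring script. The following is an added example written for this page, not code from the slides or from GTAG; the asset values, frequencies and control costs are constructed figures, and the choice to inflate a low-confidence estimate by its uncertainty factor is one simple way to carry the uncertainty question into the ranking.

```python
"""Basic IT risk scoring and audit-subject ranking (added example, not from the slides).

Each scenario answers the slide's questions with constructed numbers: what the asset
is worth, how bad one occurrence is, how often it is expected, how confident the
estimate is, and what the proposed mitigation costs and removes.
"""
from dataclasses import dataclass


@dataclass
class RiskScenario:
    asset: str
    threat_event: str
    asset_value: float        # value of the asset to the business (constructed figure)
    impact_fraction: float    # share of that value lost if the event happens (0..1)
    annual_frequency: float   # expected occurrences per year
    uncertainty: float        # 0 = confident estimate, 1 = pure guess; widens the loss estimate
    mitigation_cost: float    # annual cost of the proposed control
    mitigation_effect: float  # share of the expected loss the control removes (0..1)

    def single_loss(self) -> float:
        """Loss from one occurrence of the threat event."""
        return round(self.asset_value * self.impact_fraction, 2)

    def annual_expected_loss(self) -> float:
        """Impact x probability, expressed per year."""
        return round(self.single_loss() * self.annual_frequency, 2)

    def worst_case_annual_loss(self) -> float:
        """Uncertainty analysis: a low-confidence estimate is inflated so optimism cannot rank it down."""
        return round(self.annual_expected_loss() * (1 + self.uncertainty), 2)

    def mitigation_net_benefit(self) -> float:
        """Expected loss avoided per year minus what the control costs."""
        return round(self.annual_expected_loss() * self.mitigation_effect - self.mitigation_cost, 2)

    def mitigation_is_cost_efficient(self) -> bool:
        return self.mitigation_net_benefit() > 0


def rank_audit_subjects(scenarios):
    """Order scenarios for the audit plan: highest worst-case annual loss first."""
    return sorted(scenarios, key=lambda s: s.worst_case_annual_loss(), reverse=True)


def risk_register(scenarios):
    """Rows an auditor would communicate to the asset owners, highest risk first."""
    return [
        {
            "asset": s.asset,
            "threat_event": s.threat_event,
            "annual_expected_loss": s.annual_expected_loss(),
            "worst_case_annual_loss": s.worst_case_annual_loss(),
            "mitigation_net_benefit": s.mitigation_net_benefit(),
            "mitigate": s.mitigation_is_cost_efficient(),
        }
        for s in rank_audit_subjects(scenarios)
    ]


# Constructed scenarios for a fictional organisation (not from the slides).
SAMPLE_SCENARIOS = [
    RiskScenario("customer database", "data theft via web application",
                 2_000_000, 0.5, 0.1, 0.5, 40_000, 0.8),
    RiskScenario("branch file server", "ransomware",
                 200_000, 0.8, 0.5, 0.2, 30_000, 0.5),
    RiskScenario("intranet wiki", "defacement",
                 50_000, 1.0, 0.2, 0.8, 25_000, 0.9),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_SCENARIOS):
        print(row)
```

With these figures the customer database ranks first (worst-case 150,000 per year) and its control pays for itself, while the wiki control costs more than the loss it avoids, which is the "is the mitigation cost-efficient?" answer the slide asks for.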
  • 39. Application risks
    • Insecure development practices
    • Security testing not done during the development phase
    • Source code leaked
    • Comments and passwords hard-coded
    • Application is not updated (patched)
    • Logic bomb dropped by a disgruntled employee (changes are unmanaged)
    • Poor authorization and authentication
    • Insecure validation
    • Logs not enabled
    • Default settings
    • Unnecessary privileges
  • 40. Application Controls: applications (or software) include any and all, whether on premises or in the cloud (e.g. ERP, CRM, intranet, web applications etc.)
  • 41. Application Controls: application controls are those controls that pertain to the scope of individual processes or application systems. This includes data edits, separation of business functions, balancing of processing totals, transaction logging, error reporting, and secure development and operations.
  • 42. Application Controls
    • Application controls ensure proper coverage and the confidentiality, integrity, and availability of the application and its associated data.
    • Proper application controls greatly reduce the risks and threats associated with application usage, because applications are prevented from executing if they put the network or sensitive data at risk.
  • 43. Objectives
    • Input data is accurate, complete, authorized, and correct
    • Data is processed as intended in an acceptable time period
    • Output and stored data is accurate and complete
    • A record is maintained to track data processing from input to storage to output
    • Cost-effective and efficient means to manage risk
    • Reliant on the effectiveness of the IT general control environment
    • Approach varies for complex versus non-complex environments
  • 44. Common Application Controls (GTAG 8)
    • Input and access controls (these controls ensure that all input transaction data is accurate, complete, and authorized)
      • Data checks and validations
      • Automated authorization, approval, and override
      • Automated SOD
    • File & data transmission controls (these controls ensure that internal and external electronically transmitted files and transactions are received from an identified source and processed accurately and completely)
      • File transmission controls
      • Data transmission controls
    • Processing controls (these controls ensure that valid input data has been processed accurately and completely)
      • Automated file identification and validation
      • Automated functionality and calculations
      • Audit trails and overrides
      • Data extraction, filtering, and reporting
      • Interface balancing
      • Automated functionality and aging
      • Duplicate checks
    • Output controls (these controls ensure that output is complete, accurate, and distributed appropriately)
      • General ledger and sub-ledger posting
      • Update authorization
    • Master files and standing data controls (these controls ensure the integrity and accuracy of master files and standing data)
      • Update authorization
  • 45. Application Controls
    • Completeness checks – controls ensure records are processed from initiation to completion
    • Validity checks – controls ensure only valid data is input or processed
    • Identification / Access – controls ensure unique, irrefutable identification of all users
    • Authentication – controls provide an application system authentication mechanism
    • Authorization – controls ensure access to the application system by approved business users only
    • Input controls – controls ensure the integrity of data fed into the application system from upstream sources
    • Forensic controls – controls ensure scientifically and mathematically correct data, based on inputs and outputs
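Several of the controls on slides 41, 44 and 45 (data edits / validity checks, balancing of processing totals, duplicate checks, automated approval with segregation of duties, and the audit trail that retains evidence) can be tested automatically rather than by inspecting records by hand. The following is an added example written for this page, not code from the slides or from GTAG 8: the batch header, the payment records, the field names and the approval threshold are all constructed, and each control returns its findings so the auditor has evidence of what failed and why.

```python
"""Automated application control tests over a constructed payment batch.

Added example, not from the slides. The batch header, records and the
approval threshold are constructed; a real test would read them from the
application's interface files or tables.
"""
from collections import Counter
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed input: the header carries the control totals the sending system
# declares for the batch, the records are what the receiving application got.
BATCH_HEADER = {"batch_id": "PAY-0001", "record_count": 5, "hash_total": "3550.00"}
BATCH_RECORDS = [
    {"txn_id": "T1", "account": "ACC-1001", "amount": "250.00", "date": "2019-04-26",
     "entered_by": "alice", "approved_by": "bob"},
    {"txn_id": "T2", "account": "ACC-1002", "amount": "1200.00", "date": "2019-04-26",
     "entered_by": "alice", "approved_by": "alice"},     # approved by the person who entered it
    {"txn_id": "T2", "account": "ACC-1002", "amount": "1200.00", "date": "2019-04-26",
     "entered_by": "alice", "approved_by": "alice"},     # the same transaction sent twice
    {"txn_id": "T3", "account": "1003", "amount": "-100.00", "date": "2019-02-30",
     "entered_by": "carol", "approved_by": ""},           # bad account format, amount and date
]
APPROVAL_THRESHOLD = Decimal("1000.00")  # constructed: above this a second person must approve


def _parse_amount(value):
    """Return the amount as a Decimal, or None when it is not numeric."""
    try:
        return Decimal(value)
    except InvalidOperation:
        return None


def validate_record(rec):
    """Validity checks (data edits): account format, sign of the amount, calendar date."""
    findings = []
    if not rec["account"].startswith("ACC-"):
        findings.append(("validity", rec["txn_id"], "account id not in ACC-nnnn format"))
    amount = _parse_amount(rec["amount"])
    if amount is None:
        findings.append(("validity", rec["txn_id"], "amount is not numeric"))
    elif amount <= 0:
        findings.append(("validity", rec["txn_id"], "amount must be positive"))
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        findings.append(("validity", rec["txn_id"], "date is not a valid calendar date"))
    return findings


def completeness_check(header, records):
    """Batch balancing: record count and hash total must agree with the header."""
    findings = []
    if header["record_count"] != len(records):
        findings.append(("completeness", header["batch_id"],
                         f"header declares {header['record_count']} records, {len(records)} received"))
    received = Decimal("0")
    for rec in records:
        amount = _parse_amount(rec["amount"])
        if amount is not None:          # non-numeric amounts are reported by validate_record
            received += amount
    if received != Decimal(header["hash_total"]):
        findings.append(("completeness", header["batch_id"],
                         f"hash total {header['hash_total']} declared, {received} received"))
    return findings


def duplicate_check(records):
    """Duplicate checks: the same transaction id must not be processed twice."""
    counts = Counter(rec["txn_id"] for rec in records)
    return [("duplicate", txn, f"transaction id seen {n} times")
            for txn, n in counts.items() if n > 1]


def authorization_check(records, threshold=APPROVAL_THRESHOLD):
    """Automated approval above the threshold, with segregation of duties enforced."""
    findings = []
    for rec in records:
        amount = _parse_amount(rec["amount"])
        if amount is None or amount <= threshold:
            continue
        if not rec["approved_by"]:
            findings.append(("authorization", rec["txn_id"], "amount over threshold has no approver"))
        elif rec["approved_by"] == rec["entered_by"]:
            findings.append(("segregation", rec["txn_id"], "entered and approved by the same user"))
    return findings


def run_batch_controls(header, records):
    """Run every control; each finding also becomes an audit-trail line (retained evidence)."""
    findings = completeness_check(header, records)
    findings += duplicate_check(records)
    findings += authorization_check(records)
    for rec in records:
        findings += validate_record(rec)
    audit_trail = [f"{header['batch_id']} {control} {ref}: {message}"
                   for control, ref, message in findings]
    return findings, audit_trail


def summarize(findings):
    """Count findings per control, as they would appear in the audit report."""
    return dict(Counter(control for control, _, _ in findings))


if __name__ == "__main__":
    found, trail = run_batch_controls(BATCH_HEADER, BATCH_RECORDS)
    print(summarize(found))
    print("\n".join(trail))
```

Run against the constructed batch, the script reports two completeness failures (a record never arrived, so both the count and the hash total disagree with the header), one duplicate, two segregation-of-duties failures and three validity failures on the malformed record; a batch that passes returns no findings at all, which is the result an auditor would retain as evidence that the control operated.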
  • 46. Questioning input controls
    • How does the transaction originate?
    • How is the transaction authorized (e.g., a manual signature, electronic signature, screen access authorization, etc.)?
    • Who inputs the source data? Are these individuals separate from those who reconcile the processing results?
    • How is the source data added into the application (e.g., batch, online, etc.)?
    • Who has access to the application (input / output / transaction / source)?
    • Is data entry conducted within a short time after the source document is created?
  • 47. Benefits of Application Controls
    • Reliability: reduces the likelihood of errors due to manual intervention
    • Benchmarking: reliance on general controls can lead to concluding that the application controls are effective year to year without re-testing
    • Time and cost savings: typically application controls take less time to test and only require testing once, as long as the IT general controls are effective
  • 48. Application Control Hygiene
    • Applications should be kept in good hygiene (or good working condition)
    • This requires that we take care of the application during
      • Design
      • Development
      • Change
      • Installation
      • Operations
      • Maintenance
    • In simple terms, this means taking care of:
      • Change Management
      • Security in design
      • Secure Coding
      • Patch Management
      • Backup
      • Versioning
      • Documentation
      • Logs
      • Defaults
      • Remote access
      • Threat Modelling
  • 49. Wrap-up
    • IT audits help to identify the current state and, using risk-based methods, provide an effective path for mitigation and remediation.
    • The auditee organization must enable continuous improvement as recommended by the auditors and, most importantly, remediation / mitigation measures should be carried out in the shortest possible time once identified.
    • Application controls are a cost-effective and efficient means to manage risk through the process, building security in. Practices like secure coding, access controls, patch management, testing and adherence to industry standards help decrease risk.
    • Internal audit (IA) should determine that application controls are designed appropriately and operate effectively.
  • 50. Role of Internal Auditors
    • Knowledge of key IT risks, controls and audit techniques (GTAG 1)
    • Where are IT controls applied? Everywhere. IT includes technology components, processes, people, organization, and architecture, as well as the information itself. Many IT controls are technical in nature, and IT supplies the tools for many business controls.
    • Consultant and advisor providing independent risk assessment
    • Advise on what is to be protected, the level of protection, and which controls are to be applied
    • Can provide guidance on risk appetite, tolerance and mandatory regulations, as IA has an inside view of the organization
  • 51. How Much of a Techie Do You Need to Be?
    • Knowledge of key IT risks, controls, audit techniques, events and incidents, new and upcoming technologies
    • Networked with technologists (subject matter experts)
    • Logical and lateral thinker
    • Common sense
  • 52. Global Technology Audit Guides (GTAG)
    Practice guides that provide detailed guidance for conducting internal audit activities. These guides are published by the Institute of Internal Auditors (IIA). They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables.
    • GTAG 1: Information Technology Controls
    • GTAG 2: Change and Patch Management Controls: Critical for Organizational Success
    • GTAG 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
    • GTAG 4: Management of IT Auditing
    • GTAG 5: Managing and Auditing Privacy Risks
    • GTAG 6: Managing and Auditing IT Vulnerabilities
    • GTAG 7: Information Technology Outsourcing
    • GTAG 8: Auditing Application Controls
    • GTAG 9: Identity and Access Management
    • GTAG 10: Business Continuity Management
    • GTAG 11: Developing the IT Audit Plan
    • GTAG 12: Auditing IT Projects
    • GTAG 13: Fraud Prevention and Detection in an Automated World
    • GTAG 14: Auditing User-developed Applications
    • GTAG 15: Information Security Governance
    • GTAG 16: Data Analysis Technologies
    • GTAG 17: Auditing IT Governance