CIS Audit Lecture # 1
OVERVIEW OF IT AUDIT
IT RISK AND CONTROLS
IS AUDIT PROCESS
Assurance engagement

An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the outcome of the evaluation or measurement of a subject matter against criteria. (Handbook of ISA; IFAC)
Code of Professional Ethics

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders.

Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.

3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.

5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.

7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.
Auditing

- An evaluation of an organization, system, process, project or product
- Performed by someone who is competent, independent and objective
- Concluding with an issued report
Why do we plan?

- To improve effectiveness: enhance the chance of success
- To improve efficiency: achieve the best result with the least resources
What should we consider in planning an IS audit?

- Risk
- Controls
- Technological updates
- Business needs
- Auditing techniques
How do we plan (audit planning process)?

The slide shows the steps as a cycle, in this order:

1. Define the needs/problem
2. Gather relevant information
3. Assess/enumerate the risks
4. Analyze the risk (check the impact and probability of each threat)
5. Identify and review controls
6. Set audit scope and objectives
7. Develop strategy
8. Assign resources
9. Implement the plan
10. Evaluate the plan, which feeds the next round of needs definition
Risk

The potential that a given threat will exploit the vulnerabilities of an asset or group of assets to cause loss or damage to those assets. In practice it is sized by the likelihood of the threat occurring and the impact if it does.
Risk assessment

- Identifying business risks relevant to financial reporting objectives;
- Estimating the significance of the risks;
- Assessing the likelihood of their occurrence; and
- Deciding about actions to address those risks.

(PSA 315.15)
Internal control in a CIS (computer information systems) environment

- General CIS controls: apply across the whole environment and support the application controls
- Application controls: specific to the transactions processed by a given application
General CIS controls

- Organization and management controls
- Development and maintenance controls
- Delivery and support controls
- Monitoring controls
Organization and management controls

- Strategic information technology plan.
- CIS policies and procedures.
- Clearly defined roles and responsibilities.
- Segregation of incompatible functions.
- Monitoring of IS activities performed by third-party consultants.
Development and maintenance controls

- Project initiation, requirements definition, systems design, testing, data conversion, go-live decision, migration to the production environment, documentation of new or revised systems, and user training.
- Acquisition and implementation of off-the-shelf packages.
- Requests for changes to existing systems.
- Acquisition, implementation and maintenance of system software.
Delivery and support controls

- Establishment of service level agreements against which CIS services are measured.
- Performance and capacity management controls.
- Event and problem management controls.
- Disaster recovery/contingency planning, training and file backup.
- Computer operations controls.
- Systems security.
- Physical and environmental controls.
Monitoring controls

- Monitoring of key CIS performance indicators.
- Internal and external CIS audits.
Application controls

- Controls over input
- Controls over processing and computer data files
- Controls over output
Controls over input

- Transactions are properly validated and authorized before being processed by the computer.
- Transactions are accurately converted into machine-readable form and recorded in the computer data files.
- Transactions are not lost, added, duplicated or improperly changed.
- Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.
Controls over processing and computer data files

- Transactions, including system-generated transactions, are properly processed by the computer.
- Transactions are not lost, added, excluded, duplicated or improperly changed.
- Processing errors are identified and corrected on a timely basis.
Controls over output

- Results of processing are accurate.
- Access to output is restricted to authorized personnel.
- Output is provided to appropriate authorized personnel on a timely basis.
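The three groups of application-control objectives above, as an added Python illustration that is not part of the lecture or of the PAPS/ISACA material it cites. It assumes a constructed batch of transaction records (reference, amount, submitter), an assumed list of authorised submitters, and a record count plus amount total as the control totals that show nothing was lost, added or duplicated between input and processing; all names and sample data are made up for the example.

```python
"""Application controls over a transaction batch: input, processing, output.

Added illustration, not from the lecture. Assumptions (constructed): records
are dicts with ref/amount/submitted_by, authorisation is a set of permitted
submitters, and "nothing lost, added or duplicated" is evidenced by reconciling
a record count and an amount total across stages.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Constructed sample batch: one non-numeric amount, one unauthorised submitter,
# one duplicate reference and one negative amount among three good records.
SAMPLE_BATCH = [
    {"ref": "T001", "amount": "100.00", "submitted_by": "clerk1"},
    {"ref": "T002", "amount": "abc",    "submitted_by": "clerk1"},
    {"ref": "T003", "amount": "250.50", "submitted_by": "intern"},
    {"ref": "T001", "amount": "100.00", "submitted_by": "clerk1"},
    {"ref": "T004", "amount": "-5.00",  "submitted_by": "clerk2"},
    {"ref": "T005", "amount": "75.25",  "submitted_by": "clerk2"},
    {"ref": "T006", "amount": "20.00",  "submitted_by": "clerk1"},
]
AUTHORISED_SUBMITTERS = {"clerk1", "clerk2"}   # assumed authorisation list


@dataclass
class InputResult:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (ref, reason): the correction/resubmission queue


def validate_input(batch, authorised=AUTHORISED_SUBMITTERS):
    """Input controls: validate, authorise and reject duplicates before processing."""
    result = InputResult()
    seen = set()
    for tx in batch:
        ref = tx.get("ref")
        if ref in seen:
            result.rejected.append((ref, "duplicate reference"))
            continue
        seen.add(ref)
        if tx.get("submitted_by") not in authorised:
            result.rejected.append((ref, "submitter not authorised"))
            continue
        try:
            amount = Decimal(tx["amount"])
        except (InvalidOperation, KeyError):
            result.rejected.append((ref, "amount not numeric"))
            continue
        if amount <= 0:
            result.rejected.append((ref, "amount must be positive"))
            continue
        result.accepted.append({"ref": ref, "amount": amount,
                                "submitted_by": tx["submitted_by"]})
    return result


def control_totals(records):
    """Record count and amount total; equal totals at two stages mean no record
    was lost, added or duplicated in between."""
    return len(records), sum((r["amount"] for r in records), Decimal("0"))


def process_batch(accepted, ledger, fault_drop_ref=None):
    """Processing: post accepted transactions to the ledger. fault_drop_ref
    simulates a defect that silently loses one record, so reconcile() can be
    seen to catch it."""
    posted = []
    for tx in accepted:
        if tx["ref"] == fault_drop_ref:
            continue
        ledger.append(tx)
        posted.append(tx)
    return posted


def reconcile(accepted, posted):
    """Processing control: input totals must equal posted totals."""
    return control_totals(accepted) == control_totals(posted)


def release_output(posted, recipient, authorised_readers):
    """Output control: the posting report goes only to authorised recipients."""
    if recipient not in authorised_readers:
        raise PermissionError(f"{recipient} is not authorised to receive the posting report")
    return [(tx["ref"], str(tx["amount"])) for tx in posted]


if __name__ == "__main__":
    res = validate_input(SAMPLE_BATCH)
    print("accepted:", [t["ref"] for t in res.accepted])
    print("rejected for correction:", res.rejected)
    ledger = []
    posted = process_batch(res.accepted, ledger)
    print("totals reconcile:", reconcile(res.accepted, posted))
    print("with a lost record:", reconcile(res.accepted, process_batch(res.accepted, [], "T005")))
    print(release_output(posted, "controller", {"controller"}))
```

The rejected list is the resubmission queue the input objectives call for: each entry carries a reason so the originator can correct and resend. The reconciliation step is what makes a silently dropped record visible; without the control totals the ledger would simply be short one transaction and nobody would know.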
References

- PAPS 1008 (Philippine Auditing Practice Statement), Risk Assessments and Internal Control: CIS Characteristics and Considerations
- PSA 315 (Philippine Standard on Auditing)
- ISACA Code of Professional Ethics


Speaker notes

1. Audit planning process: define the needs/problem; gather relevant information; assess/enumerate the risks; analyze the risk; identify and review controls; set audit scope and objectives; develop strategy; assign resources.
2. Analyze the risk: check the impact and probability of the threat.