Risk Based IT Auditing for Non-IT Auditors
The GOLD Winner of Information Security Training Profession in Sri Lanka (ISACA Sri Lanka Chapter Awards - 2008 Annual Convention)
+94 0765377471 | L: +94 11 2825177 | +94 777 372697 | Web: www.itgrc.lk | Email: info@itgrc.lk
IT Governance and Risk Consulting (Pvt) Ltd.
# 11/24, 1/1 | Melder Place | Nugegoda | Colombo | Sri Lanka
Mobile: +94 (0) 777 372697
Office Tel: +94 011 2825177 | Fax: +94 011 2810188
info@sltnet.lk | www.itgrc.lk
For More Info Call: Mrs Rupasinghe or Ms Gayanika, 0772300268 / 0765377471
IT Audit Consulting, Contact: 0777372697

THILAK PATHIRAGE: MBA, B.Com, FIB, CISS, CISA, CISM, CRISC, CGEIT, CBCP, ITIL (V3), CCSE, CCSA, OpRisk - DIR/CEO and Senior IT Governance and Risk Consultant of ITGRC Ltd.
In his 35 years of service in the Banking and Financial services industry, Thilak has held senior positions at Seylan Bank in IS Assurance, Information Risk Management, IT Governance, Business Continuity Planning, Information Security (CISO) and Operational Risk Management. Being the first CISA in the country, he pioneered the development of IT Assurance and security professional practices for the Banking sector in Sri Lanka.
He is a workshop leader in Information Security, Business Continuity and GRC topics and won the prestigious Information Security Gold Medal awarded by the ISACA Sri Lanka Chapter in 2008. Thilak is also an ITIL v3 authorized trainer (EXIN) in Sri Lanka. Thilak has conducted CISSP, CISA, ITIL, CISM, CGEIT and CRISC certification courses for the last several years and has achieved world-best results.
Currently he is the President of the ISSA Chapter Sri Lanka and the DIR/CEO of ITGRC Ltd. He holds diverse, multi-disciplinary academic qualifications and industry-leading certifications. He conducts lectures at UCSC and Sri Japure Universities on Information Security topics.
The Risk Based IT Auditing for Non-IT Auditors (Basics of IT Auditing) course with Thilak is a unique and rewarding experience, and he brings a vast amount of experience into the class for everyone to learn from.
To read his full LinkedIn profile: http://www.linkedin.com/in/thilakjayasenapathirage
www.itgrc.lk

Date, Duration and Venue:
Date: 9th & 10th July, 2015
Time: 9.00am - 5.00pm
Duration: 2 days
Venue: Global Tower, Colombo 5, Sri Lanka.
Course Fee: LKR 30,000 (eCopy of the manual and refreshments are provided)

LEARNING OBJECTIVE
Delegates will develop an understanding of IT audit, technology risks and controls delivered from a non-technical perspective. Specific outcomes include a basic understanding of:
• Information systems risk
• Application controls
• The systems development life cycle
• Logical security at the application, database, network and operating systems levels
• IT general controls (non security)

COURSE CONTENT:
DAY 1
SESSION 1:
Introduction to IS Auditing
IT Audit: A 21st Century Perspective. Topics to be discussed include:
• Evaluation of Internal Auditing and IT Auditing
• Emergence of corporate governance and IT Auditing
• Three key elements of success
• Key Leadership Attributes for Success
• Origin of IT Audit and CHANGE
• Nature of IT Audit
• What are the Most Powerful Audit Questions?
• Challenges of IT Audit in the 21st century

WHO SHOULD ATTEND?
Those who need a basic understanding of IT risk-based audit practices:
Level 1: The course will benefit internal auditors, operational risk managers and others who require a fundamental understanding of the subject and do not always have a technical IT support team to assist in their review.
Level 2: The program would also be of value to financial and operational audit professionals who are already practicing internal audit and considering a career move into IT auditing, as well as non-IT audit professionals tasked with the responsibility for assessing their organization's IT operations and infrastructure.
Prerequisites: There is no prerequisite for this course.

SESSION 4:
Discussions on the partnership between audit and IT management. The IT auditing process, the current auditing framework and its challenges. This session will address:
• The IT Auditing Process
• 2015 CISA Job Practices: Defining the Audit Scope
• IT Audit Planning
• The Major Elements of an IT Audit
• Organization and Management
• IT Audit Standards and Practices
• Policies and Procedures
• IT Infrastructure and Databases
• System Development and Change
• System Operations and Support
• Application Systems Reviews

SESSION 5:
Understanding key information systems controls - application based
• Key automated controls of on-line transactions
• Core Banking Operations
• Human resources and payroll processes
• Procure to pay processes
• Order to cash processes
• Logical information security
• Segregation of duties
• User account management
• Application layer security
• Physical and environmental controls
• Controls over IT service management processes (ITIL-based)
• General Controls

DAY 2
SESSION 6:
Auditing key information systems controls. Procedures to audit the adequacy and effectiveness of each of the key information controls identified:
• Perform a walkthrough
• Defining the population to be tested for control effectiveness
• Testing procedures

SESSION 7:
Auditing SDLC and System Controls. Employing the best practices of SDLC is not just a good idea in the IT industry; it serves as a control over the systems development process:
• IT Project Management and Governance
• Development methodologies
• Eight Phases of SDLC and Control implementation
• Auditor's role in the SDLC Process
• Quality Assurance and User Acceptance Testing

SESSION 8:
Corporate Governance, IT Governance, and compliance. The role of IT governance and its connection to IT auditing and the key issues facing organizations globally. Specifically, this session will address:
• Governance, Risk and Compliance - GRC
• IT Governance and IT-GRC
• How should an enterprise most effectively and efficiently govern its IT activities?
• What is Compliance? and IT's Contribution to Compliance
• Best Practices for Security and SOX Compliance
• How Can IT Systems Assist Management of Compliance Issues?
• Putting IT GRC into action

SESSION 9:
• COBIT 5 and GTAG guideline:
• COBIT 5 Principles and Framework
• COBIT 5 Process Reference Model
• COBIT 5 for IT Assurance and Security
• IIA Global Technology Assurances Guides (GTAG)

SESSION 10:
• IT audit profiling and reporting
• Audit Charter and Independence
• Reporting
• Supporting financial or operational audits
• Communicating audit findings

SESSION 11:
• Audit of data files - Application of CAATs
• Purpose of CAATs
• Understanding data and meta data
• Formulating the CAAT specification
• Development, testing and implementation of CAATs

SESSION 3:
Risk through effective risk profiling and management in IT auditing. Session topics address the following:
• Risk management principles and practices
• IS Risk assessment and analysis methodologies
• Information threats, vulnerabilities and exposures
• Information assets valuation methodologies
• Risk Management Standards (COSO, ISO 31000, COBIT and ISO 27001)
• Methods used to determine sensitivity and criticality of information resources
• Baseline modeling and risk-based assessments of control requirements
• The Nine Primary Steps of a Risk Assessment Methodology
• Information security controls and countermeasures and their effectiveness
• Risk mitigation strategies for information resources
• Cost benefit analysis - mitigating risks to acceptable levels

INTRODUCTION
This workshop is practical in nature and will empower participants to immediately use the knowledge imparted in real scenarios. The methodology is interactive, using case studies and group discussions. It guides internal auditors into the realm of system-based auditing and examines IS audit techniques and procedures in a non-technical way. Upon completion of this training, the participants should be able to perform a fair amount of IS audit right away and be ready to move to the next level.

SESSION 2:
• Understanding the information systems environment
• Centralised vs distributed systems vs cloud computing
• On-line vs batch systems
• Network concepts
• Databases
• Operating systems
• The systems development life cycle
• Risk in an outsourced environment and Cloud Computing
• Key IT Service Management Processes - ITIL
