Auditing Open Source Applications by Using COBIT 4.1
Assist. Cristian AMANCEI, PhD candidate
Academy of Economic Studies, Bucharest, Romania
Department of Computer Science in Economics

Abstract: Open source applications are becoming an increasingly viable solution for organizations. Access to the source code enables organizations to adapt the capabilities of the applications to the business processes that the applications support. The cost constraints, and the opportunity to improve the application in response to changes in the economic environment, require the auditor to identify the associated risks and the controls that mitigate those risks. In this paper we present a selection of controls from the COBIT framework that we consider mandatory for open source applications.

Keywords: IT audit, open source applications, COBIT.

1. COBIT

The Control Objectives for Information and related Technology (COBIT) were first released in 1996 by ISACA and have since been revised several times, the current version being 4.1. The COBIT framework [3] does not specify which technologies an organization should or should not use. It is a high-level framework that can be used to evaluate an organization's existing or planned controls, be they policies, processes or technologies. Each section of COBIT consists of four subsections: description, control objectives, management guidelines and maturity model. The description is a high-level overview of the section that follows. The control objectives are a high-level list of requirements. In the management guidelines, the control objectives are mapped according to which members of an organization should be responsible, accountable, consulted or informed (RACI) on how each control objective is actually implemented. The guidelines also break the control objectives down into goals and high-level metrics that measure how close the enterprise is to achieving those goals. The maturity model gives auditors a framework for determining how mature an organization is in regard to a specific section [5].

2. Key Issues in Using OSA

The goal of the audit mission is to obtain reasonable assurance concerning the deployment and operation of the open source software, in accordance with the applicable rules and regulations and with specific security standards [1]. The audit plan for an open source application is driven by the following issues:

- external support [4]
For OSA that is downloaded over the Internet, no official support is available. There are organizations that provide consultancy and external support for the adoption and implementation of OSA, reinforcing the position of this solution on the market.
Even if user assistance is provided through online channels such as mailing lists, forums or wikis, corporate users have no assurance that they will receive accurate and timely assistance for any problems they experience. In the case of business-critical systems, the support offered by the OSA community is insufficient and professional support is required. Based on this requirement, several vendors offer commercial versions of OSA that include professional support services.

- cost considerations [4]
Even if OSA can be downloaded from the Internet free of charge, the real costs of using OSA are difficult to assess, because the implementation is not free of charge and additional costs are incurred for training, migration and maintenance. It is therefore difficult to evaluate whether the total cost of ownership of OSA is lower than the total cost of ownership of proprietary software.

- the business processes supported by the application
The impact on the organization depends mainly on the type of software that is adopted and on the business processes that the application will support. Training users may represent a considerable investment, as users may have long experience working with other, proprietary software solutions. In order to obtain good results from training, it is important to create a favorable attitude among end users toward the OSA solution, and to help users see the differences of the new solution and how it will adjust their working habits by reducing the workload.

- the source code security on the production environment
When implementing an OSA solution the organization has direct access to the source code, as it is freely available, and can adapt and improve the solution to properly fit the organization's needs. Even with these possibilities, the source code must not go into production directories. The compiled class files are all that is required in most cases. All source code should be removed and only the executables should remain. The source code should be accessible only in secured areas, and a versioning system must be implemented by the organization. Also, no development tools should be present on a production environment. All these issues can be addressed by implementing a good change management policy and a versioning system.

- the application controls defined for business purposes
The responsibility for application controls is an end-to-end joint responsibility between business and IT, but the nature of the responsibilities differs: the business is responsible for properly defining the functional and control requirements and the use of automated services; IT is responsible for automating and implementing the business functional and control requirements, and for establishing controls that maintain the integrity of application controls.

3. Application of COBIT to OSA

Based on the five key issues noted for using OSA, the relevant COBIT processes and the subprocesses that can be especially useful in this case have been identified. The application of COBIT to an OSA audit should help in addressing the issues mentioned above and allow for the use of OSA in a more controlled manner.
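The production-directory requirement stated under the source code security issue above (only executables on production, no source code, no development tools, source held in a version control system) can be turned into a repeatable audit check. The following is an added example, not code from the paper; the extension lists, tool names, directory names and the sample deployment path are assumptions.

```python
import os
from dataclasses import dataclass, field

# Assumed: extensions that mark source code rather than a deployable artifact.
SOURCE_EXTENSIONS = {".java", ".c", ".cpp", ".h", ".kt", ".scala", ".groovy"}
# Assumed: directory names that mark a version-control working copy.
VCS_DIRS = {".git", ".svn", ".hg"}
# Assumed: compilers and build tools that have no place on a production host.
DEV_TOOLS = {"javac", "gcc", "g++", "cc", "make", "mvn", "gradle", "ant"}


@dataclass
class Findings:
    """Audit evidence collected from one production host."""
    source_files: list = field(default_factory=list)
    vcs_dirs: list = field(default_factory=list)
    dev_tools: list = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.source_files or self.vcs_dirs or self.dev_tools)


def scan_deploy_dir(root: str) -> Findings:
    """Walk a deployment directory and record source files and version-control
    working copies. Compiled artifacts (.class, .jar, .war, .so) are not reported."""
    findings = Findings()
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames):
            if name in VCS_DIRS:
                findings.vcs_dirs.append(os.path.join(dirpath, name))
                dirnames.remove(name)  # do not descend into the working copy
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SOURCE_EXTENSIONS:
                findings.source_files.append(os.path.join(dirpath, name))
    findings.source_files.sort()
    findings.vcs_dirs.sort()
    return findings


def scan_dev_tools(bin_dirs) -> list:
    """Report build tools present as executables in the given directories.
    On a real host pass os.environ["PATH"].split(os.pathsep)."""
    found = []
    for bin_dir in bin_dirs:
        for tool in sorted(DEV_TOOLS):
            candidate = os.path.join(bin_dir, tool)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                found.append(candidate)
    return found


def audit_production_host(deploy_root: str, bin_dirs) -> Findings:
    """Combine both checks into one report for the auditor's working papers."""
    findings = scan_deploy_dir(deploy_root)
    findings.dev_tools = scan_dev_tools(bin_dirs)
    return findings


if __name__ == "__main__":
    # Assumed deployment root; adjust to the application being audited.
    report = audit_production_host("/opt/app",
                                   os.environ.get("PATH", "").split(os.pathsep))
    for label, items in (("source files", report.source_files),
                         ("VCS working copies", report.vcs_dirs),
                         ("development tools", report.dev_tools)):
        print(f"{label}: {len(items)}")
        for item in items:
            print("  ", item)
    print("RESULT:", "clean" if report.is_clean() else "deviations found")
```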
COBIT describes a set of good practices for the management, control and security of information technology, and organizes them around a logical framework of IT processes. COBIT 4.1 contains several important new concepts, such as the alignment of business and IT goals, their relationship with the supporting IT processes, roles and responsibilities within IT processes, and the interrelationships between IT processes [6]. Figure 1 provides an overview of the mapping of COBIT to the five identified key issues of OSA. Only the most relevant control objectives have been retained and discussed here. The COBIT control objectives are divided into six domains: Process Control (PC), Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS), Monitor and Evaluate (ME) and Application Control (AC) [2]. The following breaks down each COBIT process and its relation to OSA operation.

External Support

PO 1.4 IT strategic plan
- Organizations may consider it a strategic choice to implement OSA. For example, organizations may choose OSA in an effort to reduce their dependence on a vendor. Future developments should be presented in the IT strategic plan.

PO 3.1 Technological direction planning
- A strengths, weaknesses, opportunities and threats (SWOT) analysis for OSA should be made, based on the specific environment of the organization. A SWOT analysis helps to gain insight into the potential benefits of using OSA for the organization.
- OSA should fit within the enterprise architecture and should be compatible with the overall IT infrastructure. If not, the migration would require too much time and financial resources and reduce the benefits of adopting OSA. When making the analysis and evaluating the options, the type of support needed should already be established and included in the scenarios.

PO 3.3 Monitor future trends and regulations
- Since OSA is distributed under licenses that are fundamentally different from those of proprietary software, legal counsel should investigate the implications for the organization.

PO 4.15 Relationships
- The organization must develop good relationships with the vendors that provide external knowledge on OSA software. Relevant OSA activities in the organization should be coordinated with these external parties.

AI 5.3 Supplier selection
- Potential providers that can meet the required level of support must be identified. The organization needs to determine whether the support contracts offered by commercial OSA vendors are acceptable or whether additional support services from a third-party consultant are desirable. An investigation will be performed to identify the list of officially recognized support vendors, if available; otherwise, the persons involved in the project will prepare one. The organization has to know which support vendors have thorough knowledge of the OSA product, where it can find easy access to the OSA developers, and at what price.

DS 1.1 Service level management framework
- Decision makers must first determine the level of support that is required for OSA. Factors that may influence this choice are the lack of in-house OSA expertise and the importance of the business process that is supported by the installed OSA.

DS 1.3 Service level agreements
- It is important to ensure that service level agreements (SLAs) are agreed upon with the external party providing support for OSA. The SLA management process should ensure that the SLA objectives are measured, so that they can be reported back to the stakeholders. SLAs should be revised when requirements change.

DS 2.3 Supplier risk management
- Organizations need to consider the potential risks involved in relying on small, local firms that offer OSA-related services. It is possible that these organizations will not be able to fulfill their contractual agreements, due to their limited size.

DS 2.4 Supplier performance monitoring
- The performance of external parties should be monitored and evaluated. Since new OSA support vendors continue to appear on the market, the organization must regularly benchmark the offering of its current suppliers against the market.

Cost Considerations

PO 5.1 Financial management framework
- A financial framework for the assessment of costs and benefits should be in place. This is helpful in comparing the cost of an OSA solution with that of a proprietary solution. It is important that costs be calculated over the whole life cycle of the project, including migration costs, implementation consultants, training costs and support fees.

DS 6.3 Cost modeling and charging
- The costs of the IT infrastructure should be charged back to the business process that uses the OSA software. These costs are likely to differ between OSA and proprietary software, and the difference will probably affect the adoption decision.

The business processes supported by the application

PC 2 Process Ownership
- Each process supported by the OSA software must have an owner assigned.
The organization will clearly define the role and responsibilities of the process owner, such as design, interaction with other processes and performance measurement. The process owner must have sufficient authority to implement, drive and improve the process.

PC 5 Policy, Plans and Procedures
- All policies, plans and procedures will be documented, reviewed, maintained, approved, communicated and used for training. This will help in decreasing the number of incidents and will increase staff awareness.

PO 7.2 Personnel competencies
- The personnel involved in the process supported by the application should possess or develop the required OSA competencies. Therefore, organizations should encourage staff to obtain the necessary knowledge on OSA and to acquire the necessary certifications if needed.

PO 7.4 Personnel training
- Staff members should receive appropriate training on OSA in order to improve their job performance. Lately, an increasing number of training institutions are offering courses on OSA products.

AI 2.6 Major upgrades to existing systems
- If the introduction of OSA constitutes a major change in the organization, the impact of this change should be properly assessed by the users that will work in the new environment.

AI 4.3 Knowledge transfer to end users
- Users should have access to documentation on the OSA product. For some OSA products, only limited documentation is available. Commercial vendors of OSA products generally provide high-quality documentation. Firms that offer training courses may also provide documentation for OSA. It is essential that the availability of good documentation from suppliers be evaluated.

AI 7.1 Training
- A training approach should be developed to assist users in making the transition. All affected users should have the opportunity to attend the training sessions. The training should be structured in two phases: the first focusing on generic skills, and a second phase focusing on specific and more advanced tasks.

DS 7.1 Identification of education and training needs
- Following the adoption of OSA, the training plan for affected employees should be revised to include the necessary staff-related skills.

DS 7.2 Delivery of training and education
- Sufficient training sessions on OSA should be organized shortly before or after the migration. All users must attend the training sessions, in order to decrease the level of incidents after the migration.

DS 7.3 Evaluation of training received
- The effectiveness of the training sessions should be assessed by testing the users' knowledge. Possible gaps in the knowledge required for performing tasks should lead to a revision of the training approach or result in additional training sessions.

The source code security on the production environment

AI 3.3 Infrastructure maintenance
- New versions of OSA products can be released more frequently than those of proprietary software. Therefore, maintenance procedures should state which types of updates and upgrades are applied. Organizations may also prefer to implement new OSA versions that come with important changes needed in the business process supported by the software.

ME 2.1 Monitoring of internal control framework
- A policy defining the accepted frameworks and practices for internal control monitoring and evaluation activities has to be established by the organization. The organization should consider an independent evaluation of the internal control system for proactive detection and resolution of control deviations. Prompt reporting, follow-up and analysis of exceptions should be a priority for the organization.
ME 2.4 Control self-assessment
- Defining and identifying evaluation criteria for conducting self-assessments will increase the ability of the organization to implement preventive measures for recurring exceptions by applying corrective measures. By using control self-assessment, the organization will take a proactive approach to improving the quality of service that drives the client relationship.

ME 4.5 Risk management
- The implementation of a new OSA product will have an impact on the organization's risk assessment. The changes to the risk assessment have to be identified and compared with the board's appetite for risk exposure. Approval must be received for levels that are above the previously approved residual risk. A clearly defined approach for managing risk must be established in order to achieve the desired level for the control environment.

ME 4.6 Performance measurement
- A performance measurement system for the defined objectives must be put in place in order to assess management performance in the execution and achievement of the business strategies. This system will highlight the objectives that have not been achieved, and an action plan will be prepared for future compliance.

The application controls defined for business purposes

AC 2 Source data collection and entry
- The business processes that are supported by the OSA product should propose controls that ensure data is input in a timely manner and by authorized and qualified staff. A clear access rights matrix must be defined, in order to secure the access to input, edit, authorize, accept and reject transactions, and to override errors. Segregation of duties for data collection and entry must be defined and accepted by the business owners.

AC 3 Accuracy, completeness and authenticity checks
- Based on business reasons, controls that check for accuracy, completeness and validity will be defined. Where possible, these controls should be automated. All transactions that fail the validation rules will be posted to a special file for proper review.

AC 4 Process integrity and validity
- During the processing cycle, the detection of erroneous transactions must not disrupt the processing of valid transactions. The review of adjustments, overrides and high-value transactions must be performed promptly and in detail by appropriate personnel who do not perform data entry. These controls should be defined by the business key users during the implementation phase.

AC 5 Output review, reconciliation and error handling
- Procedures should be defined and implemented to ensure that the business owners review the final output for reasonableness, accuracy and completeness, and that output is handled in line with the applicable confidentiality classification. Potential errors should be reported, logged in an automated, centralized logging facility, and addressed in a timely manner.
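One way to implement the AC 2 to AC 5 controls described above in code (an added example, not code from the paper): an access rights matrix, automated validation rules, an exception file that receives failed transactions without stopping the rest of the batch, central logging of rejections, and a segregation-of-duties check at review time. The role names, field layout, high-value threshold and sample transactions are assumptions constructed for illustration.

```python
import logging
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

log = logging.getLogger("app-controls")  # AC 5: stand-in for the central logging facility

# AC 2: access rights matrix. Roles and rights are assumed for illustration.
ACCESS_MATRIX = {
    "clerk": {"input", "edit"},
    "supervisor": {"authorize", "accept", "reject", "override"},
    "auditor": set(),  # review access only, no transaction rights
}

# AC 4: transactions at or above this amount need detailed review (assumed).
HIGH_VALUE_LIMIT = Decimal("10000")

# Constructed sample batch; the field names are assumptions.
SAMPLE_BATCH = [
    {"id": "T1", "entered_by": "alice", "role": "clerk", "account": "12345678", "amount": "250.00"},
    {"id": "T2", "entered_by": "alice", "role": "clerk", "account": "1234", "amount": "99.00"},
    {"id": "T3", "entered_by": "bob", "role": "clerk", "account": "87654321", "amount": "-5"},
    {"id": "T4", "entered_by": "bob", "role": "clerk", "account": "11112222", "amount": "25000"},
    {"id": "T5", "entered_by": "carol", "role": "auditor", "account": "33334444", "amount": "10"},
]


class ControlViolation(Exception):
    """An action outside the access rights matrix or the segregation of duties."""


def check_access(role: str, action: str) -> None:
    """AC 2: refuse any action the role is not entitled to."""
    if action not in ACCESS_MATRIX.get(role, set()):
        raise ControlViolation(f"role '{role}' may not '{action}'")


def validate(tx: dict) -> list:
    """AC 3: accuracy, completeness and validity rules. Returns the names of
    the failed rules; an empty list means the transaction passed."""
    errors = []
    for name in ("id", "entered_by", "account", "amount"):
        if not tx.get(name):
            errors.append(f"missing:{name}")
    try:
        if Decimal(str(tx.get("amount", ""))) <= 0:
            errors.append("amount:not_positive")
    except InvalidOperation:
        errors.append("amount:not_numeric")
    account = str(tx.get("account", ""))
    if not (account.isdigit() and len(account) == 8):
        errors.append("account:format")
    return errors


@dataclass
class ProcessingResult:
    posted: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)    # AC 3: the review file
    needs_review: list = field(default_factory=list)  # AC 4: high value / override


def process_batch(batch: list) -> ProcessingResult:
    """AC 4: an erroneous transaction is diverted to the exception file and
    logged; the remaining valid transactions keep being processed."""
    result = ProcessingResult()
    for tx in batch:
        try:
            check_access(tx.get("role", ""), tx.get("action", "input"))
            errors = validate(tx)
        except ControlViolation as exc:
            errors = [f"access:{exc}"]
        if errors:
            log.warning("transaction %s rejected: %s", tx.get("id"), errors)
            result.exceptions.append({"id": tx.get("id"), "errors": errors, "tx": tx})
            continue
        result.posted.append(tx)
        if Decimal(str(tx["amount"])) >= HIGH_VALUE_LIMIT or tx.get("action") == "override":
            result.needs_review.append(tx["id"])
    return result


def review(tx: dict, reviewer: str, reviewer_role: str) -> bool:
    """AC 4 segregation of duties: the reviewer must hold the authorize right
    and must not be the person who performed the data entry."""
    check_access(reviewer_role, "authorize")
    if reviewer == tx["entered_by"]:
        raise ControlViolation(f"reviewer '{reviewer}' performed the data entry")
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    result = process_batch(SAMPLE_BATCH)
    print("posted:", [t["id"] for t in result.posted])
    print("exception file:", [(e["id"], e["errors"]) for e in result.exceptions])
    print("awaiting review:", result.needs_review)
```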
External support: PO 1.4 IT strategic plan; PO 3.1 Technological direction planning; PO 3.3 Monitor future trends and regulations; PO 4.15 Relationships; AI 5.3 Supplier selection; DS 1.1 Service level management framework; DS 1.3 Service level agreements; DS 2.3 Supplier risk management; DS 2.4 Supplier performance monitoring
Cost consideration: PO 5.1 Financial management framework; DS 6.3 Cost modeling and charging
Business processes supported by application: PC 2 Process Ownership; PC 5 Policy, Plans and Procedures; PO 7.2 Personnel competencies; PO 7.4 Personnel training; AI 2.6 Major upgrades to existing systems; AI 4.3 Knowledge transfer to end users; AI 7.1 Training; DS 7.1 Identification of education and training needs; DS 7.2 Delivery of training and education; DS 7.3 Evaluation of training received
Source code security on the production environment: AI 3.3 Infrastructure maintenance; ME 2.1 Monitoring of internal control framework; ME 2.4 Control self-assessment; ME 4.5 Risk management; ME 4.6 Performance measurement
Application controls defined for business purposes: AC 2 Source data collection and entry; AC 3 Accuracy, completeness and authenticity checks; AC 4 Process integrity and validity; AC 5 Output review, reconciliation and error handling
Fig. 1. Mapping of COBIT with OSA Key Issues

4. Conclusions

This article has described some key issues that require attention during the audit of an OSA product. This selection of control objectives from COBIT 4.1 addresses only the key issues introduced in this paper and only the minimal requirements from the audit point of view. Other control objectives can be selected from COBIT in order to provide assurance over management practices. The provided set of control objectives can be leveraged as a quick scan to verify whether current management practices in using OSA are complete and sufficient for the organization.

References
[1] I. Ivan, G. Noşca and S. Capisizu, Auditul sistemelor informatice, ASE Printing House, Bucharest, 2005.
[2] IT Governance Institute, COBIT 4.1, 2007.
[3] D. Mortman, How to use COBIT for compliance, Information Security Magazine, March.
[4] K. Ven, S. De Haes, W. Van Grembergen and J. Verelst, Using COBIT 4.1 to Guide the Adoption and Implementation of Open Source Software, Information Systems Control Journal, Vol. 3.
[5] C. Lahti, S. Lanza and R. Peterson, Sarbanes-Oxley IT Compliance Using COBIT and Open Source Tools, Syngress Printing House, Bucharest.
[6] T. Surcel and C. Amancei, ERP System Audit - a Control Support for Knowledge Management, Economic Informatics Journal, Vol. XII, No. 4(48), 2008, Inforec Publishing House, Bucharest.
[7] M. Popa and F. Alecu, ERP Informatics System Audit, Informatica Economică, 2nd supplement, Knowledge Management Projects, Systems and Technologies: Reinforcement and Extension of Universities & Business Community Partnerships in the Knowledge Era, vol. 10, pp., November.

Author
Cristian AMANCEI is University Assistant at the Academy of Economic Studies Bucharest, Faculty of Economic Cybernetics, Statistics and Informatics. He has been a PhD candidate since October 2007 at the Economic Informatics Department of the Academy of Economic Studies. He holds a Master of Science in Computerized Project Management from the Academy of Economic Studies, Bucharest. He is a Certified Information Systems Auditor (CISA). He graduated in Economic Informatics at the Faculty of Economic Cybernetics, Statistics and Informatics. His main research areas are: information system audit, data structures, metrics in information systems and object oriented programming.
More informationEmerging & disruptive technology risks
Emerging & disruptive technology risks Shawn W. Lafferty, KPMG Partner IT Internal Audit/Risk Assurance April 2018 Why IT internal audit? find ways to overcome resource and budgetary constraints. This
More information"IT Governance Helping Business Survival
"IT Governance Helping Business Survival Steve Crutchley CEO & Founder Consult2Comply www.consult2comply.com Introduction Steve Crutchley Founder & CEO of Consult2Comply 39 Years IT & Business Experience
More informationImplementing and Managing Open Source Compliance Programs
Implementing and Managing Open Source Compliance Programs Ibrahim Haddad, Ph.D. VP of R&D, Head of Open Source Twitter: Web: @IbrahimAtLinux IbrahimAtLinux.com Open Source Compliance Summit Yokohama, November
More informationPurposing the entirety of COBIT5 for the Assurance Professional. Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates
Purposing the entirety of COBIT5 for the Assurance Professional Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates The Conference that Counts, Albany New York Monday March 19, 2018 ROSS WESCOTT
More informationBraindumps COBIT5 50q
Braindumps COBIT5 50q Number: COBIT5 Passing Score: 800 Time Limit: 120 min File Version: 16.5 http://www.gratisexam.com/ Isaca COBIT 5 COBIT 5 Foundation I have correct many of questions answers. If there
More informationFeature. IT Governance and Business-IT Alignment in SMEs
Feature Steven De Haes, Ph.D., is professor of information systems management at the Antwerp Management School and the University of Antwerp (Belgium) and a managing director of the Information Technology
More informationAudit Committee Presentation FY2011 Audit Plan (annual risk assessment) August 16, 2010
Audit Committee Presentation FY2011 Audit Plan (annual risk assessment) August 16, 2010 INTERNAL AUDITS ACADEMIC ENTERPRISE Are research and development expenses expended in accordance with the terms of
More informationnpliance IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION Auditing for
IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION EUROS (US $1.15 BILLION) BY EUROPEAN UNION REGULATORS for failing to comply with a 2004 antitrust order. The previous year, DaimlerChrysler paid a US $30
More informationQuality Standards in Open Source Lifecycle
Quality Standards in Open Source Lifecycle Bogdan VINTILA Academy of Economic Studies, Bucharest, Romania vb@vintilabogdan.ro Abstract: Open source applications and components are very important for the
More informationInternal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR)
Internal Financial Control (IFC)& Internal Financial Controls over Financial Reporting (IFCoFR) Origin of IFC The first significant focus on internal control certification related to financial reporting
More informationBusiness Benefits by Aligning IT best practices
Business Benefits by Aligning IT best practices Executive Summary Since the Sarbanes-Oxley Act (Sarbanes-Oxley or SOX) was signed into law in 2002, many companies have adopted some IT practices to comply
More informationConsiderations when Choosing a Managed IT Services Provider. ebook
Considerations when Choosing a Managed IT Services Provider ebook Contents Considering Managed Services?...3 Consideration 1: Depth...4 Consideration 2: Proactive...5 Consideration 3: Knowledge & Processes...6
More informationCertified Internal Auditor (CIA ) Exam Syllabus
Certified Internal Auditor (CIA ) Exam Syllabus Part 1 Internal Audit Basics 125 questions 2.5 Hours (150 minutes) The CIA exam Part 1 topics tested include aspects of mandatory guidance from the IPPF;
More informationInternal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017)
Internal Audit Quality Analysis Evaluation against the Standards International Standards for the Professional Practice of Internal Auditing (2017) Assessor 1: Assessor 2: Date: Date: Legend: Generally
More informationSarbanes-Oxley Compliance Kit
Kit February 2018 This product is NOT FOR RESALE or REDISTRIBUTION in any physical or electronic format. The purchaser of this template has acquired the rights to use it for a SINGLE Disaster Recovery
More informationEX0-114_Wins_Exam. Number: Passing Score: 800 Time Limit: 120 min File Version: 1.0
EX0-114_Wins_Exam Number: 000-000 Passing Score: 800 Time Limit: 120 min File Version: 1.0 http://www.gratisexam.com/ 20000 IT Service Management Foundation Bridge based on ISO/IEC Total Questions: 78
More informationIT Service Management Foundation based on ISO/IEC20000
IT Service Management Foundation based on ISO/IEC20000 Number: EX0-115 Passing Score: 60 Time Limit: 90 min File Version: 4.0 http://www.gratisexam.com/ Exin EX0-115 IT Service Management Foundation based
More informationClearPath Services. Accelerate your ClearPath ROI. Isaac Levy Global Manager ClearPath Services May 2013
ClearPath Accelerate your ClearPath ROI Isaac Levy Global Manager ClearPath May 2013 Agenda Business Drivers and Challenges From IT Administration to Business Innovation ClearPath Mission Critical Framework
More informationChapter 6 Field Work Standards for Performance Audits
Chapter 6 Field Work Standards for Performance Audits Introduction 6.01 This chapter contains field work requirements and guidance for performance audits conducted in accordance with generally accepted
More informationReport. Quality Assessment of Internal Audit at <Organisation> Draft Report / Final Report
Report Quality Assessment of Internal Audit at Draft Report / Final Report Quality Self-Assessment by Independent Validation by Table of Contents 1.
More informationPresent and functioning: Fine-tuning your ICFR using the COSO update
Present and functioning: Fine-tuning your ICFR using the COSO update November 2014 With the COSO s 1992 Control Framework being superseded by the 2013 updated edition on December 15, 2014, now is the time
More informationRisk Management For and By the BOT. Secured BOT Series
Secured BOT Series 2018 Contents Risk Management For and By the BOT Setting context for RPA Risk Management Deloitte's Risk Framework For RPA Risk Management For the BOT Risk Management By the BOT How
More informationRisk assessment checklist - Acquire and implement
Check Yes or No or N/A (where not applicable). Where a No is indicated, some action may be required to rectify the situation. Cross-references (e.g., See FN 1.01) point to the relevant policy in the First
More informationERP IMPLEMENTATION RISK
ERP IMPLEMENTATION RISK Kari Sklenka-Gordon, Director at RSM National ERP Risk Advisory Leader March 2017 2015 2016 RSM US LLP. All Rights Reserved. Speaker Kari Sklenka-Gordon National RSM ERP Risk Advisory
More informationRetail Payment Systems Internal Control Questionnaire
Retail Payment Systems Internal Control Questionnaire Completed by: Date Completed: POLICIES AND PROCEDURES 1. Has the board of directors, consistent with its duties and responsibilities, adopted formal
More informationReview of Payment Controls
Review of Payment Controls June 12, 2009 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing Office of
More informationCORPORATE GOVERNANCE
Full Partial None CORPORATE GOVERNANCE This document has been prepared in terms of the JSE Listings Requirements and sets out Distell Group Limited s application of the principles contained in King III.
More informationEnterprise Availability Management
Statement of Work Enterprise Availability Management This Statement of Work ( SOW ) is between the Customer (also called you and your ) and the IBM legal entity referenced below ( IBM ). This SOW is subject
More informationBOM/BSD 2/November 1994 BANK OF MAURITIUS. Guideline on Maintenance of Accounting and other Records and Internal Control Systems
BOM/BSD 2/November 1994 BANK OF MAURITIUS Guideline on Maintenance of Accounting and other Records and Internal Control Systems November 1994 Revised November 2013 Revised December 2017 TABLE OF CONTENTS
More informationGovernance, COBIT and the Cloud a match made in the sky! Robert E Stroud CGEIT International Vice President ISACA Treasurer, Director Audit,
Governance, COBIT and the Cloud a match made in the sky! Robert E Stroud CGEIT International Vice President ISACA Treasurer, Director Audit, Standards & Compliance itsmf Intl. Service Management and Governance
More informationIs your ERP ready for COSO 2013?
Is your ERP ready for COSO 2013? Securing the ERP Webcast series February 26, 2015 Agenda COSO 2013 overview What is changing and what is not? Internal control definition Components and principles Transition
More informationGUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))
GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2)) Operational Risk Management MARCH 2017 STATUS OF GUIDANCE The Isle of Man Financial Services Authority ( the Authority ) issues guidance for
More informationISACA. The recognized global leader in IT governance, control, security and assurance
ISACA The recognized global leader in IT governance, control, security and assurance High-level session overview 1. CRISC background information 2. Part I The Big Picture CRISC Background information About
More informationCIA EXAM CONTENT. Part 1 :The Internal Audit Activitys Role in Governance Risk and Control
CIA EXAM CONTENT Part 1 :The Internal Audit Activitys Role in Governance Risk and Control A. Comply with The IIA's Attribute Standards (15-25%) (P) 1. Define purpose, authority, and responsibility of the
More informationGenpact Intelligent Operations SM
PROVIDE VISIBILITY Genpact Intelligent Operations SM Making enterprises more competitive, with operations that sense, act and learn from the outcome of actions, at scale Foreword Intelligent Operations
More informationVendor: EXIN. Exam Code: EX Exam Name: ITIL Foundation (syllabus 2011) Exam. Version: Demo
Vendor: EXIN Exam Code: EX0-001 Exam Name: ITIL Foundation (syllabus 2011) Exam Version: Demo Exam A QUESTION 1 Which role is responsible for carrying out the activities of a process? A. Process owner
More informationTypes of Systems Audit & Relevance. Presented By: Prasad Pendse, CISA
Types of Systems Audit & Relevance Presented By: Prasad Pendse, CISA Agenda Systems Audit Categories & Types of Systems Audit, Relevance IT & Application Audits Security Audits Process Audits Advantages
More informationUniversity of Nebraska Central Administration Position Description. General Information Working Job Title:
University of Nebraska Central Administration Position Description General Information Working Job Title: Identity Management Specialist (Developer 15-1133) Position Number: new Employee s Name: SAP Personnel
More informationThe importance of a solid data foundation
The importance of a solid data foundation Prepared by: Michael Faloney, Director, RSM US LLP michael.faloney@rsmus.com, +1 804 281 6805 February 2015 This is the first of a three-part series focused on
More informationCERT Resilience Management Model, Version 1.2
CERT Resilience Management Model, Asset Definition and Management (ADM) Richard A. Caralli Julia H. Allen David W. White Lisa R. Young Nader Mehravari Pamela D. Curtis February 2016 CERT Program Unlimited
More informationCOBIT. IT Governance CEN 667
COBIT IT Governance CEN 667 1 Project proposal (week 4) Goal of the projects are to find applicable measurement and metric methods to improve processes: For 27000 series of standards 27001 and 27004 For
More informationIncreasing External Auditor Reliance
Increasing External Auditor Reliance Guiding Internal Auditors to realize the benefits of raising the bar on External Auditor Reliance. SOX Software Made Simple Table of Contents 1 Introduction 3 Factors
More informationTitle: HP OpenView Configuration Management Overview Session #: 87 Speaker: Loic Avenel Company: HP
Title: HP OpenView Configuration Management Overview Session #: 87 Speaker: Loic Avenel Company: HP What we will cover in this session What is the HP OpenView configuration management solution for enterprises?
More informationState of Michigan Civil Service Commission Capitol Commons Center, P.O. Box Lansing, MI POSITION DESCRIPTION
CS-214 Rev 11/2013 State of Michigan Civil Service Commission Capitol Commons Center, P.O. Box 30002 Lansing, MI 48909 POSITION DESCRIPTION Position Code 1. This position description serves as the official
More informationEnterprise Architecture and COBIT
Enterprise and COBIT The Open Group October 22, 2003 www.realirm.co.za reducing risk, adding value, driving change Agenda 2 Introduction Case Study Enterprise and IT Governance Conclusion Business Orientation
More informationIT Audit Process. Michael Romeu-Lugo MBA, CISA March 27, IT Audit Process. Prof. Mike Romeu
Michael Romeu-Lugo MBA, CISA March 27, 2017 1 Agenda Audit Planning PS 1203 / PG 2203 Evidence PS 1205 / PG 2205 References: ITAF 3 rd Edition Information Systems Auditing: Tools and Techniques Creating
More informationW. R. GRACE & CO. CORPORATE GOVERNANCE PRINCIPLES
W. R. GRACE & CO. CORPORATE GOVERNANCE PRINCIPLES The primary responsibility of the directors of W. R. Grace & Co. is to exercise their business judgment to act in what they reasonably believe to be in
More informationCITIBANK N.A JORDAN. Governance and Management of Information and Related Technologies Guide
CITIBANK N.A JORDAN Governance and Management of Information and Related Technologies Guide 2018 Table of Contents 1. OVERVIEW... 2 2. Governance of Enterprise IT... 3 3. Principles of Governance of Enterprise
More informationINTELLECTUAL PROPERTY MANAGEMENT ENTERPRISE ESCROW BEST PRACTICES REPORT
INTELLECTUAL PROPERTY MANAGEMENT ENTERPRISE ESCROW BEST PRACTICES REPORT What is Mission Critical to You? Before you acquire mission-critical technology from a third-party software vendor, take a few minutes
More informationSTATE OF NORTH CAROLINA
STATE OF NORTH CAROLINA DEPARTMENT OF ADMINISTRATION DIVISION OF PURCHASE AND CONTRACT FINANCIAL RELATED AUDIT OFFICE SUPPLIES TERM CONTRACT AUDIT FOLLOW-UP JUNE 2014 OFFICE OF THE STATE AUDITOR BETH A.
More informationSelftestengine COBIT5 36q
Selftestengine COBIT5 36q Number: COBIT5 Passing Score: 800 Time Limit: 120 min File Version: 16.5 http://www.gratisexam.com/ Isaca COBIT 5 COBIT 5 Foundation I have correct many of questions answers.
More informationIS AUDITING GUIDELINE G10 AUDIT SAMPLING
IS AUDITING GUIDELINE G10 AUDIT SAMPLING The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing.
More informationProviding full life-cycle identity management. August idm365.com
Providing full life-cycle identity management. August 2014 idm365.com Whitepaper Contents Introduction... 3 Processes and Tools... 3 Objectives... 5 Scope... 6 The Concept in a Nutshell... 7 Business Benefits...
More informationCENTURYLINK DRAFT SUPPLY CHAIN RISK MANAGEMENT (SCRM) PLAN
Enterprise Infrastructure Solutions Volume 2 Management Volume Draft SCRM Plan CENTURYLINK DRAFT SUPPLY CHAIN RISK MANAGEMENT (SCRM) PLAN DRAFT CDRL 77 November 4, 2016 Qwest Government Services, Inc.
More informationInternal Audit s Brave Prudent, New World Annual WNY Conference
Internal s Brave Prudent, New World 2017 Annual WNY Conference AGENDA Utopia or Dystopia Design for a new world: frameworks Data analytics and the audit life cycle Session Description The always-increasing
More informationManaging Service Level Agreement
Managing Service Level Agreement Natasa Zabkar ¹Triglav Insurance Company Ltd Miklošičeva 19, 1000 Ljubljana, Slovenia e-mail: nzabkar@zav-triglav.si Viljan Mahnic ²University of Ljubljana Faculty of Computer
More information