Risk assessment checklist - Plan and organize

Similar documents
Risk assessment checklist - Acquire and implement

Risk assessment checklist - Purchasing cycle

Risk assessment checklist - Not-for-Profit governance

Career Ladder Editable Template

Risk Management Policy

OPERATIONAL RISK EXAMINATION TECHNIQUES

B U S I N E S S R I S K M A N A G E M E N T L T D

CAREER TRACKS. Supervisor Toolkit. FAQ: For Managers

CITIBANK N.A JORDAN. Governance and Management of Information and Related Technologies Guide

GOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.

GOVERNANCE MATTERS What is Governing Policy? Promoting Excellence in Corporate Governance, Risk Management and Operational Effectiveness

Management Response and Action Plan

Diving into the 2013 COSO Framework. Presented by: Ronald A. Conrad

An Overview of the 2013 COSO Framework. August 2013

CORE. Integration. EXAM SPECIFICATIONS Certified Professional in Supply Management (CPSM ) Supply Management. Supply Management. CPSM Learning System

Florida Department of Highway Safety and Motor Vehicles Office of Inspector General

POSITION DESCRIPTION

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

CGEIT Certification Job Practice

These are the primary functions of the Board, and should be the main focus of the Board s attention and activities.

Management Responsibilities Comparative Table

Topics. Background Approach Status

View Point Health Basics of Supervision Module 5: Performance Management

CPSM. Exam Specifications. Building a Global Network of Supply Management Experts. Certified Professional in Supply Management (CPSM )

Position No. Job Title Supervisor s Position Finance Officer Manager, Finance & Administration Nunavut Airports

Guam Power Authority Corporate Governance

Introductions. An Overview of the COSO 2013 Framework. Christian Peo Sharon Todd. An Overview of the 2013 COSO Framework.

IT Audit Process. Michael Romeu-Lugo MBA, CISA March 27, IT Audit Process. Prof. Mike Romeu

IMPLEMENTING PARTNER CHECKLIST

MPAC BOARD OF DIRECTORS MANDATE

COSO What s New, What s Changed, Why Does it Matter and Other Frequently Asked Questions

Internal Audit Charter

External Quality Assessment Are You Ready? Institute of Internal Auditors

Analysis of ISO 9001:2015 against the ICoCA Certification Assessment Framework

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

3.6.2 Internal Audit Charter Adopted by the Board: November 12, 2013

Corporate Governance Framework

Agency Risk Management and Internal Control Standards

HUMAN RESOURCE MANAGEMENT: AN OVERVIEW

2012 IIA Standards Update

Summary of ISO 9001:2015 New and Changed Requirements

Management Excluded Job Description

AUDIT COMMITTEE CHARTER (updated as of August 2016)

POSITION DESCRIPTION

Manage operational plan

APPENDIX A - CAO-A-1307

GATU Webinar Part 1 March 2017 Presented by Carol Kraus, CPA

CAREER TRACKS JOB STRUCTURE: CATEGORIES AND LEVELS

Auditor General s Office REVIEW OF THE CITY SAP COMPETENCY CENTRE APPENDIX 1. June 1, 2010

Mapping ISO/IEC 27001:2005 -> ISO/IEC 27001:2013

Practices in Enterprise Risk Management

6.2 What are the benefits of information management? Generally speaking, there are four kinds of benefits from managing information strategically:

Internal Control Questionnaire and Assessment

SELF ASSESSMENT OF BUSINESS OBJECTIVES. Kelly Dorin CPA, CA, CIA, CFE, CCSA, CRMA

CARIBBEAN EXAMINATIONS COUNCIL JOB DESCRIPTION

Standards for Internal Control in New York State Government 2016 Update

Board Mandate. 1. About the Mandate. 2. Responsibilities. Purpose

Introduction to IT Governance. IT Governance CEN 667

CHAPTER 4 THE EVOLVING/ STRATEGIC ROLE OF HUMAN RESOURCE MANAGEMENT

ISO Your implementation guide

INTERNAL CONTROL: COMPLIANCE, OPERATIONAL AND FINANCIAL

My experiences with Employee Fraud

Last revised: March 1, 2018 TRANSMISSION FUNCTION TITLES AND JOB DESCRIPTIONS

Management Accountability Framework

INTERNAL CONTROLS. Revision A

Internal Audit Self-Assessment Questionnaire:

University of Houston-Victoria Job Performance Appraisal

Manager, Facilities Operations

Project Risk Management (PRM)

Support Services Review Template

REAL ESTATE DIVISION AUDIT SUMMARY OVERVIEW

OC Public Works Reorganization Proposal

In Place; No Changes Recommended DRAFT

CANADIAN DERIVATIVES CLEARING CORPORATION (THE CORPORATION ) BOARD CHARTER

your resume to Initial screening of candidates to occur no later than May 1, Position open until filled.

EMPLOYEE FRAUD OPPORTUNITIES CHECKLIST

Developing an Integrated Anti-Fraud, Compliance, and Ethics Program

9/17/2017. An Overview of COSO s New Framework and Implementation Guidance SPEAKER. Laura Harden, CPA History

Human Resources Job Summaries

EXECUTIVE DIRECTOR INFORMATION AND TECHNOLOGY SYSTEMS

Internal Control Questionnaire and Assessment

LeiningerCPA, Ltd. RISK MANAGEMENT POLICY STATEMENT


Internal Control Vulnerability Assessment (January 2011) Unit Name. Prepared by. Title. Reviewed by. Title. Reviewer s Comments

Audit of Weighing Services. Audit and Evaluation Services Final Report Canadian Grain Commission

RREGULATION ON INTERNAL CONTROLS AND INTERNAL AUDIT FUNCTION IN MICROFINANCE INSTITUTIONS. Article 1 Scope and Purpose

The City of Kawartha Lakes Public Library

Implementation Guides

SUPPLY CHAIN AND OPERATING RISK

Mott Community College Job Description

Perspectives on Strategy

Plan International, Kenya Job Description Country Logistics and Administration Manager

Health and Safety Management System Review Form

Effective Vendor Risk Management. April 21, Mario A. Mosse. This Training is Brought to you by ComplianceOnline. Presenter:

UNITED NATIONS DEVELOPMENT PROGRAMME GENERIC JOB DESCRIPTION

BOARD OF DIRECTORS MANDATE

Compliance Program Effectiveness Guide

SUGGESTED SOLUTIONS Audit and Assurance. Certificate in Accounting and Business II Examination March 2014

Head of Finance & Operations

TERMS OF REFERENCE FOR THE BOARD OF DIRECTORS AND THE MANAGEMENT OF SA SA INTERNATIONAL HOLDINGS LIMITED

Transcription:

Check Yes or No or N/A (where not applicable). Where a No is indicated, some action may be required to rectify the situation. Cross-references (e.g., See FN 1.01) point to the relevant policy in the First Reference Internal Control Library. FN = Finance & Accounting PolicyPro, Volume 1; GV = Finance & Accounting Policy- Pro, Volume 2; OP = OMPP policies in FAPP electronic version; IT = Information Technology PolicyPro; NP = Not-for-Profit PolicyPro. Define a strategic IT plan and direction PO1 Do you have a policy requiring that IT strategic and tactical plans be prepared and maintained? See IT1.01, 1.02, 12.01 PO2 PO3 PO4 PO5 PO6 PO7 PO8 PO9 PO10 PO11 Do you ensure that strategic plans lead to tactical plans? See IT1.01, 1.02 Do you mandate that IT planning happens at least once a year? See IT IT1.01, 1.02 Have you developed or acquired a standard planning approach and methodology? See IT1.01, 1.02 Is the IT strategic plan related to your organization s objectives and business plans? Does it evolve as those plans are updated? See IT1.01 Does your strategic plan correspond with your risk appetite? See IT1.01, 1.02, 1.05, 1.06 Are objectives and plans reassessed as frequently as required, commensurate with the rate of change in technology, threats, risks and business opportunities? See IT1.01, 1.02 Do managers of other business units participate in the IT strategic planning exercise? See IT1.01 Have you established committees or regular meetings between business and IT management to share information and promote synergy? See IT1.01 Do you have a process where appropriate business and IT executives approve the strategic and tactical plans? See IT1.01, 1.02 Does the planning process consider technology trends and developments, and relevant architecture elements? See IT1.01, 1.02 2008-2010 First Reference Inc. All Rights Reserved. 1

PO12 PO13 PO14 PO15 PO16 PO17 Do you obtain input to the planning process from key stakeholders, including employees, customers, and suppliers? See IT1.01, 1.02 Have you developed a communication strategy to maximize the exposure and acceptance of the IT plans throughout the organization?. See IT1.01, 1.02 Have you assigned responsibilities for the development, approval, communication and monitoring of IT objectives and plans? See IT1.01, 1.02 Do you mandate that senior management must consider IT plans when making decisions related to technology within their business units? See IT1.01, 1.02 Do you obtain feedback about the quality and usefulness of IT plans from senior management across the organization, and from the staff who use the plans? See IT1.01, 1.02 Have you considered forming a high-level IT security steering committee including senior IT managers and business process owners to assess risks and identify gaps? See IT 1.02, 1.03 Define IT processes, organization and relationships PO18 Is IT an active participant in establishing the organization s overall objectives and business strategies? See IT1.01 PO19 PO20 PO21 Is there a process for establishing an owner for each IT component? See IT1.01, 1.02, 1.05, 1.06 Are the roles and responsibilities for each category of owner established and communicated across the organization? See IT1.01, 1.02, 1.05, 1.06 Are ongoing periodic reviews performed to confirm that established responsibilities and accountabilities remain relevant and are being met? See IT1.01, 1.02, 1.05, 1.06 2008-2010 First Reference Inc. All Rights Reserved. 2

PO22 PO23 PO24 PO25 PO26 PO27 PO28 Do you assign responsibilities so that no single individual has authority to add, modify or delete an information asset without there being an independent review of that activity? See IT1.03, 4.02 Do you maintain separation of duties between initiation and authorization activities? See IT1.03, 4.02. Do you maintain separation of duties between implementation (or execution), and verification activities? See IT1.03, 4.02 In processes with a high degree of risk, are key business functions separated, so that no individual can add, modify or delete information or transactions? See IT1.03, 4.02 Do you have policies to maintain separation of duties during vacations, illnesses or leaves of absence? IT1.03, 4.02 Have you created data management policies that assigns responsibilities for data management activities to appropriate information resource owners and users? See IT5.04 Do you have policies that ensure that the custodians and users of data maintain the confidentiality of the data according to the classification assigned by data owners? See IT9.02 Manage IT human resources PO29 Are departmental and individual performance plans linked to and integrated with IT technology objectives and plans? See IT1.01, 1.02 PO30 PO31 PO32 Are recognition and reward mechanisms related to the achievement of IT objectives and plans? See IT1.01, 1.02 Do you have a IT skills inventory and compare it to the required skills periodically to identify potential gaps? See IT12.01 Do you have a process or plan to eliminate skill gaps through training, supervision, acquisition, contracting, hiring or outsourcing? See IT12.01 2008-2010 First Reference Inc. All Rights Reserved. 3

PO33 PO34 PO35 Do you maintain IT succession plans to ensure that the necessary skills and experience will be available in the future? See IT 12.01 Have you created accountability for organizational security in position descriptions and performance objectives? See 12.01, 12.02 Do you have a process to communicate HR changes (e.g., terminations, transfers) to the individuals responsible for maintaining security privileges? Manage quality PO36 Have you established policies and standards to ensure the efficiency and effectiveness of the systems development and acquisition process? See IT2.02, 3.02 PO37 PO38 PO39 PO40 PO41 Have you defined the role of financial and internal audit representatives and the extent of their involvement in systems development and acquisition? See IT2.02, 3.02, 7.03 Have you established procedures to ensure that application code is consistent with design specifications and meets the organization s standards for programming languages, documentation, code structure, naming conventions and processing controls? See IT2.02, 3.02, 4.01 Have you created and communicated standards for programming languages, documentation, code structure, naming conventions and processing controls? See IT2.02, 3.02 Do you confirm the quality of the code using supervisor review, unit testing and independent quality assurance reviews? See IT2.02, 3.02 Have you created a quality assurance function to independently test code for functionality, and to review the code and accompanying documentation for compliance with standards and maintainability? See IT2.02, 3.02 2008-2010 First Reference Inc. All Rights Reserved. 4

Assess and manage IT risks PO42 Is the importance of IT risk captured in organization-wide policies, standards and procedures and effectively communicated to all personnel at all levels? PO43 PO44 PO45 PO46 PO47 PO48 PO49 PO50 PO51 PO52 Do management decisions and conduct reflect risk management and control principles? Is this communicated to employees and in corporate communications to outside stakeholders? Is risk management included in performance evaluations of business units, technology support areas, and systems? Is there an ongoing employee awareness program to enforce the organization s risk culture? Is the organization s risk assessment process a key reference when preparing information for IT strategic and tactical plans? See IT1.01, 1.02, 1.05, 1.06 Have you established procedures to survey the internal and external environment to identify changes in business or technology risks? See IT1.01, 1.02, 1.05, 1.06 Are there clearly defined responsibilities and accountabilities for IT risk management? See IT1.05, 1.06 Have you established a steering committee for IT risk management and control to direct risk management programs and monitor their effectiveness? Do position descriptions include responsibilities and accountabilities for risk management? Do management objectives include targets and indicators for risk management? See IT1.05, 1.06 Does responsibility for risk management ultimately lie with the owners of the components? 2008-2010 First Reference Inc. All Rights Reserved. 5

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback