Types of Systems Audit & Relevance. Presented By: Prasad Pendse, CISA

Similar documents
Sarbanes-Oxley Compliance Kit

Risk Management For and By the BOT. Secured BOT Series

SOX FOR NPO S Focus on Control. Stephen L. Kuptz, CPA

Brink's Modern Internal Auditing

SARBANES-OXLEY COMPLIANCE MANAGING CHANGING EXPECTATIONS January 20, 2017

Negotiating in a Sarbanes-Oxley World

Increasing External Auditor Reliance

SOX 404 & IT Controls

SOX106. Accounts Payable and Sarbanes-Oxley; Strengthening your Internal Controls- 10 hours. Objectives

B S R & Co. LLP. Reporting on Internal. Reporting An Overview. Sarbanes Oxley Act (SOX) 28 December 2013

Corporate Governance Principles of Auditing: An Introduction to International Standards on Auditing - Ch 14

COMPUTERISED SYSTEMS

RFP for Consultancy to Upgrade from CMMI Maturity Level 3 to CMMI Maturity Level 5 & Prism Certification

Benchmarking Report Share, Compare, Validate SAMPLE. Year: 2017 Your Organization Date

SIMPLE FUND 360: AN AUDITORS GUIDE. Australia s leading cloud SMSF admin solution AN AUDITORS GUIDE.

Sarbanes Oxley Impact on Supply Chain Management

Guide to the Sarbanes-Oxley Act: Internal Control Reporting Requirements

Assurance Services. thinking strategically to your best advantage

ENTERPRISE RISK SERVICES Managing Risk, Driving Results

THIRD-PARTY RISK MANAGEMENT

EFFICIENT USE OF AUDIT COMMITTEES

t: +44 (0) f: +44 (0) e: w:

STANDING ADVISORY GROUP MEETING

SEMINAR ON INTERNAL FINANCIAL CONTROLS. Oct 31, 2015 at ISACA Pune Chapter Nov 1, 2015 at Pune Branch of WIRC of ICAI

ﺖﻴﻨﻣا ﺖﻳﺮﻳﺪﻣ ﻢﺘﺴﻴﺳ ﻲﺷزﻮﻣآ رﺎﻨﻴﻤﺳ يﺎﻫدراﺪﻧﺎﺘﺳا يﺎﻬﺘﺳﺎﻴﺳ ﻪﻳﺎﭘ ﺮﺑ تﺎﻋﻼﻃا BS7799 & BS15000 لوا ﻲﺷزﻮﻣآ رﺎﻨﻴﻤﺳ

Checklist for Higher Education

Internal Financial Controls New perspectives as per Companies Act 2013 and CARO 2016

CPA REVIEW SCHOOL OF THE PHILIPPINES M a n i l a. AUDITING THEORY Risk Assessment and Response to Assessed Risks

Reporting on an Examination of Controls at a Service Organization Relevant to User Entities Internal Control Over Financial Reporting

ISACA S IT Audit, Information Security & Risk Insights Africa 2014 MAY, 2014

SPECIFICATION NO. TxDOT * REVISED: AUGUST 2017 CRIMINAL BACKGROUND CHECKS

Joint IIA/ ISACA/ ACFE Spring Fraud Conference: Fraud & the External Auditor, and You

WORK PLAN AND IV&V METHODOLOGY Information Technology - Independent Verification and Validation RFP No IVV-B

SMITH & NEPHEW PLC TERMS OF REFERENCE OF THE AUDIT COMMITTEE

Oversight of payment instruments. The Banque de France s approach CONFERENCE. E-payments in Europe

Sarbanes-Oxley Compliance: Managing Technology Controls

See your auditor clearly. Transparency report: How we perform quality audit engagements

ENERGY PERFORMANCE PROTOCOL QUALITY ASSURANCE SPECIFICATION

Statement on Risk Management and Internal Control

Policy Outsourcing and Cloud-Based File Sharing

Assurance Services. Assurance Services

ASSESSMENT AND EVALUATION OF THE CITY OF PHILADELPHIA S INFORMATION TECHNOLOGY GENERAL CONTROLS FISCAL 2016

CDK GLOBAL, INC. AUDIT COMMITTEE CHARTER Effective January 20, 2016

Will Your Company Pass a Privacy Audit?

Applying Integrated Assurance Management Scenarios for Governance Capability Assessment

Emerging Technology and Security Update

References Concept. Principle. EU Annex 11 US FDA , (g), (i), 11 Orlando Lopez 2/15/11. Old Annex 11.

International Standard on Auditing (Ireland) 402 Audit Considerations Relating to an Entity using a Service Organisation

Vol. 2 Management RFP No. QTA0015THA A2-2

EMPLOYMENT OPPORTUNITIES

IT and Enterprise Governance By Michael J. A. Parkinson, CISA, CIA, and Nicholas J. Baker, CPA

WELLS FARGO & COMPANY AUDIT AND EXAMINATION COMMITTEE CHARTER

EUROPEAN COMMISSION ENTERPRISE AND INDUSTRY DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union

VENDOR RISK MANAGEMENT FCC SERVICES

AUDIT COMMITTEE CHARTER DATED AS OF AUGUST 5, 2010

Challenges & Best Practices in Managing the Account Reconciliation Process

GOVERNANCE AES 2012 INFORMATION TECHNOLOGY GENERAL COMPUTING CONTROLS (ITGC) CATALOG. Aut. / Man. Control ID # Key SOX Control. Prev. / Det.

Reporting on Pro Forma Financial Information

Securing Intel s External Online Presence

IPO Readiness. Sarbanes-Oxley Compliance & Other Considerations. Presented by:

SOUTHWEST AIRLINES CO. AUDIT COMMITTEE CHARTER

BUSINESS CPA EXAM REVIEW V 3.0. For Exams Scheduled After March 31, 2017

CUSTOMER AND SUPPLIER ROLES AND RESPONSIBILITIES FOR 21 CFR 11 COMPLIANCE ASSESSMENT. 21 CFR Part 11 FAQ. (Frequently Asked Questions)

Business Resilience: Proactive measures for forward-looking enterprises

CHAPTER 5 INFORMATION TECHNOLOGY SERVICES CONTROLS

This charter defines the purpose, authority and responsibility of News Corporation s (the Company ) Corporate Audit Department.

CRESCENT CAPITAL BDC, INC. AUDIT COMMITTEE CHARTER

NEWMARK GROUP, INC. AUDIT COMMITTEE CHARTER. (as of December 2017)

Assurance Research Advisory Group Firm Data

COMPLIANCE AT LARGER INSTITUTIONS. November 11 13, Robert F. Roach Chief Compliance Officer New York University

GET MORE PAYMENTS WITH ACI VIRTUAL COLLECTION AGENT

Advanced External Auditing [AU2] Examination Blueprint

Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors)

Continuous Monitoring: Getting Results Today!

Format and organization of GAGAS Auditor preparation of financials is a significant threat to independence 3 party arrangements in government State

SARBANES - OXLEY ACT- THREAT OR OPPORTUNITY FOR AUDITORS?

December 2015 THE STATUS OF GOVERNMENT S GENERAL COMPUTING CONTROLS:

INTRODUCTION IT AUDITING FOR NON-IT AUDITORS GOLDCAL LLC Danny M. Goldberg, Founder 1

The Road to Continuous Assurance. Jason A. Gross, CPA, CIA, CFE, CISA, ACDA Vice President, Controls Management Siemens Financial Services, Inc.

Cargotec Supplier Requirements

Scope of this SA Effective Date Objective Definitions Sufficient Appropriate Audit Evidence... 6

IFRS and Information Technology. Chris Anderson, Grant Thornton Jim Menzies, Grant Thornton

Implementation Tips for Revenue Recognition Standards. June 20, 2017

Risk Advisory Services (RAS)

NEW YORK LIFE INSURANCE COMPANY AUDIT COMMITTEE MISSION STATEMENT

Enterprise Content Management and Business Process Management

Enhancing Audit Quality and Transparency

41880 Introduction to Hyperion Financial Management. Mike Malwitz Director Product Strategy Oracle Enterprise Performance Management

September 9, 2016 kpmg.ca

Audit Independence Policy

12.0 Business Continuity Management

THORNEY OPPORTUNITIES LTD ACN AUDIT & RISK COMMITTEE CHARTER

Audit and Risk Committee Charter

INTERNATIONAL STANDARD ON AUDITING 402 AUDIT CONSIDERATIONS RELATING TO ENTITIES USING SERVICE ORGANIZATIONS CONTENTS

SOX Audit Environment

ISACA. The recognized global leader in IT governance, control, security and assurance

AUDIT COMMITTEE. each member must be financially literate (as determined by the Board);

Risk Based Thinking & QMS Risk Management as per ISO

The New COSO Framework: Avoiding Deficiencies and Driving Change

Transcription:

Types of Systems Audit & Relevance Presented By: Prasad Pendse, CISA

Agenda Systems Audit Categories & Types of Systems Audit, Relevance IT & Application Audits Security Audits Process Audits Advantages of Systems Audit Professional Qualifications for Systems Audit

Systems Audit An audit of the controls designed and implemented into the system to ensure the integrity of the data processed by the system and maintain the proper functionality of system processes. System Audit Categories: IT & Application Audit Compliance Security Audit IT Audit Provide assurance that IT Systems are adequately protected Reduce risk of data tampering, data loss or leakage, service disruption and poor management of IT systems Process Audit

Types of Systems Audit ITGC Controls Review Application Audit System Interface Audit Pre-Implementation Review Post- Implementation Review Security Audit Data Centre Audit Third party Information Risk Assessment Process Audit Data Migration Audit Performance Audit Statutory Audit Internal Controls Review / SOX Controls Review SAS70/SSAE16/ISAE 3402 audit of IT Processes Software Asset Management (SAM) Audit / Licensing Audit

IT General Controls (ITGC) Review An audit of the controls in place for technology that affects the management of fundamental organizational processes. ITGC Areas: Change Management Physical & Logical Access Controls Computer Operations Controls Ensure the proper development and implementation of applications Integrity of programs, data files, and computer operations. ITGC Review Incident & Problem Management Backup / Recovery BCP / DRP

Application Audit According to ISACA, The policies, procedures and activities designed to provide reasonable assurance that objectives relevant to a given automated solution (application) are achieved. Control Areas: User management Changing nature of Business Incident & Problem Management Application Audit Password & Logical Controls Data accuracy Completeness Validity, verifiability and consistency Change Management Master Management Audit Trail Review Achieve data integrity and data reliability

System Interface Audit Introduction Exchange of information between two or more applications. Requires data validation for input as well as output controls Complexity of IT Infrastructure and system interfaces for information flow Risks associated with Data Integrity Eavesdropping

Pre-Implementation Review Audit review of a system currently being developed. To evaluate and test proposed control environment in the new system The IT solution meets the business requirements. BU and IT are aware of controls needed within the system. Managed effectively and efficiently during design, development and implementation. Implemented in accordance with established policies and best practices.

Post-Implementation Review Evaluates whether the project has achieved its intended objectives, Reviews the performance of project management activities and captures learning points for future improvements Ensure that the original requirements have been successfully implemented into production. Review is not limited for completion of project but to ensure that the organization benefits from the project outcome.

Security Audit Systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established standards / criteria. Classified as Internal & External Security Audit Audit Areas: Operating System Review Security systems and processes are working as intended Comply with the legislations and acts Vulnerability Assessment / Penetration Testing Security Audit Database Review Identify the gaps in the existing defenses Complex nature of systems Hacking incidents / breach Network Review

Data Centre Audit Comparing existing infrastructure against best industry practices and it mainly includes review of Physical and environmental security. Large investments in Data & Hardware Complex IT Architectures Data Center Tier Levels based on criticality

Third Party Information Risk Assessment Review of business functions and operations to determine whether the activities, resources and behaviors are being managed efficiently and effectively. Results of business operations and measures them against the predetermined goals of the company. Compliance risk for third party business relationships Reduced data loss Applicable Standards: ISO 27001, SSAE 16, etc.

Process Audit Review of business functions and operations to determine whether the activities, resources and behaviors are being managed efficiently and effectively. Results of business operations and measures them against the predetermined goals of the company. Effective Management of Process: Improvements Goals & Measures Processes Standardization of processes Quality Standards such as ISO 9000 Non core activities outsourced to third party Review Results

Data Migration Audit Data Migration audit verifies the completeness & accuracy of data transferred from legacy system to new system. Focus on: Completeness Accuracy Consistency Technological advancement, legacy systems, efficient newer systems Consistency of data migrated to new system

Performance Audit Refers to an examination of a program, function, operation or the management systems and procedures. Review of systems (hardware, software, network) performance over period. Helps in detecting frauds, performance deviations. Future requirement to support future growth

Compliance / Statutory Audit Compliance audits provide management with tool for the internal review of compliance in their operating units. Is governed by respective statutes, laws& rules. Changing nature of business resulting In statutory changes across the World Standardization of business processes for the critical, financially relevant systems.

Compliance / Statutory Audit (cont ) # Audit Name Regulator/ Authority 1 System Audit RBI RBI, Banks, NBFC's 2 System Audit SEBI Entity Circular No. Frequency Stock Exchange, MF's, Stock brokers RBI/2010-11/494 DBS.CO.ITC.BC.No.6/31.0 2.008/2010-11 CMTR23912, MCX- SX/CTCL/1101/2013, CMTR23125 NBFC: Yearly RBI, Banks Annually Professional Qualification CISA/CISSP/CIS M/DISA CISA/CISM/DISA 3 4 Code of Practice for Metering & Billing (CPMBA) Investment Risk Management system & Process Audit TRAI Telecom Companies F.No.302-1/2010-QoS Yearly CA's IRDA Insurance Companies IRDA-INV/CIR/023/2009-10 3 years CA's 5 System Audit IT Act 2000 IT Act 2000 6 SSAE16 AICPA 7 Listed Internal controls & SOX Act, USA Financial Reporting 8 System Audit PCI-DSS Service Organizations companies in USA & their subsidiaries. Payment Card industry Auditing std. board(asb) of AICPA Yearly CPA's SOX Act Periodically CPA's Contractual Requirement for Payment card service provider As per requirement PCI-QA

Internal Control Review / SOX Control Review / Clause 49 The Sarbanes-Oxley Act (SOX) defines the requirements for the integrity of source data related to financial transactions and disclosures. SOX Section 404 implementation of technical controls and continuous access auditing to assure the reliability of data related to financial transactions. Clause 49 (Indian equivalent of SOX) which states top management becomes directly accountable for all financial statements and internal controls of the organization SOX Regulations: Public Company Accounting Oversight Board (PCAOB) Corporate scandals and lack of investor confidence Corporate and criminal fraud accountability SOX Regulation s Auditor independence Significance to Corporate Governance Enhanced financial disclosures Corporate responsibility High penalties for management of Companies & imprisonment

SAS70 / SSAE16 / ISAE 3402 Audit of IT Processes Statement on Standards for Attestation Engagements (SSAE ) No. 16 - The standard for service organizations to demonstrate controls in operations and its design to achieve objectives set forth. Attested by an Independent Auditor. The standard provides for two types of reporting Type I and Type II. Need for written assertion from management of service organization regarding effectiveness of controls Outsourcing of non-core activities affecting financials of parent company Attest function than SAS70 s Audit function

Software Asset Management (SAM) Audit / Licensing Audit SAM audit involves review of following business practices for software application within organization Activities: Review Policy Complex licensing requirements Identify Gaps Prepare Inventory High cost of Licensing Unrestricted use of internet by employees Analyze & Verify

Advantages of System Audit Advantages: Detection of non compliant procedure Continual Improvement Increase in productivity Increased Confidentiality, Integrity & Availability Increased data accuracy, completeness, validity, verifiability and consistency Build a confidence among stakeholders through increase in safe & secure system Compliance to Statutory / Compliance / Legal Requirements

Qualifications for System Audit Qualification Certification Body* Certified Information Systems Auditor (CISA) Certified Information Security Manager (CISM) Diploma in Information System Audit (DISA) Global Information Assurance Certification (GIAC) Certified Information Systems Security Professionals (CISSP) Systems Security Certified Professionals (SSCP) Certified in Risk & Information Systems Control (CRISC) ISO 27001:05 Lead Auditors (LA) * Logo s have been taken from websites of the respective Organizations.

Agility Precision Quality

talk to us! Prasad Pendse

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback