CPE Credits: TBD
Description: This seminar discusses the status of IT Auditing within organizations, the classic approaches to providing this necessary service to the organization, the preparation of an IT Auditor to contribute to IT Audit projects, and the categorization of risks to allow the IT Audit universe to be serviced by IT Auditors. You will learn the fundamentals of IT controls and the scope of IT risks that must be addressed in today's environment. The major areas that IT Auditors can address will be discussed, with hands-on exercises to reinforce that knowledge.
Audience: IT Auditing for entry-level IT Auditors and General Auditors interested in moving to IT Audit.
Prerequisites: None
Objectives:
Course Outline:
A. Mission of IT Audit
1. Support financial audits
2. Independent assurance of IT governance controls
3. Independent assurance of IT environment controls
i. General controls
ii. Application controls
B. Who are IT Auditors?
1. Train IT personnel in audit techniques
2. Train financial/Audit personnel in information technology
3. Hire externally
4. Contract
i. Specialized audits
ii. Supplement staff
C. IT "Standards" or "Best Practices"
1. COBIT
2. Focused "standards"
i. ITIL
ii. ISO 17799/BS7799 GTAG
iii. ISACA Guidelines & Framework
D. What Do IT Auditors Work On?
1. Assess risks of technology
i. Compliance
ii. Internal controls
iii. IT governance
2. Key risks
3. Develop the annual plan
i. Budgeted staff
4. Revisions to the plan
5. Research required to anticipate new technology risks
6. Organizational baseline requirements
i. Monitoring controls
E. Introduction to IT Organization components
1. Security
2. Operating systems management
3. Application development
4. Change management
5. Network controls
6. Manage facilities
7. Business Continuation Planning
8. Data management
9. Service organizations
F. Developing IT audit programs
1. React to the dynamics of the IT environment (new technologies a threat?)
2. Defining the scope of controls
3. Tools for IT audit
i. Third-party software
ii. Develop in-house tools
G. What is the process for performing the IT Audit?
1. Assessing risk
2. Testing
3. Evidence
4. Analyze
5. Determine actions required
6. Communicate findings
H. Relationship with Financial audit team
1. Assist in developing CAAT for financial audit staff
i. Mini IT department
2. Team audits of divisions, etc.
I. IT Auditors as Control Consultants
1. Participate in application or infrastructure development
2. Participate in software selection projects
J. Training challenges
1. Continuous process to keep skills
2. New technology assessment
K. The IT Auditor as a control advocate
1. Provide training in controls for IT
2. Champion control improvements
i. Biometric identification, etc.
This seminar will be taught by RODNEY SCOTT, CIA, MBA
Rod is currently consulting and teaching in the area of the Sarbanes-Oxley Act. He developed and leads the IIA seminar "Sarbanes-Oxley Act: Assessing IT Controls". He has formed his own company and services several clients with their Sarbanes-Oxley internal control assessments for IT general controls and application controls, as well as performing IT audit assignments.