Audit Committee
Compensation Committee
Governance Committee
Finance Committee
IT Roles in the Organization (contd)
Management
Audit
Internal Auditing – CAE and Audit Staff
External Auditing
Analyzing Risk
Risk Determines Response
Risk Considerations in Determining the Adequacy of IT Controls:
The IT Infrastructure
IT Risks Faced by the Organization
Risk Appetite and Tolerance
Performing Risk Analysis
Value of Information
Appropriate IT Controls
Analyzing Risk (contd)
Risk Mitigation Strategies
Accept the risk
Eliminate the risk
Share the risk
Control/mitigate the risk
Digital Dozen (VISA)
1. Install and maintain a working firewall to protect data.
2. Keep security patches up-to-date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by "need to know."
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
Fundamental Five
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Monitoring and Techniques
Choosing a Control Framework
Monitoring IT Controls
Ongoing Monitoring
Daily/Periodic
Event-driven
Continuous
Special Reviews
Annual (or quarterly) control assessment
Audit reviews
Assessment
What Audit Methodology to Use?
Testing IT Controls and Continuous Assurance
Automated Continuous Monitoring
Automated Internal Control Analysis Tools
Automated Risk Analysis
Audit Committee/Management/Audit Interfaces
Metrics and reporting
Audit Report Summaries
Conclusion
Assessing IT controls is an ongoing process.
The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.
Experienced IT auditors are a major asset for any internal audit function.
Assessing IT controls effectively depends on communication with technical staff, management, and board members.