TRANSCRIPT
4/27/2015
1
Copyright © 2014 AuditNet® and Richard Cascarino & Associates
AuditNet® Training without Travel™ Fundamentals of IT Auditing 28 April 2015
Guest Presenter:
Richard Cascarino,
MBA, CIA, CISM, CFE
Richard Cascarino &
Associates
Jim Kaplan CIA CFE
• President and Founder of
AuditNet®, the global resource
for auditors (now available on
Apple and Android and Windows
devices)
• Auditor, Web Site Guru,
• Internet for Auditors Pioneer
• Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
• Author of “The Auditor’s Guide
to Internet Resources” 2nd
Edition
Richard Cascarino MBA CIA CISM CFE
• Principal of Richard Cascarino &
Associates based in Colorado USA
• Over 30 years experience in IT
audit training and consultancy
• Past President of the Institute of
Internal Auditors in South Africa
• Member of ISACA
• Member of Association of Certified
Fraud Examiners
• Author of Auditor's Guide to IT
Auditing
Webinar Housekeeping
• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.
• Webinar recording link will be sent via email within 5-7 business days.
• NASBA rules require us to ask polling questions during the Webinar and CPE certificates will be sent via email to those who answer ALL the polling questions
• The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.
• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.
• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars
• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.
Disclaimers
• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant-client relationship.
• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website
• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®
Today’s Agenda – Technology and Audit
– Control Objectives and Risks
– Batch and On-line Systems
– Programming Computers
– Database Systems
– Computer Risks and Exposures
– Computer Security
– Application Systems and their Development
– Computer Operations Controls
• Your Questions
• Conclusion
Systems of Internal Control
• Key Concepts
–"Reasonable Assurance"
–"Acceptable Levels"
• Control Environments
• Primary Element of Internal Control
• Establishes conditions under which Internal Controls will Operate
–Organisation Structure
–Control Framework
–Organizational policies and procedures
–External Influences
Control Environment
•Organizational Structure
–Defines individual managers' responsibilities
–Sets limits of authority
–Ensures appropriate segregation of duties
Control Framework
• May be complex or simple
–Large organizations tend to have highly structured control frameworks
–Small organizations frequently use personal contact between employees
• Elements
–Segregation of duties
–Competence and integrity of people
–Appropriate levels of authority
–Accountability
–Adequate resources
–Supervision and review
Control Framework
• Policies and Procedures
–Describe
•Scope of the function
•Activities
•Interrelationships with other departments
•External Influences
•Laws and Regulations
•Customs
•Union agreements
•Competitive Environments
Systems Software
–Computer programs and routines controlling computer hardware, processing and non-user functions
–Includes
Operating Systems
Telecommunications software
Data management
Applications Software
–Computer programs written to support business functions
–Includes
General Ledger / Payroll / Inventory / Order Processing
Manual and Automated Systems
Manual and Automated Systems
End-User Systems
–Generated outside the IT organization to meet specific user needs
–Includes
Micro-based systems
User-developed systems
Control Procedures
General IT Controls
–Computer Operations
Physical Security
Logical Security
Program change control
–Systems Development
Application Controls
Business systems oriented
Accuracy
Completeness
Authorization
Classification of Controls
Preventative - prevents an undesirable event
–Restrictions on users
–Requirements for passwords
–Separate authorization
Detective - detects undesirable events after the fact
–Effective use of audit trails
–Exception reports
Corrective - allow things to be put right
–Disaster Recovery Plans
–Transaction reversal capability
Classification of Controls
Discretionary - subject to human discretion
–Supervisory review of signatures
Non-discretionary - provided by the system and cannot be overridden
–Use of PIN numbers
Classification of Controls
Voluntary / mandated
–Voluntary - Chosen by the organization to support its business
–Mandatory - required by laws and regulations
Manual / automated
–Manual - implemented by manual intervention
–Automated - Implemented by the computer system
Application / General IS
–Application - to do with the business function
–General IS - to do with the running of the IS function
Classification of Controls
Control Objectives and Risks
–Potential Risks
Fraud
Business interruption
Errors
Customer dissatisfaction
Poor public image
Ineffective and Inefficient use of resources
General Control Objectives
–Integrity of Information
–Security
–Compliance
Data and Transaction Objectives
–Input
All transactions are initially and completely recorded
All transactions are completely and accurately entered into the system
All transactions are entered once only
–Controls may include
Pre-numbered documents
Control total reconciliation
Data validation
Activity logging
Document scanning
Access authorization
Document cancellation
Data and Transaction Objectives
Processing
–Approved transactions are accepted by the system and processed
–All rejected transactions are reported, corrected and re-input
–All accepted transactions are processed once only
–All transactions are accurately processed
–All transactions are completely processed
Data and Transaction Objectives
Controls may Include
–Control totals
–Programmed balancing
–Segregation of Duties
–Restricted access
–File labels
–Exception reports
–Error logs
–Reasonableness tests
–Concurrent update control
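The input and processing objectives on the preceding slides (complete and accurate entry, once-only entry, rejected items reported and re-input) can be exercised in code. The following is an added example and not part of the AuditNet/Cascarino material: it reconciles a keyed batch to its batch slip (count and amount control totals), checks the pre-numbered document range for gaps and duplicates, applies field validation and a reasonableness test, and routes rejects to an exception report rather than dropping them. The batch layout, field names, the 10,000 reasonableness limit and the sample documents are assumptions constructed for illustration.

```python
"""Batch input and processing controls applied to a constructed transaction batch.

Added example (not from the AuditNet/Cascarino slides). The batch layout, field
names, reasonableness limit and sample values are assumptions made for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class BatchHeader:
    """Control totals captured on the batch slip before data entry (assumed layout)."""
    batch_id: str
    expected_count: int      # number of documents in the batch
    expected_amount: float   # control total of the amount field
    first_doc: int           # pre-numbered document range covered by the batch
    last_doc: int


@dataclass
class Result:
    accepted: list = field(default_factory=list)
    exceptions: list = field(default_factory=list)  # exception report: items to correct and re-input
    error_log: list = field(default_factory=list)   # batch-level control failures


def validate(tx: dict, seen: set, max_amount: float = 10_000.0) -> list:
    """Field validation, reasonableness test and once-only check for one transaction."""
    problems = []
    if not isinstance(tx.get("doc_no"), int):
        problems.append("doc_no missing or not numeric")
    if tx.get("amount", 0) <= 0:
        problems.append("amount must be positive")
    elif tx["amount"] > max_amount:
        problems.append(f"amount {tx['amount']} exceeds reasonableness limit {max_amount}")
    if not tx.get("account"):
        problems.append("account missing")
    if tx.get("doc_no") in seen:
        problems.append("duplicate document (entered more than once)")
    return problems


def process_batch(header: BatchHeader, transactions: list) -> Result:
    """Reconcile the batch to its slip, validate each item, report rejects for re-input."""
    res = Result()
    seen = set()
    # Completeness: every pre-numbered document in the range must be present.
    counts = Counter(tx.get("doc_no") for tx in transactions)
    for doc in range(header.first_doc, header.last_doc + 1):
        if counts[doc] == 0:
            res.error_log.append(f"{header.batch_id}: document {doc} missing from batch")
    # Control total reconciliation: count and amount as keyed vs. the batch slip.
    entered_amount = round(sum(tx.get("amount", 0) for tx in transactions), 2)
    if len(transactions) != header.expected_count:
        res.error_log.append(
            f"{header.batch_id}: count {len(transactions)} != expected {header.expected_count}")
    if entered_amount != header.expected_amount:
        res.error_log.append(
            f"{header.batch_id}: amount total {entered_amount} != expected {header.expected_amount}")
    # Item-level validation; rejects are reported, never silently dropped.
    for tx in transactions:
        problems = validate(tx, seen)
        if problems:
            res.exceptions.append({"doc_no": tx.get("doc_no"), "reasons": problems})
        else:
            res.accepted.append(tx)
        seen.add(tx.get("doc_no"))
    return res


# Constructed sample batch: doc 1003 keyed twice, 1004 missing, 1005 fails reasonableness.
SAMPLE_HEADER = BatchHeader("B-0427", expected_count=5, expected_amount=1750.00,
                            first_doc=1001, last_doc=1005)
SAMPLE_TRANSACTIONS = [
    {"doc_no": 1001, "account": "4100", "amount": 250.00},
    {"doc_no": 1002, "account": "4100", "amount": 300.00},
    {"doc_no": 1003, "account": "4200", "amount": 400.00},
    {"doc_no": 1003, "account": "4200", "amount": 400.00},
    {"doc_no": 1005, "account": "4300", "amount": 12000.00},
]

if __name__ == "__main__":
    r = process_batch(SAMPLE_HEADER, SAMPLE_TRANSACTIONS)
    print("accepted:", [t["doc_no"] for t in r.accepted])
    print("exception report:", r.exceptions)
    print("error log:", r.error_log)
```

Note what the sample shows: the record count agrees with the slip (five keyed, five expected) even though one document is missing and another is duplicated, so a count total alone would pass this batch. The document sequence check and the amount control total are what expose the substitution, which is why the slides list several input controls rather than one.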
Data and Transaction Objectives
Output
–Hard copy
–File output
–On-line enquiry files
Primary Objectives
–Assurance that the results of Input and Processing are output
–Output is available only to authorized personnel
Typical Controls
–Complete audit trail
–Output distribution logs
Data and Transaction Objectives
Integrity of programs and processing
Change Control
–Prevention of unwanted changes
–Ensuring adequate design and development control
–Ensuring adequate testing
–Controlled program transfer
–Ongoing maintainability of systems
Data and Transaction Objectives
Systems Development
Typical Controls
–Use of a formal SDLC
–User involvement
–Adequate documentation
–Formalized testing plan
–Planned conversion
–Use of post-implementation reviews
–Establishment of a QA function
–Involvement of Internal Auditors
Polling Question 1
Changing Objectives
Early days - Batch only
–All inputs collected centrally
–Input together in "batches"
–Normally punched cards
–May be entered via terminal with update taking place in batch mode
–Primary control objectives
Accuracy
Completeness
Changing Objectives
Nowadays
–On-line, Real-time input with a small batch component
–Input via a terminal
–Instantaneous update
–Overnight report production
–Terminals may be local or remote
–Terminals may be dial-up or dedicated
–Terminals may be differing types
–Primary control objectives
Availability
Security
Confidentiality
Accuracy
Communications
Microwave
Satellite
Cables
–Dedicated
–Dial-up
Line operations
–Digital to analogue
–Simplex - one way only
–Half-duplex - one way at a time
–Duplex - two way communications
Wireless
Communications
Synchronous Communications
–High speed transmission and reception of long groups of characters
Asynchronous Communications
–Slow, irregular transmissions, one character at a time with start and stop bits
Encryption
–Scrambling of data into unreadable forms such that it can be unscrambled
Protocol
–A set of rules for message transmission in the network
Network Types
Private Public Switched (PSNs)
Value Added (VANs)
Local Area (LANs)
Wide Area (WANs)
The Internet
The Cloud
Network Configurations
Point-to-Point
–Separate, direct links
Multidrop
–Multiple terminals sharing a single line
Ring Networks
–No central computer, each machine is a "node"
Star Networks
–Single central computer coordinating all communications
Cloud Configurations
Infrastructure as a Service
Platform as a Service
Applications and Software as a Service
Online Service Capabilities
On-line enquiry
Allows a remote user to retrieve data directly
–Primary concern - Confidentiality
On-line data entry
Remote entry of data
Allows concurrent processing of data
–Primary concerns
Transaction authenticity
Accuracy
Completeness
Online Service Capabilities
On-line update
As per on-line data entry but with immediate effect
–Primary concerns
Concurrency control
Availability
Basic Online Concerns
Availability
Security
–Unauthorized access
–Accidental or intentional changes
Security threatened areas
–Operating system
–Management features
–Inter-computer communication
–Dial-up access
–Gateways
–Poor performance
Availability
Availability of
–Hardware components
–Software
–Data
–Networking capability
–Human resources
Availability
Ensured by
–Adequate physical environment
–Adequate backups
–Multiple redundancies
–Peer-to-peer networking
–Adequate Disaster Recovery Planning
–Training
Security
A factor of
–Hardware
–Software
–Human element
Hardware
–Theft
–Sabotage
–Penetration
Operating System Software
–Theft
–Corruption
–Bypassing
Security
Applications Software
–Theft
–Corruption
–Bypassing
–Substitution
Data
–Theft
–Corruption
–Substitution
–Manipulation
Sources of Security Risk
Insiders - Users
Insiders - Specialists
Outsiders - Legitimate
Outsiders - Hackers
Polling Question 2
Programming Computers
Programming languages
Who programs?
The SDLC
Change Control
Problem Management
Programming Languages
Binary Programs
–0110 1001 1110 0101
–0001 0101 0101 0011
Then Symbolic Code
–PACK RATE,RATE1
–L HRS,HRS1
–MVC REG,4
FORTRAN
–PAY:
REGPA=RATE*HOURS
CALL TXCAL
DED=WITTX+UIF+INS+PENS
More Languages
COBOL
–NET-PAY-CALC-ROUTINE.
MULTIPLY RATE BY HOURS-WORKED
GIVING NORMAL-PAY
Future
–4th Generation Languages
–5th Generation Languages
–No Languages?
–Artificial Intelligence
Programs
Source Code
Object Code
Executable Code
Compilers
Assemblers
Interpreters
Program Processes
Analyze
Design
Code
Test
Retest
Redesign
Retest
Run
Audit
The SDLC
Used to control the generation of programmed systems
Objective - to produce a quality system, as specified, on time, within budget
Primary phases
Feasibility study
Outline system design
Detailed system design
Code
Test
Implement
Post-implementation Review
SDLC Problems
–Availability of user staff
–Access to the right level of staff
–"Technology lust"
–Over extended timescales
–Inexperienced staff
–Timescale problems
Too long between milestones
Key staff change
Business objectives change
Costs escalate
Hardware / software may become obsolete
Conversion Activities
Acquisition of data
Identification of sources
Development of conversion programs
Sanitization of input data
Maintenance of current systems
File conversion
Major task
–Requires strict control
–May jeopardize the whole project
–Rubbish in - rubbish out
–Audit involvement essential
Polling Question 3
Systems Development Exposures
–Erroneous management decisions
–Unacceptable accounting policies
–Inaccurate record keeping
–Business interruption
–Built-in fraud
–Violation of legal statutes
–Excessive operating cost
–Inflexibility
–Overrun budgets
–Unfulfilled objectives
Causes
–Incomplete economic evaluation
–Management abdication
–Inadequate specifications
–Systems design errors
–Incompetent personnel
–Technical self-gratification
–Poor communications
–No project "kill" points
–Temptations to computer abuse
–Incoherent direction
Project Management
–Agreed schedules / Schedule review
–Work assignment
–Performance monitoring
–Progress monitoring
–Status reporting and follow-up
–Project planning elements
–Project guidelines
–Work breakdowns
–Start and completion dates
–A monitoring mechanism
Change Control
Objective - to ensure risk is controlled, not introduced, during a change
–All changes are authorized
–All authorized changes are made
–Only authorized changes are made
–All changes are as specified
–All changes are cost-effective
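The four change-control assertions above (all changes authorized, all authorized changes made, only authorized changes made, all changes as specified) are usually tested by reconciling the change register to the production program library. The following is an added example, not part of the AuditNet/Cascarino material: it compares library fingerprints taken at the last review with today's fingerprints and with the hash of each tested, signed-off version recorded on the change register. The register layout, program names, change numbers and the bytes hashed in place of real program sources are all constructed for illustration.

```python
"""Change-control reconciliation: register of authorized changes vs. production library.

Added example; it is not part of the AuditNet/Cascarino slides. The change
register layout, the program names and the hashes are constructed for
illustration (the bytes hashed below stand in for real program sources).
"""
import hashlib


def sha256_hex(content: bytes) -> str:
    """Fingerprint of a program version; in practice taken from the library member itself."""
    return hashlib.sha256(content).hexdigest()


# Library fingerprints taken at the previous review (constructed).
BASELINE = {
    "PAYCALC": sha256_hex(b"PAYCALC v1"),
    "TAXCALC": sha256_hex(b"TAXCALC v1"),
    "INVUPD": sha256_hex(b"INVUPD v1"),
    "GLPOST": sha256_hex(b"GLPOST v1"),
}

# Change register: one row per authorized change, carrying the fingerprint of the
# version that was tested and signed off ("as specified").
CHANGE_REGISTER = [
    {"change": "CR-101", "program": "PAYCALC", "approved_hash": sha256_hex(b"PAYCALC v2 tested")},
    {"change": "CR-102", "program": "TAXCALC", "approved_hash": sha256_hex(b"TAXCALC v2 tested")},
    {"change": "CR-103", "program": "INVUPD", "approved_hash": sha256_hex(b"INVUPD v2 tested")},
]

# What the production library holds today (constructed): PAYCALC matches its approved
# version, TAXCALC was altered after testing, INVUPD was never transferred, and
# GLPOST changed without any change record.
DEPLOYED = {
    "PAYCALC": sha256_hex(b"PAYCALC v2 tested"),
    "TAXCALC": sha256_hex(b"TAXCALC v2 edited in production"),
    "INVUPD": sha256_hex(b"INVUPD v1"),
    "GLPOST": sha256_hex(b"GLPOST v1 patched"),
}


def reconcile(register: list, baseline: dict, deployed: dict) -> dict:
    """Test the change-control assertions: every authorized change was made, each was
    made as specified, and nothing changed without authorization."""
    findings = {"ok": [], "not_made": [], "not_as_specified": [], "unauthorized": []}
    authorized = {row["program"] for row in register}
    for row in register:
        prog, current = row["program"], deployed.get(row["program"])
        if current is None or current == baseline.get(prog):
            findings["not_made"].append(row["change"])          # still the old version
        elif current != row["approved_hash"]:
            findings["not_as_specified"].append(row["change"])  # not the tested version
        else:
            findings["ok"].append(row["change"])
    for prog, current in deployed.items():
        if current != baseline.get(prog) and prog not in authorized:
            findings["unauthorized"].append(prog)               # changed with no authorization
    return findings


if __name__ == "__main__":
    for category, items in reconcile(CHANGE_REGISTER, BASELINE, DEPLOYED).items():
        print(f"{category}: {items}")
```

The fingerprint of the tested version has to be captured at sign-off, before the transfer to production; a register that only records "change approved" without it can confirm that something was changed, but not that what runs in production is what was tested.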
Problem Management
Objective - to control systems during emergency situations
–Unforeseen changes
–Bypass normal control mechanisms
–May require direct programmer access to live data
–Must be controlled separately
–Must involve user authorization
Databases
Definition of Terms
–Database
a collection of data logically organized to meet the information requirements of a universe of users
–Database Management System (DBMS)
a hardware/software system which manages data by providing organization, access and control functions
–Data Dictionary / Data Directory Systems (DD / DS)
the software which manages a repository of information about data and the data base environment
–Database Administration
a human function involved in the co-ordination and control of data related activities
Databases
Definition of Terms
–User System Interfaces
components of the data base environment which request, manipulate and transform data into information for an end user
–Data Structure
the interrelationships of data
–Storage Structures
methods and techniques used to physically represent data structures on storage devices
–Access Methods
software logic procedures used to retrieve, insert, modify and delete data on a storage device
Database Types
Sequential
Hierarchical
Network
Relational Model
Components
–Data Definition Language (DDL)
–Storage Structure Definition Language (SSDL)
–Data Manipulation Language (DML)
–DBMS Nucleus and Utilities
Sequential Approach
Fundamental Assumption
–There is a Direct Relationship between data
Hierarchical Approach
Fundamental Assumption
–There is some Hierarchical Relationship between data
Terminology
Root Segment
Parent Segment
Child Segment
Twins
Network Approach
Fundamental Assumption
–There is some General Relationship between data
Terminology
–Records / Pointers
Note: Any Structure may be defined
Records may contain multiple fields
Relational Model
Fundamental Assumption
–There is some Mathematical Relationship between data
Employee Table
–Emp No, Dept No, Name
Dept Table
–Dept No, Name
The DBA
Database Administrator
Functions Of The DBA
–Co-ordinating the information content of the database
–Deciding the storage structure and access strategy
–Liaising with users
–Defining authorization checks and validation procedures
–Defining a strategy for back-up and recovery
–Monitoring performance and responding to changes in requirements
Tools of the DBA
Utility Programs
–Loading
–Reorganization Routines
–Statistical Analysis
–Journaling (e.g., Logs)
–Recovery
Data Dictionary
Database Analyzers
Database Recovery
When? / Examples
–Action Failure - Insert, Replace, Delete
–DB Operation Fails - Insert, Replace, Delete
–Transaction Failure - Deadlock
–System Failure - Power, Hardware, Software
–Media Failure - Head Crash
Recovery Criteria
Reinstate Databases to a known state
Minimize lost work
Allow recovery on a transaction basis
Provide fast recovery
Minimize manual work
Ensure safety of recovery data
Provide mechanism to inform users of "lost" transactions
Cater for various types of failures
Recovery Tools
The Recovery Log
The Checkpoint
The Database Dump
Database Restart/Recovery Software
Recovery Logs
Before/after images of the recovery log
–Before Image - Content
Image of Data before modification
Date/Time of change
Processing Program Id of modifying transaction
May be written to Recovery Log stored on a direct access file
–Before Image - Function
Applied to point in time of failure of the environment
Applied to Database to "back out" faulty update transactions
Establishes Database to most recent Quiet Point (Checkpoint)
After Image Logs
After Images - Content
–Image of data after modification
–Date/Time of change
–Processing Program id of modifying transaction
After Images - Function
–Applied to reloaded Database dump
–Brings the Database forward in time to the last checkpoint or point of failure
Database Checkpoint taken at a quiet point of the database (i.e., all update activity has terminated)
Buffers are flushed and update transactions are queued until checkpoint is taken
Checkpoints
Database Checkpoints can be taken at anytime
May be difficult to synchronize with O/S Checkpoints
May be procedurally initiated by application programs
May be automatically initiated by algorithm
–Elapsed Time
–Transactions processed
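The recovery log, before/after images and checkpoints described on the preceding slides fit together in one procedure: reload from the last quiet-point snapshot, roll forward with after-images, then back out whatever was still in flight with before-images. The following is an added example, not part of the AuditNet/Cascarino material, using a toy in-memory key/value database whose every write is logged before it is applied. The log record layout, the transaction and program identifiers and the failure scenario are assumptions constructed for illustration.

```python
"""Before/after-image recovery log with checkpoints, applied to a toy database.

Added example; it is not part of the AuditNet/Cascarino slides. The log record
layout, the in-memory key/value "database" and the sample transactions are
assumptions made for illustration.
"""
import copy
from datetime import datetime, timezone


class RecoveryLog:
    """Append-only log holding one before/after image per update, plus transaction
    markers and checkpoint records (the slides' Recovery Log and Checkpoint)."""

    def __init__(self):
        self.records = []

    def _append(self, rec: dict) -> None:
        rec["time"] = datetime.now(timezone.utc).isoformat()  # date/time of change
        self.records.append(rec)

    def begin(self, txid: str, program: str) -> None:
        self._append({"type": "BEGIN", "tx": txid, "program": program})

    def update(self, txid: str, program: str, key: str, before, after) -> None:
        # Keep both images: the before-image backs out a faulty transaction,
        # the after-image rolls a reloaded dump forward.
        self._append({"type": "UPDATE", "tx": txid, "program": program, "key": key,
                      "before": copy.deepcopy(before), "after": copy.deepcopy(after)})

    def commit(self, txid: str) -> None:
        self._append({"type": "COMMIT", "tx": txid})

    def checkpoint(self, db: dict, active: set) -> None:
        # Quiet point: buffers are flushed, so the snapshot is consistent; the set of
        # still-open transactions is recorded so they can be backed out if needed.
        self._append({"type": "CHECKPOINT", "snapshot": copy.deepcopy(db), "active": set(active)})


class ToyDatabase:
    """Key/value store in which every write is logged before it is applied (write-ahead)."""

    def __init__(self, log: RecoveryLog):
        self.data, self.log, self.active = {}, log, set()

    def begin(self, txid: str, program: str) -> None:
        self.active.add(txid)
        self.log.begin(txid, program)

    def put(self, txid: str, program: str, key: str, value) -> None:
        self.log.update(txid, program, key, self.data.get(key), value)
        self.data[key] = value

    def commit(self, txid: str) -> None:
        self.log.commit(txid)
        self.active.discard(txid)

    def checkpoint(self) -> None:
        self.log.checkpoint(self.data, self.active)


def recover(log: RecoveryLog) -> dict:
    """Rebuild the database after a failure: start from the last checkpoint snapshot,
    roll forward with after-images, then back out uncommitted work with before-images."""
    records = log.records
    cp = max((i for i, r in enumerate(records) if r["type"] == "CHECKPOINT"), default=-1)
    db = copy.deepcopy(records[cp]["snapshot"]) if cp >= 0 else {}
    active = set(records[cp]["active"]) if cp >= 0 else set()
    for r in records[cp + 1:]:                      # roll forward from the checkpoint
        if r["type"] == "BEGIN":
            active.add(r["tx"])
        elif r["type"] == "UPDATE":
            db[r["key"]] = copy.deepcopy(r["after"])
        elif r["type"] == "COMMIT":
            active.discard(r["tx"])
    for r in reversed(records):                     # back out transactions still open at failure
        if r["type"] == "UPDATE" and r["tx"] in active:
            if r["before"] is None:
                db.pop(r["key"], None)
            else:
                db[r["key"]] = copy.deepcopy(r["before"])
    return db


def demo() -> dict:
    """Constructed scenario: T1 commits before the checkpoint, T2 commits after it,
    and T3 is still in flight when the system fails."""
    log = RecoveryLog()
    db = ToyDatabase(log)
    db.begin("T1", "PAYROLL01")
    db.put("T1", "PAYROLL01", "emp:100", {"rate": 20})
    db.commit("T1")
    db.checkpoint()
    db.begin("T2", "PAYROLL02")
    db.put("T2", "PAYROLL02", "emp:100", {"rate": 22})
    db.commit("T2")
    db.begin("T3", "ADHOC")
    db.put("T3", "ADHOC", "emp:100", {"rate": 99})
    db.put("T3", "ADHOC", "emp:200", {"rate": 5})
    # simulated power failure here: T3 never commits, so its changes must be backed out
    return recover(log)


if __name__ == "__main__":
    print(demo())  # {'emp:100': {'rate': 22}}
```

The backout pass walks the whole log, not just the part after the checkpoint, because a transaction that was open at checkpoint time may have updates on both sides of it; the snapshot already contains those updates and the before-images are the only way to remove them. That is also why the checkpoint record carries the list of open transactions.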
Polling Question 4
Computer Security
What is Computer Security?
–Security around and within
The computer and associated equipment
The people using it
–Federal Information Processing Standards (FIPS) Publication 102
Computer Security: "The quality exhibited by a computer system that embodies its protection against internal failures, human errors, attacks, and natural catastrophes that might cause improper disclosures, modification, destruction, or denial of service".
Attempts at unauthorized access
The use of data-processing resources for unauthorized purposes
Scope of Security
Physical security
Personnel security
Data security
Application software security
Systems software security
Tele-communications security
Scope of Security
Computer operations security
Vital records retention
EDP insurance
Outside contract services
Disaster recovery plans
Computer crime and fraud
Security Myths
Computer security is a technical problem
Security breakdowns only happen to other firms
The major threat is the data processing staff
The major threat is outsiders
Only a computer wizard can perpetrate a computer fraud
Computer security is physical security
It's not my problem
Security Controls
Procedural Controls
Workstation Security
Communications Security
Encryption
Message authentication
Reconciliation
Polling Question 5
Computer Operations
Responding To Equipment Failures
Production Of Backup Copies as Defined
Restoration From Backup when Authorized
Handling "unpredictable" Conditions
Computer Operations
Mounting And Dismounting Data Files
Loading Paper Into Printers
Aligning Special Forms
Scheduling Runs
Loading Programs
Balancing Run Priorities
Responding To Operating System Prompts
Responding To Application System Prompts
Maintaining Incident Logs
Performing Routine Housekeeping Tasks
File and Program Libraries
On-line vs. Off-line
Remote Site Libraries
–Program Source vs. Object Code
–Automated Library Functions
–Segregation of Duties
–Output Distribution
Dispatch of hard copy
Control over spool files
Networked printers
Destruction of confidential scrap
Operations Exposures
Human error
–Data entry
–Console entry
–Wrong generations of files
–Wrong versions of programs
–Media damage in handling
Hardware failure
Software failure
Computer abuse
Disasters
Operations Controls
Run Controls
Predefined run schedules
Computer and manual run logs
System performance statistics
Budgetary controls
Supervision
Operations Controls
Segregation of duties
IT cannot initiate transactions
Systems and programming independent from operations
Programmers cannot operate the machine
Operators cannot access file libraries
IT librarian an independent function
IT staff have no control over corporate assets
Operations staff should be rotated
Operations staff must take holidays
Operators should not attempt to correct programs
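The segregation-of-duties rules above can be turned into a conflict matrix and run against an access listing, which is how an auditor would test them across a whole department rather than by interview. The following is an added example, not part of the AuditNet/Cascarino material: it flags any user holding two incompatible duties and, for the rotation and holiday rules, anyone with no leave recorded in the past year. The duty names, the conflict matrix, the users, their assignments, the leave dates and the review date are assumptions constructed to mirror the rules on the slide.

```python
"""Segregation-of-duties and staff-rotation checks over a constructed access listing.

Added example; it is not part of the AuditNet/Cascarino slides. The duty names,
the conflict matrix, the user assignments and the leave dates are assumptions
constructed to mirror the rules on the slide above.
"""
from datetime import date
from itertools import combinations

# Incompatible duty pairs, each mapped to the slide rule it enforces (constructed mapping).
CONFLICTS = {
    ("initiate_transactions", "it_staff"): "IT cannot initiate transactions",
    ("operator", "programmer"): "Programmers cannot operate the machine",
    ("file_library_access", "operator"): "Operators cannot access file libraries",
    ("librarian", "programmer"): "IT librarian is an independent function",
    ("librarian", "operator"): "IT librarian is an independent function",
    ("asset_custody", "it_staff"): "IT staff have no control over corporate assets",
    ("operator", "program_correction"): "Operators should not attempt to correct programs",
}


def sod_violations(assignments: dict) -> list:
    """Return (user, duty_a, duty_b, rule) for every user who holds two incompatible duties."""
    found = []
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            rule = CONFLICTS.get((a, b)) or CONFLICTS.get((b, a))
            if rule:
                found.append((user, a, b, rule))
    return found


def leave_exceptions(last_leave: dict, as_of: date, max_days: int = 365) -> list:
    """Users whose last leave is older than max_days. Enforced holidays are a detective
    control: a job that nobody else ever runs is a place where errors and abuse stay hidden."""
    return sorted(user for user, last in last_leave.items() if (as_of - last).days > max_days)


# Constructed listing: bob and dave combine incompatible duties; erin is a business user.
SAMPLE_ASSIGNMENTS = {
    "alice": {"programmer", "it_staff"},
    "bob": {"operator", "it_staff", "program_correction"},
    "carol": {"librarian"},
    "dave": {"programmer", "operator", "it_staff"},
    "erin": {"initiate_transactions", "asset_custody"},
}
SAMPLE_LEAVE = {"bob": date(2014, 1, 15), "carol": date(2013, 12, 20), "dave": date(2015, 3, 1)}
AS_OF = date(2015, 4, 27)  # review date, constructed

if __name__ == "__main__":
    for user, a, b, rule in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"{user}: {a} + {b} -> {rule}")
    print("no leave in 12 months:", leave_exceptions(SAMPLE_LEAVE, AS_OF))
```

Real access listings come from the operating system, the library manager and the application security tables separately, so the duties in the dictionary are normally derived by mapping each system's groups onto the duty names first; the conflict matrix itself should be agreed with management before the test is run, since it is the matrix, not the script, that embodies the control.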
Polling Question 6
Overall IT Objectives
• IT Control
• IT Effectiveness
• IT Efficiency
• IT Auditability
Questions?
• Any Questions?
Don’t be Shy!
Coming Up Next
IT AUDIT BASIC
2. IT Basics Auditing Database Structures Apr 30
3. IT Basics Audit use of CAATs May 5
4. Auditing Contingency Planning May 7
5. IT Fraud and Countermeasures May 12
IT AUDIT ADVANCED
1. Advanced IT Audit Risk Analysis for Auditors May 14
2. Advanced IT Audit Securing the Internet May 19
3. Advanced IT Audit IT Security Reviews May 21
4. Advanced IT Audit Performance Auditing of the IT Function May 26
5. Advanced IT Audit Managing the IT Audit Function May 28
Thank You!
Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497 [email protected]
Jim Kaplan
AuditNet LLC®
800-385-1625
www.auditnet.org