
Copyright © 2014 AuditNet® and Richard Cascarino & Associates

AuditNet® Training without Travel™ Auditing Contingency Planning May 7 2015

Guest Presenter: Richard Cascarino, MBA, CIA, CISM, CFE, Richard Cascarino & Associates


Jim Kaplan CIA CFE

• President and Founder of AuditNet®, the global resource for auditors (now available on Apple and Android and Windows devices)

• Auditor, Web Site Guru

• Internet for Auditors Pioneer

• Recipient of the IIA’s 2007 Bradford Cadmus Memorial Award.

• Author of “The Auditor’s Guide to Internet Resources” 2nd Edition


Richard Cascarino MBA CIA CISM CFE

• Principal of Richard Cascarino & Associates based in Colorado USA

• Over 30 years' experience in IT audit training and consultancy

• Past President of the Institute of Internal Auditors in South Africa

• Member of ISACA

• Member of Association of Certified Fraud Examiners

• Author of Auditor's Guide to IT Auditing


Webinar Housekeeping

• This webinar and its material are the property of AuditNet® and Richard Cascarino and Associates. Unauthorized usage or recording of this webinar or any of its material is strictly forbidden. We are recording the webinar and you will be provided with a link access to that recording as detailed below. Downloading or otherwise duplicating the webinar recording is expressly prohibited.

• Webinar recording link will be sent via email within 5-7 business days.

• NASBA rules require us to ask polling questions during the Webinar, and CPE certificates will be sent via email to those who answer ALL the polling questions.

• The CPE certificates and link to the recording will be sent to the email address you registered with in GTW. We are not responsible for delivery problems due to spam filters, attachment restrictions or other controls in place for your email client.

• Submit questions via the chat box on your screen and we will answer them either during or at the conclusion.

• After the Webinar is over you will have an opportunity to provide feedback. Please complete the feedback questionnaire to help us continuously improve our Webinars

• If GTW stops working you may need to close and restart. You can always dial in and listen and follow along with the handout.


Disclaimers

• The views expressed by the presenters do not necessarily represent the views, positions, or opinions of AuditNet® or the presenters’ respective organizations. These materials, and the oral presentation accompanying them, are for educational purposes only and do not constitute accounting or legal advice or create an accountant‐client relationship. 

• While AuditNet® makes every effort to ensure information is accurate and complete, AuditNet® makes no representations, guarantees, or warranties as to the accuracy or completeness of the information provided via this presentation. AuditNet® specifically disclaims all liability for any claims or damages that may result from the information contained in this presentation, including any websites maintained by third parties and linked to the AuditNet® website.

• Any mention of commercial products is for information only; it does not imply recommendation or endorsement by AuditNet®


Today’s Agenda

• What is a Disaster?

• What is a Disaster Recovery Plan?

• Who is Accountable?

• What are the Options?

• What is the cost?

• How can a Contingency Plan be tested?

• What is Management's Role?

• What is the User's Role?

• What is the Information Services Role?

• What is the Internal Auditor's Role?


Before and After

Perhaps the best prepared organizations are the ones that have lived through a calamity.


The Risks

• Fire
• Flood
• Building collapse
• Explosion
• Industrial failure
• Power failure
• Loss of data
• Deliberate sabotage


Computer Abuse

• Deliberate action by staff
• "Hacking" into systems
• Internet penetration
• EDI abuse


DISASTER - A

Loss of:
• People
• Building
• Factories
• Finance
• Credibility
• Materials
• Computers

Causes:
• Explosion
• Aircraft crash
• Total fire
• Flood
• Industrial action
• Earthquake
• Sabotage


DISASTER - B (temporary loss)

Loss of:
• Hardware
• Software
• In-house data

Causes:
• Explosion
• Fire
• Flood
• Industrial action


DISASTER - C

Loss of:
• Software and the ability to recover
• In-house data

Causes:
• Explosion
• Fire
• Flood
• Freak atmospheric force
• Deliberate destruction
• Bad systems design
• Poor operating standards


DISASTER - D

Loss of:
• Software - partial loss only, and the inability to recover

Causes:
• Computer operational error
• Deliberate destruction
• Bad systems design
• Poor operating standards


Consequences of Disruption

• Inefficiency: production control, lost production, schedule disruption
• Legal: penalty clauses
• Ill-will: customers, shareholders, staff
• Loss of revenues: delays in invoicing, lost interest, lost sales, lost future business
• Incurred costs: extra manning, interest on loans, loss of discount


DRP Status

2011 Survey by RC&A

                 Mainframe   LANs   Cloud
DRP in place        77%       51%    35%
Planning            18%       18%    29%
No plans             5%       30%    32%

Having a plan does not mean it works.


The Future

• Increasing dependence on Cloud systems
• Integrated data warehouses
• Integrated office automation
• EDI
• Internet trading
• DRP must be considered during systems planning


Corporate Survival

• Men
• Money
• Materials
• Machines
• Methods
• All resources


Corporate Survival

Not a computer problem. Therefore the responsibility of:

• The board
• Executive management
• Senior management
• Junior management
• Users
• The cleaning staff


The Computer Role

• A prime resource
• Expertise needed
• Recovery not instantaneous
• Return to normal even longer
• In-depth planning required
• One objective - survival


A Plan must be

• Comprehensive
• Dynamic
• Useable
• Relevant
• Tested
• Up to date
• Known


A Disaster can be

• Application dependent
• Calendar dependent
• Installation dependent

Total loss: probability is low, impact on business is high.

Minor loss: probability is high, impact on business is low.


How to Get Started

• Establish terms of reference
• Identify emergency lines of reporting
• Establish emergency strategy

Terms of reference: it must be firmly recognized and accepted that policy decisions and overall responsibility rest entirely with top management.


Disaster Planning

3 levels of concern:
• Hardware reliability
• Software and data integrity
• Loss of facility

Why has loss of facility become the predominant concern?


Preparedness for a Disaster

• Poor: organisation highly vulnerable to damage to its data processing capability; could jeopardize corporate survival

• Weak: disaster would result in conspicuous interruption of IT services; could result in loss of business

• Adequate: organisation could recover from the loss of computer capabilities at some cost and public embarrassment

• Good: organisation could recover from the loss of computing capability with some cost but little embarrassment

• Very good: organisation is ready for virtually any eventuality; disaster should have no material effect on the business


Contingency Plan

• Board-level sponsor required
• Committee or individual
• Identify the key systems and prioritize: 24 hours, 2-3 days, 1 week, 1 month, never?
• Calendarized


The Methodology

• Risk analysis
• Develop the plan outline
• Establish the recovery team
• Resource analysis
• Selection of backup facilities
• Documenting the plan / procedures / tasks
• Prepare off-site storage
• Test and educate
• Maintain and review


Risk Analysis

Must be:
• Simple
• Quick
• Easily understood
• Easily updated

Must cover all systems: manual and automated

Must determine dependencies


Planning - 1

Define:
• Purpose
• Scope
• Strategy

Determine recovery requirements:
• Which jobs
• In which order
• What resources

Arrange backup site:
• Hot
• Warm
• Cold


Planning - 2

• Define recovery activities
• Define responsibilities and staffing
• Define procedures to test and maintain
• Test and amend

Possible strategies:
• Fallback to manual - rarely possible
• Fallback within the organisation - effective but expensive
• Reciprocal agreements - many inherent problems


Minimum Requirements to Recover

• Copies of files
• Copies of programs
• Operating system
• Documentation
• Alternate facility
• Contingency plan


Where to Start

Model the business: Accounting, Marketing, Payroll, Production, MIS

How do we identify critical applications?

Disaster Recovery Planning is a Business Problem!


Model the Business

• Identify data flow and dependencies
• Identify the critical business performance areas (critical success factors)

Business areas: Accounting, Marketing, Payroll, Production, MIS


Identify the Critical Systems

Also dependent systems (including manual)

Business areas: Accounting, Marketing, Payroll, Production, MIS

Plan for the DRP when you plan for the system, at the Feasibility Study stage.


Making the First Move

• Establish the terms of reference: it must be firmly recognised and accepted that policy decisions and overall responsibility rest entirely with top management
• Identify emergency lines of reporting
• Establish emergency strategies


Need to Define

• Allocation of responsibility
• List of all possible perils
• Study of all components under threat
• Effectiveness of existing defences
• High risk / high exposure areas
• Current insurance position
• Management awareness levels


Components Include

• Hardware
• Systems software
• Application software
• Data
• Data storage media
• Documentation
• Stationery
• People


Also Affected

• Cash flow
• Vulnerable remote sites
• Contracts / commitments
• Telecomms and networks
• Buildings
• Services
• Manual interfacing systems


Work in Progress

Systems under development should be accounted for:
• Time schedules
• Location of all documentation
• Test versions of systems
• SDLC status reports


Documentation

• Must be up-to-date
• Must be stored securely
• Must record known weaknesses
• Must reflect dependencies
• Must reflect changes
• Must include authority levels


Insured Areas for Review (1)

Schedule of cover

Damage or loss to/of:
• Property
• Plant and equipment
• Computer hardware
• Computer software and data
• Documentation
• Key personnel

Degree of damage: slight to total loss


Insured Areas for Review (2)

Protection:
• Against computer misuse
• Of misuse of data
• Of disclosure of data
• Against other organizations' consequential claims


Insured Areas for Review (3)

Loss of people, including:
• Public liability
• Employers' liability
• Business interruption

• General exceptions
• General conditions
• Ongoing declarations


Lines of Reporting

In an emergency:
• Who is in charge?
• What is their role?
• Who is their backup?
• Who are the key personnel?
• What autonomous groups exist?
• Who maintains the plan?


Emergency Strategies

Must contain alternatives

Apply to:
• Key systems
• Disaster potential
• Disruption periods

Define impact of a DP area disaster on all operating areas


Strategies Defined Under:

• Pre-planning definition stage
• Functional requirements stage
• Design stage
• Implementation stage
• Testing stage
• Continuity and maintenance stage


Teams Involved

• Management team
• User team
• Facilities team
• Telecomms team
• Systems software team
• Operations team
• Hardware team
• Recovery team


Identify Types of System - IT

By operating objectives:
• Centralised
• Stand-alone
• Distributed
• Real time
• On-line
• Batch

Together with degrees of priority


Categorize Systems

• Effect of stoppage identified
• Essential interfacing systems identified (computer and manual)
• Document all systems
• Priorities to include: business loss rating, alternative service level required, maximum down time


Other Systems - Manual

• Document all manual systems
• Identify relationships
• Effect of stoppage identified
• Check alternative: accommodation, people, stationery supplies, office equipment, control procedures


If only Limited Resources Available

• Grade systems for recovery
• Agree with management
• Dependencies must be taken account of
• Documentation must be archived
• Run priorities agreed with management (these may vary by time period)
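The grading, dependency and time-period points above (and the "maximum down time" priority from Categorize Systems) can be checked mechanically once the inventory is written down. The following Python is an added illustration, not material from the slides or from RC&A: each system carries a maximum tolerable downtime (MTD) agreed with management, optionally varied by period such as month end, and the systems it cannot run without. The code tightens MTDs down each dependency chain (a prerequisite can never be allowed a longer outage than anything relying on it), reports the systems whose agreed figure is looser than their dependents require, and produces a recovery order that restores prerequisites first and tighter deadlines earlier. The inventory, names and hours are constructed for the example.

```python
"""Recovery sequencing for the systems in a contingency plan.

Added illustration (not from the slides).  Each system carries a maximum
tolerable downtime (MTD, in hours) agreed with management, optionally
varied by period (e.g. month end), plus the systems it cannot run without.
"""
from __future__ import annotations

import heapq
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    mtd_hours: dict[str, float]          # {"default": h, "<period>": h, ...}
    depends_on: list[str] = field(default_factory=list)
    manual: bool = False                 # manual systems are dependencies too


def agreed_mtd(s: System, period: str) -> float:
    """MTD agreed for the given period, falling back to the default figure."""
    return s.mtd_hours.get(period, s.mtd_hours["default"])


def effective_mtd(systems: dict[str, System], period: str = "default") -> dict[str, float]:
    """Propagate deadlines downward: a prerequisite can never be allowed a
    longer outage than any system that relies on it.  Iterates to a fixed
    point; values only ever decrease, so this terminates even with cycles."""
    eff = {n: agreed_mtd(s, period) for n, s in systems.items()}
    changed = True
    while changed:
        changed = False
        for s in systems.values():
            for dep in s.depends_on:
                if dep not in systems:
                    raise KeyError(f"{s.name} depends on unknown system {dep!r}")
                if eff[dep] > eff[s.name]:
                    eff[dep] = eff[s.name]
                    changed = True
    return eff


def tightened_mtds(systems: dict[str, System], period: str = "default") -> dict[str, tuple[float, float]]:
    """Systems whose agreed MTD is looser than their dependents require:
    (agreed, required) pairs to take back to management as findings."""
    eff = effective_mtd(systems, period)
    return {n: (agreed_mtd(s, period), eff[n])
            for n, s in systems.items() if eff[n] < agreed_mtd(s, period)}


def recovery_order(systems: dict[str, System], period: str = "default") -> list[tuple[str, float]]:
    """Kahn's topological sort driven by a min-heap keyed on effective MTD,
    so that among systems whose prerequisites are already restored the
    tightest deadline is recovered first (ties break alphabetically)."""
    eff = effective_mtd(systems, period)
    indeg = {n: 0 for n in systems}
    dependents: dict[str, list[str]] = {n: [] for n in systems}
    for s in systems.values():
        for dep in s.depends_on:
            indeg[s.name] += 1
            dependents[dep].append(s.name)
    ready = [(eff[n], n) for n, d in indeg.items() if d == 0]
    heapq.heapify(ready)
    order: list[tuple[str, float]] = []
    while ready:
        mtd, name = heapq.heappop(ready)
        order.append((name, mtd))
        for child in dependents[name]:
            indeg[child] -= 1
            if indeg[child] == 0:
                heapq.heappush(ready, (eff[child], child))
    if len(order) != len(systems):
        stuck = sorted(n for n, d in indeg.items() if d > 0)
        raise ValueError(f"circular dependency among {stuck}")
    return order


# Constructed inventory for a hypothetical company; names and hours are
# illustrative and not taken from the slides.
SAMPLE = {s.name: s for s in [
    System("network",    {"default": 72}),
    System("directory",  {"default": 48}, ["network"]),
    System("production", {"default": 8},  ["network"]),
    System("timesheets", {"default": 24}, manual=True),
    System("payroll",    {"default": 24}, ["directory", "timesheets"]),
    System("accounting", {"default": 168, "month_end": 24}, ["directory"]),
    System("marketing",  {"default": 720}, ["directory"]),
    System("mis",        {"default": 720}, ["accounting", "production"]),
]}

if __name__ == "__main__":
    for period in ("default", "month_end"):
        print(period, [n for n, _ in recovery_order(SAMPLE, period)])
    print("MTDs to renegotiate (agreed, required):", tightened_mtds(SAMPLE))
```

In the constructed inventory the network was given a three-day MTD while production, which depends on it, was given eight hours; the check surfaces that as a finding rather than letting the plan carry the contradiction. The month-end run shows how the same inventory yields a different recovery sequence when accounting's deadline tightens, which is the "may vary by time period" point above.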


Backups

• For all systems?
• For essential systems only?

Required:
• Hardware
• Software
• People: specialists and users


Infrastructure

Infrastructure includes:
• Computer site
• Office accommodation
• Power and services
• Communications (computer and clerical)
• Air conditioning


Backup Operating Standards

• Run documentation
• Systems specs
• Program specs
• Source code
• Object code
• JCL
• Support documentation
• Control documentation
• Communication protocols


Points of Contact

• Who does what?
• Who is the backup?
• Who is needed for recovery?
• Who can declare a disaster?
• How can they be reached?


Identify User Data - IT

Storage media must be identified

Data elements must be classified by:
• Creation
• Organisation
• Retrieval type
• Importance
• Confidentiality
• Access restrictions


Data also Defined by:

• Method of processing
• Usage
• Presentation
• Active life span
• Location
• Disposal timescale
• Disposal method

Note also transitory data


Data Elements

• Interrelationships
• Validation rules
• Input and re-input procedures
• Interim processes
• Control requirements
• Security requirements


Grading of Data

• By application, therefore by strategic importance
• By alternate method of sourcing
• By degree of pain in loss
• By disruption period

Each application is therefore graded, but not all of its data is of the same importance.


Planning and Development Data

Not all data required is for processing:
• Test data for WIP
• Strategic plans of the site
• Administrative data for the site

All must be backed up


Preparation of Back-up Data

• The most important element
• Should be designed into application systems
• Should be an enforced standard
• Must be maintained safely
• Must be maintained securely


Acquisition

• Reputable vendors
• Support levels
• Second sourcing
• Internal backup
• Known backup sites
• Vendor's DRP policies


Contracts Should Include

• Equipment life span
• Maintenance agreements
• Environmental requirements
• Power requirements
• Power failure reaction
• Training schedule
• Safety and security measures


Register of Hardware Including:

• Importance in processing
• Location
• Availability of replacement
• Importance in DRP
• Needs of application systems
• Vendor
• Replacement lead time
• Purchase / lease / rental
• Insurance cover


Hardware Availability Assured by:

• Agreements with suppliers
• Standby sites
• Portable computer centres
• Reciprocal arrangements

Backup options:
• In-company backup
• Reciprocal arrangements
• Cold sites
• Warm sites
• Hot sites
• Manual procedures


For Recovery Establish:

• Minimum configuration required
• Continuity agreements with vendors
• Backup procedures agreed
• Compatibility of equipment
• Compatibility of firmware
• Security arrangements
• Testing of hardware backup


Consider Also

• Redundant hardware
• Dual control of peripherals
• Switchable comms
• Comms lines
• UPS
• Standby generators


Types of Stoppage

• Hardware failure
• Microcode failure
• Mechanical problem
• Power failure
• Damage
• Environmental failure
• Human error
• Building damage


Ancillary Equipment

• Switchboards
• Electrical equipment
• Power stabilizers
• Modems
• Data prep equipment
• Standby generators


Is it Useable?

• Review for obsolescence
• Spares may be unobtainable
• Backup may have to be secondhand
• Manuals may be missing
• Transport may be required


Systems Software

Software categories:
• Systems support software
• Compilers
• Utilities
• All other

Types:
• Source code
• Binary
• Executable


Systems Software

• Operating systems
• File back-up software
• File restore software
• Security software
• Communications software


Problem Areas

• Differing versions
• Configuration times
• Portability to backup sites
• Incompatibility of minor programs
• Frequency of use
• Work in progress


Software Data Required

• Supply source
• Release level and date
• Security classification
• Support criteria
• Amendments made
• Contingency arrangements
• Testing procedures
• Recovery procedures


Documentation Must Include

• How to use the software
• How to generate the software product
• Where the software resides
• Listings of source code
• How to handle error conditions


Amendment Notes Must Include

• Date of amendment
• Level and version number
• Amendment source
• Who amended
• Date amendment tested
• Date, release and level when put into production
• Purpose of the amendment


Software Acquisition

• Level of software support
• Duration of support for release level
• Can previous levels be obtained? How far back?
• Cost of replacing
• License agreements
• Timescale for replacement


Software Disasters

Stoppage due to:
• Specific program problems
• Project problems
• Departmental problems
• Company problems
• Other problems


Software Failure? Or is it:

• Program logic fault
• Operational error
• Wrong version of software used
• JCL error
• Input error
• Human error


Other Problems

• Snapped magnetic tapes
• Head crashes
• Unreadable magnetic media
• Lost source code
• Deleted records
• Deleted files
• Incompatible software
• Operational difficulties
• Acts of God


Testing the Plan

Management needs must:
• Be fully defined
• Be approved
• Cover all in-house and third party risks
• Define all 'retained' risks


The Plan Must

• Be known
• Be secure
• Be up-to-date
• Be available
• Be workable
• Be cost-effective


Testing the Plan

• Must be planned
• Must be practical
• Should be realistic
• Should be unexpected
• Will comprise discrete elements
• Will not work the first time


We Must Know

• The critical systems
• The critical data
• The critical hardware
• The critical software
• The timing of backups
• All retained risks
• The insurance position
• Contractual agreements


Continuity

• Change control must operate
• Risk evaluation of the corporation is dynamic
• Agreements expire
• People leave
• Training is forgotten
• Testing is ongoing
• Policies change
• Cost/benefits change


The Audit Program

• Policies
• Application systems
• User data
• Hardware
• Systems software
• Testing
• Continuity


Policies - Terms of Reference

• Ensure contingency policy exists
• Ensure policy is sufficient and realistic
• Ensure high risk areas identified
• Ensure adequacy of insurance
• Ensure all levels of management understand their responsibilities
• If insufficient in-house expertise, call in a consultant


Policies - Strategies

• Assess levels of competence expected
• Review the estimated financial effects
• Review the projected cost
• Review the current planning status
• Review current contracts
• Review contingency team staffing
• Review security and distribution of plan


Who Does What?

• Ensure a definitive organisation chart exists
• Ensure it is up-to-date
• Ensure all reporting relationships are covered
• Ensure security arrangements exist
• Ensure security will continue in an emergency


Application Systems - IT

• Review key systems of the Corporation
• Check for their computer component
• Check the priority ratings
• Ensure contingency plan allows for differing time spans
• Check for adequate and up-to-date documentation
• Review previous tests


Manual Systems

• Check manual systems are included
• Ensure adequate and up-to-date documentation exists
• Check for back-up facilities
• Review training program for manual backup
• Review previous tests


Systems Under Development

• Check all WIP is covered
• Check details are up-to-date
• Check for backups of test libraries
• Review staff responsibilities
• Check level of documentation


User Data - Computer

• Check file layouts of key systems
• Check layouts to actual files
• Review data relationships
• Review linkage to manual data
• Check costs of alternate data sources
• Check backups are as recorded
• Check backups are appropriate
• Review the results of previous tests
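"Check backups are as recorded" and "check backups are appropriate" (and, under Software Problems later in the program, "check backups are current") are tests the auditor can run against the installation's backup register rather than take on trust. The Python below is an added illustration, not from the slides or from RC&A: it assumes a register that records, for each backup, the system, the time taken, whether the copy is on- or off-site, the volume label and the SHA-256 digest written down when the backup ran; a per-system policy giving the recovery point objective (RPO) and the maximum acceptable age of the newest off-site copy; and the media contents as actually found. It reports the exceptions an auditor would raise: no successful backup, newest copy older than the RPO, no fresh off-site copy, media missing, or media that no longer hashes to what the register claims. Register entries, policies and media contents are constructed for the example.

```python
"""Backup register verification for a DRP audit (added illustration, not
from the slides).  Compares what the register says was backed up with the
agreed policy and with the media actually on hand."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupRecord:
    system: str
    taken_at: datetime
    location: str      # "onsite" or "offsite"
    volume: str        # label of the tape / volume / object holding the copy
    sha256: str        # digest written into the register when the backup ran
    status: str        # "ok" or "failed"


@dataclass(frozen=True)
class Policy:
    rpo: timedelta             # oldest acceptable age of the newest good backup
    offsite_within: timedelta  # oldest acceptable age of the newest good off-site copy


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_backups(register, policies, media, now):
    """Return {system: [(code, detail), ...]}; an empty list means no exceptions."""
    findings = {system: [] for system in policies}
    for system, policy in policies.items():
        good = sorted((r for r in register if r.system == system and r.status == "ok"),
                      key=lambda r: r.taken_at)
        if not good:
            findings[system].append(("NO_GOOD_BACKUP", "register shows no successful backup"))
            continue
        newest = good[-1]
        age = now - newest.taken_at
        if age > policy.rpo:                       # "backups are current"
            findings[system].append(("RPO_EXCEEDED", f"newest good copy {newest.volume} is {age} old"))
        offsite = [r for r in good if r.location == "offsite"]
        if not offsite or now - offsite[-1].taken_at > policy.offsite_within:
            findings[system].append(("OFFSITE_STALE", "no good off-site copy within policy window"))
        for r in good:                             # "backups are as recorded"
            blob = media.get(r.volume)
            if blob is None:
                findings[system].append(("MEDIA_MISSING", f"{r.volume} not found"))
            elif sha256_hex(blob) != r.sha256:
                findings[system].append(("HASH_MISMATCH", f"{r.volume} differs from register"))
    return findings


# Constructed test data: a fictional register, policy and media inventory.
NOW = datetime(2015, 5, 7, 9, 0, tzinfo=timezone.utc)


def _ts(day: int, hour: int) -> datetime:
    return datetime(2015, 5, day, hour, tzinfo=timezone.utc)


PAY_0506 = b"payroll full backup 2015-05-06"
PAY_0503 = b"payroll full backup 2015-05-03"
ACC_0506 = b"accounting full backup 2015-05-06"
ACC_0504 = b"accounting full backup 2015-05-04"

REGISTER = [
    BackupRecord("payroll",    _ts(6, 22), "onsite",  "PAY-0506", sha256_hex(PAY_0506), "ok"),
    BackupRecord("payroll",    _ts(3, 22), "offsite", "PAY-0503", sha256_hex(PAY_0503), "ok"),
    BackupRecord("accounting", _ts(6, 22), "onsite",  "ACC-0506", sha256_hex(ACC_0506), "ok"),
    BackupRecord("accounting", _ts(4, 22), "offsite", "ACC-0504", sha256_hex(ACC_0504), "ok"),
    BackupRecord("accounting", _ts(7, 2),  "onsite",  "ACC-0507", "", "failed"),
    BackupRecord("marketing",  _ts(6, 22), "onsite",  "MKT-0506", "", "failed"),
]
# Media as actually found: ACC-0506 no longer matches the register entry.
MEDIA = {
    "PAY-0506": PAY_0506,
    "PAY-0503": PAY_0503,
    "ACC-0506": ACC_0506 + b" (truncated)",
    "ACC-0504": ACC_0504,
}
POLICIES = {
    "payroll":    Policy(rpo=timedelta(hours=24), offsite_within=timedelta(days=3)),
    "accounting": Policy(rpo=timedelta(hours=24), offsite_within=timedelta(days=7)),
    "marketing":  Policy(rpo=timedelta(days=7),   offsite_within=timedelta(days=30)),
}


def run_audit():
    return audit_backups(REGISTER, POLICIES, MEDIA, NOW)


if __name__ == "__main__":
    for system, items in run_audit().items():
        print(system, items or "no exceptions")
```

The digest comparison is the part that makes "as recorded" testable: a register entry proves only that a backup job ran, while re-hashing the volume proves the copy on the shelf is still the one the register describes. The constructed data is arranged so each system trips a different exception, which is how a practitioner would check the tool itself before relying on it.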


Hardware

• Check an acquisition policy exists
• Check it is enforced
• Ensure documentation exists for all hardware
• Review hardware register
• Test check the register to actual
• Spot check remote equipment
• Check for immediate availability of the register
• Review the results of previous tests


More Hardware

• Ensure hardware backup plan exists
• Review for essential systems usage
• Ensure the essential hardware has been identified
• Review contingency agreements
• Review contractual arrangements
• Ensure the plan is tested on an ongoing basis
• Review the results of previous tests


Hardware Stoppages

• Ensure an incident log is maintained
• Ensure recovery procedures exist for previous stoppage types
• Sample hardware log for serious interruptions
• Check latest contacts list
• Ensure maintenance routines are followed
• Check fire fighting equipment maintenance
• Check physical security


Systems Software

• Establish software used
• Check backup procedures
• Check software security
• Check that recoverability has been tested
• Check software contracts exist
• Check all amendments are recorded
• Check backup copies of software documentation
• Check previous test results


Software Problems

• Check previous problems have been recorded, including the fix
• Check incident logs are maintained
• Check offsite documentation storage
• Check current backup procedures
• Check backups are current
• Ensure all new software is adequately tested
• Check regular testing is done


Testing

• Review all relevant files, charts, meeting minutes
• Review policy objectives
• Review costs, budgets and estimates
• Check progressive nature of test plan
• Check that all previously identified deficiencies have been remedied
• Investigate inefficiencies highlighted in testing
• Test prioritization
• Inspect remote sites


Continuity

• Ensure responsibility for plan maintenance
• Ensure management kept informed
• Ensure master copy of plan is secure
• Ensure distributed copies are kept up-to-date, available but secure


Remember

• It could be a corporate survival plan
• It is not one person's plan
• Management commitment is required


Questions?

• Any Questions? Don't be shy!


Coming Up Next

IT AUDIT BASIC

5. IT Fraud and Countermeasures May 12

IT AUDIT ADVANCED

1. Advanced IT Audit Risk Analysis for Auditors May 19

2. Advanced IT Audit Securing the Internet May 21

3. Advanced IT Audit IT Security Reviews May 26

4. Advanced IT Audit Performance Auditing of the IT Function May 28

5. Advanced IT Audit Managing the IT Audit Function June 2


Thank You!

Richard Cascarino, MBA, CIA, CISM, CFE
Richard Cascarino & Associates
970-291-1497
[email protected]

Jim Kaplan
AuditNet LLC®
800-385-1625
[email protected]