GTAG_Overall1
7/23/2019 GTAG_Overall1
1/29
www.theiia.org
Global Technology Audit Guide
The Institute of Internal Auditors (www.theiia.org/technology)
-
This presentation covers:
What is GTAG?
Who is the GTAG target audience?
Who is involved in GTAG development?
How many guides have been published?
What do members think of the GTAG series?
What are the future GTAG topics?
How to get GTAG?
-
What is GTAG?
GTAG: Global Technology Audit Guide
To provide easy-to-understand information technology audit guides to Chief Audit Executives, Audit Committees and Executive Management
To provide a mechanism to quickly address new IT issues
To produce technical audit guides on a global scale
-
Who is the GTAG target audience?
Primary target: Chief Audit Executive (CAE)
Many CAEs face the challenge of understanding technology, which is necessary to plan and conduct internal audit.
CAEs are not well served by many existing guides, such as CoBIT, which tend to target technical IT auditors and IT management.
Given the broad responsibility of CAEs, the GTAG series provides them a high-level overview of risk management and control related to IT.
GTAG is practically immeasurable to busy executives who need to quickly understand technology issues and evaluate the impact on their organization.
-
Who is involved in GTAG development?
Advanced Technology Committee: selects topics based on the members' needs; oversees development of guides and develops content
Partners with other professional organizations: broaden audience for guides and contribute to content: AICPA, NACD, CIS, FEI, ISSA, SANS Institute, Carnegie Mellon SEI
IIA global affiliates participate in the reviewing process
-
15 GTAGs published
GTAG-1: IT Controls (2005)
GTAG-2: Change and Patch Management Controls (2005)
GTAG-3: Continuous Auditing (2005)
GTAG-4: Management of IT Auditing (2006)
GTAG-5: Managing and Auditing Privacy Risks (2006)
GTAG-6: Managing and Auditing IT Vulnerabilities (2006)
GTAG-7: Information Technology Outsourcing (2007)
GTAG-8: Auditing Application Controls (2007)
-
15 GTAGs published
GTAG-9: Identity and Access Management (2007)
GTAG-10: Business Continuity Management (2008)
GTAG-11: Developing the IT Audit Plan (2008)
GTAG-12: Auditing IT Projects (2009)
GTAG-13: Fraud Prevention & Detection in an Automated World (2009)
GTAG-14: Auditing User-developed Applications (2009)
GTAG-15: Information Security Governance (2009)
-
GTAG-1
Information Technology Controls
It covers:
Understanding of IT controls
Importance of IT controls
Organizational roles and responsibilities for ensuring IT controls
Analyzing risks
Monitoring and techniques
IT control assessment
-
GTAG-2
Change and Patch Management Controls: Critical for Organizational Success
It covers:
Why IT change and patch management controls are foundational to a healthy IT environment
How IT change and patch management controls help manage IT risks and costs
What works and doesn't work in practice
Describes sources of change and the likely impact on business objectives
-
GTAG-3
Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment
It covers:
Role of continuous auditing in today's internal audit environment
Relationship of continuous auditing, continuous monitoring, and continuous assurance
The application and implementation of continuous auditing
Benefits of a continuous, integrated approach
-
GTAG-4
Management of IT Auditing
It covers:
Defining IT
IT-related Risks
Defining IT Audit Universe
Executing IT Auditing
Managing IT Auditing
Emerging Issues
-
GTAG-5
Managing and Auditing Privacy Risks
It covers:
What is Privacy
Privacy Principles and Frameworks
Privacy Impacts and Risk Model
Privacy Controls
Good and Bad Performers
Internal Auditing's Role
Auditing Privacy
CAE's Top 10 Privacy
-
GTAG-6
Managing and Auditing IT Vulnerabilities
It covers:
Define the vulnerability management lifecycle
The scope of a vulnerability management audit
Organizational maturity
Metrics to measure vulnerability management practices
Top 10 vulnerability management questions
-
GTAG-7
Information Technology Outsourcing
It covers:
How to choose the right IT outsourcing vendor?
What are the best ways to manage outsourcing contract agreements?
What are the main outsourcing risks and how to mitigate them?
What are the key outsourcing control considerations from the standpoints of both client operations and service provider operations?
Which is the most effective framework for establishing outsourcing controls?
-
GTAG-8 (playback link available)
Auditing Application Controls
It covers:
What is application control?
What is the relationship between application control and general controls?
Why rely on application controls?
How to scope a risk-based application control review?
What are the steps to conduct an application controls review?
A list of key application controls
A sample audit program
-
GTAG-9 (playback link available)
Identity and Access Management
It covers:
Insight into what IAM means to an organization
Access Rights and Entitlement
Provisioning Process
Administration of Identities and Access Rights Process
Use of Technology in IAM
Suggests internal audit areas for investigation
Assists CAEs and other internal auditors to understand, analyze, and monitor their organization's IAM processes
Includes a checklist for an IAM
-
GTAG-10
Business Continuity Management
It covers:
Help communicate business continuity risk awareness and support management in its development and maintenance of a BCM program.
Disaster recovery planning for continuity of critical information technology infrastructure, and business application systems.
Business Impact Analysis
Business Recovery and Continuity Strategy
Disaster Recovery for IT
Crisis Communications
-
GTAG-11
Developing the IT Audit Plan
It covers:
Understanding the organization and how IT supports it.
Defining and understanding the IT environment.
Identifying the role of risk assessments in determining the IT audit universe.
Formalizing the annual IT audit plan.
-
GTAG-12
Auditing IT Projects
It covers:
Key project management risks.
How the internal audit activity can actively participate in the review of projects while maintaining independence.
Five key components of IT projects for internal auditors to consider when building an audit approach.
Types of project audits.
A suggested list of questions for use in the IT project assessment
-
GTAG-13
Fraud Prevention & Detection in an Automated World
It covers:
Step-by-step process for auditing a fraud prevention program
An explanation of the various types of data analysis to use in detecting fraud
A technology fraud risk assessment template
Playback link available
-
GTAG-14 (playback link available)
Auditing
-
GTAG-15
Information Security Governance
It covers:
Defining ISG.
Helping internal auditors understand the right questions to ask and know what documentation is required.
Describing the internal audit activity's (IAA) role in ISG.
Steps to plan, test and analyze and audit of ISG.
-
What IIA members think of GTAG
GTAG survey tells that:
On average, 92.4% participants think GTAG topics are important to their organization.
On average, 81% participants think GTAG are useful or very useful to their organization.
-
Future GTAG topics
IT Governance
Data Analysis Technology
Third Party Development Lifecycle
-
How to get GTAG?
Free MEMBER download of electronic copy from IIA technology website: http://www.theiia.org/technology
Purchase printed copy from IIA Bookstore
(US @ for IIA member)
(US B; for nonmember)
-
GAIT
Guide to the Assessment of IT Risk (GAIT) series describes the relationships among business risk, key controls within business processes, automated controls and other critical IT functionality, and key controls within IT general controls. Each practice guide in the series addresses a specific aspect of IT risk and control assessments.
-
GAIT
The GAIT Methodology PG: a risk-based approach to assessing the scope of IT general controls as part of management's assessment of internal control required by Section 404 of SOX
http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-m/
GAIT for IT General Control Deficiency Assessment PG: an approach for evaluating whether any ITGC deficiencies identified during Section 404 assessments represent material weaknesses or significant deficiencies
http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-d/
-
GAIT
GAIT for Business and IT Risk PG: guidance for helping identify the IT controls that are critical to achieving business goals and objectives
http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/gait/gait-r/
Case Studies of Using GAIT-R to Scope PCI Compliance: Following the GAIT-R principles and methodology, this paper provides two case studies of applying GAIT-R to PCI compliance.
http://www.theiia.org/download.cfm?file=24876
-
Want to learn more?
IIA Practice Guide Series
Monthly web event free to members
Authors discuss IIA practice guides
Playback links available: http://www.theiia.org/guidance/standards-and-guidance/practice-guide-series/