WE SHOW YOUR PROBLEM
YOU SOLVE IT 
INTRODUCTION
When most people hear the word "audit," their first reflex is to cringe. Usually,
it means having some outside team come in to review everything and tell them
what they're doing wrong, in technical terms.
An IT audit is the:
- Examination and evaluation of an organization's information technology
infrastructure, policies and operations.
- Determination of whether IT controls protect corporate assets, ensure data
integrity and are aligned with the business's overall goals.
- Review not only of physical security controls, but also of the overall
business and financial controls that involve information technology systems.
What is IT Audit?
An information technology audit, or information systems audit, is an examination
of the management controls within an Information technology (IT) infrastructure.
The evaluation of obtained evidence determines if the information systems are
safeguarding assets, maintaining data integrity, and operating effectively to achieve
the organization's goals or objectives. These reviews may be performed in
conjunction with a financial statement audit, internal audit, or other form of
attestation engagement.
First, it’s important to define exactly what an IT audit is. Simply put, it’s the process of
collecting and evaluating an organization’s information systems, practices and operations. In
this process, an IT auditor not only looks at the physical controls but also the business and
financial controls within a company.
The audit takes place to confirm that the business complies with applicable legislation
and that its data and records are secure. The IT audit is an assessment, not a remediation:
it provides findings and recommendations to close the gaps it identifies; fixing them is the
organization's job.
What is an IT Auditor?
While an IT auditor may have various responsibilities, their main job is to lead
projects that improve internal processes and performance. They report problems
related to IT systems, analyze data and strengthen internal controls. Much of their
working time is spent collecting and reviewing data from databases, software
programs and information management systems.
An IT auditor may work in a variety of industries, the most common being
technology, finance, healthcare and education.
Salary of IT Auditors
IT Auditor Skills
• The skills you need as an IT auditor will vary depending on your specific role and
industry, but there’s a general set of skills that all IT auditors need to be successful.
Some of the most commonly sought skills for IT auditor candidates include:
• IT security and infrastructure
• Internal audit
• IT risk
• Data analysis
• Data analysis and visualization tools (ACL, MS Excel, SAS, Tableau)
• Security risk management
• Security testing and auditing
• Computer security
• Internal auditing standards including SOX, MAR, COSO and COBIT
• Analytical and critical thinking skills
• Communication skills
IT Auditor Job Requirements
• Entry-level IT auditor positions require at least a bachelor’s degree in computer
science, management information systems, accounting or finance.
• You’ll want a strong background in IT or IS and experience in public accounting
or internal auditing.
• The job requires a strong set of technical skills, with a strong emphasis on security
skills, but you’ll also need soft skills like communication.
• You’ll be responsible for not only identifying issues during an IT audit but also
explaining to leaders outside of IT what is wrong and what needs to change.
• Analytical and critical thinking skills are also crucial, as you’ll need to evaluate
data to find trends and patterns to identify IT security and infrastructure issues.
What is the purpose of an IT Audit ?
• The purpose of an IT audit is to evaluate the design and operating effectiveness of the system's
internal controls. This includes, but is not limited to, efficiency and security protocols, development
processes, and IT governance or oversight. Installing controls is necessary but not sufficient to provide
adequate security. The people responsible for security must establish whether the controls are installed
as intended, whether they are effective, whether any security breach has occurred and, if so, what can be
done to prevent future breaches. These questions must be answered by independent and unbiased observers;
answering them is the task of information systems auditing. In an Information Systems (IS) environment,
an audit is an examination of the information systems, their inputs, outputs and processing.
• The primary functions of an IT audit are to evaluate the systems that are in place to guard an
organization's information. Specifically, information technology audits are used to evaluate the
organization's ability to protect its information assets and to properly dispense information to
authorized parties. The IT audit aims to evaluate the following:
• Will the organization's computer systems be available for the business at all times when required?
(known as availability)
• Will the information in the systems be disclosed only to authorized users? (known as security and
confidentiality)
• Will the information provided by the system always be accurate, reliable, and timely? (measures
the integrity)
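The distinction above between a control being installed as intended (design) and actually working (operating effectiveness) is what an auditor tests with evidence. The following is an added example, not material from the original deck: a small control-test harness that evaluates three access-control expectations against a constructed policy document and a constructed user-account export. The control identifiers (AC-1 to AC-3), field names and the as-of date are assumptions chosen for illustration.

```python
"""Control-test harness (added example, not from the original deck).

Each control is tested twice: design (does the written policy specify the
control correctly?) and operating effectiveness (does the account evidence
show it actually working?). A control is effective only if both pass.
All data below is constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

AS_OF = date(2024, 6, 30)  # constructed audit "as-of" date for the sample

# Constructed policy document (design evidence).
POLICY = {
    "password_min_length": 8,        # weaker than the 12 the control expects
    "max_inactive_days": 90,
    "mfa_required_for_admins": True,
}

# Constructed account export (operating-effectiveness evidence).
ACCOUNTS = [
    {"user": "alice",      "admin": True,  "mfa": True,  "disabled": False, "last_login": date(2024, 6, 28)},
    {"user": "bob",        "admin": True,  "mfa": False, "disabled": False, "last_login": date(2024, 6, 1)},
    {"user": "carol",      "admin": False, "mfa": False, "disabled": False, "last_login": date(2024, 1, 15)},
    {"user": "dave",       "admin": False, "mfa": False, "disabled": True,  "last_login": date(2023, 11, 2)},
    {"user": "svc_backup", "admin": False, "mfa": False, "disabled": False, "last_login": date(2024, 3, 1)},
]


@dataclass
class Finding:
    control: str
    design_ok: bool
    operating_ok: bool
    exceptions: list = field(default_factory=list)  # evidence items that failed

    @property
    def effective(self) -> bool:
        # Both the design and the operating test must pass.
        return self.design_ok and self.operating_ok


def test_password_length(policy, accounts):
    # Design-only control: judged from the policy document, not from accounts.
    ok = policy["password_min_length"] >= 12
    exc = [] if ok else [f"policy sets minimum length {policy['password_min_length']}"]
    return Finding("AC-1 minimum password length >= 12", ok, ok, exc)


def test_dormant_accounts(policy, accounts, as_of=AS_OF):
    # Design: policy threshold must be at most 90 days.
    # Operating: no enabled account may be idle longer than the policy threshold.
    limit = policy["max_inactive_days"]
    design_ok = limit <= 90
    exc = [a["user"] for a in accounts
           if not a["disabled"] and (as_of - a["last_login"]).days > limit]
    return Finding("AC-2 dormant accounts disabled after 90 days", design_ok, not exc, exc)


def test_admin_mfa(policy, accounts):
    # Design: policy must require MFA for admins.
    # Operating: every admin account must actually have MFA enabled.
    design_ok = bool(policy["mfa_required_for_admins"])
    exc = [a["user"] for a in accounts if a["admin"] and not a["mfa"]]
    return Finding("AC-3 privileged accounts require MFA", design_ok, not exc, exc)


def run_audit(policy=POLICY, accounts=ACCOUNTS):
    """Run every control test and return the list of findings."""
    tests = (test_password_length, test_dormant_accounts, test_admin_mfa)
    return [t(policy, accounts) for t in tests]


def report(findings):
    """Render findings as the one-line-per-control summary an auditor would file."""
    lines = []
    for f in findings:
        status = "EFFECTIVE" if f.effective else "DEFICIENT"
        design = "pass" if f.design_ok else "fail"
        operating = "pass" if f.operating_ok else "fail"
        lines.append(f"{status:9} {f.control}  design={design} operating={operating}")
        for e in f.exceptions:
            lines.append(f"          exception: {e}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_audit()))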
IT Auditor Certifications
• ISO/IEC 27001:2013 (ISMS) lead auditor / lead implementer course
• Certified Information Systems Auditor (CISA)
• Certified Information Security Manager (CISM)
• Certified Internal Auditor (CIA)
Types of IT Audit
• Technological position audit
• Systems and Applications Audit
• Information Processing Audit
• Systems Development Audit
• Management of IT and Enterprise Architecture Audit
• Client/Server, Intranets, and Extranets Audit
• Information System Audit or Information Technology Audit (IT Audit)
• Compliance Audit
• Operational Audit
• Special Audit
• Integrated Audit
• Agreed Upon Procedures (AUP) Audit
ISO/IEC 27001, 27017 & 27018- Information Security
Management System (ISMS)
Increasing data breaches are a concern for most organizations. Technologies
are constantly changing, so we need to keep pace with the environment and
adopt a managed process of change that lets new technologies be used safely.
Implementing an ISMS standard such as ISO/IEC 27001:2013 is one way to
ensure that an organization follows a defined process for its information
systems and can give assurance to its customers, vendors and other third
parties that its systems and data are appropriately protected.
Certification against ISO/IEC 27001 is an independent attestation that the
organization runs an internationally recognized management process for
protecting the confidentiality, integrity and availability (CIA) of the
information it handles, including its customers' data; it certifies the
management system, not that every system is free of vulnerabilities.
ISO/IEC 27017 adds cloud-specific control guidance for Cloud Service
Providers (CSPs) and their customers. ISO/IEC 27018 adds controls for
protecting personally identifiable information (PII) processed in public
clouds.
Why ISMS
• Assures your customers about your organization's standards in managing their
data.
• The organization follows an established ISO process, which can reduce the
likelihood of a security breach.
• Third parties and vendors accept an ISO 27001 (ISMS) certificate as part of
vendor due diligence.
• Add-ons such as ISO 27017 or ISO 27018 provide cloud-specific assurance for
CSPs and their customers.
NEWS COVERAGE
In the world of cybersecurity, the position of IT auditor has become very
significant and is a growing occupation, with thousands of job openings
now available in the U.S. This growth has been fueled by new
regulations and compliance requirements such as Sarbanes-Oxley.
https://resources.infosecinstitute.com/category/cybersecurity-careers/how-to-become-an-it-auditor/what-does-an-it-auditor-do/#gref
Conclusion
• The career of IT auditor has a bright future, as almost every enterprise has the
need to improve its controls and remain in compliance. I hope this
walkthrough of the requirements and responsibilities of an IT auditor will
help you to decide whether you’d like to pursue this course of study.
My Investment vs. My Income (figures as given on the slide; currency not stated)
Course             Duration            My Investment   My Income
ISO 27001:2013     7 days, 60 hours    90 K            75K per audit, 6 audits per year
CISA               8 days, 70 hours    150 K           85K per audit, 6 audits per year
CISSP              8 days, 70 hours    150 K           95K per audit, 6 audits per year
Orientation in IT Audit
Peter Drucker:
"There are:
Companies that make things happen ...
Companies that watch things happen ...
Companies that wonder what happened ..."
WHY TO AUDIT
• The company learns of its weaknesses only after an attack.
• Are clients and customers safe to invest?
- Invest data
- Invest information
- Invest money
- Invest careers, and so on.
• Are promoters and shareholders safe?
• What would the loss be worth?
• How long would recovery take?
• What sort of disaster might you face?
CYBER ATTACK
• Story Time 
PAST ATTACK NATURE
PURPOSE
• The purpose of an IT audit is to evaluate the design and operating
effectiveness of the system's internal controls.
• This includes, but is not limited to, efficiency and security protocols,
development processes, and IT governance or oversight.
Number of institutions (as listed on the slide): Finance: 22; Microfinance: 91;
Commercial Bank: 27; Development Bank: 24; Co-operative: 2,800.
[Chart: "Number of Data Storage Sector" - bar chart of data volume by sector
(Small Office, Corporate, Finance, Bank, IT Companies); y-axis 0 to 90,000]
STATEMENT OF PROBLEM
• Many organizations are spending large amounts of money on IT because
they recognize the tremendous benefits that IT can bring to their
operations and services. However, they need to ensure that their IT
systems are reliable, secure and not vulnerable to computer attacks.
• New threats and attacks keep appearing: are you up to date?
• Lack of assurance that IT systems are adequately protected
• Limited knowledge of IT
• Not giving data the importance it deserves
• Continuous data loss and compromised systems
PROBLEM STATEMENT – Practical Gap
SOLUTION
• Give assurance that IT systems are adequately protected.
• Provide reliable information to users and manage systems properly so they
deliver their intended benefits.
• Reduce the risk of data tampering.
• Reduce data loss or leakage.
• Reduce service disruption.
• Provide proper management of the IT system.
MOTIVATION
The kinds of cyber attack that most commonly occur in Nepal are:
• Attacks on social media
• Piracy
• Identity theft
• Unauthorized access
• Website hacking
CASE STUDY
1. Pune Citibank MphasiS Call Center Fraud
Some ex-employees of MsourcE, the BPO arm of MphasiS Ltd, defrauded US
customers of Citibank of about Rs 1.5 crore. The case raised concerns of
many kinds, including about the role of data protection.
The crime was committed using unauthorized access to the customers'
electronic account space, so it falls firmly within the domain of cyber crime.
2. SONY.SAMBANDH.COM CASE
India saw its first cyber crime conviction in this case. It began after a complaint
was filed by Sony India Private Ltd, which runs a website called
www.sony-sambandh.com.
3. The Bank NSP Case
In the Bank NSP case, a management trainee of the bank was engaged to be
married. The couple exchanged many emails using the company's computers.
After some time the two broke up, and the woman created fraudulent email
IDs such as "indianbarassociations" and sent emails to the man's foreign
clients, using the bank's computers to do so. The man's company lost a large
number of clients and took the bank to court. The bank was held liable for the
emails sent using its system.
Nepal Bank Got Hacked 
IS Risk Measure/ Level
IT Audit Process
• The below provided are the basic steps in performing the Information
Technology Audit Process.
Final Prototype
METHODOLOGY
• A quantitative research methodology was used in this research. The
research theory of this paper is to construct knowledge and meaning from
the researcher's experience, that is, constructivism, which has direct
application to education; the research theory indicates technological
constructivism.
• Primary data were collected by means of an online survey, a questionnaire
and interviews, for which professionals from different areas of ICT were
chosen; this helped to study the current situation in Nepal. Secondary data
were collected from comparative studies in research papers, journals,
websites and newspapers, which helped to gather information at the
international level.
RESULT & DISCUSSION
A survey was conducted to support this research, and different charts are
presented for further clarification. There were 108 qualifying respondents
(Fig.).
RESULT & DISCUSSION
The figure shows that attacks from 2007 to 2014 have been growing steadily, with a
prominent probability of attack against any of the components of a security audit
(Fig.).
The next figure depicts the different types of attacks or vulnerabilities
experienced by ICT users from different fields between 2007 and 2014 (Fig.).
The final figure depicts IS audit awareness in Nepal at 83.58%, which looks
promising: beginning IS audit practice should not be very difficult.
CONCLUSION
Information security is an increasingly important part of our lives today, and the
degree of interconnectivity of networks implies that anything and everything can be
exposed, and everything from national critical infrastructure to our basic human
rights can be compromised. Governments are therefore urged to consider policies that
support continued growth in technological sophistication, access and security, and,
as a crucial first step, to adopt a national cyber security strategy.
Risk assessment and security audit must be conducted regularly to minimize and
mitigate risks. Local law and local and international standards and policy must be
followed when preparing an organization's ICT security policies. Audit is a must for
data security assurance. This research has proposed an audit model for IS audit
which is highly recommended for any IS audit and for minimizing security
vulnerabilities.
QUESTION & ANSWER
THANK YOU 