-
Fangzhou Hou commented on the post, Week 2 Questions, on the site 8 years, 10 months ago
Priya, good example of using the COSO 5 components. I agree with what you said, “Control activities are the policies”, and do you think the control activities also include the three types of control, like preventive control, detective control, and corrective control? I believe that most of these policies and procedures are preventive controls to sto…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Why do we need control framework to guide IT auditing?
An integrated framework can enhance the effectiveness and efficiency of internal control and guide IT auditing. According to the COSO cube, there are five components that can help management establish an integrated framework:
– Control environment. As we discussed in previous class, the…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Similarities:
– Both have been used by IT professionals in the IT service management (ITSM)
– Both provide guidance for the governance and management of IT-related services by the organization.
Difference:
– ITIL focuses on the way to m…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question: What are the key activities within each phase?
1. Requesting Documents
– preparing checklists
– collecting documents
2. Preparing an audit plan
– Considering the collected information
– Developing an audit plan
3. Scheduling an open meeting
– Developing the scope of audit
– Open meeting with the employees
4.…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question: Explain the key IT audit phases
According to Sharon Penn’s article “Six-Step Audit Process”, the key audit phases include:
1. Requesting Documents: Before an audit program officially carries on, the auditors are required to list an audit preliminary checklist that includes documents like a copy of previous audit reports and origina…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Good example of user name and passwords. The personal identification is a very important preventive control in business and mitigates the loss by data leak. I believe that the user name and passwords are one of the most commonly used tools in preventive control. Some organizations now even require the employees to set a secondary password on the PCs,…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question: What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are preventive, detective, and corrective.
Preventive control – this type of mitigating control is preventing the harm of loss before they actually happened. For example, one p…
-
Fangzhou Hou commented on the post, Week 1 Questions, on the site 8 years, 10 months ago
I completely agree with your point that with some understanding of technology, auditors can spend less time in educating themselves. The audit resource is limited; the efficiency and how to organize an audit project are important to auditors. With this background understanding in technology, auditors can spend more time in other objectives, and…
-
Fangzhou Hou commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 10 months ago
That’s a good point! Indeed, the data analysis tools are very useful for auditors. Besides, with the understanding of technology, auditors will not limit their mind in financial reports, but also the information security and the effectiveness of protecting an organization’s information assets. For example, an auditor with a technical background can ide…
-
Fangzhou Hou commented on the post, Week 1 Questions, on the site 8 years, 10 months ago
That’s true! In my previous work experience in a college library, most employees would leave their screen open, even when they have a 3-hour meeting. The librarian management system has every student’s personal information, which is only available under manager accounts. Staying logged in to the system and not locking the PC may cause data leak. Even worse, peo…
-
Fangzhou Hou commented on the post, Week 1 Questions, on the site 8 years, 10 months ago
I agree with Sean and Vu. Auditors shouldn’t underestimate the importance of understanding some basic technology knowledge. In fact, most major public companies now own a huge amount of technical related equipment which has millions in value, including other information assets. Without the understanding of technology, auditors may not find out p…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Good point in mobile device management (MDM). Indeed, a mobile device has potential risks in data leak, including personal information or even sensitive business documents. If the mobile device with internet connection information is stolen, the remote attacker may have the access authority and replace the firmware on a device like a router and take…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
I agree with your opinion that information security is related to both technical and business problems. You mentioned the potential risk in information leak because of the authorized access issues. If management barely has a basic understanding in technical operation, they might underestimate the importance of protecting information assets. Without…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question 4: What issues did you identify from this video?
1. Employee underestimates the importance of proper training in basic information technology controls.
2. Employee writes down her system user name and passcode.
3. Employee shares his passcode with someone else.
4. Employee loses his USB which has sensitive i…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question 3: What is the purpose of all auditors having some understanding of technology?
Most major public corporations today have millions of IT-related assets like PCs, servers, and many other technical equipment. Without the common knowledge of technology, the auditors may not find potential risks which are related to these technical devices.…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question 2: How does the control environment affect IT?
The control environment includes the factors that have important influence in establishing a policy or project to minimize the risks. It also stands for the understanding, attitude, and action about the internal control of upper management. The control environment ensures the efficiency…
-
Fangzhou Hou commented on the post, Week 2: Questions, on the site 8 years, 10 months ago
Yes, I agree with your opinion. You mentioned that the upper management now are required to sign on the 10K’s and 10Q’s, which is a good example to explain that the management needs to take responsibility in confirming the financial reports under the requirement of the SOX. According to the Section 404 of SOX, management now also needs to confirm the…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Good point that the employee may become the weakest link in the IT security chain. Information security is a complex problem which is related to both technical and business. As you mentioned about security process, IT professionals and the management sometimes focus on different strategies. Indeed, the technical tools like hardware, antivirus…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Article: “Inteno Router Flaw Could Give Remote Hackers Full Access.”
According to this article, a critical new router vulnerability could allow “remote attackers to replace the firmware on a device to take complete control over it, and monitor all internet traffic flowing in and out.” There are three models confirmed to have the potential risk to…
-
Fangzhou Hou posted a new activity comment 8 years, 10 months ago
Question 1: What are some current system-related risks that you have experienced in your organization?
System-related risks in my organization:
1. Some employees would like to write down the user name and code of their PC, which may allow others to log in to their PC.
2. Around 20% of computers in the organization are still using the Windows XP…