-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
How do you effectively identify IT Audit Universe and Audit Entities within an organization?
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Correct. The trend for IT auditing should adopt a risk-based approach, meaning leveraging the frameworks to identify “high risk” areas and develop audit strategy/plan accordingly rather than cover all control objectives…we will discuss further in the class.
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Sean – Please remind me to discuss “Solution Development” part during the class.
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
IT audit relied on those frameworks for risk assessment and control testing. You are headed in the right direction. A few corrections: (a) from reporting structure, Audit Director should report to Audit Committee/the Board and administratively to CEO. (b) from IT audit aspect, auditors need to get comfortable that management has effective controls in place…
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Very detailed…however, re-think Step 4. Which party is responsible to develop “action plans” to remediate audit findings?
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Summarized well. Always remember “Risk and Control Assessment”…
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
One very important task for the IT audit process is to identify the “Audit Universe” – what needs to be audited? Within the Audit Universe, IT audit senior management identifies audit entities based on risk assessment, and then the audit cycle (frequency) will be determined based on risk rating. We will discuss further during our next class.
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Sean, thanks for reading my slides…:)
-
Liang Yao commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
I like the words “what” and “how”. The two frameworks amid IT controls from different aspects. ITIL is often used by technology management to “implement” technical controls and COBIT, on the other hand, is used by technology risk management and IT auditors to assess the control environment.
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
These days, businesses continue to introduce new technologies to meet internal and external business needs, and in the meantime, new technology also brings in new risks. What do you think management should do before implementing the new technology?
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Organizations should develop information security policies and procedures to provide guidance on security practices, including internet access. Most companies use proxy servers to control employees’ internet access; some develop a “black list” or “white list” for the same purpose. In addition, downloading executable files from websites should be…
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
I assume in this case, you referred to “clear text” passwords. If that’s the case, that’s definitely a concern. All passwords, systems and applications, should be encrypted.
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
The same principle applies to internal audit. You will identify control deficiencies, and recommend “what” needs to be done, e.g. the need to develop a disaster recovery plan; however, it’s management’s responsibility to actually develop such a plan. Then, as an IT auditor, it’s your job to evaluate the design adequacy and operating effectiveness of such…
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Ian – Insider risk indeed is one of the areas business management, risk management and auditors need to pay attention to while dealing with cybersecurity. Insiders, especially those with privileged access, can cause significant damage if the environment is not adequately controlled.
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Good points. Let’s think: what is the most important thing in IT PMO/management? How can they get help to beef up the control environment?
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Agree!
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Yes. Implementing controls means investing resources/spending. It’s a big challenge to management how to balance between making profit and maintaining a safe and sound control environment.
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Good point. Remember the OPM data breach in 2015? Tone at the top is the key…we will deep dive into this when we discuss information security. That’s something that keeps all of us up at night.
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Good observations. You explain the “risk event” or fact. Risk means what can go wrong? E.g. what’s wrong with still using Windows XP? Let’s discuss during the class.
-
Liang Yao commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Auditors “request” information from auditees. However, auditors usually do not access data/information directly via accessing auditees’ production systems or applications. I will explain this briefly on Wednesday.