Internal Audit Training, IT Audit Training Courses, Information Security Training - CPE Interactive

Continuing Professional Education for Audit, Assurance, & Info Security


Course Description

The basis for all auditing is reliance on the control environment. A general controls review assesses the IT control environment and, through evaluation of specific control activities, monitoring and communication, and risk assessment, provides the basis for the audit's conclusions. The review covers the areas that affect IT management, data integrity and accuracy, security, and availability.

This course focuses on the planning, execution, and reporting of general IT controls reviews. Because the scope of such a review is too wide to perform as one omnibus engagement, we provide an approach that identifies the highest-risk areas, reviews those on a routine basis, and covers the less significant control processes on a cycle. In addition, we use a maturity model, an objective and repeatable assessment basis, which gives management a measurement that can show improvement of controls over time.

In this course, we will discuss:

  • The IT General Control Review components
  • Frameworks to support the audit process
  • Compliance requirements (AS5, PCI-DSS, GLBA, HIPAA, state/federal privacy legislation)
  • The scope of a full-scope general controls review
  • Planning the scope of the general controls review
  • Integrating compliance requirements into the planning process
  • How to execute the review
  • Effective reporting processes using scorecards and maturity models

Learning Objectives:

  • Plan and execute a general controls review
  • Utilize risk assessment techniques to address the highest risk control issues
  • Provide management with a meaningful assessment of the maturity of the controls

Course Outline

Objective of General IT Control Reviews (GITC)

  • Why perform a GITC review
  • How the GITC supports audit objectives

Defining the General Control Review Components

  • The views of General Controls
  • Regulatory compliance
  • Performance reviews
  • Scope of the GITC review

Linking General Control Review to COBIT 4.1

  • Defining the COBIT 4.1 control model
  • Using maturity models to promote controls

Planning for GITC Audits

  • Audit Planning
  • System vs Data Integrity
  • Developing Audit Objectives

GITC Audit Areas – What to Audit and How

  • IT Governance & Management
    • IT Organization Placement within the Organization
    • Typical organization models
    • Evaluating IT governance
  • Systems Development
    • Defining a Systems Development Framework
    • Applying the SDLC for Project Management
    • Functions of the Project Management Office
    • Understanding the Phases of Systems Development
    • Audit’s Role in Systems Development
  • Information Security Management
    • Roles, responsibilities, and organization of an Information Security function
    • Information Security Goals
    • Information Security Standards
    • Information Security Incident Management
    • Reliance on the Information Security function
  • Network Security
    • Network Concepts
    • Network Components
    • Network Security Good Practices
    • Audit Approach
  • Identity and Access Management
    • Authentication controls
    • User ID Provisioning, Maintenance, and Termination
    • Access Control Maintenance and Monitoring
    • Separation of Duties Analysis
  • Data Management
    • Relational Database Concepts
    • Database Access Controls
    • Data Storage Locations
    • Data Ownership and Custodial Controls
    • Data Classification
    • Data Loss Protection
  • Change Management
    • Software Library Controls
    • Promotion to Production Controls
    • Distributed Computing Controls
    • Patch Management
  • Service Desk & Incident Management
    • Understanding the Service Desk and Incident Management Processes
    • Using the Incident Management Process as an Audit Tool
  • Third-Party Services
    • Third-Party role in IT
    • Service Level Agreements
    • Relationship Management
  • Configuration Management
    • Defining configuration management
    • Types of servers
    • Accreditation
    • Evaluating Configuration Baselines
  • Operations Management
    • Job scheduling
    • Interface with Incident Management
    • Sensitive Documents
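The Identity and Access Management area above lists "User ID Provisioning, Maintenance, and Termination" and "Separation of Duties Analysis" as audit topics without showing what the tests look like in practice. The following is an added example, not material from the course or from CPE Interactive, of the two checks an auditor most often runs over an HR extract and an access-control extract: enabled accounts belonging to terminated or unknown users, and users holding a conflicting pair of entitlements. The HR records, accounts, entitlement names and the SoD rule set are all constructed for illustration.

```python
"""Two general-controls tests over identity data (added example, constructed data):
1) enabled accounts whose owner was terminated, or who has no HR record at all;
2) users holding a pair of entitlements that a separation-of-duties rule forbids.
"""
from datetime import date

# Constructed HR master: user -> termination date (None means still employed).
HR = {
    "alice": None,
    "bob": date(2023, 11, 30),
    "carol": None,
    "dave": date(2024, 1, 15),
}

# Constructed access-control extract: one record per account with its entitlements.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": {"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}},
    {"user": "bob", "enabled": True, "roles": {"GL_POST"}},
    {"user": "carol", "enabled": True, "roles": {"AP_CREATE_VENDOR"}},
    {"user": "dave", "enabled": False, "roles": {"GL_POST"}},
    {"user": "svc_batch", "enabled": True, "roles": {"GL_POST", "GL_CLOSE"}},
]

# Hypothetical SoD rule set: each pair must not be held by one person.
SOD_RULES = [
    frozenset({"AP_CREATE_VENDOR", "AP_APPROVE_PAYMENT"}),
    frozenset({"GL_POST", "GL_CLOSE"}),
]

# Review date used by the checks (constructed).
AS_OF = date(2024, 3, 1)


def stale_accounts(hr, accounts, as_of, grace_days=0):
    """Return (user, reason) for every enabled account that should not be enabled.

    An account is flagged when its owner was terminated more than grace_days
    before as_of (grace_days lets the auditor allow the agreed de-provisioning
    window) or when the owner does not appear in HR at all (orphan account).
    Disabled accounts are skipped: the control has already operated for them.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if user not in hr:
            findings.append((user, "no HR record"))
            continue
        term = hr[user]
        if term is not None and (as_of - term).days > grace_days:
            findings.append((user, f"terminated {term.isoformat()}"))
    return findings


def sod_conflicts(accounts, rules):
    """Return (user, conflicting_pair) for every account whose entitlements
    contain a complete forbidden pair. Disabled accounts are included on
    purpose: a re-enabled account would immediately violate the rule."""
    conflicts = []
    for acct in accounts:
        for rule in rules:
            if rule <= acct["roles"]:  # rule is a subset of the held entitlements
                conflicts.append((acct["user"], tuple(sorted(rule))))
    return conflicts


if __name__ == "__main__":
    for finding in stale_accounts(HR, ACCOUNTS, AS_OF):
        print("stale account:", finding)
    for conflict in sod_conflicts(ACCOUNTS, SOD_RULES):
        print("SoD conflict:", conflict)
```

Run as-is, the script reports bob (terminated three months before the review date but still enabled) and svc_batch (no HR owner) as stale, and alice and svc_batch as SoD conflicts; dave is disabled and so drops out of the stale-account test, which is the evidence that the termination control worked for him. Setting grace_days to the organisation's agreed de-provisioning window turns the first check from "any terminated user" into "terminated users outside the SLA", which is usually the finding management actually accepts.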

Planning and Reporting the GITC Audit

Additional Information

Who Should Attend

  • IT audit professionals responsible for managing and performing general control reviews
  • Internal Audit departments seeking to establish a focused and responsive presence with their audit customers

Level

Intermediate

Recommended Prerequisites

Introduction to IT Auditing (AA01) or equivalent training.

Session Duration

Online: Four 3 hour sessions

On Site: 2 Days

CPE Credits: 16