Assessing IT Risks & Controls

On-Demand - 16-CPE

Internal and external auditors in today's complex IT environments must understand core IT risks and controls. Information security knowledge is essential in meeting today’s security challenges and for providing assurance that IT risks are being adequately addressed.

This on-demand class is designed to help IT auditors, financial & operational auditors, and audit management meet today’s challenges and will highlight key concepts necessary to address important IT infrastructure and business application risks. 

During this class you will examine essential IT general controls and business application controls that require audit attention to provide reasonable assurance regarding the confidentiality, integrity and availability of the enterprise’s information assets.

Presented in straightforward language, this introductory class will provide you with a comfortable knowledge of IT and Information Security terminology, risks, key controls and internationally recognized information security frameworks and resources.

You will leave with a solid foundation in the basics of information technology as they apply to addressing critical enterprise IT risks.

Which course should I enroll in?

ERP Risk Advisors offers both a 16-CPE Introduction to Assessing IT Risks & Controls course and a 24-CPE Assessing IT Risks & Controls course.

The 24-CPE Assessing IT Risks & Controls class explores a more extensive list of topics relevant to today’s auditors and includes a monthly call with the instructor.

We recommend enrolling in either the 16 or 24-hour CPE course based on the topics covered. See the description of the 24-CPE course for a list of topics covered.

Seminar Agenda:

IT Risks

·      IT Risk Definition

·      Information Security Objectives

·      Data Breach Commonalities

·      Defense in Depth

·      Security & Control Resources

o  Center for Internet Security (CIS) Controls

o  IIA Global Technology Audit Guides (GTAGs)

o  ISACA COBIT

o  NIST Cybersecurity Framework (CSF)

Performing Integrated Audits

·      Defining Integrated Auditing

·      Scoping Integrated Audits

·      Business and Application Controls

·      Integrated Audits - Challenges

·      COSO – Principle-11

Information Technology Overview

·      Operating Systems (OS)

·      Mainframe Environment

·      Client Server Technology

·      Middleware

·      Virtualization / Virtual Servers

·      Databases

·      Cloud Computing

IT Operations

·      IT Asset Management

·      IT Vulnerability Management

·      Incident Response Management

·      Malware / Ransomware
 

Access Management

·      User Identification and Authentication

·      Single Sign-On

·      Authorization Controls

·      Separation of Duties

·      Controlling Privileged Access

·      Audit Trail & Review

·      Log Management

Change, Patch & Configuration Management

·      Change Management

·      Patch Management

·      Security Configuration Management

Network Perimeter Security

·      Network Risks

·      Firewalls 

·      Demilitarized Zone (DMZ)

·      Intrusion Detection / Prevention Systems

·      Protecting Sensitive Information / Encryption

Business Application Systems

·      Business Application Audit Objectives

·      Batch, On-line, Web-facing and Real-time Models

·      Enterprise Resource Planning (ERP) Systems

Business Application Transaction Risks

·      Determining Application Risks

·      Performing Walkthroughs

·      Automated & Manual Controls

·      IT Dependent Manual Controls

·      Application-Level IT General Controls

Business Application Controls

·      Completeness & Accuracy of Input

·      Error Handling

·      Completeness & Accuracy of Processing

·      Completeness & Accuracy of Output

·      Output Retention & Disposal

·      Completeness & Accuracy of Masters

·      Completeness & Accuracy of Interfaces

Testing Business Application Controls

·      Testing Operating Effectiveness

·      Testing Automated Controls

·      Testing IT Dependent Manual Controls

·      Data Analytics & CAATs

End User Computing (EUC)                                                             

·      EUC / UDA Computing Risks                                                   

·      Spreadsheet Risk Factors                                                         

·      Evaluating End User Controls

·      Shadow IT / Shadow Cloud

Middleware, API, EDI

·      Middleware

·      API - Application Programming Interface

·      EDI - Electronic Data Interchange

Web Application Risks

·      Web Application Risks

·      Web Applications / Web Servers / DMZ

·      OWASP Top-10 Web Application Security Risks

·      Web Application Vulnerability Scanning