Assessing IT Risks & Controls

On-Demand - 24-CPE

Updated 1/14/2023


Cyberattacks, emerging technologies, and complex IT environments require continual training for all auditors to address the enterprise’s increasing information security risks.

This seminar is targeted toward IT auditors, financial & operational auditors and audit management to provide a foundational understanding of key risks, critical controls, IT audit processes and internationally recognized information security frameworks and resources.

During this 24-CPE class you will examine essential IT general controls and business application controls necessary to provide reasonable assurance regarding the confidentiality, integrity and availability of the enterprise’s information assets.

You will leave equipped with the basics of information security as they apply to addressing critical enterprise IT risks.

Which course should I enroll in?

ERP Risk Advisors offers both a 16-CPE Introduction to Assessing IT Risks & Controls course and a 24-CPE Assessing IT Risks & Controls course.

The 24-CPE Assessing IT Risks & Controls class explores a more extensive list of topics relevant to today’s auditors and includes a monthly call with the instructor.

We recommend choosing between the 16-CPE and 24-CPE courses based on the topics covered. See the description of the 16-CPE course for the list of topics it covers.




Seminar Agenda:

IT Risks

· IT Risk Definition

· Information Security Objectives

· Data Breach Commonalities

· Defense in Depth

· Security & Control Resources

o Center for Internet Security (CIS) Controls

o IIA Global Technology Audit Guides (GTAGs)

o ISACA COBIT

o NIST Cybersecurity Framework (CSF)


Performing Integrated Audits

· Defining Integrated Auditing

· Scoping Integrated Audits

· Business and Application Controls

· Integrated Audits - Challenges

· COSO – Principle 11


Information Technology Overview

· Operating Systems (OS)

· Mainframe Environment

· Client Server Technology

· Middleware

· Virtualization / Virtual Servers

· Databases

· Cloud Computing


IT Operations - 60 Minutes

· IT Asset Management

· IT Vulnerability Management

· Incident Response Management

· Malware / Ransomware


Access Management

· User Identification and Authentication

· Single Sign-On

· Authorization Controls

· Separation of Duties

· Controlling Privileged Access

· Audit Trail & Review

· Log Management


Change, Patch & Configuration Management

· Change Management

· Patch Management

· Security Configuration Management


Network Perimeter Security

· Network Risks

· Firewalls

· Demilitarized Zone (DMZ)

· Intrusion Detection / Prevention Systems

· Protecting Sensitive Information / Encryption


Web Application Risks

· Web Application Risks

· Web Applications / Web Servers / DMZ

· OWASP Top-10 Web Application Security Risks

· Web Application Vulnerability Scanning


Cloud Computing

· Cloud Security Incidents

· Defining Cloud Characteristics

· Cloud Benefits and Risks

· Cloud Security Organizations - CSA, FedRAMP

· Assessing Cloud Controls


Middleware, API, EDI

· Middleware

· API - Application Programming Interface

· EDI - Electronic Data Interchange


Business Application Systems

· Business Application Audit Objectives

· Batch, On-line, Web-facing and Real-time Models

· Enterprise Resource Planning (ERP) Systems


Business Application Transaction Risks

· Determining Application Risks

· Performing Walkthroughs

· Automated & Manual Controls

· IT Dependent Manual Controls

· Application-Level IT General Controls


Business Application Controls

· Completeness & Accuracy of Input

· Error Handling

· Completeness & Accuracy of Processing

· Completeness & Accuracy of Output

· Output Retention & Disposal

· Completeness & Accuracy of Masters

· Completeness & Accuracy of Interfaces


Testing Business Application Controls

· Testing Operating Effectiveness

· Testing Automated Controls

· Testing IT Dependent Manual Controls

· Data Analytics & CAATs


End User Computing (EUC)

· EUC / UDA Computing Risks

· Spreadsheet Risk Factors

· Evaluating End User Controls

· Shadow IT / Shadow Cloud


Assessing Systems Development Projects

· Software Development Risks

· Audit's Primary Objectives

· Staffing the Audit

· Traditional / Waterfall Development Model

· Agile Development Model

· Assessing Project Management

· Assessing System Implementation Plans


Emerging Technologies

· Artificial Intelligence - AI

· Neural Networks

· Business Intelligence - BI

· Machine Learning Risks

· Robotic Process Automation – RPA

· Internet of Things - IoT


Encryption

· Cryptography Concepts

· Symmetric Key Encryption

· Asymmetric Key Encryption

· Digital Signatures

· Certificate Authorities (CAs)

· HTTPS - TLS Protocol

· Key Management Considerations

Course Curriculum


· Introduction & Objectives

· IT Risks

· Performing Integrated Audits

· Technology Overview

· IT Operations

· Access Management

· Change Management

· Networks

· Web Application Risks

· Cloud Computing

· Middleware, Application Programming Interfaces, and Electronic Data Interchanges

· Half Time Review

· Application Controls Introduction

· Determining Application Risks

· Application Controls

· Testing

· End User Computing

· Assessing Systems Development Projects

· Emerging Technologies

· Encryption

· Summary and Review

· Course Test