IT Audit with COBIT Standard Audit
Monday - Wednesday, January 14 - 16, 2013, 00:00 - 00:00 WIB
Hotel in South Jakarta, Jakarta
BACKGROUND
The IT Audit course is designed to provide a practical view of conducting IT
audit and assurance in an organization. The course is designed to support
professional staff in expanding their understanding of information technology (IT)
audit.
The course presents a more in-depth view of the fundamentals of IT auditing
by highlighting topics such as IT audit and control analysis, examination of
control evidence in conducting an IT audit, application controls, and management of
the IT audit. The course includes discussion and exercises related to general
control examinations and application system auditing. The course also focuses
on control research and analysis for IT-related topic areas. In addition,
through discussion and exercises, students will gain a working understanding of
the process of developing audit work programs.
Participants will be expected to gain a working understanding
of how to identify, reference and implement IT management and control policies,
standards and related auditing standards. Regarding the latter, the objective is
to learn how to identify and interpret the requirements of the standards and
implement them in the audit process.
Each class session will include discussion of IT audit
management, security, control or audit issues that participants should be
familiar with.
OBJECTIVES
At the completion of this course, participants should be able to:
- Participants will obtain an expanded understanding of the role of IT
auditors in evaluating IT-related operational and control risk and in
assessing the appropriateness and adequacy of management control practices
and IT-related controls inside the participants' organization
- Participants will obtain the capability to conduct IT audits and
apply techniques for performing assurance, attestation, and audit
engagements
- Participants will obtain an expanded familiarity with the principal
references in IT governance, control and security as related to IT audit
- Participants will obtain the working ability to plan, conduct, and report
on information technology audits
- Participants will obtain an understanding of the role of IT auditors
regarding IT-related compliance and regulatory audits, such as evaluating
control standards
SYLLABUS
Audit Overview
At the completion of this module, participants should be able to:
- Participants will obtain an expanded understanding of the role of IT auditors
in evaluating IT-related operational and control risk and in assessing the
appropriateness and adequacy of management control practices and IT-related
controls inside the participants' organization
- Participants will obtain the capability to conduct IT audits and
apply techniques for performing assurance, attestation, and audit
engagements
- Participants will obtain an expanded familiarity with the principal
references in IT governance, control and security as related to IT audit
- Participants will obtain the working ability to plan, conduct, and report
on information technology audits
- Participants will obtain an understanding of the role of IT auditors
regarding IT-related compliance and regulatory audits, such as evaluating
control standards
Building an Effective IT Audit Function
- Participants will understand how to build an effective IT audit function, how to
plan and organize the team, how to communicate with the client and how to investigate
properly and correctly, so that the audit objectives are achieved.
The Audit Process
- Participants will understand how the audit process should be run in
a standard, structured and effective way.
Auditing Techniques
- Ten key areas that have different characteristics in the information
technology organization. Participants will be equipped with the knowledge of
how to perform audit techniques correctly and effectively.
Auditing Entity-Level Controls
- This chapter covers the areas that the auditor generally should expect to
see centralized. Most of these topics set the "tone at the top" for the
IT organization and provide overall governance of the IT environment.
Auditing Data Centers and Disaster Recovery
- Participants will understand the purpose of auditing a data center; we will
explore the facilities-based controls, security systems and site controls,
as well as the policies, plans, and procedures used in managing data center
operations.
Auditing Switches, Routers, and Firewalls
- Participants should be able to use the International Standards
Organization's (ISO) Open Systems Interconnection (OSI) model to understand
routers, switches, and firewalls. The seven-layer OSI model will help
participants understand the essentials so that you can comfortably audit
your networking environment. We will do this using simple analogies and
examples while avoiding overly complex issues.
Auditing Windows Operating Systems
- There are some key things that you need to know about auditing Windows
that will make you more accurate and efficient. Remember that Windows is
just a platform, and you have to consider the overlying applications that
make use of the platform before you can sign off on a machine as passing an
audit. The more applications you add to the platform, the more potential
trouble areas you have as an auditor. Participants should be able to consider
the challenges the other applications bring to the table. This concept is
true for any platform, including Unix, Solaris, Mac, and others.
Auditing Unix and Linux Operating Systems
- Participants will obtain an understanding of the Unix and Linux operating systems,
understand the risks on Unix and Linux, and know some essential commands and
functions
- Participants will also be shown how to use some of the tools listed in the
"Tools and Technology" section later in this chapter that can automate
the process of identifying open ports and the applications that run on them.
- Account management and password controls
- File security and controls
- Network security and controls
- Audit logs
- Security monitoring and other controls
Auditing Web Servers
- Participants will know and understand the trick to auditing web servers:
understand how to compartmentalize the task and then correctly specify the scope
of the work you want to accomplish. Auditing in this case means trying to use 20
percent of the tools and technologies available to discover 80 percent of
the possible risks present in the system or the processes around the
system. We are going to equip you with the tools to outline and begin
execution of your audit. Release yourself from the guilt of not being
perfect, or you will either never get started or you'll end up ineffective
as you try to cover too much with too few resources and too little knowledge.
Auditing Databases
- Participants need a basic understanding of how a database works. Here,
we will cover a broad set of components that participants, as the auditors,
will need to understand to audit a database properly.
Auditing Applications
- This chapter should be used to generate thoughts and ideas regarding audit
program steps more specific to the application being audited. Staying on top
of every new technology that attaches itself to your environment is tough.
It's our job as auditors to quickly drill down into new applications to find
potential control weaknesses. We're going to discover how to examine
applications conceptually using big-picture and abstract frameworks. We also
will suggest a fairly comprehensive set of checks that will greatly assist
you in covering the vast majority of common control weaknesses.
- Application Auditing Essentials. It would be perfect if you
had a perfect audit program you could apply quickly to your perfect
application. However, the reality is that you're faced with new ideas and
approaches for solving business problems with new technology that require a
new audit program. As you struggle with the questions to ask, you will find
the frameworks and best practices below helpful.
- Generalized Frameworks. Generalized frameworks are useful
for meetings where you've been put on the spot to come up with questions and
possible risks associated with a new application. You might even find
yourself walking into a meeting, taking out a blank sheet of paper, and
writing "PPTM," "STRIDE," and "PDIO" at
the top before the meeting ever starts.
Auditing WLAN and Mobile Devices
- Participants will understand how to audit WLANs and mobile devices and
know the risks in this area. For the purpose of our discussion, wired
network gateways include those items physically touching our network and
acting as the interface or gateway between the wireless world and our
organization's network. An audit of the wired network components includes
verifying the security of the underlying platform and the settings on that
platform. Management software for our purposes includes the software that
manages the process enabling our mobile clients to communicate with the
network. This may be Cisco's software that manages our access points or
Blackberry Enterprise Server's software that manages client access. The
management software may or may not run on the gateway component that
isolates clients from your physical network. The clients in our case present
unique risks to data theft, and we'll explore some very easy and very common
methods for mitigating the risk.
Auditing Company Projects
Frameworks, Standards, and Regulations
- Participants will be taken through a discussion of:
- COSO framework
- COBIT framework
- IT Infrastructure Library
- ISO 27001 / ISO 17799 / BS 7799
- Framework and standards trends
Frameworks and Standards
- All over the globe, accounting- and technology-related professional
associations are collaborating on standards. Business practices vary
significantly around the world, so a single set of frameworks and standards
will not appear in the near future. However, these developing frameworks and
standards generate discussions that do serve to clarify and provide
understanding among disparate foreign bodies in the conduct of trade. While
a single set of international standards is not imminent, the tools described
in this chapter are nonetheless serving to bridge understanding and promote
trade that ultimately benefits all the participants.
Regulations
- Participants will be taken through a discussion of:
- Regulatory Impact on IT Audit
- History of Corporate Financial Regulation
- The Sarbanes-Oxley Act 2002
- Specific IT Controls Required for Sarbanes-Oxley Compliance
- IT Security
- Change Control
- Data Management
- IT Operation
- Network Operations
- Asset Management
- Payment Card Industry - Data Security Standard (PCI-DSS)
Risk Management
- Finally, participants should know and understand IT risk management.
Classes will include a deep discussion of:
- Benefits of Risk Management
- Risk Analysis
- Risk Elements: Asset, Threat, Vulnerabilities
- IT Risk Scenarios
- Risk Management Processes
TRAINING METHOD
This training uses an interactive method, in which participants are introduced to
the concepts, given examples of their application, practice using the concepts, and
discuss the process and results of the exercises.
1. 50% Theory
2. 50% Practices
3. Dynamic and interactive training presentation.
TARGET AUDIENCE
- IT Managers
- Security Managers
- Audit Staff
- IT Operations Staff