Course Information
Fundamentals of IT Auditing
Course Description
This course provides a comprehensive overview of the fundamental concepts of IT auditing and how to apply them on the job. Topics include IT governance and the regulatory environment, general controls, application controls, end-user computing, how to perform various IT audits, and more.
Course Objectives
Behavioral Objectives
Upon completion of this course, participants will be able to:
Explore the steps to perform an audit of IT applications that support key business processes, utilizing general IT control audit concepts.
Examine the steps for coordinating the assessment of IT risks with the evaluation of IT general controls.
Recognize the concepts of application controls as they relate to auditing systems in development.
Identify the steps to perform a risk assessment and an evaluation of controls over end-user computer applications, utilizing general IT control concepts.
Detailed Course Outline
Course Topics
Overview of IT Auditing Concepts and Controls
Types of audits internal auditors perform.
The responsibilities, objectives, and skills needed to perform IT audits.
How COSO relates to IT auditing.
Commonly referenced regulations affecting IT audits.
Overview of Key Technical Processes and IT General Controls
Key technical processes.
IT governance.
Project management.
Traditional IT general controls (ITGCs).
Common physical security controls.
Common environmental controls.
Administrative controls.
Computer operations controls.
Introduction to IT Change Management
The IT change management process.
Standard types of technology changes.
Risks and costs of ineffective or inefficient IT change management.
Controls by function.
Internal Audit’s role in IT change management.
Fundamentals of Logical Security
General system security concepts.
The IAAA Model.
Identification.
Authentication.
Authorization.
Auditing.
Primary activities regarding access management.
Availability and Corrective Controls
Recovery objectives.
Availability concepts.
Business continuity.
Disaster recovery.
Incident response.
Auditing availability and corrective controls recovery processes.
System Development Life Cycle
System development life cycle concepts.
System development life cycle frameworks.
Auditing the system development life cycle.
Application Controls
Types of application controls.
Purpose, risks, and control activities relating to:
Input controls.
Processing controls.
Output controls.
Interface controls.
Audit trails (log files).
General application security.
End-User Computing – Shadow IT
Overview of end-user computing.
User-developed applications (UDA) risks and controls.
Dependence on spreadsheets within financial activities.
User-acquired systems (UAS) risks and controls.
Auditing end-user computing.
Networking Essentials
Key networking concepts and technologies.
Typical networking risks.
Traditional networking controls and tools.
Cloud Computing
Basics of cloud computing.
Cloud environments.
Benefits of cloud computing.
Cloud service risks.
Cloud controls.
Importance of the Statement on Standards for Attestation Engagements (SSAE) System and Organizational Controls (SOC) reports.
Prerequisites
No prerequisites required.
YB 4.23(k)
Instructors
Megan is currently the Chief Information Officer for the First National Bank of Paragould. Prior to becoming the CIO, Megan was the Director of Internal Audit at Simmons Bank, where she was primarily responsible for IT Auditing, Audit Data Analytics and Innovation, Auditor Development, and Quality Assurance. Previous responsibilities included developing policies, processes, standards, and work programs for operational, compliance, branch and financial audits and overseeing audit projects. She has led Simmons Bank in preparing for the transition from a community bank to a regional banking organization (over $10 Billion in total assets) and transitioned the department from a fully outsourced model to a co-sourced function. She has been heavily involved in new technology implementation, both within the audit department and across the organization, and developed a risk assessment tool to enable Internal Audit to use risk-based approaches for auditing technology implementations. She also has audit and management experience with significant mergers and acquisitions activities.
Prior to joining Simmons Bank, Megan worked for the Office of the Comptroller of the Currency, where she served as a commissioned National Bank Examiner and participated in and oversaw bank examinations for national banks of all sizes. She served as a Training Team Leader and Training Team Assistant for the OCC, delivering an intensive training curriculum to new hires.
Additional Information
TAC Rule 523.142(g) requires the CPE Sponsor to monitor individual attendance and assign the correct number of CPE credits. Participants will be asked to document their time of arrival and departure in compliance with this Rule. Additionally, attendance will be monitored throughout the day and CPE certificates will reflect actual attendance of each participant.
To see answers to our Frequently Asked Questions, visit http://www.sao.texas.gov/training/faq.html.