Course Information
Information Technology Audit Boot Camp: Demystifying IT and Process Analysis in Complex Systems
Parking for SAO, Professional Development courses is in Garage B (1511 San Jacinto Blvd.). The Garage signage may read 1511 San Jacinto or Garage B. The elevator in Garage B is not reliable. If you are unable to walk the stairs, please contact the professionaldevelopment@sao.texas.gov for alternate parking arrangements. Handicapped parking is free at the meters around the downtown area.
A course coordinator will Email you a parking permit prior to the course start date. A permit must be displayed or you will be ticketed.
Course Description
As a generalization… the younger you are…the more technology proficient you are. There, I said it. Sometimes, however, these same technology-charged folks have a difficult time “seeing the business risk, AND audit risk in technology-enabled applications”. Can you easily “see” how a firewall “thinks” (which is different than how a router thinks), or the various I.T. componentry necessary to place kiosks throughout the DMV? Further, can you “translate” I.T. risk into business risk ... and audit risk. I have found that even the most tech-savvy folks, sometimes, get “lost in translation”.
And, yet, when you really look at their apps … slowly and analytically, there really AREN’T so complex! Maybe we just need to DEMYSTIFY the seemingly mystical world of I.T.? So, how about we take a slow ride into the world technology … enabling an IT infrastructure and business applications. Along the way, we’ll discover this truism…
I.T. RISK = BUSINESS RISK
Business Risk = Audit Risk, therefore
I.T. Risk= Audit Risk
The days of “integrated auditing” arrived…20 years ago! Every audit has an I.T. component! And, every auditor “audits computer enabled apps”, thus all auditor are I.T. auditor (I.T. auditors, now, have a different set of concern). Thinks like access controls, once a bastion of “those I.T. audit guys: are now squarely in the sandbox of ALL auditors. The business world has evolved from “Brick & Mortar to Click and Order!
The key to all this is understanding General and Application controls, and their interplay. Can you rely on the application controls if the general controls are vapor? Are all general controls needed to secure a specific application. Which controls are “over” an app, versus the controls “in” the app? How can I see them??? HELP!
We will delve into 1) network architectures, 2) Public Key Infrastructure, 3) firewalls and scanning and 4) access controls/schemas. Additionally, let’s differentiate real-time from run time, database versus a base of data and edits versus validations. Then we’ll take typical business applications, like kiosks or phone apps, and look at the related business risks.
Another part of this course is Business Process Analysis (BPA) in complex systems. Here is the typical “groans list” of frustrations that Dr. Dan receives from Internal Audit managers regarding BPA, “Our audit staff doesn’t understand the process, focus on the critical processes/functions or focus on the essential controls.”
Course Objectives
Upon completion of this course, participants will be able to:
· Understand an IT network diagram.
· Realize the audit assertions relevant to IT systems.
· Ponder the impact of IT upon internal controls.
· Realize that IT risk = business risk = audit risk.
· Explain the AICPA paradigm on General and Application controls and their interplay.
· Differentiate controls “over” an app/database versus controls “in” an app/database.
· Realize the importance of “asking the right questions” to Business Unit Managers as regards to computerized controls.
· Identify the critical metrics useful for determining “in/out” of control for an IT process.
· Discover the evolution of shifting audit efforts from field work phase to the planning phase.
· Explain the Internal Control trilogy.
· Differentiate preventive, detective and corrective controls.
· Realize the vast informational content contained in a process flowchart.
· Apply a structured methodology to capturing essential information for process analysis.
· Draw a process-level application flowchart.
· Differentiate Tests of Design (TODs) from Tests of Operating Effectiveness (TOES) for Tests of Controls.
· Discover the evolution of shifting audit efforts from field work phase to the planning phase.
· Differentiate between controls “placed in operation” and controls “operating effectively.”
· Explain a control “review” versus a control “test.”
· Identify embedded controls opportunities in SAP, Oracle, PeopleSoft and … COBOL!
· Assess the business risks, and audit risks of automated applications.
· Determine the key process and control points in automated applications.
· Propose multiple audit strategies for automated application audits.
· Identify the fraud potential in automated applications.
· Document key application controls.
· Test key application controls
· Tie basic financial audit assertions to automated applications.
· Discuss advanced application concepts (C2B, B2B, E2B, and Oracle Triggers).
Course Outline
A. The Digital Economy Landscape: What’s Needed is Secure Electronic Commerce
1. Emerging e-Commerce Models (C2B, B2B, and E2B) and Issues
a. General Flow: External Consumer Touching Systems
B. A Deep Dive into I.T. … Don’t Get Scared
1. I.T. networks and Architecture
2. Routers, Firewalls ... and hackers
3. Encryption and VPNs
4. You employees…the biggest risk
5. User schemas
6. Typical apps, and “what can go wrong”
C. Audit Assertions … Bridged to the Auditing of Automated Applications
2. Do Classic (COSO) Audit Assertions Change Automated Applications?
3. Translating Financial Audit Assertions into Automated Application Objectives (a.k.a., “IT Department Lingo”)
D. Control and Security Frameworks
1. AICPA’s General and Application Controls
2. Dr. Dan’s Control and Security Framework
3. The Blurring of General and Application Controls
a. The CobiT: Domains à Processes à Activities/Tasks
4. TAC 202
E. Risk Assessment
a. Why is an Automated Application Risky?
F. Audit Strategies for Automated Applications (and CAATs)
1. “What” to Test and “How” to Test Automated Applications
2. Auditing Upside Down
3. Tests of Controls (TOCs): TODs and TOEs
4. Auditing “Around,” “Thru”, and “With” the Computer
G. General Controls
1. General Control Risks and Key Control Points in Automated Applications
a. You are Here … Our Red Table
b. The Top 2 All-Time General Control Risks
c. Access Control
d. Program Change Management and Change Control (Who Can Touch the Code)
e. Interfaces
f. Business Continuity
g. Process Maps
h. Classic Application Flowcharts
i. Application Flowcharting: Getting Started
H. Application Controls
1. Application control Risks and Key Control Points
a. You are Here … Our Red Table
b. The Evolving Nature of Process Level Controls
c. Input Controls
i. Detailed Listing of Input Controls
ii. Edits versus Validations
d. Processing Controls
i. Detailed Listing of Process Controls
e. Output Controls
i. Detailed Listing of End-User Controls
ii. Don’t Poo-poo Manual Controls
I. Fraud Issues in Automated Applications
1. Case Study: Fraud Issues in Automated Applications Environments
J. The Future of Controls … Embedded in the Apps (ERPs)
a. A re-visit to great concepts: edits and validation controls
b. Process-level controls IN the apps … they never sleep!
c. SAP configurables and Oracle/PeopleSoft triggers
d. Helping management: process optimization
K. Control TESTING, not “reviews”
1. Tests of Operating Effectiveness (TOEs) versus Tests of Design (TODs)
2. Auditing around, thru, with and continuous) and dangerous assumptions
L. Evolving to a World of Continuous Controls Monitoring
1. How to “ping” embedded controls
2. How to assure control integrity
Instructors
Amanda has a Bachelor degree in Business with a double major in Accountancy and Public Sector Financial Management, is a qualified CPA and is a member of both the Institute of Internal Auditors (IIA) Australia and the Association of Certified Fraud Examiners. With 12 years of practical experience in the field of audit (internal and external audit) plus over four years as a professional development instructor, Amanda’s goal is to proactively “make a difference”.
Amanda began her career in Australia as a Governmental auditor with the Queensland Audit Office, and got her first taste of teaching when she nominated to lead the Office’s Graduate Development Program as their in-house trainer, over and above her role as a field audit team leader for financial statement audits. After nine years in the field of external audit, Amanda transitioned to the field of internal audit. As an internal auditor she headed the team for the State’s Environmental Protection Agency and subsequently worked with one of the State’s largest Government departments, Queensland Health. It was at Queensland Health where Amanda was introduced to the popular and innovative techniques of Dr. Dan Kneer. Amanda is now proud to be sharing these cutting edge techniques globally.
As a professional development instructor, Amanda promotes techniques helping colleagues to ‘audit smarter, not harder’. Her speaking engagements and workshops have taken her to various international destinations beyond her home base in Australia, including Taiwan, Dubai, Fiji, Thailand, New Zealand, Papua New Guinea, the Philippines and Singapore. Amanda encourages innovation in the field of audit, teaching techniques ranging from statistical data analytics and continuous controls monitoring to statistical sampling and business process analysis in an IT pervasive environment.
Additional Information
If you are making travel plans to come to Austin, we recommend making "refundable" air and hotel reservations or waiting until 14 days before the class to actually book your reservations. Courses are occasionally canceled or rescheduled due to low enrollment. We determine whether a course has enough participants 16 days prior to the course date. If we cancel or reschedule, we will email the participant and his or her billing contact no later than 14 days before the original class date.
The course coordinator will contact you with parking information. Handicapped parking is free at the meters around the downtown area.
Vending machines with Coca-Cola products and various snack items are available. There is also a refrigerator and microwave in our coffee bar area. Feel free to bring in your own drinks and food if you prefer.
You might want to bring a light sweater or jacket, as room temperatures vary.
To see answers to our Frequently Asked Questions, visit http://www.sao.texas.gov/training/faq.html.