Fundamentals of IT Auditing
This course provides a comprehensive overview of the fundamental concepts of IT auditing and how to apply them on the job. Topics include IT governance and the regulatory environment, general controls, application controls, end-user computing, and how to plan and perform various IT audits.
Upon completion of this course, participants will be able to:
Explore the steps to perform an audit of IT applications that support key business processes, utilizing general IT control audit concepts.
Examine the steps for coordinating the assessment of IT risks with the evaluation of IT general controls.
Recognize the concepts of application controls as they relate to auditing systems in development.
Identify the steps to perform a risk assessment and an evaluation of controls over end-user computing applications, utilizing general IT control concepts.
Detailed Course Outline
Overview of IT Auditing Concepts and Controls
Types of audits internal auditors perform.
The responsibilities, objectives, and skills needed to perform IT audits.
How COSO relates to IT auditing.
Commonly referenced regulations affecting IT audits.
Overview of Key Technical Processes and IT General Controls
Key technical processes.
Traditional IT general controls (ITGCs).
Common physical security controls.
Common environmental controls.
Computer operations controls.
Introduction to IT Change Management
The IT change management process.
Standard types of technology changes.
Risks and costs of ineffective or inefficient IT change management.
Controls by function.
Internal Audit’s role in IT change management.
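A typical audit test of the change-management controls listed above is to reconcile production deployments to the change records that should authorize them: every deployment should trace to a change that was approved before it went live, by someone other than the requester or implementer, and within a reasonable window. The script below is an added illustration, not part of the course material; the record fields, the seven-day approval window and the sample data are constructed assumptions chosen to show each exception type once.

```python
"""Illustrative ITGC test: reconcile production deployments against approved
change records. Added example with constructed sample data; the field names,
the seven-day approval window and the data itself are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class ChangeRecord:
    change_id: str
    requester: str
    approver: Optional[str]
    approved_at: Optional[datetime]
    status: str  # "approved", "rejected" or "pending"


@dataclass
class Deployment:
    deploy_id: str
    change_id: Optional[str]  # None when the deploy tool recorded no ticket
    deployed_by: str
    deployed_at: datetime


def audit_changes(changes: List[ChangeRecord], deployments: List[Deployment],
                  max_lag: timedelta = timedelta(days=7)) -> List[Tuple[str, str]]:
    """Return (deploy_id, finding) pairs for every deployment that fails a
    control test. A clean deployment produces no entry."""
    by_id = {c.change_id: c for c in changes}
    findings = []
    for d in deployments:
        # Test 1: every production change must be tied to a change record.
        if not d.change_id or d.change_id not in by_id:
            findings.append((d.deploy_id, "no_change_record"))
            continue
        c = by_id[d.change_id]
        # Test 2: the record must carry a completed approval.
        if c.status != "approved" or c.approver is None or c.approved_at is None:
            findings.append((d.deploy_id, "not_approved"))
            continue
        # Test 3: approval must precede deployment (no after-the-fact sign-off).
        if c.approved_at > d.deployed_at:
            findings.append((d.deploy_id, "approved_after_deploy"))
        # Test 4: segregation of duties - approver may not be the requester
        # or the person who pushed the change.
        if c.approver in (c.requester, d.deployed_by):
            findings.append((d.deploy_id, "segregation_of_duties"))
        # Test 5: approval must still be current when the change is deployed.
        if d.deployed_at - c.approved_at > max_lag:
            findings.append((d.deploy_id, "stale_approval"))
    return findings


# Constructed sample population: one clean deployment plus one of each exception.
CHANGES = [
    ChangeRecord("CHG-1001", "alice", "bob", datetime(2024, 3, 1, 9), "approved"),
    ChangeRecord("CHG-1002", "carol", "carol", datetime(2024, 3, 2, 10), "approved"),  # self-approved
    ChangeRecord("CHG-1003", "dave", None, None, "pending"),                          # never approved
    ChangeRecord("CHG-1004", "erin", "frank", datetime(2024, 3, 10, 8), "approved"),  # approved later
    ChangeRecord("CHG-1005", "gina", "hank", datetime(2024, 1, 5, 8), "approved"),    # old approval
]
DEPLOYMENTS = [
    Deployment("DEP-1", "CHG-1001", "alice", datetime(2024, 3, 1, 18)),
    Deployment("DEP-2", "CHG-1002", "carol", datetime(2024, 3, 2, 12)),
    Deployment("DEP-3", "CHG-1003", "dave", datetime(2024, 3, 3, 12)),
    Deployment("DEP-4", "CHG-1004", "erin", datetime(2024, 3, 9, 12)),
    Deployment("DEP-5", None, "ivan", datetime(2024, 3, 4, 12)),
    Deployment("DEP-6", "CHG-1005", "gina", datetime(2024, 3, 5, 12)),
]


def exception_rate(changes: List[ChangeRecord], deployments: List[Deployment]) -> float:
    """Share of deployments with at least one finding; a quick population-level
    indicator of whether the control is operating effectively."""
    flagged = {deploy_id for deploy_id, _ in audit_changes(changes, deployments)}
    return len(flagged) / len(deployments) if deployments else 0.0


if __name__ == "__main__":
    for deploy_id, finding in audit_changes(CHANGES, DEPLOYMENTS):
        print(f"{deploy_id}: {finding}")
    print(f"exception rate: {exception_rate(CHANGES, DEPLOYMENTS):.0%}")
```

In practice the two lists would be pulled from the deployment pipeline and the ticketing system for the audit period, and the population would be sampled or tested in full before the findings are discussed with the change-management owner. A high exception rate in a small sample is usually a reason to expand testing rather than to conclude on the control.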
Fundamentals of Logical Security
General system security concepts.
The IAAA Model.
Primary activities regarding access management.
Availability and Corrective Controls
Auditing availability controls and corrective (recovery) processes.
System Development Life Cycle
System development life cycle concepts.
System development life cycle frameworks.
Auditing the system development life cycle.
Application Controls
Types of application controls.
Purpose, risks, and control activities relating to:
Audit trails (log files).
General application security.
End-User Computing – Shadow IT
Overview of end-user computing.
User-developed applications (UDA) risks and controls.
Dependence on spreadsheets within financial activities.
User-acquired-systems (UAS) risks and controls.
Auditing end-user computing.
Networking
Key networking concepts and technologies.
Typical networking risks.
Traditional networking controls and tools.
Cloud Computing
Basics of cloud computing.
Benefits of cloud computing.
Cloud service risks.
Importance of the Statement on Standards for Attestation Engagements (SSAE) System and Organizational Controls (SOC) reports.
Prerequisites: none.
Megan is currently the Chief Information Officer for the First National Bank of Paragould. Prior to becoming the CIO, Megan was the Director of Internal Audit at Simmons Bank, where she was primarily responsible for IT Auditing, Audit Data Analytics and Innovation, Auditor Development, and Quality Assurance. Previous responsibilities included developing policies, processes, standards, and work programs for operational, compliance, branch, and financial audits and overseeing audit projects. She led Simmons Bank in preparing for the transition from a community bank to a regional banking organization (over $10 billion in total assets) and transitioned the department from a fully outsourced model to a co-sourced function. She has been heavily involved in new technology implementation, both within the audit department and across the organization, and developed a risk assessment tool to enable Internal Audit to use risk-based approaches for auditing technology implementations. She also has audit and management experience with significant mergers and acquisitions activity.
Prior to joining Simmons Bank, Megan worked for the Office of the Comptroller of the Currency, where she served as a commissioned National Bank Examiner and participated in and oversaw bank examinations for national banks of all sizes. She served as a Training Team Leader and Training Team Assistant for the OCC, delivering an intensive training curriculum to new hires.
TAC Rule 523.142(g) requires the CPE Sponsor to monitor individual attendance and assign the correct number of CPE credits. Participants will be asked to document their time of arrival and departure in compliance with this Rule. Additionally, attendance will be monitored throughout the day and CPE certificates will reflect actual attendance of each participant.
To see answers to our Frequently Asked Questions, visit http://www.sao.texas.gov/training/faq.html.