Uploaded by9535814851
PPTX, PDF2,523 views

it grc

Information technology has significantly impacted the accounting discipline by introducing new ways to retrieve and process performance and control information. IT systems like ERP separate financial from non-financial data, enabling better accounting. However, they also provide new potential for management control as data becomes more shareable. Information system auditing evaluates information systems to assess control effectiveness and adequacy in helping an organization achieve its objectives. It identifies risks from IT usage and suggests control improvements. Key elements of IS audits include assessing data, applications, technology, facilities, people, and reviewing system administration, software, network security, business continuity, and data integrity.

Embed presentation

Downloaded 113 times
INTRODUCTION Information technology has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. It for managing organizational controls by analyzing value drivers for particular accounting information systems that commonly runs under the label of governance, risk management and compliance (GRC IS). Information systems such as enterprise resource planning systems separate financial from nan-financial data and therefore enable better financial accounting. On the other hand, they provide new potential for management control as “data become accurate, shareable and available to many different parties but does hardly create the panoptic dreams of visibility and action at a distance”.
Governance The process by which policy is set and decision making is executed. Governance is the of policies, laws, culture, and institutions that define how an organization should be managed.
• The process for preventing an unacceptable level of uncertainty in business objectives with a balance of avoidance through reconsideration of objectives, mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms. It is also the process to ensure that important business processes and behaviors remain within the tolerances associated with policies and decisions set through the provenance process. Risk management is coordinate activities that direct and control an organization forecasting and managing events/risks that might have a negative impact on the business.
The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements. Compliance is the act of adhering to regulations as well as corporate policies and procedures.
 Create and distribute policies and controls and map them to regulations and internal compliance requirements.  Assess whether the controls are actually in place and working and fix them if they are not.  Ease risk assessment and mitigation.  IT GRC provide coordination and standardization of policies and controls.  Automate information gathering.  It enable enterprises to rapidly adapt to change.
governance Enterprise risk management and assessment Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc. Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc Policy management, documentation and communication
• Risk assessment • Risk analysis and prioritization • Root cause analysis of issues and mitigation • Risk analytics and trend analysis
• Flexible controls hierarchy • Assessments and audits • Issues tracking and remediation • analytics
Importance of IT-GRC • An improvement in the quality and availability of information; • A reduction in breaches and errors; • A reduction in costs and greater efficiencies; • A more flexible and externally focused workforce capable of rapid change to meet customer and organizational needs; • A greater assurance for the organization and its board and senior management that grace issues are being appropriately dealt with and the organization remains “on target” with its performance objectives; and • Improved levels of communication across the organization the organization.
BUSINESS IS MORE DEPENDENT ON IT • IT environment is more complex. • Less time between IT failures and organizational impact. • Increase in threats related to IT. • Increase in threats related to IT. • Increase in regulations, standards and controls.
IT GRC Challenges • Mapping the policies and control • Audit fatigue • Security exposure • Redundancy and inefficiency
Other Challenges • A perception by staff that the initiative may have an ulterior motive, for example a cost recovery drive or head count reduction. • Business unit managers or middle management are fearful of being marginalized as GRC responsibilities are devolved to those in lower levels of the hierarchy. • Organizations are sometimes skeptical regarding the targeting and measurement systems proposed and are concerned that there will not ultimately be an appropriate return on investment given the establishment and maintenance costs involved. • Corporate cynicism and skepticism around the outcomes and results achieved from past planned organizational change (and management “fads” generally).
Factors to be consider at the time of implementation of IT GRC • Strategy • Reporting and audit • Legal function • Information technology • Ethics and corporate social responsibility • Corporate culture • Business process management
Information system audit standards
Introduction Information systems auditing involves using technical tools and expertise to evaluate the adequacy and effectiveness of information systems in an organization. Further, it involves working with management to identify weak controls and risk, which arises due to the application of technology in a business. It also suggests ways to enhance these weak controls to increase the reliability of IS, which will help an organization to achieve its strategic objectives.
Meaning Information systems audit is a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently. The common element between any manual audit and IS audit is data integrity. All type of audits (information audits) have to evaluate the data integrity. Since IS audit involves efficiency and effectiveness, it includes some elements of management and proprietary audit too.
IS auditing methodology • Step 1: define objectives of the audit. • Step 2: obtain basic understanding of systems and flow of transactions. • Step 3 : Detailed information gathering • Step 4 : Search for exposures that exist under the system and suggest the control in eliminate the exposure. • Step 5 : Define Auditing procedures to verify controls. • Step 6 : Perform audit test using various techniques and tools. • Step 7 : Evaluation of findings. • Step 8 : Generation of Report.
Scope of IS audit • Data • Application systems • Technology • Facilities • People
Elements of IS audit Exposures Causes Controls Physical and environmental review System administration review System administration review Application software review Network security review Business continuity review Data integrity review
Need for IS audit • Confidentiality • Integrity • Availability • Reliability
Categories of IS audits • Systems and applications • Information processing facilities • Systems development • Management of IT and enterprise architecture • Telecommunications intranets and extranets
Information Security and management standard Meaning information security relates to the physical and logical protection of data or information recorded, processed, shared, transmitted or received from an electronic from. The protection is provided against joss, inaccessibility, alternation, or unauthorized disclosure. The protection is achieved through physical safeguard such as locks, security guard, insurance etc. and logical safeguard as user identifiers, passwords, firewalls.
Information security • Meaning: • It is the practice of defending information from unauthorized access, use discloser, disruption modification, perusal, inspection recording or destruction • Definition • “Information security is the process of protecting the intellectual property of an organization” • IT security: it is referred to as computer security .a computer is any device with a processor and some memory such device can range from non-networked standalone device as simple as calculator to networked mobile computing device such as smart phone ad tablet .IT security is mainly used in major enterprise establishment due to the nature and value of the data within larger business
Information assurance • The act of ensuring that data is not lost when critical issues aries.thes issues include but are not limited to natural disaster computer server malfunction physical theft or any other instance where data potential of being lost.
Threats Computer system threats come in many different forms. some of the most common threats today are software attack, theft of intellectual property identity theft of equipment or info are common example of software attack Key concept of information security Confidentiality Integrity Availability
Risk management ‘Risk management is the process of identifying vulnerabilities and threats to the information resources ‘
control Selecting proper control and implementing those will initially help an organization to bring down risk to acceptable level. Control selection should follow and should be based on the risk assessment .control can vary in nature but they are fundamentally they are ways of protecting the confidentially. Types of control are • Administrative control • Logical control • Physical control
Security organization structure 1. Information security forum (ISF) 2. Information security management group (ISMG) 3. Assistant group security officer (AGSO) 4. System owner 5. Personal security officer (PSO) 6. Line manager 7. Users
Standards For Information Securities The international organization for standardization[ISO] established in 1947, is a non-governmental international body that collaborates with the international commission technology[ITC] standard. The following is commonly referenced ISO security standards.
Introduction to ISO 27001 ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
Framework of ISO 27001 implementation of ISO 27001 is an ideal response legal requirements and potential security threats such as: • Vandalism/Terrorism • Fire • Misuse • Theft • Viral attack
Features of ISO 27001 • Adopted PDCA(PLAN-DO-CHECK-ACT) model. • Adopted a process approach. • Identify-manage actives-function effectively. • Stress on continual process improvements • Scope covers information security not only IT security. • Focused on people, process, technology. • Combination of management control, operational controls and technical control.
Benefits of ISMS ISO 27001 certification: • Independent framework that will take account of all legal and regulatory requirements. • Helps provide a competitive edge to the company. • Helps to identify and meet contractual and regulatory requirements. • Independently verifies that risks to the company are properly identified and managed. • Demonstrates to customers that security of three information is taken seriously.
CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT) INTRODUCTION: COBIT was first released in 1996; the current vision, COBIT 5 was published in 2012. Its mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.
Theframeworkprovidesgoodpracticesacrossadomainandprocessframework: “The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement and identifying the associated responsibilitiesofbusinessandIT processowners.” COBIT is a framework of generally applicable information systems security and control. The framework allows: 1) Benchmarking of the security andcontrol arrangement. 2) Auditor to review internal controls and advise on ITsecurity matters. 3) Users of IT services to beassured that adequate security and control exist
The framework addresses the issue of control from 3 vantage points
IT Processes Controls are required to be implemented in all the processes, which are broken into 4 domains:  Planning and organization  Acquisition and implementation.  Delivery and support and  Monitoring.
Business objectives To satisfy business objectives, information must satisfy some criteria that COBIT refers to as business requirement for information. The criteria are divided into seven categories:  Effectiveness  Efficiency  Confidentiality  Integrity
IT RESOURCES To protect the IT resources must be developed which includes:  People  Application system  Hardware devices  Facilities and data  Security controls.
Advantages of COBIT I. COBIT is aligned with other standards and best practices and should be used together with them. II. It’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization. III. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. IV. It provides tools to help manage IT activities.
1) Strategic alignment focuses on ensuring the linkage of business and IT plans; defining maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations. 2) Value delivery is about executing the value proposition throughout delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing cost and providing the intrinsic value of IT. Cobit has five IT governance areas of concentration
3) Resource management is about the optimum investment and proper management of critical IT resources: applications. Information, infrastructure and people. 4) Risk management is a clear understanding of the enterprises, appetite for risk, understanding of compliance requirements, and transparency into the organization 5) Performance measurements track and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting. Cobit has five IT governance areas of concentration
Health Insurance Portability And Act(HIPAA)
Introduction • The health insurance portability and accountability act (HIPAA) became law in 1996. The purpose of the HIPAA is to improve the efficiency and effectiveness of healthcare transactions by standardizing the exchange of administrative and financial data, as well as protecting the privacy and security of individual health information that is maintained or transmitted.
• HIPAA imposes stringent privacy and security requirements on health plans, healthcare providers, and healthcare clearinghouses that maintain and/or transmit individual health information in electronic form. The term “healthcare provider” includes individual physicians, physician group practices, dentists, other healthcare practitioners, hospitals, and nursing facilities.
Specific objectives of the regulations are: • Standardizing the format and content of primary commercial and administrative electronic healthcare transactions. • Developing standards to protect confidential patient information from improper use or disclosure and establishing patients rights to control such uses. • Developing standards for computer systems and networks to ensure the security, integrity, and availability of patient data.
HIPAA is also know as public law. The Act has five top-level titles: • Title 1. health access, portability, and renewability. • Title 2. preventing health care fraud and abuse (administrative simplification0, which includes: • (1) transaction and code sets (2) identifiers (3) privacy (4) security. • Title 3. Tax-related health previsions (medical savings accounts and health insurance tax deductions for self-employed individuals).
• Title 4. Group health plan provisions • Title 5. Revenue offset provisions.
HIPAA Transaction And Codes • HIPAA is named for its contribution to portability of insurance and accountability for insurance claims. The administrative simplification section of HIPAA requires the standardization of identifiers, code sets and, transactions. HIPAA provides various limits to the exclusions that insurers may use, provides credit for past insurance, and attempts to assure that insurance can be purchased. As stated previously, HIPAA ensures only that insurance is available, not that it is inexpensive.
The Security Rule: • The security lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.
The Standards And Specifications Are As Follows: • Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures. • The policies and procedures nust reference management oversight and organizational buy-in to compliance with the documented security controls. • Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI). • The procedures must address access authorization, establishment, modification, and termination
• A contingency plan should be in place for responding to emergencies. • Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. • Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
Technical Safeguards: • Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. • Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.
• Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. • Data corroboration, including the use of check sum, double-keying, message authentication, and signature may be used to ensure data integrity. • Covered entities must also authenticate entities it communicates with authentication consists password systems, two or three-way handshakes, telephone call-back, and token systems.
Physical safeguards: • Controlling physical access to protect against inappropriate access to protected data • Controls must govern the introduction and removal of hardware and software from the network. • Access to equipment containing health information should be carefully controlled and monitored. • Access to hardware and software must be limited to properly authorized individuals.
STATEMENT OF AUDITING STANDARDS FOR SERVICE ORGANISATION
Introduction Statement on Auditing Standards No.70: Service Organizations, commonly abbreviated as SAS 70 is an auditing statement issued by the Auditing Standards Board of American Institute of Certified Public Accountants(AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal control of a service organization and issue a service auditor’s report.
Meaning of SAS SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to asses the contracted internal controls of a service organization. Service organizations, such as hosted data centers , insurance claims processors and credit processing companies, provide outstanding services that affect the operation of the contracting enterprise.
Under SAS 70 (the Statement on Auditor reports are classified as either Type I or Type II. In a Type I report the auditor evaluates the efforts of a service organization at the time of audit to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluate the likelihood that those efforts will produce the future results. A Type II report includes the same information as that contained in a Type I report; in addition, the auditor attempts to determine the effectiveness of agreed-on controls since their implementation. Type II reports also incorporate data complied during a specific time period, usually a minimum of six months.
1. Statement on Auditing Standards (SAS) No. 70, Service Organizations, in an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants(AICPA). 2. SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report. 3. Service auditors are required to follow the AICPA’s standards for fieldwork, quality control, and reporting. 4. A formal report including the auditor’s opinion (“Service Auditor’s Report”) is issued to the service organization at the conclusion of a 70 examination. CHARACTERSTICS or STATEMENT OF AUDITING standards for service organizations
5. A SAS 70 examination is not a “checklist” audit. SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus. 6. A SAS 70 audit or service auditor’s examination is widely recognized, because it represents that a service organization has been through an in-depth audit of their control activities which generally include controls over information technology and related processes.
Type I SAS 70 audits opinion on controls that are in place of a date in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties. Type II SAS 70 audits opinion on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with fairness of presentation of the controls, the design of the controls in terms of their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports since verification is provided regarding these matters for a substantial period of time. Type I and type ii audit standards
1. A service auditor’s report ensure that all user organization and their auditors have access to the same information and in many cases this will satisfy the user auditor’s requirements. 2. SAS 70 engagements are generally performed by control oriented professionals who have experience in accounting, auditing, and information security. 3. A service auditor’s report with an unqualified opinion that is issued by an independent accounting firm differentiate the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. 4. A SAS 70 engagement allows a service organization who have its control policies procedures evaluated and tested (in the case of a TYPEII engagement) by an independent party 5. A service auditor’s report also helps a service organization build trust with its users organizations (I.e. Customers). Benefits of the service organization
CAPABILTY MATURITY MODEL(CMM) INTRODUCTION: The CMM was developed from 1984 by Watts Humphrey and the Software Engineering Institute(SEI). The SEI is a part of Carnegie Mellon University. The work was funded and continues to be funded by the Department of Defense(DoD), which was originally looking for ways to compare and measure the various contractors that were developing software for the DoD.
Meaning : “A Capability of Maturity Model(CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements , measures, controls and improves its processes in a particular area of operation. It thus enables the organization to consciously choose a certain target level ofmaturityandthen toworktowardsthatlevel.” Definition: “The definition implies that the CMM concept is mainly applicable to organizational processes, such as development processes or business processes. This process orientation underlies the model described in this paper and thus with knowledge within the framework of business processes.
PROCESS OF CAPABILITY MATURITY MODEL(CMM) INITIAL MATURITY LEVEL REPEATABLE MATURITY LEVEL DEFINED MATURITY LEVEL MANAGED MATURITY LEVEL OPTIMIZING MATURITY LEVEL
INITIALMATURITY LEVEL The software process is characterized as inconsistent and occasionally even chaotic. Defined processes and standard practices that exist are abandoned during a crisis. Success of the organization majorly depends on an individual effort, talent and heroics. The heroes eventually move on to other organizations taking their wealth of knowledge or lessons learnt with them.
REPEATABLE MATURITY LEVEL This level of Software Development Organization has a basic and consistent project management processes to track cost, schedule and functionality. The process is in place to replace the earlier successes on projects with similar applications. Program management is a key characteristics of a level two organization.
DEFINED MATURITY LEVEL The software process for both management and engineering activities and documented, standardized and integrated into a standard software process for the entire organization and all projects across the organization use an approved, tailored version of the organization’s standard software process for developing, testing and maintaining the application.
MANAGED MATURITY LEVEL Management can effectively control the software development effort using precise measurements. At this level, organization set a quantitative quality goal for both software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
The key characteristics of this level is focusing on continually improving process performance through both incremental and innovative technological improvements. At this level changes to the process are to improve the process performance and at the same time maintaining statistical probability to achieve the established quantitative process - improvement objectives. OPTIMIZING MATURITY LEVEL
it grc

More Related Content

PDF
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
PPTX
Information Security Governance and Strategy
byDam Frank
 
PPTX
Implementing ISO27001 2013
byscttmcvy
 
PPTX
GRC Fundamentals
by3Sixty Insights
 
PPTX
Governance risk and compliance
byMagdalena Matell
 
PDF
2022 Webinar - ISO 27001 Certification.pdf
byControlCase
 
PPTX
Grc governance, risk management & compliance
byHR Globe Consulting
 
PPSX
GRC Governance, Risk mgmt. & Compliance Executive
byMax Neira Schliemann
 
Cybersecurity Roadmap Development for Executives
byKrist Davood - Principal - CIO
 
Information Security Governance and Strategy
byDam Frank
 
Implementing ISO27001 2013
byscttmcvy
 
GRC Fundamentals
by3Sixty Insights
 
Governance risk and compliance
byMagdalena Matell
 
2022 Webinar - ISO 27001 Certification.pdf
byControlCase
 
Grc governance, risk management & compliance
byHR Globe Consulting
 
GRC Governance, Risk mgmt. & Compliance Executive
byMax Neira Schliemann
 

What's hot

PPTX
Third Party Risk Management
byEC-Council
 
PPT
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
PPTX
Governance, risk and compliance framework
byCeyeap
 
PPTX
Information security governance
byKoen Maris
 
PPTX
PPT-Security-for-Management.pptx
byRSAArcher
 
PDF
Basics in IT Audit and Application Control Testing
byDinesh O Bareja
 
PPTX
Identity and Access Management (IAM): Benefits and Best Practices 
byVeritis Group, Inc
 
PPT
IT System & Security Audit
byMufaddal Nullwala
 
PPTX
27001 awareness Training
byDr Madhu Aman Sharma
 
PPTX
Governance, Risk & Compliance Management Solution
byRishabh Software
 
PDF
ISO 27005:2022 Overview 221028.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PDF
Information security management system (isms) overview
byJulia Urbina-Pineda
 
PPTX
Microsoft Defender for Endpoint Overview.pptx
byBenAissaTaher1
 
PDF
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
byCorporater
 
PDF
Integrated GRC
byTranscendent Group
 
PPSX
Security Awareness Training
byWilliam Mann
 
PPTX
ISO 27001 - Information security user awareness training presentation - part 3
byTanmay Shinde
 
PDF
Why ISO27001 For My Organisation
byVigilant Software
 
PDF
Cybersecurity Incident Management Powerpoint Presentation Slides
bySlideTeam
 
PPTX
Cyber attacks and IT security management in 2025
byRadar Cyber Security
 
Third Party Risk Management
byEC-Council
 
SOC presentation- Building a Security Operations Center
byMichael Nickle
 
Governance, risk and compliance framework
byCeyeap
 
Information security governance
byKoen Maris
 
PPT-Security-for-Management.pptx
byRSAArcher
 
Basics in IT Audit and Application Control Testing
byDinesh O Bareja
 
Identity and Access Management (IAM): Benefits and Best Practices 
byVeritis Group, Inc
 
IT System & Security Audit
byMufaddal Nullwala
 
27001 awareness Training
byDr Madhu Aman Sharma
 
Governance, Risk & Compliance Management Solution
byRishabh Software
 
ISO 27005:2022 Overview 221028.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Information security management system (isms) overview
byJulia Urbina-Pineda
 
Microsoft Defender for Endpoint Overview.pptx
byBenAissaTaher1
 
Third-Party Risk Management (TPRM) | Risk Assessment Questionnaires
byCorporater
 
Integrated GRC
byTranscendent Group
 
Security Awareness Training
byWilliam Mann
 
ISO 27001 - Information security user awareness training presentation - part 3
byTanmay Shinde
 
Why ISO27001 For My Organisation
byVigilant Software
 
Cybersecurity Incident Management Powerpoint Presentation Slides
bySlideTeam
 
Cyber attacks and IT security management in 2025
byRadar Cyber Security
 

Viewers also liked

PPT
Corporate compliance powerpoint
bysmcmanus3
 
PPTX
Fix nix, inc
byFixNix Inc.,
 
PDF
Reciprocity_GRC Software Buyers Guide v5
byjustinklooster
 
PPT
Expertool GRC Accelerator
byslideshareneilj
 
PPTX
The Evaluation Checklist
bywmartz
 
PPTX
CMLGroup - What is GRC?
byCML Group
 
PPTX
Enterprise under attack dealing with security threats and compliance
bySPAN Infotech (India) Pvt Ltd
 
DOC
Software Evaluation Checklist
bySalina Saharudin
 
PDF
DFlabs corporate profile 01-2013
byDFLABS SRL
 
PDF
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
byFulcrumWay
 
PPTX
jComply grc_platform_v1.0
byjComply
 
Corporate compliance powerpoint
bysmcmanus3
 
Fix nix, inc
byFixNix Inc.,
 
Reciprocity_GRC Software Buyers Guide v5
byjustinklooster
 
Expertool GRC Accelerator
byslideshareneilj
 
The Evaluation Checklist
bywmartz
 
CMLGroup - What is GRC?
byCML Group
 
Enterprise under attack dealing with security threats and compliance
bySPAN Infotech (India) Pvt Ltd
 
Software Evaluation Checklist
bySalina Saharudin
 
DFlabs corporate profile 01-2013
byDFLABS SRL
 
FulcrumWay - Ed. Webinar - Identify and Eliminate False Positives from your S...
byFulcrumWay
 
jComply grc_platform_v1.0
byjComply
 

Similar to it grc

PDF
IT General Controls Presentation at IIA Vadodara Audit Club
byKaushal Trivedi
 
PPTX
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
PPTX
CISA Training - Chapter 2 - 2016
byHafiz Sheikh Adnan Ahmed
 
PPTX
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
PPTX
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
PDF
Internal Controls Over Information Systems
byJeffrey Paulette
 
PDF
Auditing information systems
byKenya Allmond
 
PDF
audit_it_250759.pdf
bymabkhoutaliwi1
 
PPT
Auditing concept
byGanesh Sharma
 
PPTX
crisc_wk_2a.pptx
bydotco
 
PPTX
FRAMEWORKS AND STANDARDS-GRC,GDPR,SOX,PCI DSS,SOX,ISO
byalexangelmary99
 
PPTX
Dancyrityshy 1foundatioieh
byAnne Starr
 
PDF
CNIT 160: Ch 2a: Introduction to Information Security Governance
bySam Bowne
 
PDF
Grc and is audit
byBIBEKCHAUDHARYBScHon
 
PDF
Sem 001 sem-001
bySelectedPresentations
 
DOCX
Task 2
byBIBEKCHAUDHARYBScHon
 
DOCX
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
byLynellBull52
 
PPSX
Does audit make us more secure
byEnterpriseGRC Solutions, Inc.
 
PPT
Project_Paper_Presentation_ISSC471_Intindolo
byJohn Intindolo
 
PPTX
Proactive Risk Management and Compliance in a World of Digital Disruption
byMike Wons
 
IT General Controls Presentation at IIA Vadodara Audit Club
byKaushal Trivedi
 
ISO 27001 2022 REQUIREMENTS EXPLAINED 4.pptx
byJustinNickaf3
 
CISA Training - Chapter 2 - 2016
byHafiz Sheikh Adnan Ahmed
 
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Information security
byLusungu Mkandawire CISA,CISM,CGEIT,CPF,PRINCE2
 
Internal Controls Over Information Systems
byJeffrey Paulette
 
Auditing information systems
byKenya Allmond
 
audit_it_250759.pdf
bymabkhoutaliwi1
 
Auditing concept
byGanesh Sharma
 
crisc_wk_2a.pptx
bydotco
 
FRAMEWORKS AND STANDARDS-GRC,GDPR,SOX,PCI DSS,SOX,ISO
byalexangelmary99
 
Dancyrityshy 1foundatioieh
byAnne Starr
 
CNIT 160: Ch 2a: Introduction to Information Security Governance
bySam Bowne
 
Grc and is audit
byBIBEKCHAUDHARYBScHon
 
Sem 001 sem-001
bySelectedPresentations
 
Task 2
byBIBEKCHAUDHARYBScHon
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
byLynellBull52
 
Does audit make us more secure
byEnterpriseGRC Solutions, Inc.
 
Project_Paper_Presentation_ISSC471_Intindolo
byJohn Intindolo
 
Proactive Risk Management and Compliance in a World of Digital Disruption
byMike Wons
 

More from 9535814851

PPTX
information system and computers
by9535814851
 
PPT
2007 mcom mis module 1.0
by9535814851
 
PPTX
Software development life cycle copy
by9535814851
 
PPTX
Database management system
by9535814851
 
PPTX
it act
by9535814851
 
PPTX
information system and computers
by9535814851
 
PPTX
Health insurance portability and act(hipaa)2
by9535814851
 
PPTX
Information system
by9535814851
 
PPTX
Information technology govenance
by9535814851
 
PPTX
information system and computers
by9535814851
 
PPTX
information system and computers
by9535814851
 
PPTX
information system and computers
by9535814851
 
PPTX
human resource information system
by9535814851
 
PPTX
information system and computers
by9535814851
 
PPTX
marketing information system
by9535814851
 
PPTX
Wireless application prorocol
by9535814851
 
PPTX
Mc card new product launch
by9535814851
 
information system and computers
by9535814851
 
2007 mcom mis module 1.0
by9535814851
 
Software development life cycle copy
by9535814851
 
Database management system
by9535814851
 
it act
by9535814851
 
information system and computers
by9535814851
 
Health insurance portability and act(hipaa)2
by9535814851
 
Information system
by9535814851
 
Information technology govenance
by9535814851
 
information system and computers
by9535814851
 
information system and computers
by9535814851
 
information system and computers
by9535814851
 
human resource information system
by9535814851
 
information system and computers
by9535814851
 
marketing information system
by9535814851
 
Wireless application prorocol
by9535814851
 
Mc card new product launch
by9535814851
 

Recently uploaded

PPTX
Warehouse in Traceability Report - Odoo 19
byCeline George
 
PPTX
Everything You Need to Know About Actions in Odoo 18
byCeline George
 
PPTX
An inclusive AI - Supporting students with special education needs by Andreas...
byEduSkills OECD
 
PDF
BP704T: NOVEL DRUG DELIVERY SYSTEMS UNIT 4 PART 1
byRushiMandali
 
PDF
how to write your research instrument.pdf
byThelma Villaflores
 
PDF
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
PPTX
EARLY CARCINOMA BREAST SURGICAL MANAGEMENT
byJohn Thanakumar
 
PPTX
DepEd_ARAL_Program_Orientation FINAL COPY.pptx
byAljohnEspejo1
 
PDF
JRF Plant Science Syllabus | Complete Unit-Wise Discussion & Preparation Stra...
bySatyam Sharma
 
PPTX
PLAY-IMPORTANCE OF PLAY,FUNCTIONS OF PLAY AND TYPES
byBHUVANESHWARI BADIGER
 
PDF
Genetic Erosion in Crop Plants: Causes, Consequences, and Conservation Strate...
bySatyam Sharma
 
PDF
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
PPTX
major drivers of biodiversity change.pptx
byKajal Kashyap
 
PDF
FABRICATION OF BICMOS ON SILICON AND SOI
byGS Virdi
 
PDF
2025 Caribbean Examinations Council CCSLC Merit List
byCaribbean Examinations Council
 
PDF
Gene Pool in Crop Plants: Diversity, Classification, and Role in Plant Breedi...
bySatyam Sharma
 
PDF
Principle, Construction, and Types of Varactor Diode – A Comprehensive Lectur...
byGS Virdi
 
PPTX
Unit 6- Heme Catabolism.pptx............
byAkanksha Kotangale
 
PPTX
Unit 7- Organ Function Test(Biochemical parameters.
byAkanksha Kotangale
 
PPTX
Emminent personalities from agriculture sciences.pptx
byconvey2vivek
 
Warehouse in Traceability Report - Odoo 19
byCeline George
 
Everything You Need to Know About Actions in Odoo 18
byCeline George
 
An inclusive AI - Supporting students with special education needs by Andreas...
byEduSkills OECD
 
BP704T: NOVEL DRUG DELIVERY SYSTEMS UNIT 4 PART 1
byRushiMandali
 
how to write your research instrument.pdf
byThelma Villaflores
 
JRF Plant Science Preparation Strategy by Experts | Complete Syllabus Discuss...
bySatyam Sharma
 
EARLY CARCINOMA BREAST SURGICAL MANAGEMENT
byJohn Thanakumar
 
DepEd_ARAL_Program_Orientation FINAL COPY.pptx
byAljohnEspejo1
 
JRF Plant Science Syllabus | Complete Unit-Wise Discussion & Preparation Stra...
bySatyam Sharma
 
PLAY-IMPORTANCE OF PLAY,FUNCTIONS OF PLAY AND TYPES
byBHUVANESHWARI BADIGER
 
Genetic Erosion in Crop Plants: Causes, Consequences, and Conservation Strate...
bySatyam Sharma
 
ARS Nematology Syllabus | Complete Unit-wise Topics, Booklist & Preparation S...
bySatyam Sharma
 
major drivers of biodiversity change.pptx
byKajal Kashyap
 
FABRICATION OF BICMOS ON SILICON AND SOI
byGS Virdi
 
2025 Caribbean Examinations Council CCSLC Merit List
byCaribbean Examinations Council
 
Gene Pool in Crop Plants: Diversity, Classification, and Role in Plant Breedi...
bySatyam Sharma
 
Principle, Construction, and Types of Varactor Diode – A Comprehensive Lectur...
byGS Virdi
 
Unit 6- Heme Catabolism.pptx............
byAkanksha Kotangale
 
Unit 7- Organ Function Test(Biochemical parameters.
byAkanksha Kotangale
 
Emminent personalities from agriculture sciences.pptx
byconvey2vivek
 

it grc

  • 2.
    INTRODUCTION Information technology hasa tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. It for managing organizational controls by analyzing value drivers for particular accounting information systems that commonly runs under the label of governance, risk management and compliance (GRC IS). Information systems such as enterprise resource planning systems separate financial from nan-financial data and therefore enable better financial accounting. On the other hand, they provide new potential for management control as “data become accurate, shareable and available to many different parties but does hardly create the panoptic dreams of visibility and action at a distance”.
  • 3.
    Governance The process bywhich policy is set and decision making is executed. Governance is the of policies, laws, culture, and institutions that define how an organization should be managed.
  • 4.
    • The processfor preventing an unacceptable level of uncertainty in business objectives with a balance of avoidance through reconsideration of objectives, mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms. It is also the process to ensure that important business processes and behaviors remain within the tolerances associated with policies and decisions set through the provenance process. Risk management is coordinate activities that direct and control an organization forecasting and managing events/risks that might have a negative impact on the business.
  • 5.
    The process ofadherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements. Compliance is the act of adhering to regulations as well as corporate policies and procedures.
  • 6.
     Create anddistribute policies and controls and map them to regulations and internal compliance requirements.  Assess whether the controls are actually in place and working and fix them if they are not.  Ease risk assessment and mitigation.  IT GRC provide coordination and standardization of policies and controls.  Automate information gathering.  It enable enterprises to rapidly adapt to change.
  • 7.
    governance Enterprise risk managementand assessment Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc. Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc Policy management, documentation and communication
  • 8.
    • Risk assessment •Risk analysis and prioritization • Root cause analysis of issues and mitigation • Risk analytics and trend analysis
  • 9.
    • Flexible controlshierarchy • Assessments and audits • Issues tracking and remediation • analytics
  • 10.
    Importance of IT-GRC •An improvement in the quality and availability of information; • A reduction in breaches and errors; • A reduction in costs and greater efficiencies; • A more flexible and externally focused workforce capable of rapid change to meet customer and organizational needs; • A greater assurance for the organization and its board and senior management that grace issues are being appropriately dealt with and the organization remains “on target” with its performance objectives; and • Improved levels of communication across the organization the organization.
  • 11.
    BUSINESS IS MOREDEPENDENT ON IT • IT environment is more complex. • Less time between IT failures and organizational impact. • Increase in threats related to IT. • Increase in threats related to IT. • Increase in regulations, standards and controls.
  • 12.
    IT GRC Challenges •Mapping the policies and control • Audit fatigue • Security exposure • Redundancy and inefficiency
  • 13.
    Other Challenges • Aperception by staff that the initiative may have an ulterior motive, for example a cost recovery drive or head count reduction. • Business unit managers or middle management are fearful of being marginalized as GRC responsibilities are devolved to those in lower levels of the hierarchy. • Organizations are sometimes skeptical regarding the targeting and measurement systems proposed and are concerned that there will not ultimately be an appropriate return on investment given the establishment and maintenance costs involved. • Corporate cynicism and skepticism around the outcomes and results achieved from past planned organizational change (and management “fads” generally).
  • 14.
    Factors to beconsider at the time of implementation of IT GRC • Strategy • Reporting and audit • Legal function • Information technology • Ethics and corporate social responsibility • Corporate culture • Business process management
  • 15.
  • 16.
    Introduction Information systems auditinginvolves using technical tools and expertise to evaluate the adequacy and effectiveness of information systems in an organization. Further, it involves working with management to identify weak controls and risk, which arises due to the application of technology in a business. It also suggests ways to enhance these weak controls to increase the reliability of IS, which will help an organization to achieve its strategic objectives.
  • 17.
    Meaning Information systems auditis a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently. The common element between any manual audit and IS audit is data integrity. All type of audits (information audits) have to evaluate the data integrity. Since IS audit involves efficiency and effectiveness, it includes some elements of management and proprietary audit too.
  • 18.
    IS auditing methodology •Step 1: define objectives of the audit. • Step 2: obtain basic understanding of systems and flow of transactions. • Step 3 : Detailed information gathering • Step 4 : Search for exposures that exist under the system and suggest the control in eliminate the exposure. • Step 5 : Define Auditing procedures to verify controls. • Step 6 : Perform audit test using various techniques and tools. • Step 7 : Evaluation of findings. • Step 8 : Generation of Report.
  • 19.
    Scope of ISaudit • Data • Application systems • Technology • Facilities • People
  • 20.
    Elements of ISaudit Exposures Causes Controls Physical and environmental review System administration review System administration review Application software review Network security review Business continuity review Data integrity review
  • 21.
    Need for ISaudit • Confidentiality • Integrity • Availability • Reliability
  • 22.
    Categories of ISaudits • Systems and applications • Information processing facilities • Systems development • Management of IT and enterprise architecture • Telecommunications intranets and extranets
  • 23.
    Information Security andmanagement standard Meaning information security relates to the physical and logical protection of data or information recorded, processed, shared, transmitted or received from an electronic from. The protection is provided against joss, inaccessibility, alternation, or unauthorized disclosure. The protection is achieved through physical safeguard such as locks, security guard, insurance etc. and logical safeguard as user identifiers, passwords, firewalls.
  • 24.
    Information security • Meaning: •It is the practice of defending information from unauthorized access, use discloser, disruption modification, perusal, inspection recording or destruction • Definition • “Information security is the process of protecting the intellectual property of an organization” • IT security: it is referred to as computer security .a computer is any device with a processor and some memory such device can range from non-networked standalone device as simple as calculator to networked mobile computing device such as smart phone ad tablet .IT security is mainly used in major enterprise establishment due to the nature and value of the data within larger business
  • 25.
    Information assurance • Theact of ensuring that data is not lost when critical issues aries.thes issues include but are not limited to natural disaster computer server malfunction physical theft or any other instance where data potential of being lost.
  • 26.
    Threats Computer system threatscome in many different forms. some of the most common threats today are software attack, theft of intellectual property identity theft of equipment or info are common example of software attack Key concept of information security Confidentiality Integrity Availability
  • 27.
    Risk management ‘Risk managementis the process of identifying vulnerabilities and threats to the information resources ‘
  • 28.
    control Selecting proper controland implementing those will initially help an organization to bring down risk to acceptable level. Control selection should follow and should be based on the risk assessment .control can vary in nature but they are fundamentally they are ways of protecting the confidentially. Types of control are • Administrative control • Logical control • Physical control
  • 29.
    Security organization structure 1.Information security forum (ISF) 2. Information security management group (ISMG) 3. Assistant group security officer (AGSO) 4. System owner 5. Personal security officer (PSO) 6. Line manager 7. Users
  • 30.
    Standards For InformationSecurities The international organization for standardization[ISO] established in 1947, is a non-governmental international body that collaborates with the international commission technology[ITC] standard. The following is commonly referenced ISO security standards.
  • 31.
    Introduction to ISO27001 ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
  • 32.
    Framework of ISO27001 implementation of ISO 27001 is an ideal response legal requirements and potential security threats such as: • Vandalism/Terrorism • Fire • Misuse • Theft • Viral attack
  • 33.
    Features of ISO27001 • Adopted PDCA(PLAN-DO-CHECK-ACT) model. • Adopted a process approach. • Identify-manage actives-function effectively. • Stress on continual process improvements • Scope covers information security not only IT security. • Focused on people, process, technology. • Combination of management control, operational controls and technical control.
  • 34.
    Benefits of ISMSISO 27001 certification: • Independent framework that will take account of all legal and regulatory requirements. • Helps provide a competitive edge to the company. • Helps to identify and meet contractual and regulatory requirements. • Independently verifies that risks to the company are properly identified and managed. • Demonstrates to customers that security of three information is taken seriously.
  • 35.
    CONTROL OBJECTIVES FORINFORMATION AND RELATED TECHNOLOGY (COBIT) INTRODUCTION: COBIT was first released in 1996; the current vision, COBIT 5 was published in 2012. Its mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.
  • 36.
    Theframeworkprovidesgoodpracticesacrossadomainandprocessframework: “The business orientationof COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement and identifying the associated responsibilitiesofbusinessandIT processowners.” COBIT is a framework of generally applicable information systems security and control. The framework allows: 1) Benchmarking of the security andcontrol arrangement. 2) Auditor to review internal controls and advise on ITsecurity matters. 3) Users of IT services to beassured that adequate security and control exist
  • 37.
    The framework addressesthe issue of control from 3 vantage points
  • 38.
    IT Processes Controls arerequired to be implemented in all the processes, which are broken into 4 domains:  Planning and organization  Acquisition and implementation.  Delivery and support and  Monitoring.
  • 39.
    Business objectives To satisfybusiness objectives, information must satisfy some criteria that COBIT refers to as business requirement for information. The criteria are divided into seven categories:  Effectiveness  Efficiency  Confidentiality  Integrity
  • 40.
    IT RESOURCES To protectthe IT resources must be developed which includes:  People  Application system  Hardware devices  Facilities and data  Security controls.
  • 41.
    Advantages of COBIT I.COBIT is aligned with other standards and best practices and should be used together with them. II. It’s framework and supporting best practices provide a well-managed and flexible IT environment in an organization. III. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. IV. It provides tools to help manage IT activities.
  • 42.
    1) Strategic alignmentfocuses on ensuring the linkage of business and IT plans; defining maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations. 2) Value delivery is about executing the value proposition throughout delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing cost and providing the intrinsic value of IT. Cobit has five IT governance areas of concentration
  • 43.
    3) Resource managementis about the optimum investment and proper management of critical IT resources: applications. Information, infrastructure and people. 4) Risk management is a clear understanding of the enterprises, appetite for risk, understanding of compliance requirements, and transparency into the organization 5) Performance measurements track and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting. Cobit has five IT governance areas of concentration
  • 44.
  • 45.
    Introduction • The healthinsurance portability and accountability act (HIPAA) became law in 1996. The purpose of the HIPAA is to improve the efficiency and effectiveness of healthcare transactions by standardizing the exchange of administrative and financial data, as well as protecting the privacy and security of individual health information that is maintained or transmitted.
  • 46.
    • HIPAA imposesstringent privacy and security requirements on health plans, healthcare providers, and healthcare clearinghouses that maintain and/or transmit individual health information in electronic form. The term “healthcare provider” includes individual physicians, physician group practices, dentists, other healthcare practitioners, hospitals, and nursing facilities.
  • 47.
    Specific objectives ofthe regulations are: • Standardizing the format and content of primary commercial and administrative electronic healthcare transactions. • Developing standards to protect confidential patient information from improper use or disclosure and establishing patients rights to control such uses. • Developing standards for computer systems and networks to ensure the security, integrity, and availability of patient data.
  • 48.
    HIPAA is alsoknow as public law. The Act has five top-level titles: • Title 1. health access, portability, and renewability. • Title 2. preventing health care fraud and abuse (administrative simplification0, which includes: • (1) transaction and code sets (2) identifiers (3) privacy (4) security. • Title 3. Tax-related health previsions (medical savings accounts and health insurance tax deductions for self-employed individuals).
  • 49.
    • Title 4.Group health plan provisions • Title 5. Revenue offset provisions.
  • 50.
    HIPAA Transaction AndCodes • HIPAA is named for its contribution to portability of insurance and accountability for insurance claims. The administrative simplification section of HIPAA requires the standardization of identifiers, code sets and, transactions. HIPAA provides various limits to the exclusions that insurers may use, provides credit for past insurance, and attempts to assure that insurance can be purchased. As stated previously, HIPAA ensures only that insurance is available, not that it is inexpensive.
  • 51.
    The Security Rule: •The security lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.
  • 52.
    The Standards AndSpecifications Are As Follows: • Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures. • The policies and procedures nust reference management oversight and organizational buy-in to compliance with the documented security controls. • Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI). • The procedures must address access authorization, establishment, modification, and termination
  • 53.
    • A contingencyplan should be in place for responding to emergencies. • Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. • Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
  • 54.
    Technical Safeguards: • Controllingaccess to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient. • Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.
  • 55.
    • Each coveredentity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner. • Data corroboration, including the use of check sum, double-keying, message authentication, and signature may be used to ensure data integrity. • Covered entities must also authenticate entities it communicates with authentication consists password systems, two or three-way handshakes, telephone call-back, and token systems.
  • 56.
    Physical safeguards: • Controllingphysical access to protect against inappropriate access to protected data • Controls must govern the introduction and removal of hardware and software from the network. • Access to equipment containing health information should be carefully controlled and monitored. • Access to hardware and software must be limited to properly authorized individuals.
  • 57.
    STATEMENT OF AUDITING STANDARDSFOR SERVICE ORGANISATION
  • 58.
    Introduction Statement on AuditingStandards No.70: Service Organizations, commonly abbreviated as SAS 70 is an auditing statement issued by the Auditing Standards Board of American Institute of Certified Public Accountants(AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal control of a service organization and issue a service auditor’s report.
  • 59.
    Meaning of SAS SAS70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to asses the contracted internal controls of a service organization. Service organizations, such as hosted data centers , insurance claims processors and credit processing companies, provide outstanding services that affect the operation of the contracting enterprise.
  • 60.
    Under SAS 70(the Statement on Auditor reports are classified as either Type I or Type II. In a Type I report the auditor evaluates the efforts of a service organization at the time of audit to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluate the likelihood that those efforts will produce the future results. A Type II report includes the same information as that contained in a Type I report; in addition, the auditor attempts to determine the effectiveness of agreed-on controls since their implementation. Type II reports also incorporate data complied during a specific time period, usually a minimum of six months.
  • 61.
    1. Statement onAuditing Standards (SAS) No. 70, Service Organizations, in an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants(AICPA). 2. SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization’s description of controls through a Service Auditor’s Report. 3. Service auditors are required to follow the AICPA’s standards for fieldwork, quality control, and reporting. 4. A formal report including the auditor’s opinion (“Service Auditor’s Report”) is issued to the service organization at the conclusion of a 70 examination. CHARACTERSTICS or STATEMENT OF AUDITING standards for service organizations
  • 62.
    5. A SAS70 examination is not a “checklist” audit. SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus. 6. A SAS 70 audit or service auditor’s examination is widely recognized, because it represents that a service organization has been through an in-depth audit of their control activities which generally include controls over information technology and related processes.
  • 63.
    Type I SAS70 audits opinion on controls that are in place of a date in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties. Type II SAS 70 audits opinion on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with fairness of presentation of the controls, the design of the controls in terms of their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports since verification is provided regarding these matters for a substantial period of time. Type I and type ii audit standards
  • 64.
    1. A serviceauditor’s report ensure that all user organization and their auditors have access to the same information and in many cases this will satisfy the user auditor’s requirements. 2. SAS 70 engagements are generally performed by control oriented professionals who have experience in accounting, auditing, and information security. 3. A service auditor’s report with an unqualified opinion that is issued by an independent accounting firm differentiate the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. 4. A SAS 70 engagement allows a service organization who have its control policies procedures evaluated and tested (in the case of a TYPEII engagement) by an independent party 5. A service auditor’s report also helps a service organization build trust with its users organizations (I.e. Customers). Benefits of the service organization
  • 65.
    CAPABILTY MATURITY MODEL(CMM) INTRODUCTION: TheCMM was developed from 1984 by Watts Humphrey and the Software Engineering Institute(SEI). The SEI is a part of Carnegie Mellon University. The work was funded and continues to be funded by the Department of Defense(DoD), which was originally looking for ways to compare and measure the various contractors that were developing software for the DoD.
  • 66.
    Meaning : “A Capabilityof Maturity Model(CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements , measures, controls and improves its processes in a particular area of operation. It thus enables the organization to consciously choose a certain target level ofmaturityandthen toworktowardsthatlevel.” Definition: “The definition implies that the CMM concept is mainly applicable to organizational processes, such as development processes or business processes. This process orientation underlies the model described in this paper and thus with knowledge within the framework of business processes.
  • 67.
    PROCESS OF CAPABILITY MATURITY MODEL(CMM) INITIAL MATURITYLEVEL REPEATABLE MATURITY LEVEL DEFINED MATURITY LEVEL MANAGED MATURITY LEVEL OPTIMIZING MATURITY LEVEL
  • 68.
    INITIALMATURITY LEVEL The softwareprocess is characterized as inconsistent and occasionally even chaotic. Defined processes and standard practices that exist are abandoned during a crisis. Success of the organization majorly depends on an individual effort, talent and heroics. The heroes eventually move on to other organizations taking their wealth of knowledge or lessons learnt with them.
  • 69.
    REPEATABLE MATURITY LEVEL Thislevel of Software Development Organization has a basic and consistent project management processes to track cost, schedule and functionality. The process is in place to replace the earlier successes on projects with similar applications. Program management is a key characteristics of a level two organization.
  • 70.
    DEFINED MATURITY LEVEL Thesoftware process for both management and engineering activities and documented, standardized and integrated into a standard software process for the entire organization and all projects across the organization use an approved, tailored version of the organization’s standard software process for developing, testing and maintaining the application.
  • 71.
    MANAGED MATURITY LEVEL Managementcan effectively control the software development effort using precise measurements. At this level, organization set a quantitative quality goal for both software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
  • 72.
    The key characteristicsof this level is focusing on continually improving process performance through both incremental and innovative technological improvements. At this level changes to the process are to improve the process performance and at the same time maintaining statistical probability to achieve the established quantitative process - improvement objectives. OPTIMIZING MATURITY LEVEL