Areas of Coverage

Period

 1

Introduction
IT Audit Objectives and functions in organization.
Building an effective internal IT Audit function
IT Audit planning – a Risk-based approach
IT Risk Assessment methods
Determining what to Audit
Applying  frameworks and standards like COSO, COBIT & ISO27001, ITIL, ITAF etc and Regulations

Physical Identification of IT Infrastructures
Understanding the IT Operations and procedures

Introduction to IT Governance & VAL IT
Auditing the implementation of IT Governance

Sample Audit Charter, Policies, procedures and checklist for various review areas, COBIT 4.1, IS027001 checklist, Sample IT Audit plan etc shall be given to participants.

Day 1

 2

3

4

Auditing Data Centers and Disaster recovery
Access controls systems
Alarm systems
Fire Suppression Systems
Systems and Site Resiliency
Data Centre Operations

• Physical Access controls
• Facility monitoring
• Roles and responsibility of data centre personnel
• Segregation of duties of data center personnel
• Responding to emergencies and disasters
• Data centre capacity planning

Auditing Users Profiles and Privileges (Logical Access Controls)

Auditing the existence of policies and procedure for Accesses to systems and data.
Auditing procedure for creating, changing and terminating  users privileges i.e managing users accounts
Auditing various levels of Authorizations in the system
Reviewing users activities from the activity log or Audit trails.
Review Password policies, password issuance and changes.
Access control best practices.
Reviewing users profile using a typical banking application and an accounting package.
Auditing Change Management Controls

• Change management objectives/risks
• Change requests
• Testing changes
• Implementation approval
• Programme migration
• Contingency plans
• System documentation
• Executable and source code integrity
• Emergency changes
• Library control software
• Vendor-supplied source code

Day 2

5

6

Performing the Application Audit
Reviewing and evaluate data input controls
Reviewing Input error and exception report
Interface controls
Review and evaluate the audit trails in the system
Access controls and users authentication in the application
Review the Software Change Controls.
Reviewing Backup and recovery
Data retention and classification
Reviewing EOD/EOM or end of period activities in applications
Auditing Backup and Recovery/BCP
Reviewing the adequacy of existing backup and recovery policies
Industry regulations on Backup & recovery and BCP
Auditing the procedure of backup and recovery
Understanding the major element of a typical BCP plan.
Auditing BCP plan, procedure and adequacy
Reviewing BCP test result.

Day 3

7

Using SQL (Structured Query Language) for Auditing & Investigation

Understanding DBMS (DataBase Mgt System)
Understanding Oracle SQL
Extracting & analyzing data with SQL
Interrogating data using SQL
Audit enquiries/queries to the databases
SQL continuous online near real time monitoring of customers transaction data and users inputs in the system.

Day 4

8

ACL (Audit Command Language) Audit Software for Revenue assurance
We shall be exposing you a little above the intermediate features of ACL which include:

The Basics of ACL
Acquiring Data for your project.
Accessing your Data on different platform
Verifying the Integrity of your data
Analyzing and manipulating your Data
Reporting your findings.
Automating your Audit exercises

A copy of ACL Software education version shall be installed for participants

Day 5

9

Performing an IT General Control review – Audit Project Exercise using a typical Organization. This Audit exercise must be performed, documented, reported and presented by all participants

Day 6