Anuj Tagra (25)

Anuja Deora (28)
Mehul Jain (12)
A Few Questions…
- What do we mean by IT controls?
- Why do we need IT controls?
- Who is responsible for IT controls?
- When is it appropriate to apply IT controls?
- Where exactly are IT controls applied?
- How do we perform IT control assessments?
Assessing IT Controls
Control Classifications
Information Security
- Confidentiality
- Integrity
- Availability
IT Controls Framework
- IT controls are not automatic.
- There are no well-defined standards for all-purpose controls.
- Each organization should use the most applicable components of these frameworks to categorize and assess IT controls, and to provide and document its own internal control framework for:
  - Compliance with applicable regulations and legislation.
  - Consistency with the organization’s goals and objectives.
  - Reliable evidence (assurance) that activities are in compliance with management’s governance policies and are consistent with the organization’s risk appetite.
IT Roles in the Organization
- Board of Directors/Governing Body
- Audit Committee
- Compensation Committee
- Governance Committee
- Risk Management Committee
- Finance Committee
IT Roles in the Organization (continued)
- Internal Auditing – CAE and Audit Staff
- External Auditing
Analyzing Risk
- Risk determines response.
- Risk considerations in determining the adequacy of IT controls:
  - The IT infrastructure
  - IT risks faced by the organization
  - Risk appetite and tolerance
  - Performing risk analysis
  - Value of information
  - Appropriate IT controls
Analyzing Risk (contd.)
- Risk mitigation strategies:
  - Accept the risk
  - Eliminate the risk
  - Share the risk
  - Control/mitigate the risk
Digital Dozen (VISA)
1. Install and maintain a working firewall to protect data.
2. Keep security patches up to date.
3. Protect stored data.
4. Encrypt data sent across public networks.
5. Use and regularly update anti-virus software.
6. Restrict access by "need to know."
7. Assign a unique Identification Code (ID) to each person with computer access.
8. Don't use vendor-supplied defaults for passwords and security parameters.
9. Track all access to data by unique ID.
10. Regularly test security systems and processes.
11. Implement and maintain an information security policy.
12. Restrict physical access to data.
Fundamental Five
1. Identity and Access Management (including privilege assignment and authentication)
2. Change Management (including patch management)
3. Configuration Management
4. Firewalls (workstation, host, sub-network, and perimeter)
5. Malware protection (including worms and viruses)
Monitoring and Techniques
- Choosing a control framework
- Monitoring IT controls
  - Ongoing monitoring
    - Daily/periodic
    - Event-driven
    - Continuous
  - Special reviews
    - Annual (or quarterly) control assessment
    - Audit reviews
- What audit methodology to use?
- Testing IT controls and continuous assurance
  - Automated continuous monitoring
  - Automated internal control analysis tools
  - Automated risk analysis
- Audit committee/management/audit interfaces
  - Metrics and reporting
  - Audit report summaries
- Assessing IT controls is an ongoing process.
- The CAE should keep assessments of IT controls that support business objectives near the top of the audit agenda.
- Experienced IT auditors are a major asset for any internal audit function.
- Assessing IT controls effectively depends on communication with technical staff, management, and the board.