Chicago Chapter ISACA

Spring Seminar - REGISTRATION CLOSED

We are sorry, but this seminar has reached capacity and we can no longer accept new entries.

April 9th - 10th 2009
8:00AM-5:00PM (15 CPE hours)
Continental Breakfast 8:00 AM, Class 8:30 AM

Special pricing for chapter members. The Chicago Chapter Board is offering this course to our membership at a special rate of only $250, one of the many benefits of Chicago Chapter ISACA membership in these difficult economic times.

IT Audit Planning Using a Risk-Based Approach

Focusing on Risk to Improve the Efficiency and Effectiveness of Your IT Audits

Instructor: Richard H. Tarr, CIA, CISA - MIS Training Institute

UBS Tower, 2nd Floor Conference Center
1 North Wacker Drive
Chicago, IL 60606

UBS Telephone: 312-327-2370
UBS Tower Web Site: www.conferencecenteratubstower.com


Focus and Features
IT risks are increasingly recognized as critical factors in enterprise risk management. From preventing failures in regulatory compliance to helping avoid devastating harm to the reputation of the organization from headline-making security breaches, IT auditors have an obligation and value-adding opportunities to assess enterprise vulnerabilities through effective risk-based IT audit planning.

In this two-day seminar you will explore the varied aspects of developing an effective risk-based IT audit plan, and examine the use of risk-based standards and frameworks, including COSO ERM. You will review such risk elements in IT audit planning as regulatory compliance risks, IT governance risks, business information risks and IT infrastructure risks. You will also cover the increased risks introduced by outsourced IT operations and functions. Throughout this high-impact seminar you will focus on developing an annual IT audit universe based on assessing enterprise information risks. You will leave this intensive seminar with a proactive strategy that will help you establish a comprehensive risk-based IT audit plan that will boost the efficiency and effectiveness of your IT audits.

Agenda

What You Will Learn
1. Effective IT Audit Coverage Through Risk-Based Planning
- risk definitions: threat, vulnerability, exposure, safeguard
- effects of risk
- risk criteria
- COSO ERM risk definitions
- cost/risk balance
- COSO Risk Assessment
- IIA/ISACA standards on risk assessment
- financial and operational risks
- IT risks and exposures
- linking IT risks to business risks
- IT risk assessment and audit planning strategies
- IT infrastructure risks
- integrated audits: enterprise risk coverage

2. Using Risk-Based IT Standards and Frameworks
- IIA GTAG
- ISO-27002 Security Controls
- FIPS 199 Security Risk Categorization
- NIST 800-53 Security Controls
- NIST 800-53A Assessment Guide
- mapping to COBIT®

3. Using COBIT
- COBIT control objectives
- COBIT framework and domains
- RACI chart, goals/metrics, and maturity model
- COBIT Control Practices
- IT Assurance Guide
- value drivers/risk drivers
- COBIT On-line
- COBIT PO 9: Assess and Manage IT Risks

4. COSO Enterprise Risk Management
- definition of enterprise risk management (ERM)
- why use COSO ERM?
- ERM objectives and components
- COSO vs. COSO ERM
- risk definitions
- COSO ERM and technology

5. Developing an IT Risk Assessment Framework
- IT risk assessment steps
- information asset integrity, confidentiality, and availability risks
- examples of risk criteria
- performing IT risk and impact/probability analyses
- developing the IT audit universe
- ISACA Standards/Guidelines: Risk Assessment
- NIST 800-53: IT Systems Risk Management Guide
- OCTAVE Risk Evaluation Process

6. Risk Compliance Critical Success Factors
- building a sustainable risk compliance process
- management and control ownership
- risk management
- sustainability
- change recognition
- risk compliance management structure
- embedded risk control specialists
- standardizing compliance
- risk/control frameworks
- Internal Audit’s role

7. Determining IT Governance Risks
- defining IT governance within enterprise governance
- why IT governance is critical to the enterprise
- IT governance risks, responsibilities, and components
- IT oversight committee
- information security governance
- COBIT® IT governance risks
- IIA and ISACA governance audit standards

8. Information Security Risks
- linking information risks to confidentiality, integrity, availability
- determining information security risks
- insider risks
- user access management
- information classification
- privacy risks
- user authentication and single sign-on risks
- authorization risks
- conflict matrix
- privileged access
- audit trail
- managing user accounts
- security monitoring
- remote access
- sensitive data on PCs and workstations
- social engineering risks

9. System Software Integrity Risks
- operating systems risks
- software parameters
- patch management
- vulnerability testing
- database management risks

10. IT Infrastructure Risks
- physical security
- environmental controls
- change management
- disaster recovery planning
- network perimeter security
- encryption

11. Business Application System Risks and Audit Planning
- transaction life cycle
- input, output, and processing risks/controls
- end-user computing risks
- top-down, risk-based business application audit planning

12. System Development and Acquisition Risks
- business risks of development projects
- determining system development and acquisition risks
- assessing project management
- IT audit’s role in system development projects
- IT audit independence issues

13. Outsourced IT: Identifying the Risks
- outsourcing risks
- offshore outsourcing risks
- ensuring strong contractual agreements
- how to obtain a right to audit
- risks associated with SAS-70 reports
- relationship monitoring risks

14. Developing a Risk-Based Annual IT Audit Plan
- implementing an IT audit strategy
- creating the audit universe
- structuring the audit universe to address risks
- developing a comprehensive risk-based annual IT audit plan

Seminar Registration

Bob Pardon
Phone: 630-292-6244
bobpardon@aol.com
