*** Plagiarism is not acceptable ***

Overview of Project – For this assignment, you will tackle the comprehensive task of auditing the IT and IS for an organization operating in a domain of your choice. You will apply the IT auditing process to a selected case study. The case study I have chosen is the "ONC Releases Second Draft of TEFCA" paper, Appendix 3: QHIN Technical Framework (page 70 onward only, not the entire document).

Instructions: Research paper in APA format. Plagiarism is not acceptable (please consider this top priority). For the Week 1 project, complete instructions are specified. All instructions or tasks must be addressed (try to address all the information specified in each task). Kindly review the attached PPT. The paper must include references in APA format only, and in-text citations. The references you cite should be credible, scholarly, or professional sources and not older than 3 years.
instructions_for_project.docx
ppt_for_it_audit_class.pdf
(For this week we need to complete the Week 1 project only.)
The selected case study is: ONC Releases Second Draft of TEFCA paper (Appendix 3: QHIN Technical Framework – page 70 onwards only)
Weeks 1–5 Project Overview

For this assignment, you will tackle the comprehensive task of auditing the IT and IS for an organization operating in a domain of your choice. You will apply the IT auditing process to a selected case study for your organization. You will first define the scope of your organization, describe its IT capability, and explain how it supports the organization’s critical mission. You will then conduct an evaluation of how the IT capability aligns with the organization’s goals. Your evaluation will examine IT/IS practices and operations in your organization. Your evaluation will include an assessment of internal controls within the IT environment to assure validity, reliability, and security of information, as well as an assessment of the efficiency and effectiveness of the IT capability. Finally, you will describe your findings and discuss recommendations in terms of specific controls improvements to key IT processes for your selected case study. Your main objective is to formulate a solution in the form of decisions that will aim at assuring the integrity of your organization’s information assets.

You will be completing this assignment in five weeks. In each week, you will work on a component of the report. By the end of Week 5, you will integrate these separate components into a final report.

The final project deliverable will be a report reviewing the organization’s enterprise goals, IT-related goals, architecture, and summarizing the findings based on your evaluation, and your final analysis and recommendations (in the form of decisions). The report will include:
• A description of the organization’s main business and mission, including the enterprise goals
• The IT/IS capability for your organization, including IT/IS infrastructure, systems, and applications, as well as the organization’s IT-related goals
• An evaluation of IT/IS practices and operations in your organization, including an assessment of internal IT controls in terms of achieving IT assurance for your organization
• A description of the findings and an analysis of the risks and remedial measures, arriving at specific, qualifiable decisions (that can be verified when implemented)
• A summary of how your IT auditing will achieve greater IT assurance and will ensure a stronger alignment of the IT-related goals with the enterprise goals

Include a copy of all the references used in APA format.
The following is the modular breakdown of the project:

o Week 1:
  ▪ Conduct a preliminary review of your case study’s organization. This review should include business mission, organizational structures, culture, IS, products and services, infrastructure and applications, people skills, and competencies.
  ▪ Explain the need for an IT audit of your organization. Support your analysis in IT governance terms. Identify the stakeholders for your case study.
  ▪ Identify enterprise goals and IT-related goals for your case study and then create a mapping of the two sets, indicating primary relationships and secondary relationships.
  ▪ Start developing an IT audit plan that addresses the following components: define scope, state objectives, structure approach, provide for measurement of achievement (identify the areas you intend to measure; specific metrics will be addressed later), address how you will assure comprehensiveness, and address how you will provide approach flexibility.

o Week 2:
  ▪ Discuss how you will apply a single auditing framework like COBIT 5 to structure your IT audit.
  ▪ Describe the IT audit procedures that you will rely on in your IT audit.
  ▪ Start defining a balanced scorecard that lists IT-related goals and tracks some performance metrics against the goals.
  ▪ Review and revise your IT audit plan as needed by improving components in your plan based on additional insight you have developed.

o Week 3:
  ▪ Identify your case study’s IT processes in key areas of the IS lifecycle and describe them according to the major domains.
  ▪ Conduct a preliminary evaluation of internal IT processes, focusing primarily on project management and software development.
  ▪ Refine your balanced scorecard as needed, possibly expanding the IT-related goals and the performance metrics.
  ▪ Create a process RACI chart that maps management practices to their related roles and indicate levels of responsibility for each role.

o Week 4:
  ▪ Conduct an evaluation of internal controls for service management.
  ▪ Conduct an evaluation of internal controls for systems management.
  ▪ Conduct an evaluation of internal controls for operations management.
  ▪ Refine your balanced scorecard as needed, possibly expanding the IT-related goals and the performance metrics.

o Week 5:
  ▪ Using the three-phase model of IT assurance initiative provided in the online lectures, build and execute an IT assurance initiative as follows:
    • Identify potential IT-related issues based on documented assumptions and your evaluation of your case study in Weeks 1–4.
    • Scope the IT assurance initiative based on the subset of the organizational system that should be targeted.
    • State relevant enablers and suitable assessment criteria to perform the assessment.
    • Integrate the totality of your work from Weeks 1–4 and report the results of your assessment including your findings and recommendations.
MIS6230 IT Audit, Control, and Compliance
Ricardo Silva, Ph.D., C.C.E.
Auditing Approaches
ISO 19011:2002
• Process flow for the management of an audit programme
ISO 19011:2002
• Typical audit activities
The Assurance Process based on COBIT 5
Assurance Engagement Scoping Summary
• Define the assurance objective in simple language.
• Identify the enterprise goals that are most related to the high-level assurance objective.
• Refine the list of potential enterprise goals to a manageable set of key goals and additional goals.
• Use the mapping table between enterprise goals and IT goals to identify potential IT goals that need to be achieved.
• Refine – taking into account the specific environment – the set of potential IT goals to a manageable set of key IT goals and additional IT goals.
• Use the mapping table between IT goals and COBIT 5 processes to identify potential processes that support the IT goals.
Assurance Engagement Scoping Summary
• Refine the list of selected processes to a manageable list.
• Use the RACI charts of the selected processes to identify potential organizational structures in scope, and refine the list.
• Use the RACI charts of the selected processes to identify potential people, skills and competencies in scope, and refine the list.
• Use the input/output tables of the selected processes to identify potential information items in scope, and refine the list.
• Identify which other enablers support the achievement of the selected IT goals.
• Consolidate the list of enablers in scope and remove redundancies.
Use the “COBIT5_and_Assurance_Toolkit.pdf”
• Read:
  • Assurance Engagement Approach
  • Determine the Scope of the Assurance Initiative
  • Appendix A: Example Scope
  • Appendix J: Audit Program Template
Audit Planning (ITAF 1201 / 2201)

A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.

A high-level description of the audit work to be performed in a certain period of time, covering: the areas to be audited, the type of work planned, the high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, the type of report and its intended audience, and other general aspects of the work.
ITAF – Performance Standard 1201

1201.1 IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
• Objective(s), scope, timeline and deliverables
• Compliance with applicable laws and professional auditing standards
• Use of a risk-based approach, where appropriate
• Engagement-specific issues
• Documentation and reporting requirements

1201.2 IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
• Engagement nature, objectives, timeline and resource requirements
• Timing and extent of audit procedures to complete the engagement
Audit Example Using COBIT 5
(Please use the COBIT5_and_Assurance_Toolkit document as you are going over the following exercise and replicate the findings.)
SDLC Life Cycle Control – Activities and Documentation

Operations:
• Incident Management
• Problem Management
• Change Management
• Access Management
BAI06 Manage Changes – COBIT 5 Enabling Processes
BAI06 Manage Changes: Process Goals and Metrics
RACI Charts
• (R)esponsible – Who is getting the task done? Fulfilling the activity listed / creating the intended outcome.
• (A)ccountable – Who accounts for the success of the task? Where the buck stops.
• (C)onsulted – Who is providing input? Key roles that provide input.
• (I)nformed – Who is receiving information? Informed of achievements and/or deliverables of the task.
BAI06 Manage Changes: RACI
From the RACI chart -> Roles and Responsibilities
BAI06.01 Evaluate, Prioritize and Authorize Change Requests
BAI06.02 Manage Emergency Changes
BAI06.03 Track and report change status
BAI06.04 Close and document the changes
Activity 1: Understanding the Audit Goals and Establishing the Environment

Assignment

Develop the following using the templates provided, along with the required reading and methodology presented in class:

Identify the Assurance Objective(s) and create a context within the goals of the controls. Note that the level of abstraction/detail of the assurance objectives depends on the actual topic of the assurance engagement (please refer to COBIT5_and_Assurance_Toolkit.docx and the Goal Cascading effect). By the end of this step you will have identified the Stakeholder Needs, Enterprise Goals, IT Goals, and Processes involved. Select an Assurance Objective that falls within one of the following categories (recommendation: selecting the very low level of abstraction/detail will allow you to start building the Audit Plan with a single COBIT control):

• If the level of abstraction/detail is high
  • Identify first the “Stakeholder Need(s)” that are involved,
  • identify the Enterprise Goals,
  • identify the IT Goals, and finally
  • the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
• If the level of abstraction/detail is medium
  • Identify the Enterprise Goal(s) that are involved,
  • identify the IT Goals, and finally
  • the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
• If the level of abstraction/detail is low
  • Identify the IT Goal(s) that are involved, and
  • use reverse logic to identify the Enterprise Goals by using the tables in the COBIT 5 – Cascading Effect, and finally
  • the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
• If the level of abstraction/detail is very low
  • Identify the Process(es) that are involved,
  • use reverse logic to identify the IT Goals, and finally
  • the Enterprise Goals by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document

For the Process(es) you identified in the previous step, and using the COBIT5_and_Assurance_Toolkit.docx document, provide the:
• Process Description, Process Purpose Statement, Key Management Practices (KMP) and their description, as well as their associated activities (this will be used to assess whether the management practices are effectively implemented)
• Process Goals and Related Metrics
• Identify the RACI chart for the Key Management Practices involved (the interested parties)
• Identify the Inputs/Outputs for each of the Key Management Practices that are part of your selected process(es)
• Identify the respective IT and Enterprise Goals and Metrics
Deliverable:
Create a report between 1000 and 5000 words in a Microsoft Word document and save it as SU_MIS6230_A1_LastName_FirstInitial.doc.
Cite any sources you use using correct APA format on a separate page.
Introduction to ITAF
1007 Assertions (statements)
• 1007.1 IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

1008 Criteria
• 1008.1 IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report.
• 1008.2 IS audit and assurance professionals shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.
Engagement Planning
• 1201 Engagement Planning
  • 1201.1 IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
    • Objective(s), scope, timeline and deliverables
    • Compliance with applicable laws and professional auditing standards
    • Use of a risk-based approach, where appropriate
    • Engagement-specific issues
    • Documentation and reporting requirements
  • 1201.2 IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
    • Engagement nature, objectives, timeline and resource requirements
    • Timing and extent of audit procedures to complete the engagement
Risk Assessment
• 1202 Risk Assessment in Planning
  • 1202.1 The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
  • 1202.2 IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.
  • 1202.3 IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.
Performance and Supervision
• 1203 Performance and Supervision
  • 1203.1 IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
  • 1203.2 IS audit and assurance professionals shall provide supervision to IS audit staff whom they have supervisory responsibility for so as to accomplish audit objectives and meet applicable professional audit standards.
  • 1203.3 IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.
  • 1203.4 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
  • 1203.5 IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.
  • 1203.6 IS audit and assurance professionals shall identify and conclude on findings.
Materiality
• 1204 Materiality
  • 1204.1 IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
  • 1204.2 IS audit and assurance professionals shall consider audit materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
  • 1204.3 IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
  • 1204.4 IS audit and assurance professionals shall disclose the following in the report:
    • Absence of controls or ineffective controls
    • Significance of the control deficiency
    • Likelihood of these weaknesses resulting in a significant deficiency or material weakness
Evidence
• 1205 Evidence
  • 1205.1 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
  • 1205.2 IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.
Using the Work of Other Experts
• 1206 Using the Work of Other Experts
  • 1206.1 IS audit and assurance professionals shall consider using the work of other experts for the engagement, where appropriate.
  • 1206.2 IS audit and assurance professionals shall assess and approve the adequacy of the other experts’ professional qualifications, competencies, relevant experience, resources, independence and quality-control processes prior to the engagement.
  • 1206.3 IS audit and assurance professionals shall assess, review and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work.
  • 1206.4 IS audit and assurance professionals shall determine whether the work of other experts, who are not part of the engagement team, is adequate and complete to conclude on the current engagement objectives, and clearly document the conclusion.
  • 1206.5 IS audit and assurance professionals shall determine whether the work of other experts will be relied upon and incorporated directly or referred to separately in the report.
  • 1206.6 IS audit and assurance professionals shall apply additional test procedures to gain sufficien …