Page 36 - Quick Insights Book 2022

Chap. 6 – Information Technology


  - How does existing activity affect brand and reputation?

SEGREGATION OF DUTIES/IDENTITY AND ACCESS MANAGEMENT

Systematic Segregation Of Duties Review Audit
Evaluates the process and controls IT has in place to effectively manage segregation of duties (SoD). Performs an assessment to determine where SoD conflicts exist and compares the results to the known conflicts communicated by IT. Evaluates the controls in place to manage risk where conflicts exist.

Audit Considerations
  - How does IT work with the business to identify cross-application segregation of duties issues?
  - Do business personnel understand ERP roles well enough to perform user access reviews?
  - While compensating controls identified for SoD conflicts may detect financial misstatement, would they truly detect fraud?

ROLE DESIGN AUDIT
Evaluates the design of roles within ERPs and other applications to determine whether inherent SoD issues are embedded within the roles. Provides role design, role clean-up or role redesign advisory assistance and pre- and post-implementation audits to solve identified SoD issues.

Audit Considerations
  - Does the organisation design roles in a way that creates inherent SoD issues?
  - Do business users understand the access being assigned to the roles they are assigned ownership of?

Segregation of Duties Remediation Audit
Follows up on previously identified external and internal audit findings around SoD.

Audit Considerations
  - Does the organisation take appropriate action when SoD conflicts are identified?
  - Has the organisation proactively addressed SoD issues to prevent year-end audit issues?

IAM/GRC TECHNOLOGY ASSESSMENT
Evaluates how IAM or GRC software is currently used, or could be used, to improve SoD controls and processes.

Audit Considerations
  - Is IAM or GRC software currently used effectively to manage SoD risk?
  - What software could be utilised to improve the level of SoD control, and what are the business requirements?

DATA LOSS PREVENTION AND PRIVACY

Data Governance and Classification Audit
Evaluates the processes management has put in place to classify data and to develop plans to protect the data based on its classification.

Audit Considerations
  - What sensitive data does the organisation hold, and what is the most important data?
  - Where does the organisation's sensitive data reside, both internally and with third parties?
  - Where is the data going?

DLP CONTROL REVIEW
Audits the controls in place to manage privacy and data in motion, in use and at rest. Considers the following scope areas: perimeter security, network monitoring, use of instant messaging, privileged user monitoring, data sanitisation, export/save control, endpoint security, physical media control, disposal and destruction, and mobile device protection.

Audit Considerations
  - What controls do we have in place to protect data?
  - How well do these controls operate?
  - Where do our vulnerabilities exist, and what must be done to manage these gaps?

Privacy Regulation Audit
Evaluates the privacy regulations that affect the organisation and assesses management's response to these regulations through policy development, awareness and control procedures.

Audit Considerations
  - How well does the organisation understand the privacy regulations that affect global business? For example, HIPAA is potentially a risk to all organisations involved in the health care industry of the USA, not just health care providers or payers. The General Data Protection Regulation (GDPR)
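The conflict assessment described above under the Systematic Segregation Of Duties Review Audit and the IAM/GRC Technology Assessment (find where SoD conflicts exist across applications, then compare them with the conflicts IT has already reported) can be run as a script over access exports. The following is an added example and is not part of the original page or of any GRC product: the applications, roles, business functions, users and SoD rule pairs are constructed sample data, and the data model (user-to-role assignments per application, role-to-function mapping per application, a rule set of conflicting function pairs) is a simplification of what a real GRC tool holds.

```python
"""Cross-application segregation-of-duties (SoD) conflict assessment.

Added example, not from the original page. Assumes a simplified data
model: user-to-role assignments exported from each application, a
role-to-business-function mapping per application, and an SoD rule set
of conflicting function pairs. All names below are constructed sample data.
"""
from collections import defaultdict
from itertools import combinations

# SoD rule set: pairs of business functions one person must not hold.
# Hypothetical rules; a real matrix is agreed with finance and internal audit.
SOD_RULES = {
    ("vendor_maintain", "payment_release"): "Create a vendor and pay it",
    ("journal_post", "journal_approve"): "Post and approve own journals",
    ("po_create", "goods_receipt"): "Raise a PO and receive against it",
}

# Application -> role -> set of business functions (constructed).
ROLE_FUNCTIONS = {
    "ERP": {
        "AP_CLERK": {"vendor_maintain"},
        "AP_MANAGER": {"payment_release"},
        "GL_ACCOUNTANT": {"journal_post"},
        "GL_CONTROLLER": {"journal_approve"},
        "BUYER": {"po_create"},
    },
    "WMS": {"RECEIVER": {"goods_receipt"}},
    "TREASURY": {"PAYMENT_RELEASER": {"payment_release"}},
}

# User assignments (user, application, role) as exported from each system.
ASSIGNMENTS = [
    ("alice", "ERP", "AP_CLERK"),
    ("alice", "TREASURY", "PAYMENT_RELEASER"),  # conflict spans two systems
    ("bob", "ERP", "GL_ACCOUNTANT"),
    ("bob", "ERP", "GL_CONTROLLER"),            # conflict inside one system
    ("carol", "ERP", "BUYER"),
    ("dave", "WMS", "RECEIVER"),
    ("erin", "ERP", "BUYER"),
    ("erin", "WMS", "RECEIVER"),                # conflict spans two systems
]

# Conflicts IT has already reported, keyed by (user, sorted function pair).
KNOWN_CONFLICTS = {("bob", ("journal_approve", "journal_post"))}


def entitlements(assignments, role_functions):
    """Map user -> {function: {(app, role), ...}} across all applications."""
    ent = defaultdict(lambda: defaultdict(set))
    for user, app, role in assignments:
        for func in role_functions.get(app, {}).get(role, set()):
            ent[user][func].add((app, role))
    return ent


def find_conflicts(assignments, role_functions, rules):
    """Return (user, (func_a, func_b), description, sources) for every
    pair of functions a user holds that matches an SoD rule. The pair is
    sorted, so rules are matched in either order; sources lists the
    (app, role) grants that confer the two functions."""
    found = []
    for user, funcs in entitlements(assignments, role_functions).items():
        for a, b in combinations(sorted(funcs), 2):
            desc = rules.get((a, b)) or rules.get((b, a))
            if desc:
                found.append((user, (a, b), desc, sorted(funcs[a] | funcs[b])))
    return found


def reconcile(conflicts, known):
    """Split conflicts into those IT already reported and those it missed."""
    reported, unreported = [], []
    for c in conflicts:
        (reported if (c[0], c[1]) in known else unreported).append(c)
    return reported, unreported


if __name__ == "__main__":
    found = find_conflicts(ASSIGNMENTS, ROLE_FUNCTIONS, SOD_RULES)
    reported, unreported = reconcile(found, KNOWN_CONFLICTS)
    for user, pair, desc, sources in unreported:
        scope = "cross-app" if len({app for app, _ in sources}) > 1 else "single-app"
        print(f"UNREPORTED ({scope}) {user}: {desc} via {sources}")
```

Because entitlements are aggregated per user before rules are applied, a user whose conflicting functions come from two different systems (alice via ERP and TREASURY, erin via ERP and WMS) is caught; a single-application review would miss exactly these, which is the point of the cross-application consideration above. The unreported list is the finding the audit takes back to IT, and each entry's source grants are what a role-design review would use to decide whether the conflict is embedded in a role or caused by an assignment.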





Quick Insights on Professional Opportunities for Chartered Accountants   23