
Benchmarking Automated Controls Vijay Venkatesh, IT Audit Lead - PowerPoint PPT Presentation



  1. Benchmarking Automated Controls
     Vijay Venkatesh, IT Audit Lead; Carrie Gilstrap, IT Audit Manager; Brad Ames, Internal Audit Director. Hewlett-Packard Company. San Francisco Chapter

  2. - Premise for Continuous Monitoring
     - HP's Continuous Monitoring Model
     - Illustrations
     - Take Away Learnings

  3. The Opportunity
     Post-SOX organizations are inclined to embed compliance and assessment (audit) teams to assure good internal controls, and are committed to operational excellence, solid metrics for measuring the process, and continuous improvement. We believe that with some additional focus and prioritization these organizations can move to a continuous monitoring approach and create a better control environment with much less investment and expense than today's environment. Continuous Monitoring will allow for far fewer audits, including SOX automated control benchmarking.

  4. Build toward a Strategy
     - Continuous Control Measurement (CCM) is a monitoring and benchmarking approach adopted by HP internal audit to see emerging risk across the enterprise
     - The CCM tools and methodology enable the examiner and governance to shift from a historical view to an ongoing strategic perspective
     - Since risk and response to risk can be analyzed remotely, HP is reducing time and intrusion in the field by implementing the CCM tools and methodology

  5. Premise for Continuous Control Measurement
     - Uncertainty: less comfort regarding how risk is managed results in more testing.
     - Tolerance: tolerance and control activities go together. Low tolerance for risk means more control processes, which reduces testing.
     - Response: CCM provides a way for auditors to gain visibility to risk tolerance and response to risk, and generates confidence.
     - Interdependence: it all goes together. Not all of the controls in the environment need to be tested to conclude on risk. When one control is strengthened it will affect another.

  6. Continuous Control Measurement (CCM)
     - Provides a way to reduce uncertainty and assess risk
     - Gives ongoing visibility to risk and the control environment
     - Measures key control indicators to isolate outliers
     - Allows a more timely conclusion regarding the control environment
     Continuous Control Measurement makes complex things simple to see.

  7. From project to progress: Ongoing benefits of CCM
     - Modeling Key Control Indicators enables us to:
       - Link change to real risk and risk response
       - Reduce audit uncertainty
       - Simplify Sarbanes-Oxley testing
       - Focus prospectively
     - Measuring Key Control Indicators provides:
       - Early possession of information regarding emerging risk
       - Current disclosure of changes in the control environment
       - Transparent attestation: precise auditor deployment

  8. The Steps Toward Continuous Monitoring
     Figure: the monitoring steps from the COSO Guidance on Monitoring Internal Control Systems. Steps 1, 2 and 3 would be accomplished in collaboration with IA… before implementation.

  9. How Continuous Monitoring Works
     Source: COSO Guidance on Monitoring Internal Control Systems.
     Trending and comparing changes to a predefined threshold will sustain and carry forward the Baseline Certification with minimal examination.
     Figure: cycle of Baseline Certification, Re-validation and Response; more coverage, less frequent Baseline Certifications.

  10. Measuring IT Risk
     Key Performance Indicators (KPIs) of IT Controls exist at various levels in the organization:
     1. IT Infrastructure Operations
     2. Applications
     3. Financial Processes
     How does audit assess these controls by area?

  11. Accounts Receivable (AR) Cycle: 3 areas of KPIs
     Figure: the AR processing flow (input transactions, AR processing of clean transactions, updated AR file as output) overlaid with three KPI layers:
     1. IT Infrastructure Ops KPIs: changes, access, incidents
     2. Apps KPIs: change management, security, operations, configurable control settings
     3. Financial Process KPIs: exception data, blocked and unblocked transactions, analytics, input controls

  12. Alignment is the Key
     Figure: Compliance sits on the Continuous Control Measurement tools and methodology, which span three risk areas and rest on accepted assurance frameworks.
     - IT Operations Risks: Change Management, Security, Operations
     - Application Risks: Release & Config Mgt, Identity Management, Incident Management
     - Financial Process Risks: Configurable Controls, Exception Data

  13. Walkthrough Illustrations
     - Carrie.Gilstrap@hp.com, IT Audit Manager
     - Vijay.Venkatesh@hp.com, IT Audit Lead

  14. What is HP Currently Monitoring?
     - Change Management
       - Number of transports
       - Users with the ability to develop and migrate changes to production
     - Security
       - Number of users (active, locked, expired)
       - Password parameters
       - Privileged access (SAP_ALL, users with ability to maintain customer credit terms)
       - Terminated employee check
       - Segregation of Duties
     - Operations
       - Number of users with the ability to create/modify/delete jobs
     - Configurable Application Controls

  15. Maintenance
     - Change Management: Move to Production Process Segregation
       - Controls exist to ensure that Developers cannot move changes to the Production environment

  16. D7 Maintenance – KPI values
     - Users with Dev Key on DEV instance: showing users from production with a developer key on DEV
     - All users with Dev Key on DEV instance: showing all users with a developer key on DEV
     Table: Last vs. Current values (figures not reproduced).

  17. Users with DEV Key and Transport Management – Comparison Across Systems

  18. Number of Transports – D7C (November 2007 through August 2008)
     Chart annotation: Version Upgrade in May

  19. Number of Transports across applications (October 2007 through August 2008)

  20. Number of Transports across applications – Detail Report

  21. Last / Current Month Number of Users



  24. Active Users (USED) vs. Privileged Users (SAP_ALL)
     History for System: R00
     KPI       Oct-06  Nov-06  Dec-06  Jan-07  Feb-07  Mar-07
     USED       4,230   4,292   4,262   4,200   4,176   4,182
     SAP_ALL        5       5       5       5       5       5

  25. SAP_ALL Comparison Across Similar Applications (October 2006 – March 2007)

  26. SAP_ALL Comparison Across Similar Applications (October 2006 – March 2007)
     History for KPI: SAP_ALL
     System                 Oct-06  Nov-06  Dec-06  Jan-07  Feb-07  Mar-07
     APL (Asia Pacific)          9       9      10      10      10      12
     R00 (North America)         5       5       5       5       5       5
     R01 (Europe)                3       3       3       2       1       2
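The trending-against-a-threshold idea from slide 9, applied to the SAP_ALL history on slide 26, as an added example that is not part of the presentation: the first month is treated as the certified baseline and later months are flagged when they breach a tolerance. The tolerances (any increase in SAP_ALL holders, or a drift of more than 25% of the baseline) are assumptions for illustration, not HP's actual thresholds.

```python
"""Trend a key control indicator against a predefined threshold.

Constructed example: re-validates a baseline certification by comparing
each later month's SAP_ALL count with the certified baseline month and
flagging months whose drift exceeds the tolerance.
"""
from dataclasses import dataclass

MONTHS = ["Oct-06", "Nov-06", "Dec-06", "Jan-07", "Feb-07", "Mar-07"]

# SAP_ALL holders per system, transcribed from the comparison slide above.
SAP_ALL_HISTORY = {
    "APL": [9, 9, 10, 10, 10, 12],   # Asia Pacific
    "R00": [5, 5, 5, 5, 5, 5],       # North America
    "R01": [3, 3, 3, 2, 1, 2],       # Europe
}

@dataclass(frozen=True)
class Finding:
    system: str
    month: str
    value: int
    baseline: int
    reason: str

def evaluate_kpi(history, baseline_index=0, max_increase=0, max_pct_drift=0.25):
    """Return one Finding per month that breaches the tolerance.

    Thresholds are assumptions for this example, not HP's tolerances:
    any growth in SAP_ALL holders beyond `max_increase` is flagged (a new
    privileged account needs an explicit response), and so is a drift in
    either direction of more than `max_pct_drift` of the baseline.
    """
    findings = []
    for system, values in history.items():
        baseline = values[baseline_index]
        later = zip(MONTHS[baseline_index + 1:], values[baseline_index + 1:])
        for month, value in later:
            if value - baseline > max_increase:
                findings.append(Finding(system, month, value, baseline, "increase over baseline"))
            elif baseline and abs(value - baseline) / baseline > max_pct_drift:
                findings.append(Finding(system, month, value, baseline, "drift beyond tolerance"))
    return findings

def systems_to_investigate(findings):
    """Systems needing re-validation instead of carrying the baseline forward."""
    return sorted({f.system for f in findings})
```

On the slide's data R00 carries its baseline forward untouched, while APL (growth from 9 to 12 holders) and R01 (a drop below tolerance) are the systems the slide marks "Investigate".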

  27. SAP_ALL Comparison Across Similar Applications (June 2008 – Sept 2008)
     Chart annotation: Investigate


  29. SAP_ALL Details for IJ1 – September 2008

  30. SAP_ALL Details for APL – September 2008
