Why struggle with hiring and retaining IT audit resources within your internal audit group? IT audit co-sourcing is a cost-effective alternative!
The world of IT audit today requires breadth and depth of technology skills that are seldom found in one resource. Accordingly, many organizations rely on the diversity and depth of skills that only a firm like Sunera can bring to the table. Each resource possesses technological skills within various specialties such as infrastructure and security, ERP systems, database management, UNIX, Windows, project management, application security, or business continuity.
Our projects are defined within small manageable engagements with short timelines designed for high impact and value-add. We can supplement your internal audit plan with IT audit projects that bring added value and positive exposure to your department. Furthermore, each project can be independently evaluated for the return on investment prior to commencement. Therefore, you only engage us for what you need.
We begin with a master services agreement that doesn’t obligate you to purchase any services but establishes us as your IT audit provider. Secondly, we prepare individual project statements of work or provide specific skills and resources for periods of time. Our typical IT audit projects include:
Sarbanes-Oxley
We can assist with all aspects of your Sarbanes-Oxley documentation project and ongoing testing, including IT general controls, application controls, baseline application testing, and segregation of duties testing.
ERP Quality Assurance
We have ERP-qualified resources (e.g., SAP, Oracle, PeopleSoft, JD Edwards, Lawson) that maintain involvement during an integration project to report on project quality and control issues as they arise. By closely monitoring the ERP implementation, our resources can dramatically improve the likelihood that your project completes on time and meets user requirements.
Pre and Post Integration Reviews
Nearing the end of an integration project? Our resources can determine if your company is ready to “go-live” by performing a pre-integration review. We examine all components of the integration project to determine the entity's readiness including testing, reporting, training, user documentation and control processes. This service provides added comfort that all the risks of “go-live” are being managed.
Our post-implementation reviews identify both the strengths and the opportunities for ERP optimization and improvement in internal controls subsequent to "go-live". We include these in an overall report detailed to a level appropriate for internal use and summarized accordingly for your audit committee.
Application Security & Control Audits
For any application, at any time in its lifecycle, we can evaluate the risks, controls and opportunities for improvement in both efficiency and compliance. We have extensive application control libraries that we use to benchmark your ERP's configurable controls. In addition, we can efficiently perform a segregation of duties (SOD) analysis for any of the major ERPs using our suite of SOD tools.
IT Governance Reviews
These assessments provide your IT department with a detailed analysis of Project Management, Operations, Systems Development, Change Management, Problem Management, Information Security and Organizational Management. We incorporate benchmarking information as well as our experience with best practices in IT to support our findings and recommendations.
Information Security Assessments
We can evaluate the security design and related risks of almost any operating system or database component. These assessments are normally very detailed and technical and occur mainly at the operating system level. Our practitioners are skilled with all common system software products and platforms, including AS/400, UNIX, Windows, Active Directory, Oracle, SQL Server, RACF and more. In addition, we tailor our reports to meet the needs of multiple audiences. For example, the findings in the body of the report are detailed enough to be actionable by your IT department, whereas the executive summary is business and risk focused, which is more appropriate for senior management and the audit committee.
Internal & External Vulnerability Testing
We bring the attack and penetration skills of our information security practice to internal IT audit at affordable rates. These assignments can be targeted from outside your organization with little or no information, or from inside to determine the level of exposure to your in-house personnel. Our reports are concise, include screenshots of the vulnerabilities identified, and incorporate an appropriate summary for an audit committee or executive.
Web Application Testing
Before you roll out a new web application, make sure you have it audited. Our skilled team can test the application for exploits and provide additional assurance that the application and associated infrastructure cannot be compromised or release sensitive information to the outside world. In addition, we can identify platform and other processing issues that may affect the successful operation or efficiency of your application.

