Information systems auditing

Background

Information systems are one of the most crucial resources to be found at your organization. The threats they face are many and varied and, therefore, their protection and security are essential.

Information systems managers contend with their challenges on a daily basis, in addition to the necessity to comply with many and varied regulatory requirements that provide new challenges on a regular basis.

Fahn Kanne Control Management has the know-how and experience in the areas of auditing and consultancy and integrate these capabilities with expertise in the area of information systems.

The key word found in professional service is “specialization”. Auditing information systems requires appropriate theoretical knowledge, together with practical experience in the area of information systems. The sophistication of information systems requires that audits are conducted through the use of advanced methods, in accordance with accepted standards, including inter alia tools for data analysis, simulations, identification of “needle in the haystack” deviances, etc. Our firm has the know-how, the expertise and the experience that you require.

Information and cyber security

The service rendered by the Information systems and cyber consultancy department

• The effectiveness of the organization’s cyber framework: the fairness of the processes dealing with the management of the protection against intrusion to organizational network, protection against viruses, firewall management, intrusion testing, etc.
• Information security reading the organizational network: the fairness of the processes of active directory security management and directory management, securing remote access, firewall management, etc.
• Information security of the organizational information systems: the fairness of the processes of user management and access hierarchy, password mechanisms, etc.
• Physical data security: the fairness of restricting access to sensitive areas such as the server room and the control of access thereto.
• Information security regarding cloud services: the fairness of cloud-related monitoring and control processes and regulating the obligations of the vendors toward the organization from the standpoints of service level, non-disclosure, privacy protection, etc.
• Development and implementation of procedures in the fields of information system and cyber security: adapting the written procedures to the needs of the organization and the structure of the information systems.
• Protection of privacy of information assessment: the fairness of the compliance with the Israeli privacy protection standards and/or the European standards (GDPR), identification of gaps, definition, classification and registration of private databases.

Risk assessments

• They can be performed on two levels, based on the needs and requirements of the client: a general risk assessment and a more in-depth risk assessment.
• A risk assessment in the area of information security in the organization: identification of the existing risks in the organization in the area of information security, documentation of the controls being implemented against those risks and the treatment of the residual risk.
• A risk assessment in the area of information systems operation: identification of the existing risks in the organization in the areas of backups, restorations, controls regarding interfaces and automated processing, documentation of the controls being implemented against those risks and the treatment of the residual risks.

Strategy and processes in the area of information technologies

• Consulting and selection of information systems strategy: assistance in adapting the IT strategy and the work plan in the organization’s IT unit so as to bring them into line with the realization of the strategy and the business goals.
• Auditing to assess the information systems strategy and the support of the organizations activity: the fairness of the adapting of the organization’s IT strategy to the business strategy and the goals of the organization.
• Consulting, control and auditing of the implementation of the organization’s models and methodologies, such as ISO and COBIT: the fairness of the compliance with accepted standards and identification of gaps.
• Consulting on the improvement of processes in the area of information technologies: the fairness of the organization’s IT management, including IT maintenance, mapping and management of components, a work plan and orderly areas of responsibility, setting benchmarks for levels of service and user satisfaction.
• Consulting and accompaniment of the implementation of processes in the IT units: accompaniment of system installation projects, organizational changes, arrangement of support processes, security management, steering and work plans.
• Consulting, control and auditing of business continuation plans (BCP) and disaster recovery plans (DRP): management of the organization’s backup framework, an assessment of the impact on business processes (BIA) and definition of recovery benchmarks, the existence of a written disaster recovery plan and an assessment of its effectiveness.

Project management and system development

• Assistance in processes involving the selection of information systems: accompaniment of the processes of installation of information systems including the identification and refining of requirements, system wide definitions, performance of market surveys, and accompaniment of the processes of examination, adaptation and implementation in the organization.
• Consultation and auditing in the field of IT project management, including projects being performed by outsourced parties: working with vendors, regulating steering processes, control and monitoring of IT projects, IT project risk management.
• Consulting and auditing on the issue of information system development and management of changes: the fairness of the access to system code, segregation of duties in release management, the fairness of the manner in which changes are managed in the organization’s systems including the processes of approved requirement/definition, acceptance testing, approval of the implementation in the production environment, controls pertaining to changes and emergency change, use of systems for the management of code and releases.
• Consultation and accompaniment of information system implementation processes.
• Assistance in the planning and performance of testing the conversion of databases: accompaniment of the processes of classification of the critical data needed for conversion, identification and adaptation of conversion rulers, the process of testing conversion, such as comparison of major reports.
• Consultation and auditing on the issue of segregation of duties in the IT units and the area of information system development: the fairness of the access to the system code in the production environment, segregation of duties in the management of releases, use of systems for the management of code and releases.
• Auditing of the functioning of vendors and the service rendered to the organization: the existence and implementation of non-disclosure agreements and service level agreements, controls pertaining to IT vendors, regulating the obligations of the vendors with regard to disaster recovery and privacy protection.

GRC

• Consulting regarding adapting the organization to SOX: documentation of the ITGC (Information Technologies General Controls) maintained at the organization, in connection with the information systems that have an impact on financial reporting, checking the effectiveness and the implementation of the controls in accordance with the requirements, in connection with the management of users and access rights, mechanisms for the management of changes and developments, segregation of duties and management of the backup framework.
• Guidelines of the Supervisor of Banks.
• Guidelines of the Supervisor of Insurance.
• ISO27031, ISO27032, ISO27001: the fairness of compliance with accepted standards and identification of gaps.
• Compliance with the Israeli privacy protection guidelines and standards, the European GDPR and the U.S. CCPA, the fairness of the compliance with the standards, identification of gaps, definition, classification and registration of private information databases.

Independent audit

• Rendering an opinion on the internal controls at the service bureau (SOC1 / SOC2): SAS 70 documentation of controls implemented by the service bureau (an organization that renders information system services for the calculation of salaries, etc., and rendering an opinion as to the effectiveness and implementation of the controls in accordance with the requirements.
• Compliance with SOX requirements.
• Auditing information systems in connection with financial statements and other reports: securing information systems that impact the financial reporting, including management of users and access rights, mechanisms for the management of changes and developments, segregation of duties and management of the backup framework.

IT operations

• Consulting and auditing on the operational efficiency of the IT unit.
• Consulting on the drafting of procedures in the IT realm, adaptation of written procedure on the basis of the needs of the organization and the structure of the information systems.

Additional services

• Data analysis and pulling information from databases and information systems for purposes of performing specialty testing: identification of deviancies and integrity testing.
• Performance of root cause analyses: mapping, classification and investigation of deviancies and bugs, identifying root causes and updating and improving processes.
• Assistance in the performance of data cleansing.

Our added value

• A department dedicated entirely to consulting on cyber and information systems.
• Service based on professionalism and the involvement of senior staff.
• The assistance of the firm’s professional departments in the fields of accounting, internal auditing, payroll controls, taxation and economic consultancy
• The performance of projects around the world, utilizing the services of local experts at the member firms of the Grant Thornton International network of which we are the Israeli member firm.