1. IT GRC
2. INTRODUCTION
Information technology has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. Using IT to manage organizational controls by analyzing value drivers for particular accounting information systems commonly runs under the label of governance, risk management and compliance information systems (GRC IS). Information systems such as enterprise resource planning systems separate financial from non-financial data and therefore enable better financial accounting. On the other hand, they provide new potential for management control as “data become accurate, shareable and available to many different parties but hardly create the panoptic dreams of visibility and action at a distance”.
3. Governance
The process by which policy is set and decision making is executed. Governance is the set of policies, laws, culture, and institutions that define how an organization should be managed.
4. Risk management
• The process for preventing an unacceptable level of uncertainty in business objectives with a balance of avoidance through reconsideration of objectives, mitigation through the application of controls, transfer through insurance and acceptance through governance mechanisms. It is also the process to ensure that important business processes and behaviors remain within the tolerances associated with policies and decisions set through the governance process. Risk management is the coordination of activities that direct and control an organization, forecasting and managing events/risks that might have a negative impact on the business.
5. Compliance
The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements. Compliance is the act of adhering to regulations as well as corporate policies and procedures.
6. • Create and distribute policies and controls and map them to regulations and internal compliance requirements.
• Assess whether the controls are actually in place and working, and fix them if they are not.
• Ease risk assessment and mitigation.
• IT GRC provides coordination and standardization of policies and controls.
• Automate information gathering.
• It enables enterprises to rapidly adapt to change.
7. Governance
• Enterprise risk management and assessment
• Board compliance capabilities such as options policy compliance, ethics and policy compliance, etc.
• Business performance reporting such as balanced scorecards, risk scorecards, operational controls dashboards, etc.
• Policy management, documentation and communication
8. • Risk assessment
• Risk analysis and prioritization
• Root cause analysis of issues and mitigation
• Risk analytics and trend analysis
9. • Flexible controls hierarchy
• Assessments and audits
• Issues tracking and remediation
• Analytics
10. Importance of IT-GRC
• An improvement in the quality and availability of information;
• A reduction in breaches and errors;
• A reduction in costs and greater efficiencies;
• A more flexible and externally focused workforce capable of rapid change to meet customer and organizational needs;
• A greater assurance for the organization and its board and senior management that GRC issues are being appropriately dealt with and the organization remains “on target” with its performance objectives; and
• Improved levels of communication across the organization.
11. BUSINESS IS MORE DEPENDENT ON IT
• IT environment is more complex.
• Less time between IT failures and organizational impact.
• Increase in threats related to IT.
• Increase in regulations, standards and controls.
12. IT GRC Challenges
• Mapping the policies and controls
• Audit fatigue
• Security exposure
• Redundancy and inefficiency
13. Other Challenges
• A perception by staff that the initiative may have an ulterior motive, for example a cost recovery drive or head count reduction.
• Business unit managers or middle management are fearful of being marginalized as GRC responsibilities are devolved to those in lower levels of the hierarchy.
• Organizations are sometimes skeptical regarding the targeting and measurement systems proposed and are concerned that there will not ultimately be an appropriate return on investment given the establishment and maintenance costs involved.
• Corporate cynicism and skepticism around the outcomes and results achieved from past planned organizational change (and management “fads” generally).
14. Factors to be considered at the time of implementation of IT GRC
• Strategy
• Reporting and audit
• Legal function
• Information technology
• Ethics and corporate social responsibility
• Corporate culture
• Business process management
16. Introduction
Information systems auditing involves using technical tools and expertise to evaluate the adequacy and effectiveness of information systems in an organization. Further, it involves working with management to identify weak controls and risks, which arise due to the application of technology in a business. It also suggests ways to enhance these weak controls to increase the reliability of IS, which will help an organization to achieve its strategic objectives.
17. Meaning
Information systems audit is a process to collect and evaluate evidence to determine whether the information systems safeguard assets, maintain data integrity, achieve organizational goals effectively and consume resources efficiently.
The common element between any manual audit and an IS audit is data integrity. All types of audit (information audits) have to evaluate data integrity. Since IS audit involves efficiency and effectiveness, it includes some elements of management and proprietary audit too.
18. IS auditing methodology
• Step 1: Define objectives of the audit.
• Step 2: Obtain a basic understanding of systems and flow of transactions.
• Step 3: Detailed information gathering.
• Step 4: Search for exposures that exist under the system and suggest controls to eliminate the exposures.
• Step 5: Define auditing procedures to verify controls.
• Step 6: Perform audit tests using various techniques and tools.
• Step 7: Evaluation of findings.
• Step 8: Generation of report.
19. Scope of IS audit
• Data
• Application systems
• Technology
• Facilities
• People
20. Elements of IS audit
Exposures
Causes
Controls
Physical and environmental review
System administration review
Application software review
Network security review
Business continuity review
Data integrity review
21. Need for IS audit
• Confidentiality
• Integrity
• Availability
• Reliability
22. Categories of IS audits
• Systems and applications
• Information processing facilities
• Systems development
• Management of IT and enterprise architecture
• Telecommunications, intranets and extranets
23. Information Security and management standard
Meaning
Information security relates to the physical and logical protection of data or information recorded, processed, shared, transmitted or received in electronic form. The protection is provided against loss, inaccessibility, alteration, or unauthorized disclosure. The protection is achieved through physical safeguards such as locks, security guards, insurance etc. and logical safeguards such as user identifiers, passwords and firewalls.
24. Information security
• Meaning: It is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• Definition: “Information security is the process of protecting the intellectual property of an organization.”
• IT security: it is also referred to as computer security. A computer is any device with a processor and some memory; such devices can range from a non-networked standalone device as simple as a calculator to networked mobile computing devices such as smartphones and tablets. IT security is mainly used in major enterprise establishments due to the nature and value of the data within larger businesses.
25. Information assurance
• The act of ensuring that data is not lost when critical issues arise. These issues include but are not limited to natural disaster, computer server malfunction, physical theft or any other instance where data has the potential of being lost.
26. Threats
Computer system threats come in many different forms. Some of the most common threats today are software attacks, theft of intellectual property, identity theft, and theft of equipment or information.
27. Key concepts of information security
Confidentiality
Integrity
Availability
28. Control
Selecting proper controls and implementing them will initially help an organization to bring risk down to an acceptable level. Control selection should follow and be based on the risk assessment. Controls can vary in nature, but fundamentally they are ways of protecting the confidentiality of information.
Types of control are:
• Administrative control
• Logical control
• Physical control
29. Security organization structure
1. Information security forum (ISF)
2. Information security management group
(ISMG)
3. Assistant group security officer (AGSO)
4. System owner
5. Personal security officer (PSO)
6. Line manager
7. Users
30. Standards for Information Security
The International Organization for Standardization (ISO), established in 1947, is a non-governmental international body that collaborates with the international commission technology [ITC] on standards. The following are commonly referenced ISO security standards.
31. Introduction to ISO 27001
ISO 27001 is a specification for creating an ISMS. It does not mandate specific actions, but includes suggestions for documentation, internal audits, continual improvement, and corrective and preventive action.
32. Framework of ISO 27001
Implementation of ISO 27001 is an ideal response to legal requirements and potential security threats such as:
• Vandalism/Terrorism
• Fire
• Misuse
• Theft
• Viral attack
33. Features of ISO 27001
• Adopted the PDCA (Plan-Do-Check-Act) model.
• Adopted a process approach.
• Identify and manage activities so that they function effectively.
• Stress on continual process improvement.
• Scope covers information security, not only IT security.
• Focused on people, process, technology.
• Combination of management controls, operational controls and technical controls.
34. Benefits of ISMS ISO 27001 certification:
• Independent framework that will take account of all legal and regulatory requirements.
• Helps provide a competitive edge to the company.
• Helps to identify and meet contractual and regulatory requirements.
• Independently verifies that risks to the company are properly identified and managed.
• Demonstrates to customers that security of their information is taken seriously.
35. CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY (COBIT)
INTRODUCTION:
COBIT was first released in 1996; the current version, COBIT 5, was published in 2012. Its mission is “to research, develop, publish and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers, IT professionals and assurance professionals.”
36. The framework provides good practices across a domain and process framework:
“The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement and identifying the associated responsibilities of business and IT process owners.”
COBIT is a framework of generally applicable information systems security and control. The framework allows:
1) Benchmarking of the security and control arrangement.
2) Auditors to review internal controls and advise on IT security matters.
3) Users of IT services to be assured that adequate security and control exist.
38. IT Processes
Controls are required to be implemented in all the processes, which are broken into 4 domains:
• Planning and organization
• Acquisition and implementation
• Delivery and support, and
• Monitoring
39. Business objectives
To satisfy business objectives, information must satisfy some criteria that COBIT refers to as business requirements for information. The criteria are divided into seven categories:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
40. IT RESOURCES
Protection for the IT resources must be developed, which includes:
• People
• Application systems
• Hardware devices
• Facilities and data
• Security controls
41. Advantages of COBIT
I. COBIT is aligned with other standards and best practices and should be used together with them.
II. Its framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
III. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
IV. It provides tools to help manage IT activities.
42. COBIT has five IT governance areas of concentration
1) Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
2) Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing cost and providing the intrinsic value of IT.
43. COBIT has five IT governance areas of concentration (continued)
3) Resource management is about the optimum investment in and proper management of critical IT resources: applications, information, infrastructure and people.
4) Risk management is a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, and transparency into the organization.
5) Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example through balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
45. Introduction
• The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996. The purpose of HIPAA is to improve the efficiency and effectiveness of healthcare transactions by standardizing the exchange of administrative and financial data, as well as protecting the privacy and security of individual health information that is maintained or transmitted.
46. • HIPAA imposes stringent privacy and security requirements on health plans, healthcare providers, and healthcare clearinghouses that maintain and/or transmit individual health information in electronic form. The term “healthcare provider” includes individual physicians, physician group practices, dentists, other healthcare practitioners, hospitals, and nursing facilities.
47. Specific objectives of the regulations are:
• Standardizing the format and content of primary commercial and administrative electronic healthcare transactions.
• Developing standards to protect confidential patient information from improper use or disclosure and establishing patients' rights to control such uses.
• Developing standards for computer systems and networks to ensure the security, integrity, and availability of patient data.
48. HIPAA is also known as public law. The Act has five top-level titles:
• Title 1. Health access, portability, and renewability.
• Title 2. Preventing health care fraud and abuse (administrative simplification), which includes: (1) transactions and code sets, (2) identifiers, (3) privacy, (4) security.
• Title 3. Tax-related health provisions (medical savings accounts and health insurance tax deductions for self-employed individuals).
49. • Title 4. Group health plan provisions.
• Title 5. Revenue offset provisions.
50. HIPAA Transactions and Code Sets
• HIPAA is named for its contribution to portability of insurance and accountability for insurance claims. The administrative simplification section of HIPAA requires the standardization of identifiers, code sets, and transactions. HIPAA provides various limits to the exclusions that insurers may use, provides credit for past insurance, and attempts to assure that insurance can be purchased. As stated previously, HIPAA ensures only that insurance is available, not that it is inexpensive.
51. The Security Rule:
• The Security Rule lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.
52. The Standards and Specifications Are as Follows:
• Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
• The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
• Procedures should clearly identify employees or classes of employees who will have access to protected health information (PHI).
• The procedures must address access authorization, establishment, modification, and termination.
53. • A contingency plan should be in place for responding to emergencies.
• Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations.
• Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.
54. Technical Safeguards:
• Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
• Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.
55. • Each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner.
• Data corroboration, including the use of checksums, double-keying, message authentication, and signatures, may be used to ensure data integrity.
• Covered entities must also authenticate the entities they communicate with; authentication methods include password systems, two- or three-way handshakes, telephone call-back, and token systems.
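The integrity mechanisms listed above are not interchangeable: a checksum detects accidental corruption, while a message authentication code also detects deliberate alteration by anyone who does not hold the shared key. The following Python example is added here and is not part of the original slides; it contrasts a CRC-32 checksum with an HMAC-SHA256 message authentication code on a constructed record. The record, the shared key and the function names are this example's own assumptions, not anything prescribed by HIPAA.

```python
"""Integrity controls compared: CRC-32 checksum versus HMAC-SHA256.

Added example (not from the original slides). The record below is a
constructed stand-in for a PHI-bearing message, and the key is a
constructed secret shared by sender and receiver for illustration only.
"""
import hashlib
import hmac
import zlib

# Constructed sample record (not real patient data).
SAMPLE_RECORD = b"patient_id=000123;procedure=check-up;amount=120.00"
# Constructed shared secret known only to sender and receiver.
SHARED_KEY = b"example-shared-key-not-for-production"


def crc32_checksum(data: bytes) -> int:
    """CRC-32 over the record. Detects accidental corruption only: the
    checksum needs no secret, so anyone who changes the data can recompute it."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mac_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 over the record. Producing a valid tag requires the shared
    key, so a party who alters the data without the key cannot keep it valid."""
    return hmac.new(key, data, hashlib.sha256).digest()


def protect(key: bytes, record: bytes) -> dict:
    """Sender side: attach both integrity fields to the record."""
    return {"data": record, "crc": crc32_checksum(record), "tag": mac_tag(key, record)}


def verify(key: bytes, envelope: dict) -> dict:
    """Receiver side: check each integrity field independently."""
    crc_ok = crc32_checksum(envelope["data"]) == envelope["crc"]
    # compare_digest runs in constant time so the comparison does not leak the tag.
    mac_ok = hmac.compare_digest(mac_tag(key, envelope["data"]), envelope["tag"])
    return {"crc_ok": crc_ok, "mac_ok": mac_ok}


def corrupt_in_transit(envelope: dict) -> dict:
    """Model a transmission fault: one bit of the payload flips, fields untouched."""
    data = bytearray(envelope["data"])
    data[0] ^= 0x01
    return {**envelope, "data": bytes(data)}


def alter_without_key(envelope: dict, new_data: bytes) -> dict:
    """Model an unauthorized change by a party who holds no key: the payload is
    replaced and the public checksum recomputed, but the tag cannot be refreshed."""
    return {**envelope, "data": new_data, "crc": crc32_checksum(new_data)}


def run_scenarios(key: bytes = SHARED_KEY, record: bytes = SAMPLE_RECORD) -> dict:
    """Return the receiver's verdicts for the intact, corrupted and altered cases."""
    env = protect(key, record)
    altered = alter_without_key(env, record.replace(b"120.00", b"12000.00"))
    return {
        "intact": verify(key, env),
        "corrupted": verify(key, corrupt_in_transit(env)),
        "altered": verify(key, altered),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:10s} crc_ok={result['crc_ok']} mac_ok={result['mac_ok']}")
```

The "altered" case is the one that separates the two controls: the recomputed checksum still verifies, so a receiver relying on a checksum alone would accept the changed record, while the HMAC fails because the tag could not be recomputed without the key. A digital signature gives the same tamper detection without a shared secret, at the cost of key management the slides do not go into.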
56. Physical safeguards:
• Controlling physical access to protect against inappropriate access to protected data.
• Controls must govern the introduction and removal of hardware and software from the network.
• Access to equipment containing health information should be carefully controlled and monitored.
• Access to hardware and software must be limited to properly authorized individuals.
58. Introduction
Statement on Auditing Standards No. 70: Service Organizations, commonly abbreviated as SAS 70, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), officially titled “Reports on the Processing of Transactions by Service Organizations”. SAS 70 defines the professional standards used by a service auditor to assess the internal control of a service organization and issue a service auditor's report.
59. Meaning of SAS
SAS 70 (the Statement on Auditing Standards No. 70) defines the standards an auditor must employ in order to assess the contracted internal controls of a service organization. Service organizations, such as hosted data centers, insurance claims processors and credit processing companies, provide outstanding services that affect the operation of the contracting enterprise.
60. Under SAS 70, auditor reports are classified as either Type I or Type II. In a Type I report the auditor evaluates the efforts of a service organization at the time of audit to prevent accounting inconsistencies, errors and misrepresentation. The auditor also evaluates the likelihood that those efforts will produce the intended results in the future. A Type II report includes the same information as that contained in a Type I report; in addition, the auditor attempts to determine the effectiveness of agreed-on controls since their implementation. Type II reports also incorporate data compiled during a specific time period, usually a minimum of six months.
61. CHARACTERISTICS OF STATEMENT ON AUDITING STANDARDS FOR SERVICE ORGANIZATIONS
1. Statement on Auditing Standards (SAS) No. 70, Service Organizations, is an internationally recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA).
2. SAS 70 provides guidance to enable an independent auditor (“service auditor”) to issue an opinion on a service organization's description of controls through a Service Auditor's Report.
3. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting.
4. A formal report including the auditor's opinion (“Service Auditor's Report”) is issued to the service organization at the conclusion of a SAS 70 examination.
62. 5. A SAS 70 examination is not a “checklist” audit. SAS No. 70 is generally applicable when an auditor (“user auditor”) is auditing the financial statements of an entity (“user organization”) that obtains services from another organization (“service organization”). Service organizations that provide such services could be application service providers, bank trust departments, claims processing centers, Internet data centers, or other data processing service bureaus.
6. A SAS 70 audit or service auditor's examination is widely recognized, because it represents that a service organization has been through an in-depth audit of its control activities, which generally include controls over information technology and related processes.
63. Type I and Type II audit standards
Type I SAS 70 audits give an opinion on controls that are in place as of a point in time. The opinion deals with the fairness of presentation of the controls and the design of the controls in terms of their ability to meet defined control objectives. Since these reports only provide assurance over a single day, they are of limited value to third parties.
Type II SAS 70 audits give an opinion on controls that were in place over a period of time, which is typically a period of six months or more. The opinion deals with the fairness of presentation of the controls, the design of the controls in terms of their ability to meet defined control objectives, and the operational effectiveness of those controls over the defined period. Third parties are better able to rely on these reports since verification is provided regarding these matters for a substantial period of time.
64. Benefits to the service organization
1. A service auditor's report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements.
2. SAS 70 engagements are generally performed by control-oriented professionals who have experience in accounting, auditing, and information security.
3. A service auditor's report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities.
4. A SAS 70 engagement allows a service organization to have its control policies and procedures evaluated and tested (in the case of a Type II engagement) by an independent party.
5. A service auditor's report also helps a service organization build trust with its user organizations (i.e. customers).
65. CAPABILITY MATURITY MODEL (CMM)
INTRODUCTION:
The CMM was developed from 1984 by Watts Humphrey and the Software Engineering Institute (SEI). The SEI is a part of Carnegie Mellon University. The work was funded, and continues to be funded, by the Department of Defense (DoD), which was originally looking for ways to compare and measure the various contractors that were developing software for the DoD.
66. Meaning:
“A Capability Maturity Model (CMM) is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation. It thus enables the organization to consciously choose a certain target level of maturity and then to work towards that level.”
Definition:
“The definition implies that the CMM concept is mainly applicable to organizational processes, such as development processes or business processes. This process orientation underlies the model described in this paper and thus with knowledge within the framework of business processes.”
68. INITIAL MATURITY LEVEL
The software process is characterized as inconsistent and occasionally even chaotic. Defined processes and standard practices that exist are abandoned during a crisis. Success of the organization depends mainly on individual effort, talent and heroics. The heroes eventually move on to other organizations, taking their wealth of knowledge or lessons learnt with them.
69. REPEATABLE MATURITY LEVEL
This level of software development organization has basic and consistent project management processes to track cost, schedule and functionality. The process is in place to repeat the earlier successes on projects with similar applications. Program management is a key characteristic of a level two organization.
70. DEFINED MATURITY LEVEL
The software process for both management and engineering activities is documented, standardized and integrated into a standard software process for the entire organization, and all projects across the organization use an approved, tailored version of the organization's standard software process for developing, testing and maintaining the application.
71. MANAGED MATURITY LEVEL
Management can effectively control the software development effort using precise measurements. At this level, organizations set quantitative quality goals for both the software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
72. OPTIMIZING MATURITY LEVEL
The key characteristic of this level is a focus on continually improving process performance through both incremental and innovative technological improvements. At this level, changes to the process are made to improve process performance while at the same time maintaining the statistical probability of achieving the established quantitative process-improvement objectives.