Computer Science
IT Audit process for attached ONC TEFCA draft document

Question Description

I need support with this Computer Science question so I can learn better.

*** Plagiarism is not acceptable ***

Overview of Project – For this assignment, you will tackle the comprehensive task of auditing the IT and IS for an organization operating in a domain of your choice.

You will apply the IT auditing process to a selected case study.

The case study I have chosen is ONC Releases Second Draft of TEFCA PAPER - Appendix 3: QHIN Technical Framework (Page 70 onward only, not the entire document).

Instructions:

  • Research paper in APA format. Plagiarism is not acceptable. (Please consider this top priority.)
  • For the Week 1 project, complete instructions are specified. All instructions or tasks must be addressed. (Try to address all the information specified in each task.)
  • Kindly review the attached PPT.
  • The paper must include only APA-format references and in-text citations. The references you cite should be credible, scholarly, or professional sources and not older than 3 years.

Unformatted Attachment Preview

(For this week we need to complete the Week 1 Project only.) The selected case study is: ONC Releases Second Draft of TEFCA PAPER (Appendix 3: QHIN Technical Framework – Page 70 onwards only)

Weeks 1–5 Project Overview

For this assignment, you will tackle the comprehensive task of auditing the IT and IS for an organization operating in a domain of your choice. You will apply the IT auditing process to a selected case study for your organization. You will first define the scope of your organization, describe its IT capability, and explain how it supports the organization’s critical mission. You will then conduct an evaluation of how the IT capability aligns with the organization’s goals. Your evaluation will examine IT/IS practices and operations in your organization. Your evaluation will include an assessment of internal controls within the IT environment to assure validity, reliability, and security of information, as well as an assessment of the efficiency and effectiveness of the IT capability. Finally, you will describe your findings and discuss recommendations in terms of specific controls improvements to key IT processes for your selected case study. Your main objective is to formulate a solution in the form of decisions that will aim at assuring the integrity of your organization’s information assets.

You will be completing this assignment in five weeks. In each week, you will work on a component of the report. By the end of Week 5, you will integrate these separate components into a final report. The final project deliverable will be a report reviewing the organization’s enterprise goals, IT-related goals, architecture, and summarizing the findings based on your evaluation, and your final analysis and recommendations (in the form of decisions).

The report will include:

  • A description of the organization’s main business and mission, including the enterprise goals
  • The IT/IS capability for your organization, including IT/IS infrastructure, systems, and applications, as well as the organization’s IT-related goals
  • An evaluation of IT/IS practices and operations in your organization, including an assessment of internal IT controls in terms of achieving IT assurance for your organization
  • A description of the findings and an analysis of the risks and remedial measures, arriving at specific, qualifiable decisions (that can be verified when implemented)
  • A summary of how your IT auditing will achieve greater IT assurance and will ensure a stronger alignment of the IT-related goals with the enterprise goals

Include a copy of all the references used in APA format.

The following is the modular breakdown of the project:

Week 1:

  • Conduct a preliminary review of your case study’s organization. This review should include business mission, organizational structures, culture, IS, products and services, infrastructure and applications, people skills, and competencies.
  • Explain the need for an IT audit of your organization. Support your analysis in IT governance terms.
  • Identify the stakeholders for your case study. Identify enterprise goals and IT-related goals for your case study and then create a mapping of the two sets, indicating primary relationships and secondary relationships.
  • Start developing an IT audit plan that addresses the following components: Define scope, state objectives, structure approach, provide for measurement of achievement (identify the areas you intend to measure; specific metrics will be addressed later), address how you will assure comprehensiveness, and address how you will provide approach flexibility.

Week 2:

  • Discuss how you will apply a single auditing framework like COBIT 5 to structure your IT audit.
  • Describe the IT audit procedures that you will rely on in your IT audit.
  • Start defining a balanced scorecard that lists IT-related goals and tracks some performance metrics against the goals.
  • Review and revise your IT audit plan as needed by improving components in your plan based on additional insight you have developed.

Week 3:

  • Identify your case study’s IT processes in key areas of the IS lifecycle and describe them according to the major domains.
  • Conduct a preliminary evaluation of internal IT processes, focusing primarily on project management and software development.
  • Refine your balanced scorecard as needed, possibly expanding the IT-related goals and the performance metrics.
  • Create a process RACI chart that maps management practices to their related roles and indicate levels of responsibility for each role.

Week 4:

  • Conduct an evaluation of internal controls for service management.
  • Conduct an evaluation of internal controls for systems management.
  • Conduct an evaluation of internal controls for operations management.
  • Refine your balanced scorecard as needed, possibly expanding the IT-related goals and the performance metrics.

Week 5:

Using the three-phase model of IT assurance initiative provided in the online lectures, build and execute an IT assurance initiative as follows:

  • Identify potential IT-related issues based on documented assumptions and your evaluation of your case study in Weeks 1–4.
  • Scope the IT assurance initiative based on the subset of the organizational system that should be targeted.
  • State relevant enablers and suitable assessment criteria to perform the assessment.
  • Integrate the totality of your work from Weeks 1–4 and report the results of your assessment including your findings and recommendations.

MIS6230 IT Audit, Control, and Compliance
Ricardo Silva, Ph.D., C.C.E.
Auditing Approaches

ISO 19011 : 2002

  • Process Flow for the Management of an Audit Programme

ISO 19011 : 2002

  • Typical Audit Activities

The Assurance Process based on COBIT 5

Assurance Engagement Scoping Summary

  • Define the assurance objective in simple language.
  • Identify the enterprise goals that are most related to the high-level assurance objective.
  • Refine the list of potential enterprise goals to a manageable set of key goals and additional goals.
  • Use the mapping table between enterprise goals and IT goals to identify potential IT goals that need to be achieved.
  • Refine – taking into account the specific environment – the set of potential IT goals to a manageable set of key IT goals and additional IT goals.
  • Use the mapping table between IT goals and COBIT 5 processes to identify potential processes that support the IT goals.
  • Refine the list of selected processes to a manageable list.
  • Use the RACI charts of the selected processes to identify potential organizational structures in scope, and refine the list.
  • Use the RACI charts of the selected processes to identify potential people, skills and competencies in scope and refine the list.
  • Use the input/output tables of the selected processes to identify potential information items in scope, and refine the list.
  • Identify which other enablers support the achievement of the selected IT goals.
  • Consolidate the list of enablers in scope and remove redundancies.

Use the “COBIT5_and_Assurance_Toolkit.pdf”

  • Read:
      • Assurance Engagement Approach
      • Determine the Scope of the Assurance Initiative
      • Appendix A: Example Scope
      • Appendix J Audit Program Template

Audit Planning (ITAF 1201 / 2201)

  • A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.
  • The areas to be audited, type of work planned, high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience, and other general aspects of the work.
  • A high-level description of the audit work to be performed in a certain period of time.

ITAF - Performance Standard 1201

  • 1201.1 IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
      • Objective(s), scope, timeline and deliverables
      • Compliance with applicable laws and professional auditing standards
      • Use of a risk-based approach, where appropriate
      • Engagement-specific issues
      • Documentation and reporting requirements
  • 1201.2 IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
      • Engagement nature, objectives, timeline and resource requirements
      • Timing and extent of audit procedures to complete the engagement

Audit Example Using COBIT 5

(Please use the COBIT5_and_Assurance_Toolkit document as you are going over the following exercise and replicate the findings)

SDLC Life Cycle Control – Activities and Documentation

Operations

  • Incident Management
  • Problem Management
  • Change Management
  • Access Management

BAI06 Manage Changes – COBIT 5 Enabling Processes

BAI06 Manage Changes: Process Goals and Metrics

RACI Charts

  • (R)esponsible: Who is getting the task done? Fulfilling activity listed/creating the intended outcome
  • (A)ccountable: Who accounts for the success of the task? Where the buck stops
  • (C)onsulted: Who is providing input? Key roles that provide input
  • (I)nformed: Who is receiving information? Informed of achievements and/or deliverables of task

BAI06 Manage Changes: RACI

From the RACI chart -> Roles and Responsibilities

BAI06.01 Evaluate, Prioritize and Authorize Change Requests

BAI06.02 Manage Emergency Changes

BAI06.03 Track and report change status

BAI06.04 Close and document the changes

Activity 1: Understanding the Audit Goals and Establishing the Environment

Develop the following using the templates provided, along with the required reading and methodology presented in class:

Identify the Assurance Objective(s) and create a context within the goals of the controls. Note that the level of abstraction/detail of the assurance objectives depends on the actual topic of the assurance engagement (Please refer to COBIT5_and_Assurance_Toolkit.docx and the Goal Cascading effect). By the end of this step you will have identified the Stakeholder Needs, Enterprise Goals, IT Goals, and Processes involved.
Assignment

Select an Assurance Objective that falls within one of the following categories (Recommendation: Selecting the very low level of abstraction/detail will allow you to start building the Audit Plan with a single COBIT control.):

  • If the level of abstraction/detail is high
      • Identify first the “Stakeholder Need(s)” that are involved,
      • identify the Enterprise Goals,
      • identify the IT Goals, and finally
      • the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
  • If the level of abstraction/detail is medium
      • Identify the Enterprise Goal(s) that are involved,
      • identify the IT Goals, and finally
      • the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
  • If the level of abstraction/detail is low
      • Identify the IT Goal(s) that are involved, and
      • use reverse logic to identify the Enterprise Goals by using the tables in the COBIT 5 – Cascading Effect, and finally
      • the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
  • If the level of abstraction/detail is very low
      • Identify the Process(es) that are involved,
      • use reverse logic to identify the IT Goals, and finally
      • use reverse logic to identify the Enterprise Goals by using the tables in the COBIT 5 – Cascading Effect

For the Process(es) you identified in the previous step and using the COBIT5_and_Assurance_Toolkit.docx document, provide the:

  • Process Description, Process Purpose Statement, Key Management Practices (KMP) and their description, as well as their associated activities (this will be used to assess whether the management practices are effectively implemented)
  • Process Goals and Related Metrics
  • Identify the RACI chart for the Key Management Practices involved (the interested parties)
  • Identify the Inputs/Outputs for each of the Key Management Practices that are part of your selected process(es)
  • Identify the respective IT and Enterprise Goals and Metrics

Deliverable: Create a report between 1000 and 5000 words in a Microsoft Word document and save it as SU_MIS6230_A1_LastName_FirstInitial.doc. Cite any sources you use using correct APA format on a separate page.

Introduction to ITAF

1007 Assertions (statements)

  • 1007.1 IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

1008 Criteria

  • 1008.1 IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measureable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report.
  • 1008.2 IS audit and assurance professionals shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.
1201 Engagement Planning

  • 1201.1 IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
      • Objective(s), scope, timeline and deliverables
      • Compliance with applicable laws and professional auditing standards
      • Use of a risk-based approach, where appropriate
      • Engagement-specific issues
      • Documentation and reporting requirements
  • 1201.2 IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
      • Engagement nature, objectives, timeline and resource requirements
      • Timing and extent of audit procedures to complete the engagement

1202 Risk Assessment in Planning

  • 1202.1 The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
  • 1202.2 IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.
  • 1202.3 IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.

1203 Performance and Supervision

  • 1203.1 IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
  • 1203.2 IS audit and assurance professionals shall provide supervision to IS audit staff whom they have supervisory responsibility for so as to accomplish audit objectives and meet applicable professional audit standards.
  • 1203.3 IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.
  • 1203.4 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
  • 1203.5 IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.
  • 1203.6 IS audit and assurance professionals shall identify and conclude on findings.

1204 Materiality

  • 1204.1 IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
  • 1204.2 IS audit and assurance professionals shall consider audit materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
  • 1204.3 IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
  • 1204.4 IS audit and assurance professionals shall disclose the following in the report:
      • Absence of controls or ineffective controls
      • Significance of the control deficiency
      • Likelihood of these weaknesses resulting in a significant deficiency or material weakness

1205 Evidence

  • 1205.1 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
  • 1205.2 IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives

1206 Using the Work of Other Experts

  • 1206.1 IS audit and assurance professionals shall consider using the work of other experts for the engagement, where appropriate.
  • 1206.2 IS audit and assurance professionals shall assess and approve the adequacy of the other experts’ professional qualifications, competencies, relevant experience, resources, independence and quality-control processes prior to the engagement.
  • 1206.3 IS audit and assurance professionals shall assess, review and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work.
  • 1206.4 IS audit and assurance professionals shall determine whether the work of other experts, who are not part of the engagement team, is adequate and complete to conclude on the current engagement objectives, and clearly document the conclusion.
  • 1206.5 IS audit and assurance professionals shall determine whether the work of other experts will be relied upon and incorporated directly or referred to separately in the report.
  • 1206.6 IS audit and assurance professionals shall apply additional test procedures to gain sufficien ...

Final Answer

The files below contain well-done work for your assignment. Kindly check it and let me know if you need any clarification. Thank you.

Running Head: IT AUDIT PLAN

IT Audit Plan
Name
Institutional Affiliation
Date

IT Audit Plan
Introduction
The Johns Hopkins Hospital adopted the Qualified Health Information Network (QHIN) to make
delivery of its services easy for patients and other interested parties such as labs. The
hospital tries its level best to make sure it adheres to all standards and frameworks established by
the Office of the National Coordinator for Health Information Technology (ONC). After adoption
of the QHIN, the hospital's services and processes improved and the system proved to be of high
benefit (Johns Hopkins Medicine, n.d.).
Organization Overview
Business Mission
The mission of the hospital is to provide care to all people without discrimination based on sex, race
or creed.
Organizational Structure
The organization has a board of management at the top that makes sure all operations are going
smoothly. The organization has an administration with various departments. The departments
include the information technology department, therapeutic department, diagnostics department,
and support department. Each and every department provides various services. The IT
department makes sure that all other departments have the necessary technologies to support
their services.

Culture
The organization has a culture of embracing teamwork. Proper communication channels and
frameworks have been established within the hospital. This framework enables various
departments to work together as a team, and it is easy to raise any emerging issues.
Information System
The information system in the organization is used for providing various services and, most
importantly, to support QHIN. The organization has various servers running various services,
various user end devices used for medical support, and a computer network. The computer network
provides connectivity to the user end devices.
Product...

Engr_Audrey (4061)
UCLA
