8/11/2019 Powerpoint_ii Untuk Putera
Auditor's Guide to IT Auditing
by Richard Cascarino

Part II: Information Technology Governance
IT Project Management
IS/IT Strategic Planning
IS/IT Management Issues
Support Tools and Frameworks
Governance Techniques

IT Project Management
Tasks include:
Aligning the development of the project strategy with the sponsor's (and other stakeholders') business strategy
Defining the requirements (in a testable manner); these lead to specifications and solutions being designed and developed
Defining and managing the project scope, schedule, resource requirements, and budget (ensuring this represents optimal financing)
Installing and progressing project control systems
Procuring/inducting resources into the project
Building effective project teams
Exercising leadership
Ensuring effective decisions and efficient communications

Project Life Cycle (Archibald)
Concept
Definition
Design
Development
Application
Post-completion

Other Models
Waterfall Cycle
Iterative Spiral Model (Boehm)
Vee Cycle (Fish)
Easier to audit
Standards apply at each stage
Other quantitative models:
Gantt charts
PERT charts
CPA (critical path analysis)

Project Quality Control
One of the most difficult areas to achieve
Quality: the totality of characteristics of a product or service that bears on its ability to satisfy stated or implied needs (International Organization for Standardization, ISO)
Two main performance areas:
Process quality
Product quality

Operations and Production
Day-to-day running of:
Information processing facility
Data communications
Input and output controls
Output distribution
Backup and recovery
Disaster recovery plan

Technical Services
Include:
Operating system support
Network support
Technical database support
Hardware support

Performance Measurement
Balanced Scorecard
Developed by Kaplan and Norton
Emphasis on:
Client satisfaction
Business processes
Innovation / learning
Mapped onto:
Traditional organizational vision
Mission
Strategy

Measurement Implementation
Impact analysis:
Organizational area
Financial impact
Functional impact
Based on the results: a pilot project
Helps create a strategy-focused organization (SFO)
Avoids the use of performance indicators which are tactical rather than strategic

Control Risks and Outsourcing
Areas frequently considered for outsourcing include:
Project functions such as systems analysis, design, and programming
Running of selected application systems such as payroll
Data capture or transformation prior to processing
Operation of the IT facility

Fundamental Reasons for Contracts
To prepare for things not going well
Options and remedies in the event of partial or complete failure of the agreement
Particularly because of the technical nature of services
The software itself may involve escrow protection

Cloud Computing
Computing where massively scalable IT-enabled capabilities are delivered as a service via the Internet
May involve a third-party cloud provider or, alternatively, a private cloud
In either event, conversion involves multiple risk factors

Auditing IT Management
Use of a standard set of indicators:
Operational
Systems development
General management
Typically audited using conventional audit techniques:
Interviewing
Document review
Observation

IS/IT Strategic Planning
Using existing knowledge to forecast the outcome of events and the extent to which management can influence them
Use of qualitative and quantitative information
Under conditions of uncertainty
Integration of intuition and analysis
Adaptability to change is a key element
Survival requires adaptive strategies
Strategic Drivers
Cost of hardware
Breadth of bandwidth
Power of software
Cloud computing
User confusion

Leveraging IT
Use of IT to support corporate strategic goals
Danger of over-extension
Stability and reliability required of new and amended systems
Internal audit's role:
Comprehensive operational reviews
Understand business processes
Understand information flow
Assist in the culture of innovation

Re-engineering the Business
Radical redesign of business processes
BPR motivations:
Survival
Elimination of competitive disadvantage
Generating competitive advantage
Creating a business breakthrough
Breaking out of the mold
IT the enabler
System Models
Transaction Processing Systems
Business Process support systems
Decision support systems
Increasing degrees of sophistication
Penetrating all business areas

Information Resource Management
The five fundamentals:
1. Information management
2. Technology management
3. Distributed management
4. Functional management
5. Strategic management

Strategic Planning
A process of identifying long-term goals and objectives
Selecting the most appropriate approach for achieving the goals
The corporate plan:
Top management responsibility
Shared vision of corporate intent
Execution framework for a specified period of time

Impact on IT
The quality of the communication is critical
Misalignment can be fatal
IT strategy is a dynamic process
Integration into other business processes is critical
Must be measurable and measured
Alignment of IT and organizational strategies is critical

IT Alignment
Duration of IT projects makes alignment difficult
Life expectancy of the finished project makes flexibility a key requirement:
Within the development process
Within the execution phase
Value for money:
Effectiveness of IT
Efficiency of IT

IT Objectives
Delivery of systems that are:
Fully aligned
Flexible
High quality
Reliable
Lowest possible cost

IT Steering Committees
Expertise in multiple functional areas
Diverse skills and perspectives
Ensure alignment of the IT strategy with corporate strategy
No rubber stamping
No talk shops
No evasion of accountability

Auditing Strategic Planning
Obtain a business understanding of management's intentions
Derive the business objectives and control objectives
Identify and evaluate critical:
Controls
Processes
Apparent exposures
Design the appropriate audit procedures

Potential Audit Involvement
Planning
Organizing
Motivating
Staffing
Controlling

IS/IT Management Issues
Legal issues relating to the introduction of IT to the enterprise
Intellectual property issues in cyberspace:
Trademarks
Copyrights
Patents
Ethical issues
Rights to privacy
Implementation of effective IT governance

Cyberfraud
Major international growth industry
Creating a false identity on the Internet
Intercepting information sent over the Internet
Using the Internet to spread false information
Accessing and manipulating information in the corporate information systems

Types of Crime
Identity theft
Phishing
Electronic eavesdropping
False rumors for financial gain
New laws may be required

Data Privacy
Personal information including:
First and last name
Residential mailing address
Web cookie
E-mail address
Telephone number
Biometric data
Sensitive information:
Health records
Religious information, etc.

Copyrights, Trademarks, and Patents
Illegal reproduction and distribution of protected material
Protected by:
Cryptography
Effective access control
Permissions management
Biometric authentication
Digital signatures
Certification authorities

Business Ethics
Within the general dimensions of economic activity (Rossouw):
Macro or systemic dimension
Meso or institutional dimension
Micro or intra-organizational dimension
Impact of ethics on decision-making (Wheelwright):
Questions requiring reflective choice
Guides of right and wrong
Consequences of decisions

Corporate Codes of Conduct
Honesty
Integrity
Morality
Equity
Equality
Accountability
Loyalty
Respect

IT Governance
Match:
Business behavior
Management conduct
Organizational intentions
Organizational mission
Organizational objectives

IT Governance Responsibilities
Setting the strategy
Managing the risks
Delivering perceived value
Measuring achieved performance
Responsibility of:
Board of Directors
Executive management

Management Control
Continuous performance feedback in relation to objectives
Refinement of processes where necessary
Realignment of objectives where required

Sarbanes-Oxley Act
Suggested internal control framework (COSO)
Addresses IT controls
Control objectives and related activities at the discretion of the organisation
Section 404:
Management assesses the effectiveness of internal control over financial reporting and reports annually

Payment Card Industry Data Security Standard (PCI DSS)
Requirements encompass:
Firewall
Changing default passwords and security parameters
Protecting stored cardholder data
Encrypting transmission across public networks
Antivirus software
Secure systems and applications
Access on a need-to-know basis
Unique ID for computer access
Restriction of physical access to data
Tracking and monitoring all access
Regular security system testing
Maintaining security policies

Support Tools and Frameworks
COBIT
COSO
BS 7799 and ISO 17799 / 27001 / 27002
CoCo
ISO/IEC 38500

COBIT
Encompasses the full range of IT activities
Focus on achievement of control objectives
Integrates and aligns IT practices with organizational governance and strategic requirements
Designed to be utilized at different levels of management

Audit Use of COBIT
Evaluate the adequacy of controls
Design appropriate tests to measure effectiveness
Provide management with appropriate advice on the system of internal controls
Delivery and Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitoring and Evaluation
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

COBIT Process Measurement
Process maturity levels (0 to 5):
0 Nonexistent
1 Initial / ad hoc
2 Repeatable but intuitive
3 Defined process
4 Managed and measurable
5 Optimized

COSO Internal Control Standards
Three basic objectives:
1. Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss
2. Reliable financial and operational data and reports
3. Compliance with laws and regulations

Five Components
1. A sound control environment
2. A sound risk-assessment process
3. Sound operational-control activities
4. Sound information and communications systems
5. Effective monitoring

BS 7799 and ISO 17799 / 27001 / 27002
BS 7799 and ISO 17799:
Assist companies by ensuring security and control within electronic trading systems
Facilitated the introduction of key controls
ISO 27001:
Replaced BS 7799-2
A certification standard
Specification for an Information Security Management System (ISMS)

Steps in the Process
Organizational decision to implement
Scoping the project
Risk assessment
Selection of appropriate controls (see ISO 27002)
Justification recorded in a Statement of Applicability (SoA)
Controls implemented as appropriate

ISO 27002
Code of practice for information security
Outlines hundreds of potential controls and control mechanisms
Establishes guidelines and general principles for:
Initiating
Implementing
Maintaining
Improving
Information security management

ISO 27001 Addresses
Structure
Risk Assessment and Treatment
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development, Maintenance
Information Security Incident Management
Business Continuity
Compliance

CoCo
Criteria of Control
Sponsored by the Canadian Institute of Chartered Accountants
Three major control objectives:
1. Effectiveness and efficiency of operations
2. Reliability of internal and external reporting
3. Compliance with applicable laws and regulations and internal policies

Control Defined as Encompassing
Purpose
Commitment
Capability
Monitoring and learning

CoCo Promotes
Avoidance of risk
Reducing the likelihood of risk occurring
Reducing the impact should a risk occur
Transferring the risk to a third party
Accepting or retaining the risk

ISO/IEC 38500
Designed as a worldwide formal international IT governance standard
Framework for the board's governance of information and communications technology
Six principles for good corporate IT governance:
Responsibility
Strategy
Acquisition
Performance
Conformance
Human behavior

Calder-Moir IT Governance Framework
Six main segments:
1. Business Strategy
2. Risk, Conformance, and Compliance
3. IT Strategy
4. Change
5. Information and Technology Balance Sheet
6. Operations
Each segment divided into three layers:
Board
Executive management
IT-governance practitioners

Governance Techniques
Change control
Problem management
Operational reviews
Performance measurement
ISO 9000 reviews

Change Control
Change may occur as a result of:
Hardware changes
Hardware failures
Software error
Legislative changes
Changes to business operations

Change Control Objective
To ensure that:
All changes are authorized
All changes are specified
All changes are cost effective
All authorized changes are made
Only authorized changes are made

Change Control Committee
Evaluate change requests
Authorize change requests
Ensure testing carried out
Ensure documentation carried out
Authorize implementation

Changes Require
Prior approval
Independent testing
User / IT staff / auditor sign-off
Full documentation
Recovery procedures

Segregated Libraries
Common in mainframes:
Production
Development
Rare in personal computers:
Backups frequently not taken
Change-control process may differ
Control procedures must be implemented

Problem Management
Used for unplanned changes
Urgent repairs
To control systems during emergency situations
Normal control mechanisms may be bypassed
Permissions sought retrospectively

Audit Requirements
Proof that:
Change request recorded and stored for reference
Change is assessed prior to acceptance
Unauthorized changes limited by control
Problem management process in place
Change documentation up to date
All new software releases pass through change control
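The change-control objectives, the emergency-change rule from the Problem Management slide, and the audit requirements above can all be tested mechanically by reconciling what was actually deployed against the change register. The script below is an added example for this deck, not something from the slides or from Cascarino's book: the change register schema, the deployment log format, the ticket identifiers (CR-101, EM-007 and so on) and the field names are constructed assumptions for illustration. In a real engagement the register would be exported from the ticketing system and the log from the deployment tooling, and the parser adjusted to their formats.

```python
"""Reconcile a deployment log against a change-request register.

Added audit example (not from the original slides). The register schema,
the log format, the ticket IDs and the host names below are constructed
assumptions for this illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed change register (assumed schema).
# "emergency" tickets may bypass normal controls at deployment time, but
# must still carry a retrospective approval (Problem Management slide).
CHANGE_REGISTER = {
    "CR-101": {"status": "approved", "approved_at": "2019-08-01T09:00", "tested": True,
               "window": ("2019-08-02T18:00", "2019-08-02T22:00"), "emergency": False},
    "CR-102": {"status": "approved", "approved_at": "2019-08-05T10:00", "tested": False,
               "window": ("2019-08-06T18:00", "2019-08-06T22:00"), "emergency": False},
    "CR-103": {"status": "pending", "approved_at": None, "tested": True,
               "window": ("2019-08-08T18:00", "2019-08-08T22:00"), "emergency": False},
    "CR-104": {"status": "approved", "approved_at": "2019-08-10T09:00", "tested": True,
               "window": ("2019-08-11T18:00", "2019-08-11T22:00"), "emergency": False},
    "EM-007": {"status": "pending", "approved_at": None, "tested": False,
               "window": None, "emergency": True},
}

# Constructed deployment log (assumed format, one release per line).
DEPLOY_LOG = """\
2019-08-02T19:12 host=payroll-app01 user=jdoe change=CR-101 release=payroll-3.4.1
2019-08-06T20:30 host=payroll-app01 user=asmith change=CR-102 release=payroll-3.4.2
2019-08-08T19:05 host=ledger-db01 user=jdoe change=CR-103 release=ledger-2.0.0
2019-08-09T03:40 host=ledger-db01 user=oncall change=EM-007 release=ledger-2.0.1
2019-08-12T14:00 host=web-gw02 user=asmith change=CR-104 release=gateway-1.9.0
2019-08-13T11:25 host=web-gw02 user=root change=- release=gateway-1.9.1
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"change=(?P<change>\S+) release=(?P<release>\S+)$"
)


@dataclass
class Finding:
    severity: str   # "high" (control objective violated) or "medium"
    change: str     # change request id, or "-" when none was recorded
    release: str
    issue: str


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def reconcile(log_text=DEPLOY_LOG, register=CHANGE_REGISTER):
    """Return audit findings from comparing each deployment to its ticket."""
    findings = []
    deployed = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding("medium", "-", "-", f"unparseable log line: {line!r}"))
            continue
        ts, cr, rel = _t(m["ts"]), m["change"], m["release"]
        rec = register.get(cr)
        if rec is None:
            # No ticket at all: "only authorized changes are made" is violated.
            findings.append(Finding("high", cr, rel, "release deployed with no change request"))
            continue
        deployed.add(cr)
        if rec["emergency"]:
            # Controls may be bypassed in an emergency, but approval must follow.
            if rec["status"] != "approved":
                findings.append(Finding("high", cr, rel, "emergency change lacks retrospective approval"))
            continue
        if rec["status"] != "approved" or _t(rec["approved_at"]) > ts:
            findings.append(Finding("high", cr, rel, "deployed before change was authorized"))
        if not rec["tested"]:
            findings.append(Finding("high", cr, rel, "deployed without independent test sign-off"))
        start, end = map(_t, rec["window"])
        if not (start <= ts <= end):
            findings.append(Finding("medium", cr, rel, "deployed outside approved window"))
    # "All authorized changes are made": approved tickets with no deployment.
    for cr, rec in register.items():
        if rec["status"] == "approved" and cr not in deployed:
            findings.append(Finding("medium", cr, "-", "approved change never deployed"))
    return findings


if __name__ == "__main__":
    for f in reconcile():
        print(f"[{f.severity}] {f.change} {f.release}: {f.issue}")
```

The root deployment with `change=-` is the case the "only authorized changes are made" objective exists for, and the emergency ticket EM-007 shows why problem management needs its own check: the bypass itself is legitimate, the missing retrospective approval is the finding.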

Operational Reviews
Involves evaluation of:
Internal controls
Compliance with laws, regulations and company policies
Reliability and integrity of financial and operating information
Efficient and effective use of resources

Review Standards
Comparison to standards:
Management standards
COBIT
Use of objective criteria

Performance Measurement
Use of feedback mechanisms
Integrated performance-measurement systems
Measuring activities of people and processes
Use of a significant few measuring criteria

ISO 9000 Reviews
ISO:
National standard bodies of 91 countries
180 technical committees
Quality management and quality-assurance system standards
Reviewing:
Methodology
Project / process