powerpoint_ii untuk putera

Upload: eggy-blaze

Post on 02-Jun-2018


TRANSCRIPT

  • 8/11/2019 Powerpoint_ii Untuk Putera

    Auditor's Guide to IT Auditing
    by Richard Cascarino

  • Part II: Information Technology Governance
    IT Project Management
    IS/IT Strategic Planning
    IS/IT Management Issues
    Support Tools and Frameworks
    Governance Techniques

  • IT Project Management
    Tasks include:
      Aligning the development of the project strategy with the sponsor's (and other stakeholders') business strategy
      Defining the requirements (in a testable manner); these lead to specifications and solutions being designed and developed
      Defining and managing the project scope, schedule, resource requirements, and budget (ensuring this represents optimal financing)
      Installing and progressing project control systems
      Procuring/inducting resources into the project
      Building effective project teams
      Exercising leadership
      Ensuring effective decisions and efficient communications

  • Project Life Cycle (Archibald)
    Concept
    Definition
    Design
    Development
    Application
    Post-completion

  • Other Models
    Waterfall Cycle
    Iterative Spiral Model (Boehm)
    Vee Cycle (Fish)
      Easier to audit
      Standards apply at each stage
    Other quantitative models
      Gantt charts
      PERT charts
      CPA

  • Project Quality Control
    One of the most difficult areas to achieve
    Quality: "the totality of characteristics of a product or service that bears on its ability to satisfy stated or implied needs" (International Organization for Standardization, ISO)
    Two main performance areas
      Process quality
      Product quality

  • Operations and Production
    Day-to-day running of:
      Information processing facility
      Data communications
      Input and output controls
      Output distribution
      Backup and recovery
      Disaster recovery plan

  • Technical Services
    Include:
      Operating system support
      Network support
      Technical database support
      Hardware support

  • Performance Measurement
    Balanced Scorecard
      Developed by Kaplan and Norton
    Emphasis on:
      Client satisfaction
      Business processes
      Innovation / learning
    Mapped onto:
      Traditional organizational vision
      Mission
      Strategy

  • Measurement Implementation
    Impact analysis
      Organizational area
      Financial impact
      Functional impact
    Based on the results: a pilot project
    Helps create a strategy-focused organization (SFO)
    Avoids the use of performance indicators which are tactical rather than strategic

  • Control Risks and Outsourcing
    Areas frequently considered for outsourcing include:
      Project functions such as systems analysis, design, and programming
      Running of selected application systems such as payroll
      Data capture or transformation prior to processing
      Operation of the IT facility

  • Fundamental Reasons for Contracts
    To prepare for things not going well
    Options and remedies in the event of partial or complete failure of the agreement
      Particularly because of the technical nature of services
    The software itself may involve escrow protection

  • Cloud Computing
    Computing where massively scalable IT-enabled capabilities are delivered as a service via the Internet
    May involve a third-party cloud provider, alternatively a private cloud
    In either event, conversion involves multiple risk factors

  • Auditing IT Management
    Use of a standard set of indicators
      Operational
      Systems development
      General management
    Typically audited using conventional audit techniques
      Interviewing
      Document review
      Observation

  • IS/IT Strategic Planning
    Using existing knowledge to forecast the outcome of events and the extent management can influence them
    Use of qualitative and quantitative information
    Under conditions of uncertainty
    Integration of intuition and analysis
    Adaptability to change a key element
    Survival requires adaptive strategies

  • Strategic Drivers
    Cost of hardware
    Breadth of bandwidth
    Power of software
    Cloud computing
    User confusion

  • Leveraging IT
    Use of IT to support corporate strategic goals
    Danger of over-extension
    Stability and reliability required of new and amended systems
    Internal audit's role
      Comprehensive operational reviews
      Understand business processes
      Understand information flow
      Assist in the culture of innovation

  • Re-engineering the Business
    Radical redesign of business processes
    BPR motivations
      Survival
      Elimination of competitive disadvantage
      Generating competitive advantage
      Creating a business breakthrough
      Breaking out of the mold
    IT the enabler

  • System Models
    Transaction processing systems
    Business process support systems
    Decision support systems
    Increasing degrees of sophistication
    Penetrating all business areas

  • Information Resource Management
    The five fundamentals
      1. Information management
      2. Technology management
      3. Distributed management
      4. Functional management
      5. Strategic management

  • Strategic Planning
    A process of identifying long-term goals and objectives
    Selecting the most appropriate approach for achieving the goals
    The corporate plan
      Top management responsibility
      Shared vision of corporate intent
      Execution framework for a specified period of time

  • Impact on IT
    The quality of the communication is critical
    Misalignment can be fatal
    IT strategy a dynamic process
    Integration into other business processes critical
    Must be measurable and measured
    Alignment of IT and organizational strategies critical

  • IT Alignment
    Duration of IT projects makes alignment difficult
    Life expectancy of the finished project means the key requirement is flexibility
      Within the development process
      Within the execution phase
    Value for money
      Effectiveness of IT
      Efficiency of IT

  • IT Objectives
    Delivery of systems
      Fully aligned
      Flexible
      High quality
      Reliable
      Lowest possible cost

  • IT Steering Committees
    Expertise in multiple functional areas
    Diverse skills and perspectives
    Ensure alignment of the IT strategy with corporate strategy
    No rubber stamping
    No talk shops
    No evasion of accountability

  • Auditing Strategic Planning
    Obtain a business understanding of management's intentions
    Derive the business objectives and control objectives
    Identify and evaluate critical
      Controls
      Processes
      Apparent exposures
    Design the appropriate audit procedures

  • Potential Audit Involvement
    Planning
    Organizing
    Motivating
    Staffing
    Controlling

  • IS/IT Management Issues
    Legal issues relating to the introduction of IT to the enterprise
    Intellectual property issues in cyberspace
      Trademarks
      Copyrights
      Patents
    Ethical issues
    Rights to privacy
    Implementation of effective IT governance

  • Cyberfraud
    Major international growth industry
    Creating a false identity on the Internet
    Intercepting information sent over the Internet
    Using the Internet to spread false information
    Accessing and manipulating information in the corporate information systems

  • Types of Crime
    Identity theft
    Phishing
    Electronic eavesdropping
    False rumors for financial gain
    New laws may be required

  • Data Privacy
    Personal information including:
      First and last name
      Residential mailing address
      Web cookie
      E-mail address
      Telephone number
      Biometric data
    Sensitive information
      Health records
      Religious information, etc.

  • Copyrights, Trademarks, and Patents
    Illegal reproduction and distribution of protected material
    Protected by:
      Cryptography
      Effective access control
      Permissions management
      Biometric authentication
      Digital signatures
      Certification authorities

  • Business Ethics
    Within the general dimensions of economic activity (Rossouw):
      Macro or systemic dimension
      Meso or institutional dimension
      Micro or intra-organizational dimension
    Impact of ethics on decision-making (Wheelwright):
      Questions requiring reflective choice
      Guides of right and wrong
      Consequences of decisions

  • Corporate Codes of Conduct
    Honesty
    Integrity
    Morality
    Equity
    Equality
    Accountability
    Loyalty
    Respect

  • IT Governance
    Match:
      Business behavior
      Management conduct
      Organizational intentions
      Organizational mission
      Organizational objectives

  • IT Governance Responsibilities
    Setting the strategy
    Managing the risks
    Delivering perceived value
    Measuring achieved performance
    Responsibility of:
      Board of Directors
      Executive management

  • Management Control
    Continuous performance feedback
      In comparison to objectives
    Refinement of processes where necessary
    Realignment of objectives where required

  • Sarbanes-Oxley Act
    Suggested internal control framework (COSO)
    Addresses IT controls
    Control objectives and related activities at discretion of the organisation
    Section 404
      Management assesses the effectiveness of internal control over financial reporting and reports annually

  • Payment Card Industry Data Security Standards
    Encompass:
      Firewall
      Changing default passwords and security parameters
      Detecting stored cardholder data
      Encrypting public transmission
      Antivirus software
      Secure systems and applications
      Access on need-to-know
      Unique ID for computer access
      Restriction of physical access to data
      Tracking and monitoring of all access
      Security system testing
      Maintaining security policies

  • Support Tools and Frameworks
    COBIT
    COSO
    BS 7799 and ISO 17799/27001/27002
    CoCo
    ISO/IEC 38508

  • COBIT
    Encompasses the full range of IT activities
    Focus on achievement of control objectives
    Integrates and aligns IT practices with organizational governance and strategic requirements
    Designed to be utilized at different levels of management

  • Audit Use of COBIT
    Evaluate the adequacy of controls
    Design appropriate tests to measure effectiveness
    Provide management with appropriate advice on the system of internal controls

  • Delivery and Support
    DS1 Define and Manage Service Levels
    DS2 Manage Third-party Services
    DS3 Manage Performance and Capacity
    DS4 Ensure Continuous Service
    DS5 Ensure Systems Security
    DS6 Identify and Allocate Costs
    DS7 Educate and Train Users
    DS8 Manage Service Desk and Incidents
    DS9 Manage the Configuration
    DS10 Manage Problems
    DS11 Manage Data
    DS12 Manage the Physical Environment
    DS13 Manage Operations

  • Monitoring and Evaluation
    ME1 Monitor and Evaluate IT Performance
    ME2 Monitor and Evaluate Internal Control
    ME3 Ensure Regulatory Compliance
    ME4 Provide IT Governance

  • COBIT Process Measurement
    Metrics
      Nonexistent
      Initial / ad hoc
      Repeatable but intuitive
      Defined process
      Managed and measurable
      Optimized

  • COSO Internal Control Standards
    Three basic objectives
      1. Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss
      2. Reliable financial and operational data and reports
      3. Compliance with laws and regulations

  • Five Components
    1. A sound control environment
    2. A sound risk-assessment process
    3. Sound operational-control activities
    4. Sound information and communications systems
    5. Effective monitoring

  • BS 7799 and ISO 17799/27001/27002
    BS 7799 and ISO 17799
      Assist companies by ensuring security and control within electronic trading systems
      Facilitated the introduction of key controls
    ISO 27001
      Replaced BS 7799-2
      A certification standard
      Specification for an Information Security Management System (ISMS)

  • Steps in the Process
    Organizational decision to implement
    Scoping the project
    Risk assessment
    Selection of appropriate controls (see ISO 27002)
    Justification recorded in a Statement of Applicability (SOA)
    Controls implemented as appropriate

  • ISO 27002
    Code of practice for information security
    Outlines hundreds of potential controls and control mechanisms
    Establishes guidelines and general principles for:
      Initiating
      Implementing
      Maintaining
      Improving
    information security management

  • ISO 27001 Addresses
    Structure
    Risk Assessment and Treatment
    Security Policy
    Organization of Information Security
    Asset Management
    Human Resources Security
    Physical Security
    Communications and Ops Management
    Access Control
    Information Systems Acquisition, Development, Maintenance
    Information Security Incident Management
    Business Continuity
    Compliance

  • CoCo
    Criteria of Control
    Sponsored by the Canadian Institute of Chartered Accountants
    Three major control objectives
      1. Effectiveness and efficiency of operations
      2. Reliability of internal and external reporting
      3. Compliance with applicable laws and regulations and internal policies

  • Control Defined as Encompassing
    Purpose
    Commitment
    Capability
    Monitoring and learning

  • CoCo Promotes
    Avoidance of risk
    Reducing the likelihood of risk occurring
    Reducing the impact should a risk occur
    Transferring the risk to a third party
    Accepting or retaining the risk

  • ISO/IEC 38508
    Designed as a worldwide formal international IT governance standard
    Framework for the board's governance of information and communications
    Six principles for good corporate IT governance
      Responsibility
      Strategy
      Acquisition
      Performance
      Conformance
      Human behavior

  • CALDER-MOIR IT Governance Framework
    Six main segments
      1. Business Strategy
      2. Risk, Conformance, and Compliance
      3. IT Strategy
      4. Change
      5. Information and Technology Balance Sheet
      6. Operations
    Each segment divided into three layers
      Board
      Executive management
      IT-governance practitioners

  • Governance Techniques
    Change control
    Problem management
    Operational reviews
    Performance measurement
    ISO 9000 reviews

  • Change Control
    Change may occur as a result of:
      Hardware changes
      Hardware failures
      Software error
      Legislative changes
      Changes to business operations

  • Change Control Objective
    To ensure that:
      All changes are authorized
      All changes are specified
      All changes are cost effective
      All authorized changes are made
      Only authorized changes are made

  • Change Control Committee
    Evaluate change requests
    Authorize change requests
    Ensure testing carried out
    Ensure documentation carried out
    Authorize implementation

  • Changes Require
    Prior approval
    Independent testing
    User / IT staff / auditors sign-off
    Full documentation
    Recovery procedures

  • Segregated Libraries
    Common in mainframes
      Production
      Development
    Rare in personal computers
      Backups frequently not taken
      Change-control process may differ
      Control procedures must be implemented

  • Problem Management
    Used for unplanned changes
    Urgent repairs
    To control systems during emergency situations
    Normal control mechanisms may be bypassed
    Permissions sought retrospectively

  • Audit Requirements
    Proof that:
      Change request recorded and stored for reference
      Change is assessed prior to acceptance
      Unauthorized changes limited by control
      Problem management process in place
      Change documentation up to date
      All new software releases pass through change control
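The change-control objectives and audit requirements above amount to a reconciliation: every deployed change should trace to an approved, tested, documented and signed-off request, every approved request should have been deployed, and emergency (problem-management) changes should be flagged for retrospective approval. The following is an added example of that reconciliation, not code from the slides or the book; the register format, the deployment log lines and the sign-off roles are constructed here for illustration.

```python
"""Reconcile a change-request register against a deployment log (added example)."""
from dataclasses import dataclass, field

# Constructed change-request register, as a change control committee might keep it.
# Each entry records whether the request was approved, independently tested,
# documented, and which sign-offs (user / IT / audit) were obtained.
REGISTER = {
    "CR-101": {"approved": True,  "tested": True,  "documented": True,  "signoff": {"user", "it", "audit"}},
    "CR-102": {"approved": True,  "tested": False, "documented": True,  "signoff": {"user", "it"}},
    "CR-103": {"approved": True,  "tested": True,  "documented": True,  "signoff": {"user", "it", "audit"}},
    "CR-104": {"approved": False, "tested": False, "documented": False, "signoff": set()},
}

# Constructed deployment log: <date> <system> <change ref or "-"> [EMERGENCY]
DEPLOY_LOG = """\
2019-08-01 payroll  CR-101
2019-08-02 payroll  CR-102
2019-08-03 ledger   CR-104
2019-08-04 ledger   -
2019-08-05 billing  CR-999
2019-08-06 billing  PM-7 EMERGENCY
"""

REQUIRED_SIGNOFF = {"user", "it", "audit"}  # slide: user / IT staff / auditors sign-off


@dataclass
class Findings:
    unauthorized: list = field(default_factory=list)      # "only authorized changes are made"
    not_made: list = field(default_factory=list)          # "all authorized changes are made"
    missing_evidence: dict = field(default_factory=dict)  # testing / documentation / sign-off gaps
    emergency: list = field(default_factory=list)         # problem-management path, approval to follow


def parse_log(text):
    """Turn constructed log lines into dicts; lines without a change ref column are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append({"date": parts[0], "system": parts[1], "ref": parts[2],
                     "emergency": "EMERGENCY" in parts[3:]})
    return rows


def reconcile(register, log_text):
    f = Findings()
    deployed = set()
    for row in parse_log(log_text):
        ref = row["ref"]
        if row["emergency"]:
            f.emergency.append(ref)  # permissions sought retrospectively: follow up separately
            continue
        entry = register.get(ref)
        if entry is None or not entry["approved"]:
            f.unauthorized.append((row["date"], row["system"], ref))  # no or unapproved request
            continue
        deployed.add(ref)
        gaps = [k for k in ("tested", "documented") if not entry[k]]
        missing = REQUIRED_SIGNOFF - entry["signoff"]
        if missing:
            gaps.append("signoff:" + ",".join(sorted(missing)))
        if gaps:
            f.missing_evidence[ref] = gaps
    f.not_made = sorted(cid for cid, e in register.items() if e["approved"] and cid not in deployed)
    return f
```

On the constructed data this flags CR-104, the unreferenced ledger deployment and CR-999 as unauthorized, CR-103 as approved but never deployed, CR-102 as lacking test evidence and audit sign-off, and PM-7 as an emergency change awaiting retrospective approval.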

  • Operational Reviews
    Involves evaluation of:
      Internal controls
      Compliance with laws, regulations and company policies
      Reliability and integrity of financial and operating information
      Efficient and effective use of resources

  • Review Standards
    Comparison to standards
      Management standards
      COBIT
    Use of objective criteria

  • Performance Measurement
    Use of feedback mechanisms
    Integrated performance-measurement systems
    Measuring activities of people and processes
    Use of significant few measuring criteria

  • ISO 9000 Reviews
    ISO:
      National standard bodies of 91 countries
      180 technical committees
      Quality management and quality-assurance system standards
    Reviewing:
      Methodology
      Project / process