Developing a Risk-based Audit Plan
Kathy Underhill, Vice-President, Risk and Internal Audit, December 2005
Information System (IS) Audit- Concept Process and Implementation
Roshan Regmi, IT/MIS Department, Nepal Bank Limited, October 2009
[Cartoon panels: Business Strategy; What IT Understood; How Business was Planned; How was it Implemented; What was delivered to User; Frustration]
Outline
Snapshots
Information System Fundamentals
Core Banking System Basics
IS Audit
IS Audit Responsibilities
COSO Framework
COSO ERM Framework
Risk Based IS Audit and Examples
CoBIT Framework
Using CoBIT in IS Audit
IS in Business
Trends in Information Systems
Types of Information System
IS Resources and Activities
Core Banking Architecture - NEWTON
Core Banking Architecture - FINACLE
Information System Audit: “the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently”
Purpose of IS Audit
Will the organization's computerized systems be available for the business at all times when required? (Availability)
Will the information in the systems be disclosed only to authorized users? (Confidentiality)
Will the information provided by the system always be accurate, reliable, and timely? (Integrity).
Areas of IS Audit
Spectrum of IS Audit
Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions
Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development
Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing
Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers
IS Audit Responsibilities: Strategic and Business
Audit Roles
- Strategic risk assurance
- Participate in oversight committee for the risk management process
- Test management’s mitigation policy
- Test/verify assumptions behind key decisions
Risks
- Product line expansion
- Acquisitions/JV/Divestiture
- Threats to company reputation
- Shift in market competitive dynamics
New Capabilities
- Transfer strategic risks into auditable risk activities
- Link strategic direction to risk priorities
- Identify and incorporate external conditions into audit plans
IS Audit Responsibilities: Operational
Audit Roles
- Identify risk trends and communicate to management
- Facilitate continuous improvement of controls
- Recommend improvements on the adequacy and effectiveness of management’s risk processes
- Identify gaps in management’s plans to achieve goals
Risks
- Ineffective risk management system
- Supply chain and outsourcing management
- Customer contact quality
New Capabilities
- Risk management experience
- Understand company’s corporate values and goals
- Understand company’s IT infrastructure
IS Audit Responsibilities: Financial Reporting and Regulatory Compliance
Audit Roles
- Perform proactive, risk-based audit of management processes
- Drive self-service tool usage for management testing
- Evaluate effectiveness of controls encompassing reliability and integrity of financial information based upon risk assessments
Risks
- Inaccurate financial statements
- Noncompliance with laws, regulations, contracts
- Integrity of financial information
New Capabilities
- Maintain self-service tools
- Continuous monitoring/auditing
COSO Framework
Issued in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
The framework has long served as a blueprint for establishing and evaluating internal controls that promote efficiency, minimize risks, help ensure the reliability of financial statements, and comply with laws and regulations.
COSO – Key Components of Internal Control
Control Environment
- Integrity and Ethical Values
- Commitment to Competence
- BOD and Audit Committee
- Management’s Philosophy and Operating Style
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Policies and Procedures
Information and Communication
- Quality of Information
- Effectiveness of Communication
Control Activities
- Policies and Procedures
- Security (Application and Network)
- Application Change Management
- Business Continuity / Backups
- Outsourcing
Risk Assessment
- Company-wide Objectives
- Process-level Objectives
- Risk Identification and Analysis
- Managing Change
Monitoring
- On-going Monitoring
- Separate Evaluations
- Reporting Deficiencies
Enterprise Risk Management (ERM) Framework
The enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:
Strategic – high-level goals, aligned with and supporting the mission
Operations – effective and efficient use of resources
Reporting – reliability of reporting
Compliance – compliance with applicable laws and regulations
The eight components of the framework are interrelated.
The ERM Framework
Entity objectives can be viewed in the context of four categories: Strategic, Operations, Reporting, Compliance
In a riskier World!
Global village – moving to a unified economy
Borderless world – a quiver of new threats
Mergers and Acquisitions – order of the day
Unprecedented dependence and pace of IT and networks used by business
Increasing potential of cyber crime
IT Operational failures
Outsourcing – an accepted way
Stringent Regulatory Compulsions
Demanding customers – online real time customers
Ethics climate!
The Risk World
Competition Risk
Country Risk
Culture Risk
Information Risk
Legal and Regulatory compliance Risk
Project Risk
Market Risk
Environmental Risk
Technological Risk
Management Risk
Reputational Risk
Financial Risk
Outsourcing Risk
Business Risk
Human Resource Risk
Using Risk Management to determine IS areas to be audited:
Enables management to effectively allocate limited IS audit resources
Provides reasonable assurance that relevant information has been obtained from all levels of management, including the board of directors and functional area management. Generally, the information includes areas that will assist management in effectively discharging their responsibilities and provides reasonable assurance that the IS audit activities are directed to high business risk areas and will add value to management.
Establishes a basis for effectively managing the IS audit function
Provides a summary of how the individual review subject is related to the overall organization as well as to the business plans
Example of an Organizational Risk Assessment Process
Identify risk factors and give them weights
Identify objectives/assets/auditable activities
Analyze the risks by considering their likelihood and consequence
Assign ratings to the risks
Review with audit client/management
Use rankings to develop audit priorities
EXAMPLE II—IS RISK ASSESSMENT MEASUREMENT EVALUATION INCORPORATING BUSINESS RISK FACTORS
IS Risk Assessment of Auditable Units
Data centre operations
Application systems (production)
Application systems (development)
IS procurement (manpower and material)
Software package acquisition
Other IS functions
Case Study: Software Acquisition
A company has received an approval to install software to improve its services in the competitive market
RFP has been developed, approved and gone for tendering process
In the process of selecting a vendor based on competitive bidding, a two-envelope system is adopted to ensure fairness and transparency
Perceived Benefits
- Enhanced services
- Competitive
- Better MIS reporting and Asset/Liability position
Implementation Details
Specifics:
- Size of systems
- Deployment: Centralised systems; Possibility of decentralised systems
- Application controls and auditing
- Leased lines, Wireless IEEE 802.11b and VSAT Connectivity
EXAMPLE IV—RISK ASSESSMENT—IS AUDIT v. SOFTWARE PACKAGE ACQUISITION
Rating factor (options listed lowest to highest risk, scored 1 to 5) | Weight | Score | Assigned score (weight × score)
1. Scope of the system: Part of a department (1); Complete department (2); Multi department (3); Organization wide (4); Organization and external (5) | 5 | 1–5 | 25
2. Financial exposure (AED) associated with the system: None (1); Small (<100,000) (2); Moderate (100,000–1 m) (3); High (1 m–10 m) (4); Very high (>10 m) (5) | 5 | 1–5 | 25
3. Nature of package: Off the shelf product (1); Custom built by vendor, maintained by vendor (2); Vendor developed, in-house maintained (3); Jointly developed, vendor maintained (4); Jointly developed, in-house maintained (5) | 2 | 1–5 | 10
4. Type of evaluation: By the user department/IS/consultant (1); By IS/user (2); By consultant (3); By IS (4); By the user department (5) | 1 | 1–5 | 5
5. Cost and complexity of the package: Negligible (1); Small (2); Moderate (3); Significant (4); Very high (5) | 2 | 1–5 | 10
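The following is an added worked example, not code from either presentation, showing the risk-assessment process outlined earlier (weight the factors, rate each auditable unit, score and rank) applied to the five rating factors of Example IV. It assumes "assigned score" means weight × score (consistent with the table, where weight 5 and score 5 give 25); the unit names, their ratings and the High/Medium/Low banding thresholds are constructed for illustration and are not from the page.

```python
"""Weighted risk scoring for ranking auditable units (added example)."""

# Rating factors from Example IV: weight, then the five options in ascending
# risk order (score 1..5). Assigned score = weight * score (assumption
# consistent with the table: weight 5 * score 5 = 25).
FACTORS = {
    "scope": (5, [
        "Part of a department", "Complete department", "Multi department",
        "Organization wide", "Organization and external"]),
    "financial_exposure": (5, [
        "None", "Small (<100,000)", "Moderate (100,000-1 m)",
        "High (1 m-10 m)", "Very high (>10 m)"]),
    "nature_of_package": (2, [
        "Off the shelf product",
        "Custom built by vendor, maintained by vendor",
        "Vendor developed, in-house maintained",
        "Jointly developed, vendor maintained",
        "Jointly developed, in-house maintained"]),
    "type_of_evaluation": (1, [
        "By the user department/IS/consultant", "By IS/user",
        "By consultant", "By IS", "By the user department"]),
    "cost_and_complexity": (2, [
        "Negligible", "Small", "Moderate", "Significant", "Very high"]),
}

# Highest possible total: every factor rated 5 (25 + 25 + 10 + 5 + 10 = 75).
MAX_SCORE = sum(weight * 5 for weight, _ in FACTORS.values())


def factor_score(factor, option):
    """Return weight * score for one factor; rejects options not in the table."""
    weight, options = FACTORS[factor]
    if option not in options:
        raise ValueError(f"{option!r} is not a valid option for {factor!r}")
    return weight * (options.index(option) + 1)


def risk_band(total):
    """Constructed banding thresholds (not from the page) on the 75-point scale."""
    share = total / MAX_SCORE
    if share >= 0.7:
        return "High"
    if share >= 0.4:
        return "Medium"
    return "Low"


def assess(unit, ratings):
    """Score one auditable unit; every factor must be rated, or the unit is rejected."""
    missing = set(FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"{unit}: unrated factors {sorted(missing)}")
    assigned = {f: factor_score(f, opt) for f, opt in ratings.items()}
    total = sum(assigned.values())
    return {"unit": unit, "assigned": assigned, "total": total,
            "pct_of_max": round(100 * total / MAX_SCORE, 1),
            "band": risk_band(total)}


def rank_units(assessments):
    """Highest total first; ties broken by name so the plan ordering is stable."""
    return sorted(assessments, key=lambda a: (-a["total"], a["unit"]))


# Constructed sample ratings for three hypothetical auditable units.
SAMPLE_UNITS = {
    "Core banking package": {
        "scope": "Organization and external",
        "financial_exposure": "Very high (>10 m)",
        "nature_of_package": "Jointly developed, vendor maintained",
        "type_of_evaluation": "By IS",
        "cost_and_complexity": "Very high",
    },
    "HR payroll module": {
        "scope": "Multi department",
        "financial_exposure": "Moderate (100,000-1 m)",
        "nature_of_package": "Vendor developed, in-house maintained",
        "type_of_evaluation": "By consultant",
        "cost_and_complexity": "Moderate",
    },
    "Departmental reporting tool": {
        "scope": "Complete department",
        "financial_exposure": "Small (<100,000)",
        "nature_of_package": "Off the shelf product",
        "type_of_evaluation": "By IS/user",
        "cost_and_complexity": "Small",
    },
}


def audit_plan():
    """Rank the sample units; this ordering is what sets the audit priorities."""
    return rank_units([assess(u, r) for u, r in SAMPLE_UNITS.items()])


if __name__ == "__main__":
    for a in audit_plan():
        print(f"{a['unit']:<28} {a['total']:>3}/{MAX_SCORE} "
              f"{a['pct_of_max']:>5}%  {a['band']}")
```

Rating by option label rather than by a bare number is deliberate: it forces the reviewer to pick from the documented scale, and a typo in a rating is rejected instead of silently scoring as 1 or 5. The "Review with audit client/management" step is the place to challenge the weights themselves, since the two 5-weighted factors (scope and financial exposure) account for two thirds of the maximum score.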
Detailed Example
CoBIT Framework
Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996.
COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company
CoBIT Background
“Generally applicable and accepted international standard of good practice for IT control”
COBIT: Control OBjectives for Information and related Technology
“An authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors.”
CoBIT’s Scope and Objectives
COBIT® 4.0 was developed by the IT Governance Institute (www.itgi.org) and was released in December 2005
COBIT® has evolved into an IT governance / control framework: a toolkit of “best practices” for IT control representing the consensus of experts
IT Governance focus
Linkage with business requirements (bridges the gap between control requirements, technical issues, and business risks).
Management – process owner – orientation (accountability)
Measurement and maturity driven
Generic focus – applicable to multiple environments
Organizes IT activities into a generally accepted process model (in alignment with ITIL, ISO, and other relevant ‘best practices’)
Identifies the major IT resources to be leveraged
Defines control objectives and associated assurance guidelines
CoBIT For IT Governance
Focus Area Strategic alignment
Value delivery
Resource management
Risk management
Performance measurement
CoBIT As A Framework
Enables the auditor to review specific IT processes against COBIT’s Control Objectives to determine where controls are sufficient or advise management where processes need to be improved.
Helps process owners answer questions - “Is what I’m doing adequate and in line with best practices? If not, what should I be doing and where should I focus my efforts?”
COBIT® is a framework and is NOT exhaustive or definitive.
The scope and breadth of a COBIT® implementation varies from organization to organization.
COBIT® prescribes “what” best practices should be in place. An effective implementation requires that COBIT® be supplemented with other sources of best practice that prescribe the “how” for IT governance and controlled process execution.
Relationship Between CoBIT Components
CoBIT Structure overview
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains (providing a high level control objective for each process)
Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
Is supported by a set of over 200 detailed control objectives
Plan & Organize
Acquire & Implement
Deliver & Support
Monitor & Evaluate
Effectiveness
Efficiency
Availability
Integrity
Confidentiality
Reliability
Compliance
IT Domains
Business Requirement
CoBIT Cube
CoBIT Structure
CoBIT High Level Processes/Objectives
Linking Control to Process Objectives
34 High Level and 200+ Detailed Objectives
Example of CoBIT DS 5 Page-1
Example of CoBIT DS 5 Page-2
Example of CoBIT DS 5 Page-3
Example of CoBIT DS 5 Page-4
Example of CoBIT DS 5 Page-4
Summing It All Up
Business goals drive IT goals
Using CoBIT in IS Audit
Understand Technology Layers
Understand The IT Governance Domain
Technology Audit Universe
Security Audit Universe
MAP Audit Universe to CoBIT
Using CoBIT to Tie It All Together
CoBIT Control Assessment Questions
CoBIT’s Audit Report Template
Sample Audit Report
Questions!