ISACA Professional Standards Committee and Frameworks for IT Audits

Upload: derek-nelson

Post on 27-Dec-2015


ISACA: Professional Standards Committee and Frameworks for IT Audits

• Steve Sizemore, CISA, CIA, CGAP
• Texas Health and Human Services Commission – Internal Audit Division
• IIA Austin Chapter
• ISACA
  • Past President of Austin Chapter
  • Government and Regulatory Agencies Subcommittee – North America
  • Professional Standards Committee


Professional Standards Committee - Charge

• Develop, maintain, and support professional ethics, standards, and guidelines for the IT assurance, security and control professions.

Standards Board Members 2010/11

• John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore, Chair
• Manuel Aceves, CISSP, CGEIT, CISM, CISA, Cerberian Consulting, Mexico
• Rick De Young, CISA, MBA, CISSP, USA
• Murari Kalyanaramani, CISM, CISA, CISSP, British American Tobacco GSD, Malaysia
• Edward J. Pelcher, CGEIT, CISA, Office of the Auditor General, South Africa
• Rao Hulgeri Raghavendra, CISA, CQA, PGDIM, Oracle Financial Services Software Ltd., India
• Steven E. Sizemore, CISA, CIA, CGAP, Texas HHSC, USA
• Meera Venkatesh, CISA, CISM, CISSP, CWA, ACS, Microsoft Corp., USA

Professional Standards Committee Objectives

1. Refresh, consolidate, and retire IS auditing guidance issued by ISACA to ensure consistency with other material issued by ISACA and ITGI, such as COBIT 4.1 and the Information Technology Assurance Framework (ITAF).


Professional Standards Committee Objectives

2. Continue development of security principles and the Business Model for Information Security (BMIS).

Professional Standards Committee Objectives

3. IT Assurance Framework (ITAF)
  • Ensure all current ISACA guidance is reflected.
  • Identify gaps with our current guidance.
  • Develop guidance as determined to be a priority by the gap analysis.


IS Auditing Guidance

• Code of Professional Ethics is a mandatory requirement

• Standards are mandatory requirements

• Guidelines are guidance in applying standards

• Procedures are examples

ITAF

• Standards
  • General
  • Performance
  • Reporting
• Guidelines
• Tools and techniques

ITAF (cont)

• Standards – 3 categories
  • General standards are the guiding principles under which the IT assurance profession operates
  • Performance standards establish baseline expectations in the conduct of IT assurance engagements
  • Reporting standards address the types of reports, the means of communication, and the information to be communicated

COBIT

• COBIT 4.1
• COBIT 5
  • In development
  • Will consolidate and integrate COBIT 4.1, Val IT 2.0 and Risk IT frameworks
  • Draw significantly from the Business Model for Information Security (BMIS) and ITAF.


COBIT - among top four IT Governance Frameworks

Val IT – A Governance Framework

IT-enabled investments will:

1. Be managed as a portfolio of investments
2. Include the full scope of activities required to achieve business value
3. Be managed through their full economic life cycle

Value delivery practices will:

4. Recognize different categories of investments to be evaluated and managed differently
5. Define and monitor key metrics and respond quickly to any changes or deviations
6. Engage all stakeholders and assign appropriate accountability for delivery of capabilities and realisation of business benefits
7. Be continually monitored, evaluated and improved

Risk IT – Risk Management Framework

• Risk Governance
  • Establish and Maintain a Common Risk View
  • Integrate with Enterprise Risk Management (ERM)
  • Make Risk-aware Business Decisions
• Risk Evaluation
  • Collect Data
  • Analyze Risk
  • Maintain Risk Profile
• Risk Response
  • Articulate Risk
  • Manage Risk
  • React to Events

Information Security Principles

• Partnership of
  • ISACA
  • Information Security Forum (ISF)
  • International Information Systems Security Certification Consortium (ISC)²

Business Model for Information Security (BMIS)

• Uses a business-oriented approach
• Can be used regardless of an enterprise’s size or the information security framework it has in place
• Focuses on people and processes in addition to technology
• Is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems
• Includes traditional information security, as well as links to privacy, risk, physical security and compliance
• Enables information security professionals to align the security program with business objectives by helping to widen the view to the enterprise


BMIS (cont)

How is IS auditing guidance developed?

(Diagram: Standards Board; Chapter Presidents; Area Rep; General public; Other standard setting bodies; Members and CISAs)

How is IS auditing guidance issued?

(Diagram: Standards Board; General public (through the Internet); Members and CISAs (through the Internet); Selected professionals and other standard setting bodies (through the exposure process))

Copies of all Standards are available on the ISACA web site: www.isaca.org

Working with Other Organisations

• Work with other international standard setting bodies (IIA, IFAC, AICPA, etc.)
• Comment on Exposure Drafts


Future Pronouncements

Guidelines to be Refreshed in 2011

G23 SDLC
G24 Internet Banking
G25 Review of VPNs
G26 Business Process Reengineering
G27 Mobile Computing
G28 Computer Forensics
G29 Post Implementation Reviews
G30 Competencies
G31 Privacy
G32 Business Continuity Planning

Gap Analysis

• Identified gaps between ITAF and the Standards and Guidelines
• Plan to address gaps through development of new standards and guidelines, and consolidation and reorganization of existing standards and guidelines.


Conclusion

Questions?