Peter Kornelisse, Infosecurity.nl, 4 November, Jaarbeurs Utrecht

IT Advisory: As the IT Auditor arrives … (InfoSecurity 2010, 4 November 2010)


Page 1

IT Advisory

As the IT Auditor arrives …

InfoSecurity 2010, 4 November 2010

Page 2

As the IT Auditor arrives … Understand the Purpose of the IT Audit

© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 1

Page 3

As the IT Auditor arrives … Be aware of your own Attitude

Effectiveness and efficiency of the audit depend on behaviour (soft controls on both sides):

Client – soft controls / Auditor – soft controls

• Audit sponsor is leading by example

• Involving stakeholders

• Seeking for facts

• Clearly providing judgment

• Transparency, providing adequate information

• Be involved with the audit

Page 4

As the IT Auditor arrives … Consider the Auditor’s perspective

• First line of defense: self-assessment by operational staff

• Second line of defense: management assessment

• Third line of defense: audit

Page 5

As the IT Auditor arrives … Be specific regarding your expected maturity of IT

(Figure: COBIT maturity levels)

Page 6

As the IT Auditor arrives … Understand each Phase of the Audit

• Scope of objects to be assessed (risk-based)

• Requirements to be applied (compliance-based)

• Fact finding (compliance-based)

• Evaluation of noted deficiencies (risk-based)

Page 7

As the IT Auditor arrives … Risk-based scoping – Financial Reporting

A. Accounts and disclosures (focus of the financial audit)

Entities

Business processes

Key controls:

• Manual controls

• IT-dependent manual controls

• Automated controls

B. Focus of the IT audit:

• Generic ICT infrastructure

• Application-specific ICT

• Key application controls

• IT management processes

Page 8

As the IT Auditor arrives … Risk-based scoping – Assess an IT service

(Figure only)

Page 9

As the IT Auditor arrives … Compliance-based fact-finding: be aware that the auditor also evaluates your own (continuous) monitoring

(Figure: events and the deduction of events)

Page 10

As the IT Auditor arrives … Risk-based evaluation

Risk-based: business-critical list of applications, sensitivity (CIA)

Risk-based selection of controls:

• People – soft controls

• Processes – three levels of defense, monitoring

• Technology – compliance monitoring, vulnerabilities monitoring, incident detection

Compliance-based monitoring of the IT environment: analysis of issues, issue tracking, incident detection

Risk-based evaluation and follow-up (improve or accept)

Page 11

As the IT Auditor arrives … You can help to make it effective and efficient!

Consider how the IT Auditor can help you to improve your IT environment regarding:

• People

• Processes

• Technology

Page 12

Questions

Page 13

Contact details

Name: Ir. Peter Kornelisse RE CISA

Position: Director, experienced with regard to Information Security and Technology, having performed and coordinated many advisory services, as well as compliance audits and security tests, since 1990. Peter is globally responsible for security testing services at KPMG, and mainly delivers IT audit support for Financial Audits, and Information Protection and Business Continuity services in the Netherlands.

E-mail: [email protected]

Telephone: +31 (0)6 – 53 165 596