Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen June 2005 Lithuania.

Presentation transcript:

IS THIS YOUR DAY? (slide illustration: CobiT process identifiers PO8, PO1, DS11, AI6, PO11, AI1 and DS5 scattered around a question mark)

The purpose of this session!

Presentation
Rune Johannessen – CISA, CIA, Dipl. Int revisor – 9 years of experience in IT audit and quality assurance from various ministries with their subordinate agencies, private companies and system development projects.
Børre Lagesen – CISA – 6 years of experience in IT audit from various ministries with their subordinate agencies.

Agenda
1. What is the objective for this workshop?
2. Background
3. Method for Risk-based sampling
4. Case study
5. Experiences from practical use in Norway
6. Sum up and questions

1. The objective for this workshop
1. Help the auditor to select the right areas and processes for IT auditing.
2. Contribute to improvement and quality in the performance of the IT risk assessment.
3. Contribute to an open discussion and knowledge sharing.

2. Background
1. Why CobiT?
2. Why this risk assessment approach?
– CobiT is highly comprehensive and its use is quite time consuming.
– This is in stark contrast to our everyday situation, where time is a critical factor.
– CobiT does not provide clear guidelines on how to carry out an overall (or “high level”) audit risk assessment.

Method for Risk-based sampling
1. The method presented is not intended as a final template.
2. The presentation is based on qualitative assessments of risks.
3. The method uses the following sources: Audit Guidelines and Control Objectives, but could also use the maturity model in “Management Guidelines”.

Method for Risk-based sampling
Phase 1: Selection based on criteria/processes/resources
Phase 2: Risk assessment of selected processes
Phase 3: IT audit

Results of Phase 1: The auditor has a list of relevant processes. In our last example, AI2 and AI6 were identified as the most relevant within the domain “Acquisition and Implementation”.

Scale: Control routines
Doc – The audited entity has a documented routine or process that deals with the matter.
Undoc – The audited entity does not have a documented routine or documented processes that deal with the matter.
Don’t exist – The process does not exist in this organisation. Further actions and consequences for other types of audits need to be considered.

Scale: Probability
H – It is regarded as highly probable that this process will be negatively affected by internal or external events.
M – It is regarded as possible that this process will be negatively affected by internal or external events.
L – It is not regarded as very probable that this process will be negatively affected by internal or external events.

Method for Risk-based sampling
Scale: Consequence
H – Negative internal or external incidents are expected to have major consequences.
M – Negative internal or external incidents are expected to have medium consequences.
L – Negative internal or external incidents are expected to have minor consequences.

Each process is then subject to a risk assessment in which probability and consequence are considered together. On the basis of how the process is rated in terms of risk (H high, M medium, L low in our example), processes are selected for further IT audit (phase 3).
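The Phase 2 step above as an added, runnable example (not part of the presentation): each process that survived Phase 1 is rated on the three slide scales, and the result decides what goes on to the Phase 3 IT audit. The slides only say probability and consequence are "considered together", so the combination matrix, the selection threshold and the sample ratings below are assumptions.

```python
"""Phase 2 of the risk-based sampling method: rate selected CobiT processes
and pick those that proceed to the Phase 3 IT audit (added example)."""
from dataclasses import dataclass

# Ordinal value of the H/M/L scales used on the slides.
LEVEL = {"L": 1, "M": 2, "H": 3}


def rate_risk(probability: str, consequence: str) -> str:
    """Assumed combination matrix (not given on the slides):
    H/H and H/M -> H, M/M and H/L -> M, M/L and L/L -> L."""
    total = LEVEL[probability] + LEVEL[consequence]
    if total >= 5:
        return "H"
    if total == 4:
        return "M"
    return "L"


@dataclass
class ProcessAssessment:
    process: str      # CobiT process id, e.g. "DS5"
    title: str
    control: str      # "Doc", "Undoc" or "Don't exist" (control-routine scale)
    probability: str  # "H", "M" or "L"
    consequence: str  # "H", "M" or "L"


def select_for_phase3(assessments, threshold="M"):
    """Return (selected, flagged): processes whose rated risk reaches the
    threshold, and processes that do not exist in the organisation, which the
    slides say need follow-up in other types of audit rather than an IT audit."""
    selected, flagged = [], []
    for a in assessments:
        if a.control == "Don't exist":
            flagged.append(a.process)
            continue
        risk = rate_risk(a.probability, a.consequence)
        if LEVEL[risk] >= LEVEL[threshold]:
            selected.append((a.process, risk, a.control))
    # Highest risk first; at equal risk, undocumented routines before documented ones.
    selected.sort(key=lambda s: (-LEVEL[s[1]], s[2] != "Undoc"))
    return selected, flagged


# Constructed sample ratings for the processes named in the workshop exercise
# (PO9, DS4, DS5) plus AI6 from the audit-program slide; not real audit data.
SAMPLE = [
    ProcessAssessment("PO9", "Assess risks", "Undoc", "H", "H"),
    ProcessAssessment("DS4", "Ensure continuous service", "Don't exist", "H", "H"),
    ProcessAssessment("DS5", "Ensure systems security", "Doc", "M", "H"),
    ProcessAssessment("AI6", "Manage changes", "Doc", "L", "M"),
]

if __name__ == "__main__":
    selected, flagged = select_for_phase3(SAMPLE)
    for process, risk, control in selected:
        print(f"{process}: risk {risk} ({control}) -> Phase 3 IT audit")
    for process in flagged:
        print(f"{process}: process does not exist -> consider other audit types")
```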

Method for Risk-based sampling
Example of an audit program entry (columns: IT process and audit questions | Results of evaluation and testing | Recommendation | Ref.)
AI6 Change management
Audit questions:
– Has a method been established for prioritisation of change recommendations from users, and if so, is it being used?
– Have procedures been compiled for sudden changes, and if so, are they being used?
– Is there a formal procedure for monitoring changes, and if so, is it being used?
– Etc.
Results of evaluation and testing:
Observation: Method for changes… There is no procedure for sudden changes… Etc.
Assessment: The methodology is incomplete in terms of sudden changes…
Conclusion: The methodology is inadequate…
Recommendation: We recommend …

WORK!!!!
1. Identify relevant questions for the chosen processes (PO9, DS4, DS5) based on your points in “and takes into consideration”. (from to – 25 minutes)
2. Use the questions on the case study. Evaluate risk and conclude on further audit. (from to – 60 minutes including break.)
3. Discussions (from to – 45 minutes)

5. Practical use and experiences from Norway

Method for Risk-based sampling
Phase 1: Selection based on targets/processes/resources
Phase 2: Risk assessment of selected processes
Phase 3: IT audit

Selection of processes (Phase 1)

The risk assessment of processes (Phase 2)

Result of risk assessment in four different government agencies

Briefly on developing our IT audit program (Phase 3): the audit program is derived from the CobiT Audit Guidelines and Control Objectives.

Result of audit (Phase 3)

Experience
Pros:
– able to develop a good risk profile
– able to select the right process to audit
– reuse of questionnaire and risk profile
Cons:
– it took time to develop the questions
– it takes time to perform such a comprehensive risk assessment

You can’t hide – we see it all