Auditor General’s Office One key audit focus area – Compliance with Laws and Regulations.

Relevant ICT Legislation (across all spheres)
- ECT Act
- RICA
- EC Act
- PAIA
- POPI

Relevant ICT Legislation (government specific)
- Public Services Act and Regulations
- Public Finance Management Act
- Intelligence Service Act
- Electronic Communications Security Act (COMSEC)
- Protection of State Information
- State Information Technology Agency Act (SITA)
- Draft White Paper on eCommunication

- No policies that address the cross-over aspects contained in legislation
- No clear vision as to whom, how and when legislation applies
- What does it mean from a CIO perspective?
- What do you experience daily as CIOs?

- Centrally managed infrastructure environment (databases), leading to improved administration and security – but no critical database has been registered thus far in terms of the ECT Act!
- Consolidation and synchronisation of applications and toolsets in use – but have the legal implications around POPI been assessed (e.g. Cloud and BYOD)?

- Cloud Computing – do CIOs understand the various legal consequences?
- E-Government – have the legitimacy and underlying validations in terms of the ECT Act been explained?

Developing enabling policies, legislation, norms and standards and guidelines

Standards, Codes and Frameworks (best practice)
- MISS
- MIOS
- ISO
- ISO
- SAS 70 / SSAE 16 / ISAE 3402
- IT Governance Framework
- COBIT
- KING III

Align Legislation, Standards, Frameworks & Codes
- Establish a Compliance function
- KYC & AO (Know Your Compliance and Accounting Officers!!)
- Create an ICT Regulatory Universe in conjunction with the CO
- TAKE RESPONSIBILITY & OWNERSHIP
- Simplify legislation
- Align processes with legislation – e.g. PAIA (survey: no implementation – POOR SERVICE DELIVERY)
- Participate in new legislation by submitting public comment (POPI – very little)

Simplify it by categorising legislation under CIO terms:
- Computer Crimes
- Document Management / Retention (Duplication)
- Electronic Communications
- Data Classification
- Information Security
- National Security
- Intellectual Property
- Privacy
- etc.

Public Finance Management Act (Act 1 of 1999, as amended by Act 29 of 1999), section 38(1)(b), (d) & (e), holds an accounting officer responsible for the effective, efficient, economical and transparent use of resources, for complying with audit commitments as required by legislation, and for the safeguarding of assets.

KING III – one key aspect of IT Governance: risk management, addressing the safeguarding of IT assets, disaster recovery and continuity of operations.

KING III 5.5.2: The board should ensure that the company complies with IT laws and that IT-related rules, codes and standards are considered.
The board should ensure that there are systems in place for the management of information, which should include information security, information management and information privacy.

KING III 5.6.2: The board should ensure that all personal information is treated by the company as an important business asset and is identified.

According to SITA, National Treasury has embraced Chapter 5 of KING III; although there are Public Service Regulations and Information Security Plans, see how these can be aligned to best practice to gain traction.

Remember! The AG audits against best practice!!

ADDITIONAL CONCERNS
- Special Categories of Personal Information
- Unsolicited Marketing
- Automated Processing
- Cross Border Data Transfers
- Regulator

CLOUD COMPUTING – Is moving data to the CLOUD a bad thing?

- Will my department have continued access to its information or data (backup and disaster recovery measures), irrespective of the information or data’s location?
- Can you provide me with assurances that unauthorised access to my department’s information or data is prevented (covering both protection against external “hacking” attacks and access by the cloud provider’s personnel or by other users of the datacentre)?
- Do you have adequate oversight of any sub-processors (irrespective of their location) you use or might use, and subsequent to that, do you have the necessary agreements and contracts in place to ensure the security of my department’s information or data?
- Do you have sufficient procedures in place in the event of a data breach that would enable my department to take the necessary actions in terms of POPI?

Awareness & Understanding creates better implementation, which facilitates best practice, which in turn improves service delivery.

© Copyright Francis Cronje All Rights Reserved