©2005 Deloitte & Touche Public Sector Internal Audit Limited. Private and Confidential IT Governance - Ealing Council.


IT Governance
A process by which an organisation's leaders ensure that IT is aligned with the business and delivers value, its performance is measured, its resources are properly allocated and its risks are mitigated.

Technology
- Opportunities
- Growth
- Development

Information Technology
- Integral part of all processes
- Accomplishes the mission and objectives
- Facilitates local and global communications

Technology Threats
- Service disruption
- Deception
- Theft
- Fraud
- Trusted users

What Questions Should You Be Asking?
- What are IT controls?
- What should be protected?
- Where are IT controls applied?
- Who is responsible?
- When do we assess IT controls?
- How much control is enough?

IT Controls – Significant Components
- Automation of business controls
- Control of IT
- Support for business management and governance

IT Controls
- Corporate policies
- Coded instructions
- Physical access
- Audit trails – the ability to trace actions and transactions to responsible individuals
- Automatic edits (data input)
- Data integrity…

Controls Classifications
- General controls (also known as infrastructure controls) – apply to all system components, and also include information security policy, administration, access and authentication
- Application controls – data input, separation of duties, e.g. transaction initiation versus authorisation
- Preventive controls – prevent errors, omissions or security incidents from occurring, e.g. data entry validation, access control
- Detective controls – detect errors or incidents once they have occurred, e.g. identifying account numbers of inactive accounts flagged for monitoring of suspicious activity
- Corrective controls – correct errors, omissions or incidents once they have been detected, e.g. correction of a data entry error, identifying and removing unauthorised users or software from systems or networks

Governance Controls
- Primary accountability for internal controls resides with the corporate board
- Ensure that effective information management and security principles, policies and processes are in place, and that there is sufficient performance and compliance evidence to demonstrate this
- Controls are mandated by the corporate leadership team (CLT) and linked to corporate governance; they are driven by the organisation's goals and strategies and by external regulators
- The Performance and Audit Panel's responsibility is oversight rather than performing control activities, e.g. you don't do the auditing, but you oversee both internal and external auditing at Ealing

Management Controls
- Responsibility for reaching into the organisation, with special attention to critical assets, sensitive information and operational functions
- Requires close collaboration with the audit committee to ensure that the IT controls needed to achieve established objectives are applied, are reliable and provide continuous processing
- Management must recognise risks to the organisation, its assets and its processes
- Implement mechanisms to mitigate these risks (protect, monitor and measure results)

Technical Controls
Form the foundation which ensures the reliability of virtually every other control in the organisation, e.g.
- Protection against unauthorised access and intrusion
- Reliance on the integrity of information
- Evidence of all changes and their authenticity

What to Expect
Source: GTAG (IIA)

Information Security
Integral part of all IT controls, with the exception of the financial aspects of IT such as return on investment, budgetary controls and some project management controls.
References: BS/ISO 17799, ITIL

Information Security
Three key elements of information security:
- Confidentiality – information is only divulged as appropriate
- Integrity – data is correct and complete
- Availability – information must be available to the organisation, customers and partners when, where and in the manner needed. This also includes the ability to recover from losses, disruption or corruption of data and IT services

Role of the Performance and Audit Panel
- What do we mean by IT controls?
- Why do we need IT controls?
- Who is responsible for IT controls?
- When is it appropriate to apply IT controls?
- Where exactly are IT controls applied?
- How do we perform IT controls assessments?

The Structure of IT Auditing
Source: GTAG (IIA)

IT Audit at Ealing
- Essential part of the corporate governance process
- Internal Audit has specialist, qualified IT auditors performing audits
- IT auditing is included in the audit universe and the annual plan
- The plan is shared with external audit, as in the Response programme
- Agresso implementation: post-implementation reviews
- General IT controls – anti-virus, IT security, network infrastructure, operating systems
- Specialist data integrity work (CAATs)
- Data Protection and Freedom of Information
- Applications…

The Audit Process
- Formal structure for addressing IT controls
- Sound technical understanding
- Provide the results of risk and control assessments
- Interact with those responsible for controls
- Pursue continuous learning through CPD and reassessment of new technologies – new opportunities, risks, dependencies, strategies and requirements

IT Control Assurance
IT controls assurance addresses the ability of controls to protect the organisation against the most important threats, and provides evidence that the remaining risks are unlikely to harm the organisation and its stakeholders significantly.
Source: GTAG (IIA)

Important Roles and Responsibilities
- Corporate level
  - Performance and Audit Panel
  - Audit Board
- Management
  - Chief Executive
  - Head of IT
  - IT Security Officer
- Audit
  - Internal
  - External

Control Framework
Adoption of a formal control framework is beneficial.
- COSO – Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment (The Committee of Sponsoring Organisations of the Treadway Commission)
- COBIT – accepted standard for good information technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners (ISACA 2005)

Corporate Level
- Oversee risk management and compliance programmes concerning information security
- Approve and adopt information security principles and assign key managers responsible for information security
- Protect the interests of all stakeholders who depend on information security
- Review information security policies regarding strategic partners and other third parties
- Ensure business continuity
- Review the provisions of internal and external audits of IT
- Collaborate with management to specify which information security reviews should be reported to the Corporate Board

Management
- Establish information security management policies
- Assign information security roles, responsibilities and required skills, and maintain separation of duties
- Provide training in security matters
- Assess IT risks and manage these risks
- Set information security requirements for strategic partners and other third parties
- Identify and classify information assets
- Implement and test business continuity
- Approve IT acquisitions, development, operations and maintenance
- Protect the physical environment
- Collaborate with security personnel to specify what needs to be reported to management

Internal/External Audit
As covered in the previous slide (IT Audit at Ealing), but also…
- Advise the corporate and management levels on IT internal control issues
- Ensure IT is included in the internal audit plan
- IT risks are considered when assigning resources and prioritising audit activities
- Specialist training
- IT issues for key systems are considered
- Performing IT risk assessments
- Performing IT audits…

Some Useful Websites
- IT Governance Institute
- The Committee of Sponsoring Organisations of the Treadway Commission
- Information Systems Audit and Control Association
- Institute of Internal Auditors
- Security Policy Resource Page

Shahab Hussein CISA
Senior Manager – Computer Assurance Services
Deloitte & Touche Public Sector Internal Audit
Direct:
Mobile:

Questions

This presentation covers IT Governance only in general terms and is intended to give the audience an outline understanding of issues in IT Governance, and therefore cannot be relied on to cover specific situations; application of the principles set out will depend on the particular circumstances involved. Furthermore, responses given in the presentation to questions are based on only an outline understanding of the facts and circumstances of the cases and therefore do not form an appropriate substitute for considered specific advice tailored to your circumstances. We recommend that you obtain professional advice before acting or refraining from acting on any of its contents. We would be pleased to advise you on the application of the principles demonstrated at the presentation to specific circumstances, but in the absence of such specific advice cannot be responsible or liable.

Deloitte & Touche Public Sector Internal Audit Limited. Registered in England and Wales with registered number Registered office: Hill House, 1 Little New Street, London EC4A 3TR. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte & Touche LLP, which is the United Kingdom member firm of Deloitte Touche Tohmatsu ('DTT'), a Swiss Verein whose member firms are separate and independent legal entities. Neither DTT nor any of its member firms has any liability for each other's acts or omissions. Services are provided by member firms or their subsidiaries and not by DTT.

Member of Deloitte Touche Tohmatsu