IT Auditor’s Role in IT Governance Fred C. Roth, CISA MIS Training Institute Session 425.



2 Agenda
– Linking IT and Enterprise Governance
– Who’s Responsible for IT Governance?
– Impact from Regulations on IT Governance
– IT Governance Framework & Responsibilities
– Pro-Active Audit Involvement
– Using COBIT®
– This is a Perfect Opportunity!
COBIT® Copyright (1996, 1998 and 2000) by IT Governance Institute

3 IT Governance
Inclusive term which encompasses:
– information systems
– technology
– communication
– business
– legal
– stakeholders
– directors and senior management
– process owners
– IT suppliers
– users
Source: CISA® Review Manual

4 Who’s Responsible for IT Governance?
“IT governance is the responsibility of the board of directors and executive management. IT is an integral part of enterprise governance and consists of the leadership and organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.”
Source: IT Governance Institute


6 Enterprise / IT Governance
Good enterprise governance and ethical practices were always important. Now they are the LAW!
EU, UK, US (and many other countries) regulations require compliance with specific information protection requirements.
A core element within each of these regulations is information security.
IT plays a critical role in your organization’s compliance … or failure to comply.


10 Gramm-Leach-Bliley Act

11 Sarbanes-Oxley Act of 2002

12 California Bill #1386

13 IT Governance
These regulations have forced more focus on IT governance due to the criticality of IT upon the enterprise.
Information technology plays a crucial role in ensuring the confidentiality, integrity and availability of information throughout the business cycle.
COSO states...
– “Tone at the top” is critical for governance.
– The “top” for IT is the CIO... and CEO / BOD

14 IT Governance Framework / Responsibilities

15 CIO.COM
“IT governance, while always important, is taking on a higher level of significance. CIOs should reflect on their enterprise culture / processes while working with those responsible for corporate-wide governance. The increased scrutiny on corporate governance directly affects IT governance.”

16 Board of Directors & Management Responsibilities
– Establish an IT Governance framework at the BOD level.
– Ensure CIO is focused on the appropriate priorities.
– Is IT aligned with the enterprise business strategies?
– Relate the risk of IT to the enterprise’s risk.
– Understand the strategic importance of IT within the organization.

17 IT Strategy Committee
IT Strategy Committee - Board Level
– Catalyst for BOD IT governance practices.
– Advises the BOD and management on IT strategy:
  Alignment of IT with business strategies.
  Strategic IT objectives.
  Availability of suitable IT resources, skills, infrastructures to meet enterprise strategic objectives.
  Progress on major IT projects.
  Exposure to IT risks.
Source: IT Governance Institute

18 IT Steering Committee
IT Steering Committee - Executive Level
– Assists executives with IT strategy.
– Focuses on implementation and delivery.
– Is a major contributor to management’s IT governance responsibilities.
Membership:
  Sponsoring executive.
  Business executives (key users).
  CIO.
  Legal/Finance advisors.
Source: IT Governance Institute

19 Information Security Governance
– “Tone at the Top” from senior corporate management and BOD is critical to the success of security implementation.
– Critical that security have strategic alignment with the company’s overall goals / objectives.
– First step - define information that is critical and sensitive by business process owners.
– Need top-down management support for effective security controls.

20 Pro-active Audit Involvement

21 Pro-active Audit Role
– IT is strategic, integral and critical to the business.
– IT involves major investments and risks.
– Shareholders and regulations are holding the Boards accountable.
– Boards are holding management responsible.
– Boards and management will look to auditors to obtain assurance about the risk of IT to the business.
– Auditors should strive to have the Board and Management focus on IT Governance.

22 Auditing Standards
Both the IIA and ISACA have issued standards for auditing governance.
– ISACA - IT Governance - 060.020.050.
– IIA - included in their International Standards for the Professional Practice of Internal Auditing.
  Calls for increased audit participation in the governance process.
  Requires that internal auditing proactively assist management and board with their responsibilities by:

23 IIA Governance Standard
– Assessing and promoting strong ethics and values within the organization.
– Reviewing and improving the process by which accountability is ensured.
– Evaluating the adequacy of communications about significant residual risk within the organization.
– Helping to improve the board’s interaction with management and the external and internal auditors.
– Serving as an educational resource regarding changes and trends in the business and regulatory environment.

24 ISACA Guideline on IT Governance 060.020.050
Guideline Purpose: to provide information on how an IT auditor should approach an audit of IT governance.
How IT is applied within the enterprise will have an immense effect on whether the enterprise will attain its mission, vision or strategic goals.
IT governance is an increasingly important part of the overall enterprise governance.

25 Assessment Areas
– Does IT have the necessary skills and IT infrastructure to achieve objectives and to sustain the necessary level of operations?
– Communication - is there an effective means of communication of goals/objectives from management to all levels of the organization?
– Monitoring - is there an effective means of monitoring compliance against goals/objectives?
Source: ISACA Guideline on IT Governance 060.020.050

26 Scope of IT Governance Audit
Included in the scope of the audit:
– IT Strategic Planning
– IT Tactical Planning
– IT Delivery Process
– Application Development Methodology
– Administration of Systems Portfolio
– Are there documented policies for key IT processes?
Source: ISACA Guideline on IT Governance 060.020.050

27 Audit Reporting
IT governance audit reports should be issued to the audit committee and top-level management. The report should include:
– Statement that management is responsible for the organization’s system of internal controls.
– Description of key procedures management uses to provide an effective IT governance system.
– Areas of noncompliance, ineffective controls and recommendations for improvement.
– The auditor’s overall IT governance conclusion.
Source: ISACA Guideline on IT Governance 060.020.050

28 Using COBIT®

29 COBIT®
– COBIT is an IT governance framework issued by ISACA.
– Generally accepted standards for IT control practices.
– Provides a framework for management, users, IT audit, security personnel.
– COBIT provides an excellent means for companies to assess IT controls against best practices.

30 Planning and Organization
PO 1 Define a Strategic Information Technology Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organization and Relationships
PO 5 Manage the Investment in Information Technology
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality

31 Acquisition and Implementation
AI 1 Identify Automated Solutions
AI 2 Acquire / Maintain Application Software
AI 3 Acquire / Maintain Technology Infrastructure
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes

32 Delivery and Support
DS 1 Define Service Levels
DS 2 Manage Third-party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Allocate Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations

33 Monitoring
M 1 Monitor the Process
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit

34 COBIT® & CIO.COM
CIOs are starting to learn about COBIT:
“COBIT is a set of documented best practices for IT governance that assists auditors, management and users to bridge the gaps among business risks, control needs and technical issues.” --> CIO.com

35 COBIT® & IT Governance
– COBIT is a good fit for IT governance.
– Can be used by IT management and auditors to evaluate governance processes.
– Includes key goal indicators, critical success factors and key performance indicators that drive IT governance to its goals.

36 COBIT® - IT Control Framework
– Executive Summary -- “There is a Method...”
– Control Objectives -- “Minimum Controls Are...”
– Audit Guidelines -- “Here’s How You Audit...”
– Implementation Guide -- “Here’s How You Implement”
– Management Guide -- “Here’s How You Measure”
– Control Practices -- “Expected Control Practices”

37 The COBIT® Control Hierarchy
High Level Control Objectives
  PO 1 Define a Strategic IT Plan
Detailed Control Objectives
  PO1.1 IT as Part of the Organization’s Plan
Control Practices
  PO1.1.01 Senior management establishes clear roles …
  PO1.1.02 The long/short term plans consider …
  PO1.1.03 The plans provide direction to IT planners …

38 Control over the IT process of
– DEFINING A STRATEGIC IT PLAN (PO-1)
that satisfies the business requirement
– to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment.
is enabled by
– a strategic planning process undertaken at regular intervals giving rise to long-term plans.
– the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals.
and takes into consideration …

39 and takes into consideration:
– Enterprise business strategy.
– Definition of how IT supports the business objectives.
– Inventory of technological solutions and current infrastructure.
– Monitoring the technology markets.
– Timely feasibility studies and reality checks.
– Existing systems assessments.
– Enterprise position on risk, time-to-market, quality.
– Need for senior management buy-in, support and critical review.

40 Control Practices
PO1.1.01 Senior management establishes clear roles, responsibilities, performance measures and organizational structures for developing, implementing and maintaining the organization’s and IT’s long and short term plans.
PO1.1.02 The organization’s long and short term plans consider business factors that could impact the focus of IT resources including new markets, new competitive strategies, strategies to increase revenues and initiatives to improve customer satisfaction.

41 COBIT® - IT Governance Critical Success Factors
– IT governance activities are integrated into the enterprise governance process and leadership behaviors.
– IT governance focuses on the enterprise goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands.
– IT governance activities are defined with a clear purpose, based on enterprise needs and unambiguous accountabilities.
– Management practices are implemented to increase efficient and optimal use of resources and increase the effectiveness of IT processes.
– Control practices are defined to avoid breakdowns in internal control and oversight.

42 COBIT® - IT Governance Key Performance Indicators
– Improved cost-efficiency of IT processes.
– Increased utilization of IT infrastructure.
– Increased satisfaction of stakeholders.
– Improved staff productivity.
– Increased availability of knowledge and information for managing the enterprise.
– Increased linkage between IT and enterprise governance.
– Improved performance as measured by IT balanced scorecards.

43 IT Governance Maturity Model
0 Non-Existent. Complete lack of any recognisable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognised that the issues exist and need to be addressed. There are however no standardised processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganised.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Procedures have been standardised and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalisation of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimised. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modelling with other organisations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.


45 COBIT® SOX Control Objectives / Activity Level
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
DS1 Define and Manage Service Levels
DS2 Manage Third-Party Services
DS5 Ensure Systems Security
DS9 Manage the Configuration
DS10 Manage Problems and Incidents
DS11 Manage Data
DS13 Manage Operations

46 COBIT® SOX Control Objectives / Company Level
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO4 Define the IT Organization and Relationships
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Assess Risks
PO11 Manage Quality
DS3 Manage Performance and Capacity
DS7 Educate and Train Users
DS12 Manage Facilities
M1-M4 Monitor / Internal Control Adequacy

47 IT Governance Implementation Guide
ISACA has also issued a guide on using COBIT to implement IT governance.

48 IT Governance
IT governance is critical for compliance against the numerous international data privacy / control regulations.
Good governance is good business. Good governance makes good sense.

49 This is a Perfect Opportunity
– To position IT Governance where it should be … the responsibility of senior management.
– Auditors should play a pro-active role in ensuring appropriate communications at senior levels of the organization regarding IT Governance.
– The timing is right to ensure that IT Governance is a key component of enterprise governance.

50 For More Information:
Fred C. Roth, CISA
MIS Training Institute
froth@misti.com

51 Thank you!
