Chap 8 – IT Audit Driver
Dr. Ir. Yeffry Handoko Putra
Magister Sistem Informasi (Master of Information Systems)
Multiple factors drive IT Audit
SSAE 16/SOC
System Development Life Cycle: ISO/IEC 15288
Law and Regulation
Sarbanes–Oxley Act of 2002 (SOX): regulates public companies and their auditors; applies to all issuers of securities exchanged in US markets
European Council Directive 2006/43/EC: sets standards for auditors and audits in the public interest; applies to organizations subject to statutory audit requirements
Gramm–Leach–Bliley Act of 1999 (GLBA): enabled consolidation of different types of financial services firms within a single holding company; applies to financial institutions
Health Insurance Portability and Accountability Act of 1996 (HIPAA): protects the privacy and security of health-related personal information; applies to health-care providers, plans, and clearinghouses
Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH): applies to HIPAA-covered entities, business associates, and contractors and subcontractors
European Council Directive 95/46/EC: protects personal data privacy; applies to all organizations in European Union countries
Computer Fraud and Abuse Act of 1986: criminalizes unauthorized access or damage to protected computers; applies to all computing devices used in interstate or international commerce or communications
Electronic Communications Privacy Act of 1986 (ECPA): protects the content of personal communications; applies to electronic communications service providers and government organizations
Federal Information Security Management Act of 2002 (FISMA): US federal executive agencies; applies to systems and information
Organizational Certifications and Associated Subject Areas
CMMI for Services: maturity of service provider capabilities and processes
ISO 9001: quality management systems
ISO: environmental management systems
ISO/IEC: IT security evaluation of computer systems and software
ISO/IEC: IT service management
ISO/IEC: information security management systems
Service Organization Control (SOC) Reports: security, privacy, and system controls implemented by service providers
Certification standards
Quality certification: ISO 9001
Information security: ISO/IEC 27000
Service management: ITIL or Capability Maturity Model Integration (CMMI)
Operational effectiveness
Six Sigma
Total Quality Management
ISO 9004:2009 (Managing for the sustained success of an organization – A quality management approach)
ISO 15504
Quality assurance and continuous improvement
Quality management initiatives such as quality assurance, quality control, and continuous improvement represent significant internal drivers for many organizations (ISO [38] and ISO/IEC 17021).
Why standards?
Quality-orientated process approaches and standards are maturing and gaining acceptance in many companies.
Standards emphasize communication and shared understanding. For example: if one person says, “Testing is complete”, will all affected bodies understand what those words mean? This kind of understanding is not only important in a global development environment; even a small group working in the same office might have difficulties in communication and understanding of shared issues.
Standards can help in these and other areas to make the business more profitable because less time is spent on non-productive work.
The use of standards has many potential benefits for any organization
Improved management of software
Schedules and budgets are more likely to be met
Quality goals are likely to be reached
Employee training and turnover can be managed
Visible certification can attract new customers or be required by existing ones
Partnerships and co-development, particularly in a global environment, are enhanced
More business benefits
Regulation: cost-effective compliance; customer assurance; reduced product liability; risk management; governance
Cost optimization: reduced transaction costs; product/process interoperability; flexibility in supply chain; best practice and management systems
Maximizing revenue: improved speed to market; product acceptance; product life cycle management
Business opportunities: develop new markets and future sales; influence technology change; influence industry evolution; structure regional/international competition
Importance of standards
Encapsulation of best practice: avoids repetition of past mistakes
Framework for the quality assurance process: it involves checking standard compliance
Provide continuity: new staff can understand the organisation by the standards applied
Problems with standards
There is evidence that the majority of small software organizations are not adopting existing standards, as they perceive them as being orientated towards large organizations. Studies have shown that small firms’ negative perceptions of process model standards are primarily driven by negative views of cost, documentation and bureaucracy. It has been reported that very small entities (VSEs) find it difficult to relate standards to their business needs and to justify the application of the international standards in their operations.
IT Audit Processes
Most IT audit approaches include one or more activities conducted within the process areas of audit planning, audit performance, audit reporting, and responding to audit findings and recommendations. Successfully implementing IT audit processes depends to a large extent on organizational commitments and the
Audit planning
Audit preparation
Resource allocation
Preliminary data gathering
Audit procedures and protocols
Planning internal and external audits
Audit performance – Evidence collection
IT auditors collect evidence from multiple sources using a variety of methods, examining procedural and technical documentation, observing process execution and personnel behavior, testing controls, and checking system and environment configuration settings.
Audit performance – Analysis of evidence
Reporting findings
purpose and objectives for performing the audit;
audit scope, including organizational, functional, or technical elements to which the audit applies;
identification of the audit client;
identification of audit participants, including auditors and those subject to the audit;
time frame during which the audit took place;
locations where auditing occurred, including organization facilities and auditor work sites outside the organization, if any;
criteria specified for the audit;
audit findings and supporting evidence;
audit conclusions, including auditor recommendations; and
audit results
Process life cycles and methodologies
PDCA model
ISACA’s IT Audit Framework defines information system audit and assurance guidelines in three major categories: general (preparatory), performance, and reporting.
The Federal Information System Controls Audit Manual (FISCAM), used in audits of U.S. government agencies, defines an audit methodology organized into the three core steps of plan, perform, and report.
National Institute of Standards and Technology (NIST) special publication, Guide for Conducting Risk Assessments, prescribes a three-step process of preparing, conducting, and maintaining assessments.