Deloitte Internal Audit


1 Deloitte Internal Audit
Wednesday 18 October Paul McGinty / Adnan Saleem

2 Deloitte Internal Audit
The role of internal audit
The Deloitte team
Our experience
Our objectives
Work so far
Audit planning
An integrated approach
IT internal audit
The audit plan and associated reviews
Further internal audit services
Discussion

Management, the board and the audit committee look to Internal Audit to provide assurance that appropriate controls are designed and operating effectively to manage technology risks both today and in the future. Dedicated IT internal auditors should form part of an Internal Audit team and assist in addressing the risks arising from and relating to the use of technology. The importance of IT is continually growing and this needs to be matched by the skills of the auditors who provide assurance over IT controls.

3 The role of internal audit
Provide independent assurance to the Audit Committee and to the University Court that an adequate system of internal control is in place within the University.
Management look to internal audit to provide assurance that appropriate controls are designed and operating to manage business processes and technology risks both today and in the future.
How? By reviewing and auditing the most important risks and the most important processes within the University.
Add value, process improvement and increased assurance to the University and its operations.

4 The Deloitte Team
Colin Gibson - Partner
Paul McGinty - Director (Internal Audit)
Laura Green - Assistant Manager (Internal Audit)
Adnan Saleem - Manager (IT Internal Audit)

5 Our Experience
Team dedicated to internal audit, risk management and governance
Experience working with a number of other Scottish Universities
Strong credentials across the UK and internationally
Broad experience across public and private sector and across key process areas

6 Our Objectives
Work openly and constructively with you
Understand you and the University of Glasgow
Work towards developing and improving internal control and assurance
Meet with you again soon.

7 Work so far
Appointed in August 2006
Undertaken Business Risk Workshop with senior management team
Developed Internal Audit plan for approval by Audit Committee
Undertaken initial work on key process and risk areas including Purchasing, Accounts Payable, Revenue, Payroll and the IT security framework.
Detailed plan of work outlined for 2006/7.

8 Audit planning
[Diagram: IA Project Plan, Process Universe, Business Risks]

9 Conducting a review
Initial planning with key stakeholders
Produce draft scope / specification
Agree scope
Perform review
Discuss findings with management
Present draft report
Obtain management comment and agree action plan

10 Aligning IT internal audit and operational audit plans
Aligning operational and IT audit is extremely important for a number of reasons:
Many business risks faced are dependent upon IT
Management is dependent on IT supporting the business

An integrated audit approach consists of one team of operational and IT specialists working together to look at the business events and transactions, determining the controls and identifying the most efficient and effective ways to test these controls.
Why is it important? Timely alignment of audit effort across IT and business auditors.
What does it mean? Example: GL review for Agresso.

11 Integrated Approach
The ‘traditional’ approach versus an ‘integrated’ approach
[Figure 2.1 – An Integrated IT Internal Audit approach. Layers: Business Processes (process controls: Process A, B, C, D); Business Events & Transactions; Applications (application controls: Application 1, 2, 3); IT Infrastructure (general controls)]

Key Features of the ‘traditional’ approach:
Separate business and IT Internal Audit teams
Work not co-ordinated
Detailed technical focus to IT Internal Audit work which is difficult to relate to business processes
Business audit teams test what they can see – automated controls are assumed to work

Key Features of the ‘integrated’ approach:
One team comprising process and IT specialists working side-by-side
IT findings are business process specific

Key benefits:
The IT specialists gain an understanding of the business elements of the cycle while the business specialists develop an understanding of which applications are integral to the business process.
The integrated audit approach focuses the scope of IT Internal Audit on the applications and IT infrastructure which are directly linked to the business process, reducing redundant or unnecessary work.
The IT findings are business process specific, which increases management’s understanding of their relevance and impact as well as ensuring their support.

12 IT Internal Audit & answering the difficult questions
Key questions that IT internal audit can play a role in addressing:
Can I trust the integrity of information being used to make business decisions?
What are my most significant IT risks? …and what is being done in my organisation to address these?
Are applications being developed, implemented and maintained in a well-controlled manner?
Do my IT governance efforts support wider regulatory and compliance efforts?
Are third party outsourcers meeting service levels and control commitments?
How good is my IT security?
Will my systems and information be available when I need them? …and does it fit together in an efficient and cohesive manner?

As internal audit we work closely with our clients to understand the challenges they face, bringing added benefits such as knowledge transfer, specialist skills and best practice methodologies.

13 Emerging areas of risk
Some Key Challenges:
Data Governance: ownership, classification, storage, assessment of risk (e.g. third party access)
IT Governance: risk management, KPIs, reporting, communication
Regulation: Data Protection Act, Computer Misuse Act

Data Gov: who owns data, how do we assign ownership, how is it communicated, storage (shared drive), assessment of risk
IT Gov: risk management process - how are risks raised, key performance indicators, representative reporting
Regulations: risk management process, key performance indicators

14 Audit planning
[Diagram: IA Project Plan, Process Universe, Business Risks]

15 IT Internal Audit plan
Review of Business Continuity Planning: Arrangements for business continuity in the event of a significant incident or disaster require formal review, covering all key aspects of B.C.P.

Review of ICT Strategy and Governance: This review will assess how ICT strategy and overall governance of IT is managed and controlled in order to provide a comprehensive view of the current and forward strategic plan for IT.

Review of Information and Network Security: It is critical that information assets and network structures are robust, well managed and protected from threats. This review will assess the quality of controls around information and network security.

Review of Software License Management: It is critical that software in use within the University is properly managed and controlled and that software license arrangements are effective. This review will assess the adequacy and effectiveness of controls in this area.

16 What happens next
Risk register
Regular follow-up
Report updates / current status
Audit committee
See some of you soon

17 Emerging technologies
Keeping pace with emerging technologies. Increasing security threats and the pressure to work faster and be more effective pose a significant challenge.

Operating systems security: SekChek® benchmarks computer security against real-life averages by industry sector. SekChek offers:
Comprehensive reporting on system-based security controls, not sample-based;
An independent assessment of security against international standards;
Bench-marking against industry averages for security compiled from 20,000 systems in 80 countries;
Minimal client intervention.

18
IT Security & Privacy: Infrastructure security; Security governance; Web applications; Biometrics; Identity & Access Management.
IT Project Assurance: Project management co-sourcing; Project review and risk assessment; Project audit against specific standards (e.g. Prince2, COBIT 4.0).
Business Continuity: Crisis Management; Business Continuity & Resumption; IT Disaster Recovery.
Data Management: Data investigation; Data migration.
IT Governance: Strategic IT planning; IT monitoring and risk reporting, IT change

19 Project Risk Management Process
[Diagram: Project Goals & Objectives; Identify & Assess Project Risks; Project Risk Management Strategies; Improve Risk Management Process; Information or Decision Making; Monitor Project Risk Management Process; Project Risk Control Processes]

Our project assurance capabilities across the project life cycle (Project Initiation, Project Development, Project Roll-out, Project Monitoring):
Business case and cost / benefit analysis
Design and implementation of project management and control processes
Project strategy and testing
Data migration
Control framework design and implementation
Contingency planning
Development and modification of technical and process documentation
User support
Management information and project reporting
Third party management controls and reporting
Pre and post implementation reviews

20 Business Continuity Management
[Diagram (axis: Time): Normal Operations, Disaster!, Business Recovery, Normal Operations; labels: Resilience, Redundancy etc.; BCP, DRP and Contingency plans; Lessons Learned implemented]

21 Our IT Governance model
An effective IT Governance framework should be an integral part of the existing governance and reporting structure, fully supported by management and deployed throughout the organisation. It should enable IT to demonstrate:
How it supports the business strategy;
Compliance with all relevant laws and regulations; and
Demands on IT are managed and met in an efficient, cost effective and consistent manner.

We have a proven methodology supported by a comprehensive compliance tool that enables us to:
Analyse your current control environment;

[Diagram: Our IT Governance model. Frameworks and regulations: Sarbox, SYSC (FSA), Basel II, DPA, UK Acts (Computer Misuse etc.), COBIT, BS7799/2, ITIL. Steps and outputs: Select the frameworks and regs to be included; Control Requirements (output: control requirements); Current Controls; Gaps in Control Framework (output: gap analysis of current control coverage); Chosen Control Set (output: chosen control set); Mapping to frameworks/regulations (output: mapping of chosen control set to frameworks and regulations)]

22 Close
Questions
Discussion

23 Contact Us
pmcginty@deloitte.co.uk
304 5112

