IT Governance - Ealing Council ©2005 Deloitte & Touche Public Sector Internal Audit Limited. Private and Confidential

IT Governance

A process by which an organisation's leaders ensure that IT is aligned with the business and delivers value, that its performance is measured, its resources are properly allocated and its risks are mitigated.


Technology

• Opportunities

• Growth

• Development


Information Technology

• Integral part of all processes

• Accomplish mission and objectives

• Facilitates local and global communications


Technology Threats

• Service Disruption

• Deception

• Theft

• Fraud

• Trusted Users


What Questions Should You Be Asking

• What are IT controls?

• What should be protected?

• Where are IT controls applied?

• Who is responsible?

• When do we assess IT controls?

• How much control is enough?


IT Controls

Significant Components

• Automation of business controls

• Control of IT

• Support business management and governance


IT Controls

• Corporate policies

• Coded instructions

• Physical access

• Audit trails – the ability to trace actions and transactions to responsible individuals

• Automatic edits (data input)

• Data integrity…


Controls Classifications

• General controls (also known as infrastructure controls) – apply to all system components, and also include information security policy, administration, access and authentication

• Application controls – data input, separation of duties, e.g. transaction initiation versus authorisation

• Preventive controls – prevent errors, omissions or security incidents from occurring, e.g. data entry validation, access control

• Detective controls – detect errors or incidents once they have occurred, e.g. identifying inactive accounts and flagging them for monitoring of suspicious activity

• Corrective controls – correct errors, omissions or incidents once they have been detected, e.g. correction of a data entry error, identifying and removing unauthorised users or software from systems or networks


Governance Controls

• Primary accountability for internal controls resides with the corporate board

• Ensure that effective information management and security principles, policies, and processes are in place and there is sufficient performance and compliance to demonstrate this

• Controls mandated by the corporate leadership team (CLT), linked with the concept of corporate governance, which are driven by the organisation's goals and strategies and by external regulators

• Performance and Audit Panel’s responsibility is oversight rather than actually performing controls activities, e.g. you don’t do the auditing but oversee both internal and external auditing at Ealing


Management Controls

• Responsibility for reaching into the organisation, with special attention to critical assets, sensitive information and operational functions

• Requires close collaboration with the audit committee to ensure that the IT controls needed to achieve established objectives are applied, are reliable and provide continuous processing

• Management must recognise risks to the organisation, its assets and its processes

• Implement mechanisms to mitigate these risks (protect, monitor and measure results)


Technical Controls

Form the foundation that ensures the reliability of virtually every other control in the organisation, e.g.

• Protection against unauthorised access and intrusion

• Reliance on integrity of information

• Evidence of all changes and their authenticity


What to Expect GTAG IIA


Information Security

Integral part of all IT controls, with the exception of financial aspects of IT such as Return on Investment, budgetary controls and some Project Management Controls

BS/ISO-1779

ITIL


Information Security

Three key elements of information security

• Confidentiality – information is only divulged as appropriate

• Integrity – data is correct and complete

• Availability – information must be available to the organisation, customers and partners when, where and in the manner needed; this also includes the ability to recover from loss, disruption or corruption of data and IT services


Role of Performance and Audit Panel

• What do we mean by IT controls?

• Why do we need IT controls?

• Who is responsible for IT controls?

• When is it appropriate to apply IT controls?

• Where exactly are IT controls applied?

• How do we perform IT controls assessments?


The Structure of IT Auditing GTAG IIA


IT Audit at Ealing

• Essential part of the corporate governance process

• Internal audit has specialist, qualified IT auditors performing audits

• IT auditing is included in the audit universe and annual plan

• Sharing the plan with external audit as in the Response program

• Agresso implementation

• Post Implementation Reviews

• General IT controls – anti-virus, IT security, Network Infrastructure, Operating Systems

• Specialist data integrity (CAATS)

• Data Protection & Freedom of Information

• Applications………


The Audit Process

• Formal structure for addressing IT controls

• Sound technical understanding

• Provide results of risk and control assessments

• Interact with those responsible for controls

• Pursue continuous learning through CPD and reassessment of new technologies – new opportunities, risks, dependencies, strategies and requirements


IT Control Assurance

IT controls assurance addresses the ability of controls to protect the organisation against the most important threats and provides evidence that remaining risks are unlikely to harm the organisation and its stakeholders significantly. (GTAG, IIA)


Important Roles and Responsibilities

• Corporate level – Performance and Audit Panel, Audit Board

• Management – Chief Executive, Head of IT, IT Security Officer

• Audit – Internal, External


Control Framework

Adoption of a formal control framework is beneficial

• COSO (The Committee of Sponsoring Organisations of the Treadway Commission) – Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment

• COBIT – accepted standard for good Information Technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners (ISACA, 2005)


Corporate Level

• Oversee risk management and compliance programs concerning information security

• Approve and adopt information security principles and assign key managers responsible for information security

• Protect the interest of all stakeholders who depend on information security

• Review information security policies regarding strategic partners and other third parties

• Ensure business continuity

• Review provisions of internal and external audits of IT

• Collaborate with management to specify what information security reviews should be reported to the Corporate Board


Management

• Establish information security management policies

• Assign information security roles, responsibilities, and required skills, and maintain separation of duties

• Training in security matters

• Assess IT risks and manage these risks

• Information security requirements for strategic partners and other third parties

• Identify and classify information assets

• Implement and test business continuity

• Approve IT acquisitions, development, operations and maintenance

• Protect the physical environment

• Collaborate with security personnel to specify what needs to be reported to management


Internal/External Audit

As covered in the previous slide (IT Audit at Ealing), but also…

• Advise corporate and management level on IT internal control issues

• Ensure IT is included in the internal audit plan

• IT risks are considered when assigning resources and prioritising audit activities

• Specialist training

• IT issues for key systems are considered

• Performing IT risk assessments

• Performing IT audits…


Some Useful Websites

www.itgi.org – IT Governance Institute

www.coso.org – The Committee of Sponsoring Organisations of the Treadway Commission

www.isaca.org – Information Systems Audit and Control Association

www.theiia.org – Institute of Internal Auditors

www.sans.org – Security Policy Resource Page


Shahab Hussein CISA

Senior Manager – Computer Assurance Services

Deloitte & Touche Public Sector Internal Audit

[email protected]

Direct: 01727 886610

Mobile: 07970 884602


Questions

Member of Deloitte Touche Tohmatsu