CAACM’s 7th Annual General Meeting & Conference

David Hall
President, Institute of Internal Auditors, Jamaica
July 29, 2013

Transcript of the PowerPoint presentation
“Demystifying IT Audit Issues and Jargon for More Effective Reporting and Issues Resolution.”
Agenda
1. IT Jargon
2. What is Information Technology Audit
3. Categories of IT Audit
4. Wireless Network
5. Mobile Network
6. System Interface
7. Data Management
8. Segregation of Duties
9. Administrative Access
10. What is IT Governance
11. What should IT Governance Deliver
12. Questions for Executive Management & CEO
13. Questions for the Board
Information Technology (IT) Jargon – What Is It?
APPLE – it is not a fruit
IT IS an American company famous for developing the Macintosh computer and the iPod MP3 player.
APPLICATION – it is not an application form
IT IS a program used to perform a specific task, e.g. a word-processor; Microsoft Office is a suite of such applications.
BACKUP – IT IS NOT A CAR BACKING UP
IT IS a secondary copy of important documents and data kept as insurance against loss due to hardware failure, accidental deletion or malicious damage. A backup is only useful if it is stored separately from the original and has been tested by actually restoring from it.
ADSL – Asymmetric Digital Subscriber Line
Technology that allows rapid transmission of data over an ordinary telephone line. ADSL provides a convenient method of accessing the Internet at broadband speeds without needing a separate cable connection. Unlike dial-up, ADSL allows you to make phone calls whilst online.
BIT – IT IS NOT SOMETHING IN A HORSE’S MOUTH
The smallest element of computer data. A bit is a number equal to 1 or 0. The number is represented in digital electronics by a switch that is either on or off. Larger numbers can be stored as groups of several bits. A group of eight bits is known as a byte.
BLUETOOTH – IT IS NOT A DECAYING TOOTH
IT IS a short-range wireless technology used to transfer data between mobile phones, computers and other devices.
BUG – IT IS NOT A CREEPY INSECT
IT IS a mistake in the design or code of a computer program that prevents it from working correctly. The term is popularly traced to a malfunction in one of the earliest computers that was caused by a moth found inside the machine. A bug that an attacker can trigger on purpose is a security vulnerability.
Debugging – The process of finding and correcting bugs in a computer program.
COOKIE – IT IS NOT A CHOCOLATE CHIP
IT IS a small piece of data that a web site asks your browser to store and send back on later visits. Cookies are typically used to recognise returning visitors, keep users logged in (by holding a session identifier, not the password itself) and customise the site to suit their preferences. Because a cookie that carries a login session is as good as the password to anyone who steals it, it should only ever be sent over encrypted (HTTPS) connections. It is usually safe to delete all the cookies on your computer; you will simply have to log in to sites again.
THE “MAC” IS NOT A HAMBURGER
IT IS A COMPUTER (Apple’s Macintosh)
FIREWALL – IT IS NOT A WALL ON FIRE
IT IS a program or device that, according to a set of rules, limits the network traffic allowed between a computer (or an internal network) and an external network such as the Internet. A computer connected to the Internet without a firewall is more exposed to attackers; a firewall whose rules are never reviewed can give a false sense of security.
A MOUSE – IT IS NOT THAT ANNOYING RODENT
IT IS a device that controls a pointer on the screen and allows objects to be manipulated by clicking or dragging them.
PHISHING
A form of Internet fraud that involves tricking people into revealing confidential information (e.g. credit card details, user names, passwords etc.) by means of a fake e-mail that appears to come from a well-known, legitimate organisation (e.g. a bank), usually linking to a look-alike web site that captures whatever the victim types.
WORM
A self-replicating program that spreads from one computer to another over a network without any action by the user, usually causing damage and compromising security in the process. Worms are purposefully written by vandals to cause as much disruption as possible, or by attackers to compromise the security of many computers at once.
ZIP – Compressed files
A compression format that can be applied to any file or folder; text-based files compress especially well. A file that has been compressed in Zip format must be extracted (i.e. decompressed) before it can be opened. Because the contents are hidden until extraction, zipped e-mail attachments are a common way of delivering malicious programs, and anti-virus scanning should look inside them.
CLOUD COMPUTING
There is a good chance you have already used some form of cloud computing. If you have an e-mail account with a Web-based e-mail service like Hotmail, Yahoo! Mail or Gmail, then you have had some experience with cloud computing. Instead of running an e-mail program on your computer, you log in to a Web e-mail account remotely. The software and storage for your account do not exist on your computer; they are on the service provider’s computers, the “cloud”.
Software as a service (SaaS)
Cloud-based applications, or software as a service (SaaS), run on distant computers “in the cloud” that are owned and operated by others and that connect to users’ computers via the Internet and, usually, a web browser.
Platform as a service (PaaS)
Platform as a service provides a cloud-based environment with everything required to support the complete lifecycle of building and delivering web-based (cloud) applications, without the cost and complexity of buying and managing the underlying hardware, software, provisioning and hosting.
What is an Information Technology Audit?
An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other forms of attestation engagement.
Further Definition: An information technology audit is an examination of the checks and balances, or controls, within an information technology (IT) group.
An IT audit collects and evaluates "evidence" of an organization's information systems, practices, and operations.
The evaluation of this evidence determines if the information systems are safeguarding the information assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's business goals or objectives.
The IT audit aims to evaluate the following:
1. Availability – Will the organization's computer systems be available for the business at all times when required?
2. Security and Confidentiality – Will the information in the systems be disclosed only to authorized users?
3. Integrity – Will the information provided by the system always be accurate, reliable, and timely?
The audit aims to assess the risk to the company's valuable asset (its information) and establish methods of minimizing those risks.
Five (5) Categories of IT Audits
(1) Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
(2) Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
(3) Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
(4) Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
(5) Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that telecommunications controls are in place on the client (the computer receiving services), the server, and the network connecting the clients and servers.
I. Wireless Networks
Wireless networks are proliferating throughout organizations, because they are useful and can support business objectives directly. However, they are also easy to set up (as anyone who has set up a home wireless network can attest) and provide a potential entry point into the corporate network that bypasses the perimeter firewall. Chief audit executives (CAEs) should be concerned both with the security of wireless networks that are authorized by the organization and with rogue wireless networks that users have established without authorization.
I. Wireless Network Risks
Intrusion – Wireless networks may allow unauthorized entry into the corporate network.
Eavesdropping – Wireless networks may allow unauthorized personnel to access confidential information that is transmitted across wireless networks.
Hijacking – An unauthorized user may hijack the session of an authorized user connected to a wireless network and use that session to access the corporate network.
Radio Frequency (RF) Management – The wireless network may send transmissions into unwanted areas, which may have other impacts.
For example, hospitals may have equipment that reacts poorly to radio wave transmissions and therefore should not be exposed to wireless networks.
I. Recommendations for Wireless Networks
Perform a thorough wireless network audit that includes the following two components:
1. The IT function should assess the existence and location of all approved and non-approved networks across all locations. This entails an IT auditor physically walking through business unit locations with an antenna (a wireless scanner), trying to detect the presence of wireless devices, and reconciling what is found against the approved list.
2. At a minimum, the IT auditor should obtain and review a listing of all wireless networks approved by the organization. Corporate policies and procedures should be established for wireless networks and should provide guidelines for securing and controlling these networks, including the use of data encryption and authentication to the wireless network. The IT auditor should review the configuration of the known wireless networks to ensure compliance with these policies and procedures.
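The reconciliation behind those two components, as an added example that is not part of the presentation: a survey of what the antenna actually picked up is compared against the approved listing and the policy baseline. The inventory, the survey results, the BSSIDs and the permitted security types are all constructed for illustration; a real audit would feed in the scanner's export and the IT function's register.

```python
"""Wireless audit: reconcile a site survey against the approved inventory.

Added example; not from the presentation. Inventory, survey results and the
security baseline are all constructed/hypothetical.
"""
from dataclasses import dataclass

# Hypothetical policy baseline: encryption/authentication types the wireless
# policy permits. Anything else (OPEN, WEP, WPA-TKIP ...) is a policy breach.
ALLOWED_SECURITY = {"WPA2-Enterprise", "WPA2-PSK", "WPA3-Enterprise", "WPA3-PSK"}

# Hypothetical listing of approved networks, keyed by BSSID (access point
# radio MAC). This is the list the auditor obtains from the IT function.
APPROVED_INVENTORY = {
    "00:11:22:33:44:01": {"ssid": "CORP", "location": "HQ-Floor1"},
    "00:11:22:33:44:02": {"ssid": "CORP", "location": "HQ-Floor2"},
    "00:11:22:33:44:03": {"ssid": "GUEST", "location": "HQ-Lobby"},
    "00:11:22:33:44:04": {"ssid": "CORP", "location": "Branch-A"},
}


@dataclass(frozen=True)
class Observed:
    """One access point as seen during the walk-through with a scanner."""
    ssid: str
    bssid: str
    security: str   # as reported by the scanner, e.g. "OPEN", "WEP", "WPA2-PSK"
    location: str   # where the auditor's antenna picked it up


# Constructed survey results from the physical walk-through.
SURVEY = [
    Observed("CORP", "00:11:22:33:44:01", "WPA2-Enterprise", "HQ-Floor1"),
    Observed("CORP", "00:11:22:33:44:02", "WPA2-Enterprise", "HQ-Floor2"),
    Observed("GUEST", "00:11:22:33:44:03", "OPEN", "HQ-Lobby"),
    # Same SSID as the corporate network but an unknown radio: possible
    # evil twin set up to harvest credentials, or an unregistered AP.
    Observed("CORP", "AA:BB:CC:DD:EE:FF", "WPA2-PSK", "HQ-Floor2"),
    # Consumer AP plugged into a warehouse network jack by a user.
    Observed("Linksys", "DE:AD:BE:EF:00:01", "WEP", "Warehouse"),
]


def audit_wireless(survey, inventory, allowed_security):
    """Return (finding_type, bssid, ssid, detail) tuples.

    Finding types:
      rogue-evil-twin     unknown radio broadcasting an approved SSID
      rogue-unapproved    unknown radio broadcasting an unknown SSID
      ssid-mismatch       approved radio broadcasting a different SSID
      weak-security       approved radio not using a permitted security type
      approved-not-seen   inventory entry the survey never found (stale
                          inventory, or an AP that has been moved/removed)
    """
    inventory = {k.lower(): v for k, v in inventory.items()}
    approved_ssids = {v["ssid"] for v in inventory.values()}
    findings = []
    seen = set()
    for ap in survey:
        bssid = ap.bssid.lower()
        seen.add(bssid)
        entry = inventory.get(bssid)
        if entry is None:
            kind = "rogue-evil-twin" if ap.ssid in approved_ssids else "rogue-unapproved"
            findings.append((kind, bssid, ap.ssid, ap.location))
            continue
        if entry["ssid"] != ap.ssid:
            findings.append(("ssid-mismatch", bssid, ap.ssid, entry["ssid"]))
        if ap.security not in allowed_security:
            findings.append(("weak-security", bssid, ap.ssid, ap.security))
    for bssid, entry in inventory.items():
        if bssid not in seen:
            findings.append(("approved-not-seen", bssid, entry["ssid"], entry["location"]))
    return findings


if __name__ == "__main__":
    for finding in audit_wireless(SURVEY, APPROVED_INVENTORY, ALLOWED_SECURITY):
        print("%-18s %s  %-8s %s" % finding)
```

The open GUEST network is reported as a policy breach even though guest networks are often deliberately open; the point is that the exception should be documented, not silently accepted. Matching on BSSID rather than SSID is what exposes the evil twin, since an attacker can copy the name but not the registered radio address.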
II. Mobile Devices
Most organizations have recognized the value of wireless devices such as BlackBerrys, Personal Digital Assistants (PDAs) or smart phones. However, not all organizations have grasped the risk of using these devices: each one carries corporate data and, often, corporate credentials outside the building.
II. Mobile Device Risks
If the device is not configured in a secure fashion (device password, storage encryption, remote wipe), the confidentiality of the data it holds may be compromised if the device is lost or stolen. The transmission of data to the device itself may not be secure, potentially compromising the confidentiality or integrity of that data.
Furthermore, these devices may allow remote access into corporate networks. Consider, for example, a beverage distribution company that equips route drivers with wireless devices that are used to book inventory transactions as they deliver product to each customer: every one of those devices is a remote entry point into the inventory system, and a lost device is an entry point in someone else’s hands.
II. Recommendations for Mobile Devices
The IT auditor should review mobile device management
At a minimum, consideration should be given to:
Provisioning – The process for a user to procure a device.
Standardization – Are devices standardized?
Security Configuration – What policies and procedures have been established for defining security baselines for devices?
Data Transmission – How is data transmission controlled?
Access Into Corporate Networks – Do devices provide access into the corporate network? If so, how is that controlled?
Lost or Stolen Devices – How would the company identify lost or stolen devices and terminate service to them?
Interface Software – If these devices initiate business transactions, how is that information interfaced into the corporate applications?
III. Interfaces
Complex IT environments often require complex interfaces to integrate their critical business applications. These interfaces may be enabled with middleware technology, which acts as a central point of communication and coordination for interfaces. Interfaces are also difficult to classify: they are similar in function to an infrastructure, or supporting technology, yet they are software applications that may actually process transactions.
III. Interface Risks
Interfaces, and middleware in particular, are a critical link in the end-to-end processing of transactions. At a minimum, they move data from one system to another. Interfaces may also pose a single point of failure to the organization. Consider Company XYZ, which is running an ERP system for financial consolidation. The distributed business units all maintain interfaces from a variety of disparate systems up to the central corporate system.
There are approximately 200 of these interfaces, all running through a single middleware server and application. If that middleware server suddenly stops functioning, the impact on the operations of the company would be substantial.
III. Recommendations for Interfaces
The CAE should ensure the IT risk assessment and audit universe considers interfaces and middleware. Specific items that should be considered are:
Use of Software to Manage Interfaces – Does the software transform data or merely move it from place to place?
Interface IDs – The interface software will probably need access into the systems to/from which it is moving data. How is this access managed? Are generic IDs used? What access are these IDs granted, and who has access to use these IDs?
Interface Directories – Are all data moved through a single interface directory? Who has access to that directory? How is it secured and controlled? If, for example, an accounts clerk can write to the directory, does it also contain data used in wire transfers or outbound electronic payments? How is the clerk restricted from those data sets?
Interface Types – What types of interfaces are used? Are they real-time or batch-oriented? What transactions do they support? Do they initiate the processing of other transactions (e.g. interfaced sales orders initiating the shipment of goods)?
IV. Data Management
Organizations are automating more and more business processes and functions. At the same time, the cost of data storage is becoming cheaper and cheaper.
These issues have led to the proliferation of large corporate data storage solutions.
As organizations begin to manage these large repositories of data, many issues emerge.
IV. Data Management Risks
Failure to manage data repositories, or storage area networks, may result in the loss of availability of critical business data. Organizations must ensure that the integrity of these storage solutions is maintained adequately. New management and maintenance technologies must be deployed, and new management processes must be defined. Moreover, the growth in data storage also coincides with the promulgation of many new laws, statutes, and regulations regarding the management of data.
IV. Recommendations for Data Management
Perform a thorough data management review. At a minimum, consideration should be given to:
Data Classification – Has the organization gone through a data classification exercise? What types of data categories have been established, and what were the criteria for organizing data into those categories?
Data Ownership – Has the organization formally assigned ownership of data to specific data owners? Have the responsibilities of these data owners been documented?
Data Retention – Has a data retention strategy been developed?
V. Privacy
Data privacy and consumer rights are highly visible topics today. A large number of data privacy laws with which large companies must comply have been promulgated. For example, a large organization that does business in Europe and North America is subject to the EU Data Protection Directive, Canada’s Personal Information Protection and Electronic Documents Act of 2000, and any number of U.S. state-level regulations. If an organization wants to put up a Web site that provides games or media that children might access, it needs to be aware of child-protection data privacy laws as well.
V. Privacy Risks
Failure to comply with certain privacy laws could result in fines and/or criminal prosecution. In addition, there could be a significant impact to brand equity.
V. Recommendations for Privacy
Perform a privacy audit. At a minimum, the organization should consider:
What Privacy Laws Apply to the Organization – Has the organization identified all various laws, regulations, and statutes with which it must comply?
Responsibility for Privacy – Has a chief privacy officer role been created?
VI. Segregation of Duties
As organizations integrate their environments into larger, more complex applications, segregation of duties is less a function of job role and more a function of what transactions the user can perform in the system.
Consequently, appropriate segregation of duties is largely dependent on application level security.
Application level security is becoming increasingly complex and requires a greater level of expertise to administer.
VI. Segregation of Duty Risks
Inadequate segregation of duties could expose the organization to theft, fraud, or unauthorized use of information resources.
VI. Recommendations for Segregation of Duties
Perform a segregation of duties audit, which should include:
Understanding How Segregation of Duties is Being Managed and Controlled – What processes, people, and tools are used to support the management of segregation of duties?
Defining Conflicts – Has the organization developed a comprehensive listing of all job functions that are deemed to be incompatible?
Determining Specific Deficiencies – Has the organization used the list of conflicts to identify either specific security roles, or specific individuals who have been granted access that presents a violation of segregation of duties?
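The last two steps, defining conflicts and then using that list to find offending roles and individuals, are mechanical once the data is in hand. Below is an added example (not from the presentation) of that check: a conflict list is applied first to each security role on its own, then to the union of everything each user holds. The conflict pairs, role definitions and user assignments are constructed for a purchase-to-pay cycle; in practice they come from the application's security tables.

```python
"""Segregation-of-duties check: conflict matrix against assigned access.

Added example; not from the presentation. The conflict list, roles and user
assignments are constructed to illustrate a purchase-to-pay cycle.
"""

# Pairs of functions that one person must not hold together: each pair lets
# a single individual both commit and conceal an irregularity.
CONFLICTS = {
    frozenset({"create_vendor", "approve_invoice"}),
    frozenset({"create_vendor", "release_payment"}),
    frozenset({"enter_journal", "approve_journal"}),
    frozenset({"maintain_user_access", "approve_invoice"}),
}

# Application security roles and the transactions each one grants.
ROLES = {
    "AP_CLERK": {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_invoice", "release_payment"},
    "GL_ACCOUNTANT": {"enter_journal"},
    "GL_SUPERVISOR": {"approve_journal"},
    # A catch-all role: conflicting by design, whoever holds it.
    "SUPER_USER": {"create_vendor", "approve_invoice", "release_payment",
                   "maintain_user_access"},
}

# User -> roles. carol kept AP_CLERK after moving to a manager post.
USERS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_MANAGER"},
    "carol": {"AP_CLERK", "AP_MANAGER"},
    "dave": {"GL_ACCOUNTANT", "GL_SUPERVISOR"},
    "erin": {"SUPER_USER"},
}


def violations_in(functions, conflicts=CONFLICTS):
    """Conflict pairs fully contained in a set of functions, as sorted tuples."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= set(functions))


def conflicting_roles(roles=ROLES, conflicts=CONFLICTS):
    """Roles that grant both sides of a conflict on their own.

    These are design defects in the security model: no user should be
    assigned them, and they should be split.
    """
    result = {}
    for role, functions in roles.items():
        found = violations_in(functions, conflicts)
        if found:
            result[role] = found
    return result


def effective_functions(user, users=USERS, roles=ROLES):
    """Union of the transactions a user can perform across all assigned roles."""
    functions = set()
    for role in users.get(user, ()):
        functions |= roles[role]
    return functions


def conflicting_users(users=USERS, roles=ROLES, conflicts=CONFLICTS):
    """Users whose combined roles give them both sides of a conflict.

    Checking role by role is not enough: carol's two roles are individually
    clean but together violate two conflict rules.
    """
    result = {}
    for user in users:
        found = violations_in(effective_functions(user, users, roles), conflicts)
        if found:
            result[user] = found
    return result


if __name__ == "__main__":
    print("Roles conflicting by design:", conflicting_roles())
    for user, found in conflicting_users().items():
        print(f"{user}: {found}")
```

The two passes answer the two questions the audit asks: `conflicting_roles` finds roles that must be redesigned, and `conflicting_users` finds individuals (typically transferees who accumulated access) whose assignments must be trimmed or covered by a compensating control such as an independent review of their transactions.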
VII. Administrative Access
Systems administration personnel are generally granted high levels of access to IT resources. This is often explained away on the grounds that they are administrators and need this access to perform their job.
Recommendations for Administrative Access
In every environment, administrative access is required to operate the systems. However, the IT audit function should help ensure that systems administrators only have access to the data and functions required to perform their job responsibilities, and that their use of that access is recorded and reviewed.
The IT auditor should also consider:
Splitting the access needed to perform a sensitive function so that two people are needed to perform it (dual control).
Reviewing generic IDs that are shared by more than one user; a shared ID defeats accountability because the audit trail cannot say which person acted.
Limiting access to administrative functions to a small number of named persons.
Periodic independent reviews of audit trails, which should be protected from modification by the administrators they record.
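What an independent review of the audit trail can pick up, as an added example that is not from the presentation: the same checks serve the earlier question about generic interface IDs (who actually uses them, and from where) and the points above about shared IDs, splitting functions and protecting the trail. The log format, host and account names, the list of privileged actions and the admin allowlist are all constructed; real systems each have their own log layout, so only the parser would change.

```python
"""Audit-trail review for administrative and generic IDs.

Added example; not from the presentation. The log format, the account names,
the privileged-action list and the admin allowlist are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that only named administrators may perform, with dual control or
# a ticket behind them. Constructed for the example.
PRIVILEGED = {"CHANGE_ROLE", "RESET_PASSWORD", "CREATE_USER", "DELETE_AUDIT_LOG"}

# The small, named set of people approved for administrative functions.
ADMIN_ALLOWLIST = {"sysadmin", "asmith"}

# Two sessions from different sources this close together are taken as a
# sign that the ID is shared (a generic ID): one person rarely moves that fast.
SHARE_WINDOW = timedelta(minutes=15)

# Constructed application audit trail (key=value fields after an ISO timestamp).
SAMPLE_LOG = """\
2013-07-29T08:01:12 host=erp01 user=sysadmin src=10.1.5.20 action=LOGIN
2013-07-29T08:03:40 host=erp01 user=sysadmin src=10.1.5.20 action=CHANGE_ROLE target=bob
2013-07-29T08:05:02 host=erp01 user=sysadmin src=10.1.9.77 action=LOGIN
2013-07-29T08:07:15 host=erp01 user=sysadmin src=10.1.9.77 action=RESET_PASSWORD target=cfo
2013-07-29T09:15:00 host=erp01 user=jdoe src=10.1.5.31 action=LOGIN
2013-07-29T09:16:30 host=erp01 user=jdoe src=10.1.5.31 action=CHANGE_ROLE target=jdoe
2013-07-29T23:40:10 host=erp01 user=asmith src=10.1.5.40 action=LOGIN
2013-07-29T23:41:00 host=erp01 user=asmith src=10.1.5.40 action=DELETE_AUDIT_LOG
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    stamp, rest = line.split(" ", 1)
    event = dict(FIELD.findall(rest))
    event["ts"] = datetime.fromisoformat(stamp)
    return event


def review_audit_trail(lines, admins=ADMIN_ALLOWLIST, privileged=PRIVILEGED,
                       share_window=SHARE_WINDOW):
    """Return (finding, user, detail) tuples for the independent reviewer."""
    events = [parse_event(ln) for ln in lines if ln.strip()]
    findings = []

    # 1. Shared / generic IDs: one account active from two sources in a window.
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for earlier, later in zip(evs, evs[1:]):
            if earlier["src"] != later["src"] and later["ts"] - earlier["ts"] <= share_window:
                findings.append(("shared-id", user, f'{earlier["src"]} then {later["src"]}'))
                break   # one finding per account is enough for the report

    # 2. Privileged actions: by whom, and on whom.
    for event in events:
        action = event.get("action")
        if action not in privileged:
            continue
        if event["user"] not in admins:
            findings.append(("privileged-action-by-non-admin", event["user"], action))
        if event.get("target") == event["user"]:
            # Granting yourself access is exactly what splitting the
            # function between two people is meant to prevent.
            findings.append(("self-granted-privilege", event["user"], action))
        if action == "DELETE_AUDIT_LOG":
            # Administrators must never be able to erase their own trail.
            findings.append(("audit-trail-tampering", event["user"], event["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The last finding is the one that makes the independence requirement concrete: if the reviewer's only copy of the trail lives on the system the administrator controls, the `DELETE_AUDIT_LOG` entry would never be seen. The trail should be forwarded to a store the administrators cannot write to before it is reviewed.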
WHAT IS IT GOVERNANCE?
IT governance has been defined by the Information Systems Audit and Control Association (ISACA) as:
…the responsibility of executives and the board of directors. It consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
The term ‘governance’ is derived from the Latin word gubernare, which means to direct or to steer.
ISACA – Information Systems Audit and Control Association
WWW.ISACA.ORG
COBIT FRAMEWORK (COBIT 4.1)
- 4 Domains
- 34 processes
(COBIT 5, released in 2012, restructures this into 5 domains and 37 processes.)
WHAT IS IT GOVERNANCE?
(i) Primarily determines how IT decisions are made,
(ii) Who makes the decisions,
(iii) Who is held accountable, and
(iv) How the results of decisions are measured and monitored.
What Should IT Governance Deliver?
IT governance can thus be pictured as focusing primarily on the following five areas:
• Strategic alignment – Alignment of IT strategy and business strategy.
• Value delivery – Creating new value for the enterprise through IT, maintaining and increasing value derived from existing IT investments, and eliminating IT initiatives and assets that are not creating sufficient value for the enterprise.
• Risk management – Addressing IT-related risks. IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.
• Resource management – Ensuring that the right capabilities are in place to execute the strategic plan and that sufficient, appropriate and effective resources are provided.
• Performance measurement – Tracking the achievement of the objectives of the enterprise’s IT-related services and solutions and compliance with specific external requirements.
Questions for Executive Management & the CEO
1. Is it clear what IT is doing?
2. How often do IT projects fail to deliver what they promised?
3. Are end users satisfied with the quality of the IT service?
4. Are sufficient IT resources and infrastructure available to meet required enterprise strategic objectives?
5. How well are IT outsourcing agreements being managed?
6. How is the value delivered by IT being measured?
Questions for the Board
1. Does the Board assess the criticality of IT, whether on a project or operational basis?
2. Is the Board aware of IT risk exposures and their containment? Is IT on the Board’s agenda?
3. Does the Board ascertain that management has put processes and practices in place to ensure that IT delivers value to the business?
4. Does the Board work with the executives to define and monitor high-level IT performance?
5. Does the Board ensure that IT investments represent a balance of risk and benefits and that budgets are acceptable?
THANK YOU
David A. Hall
President, Institute of Internal Auditors, Jamaica
Telephone : (876) 997-1040
E-mail : [email protected]