IT Audit for Non-IT Audit. National Electronics and Computer Technology Center. Chayakorn Piyabunditkul – CSPM, 15504 Assessor. Information Technology for Non-IT Audit. Tuesday, November.


National Electronics and Computer Technology Center

Chayakorn Piyabunditkul – CSPM, 15504 Assessor

[email protected]

Information Technology for Non-IT Audit

Enterprise Risk Management

The Process Audit

The Process Audit is… “A new framework, as comprehensive as it is easy to apply, is helping companies plan and execute process-based transformations.”

Michael Hammer, Harvard Business Review, April 2007.

The Process and Enterprise Maturity Model

There are 5 process enablers…

1. Design: The comprehensiveness of the specification of how the process is to be executed.

2. Performers: The people who execute the process, particularly in terms of their skills and knowledge.

3. Owner: A senior executive who has responsibility for the process and its results.

4. Infrastructure: Information and management systems that support the process.

5. Metrics: The measures the company uses to track the process’s performance.

Michael Hammer, Harvard Business Review, April 2007.

The Process and Enterprise Maturity Model

And 4 enterprise capabilities…

1. Leadership: Senior executives who support the creation of processes.

2. Culture: The values of customer focus, teamwork, personal accountability, and a willingness to change.

3. Expertise: Skills in, and methodology for, process redesign.

4. Governance: Mechanisms for managing complex projects and change initiatives.

Companies can use their evaluations of the enablers and capabilities, in tandem, to plan and assess the progress of process-based transformations.

Michael Hammer, Harvard Business Review, April 2007.

Certified Information System Auditor

Chapter 1: The IS Audit Process

Chapter 2: IT Governance

Chapter 3: Systems and Infrastructure Life Cycle Management

Chapter 4: IT Service Delivery and Support

Chapter 5: Protection of Information Assets

Chapter 6: Business Continuity and Disaster Recovery


Certified Information System Auditor

Chapter 3: Systems and Infrastructure Life Cycle Management

ISACA, CISA Review Manual, 2008.

Group 1: Project Management

Group 2: Business Application Development (SDLC)

Group 3: Process Improvement Practice (ISO 15504/ISO 9126/CMMI)

Group 4: Auditing Control (V-model Testing)

Group 5: Business Application Systems

Certified Information System Auditor

Chapter 4: IT Service Delivery and Support

ISACA, CISA Review Manual, 2008.

Group 1: Information System Operations

Group 2: Information System Hardware

Group 3: Information System Architecture and Software

Group 4: Information System Network Infrastructure

Group 5: Auditing Infrastructure and Operations

1. Overview

2. Software Development Life Cycle (SDLC)

3. Capability Maturity Model Integration (CMMI)

4. Information System with Hardware, Software and Network Infrastructure

Course Index

1. Overview

IT framework

IT Audit framework

IT audit is “The process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allows organizational goals to be achieved effectively and uses resources efficiently”1.

ASOSAI-Weber, R., Information Systems Control and Audit, 1999

Need for IT Audit

Confidentiality: “concerns the protection of sensitive information from unauthorized disclosure”2

Integrity: “the accuracy and completeness of information as well as to its validity in accordance with business values and expectations”2

Availability: “availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities”2

Reliability: “the degree of consistency of a system or the ability of a system to perform its required function under stated conditions”2

Compliance with legal and regulatory requirements

ISACA

With ensure IT and the controls supporting technology

IT Audit Objectives

IT audit objective is “To evaluate an auditee’s computerized information system (CIS) in order to ascertain whether the CIS produces timely, accurate, complete and reliable information outputs”3.

The National Audit Department of Malaysia, ICT Audit Guideline 2001

IT Audit Organization

IT Standard Comparison


1. IT Controls Frameworks: COSO

Internal Control – Integrated Framework of COSO, September 1992, by The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Official name: National Commission on Fraudulent Financial Reporting.

5 interrelated components:

1. Risk assessment

2. Control environment

3. Control activities

4. Information and communication

5. Monitoring

“COSO Internal Controls Framework”

IT Controls Frameworks: COSO

Operations/Finance/Information risks

5

1. Condition

2. Criteria

3. Effect

4. Cause

5. Recommendation

IT Controls Frameworks: COSO

COSO II Enterprise Risk Management Framework

Risk Appetite Map

2. IT Controls Frameworks: COBIT

The COBIT Framework includes policies, structures, practices and organizational procedures to ensure adequate IT governance, with a set of IT processes grouped into four domains: planning & organization, procurement & implementation, delivery (service) and monitoring.

COBIT, the standard for Control Objectives for Information and related Technology, published in 1998 (3rd Edition) by the IT Governance Institute of ISACA, identifies 5 types of IT resources (people, application systems, technology, facilities, and data) with 34 high-level control objectives, grouped into 4 domains.

4 domains identified for high-level classification:

1. Planning and Organizing

2. Acquisition and Implementation

3. Delivery and Support

4. Monitoring

With COBIT’s 318 recommended detailed control objectives

“CobiT to Perform IT Audits”

COBIT: IT Governance focus area

Robert R. Moeller, IT Audit, Control and Security, John Wiley & Son, Inc.

COBIT: Cube

Robert R. Moeller, IT Audit, Control and Security, John Wiley & Son, Inc.

COBIT Principle

COBIT: Goal with Enterprise Architecture

Robert R. Moeller, IT Audit, Control and Security, John Wiley & Son, Inc.

3. IT Infrastructure Library (ITIL)

The IT Infrastructure Library (ITIL) has become the de facto world standard in IT Service Management. It defines five stages in the life cycle of a service: Strategy, Design, Transition, Operation and Continual Service Improvement. Its management processes include Change, Configuration, Incident Management, Problem Management, Service Level Management, etc.

IT Infrastructure Library (ITIL) Service Management


INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING

2554

(Attribute Standards) #1

1000 – 1100 – 1200 – 1300 –

2000 – 2100 – 2200 – 2300 – 2400 – 2500 – 2600 –

(Attribute Standards) #2

(Attribute Standards) #3

Internal Control Classifications

1. Preventive:
- Detect problems before they arise.
- Monitor both operation and inputs.
- Attempt to predict potential problems.
- Prevent an error from occurring.

2. Detective:
- Use controls that detect and report the occurrence of an error.

3. Corrective:
- Minimize the impact of a threat.
- Remedy problems discovered by detective controls.
- Identify the cause of a problem.
- Correct errors arising from a problem.
- Modify the processing systems to minimize future occurrences of the problem.

IA Audit in Organization Chart

An Integrated Audit

Operational Audit

IS Audit

Financial Audit

IA Relate to ISO Standards

ISO 9001: Quality Management Systems

ISO IT Security Standards: ISO 27001 and 27002

ISO 20000: Service Quality Management

ISO 19011: Quality Management Systems Audit

1. Ethical Conduct

2. Fair Presentation

3. Exercise due professional care

4. Independence

5. Evidence-based approaches

Computer-Assisted Audit Tools and Techniques

Robert R. Moeller, IT Audit, Control and Security, John Wiley & Son, Inc.

2. Software Development Life Cycle (SDLC)

Project Management Triangle

Cost and Resources

Time (Duration)

Deliverables

Project

SDLC

Adherence to Standards by Life Cycle

SDLC vs Management & Control

SDLC Content

1. System Development

2. System Development Life Cycle

3. Requirement

4. External and Internal Design

5. Programming

6. Testing

7. Operating and Maintenance

8. SDLC Model

8.1 Waterfall Model

8.2 Prototyping Model

8.3 Spiral Model

8.4 RAD Model

8.5 Package Model

8.6 Agile SDLC

9. Summary of System Development Methodology

10. Software Engineering Standard

Ref: Jirapun Daengdej (Ph.D.,Asst.Prof.)

1. System Development

• System is…? Software + Hardware

• Functions meeting the business requirements are called…? Software

• The environment on which software is executed is called…? Hardware

• System Development is…? Developing SW programs for a system

2. System Development Life Cycle

• SDLC is…?

• With…? And providing with operational environment such as servers, networks and terminals


Summary of System Development Methodology #1


Summary of System Development Methodology #2

3. Requirements Definition

1. Objective

2. Size

3. Design conditions

4. System Configuration

5. List of the products to purchase

6. Policy for the migration

7. Operation and maintenance policy

8. Operation plan

9. Development schedule

10. Organization chart

11. Development environment

12. Development costs (Cost-to-Effect Ratio)

4. External and Internal Design

Work scope of External Design

1. Decomposition into subsystems

2. Screen/Report Layout Design

3. Logic design of database

4. System configuration (hardware, software, network)

5. Migration plan

Work scope of Internal Design

1. Decomposition into modules

2. Module structure design

3. Module specification

4. Test plan

Decomposition into modules

5. Work scope of Programming

1. Programming

2. Module test

6. Testing (V-Model)

The Verification and Validation

IT Control #1

ASOSAI

IT Control #2

ASOSAI

Work scope of the Test stage

1. Module Test

2. Integration Test

3. System Test (+ *Quality Evaluation)

4. Operational Test (User Acceptance Test)

7. Work scope of the migration and the operation and maintenance stage

Migration Plan

8. SDLC Model

8.1 Waterfall Model

Main Person in Each stage


Review in the Waterfall Model

Advantages and Disadvantages of Waterfall Model

8.2 Prototyping Model

Stages in Prototyping Model

Advantages and Disadvantages of Prototyping Model

8.3 Spiral Model

Variations in Spiral Model

Advantages and Disadvantages of Spiral Model

8.4 RAD: Rapid Application Development - Model stages

Advantages and Disadvantages of RAD Model

8.5 Package Model

Customization of the package SW

Add-on development

When the target package software is not equipped with the necessary functions, developers have to develop additional functions. Such customization is called “add-on” development.

Parameter setting

Many software packages can be adjusted to the business of each company by setting parameters (e.g. setting the number of digits in goods codes/customer codes, depreciation methods).

Package Model Stages

Advantages and Disadvantages of Package Model

8.6 Agile SDLC

1. Agile aims to reduce risk by breaking projects into small, time-limited modules or timeboxes (“iterations”).

2. Each iteration is approached like a small, self-contained mini-project, each lasting only a few weeks. Each iteration has its own self-contained stages of analysis, design, production, testing and documentation.

3. In theory, a new software release could be done at the end of each iteration, but in practice the progress made in one iteration may not be worth a release, and it will be carried over and incorporated into the next iteration.

4. The project’s priorities, direction and progress are re-evaluated at the end of each iteration.

Agile SDLC property

• Speed up or bypass one or more life cycle phases

• Usually less formal and reduced scope

• Used for time-critical applications

• Used in organizations that employ disciplined methods

Agile Methods

• Adaptive Software Development (ASD)

• Feature Driven Development (FDD)

• Crystal Clear

• Dynamic Software Development Method (DSDM)

• Rapid Application Development (RAD)

• Scrum

• Extreme Programming (XP)

• Rational Unified Process (RUP)

Agile SDLC: The Scope of Life Cycles


9. Summary of System Development Methodology

SDLC: Life Cycles Process

10. SW Eng Standard

The relationship of ISO/IEC 12207 to ISO/IEC 90003 and ISO/IEC 15504.

3. Capability Maturity Model Integration (CMMI)

Capability Maturity Model Integration (CMMI)

The Capability Maturity Model Integration (CMMI) for Systems Engineering is devoted to assessing the current situation and implementing practices to gain maturity in Systems Engineering activities.

CMMI is a framework from Carnegie Mellon University, Pittsburgh, USA, sponsored by the US Department of Defense (DoD).

2 categories of CMMI (covering 22 key process areas):

1. Maturity level (ML): 5 maturity levels; Initial, Managed, Defined, Quantitatively Managed, Optimizing

2. Capability level (CL): 4 groups of process areas (Project Management, Engineering, Support, Process Management) with 6 capability levels; Incomplete, Performed, Managed, Defined, Quantitatively Managed, Optimizing

Capability Maturity Model Integration (CMMI)


Example: Implementation International Standard Cost

4. Information System with Hardware, Software and

Network Infrastructure

Information System

Hardware: Speakers, Modem, Microphone, RAM, CPU, Keyboard, Mouse, CD-ROM Drive, Diskette drive, Hard drive, Printer, Ports, Monitor, Expansion board, Zip drive

Hardware

Network System #1

Network System #2

Network System #3

Network System #4

Database System

Software

Mobile Software

Case Study Scenario

CISA Review Manual, 2008.
