Controls”
Role-versus-role control matrix (figure; the individual cell marks did not survive extraction in a usable form). Roles shown on both axes: Control Group, System Analyst, Application Programmer, Help Desk & Support Mgr., End User, Data Entry, Computer Operator, DB Administrator, Network Administrator, System Administrator, Security Administrator, Tape Librarian, System Programmer, Quality Assurance.
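A matrix like the one above is used operationally by checking each person's combined role assignments against the pairs the matrix marks as incompatible. The following is an added example, not code from the slides: the incompatible pairs are a small constructed set that reuses the slide's role names, and the user assignments and the accepted exception are constructed sample data.

```python
"""Separation-of-duties check against a role-versus-role control matrix.

Added example, not from the slides. The incompatible role pairs below are a
small constructed matrix using the slide's role names; a real engagement
would take the pairs from the organisation's own control matrix.
"""
from itertools import combinations

# Role names as they appear in the matrix.
ROLES = [
    "Control Group", "System Analyst", "Application Programmer",
    "Help Desk & Support Mgr.", "End User", "Data Entry", "Computer Operator",
    "DB Administrator", "Network Administrator", "System Administrator",
    "Security Administrator", "Tape Librarian", "System Programmer",
    "Quality Assurance",
]

# Constructed: each pair marks two roles that should not be held by one person.
INCOMPATIBLE = {
    frozenset(p) for p in [
        ("Application Programmer", "Computer Operator"),
        ("Application Programmer", "Security Administrator"),
        ("System Programmer", "Security Administrator"),
        ("Data Entry", "Quality Assurance"),
        ("DB Administrator", "Application Programmer"),
    ]
}

def find_conflicts(assignments, matrix=INCOMPATIBLE, accepted=frozenset()):
    """Return (user, role_a, role_b) for every user holding an incompatible pair.

    `accepted` holds (user, frozenset({role_a, role_b})) entries for conflicts
    management has formally accepted with a documented compensating control;
    these are skipped so the report shows only unmitigated conflicts.
    """
    findings = []
    for user in sorted(assignments):
        for a, b in combinations(sorted(set(assignments[user])), 2):
            pair = frozenset((a, b))
            if pair in matrix and (user, pair) not in accepted:
                findings.append((user, a, b))
    return findings

def render_matrix(roles=ROLES, matrix=INCOMPATIBLE):
    """Render the matrix as text rows, one per role, 'X' where the pair is incompatible."""
    width = max(len(r) for r in roles)
    rows = []
    for r in roles:
        marks = "".join("X" if frozenset((r, c)) in matrix else "." for c in roles)
        rows.append(f"{r:<{width}} {marks}")
    return rows

# Constructed user-to-role assignments to test.
ASSIGNMENTS = {
    "alice": ["Application Programmer", "Computer Operator"],
    "bob": ["Tape Librarian"],
    "carol": ["Security Administrator", "System Programmer"],
    "dave": ["End User", "Data Entry"],
}
# Constructed: carol's conflict was accepted by management with a documented
# compensating control, so it is excluded from the unmitigated findings.
ACCEPTED = {("carol", frozenset(("Security Administrator", "System Programmer")))}

if __name__ == "__main__":
    print("\n".join(render_matrix()))
    for user, a, b in find_conflicts(ASSIGNMENTS, accepted=ACCEPTED):
        print(f"CONFLICT: {user} holds both '{a}' and '{b}'")
```

Running the check without the `accepted` set lists every conflict; with it, only the conflicts that lack an accepted compensating control remain, which is the list an auditor would carry into the report.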
Performing an IS Audit
• General audit steps
– Understanding of the audit area/subject
– Risk assessment and general audit plan
– Detailed audit planning
– Preliminary review of audit area/subject
– Evaluating audit area/subject
– Compliance testing
– Substantive testing
– Reporting (communicating results)
– Follow-up
Risk-based Auditing
Testing IT General Controls
• Tests of security and access controls could include evaluating the general system security settings and password parameters; evaluating the process for adding, deleting, and changing security access; and evaluating the access capabilities of various types of users.
• Tests of controls over computer operations could include evaluating the backup and recovery processes, reviewing the process of identifying and handling operational problems, and, if applicable, assessing control over job scheduling.
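The two access-control tests named above (password parameters, and the process for adding, deleting and changing access) can be re-performed from system extracts rather than by inquiry alone. The following is an added example, not from the slides: the baseline thresholds, the exported settings, the accounts and the provisioning tickets are all constructed sample data, and an engagement would take the baseline from the organisation's own policy.

```python
"""Two re-performed tests of security and access controls (ITGC).

Added example, not from the slides. Test 1 compares the system's password
parameters with an audit baseline; test 2 reconciles the live account list
with the approved add/change/remove tickets. All settings, accounts and
tickets below are constructed sample data.
"""
from datetime import date

# Constructed baseline; an auditor would take these values from the
# organisation's own password policy. Kinds: "min" (actual >= expected),
# "max_nonzero" (0 < actual <= expected; 0 conventionally means "never"),
# "eq" (actual == expected).
BASELINE = {
    "min_length": ("min", 12),
    "history": ("min", 10),
    "max_age_days": ("max_nonzero", 90),
    "lockout_threshold": ("max_nonzero", 5),
    "complexity": ("eq", True),
}

def evaluate_password_parameters(settings, baseline=BASELINE):
    """Return {parameter: (actual, expected)} for each setting outside the baseline.

    A parameter absent from `settings` is reported too: an unset control is a
    finding, not a pass. A zero maximum age or lockout threshold fails as well,
    because zero disables the control rather than tightening it.
    """
    failures = {}
    for name, (kind, expected) in baseline.items():
        actual = settings.get(name)
        if actual is None:
            ok = False
        elif kind == "min":
            ok = actual >= expected
        elif kind == "max_nonzero":
            ok = 0 < actual <= expected
        else:
            ok = actual == expected
        if not ok:
            failures[name] = (actual, expected)
    return failures

def reconcile_access(accounts, tickets):
    """Replay approved tickets to derive the authorised state, then diff it
    against the live accounts.

    accounts: {user: {"enabled": bool, "privileged": bool}}
    tickets:  [{"user", "action" (add/change/remove), "approved", "date", "privileged"?}]
    Returns {"unauthorized", "not_removed", "privilege_mismatch"} as sorted lists.
    """
    authorised = {}   # user -> privileged flag according to approved tickets
    removed = set()   # users whose most recent approved action was a removal
    for t in sorted(tickets, key=lambda t: t["date"]):
        if not t["approved"]:
            continue  # an unapproved ticket authorises nothing
        if t["action"] == "remove":
            authorised.pop(t["user"], None)
            removed.add(t["user"])
        else:         # "add" or "change"
            authorised[t["user"]] = t["privileged"]
            removed.discard(t["user"])
    result = {"unauthorized": [], "not_removed": [], "privilege_mismatch": []}
    for user, acct in sorted(accounts.items()):
        if not acct["enabled"]:
            continue
        if user not in authorised:
            result["not_removed" if user in removed else "unauthorized"].append(user)
        elif acct["privileged"] != authorised[user]:
            result["privilege_mismatch"].append(user)
    return result

# Constructed current settings (not a real system export).
SETTINGS = {"min_length": 8, "history": 24, "max_age_days": 0,
            "lockout_threshold": 5, "complexity": True}

# Constructed provisioning tickets and live account list.
TICKETS = [
    {"user": "alice", "action": "add", "privileged": False, "approved": True, "date": date(2024, 1, 5)},
    {"user": "bob", "action": "add", "privileged": True, "approved": True, "date": date(2024, 1, 6)},
    {"user": "carol", "action": "add", "privileged": False, "approved": True, "date": date(2024, 2, 1)},
    {"user": "carol", "action": "remove", "approved": True, "date": date(2024, 3, 1)},
    {"user": "dave", "action": "add", "privileged": True, "approved": False, "date": date(2024, 3, 3)},
    {"user": "alice", "action": "change", "privileged": True, "approved": False, "date": date(2024, 4, 1)},
]
ACCOUNTS = {
    "alice": {"enabled": True, "privileged": True},   # privilege raised without approval
    "bob": {"enabled": True, "privileged": True},     # matches approved ticket
    "carol": {"enabled": True, "privileged": False},  # removal approved, not executed
    "dave": {"enabled": True, "privileged": True},    # add ticket never approved
}

if __name__ == "__main__":
    print("password parameter failures:", evaluate_password_parameters(SETTINGS))
    print("access reconciliation:", reconcile_access(ACCOUNTS, TICKETS))
```

The reconciliation separates three distinct findings that an inquiry-only test tends to blur: access that was never approved, access that was approved for removal but still works, and privilege that drifted above what the approved ticket granted.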
Testing IT General Controls
• Examples of possible tests of controls over systems development and system changes include examining the processes for selecting, acquiring, and installing new software; evaluating the process for implementing software upgrades or patches; determining whether upgrades and patches are authorized and implemented on a timely basis; and assessing the process for testing new applications and updates.
Testing Application Controls
• Regardless of the complexity of the IT environment, the audit plan for testing application controls could include a combination of inquiry, observation, document inspection, and re-performance of the controls.
• Efficiencies can be achieved through altering the nature, timing, and extent of testing procedures performed related to automated and IT-dependent application controls if IT general controls are designed and operating effectively.
• In some situations, benchmarking of certain automated controls might be an appropriate audit strategy.
Testing Application Controls
Procedures for testing & evaluating include:
– Flow-charting techniques for documenting automated applications and business processes
– “Test of one” to see all aspects of the control operate (“walkthrough”)
– Executing samples of transactions and comparing to expected results
– Evaluating the logic of the program through the inspection of system configuration or vendor documentation
– Use of generalized audit software to survey the contents of data files
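Re-performance ties together two of the procedures listed above: a sample of transactions is selected from a data file extract and the control is evaluated independently, then the result is compared with what the application recorded. The following is an added example, not from the slides: the control (a second approver is required above a limit, and the invoice total must equal its lines), the threshold and the invoice extract are all constructed.

```python
"""Re-performance of an automated application control over a transaction sample.

Added example, not from the slides. Constructed control: an invoice whose
total exceeds APPROVAL_LIMIT must carry a second approver, and the stored
total must equal the sum of its line amounts. The CSV extract is constructed.
"""
import csv
import io
from decimal import Decimal

APPROVAL_LIMIT = Decimal("10000.00")  # constructed threshold

# Constructed extract of the invoice table, as generalized audit software
# would pull it. system_flag is what the application itself recorded.
INVOICES_CSV = """invoice_id,total,line_amounts,approver1,approver2,system_flag
1001,2500.00,1000.00;1500.00,ann,,OK
1002,12000.00,6000.00;6000.00,ann,bill,OK
1003,15000.00,7500.00;7500.00,ann,,OK
1004,9999.99,9999.99,carl,,OK
1005,10500.00,5000.00;5000.00,dina,,FLAGGED
1006,8000.00,3000.00;3000.00,eve,,OK
"""

def load_invoices(text):
    """Parse the extract; amounts become Decimal so comparisons are exact."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["total"] = Decimal(r["total"])
        r["lines"] = [Decimal(x) for x in r["line_amounts"].split(";") if x]
        rows.append(r)
    return rows

def systematic_sample(rows, interval, start=0):
    """Every `interval`-th record from `start`: deterministic, so a reviewer
    can reproduce exactly which items were tested."""
    return rows[start::interval]

def reperform(inv):
    """Evaluate the control independently for one invoice.

    Returns (expected_flag, reasons); reasons is empty when the control
    should have passed the invoice.
    """
    reasons = []
    if sum(inv["lines"], Decimal("0")) != inv["total"]:
        reasons.append("total != sum of lines")
    if inv["total"] > APPROVAL_LIMIT and not inv["approver2"]:
        reasons.append("second approver missing")
    return ("FLAGGED" if reasons else "OK"), reasons

def compare_with_system(rows):
    """Return one exception record per invoice where the re-performed
    result differs from the flag the application recorded."""
    exceptions = []
    for inv in rows:
        expected, reasons = reperform(inv)
        if expected != inv["system_flag"]:
            exceptions.append({"invoice_id": inv["invoice_id"],
                               "system": inv["system_flag"],
                               "reperformed": expected,
                               "reasons": reasons})
    return exceptions

if __name__ == "__main__":
    population = load_invoices(INVOICES_CSV)
    sample = systematic_sample(population, interval=2)
    for e in compare_with_system(sample):
        print(f"exception {e['invoice_id']}: system={e['system']} "
              f"reperformed={e['reperformed']} ({'; '.join(e['reasons'])})")
```

Running the comparison over the whole extract rather than the sample is the "survey the contents of data files" procedure from the same list; the code is identical, only the input set changes.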
COSO Framework
The process to determine whether internal control is adequately designed, executed, effective and adaptive.
– Management Analysis
– Disclosure Committee
– Internal Audits
– Cultural Assessment
Control Objectives for IT
CobiT® – Control Objectives for Information and Related Technology
– COBIT is the generally accepted internal control framework for IT
– A framework with 34 high-level control objectives, grouped into:
Planning and organization
Acquisition and implementation
Delivery and support
Monitoring and evaluation
– Use of 40 major IT-related standards and regulations (such as COSO, ITIL, ISO/IEC 27000, SEI CMM, etc.)
IT Governance
IT governance is a structure of relationships:
– IT Value Delivery
– Performance Measurement
IT Governance
IT Governance encompasses:
• Information systems
• Technology
• Communication
IT Governance helps ensure the alignment of IT and enterprise objectives.
Fundamentally, IT governance is concerned with two issues:
• IT delivers value to the business: driven by strategic alignment of IT with the business.
• IT risks are mitigated: driven by embedding accountability into the enterprise.
IT Governance is the responsibility of the board of directors and executive management.
IT Governance Structure
• The Board
– Overall responsibility for IT governance
• Board steering & strategy committees
– IT governance principles and decision-making hierarchy
– IT strategy and architecture
– IT risk management
– IT services, performance and requirements
– IT investment criteria
– IT project governance
– Information security
– IT regulatory compliance
• Executive IT management
– CIO, CISO
IT Governance Roles
• IT governance structure starts at Board level to ensure adequate board control over the decisions, directions and performance of IT, so that it supports the organization’s strategies and objectives.
• Typically, the executive director, with the board of directors, sets the tone for the risk management program. Operations staff and board members should assist the risk management committee in identifying risks and developing suitable loss control and intervention strategies.
• IT governance is an inclusive term that encompasses information systems, technology and communication; business, legal and other issues; and all concerned stakeholders: directors, senior management, process owners, IT suppliers, users and auditors.
• IS department management, along with the IS steering committee and the strategy committee, which provides valuable strategic input related to stakeholders’ value, plays a key role in IT Strategic Plan development and implementation.
IT Governance Roles
IT Strategy Committee:
• Is a mechanism for incorporating IT governance into enterprise governance
• As a committee of the board, it assists the board in overseeing the enterprise’s IT-related matters by ensuring that the board has the internal and external information it requires for effective IT governance decision making
• Organizations have had steering committees at an executive level to deal with IT issues that are relevant organization-wide. There should be a clear understanding of both the IT strategy and steering levels. The ITGI issued a document that clearly analyses the distinction between them.
IT Governance Roles
Audit Role in IT Governance:
• Audit plays a significant role in the successful implementation of IT governance. Audit is best positioned to provide leading-practice recommendations to help improve the quality and effectiveness of the IT governance initiatives implemented.
• Audit helps ensure compliance with IT governance initiatives implemented within an organization. IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and associated IT governance initiatives.
Closing Quotes …
“IT Governance is no longer some stand-alone function, but is an integral part of any organization’s overall corporate governance. If your organization cannot survive as a competitive player without IT, then your Board cannot apply acceptable corporate governance without overt IT Governance.”
“It is not simply a case of having a set of procedures and processes, nor is it just about having controls in place. Reliance on a poor control is often worse than having no control at all.”
“If management is about running the business, governance is about seeing that it is run properly.”
Questions ...