Post on 11-Jan-2016
IT-Audit Concept, Approach and Methodologies
Stakeholders in the Internal IT Audit Process
Key Objectives & Requirements
Methodological Framework
Internal IT Audit Organization and Scope
Proposed Approach and Methodology
Co-ordination with External Regulatory and Auditing Bodies
Conclusion
Stakeholders in the Internal IT Audit Process
Internal IT Audit sits between four stakeholder groups:
Internal IT: WDR, PB, AM, PC&C IT; IT Security
External IT: Perot Systems Systor
Internal Audit & Business: GIA business lines; BOD/GEB, ASB, AC; business lines
External to UBS: regulatory bodies; external audit and professional bodies
Stakeholder Demands on Internal IT Audit: Internal IT
Breadth vs depth
Increased technological solutions
Quality / relevance of recommendations
Increased involvement up front
Detailed knowledge over increasingly specialized areas
Rationalization of the Bank's systems / technology
Global focus, adherence to standards
Stakeholder Demands on Internal IT Audit: External IT
Staff recruitment / retention
Increased technological complexity / new technologies
Pace of IT technology development & implementation
Increased reliance on technical solutions
Outsourcing
Best practices / benchmarks
Stakeholder Demands on Internal IT Audit: Internal Audit and Business
Ensure completeness of coverage between IT & financial audit
Budget, headcount
Standards & quality of work
Resource allocation
Reporting & follow-up
Stakeholder Demands on Internal IT Audit: External to UBS
Acquisitions & JVs: economies through / leveraging technology
Globalization: increased regulatory requirements
Cost reduction: rationalization across the group
Increased regulatory requirements
Key Objectives and Requirements
Global and independent
Risk focus
Experts in IT internal control
IT project involvement
Frequency of reviews
Standardization and depth of reviews
Recommendations
IT and control knowledge
Effective co-ordination with external and regulatory bodies
Application / infrastructure audit co-ordination
Key Objectives and Requirements (objective: course of action)
Global and independent: independence, which the reporting structure of Group Audit within the bank ensures; Organization & Technical Competence Center (TCC) concept
Risk focus: PASKOR planning (risk planning); incorporation of the IT risk framework in Internal IT Audit fieldwork & reporting; self-assessment process and IT Audit risk & control database
Experts in IT internal control: CobiT framework; IT Audit planning and fieldwork with the technology competence centre
IT project involvement: stress point matrix; infrastructure / application interface
Frequency of reviews: PASKOR planning
Standardisation and depth of reviews: TCC concept
Recommendations: Primary Controls Audit (PCA); Primary Controls Review (PCR); Self-Assessment approach (SA)
IT and control knowledge: TCC concept; training re-emphasis
Effective co-ordination with external and regulatory bodies: planning and co-ordination of requirements; outsourcing of work (external lead); insourcing on IT Audit (internal lead); IT Audit work standards; IT Audit location database
Application / infrastructure audit co-ordination: scope and coverage definition; infrastructure / application interface
Methodological Framework
Main areas of use:
IT audits
Risk analysis
Health checks (security benchmarking)
Security concepts
Security manuals / handbooks
IT Audit Methodologies
CobiT: www.isaca.org
BS 7799 - Code of Practice (CoP): www.bsi.org.uk/disc/
BSI - IT baseline protection manual: www.bsi.bund.de/gshb/english/menue.htm
ITSEC: www.itsec.gov.uk
Common Criteria (CC): csrc.nist.gov/cc/
Comparison of Methods - Results
Methods compared: CobiT, BS 7799, BSI, ITSEC
Criteria:
Standardisation
Independence
Certifiability
Applicability in practice
Adaptability
Extent of scope
Presentation of results
Efficiency
Ease of use
Update frequency
Methods: Example for CobiT
Audit types: Mgmt & Control; Year 2000; IT Development; IT Operations; IT Network; IT Security; DR & CP; Change Mgmt
CobiT processes (domains): Planning & organization; Acquisition & implementation; Delivery & support; Monitoring
CobiT control objectives
Risk control matrices (detailed risks & controls mapped to CobiT objectives)
Tools: PASKOR, AutoAudit
IT Risk Management
Strategy & governance:
responsibility for ensuring proper management lies at the execution level
apply IT risk management within a consistent and repeatable framework
Risk management organisation:
independent risk management function with clearly defined roles and responsibilities
link between the risk management group, strategic planning and IT management
Measurement & reporting:
controls in place to ensure completeness, accuracy and timeliness of risk capture
measures continually evolve as advances in methodologies and modeling techniques improve
Categories of risk:
clearly segmented category definitions which are easily understood throughout the organization
comprehensive categories to capture all risks
Risk management process:
structured interview process, risk collection and feedback programme
minimal administrative burden; use of automated tools (intranet, database etc.) wherever possible
IT Risk Categories
UBS risk categories: credit risk; market risk; funding risk; operational risk (including IT risk); legal risk; liability risk; compliance risk; tax risk; physical / crime risk
Reputation risk: impacts on customers / clients, shareholders, counterparties, suppliers, regulators
IT risk categories:
Strategic: business / IT alignment; business value of IT; emerging technology; project evaluation; IT architecture management
IT development: project management; development standards; IT development project risk; data and information management; development / testing environments
IT delivery: operation management; production availability; IT change management; system and network security; contingency & capacity planning
Financial: IT costs (project and operations); IT investment appraisal; VAR (system financial exposure)
IT organisation: skill / knowledge management; succession planning / career management; HR policies; IT / business organisation alignment; supplier & third party management
Legal & compliance: non-conformance to regulations; regulatory reporting; IT contacts
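The risk control matrix the CobiT slide refers to, together with the coverage check the stakeholder demands ask for (completeness of coverage across audit types, scope and coverage definition), as an added example that is not part of the original presentation. The risk rows are taken from the IT risk categories above; the control objective ids and names, their CobiT domains and the annual audit plan are constructed for illustration and assumed, not UBS data:

```python
"""Risk / control matrix with a coverage check.

Added example, not from the original slides. Risks come from the deck's IT
risk categories; control ids, names, domains and the audit plan are assumed.
"""
from dataclasses import dataclass

COBIT_DOMAINS = (
    "Planning & organization",
    "Acquisition & implementation",
    "Delivery & support",
    "Monitoring",
)


@dataclass(frozen=True)
class Control:
    cid: str       # control objective id (CobiT-style numbering, assumed)
    name: str
    domain: str    # one of COBIT_DOMAINS


@dataclass(frozen=True)
class Risk:
    category: str          # IT risk category from the deck
    description: str
    controls: tuple        # ids of the controls that mitigate the risk


# Constructed sample control objectives (ids and names assumed).
CONTROLS = {c.cid: c for c in (
    Control("PO9", "Assess risks", "Planning & organization"),
    Control("AI6", "Manage changes", "Acquisition & implementation"),
    Control("DS3", "Manage performance and capacity", "Delivery & support"),
    Control("DS4", "Ensure continuous service", "Delivery & support"),
    Control("DS5", "Ensure systems security", "Delivery & support"),
    Control("M1", "Monitor the processes", "Monitoring"),
)}

# Constructed risk rows, each mapped to the controls that address it.
RISKS = (
    Risk("IT delivery", "system and network security", ("DS5",)),
    Risk("IT delivery", "IT change management", ("AI6",)),
    Risk("IT delivery", "contingency & capacity planning", ("DS3", "DS4")),
    Risk("Financial", "VAR (system financial exposure)", ("PO9",)),
    Risk("Strategic", "business / IT alignment", ()),   # no control recorded
)

# Constructed annual plan: audit type -> control ids its fieldwork tests.
AUDIT_PLAN = {
    "IT Security": {"DS5"},
    "Change Mgmt": {"AI6"},
    "DR & CP": {"DS3", "DS4"},
}


def validate(controls, risks, plan):
    """Reject dangling ids and unknown domains so a typo cannot hide a gap."""
    for c in controls.values():
        if c.domain not in COBIT_DOMAINS:
            raise ValueError(f"{c.cid}: unknown domain {c.domain!r}")
    for r in risks:
        for cid in r.controls:
            if cid not in controls:
                raise ValueError(f"risk {r.description!r} cites unknown control {cid}")
    for audit, cids in plan.items():
        for cid in cids:
            if cid not in controls:
                raise ValueError(f"audit {audit!r} tests unknown control {cid}")


def coverage_gaps(controls, risks, plan):
    """Return what the plan leaves unaddressed, as sorted lists."""
    validate(controls, risks, plan)
    tested = set().union(*plan.values()) if plan else set()
    tested_domains = {controls[cid].domain for cid in tested}
    return {
        # risks with no control objective: nothing for fieldwork to test
        "unmitigated_risks": sorted(r.description for r in risks if not r.controls),
        # control objectives that no audit type in the plan exercises
        "untested_controls": sorted(set(controls) - tested),
        # whole CobiT domains the plan never touches
        "untested_domains": [d for d in COBIT_DOMAINS if d not in tested_domains],
    }


def risks_tested_by(audit_type, controls, risks, plan):
    """Risks whose mitigating controls a given audit type tests."""
    cids = plan.get(audit_type, set())
    return sorted(r.description for r in risks if set(r.controls) & cids)


if __name__ == "__main__":
    for key, value in coverage_gaps(CONTROLS, RISKS, AUDIT_PLAN).items():
        print(f"{key}: {value}")
    print("DR & CP covers:", risks_tested_by("DR & CP", CONTROLS, RISKS, AUDIT_PLAN))
```

Run as-is the check reports the strategic risk with no control, the two control objectives the plan never tests (M1, PO9) and, as a consequence, the Planning & organization and Monitoring domains left untouched; the validation step fails loudly on a plan entry that names a control id not in the matrix, which is the usual way such a gap goes unnoticed.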
Internal IT Audit Organization
IT Audit Group: IT Audit Domestic (CH); IT Audit International; CAATTs / audit software
Technical Competence Centres (TCC) and Technical CoE (Centre of Excellence)
Basel / Zurich (CH): distributed technology; IT consulting / services; SSP task forces
International: EMEA; Asia Pacific; Americas
CoE, TCC Schematic - Migration Path
Actual: generalists. Each TCC / CoE is assigned a technology or process, but staff perform general IT audit activities (good all-round knowledge) across the mainstream distributed technologies; on the depth-of-knowledge axis they sit low.
Future: specialists. Each TCC / CoE is staffed by a specialist in its technology or process, adding depth of knowledge on top of the mainstream distributed technologies base.
Generic IT Environment
Layers, top to bottom:
Application Architecture (AA)
Application: development environment, application security
Software Change Management (SCM)
Middleware / services
Operating system
Hardware
Cross-cutting: system management & operations; telecommunication; technical security
Application audit covers the application layers; IT audit covers the remaining layers and the cross-cutting areas.
Generic IT Environment: application audit vs IT audit
Application audit: products / applications a, b, c, d; scope: overall project management, application level security, application / business controls, business contingency, system functionality, user testing
IT audit: system technology, divisional IT processes and global IT processes; scope: operating system level security & administration, disaster recovery, operations & systems support, network controls, capacity planning, database management, data access, change management process
Proposed Approach and Methodology
COSO model (Internal Control - Integrated Framework): control environment; risk assessment; control activities; pertinent information; monitoring
Production Audit Approach
Self-Assessment (SA), Primary Controls Review (PCR) and Primary Controls Audit (PCA), supported by the TCC / CoE.
Pre- / Post-Implementation Audit
Pre-implementation (input: project plan): stress point matrix testing
Post-implementation (input: results, existing processes): Self-Assessment (SA), Primary Controls Review (PCR), Primary Controls Audit (PCA), supported by the TCC / CoE
Principles and Co-operation IT Audit / 3rd Party
Basis: regulator / external: laws, regulations, standards; Internal IT Audit: divisions
Requirements: regulator / external: audit areas, audit objectives, divisions, legal entities, processes; Internal IT Audit: audit areas, audit objectives, special assignments
Thank you for your interest in IT Audit Concept, Approach and Methodologies