RELATIONSHIP BETWEEN IT RISK AND THE IT AUDIT PLAN

Date post: 27-Dec-2021
Category:
Upload: others
View: 2 times
Download: 0 times
Share this document with a friend
24
RELATIONSHIP BETWEEN IT RISK AND THE IT AUDIT PLAN Presenter: Mr Vincent M. Kgwale CISA, CISM Deputy Director: IT Audit, National Treasury | 31 October 2012
Transcript
Page 1

RELATIONSHIP BETWEEN IT RISK AND THE IT AUDIT PLAN

Presenter: Mr Vincent M. Kgwale – CISA, CISM

Deputy Director: IT Audit, National Treasury | 31 October 2012

Page 2

Contents

Pioneers Of Corporate Governance

Acceptance of corporate governance in the public sector

Corporate Governance Principles

Auditor General 2010/11 results

Elements of IT Governance

Definition of IT Risk

Definition of IT Risk Management

ISACA – Risk IT Framework

IT Risk Management Approach

IT Risk Management Approach – Unpacking the IT Risks

Unpacking the IT Risks – IT Environment

The Relationship Between IT Risk and IT Audit

Crafting the IT Audit Plan

IT Risk Standards and Framework

Page 3

Pioneers Of Corporate Governance

Sir Adrian Cadbury chaired the Committee on Financial Aspects of Corporate Governance set up in 1990 and published its report in 1992.

Page 4

Pioneers Of Corporate Governance (cont.)

Mervyn King S.C. chaired the King Committee on Corporate Governance, which published the King Report on Corporate Governance (King I) in 1994, aimed at promoting the highest standards of corporate governance in South Africa.

Page 5

Acceptance of corporate governance in the public sector

• Limited adoption in government and the public services.

• Compliance with the Public Finance Management Act (PFMA) and the Municipal Finance Management Act (MFMA), as minimum requirements in the public sector.

• In contrast, the provisions of King III are specifically intended to be ‘applied or explained’ within all economic sectors, including the public sector.


Page 6

Acceptance of corporate governance in the public sector (cont.)

• Parliament is a key stakeholder and will determine the level of compliance that each public institution should strive to achieve, in addition to the statutory compliance required in terms of the PFMA, MFMA and other applicable acts.

• National and provincial institutions will have similar compliance obligations, which will reside with the executive authority, who delegates these responsibilities to the accounting officer or equivalent.

Page 7

Corporate Governance Principles

Ethical leadership and corporate citizenship

Boards and directors (Municipal councils)

Audit committees

The governance of risk

Page 8

Corporate Governance Principles (cont.)

The governance of information technology

Compliance with laws, rules, codes and standards

Internal audit

Governing stakeholder relationships

Integrated reporting and disclosure

Page 9

Auditor General 2010/11 results

• 79% of departments did not implement some IT governance aspects, according to the General Report on National Audit Outcomes for the 10/11 financial year.

Page 10

Elements of IT Governance

Strategic Alignment

Value Delivery

Risk Management

Resource Management

Performance Measurement

Page 11

Definition of IT Risk

Every organization has a mission, and in this digital age government also uses automated information technology (IT) systems to process its information in support of its objectives.

Risk management plays a critical role in protecting an organization’s information assets, and therefore its mission or objectives, from IT-related risk.

IT risk can be defined as any threat to information technology, data, critical systems and business processes.

IT risk provides an end-to-end, comprehensive view of all risks related to the use of IT, and a similarly thorough treatment of risk management, from the tone and culture at the top down to operational issues.

Page 12

Definition of IT Risk (cont.)

Management has a responsibility to identify areas of control weakness and to respond to them in a timely fashion by improving processes, augmenting controls and even reducing the cycle time between control tests, to ensure that the organization is properly identifying and responding to IT risks.

Page 13

Definition of IT Risk Management

• IT risk is a business risk specifically associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise.

• It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives;

• IT risk management aims to prioritize and manage IT risk;

• Senior executives need a frame of reference and a clear understanding of the IT function and the IT risk associated with it;

• IT risk is not just a technical issue; and

Page 14

Definition of IT Risk Management (cont.)

• Organisation managers determine what IT needs to do to support their business; they set the targets for IT and are accountable for managing the associated risks.

Page 15

ISACA – Risk IT Framework

Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture

Risk Evaluation: Describing business impact and risk scenarios

Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation

Source: ISACA Risk IT Framework

Page 16

IT Risk Management Approach

IT risk is a component of the overall risk universe of an organisation.

Source: ISACA Risk IT Framework

Page 17

IT Risk Management Approach – Unpacking the IT Risks

Source: ISACA Risk IT Framework

Page 18

IT Risk Management Approach – Unpacking the IT Risks

Source: ISACA Risk IT Framework

Page 19

Unpacking the IT Risks – IT Environment

[Figure: the IT environment model, drawn as three layers with their components]

STRATEGIC: IT STRATEGY; IT STANDARDS, POLICIES, PROCEDURES & GUIDELINES; SERVICE LEVEL AGREEMENTS

APPLICATION: APPLICATION

INFRASTRUCTURE: DATABASE; NETWORK; HOST; PHYSICAL

Source: National Treasury Internal Audit – Information Systems Audit Methodology

Page 20

The Relationship Between IT Risk and IT Audit

[Figure: the IT environment layers from the previous slide (Strategic, Application, Infrastructure) mapped to the audit type that reviews each of them]

IT ENVIRONMENT -> AUDIT TYPE

Strategic layer (IT Strategy; IT Standards, Policies, Procedures & Guidelines; Service Level Agreements) -> GENERAL CONTROL REVIEW: IT Strategy; IT Standards, Policies, Procedures and Guidelines; Service Level Agreements

Application layer (Application) -> SPECIFIC CONTROL REVIEW: Application Control Review

Infrastructure layer (Database; Network; Host; Physical) -> SPECIFIC CONTROL REVIEW: Database Management Review; Data Integrity Review; Network Review; Operating System Review; Physical and Environmental Review

Controls around the computing layers supporting the infrastructure -> GENERAL CONTROL REVIEW: User Profile Management; Change Management; Logical Access Controls; Physical Access Controls; Environmental Controls; Software Development; Business Continuity and Disaster Recovery

Source: National Treasury Internal Audit – Information Systems Audit Methodology

Page 21

Crafting the IT Audit Plan

IT AUDIT PLAN

Risk Identified | Inherent Priority | Residual Priority | Audit Description | Audit Objectives

Interruptions to availability and access to business critical systems | Priority 1 | Priority 2 | IT Strategy Framework and Operational Plan Review | Assess the adequacy of the IT strategy framework and operational plan to assist business in the achievement of their objectives.

Interruptions to availability and access to business critical systems | Priority 1 | Priority 2 | IT Governance Review | Assess the adequacy of the IT governance framework to ensure compliance with the King 3 requirements.

Interruptions to availability and access to business critical systems | Priority 1 | Priority 2 | Information Security Policy Review | Review of information security management policies.

Unauthorised malicious activity by internal users | Priority 1 | Priority 2 | Internal Network Security Review | Assess the level of internal network threats and vulnerabilities.

Unauthorised malicious activity by internal users | Priority 1 | Priority 2 | Wireless Network Security Review | Assess the configurations of the wireless network to prevent malicious activity.

Unauthorised malicious activity by external users | Priority 1 | Priority 2 | External Network Security Review | Assess the level of external network threats and vulnerabilities.

Unauthorised malicious activity by external users | Priority 1 | Priority 2 | Perimeter Firewall Review | Assess the configurations of the firewall located on the external network perimeter to prevent malicious activity.

Source: National Treasury Internal Audit – IT Audit Plan

Page 22

IT Risk Standards and Framework

ISACA – The Risk IT Framework; COSO – Enterprise Risk Management: Integrated Framework; ISO 31000 – Risk Management; and Public Sector Risk Management Framework.

Page 23

QUESTIONS

Page 24

THANK YOU