2. INTRODUCTION
- The board of directors and management are responsible for
ensuring adequate management practices are in place for effective
oversight and management of the institutions IT environment. All
institutions should adopt an effective audit and review program
regardless of whether the technology services are provided
internally or externally.
3. Examination Objectives
- Board Direction and Oversight Evaluate the boards involvement
in establishing IT audit scope and reporting requirements and
ensuring the availability of competent IT audit resources.
- Audit Program Assess the quality and effectiveness of the IT
audit program
4. Examination Procedures
- Examination activities should be based on the criticality and
complexity of the business functions .
- examination should begin with a review of audit results and the
adequacy of corrective actions .
- TheEssential Practicesfor IT Audit should be clearly documented
and functioning within the internal control environment.
5. Essential Practices
- 1. Risk Assessment :A risk assessment provides the internal
auditor and the board with objective information to prioritize the
allocation of audit resources properly.
- Industry Standard Reference :COBIT: Control Objectives for
Information and related Technology. 4.1 ed. 2000, PO9.
6. Essential Practices
- The IT audit plan defines the IT scope, objectives and
strategies. It establishes a balance between scope, timeframes, and
staff days to ensure optimum use of resources.
- Ensure audit resources are independent, competent, and have the
necessary experience to accomplish the IT audit objectives.
7. Essential Practices
- Reporting : Reports communicate audit findings to the board.
They also assist management in evaluating the quality of its IT
department and identifying methods for correcting or improving
adverse conditions.
8. IT-Audit Methodologies
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
9. CobiT
- Governance, Control & Audit for IT
10. CobiT - Framework 11. CobiT - IT Process Matrix
IT Processes 12. CobiT - Summary
- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown ingraphic form
13. CobiT - Summary
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- CobiT package from ISACA:$ 100.--
- 3 parts freely downloadable from ISACA site
- Software available from Methodware Ltd.,
NZ(www.methodware.co.nz)
-
- CobiT Advisor 2nd edition: US$ 600.--