British Computer Society NORTH LONDON BRANCH AudIT to BenefIT - 6 sides of the dice Wednesday 16th January 2008, 18.30 – 20.30 1 topic, 2 hours, 4 sponsors 6 views, 6 expert presenters 1 great audience


British Computer Society NORTH LONDON BRANCH

AudIT to BenefIT - 6 sides of the dice

Wednesday 16th January 2008, 18.30 – 20.30

1 topic, 2 hours, 4 sponsors

6 views, 6 expert presenters

1 great audience


Are You an Auditor?


4 Sponsors:

• Gotham Digital Science www.gdssecurity.com

• ISACA London Chapter www.isaca-london.org

• IT Faculty of the Institute of Chartered Accountants in England and Wales www.icaew.com/itfac

• SUPINFO The International Institute of Information Technology www.supinfo.com/uk


6 Views – plus more!

• [Target start time 18.30]
• BCS NLB Intro [10 mins.] - Dalim
• Why audit? Who needs it? [15 mins.] - Justin
• What does the auditor do? [15 mins.] - Nick
• What’s audited? [20 mins.] - Fraser
• IT audit tools and techniques [15 mins.] - Martin
• How auditors use COBIT & IT Assurance Guide [15] - Lynn
• How to plan to get value from your audits [15] - Steven
• BCS NLB end of formal event [10 mins.] - Dalim
• [Target end time 20.30]
• Informal networking (with food & drink) - ALL


6 Expert Presenters

• [MC] Dalim Basu, BCS NLB

1. FRASER NICOL, Ernst & Young

2. JUSTIN CLARKE, Gotham Digital Science

3. LYNN LAWTON, ISACA

4. MARTIN ALLEN, PwC

5. NICK FELLOWS, Barclays Plc

6. STEVEN BABB, KPMG & ISACA

• [Supporting Cast: NLB team for this event] Jude Umeh, Patrick Roberts, Rebecca King


©2007 Gotham Digital Science Ltd

Why audit? Who needs it?

Justin Clarke, Director

CISA, CISM, CISSP, A.Inst.ISP


What is an audit?

Anyone?

A Definition

• An audit is a professional, independent examination of a company's financial statements and accounting documents according to generally accepted accounting principles (Traditional)

• an evaluation of a person, organization, system, process, project or product. Audits are performed to ascertain the validity and reliability of information, and also provide an assessment of a system's internal control (Wikipedia)


Understanding your auditor

• Internal or External?
• Assurance or Audit?
• Key ideas
– Independence
– Reasonable assurance
– Material error
– Evidence
– Testing/Sampling


Why audit?

• Mitigate risk
• Regulatory/legal - financial
• Measurement/management
– Conformity/Compliance
– Quality
– Environmental
• How are we doing?


Who needs it?

• Organisations
– Large and small
– Private, public and government
• Stakeholders
– Shareholders
– Management
– Tax payers


Types of audit

• External – ITGC, ITAC, SAS70
• Internal – Operational, Business Process, CobIT, COSO
• Regulatory - Sarbanes Oxley, Basel II, MiFID
• Conformity/Compliance – ISO17799/27001
• Quality – ISO9001
• Environmental – ISO14001


Contact


Exploring the world of Internal Audit

What does the auditor do and why?

Nick Fellows, CISA - Audit Manager

16 January 2008


Agenda

• The Audit Charter

• The Audit Universe and the Audit Plan

• This audit


The Audit Charter

This is a document that defines the Internal Audit function

Its purpose, responsibility, authority and accountability.

• What we are there to do
• How we will maintain our independence and objectivity
• How we will do it and conduct ourselves whilst doing it
• The relationship between IA and its stakeholders
• The KPIs, what they are and how they are measured

Standard S1 and Guideline G5 for Audit Charter can be found on the ISACA website www.isaca.org


The Audit Universe and the Audit Plan

How does the audit department work out what to do?

• Populate the audit universe

• Prioritise based on risk ranking

• Plan

• Agree with stakeholders and get sign off from the Board Audit Committee


The audit

• Understanding the processes, working out the key controls.

• The ‘intention to audit’.

• Testing the controls.

• And the consequence was…

• The report and follow up actions.


Closing thoughts

• Risks are mitigated by controls. Whose controls? – yours.

• An audit is not something that is done to you. It is something that is done with you.

• The more you prepare, the less painful the review will be.


What is Audited?

Fraser Nicol – Technology Security and Risk Services, Ernst and Young

AudIT to BenefIT

Presentation to British Computer Society


IT audit – who, why, what and how?

• Internal auditing – is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations

• External auditing – is an independent opinion on whether or not financial statements are relevant, accurate, complete, and fairly presented

• Both approaches are characterised by a systematic approach to the evaluation of risk management, control and governance processes. A common industry standard for IT auditing is:

• COBIT 4.1 – Control Objectives for Information and Related Technology. A set of leading practices (framework) for information technology (IT) management. Created and governed by the Information Systems Audit and Control Association (ISACA). COBIT is organised into 4 domains:

– Plan and Organise

– Acquire and Implement

– Delivery and Support

– Monitor and Evaluate


Who audits what?

[Figure: audit review areas mapped to the COBIT domains (PO - Plan and Organise, AI - Acquire and Implement, DS - Delivery and Support, ME - Monitor and Evaluate, Cross Domain Reviews), with bands labelled "Expect Internal Audit Focus" and "Expect External Audit Focus". Review areas shown: IT Strategic Alignment, Online Sales Application Project, Third Party Managed Services, IT Project Management, IT Risk Management, Network Management Review, Data Centre Management Review, IT Procurement, SDLC, Change Management, Application Review, DRP / BCP, System Security, IT Control Operation, Software Licensing, KPI / SLA Review.]


Example IT risk identified

1. IT Infrastructure Scalability

2. Exploitation of Security Vulnerabilities

3. IT Strategy not formulated

4. IT Upgrade Activities lead to loss of service

5. Inappropriate IT User activity

Key IT audit approach chart

A – Potential Over Control

B – Low Risk / Mature Controls

C – Low Risk / Limited Controls

D – Higher Risk / Mature Controls

E – Higher Risk / Limited Controls

What gets audited and why?

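[Chart: the five example risks (1 to 5) plotted by Inherent risk / Control maturity. Inherent risk levels: No threat, Low threat, Moderate threat, Significant threat, Very significant threat, with score bands 1–5, 6–10, 11–15, 16–20, 21–25. Control maturity scale 1 to 5, with labels: Over controlled, Fully controlled, Partially controlled, Ad hoc, No controls.]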


How – can IT benefit?

Table columns: # | Risk (risk owner) | Current Control Environment | Governance Strategy | Action Owner | Completion Date | Status

Higher Risk / Limited Controls

1 Current IT infrastructure is not scalable to support anticipated service requirements

Ad Hoc Controls

• KPIs between IT and key user groups are in place

• IT occasionally performs capacity and service monitoring

IT Management

• IT Management to perform a full scale assessment with key user groups as to future IT needs

• IT Management to review current capacity and infrastructure upgrade plans to align to user needs

• IT Management to continuously monitor the provision of key services and agreed service levels

Status: Open


Summary

• Understand who the auditors are, what they are looking for, and what the output of the audit is going to be

• Understand the risks to your own areas, be proactive in engaging with the auditors to explain your area and align their understanding of key risks with yours

• Early planning is always performed at a high level; sometimes the principal actions sit with IT or the business. You need to be involved as closely as possible in audit planning to


Contact

Fraser Nicol, Senior Manager

Tel: 020 7951 0748

Mob: 07776047344



PricewaterhouseCoopers LLP

Tools and Techniques

Martin Allen FIIA, QiCA, CISA

16 January 2008


Tools and Techniques: The Environment

[Diagram: a Corporate Entity and its Computer System within its environment. Labels shown: Raw goods and services, Income, Laws and regulations, Competitor Intelligence, Social responsibilities, Finished goods and services, Expenditure, Financial Accountants, Corporate Reporting, Non-financial/regulatory reporting, Financial Records, Management Accounts, MIS/Datawarehouse.]


Tools and Techniques

Indicators that computer tools and techniques would help audit process:

• Requirement to analyse large volumes of data or complex calculations
• Reliance upon reports generated from computer systems
• ‘Black box’ style systems where complex processing of data is not transparent
• Key reconciliation reports regularly highlight differences
• New or modified systems
• Interfaces between computer systems poorly controlled


Tools and Techniques

Tools available on the desktop:

• Spreadsheets
• Databases
• MS Query


Tools and Techniques

Tools that can be acquired:

• IDEA
• ACL
• OAK
• Datanomic


Tools and Techniques

Risks:

• Can allow the auditor to reach the wrong conclusion
• Easy for inexperienced auditors to be caught out
• Data interrogation does not test controls

Benefits:

• Allows 100% sample size
• Allows quick identification of unusual or required data
• Allows auditor to use the power of the computer to improve the efficiency and effectiveness of the audit


This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2008 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.


©2008 IT Governance Institute. All rights reserved.

How Auditors use COBIT® and the IT Assurance Guide

Lynn Lawton, International President

ISACA, Inc, and The IT Governance Institute, Inc.


ISACA and The IT Governance Institute

• Over 70,000 members in 140 countries
• Develop and maintain tools for IT and business management, e.g. COBIT and ValIT
• Develop and administer certifications, e.g. CISA, CISM, and, coming soon, CGEIT
• Deliver conferences and educational events around the world
• Deliver research and thought leadership on topical issues
• www.isaca.org and www.itgi.org


COBIT Framework

[Diagram: the COBIT framework cycle. Labels shown: BUSINESS OBJECTIVES AND GOVERNANCE OBJECTIVES; INFORMATION (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); IT RESOURCES (Applications, Information, Infrastructure, People); and the four domains listed below.]

PLAN AND ORGANISE

• PO1 Define a strategic IT plan.
• PO2 Define the information architecture.
• PO3 Determine technological direction.
• PO4 Define the IT processes, organisation and relationships.
• PO5 Manage the IT investment.
• PO6 Communicate management aims and direction.
• PO7 Manage IT human resources.
• PO8 Manage quality.
• PO9 Assess and manage IT risks.
• PO10 Manage projects.

ACQUIRE AND IMPLEMENT

• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.

DELIVER AND SUPPORT

• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.

MONITOR AND EVALUATE

• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure compliance with external requirements.
• ME4 Provide IT governance.


Scoping Control Objectives

[Diagram: "Scoping IT Resources" against "IT Process Selection". Inputs shown for each: Assurance Initiative Drivers, Business Control Requirements, Enterprise Architecture for IT; together with the IT Control Framework. Question posed: "Will not achieving this control objective for this IT resource be material?"]


Measuring progress

IT Process/Maturity Levels for Process XX

[Chart: maturity level (1 Initial/Ad Hoc, 2 Repeatable but Intuitive, 3 Defined Process, 4 Managed and Measurable, 5 Optimised) for each attribute: Awareness and Communication; Policies, Standards and Procedures; Tools and Automation; Skills and Expertise; Responsibility and Accountability; Goal Setting and Measurement. Legend: Start point, Interim target status, Where you want to be.]


Measuring progress

IT Process/Maturity Levels for Process XX

[Chart: maturity level (1 Initial/Ad Hoc, 2 Repeatable but Intuitive, 3 Defined Process, 4 Managed and Measurable, 5 Optimised) by quarter: 2007Q1, 2007Q2, 2007Q3, 2007Q4, 2008Q1, 2008Q2. Legend: Start point, Interim target status, Where you want to be.]


ISACA and The IT Governance Institute

For more information, visit:

www.isaca.org

www.itgi.org


How to plan to get value from your audits

16 January 2008

AUDIT


© 2008 KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. This document is confidential and its circulation and use are restricted.

KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Disclaimer

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


Agenda

Recap – What is audit?

Pre-audit activities

During the audit

What happens next?


Recap – What is audit?

Internal auditing

Internal, yet independent assurance over internal controls

Designed to add value and improve an organisation's operations

External auditing

External, independent opinion over financial statements

Audit should be viewed as a critical friend rather than a hindrance

It can add value to your organisation – so treat it this way

An audit is not something that is done to you; it is something that is done with you


Pre-audit activities

What to do before the audit takes place

Understand who the auditors are, their scope, objectives and deliverables

Get involved in audit planning – understand the risks and issues in your own areas

You can influence – are there any areas you want covered?

Plan – The more you prepare, the less painful the review will be

Have a central point of contact

Confirm logistical arrangements


During the audit

Maintain contact with your auditors

The central point of contact will be key in ensuring a smooth audit

Arrange regular catch-up meetings

Understand what the key findings are

Have the auditors got a clear handle on the risks?

Are the key findings valid?

Is the audit on track?

What are the next steps?


What happens next?

How to reap the benefits for your organisation

Ensure that you get to review findings

Draft report stage

Be positive about the findings – Don’t take the outcome as personal criticism

Prepare a plan to address any issues identified and publish it – make sure the plan is implemented!

Roll-out learning points across your organisation, wherever possible

Prepare for your next audit!


Presenter’s contact details

Steven Babb

KPMG LLP (UK)

+44 (0)7717 511 554


www.kpmg.co.uk