Developing a Risk-based Audit Plan Kathy Underhill Vice-President, Risk and Internal Audit December 2005 Information System (IS) Audit- Concept Process and Implementation Roshan Regmi IT/MIS Department Nepal Bank Limited October 2009

Page 1:

Developing a Risk-based Audit Plan

Kathy Underhill, Vice-President, Risk and Internal Audit, December 2005

Information System (IS) Audit- Concept Process and Implementation

Roshan Regmi, IT/MIS Department, Nepal Bank Limited, October 2009

Page 2:

[Figure: five-panel cartoon, panels numbered 1 to 5, with the captions "Business Strategy", "What IT Understood", "How Business was Planned", "How was it Implemented", "What was delivered to User Frustration"]

Page 3:

Outline

Snapshots

Information System Fundamentals

Core Banking System Basics

IS Audit

IS Audit Responsibilities

COSO Framework

COSO ERM Framework

Risk Based IS Audit and Examples

CoBIT Framework

Using CoBIT in IS Audit

Page 4:

IS in Business

Page 5:

Trends in Information Systems

Page 6:

Types of Information System

Page 7:

IS Resources and Activities

Page 8:

Core Banking Architecture - NEWTON

Page 9:

Core Banking Architecture - FINACLE

Page 10:

Information System Audit

"the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals effectively and consumes resources efficiently"

Purpose of IS Audit

Will the organization's computerized systems be available for the business at all times when required? (Availability)

Will the information in the systems be disclosed only to authorized users? (Confidentiality)

Will the information provided by the system always be accurate, reliable, and timely? (Integrity).

Page 11:

Areas of IS Audit

Page 12:

Spectrum of IS Audit

Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity

Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions

Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development

Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing

Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (computer receiving services), server, and on the network connecting the clients and servers

Page 13:

IS Audit Responsibilities

Strategic and Business

Audit Roles: Strategic risk assurance; participate in oversight committee for the risk management process; test management’s mitigation policy; test/verify assumptions behind key decisions.

Risks: Product line expansion; acquisitions/JV/divestiture; threats to company reputation; shift in market competitive dynamics.

New Capabilities: Transfer strategic risks into auditable risk activities; link strategic direction to risk priorities; identify and incorporate external conditions into audit plans.

Page 14:

IS Audit Responsibilities

Operational

Audit Roles: Identify risk trends and communicate them to management; facilitate continuous improvement of controls; recommend improvements on the adequacy and effectiveness of management’s risk processes; identify gaps in management’s plans to achieve goals.

Risks: Ineffective risk management system; supply chain and outsourcing management; customer contact quality.

New Capabilities: Risk management experience; understand company’s corporate values and goals; understand company’s IT infrastructure.

Page 15:

IS Audit Responsibilities

Financial Reporting and Regulatory Compliance

Audit Roles: Perform proactive, risk-based audit of management processes; drive self-service tool usage for management testing; evaluate effectiveness of controls encompassing reliability and integrity of financial information based upon risk assessments.

Risks: Inaccurate financial statements; noncompliance with laws, regulations, contracts; integrity of financial information.

New Capabilities: Maintain self-service tools; continuous monitoring/auditing.

Page 16:

COSO Framework

Issued in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)

The framework has long served as a blueprint for establishing and evaluating internal controls that promote efficiency, minimize risks, help ensure the reliability of financial statements, and comply with laws and regulations.

Page 17:

COSO – Key Components of Internal Control

Control Environment: Integrity and Ethical Values; Commitment to Competence; BOD and Audit Committee; Management’s Philosophy and Operating Style; Organizational Structure; Assignment of Authority and Responsibility; Human Resource Policies and Procedures.

Information and Communication: Quality of Information; Effectiveness of Communication.

Control Activities: Policies and Procedures; Security (Application and Network); Application Change Management; Business Continuity / Backups; Outsourcing.

Risk Assessment: Company-wide Objectives; Process-level Objectives; Risk Identification and Analysis; Managing Change.

Monitoring: On-going Monitoring; Separate Evaluations; Reporting Deficiencies.

Page 18:

Enterprise Risk Management (ERM) Framework

Page 19:

Enterprise Risk Management (ERM) Framework

The enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:

Strategic – high-level goals, aligned with and supporting the mission

Operations – effective and efficient use of resources

Reporting – reliability of reporting

Compliance – compliance with applicable laws and regulations

Page 20:

The ERM Framework

The eight components of the framework are interrelated …

Page 21:

The ERM Framework

Entity objectives can be viewed in the context of four categories: Strategic; Operations; Reporting; Compliance

Page 22:

In a riskier World!

Global village – moving to a unified economy

Borderless world – a quiver of new threats

Mergers and Acquisitions – order of the day

Unprecedented dependence and pace of IT and networks used by business

Increasing potential of cyber crime

IT Operational failures

Outsourcing – an accepted way

Stringent Regulatory Compulsions

Demanding customers – online real time customers

Ethics climate!

Page 23:

The Risk World

Competition Risk

Country Risk

Culture Risk

Information Risk

Legal and Regulatory compliance Risk

Project Risk

Market Risk

Environmental Risk

Technological Risk

Management Risk

Reputational Risk

Financial Risk

Outsourcing Risk

Business Risk

Human Resource Risk

Page 24:

Using Risk Management to determine IS areas to be audited:

Enables management to effectively allocate limited IS audit resources

Provides reasonable assurance that relevant information has been obtained from all levels of management, including the board of directors and functional area management. Generally, the information includes areas that will assist management in effectively discharging their responsibilities and provides reasonable assurance that the IS audit activities are directed to high business risk areas and will add value to management.

Establishes a basis for effectively managing the IS audit function

Provides a summary of how the individual review subject is related to the overall organization as well as to the business plans

Page 25:

Example of an Organizational Risk Assessment Process

Identify risk factors and give them weights

Identify objectives/assets/auditable activities

Analyze the risks by considering their likelihood and consequence

Assign ratings to the risks

Review with audit client/management

Use rankings to develop audit priorities

Page 26:

Page 27:

EXAMPLE II—IS RISK ASSESSMENT MEASUREMENT EVALUATION INCORPORATING BUSINESS RISK FACTORS

Page 28:

Page 29:

IS Risk Assessment of Auditable Units

Data centre operations

Application systems (production)

Application systems (development)

IS procurement (manpower and material)

Software package acquisition

Other IS functions

Page 30:

Page 31:

Page 32:

Page 33:

Page 34:

Case Study: Software Acquisition

A company has received approval to install software to improve its services in the competitive market

An RFP has been developed, approved and gone to the tendering process

In the process of selecting a vendor based on competitive bidding, a 2-envelope system is adopted to ensure fairness and transparency

Perceived Benefits: Enhanced services; Competitive; Better MIS reporting and Asset/Liability position

Implementation Details/Specifics: Size of systems deployment; Centralised systems; Possibility of decentralised systems; Application controls and auditing; Leased lines, Wireless IEEE 802.11b and VSAT connectivity

Page 35:

EXAMPLE IV—RISK ASSESSMENT—IS AUDIT v. SOFTWARE PACKAGE ACQUISITION (Detailed Example)

Rating factor | Weight | Score | Assigned score

1. Scope of the system: Part of a department (1), Complete department (2), Multi department (3), Organization wide (4), Organization and external (5) | 5 | 1-5 | 25

2. Financial exposure (AED) associated with the system: None (1), Small (<100,000) (2), Moderate (100,000-1 m) (3), High (1 m-10 m) (4), Very high (>10 m) (5) | 5 | 1-5 | 25

3. Nature of package: Off the shelf product (1), Custom built by vendor, maintained by vendor (2), Vendor developed, in-house maintained (3), Jointly developed, vendor maintained (4), Jointly developed, in-house maintained (5) | 2 | 1-5 | 10

4. Type of evaluation: By the user department/IS/consultant (1), By IS/user (2), By consultant (3), By IS (4), By the user department (5) | 1 | 1-5 | 5

5. Cost and complexity of the package: Negligible (1), Small (2), Moderate (3), Significant (4), Very high (5) | 2 | 1-5 | 10
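The weighted-score scheme of Example IV, and the risk-assessment process on page 25 (identify risk factors and weights, score the auditable units, rank them to set audit priorities), as an added Python example that is not part of the presentation. The factor names and weights are taken from the Example IV table; the rating bands and the three candidate packages are constructed assumptions, and the block follows the slide's weight-times-score method rather than a separate likelihood-and-consequence step.

```python
"""Weighted risk scoring for auditable units (added example, not from the slides).
Factor names and weights follow Example IV; rating bands and sample units are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RatingFactor:
    name: str
    weight: int
    levels: tuple  # descriptions for scores 1..5, in increasing risk order


# Rating factors and weights as given in Example IV (page 35).
FACTORS = (
    RatingFactor("Scope of the system", 5,
                 ("Part of a department", "Complete department", "Multi department",
                  "Organization wide", "Organization and external")),
    RatingFactor("Financial exposure (AED)", 5,
                 ("None", "Small (<100,000)", "Moderate (100,000-1 m)",
                  "High (1 m-10 m)", "Very high (>10 m)")),
    RatingFactor("Nature of package", 2,
                 ("Off the shelf product", "Custom built by vendor, maintained by vendor",
                  "Vendor developed, in-house maintained", "Jointly developed, vendor maintained",
                  "Jointly developed, in-house maintained")),
    RatingFactor("Type of evaluation", 1,
                 ("By the user department/IS/consultant", "By IS/user", "By consultant",
                  "By IS", "By the user department")),
    RatingFactor("Cost and complexity of the package", 2,
                 ("Negligible", "Small", "Moderate", "Significant", "Very high")),
)

MAX_SCORE = sum(f.weight * 5 for f in FACTORS)  # 75 for this table


def assess(scores):
    """scores: dict factor name -> score 1..5 chosen from that factor's levels.
    Returns (total, per-factor assigned scores); assigned score = weight x score."""
    assigned = {}
    for f in FACTORS:
        s = scores[f.name]
        if not 1 <= s <= 5:
            raise ValueError(f"{f.name}: score {s} outside 1..5")
        assigned[f.name] = f.weight * s
    return sum(assigned.values()), assigned


def rate(total):
    """Map a total to a coarse rating band. The thresholds are assumed, not from the slide."""
    ratio = total / MAX_SCORE
    if ratio >= 0.75:
        return "High"
    if ratio >= 0.5:
        return "Medium"
    return "Low"


def prioritise(units):
    """units: dict unit name -> scores. Returns unit names ranked highest risk first,
    i.e. the audit priority order (the last step of the page 25 process)."""
    totals = {name: assess(sc)[0] for name, sc in units.items()}
    return sorted(totals, key=lambda n: (-totals[n], n))


# Constructed sample: three packages under consideration (not from the slides).
SAMPLE_UNITS = {
    "core banking upgrade": {"Scope of the system": 5, "Financial exposure (AED)": 5,
                             "Nature of package": 4, "Type of evaluation": 4,
                             "Cost and complexity of the package": 5},
    "branch MIS reporting tool": {"Scope of the system": 3, "Financial exposure (AED)": 3,
                                  "Nature of package": 2, "Type of evaluation": 2,
                                  "Cost and complexity of the package": 3},
    "HR leave tracker": {"Scope of the system": 2, "Financial exposure (AED)": 1,
                         "Nature of package": 1, "Type of evaluation": 5,
                         "Cost and complexity of the package": 1},
}

if __name__ == "__main__":
    for name in prioritise(SAMPLE_UNITS):
        total, _ = assess(SAMPLE_UNITS[name])
        print(f"{name:28s} {total:3d}/{MAX_SCORE}  {rate(total)}")
```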

Page 36:

CoBIT Framework

Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996.

COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and in developing appropriate IT governance and control in a company.

Page 37:

CoBIT Background

“Generally applicable and accepted international standard of good practice for IT control”

COBIT: Control OBjectives for Information and related Technology

“An authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors.”

Page 38:

CoBIT’s Scope and Objectives

COBIT® 4.0 was developed by the IT Governance Institute (www.itgi.org) and was released in December 2005

COBIT® has evolved into an IT governance / control framework: a toolkit of “best practices” for IT control representing the consensus of experts

IT Governance focus

Linkage with business requirements (bridges the gap between control requirements, technical issues, and business risks).

Management – process owner – orientation (accountability)

Measurement and maturity driven

Generic focus – applicable to multiple environments

Organizes IT activities into a generally accepted process model (in alignment with ITIL, ISO, and other relevant ‘best practices’)

Identifies the major IT resources to be leveraged

Defines control objectives and associated assurance guidelines

Page 39:

CoBIT For IT Governance

Focus Areas: Strategic alignment; Value delivery; Resource management; Risk management; Performance measurement

Page 40:

CoBIT As A Framework

Enables the auditor to review specific IT processes against COBIT’s Control Objectives to determine where controls are sufficient or advise management where processes need to be improved.

Helps process owners answer questions - “Is what I’m doing adequate and in line with best practices? If not, what should I be doing and where should I focus my efforts?”

COBIT® is a framework and is NOT exhaustive or definitive.

The scope and breadth of a COBIT® implementation varies from organization to organization.

COBIT® prescribes “what” best practices should be in place. An effective implementation requires that COBIT® be supplemented with other sources of best practice that prescribe the “how” for IT governance and controlled process execution.

Page 41:

Relationship Between CoBIT Components

Page 42:

CoBIT Structure overview

Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives

Promotes process focus and process ownership

Divides IT into 34 processes belonging to four domains (providing a high level control objective for each process)

Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT

Is supported by a set of over 200 detailed control objectives

IT Domains: Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate

Business Requirements (information criteria): Effectiveness; Efficiency; Availability; Integrity; Confidentiality; Reliability; Compliance

Page 43:

CoBIT Cube

Page 44:

CoBIT Structure

Page 45:

CoBIT High Level Processes/Objectives

Page 46:

CoBIT High Level Processes/Objectives

Page 47:

CoBIT High Level Processes/Objectives

Page 48:

CoBIT High Level Processes/Objectives

Page 49:

Linking Control to Process Objectives

34 High Level and 200+ Detailed Objectives

Page 50:

Example of CoBIT DS 5 Page-1

Page 51:

Example of CoBIT DS 5 Page-2

Page 52:

Example of CoBIT DS 5 Page-3

Page 53:

Example of CoBIT DS 5 Page-4

Page 54:

Example of CoBIT DS 5 Page-4

Page 55:

Summing It All Up

Business goals drive IT goals

Page 56:

Using CoBIT in IS Audit

Page 57:

Understand Technology Layers

Page 58:

Understand The IT Governance Domain

Page 59:

Technology Audit Universe

Page 60:

Security Audit Universe

Page 61:

MAP Audit Universe to CoBIT

Page 62:

Using CoBIT to Tie It All Together

Page 63:

CoBIT Control Assessment Questions

Page 64:

CoBIT’s Audit Report Template

Sample Audit Report

Page 65:

Questions!