National Electronics and Computer Technology Center. Chayakorn Piyabunditkul – CSPM, ISO 15504 Assessor
Information Technology for Non-IT Audit
The Process Audit
The Process Audit is…
“A new framework, as comprehensive as it is easy to apply, is helping companies plan and execute process-based transformations.”
Michael Hammer, Harvard Business Review, April 2007.
The Process and Enterprise Maturity Model
There are 5 process enablers…
1. Design: the comprehensiveness of the specification of how the process is to be executed.
2. Performers: the people who execute the process, particularly in terms of their skills and knowledge.
3. Owner: a senior executive who has responsibility for the process and its results.
4. Infrastructure: information and management systems that support the process.
5. Metrics: the measures the company uses to track the process’s performance.
Michael Hammer, Harvard Business Review, April 2007.
The Process and Enterprise Maturity Model
And 4 enterprise capabilities…
1. Leadership: senior executives who support the creation of processes.
2. Culture: the values of customer focus, teamwork, personal accountability, and a willingness to change.
3. Expertise: skills in, and methodology for, process redesign.
4. Governance: mechanisms for managing complex projects and change initiatives.
Companies can use their evaluations of the enablers and capabilities, in tandem, to plan and assess the progress of process-based transformations.
Michael Hammer, Harvard Business Review, April 2007.
Certified Information System Auditor
Chapter 1: The IS Audit Process
Chapter 2: IT Governance
Chapter 3: Systems and Infrastructure Life Cycle Management
Chapter 4: IT Service Delivery and Support
Chapter 5: Protection of Information Assets
Chapter 6: Business Continuity and Disaster Recovery
Certified Information System Auditor
Chapter 3: Systems and Infrastructure Life Cycle Management
ISACA, CISA Review Manual, 2008.
Group 1: Project Management
Group 2: Business Application Development (SDLC)
Group 3: Process Improvement Practice (ISO 15504 / ISO 9126 / CMMI)
Group 4: Auditing Control (V-model Testing)
Group 5: Business Application Systems
Certified Information System Auditor
Chapter 4: IT Service Delivery and Support
ISACA, CISA Review Manual, 2008.
Group 1: Information System Operations
Group 2: Information System Hardware
Group 3: Information System Architecture and Software
Group 4: Information System Network Infrastructure
Group 5: Auditing Infrastructure and Operations
Course Index
1. Overview
2. Software Development Life Cycle (SDLC)
3. Capability Maturity Model Integration (CMMI)
4. Information System with Hardware, Software and Network Infrastructure
IT Audit framework
IT audit is “the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently”1.
1. ASOSAI – Weber, R., Information Systems Control and Audit, 1999
Need for IT Audit
Confidentiality: “concerns the protection of sensitive information from unauthorized disclosure”2
Integrity: “the accuracy and completeness of information as well as its validity in accordance with business values and expectations”2
Availability: “availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities”2
Reliability: “the degree of consistency of a system or the ability of a system to perform its required function under stated conditions”2
Compliance with legal and regulatory requirements
2. ISACA
Ensuring IT and the controls supporting the technology.
IT Audit Objectives
The IT audit objective is “to evaluate an auditee’s computerized information system (CIS) in order to ascertain whether the CIS produces timely, accurate, complete and reliable information outputs”3.
3. The National Audit Department of Malaysia, ICT Audit Guideline 2001
IT Audit Organization
IT Standard Comparison
1. IT Controls Frameworks: COSO
Internal Control – Integrated Framework, published in September 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Treadway Commission’s official name: National Commission on Fraudulent Financial Reporting.
5 interrelated components:
1. Risk assessment
2. Control environment
3. Control activities
4. Information and communication
5. Monitoring
“COSO Internal Controls Framework”
IT Controls Frameworks: COSO
Operations / Finance / Information risks
5 elements:
1. Condition
2. Criteria
3. Effect
4. Cause
5. Recommendation
Risk Appetite Map
2. IT Controls Frameworks: COBIT
The COBIT Framework includes policies, structures, practices and organizational procedures to ensure adequate IT governance, with a set of IT processes grouped into four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring.
COBIT, the standard for Control Objectives for Information and related Technology, issued in 1998 (3rd Edition) by the IT Governance Institute of ISACA, identifies 5 types of IT resources (people, application systems, technology, facilities and data) and 34 high-level control objectives grouped into 4 domains.
The 4 domains identified for high-level classification:
1. Planning and Organizing
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring
With COBIT’s 318 recommended detailed control objectives.
“COBIT to Perform IT Audits”
COBIT: IT Governance focus area
Robert R. Moeller, IT Audit, Control and Security, John Wiley & Sons, Inc.
COBIT: Cube
Robert R. Moeller, IT Audit, Control and Security, John Wiley & Sons, Inc.
COBIT Principle
COBIT: Goal with Enterprise Architecture
Robert R. Moeller, IT Audit, Control and Security, John Wiley & Sons, Inc.
3. IT Infrastructure Library (ITIL)
The IT Infrastructure Library (ITIL) has become the de facto world standard in IT Service Management. It defines five stages in the service life cycle: Strategy, Design, Transition, Operation and Continual Service Improvement. Service Management includes the processes of Change Management, Configuration Management, Incident Management, Problem Management, Service Level Management, etc.
IT Infrastructure Library (ITIL) Service Management
INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (B.E. 2554, i.e. 2011)
Attribute Standards: 1000, 1100, 1200, 1300
Performance Standards: 2000, 2100, 2200, 2300, 2400, 2500, 2600
Internal Control Classifications
1. Preventative:
- Detect problems before they arise.
- Monitor both operation and inputs.
- Attempt to predict potential problems.
- Prevent an error from occurring.
2. Detective:
- Use controls that detect and report the occurrence of an error.
3. Corrective:
- Minimize the impact of a threat.
- Remedy problems discovered by detective controls.
- Identify the cause of a problem.
- Correct errors arising from a problem.
- Modify the processing systems to minimize future occurrences of the problem.
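The three control classes above are easier to tell apart when each is seen as a concrete mechanism over the same transaction stream. The following Python is an added illustration written for this lecture, not code from the original slides or from any cited framework; the payment ledger, the approval limit, the approver names and the "batch upload that bypassed the check" are all constructed sample data. A preventive control blocks a bad payment before it is posted, a detective control scans what was posted and reports violations, and a corrective control reverses the flagged items and records what it did.

```python
"""Preventive, detective and corrective controls over a constructed payment ledger.
Added example for the lecture; all data and limits are constructed, not real."""
from dataclasses import dataclass, field

# Constructed policy: a single payment above this amount needs two distinct approvers.
APPROVAL_LIMIT = 10_000.0


@dataclass
class Payment:
    pid: str              # constructed payment id
    amount: float
    approvers: tuple      # user names that approved the payment (constructed)
    posted: bool = False  # True once the payment is in the ledger


@dataclass
class Ledger:
    payments: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # evidence trail an auditor can inspect


def violates_policy(p: Payment) -> bool:
    """The single rule all three controls enforce: non-positive amounts and
    over-limit payments without two *distinct* approvers are violations."""
    if p.amount <= 0:
        return True
    return p.amount > APPROVAL_LIMIT and len(set(p.approvers)) < 2


def preventive_control(ledger: Ledger, p: Payment) -> bool:
    """Preventive: check the input *before* it is posted; reject and log on failure."""
    if violates_policy(p):
        ledger.audit_log.append(f"REJECT {p.pid}: policy violation at input")
        return False
    p.posted = True
    ledger.payments.append(p)
    return True


def detective_control(ledger: Ledger) -> list:
    """Detective: after the fact, scan posted payments and report the violators.
    This catches records that reached the ledger through a path that skipped the
    preventive check (for example a bulk load)."""
    findings = [p.pid for p in ledger.payments if p.posted and violates_policy(p)]
    for pid in findings:
        ledger.audit_log.append(f"DETECT {pid}: posted payment violates policy")
    return findings


def corrective_control(ledger: Ledger, findings: list) -> list:
    """Corrective: reverse every flagged payment, log the reversal and return the
    ids that remain posted so the remediation itself can be verified."""
    for p in ledger.payments:
        if p.pid in findings and p.posted:
            p.posted = False
            ledger.audit_log.append(f"REVERSE {p.pid}: reversed by corrective control")
    return [p.pid for p in ledger.payments if p.posted]


def run_demo():
    """Walk one constructed scenario through all three control types."""
    ledger = Ledger()
    preventive_control(ledger, Payment("P1", 500.0, ("alice",)))             # accepted
    preventive_control(ledger, Payment("P2", 25_000.0, ("alice",)))          # rejected
    preventive_control(ledger, Payment("P3", 25_000.0, ("alice", "bob")))    # accepted
    # Constructed bulk load that bypassed the preventive control: over the limit and
    # the "two" approvals are really the same person twice.
    ledger.payments.append(Payment("P4", 40_000.0, ("carol", "carol"), posted=True))
    findings = detective_control(ledger)
    remaining = corrective_control(ledger, findings)
    return findings, remaining, ledger.audit_log


if __name__ == "__main__":
    for line in run_demo()[2]:
        print(line)
```

The same policy function is shared by the preventive and detective controls on purpose: the preventive control applies it at the input boundary, the detective control applies it to the stored result, and an auditor reading the audit log can see both the rejected input (P2) and the record that slipped past the boundary and was later reversed (P4).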
IA Related ISO Standards
ISO 9001: Quality Management Systems
ISO IT Security Standards: ISO 27001 and ISO 27002
ISO 20000: Service Quality Management
ISO 19011: Quality Management Systems Audit
1. Ethical conduct
2. Fair presentation
3. Exercise due professional care
4. Independence
5. Evidence-based approach
Computer-Assisted Audit Tools and Techniques
Robert R. Moeller, IT Audit, Control and Security, John Wiley & Sons, Inc.
SDLC Content
1. System Development
2. System Development Life Cycle
3. Requirements
4. External and Internal Design
5. Programming
6. Testing
7. Operating and Maintenance
8. SDLC Models
8.1 Waterfall Model
8.2 Prototyping Model
8.3 Spiral Model
8.4 RAD Model
8.5 Package Model
8.6 Agile SDLC
9. Summary of System Development Methodology
10. Software Engineering Standards
Ref: Jirapun Daengdej (Ph.D., Asst. Prof.)
1. System Development
• System is…? Software + Hardware
• Functions meeting the business requirements are called…? Software
• The environment on which software is executed is called…? Hardware
• System Development is…? Developing SW programs for a system
2. System Development Life Cycle
• SDLC is…?
• With…?
• And providing an operational environment such as servers, networks and terminals
Summary of System Development Methodology #1
Summary of System Development Methodology #2
3. Requirements Definition
1. Objective
2. Size
3. Design conditions
4. System configuration
5. List of the products to purchase
6. Policy for the migration
7. Operation and maintenance policy
8. Operation plan
9. Development schedule
10. Organization chart
11. Development environment
12. Development costs (cost-to-effect ratio)
4. External and Internal Design
Work scope of External Design
1. Decomposition into subsystems
2. Screen/report layout design
3. Logical design of the database
4. System configuration (hardware, software, network)
5. Migration plan
Work scope of Internal Design
1. Decomposition into modules
2. Module structure design
3. Module specification
4. Test plan
Decomposition into modules
IT Control #2
ASOSAI
Work scope of the Test stage
1. Module Test
2. Integration Test
3. System Test (+ *Quality Evaluation)
4. Operational Test (User Acceptance Test)
8.5 Package Model
Customization of the package SW
Add-on development
When the target package software is not equipped with the necessary functions, developers have to develop additional functions. Such customization is called “add-on” development.
Parameter setting
Many software packages can be adapted to each company’s business by setting parameters (e.g. the number of digits in goods codes or customer codes, depreciation methods).
8.6 Agile SDLC
1. Agile aims to reduce risk by breaking projects into small, time-limited modules or timeboxes (“iterations”).
2. Each iteration is approached like a small, self-contained mini-project, lasting only a few weeks. Each iteration has its own self-contained stages of analysis, design, production, testing and documentation.
3. In theory, a new software release could be made at the end of each iteration, but in practice the progress made in one iteration may not be worth a release and will be carried over and incorporated into the next iteration.
4. The project’s priorities, direction and progress are re-evaluated at the end of each iteration.
Agile SDLC property
• Speed up or bypass one or more life cycle phases
• Usually less formal and of reduced scope
• Used for time-critical applications
• Used in organizations that employ disciplined methods
Agile Methods
• Adaptive Software Development (ASD)
• Feature Driven Development (FDD)
• Crystal Clear
• Dynamic Systems Development Method (DSDM)
• Rapid Application Development (RAD)
• Scrum
• Extreme Programming (XP)
• Rational Unified Process (RUP)
Agile SDLC: The Scope of Life Cycles
3. Capability Maturity Model Integration (CMMI)
Capability Maturity Model Integration (CMMI)
The Capability Maturity Model Integration (CMMI) is devoted to assessing the current situation and implementing practices to gain maturity in systems engineering activities.
CMMI is a framework from Carnegie Mellon University, Pittsburgh, USA, sponsored by the US Department of Defense (DoD).
2 categories of CMMI (covering 22 key process areas):
1. Maturity level (ML): 5 MLs; Initial, Managed, Defined, Quantitatively Managed, Optimizing.
2. Capability level (CL): process areas in 4 groups (Project Management, Engineering, Support, Process Management), each rated on 6 CLs; Incomplete, Performed, Managed, Defined, Quantitatively Managed, Optimizing.
Hardware
Speakers, modem, microphone, RAM, CPU, keyboard, mouse, CD-ROM drive, diskette drive, hard drive, printer, ports, monitor, expansion board, Zip drive