Developing a Risk-based Audit Plan - PowerPoint PPT Presentation

1
Developing a Risk-based Audit Plan
Information System (IS) Audit- Concept Process
and Implementation
Roshan Regmi, IT/MIS Department, Nepal Bank
Limited, October 2009
  • Kathy Underhill
  • Vice-President, Risk and Internal Audit
  • December 2005

2
[Diagram: How Business was Planned / Business Strategy / What IT Understood / How was it Implemented / What was delivered to User / Frustration]
3
Outline
  • Snapshots
  • Information System Fundamentals
  • Core Banking System Basics
  • IS Audit
  • IS Audit Responsibilities
  • COSO Framework
  • COSO ERM Framework
  • Risk Based IS Audit and Examples
  • CoBIT Framework
  • Using CoBIT in IS Audit

4
IS in Business
5
Trends in Information Systems
6
Types of Information System
7
IS Resources and Activities
8
Core Banking Architecture - NEWTON
9
Core Banking Architecture - FINACLE
10
Information System Audit
  • IS audit is the process of collecting and evaluating
    evidence to determine whether a computer system
    (information system) safeguards assets, maintains
    data integrity, achieves organizational goals
    effectively and consumes resources efficiently
  • Purpose of IS Audit: to answer three questions
  • Will the organization's computerized systems be
    available for the business at all times when
    required? (Availability)
  • Will the information in the systems be disclosed
    only to authorized users? (Confidentiality)
  • Will the information provided by the system
    always be accurate, reliable, and timely?
    (Integrity)

11
Areas of IS Audit

12
Spectrum of IS Audit
  • Systems and Applications: an audit to verify that
    systems and applications are appropriate, are
    efficient, and are adequately controlled to
    ensure valid, reliable, timely, and secure input,
    processing, and output at all levels of a
    system's activity
  • Information Processing Facilities: an audit to
    verify that the processing facility is controlled
    to ensure timely, accurate, and efficient
    processing of applications under normal and
    potentially disruptive conditions
  • Systems Development: an audit to verify that the
    systems under development meet the objectives of
    the organization, and to ensure that the systems
    are developed in accordance with generally
    accepted standards for systems development
  • Management of IT and Enterprise Architecture: an
    audit to verify that IT management has developed
    an organizational structure and procedures to
    ensure a controlled and efficient environment for
    information processing
  • Client/Server, Telecommunications, Intranets,
    and Extranets: an audit to verify that controls
    are in place on the client (computer receiving
    services), server, and on the network connecting
    the clients and servers

13
IS Audit Responsibilities
Strategic and Business
Audit Roles:
  • Strategic risk assurance
  • Participate in oversight committee for the risk management process
  • Test management's mitigation policy
  • Test/verify assumptions behind key decisions
Strategic and Business Risks:
  • Product line expansion
  • Acquisitions/JV/Divestiture
  • Threats to company reputation
  • Shift in market competitive dynamics
New Capabilities:
  • Transfer strategic risks into auditable risk activities
  • Link strategic direction to risk priorities
  • Identify and incorporate external conditions into audit plans
14
IS Audit Responsibilities
Operational
Audit Roles:
  • Identify risk trends and communicate to management
  • Facilitate continuous improvement of controls
  • Recommend improvements on the adequacy and effectiveness of management's risk processes
  • Identify gaps in management's plans to achieve goals
Operational Risks:
  • Ineffective risk management system
  • Supply chain and outsourcing management
  • Customer contact quality
New Capabilities:
  • Risk management experience
  • Understand company's corporate values and goals
  • Understand company's IT infrastructure
15
IS Audit Responsibilities
Financial Reporting and Regulatory Compliance
Audit Roles:
  • Perform proactive, risk-based audit of management processes
  • Drive self-service tool usage for management testing
  • Evaluate effectiveness of controls encompassing reliability and integrity of financial information based upon risk assessments
Financial Reporting and Regulatory Compliance Risks:
  • Inaccurate financial statements
  • Noncompliance with laws, regulations, contracts
  • Integrity of financial information
New Capabilities:
  • Maintain self-service tools
  • Continuous monitoring/auditing
16
COSO Framework
Issued in 1992 by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO),
the framework has long served as a blueprint for
establishing and evaluating internal controls that
promote efficiency, minimize risks, help ensure
the reliability of financial statements, and
comply with laws and regulations.
17
COSO Key Components of Internal Control
  • Risk Assessment: company-wide objectives;
    process-level objectives; risk identification
    and analysis; managing change.
  • Control Environment: integrity and ethical
    values; commitment to competence; BOD and audit
    committee; management's philosophy and operating
    style; organizational structure; assignment of
    authority and responsibility; human resource
    policies and procedures.
  • Information and Communication: quality of
    information; effectiveness of communication.
  • Monitoring: on-going monitoring; separate
    evaluations; reporting deficiencies.
  • Control Activities: policies and procedures;
    security (application and network); application
    change management; business continuity /
    backups; outsourcing.
18
Enterprise Risk Management (ERM) Framework
19
Enterprise Risk Management (ERM) Framework
The enterprise risk management framework is
geared to achieving an entity's objectives, set
forth in four categories:
  • Strategic: high-level goals, aligned with and
    supporting the mission
  • Operations: effective and efficient use of
    resources
  • Reporting: reliability of reporting
  • Compliance: compliance with applicable laws and
    regulations
20
The ERM Framework
The eight components of the framework are
interrelated
21
The ERM Framework
  • Entity objectives can be viewed in the
    context of four categories:
  • Strategic
  • Operations
  • Reporting
  • Compliance

22
In a riskier World!
  • Global village moving to a unified economy
  • Borderless world: a quiver of new threats
  • Mergers and Acquisitions: the order of the day
  • Unprecedented dependence on, and pace of, IT and
    networks used by business
  • Increasing potential of cyber crime
  • IT operational failures
  • Outsourcing: an accepted practice
  • Stringent regulatory compulsions
  • Demanding customers: online, real-time customers
  • Ethics climate!

23
The Risk World
24
Using Risk Management to determine IS areas to be
audited
  • Enables management to effectively allocate
    limited IS audit resources
  • Provides reasonable assurance that relevant
    information has been obtained from all levels of
    management, including the board of directors
    and functional area management. Generally,
    the information includes areas that will
    assist management in effectively discharging
    their responsibilities and provides
    reasonable assurance that the IS audit
    activities are directed to high business risk
    areas and will add value to management.
  • Establishes a basis for effectively managing the
    IS audit function
  • Provides a summary of how the individual review
    subject is related to the overall organization as
    well as to the business plans

25
Example of an Organizational Risk Assessment
Process
  • Identify risk factors and give them weights
  • Identify objectives/assets/auditable activities
  • Analyze the risks by considering their
    likelihood and consequence
  • Assign ratings to the risks
  • Review with audit client/management
  • Use rankings to develop audit priorities

27
EXAMPLE II: IS RISK ASSESSMENT MEASUREMENT/EVALUATION
INCORPORATING BUSINESS RISK FACTORS

29
IS Risk Assessment of Auditable Units
  • Data centre operations
  • Application systems (production)
  • Application systems (development)
  • IS procurement (manpower and material)
  • Software package acquisition
  • Other IS functions

34
Case Study: Software Acquisition
Implementation Details / Specifics
  • A company has received approval to install
    software to improve its services in the
    competitive market
  • An RFP has been developed, approved and sent
    through the tendering process
  • In selecting a vendor by competitive bidding, a
    two-envelope system is adopted to ensure
    fairness and transparency
Perceived Benefits
  • Enhanced services
  • Competitive
  • Better MIS reporting and Asset/Liability position

Size of systems / Deployment
  • Centralised systems
  • Possibility of decentralised systems
  • Application controls and auditing
  • Leased lines, Wireless IEEE 802.11b and VSAT
    connectivity

35
EXAMPLE IV: RISK ASSESSMENT, IS AUDIT v. SOFTWARE
PACKAGE ACQUISITION
Each rating factor is scored 1 to 5 and carries a weight; the
assigned score is weight x score, shown here at the maximum score of 5.
1. Scope of the system (weight 5, assigned score 25):
   1 = Part of a department; 2 = Complete department; 3 = Multi department; 4 = Organization wide; 5 = Organization and external
2. Financial exposure (AED) associated with the system (weight 5, assigned score 25):
   1 = None; 2 = Small (<100,000); 3 = Moderate (100,000 to 1 m); 4 = High (1 m to 10 m); 5 = Very high (>10 m)
3. Nature of package (weight 2, assigned score 10):
   1 = Off the shelf product; 2 = Custom built by vendor, maintained by vendor; 3 = Vendor developed, in-house maintained; 4 = Jointly developed, vendor maintained; 5 = Jointly developed, in-house maintained
4. Type of evaluation (weight 1, assigned score 5):
   1 = By the user department/IS/consultant; 2 = By IS/user; 3 = By consultant; 4 = By IS; 5 = By the user department
5. Cost and complexity of the package (weight 2, assigned score 10):
   1 = Negligible; 2 = Small; 3 = Moderate; 4 = Significant; 5 = Very high
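The scoring process of slide 25 (weight the factors, rate each auditable activity, rank the results into audit priorities) applied to the Example IV factors, as an added example that is not part of the original deck. The factor names, weights and the 1 to 5 scale are the slide's; the candidate packages, their ratings and the priority thresholds are constructed assumptions.

```python
"""Weighted risk scoring to rank auditable units (added example; constructed inputs)."""

# Rating factor -> weight, from Example IV. Every factor is rated 1 (lowest risk) to 5 (highest).
FACTORS = {
    "scope_of_system": 5,       # 1 part of a department .. 5 organization and external
    "financial_exposure": 5,    # 1 none .. 5 very high (>10 m)
    "nature_of_package": 2,     # 1 off the shelf .. 5 jointly developed, in-house maintained
    "type_of_evaluation": 1,    # 1 by user department/IS/consultant .. 5 by the user department
    "cost_and_complexity": 2,   # 1 negligible .. 5 very high
}
MAX_TOTAL = 5 * sum(FACTORS.values())  # 75: every factor at its maximum assigned score


def risk_score(ratings: dict) -> int:
    """Return sum(weight * rating) after checking the ratings are complete and in range."""
    unknown = set(ratings) - set(FACTORS)
    missing = set(FACTORS) - set(ratings)
    if unknown or missing:
        raise ValueError(f"unknown factors {sorted(unknown)}, missing factors {sorted(missing)}")
    for factor, rating in ratings.items():
        if not isinstance(rating, int) or not 1 <= rating <= 5:
            raise ValueError(f"{factor}: rating {rating!r} is not an integer from 1 to 5")
    return sum(FACTORS[f] * ratings[f] for f in FACTORS)


def audit_priority(score: int, high: float = 0.7, medium: float = 0.4) -> str:
    """Map a score to a priority band by its share of MAX_TOTAL (the bands are an assumption)."""
    share = score / MAX_TOTAL
    return "high" if share >= high else "medium" if share >= medium else "low"


def rank_units(units: dict) -> list:
    """Rank auditable units by descending score; the sort is stable, so ties keep input order."""
    scored = [(name, risk_score(r), audit_priority(risk_score(r))) for name, r in units.items()]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed candidate packages for a bank, not taken from the slides.
SAMPLE_UNITS = {
    "Departmental leave tracker": dict(scope_of_system=1, financial_exposure=1,
                                       nature_of_package=1, type_of_evaluation=1, cost_and_complexity=1),
    "Core banking package": dict(scope_of_system=5, financial_exposure=5,
                                 nature_of_package=2, type_of_evaluation=4, cost_and_complexity=5),
    "Branch MIS reporting tool": dict(scope_of_system=3, financial_exposure=3,
                                      nature_of_package=1, type_of_evaluation=2, cost_and_complexity=2),
}

if __name__ == "__main__":
    for name, score, priority in rank_units(SAMPLE_UNITS):
        print(f"{score:3d}/{MAX_TOTAL} {priority:6s} {name}")
```

The ranking is only as good as the ratings, so the "review with audit client/management" step of slide 25 still applies before the priorities are adopted.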
36
CoBIT Framework
  • Control Objectives for Information and related
    Technology (COBIT) is a set of best practices
    (framework) for information technology (IT)
    management created by the Information Systems
    Audit and Control Association (ISACA), and the IT
    Governance Institute (ITGI) in 1996.
  • COBIT provides managers, auditors, and IT
    users with a set of generally accepted measures,
    indicators, processes and best practices to
    assist them in maximizing the benefits derived
    through the use of information technology and
    developing appropriate IT governance
    and control in a company

37
CoBIT Background
  • Generally applicable and accepted international
    standard of good practice for IT control
  • C = Control
  • OB = OBjectives
  • I = for Information
  • T = and related Technology
  • An authoritative, up-to-date, international set
    of generally accepted Information Technology
    Control Objectives for day-to-day use by business
    managers and auditors.

38
CoBIT's Scope and Objectives
  • COBIT 4.0 was developed by the IT Governance
    Institute (www.itgi.org) and was released in
    December 2005
  • COBIT has evolved into an IT governance /
    control framework
  • A toolkit of best practices for IT control
    representing the consensus of experts
  • IT Governance focus
  • Linkage with business requirements (bridges the
    gap between control requirements, technical
    issues, and business risks).
  • Management process owner orientation
    (accountability)
  • Measurement and maturity driven
  • Generic focus applicable to multiple
    environments
  • Organizes IT activities into a generally
    accepted process model (in alignment with ITIL,
    ISO, and other relevant best practices)
  • Identifies the major IT resources to be
    leveraged
  • Defines control objectives and associated
    assurance guidelines

39
CoBIT For IT Governance
  • Focus Area
  • Strategic alignment
  • Value delivery
  • Resource management
  • Risk management
  • Performance measurement

40
CoBIT As A Framework
  • Enables the auditor to review specific IT
    processes against COBIT's Control Objectives to
    determine where controls are sufficient or
    advise management where processes need to be
    improved.
  • Helps process owners answer questions: Is what
    I'm doing adequate and in line with best
    practices? If not, what should I be doing and
    where should I focus my efforts?
  • COBIT is a framework and is NOT exhaustive or
    definitive.
  • The scope and breadth of a COBIT implementation
    varies from organization to organization.
  • COBIT prescribes "what" best practices should
    be in place. An effective implementation requires
    that COBIT be supplemented with other sources of
    best practice that prescribe the "how" for IT
    governance and controlled process execution.

41
Relationship Between CoBIT Components
42
CoBIT Structure overview
  • Starts from the premise that IT needs to deliver
    the information that the enterprise needs to
    achieve its objectives
  • Promotes process focus and process ownership
  • Divides IT into 34 processes belonging to four
    domains (providing a high level control objective
    for each process)
  • Looks at fiduciary, quality and security needs of
    enterprises, providing seven information criteria
    that can be used to generically define what the
    business requires from IT
  • Is supported by a set of over 200 detailed
    control objectives

IT Domains
  • Plan and Organise
  • Acquire and Implement
  • Deliver and Support
  • Monitor and Evaluate

Business Requirement (information criteria)
  • Effectiveness
  • Efficiency
  • Availability
  • Integrity
  • Confidentiality
  • Reliability
  • Compliance

43
CoBIT Cube
44
CoBIT Structure
45
CoBIT High Level Processes/Objectives
46
CoBIT High Level Processes/Objectives
47
CoBIT High Level Processes/Objectives
48
CoBIT High Level Processes/Objectives
49
Linking Control to Process Objectives: 34 High
Level and 200 Detailed Objectives
50
Example of CoBIT DS 5 Page-1
51
Example of CoBIT DS 5 Page-2
52
Example of CoBIT DS 5 Page-3
53
Example of CoBIT DS 5 Page-4
54
Example of CoBIT DS 5 Page-4
55
Summing It All Up: Business goals drive IT goals

56
Using CoBIT in IS Audit
57
Understand Technology Layers
58
Understand The IT Governance Domain
59
Technology Audit Universe
60
Security Audit Universe

61
MAP Audit Universe to CoBIT
62
Using CoBIT to Tie It All Together
63
CoBIT Control Assessment Questions
64
CoBIT's Audit Report Template
  • Sample Audit Report

65
Questions!