©2005 Deloitte & Touche Public Sector Internal Audit Limited. Private and Confidential IT Governance - Ealing Council.
Post on 19-Dec-2015
IT Governance
A process by which an organisation's leaders ensure that IT is aligned with the business and delivers value, that its performance is measured, that its resources are properly allocated and that its risks are mitigated.
Technology
•Opportunities
•Growth
•Development
Information Technology
• Integral part of all processes
• Accomplish mission and objectives
• Facilitates local and global communications
Technology Threats
•Service Disruption
•Deception
•Theft
•Fraud
•Trusted Users
What Questions Should You Be Asking
•What are IT controls?
•What should be protected?
•Where are IT controls applied?
•Who is responsible?
•When do we assess IT controls?
•How much control is enough?
IT Controls
Significant Components
• Automation of business controls
• Control of IT
• Support business management and governance
IT Controls
•Corporate Policies
•Coded instructions
•Physical access
•Audit trails – the ability to trace actions and transactions to responsible individuals
•Automatic edits (data input)
•Data integrity…
Controls Classifications
•General controls (also known as infrastructure controls) – apply to all system components and also cover information security policy, security administration, access and authentication
•Application controls – e.g. data input validation and separation of duties, such as keeping transaction initiation separate from transaction authorisation
•Preventive controls – prevent errors, omissions or security incidents from occurring, e.g. data entry validation, access control
•Detective controls – detect errors or incidents after the fact, e.g. flagging the account numbers of inactive accounts so that any activity on them is monitored as suspicious
•Corrective controls – correct errors, omissions or incidents once they have been detected, e.g. correcting a data entry error, identifying and removing unauthorised users or software from systems or networks
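The classifications above, and the audit-trail control listed earlier (tracing every action to a responsible individual), are easiest to see working together on a small transaction feed. The following is an added illustration written for this page, not code from the slide deck, from Deloitte or from Ealing Council: it runs a constructed payment feed through a preventive layer (input edits, access control, separation of duties), a detective layer (activity on a dormant account) and a corrective layer (suspending the account), writing an audit entry with the responsible actor at each step. The account register, transactions, user names and the 180-day dormancy threshold are all assumptions made up for the example.

```python
"""Preventive / detective / corrective controls with an audit trail.
Example code added for this page; all data below is constructed."""
from dataclasses import dataclass
from datetime import date

DORMANCY_DAYS = 180  # assumption: 180 days without activity makes an account "inactive"


@dataclass
class Account:
    number: str
    last_activity: date
    active: bool = True


@dataclass
class Transaction:
    txn_id: str
    account: str
    amount: int          # pence; a valid input is a positive whole number
    initiated_by: str
    authorised_by: str
    posted_on: date


@dataclass
class AuditEntry:
    txn_id: str
    control: str         # which class of control produced the entry
    outcome: str
    actor: str           # responsible individual, or "system" for automatic actions


def sample_accounts():
    """Constructed account register (not real data); fresh copy on every call."""
    return {
        "1001": Account("1001", date(2005, 5, 20)),
        "2002": Account("2002", date(2004, 9, 1)),   # dormant: idle for well over 180 days
        "3003": Account("3003", date(2005, 5, 1)),
    }


# Constructed transaction feed (not real data).
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "1001", 12500, "alice", "bob", date(2005, 6, 1)),    # clean
    Transaction("T2", "3003", 4000, "carol", "carol", date(2005, 6, 1)),   # self-authorised
    Transaction("T3", "2002", 99900, "dave", "erin", date(2005, 6, 1)),    # dormant account
    Transaction("T4", "2002", 500, "dave", "erin", date(2005, 6, 2)),      # after suspension
    Transaction("T5", "1001", 0, "alice", "bob", date(2005, 6, 2)),        # bad input
]


def preventive_checks(txn, accounts):
    """Preventive controls: stop the transaction before it is posted.
    Returns the reasons for rejection; an empty list means it may proceed."""
    errors = []
    if not isinstance(txn.amount, int) or txn.amount <= 0:   # automatic input edit
        errors.append("invalid amount")
    acct = accounts.get(txn.account)
    if acct is None:
        errors.append("unknown account")
    elif not acct.active:                                     # access control
        errors.append("account suspended")
    if txn.initiated_by == txn.authorised_by:                 # separation of duties
        errors.append("initiator and authoriser are the same person")
    return errors


def detective_check(txn, accounts):
    """Detective control: any activity on an inactive account is suspicious."""
    idle_days = (txn.posted_on - accounts[txn.account].last_activity).days
    return f"activity after {idle_days} idle days" if idle_days > DORMANCY_DAYS else None


def corrective_action(txn, accounts, audit):
    """Corrective control: suspend the account until a reviewer clears it."""
    accounts[txn.account].active = False
    audit.append(AuditEntry(txn.txn_id, "corrective", "account suspended pending review", "system"))


def process(transactions, accounts):
    """Run each transaction through all three control classes.
    Returns (posted ids, rejected ids, flagged ids, audit trail)."""
    audit, posted, rejected, flagged = [], [], [], []
    for txn in transactions:
        errors = preventive_checks(txn, accounts)
        if errors:
            rejected.append(txn.txn_id)
            audit.append(AuditEntry(txn.txn_id, "preventive", "rejected: " + "; ".join(errors), txn.initiated_by))
            continue
        flag = detective_check(txn, accounts)
        if flag:   # the detective control flags but does not block; correction follows
            flagged.append(txn.txn_id)
            audit.append(AuditEntry(txn.txn_id, "detective", flag, txn.authorised_by))
            corrective_action(txn, accounts, audit)
        posted.append(txn.txn_id)
        accounts[txn.account].last_activity = txn.posted_on
        audit.append(AuditEntry(txn.txn_id, "audit trail", "posted", txn.authorised_by))
    return posted, rejected, flagged, audit


def run_example():
    """Process the constructed feed against a fresh copy of the register."""
    return process(SAMPLE_TRANSACTIONS, sample_accounts())


if __name__ == "__main__":
    posted, rejected, flagged, audit = run_example()
    print("posted:", posted, "rejected:", rejected, "flagged:", flagged)
    for entry in audit:
        print(f"{entry.txn_id} [{entry.control}] {entry.outcome} (by {entry.actor})")
```

Note the order of events for account 2002: T3 is posted but flagged, the corrective control suspends the account, and the preventive layer then rejects T4 on its own. That hand-off from detective to corrective to preventive is the point of classifying controls rather than treating them as one list.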
Governance Controls
• Primary accountability for internal controls resides with the corporate board
• Ensure that effective information management and security principles, policies and processes are in place, and that there is sufficient performance and compliance evidence to demonstrate this
• Controls mandated by the corporate leadership team (CLT) are linked with corporate governance and are driven by the organisation's goals and strategies and by external regulators
• The Performance and Audit Panel's responsibility is oversight rather than performing control activities, e.g. the Panel does not do the auditing itself but oversees both internal and external audit at Ealing
Management Controls
•Responsibility reaches into the organisation, with special attention to critical assets, sensitive information and operational functions
•Requires close collaboration with the audit committee to ensure that the IT controls needed to achieve established objectives are applied, are reliable and provide continuous processing
•Management must recognise risks to the organisation, its assets and its processes
•Implement mechanisms to mitigate these risks (protect, monitor and measure results)
Technical Controls
Form the foundation that ensures the reliability of virtually every other control in the organisation, e.g.
• Protection against unauthorised access and intrusion
• Reliance on the integrity of information
• Evidence of all changes and of their authenticity
What to Expect (GTAG, IIA)
Information Security
Integral part of all IT controls, with the exception of the financial aspects of IT such as return on investment, budgetary controls and some project management controls
BS 7799 / ISO/IEC 17799
ITIL
Information Security
Three key elements of information security
•Confidentiality – information is only divulged as appropriate
•Integrity – data is correct and complete
•Availability – information must be available to the organisation, its customers and its partners when, where and in the manner needed; this includes the ability to recover from loss, disruption or corruption of data and IT services
Role of Performance and Audit Panel
•What do we mean by IT controls?
•Why do we need IT controls?
•Who is responsible for IT controls?
•When is it appropriate to apply IT controls?
•Where exactly are IT controls applied?
•How do we perform IT controls assessments?
The Structure of IT Auditing (GTAG, IIA)
IT Audit at Ealing
• Essential part of the corporate governance process
• Internal Audit has specialist, qualified IT auditors performing audits
• IT auditing is included in the audit universe and the annual plan
• The plan is shared with external audit, as in the Response programme
• Agresso implementation
• Post Implementation Reviews
• General IT controls – anti-virus, IT security, network infrastructure, operating systems
• Specialist data integrity work (CAATs)
• Data Protection & Freedom of Information
• Applications………
The Audit Process
• Formal structure for addressing IT controls
• Sound technical understanding
• Provide results of risk and control assessments
• Interact with those responsible for controls
• Pursue continuous learning through CPD and reassessment of new technologies – new opportunities, risks, dependencies, strategies and requirements
IT Control Assurance
IT controls assurance addresses the ability of controls to protect the organisation against the most important threats and provides evidence that the remaining risks are unlikely to harm the organisation and its stakeholders significantly. (GTAG, IIA)
Important Roles and Responsibilities
• Corporate level – Performance and Audit Panel; Audit Board
• Management – Chief Executive; Head of IT; IT Security Officer
• Audit – Internal; External
Control Framework
Adoption of a formal control framework is beneficial
•COSO (The Committee of Sponsoring Organisations of the Treadway Commission) – five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring
•COBIT (ISACA, 2005) – an accepted standard for good information technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners
Corporate Level
• Oversee risk management and compliance programs concerning information security
• Approve and adopt information security principles and assign key managers responsible for information security
• Protect the interest of all stakeholders who depend on information security
• Review information security policies regarding strategic partners and other third parties
• Ensure business continuity
• Review the provisions of internal and external audits of IT
• Collaborate with management to specify which information security reviews should be reported to the Corporate Board
Management
• Establish information security management policies
• Assign information security roles, responsibilities, and required skills, and maintain separation of duties
• Provide training in security matters
• Assess IT risks and manage these risks
• Set information security requirements for strategic partners and other third parties
• Identify and classify information assets
• Implement and test business continuity
• Approve IT acquisitions, development, operations and maintenance
• Protect the physical environment
• Collaborate with security personnel to specify what needs to be reported to management
Internal/External Audit
As covered in the previous slide (IT Audit at Ealing), but also…
• Advise corporate and management level on IT internal control issues
• Ensure IT is included in the internal audit plan
• IT risks are considered when assigning resources and prioritising audit activities
• Specialist training
• IT issues for key systems are considered
• Performing IT risk assessments
• Performing IT audits…
Some Useful Websites
www.itgi.org - IT Governance Institute
www.coso.org – The Committee of Sponsoring Organisations of the Treadway Commission
www.isaca.org - Information Systems Audit and Control Association
www.theiia.org - Institute of Internal Auditors
www.sans.org – Security Policy Resource Page
Shahab Hussein CISA
Senior Manager – Computer Assurance Services
Deloitte & Touche Public Sector Internal Audit
shussein@deloitte.co.uk
Direct: 01727 886610
Mobile: 07970 884602
Questions