Auditing IT compliance: a practical approach (EEMA), November 2005
Mr. Marc Vael, Managing Director, Valuendo
2005 Valuendo. All rights reserved. INFORMATION CLASSIFICATION = PUBLIC

Agenda
In this session an answer will be given on:
- How to manage IT risks & compliance within an organisation using CobIT, the IT governance standard;
- How to present the results of IT risk & compliance audits?

Marc Vael, EEMA, Valuendo, November 2005
Introduction
Marc Vael, Managing Director Valuendo (value & do) since July 2001
- Education: Master Applied Economics (UAntwerp); Master Information Management (UHasselt); Master+ Applied Economics & ICT (KUL)
- Core services: ERM; IT Governance; Information Security Management; Business Continuity / Disaster Recovery; Crisis Management; Data Privacy & Protection; IT Audit & Compliance
- Certifications: CISA / CISM / CISSP / ITIL Service Manager

Introduction
(Compliance) audits are executed by independent (internal/external) skilled parties and result in a report for the board of directors, executive management and/or external parties in order to provide comfort/assurance.
- Scope (what & what not)
- Execution (D O T)
- Facts based (documentation / reports / tests)
- Reporting (Obs / Risk / Rec)

Introduction
[Diagram: ASSESS, DESIGN, IMPLEMENT and MONITOR arranged around COMPLIANCE]

Need for Audit & Compliance
- New legislation & regulation: assurance on internal control
- Stress on governance & responsibility of directors
- Pervasiveness & importance of IT
- Beyond financial risk: towards risks that adversely affect the organization's ability to achieve its objectives and execute its strategies
- SMEs
Examples: Sarbanes-Oxley (SOx), Basel II, GLBA, HIPAA, Code Lippens, Code Buysse

Need for Audit & Compliance: new management practices
IT Governance: a structure of IT relationships & processes to direct and control the enterprise to achieve the enterprise's goals by adding value while balancing risk vs. return over IT and its processes.
IT Manageability:
- New tools for management to self-assess and make choices for control implementation and improvements
- Ability to align the IT organisation with the goals of the enterprise
- Performance measurements that ensure that these goals are achieved

IT Governance Compliance

IT Governance Compliance: implementing Control & Governance
Drivers                                        | Inhibitors
-----------------------------------------------|------------------------------
Compliance with law, standards and regulations | Budget limitations
Cost reduction                                 | Availability of skilled staff
Mission & goals                                | Management awareness
Performance improvement                        | Management commitment
Risk reduction                                 | Lack of ownership
Reputation and trust                           | Existing architecture
Competitive environment                        | No easy solution
Corporate values                               | Resource conflicts/priorities
Political/economic environment                 | Lack of tools
                                               | Political/economic environment

CobIT & IT Governance Compliance: link between COBIT and IT Governance
[Diagram, built up over two slides, with the following labels]
- COBIT
- Direction (IT strategy & policy); Requirements; Control
- Goals; Responsibilities; Objectives
- Governance; Business; IT; Information
- Information the executive and board need to exercise their responsibilities
- Information the business needs to achieve its objectives
- IT Information (control, risk & assurance)
- IT Governance

CobIT: IT Control Framework
- COBIT's Vision: to be the (de facto) model for IT governance
- COBIT's Mission: to research, develop, publicise and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers & auditors
- Definition of Control: the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved & that undesired events will be prevented or detected and corrected
- Definition of IT Control Objective: a statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity

CobIT: IT Control Framework, basic principles
- Generally applicable & internationally accepted open standard
- Regardless of technology
- Starting from business requirements for information
- Management- and business process owner-oriented
- Includes existing standards and techniques: risk assessment concepts; business risk / value assessment; assurance planning and scoping; control evaluation and testing; control and process maturity (self-assessment); substantiating risk and effective reporting
- First published in 1992; 4th edition is planned for end 2005

CobIT: IT Control Framework, components
- Executive Summary
- Implementation Guide: road map for implementation; planning tools and templates; presentations; awareness and diagnostic tools
- Framework with high-level control objectives
- Management Guidelines: Key Performance Indicators; Critical Success Factors; Key Goal Indicators; Maturity Models
- Audit Guidelines
- Detailed Control Objectives
- Control Practices

CobIT: IT Control Framework, relationship between IT resources & business requirements
- Business requirements: effectiveness; efficiency; confidentiality; integrity; availability; compliance; reliability (of information)
- IT resources: people; information; applications; infrastructure
- IT processes: Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate

CobIT process map: 4 domains, 34 processes, 318 control objectives
Business objectives; criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT resources: information, applications, infrastructure, people

PLAN AND ORGANISE
- PO1 Define a strategic IT plan
- PO2 Define the information architecture
- PO3 Determine the technological direction
- PO4 Define the IT organization and relationships
- PO5 Manage the IT investment
- PO6 Communicate management aims and direction
- PO7 Manage human resources
- PO8 Ensure compliance with external requirements
- PO9 Assess risks
- PO10 Manage projects
- PO11 Manage quality

ACQUIRE & IMPLEMENT
- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Develop and maintain procedures
- AI5 Install and accredit systems
- AI6 Manage changes

DELIVER & SUPPORT
- DS1 Define and manage service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and allocate costs
- DS7 Educate and train users
- DS8 Assist and advise customers
- DS9 Manage the configuration
- DS10 Manage problems and incidents
- DS11 Manage data
- DS12 Manage facilities
- DS13 Manage operations

MONITOR & EVALUATE
- ME1 Manage IT performance
- ME2 Monitor internal controls
- ME3 Oversee IT governance
- ME4 Ensure regulatory compliance
CobIT results: maturity measurement & reporting
Level | Name       | Ranking
------|------------|------------------------------------------
0     | Inexistent | Processes are not applied at all
1     | Initial    | Processes are ad hoc & not organised
2     | Repeatable | Processes follow a regular pattern
3     | Defined    | Processes are documented & communicated
4     | Managed    | Processes are monitored & measured
5     | Optimized  | Processes are optimized & automated
Symbols plotted on the scale: current status of the organisation; goal of the organisation; international standard; industry best practice.
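The maturity scale above is what the deck proposes for presenting audit results: each process is rated 0 to 5 for its current status and for the organisation's goal, and the distance between the two is what the board reads. The script below is an added example, not part of the presentation or of any COBIT product, that turns such a self-assessment into a gap table: it validates that every rating is on the 0-5 scale, ranks processes by the size of the goal gap, and averages per domain (PO, AI, DS, ME). The process codes are the COBIT ones listed earlier in the deck; the rating values in `SAMPLE` are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

# COBIT generic maturity scale as shown on the slide (0 = Inexistent ... 5 = Optimized).
MATURITY_LEVELS = {
    0: "Inexistent",
    1: "Initial",
    2: "Repeatable",
    3: "Defined",
    4: "Managed",
    5: "Optimized",
}


@dataclass(frozen=True)
class Assessment:
    """One process rating: current status, the organisation's goal, industry best practice."""
    process: str        # COBIT process code, e.g. "DS5"
    name: str
    current: int
    goal: int
    best_practice: int


def validate(a: Assessment) -> None:
    """Reject ratings outside the 0-5 scale so a typo never reaches the report."""
    for field, value in (("current", a.current), ("goal", a.goal), ("best_practice", a.best_practice)):
        if value not in MATURITY_LEVELS:
            raise ValueError(f"{a.process}: {field}={value!r} is not a maturity level 0-5")


def domain_of(process: str) -> str:
    """'DS10' -> 'DS': the leading letters are the COBIT domain (PO, AI, DS, ME)."""
    return process.rstrip("0123456789")


def gap_report(assessments):
    """Per-process gap (goal - current), largest gaps first, ties broken by process code."""
    rows = []
    for a in assessments:
        validate(a)
        gap = a.goal - a.current
        rows.append({
            "process": a.process,
            "name": a.name,
            "current": a.current,
            "goal": a.goal,
            "gap": gap,
            "to_best_practice": a.best_practice - a.current,
            "status": "at goal" if gap <= 0 else "below goal",
        })
    return sorted(rows, key=lambda r: (-r["gap"], r["process"]))


def domain_summary(assessments):
    """Average current and goal rating per domain, rounded to one decimal."""
    by_domain = {}
    for a in assessments:
        validate(a)
        by_domain.setdefault(domain_of(a.process), []).append(a)
    return {
        d: (round(mean(x.current for x in xs), 1), round(mean(x.goal for x in xs), 1))
        for d, xs in by_domain.items()
    }


def render(assessments) -> str:
    """Plain-text table of the kind that goes into the results section of an audit report."""
    lines = [f"{'Process':8}{'Cur':>4}{'Goal':>5}{'Gap':>4}  {'Level (current)':16} Status"]
    for r in gap_report(assessments):
        lines.append(
            f"{r['process']:8}{r['current']:>4}{r['goal']:>5}{r['gap']:>4}  "
            f"{MATURITY_LEVELS[r['current']]:16} {r['status']}"
        )
    lines.append("")
    for d, (cur, goal) in sorted(domain_summary(assessments).items()):
        lines.append(f"{d}: average current {cur}, average goal {goal}")
    return "\n".join(lines)


# Constructed sample self-assessment: illustrative ratings, not figures from the deck.
SAMPLE = [
    Assessment("PO9", "Assess risks", 1, 3, 4),
    Assessment("DS5", "Ensure systems security", 2, 4, 4),
    Assessment("AI6", "Manage changes", 3, 3, 4),
    Assessment("DS10", "Manage problems and incidents", 2, 3, 4),
    Assessment("ME2", "Monitor internal controls", 1, 3, 3),
]

if __name__ == "__main__":
    print(render(SAMPLE))
```

Sorting by gap rather than by process code is deliberate: the reader of the report wants to see DS5 and ME2 (two levels short of their goal) before AI6 (already at goal), and the per-domain averages give the one-line summary that usually ends up on the executive slide.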
What is COBIT used for in practice? (Result from surveys)
- To improve audit approach/programs
- To support audit work with detailed audit guidelines
- To provide guidance for IT governance
- As a valuable benchmark for IT control
- To manage IT risks
- To improve IT controls
- To standardise audit approach/programs
- To communicate with management, auditors and IT

Conclusion
[Diagram: ASSESS, DESIGN, IMPLEMENT and MONITOR arranged around COMPLIANCE]

Relevant organisations in Belgium
- ISACA: http://www.isaca.be, http://www.isaca.org
- ISSA: http://www.issa-be.org, http://www.issa.org
- IIA: http://www.iia.be, http://www.iia.org

Contact information
Mr. Marc Vael, Managing Director, Valuendo
Kriebrugstraat 33, 1760 Roosdaal, Belgium
T: +32 5 433 61 93
M: +32 473 99 30 31
E-mail: mvael@valuendo.com