A

advertisement
F E AT U R E
Information Technology Auditing
and Facilitated Control Self-assurance
By Ken Doughty, CISA, CBCP, and John O’Driscoll, CISA, CIA
A
fundamental requirement for effective auditing is to
provide an opinion to the executive team and the board
audit committee on the adequacy of the internal control framework operating within the organisation’s information
technology and telecommunications (IT&T) environment. This
requirement, while ongoing, may have specific meaning at
some point, e.g., financial year-end when management is
required to sign off on the end of year accounts.
IT auditors have used a range of audit methodologies and
techniques to support their audit opinions. This paper will outline an approach recently utilised within a financial services
organisation to provide an annual assessment of the IT&T
internal control framework.
The approach used is based on a set of internationally
recognised IT service delivery and support process models
called ITIL (Information Technology Infrastructure Library)
and relies extensively on the use of control self-assurance
(CSA) workshops facilitated by IT audit staff. This approach
can be applied with equal success to internal and outsourced
IT&T environments.
CSA is a risk management program where risks and controls are examined and assessed to provide reasonable assurance to management that business objectives will be met. IT
management and staff involved in the delivery of services and
products to an organisation participate in all phases of the
process. For CSA to be effective it must have support from
IT&T management and staff.
The strengths of this approach are that it:
• Engages stakeholders in the review process
• Provides an end-to-end process perspective
• Increases participants’ knowledge and understanding of their
processes and potential risk exposure
• Provides process participants with an opportunity to air common concerns and participate in process improvement
Preparation
Training and ITIL Certification
A certified ITIL trainer presents a three-day in-house training program on ITIL. The training participants include all
internal IT auditors and representatives from the organisation’s
external auditors, IT department and IT&T service providers.
The training program also incorporates a number of teambuilding activities.
At the end of the three-day training program, all the attendees have completed the ITIL Foundation Level Certification
examination.
The main reason for inviting representatives outside of the
organisation’s IT audit department is to establish and maintain
an open and trusted relationship with all stakeholders. Further,
it helps gain acceptance of the new approach being adopted.
Senior Management Buy-in
A number of presentations are made to senior management
within the organisation and the IT&T service providers to
explain the purpose and approach and gain their acceptance.
A brochure to aid the communication on the purpose and
context of the process is prepared and distributed to all key
stakeholders.
ITIL Processes
The IT&T environment covers a large range of processes that
deliver services and products to the organisation. To ensure there
is effective coverage of the IT&T environment in using FCSA
(facilitated control self-assurance), the auditor utilises a best
practice IT framework with defined supporting processes.
One such framework with well-defined supporting processes is ITIL (www.itil.co.uk), a series of best practice guidelines
in IT management. Developed in the late 1980s when IT professionals gathered to develop a comprehensive life cycle for
all areas of IT service management, it created a common set of
terminology for the IT team to put services into business terms
and align them with key objectives.
This nonproprietary framework consists of a number of
interrelated processes that provide an end-to-end perspective to
IT&T service provision, with the aim to drive continuous
improvement. Today, many industry leaders recognise ITIL as
the de facto world standard in IT service management.
Service management is defined by ITIL as “the process of
maintaining and gradually improving business-aligned IT service quality, through the constant cycle of agreeing, monitoring, reporting and reviewing IT service achievements and
through instigating actions to eradicate unacceptable levels of
service.”
Since the mid-1990s, ITIL has had a proven track record
with corporations and governments worldwide, such as
Microsoft, Procter & Gamble, AXA and ABN AMRO.
The benefits of using ITIL include:
• IT services meeting business requirements, i.e., the IT effort
is focused on assisting the organisation achieve its strategic
objectives
• Improved efficiency and quality of service delivery
• Clear understanding of service delivery and support priorities
• Improved relationship among customers, IT and vendors
• Improved lines of communication between IT and its
customers
• Monitoring of service delivery which facilitates the identification of areas of process weakness
ITIL is particularly effective in an outsourcing environment,
where a business relationship between IT&T supplier(s) and
customers aims to provide an optimal balance between highquality services and controlled costs.
Figure 1 indicates the interrelationships among service
delivery, service support, application management, infrastructure management and the business perspective.
Figure 1—The ITIL Jigsaw
Service
Support
Service
Delivery
Applications
Management
The Business
Perspective
Infrastructure
Management
The ITIL service delivery process model is set out in
figure 2 and further description of each component is included
in table 1.
Table 1
ITIL
Component
Goal
Service level To maintain and gradually improve businessmanagement aligned IT service quality through a constant
cycle of agreeing, monitoring, reporting and
reviewing IT service achievements and
through instigating actions to eradicate
unacceptable levels of service
Availability To optimise the capability of IT infrastructure
management and supporting organisation to deliver a costeffective and sustained level of availability that
enables the business to satisfy its objectives
Capacity
To understand the future business
management requirements (the required service delivery),
the organisation’s operation (the current
serviced delivery), the IT infrastructure (the
means of service delivery), and ensure that
all current and future capacity and
performance aspects of the business
requirements are provided cost-effectively
Financial To provide cost-effective stewardship of the
management IT assets and the financial resources used in
for IT services providing IT services
IT service
continuity
To support the overall business continuity
management process by ensuring that the
required IT technical and services facilities
can be recovered within required and agreed
business time-scales
Figure 3 describes the ITIL service support process model.
Each component is broken down in table 2.
Figure 2—ITIL Service Delivery Process Model
Figure 3—ITIL Service Support Process Model
The Organisation, Customers and Users
The Organisation, Customers and Users
Service Level
Management
Availability
Management
Capacity
Management
Incident
Management
Financial
Management
Problem
Management
Change
Management
IT Service
Continuity
Release
Management
Configuration
Management
Table 2
ITIL
Component
Figure 4
Goal
Incident
To restore normal service operation as
management quickly as possible with minimum disruption
to the business, thus ensuring that the best
achievable levels of availability and service
are maintained
Problem
To minimise the adverse effect on the business
management of incidents and problems caused by errors in
the infrastructure, and to proactively prevent
the occurrence of incidents, problems and errors
Change
To ensure that standardised methods and
management procedures are used for efficient and prompt
handling of all changes, to minimise the
impact of any related incidents upon service
Release
To take a holistic view of change to an IT
management service and ensure that all aspects of a
release, both technical and nontechnical, are
considered together
Configuration To provide a logical model of the IT
management infrastructure by identifying, controlling,
maintaining and verifying the versions of all
configuration items in existence
There are two other critical supporting processes to the ITIL
service management model that the auditor needs to be aware
of when using ITIL as the best practice IT management framework: service desk and security (table 3).
Overview of FCSA Process
WORKSHOP
PARTICIPANTS
RESPONSE TO
STATEMENTS
DEVELOP
PROCESS
CONTROL
STATEMENTS
PROCESS
RISK AND
CONTROL
PROFILE
IDENTIFY
CONTROL RISKS
SELFASSURANCE
CONFIRM
CONTROL
EFFECTIVENESS
REPORT
RESULTS
DEVELOP
SERVICE
IMPROVEMENT
PLAN
workshop. This information is important, as it will assist in
alleviating any misconception the workshop participants may
have about the workshops and its outcomes.
It is important to remember that the workshops should be
structured to include:
• An introduction (overview of workshop process, tools and a
clearly defined purpose and context)
• A description of the IT&T process to be covered
• A description of the process (e.g., problem management) to
capture responses from participants (i.e., information)
• Workshop feedback (i.e., outcomes)
• The way forward
Table 3
ITIL
Component
Goal
Service desk To act as the central point of contact between
the user and IT service management; to
handle incidents and requests and provide an
interface for other activities such as change,
problem, configuration, release service level,
and IT service continuity management
Security
To manage the defined level of security on
information and IT services
FCSA Workshops
Facilitated CSA workshops are conducted by the auditor to
assist IT&T management and staff in identifying risks, assessing the control environment and developing a service improvement plan (SIP) to mitigate the risks.
Workshop Structure
To facilitate workshop participation and outcomes, the
participants should receive a handout describing the FCSA
process (figure 4) including the tools being used in the
Experience shows that:
• The workshop duration should not be more than two hours,
as it requires a large amount of concentration by participants.
• The number of workshop participants should be between five
and nine.
• Workshop statements should be limited to a maximum of 25.
• The workshop should be held in a closed room to minimise
disruptions.
Workshop Participants
It is important that the appropriate participants are selected
to attend all workshops. The participants should include IT&T
management and staff, including the IT&T department managers and senior/experienced staff members who are involved
in the delivery of services and products to the organisation. It
is critical that they know their processes and are empowered to
implement the appropriate controls.
The IT&T department managers are selected, as they are the
process owners. They have the accountability for managing the
IT&T risks on a day-to-day basis. They must take ownership
of the information technology risk and control processes and
proactively manage these over time.
Workshop Statements and Assessment Criteria
One of the critical parts of the FCSA is developing the statements to be asked of the workshop participants for response.
The statements are developed using information technology best
practice standards for service delivery and support.
Up to 25 statements per process form the basis of the FCSA
workshops. Individual workshop participants are asked to
respond to each statement using the following seven-point
scale:
• Strongly disagree
• Disagree
• Slightly disagree
• Neither agree or disagree
• Slightly agree
• Agree
• Strongly agree
In particular, the answers from participants should elicit
discussion based upon their knowledge of and experience
with the processes. An example of a statement in relation
to problem management is: “There are clear criteria for
prioritising a problem.”
Workshop Tool (Optional)
In this approach, an anonymous voting tool is used during
each workshop. Each participant uses a separate keypad to vote
on each statement. A bar chart analysis of all responses is displayed after each statement. This promotes open discussion
and drives suggestions for process improvement. The outcome
of the discussion, i.e., the process risk and control issues, are
clearly identified and recorded.
Workshop Facilitator
It is essential that the workshop facilitator is an experienced
IT audit practitioner with strong communication skills. The
quality of information collected in the workshops is dependent
upon the facilitator gaining the participants’ confidence in their
ability to manage the workshop. Further, the facilitator will be
required to clarify and elicit additional information as needed,
based upon the participants’ responses to the statements.
Deliverables
Workshop Documentation
Each workshop requires a resource to document the risk and
control issues from the discussions based upon the participants’
responses to the statements. It is important that the resource
also is an experienced IT audit practitioner as this person will
assist and support the workshop facilitator seeking clarification
of responses that may otherwise have been either misunderstood or not clearly enunciated.
From the responses collected for each workshop, a detailed
worksheet is prepared. The worksheet details the following
information:
• Workshop participants’ names, job titles and contact details
(this will facilitate follow-up)
• Responses to each statement (option finder)
• Risk and control issues discussed
• Analysis of responses (detailed information of process
control issues)
Figure 5
Response
Strongly
Disagree
Disagree
Slightly
Disagree
Neither
Agree
nor
Disagree
Slightly
Agree
Agree
Strongly
Agree
Total No.
of
Responses
2
2
1
1
2
0
0
8
Control Issues
•
•
•
•
Miscategorisation of severity level by help desk staff
Severity levels definitions are too broad
Severity levels definitions are too loosely applied
“Customers” insist on making all issues a severity level 1
Details from
participants
in support
of their
responses
Service Improvement
• Help desk staff to receive greater training to meet operational requirements
• Existing severity level definitions to be reviewed and revised where appropriate
• Guidelines for the application of severity levels to be developed, documented and training
given to staff on application
• Communications plan to be developed to educate users on severity levels
Recommendations
to address issues
Figure 5 is an example of a workshop worksheet with a
participant’s response to a specific statement in relation to
problem management. The statement used for the example is
“There are clear criteria for prioritising a problem.”
Audit Testing
If evidence is required to support the workshop outcomes,
then audit testing may be performed, particularly where the
radar map (refer to the Audit Report section of this article) indicates that the IT&T service provider exceeds the benchmark.
The extent and type of testing performed, i.e., compliance
and/or substantive, are dependent upon the level of comfort
required to support the workshop outcomes. Experience has
shown that if the IT&T service provider has failed to meet or
exceed the benchmark, then additional evidence to support the
workshop outcome is not required.
Action Plans
Action plans are developed based on the outcome of each
workshop. It is essential that these plans are agreed upon and
accepted by the appropriate parties. Figure 6 indicates the
process model utilised in the FSCA.
Figure 6
Audit
IT Service
Provider
Audit
IT Service
Provider
FCSA
Workshop
Workshop
Worksheet
Workshop
Worksheet
Audit Report
& SIP
– Documentation of
control issues
– Determine if tesing
required
– Prepare
recommendations
for improvement
Review Workshop
Docs for accuracy &
completeness.
Response to
recommendations
Review response,
& prepare Service
Improvement Plan
(SIP) & Audit
Report
Review &
approve for issue
Workshop
Worksheet
Workshop
Worksheet
Audit Report
& SIP
Audit Report
& SIP
Figure 7—Service Improvement Plan Process—
Problem Management
Target
Service
Impact
Date
Improvement
H – High
Action
M – Medium
L - Low
30 June
1. Help desk staff are
H
1. Miscategorisation
to receive additional
of severity level by
training to meet
help desk staff
operational
requirements.
1 May
2. Existing severity
M
2. Severity level
level definitions are
definitions are too
to be reviewed and
broad
revised where
appropriate.
30 June
3. Guidelines for the
H
3. Severity level
application of
definitions are too
severity levels are
loosely applied
to be developed,
documented and
training given to
staff on application.
4. A communications
1 May
L
4. “Customers” insist
plan is to be develon making all
oped to educate
issues a severity
users on severity
level 1
levels.
Control/
Service
Issue
Figure 8—Audit Rating Scale
Executive
Management & IT
Service Provider
Service Improvement Plan
A service improvement plan (SIP) provides the necessary
details upon which the IT&T service provider can act. IT provides details of the control issue and the agreed-upon action to
be taken to address the issue and names the designate who has
responsibility for implementing the agreed action and the
target date for implementation (see figure 7).
Audit Report
After working through the control issues and responses with
the IT&T service provider, a report is prepared. A radar map is
used in the executive summary to assist executive management
to gain an understanding of the issues without having to read
all the detail that supports the auditor’s opinion. A radar map
provides a high-level overview assessment of the results of
FCSA.
Rating
Description
5
Unsatisfactory The auditable activity was not in compliance with policies,
systems and procedures. Major risks were identified that
have adversely impacted the auditable activity’s
contribution to the organisation’s strategies.
4
The auditable activity was not always in compliance with
Needs
policies, systems, and procedures. Major risks were
improvement identified which adversely impact or are likely to adversely
impact the auditable activity’s contribution to the
organisation’s core strategies.
3
The auditable activity was generally in compliance with
Average
policies, systems, and procedures. Some control
deficiencies were identified that, if not promptly
corrected, may lead to major risks adversely impacting
the auditable activity’s contribution to the organisation’s
core strategies.
2
The auditable activity was in compliance with
Good
policies, systems, and procedures. Some control
deficiencies were identified but these did not/are not
expected to lead to major risks or adversely impact the
auditable activities contribution to the organisation’s core
strategies.
1
The auditable activity has achieved its goals and
Commendable objectives. The auditable activity was in compliance with
policies, systems, and procedures. No control
deficiencies that would hinder the attainment of goals
and objectives of the organisation were identified.
The workshop results are converted into a standard fivepoint audit scale to provide consistency for all audit reports
within the organisation (see figure 8).
The following is a hypothetical example of what can be
expected from this type of review. An arbitrary audit rating
benchmark is set, say 2.5. The radar map indicates where the
IT&T service provider’s performance is for each ITIL process.
Two colours are used to indicate performance. Green means it
meets or exceeds benchmark, and red means it failed to meet
or achieve the benchmark.
Figure 9 indicates that two processes exceeded the benchmark and identifies a number of processes that require further
remediation or improvement to achieve or exceed the benchmark.
Figure 9
“…Everyone involved in the review has been very positive
about the approach used, and the value of the outcomes….”
This approach should be considered as a key strategy in the
delivery of IT audit services to an organisation.
References
IT Service Management—IT Service Management Forum Ltd
ISBN 0-9524706-1-6
Ken Doughty, CISA, CBCP
is executive audit manager, IT&T Commonwealth Bank
Group. He has more than 20 years’ IS audit experience with
more than 10 years’ business continuity experience in the
public and private sectors. He speaks regularly at seminars and
conferences in Australia and internationally. He also has published papers on IS auditing and business continuity in
Australia and the US. He can be reached at
doughtke@cba.com.au.
Internal Control Framework Assessment
Incident Management
5.00
Security Management
Problem Management
4.00
3.00
Continuity Management
Change Management
2.00
Service Support
Processes
1.00
0.00
Financial Management
John O’Driscoll, CISA, CIA
is executive audit manager, IT&T Commonwealth Bank
Group. He has more than 15 years’ IS audit experience in
the public and private sectors. He regularly speaks at security
and IS audit seminars and conferences and presents training
courses on behalf of ISACA and IIA Sydney chapters. He can
be reached at john.odriscoll@cba.com.au.
Release Management
© Copyright K. Doughty, J. O’Driscoll 2002
Service Delivery
Processes
Capacity Management
Configuration Management
Areas of Risk
Service Level Management
Availability Management
Exceeded Benchmark
Conclusion
The use of FCSA workshops with an industry-recognised
IT best practice process model provides a valid assessment of
the internal control framework of the IT&T environment which
meets the demands of the organisation’s senior executives.
The experience of using FCSA for IT auditing that was documented in this article has resulted in a saving of more than
35 percent in resources and time for this type of audit compared to a traditional approach. While this is impressive, the
biggest benefit resulted from the enthusiastic acceptance of the
approach by the organisation’s IT&T service providers and key
stakeholders. Commitment to resolving control deficiencies
and implementing process improvement has been outstanding
at the workshop participant and senior management level.
Some of the comments the organisation has received regarding the use of this approach include:
“…The processes and tools used encouraged transparency,
collaboration and contribution from all parts of the organisation involved….”
“…The report and related documents are of excellent quality and easily provide a basis for our organisation to progress
with improving critical areas and there were many areas identified that span the end-to-end service delivery process….”
Download