IT-Audit Concept, Approach and Methodologies

Internal IT Audit (agenda)
- Stakeholders in the Internal IT Audit Process
- Key Objectives & Requirements
- Methodological Framework
- Internal IT Audit Organization and Scope
- Proposed Approach and Methodology
- Co-ordination with External Regulatory and Auditing Bodies
- Conclusion

Stakeholders in the Internal IT Audit Process
(diagram: Internal IT Audit at the centre, surrounded by four stakeholder groups)
- Internal IT: WDR, PB, AM, PC&C IT, IT Security
- External IT: Perot Systems, Systor
- Internal Audit & Business: GIA, Business lines, BOD/GEB, ASB, AC
- External to UBS: Regulatory Bodies, External Audit, Professional Bodies

Stakeholder Demands on Internal IT Audit: Internal IT
- Breadth vs. depth
- Increased technological solutions
- Quality and relevance of recommendations
- Increased involvement up front
- Detailed knowledge of increasingly specialized areas
- Rationalization of the Bank's systems and technology
- Global focus, adherence to standards

Stakeholder Demands on Internal IT Audit: External IT
- Staff recruitment and retention
- Increased technological complexity, new technologies
- Pace of IT technology development and implementation
- Increased reliance on technical solutions
- Outsourcing
- Best practices and benchmarks

Stakeholder Demands on Internal IT Audit: Internal Audit and Business
- Ensure completeness of coverage between IT and financial audit
- Budget and headcount
- Standards and quality of work
- Resource allocation
- Reporting and follow-up

Stakeholder Demands on Internal IT Audit: External to UBS
- Acquisitions and JVs: economies through leveraging technology
- Globalization: increased regulatory requirements
- Cost reduction: rationalization across the group
- Increased regulatory requirements

Key Objectives and Requirements
- Global and independent
- Risk focus
- Experts in IT internal control
- IT project involvement
- Frequency of reviews
- Standardization and depth of reviews
- Recommendations
- IT and control knowledge
- Effective co-ordination with external and regulatory bodies
- Application / infrastructure audit co-ordination

Key Objectives and Requirements: Objective and Course of Action
- Global and independent
  - Independence: the reporting structure of Group Audit within the bank ensures this
  - Organization and Technical Competence Center (TCC) concept
- Risk focus
  - PASKOR planning (risk planning)
  - Incorporation of the IT risk framework in Internal IT Audit fieldwork and reporting
  - Self-assessment process and IT Audit risk & control database
- Experts in IT internal control
  - CobiT framework, and IT Audit planning and fieldwork with the technology competence centre
- IT project involvement
  - Stress point matrix
  - Infrastructure / application interface
- Frequency of reviews
  - PASKOR planning
- Standardization and depth of reviews
  - TCC concept
- Recommendations
  - Primary Controls Audit (PCA)
  - Primary Controls Review (PCR)
  - Self-Assessment approach (SA)
- IT and control knowledge
  - TCC concept
  - Renewed emphasis on training
- Effective co-ordination with external and regulatory bodies
  - Planning and co-ordination of requirements
  - Outsourcing of work (external lead)
  - Insourcing of IT Audit work (internal lead)
  - IT Audit work standards
  - IT Audit location database
- Application / infrastructure audit co-ordination
  - Scope and coverage definition
  - Infrastructure / application interface

Methodological Framework: Main Areas of Use
- IT audits
- Risk analysis
- Health checks (security benchmarking)
- Security concepts
- Security manuals / handbooks

IT Audit Methodologies
- CobiT (www.isaca.org)
- BS 7799 - Code of Practice (CoP) (www.bsi.org.uk/disc/)
- BSI - IT Baseline Protection Manual (www.bsi.bund.de/gshb/english/menue.htm)
- ITSEC (www.itsec.gov.uk)
- Common Criteria (CC) (csrc.nist.gov/cc/)

Comparison of Methods: Results
(chart in the original, comparing CobiT, BS 7799, BSI and ITSEC; the ratings are not recoverable from the text)
Criteria: Standardisation, Independence, Ease of use, Certifiability, Update frequency, Applicability in practice, Efficiency, Presentation of results, Adaptability, Extent of scope

Methods: Example for CobiT
- CobiT processes: Planning & organization; Acquisition & implementation; Delivery & support; Monitoring
- PASKOR audit types: Mgmt & Control; Year 2000; IT Development; IT Operations; IT Network; IT Security; DR & CP; Change Mgmt
- CobiT control objectives feed AutoAudit risk control matrices (detailed risks and controls mapped to CobiT objectives)

IT Risk Management
- Strategy & governance
  - Responsibility for ensuring proper management lies at the execution level
  - Apply IT risk management within a consistent and repeatable framework
- Risk management organisation
  - Independent risk management function with clearly defined roles and responsibilities
  - Link between the risk management group, strategic planning and IT management
- Measurement & reporting
  - Controls in place to ensure completeness, accuracy and timeliness of risk capture
  - Measures continually evolve as methodologies and modeling techniques improve
- Categories of risk
  - Clearly segmented categories, defined so that they are easily understood throughout the organization
- Risk management process
  - Comprehensive categories to capture all risks
  - Structured interview process, risk collection and feedback programme
  - Minimal administrative burden; use of automated tools (intranet, database, etc.) wherever possible

IT Risk Categories
- UBS risk categories: Strategic; Credit risk; Market risk; Funding risk; Operational risk (including IT risk); Legal risk; Liability risk; Compliance risk; Tax risk; Physical/crime risk; Reputation risk
- IT risk categories (within IT risk):
  - Strategic: business / IT alignment; business value of IT; emerging technology; project evaluation; IT architecture management
  - IT delivery: operation management; production availability; IT change management; system and network security; contingency & capacity planning
  - Financial: IT costs (project and operations); IT investment appraisal; VAR (system financial exposure)
  - IT development: project management; development standards; IT development project risk; data and information management; development / testing environments
  - IT organisation: skill / knowledge management; succession planning / career management; HR policies; IT / business organisation alignment; supplier & third party management
  - Legal & compliance: non-conformance to regulations; regulatory reporting; IT contracts
- Impacts on: customers / clients; shareholders; counterparties; suppliers; regulators

Internal IT Audit Organization
- IT Audit Group
  - IT Audit Domestic (CH)
  - IT Audit International: EMEA, Asia Pacific, Americas
  - Technical Centre of Excellence (CoE): distributed technology
  - Technical Competence Centres (TCC): Basel / Zurich (CH), International
  - IT Consulting / Services: SSP, Task Forces, CAATTs, Audit SW (Basel / Zurich)

CoE, TCC Schematic - Migration Path
- Actual: generalists performing general IT audit activities (good all-round knowledge); TCC / CoE cover individual technologies or processes on top of mainstream distributed technologies (axis: depth of knowledge)
- Future: specialists; each TCC / CoE specialist covers one technology or process, on top of mainstream distributed technologies (axis: depth of knowledge)

Generic IT Environment
- Application Audit covers: Application Architecture (AA); Application: Development Environment, Application Security; Software Change Management (SCM)
- IT Audit covers: Middleware / Services; Operating System; System Management & Operations; Telecommunication; Technical Security; Hardware

Generic IT Environment: Application Audit vs. IT Audit
- Layers: Products (a, b, c, d); Applications (a, b); System technology: divisional IT processes; System technology: global IT processes
- Application audit topics: overall project management; application-level security; application / business controls; business contingency; system functionality; user testing
- IT audit topics: operating system level security and administration; disaster recovery; operations and systems support; network controls; capacity planning; database management; data access; change management process

Proposed Approach and Methodology
- COSO model: Internal Control - Integrated Framework
  - Control environment
  - Risk assessment
  - Control activities
  - Pertinent information
  - Monitoring

Production Audit Approach
- Primary Controls Audit (PCA), performed by TCC / CoE
- Primary Controls Review (PCR)
- Self-Assessment (SA)

Pre- / Post-Implementation Audit
- Pre-implementation: project plan; stress point matrix; testing
- Post-implementation: existing processes; results
- Instruments: Primary Controls Audit (PCA) by TCC / CoE; Primary Controls Review (PCR); Self-Assessment (SA)

Principles and Co-operation: IT Audit / 3rd Party
(table with columns Basis, Requirements and Special Assignments)
- Regulator (external): Basis: laws, regulations, standards; Requirements: divisions, audit areas, audit objectives
- Internal IT Audit: Requirements: divisions, legal entities, processes, audit areas, audit objectives

Thank you for your interest in IT Audit Concept, Approach and Methodologies.