Terms of Reference for an IT Audit of

Transcription

1 National Maritime Safety Authority (NMSA) TASK DESCRIPTION PROJECT/TASK TITLE: EXECUTING AGENT: IMPLEMENTING AGENT: PROJECT SPONSOR: PROJECT LOCATION: To engage a professional and qualified IT Auditor to conduct a comprehensive and independent audit of NMSA s ITC processes and controls. National Maritime Safety Authority (NMSA) ITC Department Executive Manager, Corporate Services National Maritime Safety Authority, Head Office, Level 2, Defense Haus, Port Moresby COMMENCEMENT DATE: Mid-September 2013 PROJECT DURATION: 2-3 Months National Maritime Safety Authority (NMSA) 1

2 I. INTRODUCTION/BACKGROUND The Authority was established by the National Maritime Safety Authority (NMSA) Act 2003 of parliament to oversee all aspects of safety at sea. NMSA through the Department of Information Technology is responsible for delivery of IT solutions and services to meet the Authority s mandated responsibility of ensuring safety at sea and ensuring compliance with laws and regulations. The Authority has invested significantly in the past on the installation and implementation of new technology infrastructures and business solutions to effectively achieve the Authority s stakeholder requirements and business goals and objectives. For instance, the rollout of a Wide Area Network (WAN), connecting five field offices in Papua New Guinea. As an ongoing effort by the Authority to improve controls, ensure an efficient use of IT systems and aligning its IT strategies with business strategies, the Authority seeks to engage a professional and qualified Auditor to conduct an independent IT audit of its IT infrastructures, systems and environment, report any significant issues and/or key findings, and make practical recommendations to address the control deficiencies and risk mitigation strategies. II. OBJECTIVE The objective of the engagement is to review and provide an opinion on the capability of the existing IT framework and controls (hardware, software, facilities, policies, procedures, practices and organizational structures) that strategically supports, add value and improve the business operations of NMSA. The engagement is aimed at helping the Authority to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes within IT. III. STANDARDS AND GUIDANCE The auditor who performs this audit is governed by the ISACA s IS auditing and IS controls standards, and code of professional ethics, which establishes fundamental ethical principles for the Auditor with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behavior and technical standards. IV. REQUIREMENTS FOR THE AUDITOR IV.1. GENERAL PRINCIPLES By accepting the Terms of Reference (ToR), the IT Auditor confirms that he/she meets the following conditions: The IT Auditor is a member of the international association for Information Systems Audit and Control Association or also known as ISACA. The IT Auditor is committed to undertake this engagement in accordance with ISACA s IS auditing and IS controls standards, and code of professional ethics. The IT Auditor is expected to maintain his/her professional independence throughout the course of the engagement. This means that; in all matters related to auditing, the IT auditor is to be independent of the auditee in attitude and appearance. National Maritime Safety Authority (NMSA) 2

3 The IT Auditor is expected to have knowledge of internal control and standards framework such as COSO, COBIT, ITIL, VaLIT and standards such as ISO series (i.e , 27002/17799, etc..) The engaging firm is to be sufficiently independent of the organization (i.e. NMSA) being audited to permit objective completion of the audit. The engaging firm must be currently registered, as required under the PNG Companies Act 1997, and must always comply with the requirements and guidelines of Investment Promotion Auditory (IPA). The engaging firm must comply with all tax requirements, as required by the Internal Revenue Commission (IRC) and must have a current operating Certificate of Compliance (CoC). IV.2. QUALIFICATIONS AND EXPERIENCE The Auditor must have experience in conducting IT Audit of internal control of entities comparable in size and complexity. The Auditor may be requested to provide evidence of similar engagement with previous clients. The Auditor must have suitable experience and adequate professional and technical qualifications with ISACA standards; in particular he/she must have at least one of the listed accreditations. Certified Information Systems Auditor (CISA). Certified Information Security Manager (CISM). Certified in the Governance for Enterprise IT (CGEIT). Certified Information System Security Professional (CISSP). Certified in Risk and Information Systems Control (CRISC). (Note: CISSP not an ISACA certification) V. SCOPE OF WORK (SoW) The engagement is intended to address the internal controls (i.e. policies, procedures, facilities, practices, organizational structures). TABLE 1: MAIN SCOPE OF WORK CATEGORY PROCESS DESCRIPTION CONTROL OBJECTIVES DEFINE A STRATEGIC IT PLAN DEFINE TECHNOLOGICAL DIRECTION DEFINE IT PROCESSES, National Maritime Safety Authority (NMSA) 3

4 ORGANIZATION AND RELATIONSHIPS COMMUICATE MANAGEMENT AND DIRECTION AIMS AASESS AND MANAGE IT RISKS IT GOVERNANCE ENSURE SYSTEMS SECURITY ENSURE CONTINUOUS SERVICE MANAGE SERVICE DESK AND INCIDENTS MANAGE THIRD PARTY SERVICES DEFINE AND MANAGE SERVICE LEVELS IT PROCUREMENT EDUCATE AND TRAIN USERS ENABLE OPERATIONS AND USE MANAGE THE PHYSICAL ENVIRONMENT IDENTIFY AUTOMATED SOLUTIONS ACQUIRE AND MAINTAIN TECHNOLOGY INFRASTRUCTURE ACQUIRE AND National Maritime Safety Authority (NMSA) 4

5 MAINTAIN APPLICATION SOFTWARE MANAGE CHANGES TABLE 2: ADDITIONAL SCOPE OF WORK IT RESOURCES NETWORK TOPOLOGY AND ARCHITECTURE IT STRATEGIC TRAINING AND SUCCESSION PLAN IT OUTSOURCING Vs IN-SOURCING VI. EXPECTED OUTCOMES Upon completion of the above Scope of Work, the IT Auditor should issue the Authority with a Final Audit Report detailing the key findings, risks and practical recommendations for improving the controls and mitigating the risks. National Maritime Safety Authority (NMSA) 5