RELATIONSHIP BETWEEN IT RISK AND THE IT AUDIT PLAN

Transcription

1 RELATIONSHIP BETWEEN IT RISK AND THE IT AUDIT PLAN Presenter: Mr Vincent M. Kgwale CISA, CISM Deputy Director: IT Audit, National Treasury 31 October 2012

2 Contents Pioneers Of Corporate Governance Acceptance of corporate governance in the public sector Corporate Governance Principles Auditor General 2010/11 results Elements of IT Governance Definition of IT Risk Definition of IT Risk Management ISACA Risk IT Framework IT Risk Management Approach IT Risk Management Approach Unpacking the IT Risks Unpacking the IT Risks IT Environment The Relationship Between IT Risk and IT Audit Crafting the IT Audit Plan IT Risk Standards and Framework 1

3 Pioneers Of Corporate Governance Sir Adrian Cadbury chaired the Committee on Financial Aspects of Corporate Governance set up in 1990 and published its report in

4 Pioneers Of Corporate Governance Cont. Mervyn King S.C chaired the King Committee on Corporate Governance which published King Report on Corporate Governance (King I) in 1994 aimed at promoting the highest standards of corporate governance in South Africa. 4

5 Acceptance of corporate governance in the public sector Limited adoption in government and the public services. Compliance with the Public Finance Management Act (PFMA) and the Municipal Finance Management Act (MFMA), as minimum requirements in the public sector. In contrast, the provisions of King III are specifically intended to be applied or explained within all economic sectors, including the public sector. 5

6 Acceptance of corporate governance in the public sector contint.. Parliament key stakeholder and it will determine the level of compliance that each public institution should strive to achieve in addition to its statutory compliance required in terms of the PFMA, MFMA and other applicable acts. National and provincial institutions will have similar compliance obligations and these will reside with the executive authority, who delegates these responsibilities to the accounting officer or equivalent. 6

7 Corporate Governance Principles Ethical leadership and corporate citizenship Boards and directors (Municipal councils) Audit committees The governance of risk

8 Corporate Governance Principles Cont. The governance of information technology Compliance with laws, rules, codes and standards Internal audit Governing stakeholder relationships Integrated reporting and disclosure

9 Auditor General 2010/11 results 79% of departments did not implement some IT governance aspects according to General Report on National Audit Outcomes 10/11 Financial Year 9

10 Elements of IT Governance Strategic Alignment Value Delivery Risk Management Resource Management Performance Measurement

11 Definition of IT Risk Every organization has a mission and in this digital age government also use automated information technology (IT) systems to process its information for better support of its objectives. Risk management plays a critical role in protecting an organization s information assets, and therefore its mission or objectives, from IT-related risk. IT risk can be defined as any threat to information technology, data, critical systems and business processes. IT risk provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues. 11

12 Definition of IT Risk Management has a responsibility to identify areas of control weakness and respond in a timely fashion to these by improving processes, augmenting controls and even reducing the cycle time between control testing to ensure that the organization is properly identifying and responding to IT risks. 12

13 Definition of IT Risk Management IT risk is a business risk specifically associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. It consists of IT-related events that could potentially impact the business. It can occur with both uncertain frequency and magnitude, and it creates challenges in meeting strategic goals and objectives; Aims to prioritize and manage IT risk; Senior executives need a frame of reference and a clear understanding of the IT function and IT risk associated with it; IT risk is not just a technical issue; and 13

14 Definition of IT Risk Management Cont. Organisation managers determine what IT needs to do to support their business; they set the targets for IT and are accountable for managing the associated risks. 14

15 ISACA Risk IT Framework Risk Governance: Risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, and risk culture Risk Evaluation: Describing business impact and risk scenarios Risk Response: Key risk indicators (KRI) and risk response definition and prioritisation Source: ISACA Risk IT Framework 15

16 IT Risk Management Approach IT risk is a component of the overall risk universe of an organisation. Source: ISACA Risk IT Framework 16

17 IT Risk Management Approach Unpacking the IT Risks Source: ISACA Risk IT Framework 17

18 IT Risk Management Approach Unpacking the IT Risks Source: ISACA Risk IT Framework 18

19 Unpacking the IT Risks IT Environment IT ENVIRONMENT STRATEGIC IT STRATEGY IT STANDARDS, POLICIES, PROCEDURES & GUIDELINES SERVICE LEVEL AGREEMENTS APPLICATION INFRASTRUCTURE APPLICATION DATABASE NETWORK HOST PHYSICAL Source: National Treasury Internal Audit Information Systems Audit Methodology 19

20 The Relationship Between IT Risk and IT Audit IT ENVIRONMENT AUDIT TYPE STRATEGIC IT STRATEGY IT STANDARDS, POLICIES, PROCEDURES & GUIDELINES SERVICE LEVEL AGREEMENTS GENERAL CONTROL REVIEW IT Strategy IT Standards, Policies, Procedures and Guidelines Service Level Agreements APPLICATION APPLICATION SPECIFIC CONTROL REVIEW Application Control Review INFRASTRUCTURE DATABASE NETWORK HOST PHYSICAL SPECIFIC CONTROL REVIEW Database Management Review Data Integrity Review Network Review Operating System Review Physical and Environmental Review GENERAL CONTROL REVIEW (Controls Around the Computing Layers Supporting the Infrastructure) User Profile Management Change Management Logical Access Controls Physical Access Controls Environmental Controls Software Development Business Continuity and Disaster Recovery Source: National Treasury Internal Audit Information Systems Audit Methodology 20

21 Crafting the IT Audit Plan Risk Identified Inherent Priority Residual Priority IT AUDIT PLAN Audit Description Audit Objectives Interruptions to availability and access to business critical systems Priority 1 Priority 2 IT Strategy Framework and Operational Plan Review Assess the adequacy of the IT strategy framework and operational plan to assist business in the achievement of their objectives. Interruptions to availability and access to business critical systems Priority 1 Priority 2 IT Governance Review Assess the adequacy of the IT governance framework to ensure compliance with the King 3 requirements. Interruptions to availability and access to business critical systems Unauthorised malicious activity by internal users Unauthorised malicious activity by internal users Unauthorised malicious activity by external users Priority 1 Priority 2 Information Security Policy Review Priority 1 Priority 2 Internal Network Security Review Priority 1 Priority 2 Wireless Network Security Review Priority 1 Priority 2 External Network Security Review Review of information security management policies. Assess the level of internal network threats and vulnerabilities. Assess the configurations of the wireless network to prevent malicious activity. Assess the level of external network threats and vulnerabilities. Unauthorised malicious activity by external users Priority 1 Priority 2 Perimeter Firewall Review Assess the configurations of the firewall located on the external network perimeter to prevent malicious activity. Source: National Treasury Internal Audit IT Audit Plan 21

22 IT Risk Standards and Framework ISACA The Risk IT Framework; COSO Enterprise Risk Management: Integrated Framework; ISO Risk Management; and Public Sector Risk Management Framework. 22

23 ? QUESTIONS 23

24 THANK YOU 24