
ISACA

ISACA. Professional Standards Committee and Frameworks for IT Audits. Steve Sizemore, CISA, CIA, CGAP Texas Health and Human Services Commission – Internal Audit Division IIA Austin Chapter ISACA Past President of Austin Chapter


Presentation Transcript


  1. ISACA Professional Standards Committee and Frameworks for IT Audits

  2. Steve Sizemore, CISA, CIA, CGAP • Texas Health and Human Services Commission – Internal Audit Division • IIA Austin Chapter • ISACA • Past President of Austin Chapter • Government and Regulatory Agencies Subcommittee – North America • Professional Standards Committee

  3. Professional Standards Committee - Charge • Develop, maintain, and support professional ethics, standards, and guidelines for the IT assurance, security and control professions.

  4. Standards Board Members 2010/11 • John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore, Chair • Manuel Aceves, CISSP, CGEIT, CISM, CISA, Cerberian Consulting, Mexico • Rick De Young, CISA, MBA, CISSP, USA • Murari Kalyanaramani, CISM, CISA, CISSP, British American Tobacco GSD, Malaysia • Edward J. Pelcher, CGEIT, CISA, Office of the Auditor General, South Africa • Rao Hulgeri Raghavendra, CISA, CQA, PGDIM, Oracle Financial Services Software Ltd., India • Steven E. Sizemore, CISA, CIA, CGAP, Texas HHSC, USA • Meera Venkatesh, CISA, CISM, CISSP, CWA, ACS, Microsoft Corp., USA

  5. Professional Standards Committee Objectives 1. Refresh, consolidate, and retire IS auditing guidance issued by ISACA to ensure consistency with other material issued by ISACA and ITGI, such as COBIT 4.1 and the Information Technology Assurance Framework (ITAF).

  6. Professional Standards Committee Objectives 2. Continue development of security principles and the Business Model for Information Security (BMIS).

  7. Professional Standards Committee Objectives 3. IT Assurance Framework (ITAF) • Ensure all current ISACA guidance is reflected. • Identify Gaps with our current guidance. • Develop guidance as determined to be a priority by the gap analysis.

  8. IS Auditing Guidance • Code of Professional Ethics is a mandatory requirement • Standards are mandatory requirements • Guidelines are guidance in applying standards • Procedures are examples

  9. ITAF • Standards • General • Performance • Reporting • Guidelines • Tools and techniques

  10. ITAF (cont) • Standards – 3 categories • General standards are the guiding principles under which the IT assurance profession operates • Performance standards establish baseline expectations in the conduct of IT assurance engagements • Reporting standards address the types of reports, the means of communication, and the information to be communicated

  11. COBIT • COBIT 4.1 • COBIT 5 • In development • Will consolidate and integrate COBIT 4.1, Val IT 2.0 and Risk IT frameworks • Draw significantly from the Business Model for Information Security (BMIS) and ITAF.

  12. COBIT - among top four IT Governance Frameworks

  13. Val IT – A Governance Framework IT-enabled investments will: 1. Be managed as a portfolio of investments 2. Include the full scope of activities required to achieve business value 3. Be managed through their full economic life cycle Value delivery practices will: • Recognize different categories of investments to be evaluated and managed differently • Define and monitor key metrics and respond quickly to any changes or deviations • Engage all stakeholders and assign appropriate accountability for delivery of capabilities and realisation of business benefits • Be continually monitored, evaluated and improved

  14. Risk IT – Risk Management Framework • Risk Governance • Establish and Maintain a Common Risk View • Integrate with Enterprise Risk Management (ERM) • Make Risk-aware Business Decisions • Risk Evaluation • Collect Data • Analyze Risk • Maintain Risk Profile • Risk Response • Articulate Risk • Manage Risk • React to Events

  15. Information Security Principles • Partnership of • ISACA • Information Security Forum (ISF) • International Information Systems Security Certification Consortium (ISC)2

  16. Business Model for Information Security (BMIS) • Uses a business-oriented approach • Can be used regardless of an enterprise’s size or the information security framework it has in place • Focuses on people and processes in addition to technology. • Is independent of any particular technology and is applicable across all industries, countries, and regulatory and legal systems. • Includes traditional information security, as well as links to privacy, risk, physical security and compliance. • Enables information security professionals to align the security program with business objectives by helping to widen the view to the enterprise

  17. BMIS (cont)

  18. How is IS auditing guidance developed? (diagram) Input flows from Members and CISAs, Chapter Presidents, the General public and Other standard setting bodies, via the Area Rep, to the Standards Board.

  19. How is IS auditing guidance issued? (diagram) The Standards Board issues guidance to Selected professionals, Other standard setting bodies (through the exposure process), Members and CISAs (through the Internet) and the General public (through the Internet). Copies of all Standards are available on the ISACA web site www.isaca.org

  20. Working with Other Organisations • Work with other international standard setting bodies (IIA, IFAC, AICPA, etc.) • Comment on Exposure Drafts

  21. Future Pronouncements

  22. Guidelines to be Refreshed in 2011

  23. Guidelines to be Refreshed in 2011

  24. Gap Analysis • Identified gaps between ITAF and the Standards and Guidelines • Plan to address gaps through development of new standards and guidelines, and consolidation and reorganization of existing standards and guidelines.

  25. Questions? Conclusion
