1 / 89

INTOSAI IT Audit IT Methods Awareness

Explore IT audit methods for project selection, control, and evaluation in this comprehensive guide. Understand the stages of investment maturity and critical processes under ITIM assessment.

adavis
Download Presentation

INTOSAI IT Audit IT Methods Awareness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. INTOSAI IT AuditIT Methods Awareness

  2. Outline • Scope • Overview • It Methods • Methods Description • Methods Usage • Audit Reporting

  3. Scope • It Methods Described For: • Project Selection, Control, Evaluation • Systems Development • Systems Acquisition • Enterprise Architecture Development • Security Assessment

  4. Overview • Methods Listed Here Are Generally Accepted in The Community • Methods Assess or Prescribe “What” Must Be Done Not “How” to Accomplish Activity • Methods Provide a Framework to Audit It Activity

  5. It Methods

  6. Methods Description Module 1 Project Selection, Control, Evaluation

  7. Project Selection, Control, Evaluation • Wisely Managed Investments in It Can Improve Organizational Performance • Internet and Local Area Networks Enable Data Sharing and Research • Data Warehouse Permits Organizations to Discover Unknown Fiscal or Physical Resources

  8. Project Selection, Control, Evaluation • However, Along With the Potential to Improve Organizations, It Projects Can Become Risky, Costly, Unproductive Mistakes • In Response, Gao Developed Guidance, That Provides a Method for Evaluating and Assessing How Well an Agency Is Selecting and Managing Its It Resources

  9. Project Selection, Control, Evaluation • The Select/control/evaluate Model Has Become a Central Tenet of the It Investment Management Approach

  10. Project Selection, Control, Evaluation • During the Selection Phase the Organization • Selects Those It Projects That Will Best Support Its Mission Needs and • Identifies and Analyzes Each Project’s Risks and Returns Before Committing Significant Funds to a Project.

  11. Project Selection, Control, Evaluation • During the Control Phase the • Organization Ensures That, As Projects Develop, the Project Is Continuing to Meet Mission Needs at Expected Levels of Cost and Risk • If the Project Is Not Meeting Expectations Steps Are Taken to Address the Deficiencies

  12. Project Selection, Control, Evaluation • Lastly, During the Evaluation Phase, • Actual Versus Expected Results Are Compared to • Assess the Project’s Impact on Mission Performance, • Identify Any Changes or Modifications to the Project That May Be Needed, and • Revise the Investment Management Process Based on Lessons Learned

  13. Project Selection, Control, Evaluation • Gao’s Information Technology Investment Model (Itim) Model Is Comprised of Five Stages of Maturity • Each Stage Builds Upon the Lower Stages and Enhances the Organization’s Ability to Manage Its It Investment Stages

  14. Project Selection, Control, Evaluation Five Stages Of Investment Maturity

  15. Project Selection, Control, Evaluation Progressing Through the ITIM Stages of Maturity

  16. Project Selection, Control, Evaluation • Itim Is a Tool for Assessing the Maturity of an Organization • An Itim Assessment Can Be Conducted for an Entire Organization or For One of Its Lower Divisions • Itim Is Applicable to Organizations of Different Sizes

  17. Project Selection, Control, Evaluation • Itim Allows Auditors to Assesses the Maturity of Organizations to Manage Investments • Itim Provides a Maturity Stage or “Level” for an Organization • Each Maturity Stage or “Level” Has Required Practices or Activities

  18. Project Selection, Control, Evaluation ITIM Required Processes

  19. Project Selection, Control, Evaluation • Applying the Model Requires Assessing • Critical Processes, Such As the Processes Used to Create an It Investment Portfolio • Core Elements, (Purpose, Organizational Commitment, Prerequisites, Activities, and Evidence of Performance)

  20. Questions / Discussion • Questions • Comments • Discussion • Etc.

  21. Methods Description Module 2 Systems Development

  22. Systems Development • Systems Development Includes Activities Such As • Project Management, • Requirements Management, • Configuration Management • Software Development, Testing, Etc.

  23. Systems Development • Many Organizations Rely on Software-intensive Systems to Perform Their Missions • Software Quality Is Governed by the Quality of the Processes Used To Develop the Software • (Provide Reference)

  24. Systems Development • The Software Engineering Institute Has Developed a Number of Models That Facilitate Assessing the Maturity of Organizations Developing Software • The Models Are Called Capability Maturity Models (Cmm)

  25. Systems Development • What Is the Cmm? • An Ordered Collection of Practices for the Acquisition, Development or Maintenance of Systems • Ordered by “Key Process Area” • Practices Determined by the Community Through Broad Peer Reviews • Defines the Stages Through Which Organizations Evolve As They Improve Their Acquisition Process • Identifies Key Priorities, Goals and Activities on the Road to Improving an Organization's Capability to Do Its Job

  26. Systems Development • The Cmm Provides a Framework for • Identifying an Organization’s Process Strengths and Weaknesses • Assisting an Organization Develop a Structured Plan for Process Improvement

  27. Systems Development • Who Uses the Sw-cmm? • Organizations That Develop or Maintain Products That Contain Software • Organizations Who Want to Improve Their Software Development Processes • Audit Organizations Who Want to Assess the Maturity Of Organizations Developing or Maintaining Software Products

  28. Systems Development • The Cmm Is Structured Into • Five Maturity Levels • Each Level Has Key Process Areas (Kpa) • Each Kpa Has Goals • Goals Require Certain Activities Be Performed • Management Provides Support and Verifies That Activities Are Being Performed

  29. Systems Development

  30. Systems Development • The Five Levels Are • 1. Initial: The Software Process Is Characterized As Ad Hoc and Few Processes Are Defined • 2. Repeatable: Basic Project Management Processes Are Established; Improvement Activities Are Begun • 3. Defined: Software Processes Are Documented and Standardized; All Projects Use an Approved, Tailored Version of the Organization’s Standard Software Processes

  31. Systems Development • The Five Levels Are (Contd.) • 4. Managed/quantitative: Detailed Measures of the Software Processes, Products, and Services Are Collected; the Software Processes and Products Are Quantitatively Measured and Controlled • 5. Optimizing: Continuous Process Improvement Is Enabled by Quantitative Feedback From the Process and From Piloting Innovative Ideas and Technologies

  32. Systems Development Software CMM Levels and KPAs

  33. Systems Development • Cmm Common Features • Commitment To Perform • Ability To Perform • Activities • Measurement & Analysis • Verification

  34. Systems Development • Commitment To Perform • Describes What an Organization Must Do to ‘Set the Stage’ for Process Improvement / Implementation • Involves Establishing Policy • Assigning Responsibility

  35. Systems Development • Ability To Perform • Describes the Preconditions That Must Be Present to Facilitate Process Improvement / Implementation • Assignment of Duties to Groups • Providing Trained or Experienced Personnel • Ensuring Adequacy of Resources

  36. Systems Development • Activities • Describe the Activities, Roles, and Procedures That Are Necessary to Implement the Key Process Area • Requires Formal and Informal Planning Documents • Requires Formally Documented Procedures • Requires (Depending on Kpa) Coordination With Other Affected Groups, Tracking Contractor Performance, Etc.

  37. Systems Development • Measurement & Analysis • Describes the Practices That Must Be Accomplished to Enable the Group to Track the Status of the Kpa • Effort & Funds Expended by the Project Team in Conducting Its Activities • Tracking Their Schedule and Progress (for Developing Formal Plans, Requirements, Etc.)

  38. Systems Development • Verification • Describes the Practices That Must Be Performed to Ensure That Project and Senior Management Oversee the Activities of the Group • Includes Periodic or As Needed • Project Level Reviews • Senior Management Level Reviews

  39. Systems Development Example From Model

  40. Questions / Discussion • Questions • Comments • Discussion • Etc.

  41. Methods Description Module 3 Systems Acquisition

  42. Systems Acquisition • Systems Acquisition Includes Activities Such As • Project Management, • Requirements Management, • Solicitation, Contractor Tracking • Evaluation, Risk Management, Etc.

  43. Systems Acquisition • Many Organizations Rely on Software-intensive Systems to Perform Their Missions • Organizations Have Been Increasingly Contracting Out for Software or Engineering Services

  44. Systems Acquisition • The Software Engineering Institute Has Developed a Number of Models That Facilitate Assessing the Maturity of Organizations That Acquire Software or Systems • The Models Are Called Capability Maturity Models (Cmm)

  45. Systems Acquisition • Just As For Software Development There Is the Sw-cmm (or Just Cmm) • For Assessing or Improving Acquisition Related Activities, The Sei Has Developed the Software Acquisition Capability Maturity Model (Sa-cmm)

  46. Systems Acquisition • Who Uses The Sa-cmm? • Organizations That Acquire or Support Acquisition of Products That Contain Software, Including Software Support and Maintenance • Organizations That Are Responsible for Acquisition Life Cycle From Requirements Development Through System Delivery and Support • Audit Institutions That Want To Assess How Effectively Software or Services Are Being Acquired

  47. Systems Acquisition • The Sa-cmm Is Also Structured Into • Five Maturity Levels • Each Level Has Key Process Areas (Kpa) • Each Kpa Has Goals • Goals Require Certain Activities Be Performed • Management Provides Support and Verifies That Activities Are Being Performed

  48. Systems Acquisition

  49. Systems Acquisition • The Five Levels Are • 1. Initial: The Software Process Is Characterized As Ad Hoc and Few Processes Are Defined • 2. Repeatable: Basic Project Management Processes Are Established; Improvement Activities Are Begun • 3. Defined: Software Processes Are Documented and Standardized; All Projects Use an Approved, Tailored Version of the Organization’s Standard Software Processes

  50. Systems Acquisition • The Five Levels Are (Contd.) • 4. Managed/quantitative: Detailed Measures of the Software Processes, Products, and Services Are Collected; the Software Processes and Products Are Quantitatively Measured and Controlled • 5. Optimizing: Continuous Process Improvement Is Enabled by Quantitative Feedback From the Process and From Piloting Innovative Ideas and Technologies

More Related