Learn about the audit objective, types of IT audits, focus areas, key role players, and quick wins to improve IT governance, security management, user access control, and IT service continuity in South African municipalities.
06 Sep 2013 Information Technology Audits: Western Cape. Widaad Solomons (Senior Manager – Information Systems Audit)
Reputation promise/mission The Auditor-General of South Africa has a constitutional mandate and, as the Supreme Audit Institution (SAI) of South Africa, it exists to strengthen our country’s democracy by enabling oversight, accountability and governance in the public sector through auditing, thereby building public confidence.
Audit Objective Assess IT Controls Support RA Regulations (PFMA, MFMA, Public Service Regulations) International Standards on Auditing (ISA 315 & ISA 330)
Types of IT Audits • General Controls Review • IT Audit of Predetermined Objectives (AOPO) • Application Controls Review • IT Audits • Project Assurance (SDLC) • Data Analytics • ERP Reviews • Network Security
2011-12: General Controls Review Focus Areas • IT Governance • Security Management • User Access Control • IT Service Continuity
TEST OF CONTROLS: • Design • Implementation • Operating Effectiveness
2011-12: IT Governance (SLAs, monitoring, IT Gov Framework, IT Risk Mgmt)
2011-12: Security Management (IT security policy, password settings)
2011-12: User Access Control (Policy, access requests, monitoring)
2011-12: IT Service Continuity (DRP, policy, backups, testing)
Quick Wins
• IT Governance - All municipalities to ensure proper SLAs are entered into with IT service providers, including district municipalities, as well as the monitoring thereof. Alignment / adoption of the IT Governance framework that was approved by DPSA.
• Security Management - IT security policy to be developed and implemented by all municipalities; an Information Security Officer can be shared by all municipalities within a district.
• User access management - User access policies and procedures to be developed at all municipalities, and periodic review of user access.
• IT service continuity planning - Backup and retention procedures to be developed and implemented to ensure critical data backup occurs, data is taken off-site and its recoverability is tested.
2012-13 Audit Scope • Full coverage (30 Municipalities): • ISA Audit • RA Checklist
2012-13 Audit Approach • 1. Follow up on 2011-12 findings • 2. If progress, perform full audit • 3. If no progress, NO EXECUTION • 4. Reporting