680 likes | 820 Views
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor. INTRODUCTION. Michael Burch, IS Audit Supervisor Lisa Outlaw, IS Audit Supervisor Michelle Wicker, IS Auditor - Team Leader. IIPS Fall Conference 2007. Office of State Auditor Michael Burch, CPA, CISA
E N D
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor INTRODUCTION Michael Burch, IS Audit Supervisor Lisa Outlaw, IS Audit Supervisor Michelle Wicker, IS Auditor - Team Leader IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor Summary of Community College Audits 2002/2003 Audits and Follow Ups 2006 and 2007 Limited General Controls Fiscal Year 2007 Financial Audit Files IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor Community College Audits for 2008 Shift of Focus From Limited General Controls To Penetration and Vulnerability Assessments Assistance to Financial Audits Financial Audit File Datatel Colleague Access File Random General Controls if Needed IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE Every organization has some form of IT Governance by default Good IT Governance Ensures IT investments are optimized and aligned with business strategy. Delivers value within acceptable risk boundaries IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE What is Definition of IT Governance? IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE What is Definition of IT Governance? No Standard Definition! IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE Evolved from “corporate governance” Which define proper management of business Compliance with regulatory requirements Has gained prominence from recent events IT Governance applies to organization’s IT environment IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE Specifies the decision rights and accountability framework to encourage and force desirable behavior in the use of IT for the organization Is the strategic alignment of IT with the business’ goals such that maximum value is achieved through the development and maintenance of effective IT controls and accountability, performance management, and risk management IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE Involves management, processes, and resources Aligns IT goals and objectives with those of the business as a whole Purpose is to ensure optimum and uninterrupted service delivery IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEMethodologies COBIT (Controls Objectives for Information Technology) ITIL (Information Technology Infrastructure Library) ISO Standards ISO 17799 (renamed 27002 July 2007) ISO 27001 IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEInformation System Security Security is about managing risks Risk management covers opportunity and asset protection Provides value in providing Business Enablement Asset Protection IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE IT GOVERNANCE IS ABOUT: Control Accountability Responsibility Authority Who defines the rules and who is responsible for compliance and monitoring of the rules IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEOften Confused with IT Management IT Governance: Who makes the decisions Getting right people involved with IT decisions Not leaving it to IT IT Management: Making and implementation of decisions consistent with the governance framework IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEFour Objectives IT VALUE and ALIGNMENT Creates necessary structure and processes around IT to ensure that IT projects are aligned with the business goals and objectives IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEFour Objectives RISK MANAGEMENT IT risks often same as business risk for organization Therefore managing IT risks is paramount for the organization as a whole IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEFour Objectives IT RISKS include: Security risks arising from hackers and insiders Denial of service attacks Privacy risks from Identity Theft Recovery from disasters Resiliency of systems from outages and project failures IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEFour Objectives ACCOUNTABILITY At end of day, governance is about accountability. Current legislation is holding senior management accountable for the integrity and credibility of financial system and controls. IT management is held accountable for return of investment in IT as well as the credibility of IT’s controls IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE FRAMEWORK Formal methodology of establishing a corporate model for setting and delivery business strategy, measuring performance, managing risk, and establishing a corporate culture with ethical standards To fit within the governance framework, IS security must be aligned to deliver on the business strategy IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEFour Objectives PERFORMANCE MEASUREMENT Accountability requires score keeping to measure how well the organization is doing IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEIS Security Policy Must clearly define roles and responsibilities for security, including owners, custodians, and managers Define the owners of business processes and data Define acceptable parameters for IT operations Define communications between owners and IT Define monitoring for compliance IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEIS Security Policy Polices must have effective processes (procedures) for implementation and compliance Require knowledge and support for maintenance (must change as requirements change) Security issues often arise from deficiencies in the procedures and people area Awareness of individuals’ responsibilities for security must be embedded within the culture of the organization from induction to exit IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEIS Security Needs to be integrated into the enterprise risk management framework. Covers the whole enterprise Security awareness and responsibility must apply to those with external or temporary access rights to information systems as well as permanent staff Must become part of the organization’s culture, not an afterthought IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEMethodologies COBIT (Controls Objectives for Information Technology) and ISO 27001 and 27002 Defines what should be done ITIL (Information Technology Infrastructure Library) Provides the “how” from a service management perspective IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEMethodologies These “best” practices have been significant not from the AUDIT perspective but from management’s for defining IT governance for the organization In private industry there is now regulatory requirements for effective information system controls Sarbanes Oxley HIPPA IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCEMethodologies It’s only matter of time before the shareholders of government (taxpayers) demand the same of governmental agencies. IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE It’s not a question of IF but rather the question is WHEN. Government will be forced to implement IT governance, whether by legislation or good management practices. The time is start implementation of IT governance for the community colleges, is NOW rather than LATER. IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor IT GOVERNANCE Who is Responsible? The Board of Directors/Executive Management Business Processes and Data Owners IT Auditors The Board of Director and Executive Management must take ownership of IT Governance and set its direction IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT IT Governance in simple terms is management’s policy for controlling IT’s strategic impact and value for the organization Structure and set of processes and related procedures to aid in providing effective IT services to the organization and the monitoring of the IT process IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT COBIT is the most recognized framework for support of IT governance Office of State Auditor has selected COBIT as the framework for IS Audits of state agencies. IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Based on best practices Focuses on the processes of the IT Provides for IT performance assessment and monitoring IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Effective IT governance would actually build a framework using all three of the above methodologies For our discuss today, we will focus on COBIT since it provides the best overall control practices and framework. COBIT provides move detail than ITIL and ISO standards for developing IT governance IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT ITIL Provides best practice for service management and delivery Does not cover strategic impact of IT and relation between IT and business processes ISO 17799 (27002) and 27001 Focus is on security and does not provide for planning and delivery of IT services IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT COBIT 4.0 released in 2005 COBIT 4.1 released May 2007 Downloadable from ISACA website (www.isaca.org) Set of 34 high-level control objectives containing 215 detail control objectives. Reduced from 314 in previous versions IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Control objectives are grouped into four main domains Planning and Organizing Acquisition and Implementation Delivery and Support Monitoring IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Planning and Organizing Strategy Planning Communications Strategy Management Risk Management Resource Management IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Acquisition and Implementation Identify, develop, or acquire and implementation solutions to business processes Management of the life cycle of systems through maintenance, enhancements, and retirement IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Delivery and Support Service and support including Performance and Security Training IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Monitoring All processes needed to regularly assess for compliance with control requirements Addresses management’s oversight of the organization control processes Self-Assessments, Internal and External Audit IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Provides management and business processes owners with an IT governance model that helps in delivering value from IT and understanding and managing the risks associated with IT Helps bridge the gaps between business requirements, control needs, and technical issues IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Is a control model to meet the needs of IT governance and ensure the integrity of information systems and data IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBITWho Uses IT? Those who have primary responsibilities for business processes and technology. Those who depends on technology for relevant and reliable information Those who provide quality, reliability, and control of information technology IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBITWho Uses IT? COBIT is not only used by the IT department, but by the organization as a whole, including business processes and data owners Provides business processes owners with a framework to control activities for IT Provides management with a set of tools for self-assessment and monitoring of IT function IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBITWhy Use IT? COBIT is business oriented, therefore using it to understand IT control objectives to deliver IT value and manage IT related business risks is straight forward IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBITManagement Guidelines Provide tools for management to perform self-assessments to make choices for control implementation and improvement over the organization’s information and related technology. Guidelines are provided for each of the 34 IT Processes, with a management and performance measurement perspective IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBITManagement Guidelines Tools are provided by the guidelines to support management decision making process COBIT 4.0 and 4.1 integrates the management guidelines with the control objectives in one publication IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Overall COBIT is a management tool for IT controls Not necessarily just an audit tool COBIT provides management, auditors, users with a set of generally accepted measures, indicators, processes and best practices to assist the organization in maximizing the benefits derived through the use of information technology and development of IT governance and controls IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Helps management, auditors, and users understand the organization’s IT systems and decide the level of security and controls that is necessary to protect the organization’s assets through the development of an effective IT governance model. IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Product Family The complete COBIT package is a set of six publications Executive Summary Framework Control Objectives Audit Guidelines Implementation Tool Set Management Guidelines IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Product Family Executive Summary Consists of an Executive Overview which provides a thorough awareness and understanding of COBIT’s key concepts and principles IIPS Fall Conference 2007
Office of State Auditor Michael Burch, CPA, CISA IS Audit Supervisor COBIT Product Family Framework Explains how IT processes deliver the information that the business needs to achieve its objectives Delivered through the 34 high-level control objectives, one for each IT process, contained in the four domains IIPS Fall Conference 2007