410 likes | 1.22k Views
IT-Audit Concept, Approach and Methodologies. Christian Roman Gutzwiller. Internal IT Audit. Stakeholder in the Internal IT Audit Process Key Objectives & Requirements Methodological Framework Internal IT Audit Organization and Scope Proposed Approach and Methodology
E N D
IT-Audit Concept, Approach and Methodologies Christian Roman Gutzwiller
IT-Audit Concept, Approach and Methodologies Internal IT Audit • Stakeholder in the Internal IT Audit Process • Key Objectives & Requirements • Methodological Framework • Internal IT Audit Organization and Scope • Proposed Approach and Methodology • Co-ordination with External Regulatory and Auditing Bodies • Conclusion
Internal IT Audit IT-Audit Concept, Approach and Methodologies Stakeholders in the Internal IT Audit Process Internal IT External IT • WDR, PB, AM, • PC&C IT • IT Security Perot Systems Systor Internal Audit & Business External to UBS • GIA Business • line • BOD/GEB, ASB, • AC • Business lines • Regulatory • Bodies • External Audit • Prof Bodies
Breadth vs Depth • Increased technological solutions • Quality/Relevance of recommendations • Increased involvement up front • Detailed knowledge over increasingly • specialized areas • Rationalization of Bank’s • systems/technology • Global Focus, Adherence to standards IT-Audit Concept, Approach and Methodologies Stakeholder Demands on Internal IT Audit Internal IT Internal IT Audit
Staff Recruitment/Retention • Increased technological complexity/ • new technologies • Pace of IT Technology Development & • Implementation • Increased reliance on technical solutions • Outsourcing • Best practices/benchmarks IT-Audit Concept, Approach and Methodologies Stakeholder Demands on Internal IT Audit External IT Internal IT Audit
Ensure completeness of coverage • between IT & Fin audit • Budgetary, Headcount • Standards & Quality of work • Resource allocation • Reporting & Follow Up IT-Audit Concept, Approach and Methodologies Stakeholder Demands on Internal IT Audit Internal Audit and Business Internal IT Audit
Acquisitions & JVs - economies • through/leveraging technology • Globalization - increased regulatory • requirement • Costs reduction - rationalization • across group • Increased regulatory requirements IT-Audit Concept, Approach and Methodologies Stakeholder Demands on Internal IT Audit External to UBS Internal IT Audit
IT-Audit Concept, Approach and Methodologies Key Objectives and Requirements • Global and independent • Risk focus • Experts in IT internal control • IT project involvement • Frequency of reviews • Standardization and depth of reviews • Recommendations • IT and control knowledge • Effective co-ordination with external and regulatory bodies • Application / infrastructure audit co-ordination
IT-Audit Concept, Approach and Methodologies Key Objectives and Requirements Objective Course of Action Global and independent • Independence - the reporting structure of Group Audit within the bank ensures this • Organization & Technical Competence Center (TCC) concept Risk focus • PASKOR planning (risk-planning) • Incorporation of IT risk framework in Internal IT Audit fieldwork & reporting • self assessment process and IT Audit risk & control database Experts in IT internal control • CobiT framework and IT Audit planning and fieldwork with technology competence centre
IT-Audit Concept, Approach and Methodologies Key Objectives and Requirements Objective Course of Action IT project involvement • Stress point matrix • Infrastructure / Application Interface Frequency of reviews • PASKOR planning Standardisation and depth of reviews • TCC concept Recommendations • Primary controls audit (PCA) • Primary controls review (PCR) • Self Assessment approach (SA)
IT-Audit Concept, Approach and Methodologies Key Objectives and Requirements Objective Course of Action IT and control knowledge • TCC concept • Training re-emphasis Effective co-ordination with external and regulatory bodies • Planning and co-ordination of requirements • Outsourcing of work (external lead) • Insourcing on IT Audit (internal lead) • IT Audit work standards • IT Audit location database Application / infrastructure audit co-ordination • Scope and coverage definition • Infrastructure / Application Interface
IT-Audit Concept, Approach and Methodologies Methodological Framework Main Areas of Use • IT audits • Risk analysis • Health checks (security benchmarking) • Security concepts • Security manuals / handbooks
IT-Audit Concept, Approach and Methodologies IT Audit Methodologies • CobiT • www.isaca.org • BS 7799 - Code of Practice (CoP) • www.bsi.org.uk/disc/ • BSI -IT baseline protection manual • www.bsi.bund.de/gshb/english/menue.htm • ITSEC • www.itsec.gov.uk • Common Criteria (CC) • csrc.nist.gov/cc/
IT-Audit Concept, Approach and Methodologies Comparison of Methods - Results Standardisation Independence Ease of use CobiT BS 7799 Certifyability Update frequency BSI ITSEC Applicability in practice Efficiency Adaptability Presentation of results Extent of scope
IT-Audit Concept, Approach and Methodologies Methods: Example for CobiT CobiT Processes PASKOR AutoAudit Audit Type Mgmt & Control Year 2000 IT Development IT Operations IT Network IT Security DR & CP Change Mgmt Risk control matrices (detailed risks & controls CobiT objectives) Monitoring Planning & organization Acquisition &implementation Delivery &support CobiT control objectives
IT-Audit Concept, Approach and Methodologies IT Risk Management responsibility of ensuring proper management lies at the execution level apply IT risk management within a consistent andrepeatable framework independent risk manage-ment function with clearlyroles and responsibility link between risk manage-ment group, strategic plan-ning and the IT management strategy & governance risk mgmt organisation IT Risk Management measurement & reporting categories of risk risk mgmt process controls in place to ensurecompleteness, accuracy and timeliness of risk capture measures continually evolve as advances in methodo-logies and modeling techniques improve clearly segmented categoriesdefines which are easily understood throughout the organization comprehensive categoriesto capture all risks structured interview process,risk collection and feedback programme minimal administrative burden; usage of automated tools (intranet, database etc) wherever possible
IT-Audit Concept, Approach and Methodologies IT Risk Categories UBS risk categories IT risk categories reputation risk business / IT alignment business value of IT emerging technology project evaluation IT architecture management project management development standards IT development project risk data and information management development / testing environments operation management production availability IT change management system and network security contingency & capacity planning IT costs (project and operations) IT investment appraisal VAR (system financial exposure) skill / knowledge management success planning / career mgmt HR polices IT / business organisation alignment supplier & third party management non-conformance to regulations regulatory reporting IT contacts Impacts on: • Customer / clients • Shareholders • Counterparties • Suppliers • Regulators Strategic Credit risk Market risk Funding risk Operational risk IT risk Legal risk Liability risk Compliance risk Tax risk Physical/crime risk IT development IT delivery Financial IT organisation Legal & compliance
IT-Audit Concept, Approach and Methodologies Internal IT Audit Organization IT Audit Group IT Aud Domestic CH IT Aud International CAATT’s Audit SW Technical CoE Centre of Excellence Technical Competence Centres TCC Basel /Zurich (CH) International Basel /Zurich Distributed technology EMEA Asia Pacific Americas IT Consulting/Services SSP Task Forces
IT-Audit Concept, Approach and Methodologies CoE, TCC Schematic - Migration Path Actual: Generalists General IT audit activities (good all round knowledge) depth of knowledge techn. or process techn. or process techn. or process techn. or process TCC Mainstream distributed technologies CoE
IT-Audit Concept, Approach and Methodologies CoE, TCC Schematic - Migration Path Future: Specialists Specialist techn. or process Specialist techn. or process Specialist techn. or process Specialist techn. or process TCC depth of knowledge Mainstream distributed technologies CoE
IT-Audit Concept, Approach and Methodologies Generic IT Environment Application Architecture (AA) Application Audit Application: Development Environment, Application Security Software Change Management (SCM) Middleware / Services System Management & Operations Telecommunication Technical Security Operating System IT Audit Hardware
IT-Audit Concept, Approach and Methodologies Generic IT Environment Application audit Products Overall project mgmt appl level security app/business controls business contingency system functionality user testing a b c d Applications a b c d IT audit Operating system level security & admin disaster recovery operations & systems support network controls capacity planning database mgmt data access change mgmt process System technology divisional IT processes System technology global IT processes
IT-Audit Concept, Approach and Methodologies Proposed Approach and Methodology COSO-Model: Internal Control - Integrated Framework • Control environment • Risk assessment • Control activities • Pertinent information • Monitoring
IT-Audit Concept, Approach and Methodologies Production Audit Approach Primary Controls Audit (PCA) TCC / CoE Primary Controls Review (PCR) Self-Assessment (SA)
IT-Audit Concept, Approach and Methodologies Pre- / Post-Implementation Audit Post-implementation Pre-implementation Primary Controls Audit (PCA) project plan existing processes TCC / CoE results Primary Controls Review (PCR) Self- Assessment (SA) stress point matrix testing
IT-Audit Concept, Approach and Methodologies Principles and Co-operation IT Audit / 3rd Party Regulator external Internal IT Audit Basis Laws Regulations Standards Divisions Requirements Audit areas Audit objectives Divisions Legal entities Processes Audit areas Audit objectives Special Assignments
Thank you for your interest in IT Audit Concept, Approach and Methodologies