ISACA Geek Week, Clay Douglas, August 19, 2013 ... global technology audit...
TRANSCRIPT
What’s in it for me (IT Auditor)?
What should I continuously audit and why?
How should I continuously audit?
Does this fit my organization?
Food for thought...?
Source: Global Technology Audit Guide Continuous Auditing: Implications for Assurance, Monitoring and Risk Assessment authored by David Coderre, Canadian Mounted Police (RCMP) with Subject Matter Experts John G. Verver, ACL Services Ltd. J. Donald Warren Jr., Center for Continuous Auditing, Rutgers University
Continuous Auditing – used by the IT audit professional to perform control and risk assessments on a more frequent basis using CAATs that enable continuous monitoring of controls and risk while allowing auditors to gather selective audit evidence through automation.
Continuous Monitoring – a management process to monitor whether policies, procedures and business processes are effective on an ongoing basis.
Continuous (Auditing + Monitoring) satisfies the demands for assurance that:
Control procedures are effective
Information for decision making is relevant and reliable
Source: IS Auditing Guideline: G42 Continuous Assurance
“The power of continuous auditing lies in the intelligent and efficient continuous testing of controls and risks that results in timely notification of gaps and weaknesses to allow immediate follow-up and remediation.”
[Diagram: the traditional audit cycle (Start, Fieldwork, Report, Findings) contrasted with the continuous auditing cycle of Test, Report, Improve repeated, each cycle driven by Automated Test Procedures]
1. Managing and retaining data
2. Securing the IT environment
3. Managing IT risk and compliance
4. Ensuring privacy
5. Managing system implementations
6. Preventing and responding to computer fraud
7. Enabling decision support and analytics
8. Governing and managing IT investment/spending
9. Leveraging emerging technologies
10. Managing vendors and service providers
Source: American Institute of CPAs Website
Key Performance Indicators (candidate areas):
Accounts Payable
Accounts Receivable
P Cards
Manual Journal Entries
Expense Reports
Terminated Employee Access
Changes that Cause Incidents
Project Status Reporting
User Access
Design
Source: ITIL V3 Service Design, Volume 5 - Continual Service Improvement • Seven Step Improvement Process
Measurement is the key to the continuous improvement cycle (Plan – Do – Check – Act).
[Diagram: ITIL generic process model. Enablers: People, Tools, Process. Process Control: Process Owner, Process Objectives, Process Policies, Process Documentation, Process Feedback, Process Improvements. Process: Process Triggers, Process Inputs, Process Activities, Procedures, Work Instructions, Roles & Responsibilities, Process Metrics. Process Outputs: KPIs, Measurements, Reports, Reviews.]
Data identification starts with the vision and is broken down to measurements:
Vision → Mission → Goals → Objectives → CSF → KPI → Metrics → Measurements
"If you cannot measure it, you cannot improve it."
Lord Kelvin (Sir William Thomson, 1824-1907)
Reporting goes back up the same path, from measurements to vision.
Respond to the customer’s changing business requirements, maximizing value and reducing incidents, disruption and re-work.
Respond to the business and IT requests for change that will align the services with the business needs.
Ensure that changes are recorded and evaluated, and that authorized changes are prioritized, planned, tested, implemented, documented and reviewed in a controlled manner.
Ensure that all changes to configuration items are recorded in the configuration management system.
Optimize overall business risk – it is often correct to minimize business risk, but sometimes it is appropriate to knowingly accept a risk because of the potential benefit.
CSF - Responding to business and IT requests for change that will align the services with the business needs while maximizing value
CSF - Ensuring that all changes to configuration items are well managed and recorded in the configuration management system
CSF - Optimizing overall business risk
KPI - Reduction in disruptions to services, defects and re-work caused by poor or incomplete impact assessment
KPI - Increase in change success rate
KPI - Reduction in unauthorized changes identified
KPI - Reduction in disruptions to services, defects and re-work caused by poor or incomplete impact assessment
Data sources: Change assessment results, Change review results, Incidents
KPI - Increase in change success rate
Data sources: Change review results
KPI - Reduction in unauthorized changes identified
Data sources: Changes, approvals
Data collection points:
Change records
Change assessment criteria
Change assessment
Build or test plans
Change approval(s)
Review and verification
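As an added example (not from the presentation), an automated test procedure in Python that derives the three change-management KPIs above from the data collection points; the change records, approvals and incidents are constructed sample data, and all field names are assumptions.

```python
"""Added example: an automated test procedure that computes change-management
KPIs from change records, approvals and incidents (constructed sample data)."""
from datetime import datetime

# Constructed sample data; field names are assumptions, not any product's schema.
CHANGES = [
    {"id": "CHG-1", "implemented": "2013-08-01", "status": "success", "impact_assessed": True},
    {"id": "CHG-2", "implemented": "2013-08-03", "status": "failed",  "impact_assessed": False},
    {"id": "CHG-3", "implemented": "2013-08-05", "status": "success", "impact_assessed": True},
    {"id": "CHG-4", "implemented": "2013-08-07", "status": "success", "impact_assessed": False},
]
APPROVALS = [
    {"change": "CHG-1", "approved": "2013-07-30"},
    {"change": "CHG-2", "approved": "2013-08-02"},
    {"change": "CHG-4", "approved": "2013-08-08"},   # approval recorded after implementation
]
INCIDENTS = [
    {"id": "INC-1", "caused_by": "CHG-2"},
    {"id": "INC-2", "caused_by": "CHG-4"},
    {"id": "INC-3", "caused_by": None},              # not change-related
]

def unauthorized_changes(changes, approvals):
    """Changes with no approval, or whose approval post-dates implementation."""
    approved = {a["change"]: datetime.fromisoformat(a["approved"]) for a in approvals}
    flagged = []
    for c in changes:
        when = datetime.fromisoformat(c["implemented"])
        if c["id"] not in approved or approved[c["id"]] > when:
            flagged.append(c["id"])
    return flagged

def change_success_rate(changes):
    """Percentage of changes whose review status is 'success'."""
    ok = sum(1 for c in changes if c["status"] == "success")
    return round(100.0 * ok / len(changes), 1) if changes else 0.0

def disruptions_from_poor_assessment(changes, incidents):
    """Incidents caused by changes implemented without an impact assessment."""
    weak = {c["id"] for c in changes if not c["impact_assessed"]}
    return [i["id"] for i in incidents if i["caused_by"] in weak]

def kpi_report(changes=CHANGES, approvals=APPROVALS, incidents=INCIDENTS):
    return {
        "unauthorized_changes": unauthorized_changes(changes, approvals),
        "change_success_rate_pct": change_success_rate(changes),
        "disruptions_from_poor_assessment": disruptions_from_poor_assessment(changes, incidents),
    }

if __name__ == "__main__":
    print(kpi_report())
```

Run on each extract of the change system, the report gives the auditor the KPI trend and the list of exceptions to follow up, which is the timely notification the continuous auditing model calls for.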
Are data analytics in place?
What tools are available?
Are there data warehouses, data marts, etc.?
Is there a CPI (continuous process improvement) program?
Is there a Six Sigma program?
Are your IT service management processes mature?
Are the systems centralized or decentralized?
Are there high integrity metrics in place?
Is there a history of fraud?
Do we have senior management support?
Can it be incorporated into the Annual Audit Planning?
For your Internal Audit process, what are the:
Goals, Objectives
Critical Success Factors
Key Performance Indicators
Metrics
Measurements