Introduction of Project Management & Korea Information System Audit Young H. Choi Korea IT Consulting Inc., SW Professional Engineer Jun 12, 2014


1. ICT Project Management

2. The introduction of Korea IS Audit

3. COBIT Framework of ISACA

4. Key challenges

5. Q&A

In the past, all roads lead to Rome

However now, all roads lead to SNS

Social System Relation

● World is small enough thru 6 stages, 4 stages via Twitter

Be Small World Network

● Word of mouth -> World of mouth

the theory that everyone and everything is six or fewer steps away, by way of introduction, from any other person in the world, so that a chain of "a friend of a friend" statements can be made to connect any two people in a maximum of six steps

Over Worked!!!

▶ To understand the meaning and processes of managing projects to raise its success rate

1. ICT Project Management

What is ICT Project

▶ To provide benefits for people and their organizations, and improve the quality of life of citizens,

Given the constraints of funds, time and resources, policymakers,

- Information and Communication Technologies (ICT) is not only with hardware, networking systems, software and applications to achieve a goal, but requires a substantial amount of human activity in the projects aligned with the larger goals of the organization.

Definition of ICT Project Management

■ A set of tools for planning, implementing, maintaining, monitoring and evaluating progress of activities in line with larger goals and objectives of the organization, it defines what has to be

■ A method, a discipline, and a process

Source: AICICT (The United Nations Economic and Social Commission)

Vital Factors of Project Management

▶ People, Process and Technology are the factors that influence project performance in achieving the project’s goals or objectives.

▶ Defining, balancing and integrating the relationships among these factors can result in the project’s optimum performance.

Major Reasons of Project Failure

☞ Poor project design

☞ Poor project management

So process, outputs (deliverables) and resources should be managed responsibly

Disciplines of Project Management

▶ The project plan should detail all areas of discipline that will answer the question, how do we achieve the goals, objectives and requirements of the project?

▶ Qualified and competent managers must be prepared to handle the following disciplines:

1. Scope

2. Time

3. Cost

4. Human Resources

5. Risk

6. Quality

7. Procurement

8. Communication

9. Integration

10. Issues & Acceptance

11. Change

Recommended Principles for Successful Project

For a project to be successful, the following principles should be observed:

1. Participation

– People who are part of the project should be involved at every stage, from the initial needs assessment through to

2. Local ownership and capacity development

– For projects to be sustainable, they must be locally owned and accompanied by human and organizational capacity development.


3. Alignment

– The potential benefits for the poor are more likely to be realized when ICT activities are aligned with the larger demand-driven development efforts of partners, particularly those related to poverty reduction.

4. Institutional ownership and leadership

– A sense of ownership by and leadership of partner institutions are important.

Although successful ICT pilot programs are often driven by individuals, there must also be an institutional base to extend the project’s reach and increase the number of people involved.


5. Competitive enabling environment

– An enabling ICT policy environment includes respect for freedom of expression, diversity and the free flow of information, completion of ICT infrastructure provisions, and investment in service development, including local content and the adoption of open source solutions


6. Financial and social sustainability

– In order for projects to be financially sustainable, all potential costs and revenue generation should be included in the planning process from the start.


7. Risk considerations

– Possible and unforeseeable negative impacts need to be taken into account and carefully monitored, including watching out for how the benefits of ICT-supported interventions may be unequally distributed, i.e. deepening economic, social and cultural divides rather than reducing poverty.

Major Challenges of Project Management

▶ Managing the project scope and resources, particularly time, cost and people

▶ To manage time, good project management practice observes the different phases of project management, which include: Planning, Implementation, Monitoring and Evaluation

▶ Started Silver Digital Era with Smart Devices

Image of Smart World

Realize Digital Democratization

Digital Divide: Smartphone Phobia etc

Digital Toy? Digital Weapon?

Smart Device Boom & Knowledge Gap

Illiteracy => No PC Knowledge => No Smartphone

Digital Divide

2. The introduction of Korea IS Audit

■ IOT all connection via an internet

■ Information Big data

■ Personal information

■ System security

Complex I/F & Security

As-was & As-Is ERP

Evolution of ERP System

2. Korea Gov. Law of IS Audit

Definition of IS Audit

☞ The IS Auditor, who must not be influenced by the project owner or the system developer, checks the information system from a 3rd-party view, to improve the efficiency and acquire the security of matters related to building the system and stable

- Source: Korea Act Article 2, Paragraph 14

Objective of IS Audit

▶ In view of 3rd party => The IS Auditor should be objective about the problems and independent from the project owner and other related parties

Diagram labels: Project owner, IS Auditor, Contractor; Correction notice -> Contractor; No Delegation, No Control

▶ Improve the system effectiveness and the contribution to business profitability

▶ Achieve IT cost-efficiency (response time, resources, etc.) to meet the pre-defined target

▶ Ensure system security: Integrity, Availability and

▶ Monitor whether the procedures defined by the IS Audit Act are followed

Objective of IS Audit

▶ To lead the successful system development whilst minimizing the significant risks

Key Success Factor for System Development

▶ What successful system development means:

Budget: Build the IT-enabled business system within budget

Delivery: Complete the system development by the contractual date

Quality: Satisfy the business system's requirements for functions, performance, security, etc.

NIA (National Information Society Agency)

Ministry of Security & Public Administration

Korea

Statute


Digital Government Act

Enforcement of ordinance for Digital Gov. Act

Notice of IS Audit Standard

Explanation of IS Audit

Guideline of IS Audit

Order / Management

Guideline of IS Audit


Management of requirement and task execution

Business type based

Checklist (48 items)

Responsible By Audit related Law / Notice / Guidance



2. Korea Gov. Law of IS Audit (Law enforcement)

Columns: Type, IS Audit Mandatory, CY 2010, CY 2011, CY 2012

Law

• Informatization promotion Act No. 5669 (1999.1.21), Article 15 paragraph 2 (IS Audit)
• Law of effective Introduction and operation of IS No. 7816 (2005.12.30)
• Digital government Law No. 10012 (2010.2.4)

Enforcement Decree

• Presidential No. 16458, Article 10 sub-paragraph 3
• Presidential No. 19598 (2006.6.30)
• Presidential No. 22151 (2010.5.4)

Enforcement Rule

• Enforcement rule Article 11 paragraph 1 sub-paragraph 5
• Information & Communication rule No. 198 (2006.6.30)

Standard

• Audit Standard of Information System (IC Notice No. 999-104)
• Audit Standard of Information System (Ministry of security & public administration notice No. 2008-18)
• Audit Standard of Information System (Ministry of security & public administration notice no. 2010-30 (2010.05.04) and 2010-85 (2010.12.22))
• Audit Standard of Information System (Ministry of security & public administration notice no. 2010-85 (2011.7.1))
• Audit Standard of Information System (Ministry of security & public administration notice no. 2012-11 (2012.3.2))

Guideline

• Audit guideline of IS V1.0 (NIA 2009.05.28)
• Audit guideline of IS V1.0 (NIA 2009.05.28)
• PO Guideline of IS Audit project


2. Korea Gov. Law of IS Audit (By period)

2. IS Audit Working Process

IS Audit Observance

Required observance by the project owner, who is the PO issuer (Article 57, Paragraph 2)

▶ The project owner supports the IS Auditor while working with the project contractor

▶ No interruption of, or unreasonable orders to, the IS Auditor

Mandatory remediation of issues reported after IS Audit (Article 57, Paragraph 3)

▶ Based on the level of risk the IS Auditor found, all issues must be resolved according to their type: Mandatory correction, Warning or Recommendation

Mandatory IS Audit

IS Audit applies to any public company investing more than about 0.5 M USD in total cost, excluding SW packages and HW

However, if the investment is less than 0.1 M USD, which is a small project not worth auditing, the head officer of the public company might request an exemption. The exceptions are as below:

• Any public service related to government administration
• Collaborated systems which many public companies use with each other or build together
• System interfaces and common use by many public companies
• If decided by the head officer of the public company, IS audit is required

2. IS Audit Working Process (Framework V4.0)

Diagram labels: As Is, To Be; QA Activity; Business Management; Data Base; ITA, ISP, System Development, DB, OP, MA; IS Audit A

▶ IS Audit processes include EA (Enterprise Architecture), ISP (Info. System Planning), DB, Operation and Maintenance etc.

2. The execution of IS Audit (Stepwise vs. Continuous Audit)

• IS audit activities usually take place at the project site. They are provided as stepwise IS audit or continuing audit, based on project characteristics.

Stepwise Audit

• Audit at major steps based on the SW development cycle. Support steps at analysis, design and implementation

• Submit the audit report about all system areas, on which 4 to 10 IS auditors worked for 1-2 weeks

Continuous Audit

• Work at the project site from the project beginning, guide quality, inform the contractor of corrections and report to the project owner

• Liaison role between project owner and contractor

• Advisory for the project owner on management and technical matters, with 1-2 IS auditors

2. The execution of IS Audit (Evaluation Level)

Audit evaluation (2010-30)

1. Highly accepted (적정): No risk found in achieving the project goal at the time of the development stage.

2. Accepted (보통): Small issues found, which do not impact the project delivery and can be solved with only adjusted strategy and resources

3. Partially accepted (미흡): Significant problem found in achieving the project goal. It requires slightly changed strategy and resources

4. Not accepted (부적정): Significant problems found in achieving the project goal, which cannot be solved with the current strategy and limited resources

Optional issues: Short Term, Long Term

Mandatory issues: Short Term, Long Term

Project owner will decide whether recommended issues must be solved in short or long term basis (negotiable).

2. IS Audit Working Process (Management w/Service)

Diagram labels: ISP Dev Audit; Continuing Audit; Personal Security Planning for IS Security; System Analysis EA; Define Requirement; Decision Selection Mgm’t Maint.; Biz. management & Control; Select Audit Partner; Start Prj.; Biz. M; Issue PO; Prepare RFP; Maintenance Support Biz.

2. IS Audit Working Process (By Biz. Type)

• Apply to the best-fit audit model for accomplishing the successful improvement after analyzing the business project with the structural and logical process in mind

Project type (Development or Maintenance)

Progress level of Project (Analysis, Design etc)

Area allocation for audit process (Management, Architecture etc)

Find check point for each area

IS Audit view (Performance or security etc)

Project A

Audit View / Check basis

Biz. Type / Audit Time

Check items, Review items

Check Framework

Guidance by area

Detailed review items, Review method

Compliance by area

2. IS Audit Working Process (Perspective)

View / Check Factors / Description

Plan Reasonability: Review project plan, resources, progress etc

Process Reasonability: Review procedures defined about development / operation / maintenance and risk, quality, schedule and change etc

Compliance: Review the compliance being maintained while working for the project

Functionality: Review the functionalities in view of completeness, integrity and interoperability

Integrity: Review data correctness and integrity

Usability: Review the easy operation for users

Stability: Review system stability in view of backup, business continuity and recovery

Security: Review system security to protect against hacking etc

Efficiency: Review business efficiency with a reliable response time, scalability and adaptability

Compliance: Review the output, procedure, standard and methodology to check the compliance

Consistency: Requirements must be traced for any match

Realizability: ROI (Return On Investment), Achievement etc

Sufficiency: Review the satisfaction of all requirements defined in the project plan

(SD) Maintenance

Step / Check Items / Explanation

1. Change Management: Do any changes in the pre-defined project scope follow the proper procedures and provide traceability?

2. Progress Management: Is the project schedule managed in time and controlled properly?

3. Resource Management: Are all resources being taken on schedule and managed properly as defined in the project plan?

4. Communication: Is the communication between project owner and contractor in a good and reliable position?

5. Risk Management: Are all risks managed well and reported in time? And are procedures to relieve them being taken and traced?

6. Quality Management: Does the contractor always provide activities to improve the project quality for the project owner and report periodically?

IS Audit

Diagram (steps 1 to 9, on site and remote). Labels: Pre Audit, Start Audit, Audit Closing, Adjust Report, Remedy Plan, Final Confirm; Approval of Audit plan, Confirm key issues, Inform corrections, Accepted or rejected, Submit final scores and approval; Interview & Review Docs., Reflect changes, Plan correction, Confirm correction & report

Stepwise IS Audit is normally taken in 3 levels of activities, as below:

A00. Preliminary

On-site Analysis

B00. On-site

C00. Confirm

001. Report of Audit Plan

002. Report of Audit Processing

003. Report of Issue Correction

Preliminary Audit consists of 3 steps as below:

A10. Prepare Preliminary Audit
  A11. Scheduling
  A12. Resource plan

A20. Execute Preliminary Audit
  A21. Receive Docs.
  A22. Define a scope
  A23. Define checklist
  A24. Meeting with Prj owner & contractor

A30. IS Audit Plan
  A31. Write Audit Plan
  A32. Review/Confirm Audit Plan

B10. Start IS Audit
  B11. Prepare on-site audit
  B12. Confirm facilities

B20. Kick-off Meeting
  B21. Official Audit Meeting
  B22. Meeting minutes

B30. Execution of IS Audit
  B31. Receive documents
  B32. Review documents
  B33. Find issues/risks etc
  B34. Communication
  B35. Meeting with Contractor
  B36. Meeting with Prj. owner
  B37. Finalize issues

B40. Prepare IS Audit Rpt
  B41. Prepare Rpt by area
  B42. Report Collection
  B42. Review Reports

B50. Closing Meeting
  B51. Prepare meeting
  B52. Start meeting

B60. Finalize Audit report
  B61. Review issues
  B62. Reconciliation
  B63. Finalize report

C10. Check Remediation
  C11. Receive contractor request
  C12. Plan Check Schedule
  C13. Share check plan

C20. Confirm correction
  C21. Confirm results
  C22. Mutual review
  C23. Interview w/2 parties
  C24. Submit opinion

C30. Prepare Confirmation
  C31. Draft Report
  C32. Review Report
  C33. Revise Report

C40. Submit Post Audit Rpt
  C41. Finalize Report
  C42. Submit Report

Index of IS Audit Report

Describes all audit areas

1. Project management

2. Application

3. Data Base

4. System Architecture

IS Audit at Design level

Describes IS Audit Plan

Summarized opinion by Audit leader

2. The execution of IS Audit (Report)

II. Summarized opinion

3. COBIT Framework of ISACA

"The advanced economy could not run for thirty seconds without computers." - Alvin Toffler in Tomorrow's wealth -

Source: CISCO 2011

■ The future world is a hyper-connected environment with IOT (Internet of things) and M2M (machine to machine), which is not constrained by time and space and creates new business growth and values

Rapidly Changing Hyper Connected Society

World PC market not increasing, Smartphone/Tab rapidly growing

COBIT 5 is ISACA’s globally accepted framework, providing an end-to-end business view of the governance of enterprise IT that reflects the central role of information and technology in creating value for enterprises

ISACA was incorporated in the US in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems.

* COBIT stands for Control objectives for information and related technology

• Provide a renewed and authoritative governance and management framework for enterprise information and related technology

• Integrate all other major ISACA frameworks and guidance

• Align with other major frameworks and standards

▶ COBIT (Control objectives for information and related technology) is being developed continuously.

3. COBIT Framework of ISACA (Evolution)

3. COBIT Framework of ISACA (vs. Korea IS Audit)

▶ Korea IS Audit is focused on system development in view of functions, security and effectiveness to meet business demand, while COBIT is business process oriented in terms of 1) Plan & Organization 2) Acquire & Implementation 3) Deliver & Support 4) Monitor & Evaluate

COBIT Control Model

3. COBIT Framework of ISACA (Enablers)

IT Goals

3. COBIT Framework of ISACA (Aligned with IT & Biz Goal)

4 Domains

34 Processes

318 (Activities/Tasks)

3. COBIT Framework of ISACA (Primary Drivers)

Key challenges in Auditing Environment

▶ Complex systems that are always connected!!!

What is Smart device?

Many functions are together in an integrated device, which is flexible with customer applications installed and transformative

Key challenges in IS Auditing

▶ The issues below need to be clearly defined!!!

1) The scope of IS Audit

2) Communication with partners

3) Process Knowledge about Information system

4) Management of resource, delivery and quality

For more information Please contact:

Korea IT Consulting http://www.itall.net


#1503 Leaders Bldg, Seochojungang-ro, Seocho-gu, Seoul Korea 137-912

Tel 82-2-582-2400 Fax 82-2-583-9242


