Master Thesis Presentation: Levels of IT audit implementation in Bosnia and Herzegovina. Student: Nermin Ćatović. Supervisor: Ing. Pavel Čech, Ph.D.

Levels of IT audit implementation in Bosnia and Herzegovina


DESCRIPTION

Master's thesis on the topic of "Levels of IT audit implementation in Bosnia and Herzegovina"


  • 1. Master Thesis Presentation: Levels of IT audit implementation in Bosnia and Herzegovina
    Student: Nermin Ćatović
    Supervisor: Ing. Pavel Čech, Ph.D.

  • 2. IT auditing
    IT auditing is the evaluation of IT, practices and operations to assure the integrity of an entity's information. Such evaluation can include assessment of the efficiency, effectiveness, and economy of computer-based practices.
    - Derived as an enhancement / support to financial auditing
    - Today: important role in modern business

  • 3. Background
    - Early stages of development in Bosnia and Herzegovina
    - Chances of huge impact on profession
    - No ISACA Chapter formed; only 24 registered members
    - EU integrations will require introduction of legislations
    - Two legislations in 2012 which change future of IT auditing (another two in preparation!):
      - Decision of Minimum Standards of Information System Management
      - Decision on Minimum Standards of Externalization/Outsourcing

  • 4. Goals and objectives
    - Determine and confirm needs for legal legislations
    - Awakening of consciousness about IT auditing
    - Determine levels of international standard and framework implementation so far
    - Awareness of companies
    - Needs to control and monitor processes are critical to business development

  • 5. Hypothesis
    Growing awareness on the evaluation of information technologies to support modern business and objectives in Bosnia and Herzegovina is changing. This opinion and awareness requires implementation of international standards and frameworks related to control and auditing, risk management, performance measures through adoption of legislatures which are necessary to establish higher level of decision making in management.
    Research will try to prove positive changes and evolution of information technology auditing compared to previous years.

  • 6. Research
    - February 2012 (opened for 1 month)
    - Email list based on previous contacts and use of LinkedIn group IT revizija
    - Aimed focus group of 37 people; 25 fully filled surveys (67% of aimed number)
    - Easy-to-use filling form on www.itrevizija.ba

  • 7. Research concept
    Research concept was based on 6 parts which include 28 questions:
    - Profile
    - Company IT profile
    - Significance and benefits of information technology
    - IT problems and potential solutions
    - Awareness and usage of IT Governance frameworks
    - Awareness and usage of CobiT
    Results which prove hypothesis will be shown.
    Comparison to similar research from 2009.

  • 8. Question P1.1: Please indicate position within the organization?
    Answers: Internal Auditors, IT security officer, Internal IT auditors, Head of IT department, Auditor, Deputy CEO, IT Supervisor, Project Manager, Assistant IT auditor, CSO, CIO, IT Department Director, IT Project manager, Assistant Professor
    Question P1.3: Please indicate which group does your company belong to.
    [Pie chart P1.3. Legend: Limited Liability Company (d.o.o. BiH); Financial Institution; Corporation (joint-stock); Public institution or company; Nonprofit organization; Budget user. Values, in the order extracted: 20%, 20%, 0%, 4%, 12%, 44%]

  • 9. Question P3.2: How strongly would you agree or disagree that IT investments have created value for your organization?
    * proof how IT gives out additional, competitive value
    [Pie chart P3.2. Legend: Absolutely agree; Agree; Partly agree; Strong disagree; I don't know. Values, in the order extracted: 0%, 0%, 12%, 16%, 72%]

  • 10. Question P3.4: Of these, which is the most important item in the management of IT activities of your organization?
    [Pie chart P3.4. Legend: Avoidance of negative incidents; Ensuring that the current IT functionality is in compliance with current business needs; Achieving a better balance between innovation and risk avoidance; Alignment with business and/or legal regulations; I don't know. Values, in the order extracted: 0%, 0%, 8%, 4%, 16%, 72%]

  • 11. Question P3.7: To what extent does your IT department support the business needs?
    [Pie chart P3.7. Legend: Does not support at all; Does not support enough; Supports up to some limit; Extremely supports; I don't know. Values, in the order extracted: 0%, 0%, 4%, 32%, 64%]

  • 12. Comparison to 2009 research
    - basis in similar research from 2009
    - clear goal of proving hypothesis and positive changes
    - MSc. Amra Alagid, currently works at Federal Banking Agency (B&H)
    - best way of determining changes
    - questions that show difference

  • 13. Question P2.4: How would you describe Management's level of involvement in IT governance?
    [Two pie charts, 2012 and 2009. Legend: Low level of engagement; Are informed, but not included; Participate in decision making; Key people in decision making; Fully involved; I don't know. Values, in the order extracted: 0%, 8%, 8%, 8%, 9%, 17%, 20%, 22%, 17%, 35%, 56%]

  • 14. Question P3.8: How would you describe the fit or alignment between your IT strategy and your organization's overall business strategy?
    [Two pie charts, 2012 and 2009. Legend: Very poor; Poor; Average; Good; Very good; I don't know; We don't have IT strategy. Values, in the order extracted: 0%, 0%, 0%, 4%, 4%, 9%, 4%, 17%, 20%, 31%, 44%, 39%, 28%]

  • 15. Question P5.2: Have you implemented, are you in the process of implementing or are you considering implementing improved IT governance practices?
    [Two pie charts, 2012 and 2009. Legend: Not considering implementation; Considering implementation; In the process of implementing; Have implemented; I don't know. Values, in the order extracted: 4%, 13%, 11%, 28%, 25%, 12%, 28%, 33%, 46%]

  • 16. Question P5.3: What solutions/frameworks do you use, are you considering using or not using?
    - 2012: ISO security standards: 55% using, 25% considering implementing
    - 2009: ISO security standards: 17% implemented
    - 2012: COBIT framework: 56,5% using, 13% consider implementing
    - 2009 (4th place): COBIT framework: 11% implemented
    Interesting data obtained is that 38% of respondents are mostly interested and considering implementation of Val IT, but only 9.5% of them are using it, which is nearly the same number as from 2009 (9%).

  • 17. Question P6.2: Are you personally aware of the contents of COBIT?
    [Two pie charts, 2012 and 2009. Legend: Yes; No; I don't know. Values, in the order extracted: 9%, 4%, 25%, 75%, 87%]

  • 18. Research results - conclusions
    - Research that was conducted on the territory of Bosnia and Herzegovina has shown satisfactory conditions
    - Respondents consider IT generally important for their business
    - Follow practices of developed countries
    - Implementation of good practices through intensive cooperation of internal and external auditors.
    - Reducing risk of information technology --> advise management about practices of strategic approach
    - Strategic development plan --> strategic plan for implementation of IT
    - Shows how much management cares about establishment of effective systems of internal controls

  • 19. CobiT & problems?
    - Small amount of developed IT organizations mature enough to implement
    - Areas of banking and financial activities
    - Insufficient institutionalized encouragement
    - COBIT framework must be adapted to use in each individual organization (if we are using it to improve processes)
    - Change in mindset, orientation and training of organization and its employees
    - community of auditors

  • 20. Improvements & suggestions
    - Not perfect but clear improvements can be seen
    - Increase popularity of www.itrevizija.ba
    - Training, on-line educations, consultant lectures, presentations, case studies, etc.
    - Benefits of organizing first IT auditing conference
    - Clearer understanding of risk, development of audit programs
    - Promotion of the frameworks within auditing community
    - Experiences and examples from similar countries and European Union

  • 21. Publication
    - Research document prepared for all interested individuals
    - Free publication available on www.itrevizija.ba
    - Extremely positive comments from leading experts so far
    - Possibility of publishing results and publication by Institute of Internal Auditors (IIA BiH)
    - Invitation to write 2-3 part article about IT auditing with research results in leading accounting and auditing magazine Porezni savjetnik (Tax advisor)

  • 22. Thank you for attention!
    Nermin Ćatović

  • 23. Reviewers' questions:
    Other questions?

  • 24. Reviewers' questions
    Question 1: What do you think is the most interesting result from your survey from the B&H IT industry point of view? Support it with some sound arguments.
    Question 2: Was the number of completely filled surveys high enough for achieving some sound statistical results?

  • 25. Question P5.4: How important is IT risk management to your organization?
    [Two pie charts, 2012 and 2009. Legend: Not important at all; Not very important; Not sure; Somewhat important; Very important; I don't know. Values, in the order extracted: 0%, 4%, 4%, 4%, 14%, 5%, 20%, 48%, 9%, 24%, 68%]

  • 26. Question 1: What do you think is the most interesting result from your survey from the B&H IT industry point of view? Support it with some sound arguments.
    According to a 2009 survey of 280 audit committee members conducted by KPMG in conjunction with the National Association of Corporate Directors, IT risk is a key area of concern.
    Banking sector: huge risks (cyber attacks), constant increase
    - Lack of legislations: REDUCING RISK takes an essential role
    - Realization that IT risk management is crucial in protecting their assets
    - Corporate risk management clearly part of internal controls
    - Provides guidance to help executives and management ask the key questions, make better, more informed risk-adjusted decisions and guide their enterprises so risk is managed effectively
    - Helps save time, cost and effort with tools to address business risks

  • 27. Question 2: Was the number of completely filled surveys high enough for achieving some sound statistical results?
    - Undeveloped IT community
    - Basic statistical data
    - 2009 research: 27 filled questionnaires | 2012 research: 25 filled
    - Physical presence and deep networking abilities crucial for obtaining data
    - Professional encouragement from experts
    - Advices of how to improve future version of research: EMPHASIS on larger group of experts and individual question relationships (multivariable statistical analysis)
    - Personal opinion: IT CAN/MUST BE IMPROVED
    - Research V2 - extensive research on this topic (from inside industry/profession)