The board of directors and management are responsible for
ensuring adequate management practices are in place for effective
oversight and management of the institution's IT environment. All
institutions should adopt an effective audit and review program
regardless of whether the technology services are provided
internally or externally.
3. Examination Objectives
Board Direction and Oversight: Evaluate the board's involvement
in establishing IT audit scope and reporting requirements and
ensuring the availability of competent IT audit resources.
Audit Program: Assess the quality and effectiveness of the IT
audit program.
4. Examination Procedures
Examination activities should be based on the criticality and
complexity of the business functions.
Examination should begin with a review of audit results and the
adequacy of corrective actions.
The Essential Practices for IT Audit should be clearly documented
and functioning within the internal control environment.
5. Essential Practices
1. Risk Assessment: A risk assessment provides the internal
auditor and the board with objective information to prioritize the
allocation of audit resources properly.
Industry Standard Reference: COBIT: Control Objectives for
Information and related Technology. 4.1 ed. 2000, PO9.
6. Essential Practices
2. Audit Plan:
The IT audit plan defines the IT scope, objectives and
strategies. It establishes a balance between scope, timeframes, and
staff days to ensure optimum use of resources.
3. Audit Resources:
Ensure audit resources are independent, competent, and have the
necessary experience to accomplish the IT audit objectives.
7. Essential Practices
Reporting: Reports communicate audit findings to the board.
They also assist management in evaluating the quality of its IT
department and identifying methods for correcting or improving
adverse conditions.
8. IT-Audit Methodologies
CobiT
BS 7799 - Code of Practice (CoP)
BSI - IT Baseline Protection Manual
ITSEC
Common Criteria (CC)
9. CobiT
Governance, Control & Audit for IT
Developed by ISACA
Releases
CobiT 1: 1996
32 Processes
271 Control Objectives
CobiT 2: 1998
34 Processes
302 Control Objectives
10. CobiT - Framework
11. CobiT - IT Process Matrix
Information Criteria
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
IT Resources
People
Applications
Technology
Facilities
Data
IT Processes
12. CobiT - Summary
Mainly used for IT audits, incl. security aspects
No detailed evaluation methodology described
Developed by international organisation (ISACA)
Up-to-date: Version 2 released in 1998
Only high-level control objectives described
Detailed IT control measures are not documented
Not very user friendly - learning curve!
Evaluation results not shown in graphic form
13. CobiT - Summary
May be used for self assessments
Useful aid in implementing IT control systems
No suitable basis to write security handbooks
CobiT package from ISACA: $100
3 parts freely downloadable from ISACA site
Software available from Methodware Ltd., NZ (www.methodware.co.nz)