IT Governance & IT Auditing (Why You, Why Me, Why Us?)
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Herts. EN6 1SL
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
[email protected]
www.lhscontrol.com
LHSLHS
© John Mitchell
Corporate Governance
• The leadership and organizational structures and processes that ensure that the organization sustains and extends its strategies and objectives within the constraints of the statutory and regulatory framework.
IT Governance
A structure of relationships and processes to direct and control the IT function in order to achieve the enterprise’s goals by sustaining and extending the enterprise’s strategies and objectives by the cost-effective use of information technology.
The Official Drivers
■ Turnbull & the LSE Combined Code
■ The annual report should contain a statement that the Board has examined the effectiveness of its system of internal control
■ Internal control includes:
➾ financial control
➾ operational control
➾ compliance control
➾ risk management
The Real Drivers
■ CEO wants IT to provide more to the business
■ HR wants IT to use less resource
■ Operations Director wants it done quicker
■ Finance Director wants it done cheaper
■ Compliance officer wants assurance that IT are legal
Internal Forces
[Figure: layered diagram of the IT stack]
■ Hardware
■ Base Software (Operating System & DBMS)
■ Network
■ Application Software
■ Data
■ User Processes
■ IT Processes
External Forces
[Figure: the same stack, with each layer supplied or run by an outside party]
■ Hosted by company “G”
■ Managed by company “B”
■ ISP company “A”
■ Developed by company “C”
■ Companies “D” and “E”
■ Developed by company “F”
■ Managed by company “B”
Does Your IT Department?
■ Operate to national/international standards?
■ Have a majority of professionally qualified staff who belong to professional associations?
■ Measure itself against recognised benchmarks?
■ Know the true cost of its operations?
■ Know the real cost of its developments?
■ Bring developments in on time, to budget, with correct functionality?
■ Provide value for money?
Does Your IT Department?
■ Suggest innovative solutions to help extend the enterprise?
■ Regularly assess risks and promote ways of mitigating them?
■ Respond quickly and effectively to problems?
■ Operate a sound change management process?
■ Have the respect of its customers?
■ Have a proven business continuity program?
■ Add value to the enterprise?
Some Problem Indicators
■ IT not on Board Room agenda
■ IT not directly represented at Board level
■ IT and Business strategy not concurrently prepared and aligned
■ IT managed by technology rather than by business focus
■ History of late or failed business system implementations
■ IT seen as a cost rather than as a provider of value
■ A perception that the enterprise is not making the most of technology
■ Inadequate or non-existent IT related metrics
■ Technology investments justified on cost savings rather than on revenue enhancement
IT Governance Deliverables
■ Effectiveness
■ Efficiency
■ Economy
■ Confidentiality
■ Integrity
■ Availability
■ Compliance
■ Reliability
IT Assets
■ Hardware
■ Software
– Base
– Application
■ Network(s)
■ Data
■ Facilities
■ People
IT Governance & Risk
■ Has the enterprise identified the potential IT risks to the organisation?
■ Has it assessed the likelihood and consequence of the significant risks being realised?
■ Has it assessed those risks that could:
– Damage its reputation?
– Affect its market position?
– Result in prosecution?
■ Has it established controls to manage the significant IT risks?
IT Governance Encompasses
■ Planning & Organisation
■ Acquisition and Implementation
■ Delivery and Support
■ Monitoring and Learning
IT Governance Measurement
Governance over IT and its processes, with the goal of adding value to the business while balancing risk versus return:
– ensures delivery of information to the business that addresses the required information criteria and is measured by Key Goal Indicators (KGIs)
– is enabled by creating and maintaining a system of process and control appropriate for the business
– considers Critical Success Factors (CSFs) that leverage all IT resources, which are measured by Key Performance Indicators (KPIs)
Indicators
■ Key Goal Indicators
– Where you want to be
■ Critical Success Factors
– Those things that must happen for the Key Goal to be met
■ Key Performance Indicators
– Relevant metrics to show that you are succeeding (embedded monitors) or are going off course (early warning indicators)
Embedded Monitors
■ Inform you that your mitigating actions are succeeding - you are okay
– Green light indicates that the power is on
– 20% spare disk capacity means that you will not immediately run out of disk space

Early Warning Indicators
■ Tell you that things are going wrong, but are not yet critical
– Amber light shows that the UPS has kicked in
– < 20% of spare disk capacity indicates the need to free up space
IT Governance Maturity Models
[Figure: maturity scale with markers]
0 Non-Existent | 1 Initial | 2 Repeatable | 3 Defined | 4 Managed | 5 Optimised
Markers placed on the scale: Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy
Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated
IT Balanced Scorecard
[Figure: the four scorecard perspectives]
■ Corporate Contribution
■ Operational Excellence
■ Future Orientation
■ User Orientation
CobiT
■ Control objectives for IT (CobiT)
■ Open standard from the Information Systems Audit & Control Association (ISACA)
■ Used by over 33,000 IT auditors in over 120 countries
CobiT & Governance
IT GOVERNANCE PROGRAMME
Planning & Organisation:
- Strategic Planning
- Information Architecture
- Technological Direction
- IT Organisation & Relationships
- Manage the IT Investment
- Communicate Aims & Direction
- Manage human resources
- Ensure Compliance
- Assess Risks
- Manage Projects
- Manage Quality
Acquisition & Implementation:
- Identify Solutions
- Acquire & Maintain Application Software
- Acquire & Maintain Technology Architecture
- Develop & Maintain IT Procedures
- Install & Accredit systems
- Manage Changes
Delivery & Support:
- Define Service Levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and attribute costs
- Educate and train users
- Assist & advise IT customers
- Manage the configuration
- Manage problems & incidents
- Manage data
- Manage facilities
- Manage operations
Monitoring:
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide for independent audit
Planning & Organisation
■ Define strategic IT plan
■ Define the information architecture
■ Determine the technological direction
■ Define the IT organisation and relationships
■ Manage the IT investment
■ Communicate management aims and direction
■ Manage human resources
■ Ensure compliance with external requirements
■ Assess risks
■ Manage projects
■ Manage quality

Acquisition & Implementation
■ Identify automated solutions
■ Acquire & maintain application software
■ Acquire & maintain technological infrastructure
■ Develop & maintain procedures
■ Install and accredit systems
■ Manage changes

Delivery & Support
■ Define & manage service levels
■ Manage third-party services
■ Manage performance & capacity
■ Ensure continuous service
■ Ensure systems security
■ Identify & allocate costs
■ Educate & train users
■ Assist & advise customers
■ Manage the configuration
■ Manage problems & incidents
■ Manage data
■ Manage facilities
■ Manage operations

Monitoring & Learning
■ Monitor the process
■ Assess internal control adequacy
■ Obtain independent assurance
■ Provide for independent audit
Where CobiT Fits-in
[Figure: governance hierarchy and the standards that sit beneath IT Governance]
Corporate Governance
– IT Governance
– Finance Governance
– Marketing Governance
Under IT Governance: CobiT
Standards shown alongside CobiT: ISO17799, BS15000, CMM, ITIL, ISO9126, ISO15504, ISO 12207, ISO9000, TickIT
Useful Sites & Tools
■ Sites
– www.isaca-london.org
– www.bcs-irma.org
– www.itgi.org
– www.bsi-global.com
■ Tools
– Control Objectives for IT (CobiT)
– International Standards (ISO 9126, ISO 17799, etc.)
Summary
■ IT Governance is about measurement & control of IT within the corporate framework to ensure that it supports and extends the enterprise’s capabilities
■ Good IT Governance will:
– Increase effectiveness
– Improve efficiency
– Provide better economy
Questions?
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455

IT/IS Auditing (Why You, Why Me, Why Us?)
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Herts. EN6 1SL
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
[email protected]
www.lhscontrol.com
What Qualifications?
■ Certified Information Systems Auditor (CISA)
■ Qualification in Computer Audit (QiCA)
■ Chartered Information Technology Professional (CITP)
■ Diplomas in Internal Auditing (PIIA, MIIA, CIA)
■ Certified Information System Security Practitioner (CISSP)
■ Certified Information Security Manager (CISM)
■ Chartered Software Engineer (CEng)
■ BSc/MSc in Computer Science or Computer Security
IT/IS Auditing
■ Is the process of collecting and evaluating evidence to determine whether IS management:
– adequately safeguards IS assets
– maintains data and system integrity
– provides relevant and reliable information
– achieves organizational goals effectively
– consumes resources efficiently
– has controls that provide reasonable assurance that operational and control objectives will be met
– provides assurance that undesired events will be prevented or detected and corrected in a timely manner.
Why You?
[Figure: the layered IT stack from the Internal Forces slide]
■ Hardware
■ Base Software (Operating System & DBMS)
■ Network
■ Application Software
■ Data
■ User Processes
■ IT Processes
What I Need
■ In-depth knowledge of IT & IS
■ Business knowledge
■ Risk management knowledge
■ Interviewing skills
■ Good written & oral communication
■ Excellent analytical ability
■ Investigative skills
■ Project management skills
■ Documentation skills
■ Knowledge of the law
■ Social skills
What I’m Looking For (Perfect System Behaviour)
■ The Holy Grail of IT staff, users & management
■ It requires the existence of a mechanism that consistently ensures the company is:
➾ running the correct software
➾ using the correct master files
➾ processing data correctly
➾ using the correct operating procedures
➾ using the correct clerical procedures
The Four Main Principles
■ Confidentiality
– Secret
■ Integrity
– Reliable
■ Availability
– When required
■ Compliance
– Legal
Risk Based Auditing
■ Ascertain business objective (e.g. provide real-time access to customers)
■ Identify potential causes of failure (non-availability)
■ Identify root causes (loss of power, etc.)
■ Map at the inherent level (pre-control)
■ Make key risk decision (tolerate, terminate, transfer, treat)
■ Identify mitigating actions (controls)
■ Map at the residual level (post control)
■ Provide objective assurance that the residual level is being reached and is appropriate (audit)
■ Agree remedial action plan where necessary
Inherent Risk
The likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place

Residual Risk
The likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place
Risk Sequence
EVENT (loss of power)
leads to a
CONSEQUENCE (non-availability)
resulting in an
IMPACT (loss of income) on a business objective (make money)
Risk Management
[Figure: likelihood/consequence risk map]
Vertical axis: LIKELIHOOD, A (Low) to E (High); horizontal axis: CONSEQUENCE, A (Low) to E (High)
Zones on the map: Senior Management Attention; Local Management Attention; No Action
Controls move a risk from its inherent position (IR) to its residual position (RR) by Likelihood Reduction and/or Consequence Reduction

Why Us?
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Herts. EN6 1SL
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
[email protected]
www.lhscontrol.com
Why Us? (Generic Risk Management Process)
[Figure: flow of risk information between the board, the Risk Director and local management]
MB / XC → Risk Director (Key Corporate Risks) → “How are these key risks managed?” → Key Operational Risks → Local Risk Management
Local Risk Management → “This is how” (Residual Operational Risks) → Risk Director
Internal Audit audit these processes
MB = Main Board
XC = Executive Committee
Why Us? (Co-Active Auditing)
[Figure: two assurance streams reporting to the Main Board, XC and AC]
Management Assurance: Embedded Monitoring, Personal Appearances, Formal Assertions
Internal Audit: Objective Assurance
Local Compliance Officers: KPIs, EWI’s, CSA
AC = Audit Committee
XC = Executive Committee
An Example of Co-Active Auditing
■ Moving from an inward focussed to a customer facing strategy
■ 600,000 customers world-wide
■ Need for a secure, high integrity & high availability system
Critical Success Factors
■ Confidentiality of customer data
■ Integrity of content presented to the customer
■ Availability of the system to the customer
■ Compliance with statutory obligations
Availability KGI
Availability of the service presented to the customer never drops below 100% (unless planned outage)

Availability CSF
Availability of the service to the customers when they require it (24 x 7)

Availability KPIs
■ Sufficient bandwidth
■ Server availability
■ Disk capacity
■ Etc, etc.
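The availability KGI, CSF and KPIs above, together with the earlier Embedded Monitors and Early Warning Indicators slides, can be turned into a runnable check. The Python below is an added example, not code from the slides or from LHS Business Control: the outage log and KPI readings are constructed, and the red (under 5% spare) threshold, the bandwidth rule and the server rule are assumptions, since the slides only give the 20% spare-disk rule and the 100%-unless-planned KGI.

```python
"""Availability KGI/KPI check: added example, not code from the slides or from LHS."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool  # planned outages are excluded from the KGI, as the slide says


# Constructed sample data for one week (not real measurements)
PERIOD_START = datetime(2024, 1, 1)
PERIOD_END = datetime(2024, 1, 8)
SAMPLE_OUTAGES = [
    Outage(datetime(2024, 1, 3, 2, 0), datetime(2024, 1, 3, 4, 0), planned=True),
    Outage(datetime(2024, 1, 5, 10, 0), datetime(2024, 1, 5, 10, 30), planned=False),
]


def unplanned_downtime(outages, period_start, period_end):
    """Total unplanned outage time that falls inside the reporting period."""
    total = timedelta()
    for o in outages:
        if o.planned:
            continue
        start = max(o.start, period_start)
        end = min(o.end, period_end)
        if end > start:  # clip outages that straddle the period boundary
            total += end - start
    return total


def availability_percent(outages, period_start, period_end):
    """Availability as a percentage of the period, planned outages excluded."""
    period = period_end - period_start
    down = unplanned_downtime(outages, period_start, period_end)
    return 100.0 * (1 - down / period)


def kgi_met(outages, period_start, period_end):
    """The slides' KGI: availability never drops below 100% unless planned."""
    return unplanned_downtime(outages, period_start, period_end) == timedelta()


def disk_indicator(spare_fraction):
    """Embedded monitor vs early warning indicator for spare disk capacity.

    >= 20% spare: green, embedded monitor (from the slides)
    <  20% spare: amber, early warning indicator (from the slides)
    <   5% spare: red, assumed critical threshold (not on the slides)
    """
    if spare_fraction >= 0.20:
        return "green"
    if spare_fraction >= 0.05:
        return "amber"
    return "red"


def kpi_status(readings):
    """Classify each KPI reading; every threshold except disk is an assumption."""
    status = {"disk": disk_indicator(readings["disk_spare_fraction"])}
    # Bandwidth headroom treated like spare disk, same 20% rule (assumption)
    status["bandwidth"] = disk_indicator(1 - readings["bandwidth_utilisation"])
    # Server availability: the KGI allows no unplanned downtime, so a miss is amber (assumption)
    status["servers"] = "green" if readings["server_kgi_met"] else "amber"
    return status


def sample_report():
    """Run the checks on the constructed data and return the scorecard figures."""
    avail = availability_percent(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)
    met = kgi_met(SAMPLE_OUTAGES, PERIOD_START, PERIOD_END)
    readings = {"disk_spare_fraction": 0.12, "bandwidth_utilisation": 0.55, "server_kgi_met": met}
    return {"availability_pct": avail, "kgi_met": met, "kpis": kpi_status(readings)}


if __name__ == "__main__":
    print(sample_report())
```

The 30-minute unplanned outage leaves weekly availability at about 99.70% and fails the KGI even though the two-hour planned window is ignored; the 12% spare disk reading lands in the amber band, which is exactly the early warning the slides describe.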
Non-Availability Root Causes (1)
1) Failure of connectivity as a result of loading company recommended third-party software on to customer computers
2) Failure of connectivity as a result of loading company produced software onto customer computers
3) Failure of the company’s internet connection
4) Company firewall prevents legitimate access
5) Company internal network failure
6) Key hardware failure
7) Key software failure

Non-Availability Root Causes (2)
8) Customer forgets access information
9) Inadequate capacity
10) Hacking attack:
a) Halts servers
b) Halts network
11) Virus/worm infestation disrupts the system
12) Power loss
13) Failure of the back-up/restore process
14) Ineffective third-party support for critical software
15) Complete destruction of computer facilities

Inadequate Support Root Causes
16) Support staff not available when required
17) Support staff unresponsive to requests for help
18) Support staff have inadequate knowledge to deal with the problem
E-Commerce Availability (Inherent Risk Mapping)
[Figure: risk map grid; rows are Likelihood (A = Low to E = High), columns are Consequence (A = Low to E = High); numbers are the root causes listed above, and the exact column positions are not preserved in this text]
E: 8
D: 2, 18 | 3, 4, 5, 6, 7, 9 | 10, 11, 13, 14 | 12
C: 16
B: 1
A: 17 | 15
Call-outs: 12) Power loss; 15) Loss of computing; 14) 3rd party support; 8) Forgets password
E-Commerce Availability (Residual Risk Mapping)
[Figure: risk map grid; rows are Likelihood (A = Low to E = High), columns are Consequence (A = Low to E = High); numbers are the root causes listed above, and the exact column positions are not preserved in this text]
E: 8
D: 2, 18 | 3, 4, 5, 6, 7, 9 | 10, 11, 13, 14 | 12
C: 16
B: 1
A: 17 | 15
Call-outs: 12) Power loss; 15) Loss of computing; 14) 3rd party support; 8) Forgets password
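The inherent and residual maps above, the Risk Management map and the Risk Based Auditing steps can be worked through in code. The Python below is an added example, not from the slides or from LHS Business Control: the risk numbers and wording are the deck's root causes, but the A-E grades, the zone thresholds (a likelihood-times-consequence score of 12 or more for senior management, 5 or more for local management), and the controls and their effects are constructed assumptions, so the residual view it prints is not the deck's residual map.

```python
"""Inherent vs residual risk mapping: added example, not code from the slides or from LHS."""
from dataclasses import dataclass, field

GRADES = "ABCDE"  # A = Low ... E = High, for both axes as on the slides


@dataclass
class Risk:
    rid: int
    description: str
    likelihood: str   # inherent likelihood grade, A-E
    consequence: str  # inherent consequence grade, A-E
    # controls: (name, likelihood reduction in steps, consequence reduction in steps)
    controls: list = field(default_factory=list)


def score(likelihood, consequence):
    """Product of the two grades taken as 1..5, giving 1..25."""
    return (GRADES.index(likelihood) + 1) * (GRADES.index(consequence) + 1)


def zone(likelihood, consequence):
    """Attention zone for a map cell; the thresholds are assumptions."""
    s = score(likelihood, consequence)
    if s >= 12:
        return "Senior Management Attention"
    if s >= 5:
        return "Local Management Attention"
    return "No Action"


def reduce_grade(grade, steps):
    """Move a grade down the scale, never below A."""
    return GRADES[max(0, GRADES.index(grade) - steps)]


def residual(risk):
    """Residual position after all controls (likelihood and consequence reduction)."""
    lik, con = risk.likelihood, risk.consequence
    for _name, d_lik, d_con in risk.controls:
        lik, con = reduce_grade(lik, d_lik), reduce_grade(con, d_con)
    return lik, con


def risk_map(register, residual_view=False):
    """Render the 5x5 map as text: rows = likelihood (E at top), columns = consequence."""
    cells = {(l, c): [] for l in GRADES for c in GRADES}
    for r in register:
        pos = residual(r) if residual_view else (r.likelihood, r.consequence)
        cells[pos].append(str(r.rid))
    rows = ["L\\C " + " ".join(f"{c:>12}" for c in GRADES)]
    for l in reversed(GRADES):
        rows.append(f"{l:>3} " + " ".join(f"{','.join(cells[(l, c)]) or '.':>12}" for c in GRADES))
    return "\n".join(rows)


def summary(register):
    """(id, inherent zone, residual zone) per risk, to show where controls are not enough."""
    out = []
    for r in register:
        lik, con = residual(r)
        out.append((r.rid, zone(r.likelihood, r.consequence), zone(lik, con)))
    return out


# Constructed register: ids and wording from the slides, grades and controls assumed
REGISTER = [
    Risk(8, "Customer forgets access information", "E", "A",
         [("self-service credential reset", 2, 0)]),
    Risk(12, "Power loss", "D", "E",
         [("UPS plus standby generator", 0, 3)]),
    Risk(14, "Ineffective third-party support for critical software", "D", "D",
         [("support contract with SLA and penalties", 2, 0)]),
    Risk(15, "Complete destruction of computer facilities", "A", "E",
         [("off-site disaster recovery facility", 0, 2)]),
    Risk(1, "Third-party software breaks customer connectivity", "B", "B"),
]

if __name__ == "__main__":
    print(risk_map(REGISTER))
    print(risk_map(REGISTER, residual_view=True))
    for rid, inherent_zone, residual_zone in summary(REGISTER):
        print(f"{rid:>2}: {inherent_zone} -> {residual_zone}")
```

The two controls on power loss and facility destruction are consequence reductions (the UPS shortens the outage rather than making it less likely), while the credential-reset and SLA controls are likelihood reductions; the summary is the audit view, showing which risks still sit in a zone that needs management attention after the controls are applied.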
Summary
■ IT has high risks, but can provide high returns
■ Senior management need assurance that IT is being well managed
■ The auditor provides that assurance in conjunction with IT management and the company’s risk management process
Questions?
John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455