IS Audit in Insurance: presentation transcript (wirc-icai.org)
Sometime Ago
• Societe Generale (rogue trading scandal: market risk and operational risk)
• Sub-prime scandal (mortgage scandal: retail credit risk scam)
• Moonlight Maze: computer break-ins at NASA (IT risk)
• Northern Rock (liquidity risk)
• HSBC: regulatory risk
• WIPRO: payments fraud
• Income Tax refund scam: fraud risk
Confidential Slide
SocGen: The Rogue Trader Story
• 7 billion USD loss solely created by rogue trader Jerome Kerviel
• Speculative positions being built: 44 bln + 26 bln + 3 bln
• Low-level trader not supposed to have any positions and required to hedge
• Application system Elliot misused: fake trades to offset losses
• Misappropriated IT access codes belonging to operators to cancel operations
• Falsification of documents to justify the entry of fictitious operations
• Nature of fictitious operations chosen were those normally reviewed rarely
• Fictitious transactions involved instruments different from the speculative trades
• Illusion of books being balanced
• Background: worked in back office with expert knowledge of the Elliot system
• Regular assessments did not identify risk events and failed to institute controls
• The trader took only four days leave in 2007
Some Reasons …
• Silo-based approach to managing risk, compliance and audit
• Management overview
• Integrated GRC
Governance, Risk and Compliance (diagram)
Enterprise Risk Management: corporate vision; credit risk management; market risk management; operational risk management (IT risk, fraud prevention, security risk); risk orientation and culture; enterprise security
Governance: corporate vision; values; value drivers; corporate mission and objectives; corporate strategy; corporate plans; governance culture; corporate governance; IT governance
Compliance: compliance with regulations; compliance standards; compliance with enterprise policies; compliance with process; compliance with ethics; compliance culture; compliance tool
Drivers (diagram)
PERFORMANCE: business goals
CONFORMANCE: Basel II, SOX Act, etc.
Business integration of technical risks: enterprise governance (balanced scorecard, COSO); IT governance (COBIT)
Best practice standards, processes and procedures: ISO 9001:2000; ISO 17799; ISO 20000; QA procedures; security principles; ITIL
Gaps between as-is and to-be (diagram across laws, business, policing, environment, knowledge and co-operation)
As-is: insufficient legislation; business at risk; policing shortfall; hostile environment; insufficient knowledge; poor cooperation
To-be: effective legislation; business prosperity; effective policing; controlled environment; expert knowledge available; united front against e-crime
Today's Risks are highly interdependent (diagram)
Enterprise-wide risks: business risk; operational risk; financial risk
Financial risks: credit risk (associated with investments; associated with borrowers and counterparties); market risk (FX risk in a new foreign market); liquidity risk (asset liquidity; funding liquidity)
Operational risk examples: IT and business process outsourcing; derivatives documentation and counterparty risk
IT Risks >> Information Security
IT risks and business risk (diagram): risk management; data protection; BCP; data integrity; IT strategy; systems integration; performance and capacity; data migration; application development; connectivity; security tools and techniques
Dimensions: culture; structure and process; resources and capabilities; tools and techniques
Input Factors for Driving Change (diagram across culture, structure and processes, resources and capability, tools and techniques)
External factors for change: changing markets (e.g. privatization, global reach); customer requirements (e.g. 24-hour orders); changes in competitors' strategies (e.g. alliance marketing, mergers and acquisitions); changes in ways of working (e.g. portfolio workers, outsourcing); the virtual organisation; emerging technology platforms
Current values and behaviors inhibiting performance: service orientation may be insufficient; cross-boundary team working may not have worked; virtual team working increasing, but of concern
Organization Culture Factors (diagram dimensions: culture; structure and processes; resources and capability; tools and techniques)
• Organizational mindset and support for risk management (including environment, communication, performance measures, employee motivation and rewards)
• Risk management competencies
• Standards and protocols for identifying, assessing, managing and communicating risks
• Risk appetite and tolerance
• The risk culture impacting daily operating activities and decision-making processes
Agenda
• Background
• Performing IS Audit
• Architecture of an insurance company
• Compliance Requirements
• Governance and Risk Management Requirements
• Guide to Assessment of General IT Controls
• Audit of Anti-Fraud Systems
– Culture
– Prevention
– Detection
– Continuous Monitoring
• Emerging IS Audit Roles
Performing an IS Audit
• General audit procedures
• Risk assessment and audit planning
• Individual audit planning
• Preliminary review of audit area / subject
• Obtaining and recording an understanding of audit area / subject
• Evaluating audit area / subject
• Compliance testing (“test of controls”)
• Substantive testing
• Procedures for communication with management
• Reporting
• Follow-up
Overall SOA Architecture at RLIC (diagram)
Legend: Life Asia (LA) = back-end system; Savvion = workflow system; Insure Connect = auto underwriting and channel management; RCRM = Reliance CRM; SAP = HR and accounting package; ODS = online data store; TDS and ADS = authentication servers
Financial reporting problems from a control perspective
• Challenge defining an effective and efficient scope for the annual assessments of ICFR
• Internal control assessments and testing by management and external auditors were not focused on the risk of material errors (e.g. not following a risk-based approach)
• Lack of established guidance (i.e. inconsistency and subjectivity, reliance on checklists, etc.)
• COBIT and ITGI provide more scope than SOX expects, causing companies to do too much
• Significant cost overruns
• Difficulty in finding the key IT general controls required to address risks of material errors in financial reports
Compliance Requirements
• Payment Card Industry Data Security Standard (PCI-DSS)
– Requires review of custom code prior to release to production or customer in order to identify any potential coding vulnerability
– Requires development of all web applications based on secure coding guidelines
– Requires auditors to look at the development lifecycle and your code validation process
• Federal Information Security Management Act (FISMA)
– Specifies the security considerations in the information system development life cycle
– Applicable to systems handling federal data in government agencies, contractors, Medicare/Medicaid, education (government grants), and state government
• Sarbanes-Oxley Act (SOX)
– Requires publicly traded companies, US or foreign, to include, among other things, security measures in applications that interface with critical financial reporting data
• Health Insurance Portability and Accountability Act (HIPAA)
– Dictates that medical information is sensitive and private and that due care and due diligence be taken to protect the data
• Gramm-Leach-Bliley Act
– Requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ non-public personal information
• COBIT and ISO 17799
– Are being implemented in many organizations, requiring security controls at application level
IRDA Requirements
• Exhaustive IT audit requirements for audit of systems dealing with investments and surrounding information assets
• ISO 27001 framework requirements: a part of the checklist given by ICAI
• BCP / DR
• IT architecture
• Audit trail requirements
• Systems audit mandated once in three years
• Concurrent audit monthly
• Privacy requirements: a part of various circulars
• Outsourcing circular mandating data storage within the insurance company
The building blocks
A look at some typical building blocks that are required throughout the value lifecycle (diagram across strategy/design, implementation and mitigation)
Risk Management consists of: governance, identification, measurement, monitoring and mitigation
• Governance: establishment of policies and the definition of the framework to implement these policies
• Identification: stipulation and documentation of risk exposure along process and project lines
• Measurement: qualification and quantification of risk and loss in financial value and quality
• Monitoring: identification, tracking and control of risk events and resolution thereof
• Mitigation: proactive management of risk exposure
Building blocks (diagram): self assessment; process mapping; capture of losses; economic capital; key risk indicators
Supporting activities: improve processes; enhance technology; business continuity planning; board reporting; regulatory reporting; quality assurance; capital allocation; consistency across Group; enhance business controls; project quality assurance; project readiness assessment; independent review; audit control
COSO Control Components and Internal Control Framework
1. Control Environment: the control environment sets the tone of an organization, influencing the control consciousness of its people
2. Risk Assessment: every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
3. Control Activities: these policies and procedures help ensure management directives are carried out
4. Information and Communication: pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
5. Monitoring: internal control systems need to be monitored, a process that assesses the quality of the system’s performance over time
Section 404 of the SOX Act addresses internal control over financial reporting (ICFR)
Four Ares for an IT Investment (diagram over the COBIT domains Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate)
Are we doing the right things? The strategic question:
• In line with our vision
• Consistent with business principles
• Contributing to strategic objectives
• Optimal value, at affordable cost, at acceptable level of risk
Are we doing them the right way? The architecture question:
• In line with our architecture
• Consistent with architecture principles
• Contributing to growth of architecture
• In line with other initiatives
Are we getting them done well? The delivery question. Do we have:
• Effective and disciplined management, delivery and change management process
• Competent and available technical and business resources to deliver the required capabilities and the organizational changes required to leverage the capabilities
Are we getting the benefits? The value question:
• A clear and shared understanding of the expected benefits
• Clear accountability for realizing the benefits
• Relevant metrics
• An effective benefits realization process
A New Perspective
• IT adoption: business value is generated by what organizations do with IT, which provides significant opportunities to create value
• Board oversight: Harvard Business Review quotes, ‘a lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way as failure to audit its books’
• IT is an asset or a service: ROI on an asset or variable cost of a service
• Is IT the means or the end?
COBIT & VAL IT
IT Governance Frameworks (diagram)
• ITIL: IT service management / improvement
• CMMI: application development
• Organization’s proprietary internal models: process management
• Six Sigma: process improvement
• COBIT: all IT functions, compliance
• ISO 27000: information security
• Different structures, formats, terms, ways of measuring maturity/efficiency
• Causes confusion, especially when using more than one model across the enterprise
• Hard to integrate them in a combined improvement / process adherence program
• Cost of process adherence / improvement is very high across individual silos
COBIT Architecture: implementing IT governance with a strong auditing and controls perspective
• COBIT provides a FOUNDATION
– IT related decisions and investments can be based on this foundation
• Issued and maintained by ITGI
• Serves as an IT governance framework by providing maturity models, critical success factors, key goal indicators and KPIs
• Consists of 34 high-level control objectives and 318 detailed control objectives classified into four areas
– Planning and organizing
– Acquisition and implementation
– Delivery and support
– Monitoring
• Each IT process is supported by
– Critical success factors
– Key goal indicators
– Key performance indicators
• Increasing relevance in the SOX era
Goal of Val IT
• Help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost with a known and acceptable level of risk
• Specifically, Val IT focuses on investment decisions (are we doing the right things?) and the realization of benefits (are we getting the benefits?)
What is GAIT (Guide to Assessment of IT General Controls)?
• GAIT provides a set of principles and a methodology that facilitates the cost-effective scoping of IT general control assessments
• GAIT is a reasoned thinking process that continues the top-down and risk-based approach to assess risk in ITGCs
• GAIT focuses on identifying risk in IT processes that could affect critical functionality needed to prevent/detect material errors
• Control objectives are identified in GAIT, but not specific key controls
Why was GAIT formed?
• Based on the problems described earlier, the IIA noticed the need to help companies identify key IT general controls where a failure indirectly results in a material error in the financial statements
How does GAIT work?
• The GAIT document has two main parts:
– Principles
– Methodology
• Four core principles
– Define the relationship between business risk, IT general controls risk, and the IT general controls that can mitigate these threats as they pertain to financial reporting objectives
• Methodology
– Helps organizations to examine each financially significant application and determine whether failures in the IT general control processes at each layer of the IT infrastructure represent a likely threat to the consistent operation of the application's critical functionality: HOW TO APPLY THE PRINCIPLES
Advantages of Applying GAIT
• Two primary advantages
– Improves cost effectiveness of IT general controls auditing by including within audit scope only the elements or layers of infrastructure and IT general control processes that are relevant to financial control risks
– Aids in the documentation of scoping decisions
Overall GAIT Scoping (diagram)
Scope SOX according to RISK of material misstatement/fraud to financial statements and disclosures, top-down: significant accounts; business processes; business controls; applications; general controls
IT Risk Assessment and Scoping
STEP 1: validate understanding of significant accounts, business processes, business controls and applications
STEP 2: perform risk assessment at each layer of the IT process controls (change management, operations, security) across application, database, operating system and network
STEP 3: conclude: is it REASONABLY LIKELY that a failure in this IT process area could impact application controls and result in a material misstatement?
Risk is not eliminated; it is reduced to a REASONABLE level.
Risk of not using GAIT
By not applying a top-down and risk-based approach starting at the financial statements and significant account level, there is a risk that:
• Controls may be assessed and tested that are not critical, resulting in unnecessary cost and diversion of resources
• Controls that are key may not be tested, or may be tested late in the process, presenting a risk to the assessment or audit
GAIT’s Four Principles
1. The identification of risks and related controls in IT business processes should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network.
4. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.
Financially Significant: Definition
• Application: contains functionality relied upon to assure the integrity of the financial reporting process
– Should that functionality not function consistently and correctly, there is at least a reasonable likelihood of a material misstatement that would not be prevented or detected
• Data: data that, if affected by an unauthorized change that bypasses normal application controls (i.e. as a result of an ITGC failure), is at least reasonably likely to result in a material misstatement that would not be prevented or detected
The GAIT Methodology
... guides you by asking three questions:
1. What IT functionality in the financially significant applications is critical to the proper operation of the business process key controls that prevent/detect material misstatement?
2. For each IT process at each layer in the stack, is there a reasonable likelihood that a process failure would cause the critical functionality to fail, indirectly representing a risk of material misstatement?
3. If such IT business process risks exist, what are the relevant IT control objectives?
Proactive approach to combating frauds
Seven pre-emptive measures help internal auditors to knock out fraudulent activity
• Perform employee background checks
• Increase the use of analytical review
• Perform contract reviews
• Conduct an economic threat analysis
• Increase internal audit control evaluation and testing
• Improve information system security
• Create and maintain a fraud policy
Audit of anti-fraud culture
• Intranet
– Access to counter fraud and whistle-blowing policies
– Key contact details
• Publicity material
– Promote the organisation’s culture
– Raise awareness and understanding
• Fraud awareness presentations
– Delivered across all staff
– Relevant legislation
– Organisation’s approach
– Potential indicators of fraudulent activity
– What to do if you have suspicions
• Induction
– Pack for new starters
– Overview of approach to counter fraud
Preventing Fraud
• Policy and procedure review
– Code of conduct
– Financial procedures
– Tendering
– Gifts and hospitality
– Expenses
• Audit work
– Policies understood
– Applied by staff
– Declarations complete
• Pro-active fraud plan
– Derive areas from risk assessment
– Consideration of fraud risk when undertaking audits
– Focus on areas of fraud risk and preventative controls: cash and banking; tuition fee refunds, waivers and bursaries; contract monitoring; purchasing and payments; Students’ Union, bars, catering; payroll and expenses
Detecting Fraud
• Targeting specific areas
– Not doing a systems audit
– Influence of risk profiling
– Focused sampling
– Unannounced spot checks
– Contractor payments
– Contractor invoicing
• Use of CAATs
– Data interrogation
– Potential duplicates and fraudulent transactions
• CAATs: data analysis
– Accounts payable
– Payroll
• Approach
– System extract
– Number of data analysis tools
– Compared to external information sources
Detecting Fraud
• Identifies potential cases of the following
– Duplicate payments
– Duplicate suppliers / employees
– Suppliers with the same bank details as employees
– Suppliers with PO Box addresses
– Employees who are paid weekly and monthly
– Employees with invalid NI numbers
– Employees with matching addresses, NI numbers, DOBs
– Employee / supplier has a C/O address
– Employee / supplier has a prison address
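The data-interrogation matches listed on the two Detecting Fraud slides above, implemented as an added example in Python over constructed supplier, payroll and accounts-payable extracts. This is not code from the presentation or from any CAAT product; the record layouts, the text normalisation, the UK NI-number format check and the PO Box / care-of patterns are assumptions chosen for illustration, and every record below is constructed so that the seeded matches can be checked.

```python
import re
from collections import defaultdict

# Constructed sample extracts (not real data); the matches below were seeded on purpose.
SUPPLIERS = [
    {"id": "S001", "name": "Acme Stationers Ltd", "bank": "12-34-56 11111111",
     "address": "4 High St, Leeds"},
    {"id": "S002", "name": "ACME Stationers Limited", "bank": "12-34-56 11111111",
     "address": "4 High Street, Leeds"},
    {"id": "S003", "name": "J Smith Consulting", "bank": "20-00-00 22222222",
     "address": "PO Box 77, Bristol"},
    {"id": "S004", "name": "Northwind Cleaning", "bank": "30-00-00 33333333",
     "address": "c/o R Jones, 9 Mill Lane, York"},
]
EMPLOYEES = [
    {"id": "E100", "name": "John Smith", "ni": "AB123456C", "bank": "20-00-00 22222222",
     "dob": "1980-05-01", "address": "12 Oak Rd, Bath", "pay_freq": {"weekly", "monthly"}},
    {"id": "E101", "name": "Jane Doe", "ni": "ZZ999999Z", "bank": "40-00-00 44444444",
     "dob": "1975-02-14", "address": "5 Elm Ave, Bath", "pay_freq": {"monthly"}},
    {"id": "E102", "name": "Jane Doe", "ni": "ZZ999999Z", "bank": "40-00-00 55555555",
     "dob": "1975-02-14", "address": "5 Elm Ave, Bath", "pay_freq": {"monthly"}},
]
PAYMENTS = [
    {"ref": "P1", "supplier": "S001", "invoice": "INV-1001", "amount": 1250.00},
    {"ref": "P2", "supplier": "S002", "invoice": "inv 1001", "amount": 1250.00},  # same invoice, re-keyed
    {"ref": "P3", "supplier": "S003", "invoice": "INV-2001", "amount": 980.00},
    {"ref": "P4", "supplier": "S003", "invoice": "INV-2001", "amount": 980.00},   # paid twice
]

# UK National Insurance number format as published by HMRC: two prefix letters (some letters
# and prefixes disallowed), six digits, suffix A-D. This is a format check only, not a lookup.
NI_RE = re.compile(r"^(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]$")
PO_BOX_RE = re.compile(r"\bP\.?\s*O\.?\s*BOX\b", re.IGNORECASE)
CARE_OF_RE = re.compile(r"\bC/O\b|\bCARE OF\b", re.IGNORECASE)


def norm(text):
    """Normalise free text for matching: upper-case, keep only letters and digits
    (so 'INV-1001' and 'inv 1001', or two spellings of a sort code, compare equal)."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())


def groups(records, key):
    """Group record ids by a derived key; return only the groups with more than one member."""
    by_key = defaultdict(list)
    for rec in records:
        by_key[key(rec)].append(rec["id"])
    return [sorted(ids) for ids in by_key.values() if len(ids) > 1]


def run_checks(suppliers, employees, payments):
    """Run the slide's CAAT matches over the extracts and return findings per check."""
    findings = {}
    # Duplicate payments: same normalised invoice number and amount, whatever the supplier key.
    findings["duplicate_payments"] = groups(
        [{"id": p["ref"], **p} for p in payments],
        lambda p: (norm(p["invoice"]), p["amount"]))
    # Duplicate suppliers: different supplier keys paying into the same bank account.
    findings["duplicate_suppliers"] = groups(suppliers, lambda s: norm(s["bank"]))
    # Duplicate employees: matching NI number, address and date of birth.
    findings["duplicate_employees"] = groups(
        employees, lambda e: (norm(e["ni"]), norm(e["address"]), e["dob"]))
    # Suppliers whose bank details match an employee's payroll bank details.
    emp_banks = {norm(e["bank"]): e["id"] for e in employees}
    findings["supplier_bank_matches_employee"] = sorted(
        (s["id"], emp_banks[norm(s["bank"])]) for s in suppliers if norm(s["bank"]) in emp_banks)
    findings["po_box_suppliers"] = sorted(
        s["id"] for s in suppliers if PO_BOX_RE.search(s["address"]))
    findings["weekly_and_monthly_employees"] = sorted(
        e["id"] for e in employees if {"weekly", "monthly"} <= e["pay_freq"])
    findings["invalid_ni"] = sorted(e["id"] for e in employees if not NI_RE.match(e["ni"]))
    # Care-of addresses are checked across both populations, as the slide says.
    findings["care_of_addresses"] = sorted(
        r["id"] for r in suppliers + employees if CARE_OF_RE.search(r["address"]))
    return findings


if __name__ == "__main__":
    for check, hits in run_checks(SUPPLIERS, EMPLOYEES, PAYMENTS).items():
        print(f"{check}: {hits}")
```

Each finding is a lead for follow-up, not a conclusion: two suppliers sharing a bank account may be a legitimate re-keyed vendor, and a format-invalid NI number may be a data-entry error. The value of running all of the checks together is that an employee who also appears as a supplier, is paid on two cycles and has a care-of address scores on several of them at once.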
CONTINUOUS MONITORING: similar to concurrent audit in the non-IS world
• Key processes and activities can be reviewed on a periodic basis and transactions can be monitored independently and continuously
• Enables prompt notification to management of transactions that cause control exceptions
• Helps in timely identification of errors and fraudulent activities
• Implement CAATs for auditing critical activities in important functions
• Risk-based concurrent review
IS Auditor’s emerging role
• Involvement in the business plan development
• Participation in systems development
• Evaluation of IT business processes
• Facilitation: training, controls, best practices
• Partnering SBU, HR, Legal, Risk management
• Inventory of corporate IT assets
• NPR
• Specialization
• Continuous monitoring and audit
• FCSA and ITIL
All this without compromising independence!
Specialist Areas for Information Systems Audit
• Application security review
• Network security review
• Telecommunications security review
• IT governance review
• IT management review
• VAPT
• Database security review
• OS security review
• IT framework / certifications review
• BCM review
Continuous Audit Approach
• SCARF/EAM
• Snapshots
• Audit hooks
• Integrated test facilities
• Continuous and intermittent simulation
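An added example, not from the presentation, that puts the Continuous Monitoring slide and the first three items of the Continuous Audit Approach list together in Python: an embedded audit module (EAM) whose rules run inside the application's posting path, an audit hook the application calls for every transaction, exception records written to a systems control audit review file (SCARF), and before/after snapshots of the affected account for each flagged item. The transaction stream, the user roles and the three exception rules (high-value threshold, self-approval, cancellation entered by a non-operator role) are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed user directory and transaction stream (not real data). Roles are illustrative.
USERS = {"u_trader": "trader", "u_ops1": "operator", "u_ops2": "operator", "u_mgr": "manager"}
TXNS = [
    {"id": "T1", "type": "book", "account": "A1", "amount": 5000.0,
     "entered_by": "u_trader", "approved_by": "u_mgr"},
    {"id": "T2", "type": "book", "account": "A1", "amount": 25000.0,
     "entered_by": "u_trader", "approved_by": "u_mgr"},
    {"id": "T3", "type": "book", "account": "A2", "amount": 700.0,
     "entered_by": "u_ops1", "approved_by": "u_ops1"},          # same person entered and approved
    {"id": "T4", "type": "cancel", "account": "A1", "amount": -25000.0,
     "entered_by": "u_trader", "approved_by": "u_ops2", "cancels": "T2"},  # trader cancelling
]


@dataclass
class EmbeddedAuditModule:
    """EAM: audit rules evaluated in-line with processing. Exceptions go to the SCARF
    list; flagged transactions also get a before/after snapshot of the account."""
    high_value: float = 10000.0                       # assumed reporting threshold
    scarf: list = field(default_factory=list)         # systems control audit review file
    snapshots: list = field(default_factory=list)     # before/after images for flagged items

    def rules(self, txn):
        """Return the names of every control exception the transaction raises."""
        reasons = []
        if abs(txn["amount"]) >= self.high_value:
            reasons.append("high_value")
        if txn["entered_by"] == txn["approved_by"]:
            reasons.append("self_approved")                # segregation-of-duties breach
        if txn["type"] == "cancel" and USERS.get(txn["entered_by"]) != "operator":
            reasons.append("cancel_by_non_operator")       # cancellation outside the operator role
        return reasons

    def hook(self, txn, before, after):
        """Audit hook: the application calls this once per posted transaction."""
        reasons = self.rules(txn)
        if reasons:
            self.scarf.append({"txn": txn["id"], "user": txn["entered_by"], "reasons": reasons})
            self.snapshots.append({"txn": txn["id"], "account": txn["account"],
                                   "before": before, "after": after})
        return reasons


def process(txns, eam):
    """The application's own posting loop, with the audit hook wired in after each posting."""
    balances = defaultdict(float)
    for txn in txns:
        before = balances[txn["account"]]
        balances[txn["account"]] += txn["amount"]          # normal business processing
        eam.hook(txn, before, balances[txn["account"]])    # audit module runs in-line
    return dict(balances)


if __name__ == "__main__":
    module = EmbeddedAuditModule()
    print("balances:", process(TXNS, module))
    for record in module.scarf:
        print("exception:", record)
```

The point of the in-line hook is timing: the exception record exists the moment the transaction is posted, which is what lets management be notified promptly rather than at the next periodic review. The snapshot pairs the exception with the state it changed, so the reviewer sees what the cancellation undid without re-querying the system later.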
Control Self-Assessment
• Objectives associated with a CSA program:
– Enhancement of audit responsibilities (not a replacement)
– Education for line management in control responsibility and monitoring
– Concentration by all on areas of high risk
Control Self-Assessment
• Self-control is the best control and this process manages risks in the most preventive way
• Self-checks, self-audit and internal controls embedded in the management processes
• Non-routine audit/check on subordinates by the boss
• The review papers with evidence checked by internal auditors
FCSA and ITIL
• ITIL (IT Infrastructure Library) processes
– Service level management
– Availability management
– Capacity management
– Financial management
• IT service community: the organization, customers and users
Disclaimer
• This presentation is not a commercial presentation and is an attempt to share my experiences with others.
• Not all the slides are of my own creation and the same have been shared with an educative intent.
• The presentation reflects my own views and neither ICAI nor Reliance Life Insurance nor any of my prior employers are responsible for its contents.
• Please do not share this presentation in any manner without my prior approval.