IS audit in Insurance Companies 26.11.2011



Sometime Ago

• Societe Generale (Rogue trading scandal – Market Risk & Operational Risk)
• Sub-Prime Scandal (Mortgage scandal – Retail Credit Risk scam)
• Moonlight Maze – Computer break-ins at NASA (IT Risk)
• Northern Rock (Liquidity Risk)
• HSBC – Regulatory Risk
• WIPRO – Payments fraud
• Income Tax Refund Scam – Fraud risk

Confidential Slide

SocGen – The Rogue Trader Story

• 7 Billion USD loss solely created by rogue trader Jerome Kerviel
• Speculative positions being built: 44 Bln + 26 Bln + 3 Bln
• Low-level trader not supposed to have any positions & required to hedge
• Application system Elliot misused – fake trades to offset losses
• Misappropriated IT access codes belonging to operators to cancel operations
• Falsification of documents to justify the entry of fictitious operations
• The fictitious operations chosen were of a nature that was normally reviewed rarely
• Fictitious transactions involved instruments different from the speculative trades
• Illusion of books being balanced
• Background: worked in the back office with expert knowledge of the Elliot system
• Regular assessments did not identify risk events & failed to institute controls
• The trader took only four days' leave in 2007

Some Reasons …

• Silo-based approach to managing Risk, Compliance and Audit
• Management overview
• Integrated GRC

Governance, Risk and Compliance

[Diagram: GRC model – Governance, Risk, Compliance. Labels recovered from the slide: Corporate Vision; Enterprise Risk Management – Credit Risk Management, Market Risk Management, Operational Risk Management (IT Risk, Fraud Prevention, Security Risk); Risk orientation and culture; Enterprise security]

[Diagram: governance model. Labels recovered from the slide: Corporate Vision; Values; Value drivers; Corporate Mission and Objectives; Corporate Strategy; Corporate Plans; Governance Culture; Corporate Governance; IT Governance; Compliance with Regulations – Compliance Standards, Compliance with enterprise policies, Compliance with process, Compliance with Ethics, Compliance Culture, Compliance Tool. Drivers – PERFORMANCE: Business Goals; CONFORMANCE: Basel II, SOX Act, etc. Business integration of technical risks; Enterprise Governance; IT Governance – COBIT; Balanced Scorecard – COSO]

Best Practice Standards

[Diagram: best-practice standards mapped to processes & procedures. Labels: ISO 9001-2000; ISO 17799; ISO 20000; QA Procedures; Security Principles; ITIL]

Gaps between as-is and to-be

[Diagram: as-is versus to-be across six dimensions – Laws, Business, Policing, Environment, Knowledge, Co-operation]
– As-is: Insufficient Legislation; Business At Risk; Policing Shortfall; Hostile Environment; Insufficient Knowledge; Poor Cooperation
– To-be: Effective Legislation; Business Prosperity; Effective Policing; Controlled Environment; Expert Knowledge Available; United Front Against E-Crime

Enterprise-Wide Risks

Today's risks are highly interdependent

[Diagram: overlapping Business Risk, Operational Risk and Financial Risk (Credit Risk, Market Risk, Liquidity Risk). Annotations recovered from the slide:]
– FX risk in a new foreign market
– Credit Risk associated with investments
– Asset Liquidity Risk
– IT and business process outsourcing
– Derivatives documentation & counterparty risk
– Credit Risk associated with borrowers and counterparties
– Funding Liquidity Risk

IT Risks >> Information Security

[Diagram: IT Risks and Business Risk with Risk Management at the centre, laid out over four quadrants – Culture; Structure & Process; Resources & Capabilities; Tools & Techniques. Labels: Data Protection; BCP; Data Integrity; IT Strategy; Systems Integration; Performance & Capacity; Data Migration; Application Development; Connectivity; Security]

Input Factors for Driving Change

[Diagram: four quadrants – Culture; Structure & Processes; Resources & Capability; Tools & Techniques]

External factors for change:
• Changing markets (e.g. privatization, global reach)
• Customer requirements (e.g. 24-hour orders)
• The virtual organisation
• Emerging technology platforms
• Changes in competitors' strategies (e.g. alliance marketing, mergers & acquisitions)
• Changes in ways of working (e.g. portfolio workers, outsourcing)

Current values & behaviors inhibiting performance:
• Service orientation may be insufficient
• Cross-boundary team working may not have worked
• Virtual team working increasing, but of concern

Organization Culture Factors

[Diagram: four quadrants – Culture; Structure & Processes; Resources & Capability; Tools & Techniques – with Culture highlighted]

• Organizational mindset and support for risk management (including environment, communication, performance measures, employee motivation and rewards)
• Risk management competencies
• Standards and protocols for identifying, assessing, managing and communicating risks
• Risk appetite & tolerance
• The risk culture impacting daily operating activities and decision-making processes

Agenda

• Background
• Performing IS Audit
• Architecture of an insurance company
• Compliance Requirements
• Governance and Risk Management Requirements
• Guide to Assessment of General IT Controls
• Audit of Anti-Fraud Systems
• Culture
• Prevention
• Detection
• Continuous Monitoring
• Emerging IS Audit Roles

Performing an IS Audit

• General audit procedures
• Risk assessment and audit planning
• Individual audit planning
• Preliminary review of audit area / subject
• Obtaining and recording an understanding of audit area / subject
• Evaluating audit area / subject
• Compliance testing ("test of controls")
• Substantive testing
• Procedures for communication with management
• Reporting
• Follow-up

Overall SOA Architecture at RLIC

[Diagram: SOA architecture at RLIC; only the legend below is recoverable from the transcript]

Life Asia (LA) = Back end system; Savvion = Workflow system; Insure Connect = Auto Underwriting and channel management; RCRM = Reliance CRM; SAP = HR and accounting package; ODS = Online Data Store; TDS and ADS = Authentication servers

Financial reporting problems from a control perspective

• Challenge defining an effective and efficient scope for the annual assessments of ICFR
• Internal control assessments and testing by management and external auditors were not focused on the risk of material errors (e.g., not following a risk-based approach)
• Lack of established guidance (i.e., inconsistency and subjectivity, reliance on checklists, etc.)
• CobiT and ITGI provide more scope than SOX expects, causing companies to do too much
• Significant cost overruns
• Difficulty in finding the key IT general controls required to address risks of material errors to financial reports

Compliance Requirements

• Payment Card Industry Data Security Standard (PCI-DSS)
  – Requires review of custom code prior to release to production or customers in order to identify any potential coding vulnerability
  – Requires development of all web applications based on secure coding guidelines
  – Requires auditors to look at the development lifecycle and your code validation process
• Federal Information Security Management Act (FISMA)
  – Specifies the security considerations in the information system development life cycle
  – Applicable to systems handling federal data in government agencies, contractors, Medicare/Medicaid, education (government grants), and state government
• Sarbanes-Oxley Act (SOX)
  – Requires publicly traded companies, US or foreign, to include, among other things, security measures in applications that interface with critical financial reporting data
• Health Insurance Portability and Accountability Act (HIPAA)
  – Dictates that medical information is sensitive and private and that due care and due diligence be taken to protect the data
• Gramm-Leach-Bliley Act
  – Requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients' non-public personal information
• COBIT and ISO 17799
  – Are being implemented in many organizations, requiring security controls at the application level

IRDA Requirements

• Exhaustive IT audit requirements – for audit of systems dealing with investments and surrounding information assets
• ISO 27001 framework requirements – a part of the checklist given by ICAI
• BCP – DR
• IT architecture
• Audit trail requirements
• Systems audit mandated once in three years
• Concurrent audit monthly
• Privacy requirements – a part of various circulars
• Outsourcing circular mandating data storage within the insurance company

The building blocks

A look at some typical building blocks that are required throughout the value lifecycle

[Diagram: lifecycle phases Strategy/Design – Implementation – Mitigation. Risk Management consists of: Governance, Identification, Measurement, Monitoring, Mitigation. Building blocks shown: Self Assessment; Process Mapping; Capture of Losses; Economic Capital; Key Risk Indicators]
– Improve processes; Enhance technology; Business Continuity Planning; Board reporting; Regulatory reporting; Quality assurance; Capital allocation; Consistency across Group
– Enhance business controls; Project quality assurance; Project readiness assessment across Group; Independent review; Audit control

• Governance: Establishment of policies and the definition of the framework to implement these policies
• Identification: Stipulation and documentation of risk exposure along process and project lines
• Measurement: Qualification and quantification of risk and loss in financial value and quality
• Monitoring: Identification, tracking and control of risk events and resolution thereof
• Mitigation: Proactive management of risk exposure

COSO Control Components and Internal Control Framework

1. Control Environment – The control environment sets the tone of an organization, influencing the control consciousness of its people
2. Risk Assessment – Every entity faces a variety of risks from external and internal sources that must be assessed both at the entity and the activity level
3. Control Activities – These policies and procedures help ensure management directives are carried out
4. Information and Communication – Pertinent information must be identified, captured and communicated in a form and timeframe that supports all other control components
5. Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system's performance over time

Section 404 of the SOX Act addresses internal control over financial reporting (ICFR)

Four Ares for an IT Investment…

[Diagram: COBIT domains Plan & Organize, Acquire & Implement, Delivery & Support, Monitor & Evaluate, mapped to the four questions below]

The strategic question. Are we doing the right things?
• In line with our vision
• Consistent with business principles
• Contributing to strategic objectives
• Optimal value, at affordable cost, at acceptable level of risk

The architecture question. Are we doing them the right way?
• In line with our architecture
• Consistent with architecture principles
• Contributing to growth of architecture
• In line with other initiatives

The delivery question. Are we getting them done well? Do we have:
• Effective & disciplined management, delivery and change management process
• Competent & available technical & business resources to deliver:
  – The required capabilities
  – The organizational changes required to leverage the capabilities

The value question. Are we getting the benefits?
• A clear & shared understanding of the expected benefits
• Clear accountability for realizing the benefits
• Relevant metrics
• An effective benefits realization process

A New Perspective

• IT adoption: Business value is generated by what organizations do with IT – this provides significant opportunities to create value
• Board oversight: Harvard Business Review quotes, 'a lack of board oversight for IT activities is dangerous; it puts the firm at risk in the same way as failure to audit its books'.
• IT is an asset or a service – ROI on an asset or variable cost of a service
• Is IT the means or the end?

COBIT & VAL IT

IT Governance Frameworks

[Diagram: frameworks and their focus – ITIL: IT Service Management / Improvement; CMMI: Application Development; Organization's Proprietary / Internal Models: Process Management; Six Sigma: Process Improvement; COBIT: All IT Functions, Compliance; ISO27000: Information Security]

• Different structures, formats, terms, ways of measuring maturity/efficiency
• Causes confusion, especially when using more than one model across the enterprise
• Hard to integrate them in a combined improvement / process adherence program
• Cost of process adherence / improvement is very high across individual silos

COBIT Architecture

Implementing IT Governance with a strong auditing and controls perspective

• COBIT provides a FOUNDATION…
  – IT-related decisions & investments can be based on this foundation
• Issued and maintained by ITGI
• Serves as an IT Governance framework by providing maturity models, critical success factors, key goal indicators, and KPIs
• Consists of 34 high-level control objectives and 318 detailed control objectives classified into four areas
  – Planning and Organizing
  – Acquisition and Implementation
  – Delivery and Support
  – Monitoring
• Each IT process is supported by
  – Critical Success Factors
  – Key Goal Indicators
  – Key Performance Indicators
• Increasing relevance in the SOX era

Goal of Val IT

• Help management ensure that organizations realize optimal value from IT-enabled business investments at an affordable cost with a known and acceptable level of risk.
• Specifically, VAL IT focuses on investment decisions (are we doing the right things?) and the realization of benefits (are we getting the benefits?)

What is GAIT – Guide to Assessment of IT General Controls

• GAIT provides a set of principles and a methodology that facilitates the cost-effective scoping of IT general control assessments
• GAIT is a reasoned thinking process that continues the top-down and risk-based approach to assess risk in ITGCs
• GAIT focuses on identifying risk in IT processes that could affect critical functionality needed to prevent/detect material errors
• Control objectives are identified in GAIT, but not specific key controls

Why was GAIT formed?

• Based on the problems described earlier, the IIA noticed the need to help companies identify the key IT general controls where a failure could indirectly result in a material error in the financial statements

How does GAIT work?

• The GAIT document has two main parts:
  – Principles
  – Methodology
• Four Core Principles
  – Define the relationship between business risk, IT general controls risk, and the IT general controls that can mitigate these threats as they pertain to financial reporting objectives
• Methodology
  – Helps organizations to examine each financially significant application and determine whether failures in the IT general control processes at each layer of the IT infrastructure represent a likely threat to the consistent operation of the application's critical functionality – HOW TO APPLY THE PRINCIPLES

Advantages of Applying GAIT

• Two primary advantages
  – Improves cost effectiveness of IT General Controls auditing by including within audit scope only the elements or layers of infrastructure and IT general control processes that are relevant to financial control risks.
  – Aids in the documentation of scoping decisions.

Confidential Slide

Overall GAIT Scoping

[Diagram: top-down scoping chain – RISK of material misstatement/fraud to financial statements & disclosures → Significant accounts → Business processes → Business controls → Applications → General Controls]

Scope SOX according to RISK of material misstatement/fraud.

IT Risk Assessment and Scoping

[Diagram: Significant accounts → Business processes → Business controls → Applications → IT Process Controls (Change Management, Operations, Security) at each layer:]
» Application
» Database
» Operating System
» Network

STEP 1: validate understanding
STEP 2: perform risk assessment at each layer
STEP 3: Conclude: is it REASONABLY LIKELY that a failure in this IT process area could impact application controls & result in a material misstatement?

Risk is not eliminated; it is reduced to a REASONABLE level.

Risk of not using GAIT

By not applying a top-down and risk-based approach starting at the financial statements and significant account level, there is a risk that:

• Controls may be assessed and tested that are not critical, resulting in unnecessary cost and diversion of resources
• Controls that are key may not be tested, or may be tested late in the process, presenting a risk to the assessment or audit

GAIT's Four Principles

1. The identification of risks and related controls in IT business processes should be a continuation of the top-down and risk-based approach used to identify significant accounts, risks to those accounts, and key controls in the business processes.
2. The IT general control process risks that need to be identified are those that affect critical IT functionality in financially significant applications and related data.
3. The IT general control process risks that need to be identified exist in processes and at various IT layers: application program code, databases, operating systems, and network.
4. Risks in IT general control processes are mitigated by the achievement of IT control objectives, not individual controls.

Financially Significant – Definition

• Application: contains functionality relied upon to assure the integrity of the financial reporting process.
  – Should that functionality not function consistently and correctly, there is at least a reasonable likelihood of a material misstatement that would not be prevented or detected.
• Data: data that, if affected by an unauthorized change that bypasses normal application controls (i.e., as a result of an ITGC failure), is at least reasonably likely to result in a material misstatement that would not be prevented or detected.

The GAIT Methodology

. . . guides you by asking three questions:

1. What IT functionality in the financially significant applications is critical to the proper operation of the business process key controls that prevent/detect material misstatement?
2. For each IT process at each layer in the stack, is there a reasonable likelihood that a process failure would cause the critical functionality to fail – indirectly representing a risk of material misstatement?
3. If such IT business process risks exist, what are the relevant IT control objectives?

Sample GAIT Matrix

[Diagram: sample GAIT matrix; not recoverable from the transcript]

Proactive approach to combating frauds

Seven pre-emptive measures help internal auditors to knock out fraudulent activity

• Perform employee background checks
• Increase the use of analytical review
• Perform contract reviews
• Conduct an economic threat analysis
• Increase internal audit control evaluation and testing
• Improve information system security
• Create and maintain a fraud policy

Audit of anti-fraud culture

• Intranet
  – Access to Counter Fraud and Whistle-blowing policies
  – Key contact details
• Publicity material
  – Promote the organisation's culture
  – Raise awareness and understanding
• Fraud awareness presentations
  – Delivered across all staff
  – Relevant legislation
  – Organisation's approach
  – Potential indicators of fraudulent activity
  – What to do if you have suspicions
• Induction
  – Pack for new starters
  – Overview of approach to counter fraud

Preventing Fraud

• Policy and procedure review
  – Code of Conduct
  – Financial Procedures
  – Tendering
  – Gifts and Hospitality
  – Expenses
• Audit work
  – Policies understood
  – Applied by staff
  – Declarations complete
• Proactive fraud plan
  – Derive areas from risk assessment
  – Consideration of fraud risk when undertaking audits
  – Focus on areas of fraud risk and preventative controls:
    – Cash and banking
    – Tuition fee refunds, waivers and bursaries
    – Contract monitoring
    – Purchasing and payments
    – Students' Union, bars, catering
    – Payroll and expenses

Detecting Fraud

• Targeting specific areas
  – Not doing a systems audit
  – Influence of risk profiling
  – Focused sampling
• Unannounced spot checks
  – Contractor payments
  – Contractor invoicing
• Use of CAATs
  – Data interrogation
  – Potential duplicates and fraudulent transactions
• CAATs
  – Data analysis
    – Accounts payable
    – Payroll
  – Approach
    – System extract
    – Number of data analysis tools
    – Compared to external information sources

Detecting Fraud

• Identifies potential cases of the following:
  – Duplicate payments
  – Duplicate suppliers / employees
  – Suppliers with the same bank details as employees
  – Suppliers with PO Box addresses
  – Employees who are paid weekly and monthly
  – Employees with invalid NI numbers
  – Employees with matching addresses, NI numbers, DOBs
  – Employee / supplier has a C/O address
  – Employee / supplier has a prison address
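The CAAT tests listed on this slide are matching rules over system extracts, and the following Python script shows how they are written in practice. It is an added example, not code from the presentation or from any system it names: the employee, supplier and payment records are constructed for illustration, and the NI-number check is a simplified version of the UK format, used only to show the shape of an invalid-identifier test. It covers the duplicate-payment, shared-bank-detail, PO Box / C/O address, dual-pay-frequency, invalid-NI and matching-detail tests; the prison-address test is left out because it needs an external address list the page does not provide.

```python
"""CAAT-style data interrogation over constructed employee, supplier and
payment extracts (added example; none of the records are real)."""
import re
from collections import defaultdict

# Constructed system extracts, shaped like a normalised payroll / accounts-payable
# dump: bank = "IFSC-account", pay_freq = set of payroll cycles the person is on.
EMPLOYEES = [
    {"id": "E100", "name": "A. Rao",  "address": "12 Park St, Pune",
     "ni": "AB123456C", "dob": "1980-01-01", "bank": "HDFC0001-000111",
     "pay_freq": {"monthly"}},
    {"id": "E101", "name": "B. Shah", "address": "7 Lake Rd, Mumbai",
     "ni": "CE654321A", "dob": "1975-05-05", "bank": "ICIC0002-000222",
     "pay_freq": {"weekly", "monthly"}},
    {"id": "E102", "name": "C. Das",  "address": "12 Park St, Pune",
     "ni": "AB123456C", "dob": "1980-01-01", "bank": "SBIN0003-000333",
     "pay_freq": {"monthly"}},
    {"id": "E103", "name": "D. Iyer", "address": "3 Hill View, Nashik",
     "ni": "ZZ999999Z", "dob": "1990-09-09", "bank": "AXIS0004-000444",
     "pay_freq": {"monthly"}},
]
SUPPLIERS = [
    {"id": "S200", "name": "Acme Supplies", "address": "PO Box 55, Pune",
     "bank": "HDFC0001-000111"},
    {"id": "S201", "name": "Beta Services",
     "address": "C/O R. Mehta, 9 Main Rd, Delhi", "bank": "KKBK0005-000555"},
    {"id": "S202", "name": "Gamma Ltd", "address": "44 Industrial Est, Chennai",
     "bank": "UTIB0006-000666"},
]
PAYMENTS = [
    {"ref": "P1", "supplier": "S200", "invoice": "INV-778", "amount": 12500.00},
    {"ref": "P2", "supplier": "S200", "invoice": "INV-778", "amount": 12500.00},
    {"ref": "P3", "supplier": "S202", "invoice": "INV-901", "amount": 3300.00},
]

# Simplified UK National Insurance number format (assumption for illustration):
# two prefix letters (first not D/F/I/Q/U/V, second not D/F/I/Q/U/V/O),
# six digits, suffix letter A-D.
NI_RE = re.compile(r"(?![DFIQUV])[A-Z](?![DFIQUVO])[A-Z]\d{6}[A-D]")
ADDRESS_RE = re.compile(r"\b(P\.?\s?O\.?\s?Box|C/O)\b", re.IGNORECASE)


def duplicate_payments(payments):
    """Same supplier, invoice number and amount paid more than once."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p["supplier"], p["invoice"], p["amount"])].append(p["ref"])
    return [key + (refs,) for key, refs in groups.items() if len(refs) > 1]


def suppliers_sharing_employee_bank(suppliers, employees):
    """Supplier bank details that equal an employee's bank details."""
    by_bank = defaultdict(list)
    for e in employees:
        by_bank[e["bank"]].append(e["id"])
    return [(s["id"], emp) for s in suppliers for emp in by_bank.get(s["bank"], [])]


def suspicious_addresses(parties):
    """Employees or suppliers with a PO Box or care-of (C/O) address."""
    return [p["id"] for p in parties if ADDRESS_RE.search(p["address"])]


def weekly_and_monthly(employees):
    """Employees present on both the weekly and the monthly payroll."""
    return [e["id"] for e in employees if {"weekly", "monthly"} <= e["pay_freq"]]


def invalid_ni(employees):
    """Employees whose NI number fails the format check."""
    return [e["id"] for e in employees if not NI_RE.fullmatch(e["ni"])]


def matching_employee_details(employees, fields=("address", "ni", "dob")):
    """Groups of employees sharing an address, NI number or date of birth."""
    findings = {}
    for f in fields:
        groups = defaultdict(list)
        for e in employees:
            groups[e[f]].append(e["id"])
        findings[f] = [ids for ids in groups.values() if len(ids) > 1]
    return findings


def run_all():
    """Run every test over the extracts; return findings keyed by test name."""
    return {
        "duplicate_payments": duplicate_payments(PAYMENTS),
        "supplier_employee_bank": suppliers_sharing_employee_bank(SUPPLIERS, EMPLOYEES),
        "po_box_or_care_of": suspicious_addresses(SUPPLIERS + EMPLOYEES),
        "weekly_and_monthly": weekly_and_monthly(EMPLOYEES),
        "invalid_ni": invalid_ni(EMPLOYEES),
        "matching_details": matching_employee_details(EMPLOYEES),
    }


if __name__ == "__main__":
    for test, hits in run_all().items():
        print(f"{test}: {hits}")
```

Each function returns the identifiers it flags rather than printing them, so the output of one run can be reconciled against the previous run or fed to the next test; in an actual engagement the extracts would be loaded from the system dump and the address tests compared against an external reference list, as the "Approach" bullets on the preceding slide describe.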

CONTINUOUS MONITORING – similar to concurrent audit in the non-IS world

• Key processes and activities can be reviewed on a periodic basis and transactions can be monitored independently and continuously
• Enables prompt notification of management about transactions that constitute control exceptions
• Helps in timely identification of errors and fraudulent activities
• Implement CAATs for auditing critical activities in important functions
• Risk-based concurrent review

IS Auditor's emerging role

• Involvement in the business plan development
• Participation in systems development
• Evaluation of IT business processes
• Facilitation – training, controls, best practices
• Partnering SBU, HR, Legal, Risk management
• Inventory of corporate IT assets
• NPR
• Specialization
• Continuous monitoring & audit
• FCSA & ITIL

All this without compromising independence!

Specialist Areas – for Information Systems Audit

• Application security review
• Network security review
• Telecommunications security review
• IT governance review
• IT management review
• VAPT
• Database security review
• OS security review
• IT framework / certifications review
• BCM review

Continuous Audit Approach

• SCARF/EAM
• Snapshots
• Audit hooks
• Integrated test facilities
• Continuous and intermittent simulation
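The continuous audit techniques listed above (SCARF/EAM, snapshots, audit hooks, continuous and intermittent simulation) and the continuous monitoring of transactions for control exceptions described on the earlier slide can be shown together in one small application transaction. The Python below is an added example, not code from the presentation or from any system it names; the claim records, user names, threshold and auditor criteria are constructed for illustration.

```python
"""Embedded audit module (EAM) with a SCARF log, snapshots, an audit hook and a
continuous-and-intermittent-simulation (CIS) check, wired into a constructed
claims-payment transaction. Added example; claims, users, threshold and rules
are made up and stand in for auditor-defined criteria."""
from dataclasses import dataclass, field, asdict
from datetime import datetime
from typing import Callable, List


@dataclass
class Claim:
    claim_id: str
    assessed_amount: float   # amount assessed by the claims handler
    deductible: float        # policy excess deducted from the payout
    status: str = "ASSESSED"
    paid_amount: float = 0.0


@dataclass
class PaymentRequest:
    claim_id: str
    amount: float
    entered_by: str
    approved_by: str
    timestamp: datetime


@dataclass
class EmbeddedAuditModule:
    """Auditor-owned code embedded in the application (SCARF/EAM)."""
    threshold: float                         # amount above which every payment is logged
    notify: Callable[[str], None]            # audit hook: immediate alert channel to the auditor
    scarf: List[dict] = field(default_factory=list)      # System Control Audit Review File
    snapshots: List[dict] = field(default_factory=list)  # before/after images of the record

    def review(self, claim: Claim, req: PaymentRequest) -> List[str]:
        """Apply the auditor's criteria; return the exception codes that fire."""
        exceptions = []
        if req.amount > self.threshold:
            exceptions.append("ABOVE_THRESHOLD")
        if req.entered_by == req.approved_by:
            exceptions.append("SOD_SAME_USER")          # maker and checker are the same person
        if req.timestamp.weekday() >= 5 or not 9 <= req.timestamp.hour < 18:
            exceptions.append("OUTSIDE_BUSINESS_HOURS")
        # CIS: recompute the expected payout independently of the application's own logic
        expected = max(claim.assessed_amount - claim.deductible, 0.0)
        if abs(req.amount - expected) > 0.005:
            exceptions.append("CIS_MISMATCH")
        return exceptions


def process_payment(claim: Claim, req: PaymentRequest, eam: EmbeddedAuditModule) -> bool:
    """The application's payment transaction with the EAM attached at the audit points."""
    before = asdict(claim)                               # snapshot: image before the update
    exceptions = eam.review(claim, req)
    # Application control (maker-checker): the application itself rejects self-approval.
    accepted = "SOD_SAME_USER" not in exceptions and claim.status == "ASSESSED"
    if accepted:
        claim.paid_amount = req.amount
        claim.status = "PAID"
    eam.snapshots.append({"claim": req.claim_id, "before": before, "after": asdict(claim)})
    if exceptions:
        # SCARF: record the flagged transaction for later review without interrupting processing
        eam.scarf.append({"claim": req.claim_id, "exceptions": exceptions,
                          "outcome": "PROCESSED" if accepted else "REJECTED"})
        if "SOD_SAME_USER" in exceptions or "CIS_MISMATCH" in exceptions:
            eam.notify(f"{req.claim_id}: {exceptions}")   # audit hook: raise the red flag now
    return accepted


def run_demo():
    """Push three constructed transactions through the EAM; return what it captured."""
    alerts: List[str] = []
    eam = EmbeddedAuditModule(threshold=100000.0, notify=alerts.append)
    claims = {"C1": Claim("C1", 50000.0, 5000.0),
              "C2": Claim("C2", 250000.0, 10000.0),
              "C3": Claim("C3", 20000.0, 2000.0)}
    requests = [
        # clean transaction: within threshold, two different users, business hours
        PaymentRequest("C1", 45000.0, "u.entry", "u.approver", datetime(2011, 11, 22, 10, 30)),
        # large payment entered at night: logged to SCARF, but processed
        PaymentRequest("C2", 240000.0, "u.entry", "u.approver", datetime(2011, 11, 22, 21, 0)),
        # self-approved and over-paid against the assessment: rejected and alerted
        PaymentRequest("C3", 30000.0, "u.entry", "u.entry", datetime(2011, 11, 23, 11, 0)),
    ]
    results = [process_payment(claims[r.claim_id], r, eam) for r in requests]
    return results, eam, alerts


if __name__ == "__main__":
    results, eam, alerts = run_demo()
    print("accepted:", results)
    for entry in eam.scarf:
        print("SCARF:", entry)
    print("alerts:", alerts)
```

The module does not decide the business outcome: the application's own maker-checker control rejects self-approval, while the EAM records every flagged transaction in the SCARF list, keeps a before/after snapshot of the claim record, and fires the hook only for the criteria the auditor marks as red flags. In a real deployment the SCARF entries and snapshots would be written to auditor-controlled storage that application users cannot modify, which is what makes the monitoring independent.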

Control Self-Assessment

• Objectives associated with a CSA program:
  – Enhancement of audit responsibilities (not a replacement)
  – Education for line management in control responsibility and monitoring
  – Concentration by all on areas of high risk

Control Self-Assessment

• Self-control is the best control, and this process manages risks in the most preventive way
• Self-checks, self-audit and internal controls embedded in the management processes
• Non-routine audit/check on subordinates by the boss
• The review papers, with evidence, checked by internal auditors

FCSA and ITIL

• ITIL – IT Infrastructure Library processes
  – Service Level Management
  – Availability Management
  – Capacity Management
  – Financial Management
• IT Service Community – the organization, customers and users

Disclaimer

• This presentation is not a commercial presentation and is an attempt to share my experiences with others.
• Not all the slides are of my own creation, and the same have been shared with an educative intent.
• The presentation represents my own views, and neither ICAI nor Reliance Life Insurance or any of my prior employers are responsible for its contents.
• Please do not share this presentation in any manner without my prior approval.

Thank you

Date: 26-11-2011