IT Governance & IT Auditing (Why You, Why Me, Why Us?)

John Mitchell
LHS Business Control
47 Grangewood, Potters Bar, Herts. EN6 1SL, England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
[email protected]
www.lhscontrol.com

Posted on 06-Sep-2018


LHS © John Mitchell


Corporate Governance

• The leadership and organizational structures and processes that ensure that the organization sustains and extends its strategies and objectives within the constraints of the statutory & regulatory framework.


IT Governance

A structure of relationships and processes to direct and control the IT function in order to achieve the enterprise’s goals by sustaining and extending the enterprise’s strategies and objectives by the cost effective use of information technology.


The Official Drivers

■ Turnbull & the LSE Combined Code
■ The annual report should contain a statement that the Board has examined the effectiveness of its system of internal control
■ Internal control includes:
➾ financial control
➾ operational control
➾ compliance control
➾ risk management


The Real Drivers

■ CEO wants IT to provide more to the business
■ HR wants IT to use less resource
■ Operations Director wants it done quicker
■ Finance Director wants it done cheaper
■ Compliance officer wants assurance that IT are legal


Internal Forces

Diagram: the layers of the IT environment, from the bottom up:
Hardware
Base Software (Operating System & DBMS)
Network
Application Software
Data
User Processes
IT Processes


External Forces

Diagram: parts of the IT environment supplied by outside parties:
Hosted by company “G”
Managed by company “B”
ISP company “A”
Developed by company “C”
Companies “D” and “E”
Developed by company “F”
Managed by company “B”


Does Your IT Department?

■ Operate to national/international standards?
■ Have a majority of professionally qualified staff who belong to professional associations?
■ Measure itself against recognised benchmarks?
■ Know the true cost of its operations?
■ Know the real cost of its developments?
■ Bring developments in on time, to budget with correct functionality?
■ Provide value for money?


Does Your IT Department?

■ Suggest innovative solutions to help extend the enterprise?
■ Regularly assess risks and promote ways of mitigating them?
■ Respond quickly and effectively to problems?
■ Operate a sound change management process?
■ Have the respect of its customers?
■ Have a proven business continuity program?
■ Add value to the enterprise?


Some Problem Indicators

■ IT not on Board Room agenda

■ IT not directly represented at Board level

■ IT and Business strategy not concurrently prepared and aligned

■ IT managed by technology rather than by business focus

■ History of late or failed business system implementations

■ IT seen as a cost rather than as a provider of value

■ A perception that the enterprise is not making the most of technology

■ Inadequate or non-existent IT related metrics

■ Technology investments justified on cost savings rather than on revenue enhancement


IT Governance Deliverables

■ Effectiveness
■ Efficiency
■ Economy
■ Confidentiality
■ Integrity
■ Availability
■ Compliance
■ Reliability


IT Assets

■ Hardware
■ Software
– Base
– Application
■ Network(s)
■ Data
■ Facilities
■ People


IT Governance & Risk

■ Has the enterprise identified the potential IT risks to the organisation?
■ Has it assessed the likelihood and consequence of the significant risks being realised?
■ Has it assessed those risks that could:
– Damage its reputation?
– Affect its market position?
– Result in prosecution?
■ Has it established controls to manage the significant IT risks?


IT Governance Encompasses

■ Planning & Organisation

■ Acquisition and Implementation

■ Delivery and Support

■ Monitoring and Learning


IT Governance Measurement

Governance over IT and its processes, with the goal of adding value to the business while balancing risk versus return:

ensures delivery of information to the business that addresses the required information criteria and is measured by Key Goal Indicators (KGIs)

is enabled by creating and maintaining a system of process and control appropriate for the business

considers Critical Success Factors (CSFs) that leverage all IT resources, which are measured by Key Performance Indicators (KPIs)


Indicators

■ Key Goal Indicators
– Where you want to be
■ Critical Success Factors
– Those things that must happen for the Key Goal to be met
■ Key Performance Indicators
– Relevant metrics to show that you are succeeding (embedded monitors) or are going off course (early warning indicators)


Embedded Monitors

■ Inform you that your mitigating actions are succeeding - you are okay
– Green light indicates that the power is on
– 20% spare disk capacity means that you will not immediately run out of disk space


Early Warning Indicators

■ Tells you that things are going wrong, but are not yet critical
– Amber light shows that the UPS has kicked in
– < 20% of spare disk capacity indicates the need to free up space


IT Governance Maturity Models

Scale: 0 Non-Existent | 1 Initial | 2 Repeatable | 3 Defined | 4 Managed | 5 Optimised

Legend for symbols used (positions marked on the scale):
– Enterprise current status
– International standard guidelines
– Industry best practice
– Enterprise strategy

Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated


IT Balanced Scorecard

The four scorecard perspectives:
Corporate Contribution
Operational Excellence
Future Orientation
User Orientation


Standards That Support IT Governance

■ ISO 9000

■ ISO 17799

■ ISO 9126


CobiT

■ Control objectives for IT (CobiT)
■ Open standard from the Information Systems Audit & Control Association (ISACA)
■ Used by over 33,000 IT auditors in over 120 countries


CobiT & Governance

IT GOVERNANCE PROGRAMME

Planning & Organisation:
- Strategic Planning
- Information Architecture
- Technological Direction
- IT Organisation & Relationships
- Manage the IT Investment
- Communicate Aims & Direction
- Manage human resources
- Ensure Compliance
- Assess Risks
- Manage Projects
- Manage Quality

Acquisition & Impl.:
- Identify Solutions
- Acquire & Maintain Application Software
- Acquire & Maintain Technology Architecture
- Develop & Maintain IT Procedures
- Install & Accredit systems
- Manage Changes

Delivery & Support:
- Define Service Levels
- Manage third-party services
- Manage performance and capacity
- Ensure continuous service
- Ensure systems security
- Identify and attribute costs
- Educate and train users
- Assist & advise IT customers
- Manage the configuration
- Manage problems & incidents
- Manage data
- Manage facilities
- Manage operations

Monitoring:
- Monitor the processes
- Assess internal control adequacy
- Obtain independent assurance
- Provide for independent audit


Planning & Organisation

■ Define strategic IT plan
■ Define the information architecture
■ Determine the technological direction
■ Define the IT organisation and relationships
■ Manage the IT investment
■ Communicate management aims and direction
■ Manage human resources
■ Ensure compliance with external requirements
■ Assess risks
■ Manage projects
■ Manage quality


Acquisition & Implementation

■ Identify automated solutions
■ Acquire & maintain application software
■ Acquire & maintain technological infrastructure
■ Develop & maintain procedures
■ Install and accredit systems
■ Manage changes


Delivery & Support

■ Define & manage service levels
■ Manage third-party services
■ Manage performance & capacity
■ Ensure continuous service
■ Ensure systems security
■ Identify & allocate costs
■ Educate & train users
■ Assist & advise customers
■ Manage the configuration
■ Manage problems & incidents
■ Manage data
■ Manage facilities
■ Manage operations


Monitoring & Learning

■ Monitor the process

■ Assess internal control adequacy

■ Obtain independent assurance

■ Provide for independent audit



Where CobiT Fits In

Diagram:
Corporate Governance
– IT Governance (CobiT)
– Finance Governance
– Marketing Governance

Standards and frameworks shown beneath CobiT: ISO17799, BS15000, CMM, ITIL, ISO9126, ISO15504, ISO 12207, ISO9000, TickIT


Useful Sites & Tools

■ Sites
– www.isaca-london.org
– www.bcs-irma.org
– www.itgi.org
– www.bsi-global.com
■ Tools
– Control Objectives for IT (CobiT)
– International Standards (ISO 9126, ISO 17799, etc.)


Summary

■ IT Governance is about measurement & control of IT within the corporate framework to ensure that it supports and extends the enterprise’s capabilities
■ Good IT Governance will:
– Increase effectiveness
– Improve efficiency
– Provide better economy


Questions?

John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
[email protected]

IT/IS Auditing (Why You, Why Me, Why Us?)

John Mitchell, LHS Business Control, www.lhscontrol.com


What Qualifications?

■ Certified Information Systems Auditor (CISA)

■ Qualification in Computer Audit (QiCA)

■ Chartered Information Technology Professional (CITP)

■ Diplomas in Internal Auditing (PIIA, MIIA, CIA)

■ Certified Information System Security Practitioner (CISSP)

■ Certified Information Security Manager (CISM)

■ Chartered Software Engineer (CEng)

■ BSc/MSc in Computer Science or Computer Security


IT/IS Auditing

■ Is the process of collecting and evaluating evidence to determine whether IS management:
– adequately safeguards IS assets
– maintains data and system integrity
– provides relevant and reliable information
– achieves organizational goals effectively
– consumes resources efficiently
– has controls that provide reasonable assurance that operational and control objectives will be met
– provides assurance that undesired events will be prevented or detected and corrected in a timely manner.


Why You?

Diagram: the layers of the IT environment that the auditor has to cover, from the bottom up:
Hardware
Base Software (Operating System & DBMS)
Network
Application Software
Data
User Processes
IT Processes


Why Me?


What I Need

■ In-depth knowledge of IT & IS
■ Business knowledge
■ Risk management knowledge
■ Interviewing skills
■ Good written & oral communication
■ Excellent analytical ability
■ Investigative skills
■ Project management skills
■ Documentation skills
■ Knowledge of the law
■ Social skills


A Typical Audit Report?


What I’m Looking For (Perfect System Behaviour)

■ The Holy Grail of IT staff, users & management
■ It requires the existence of a mechanism that consistently ensures the company is:
➾ running the correct software
➾ using the correct master files
➾ processing data correctly
➾ using the correct operating procedures
➾ using the correct clerical procedures


The Four Main Principles

■ Confidentiality – Secret
■ Integrity – Reliable
■ Availability – When required
■ Compliance – Legal


Risk Based Auditing

■ Ascertain business objective (e.g. provide real-time access to customers)
■ Identify potential causes of failure (non-availability)
■ Identify root causes (loss of power, etc.)
■ Map at the inherent level (pre-control)
■ Make key risk decision (tolerate, terminate, transfer, treat)
■ Identify mitigating actions (controls)
■ Map at the residual level (post control)
■ Provide objective assurance that the residual level is being reached and is appropriate (audit)
■ Agree remedial action plan where necessary


Inherent Risk

The likelihood and consequence of risk crystallisation before mitigating actions (controls) have been put in place


Residual Risk

The likelihood and consequence of risk crystallisation after mitigating actions (controls) have been put in place


Risk Sequence

EVENT (loss of power) leads to a
CONSEQUENCE (non-availability) resulting in an
IMPACT (loss of income) on a business objective (make money)


Risk Management

Diagram: a 5 x 5 matrix of LIKELIHOOD (rows A = Low to E = High) against CONSEQUENCE (columns A = Low to E = High).

Zones marked on the matrix:
– Senior Management Attention
– Local Management Attention
– No Action

Controls move a risk from its inherent position (IR) to its residual position (RR) by Likelihood Reduction and/or Consequence Reduction.


Real Risk Management

Why Us?

John Mitchell, LHS Business Control, www.lhscontrol.com


Why Us? (Generic Risk Management Process)

Diagram (MB = Main Board, XC = Executive Committee):
– MB / XC
– Risk Director (Key Corporate Risks) asks: how are these key risks managed?
– Local Risk Management (Key Operational Risks) answers: this is how (Residual Operational Risks)
– Internal Audit audit these processes


Why Us? (Co-Active Auditing)

Diagram (AC = Audit Committee, XC = Executive Committee):
– Main Board / XC / AC
– Management assurance: formal assertions, personal appearances, embedded monitoring (KPIs, EWI’s, CSA) through Local Compliance Officers
– Internal Audit: objective assurance


An Example of Co-ActiveAuditing

■ Moving from an inward focussed to a customer facing strategy
■ 600,000 customers world-wide
■ Need for a secure, high integrity & high availability system


Critical Success Factors

■ Confidentiality of customer data
■ Integrity of content presented to the customer
■ Availability of the system to the customer
■ Compliance with statutory obligations


Availability KGI

Availability of the service presented to the customer never drops below 100% (unless planned outage)


Availability CSF

Availability of the service to the customers when they require it (24 x 7)


Availability KPIs

■ Sufficient bandwidth

■ Server availability

■ Disk capacity

■ Etc, etc.
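The KGI, CSF and KPI layers of the availability example, expressed as a small Python program. This is an added illustration, not code from the slides: the KGI is measured from an outage record with planned outages excluded, and each KPI is an embedded monitor that becomes an early warning indicator when it breaches the slides' thresholds (20% spare disk, UPS active). The metric names, the bandwidth cut-off, the outage records and the sample readings are constructed assumptions.

```python
# Added example, not from the slides: measuring an Availability KGI and its KPIs.
# Metric names, the bandwidth cut-off, and all sample readings are constructed
# for illustration; the 20% spare-disk threshold is the slides' own figure.
from __future__ import annotations

from dataclasses import dataclass
from typing import Any, Callable

SPARE_DISK_WARNING_PCT = 20.0          # slides: < 20% spare disk capacity is an early warning
BANDWIDTH_HEADROOM_WARNING_PCT = 10.0  # assumed cut-off for "sufficient bandwidth"; the slides give none


# ---- KGI: availability never drops below 100% unless the outage was planned ----
@dataclass(frozen=True)
class Outage:
    minutes: int
    planned: bool


def unplanned_availability_pct(outages: list[Outage], period_minutes: int) -> float:
    """Availability over the period, counting only unplanned outages against it."""
    if period_minutes <= 0:
        raise ValueError("period_minutes must be positive")
    lost = sum(o.minutes for o in outages if not o.planned)
    return 100.0 * (period_minutes - lost) / period_minutes


def kgi_met(outages: list[Outage], period_minutes: int) -> bool:
    return unplanned_availability_pct(outages, period_minutes) >= 100.0


# ---- KPIs: each is an embedded monitor; a breach is an early warning indicator ----
@dataclass(frozen=True)
class Kpi:
    name: str
    healthy: Callable[[Any], bool]   # True means "your mitigating actions are succeeding"
    warning: str                     # what a breach is telling you


AVAILABILITY_KPIS = [
    Kpi("spare_disk_pct", lambda v: v >= SPARE_DISK_WARNING_PCT, "free up disk space"),
    Kpi("mains_power_on", lambda v: bool(v), "mains power lost"),
    Kpi("ups_active", lambda v: not v, "UPS has kicked in"),
    Kpi("server_available", lambda v: bool(v), "server down"),
    Kpi("bandwidth_headroom_pct", lambda v: v >= BANDWIDTH_HEADROOM_WARNING_PCT,
        "bandwidth nearly saturated"),
]


def evaluate(readings: dict[str, Any]) -> dict[str, str]:
    """Classify every KPI as 'ok', 'early-warning' or 'no-data'."""
    status: dict[str, str] = {}
    for kpi in AVAILABILITY_KPIS:
        if kpi.name not in readings:
            status[kpi.name] = "no-data"        # an unmeasured KPI is itself a finding
        elif kpi.healthy(readings[kpi.name]):
            status[kpi.name] = "ok"
        else:
            status[kpi.name] = "early-warning"
    return status


def early_warnings(readings: dict[str, Any]) -> list[str]:
    """The messages of every KPI currently showing an early warning."""
    status = evaluate(readings)
    return [k.warning for k in AVAILABILITY_KPIS if status[k.name] == "early-warning"]


def csf_on_track(readings: dict[str, Any]) -> bool:
    """The CSF (service available 24 x 7) is on track only if every monitor reads ok;
    a missing reading gives no evidence that the control is working."""
    return all(s == "ok" for s in evaluate(readings).values())


# Constructed sample data (one week, minutes)
WEEK_MINUTES = 7 * 24 * 60
OUTAGES_GOOD_WEEK = [Outage(minutes=120, planned=True)]
OUTAGES_BAD_WEEK = [Outage(minutes=120, planned=True), Outage(minutes=30, planned=False)]
READINGS_HEALTHY = {"spare_disk_pct": 35.0, "mains_power_on": True, "ups_active": False,
                    "server_available": True, "bandwidth_headroom_pct": 40.0}
READINGS_DEGRADED = {"spare_disk_pct": 15.0, "mains_power_on": False, "ups_active": True,
                     "server_available": True, "bandwidth_headroom_pct": 40.0}

if __name__ == "__main__":
    print("KGI met (good week):", kgi_met(OUTAGES_GOOD_WEEK, WEEK_MINUTES))
    print("KGI met (bad week): ", kgi_met(OUTAGES_BAD_WEEK, WEEK_MINUTES),
          f"({unplanned_availability_pct(OUTAGES_BAD_WEEK, WEEK_MINUTES):.3f}%)")
    print("CSF on track:", csf_on_track(READINGS_DEGRADED), early_warnings(READINGS_DEGRADED))
```

The point of separating the three layers is that a breached KPI is a warning long before the KGI is missed: in the degraded readings the server is still up, so the KGI still reads 100%, but the disk and UPS monitors have already turned amber.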


Non-Availability Root Causes (1)

1) Failure of connectivity as a result of loading company recommended third-party software on to customer computers
2) Failure of connectivity as a result of loading company produced software onto customer computers
3) Failure of the company’s internet connection
4) Company firewall prevents legitimate access
5) Company internal network failure
6) Key hardware failure
7) Key software failure


Non-Availability Root Causes (2)

8) Customer forgets access information
9) Inadequate capacity
10) Hacking attack:
a) Halts servers
b) Halts network
11) Virus/worm infestation disrupts the system
12) Power loss
13) Failure of the back-up/restore process
14) Ineffective third-party support for critical software
15) Complete destruction of computer facilities


Inadequate Support Root Causes

16) Support staff not available when required
17) Support staff unresponsive to requests for help
18) Support staff have inadequate knowledge to deal with the problem


E-Commerce Availability (Inherent Risk Mapping)

Root causes (numbered as above) plotted on the LIKELIHOOD (rows, A = Low to E = High) against CONSEQUENCE (columns, A = Low to E = High) matrix. Within a row the groups are given in left-to-right (low to high consequence) order as they appear on the slide; the exact column of each group is not recoverable from the extracted text.

E (High): 8
D: 2, 18 | 3, 4, 5, 6, 7, 9 | 10, 11, 13, 14 | 12
C: 16
B: 1
A (Low): 17 | 15

Call-outs on the slide: 12) Power Loss; 15) Loss of Computing; 14) 3rd Party Support; 8) Forgets password


E-Commerce Availability (Residual Risk Mapping)

The same matrix after controls. The extracted text of this slide carries the same positions as the inherent map; within a row the groups are given in left-to-right (low to high consequence) order as they appear on the slide.

E (High): 8
D: 2, 18 | 3, 4, 5, 6, 7, 9 | 10, 11, 13, 14 | 12
C: 16
B: 1
A (Low): 17 | 15

Call-outs on the slide: 12) Power Loss; 15) Loss of Computing; 14) 3rd Party Support; 8) Forgets password
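The risk-based auditing steps (map at the inherent level, identify controls, map at the residual level, provide assurance that the residual level is appropriate) and the likelihood/consequence matrix of the Risk Management and E-Commerce Availability slides, carried through in Python as an added example that is not the author's own material. The root-cause numbers and descriptions and the likelihood rows come from the slides; the consequence letters, the controls, the sizes of their reductions and the zone cut-offs are assumptions made for illustration, since the slides draw the zones but give no numeric boundaries.

```python
# Added example, not from the slides: a risk register on the 5 x 5
# likelihood/consequence matrix, moving risks from inherent (IR) to residual (RR).
# Consequence letters, controls and zone cut-offs are constructed assumptions.
from __future__ import annotations

from dataclasses import dataclass, field

LEVELS = "ABCDE"   # A = Low ... E = High on both axes, as drawn on the slides
ZONES = ["No Action", "Local Management Attention", "Senior Management Attention"]


def level_index(level: str) -> int:
    """Axis letter -> 0..4; rejects anything off the matrix."""
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS!r}, got {level!r}")
    return LEVELS.index(level)


def zone(likelihood: str, consequence: str) -> str:
    """Attention zone for one cell. ASSUMPTION: likelihood + consequence
    (0..8) of 6 or more is senior, 3 or more is local, otherwise no action."""
    score = level_index(likelihood) + level_index(consequence)
    if score >= 6:
        return ZONES[2]
    if score >= 3:
        return ZONES[1]
    return ZONES[0]


@dataclass(frozen=True)
class Control:
    """A mitigating action; it reduces likelihood and/or consequence by whole steps."""
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0


@dataclass
class Risk:
    ref: int                 # root-cause number from the slides
    cause: str
    likelihood: str          # inherent (pre-control) position
    consequence: str
    controls: list[Control] = field(default_factory=list)

    def residual(self) -> tuple[str, str]:
        """Post-control position; reductions cannot go below A (Low)."""
        lik = level_index(self.likelihood) - sum(c.likelihood_reduction for c in self.controls)
        con = level_index(self.consequence) - sum(c.consequence_reduction for c in self.controls)
        return LEVELS[max(lik, 0)], LEVELS[max(con, 0)]

    def inherent_zone(self) -> str:
        return zone(self.likelihood, self.consequence)

    def residual_zone(self) -> str:
        return zone(*self.residual())


def needs_remedial_action(risk: Risk, accepted_zone: str = "Local Management Attention") -> bool:
    """Audit step: is the residual level appropriate? True when the residual zone
    still ranks above the zone management has agreed to tolerate."""
    return ZONES.index(risk.residual_zone()) > ZONES.index(accepted_zone)


def risk_map(risks: list[Risk], residual: bool = False) -> dict[tuple[str, str], list[int]]:
    """Group risk refs by matrix cell, i.e. the slides' grid as a dict."""
    cells: dict[tuple[str, str], list[int]] = {}
    for r in risks:
        key = r.residual() if residual else (r.likelihood, r.consequence)
        cells.setdefault(key, []).append(r.ref)
    return cells


# Constructed register: refs, causes and likelihood rows follow the slides; the
# consequence letters and the controls are assumptions, not the author's figures.
REGISTER = [
    Risk(8, "Customer forgets access information", "E", "A",
         [Control("self-service password reset", likelihood_reduction=1)]),
    Risk(12, "Power loss", "D", "E",
         [Control("UPS plus standby generator", likelihood_reduction=1)]),
    Risk(15, "Complete destruction of computer facilities", "A", "E",
         [Control("tested off-site disaster recovery", consequence_reduction=2)]),
    Risk(16, "Support staff not available when required", "C", "B", []),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.ref:>2} IR {r.likelihood}{r.consequence} {r.inherent_zone():<27} "
              f"RR {''.join(r.residual())} {r.residual_zone():<27} "
              f"remedial={needs_remedial_action(r)}")
```

Power loss is the instructive case: the assumed control moves it only one step down the likelihood axis, so it stays in the senior-attention zone and the register flags it for a remedial action plan, which is exactly the final step of the risk-based audit sequence.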


Summary

■ IT has high risks, but can provide high returns
■ Senior management need assurance that IT is being well managed
■ The auditor provides that assurance in conjunction with IT management and the company’s risk management process


What You Don’t Want


Questions?

John Mitchell
LHS Business Control
47 Grangewood
Potters Bar
Hertfordshire EN6 1SL
England
Tel: +44 (0)1707 851454
Fax: +44 (0)1707 851455
[email protected]