![Page 1: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/1.jpg)
Risk-based sampling using CobiT
By Rune Johannessen and Børre Lagesen
June 2005 Lithuania
![Page 2: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/2.jpg)
IS THIS YOUR DAY?
(Slide graphic: scattered CobiT process identifiers PO1, PO8, PO11, AI1, AI6, DS5, DS11 and a question mark.)
![Page 3: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/3.jpg)
The purpose of this session!
![Page 4: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/4.jpg)
Presentation
• Rune Johannessen
– CISA, CIA, Dipl. Int revisor
– 9 years experience in IT audits and quality assurance from various ministries with their subordinate agencies, private companies and system development projects.
• Børre Lagesen
– CISA
– 6 years experience in IT audit from various ministries with their subordinate agencies.
![Page 5: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/5.jpg)
Agenda
1. What is the objective for this workshop?
2. Background
3. Method for Risk-based sampling
4. Case study
5. Experiences from practical use in Norway.
6. Sum up and questions
![Page 6: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/6.jpg)
1. The objective for this workshop.
1. Help the auditor to select the right areas and processes for IT auditing.
2. Contribute to improvement and quality in the performance of the IT risk assessment.
3. Contribute to an open discussion and knowledge sharing.
![Page 7: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/7.jpg)
2. Background
1. Why CobiT?
2. Why this risk assessment approach?
– CobiT is highly comprehensive and its use quite time consuming.
– This is in stark contrast to our everyday situation, where time is a critical factor.
– CobiT does not provide clear guidelines on how to carry out an overall (or “high level”) audit risk assessment.
![Page 8: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/8.jpg)
Method for Risk-based sampling
1. The method presented is not intended as a final template.
2. The presentation is based on qualitative assessments of risks.
3. The method uses the following sources:
• Audit Guidelines
• Control Objectives
but could also use the maturity model in “Management Guidelines”.
![Page 9: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/9.jpg)
Method for Risk-based sampling
Phase 1: Selection based on criteria/processes/resources
Phase 2: Risk assessment of selected processes
Phase 3: IT audit
![Page 10: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/10.jpg)
![Page 11: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/11.jpg)
![Page 12: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/12.jpg)
Results of Phase 1:
The auditor has a list of relevant processes.
In our last example, AI2 and AI6 were identified as the most relevant within the domain “Acquisitions and implementation”.
![Page 13: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/13.jpg)
![Page 14: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/14.jpg)
(Slide graphic, labelled “Don’t exist”.)
![Page 15: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/15.jpg)
| Scale | Control routines |
|---|---|
| Doc | The audited entity has a documented routine or process that deals with the matter. |
| Undoc | The audited entity does not have a documented routine or documented processes that deal with the matter. |
| Don’t exist | The process does not exist in this organisation. Further actions and consequences for other types of audits need to be considered. |
![Page 16: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/16.jpg)
| Scale | Probability |
|---|---|
| H | It is regarded as highly probable that this process will be negatively affected by internal or external events. |
| M | It is regarded as possible that this process will be negatively affected by internal or external events. |
| L | It is not regarded as very probable that this process will be negatively affected by internal or external events. |
![Page 17: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/17.jpg)
Method for Risk-based sampling

| Scale | Consequence |
|---|---|
| H | Negative internal or external incidents are expected to have major consequences. |
| M | Negative internal or external incidents are expected to have medium consequences. |
| L | Negative internal or external incidents are expected to have minor consequences. |
![Page 18: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/18.jpg)
Each process is then subject to a risk assessment where probability and consequences are considered together.
On the basis of how each process is rated in terms of risk (H high, M medium, L low in our example), processes are selected for further IT audit (phase 3).
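As an added illustration (not part of the original slides) of how phase 2 applies the three scales to the processes coming out of phase 1 and decides what goes on to phase 3, in Python. The slides only say probability and consequence are "considered together", so the combination rule (product of the ordinal H/M/L levels) and the selection threshold are assumptions, and the ratings given to AI1, AI2 and AI6 are constructed:

```python
"""Phase 2 of the risk-based sampling method: rate each CobiT process
selected in phase 1 and pick the ones that go on to the IT audit (phase 3).
Added example; the combination rule and threshold are assumptions."""
from dataclasses import dataclass

LEVEL = {"L": 1, "M": 2, "H": 3}                  # the slides' H/M/L scales
CONTROL_ROUTINES = {"Doc", "Undoc", "Don't exist"}  # control-routine scale


@dataclass
class ProcessRating:
    process: str      # CobiT process id, e.g. "AI6"
    control: str      # Doc / Undoc / Don't exist
    probability: str  # H / M / L
    consequence: str  # H / M / L


def risk_rating(probability: str, consequence: str) -> str:
    """Combine probability and consequence into one H/M/L risk rating.
    Assumed rule: product of ordinal levels; 1-2 -> L, 3-4 -> M, 6-9 -> H."""
    score = LEVEL[probability] * LEVEL[consequence]
    if score >= 6:
        return "H"
    if score >= 3:
        return "M"
    return "L"


def assess(ratings, select=("H",)):
    """Return (selected_for_phase_3, flagged_for_follow_up).
    Processes whose risk rating is in `select` go to the IT audit. A process
    rated 'Don't exist' is flagged as well, since the slides require further
    actions and consequences for other audits to be considered for it."""
    selected, flagged = [], []
    for r in ratings:
        if (r.control not in CONTROL_ROUTINES or r.probability not in LEVEL
                or r.consequence not in LEVEL):
            raise ValueError(f"{r.process}: value outside the defined scales")
        rating = risk_rating(r.probability, r.consequence)
        if rating in select:
            selected.append((r.process, rating))
        if r.control == "Don't exist":
            flagged.append(r.process)
    return selected, flagged


# Constructed phase-1 output for the AI domain (AI2 and AI6 as on the slide);
# the control/probability/consequence values are made up for illustration.
PHASE_1 = [
    ProcessRating("AI2", "Undoc", "M", "H"),
    ProcessRating("AI6", "Don't exist", "H", "H"),
    ProcessRating("AI1", "Doc", "L", "M"),
]

if __name__ == "__main__":
    selected, flagged = assess(PHASE_1)
    print("Phase 3 audit:", selected)              # [('AI2', 'H'), ('AI6', 'H')]
    print("Follow up (does not exist):", flagged)  # ['AI6']
```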
![Page 19: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/19.jpg)
Method for Risk-based sampling

| IT process and audit questions | Results of evaluation and testing | Recommendation | Ref. |
|---|---|---|---|
| AI6 Change management. Has a method been established for prioritisation of change recommendations from users, and if so, is it being used? Have procedures been compiled for sudden changes, and if so, are they being used? Is there a formal procedure for monitoring changes, and if so, is it being used? Etc. | Observation: Method for changes… There is no procedure for sudden changes … Etc. Assessments: The methodology is incomplete in terms of sudden changes… Conclusion: The methodology is inadequate … | We recommend … | |
![Page 20: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/20.jpg)
WORK!!!!
1. Identify relevant questions for chosen processes (PO9, DS4, DS5) based on your points in “and takes into consideration”. (from 14.05 to 14.30 – 25 minutes)
2. Use the questions on the case study. Evaluate risk and conclude on further audit. (from 14.30 to 15.30 – 60 minutes including break. )
3. Discussions (from 15.30 to 16.15 – 45 minutes)
![Page 21: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/21.jpg)
5. Practical use and experiences from Norway
![Page 22: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/22.jpg)
Method for Risk-based sampling
Phase 1: Selection based on targets/processes/resources
Phase 2: Risk assessment of selected processes
Phase 3: IT audit
![Page 23: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/23.jpg)
Selection of processes
![Page 24: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/24.jpg)
The risk assessment of processes
![Page 25: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/25.jpg)
Result of risk assessment in four different government agencies
![Page 26: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/26.jpg)
Short about developing our IT audit program
(Slide graphic with the labels: Audit program, Audit guidelines, Control objective.)
![Page 27: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/27.jpg)
Result of audit

| Process | Agency 1 | Agency 2 | Agency 3 | Agency 4 |
|---|---|---|---|---|
| PO9 | Findings reported to ministry | Findings reported to parliament | Findings reported to parliament | Findings reported to ministry |
| DS4 | Findings reported to parliament | Findings reported to parliament | Findings reported to parliament | Findings reported to ministry |
| DS11 | Findings reported to parliament | Findings reported to agency | Findings reported to agency | Nothing reported |

(Agencies 1 to 4 are government agencies.)
![Page 28: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/28.jpg)
Experience
Pros
• able to develop a good risk profile
• able to select the right process to audit
• reuse of questionnaire and risk profile
Cons
• it took time to develop the questions
• takes time to perform such a comprehensive risk assessment.
![Page 29: Risk-based sampling using CobiT](https://reader036.vdocuments.us/reader036/viewer/2022062314/5681329a550346895d99334a/html5/thumbnails/29.jpg)
You can’t hide – we see it all