Tan Jenny 23 September 2009 SESSION 4: Understanding Your IT Control Environment & Its Readiness

Upload: marjory-thompson

Post on 23-Dec-2015

Page 1

Tan Jenny, 23 September 2009

SESSION 4: Understanding Your IT Control Environment & Its Readiness

Page 2

OVERVIEW

Control Environment

Input, Process, Output

Systems & processes

Tools

Security

Human resources

Page 3

Control Environment

Systems & processes

Policies & Procedures

Are there policies (e.g. Capex, IT) established and operating in the organisation?

Procedures established and implemented to guide IT and user personnel functions?

Policies & Procedures are approved and regularly reviewed?

Organisation Structure

Who does the IS function routinely report to?

Has the relationship of the IS function to the rest of the business been clearly defined and understood?

The IS function is appropriately staffed?

Page 4

Control Environment

Tools

Systems & Applications – HR, Finance, Email, Network, etc.

Control procedures in place to guide the system selection, development &/or implementation process?

In-house versus Outsourcing?

Page 5

Control Environment

Security

Firewall & Anti-virus

Access Control

This is my password

Physical Security

Safe Box

CCTV

Back Up Media

Insurance / Contracts

Page 6

Control Environment

Human resources

Resume

Appropriate Job Description

Appropriate Candidate

Relevant Experience

Regular / appropriate training

Vendor selection / assessment

Page 7

Control Environment

IT Governance

IT Governance can be seen as a structure of relationships and processes to direct and control the enterprise use of IT to achieve the enterprise’s goals by adding value while balancing risk vs return over IT and its processes.

Source: ISACA, IT Governance Institute, 2008

Page 8

Control Environment

Why Is IT Governance Important?

Good corporate governance helps to prevent corporate scandals, fraud and potential civil & criminal liability of the organisation.

Good governance is good for NPOs:

o Enhances organisation reputation

o Compliance with applicable Acts, Rules & Regulations and Code of Governance

o Trusted by contributors (donors)

o Reliability of financial reporting

Page 9

Control Environment

Effective Risk Management

HARD SIDE

Measures and reporting

Risk oversight committees

Policies & procedures

Risk assessments

Risk limits

Audit processes

Systems

SOFT SIDE

Risk awareness

People

Skills

Integrity

Incentives

Culture & values

Trust & communication

Page 10

Control Environment

Is Your IT Control Environment Ready?

How can you gauge? Remarks

1. Self-assessment, past experiences

o May not have in-house specialist

o No benchmark

2. Engage consultant to perform a review

o IT review services not cheap – specialised group of professionals

3. Through annual audit exercises (can be internal or external audit)

o May be a bit late, outcome recorded in audit report

o Not all internal &/or external auditors are IT audit savvy

Page 11

Control Environment

Do you want to be READY?

Tone from the TOP

Board Members/Management

Page 12

THE END