Tan Jenny
23 September 2009
SESSION 4: Understanding Your IT Control Environment & Its Readiness
Control Environment
OVERVIEW
Input, Output, Process
Systems & processes
Tools
Security
Human resources
Organisation Structure
Policies & Procedures
Are there policies (e.g. Capex, IT) established and operating in the organisation?
Procedures established and implemented to guide IT and user personnel functions?
Policies & Procedures are approved and regularly reviewed?
Who does the IS function routinely report to?
Has the relationship of the IS function to the rest of the business been clearly defined and understood?
Is the IS function appropriately staffed?
Systems & Applications – HR, Finance, Email, Network, etc
Control procedures in place to guide the system selection, development &/or implementation process?
In-house versus Outsourcing?
Tools
Insurance / Contracts
This is my password
Security
Firewall & Anti-virus
Access Control
Physical Security
Safe Box
CCTV
Back Up Media
Resume
Appropriate Job Description
Appropriate Candidate
Relevant Experience
Regular / appropriate training
Vendor selection / assessment
Human resources
IT Governance
IT Governance can be seen as a structure of relationships and processes to direct and control the enterprise use of IT to achieve the enterprise’s goals by adding value while balancing risk vs return over IT and its processes.
Source: ISACA, IT Governance Institute, 2008
Why Is IT Governance Important?
Good corporate governance helps to prevent corporate scandals, fraud and potential civil & criminal liability of the organisation.
Good governance is good for NPOs:
o Enhances organisation reputation
o Compliance with applicable Acts, Rules & Regulations and Code of Governance
o Trusted by contributors (donors)
o Reliability of financial reporting
Effective Risk Management
HARD SIDE
Measures and reporting
Risk oversight committees
Policies & procedures
Risk assessments
Risk limits
Audit processes
Systems
SOFT SIDE
Risk awareness
People
Skills
Integrity
Incentives
Culture & values
Trust & communication
Is Your IT Control Environment Ready?
How can you gauge? Remarks
1. Self-assessment, past experiences
o May not have in-house specialist
o No benchmark
2. Engage consultant to perform a review
o IT review services not cheap – specialised group of professionals
3. Through annual audit exercises (can be internal or external audit)
o May be a bit late, outcome recorded in audit report
o Not all internal &/or external auditors are IT audit savvy
Do you want to be READY?
Tone from the TOP
Board Members/Management
THE END