Ravenswood Consultants Ltd What to Audit & Why Derek J. Oliver Ravenswood Consultants Ltd.

Presentation on theme: "Ravenswood Consultants Ltd What to Audit & Why Derek J. Oliver Ravenswood Consultants Ltd."— Presentation transcript:

1 What to Audit & Why
Derek J. Oliver, Ravenswood Consultants Ltd

2 Derek J. Oliver
- 20+ years in IS Audit & Security
- Former Head of UK Internal Audit, FDC
- Certified Information Systems Auditor
- Certified Information Security Manager
- Certified Fraud Examiner
- Fellow of the British Computer Society
- Fellow of the Institution of Analysts & Programmers
- Past President, ISACA, London Chapter
Why me?

3 Programme
- The Failsafe Approach: Essential Audits ("Nobody ever got the sack.....")
- The Real Life Approach: Risk-based auditing
  - What could go wrong?
  - Would it matter if it did?
  - What can we do about it?
WHO CARES?

4 The Failsafe Approach
Nobody ever got the sack for scheduling these audits

5 The Annual Audit Plan #1
- Transaction Processing: trace key transactions through the process from document receipt to final print
  - Input Controls: validation; credibility etc.
  - Processing Controls: run-to-run totals; check pointing etc.
  - Output Controls: system balancing; report distribution etc.

6 The Annual Audit Plan #2
- Logical Security
  - Access Control: hierarchic restrictions
  - Access to Source Code
  - Access to Production Systems
  - Access to Operating Systems
  - Access to Utilities

7 The Annual Audit Plan #3
- Change Management
  - Access to Source Code
  - Development Libraries
  - Testing
  - Quality Assurance
  - Transfer to Production
  - Implementation Control
  - Division of Duties

8 The Annual Audit Plan #4
- Physical Security

9 Justification
- #1: Is the computer system working? Are all the controls working?
- #2: Is essential data secure? Are programs secure?
- #3: Can unknown changes be made to programs? Are all changes properly tested & authorized?
- #4: Can strangers or unauthorised people disrupt your systems?
But this only needs to be done once, because systems cannot change themselves.
But what if confidentiality is not a business risk in your organization?
Do you need sophisticated change management?
Probably a likely annual audit.
But how do you know what's important to your business? Risk Based Audit Planning!

10 The "Real Life" Approach
Risk Based Auditing, or Meeting the Business Needs!

11 The Risk-Based Approach
- MUST address BUSINESS risk; no other risk is relevant
- For every audit, you should ask: "How will this audit help my company to achieve its stated business objectives?"
- If you can't answer this, then.... why are you conducting the audit?

12 Why did the Auditor cross the road?
It's the old, old question..... Because according to the audit file, that's what they did three years ago!

13 Why is RISK important?
- Business must take risks!
- Business must live with risks!
- Business must understand risks!
- Business must control risks!
BUSINESS!

14 How can RISK be identified?
- Work backwards...... What could happen to the business?
  - Fail to comply with legislation
  - Lose business to competitors
  - Lose customer / public confidence
- How could it happen?
- Are there controls to prevent it happening?
- Are there controls to minimise the effect?
What do we need to know?

15 Core Businesses and Critical Support Units
An inventory of core businesses should be made.
- Has this been done?
- What are they?
- Why are they core?
When these have been established, then we can further analyze the situation.

16 Core Businesses and Critical Support Units
- What constitutes a core business operation for an organization?
  a. Revenue
  b. Net income
  c. Cash flow

17 Core Businesses and Critical Support Units
- What constitutes a critical business unit within core business? What criteria would you use?
- Would you make any classifications by type?
  - Productive Operations
  - Support Operations
- How would you define them?
  - Function
  - Product line
  - Department

18 Core Businesses and Critical Support Units
- What is the importance of making these determinations?
- What critical computer application systems support these operations or departments?
  - What is the importance of knowing this?
  - Are they in a state of transition?

19 Why analyse RISK?
- Enable risks to be compared, using a standard approach!
- Enable risks to be addressed by an appropriate parameter:
  - By the most serious effect
  - By the easiest / cheapest / quickest to control
  - According to business objectives / strategy
- Enable a business decision on risk strategy

20 What is RISK Strategy?
- Linking risk to business objectives
- Balancing cost of control against potential loss, e.g. Disaster Recovery:

21 Managing & Controlling RISK
1. Identify the THREATS
2. Assess the level of RISK
3. Establish the EXPOSURE
4. Design & Implement CONTROL
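Slides 19 to 21 argue for comparing risks with one standard approach, weighing the cost of a control against the loss it avoids, and working through threats, risk, exposure and control in that order. The following Python script is an added worked example, not from Derek Oliver's deck, showing how a small risk register can turn those steps into a ranked annual audit plan. The scoring model is an assumption the slides do not spell out: exposure is taken as likelihood multiplied by impact, and a control is judged worthwhile when the loss it removes exceeds its annual cost. The threats, values and audit-area names in the register are constructed for illustration.

```python
"""Added example (not from the presentation): a minimal risk register that
follows the deck's four steps -- identify THREATS, assess RISK, establish
EXPOSURE, design CONTROL -- and ranks audit areas for an annual plan.

Assumed scoring model (not stated on the slides):
  exposure          = likelihood * impact   (expected loss per year)
  residual exposure = exposure * (1 - control_effect)
  a control is worthwhile when the loss it removes exceeds its cost.
"""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str              # what could go wrong
    audit_area: str        # which audit in the plan would examine it
    likelihood: float      # expected occurrences per year (assumed)
    impact: float          # loss per occurrence, in currency units
    control_cost: float    # annual cost of the proposed control
    control_effect: float  # fraction of the loss the control removes (0..1)


def exposure(t: Threat) -> float:
    """Step 3: expected annual loss before any control (likelihood x impact)."""
    return t.likelihood * t.impact


def residual_exposure(t: Threat) -> float:
    """What remains after the proposed control is applied."""
    return exposure(t) * (1.0 - t.control_effect)


def control_worthwhile(t: Threat) -> bool:
    """Step 4 / slide 20: balance cost of control against potential loss.
    The control is justified only if it removes more loss than it costs."""
    loss_removed = exposure(t) - residual_exposure(t)
    return loss_removed > t.control_cost


def rank_audit_plan(threats):
    """Aggregate exposure per audit area and rank highest first, so the
    audit plan is ordered by business risk rather than by last year's file."""
    totals = {}
    for t in threats:
        totals[t.audit_area] = totals.get(t.audit_area, 0.0) + exposure(t)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample register; every value here is illustrative, not from the deck.
REGISTER = [
    Threat("Unauthorised access to production data", "Logical Security",
           likelihood=0.5, impact=200_000, control_cost=30_000, control_effect=0.8),
    Threat("Untested program change corrupts batch run", "Change Management",
           likelihood=2.0, impact=25_000, control_cost=15_000, control_effect=0.9),
    Threat("Server room fire", "Physical Security",
           likelihood=0.02, impact=1_000_000, control_cost=25_000, control_effect=0.5),
    Threat("Project overruns budget", "Project Management & QA",
           likelihood=1.0, impact=60_000, control_cost=80_000, control_effect=0.6),
]


if __name__ == "__main__":
    print("Threat assessment:")
    for t in REGISTER:
        verdict = "justified" if control_worthwhile(t) else "not justified at this cost"
        print(f"  {t.name}: exposure {exposure(t):,.0f}, control {verdict}")
    print("Ranked audit plan:")
    for rank, (area, total) in enumerate(rank_audit_plan(REGISTER), start=1):
        print(f"  {rank}. {area} (exposure {total:,.0f})")
```

With the constructed figures the register ranks Logical Security first and Physical Security last, and it shows that two of the four proposed controls cost more than the loss they would remove, which is exactly the business decision slide 20 asks for before an audit or a control is scheduled.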

22 Managing Risk
- PREVENTION: Remove the THREAT
- DETERRENCE: Minimise the RISK
- DETECTION: Minimise the EXPOSURE

23 Managing Risk?
- Nothing new: consider the Caveman...?
- Not forgetting the Merchant Navy....!
- What about the Romans...!

24 Preventive Control
- Early Man feared attack from animals, so lived in a cave; most armies fought with the protection of armour.
- We may identify confidentiality as a risk, so implement strict logical access control.

25 Deterrent Control
- The Romans feared insurgence, so maintained a big, well-trained army.
- We may identify information theft as a risk, so log all user online activity.

26 Detective Control
- Ships were sinking through being overloaded, so the Plimsoll Line was introduced.
- We may identify fraud as a risk and implement balancing controls & management checks.

27 Risk - Summary
- RISK must be Managed
- RISK must be Controlled
- RISK must be Understood
- CONTROL must reflect BUSINESS needs
- CONTROL must be appropriate
- CONTROL must be reasonable

28 So, the WHY is likely to be
- What represents RISK to the BUSINESS:
  - Losing Money (Theft, Fraud)
  - Losing Market Share
  - Losing Customers
  - Losing out to Competition
  - Failing to achieve objectives
  - Failing to achieve growth

29 That's the why, but HOW
- Loss of Money:
  - Poor management controls = opportunity?
  - Poor logical security = fraud? abuse?
  - Poor physical security = theft? vandalism?
  - Incorrect data processing = disappearing money?
  - Late or over budget projects = disappearing money!!!
- Loss of Information:
  - Poor logical security = espionage? legislation?
  - Poor management controls = legislation?
  - Poor physical security = errors? fraud?
  - Poor availability = lost or corrupted data?

30 Resulting in... apart from the obvious
- Lost money = lost cash flow = poor performance = lost market share = shareholder concern
- Released data = public humiliation = lost confidence = lost market share = shareholder concern
- Lost/bad data = lost business = lost money = lost market share = shareholder concern

31 Then, to get to the audit plan
- WHERE can this go wrong?
  - Logical Security
  - Physical Security
  - Transaction Control
  - Change Management & QA
  - Project Management
  - Disruption
(numbered #1 to #6 on the slide)

32 Which gives us our Annual Audit Plan...
1. Transaction Processing Management
2. Logical Security
3. Change Management
4. Physical Security
5. Project Management & QA
6. Disaster Recovery Planning

33 So let's start to reach the conclusion
- The Audit Plan must be based on:
  'What could go wrong?'
  'What would be the effect if it did?'
  'How could it happen?'
  'Can we prevent it by removing the risk?'
  'Can we minimise the effect by control?'
  'What risk are we living with?'

34 And of course, we now have ... is about Risk Management
- Identify the inherent risk
- Quantify the risk
- Control the risk
- Assess the residual risk
- Evaluate controls
- Regularly assess & report residual risk

35 Conclusion
It's the BUSINESS NEEDS that count! When considering how to manage risk....

36 Questions?
Derek J. Oliver CISA, CFE, Ravenswood Consultants Limited
What to Audit & Why?

