
1 ©2005 Deloitte & Touche Public Sector Internal Audit Limited. Private and Confidential IT Governance - Ealing Council

2 IT Governance
A process by which an organisation's leaders ensure that IT is aligned with the business and delivers value, its performance is measured, its resources properly allocated and its risks mitigated.

3 Technology
Opportunities
Growth
Development

4 Information Technology
Integral part of all processes
Accomplish mission and objectives
Facilitates local and global communications

5 Technology Threats
Service Disruption
Deception
Theft
Fraud
Trusted Users

6 What Questions Should You Be Asking?
What are IT controls?
What should be protected?
Where are IT controls applied?
Who is responsible?
When do we assess IT controls?
How much control is enough?

7 IT Controls
Significant components:
Automation of business controls
Control of IT
Support business management and governance

8 IT Controls
Corporate policies
Coded instructions
Physical access
Audit trails – the ability to trace actions and transactions to responsible individuals
Automatic edits (data input)
Data integrity…

9 Controls Classifications
General controls (also known as infrastructure controls) – apply to all system components, and also include information security policy, administration, access and authentication
Application controls – data input, separation of duties, i.e. transaction initiation versus authorisation
Preventive controls – prevent errors, omissions or security incidents from occurring, e.g. data entry validation, access control
Detective controls – detect errors or incidents, e.g. identifying account numbers of inactive accounts flagged for monitoring of suspicious activity
Corrective controls – correct errors, omissions or incidents once they have been detected, e.g. correction of a data entry error, identifying and removing unauthorised users or software from systems or networks

10 Governance Controls
Primary accountability for internal controls resides with the corporate board
Ensure that effective information management and security principles, policies and processes are in place, and that there is sufficient performance and compliance to demonstrate this
Controls mandated by the corporate leadership team (CLT), linked with the concept of corporate governance, are driven by the organisation's goals and strategies and by external regulators
The Performance and Audit Panel's responsibility is oversight rather than actually performing control activities, e.g. you don't do the auditing but oversee both internal and external auditing at Ealing

11 Management Controls
Responsibility for reaching into the organisation, with special attention to critical assets, sensitive information and operational functions
Requires close collaboration with the audit committee to ensure that the IT controls needed to achieve established objectives are applied, are reliable and provide continuous processing
Management must recognise risks to the organisation, its assets and its processes
Implement mechanisms to mitigate these risks (protect, monitor and measure results)

12 Technical Controls
Form the foundation which ensures the reliability of virtually every other control in the organisation, e.g.
Protection against unauthorised access and intrusion
Reliance on integrity of information
Evidence of all changes and their authenticity

13 What to Expect
GTAG IIA

14 Information Security
Integral part of all IT controls, with the exception of financial aspects of IT such as return on investment, budgetary controls and some project management controls
BS/ISO-1779
ITIL

15 Information Security
Three key elements of information security:
Confidentiality – information is only divulged as appropriate
Integrity – data is correct and complete
Availability – information must be available to the organisation, customers and partners when, where and in the manner needed; also the ability to recover from losses, disruption or corruption of data and IT services

16 Role of Performance and Audit Panel
What do we mean by IT controls?
Why do we need IT controls?
Who is responsible for IT controls?
When is it appropriate to apply IT controls?
Where exactly are IT controls applied?
How do we perform IT controls assessments?

17 The Structure of IT Auditing
GTAG IIA

18 IT Audit at Ealing
Essential part of the corporate governance process
Internal audit have specialist and qualified IT auditors performing audits
IT auditing is included in the audit universe and annual plan
Sharing the plan with external audit, as in the Response programme
Agresso implementation
Post implementation reviews
General IT controls – anti-virus, IT security, network infrastructure, operating systems
Specialist data integrity (CAATs)
Data Protection & Freedom of Information
Applications…

19 The Audit Process
Formal structure for addressing IT controls
Sound technical understanding
Provide results of risk and control assessments
Interact with those responsible for controls
Pursue continuous learning through CPD and reassessment of new technologies – new opportunities, risks, dependencies, strategies and requirements

20 IT Control Assurance
IT controls assurance addresses the ability of controls to protect the organisation against the most important threats, and provides evidence that remaining risks are unlikely to harm the organisation and its stakeholders significantly.
GTAG IIA

21 Important Roles and Responsibilities
Corporate level: Performance and Audit Panel, Audit Board
Management: Chief Executive, Head of IT, IT Security Officer
Audit: Internal, External

22 Control Framework
Adoption of a formal control framework is beneficial
COSO – Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment (The Committee of Sponsoring Organisations of the Treadway Commission)
COBIT – accepted standard for good information technology security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners (ISACA 2005)

23 Corporate Level
Oversee risk management and compliance programmes concerning information security
Approve and adopt information security principles and assign key managers responsible for information security
Protect the interests of all stakeholders who depend on information security
Review information security policies regarding strategic partners and other third parties
Ensure business continuity
Review provisions of internal and external audits of IT
Collaborate with management to specify what information security reviews should be reported to the Corporate Board

24 Management
Establish information security management policies
Assign information security roles, responsibilities and required skills, and maintain separation of duties
Training in security matters
Assess IT risks and manage these risks
Information security requirements for strategic partners and other third parties
Identify and classify information assets
Implement and test business continuity
Approve IT acquisitions, development, operations and maintenance
Protect the physical environment
Collaborate with security personnel to specify what needs to be reported to management

25 Internal/External Audit
As covered in the previous slide (IT Audit at Ealing), but also…
Advise corporate and management level on IT internal control issues
Ensure IT is included in the internal audit plan
IT risks are considered when assigning resources and prioritising audit activities
Specialist training
IT issues for key systems are considered
Performing IT risk assessments
Performing IT audits…

26 Some Useful Websites
www.itgi.org – IT Governance Institute
www.coso.org – The Committee of Sponsoring Organisations of the Treadway Commission
www.isaca.org – Information Systems Audit and Control Association
www.theiia.org – Institute of Internal Auditors
www.sans.org – Security Policy Resource Page

27 Shahab Hussein CISA
Senior Manager – Computer Assurance Services
Deloitte & Touche Public Sector Internal Audit
shussein@deloitte.co.uk
Direct: 01727 886610
Mobile: 07970 884602

28 Questions

29 This presentation covers IT Governance only in general terms and is intended to give the audience an outline understanding of issues in IT Governance, and therefore cannot be relied on to cover specific situations; applications of the principles set out will depend on the particular circumstances involved. Furthermore, responses given in the presentation to questions are based on only an outline understanding of the facts and circumstances of the cases and therefore do not form an appropriate substitute for considered specific advice tailored to your circumstances. We recommend that you obtain professional advice before acting or refraining from acting on any of its contents. We would be pleased to advise you on the application of the principles demonstrated at the presentation to specific circumstances but in the absence of such specific advice cannot be responsible or liable.
Deloitte & Touche Public Sector Internal Audit Limited. Registered in England and Wales with registered number 4585162. Registered office: Hill House, 1 Little New Street, London EC4A 3TR. Deloitte & Touche Public Sector Internal Audit Limited is a subsidiary of Deloitte & Touche LLP which is the United Kingdom member firm of Deloitte Touche Tohmatsu ('DTT'), a Swiss Verein whose member firms are separate and independent legal entities. Neither DTT nor any of its member firms has any liability for each other's acts or omissions. Services are provided by member firms or their subsidiaries and not by DTT.

30 Member of Deloitte Touche Tohmatsu
