Presentation is loading. Please wait.

Presentation is loading. Please wait.

Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen October 13 th 2004 Lisabon.

Published byAnne Lester Modified over 8 years ago

Similar presentations

Presentation on theme: "Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen October 13 th 2004 Lisabon."— Presentation transcript:

1 Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen October 13 th 2004 Lisabon

2 IS THIS YOUR DAY? ? PO8 PO1 DS11 AI6 PO11 AI1 PO1 DS5

3 The purpose of this session!

4 Presentation Rune Johansen – CISA, CIA, Dipl. Int revisor – 8 years experience in IT audits and quality insurance from various ministries with their subordinate agencies, private companies and system development projects. Børre Lagesen – CISA – 5 years experience in IT audit from various ministries with their subordinate agencies.

5 Agenda 1.What is the objective for this workshop 2.Background 3.Method for Risk-based sampling 4.Case studies 5.Experiences from practical use in Norway. 6.Sum up and questions

6 1. The objective for this workshop. 1.Help the auditor to select the right areas and processes. 2.Contribute to improving the quality and performance of the IT audits in the SAI’s. 3.Contribute to an open discussion and knowledge sharing.

7 2. Background 1.More use of CobiT 2.CobiT is highly comprehensive and its use quite time consuming. 3.This in stark contrast to our everyday situation, where time is a critical factor.

8 Background 4.CobiT does not provide clear guidelines on how to carry out an overall (or “high level”) audit risk assessment.

9 Method for Risk-based sampling 1.The method presented is not intended as a final template. 2.The presentation is based on qualitative assessments of risks. 3.The method uses the following sources: Audit Guidelines Controll Ojectives but could also use the maturity model in “Management Guidelines”

10 Selection based on targets/processes/resources Risk assessment of selected processes IT audit Phase 1 Phase 2 Phase 3 Method for Risk-based sampling

11 P1P2P3

12 Results of Phase 1: The auditor have a list of preferred processes. In our example, AI2 and AI6 were identified as the most relevant within the domain “Acquisitions and implementation”. P1P2P3

13 P1P2P3

14 P1P2P3

15 ScaleControl routines DocumentedThe audited entity has a routine, process or documentation that deals with the matter. Undocumented The audited entity does not have routines, processes or documentation that deal with the matter. P1P2P3

16 Scale Probability H It is regarded as highly probable that this process will be negatively affected by internal or external events. M It is regarded as possible that this process will be negatively affected by internal or external events. L It is not regarded as very probable that this process will be negatively affected by internal or external events P1P2P3

17 Method for Risk-based sampling Scale Consequence H Negative internal or external incidents are expected to have major consequences for the process. M Negative internal or external incidents are expected to have medium consequences for the process. L Negative internal or external incidents are expected to have minor consequences for the process. P1P2P3

18 Each process is then subject to a risk assessment where probability and consequences are considered together. On the basis of how the process is rated in terms of risk (H high, M medium, L low – in our example), they are selected for further IT audit (phase 3). P1P2P3

19 Method for Risk-based sampling IT process and audit questions Results of evaluation and testing RecommendationRef. AI6Change management Has a method been established for prioritisation of change recommendations from users, and if so, is it being used? Have procedures been compiled for sudden changes, and if so, are they being used? Is there a formal procedure for monitoring changes, and if so, is it being used? Etc. Observation: Method for changes… There is no procedure for sudden changes … Etc. Assessments: The methodology is incomplete in terms of sudden changes… Conclusion: The methodology is inadequate … We recommend … P1P2P3

20 WORK!!!! 1.Identify relevant questions for chosen processes (PO9, DS4, DS5) based on your points in “and takes into consideration”. (from 14.10 to 14.30 – 20 minutes) 2.Use the questions on the case study. Evaluate risk and conclude on further audit. (from 14.30 to 15.35 – 65 minutes including break. ) 3.Discussions (from 15.35 to 16.30 – 55 minutes)

21 5. Practical use and experiences from Norway

22 Selection based on targets/processes/resources Risk assessment of selected processes IT audit Phase 1 Phase 2 Phase 3 Method for Risk-based sampling

23 Selection of processes P1P2P3

24 The risk assessment of processes P3P1P2

25 Result of risk assessment in four different government agencies P1P2P3

26 Result of audit P1P3P2

27 Experience it took time to develop the questions good overview of the different processes and their risks in the government agencies able to develop a good risk profile able to select the right process to audit Conclusion The risk evaluation and the IT audit led to a lot of findings that where reported

28 You can’t hide – we see it all

Download ppt "Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen October 13 th 2004 Lisabon."

Similar presentations

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.

Integra Consult A/S Safety Assessment. Integra Consult A/S SAFETY ASSESSMENT Objective Objective –Demonstrate that an acceptable level of safety will.
IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….

IT Web Application Audit Principles Presented by: James Ritchie, CISA, CISSP….
Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen June 2005 Lithuania.

Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen June 2005 Lithuania.
Auditing Computer Systems

Auditing Computer Systems
Service Design – Section 4.5 Service Continuity Management.

Service Design – Section 4.5 Service Continuity Management.
COBIT - II.

COBIT - II.
IT Governance Capability Maturity within Government

IT Governance Capability Maturity within Government
S17: Field work. Session Objectives  To explain the manner in which field audit is carried out.  To explain the nature of evidence and the different.

S17: Field work. Session Objectives  To explain the manner in which field audit is carried out.  To explain the nature of evidence and the different.
International Auditing and Assurance Standards Board Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures ISA Implementation.

International Auditing and Assurance Standards Board Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures ISA Implementation.
IS Audit Function Knowledge

IS Audit Function Knowledge
Office of Inspector General (OIG) Internal Audit

Office of Inspector General (OIG) Internal Audit
Project Risk Management EECS811: IT Project Management Presenter: Gavaskar Ramanathan.

Project Risk Management EECS811: IT Project Management Presenter: Gavaskar Ramanathan.
Financial Audit Autonomous Bodies Internal Control and Risk Assessment Session 1.8 1 Internal Control and Risk Assessment.

Financial Audit Autonomous Bodies Internal Control and Risk Assessment Session Internal Control and Risk Assessment.
Conducting the IT Audit

Conducting the IT Audit
Fundamentals of ISO.

Fundamentals of ISO.
REVIEW AND QUALITY CONTROL

REVIEW AND QUALITY CONTROL
Introduction to IT Auditing

Introduction to IT Auditing
The Sarbanes-Oxley Act of 2002 1 PricewaterhouseCoopers Introduction of Panel Members The Sarbanes-Oxley Act of 2002 What Companies Should Be Doing Now.

The Sarbanes-Oxley Act of PricewaterhouseCoopers Introduction of Panel Members The Sarbanes-Oxley Act of 2002 What Companies Should Be Doing Now.
Harmonization project The long and winding road to level 3…

Harmonization project The long and winding road to level 3…
The Master's research paper on the theme: Risk management of the insurance company (adapted from PJSC Insurance Company Dnipro) Student: Kryklyvets.

The Master's research paper on the theme: "Risk management of the insurance company" (adapted from PJSC "Insurance Company "Dnipro") Student: Kryklyvets.

Similar presentations

Ads by Google