1 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 Introduction to IT audits PART II IT Audit International Standards, Practices & Guidance Ljubljana, October 2009 Monique Garsoux ISACA Chapter Vice-President Monique Garsoux ISACA Chapter Vice-President

2 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 Introduction The MIS has to be : –Reliable –Continuous –Secure –Efficient/effective –Compliant All authorities need an independent IT audit because –It is their responsibility –They should have reports on the IT risks evaluation based on objective assessment criteria –Their IT system should be effective

3 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 The association of IT auditors : ISACA The IT audit is an internationnally regulated profession. Founded in 1969, as the EDP Auditors Association (EDPAA) More than 86,000 members in 160 countries Members include internal & external auditors, Chief Information Officers, Information security and control professionals and IT consultants More than 175 chapters worldwide 33 Chapters in Europe

4 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 The IT Auditors team The IT auditor has to respect professional standards, certification, skills and expertise. The IT auditor should be qualified for the work. The IT auditor has frameworks and best practices as the support for his work.

5 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 IT auditor has to be competent Hold certifications –Certified Information Systems Auditor™ (CISA ® ) –Certified Information Security Manager ® ( CISM ® ) –Certified in the Governance of Enterprise IT ® (CGEIT ® ) Apply Standards and Frameworks –IS auditing standards, guidelines, procedures, IS control standards –Frameworks to be used :CobiT & IT Assurance Guide and more… Keep informed and trained : –Conferences and education –Information :K-NET ® –Publications

6 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 What the IT auditor does … A formal, independent and systematic assessment of the IT system that must meet specific criteria (effectiveness, integrity, confidentiality, completeness, availability, compliance, reliability). He produces a written report on risks, weaknesses, findings and recommendations. He follows the action plans from the auditees. Code of Professional Ethics : guides the professional and personal conduct of IT Auditors (Independence and Objectivity, Reasonable Expectation, Management’s Acknowledgement, Training and Proficiency, Knowledge of the Subject Matter; Due Professional Care). 6 |

7 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 The steps of the work of the IT auditor presentation7 |

8 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 The IT auditor uses the Cobit Framework (Control Objectives for Information Technology)

9 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 Contents of IT audits Contents of IT audits 1.IT General Controls The IT environment audit Audited General Controls –Logical access controls over infrastructure, applications, and data. –System development (Analysis and programming). –Program change controls. –Data centre physical security controls. –System and data backup and recovery controls. –Computer operation controls 9 | MIS Accounting Document ITGCs

10 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 IT application Audits. In the IT systems controls are automated and designed to ensure the complete and accurate processing of data, from input through output. They ensure that only complete, accurate, authorized and valid data is entered, calculated, updated and produced in a computer system. This is verified by the IT Auditor 10 | InputProcessOutput Interfaces Contents of IT audits

11 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 Example of the IT audit Framework AC1 Source document preparation & authorisation Example of tests from Cobit to be realized by the IT auditor

12 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 –Reports consist of a written text accompanied with detailed information. –It is organised in such a manner as to permit the reader to understand, in greater depth, the areas included in the scope of the report; the work performed; the findings obtained (audit opinion); and the issues, concerns, risks, etc., identified. –The report is based on the findings and the recommendations themselves substantiated by the tests and investigations performed 12 | Reporting done by the IT Auditor

13 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 References for Cobit and the Assurance Guide and IT assurance framework -> free downloadableWWW.ISACA.ORG For information on IT audit &Training

14 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 Conclusion IT audit is a mature and regulated profession with available tools and techniques from ISACA.

15 Homologues Group Meeting Slovenia, October 2009 Republika SlovenijaEuropean Union Ljubljana, October 2009 Thank you for your attention! Tel: Tel: