Risk-based sampling using CobiT. By Rune Johannessen and Børre Lagesen, October 13th 2004, Lisbon.

Is this your day? (PO8, PO1, DS11, AI6, PO11, AI1, PO1, DS5)

The purpose of this session!

Presentation
Rune Johannessen – CISA, CIA, Dipl. Int revisor – 8 years of experience in IT audits and quality assurance from various ministries with their subordinate agencies, private companies and system development projects.
Børre Lagesen – CISA – 5 years of experience in IT audit from various ministries with their subordinate agencies.

Agenda
1. What is the objective of this workshop
2. Background
3. Method for risk-based sampling
4. Case studies
5. Experiences from practical use in Norway
6. Sum up and questions

1. The objective of this workshop
1. Help the auditor to select the right areas and processes.
2. Contribute to improving the quality and performance of the IT audits in the SAIs.
3. Contribute to an open discussion and knowledge sharing.

2. Background
1. More use of CobiT.
2. CobiT is highly comprehensive and its use quite time consuming.
3. This is in stark contrast to our everyday situation, where time is a critical factor.

Background
4. CobiT does not provide clear guidelines on how to carry out an overall (or “high level”) audit risk assessment.

3. Method for risk-based sampling
1. The method presented is not intended as a final template.
2. The presentation is based on qualitative assessments of risks.
3. The method uses the following sources: Audit Guidelines and Control Objectives, but could also use the maturity model in “Management Guidelines”.

Method for risk-based sampling
Phase 1: Selection based on targets/processes/resources
Phase 2: Risk assessment of selected processes
Phase 3: IT audit

Results of Phase 1: the auditor has a list of preferred processes. In our example, AI2 and AI6 were identified as the most relevant within the domain “Acquisition and Implementation”.

Scale: Control routines
Documented – The audited entity has a routine, process or documentation that deals with the matter.
Undocumented – The audited entity does not have routines, processes or documentation that deal with the matter.

Scale: Probability
H – It is regarded as highly probable that this process will be negatively affected by internal or external events.
M – It is regarded as possible that this process will be negatively affected by internal or external events.
L – It is not regarded as very probable that this process will be negatively affected by internal or external events.

Scale: Consequence
H – Negative internal or external incidents are expected to have major consequences for the process.
M – Negative internal or external incidents are expected to have medium consequences for the process.
L – Negative internal or external incidents are expected to have minor consequences for the process.

Each process is then subject to a risk assessment in which probability and consequence are considered together. On the basis of how the process is rated in terms of risk (H high, M medium, L low in our example), processes are selected for further IT audit (phase 3).

Method for risk-based sampling: example of a phase 3 audit worksheet
Columns: IT process and audit questions | Results of evaluation and testing | Recommendation | Ref.
IT process: AI6 Change management
Audit questions:
- Has a method been established for prioritisation of change recommendations from users, and if so, is it being used?
- Have procedures been compiled for sudden changes, and if so, are they being used?
- Is there a formal procedure for monitoring changes, and if so, is it being used?
- Etc.
Results of evaluation and testing:
- Observation: Method for changes… There is no procedure for sudden changes… Etc.
- Assessment: The methodology is incomplete in terms of sudden changes…
- Conclusion: The methodology is inadequate…
Recommendation: We recommend …

WORK!!!!
1. Identify relevant questions for the chosen processes (PO9, DS4, DS5) based on your points in “and takes into consideration”. (from to – 20 minutes)
2. Use the questions on the case study. Evaluate risk and conclude on further audit. (from to – 65 minutes including break)
3. Discussions (from to – 55 minutes)

5. Practical use and experiences from Norway

Selection of processes (phase 1)

The risk assessment of processes (phase 2)

Result of risk assessment in four different government agencies

Result of audit (phase 3)

Experience
- It took time to develop the questions.
- Good overview of the different processes and their risks in the government agencies.
- Able to develop a good risk profile.
- Able to select the right process to audit.
Conclusion
The risk evaluation and the IT audit led to a lot of findings that were reported.

You can’t hide – we see it all