Presentation is loading. Please wait.

Presentation is loading. Please wait.

Audit on IT System Management -Focusing on how to audit IT systems -

Published byJonathan Brøgger Modified over 6 years ago

Similar presentations

Presentation on theme: "Audit on IT System Management -Focusing on how to audit IT systems -"— Presentation transcript:

1 Audit on IT System Management -Focusing on how to audit IT systems -
Workshop Paper on The 13th Working-level Meeting for the SAIs of China, Japan, and Korea July 10-12, 2017

2 A recent trend of Japanese IT audit cases
---Angles and Areas--- For 27th WGITA meeting at Sydney SAI-JAPAN Board of Audit of Japan Daisuke Sakuraba Auditor Agricultural Infrastructure Audit Division, ASTRA

3 Before starting Daisuke Sakuraba means “Minister of Cherry garden”
From ASTRA Means “IT Audit Skill-up TRAining team” Has educated 46 members in 1,244 staffs Have attended WGITA meetings since 2006 You may know Eri, Kae, Michiko, Shimon, Fujii and Tommy → Remember ASTRA please !!

4 Today’s goal Sharing our characteristic IT audit results from recent special reports Showing our angles for IT audit with mapping on WGITA’s context

5 Contents Recent large scale of IT projects and incidents in Japanese Gov. Our special audit reports Recent trend of SAI-Japan’s audit results -Comparisons with WGITA–IDI handbook on IT audit for SAIs- Conclusion

6 Recent large scale of IT projects and incidents in Japanese Gov.

7 1. Recent large scale of IT projects and incidents of Japanese gov.
New Social Security and Tax Number System (2017) Leaks of personal information from the Japan Pension Service (2015)

8 New Social Security and Tax Number System(SSTNs)
【Context】 Before this system, different ID numbers for social security and tax were given and operated by different agencies and their own systems. Key tags were only address and name, accordingly IDs were not perfectly coordinated Creating brand new system would cost too huge money because more than 5000 entities should renew the systems Accordingly, decided to build a only coordinating system with creating new common ID number tying both of the social security data and tax information

9 【New System】 Budget : 420 million $(2014) 570 million $(2015) 460 million $(2016)    total billion $ By 2017, they were building cooperating system among 190 systems of 170 organizations Issuing ID card with the photo if you want

10 Structure of SSTNS Complicated cooperation among huge number of stake holders Portal Site Internet storage Connecting by codes IT System of inter-LGs. Codes My Numbers Identification System system Number, personal data… Number, personal data,… Server Number Data Welfare Data Tax Data Address Data Citizen Core System Notification Entity A Entity B Local Governments Gov. Shared System

11 Leaks of personal information from the Japan Pension Service
In May 2015, personal information of about 1,250,000 people related to the National Pension was leaked by the attack of Advanced Persistent Threats The Japan Pension Service has already given new numbers to the people and several improvement plans were conducted The restoration of the reliability on the system and the foundation itself should be needed

12 We conducted special audits on these special project and incident !!

13 2. Our special audit reports

14 2. Our special audit reports
New Social Security and Tax Number System(SSTNs) SSTNs operations in local entities Reports on the IT projects in local areas funded by the grants related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017) SSTNs coordination in central government Reports on the progress of the arrangement of relevant IT systems related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017)

15 Leaks of personal information from the Japan Pension Service
After the information leak Reports on the state of implementation of information security policies concerning the personal information within the National Pension System and the impacts on the operations of the Foundation of the Japan Pension Service made by the information leaks (Special report to the Diet and the Cabinet, FY2016)

16 SSTNs operations in local entities
Reports on the IT projects in local areas funded by the grants related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017) 【Audit findings (Excerpt) 】 Too tight schedules and less know-how tended to cause operational delays The specification sheets for 1,173 systems (28.0%) in MIC and 3,201 systems (27.9%) in MHLW totally lacked the the requirements for results

17 【Recommendations(excerpt)】
More guidance concerning specification sheet, estimate sheet, and schedule planning know-how for system tests should be provided with the staffs of local governments To prevent occurrence of delay, more careful supports and supervisions to the local government staffs by relevant ministries are needed

18 SSTNs coordination in central government
Reports on the progress of the arrangement of relevant IT systems related to the introduction of The Social Security and Tax Number System (Special report to the Diet and the Cabinet, FY2017) 【Audit findings (Excerpt) 】 Time-lag in data synchronization and insufficient utilization of intermediate servers were likely to reduce the effectiveness of SSTNs Lack of the necessary data item for coordination in the guidance caused and 1 year delay of start in 127/190 systems of 127/170 entities Lack of identification of necessary data caused 1 year delay of cooperation starting in 127/190 systems

19 【Recommendations(excerpt)】
More careful reviews on operation process, more correct requirement definition, and more appropriate information sharing procedures with contractors should be required. The directing ministries must instruct more communication and more information sharing among relevant entities.

20 After the information leak
Reports on the state of implementation of information security policies concerning the personal information within the National Pension System and the impacts on the operations of the Foundation of the Japan Pension Service made by the information leaks (Special report to the Diet and the Cabinet, FY2016) 【Audit findings (Excerpt) 】 Security polices were not updated in appropriate timing before the incident Meaningful information collected in the recovering process was not properly utilized in the amendment of data Personal data which should be stored in the secured server was found in the HDD even after the incident

21 【Recommendations(excerpt)】
Quick synchronization of security policies and better way of operations should be discussed Effectiveness of information security audits, supervising, and internal audits should be improved

22 ---Comparisons with WGITA–IDI handbook on IT audit for SAIs---
3. Recent trend of SAI-Japan’s audit results ---Comparisons with WGITA–IDI handbook on IT audit for SAIs---

23 ---Comparisons with WGITA–IDI handbook on IT audit for SAIs---
3. Recent trend of SAI-Japan’s audit results ---Comparisons with WGITA–IDI handbook on IT audit for SAIs--- Auditable IT areas suggested in the handbook IT Governance Development & Acquisition IT Operations Outsourcing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Information Security Application Controls Additional Topics of Interest

24 Audit viewpoints in each area suggested in the handbook
IT Governance Business Needs Identification, Direction & Monitoring IT Strategy Organizational Structures, Policy, & Procedures People & Resources Risk Assessment and Compliance mechanisms Development & Acquisition Requirements Development & Management Project Management & Control Quality Assurance & Testing Solicitation Configuration Management IT Operations Service Management Capacity Management Problem & Incident Management Change Management

25 Outsourcing Outsourcing Policy Solicitation Vendor or Contractor Monitoring Data Rights Overseas Service Provider Retaining Business Knowledge/ Ownership of business process Cost control and management Service Level Agreement Security Back-up and disaster recovery for outsourced services Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Business Continuity Policy Organization of Business Continuity Function Business Impact Assessment Disaster Recovery Plan Environment Control Documentation Testing the BCP/DRP

26 Information Security Risk Assessment Information Security Policy Organization of IT Security Communications & Operations Management Assets Management Human Resources Security Physical Security Access Control Application Controls Input Processing Output Application Security Additional Topics of Interest Websites/portals Mobile computing Forensics Audit (or Computer Forensics) e-Gov E-commerce

27 Almost all of these aspects are covered
in our IT audit process, but… → From which areas are the findings mostly found in our recent audit special reports ?

28 SSSTNs operations in local entities Cooperation with and within SSTNs
Comparisons with WGITA–IDI handbook on IT audit for SAIs Auditable areas SSSTNs operations in local entities (FY2017) Cooperation with and within SSTNs After the incident (FY2016) IT Governance Development & Acquisition IT Operations Outsourcing Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) Information Security Application Controls Additional Topics of Interest

29 4. Conclusion Our recent special IT audits reported findings in Development & Acquisition, IT operations , Outsourcing, and Information Security areas Particularly, problems related to cooperation failures in aligning behavior systems

30

Download ppt "Audit on IT System Management -Focusing on how to audit IT systems -"

Similar presentations

WV High Quality Standards for Schools

WV High Quality Standards for Schools
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
1 Guidance for the American Recovery and Reinvestment Act of 2009 By David G. Bullock, Partner Macias Gini & O’Connell LLP.

1 Guidance for the American Recovery and Reinvestment Act of 2009 By David G. Bullock, Partner Macias Gini & O’Connell LLP.
 Capacity Development; National Systems / Global Fund Summary of the implementation capacities for National Programs and Global Fund Grants For HIV /TB.

 Capacity Development; National Systems / Global Fund Summary of the implementation capacities for National Programs and Global Fund Grants For HIV /TB.
1  AGA-DC and GWSPCA 6 th ANNUAL CONFERENCE OMB Circular A-123, Appendix A Internal Control Over Financial Reporting Innovative Approaches Jerome A. Vaiana.

1  AGA-DC and GWSPCA 6 th ANNUAL CONFERENCE OMB Circular A-123, Appendix A Internal Control Over Financial Reporting Innovative Approaches Jerome A. Vaiana.
Commonwealth of Dominica Presenter: Yvonne Alexander Assistant Superintendent of Police.

Commonwealth of Dominica Presenter: Yvonne Alexander Assistant Superintendent of Police.
Managing the Information Technology Resource Jerry N. Luftman

Managing the Information Technology Resource Jerry N. Luftman
Cyberspace and the Police Mamoru TAKAHASHI Head of Computer Forensic Center, Hi-tech Crime Technology Division National Police Agency, Japan.

Cyberspace and the Police Mamoru TAKAHASHI Head of Computer Forensic Center, Hi-tech Crime Technology Division National Police Agency, Japan.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Cloud Computing Guide & Handbook SAI USA Madhav Panwar.

Cloud Computing Guide & Handbook SAI USA Madhav Panwar.
Information Technology Service Management

Information Technology Service Management
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
Overview of Systems Audit

Overview of Systems Audit
“Building sustainable capabilities across all phases of Emergency Management in Kansas through selfless service” KDEM EMPG 2012 OVERVIEW 13 September 2011.

“Building sustainable capabilities across all phases of Emergency Management in Kansas through selfless service” KDEM EMPG 2012 OVERVIEW 13 September 2011.
ISA 562 Internet Security Theory & Practice

ISA 562 Internet Security Theory & Practice
Workshop on Programming in support of Anti-Corruption Agencies Bratislava, 30 June - 1 July 2009 A methodology for capacity assessment of AC agencies:

Workshop on Programming in support of Anti-Corruption Agencies Bratislava, 30 June - 1 July 2009 A methodology for capacity assessment of AC agencies:
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.

Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
Consultant Advance Research Team. Outline UNDERSTANDING M&E DATA NEEDS PEOPLE, PARTNERSHIP AND PLANNING 1.Organizational structures with HIV M&E functions.

Consultant Advance Research Team. Outline UNDERSTANDING M&E DATA NEEDS PEOPLE, PARTNERSHIP AND PLANNING 1.Organizational structures with HIV M&E functions.
Recreation & Security HPR 413. General Security Must encompass all operations of the organization Should be written into management plans – Plans include.

Recreation & Security HPR 413. General Security Must encompass all operations of the organization Should be written into management plans – Plans include.

Similar presentations

Ads by Google