
Risk-based sampling using CobiT






Presentation Transcript


  1. Risk-based sampling using CobiT By Rune Johannessen and Børre Lagesen June 2005 Lithuania

  2. IS THIS YOUR DAY? (slide shows scattered CobiT process identifiers: AI1, DS5, PO1, PO8, AI6, DS11, PO11)

  3. The purpose of this session!

  4. Presentation
     Rune Johansen, CISA, CIA, Dipl. Int revisor: 9 years of experience in IT audit and quality assurance from various ministries with their subordinate agencies, private companies and system development projects.
     Børre Lagesen, CISA: 6 years of experience in IT audit from various ministries with their subordinate agencies.

  5. Agenda
     • What is the objective of this workshop?
     • Background
     • Method for risk-based sampling
     • Case study
     • Experiences from practical use in Norway
     • Sum up and questions

  6. 1. The objective of this workshop
     • Help the auditor to select the right areas and processes for IT auditing.
     • Contribute to improvement and quality in the performance of the IT risk assessment.
     • Contribute to an open discussion and knowledge sharing.

  7. 2. Background: Why CobiT? Why this risk assessment approach?
     CobiT is highly comprehensive and its use is quite time consuming. This is in stark contrast to our everyday situation, where time is a critical factor. CobiT does not provide clear guidelines on how to carry out an overall (or “high level”) audit risk assessment.

  8. Method for risk-based sampling
     The method presented is not intended as a final template. The presentation is based on qualitative assessments of risks. The method uses the following sources: Audit Guidelines and Control Objectives, but could also use the maturity model in “Management Guidelines”.

  9. Method for risk-based sampling
     • Phase 1: Selection based on criteria/processes/resources
     • Phase 2: Risk assessment of selected processes
     • Phase 3: IT audit



  12. Results of Phase 1: The auditor has a list of relevant processes. In our last example, AI2 and AI6 were identified as the most relevant within the domain “Acquisition and implementation”.


  14. (Phase 2 diagram; only the scale label “Don’t exist” survives)

  15. Scale: Control routines
     • Doc: The audited entity has a documented routine or process that deals with the matter.
     • Undoc: The audited entity does not have a documented routine or documented processes that deal with the matter.
     • Don’t exist: The process does not exist in this organisation. Further actions and consequences for other types of audits need to be considered.

  16. Scale: Probability
     • H: It is regarded as highly probable that this process will be negatively affected by internal or external events.
     • M: It is regarded as possible that this process will be negatively affected by internal or external events.
     • L: It is not regarded as very probable that this process will be negatively affected by internal or external events.

  17. Scale: Consequence
     • H: Negative internal or external incidents are expected to have major consequences.
     • M: Negative internal or external incidents are expected to have medium consequences.
     • L: Negative internal or external incidents are expected to have minor consequences.

  18. Each process is then subject to a risk assessment where probability and consequences are considered together. On the basis of how the process is rated in terms of risk (H high, M medium, L low in our example), they are selected for further IT audit (Phase 3).
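The Phase 2 step above, worked through as a small script. This is an added example, not material from the presentation: the slides do not state how probability and consequence are combined, so the rule in risk_rating (the higher of the two levels, pulled down one step when the other is L) is an assumption, and the ratings given to the sample processes are constructed.

```python
"""Phase 2 of the risk-based sampling method: rate each process on the
probability/consequence scales and pick those that go on to Phase 3."""
from dataclasses import dataclass

LEVEL = {"L": 1, "M": 2, "H": 3}   # H/M/L scale from slides 16 and 17
NAME = {3: "H", 2: "M", 1: "L"}

@dataclass
class ProcessAssessment:
    ref: str          # CobiT process id, e.g. "AI6"
    name: str
    control: str      # "Doc", "Undoc" or "Don't exist" (slide 15)
    probability: str  # H / M / L
    consequence: str  # H / M / L

def risk_rating(probability: str, consequence: str) -> str:
    """ASSUMED combination rule: the risk takes the higher of the two
    levels, but if the other level is L the result drops one step."""
    hi = max(LEVEL[probability], LEVEL[consequence])
    lo = min(LEVEL[probability], LEVEL[consequence])
    score = hi if lo >= 2 else max(hi - 1, 1)
    return NAME[score]

def select_for_audit(assessments, threshold: str = "M"):
    """Return (processes selected for Phase 3 sorted by rating, refs of
    processes that do not exist and need other follow-up, per slide 15)."""
    selected, flagged = [], []
    for a in assessments:
        if a.control == "Don't exist":
            flagged.append(a.ref)
            continue
        rating = risk_rating(a.probability, a.consequence)
        if LEVEL[rating] >= LEVEL[threshold]:
            selected.append((a.ref, rating))
    selected.sort(key=lambda t: -LEVEL[t[1]])  # stable: keeps input order within a level
    return selected, flagged

# Constructed sample: processes named on the slides with made-up ratings.
SAMPLE = [
    ProcessAssessment("AI6", "Change management", "Undoc", "H", "H"),
    ProcessAssessment("AI2", "Acquire and maintain application software", "Doc", "M", "H"),
    ProcessAssessment("DS5", "Ensure systems security", "Doc", "L", "H"),
    ProcessAssessment("DS4", "Ensure continuous service", "Don't exist", "M", "M"),
    ProcessAssessment("PO9", "Assess risks", "Doc", "L", "L"),
]

if __name__ == "__main__":
    chosen, missing = select_for_audit(SAMPLE)
    for ref, rating in chosen:
        print(f"{ref}: risk {rating} -> Phase 3 IT audit")
    print("process does not exist, consider other audit types:", missing)
```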

  19. Example audit sheet (columns: IT process and audit questions | Results of evaluation and testing | Recommendation | Ref.)
     IT process and audit questions: AI6 Change management
       • Has a method been established for prioritisation of change recommendations from users, and if so, is it being used?
       • Have procedures been compiled for sudden changes, and if so, are they being used?
       • Is there a formal procedure for monitoring changes, and if so, is it being used?
       • Etc.
     Results of evaluation and testing:
       Observation: Method for changes… There is no procedure for sudden changes… Etc.
       Assessments: The methodology is incomplete in terms of sudden changes…
       Conclusion: The methodology is inadequate…
     Recommendation: We recommend…

  20. WORK!!!!
     • Identify relevant questions for the chosen processes (PO9, DS4, DS5) based on your points in “and takes into consideration”. (from 14.05 to 14.30 – 25 minutes)
     • Use the questions on the case study. Evaluate risk and conclude on further audit. (from 14.30 to 15.30 – 60 minutes including break)
     • Discussions (from 15.30 to 16.15 – 45 minutes)

  21. 5. Practical use and experiences from Norway

  22. Method for risk-based sampling
     • Phase 1: Selection based on targets/processes/resources
     • Phase 2: Risk assessment of selected processes
     • Phase 3: IT audit

  23. Selection of processes

  24. The risk assessment of processes

  25. Result of risk assessment in four different government agencies

  26. Briefly on developing our IT audit program: Control objective → Audit guidelines → Audit program

  27. Result of audit

  28. Experience
     • Pros
       • able to develop a good risk profile
       • able to select the right process to audit
       • reuse of questionnaire and risk profile
     • Cons
       • it took time to develop the questions
       • takes time to perform such a comprehensive risk assessment

  29. You can’t hide – we see it all
