it service delivery and support overview n.
Skip this Video
Loading SlideShow in 5 Seconds..
IT Service Delivery and Support Overview PowerPoint Presentation
Download Presentation
IT Service Delivery and Support Overview

Loading in 2 Seconds...

play fullscreen
1 / 32

IT Service Delivery and Support Overview - PowerPoint PPT Presentation

  • Uploaded on

IT Service Delivery and Support Overview. IT Auditing and Cyber Security Spring 2013 Instructor: Liang Yao (MBA MS CIA CISA CISSP). IT Service Delivery and Support. Introduction Goals and Objectives Expectations IT Service and Delivery Overview. Goals and Objectives.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'IT Service Delivery and Support Overview' - pierce

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
it service delivery and support overview

IT Service Delivery and SupportOverview

IT Auditing and Cyber Security

Spring 2013

Instructor: Liang Yao (MBA MS CIA CISA CISSP)

it service delivery and support
IT Service Delivery and Support


Goals and Objectives


IT Service and Delivery Overview

goals and objectives
Goals and Objectives
  • Understanding the Roles and Responsibilities of IT Operations within the Organizations
  • Understanding Risks and Controls Related to IT Service and Delivery
  • Understanding How to Evaluate and Test the Controls Related to IT Operations
  • Passing CISA Examination
  • Seeking Job Opportunities in IT Auditing Field

Join the Discussion

Ask Questions – there are no dumb questions

Do Your Homework

Read the CISA Review Manual (Chapter Four) and Textbook

Take the Final Examination

related isaca curriculum topics
Related ISACA Curriculum Topics

Information Systems Review

Service Level Management Practices

Third-Party Management Practices

End-User Procedures and Operations

Maintenance of Information Systems

Data Administration Practices

Capacity and Performance Monitoring

Problem and Incident Management

Change, Configuration and Release Management

Backup and Restoration of Systems

fundamentals of it audit
Fundamentals of IT Audit
  • Audit Objectives
  • Requirements
  • IT responsibilities within the Organization
  • Manage Risks in an Automated Environment
  • Mitigate Security Risks
  • Addressing Risks – Internal Control
  • Definition of Internal Control
  • Audit Risk
it audit objectives
IT Audit Objectives
  • Provide complete coverage of the organization’s or business unit’s risks.
  • Provide management with a complete opinion on the control environment and how it impacts risk and audit coverage.
  • Include all aspects of audit, both automated and manual procedures.
  • Availability of skilled team member
  • Knowledge of the industry, the organization, and the technology in use
  • Commitment from senior management
  • Commitment from audit client management
  • Commitment from audit management
  • Training
  • Appropriate resources, staffing and planning (possible on loan from IT units for specific expertise)
it responsibilities within the organization
IT Responsibilities within the Organization

A. IT systems are primary artery which allows information to be shared and used directly or via interfaces among various departments and function areas within the organization:

HR, financial, payroll, legal, public and investor relationships, credit, collection, account payable, account receivable, general ledger, manufacturing, distribution, record retention, fulfillment, project management, physical and logical securities, inventory, portals, intranet, extranet, trading partners, business continuity, disaster recovery, external banks, pension, 401K, stock option, firewall, virus, VPN, telecom, database farm, data warehouse

it responsibilities within the organization1
IT Responsibilities within the Organization

B. IT responsibilities within the organization: Information systems are closely knit with companies on what, when and how services are render. Efficient, Accuracy, Confidential, Integrity, Control and Timely are depend on the information systems more than ever and on the increase.

C. Primary control points for business activities – audit trails, historic records of transactions, backup, access, access privileges, segregation of duties, physical and logical securities, built-in monitor and notifications, what, why, when, where, and how to record and store business transactions and how long

D. Basis of business decisions – business decisions are made and approved/rejected based on the information produced by information systems.

manage risks
Manage Risks
  • Inadequate protection of assets (both physical and information)
  • Interruption of the business activities and cycles
  • Loss of revenue
  • Loss of productivity
  • Loss of privacy, confidentiality
  • Loss of competitive edge
  • Lack of data integrity
  • Loss of company reputation
  • Non compliance of regulation or legal requirements
  • Inaccurate reporting
  • No audit trails
  • Business decisions made based on incorrect/inaccurate information – the sin of all sins
mitigate security risks
Mitigate Security Risks
  • 70% of IT risks are related to security risks
  • You can NOT eliminate risks
  • Physical security – absence of the following, - security policy, fire alarm, fire extinguisher (including the expired ones), sign in and sign out control, raise floor in the data center, environment control, power balance, auxiliary power unit (APU - generator), emergency power unit (batteries), locations of primary and secondary data center, data media, location of media storage and its policy.
mitigate security risks1
Mitigate Security Risks
  • Logical security – Security policy, access and its privileges to application programs, procedure to enter information, distribution of paper and electronic output, periodic review/monitor by management, application platforms and its OS, outdated or non-supported platforms and technologies selected and used.
  • Policies – Password, create, approve, and remove of a user, logon process, idle/inactive users, generic system users,
addressing risks though internal control
Addressing Risks though Internal Control

The COSO study provided a uniform definition of control for an organization:

Internal control is a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficient of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations
  • Safeguarding asset
definition of internal control
Definition of Internal Control
  • A process – a means to an end, not the end
  • Effected by people – not just policies and procedures – at all levels of organization
  • A process at a point in time
  • Provides reasonable assurance, not absolute assurance
  • Geared to achievement of objectives in one or more of the four COSO categories.
  • Influenced by the “commitment at the top”
it service delivery and support frameworks
IT Service Delivery and Support Frameworks
  • CoBit: an IT governance and control frame work that focus on what shouldbe addressed to ensure good governance of all IT-related processes
  • Information Technology Infrastructure Library (ITIL): provides best practices describing how to plan, design and implement effective service management capabilities.
components of internal control
Components of Internal Control

From COSO study: Pyramid



Control Activities

Risk Assessment

Control Environment

cobit control objectives for information and related technology
COBIT: Control OBjectives for Information and related Technology

COBIT is from the information Systems Audits Controls Association (ISACA):

Why COBIT? COBIT bridges the gap between business process and purely IT-Focused models. The COBIT framework assumes that control in an IT environment is approached through information:

  • Needed to support the business process
  • As the result of the combined application of IT related resources to be managed by IT processes.
cobit framework
COBIT Framework

The COBIT framework is based on domains, processes, and activities and tasks. COBIT focused on the standards, and procedures of the IT organization. The four domains are:

  • Planning and Organization
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring
cobit framework continued
COBIT Framework (continued)
  • Four Domains
  • Thirty four processes
  • More than 300 specific activities or tasks
  • Each activity or task describes a specific control objective and how to audit a specific function
  • COBIT version 5 –
planning and organization domain
Planning and Organization Domain

PO1Define a strategic IT Plan

PO2 Define the Information Architecture

PO3 Determine the Technological Direction

PO4 Define the IT Organization and Relationships

PO5 Manage the IT Investment

PO6 Communicate Management Aims and Direction

PO7 Manage Human Resources

PO8 Ensure Compliance with External Requirements

PO9 Asses Risks

PO10 Manage Projects

PO11 Manage Quality

acquisition and implementation domain
Acquisition and Implementation Domain

AI1 Identify Automated Solutions

AI2 Acquire and Maintain Application Software

AI3 Acquire and Maintain Technology Infrastructure

AI4 Develop and Maintain Procedures

AI5 Install and Accredit Systems

AI6 Manage Changes

delivery and support domain
Delivery and Support Domain

DS1 Define and Manage Service levels

DS2 Manage Third-Party Services

DS3 Manage Performance and Capacity

DS4 Ensure Continuous Service

DS5 Ensure Systems Security

DS6 Identify and Allocate Costs

DS7 Educate and Train Users

DS8 Assist and Advise Customers

DS9 Manage the Configuration

DS10 Manage Problem and Incidents

DS11 Manage Data

DS12 Manage Facilities

DS13 Manage Operations


M1 Monitor the Process

M2 Assess Internal Control Adequacy

M3 Obtain Independent Assurance

M4 Provide for Independent Audit

*COBIT is not a complete solution to all IT auditor problems. It serves as complementary to overall IT audit evaluation processes.

audit risk
Audit Risk

Is control adequate and reliable?

When the controls are adequate and reliable, there may be less need to look at the details of transactions.

Therefore, the auditor can take an approach that allows some reviews or test of controls, also called compliance or functional tests, reducing the need for detailed (substantive) tests. This decision is based on risk analysis; control of high-risk transactions or events need to be reviewed first. Controls of low-risk transactions or events can be evaluated as time permit.

audit risk continued
Audit Risk (continued)

When the controls do not appear to exist, or do not function as intended, then auditors need to look much more deeply into the details of balance, doing additional substantive testing of that information.

Additionally the auditor needs to recommend that the missing control is create or the defective control is replaced.

auditing it infrastructure and operations
Auditing IT Infrastructure and Operations
  • Risks
    • Inherent Risk
    • Mitigate Risk/Residual Risk
  • Controls
    • Preventive Controls
    • Detective Controls
    • Deterrent Controls
    • System Controls vs. Application Controls
    • Manual Controls vs. Automated Controls
definition of risk
Definition of Risk
  • Inherent Risk – is something you can not change. Controls can be designed to mitigate the risks.
  • Control Risk – is the risk that the controls do not in fact do the job they were intended to do.
  • Detection Risk – is the risk that the controls will not detect errors or deliberate abuse.
  • Audit Risk – is the combination of all these to express the confidence that the audit will come a conclusion that is in fact correct.
risk assessment likelihood and impact
Risk Assessment – Likelihood and Impact





  • Likelihood
  • Impact
is operations review
IS Operations Review
  • Exhibit 4.26 – IS Operations Review
  • Key areas to focus:
    • Adequate instructions for running programs including emergency procedure
    • Training, peer reviews and performance records
    • Up-to-date standard operation procedures
    • Preventive Maintenance Schedule
    • Tape Backup and offsite procedure
    • Problem management procedures
    • Separation of duties – programmers, operators and database administrators
review and discussion
Review and Discussion
  • What are some current system-related risks that you have experienced in your organization?
  • How does the control environment affect IT?
  • What is the purpose of all auditors having some understanding of technology?