IT Service Delivery and Support Overview. IT Auditing and Cyber Security Spring 2013 Instructor: Liang Yao (MBA MS CIA CISA CISSP). IT Service Delivery and Support. Introduction Goals and Objectives Expectations IT Service and Delivery Overview. Goals and Objectives.
IT Auditing and Cyber Security
Instructor: Liang Yao (MBA MS CIA CISA CISSP)
Goals and Objectives
IT Service and Delivery Overview
Join the Discussion
Ask Questions – there are no dumb questions
Do Your Homework
Read the CISA Review Manual (Chapter Four) and Textbook
Take the Final Examination
Information Systems Review
Service Level Management Practices
Third-Party Management Practices
End-User Procedures and Operations
Maintenance of Information Systems
Data Administration Practices
Capacity and Performance Monitoring
Problem and Incident Management
Change, Configuration and Release Management
Backup and Restoration of Systems
A. IT systems are primary artery which allows information to be shared and used directly or via interfaces among various departments and function areas within the organization:
HR, financial, payroll, legal, public and investor relationships, credit, collection, account payable, account receivable, general ledger, manufacturing, distribution, record retention, fulfillment, project management, physical and logical securities, inventory, portals, intranet, extranet, trading partners, business continuity, disaster recovery, external banks, pension, 401K, stock option, firewall, virus, VPN, telecom, database farm, data warehouse
B. IT responsibilities within the organization: Information systems are closely knit with companies on what, when and how services are render. Efficient, Accuracy, Confidential, Integrity, Control and Timely are depend on the information systems more than ever and on the increase.
C. Primary control points for business activities – audit trails, historic records of transactions, backup, access, access privileges, segregation of duties, physical and logical securities, built-in monitor and notifications, what, why, when, where, and how to record and store business transactions and how long
D. Basis of business decisions – business decisions are made and approved/rejected based on the information produced by information systems.
The COSO study provided a uniform definition of control for an organization:
Internal control is a process, affected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
From COSO study: Pyramid
COBIT is from the information Systems Audits Controls Association (ISACA):
Why COBIT? COBIT bridges the gap between business process and purely IT-Focused models. The COBIT framework assumes that control in an IT environment is approached through information:
The COBIT framework is based on domains, processes, and activities and tasks. COBIT focused on the standards, and procedures of the IT organization. The four domains are:
PO1Define a strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine the Technological Direction
PO4 Define the IT Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage Human Resources
PO8 Ensure Compliance with External Requirements
PO9 Asses Risks
PO10 Manage Projects
PO11 Manage Quality
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Develop and Maintain Procedures
AI5 Install and Accredit Systems
AI6 Manage Changes
DS1 Define and Manage Service levels
DS2 Manage Third-Party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Assist and Advise Customers
DS9 Manage the Configuration
DS10 Manage Problem and Incidents
DS11 Manage Data
DS12 Manage Facilities
DS13 Manage Operations
M1 Monitor the Process
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
*COBIT is not a complete solution to all IT auditor problems. It serves as complementary to overall IT audit evaluation processes.
Is control adequate and reliable?
When the controls are adequate and reliable, there may be less need to look at the details of transactions.
Therefore, the auditor can take an approach that allows some reviews or test of controls, also called compliance or functional tests, reducing the need for detailed (substantive) tests. This decision is based on risk analysis; control of high-risk transactions or events need to be reviewed first. Controls of low-risk transactions or events can be evaluated as time permit.
When the controls do not appear to exist, or do not function as intended, then auditors need to look much more deeply into the details of balance, doing additional substantive testing of that information.
Additionally the auditor needs to recommend that the missing control is create or the defective control is replaced.