Information Technology Governance
COBIT – IT Governance Standard from the Institute of Systems Audit and Control Association, USA provides a strong framework for organisations to manage the IT infrastructure. The quality of information provided by the IT infrastructure should be as per the needs of the decision being taken. How the various decisions related to the IT infrastructure are taken and implemented forms the core of good IT Governance.
We help organisations structure a sound IT Governance framework and also evaluate the current state of the overall IT governance with recommendations for strengthening the same.
Scope and Methodology for an IT Governance Review Assignment
OBJECTIVE
To provide an assurance on adequacy of IT Governance practices at the company that ensures the following:
SCOPE OF WORK
Approach and Methodology
Adopt ISO/IEC 27002 as the base for the review of the IT Infrastructure with an emphasis on Information Confidentiality, Integrity and Availability. ISO 27001 and ISO 27002 provide a framework for information security or information assurance and covers following areas:
For IT Governance – additional dimensions that are in COBIT ( IT Governance Standard of ISACA, USA) will be reviewed. COBIT is an IT governance framework which enables clear policy development and good practices for IT controls throughout organizations. It emphasizes on various compliances and helps organizations to increase the value attained from IT. The framework provides guidance on:
For report on Integrity issues IDEA – Data Analysis Software will be used.
- Understand the IT Infrastructure and all its components, IT Governance processes, business processes, objectives and factors that drive business performance
- To obtain and understand company’s overall organisation structure, organogram by Line Functions, authority schedule specifying delegation of powers and authorities
- Develop a detailed audit plan identifying the audit reviews to be undertaken during the year
Infrastructure Review and Migration Strategy
Conduct the review based on well established principles and best practices as outlined in ISO/IEC 27002 and COBIT. Each segment of the infrastructure would be taken up for review and opportunity for improvement identified keeping in mind the steps already proposed.
The Migration Strategy will also be assessed and possible improvements identified.
Data Analysis
- Interview each functional person identified during planning as to the system and procedure followed in their area of operation and the reports generated from that area.
- Identifying internal control weaknesses and gaps in the existing systems and procedures.
-
Applying Data Analysis tool – IDEA
| Phase Reference | Phase Description | IT | Functional | SAMA |
|---|---|---|---|---|
|
1 |
Data analysis engagement Objective Definition |
|
|
|
|
2* |
Comprehensive identification of relevant reports/tables with fields from SQL Database for each engagement data analysis objective identified in 1. above |
|
|
|
|
3* |
Devising a SQL Query based on 2. above and creating a single excel/delimited or report file. |
|
|
|
|
4 |
Importing the excel or delimited or report file into IDEA |
|
|
|
|
5 |
Interrogation and analysis of data converted into IDEA database in line with the Objectives/Reports identified in 1. above |
|
|
|
|
6 |
Validation of the reported findings generated from IDEA |
|
|
|
* There are 2 methods of conducting data analysis –
- To query the database and then compare the results with those obtained using the Application Software Reports or as known to the organization or as they should be as per well laid down principles. Deviations, if any are identified as a means of integrity check which are then verified for reasons and corrective action.
- In case of stable implementations, data as available through software reports are taken for further analysis as required for functional audits.
In the current instance, the objective being of specific data integrity tests, it is critical that IT support in terms of database understanding at least ( step 2 of the table above) would be available.
- Reporting to management will be a continuous process throughout the audit. Matters will be brought to the management’s attention with the urgency they require.
- Preparation and submission of ‘Audit Report’ highlighting the weaknesses and gaps in the existing systems and recommendation for improvement thereon on exception basis.
- Discussion on ‘ Audit Report’ with the Operational management for acceptance. Based on acceptability of the recommendations clearly identify person responsible for implementation with specified time frames.
- Report sign off by Auditee’.
- Submission of Audit Report to the Management.
Embedded in above methodology would be – Use of IDEA Data Analysis tool (CAATs) for analysing data.
The matters arising from the audit will be reviewed for compliance in each audit cycle. This will be done by review of records and also as required engaging the auditees in meetings.
- At the time of report sign off.
- At year-end an Auditee survey shall be conducted.