INTRODUCTION The board of directors and management are responsible for ensuring adequate management practices are in place for effective oversight and management of the institution’s IT environment. All institutions should adopt an effective audit and review program regardless of whether the technology services are provided internally or externally.

The board of directors and management are responsible for ensuring adequate management practices are in place for effective oversight and management of the institution’s IT environment. All institutions should adopt an effective audit and review program regardless of whether the technology services are provided internally or externally.

Examination Objectives Board Direction and Oversight – Evaluate the board’s involvement in establishing IT audit scope and reporting requirements and ensuring the availability of competent IT audit resources. Audit Program – Assess the quality and effectiveness of the IT audit program

Board Direction and Oversight – Evaluate the board’s involvement in establishing IT audit scope and reporting requirements and ensuring the availability of competent IT audit resources.

Audit Program – Assess the quality and effectiveness of the IT audit program

Examination Procedures Examination activities should be based on the criticality and complexity of the business functions . examination should begin with a review of audit results and the adequacy of corrective actions . The Essential Practices for IT Audit should be clearly documented and functioning within the internal control environment.

Examination activities should be based on the criticality and complexity of the business functions .

examination should begin with a review of audit results and the adequacy of corrective actions .

The Essential Practices for IT Audit should be clearly documented and functioning within the internal control environment.

Essential Practices 1. Risk Assessment : A risk assessment provides the internal auditor and the board with objective information to prioritize the allocation of audit resources properly. Industry Standard Reference : COBIT: Control Objectives for Information and related Technology. 4.1 ed. 2000, PO9.

1. Risk Assessment : A risk assessment provides the internal auditor and the board with objective information to prioritize the allocation of audit resources properly.

Industry Standard Reference : COBIT: Control Objectives for Information and related Technology. 4.1 ed. 2000, PO9.

Essential Practices 2. Audit Plan : The IT audit plan defines the IT scope, objectives and strategies. It establishes a balance between scope, timeframes, and staff days to ensure optimum use of resources. 3.Audit Resources : Ensure audit resources are independent, competent, and have the necessary experience to accomplish the IT audit objectives.

2. Audit Plan :

The IT audit plan defines the IT scope, objectives and strategies. It establishes a balance between scope, timeframes, and staff days to ensure optimum use of resources.

3.Audit Resources :

Ensure audit resources are independent, competent, and have the necessary experience to accomplish the IT audit objectives.

Essential Practices Reporting : Reports communicate audit findings to the board. They also assist management in evaluating the quality of its IT department and identifying methods for correcting or improving adverse conditions.

Reporting : Reports communicate audit findings to the board. They also assist management in evaluating the quality of its IT department and identifying methods for correcting or improving adverse conditions.

IT-Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC Common Criteria (CC)

CobiT

BS 7799 - Code of Practice (CoP)

BSI - IT Baseline Protection Manual

ITSEC

Common Criteria (CC)

CobiT Governance, Control & Audit for IT Developed by ISACA Releases CobiT 1: 1996 32 Processes 271 Control Objectives CobiT 2: 1998 34 Processes 302 Control Objectives

Governance, Control & Audit for IT

Developed by ISACA

Releases

CobiT 1: 1996

32 Processes

271 Control Objectives

CobiT 2: 1998

34 Processes

302 Control Objectives

CobiT - Framework

CobiT - IT Process Matrix Information Criteria Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability IT Resources People Applications Technology Facilities Data IT Processes

Information Criteria

Effectiveness

Efficiency

Confidentiality

Integrity

Availability

Compliance

Reliability

IT Resources

People

Applications

Technology

Facilities

Data

CobiT - Summary Mainly used for IT audits, incl. security aspects No detailed evaluation methodology described Developed by international organisation (ISACA) Up-to-date: Version 2 released in 1998 Only high-level control objectives described Detailed IT control measures are not documented Not very user friendly - learning curve! Evaluation results not shown in graphic form

Mainly used for IT audits, incl. security aspects

No detailed evaluation methodology described

Developed by international organisation (ISACA)

Up-to-date: Version 2 released in 1998

Only high-level control objectives described

Detailed IT control measures are not documented

Not very user friendly - learning curve!

Evaluation results not shown in graphic form

CobiT - Summary May be used for self assessments Useful aid in implementing IT control systems No suitable basis to write security handbooks CobiT package from ISACA: $ 100.-- 3 parts freely downloadable from ISACA site Software available from Methodware Ltd., NZ (www.methodware.co.nz) CobiT Advisor 2nd edition: US$ 600.--

May be used for self assessments

Useful aid in implementing IT control systems

No suitable basis to write security handbooks

CobiT package from ISACA: $ 100.--

3 parts freely downloadable from ISACA site

Software available from Methodware Ltd., NZ (www.methodware.co.nz)

CobiT Advisor 2nd edition: US$ 600.--