1. CIO Challenges ... Forever. Metha Suvanasarn: CGEIT, CRISC, CIA, CPA. 240211. Monitoring & Auditing for Business Perspectives
2. What is Integrated Audit and Management? Why Integrated Audit / Management? What are the roles of the CIO++? Understanding the career path of the CIO+++ and the capabilities it requires. What do you want to be? Collaborative e-Business / e-Government; GRC+++; Monitoring / Audit Perspectives & the CIO
3. Continuous Controls & Audit vs. Infrastructure. Continuous Auditing: the inverse relationship between the level of effort expended by management (continuous monitoring) and by the audit activity (continuous auditing). Relationship of Continuous Auditing to Continuous Assurance and Continuous Monitoring. Source: The Institute of Internal Auditors
4. Roles to Competencies to Functions Mapping Diagram (Conceptual). Functions: Manage, Implement, Design, Evaluate. Roles and Competencies: Information Technology (IT) Security and TISA. Source: Office of Cybersecurity and Communications, National Cyber Security Division, United States Department of Homeland Security, Washington, D.C. 20528
5. Transferring process-oriented thinking into management and practice. Organizational objectives (profit / stability / society / effectiveness / efficiency). Common Data Structure; Common Technology Architecture; Common Risk & Control Processes. Business lines 1, 2, 3, 4 ... N; Processes 1, 2, 3 ... N; P-D-C-A
8. IT Organization / Processes: audit assurance of real depth and rigour (financial statements audit approach).
IT General Controls: Program Development; Program Change; Access to Data and Programs; Computer Operations.
Application Controls. Business Controls.
Equipment / IT infrastructure: Hardware, Network, Database (hardware impact, database impact).
IT Applications: Core GL, Core Loan System, Collateral, Treasury System, ATM, Deposit System.
Business Processes (impact on the financial statements): Loan Origination, Loan Operation, Loan Collateral, Loan Settlement, Loan Disbursement, Loan Payment, Loan Monitoring, Loan Regulation.
Source: The PwC Experience* / PricewaterhouseCoopers / Nov. 2008
9. CIO & Understanding the Business: understanding the IT environment in a business context; IT environment factors; developing the IT audit plan and the audit / management universe; which controls are critical? Source: The Institute of Internal Auditors
10. Comparison of the traditional audit approach with the new, far more effective approach.
Transactional approach (FFIEC 1996): separate IT audit and non-IT audit of Deposit, Loan, FX, E-Banking and the Central IT Dept.
Cross-functional audit approach (current era): Integrated Audit. Operational Risk Management (SR98-9) IT risks; an audit management process to identify, measure, monitor and control; management (incl. audits & MIS), security, integrity / privacy (incl. SDLC), availability; the FI business technology platform; IT-RBS across Deposit, Loan, FX, E-Banking and the Central IT Dept.
12. The Role of the Integrated Architecture Framework & Infrastructure. Business As Is and ICT As Is, through the Integrated Architecture Framework, to the ICT-enabled Enterprise: Business Vision and ICT Vision; Business and ICT Transformation; Vision, Strategy; Architectural Design; Development, Change; Operation, Maintenance. Source: IAF
13. The ICT-enabled Enterprise & Infrastructure. Business System: Business Processes (collaboration of human beings) and Information Provision (collaboration of human beings), with External Relations exchanging business products, services and information services. ICT System: Information Systems (co-operation of SW components) delivering IS services; Technology Infrastructure (co-operation of SW & HW components) delivering TI services; External ICT Systems exchanging information services. Source: IAF
15. Integrated Audit & IT Security Governance / CIO / CISO+ Business Perspectives. Top Executives / Board of Directors: Policy, Standards, Procedures. CISO (Chief Information Security Officer) functions and management: HR, Legal, Risk, Testing and Change Control, Incident Handling, Audit, Knowledge, Awareness, Documents. Business function operations assurance process: Project Management, Project Teams, Security Technology. Participants: Systems Administrators, Developers, Risk team, Change, Users, Incidents, Auditors, Trainers, Experts, Everyone, Documents, HR, Legal, Policy Team. Technical Safeguards: Physical, Information Systems, Technologies, Content. Source: IT Security Governance Guidebook / Fred Cohen
19. Risk Convergence & Management Model. External stakeholders++: regulators, operators, analysts, investors+. Board / senior management oversight; Audit Committee; Risk Management Committee; other committees. Business Units. GCG + Risk Mgmt. + Internal Audit; Financial + CSR; Legal / Compliance; Sustainable + Ethics; Information Technology; BSC + Other. Common Data Structure; Common Technology Architecture; Common Risk & Control Processes
20. Defining a Risk Universe and Scoping Risk Management: IT Risk in the Risk Hierarchy. Source: ISACA, Risk IT Practitioner Guide
21. GRC & Risk Scenarios: IT Risk Scenario Development. Source: ISACA, Risk IT Practitioner Guide
22. GRC & Risk Scenarios: IT Risk Scenario Components. Source: ISACA, Risk IT Practitioner Guide
23. IT Control: Information Technology Control and Audit. Source: The Institute of Internal Auditors
30. Overview of TH e-GIF: the TH e-GIF Framework, TH e-GIF Technical Standards and TH e-GIF Guideline. National Standard Committee; National Standardized Data Set; National Service Registry; National Repository; Domain Working Group. e-Government Promotion and Development Bureau, Ministry of Information and Communication Technology. M-D-I-E & Business. The Roles of the CIO; the Standards Sub-committee and e-GIF
These developments do not only give rise to new opportunities, but also to new questions that must be answered to successfully integrate new business models and new technologies in an enterprise. The first and most important question is what kind of new business models and products/services are enabled by ICT, and how ICT can be used as a strategic means for business innovation. The second question is how we can assess the implications of ICT on the business. A derived question is how to integrate new developments in existing business and ICT systems. The final question is how to synchronise changes in business and ICT systems: in particular, how can we define a migration and transformation path in order to reduce the inherent risks of innovation?

The answers to these questions can be found in the tight integration of business and ICT policies and in the management of the transformation of business and ICT. Cap Gemini regards integrated architectural design of the business and ICT system as the prime means to establish this integration of policies and transformation and to realise ICT-enabled business innovation. The core of this integrated architectural design approach is the Integrated Architecture Framework (IAF), which relates the architectural description of the business architecture to that of the ICT system architecture that supports the business. In this way, the impact of new business models on ICT systems can be evaluated quickly and, the other way around, the consequences of technology innovations can be assessed at the business level.

The role and objectives of Architectural Design based on IAF are depicted in the above figure. The business vision and the ICT vision of the enterprise are aligned through an integrated architectural design of the business and ICT system; IAF supports this alignment. The Architectural Design is input for the business and ICT transformation that results in a new ICT-enabled Enterprise.
The alignment of the business and ICT vision in the architectural design goes further than only a simple supporting role for ICT in the existing business processes. ICT is also used in an innovative way as enabler for renewed or even totally new business. This new ICT enabled Enterprise will show new forms of organisation, new business processes, new products, new services and new channels and relations to the customer, which are only possible by designing the business and the supporting ICT systems as one co-operating whole.
The four main architecture areas of IAF are based on a "holistic" view of the business and ICT system of the ICT-enabled enterprise. In this view, the business system is seen as two interrelated network systems.

The Business Processes consist of communicating and collaborating people in the role of employee, and of organisational units such as teams and departments. The business processes are organised as one or more supply chains of individuals, organisational units and companies working together in delivering products or services to the customers. The environment of a company is seen as a network connecting the company with customers, suppliers and other third parties.

Information and knowledge are important enablers of the business. The people in the business processes are supported by an Information Provision system formed by people and organisational units in specific information- and knowledge-oriented roles such as information provider, information user and information manager. The same people and units that already have a business role in the business processes may perform these information roles. The information provision enables the business by supporting the creation, processing, exchange, storage and use of information and knowledge. The Information Provision in fact acts as the collective memory and frame of reference of the organisation.

The ICT system that supports the business is also seen as two interrelated systems: the information system(s) and the technology infrastructure. The information system(s) encompass a network of communicating and co-operating software components that deliver IS (automated) services to the people that have a business role and/or information role in the business system. These automated services enable the communication and control in the business processes, and the creation, processing, exchange, storage and use of information and knowledge in the information provision.
The technology infrastructure is seen as a network of communicating and co-operating hardware devices and system software and middleware. The Technology Infrastructure (TI) delivers processing, communication and storage capabilities to the information systems and human/computer interfaces to the people in the business system. The next four slides provide an overview of WHAT is designed in the four architecture areas.
This slide shows how COBIT fits into the hierarchy, from business drivers at the top down to specific governance processes and procedures. COBIT is the bridge between business and enterprise governance requirements and specific IT governance practices.