Post on 19-Jan-2016
Risk-based sampling using CobiT
By Rune Johannessen and Børre Lagesen
October 13th 2004 Lisabon
IS THIS YOUR DAY?
?PO8PO1
DS11AI6
PO11
AI1
PO1DS5
The purpose of this session!
Presentation
• Rune Johansen– CISA, CIA, Dipl. Int revisor– 8 years experience in IT audits and quality insurance from various ministries with their subordinate agencies, private companies and system development projects.
• Børre Lagesen– CISA– 5 years experience in IT audit from various ministries with their subordinate agencies.
Agenda
1. What is the objective for this workshop
2. Background
3. Method for Risk-based sampling
4. Case studies
5. Experiences from practical use in Norway.
6. Sum up and questions
1. The objective for this workshop.
1. Help the auditor to select the right areas and processes.
2. Contribute to improving the quality and performance of the IT audits in the SAI’s.
3. Contribute to an open discussion and knowledge sharing.
2. Background
1. More use of CobiT
2. CobiT is highly comprehensive and its use quite time consuming.
3. This in stark contrast to our everyday situation, where time is a critical factor.
Background4. CobiT does not provide clear guidelines on
how to carry out an overall (or “high level”) audit risk assessment.
Method for Risk-based sampling1. The method presented is not intended as a final
template.
2. The presentation is based on qualitative assessments of risks.
3. The method uses the following sources:• Audit Guidelines
• Controll Ojectives
but could also use the maturity model in “Management Guidelines”
Selection based on targets/processes/resources
Risk assessment of selected processes
IT audit
Phase 1
Phase 2
Phase 3
Method for Risk-based sampling
P1 P2 P3
Results of Phase 1:
The auditor have a list of preferred processes.
In our example, AI2 and AI6 were identified as the most relevant within the domain “Acquisitions and implementation”.
P1 P2 P3
P1 P2 P3
P1 P2 P3
Scale Control routines
Documented The audited entity has a routine, process or documentation that deals with the matter.
Undocumented The audited entity does not have routines, processes or documentation that deal with the matter.
P1 P2 P3
Scale Probability
H It is regarded as highly probable that this process will be negatively affected by internal or external events.
M It is regarded as possible that this process will be negatively affected by internal or external events.
L It is not regarded as very probable that this process will be negatively affected by internal or external events
P1 P2 P3
Method for Risk-based samplingScale Consequence
H Negative internal or external incidents are expected to have major consequences for the process.
M Negative internal or external incidents are expected to have medium consequences for the process.
L Negative internal or external incidents are expected to have minor consequences for the process.
P1 P2 P3
Each process is then subject to a risk assessment where probability and consequences are considered together.
On the basis of how the process is rated in terms of risk (H high, M medium, L low – in our example), they are selected for further IT audit (phase 3).
P1 P2 P3
Method for Risk-based samplingIT process and audit
questionsResults of evaluation
and testingRecommendation Ref.
AI6 Change management
Has a method been established for prioritisation of change recommendations from users, and if so, is it being used? Have procedures been compiled for sudden changes, and if so, are they being used? Is there a formal procedure for monitoring changes, and if so, is it being used?Etc.
Observation: Method for changes… There is no procedure for sudden changes … Etc. Assessments: The methodology is incomplete in terms of sudden changes… Conclusion: The methodology is inadequate …
We recommend …
P1 P2 P3
WORK!!!!
1. Identify relevant questions for chosen processes (PO9, DS4, DS5) based on your points in “and takes into consideration”. (from 14.10 to 14.30 – 20 minutes)
2. Use the questions on the case study. Evaluate risk and conclude on further audit. (from 14.30 to 15.35 – 65 minutes including break. )
3. Discussions (from 15.35 to 16.30 – 55 minutes)
5. Practical use and experiences from Norway
Selection based on targets/processes/resources
Risk assessment of selected processes
IT audit
Phase 1
Phase 2
Phase 3
Method for Risk-based sampling
Selection of processes P1 P2 P3
The risk assessment of processesP3P1 P2
Result of risk assessment in four
different government agencies
P1 P2 P3
Result of audit
P1 P3P2
Agency 1 Agency 2 Agency 3 Agency 4
PO9
Findings reported to department
Findings reported to department
Findings reported to department
Findings reported to department
DS4
Findings reported to department
Findings reported to department
Findings reported to department
Findings reported to department
DS11
Findings reported to department
Findings reported to
agency
Findings reported to
agency
Nothing reported
Government agencies
Experience
• it took time to develop the questions
• good overview of the different processes and their risks in the government agencies
• able to develop a good risk profile
• able to select the right process to audit
Conclusion
The risk evaluation and the IT audit led to a lot of findings that where reported
You can’t hide – we see it all