IT ADVISORY
As the IT Auditor arrives …
InfoSecurity 2010, 4 November 2010
As the IT Auditor arrives … Understand the Purpose of the IT Audit
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative. 1
As the IT Auditor arrives … Be aware of your own Attitude
Effectiveness and Efficiency of Audit depend on behaviour
Client: Soft Controls
• Audit Sponsor is leading by example
• Involving stakeholders
• Be involved with Audit
Auditor: Soft Controls
• Seeking for Facts
• Clearly providing Judgment
• Transparence, providing adequate Information
As the IT Auditor arrives … Consider the Auditor’s perspective
• First line of Defense: Self-assessment by operational staff
• Second line of Defense: Management Assessment
• Third line of Defense: Audit
As the IT Auditor arrives … Be specific regarding your expected maturity of IT
COBIT maturity levels
As the IT Auditor arrives … Understand each Phase of the Audit
• Scope of Objects to be assessedRisk-based
• Scope of Objects to be assessed• Requirements to be applied
Compliance-based
• Fact findingbased
• Evaluation of noted DeficienciesRisk-based
• Evaluation of noted Deficiencies
As the IT Auditor arrives … Risk-based scoping – Financial Reporting
Focus of financial audit:
• Accounts and disclosures
• Entities
• Business processes
• Key controls: Manual controls, IT-dependent Manual controls, Automated controls
Focus of IT audit:
• Key application controls
• Application-specific ICT
• Generic ICT infrastructure
• IT management processes
As the IT Auditor arrives … Risk-based scoping – Assess an IT service
As the IT Auditor arrives … Compliance-based fact-finding: Be aware that the auditor also evaluates your own (Continuous) Monitoring
Event
Deduction of events
As the IT Auditor arrives … Risk-based evaluation
Risk-based selection of controls:
• Business critical list of Applications
• Sensitivity (CIA)
• Selection of Controls
Compliance-based monitoring of the IT Environment:
• People: Soft controls
• Processes: Three levels of defense; Monitoring
• Technology: Compliance monitoring; Vulnerabilities monitoring; Incident detection
Analysis of Issues; Issue Tracking
Risk-based evaluation and follow-up: Follow-up (improve or accept)
As the IT Auditor arrives … You can help to make it effective and efficient!
Consider how the IT Auditor can help you to improve your IT environment regarding:
• People
• Processes
• Technology
Questions
Contact details
Name: Ir. Peter Kornelisse RE CISA
Position: Director, experienced with regard to Information Security and Technology, having performed and coordinated many advisory services, as well as compliance audits and security tests, since 1990. Peter is globally responsible for security testing services at KPMG, and mainly delivers IT audit support for Financial Audits, and Information Protection and Business Continuity services in the Netherlands.
E-mail: [email protected]
Telephone: +31 (0)6 – 53 165 596