Transcript Document

SESSION 4:
Understanding Your IT Control Environment & Its Readiness
Tan Jenny
23 September 2009
OVERVIEW

Control Environment: Input -> Process -> Output

Components of the control environment:
- Systems & processes
- Tools
- Security
- Human resources

Systems & Processes

Organisation Structure
- Who is the IS function reporting to routinely?
- Has the relationship of the IS function to the rest of the business been clearly defined and understood?
- Is the IS function appropriately staffed?

Policies & Procedures
- Are there policies (e.g. Capex, IT) established and operating in the organisation?
- Are procedures established and implemented to guide IT and user personnel functions?
- Are policies & procedures approved and regularly reviewed?
Tools
- Systems & Applications: HR, Finance, Email, Network, etc.
- Are control procedures in place to guide the system selection, development and/or implementation process?
- In-house versus outsourcing?
Security
- Back Up Media
- Firewall & Anti-virus
- Access Control
- Physical Security
- Safe Box
- Insurance / Contracts
[Image: a note reading "This is my password"]
- Physical Security: CCTV
Human resources
- Resume
- Appropriate Job Description
- Appropriate Candidate
- Relevant Experience
- Vendor selection / assessment
- Regular / appropriate training
IT Governance

IT Governance can be seen as a structure of relationships and processes to direct and control the enterprise use of IT to achieve the enterprise's goals by adding value while balancing risk vs return over IT and its processes.
Source: ISACA, IT Governance Institute, 2008
Why Is IT Governance Important?

Good corporate governance helps to prevent corporate scandals, fraud and potential civil & criminal liability of the organisation.

Good governance is good for NPOs:
- Enhances organisation reputation
- Compliance with applicable Acts, Rules & Regulations and Code of Governance
- Trusted by contributors (donors)
- Reliability of financial reporting
Effective Risk Management

HARD SIDE
- Measures and reporting
- Risk oversight committees
- Policies & procedures
- Risk assessments
- Risk limits
- Audit processes
- Systems

SOFT SIDE
- Risk awareness
- People
- Skills
- Integrity
- Incentives
- Culture & values
- Trust & communication
Is Your IT Control Environment Ready?

How can you gauge? | Remarks
1. Self-assessment, past experiences | May not have in-house specialist; no benchmark
2. Engage consultant to perform a review | IT review services not cheap (specialised group of professionals)
3. Through annual audit exercises (can be internal or external audit) | May be a bit late, outcome recorded in audit report; not all internal and/or external auditors are IT audit savvy
Do you want to be READY?

Tone from the TOP: Board Members/Management

THE END