IT Audit and Assurance Management: Information Technology Assurance Framework (ITAF)

Contents
• ITAF objectives
• Organization and structure
• The key standards
• Guidelines
• Using ITAF
• ITAF and other standards and guidance
ITAF Objectives
ITAF is designed to provide IT audit and assurance professionals with a single source through which IT audit and assurance standards, guidelines, and tools and techniques can be accessed, in a way that assists in establishing an IT audit and assurance function and in planning, scoping, executing and reporting on IT audit and assurance work. ITAF is designed for use by IT audit and assurance professionals as well as the wider audit and assurance community, to increase understanding of the role of IT audit and assurance professionals and the value they bring to the organization.
What is ITAF?
ITAF is a comprehensive and good-practice-setting framework that:
• Provides information on business and technology principles and concepts
• Provides guidance on the design, conduct and reporting of IT audit and assurance assignments
• Defines terms and concepts specific to IT assurance
• Establishes standards, guidelines, and tools and techniques that address IT audit and assurance professionals’ roles and responsibilities, knowledge and skills, diligence, conduct and reporting requirements
• Provides a single source from which to obtain IT audit and assurance information
Who Should Use ITAF?
Primary users: ITAF is primarily designed for use by individuals who:
• Act in the capacity of IT audit or assurance professional
• Provide assurance over some aspects of IT systems, applications, operations and infrastructure
Other users: ITAF can be used by anyone in the assurance profession. ITAF also provides benefits to wider audiences, including senior management, boards and users of IT assurance reports.

ITAF recognizes that IT audit and assurance professionals may be engaged in different types of work, ranging from IT-focused audits that support financial, operational or regulatory requirements to specific audits designed to meet more narrowly defined needs. ITAF is currently not designed to address specific requirements with respect to consultative and advisory work.
How is ITAF Organized? The Taxonomy
• Standards: General Standards, Performance Standards, Reporting Standards
• Guidelines: 3200 Enterprise-wide IT Assurance Considerations; 3400 IT Management; 3600 IT Assurance Processes; 3800 IT Assurance Management
• Tools and Techniques: one set linked to each Guidelines section
Tools and Techniques will be directly linked to specific Guidelines. They may take a variety of forms, such as discussion documents, technical direction, white papers, audit programs or books; for example, the ISACA publication on SAP would support the ERP Systems Guideline.

ITAF Definitions
ITAF is composed of five elements: three categories of standards (general, performance and reporting), guidelines, and tools and techniques.
• General Standards are the guiding principles under which the IT assurance profession operates. They focus on the IT assurance professional’s ethical values, qualifications, independence, objectivity and technical capabilities.
• Performance Standards deal with the conduct of the assignment, such as planning and supervision, scoping, risk and materiality, assignment management, audit and assurance evidence, and the exercise of professional judgment and due care.
• Reporting Standards address the types of reports, means of communication and the information to be communicated.
• Guidelines provide the IT assurance professional with information and direction about an audit or assurance area and the various approaches, methodologies, tools and techniques and related material that assist in planning, executing and reporting on an IT audit or assurance area.
• Tools and Techniques provide specific information on various methodologies, tools and techniques and provide direction in their application and use, to operationalize the information provided in the Guidelines.
IT Assurance Guidelines (3000): What the IT Audit and Assurance Professional Should Know
The guidelines comprise four sections. Areas of IT audit and assurance knowledge:
• Knowledge about business and IT
• Knowledge about IT audit processes and management
IT Assurance Guidelines (3200): Enterprise-wide IT Assurance Considerations
Guidelines in this section provide the IT assurance professional with an understanding of the enterprise-wide issues that must be considered by the IT auditor when planning, designing, executing and reporting on IT assurance work.
• 3210 Implication of Enterprise-wide Policies, Practices and Standards on the IT Function
• 3230 Implication of Enterprise-wide Audit and Assurance Initiatives on the IT Function
• 3250 Implication of Enterprise-wide Audit or Assurance Initiatives on IT Audit and Assurance Plans and Activities
• 3270 Additional Enterprise-wide Issues and their Impact on the IT Function
IT Assurance Guidelines (3400): IT Management
Guidelines in this section provide the IT assurance professional with an understanding of various IT management and IT operations topics as background to the planning and scoping of IT assurance activities. Guidance in this section may also give the IT assurance professional direction on information that will assist in conducting an assurance engagement, and on information the IT assurance professional is likely to, or should expect to, encounter during the conduct of IT assurance work.
• 3410 IT Governance (mission, goals, strategy, corporate alignment, reporting)
• 3412 Impact of Enterprise Initiatives on IT Assurance Activities
• 3415 Using Work of Other Experts in Conducting IT Assurance Work
• 3420 IT Project Management (scoping, resourcing, performing, etc.)
• 3425 IT Information Strategy
• 3427 IT Information Management (e-mail, security, access, document portfolios, etc.)
• 3430 IT Plans and Strategy (budgets, funding, metrics)
• 3450 IT Processes (operations, HR, development, etc.)
• 3470 IT Department Addressing and Managing Risk
• 3490 IT Support of Regulatory Compliance
IT Assurance Guidelines (3600): IT Assurance Processes
• 3605 Relying on Specialists and Others
• 3607 Integrating IT Audit and Other Assurance Work
• 3610 IT Assurance Guide Using CobiT
• 3630 IT General Controls
• 3650 Auditing Application Controls
• 3653 Auditing Traditional Application Controls
• 3655 Auditing Enterprise Resource Planning Systems (auditing SAP, Oracle, PeopleSoft, etc.)
• 3657 Auditing Web-Based Applications
• 3660 Auditing Specific Requirements
• 3661 Government-Specified Criteria
• 3662 Industry-Specified Criteria
• 3670 Auditing with Computer-Assisted Auditing Techniques
• 3680 IT Auditing and Regulatory Reporting
• 3690 Selecting Items of Audit Interest
Notes: The existing SAP publication could be classified as an Auditing Techniques document, as could the Oracle publication, etc. The term "audit" is used here to include both audit and assurance engagements.
IT Assurance Guidelines (3800): IT Assurance Management
Guidelines in this section provide information on the establishment of an IT assurance function and its role in planning, scoping, conducting, concluding and reporting on IT audit and assurance engagements.
• 3810 IT Assurance Function
• 3820 IT Assurance Planning and Scoping
• 3830 Planning and Scoping the IT Assurance Objectives
• 3835 Planning and Scoping Risk Assessments
• 3840 Managing the IT Assurance Process Execution
• 3850 Integrating Audit and Assurance Processes
• 3860 Gathering Evidence
• 3870 Documenting IT Audit and Assurance Work
• 3875 Documenting and Confirming IT Assurance Findings
• 3880 Evaluating Results, Developing Recommendations
• 3890 Effective IT Audit and Assurance Reporting
• 3892 Reporting IT Audit and Assurance Recommendations
• 3894 Reporting on IT Advisory and Consultancy Reviews
• 3896 Lessons Learned, IT Audit and Assurance Debrief
ITAF Structure - Guidelines
Each guideline is structured as follows:
• Section # and Title
• Subsection
• Discussion of the Topic
• Guideline Content
• Existing ISACA / ITGI Resources
• Future Guidelines
Some guideline sections are resource rich.
Using ITAF – An Example: Designing and Conducting the Engagement
• Determine audit or assurance activity
• Identify the appropriate sections of ITAF
• Review the section descriptions
• Select the desired sections
• Review the section guidelines
• Review the list of tools and techniques
• Select appropriate tools and techniques
• Develop or obtain audit or assurance programs
• Conduct audit work in accordance with Section 3800 guidance
Using ITAF – An Example: Audit and Assurance Planning
Plan: determine the audit or assurance activity; identify likely sections related to planning and scoping; review the descriptions of the relevant sections:
• 3605 Relying on Specialists and Others
• 3820 IT Assurance Planning and Scoping
• 3830 Planning and Scoping the IT Assurance Objectives
• 3835 Planning and Scoping Risk Assessments

Select the desired sections; review the section guidelines; review the tools and techniques list; select appropriate tools and techniques; develop the audit or assurance program and documentation (Select, Review, Review, Select, Develop).
Guidelines and standards referenced:
• G15 Planning (Revised)
• G13 Use of Risk Assessment in Audit Planning
• G1 Using the Work of Other Auditors
• S5 Planning
• S6 Performance of Audit Work
• S7 Reporting
• COBIT
Tools and Techniques: to be developed to include audit programs, reporting information, software sources, articles and books; COBIT.
Using ITAF – An Example
Several critical hypotheses are inherent in any IT assurance or audit assignment. These include:
• The subject matter is identifiable and subject to audit.
• The audit or assurance project, if undertaken, has a significant likelihood of successful completion.
• The audit or assurance approach and methodology is free from bias.
• The IT audit or assurance project is of sufficient scope to meet the audit or assurance objectives.
• The IT audit or assurance project will lead to a report that is objective and that will not mislead the reader.