Information System Audit

Essential of IS Audit for IT Engineer

UP-ITTC
October 2010

Summary
Information System Audit (IS Audit) requires long experience and a lot of
skill and knowledge about both audit and information technology.
Because of this, this training course and text book include a summary of
the knowledge and skill that an IS Auditor needs, and especially detailed skill
and knowledge about IS Audit processes and methods for IT engineers who
want to become IS Auditors or conduct audit tasks.

Acknowledgments
Content of this training and text book is based on the Certified Information
Systems Auditor (CISA) and the Japan Information Technology Engineers
Examination - System Auditor Examination.
Content of this training and text book is copyrighted to JICA (Japan
International Cooperation Agency) and UP-ITTC (UP Information
Technology Training Center), and developed by Go Ota, PADECO Co.,
Ltd. and UP-ITTC.

Expected Trainees
IS Audit requires a wide area of IT skill and knowledge, so the training
expects the trainees to have at least passed the FE exam or to have the same
level of IT experience (at least 5 years, desirably more than 10
years) and knowledge.


Chapter 0.
Introduction
What is IS Audit
How to become IS Auditor
&
Task and role of IS Auditor

What is Audit? What is IS Audit?
“An official examination of accounts to see that they are
in order” – The Oxford Dictionary
An INDEPENDENT assessment of / opinion on how well
(badly) the financial statements were prepared

IS audit:
- A review of the controls within an entity's technology
infrastructure
- Official examination of IT related processes to see that
they are in order

What is IS Audit Activity?
Difference Between Audit and Evaluation
Layers of a company in the figure: Policy and Strategy; Organization and
Regulation/Standard; Business Activities; Business Infrastructure. Management
evaluates them from inside; an Independent Audit examines them from outside.

                Evaluation                      Audit
Independent     Activity of Management          Independent Activity
                Process and Result              Norm
                Doing right                     Managing right
                Performance                     Effectiveness and Efficiency
                Next action is management improvement
                Done at the end of a phase      Done any time
Ex.             Checking progress and           Checking a regulation of PM and
                quality of a Project            how to apply it, including the
                                                current situation.

Viewpoint of an IS Auditor
SDLC (System Development Life Cycle), with R = Review by an IS Auditor:
P1: Feasibility Study (R)
P2: Requirement Definition (R)
Buy or Make decision:
  Make (Build): P3: System Design (R) -> P4: Development (R)
  Buy: P3: System Selection (R) -> P4: Configuration (R)
P5: Implementation (R)
P6: Post implementation (R: Evaluate and Performance Review by an Audit)
P7: Disposal
Scope of General System Development: bracket in the figure beside the
development and implementation phases

Why IS Audit is needed? Social Background
Information systems have become a main function for business.
• Supporting business activity
• Keeping business information
• Main interface to customer
Innovation of ICT gave information systems a major role in business.

Problems of business management:
• Inappropriate IT system for business strategy
• Big investment for IT system and unclear ROI
Problems of security/risk management:
• Computer virus / illegal access
• System trouble and backup for disaster

Effective and efficient internal management and operation of
information systems is needed
=> Independent Information System Audit

Why IS Audit is needed? Legal Background (1)
After major corporate and accounting scandals, including those
affecting Enron, Tyco International, Adelphia, Peregrine Systems and
WorldCom, the 'Public Company Accounting Reform and Investor
Protection Act' and 'Corporate and Auditing Accountability and
Responsibility Act', commonly called Sarbanes–Oxley, Sarbox or
SOX, was enacted as a United States federal law on July 30, 2002.
• Directs SEC to enact rules protecting shareholders & the economy
• Honesty in financial reporting
• Responsibility at the Top
• Demonstrate Compliance by Audits
The most contentious aspect of SOX is Section 404, which
requires management and the external auditor to report on the
adequacy of the company's internal control over financial reporting.

Internal control now relies on information systems, so evaluating
internal control requires an audit of the information system.


Why IS Audit is needed? Legal Background (2)
Flow from the Company side to the Auditor side:

Financial Audit:
Internal Control -> Financial Statement -> Financial Audit -> Financial Audit Report

SOX:
Financial Audit (Result):
Internal Control -> Financial Statement -> Financial Audit -> Financial Audit Report
Operation Audit (Process):
Internal Control -> Internal Control Statement -> Internal Control Audit -> Internal Control Audit Report
Both together form an Integrated Audit.

Objectives: Effectiveness and efficiency of Operation; Assurance of
Financial Statement; Compliance with laws

Operation Audit assures the clearance of the financial statement.


What is Internal Control?
Internal Control Model by COSO
Objectives: Financial Statement
Components (Activities):
• Control Environment
• Risk Management
• Control Activity
• Information and Communication
• Monitoring
Organization levels: Enterprise-level, Division or subsidiary, and Business unit
IT Control: Objective -> Risk -> Control


Activities of Internal Control
Control Environment: The tone for the organization, influencing the control
consciousness of its people. It is the foundation for all other components of
internal control.
Risk Management: The identification and analysis of relevant risks to the
achievement of objectives, forming a basis for how the risks should be managed.
Control Activity: The policies and procedures that help ensure management
directives are carried out. Consists of 2 aspects: Policy of what should be, and
Procedures to accomplish policy.
Information and Communication: Support the identification, capture, and
exchange of information in a form and time frame that enable people to carry
out their responsibilities.
Monitoring: Assess the quality of internal control performance over time.
IT Control: Procedure or policy that provides a reasonable assurance that the
information technology (IT) used by an organization

IT Internal Control <= Target of IS Audit
IT control has three layers:
ITCLC: IT Company Level Control
ITGC: IT general controls
ITAC: IT Application Control

ITGC: IT general controls (System Development, System Operation,
IT Infrastructure (Network, Server, PC ...))
• Logical access controls
• System development life cycle controls
• Program change management controls
• Data center physical security controls
• System and data backup and recovery
• Computer operation controls

ITAC: IT Application Control (Application Systems: Accounting, Sales, ....),
to keep processing complete and accurate
• Input Data Control
• Process Control
• Output Control

ITCLC: IT Company Level Control (Company-wide)
* IT Governance/Policy  * IT Risk Management  * Training
* Quality Assurance  * IT Internal Audit

What is IS Audit? (Again)
“the process of collecting and evaluating evidence to determine
whether a computer system (information system) safeguards assets,
maintains data integrity, achieves organizational goals effectively and
consumes resources efficiently.” - Ron Weber

The purpose of IS Audit is to realize IT governance by independent and
professional auditors who give appropriate assurance based on
evaluation of risk management and control of information systems.
- “Information System Audit Standard”, Japan Ministry of Economy,
Trade and Industry

Case of ITGC : Project Management
Development phases: User Requirements -> System Requirements ->
Global (Basic) Design -> Detail Design -> Programming -> Component Test ->
Integration Test -> System Test -> Acceptance Test
Managed by the Project Manager under the Project/Development Division's
Project Management Regulation, and recorded in the Project Document.

IS Audit viewpoints:
• Is the development method appropriate?
• Does the selection of system architecture have an appropriate reason?
• Was the cost estimated by the right procedure and method?
• Does the integrated testing use appropriate data?
• Does the project follow the regulation?

Who becomes an Auditor?
(Account) Auditor, with experiences of
• Accounting
• Audit
IT Specialist, with experiences of
• IT Strategy
• Development
• Project Management
• IT Security
• Service Management
• .....
Both paths lead to Information System Audit.

Certification
CISA (Certified Information Systems Auditor) by ISACA (Information Systems
Audit and Control Association), from 1978
• More than 75,000 professionals in nearly 160 countries
• For both (Account) Auditor and IT Specialist
System Auditor by Japan Information Technology Engineers Examination,
from 1985
• Mainly for IT Specialist

If an (Account) Auditor wants to become an IS auditor, he/she should master
at least the skill and knowledge of FE exam level.

Target of IS Audit and IS Auditor's Skill and Knowledge
CISA examination domains (% of number of questions in CISA exam)
• Domain 1—IS Audit Process (10%)
<= Skill and Knowledge for conducting IT Audit
• Domain 2—IT Governance (15%)
• Domain 3—Systems and Infrastructure Lifecycle Management (16%)
• Domain 4—IT Service Delivery and Support (14%)
• Domain 5—Protection of Information Assets (31%)
• Domain 6—Business Continuity and Disaster Recovery (14%)
<= Target of IS Audit and Skill and knowledge for IT system
and points of audits

Map of IS Auditor's skill and knowledge
Columns of the map: IT Technical, IT Management, IT Governance,
Audit Process & Method

D3—Systems and Infrastructure Lifecycle Management
  IT Technical: Development method, APP control, Software Testing,
  System/APP Architecture, E-commerce/AP knowledge
  IT Management: Project Management, SQM
D4—IT Service Delivery and Support
  IT Technical: H/W, OS, Middleware, Network & DB, Operation & Maintenance
  IT Management: Service Delivery, Service Support, Service Strategy
D5—Protection of Information Assets
  IT Technical: Network security, Security Technology
  IT Management: Logical Security, Physical Security
  IT Governance: Security Policy & Strategy
  Audit Process & Method: IT Security Audit
D6—Business Continuity and Disaster Recovery
  IT Technical: Operation & Maintenance, Backup & Recovery
  IT Management: Business contingency Planning
D2—IT Governance (IT Governance column): IT Strategy, Organization Mng.,
  Risk Management
D1—IS Audit Process (Audit Process & Method column): Process, Method,
  Communication, Related standards

How to become an IS Auditor (case of CISA)
1. Getting CISA certification
a) Pass the CISA examination
   500-600 hours of self learning or 150-200 hours of exam school.
b) Minimum of 5 years of Information Systems Audit, Control or
   Security experience within 10 years of applying and within 5 years of
   passing the exam
c) Compliance with the Information Systems Audit and Control
   Association Code of Professional Ethics. <= Excellent Job

2. Keeping CISA certification: CISA Continuing Education Policy
a) Annually report a minimum of 20 hours of continuing professional
   education
b) Report a minimum of 120 contact hours of continuing education for
   each fixed three-year period
Certified Information Systems Auditor (CISA)
http://www.isaca.org/
What is the meaning of “Keeping CISA certification”?

Professional Ethics (ISACA Code)
• Support the implementation of, and encourage compliance with,
appropriate standards, procedures and controls for information systems.
• Perform their duties with objectivity, due diligence and professional
care, in accordance with professional standards and best practices.
• Serve in the interest of stakeholders in a lawful and honest manner,
while maintaining high standards of conduct and character, and not
engage in acts discreditable to the profession.
• Maintain the privacy and confidentiality of information obtained in the
course of their duties unless disclosure is required by legal authority.
Such information shall not be used for personal benefit or released to
inappropriate parties.
• Maintain competency in their respective fields and agree to
undertake only those activities which they can reasonably expect to
complete with professional competence.
• Inform appropriate parties of the results of work performed,
revealing all significant facts known to them.
• Support the professional education of stakeholders in enhancing
their understanding of information systems security and control.

Overview of D1—IS Audit Process Task & Process
Summary of Audit Process, with an example: a small audit for Logical Access
Control (control for users and programs accessing data, programs and
applications)
Audit Planning: Purpose is to evaluate the validity of logical access control
(password) in the targeted organization
Perform Test: Reviewing the regulation of policy, management and usage of
passwords; inspect and survey the management of passwords
Reporting: Reporting whether the current regulation and management of
passwords is appropriate or not
Follow-Up Activity: How to modify and improve the logical access control for
passwords

Topics of D1: Audit mission and planning, Laws and regulations, Standards
and guidelines for IS auditing, Risk analysis, Internal controls,
Performing an IS audit

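The "Perform Test" step of the small logical access control audit above, as an added worked example that is not part of the original training text: the auditor's test compares the password policy configured on the system with the regulation that was reviewed, then inspects an account export for expired passwords, dormant enabled accounts and accounts without a named owner, and records findings for the report. The regulation values, the configured policy, the audit date and the account export are all constructed sample data.

```python
"""Audit test for password-based logical access control (constructed example).

Inputs are the regulation the auditor reviewed, the policy configured on the
system, and an account export; outputs are findings for the audit report.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

AS_OF = date(2010, 10, 15)  # constructed audit (fieldwork) date

# Regulation under audit: constructed values standing in for the
# organization's password rules.
REGULATION: Dict[str, int] = {
    "min_length": 8,         # characters
    "max_age_days": 90,      # password must be changed within this period
    "lockout_threshold": 5,  # failed logins before lockout (0 = disabled)
    "dormant_days": 90,      # enabled account unused this long is a finding
}

# Policy as actually configured on the audited system (constructed).
CONFIGURED_POLICY: Dict[str, int] = {
    "min_length": 6,
    "max_age_days": 90,
    "lockout_threshold": 0,
}

# Account export handed to the auditor (constructed sample, CSV).
ACCOUNT_EXPORT = """\
username,owner,enabled,last_password_change,last_login
jsmith,John Smith,yes,2010-08-01,2010-10-12
mlee,Mary Lee,yes,2010-05-20,2010-10-11
opsshared,,yes,2010-09-01,2010-10-10
tjones,Tom Jones,yes,2010-09-15,2010-06-30
kwong,Ken Wong,no,2009-12-01,2010-01-05
"""


@dataclass(frozen=True)
class Finding:
    area: str     # "policy" (regulation vs configuration) or "account"
    subject: str  # policy key or username
    detail: str


def audit_policy(regulation: Dict[str, int], configured: Dict[str, int]) -> List[Finding]:
    """Compare the configured password policy with the regulation."""
    findings: List[Finding] = []
    length = configured.get("min_length", 0)
    if length < regulation["min_length"]:
        findings.append(Finding("policy", "min_length",
                                f"configured {length}, regulation requires {regulation['min_length']}"))
    age = configured.get("max_age_days", 0)
    if age <= 0 or age > regulation["max_age_days"]:  # 0 means passwords never expire
        findings.append(Finding("policy", "max_age_days",
                                f"configured {age}, regulation allows at most {regulation['max_age_days']}"))
    lock = configured.get("lockout_threshold", 0)
    if lock <= 0 or lock > regulation["lockout_threshold"]:  # 0 means lockout disabled
        findings.append(Finding("policy", "lockout_threshold",
                                f"configured {lock}, regulation requires at most {regulation['lockout_threshold']}"))
    return findings


def audit_accounts(regulation: Dict[str, int], export_csv: str, as_of: date = AS_OF) -> List[Finding]:
    """Inspect the account export for accounts that violate the regulation."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["username"]
        if not row["owner"].strip():  # shared/generic account with no responsible person
            findings.append(Finding("account", user, "no named owner"))
        if row["enabled"].strip().lower() != "yes":
            continue  # a disabled account cannot be used; age and dormancy not assessed
        pw_age = (as_of - date.fromisoformat(row["last_password_change"])).days
        if pw_age > regulation["max_age_days"]:
            findings.append(Finding("account", user, f"password unchanged for {pw_age} days"))
        idle = (as_of - date.fromisoformat(row["last_login"])).days
        if idle > regulation["dormant_days"]:
            findings.append(Finding("account", user, f"enabled but unused for {idle} days"))
    return findings


def run_audit() -> List[Finding]:
    """Full test: policy comparison plus account inspection."""
    return audit_policy(REGULATION, CONFIGURED_POLICY) + audit_accounts(REGULATION, ACCOUNT_EXPORT)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.area}] {f.subject}: {f.detail}")
```

On the constructed data the test reports two policy findings (minimum length, lockout disabled) and three account findings; the disabled account is not flagged.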
Overview of D2—IT Governance
To provide assurance that the organization has the structure, policies,
accountability, mechanisms, and monitoring practices in place to
achieve the requirements of corporate governance of IT.
Examples of target
• Planning IT Strategy with IT Steering Committee
• Implementation of the IT strategy
• Business Process Reengineering
• Risk management for IT strategy
• Organization and Personnel Management

Overview of D3—Systems and Infrastructure Lifecycle Management
To provide assurance that the management practices for the
development/acquisition, testing, implementation, maintenance, and
disposal of systems and infrastructure will meet the organization’s
objectives.

Examples of target
• Application development process and regulation including needs
analysis, including cost estimation and
• Quality Management
• Validation of computer & system architecture for Application
• Application control
• Management of outsourcing and vendor

Overview of D4—IT Service Delivery and Support
To provide assurance that the IT service management practices will
ensure the delivery of the level of services required to meet the
organization’s objectives.

Examples of Target
• Service Level Agreement
• Validation of Hardware and software
• Validation of network infrastructure
• Monitoring of Information System/Infrastructure
• Capacity and Configuration Management
• Configuration Management of software
• Regulation of operation and maintenance
• Help (Service) Desk and Incident/Problem management

Overview of D5—Protection of Information Assets
To provide assurance that the security architecture (policies,
standards, procedures, and controls) ensures the confidentiality,
integrity, and availability of information assets.

Examples of Target
• Policy and regulation of IT Security including risk management
• Validation of logical access control such as password and
authentication
• Validation of physical access control with security technology and
devices
• Validation of security of network infrastructure
• Validation of encryption system
• Validation of environmental control against fire, power breakdown
and …

Overview of D6—Business Continuity and Disaster Recovery
To provide assurance that in the event of a disruption the business
continuity and disaster recovery processes will ensure the timely
resumption of IT services while minimizing the business impact.

Examples of Target
• Business Impact Analysis (BIA) and Disaster Recovery Planning (DRP)
• Validation of backup and recovery against disasters
• Validation of means for continuity against disasters

Related important laws, regulations and guidelines
(Each entry was marked X against the CISA domains 1 to 6 in the original
table; the marks are kept as they appear.)
Standards, Guidelines, and Tools and Techniques for Audit/Assurance and
Control Professionals by ISACA: X X X X X X (all domains)
Public Company Accounting Reform and Investor Protection Act of 2002
(SOX): X X X X
The Control Objectives for Information and related Technology (COBIT) by
ISACA: X X X X X X (all domains)
ISO/IEC 27002: Information technology - Security techniques - Code of
practice for information security management: X X X X X X (all domains)
Information Technology Infrastructure Library (ITIL): X X X X X
Val IT by IT Governance Institute (ITGI): X X
Project Management Body of Knowledge (PMBOK): X X X
COSO (The Committee of Sponsoring Organizations of the Treadway
Commission) Control Framework: X X X
CMMI (Capability Maturity Model® Integration): X X X
ISO/IEC 9126 & 25000 Software engineering — Product quality, an
international standard for the evaluation of software quality: X X X x X

Where does an IS auditor work?
Company & Organization (Policy and Strategy / Organization and
Regulation/Standard / Business Activities / Business Infrastructure)
• Internal Audit, inside the company & organization
External Audit, at an Audit Company
• Accounting Audit
• IS Audit
IS Consultant, at a Consultant Company
• Assurance
• Consulting

New movement of IS Audit : Security
On the map of IS Auditor's skill and knowledge (columns IT Technical,
IT Management, IT Governance, Audit Process & Method; rows D3, D4, D5,
D6, D2, D1), two security certifications now cover the area around
D5—Protection of Information Assets:
• CISM (Certified Information Security Manager) by ISACA
• Information Security Specialist by Japan Information Technology
Engineers Examination

Study style of this lecture
Flow of each chapter:
XX Domain of CISA
Quiz (about 20Q) from CISA exam
Explanation of related knowledge and skill
Explanation and reflection of Answer of Quiz

Purpose:
• Start of new Chapter or Section
• Checking your current knowledge and skill about IT for IS audit
• Making an anchor to understand and memorize new knowledge and skill
for IS audit
• Basic IT skill and knowledge for IS auditor
• Skill and knowledge for IS Auditing
• To find and understand the viewpoint of an IS auditor


Chapter 1.
Domain 3
Systems and Infrastructure Lifecycle Management

Overview of Tasks for Domain 3
3.1 Evaluate proposed system development/acquisition to ensure that it meets
the business goals.
3.2 Evaluate the project management framework and project governance
practices to ensure that business objectives are achieved in a cost-effective
manner.
3.3 Perform reviews to ensure that a project is progressing in accordance with
project plans and project management regulation.
3.4 Evaluate proposed control mechanisms for systems and/or infrastructure
during specification, development/acquisition, and testing.
3.5 Evaluate the processes by which systems and/or infrastructure are
developed/acquired and tested to ensure that the deliverables meet the
organization’s objectives.
3.6 Evaluate the readiness of the system and/or infrastructure for
implementation and migration into production.
3.7 Perform post-implementation review and periodic reviews of systems and/or
infrastructure to ensure that they meet the organization’s objectives and are
subject to effective internal control.
3.8 Evaluate the process by which systems and/or infrastructure are maintained
to ensure the continued support of the organization’s objectives and are subject
to effective internal control.
3.9 Evaluate the process by which systems and/or infrastructure are disposed of
to ensure that they comply with the organization’s policies and procedures.

Overview of skill and knowledge for Domain 3
3.1 benefits management practices
3.2 project governance mechanisms (e.g., steering committee)
3.3 project management practices, tools, and control frameworks
3.4 risk management practices applied to projects
3.5 project success criteria and risks
3.6 configuration, change and release management in relation to development and
maintenance of systems and/or infrastructure
3.7 control objectives and techniques that ensure the completeness, accuracy, validity, and
authorization of transactions and data within IT systems applications
3.8 enterprise architecture related to data, applications, and technology (e.g., distributed
applications, web-based applications, web services, n-tier applications)
3.9 requirements analysis and management practices
3.10 acquisition and contract management processes (e.g., evaluation of vendors,
preparation of contracts, vendor management, escrow)
3.11 system development methodologies and tools and an understanding of their strengths
and weaknesses
3.12 quality assurance methods
3.13 the management of testing processes
3.14 data conversion tools, techniques, and procedures
3.15 system and/or infrastructure disposal procedures
3.16 software and hardware certification and accreditation practices
3.17 post-implementation review objectives and methods
3.18 system migration and infrastructure deployment practices

IS Audit Small Quiz No.1
Domain 3 (1) Systems and Infrastructure Lifecycle Management
Subject: Project Plan, Project Management, Architecture, method and APP
Quiz book


Overview : SDLC (System Development Life Cycle) by ISACA
R = Review
P1: Feasibility Study (R)
P2: Requirement Definition (R)
P3: Buy or Make
  Make (Build): P3: System Design (R) -> P4: Development (R)
  Buy: P3: System Selection (R) -> P4: Configuration (R)
P5: Implementation (R)
P6: Post implementation (R)
P7: Disposal
Scope of General System Development: bracket in the figure beside the
development and implementation phases

Overview of Development Organization
Senior Management
  Steering Committee
    Project Sponsor
      User Management
      Quality Assurance
      Project Management
        Project Development Team (Project Team Leader): Application/system
        Analyst, Programmer, Tester
        Technical Infrastructure Team: Software Support, Hardware Support,
        Network Support
        User Project Team

Overview of SDLC Phase 1 and 2
Phase 1: Feasibility Study
To determine the strategic benefit of a new information system and analyze
possible resolutions to realize the needs
• Define the business case
• Define the objectives with supporting evidence
• List up possible resolutions
• Perform a preliminary risk assessment
• Agree upon an initial budget and expected return on investment (ROI)

Phase 2: Requirement definition
To create a detailed definition of the needs including inputs, outputs, the
current environment and the proposed interaction.
• Collect specifications (requirements) and supporting evidence.
• Identify which standard (technology) will be implemented for the specifications.
• Create a quality control plan to ensure that the design complies with the
specifications.

Overview of SDLC Phase 3 and 4
Phase 3: Plan solution and system design / system selection
To plan the solution (strategy), whether make (build) or buy, based on the
objectives from phase 1 and the specifications from phase 2.
Case of Build
• Make designs such as user requirements, basic design, detail design and
operation design (start of the development process)
Case of Buy
• Make an RFP (Request for Proposal) to select the best vendor and product
based on the specification in Phase 2.
• Conduct bidding to select the vendor and product

Phase 4: Development and configuration
Case of Build
• Making programs and conducting testing
Case of Buy
• Customization is typically limited to program configuration settings with a
limited number of customized reports.

Overview of SDLC Phase 5, 6 and 7
Phase 5: Implementation
To install the new system; final user acceptance testing (mainly function
testing) begins. The system undergoes a process of final certification and
approval.

Phase 6: Post implementation
After the system has been in production use, it is reviewed for effectiveness
in fulfilling the original objectives.
• Compare performance metrics to the original objectives.
• Re-review the specifications and requirements annually.
• Implement requests for new requirements, update or disposal

Phase 7: Disposal
The final phase is the proper disposal of equipment and purging of data.

Overview of Development Models (1)
a. Water-fall model
User Requirements -> System Requirements -> Global (Basic) Design ->
Detail Design -> Programming -> Component Test (= Debug) ->
Integration Test -> System Test -> Acceptance Test

Overview of Development Models (2)
b. Agile Development
Function 1: Design -> coding -> Test
Function 2: Design -> coding -> Test
Function 3: Design -> coding -> Test

Overview of Development models (3)
                              Water fall          Agile              Spiral (Prototyping)
Document                      Document base       Minimum            Minimum
Confirmation of requirement   By document         By software        By software
Changing requirement          Difficult           Easy               Easy
Programmer                    A few - hundreds    A few - 20
1 cycle                       Months - years      Weeks - months     Month - a year
Management                    Initial plan        In each cycle,     Defined by personal
                                                  Collaboration      regulation

Overview of Design and Development methods
SD/SA: Structured Design / Structured analysis: Structured Design (SD) is
concerned with the development of modules and the synthesis of these modules
in a so called "module hierarchy"
OOD: Object-oriented design: the process of planning a system of interacting
objects for the purpose of solving a software problem

Overview of Project Management
PMBOK Knowledge Areas
1. Project Integration Management
2. Project Scope Management
3. Project Time Management
4. Project Cost Management
5. Project Quality Management
6. Project Human Resources Management
7. Project Communications Management
8. Project Risk Management
9. Project Procurement Management

Project Managing Triangle (the figure's vertices are labelled Resources and
Performance)

Overview of Cost estimation and Scheduling
Planning
  Cost estimation
    Analogous estimate
    Parametric modeling
      Function point
      Lines of code
    Bottom-up estimate
  Scheduling
    PERT
    Gantt chart
    WBS (Work Breakdown Structure)

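PERT scheduling from the tree above, as an added example that is not part of the original training text: each activity gets a three-point estimate (optimistic, most likely, pessimistic) combined as (O + 4M + P) / 6, a forward and a backward pass give earliest and latest start and finish, and the activities with zero slack form the critical path that fixes the project duration (the point behind quiz answer 1-5). The activity network is constructed, loosely following the development phases on the earlier slides, and the cycle check is an added safeguard.

```python
"""PERT scheduling with critical path (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Activity:
    name: str
    optimistic: float
    most_likely: float
    pessimistic: float
    predecessors: List[str] = field(default_factory=list)

    @property
    def expected(self) -> float:
        """PERT three-point estimate: (O + 4M + P) / 6."""
        return (self.optimistic + 4 * self.most_likely + self.pessimistic) / 6


# Constructed activity network, durations in weeks, loosely following SDLC phases.
ACTIVITIES: Dict[str, Activity] = {
    "A": Activity("A", 3, 4, 5),                # requirement definition
    "B": Activity("B", 4, 6, 8, ["A"]),         # basic design
    "C": Activity("C", 4, 5, 12, ["B"]),        # detail design
    "D": Activity("D", 8, 10, 18, ["C"]),       # programming
    "E": Activity("E", 2, 3, 4, ["B"]),         # test data preparation
    "F": Activity("F", 3, 5, 7, ["D", "E"]),    # integration test
    "G": Activity("G", 2, 2, 2, ["F"]),         # acceptance test
}


def topological_order(acts: Dict[str, Activity]) -> List[str]:
    """Kahn's algorithm; rejects unknown predecessors and dependency cycles."""
    indegree = {name: 0 for name in acts}
    for act in acts.values():
        for pred in act.predecessors:
            if pred not in acts:
                raise ValueError(f"{act.name} depends on unknown activity {pred}")
            indegree[act.name] += 1
    ready = [name for name, deg in indegree.items() if deg == 0]
    order: List[str] = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for act in acts.values():
            if current in act.predecessors:
                indegree[act.name] -= 1
                if indegree[act.name] == 0:
                    ready.append(act.name)
    if len(order) != len(acts):
        raise ValueError("dependency cycle in activity network")
    return order


def pert_schedule(acts: Dict[str, Activity]) -> Tuple[float, Dict[str, Dict[str, float]], List[str]]:
    """Return (project duration, per-activity ES/EF/LS/LF/slack, critical path)."""
    order = topological_order(acts)
    es: Dict[str, float] = {}
    ef: Dict[str, float] = {}
    for name in order:  # forward pass: earliest start / earliest finish
        es[name] = max((ef[p] for p in acts[name].predecessors), default=0.0)
        ef[name] = es[name] + acts[name].expected
    duration = max(ef.values())
    ls: Dict[str, float] = {}
    lf: Dict[str, float] = {}
    for name in reversed(order):  # backward pass: latest finish / latest start
        successors = [s for s in acts if name in acts[s].predecessors]
        lf[name] = min((ls[s] for s in successors), default=duration)
        ls[name] = lf[name] - acts[name].expected
    table = {
        name: {"ES": es[name], "EF": ef[name], "LS": ls[name], "LF": lf[name],
               "slack": ls[name] - es[name]}
        for name in order
    }
    critical = [name for name in order if abs(table[name]["slack"]) < 1e-9]
    return duration, table, critical


if __name__ == "__main__":
    total, rows, path = pert_schedule(ACTIVITIES)
    for name, r in rows.items():
        print(f"{name}: expected={ACTIVITIES[name].expected:.1f} ES={r['ES']:.1f} "
              f"EF={r['EF']:.1f} LS={r['LS']:.1f} LF={r['LF']:.1f} slack={r['slack']:.1f}")
    print(f"duration={total:.1f} weeks, critical path={'-'.join(path)}")
```

For the constructed network the critical path is A-B-C-D-F-G with a 34-week duration, while E (test data preparation) has 14 weeks of slack.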
Overview of Procurement
Define Specification -> Make RFP -> Select Vendor -> Make Contract ->
Delivery -> Install -> Acceptance Test
Select Vendor uses: Evaluation Criteria, Vendor Long list, Vendor short list,
Vendor Bidding
RFP: Request for Proposal

Overview of RFP (Request for Proposal)
Commercial Part
Qualification of Vendor: The vendor supplying and supporting the product
should be reputable and should be able to provide evidence of financial
stability
Bidding document: Describes the bidding documents the vendors submit
Contract Condition: Conditions such as payment, delivery and warranty in the
contract
Bid opening and evaluation: Criteria for selecting the vendor
Requested document: Clients list, other evidence of product and system

Technical Part
Product and system Requirement: Main content of the RFP. Defines the
detailed specification of the requested product and system. It includes not
only functional specifications but also non-functional specifications such as
reliability and performance
Installation schedule: When the product and system will be needed
Test plan: Installation test plan
Client support: Training, operation support, maintenance, warranty

Overview of Business APP
E-commerce: the buying and selling of products or services over electronic
systems such as the Internet and other computer networks.
E-banking / Online banking: To conduct financial transactions on a secure
website operated by their retail or virtual bank, credit union or building
society.
CIM: Computer-integrated manufacturing: Both a method of manufacturing and
the name of a computer-automated system in which individual engineering,
production, marketing, and support functions of a manufacturing enterprise are
organized.
DSS: Decision support system: DSSs serve the management, operations, and
planning levels of an organization and help to make decisions, which may be
rapidly changing and not easily specified in advance.
SCMS: Supply chain management software: Supply chain transactions, managing
supplier relationships and controlling associated business processes. It
commonly includes: Customer requirement processing, Purchase order
processing, Inventory management, Goods receipt and Warehouse management,
Supplier Management/Sourcing
CRM: Customer relationship management: Sales force automation, Marketing and
Customer Service and Support

Overview of Risk of Business APP
E-commerce: Clear business case, Innovation is so rapid, Certification,
Privacy of customer, High reliability and electronic signature
E-banking / Online banking: Innovation is so rapid, Security of
authentication, Privacy of customer, High reliability and integration to other
systems.
CIM: Computer-integrated manufacturing: Big system consisting of many systems
and software. Clear feasibility study.
DSS: Decision support system: Difficulty of defining purpose and usage. ROI
not clear.
SCMS: Supply chain management software: Changing workflow and business model.
CRM: Customer relationship management: Innovation is so rapid, Security of
authentication, Privacy of customer

Overview of Technology for Business APP
EDI: Electronic data interchange: Structured transmission of data between
organizations by electronic means. It is used to transfer electronic documents
or business data from one computer system to another computer system
Data warehouse: To retrieve and analyze data, to extract, transform and load
data, and to manage the data dictionary
Cloud computing: Internet-based computing, whereby shared resources, software,
and information are provided to computers and other devices on demand, like
the electricity grid. SaaS
Office suite: Office software suite or productivity suite is a collection of
programs intended to be used by knowledge workers, e.g. Google Apps
ERP: Enterprise resource planning: Integrated computer-based system used to
manage internal and external resources, including tangible assets, financial
resources, materials, and human resources.
Smart phone: Mobile phone that offers more advanced computing ability and
connectivity than a contemporary basic 'feature phone'
CTI: Computer telephony integration: technology that allows interactions on a
telephone and a computer to be integrated or co-ordinated. As contact channels
have expanded from voice to include email, web, and fax, the definition of CTI
has expanded to include the integration of all customer contact channels
(voice, email, web, fax, etc.) with computer systems.

Overview of CMMI
(This slide consists of a figure only.)

Overview of Development tools (IDE)
CASE: Computer-aided software engineering: Set of tools and methods for a
software system which is meant to result in high-quality, defect-free, and
maintainable software products.
Visual Studio .Net: It can be used to develop console and graphical user
interface applications along with Windows Forms applications, web sites, web
applications, and web services in both native code together with managed code
for all platforms supported by Microsoft Windows, Windows Mobile, Windows CE,
.NET Framework, .NET Compact Framework and Microsoft Silverlight.
Eclipse: It is written primarily in Java and can be used to develop
applications in Java and, by means of various plug-ins, other languages
including C, C++, COBOL, Python, Perl, PHP, Scala, Scheme and Ruby (including
the Ruby on Rails framework)

Example 1: OSS for Eclipse (Java)

Overview of Actual (Practical) Tools
Programming
  Static Analysis: Checkstyle / PMD (check style of code); Findbugs (find bad
  coding that seems to make bugs)
  Code Metrics: Eclipse Metrics Plugin (calculate code metrics such as
  complexity and dependency); CAP / JDepend4Eclipse (show dependency)
Component Test
  Test Frame: JUnit
  djUnit (make mock classes for testing / coverage)
  Test design / Test case / Executing: TPTP (support making test code and
  executing test cases, including on a remote host)
  JUnit Factory (automatically generating test cases)
  Automated Continuous Integration (executing test cases automatically)
Integration Test / System Test
  Test Executing for Web: Solex (record, replay and edit HTML sessions);
  WSUnit (simulate XML web services)
Acceptance Test
  Performance Testing: Extensible Java Profiler / iMechanic / Eclipse profiler
  plug-in (measure number of calls, time and usage of memory)
  Test Executing for Web / Performance Testing: Selenium (record, replay and
  edit browser actions); JMeter (executing web access sessions automatically)

IS Audit Small Quiz No.1 (Answer) (1)
1-1 (A)
The first concern of an IS auditor should be to ensure that the proposal meets the needs of the
business, and this should be established by a clear business case.
1-2 (B)
An IS auditor should not recommend discontinuing or completing the project before
reviewing an updated business case.
1-3 (D)
Lack of adequate user involvement, especially in the system requirements phase, will
usually result in a system that does not fully or adequately address the needs of the user.
1-4 (A)
It is important that the project be planned properly and that specific phases and
deliverables be identified during the early stages of the project.
1-5 (B)
A PERT chart will help determine project duration once all the activities and work
involved with those activities are known.
1-6 (D)
Old (legacy) systems that have been corrected, adapted and enhanced extensively
require reengineering to remain maintainable. Reengineering is a rebuilding activity to
incorporate new technology into an existing system.
1-7 (A)
The waterfall model is best suited to stable conditions such as (A).

54
IS Audit Small Quiz No.1 (Answer) (2)
1-8 (A)
If resource allocation is decreased, an increase in quality can be achieved if a delay in
delivery time is accepted.
1-9 (A)
Cost performance of a project cannot be properly assessed in isolation from schedule
performance.
1-10 (C)
Projects often have a tendency to expand, and this expansion often grows to the point where the
originally anticipated cost-benefits are diminished. When this occurs, the project should be
stopped or frozen to allow a review of all the cost-benefits and the payback period.
1-11 (C)
A project steering committee is responsible for reviewing the project progress to ensure
that it will deliver the expected result.
1-12 (D)
In the case of deviation from the predefined procedure, an IS auditor should first ensure
the procedure followed for acquiring the software is consistent with business objectives
and has been approved by appropriate authorities.
1-13 (B)
A quality plan is an essential element of all projects. It is critical that the contracted supplier
be required to produce such a test plan.

55
IS Audit Small Quiz No.1 (Answer) (3)
1-14 (C)
Choices A, B and D are not risks, but characteristics of a DDS.
1-15 (B)
Once the data are in a warehouse, no modification should be made to them and access
controls should be in place to prevent data modification.
1-16 (C)
Best resolution.
1-17 (C)
When implementing an application software package, incorrect parameters would be the
greatest risk.
1-18 (C)
The project portfolio database contains project data such as organization, schedule,
objectives, status and cost.
1-19 (D)
The CMMI criteria show that the development organization follows a stable and predictable
software process; CMMI doesn't guarantee the quality of each project.
1-20 (B)
A strength of IDE is that it expands the programming resources and aids available.

56
IS Audit Small Quiz No.2

Domain 3 (2) Testing, Implementation/Migration and APP control

Quiz book

57
Definition of basic terms related to bug, error, ...
• Error: human action that produces an incorrect result.
• Defect (Bug, Fault): flaw in a component or system that causes it to fail to perform its required function.
• Failure: deviation of the component or system from its expected delivery, service or result.
• Risk: a factor that could result in future negative consequences; usually expressed as impact and likelihood.

How they relate:
- A human error sometimes appears directly as a failure, without any defect.
- A defect sometimes appears as a failure.
- Other factors (malice, the natural environment) can also lead to failure.
- A failure is one possible negative result of a risk; the risk factor has the attributes impact and likelihood.
58
Overview of Test Phase
a. Waterfall model (V-model)
Each development phase on the left side of the V prepares the test level on the right side that verifies it:
• User Requirements -> Acceptance Test (test preparation during user requirements)
• System Requirements -> System Test (test preparation during system requirements)
• Global (Basic) Design -> Integration Test (test preparation during global design)
• Detail Design -> Component Test (test preparation during detail design)
• Programming (the bottom of the V)
59
Cost of Fixing bugs in Test phases

(Chart: cost of fixing a bug plotted against the process steps Requirement, Design, Programming, Test and Operation; the cost rises the later the bug is found.)

Principle 3 – Early testing
60
Target of Testing

Quality characteristics addressed: suitability, accuracy, compliance, reliability, interoperability, usability, security, efficiency, maintainability.

• Functional Testing (ordinary testing): functions of the system and/or software that are typically described (implicitly) in a requirements specification, a functional specification, or in use cases.
• Non-Functional Testing: performance testing, load testing, stress testing, security testing, usability testing, maintenance testing, reliability testing.

Test levels: System Test (in the real environment); Integration Test (in a test environment).
61
Overview of Testing Techniques

Static (without running the program)
• Document check (review): formal review, walk-through, technical review, inspection, informal review
• Code check: style check, flow check, bug detection, metrics of code

Dynamic (running the program)
• Structure (code)-based = White Box Testing: statement, decision, condition, multiple condition
• Specification-based = Black Box Testing: equivalence partitioning, boundary value analysis, decision table, state transition, use case testing
• Experience-based: error guessing, exploratory testing
62
How to Conduct Component Test and Integration Test
• Component Test
  A driver (dummy calling module) exercises the target module, and a stub (dummy called module) stands in for the modules the target module calls.
• Integration Test
  - Bottom-up method: the lowest modules (e.g., Module 3 and Module 4) are tested first, each under a driver that stands in for its caller; as the upper modules (Module 2, then Module 1) are integrated, they replace the drivers.
  - Top-down method: the top module (Module 1) is tested first with stubs standing in for the modules it calls; as the lower modules (Module 2, then Module 3 and Module 4) are integrated, they replace the stubs.
63

Overview of Quality Management/Monitoring/Reporting

• Quality of testing
  - Coverage
  - Test case density
  - Bug density
• Quality of target software
  - Num. of bugs in each module
  - Bug density in each module
  - Bug history (num. of detected: Open, and num. of fixed: Close)
  - Software reliability growth curve

(Chart: number of bugs over days, with an Open curve for detected bugs and a Close curve for fixed bugs.)
64
Example: Useful Metrics
What kind of metrics Microsoft is using

Project
• Cost / Time: cost, time
• Features: LOC (lines of code), LOC for modification, time for build
• Quality: expected MTTF (mean time to failure), expected MTTF under stress

Implementation
• Cost / Time: progress of implementation
• Features: complexity of code
• Quality: num. of bugs per build, type of problems in the build

Program/system testing
• Features: coverage, num. of test items, num. of test items carried out by automated tools
• Quality: num. of bugs in each module, bug density in each module, bug history, software reliability growth curve
65
Type of Test Organization (Independent Tester)
A. No independent tester: within the development group, programmer = tester.
B. Independent testers within the development group: programmers and testers are different people in the same group.
C. Independent tester team within the development group: under the project manager, a development team of programmers and a separate test team of testers.
D. Independent testers at the user group: the user group's testers test the development group's product.
E. Independent test specialists for specific test targets such as usability, security or certification: a test group (e.g., SQM) alongside the development group.
F. Independent testers outsourced or external: testers from an outsourcing company, for the whole system or for a specific development target.
66
Activity of Implementation and Migration

• Implementation / Migration Planning
  - Preparation of planning: the support structure and functions to be in place
  - User/operator training plan
  - Data migration plan
  - Fallback (rollback) scenario

• Changeover (Go-live or Cutover) Techniques
  1. Parallel changeover: all modules (1 to n) of the old and new systems run side by side over the rollout schedule before the old system is retired.
  2. Abrupt changeover: all modules (1 to n) are switched to the new system at one point in the rollout schedule.
  3. Phased changeover: modules are switched to the new system one group at a time (Module 1, Module 2, ... Module m, ... Module n) according to the rollout schedule.
67
Risk of Operation of Information System
Even if the system of ABC Company doesn't have bugs, there are many risks and failures.
(Figure: ABC Company's e-commerce system and its e-commerce DB exchange transactions with 123 Company and XYZ Company and serve customers; the risks marked on the figure are listed below.)
• Mistake of input by the operator
• Automated transactions processed without checking
• Mistake when updating master data
• Inconsistency of data between the companies
• Error reports thrown out (ignored)
• Inappropriate procedure for handling error data
• Customer errors
• Illegal access by criminals
68
Definition of error, failure and risk in Test and Control
• Factor: human error (human action that produces an incorrect result); malice; change of environment (disaster, new standard).
• Test: the stage at which defects are found. Defect (bug, fault): flaw in a component or system that causes it to fail to perform its required function.
• Risk: remaining bugs, operation error, crime, system break. A risk is a factor that could result in future negative consequences; usually expressed as impact and likelihood.
• Control: prevents a risk from appearing and/or occurring as a failure (risk management and control).
• Failure: deviation of the component or system from its expected delivery, service or result.
69
Test and ITAC (Control) and Audit in the context of risk management
• Test
  Activity to get rid of the factors that cause risks and failures, before cut-over
• ITAC (IT Application Control)
  Activity, process and means to prevent risks and failures and/or to reduce the effect of risks and failures (after cut-over)

Role of Auditors related to ITAC
• Propose and suggest activity, process and means for control
• Audit (monitor and check) controls

70
System Development and IT Control
Activities along the life cycle: Requirement Analysis -> Design & Program -> Testing -> Migration -> (cut-over) -> Operation, Maintenance (changing) and Monitoring.
Management and control functions spanning the activities:
• Regulation, Manual & Procedure
• Project Management (development activities)
• Software Quality Assurance (development activities)
• Operation Management (operation activities)
• IT Control (ITAC) as the control function
All items are targets of IS audit.
71

IT control

Three layers of IT control over the company:
• ITCLC: IT Company Level Control (company-wide)
  * IT Governance/Policy  * IT Risk Management  * Training  * Quality Assurance  * IT Internal Audit
• ITGC: IT general controls (system development, system operation and the IT infrastructure: network, servers, PCs ...)
  • Logical access controls
  • System development life cycle controls
  • Program change management controls
  • Data center physical security controls
  • System and data backup and recovery
  • Computer operation controls
• ITAC: IT Application Control (application systems such as accounting and sales; processing must be complete and accurate)
  • Input Data Control
  • Processing Control
  • Output Control
72
Control Items of ITAC

Major means of control:
• Input Management (Control)
  - Data entry controls
  - Input (transaction) authorization
  - Batch control
  - Segregation of duties
  - System edits
  - Error reporting and handling
• Processing Management (Control)
  - Interface control
  - Data file control
  - System edits
  - Error reporting and handling
• Output Management (Control)
  - Reconciliation
  - Distribution
  - Access

ITGC underlying the ITAC: Access Management (Control)
  - User IDs/passwords
  - Data security
  - Network security
  - Security administration
  - Access authorization
73
Overview of Means and Technique

Internal control means, by who carries them out:
• Human: regulation of human operation; regulation of working records
• Human & Computer: operation logs
• Computer: function for detecting errors; monitoring system; system logs & transaction log

System audit activities against those means:
• Checking regulations
• Checking working records
• Checking system logs
• Testing functions
• Testing & monitoring the information system
74
Objectives of Control of Input Management (Control)

Objective: The organization makes a regulation of input management and complies with it.
  Sample of control: regulation including procedure, method of verification and authorization for input activities.
  Sample of audit: checking regulation documents; inspection of working records of input activity.

Objective: Operation of input is carried out based on the regulation and assures neither repeated nor missing input.
  Sample of control: procedure to put a stamp on a form sheet after input; system function to check the serial No. of input data.
  Sample of audit: all form sheets have a stamp after input; checking that there is no repeated data in the database.

Objective: Sufficient means and functions prevent input error and illegal operation.
  Sample of control: system function can detect invalid data input; operators can use only specific PCs (terminals).
  Sample of audit: review and testing of the system function; access log of the PCs.

Objective: Storing and abolishing data is carried out based on the regulation.
  Sample of control: regulation for abolishing report documents; only authorized persons can access (see) past data.
  Sample of audit: checking records of abolishing documents; checking the access log for the database.

Controls exist both with an IT system and without an IT system.
75
Objectives of Control of Processing Management (Control)

Objective: The organization makes a regulation of data management and complies with it.
  Sample of control: regulation including procedure, method of verification and authorization for data management.
  Sample of audit: checking regulation documents; inspection of working records of backup.

Objective: Data access control and monitoring work effectively.
  Sample of control: regulation of access control for updating master data.
  Sample of audit: checking the access log for the database.

Objective: Integrity of data is guaranteed.
  Sample of control: regulation for checking the data range of master data.
  Sample of audit: checking test records of data updates.

Objective: Data transfer complies with its regulation.
  Sample of control: regulation of data transfer.
  Sample of audit: checking records of transferred data.

Objective: Data exchange takes appropriate means to prevent illegal access and to keep security.
  Sample of control: function for error correction during data exchange.
  Sample of audit: log data of exchange error correction.

Objective: Storing, copying and abolishing data prevent illegal access and keep security.
  Sample of control: regulation for abolishing report documents.
  Sample of audit: checking records of abolishing documents.
76
Objectives of Control of Output Management (Control)

Objective: The organization makes a regulation of output management and complies with it.
  Sample of control: regulation including procedure, method of verification and authorization for output activities.
  Sample of audit: checking regulation documents; inspection of working records of output activity.

Objective: Operation of output is carried out based on the regulation and assures neither repeated nor missing output; sufficient means and functions prevent output error and illegal operation.
  Sample of control: regulation defines the person responsible for the output procedure.
  Sample of audit: checking the access log for output data.

Objective: Distribution of output is carried out based on its regulation.
  Sample of control: regulation of output distribution.
  Sample of audit: checking distribution of output reports.

Objective: Storing and abolishing output is carried out based on the regulation.
  Sample of control: regulation for abolishing report documents.
  Sample of audit: checking records of abolishing documents.
77
Technique and Means of Control of Input Management (Control)

Data preparation control
• Well-designed source document or form:
  - Grouping similar input fields
  - Providing appropriate codes to reduce error
  - Containing appropriate serial No. and cross-reference No.
  - Appropriate input field style to reduce error
  - Including an appropriate field for document authorization

Input authorization
• Signature on form or source document
• Online access control (only authorized individuals can access specific information)
• Unique password (don't share a password nor grant a password to others)
• Usage of specific terminals or a specific area
• Segregation of duties

Batch control
• Appropriate batch header form including application name, transaction code, preprinted No., identification data
• Total monetary amount (verification that the total monetary value of the items processed equals the total monetary value of the batch documents)
• Total items (No. of units ordered in the batch and No. of units processed)
• Total number of documents
• Hash totals (verification of the total of hash values: fields with no meaning in the form, such as preprinted fixed numbers, summed only for control)
• Reviewing online batch input by a manager
78
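The batch control totals above (document count, total items, total monetary amount, hash total) are easy to see in code. The following is an added example written for this text, not code from the original slides or from any audit tool; the batch layout, the field names and the sample values are constructed. It recomputes each control total from the keyed lines, compares it with what the preparer wrote on the batch header, and also runs a sequence check on the preprinted document numbers so that a duplicated or skipped document is reported even when the other totals happen to balance.

```python
"""Batch input control: recompute batch control totals and compare with the batch header.

Added example (not from the original text). Batch layout, field names and sample
values are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    doc_no: int        # preprinted document number (used for the sequence check)
    account: str       # account code: no arithmetic meaning, used only for the hash total
    units: int
    amount: Decimal


@dataclass(frozen=True)
class BatchHeader:
    """Control totals written on the batch header form by the preparer."""
    batch_id: str
    document_count: int
    total_units: int
    total_amount: Decimal
    hash_total: int    # sum of the account codes treated as plain numbers


def compute_totals(lines):
    """Recompute the four control totals from the keyed lines."""
    return {
        "document_count": len(lines),
        "total_units": sum(line.units for line in lines),
        "total_amount": sum((line.amount for line in lines), Decimal("0")),
        "hash_total": sum(int(line.account) for line in lines),
    }


def check_batch(header, lines):
    """Return a list of control exceptions; an empty list means the batch balances."""
    actual = compute_totals(lines)
    expected = {
        "document_count": header.document_count,
        "total_units": header.total_units,
        "total_amount": header.total_amount,
        "hash_total": header.hash_total,
    }
    exceptions = [f"{name}: header {expected[name]} vs computed {actual[name]}"
                  for name in expected if expected[name] != actual[name]]
    # Sequence check on the preprinted numbers: duplicates and gaps both get reported.
    numbers = sorted(line.doc_no for line in lines)
    for first, second in zip(numbers, numbers[1:]):
        if second == first:
            exceptions.append(f"duplicate document {first}")
        elif second != first + 1:
            exceptions.append(f"gap between documents {first} and {second}")
    return exceptions


# Constructed sample batch that balances against its header.
GOOD_LINES = [Line(1001, "4100", 5, Decimal("250.00")),
              Line(1002, "4200", 2, Decimal("80.50")),
              Line(1003, "4100", 1, Decimal("19.99"))]
HEADER = BatchHeader("B-0001", 3, 8, Decimal("350.49"), 12400)

# Same header, but document 1002 keyed twice with a mis-keyed amount and 1003 left out.
BAD_LINES = [Line(1001, "4100", 5, Decimal("250.00")),
             Line(1002, "4200", 2, Decimal("85.00")),
             Line(1002, "4200", 2, Decimal("85.00"))]

if __name__ == "__main__":
    print("good batch:", check_batch(HEADER, GOOD_LINES))
    for exc in check_batch(HEADER, BAD_LINES):
        print("bad batch:", exc)
```

The hash total is deliberately computed over a field with no business meaning: it catches a line keyed against the wrong account even when amounts and counts agree, which is exactly the point of the technique.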
Technique and Means of Control of Input (Processing) Management

Regulation and monitoring
• Transaction log (input process and batch process)
• Documented regulation
• Transmittal log
• Cancellation of source documents (by punching holes or marking, to avoid duplicate entry)

Error reporting and handling
• Appropriate error handling
  - Rejecting only the transactions with errors
  - Rejecting the whole batch of transactions
  - Holding the batch in suspense
  - Accepting the batch and flagging the error transactions
• Appropriate error correction procedure
  - Logging of errors
  - Timely corrections
  - Upstream resubmission
  - Approval of corrections
  - Suspense file
  - Error file
  - Validity of corrections
79
Technique and Means of Control of Processing (Input) Management

Data validation and editing procedures
• Sequence check (to avoid duplicated and missing records)
• Limit check (not only input data, but also updates of master data)
• Range check
• Validity check (checking whether the input data is one of the values of the defined set)
• Reasonableness check (e.g., the requested number of an order)
• Table lookup (validity by using a table)
• Key verification (validity: no duplicated key)
• Completeness check (null check of the data in a specific field)
• Duplication check (checking duplication of transactions)
• Logical relation check (e.g., if he has a wife, he must be over xx years old)

Process validation and verification
• Manual recalculation
• Run-to-run totals (checking values between processes, e.g., the sum after the middle process against the sum after the end process)
• Limit check of amounts
• Reasonableness of amounts
• Exception reports
• Reconciliation (cross comparison) of file totals
80
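The data validation and editing procedures listed above are the system edits an auditor tests when reviewing input controls. The following added example, written for this text and not taken from the original slides, applies them to a constructed order file: completeness, key verification and duplication, table lookup against master data, validity against a code set, limit, range, reasonableness and logical relation checks per record, plus a sequence check across the whole file. The field names, limits and lookup tables are assumptions made for the example.

```python
"""Data validation and editing procedures applied to a constructed order file.

Added example, not from the original text. Field names, limits and the lookup
tables below are assumptions for illustration.
"""

CUSTOMERS = {"C001": {"country": "JP"}, "C002": {"country": "PH"}}  # master table for lookup
VALID_STATUS = {"NEW", "HOLD", "SHIP"}                               # permitted status codes
UNIT_LIMIT = 1000                      # limit check: no order line above this many units
PRICE_RANGE = (0.01, 50_000.00)        # range check for the unit price


def validate_record(rec, seen_keys):
    """Run the per-record edits; return the list of edit failures (empty if clean)."""
    errors = []
    # Completeness check: required fields must be present and non-empty.
    for field in ("order_id", "customer", "qty", "price", "status"):
        if rec.get(field) in (None, ""):
            errors.append(f"{field} missing")
    if errors:
        return errors              # the remaining edits need these fields
    # Key verification / duplication check against keys already accepted.
    if rec["order_id"] in seen_keys:
        errors.append(f"duplicate key {rec['order_id']}")
    # Table lookup: the customer must exist in master data.
    if rec["customer"] not in CUSTOMERS:
        errors.append(f"unknown customer {rec['customer']}")
    # Validity check: the status must be one of the defined codes.
    if rec["status"] not in VALID_STATUS:
        errors.append(f"invalid status {rec['status']}")
    # Limit check on the quantity.
    if rec["qty"] > UNIT_LIMIT:
        errors.append(f"qty {rec['qty']} exceeds limit {UNIT_LIMIT}")
    # Range check on the price.
    if not PRICE_RANGE[0] <= rec["price"] <= PRICE_RANGE[1]:
        errors.append(f"price {rec['price']} out of range")
    # Reasonableness check: an order for zero or negative units is not a sensible order.
    if rec["qty"] <= 0:
        errors.append("qty not positive")
    # Logical relation check: a shipped order must carry a ship date.
    if rec["status"] == "SHIP" and not rec.get("ship_date"):
        errors.append("SHIP status without ship_date")
    return errors


def validate_file(records):
    """Apply the edits to a whole file; return [(order_id, [errors]), ...] for failing records."""
    report = []
    seen = set()
    prev = None
    for rec in records:
        errs = validate_record(rec, seen)
        oid = rec.get("order_id")
        if isinstance(oid, int):
            # Sequence check across the file: ids must increase by exactly one,
            # which exposes missing and out-of-order records.
            if prev is not None and oid != prev + 1:
                errs.append(f"sequence break after {prev}")
            prev = oid
            seen.add(oid)
        if errs:
            report.append((oid, errs))
    return report


# Constructed sample file: the first record is clean, the others each break some edits.
SAMPLE = [
    {"order_id": 1, "customer": "C001", "qty": 10, "price": 99.0, "status": "NEW"},
    {"order_id": 2, "customer": "C009", "qty": 5000, "price": 10.0, "status": "NEW"},
    {"order_id": 2, "customer": "C002", "qty": 1, "price": 20.0, "status": "SHIP"},
    {"order_id": 5, "customer": "C002", "qty": 3, "price": 0.0, "status": "XXX"},
    {"order_id": 6, "customer": "", "qty": 1, "price": 1.0, "status": "NEW"},
]

if __name__ == "__main__":
    for oid, errs in validate_file(SAMPLE):
        print(oid, errs)
```

Keeping each edit as a separate, named check is what makes the later error reporting useful: the error file then records which edit failed, so corrections can be reviewed and resubmitted upstream as the previous slide describes.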
Technique and Means of Control of Processing Management

Data file control
• Before and after image report (the difference proves the transactions were done correctly)
• Maintenance error reporting and handling (checking and reviewing the error handling by personnel who did not do the handling)
• Source document retention (verification of the file against the source data)
• Internal and external labeling (labeling of physical removable storage such as tapes and disk cartridges)
• Version management
• Data file security
• One-for-one checking (verification by comparison between the data and the source document)
• Transaction log
• File updating and maintenance authorization
• Parity checking

Types of data files
• System control parameters (configuration parameters)
• Master data (standing data): not changed by transactions
• Master data (balancing data): changed by transactions
• Transaction file
81
Technique and Means of Control of Output Management

Output validation procedure
• Sequence check (to avoid duplicated and missing output)
• Balancing and reconciling
• Log of online distribution

Output delivery and storage
• Logging and storage of negotiable, sensitive and critical forms in a secure place
• Computer generation of negotiable instruments, forms and signatures, including intellectual property
• Appropriate report printing and distribution, including electronic reporting
  - Control of the printing spool
  - Authentication of printing
  - Printing in a secure and safe room
  - Delivery and recipient evidence such as a signature
• Output report retention
• Output error handling
82
Overview of Auditing ITAC (Application Controls)
Internal control is carried out by humans, by humans & computers, and by computers; the information system audit examines all three through the following activities:

• Preparation
  - Checking development documents and regulations
  - Analyzing transaction flow
  - Modeling risk assessment
• Observing and testing users performing procedures
• Data integrity testing: to assure accuracy, completeness, consistency and authorization of data held in a system
• Data integrity testing in online transaction processing systems: to assure tolerance to multiple parallel user accesses
• Test of application system: to test the effectiveness of application controls
• Continuous online auditing: to collect evidence from the live information system
• CAAT (Computer Assisted Audit Tools), e.g., GAS (General Audit System)
83
Preparation of Auditing for ITAC

Checking documents and interviews
• System methodology documents
• Function design documents
• User manual / operation manual and regulations
• Technical reference documents
• Records of program changes

Analyzing transaction flow
• To find the important controls
• To find the weak points of transactions and controls

Modeling risk assessment: factors of the risk model
• Quality of internal conditions
• Economic conditions / regulatory agency impact
• Time in existence
• Staff turnover
• Time elapsed since last audit / prior audit results
• Complexity of operation
• Recent accounting system changes / recent changes in key positions
• Transaction volume / monetary volume
• Sensitivity of transactions
• Impact of application failure
84
Methods and Targets of Observing and testing user performing procedure: Auditing ITAC

Separation of duties
• Ensure that no individual has the capability for more than one of the following processes: input, authorization, verification and distribution, by reviewing job descriptions and authorization levels.

Balancing
• Verify run-to-run control totals and other application totals.

Error control and correction
• Error and correction reports provide evidence of appropriate review, timely correction and resubmission.

Distribution of reports
• Critical output reports should be produced and maintained in a secure area and distributed in an authorized manner.

Review and testing of access authorization and capability
• Access control tables provide information on each individual's access level; test that the access rules are appropriate, as management intended.
• Activity reports or access (log-in) logs provide detailed information on actual access; in particular, the access violation log should be reviewed.
85
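Two of the review steps above, the separation-of-duties review of the access control table and the review of the access violation log, lend themselves to a small audit script. The following is an added example written for this text, not code from the original slides or from any audit product; the user names, the access-table layout and the log lines are constructed. It flags any user holding two or more of the four duties the slide names, lists every denied action, flags users who appear in the log but not in the access table, and raises a finding when denied logins for one user reach a threshold.

```python
"""Segregation-of-duties review of an access control table, and review of an access log.

Added example, not from the original text. Role names, table layout and log lines
are constructed assumptions.
"""
from collections import defaultdict

# Duties the text says must not be combined in one individual.
INCOMPATIBLE = {"input", "authorization", "verification", "distribution"}

# Constructed access control table: (user, duty) as management intended it.
ACCESS_TABLE = [
    ("alice", "input"), ("bob", "authorization"), ("carol", "verification"),
    ("dave", "distribution"), ("erin", "input"), ("erin", "authorization"),
    ("frank", "input"), ("frank", "readonly"),
]


def known_users(table):
    return {user for user, _ in table}


def sod_conflicts(table):
    """Return {user: sorted duties} for every user holding more than one incompatible duty."""
    duties = defaultdict(set)
    for user, duty in table:
        if duty in INCOMPATIBLE:
            duties[user].add(duty)
    return {user: sorted(d) for user, d in duties.items() if len(d) > 1}


# Constructed access log: timestamp, user, action, result.
ACCESS_LOG = """\
2010-10-01T08:01:12 alice LOGIN OK
2010-10-01T08:05:40 alice INPUT_TXN OK
2010-10-01T08:07:02 erin APPROVE_TXN OK
2010-10-01T22:14:55 bob LOGIN DENIED
2010-10-01T22:15:01 bob LOGIN DENIED
2010-10-01T22:15:09 bob LOGIN DENIED
2010-10-02T09:00:00 mallory LOGIN DENIED
2010-10-02T09:30:00 carol APPROVE_TXN DENIED
"""


def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, user, action, result = line.split()
        rows.append({"ts": ts, "user": user, "action": action, "result": result})
    return rows


def violations(log_rows, users, threshold=3):
    """Pick out the entries an auditor should review:
    denied actions (the violation log), users absent from the access table,
    and a user whose denied logins reach the threshold."""
    findings = []
    denied_logins = defaultdict(int)
    for row in log_rows:
        if row["user"] not in users:
            findings.append(f"{row['ts']} unknown user {row['user']}")
        if row["result"] == "DENIED":
            findings.append(f"{row['ts']} {row['user']} denied {row['action']}")
            if row["action"] == "LOGIN":
                denied_logins[row["user"]] += 1
                if denied_logins[row["user"]] == threshold:
                    findings.append(f"{row['user']}: {threshold} denied logins")
    return findings


if __name__ == "__main__":
    print("SoD conflicts:", sod_conflicts(ACCESS_TABLE))
    for finding in violations(parse_log(ACCESS_LOG), known_users(ACCESS_TABLE)):
        print(finding)
```

The access table tells the auditor what management intended; the log tells what actually happened. Running both checks side by side is what turns the two slide bullets into evidence: a conflict in the table is a design weakness, a pattern in the violation log is an operating one.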
Methods and Targets of Data integrity Testing
• Data integrity testing is a set of substantive tests that examine accuracy, completeness, consistency and authorization.
• Failure of data integrity is the result of failure of input and/or processing. Because of this, data integrity testing uses methods and techniques similar to those used for testing input controls.
• Two types of data integrity
  - Relational integrity
    Targets are each record and/or the items in a record. Relational integrity is enforced by the data-checking functions of the input process and
  - Referential integrity
    Targets are the existence relationships between entities in different tables of a database. It is necessary that references (by primary key and foreign key) be kept consistent in the event of Insert, Delete and Update.

86
Methods and Targets of Data integrity Testing in online transaction processing systems
The importance of data integrity is known as the ACID principle.
• Atomicity
  From the user's perspective, a transaction is either completed or not done at all. If an error or interruption occurs, all changes made up to that point are backed out.
• Consistency
  All integrity conditions in the database are maintained.
• Isolation
  Under multi-user conditions, each transaction is isolated from other transactions.
• Durability
  If a transaction has been reported to the user as complete, the resulting changes to the database survive subsequent hardware or software failures.

87
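The referential integrity point of the previous slide and the atomicity point of this one can both be shown on one small database. The following is an added example written for this text, not code from the original slides; the two-table schema (customers referenced by orders) and its rows are constructed, and SQLite is used only because it ships with Python. It shows the orphan-detection query an auditor runs against a database whose foreign keys are not enforced, the same delete being refused when the constraint is enforced, and a two-statement update that is rolled back as a whole when its second statement fails.

```python
"""Referential integrity check and atomicity demonstration with sqlite3.

Added example, not from the original text. The customers/orders schema and
its rows are constructed for illustration.
"""
import sqlite3


def build_db(enforce_fk):
    """Create an in-memory database; enforce_fk toggles SQLite's foreign-key enforcement."""
    con = sqlite3.connect(":memory:")
    con.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    con.execute("""CREATE TABLE orders (
                       id INTEGER PRIMARY KEY,
                       customer_id INTEGER NOT NULL REFERENCES customers(id),
                       amount REAL NOT NULL CHECK (amount >= 0))""")
    con.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "ABC"), (2, "XYZ")])
    con.executemany("INSERT INTO orders VALUES (?, ?, ?)", [(10, 1, 100.0), (11, 2, 50.0)])
    con.commit()
    return con


def orphan_orders(con):
    """Audit query: orders whose customer_id matches no customer (a referential integrity break)."""
    rows = con.execute("""SELECT o.id FROM orders o
                          LEFT JOIN customers c ON c.id = o.customer_id
                          WHERE c.id IS NULL
                          ORDER BY o.id""").fetchall()
    return [row[0] for row in rows]


def delete_customer(con, customer_id):
    """Try to delete a customer; return True if the delete went through."""
    try:
        con.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
        con.commit()
        return True
    except sqlite3.IntegrityError:      # raised only when foreign keys are enforced
        con.rollback()
        return False


def transfer_atomic(con, from_order, to_order, amount):
    """Move an amount between two orders as one transaction.
    If the second UPDATE violates the CHECK constraint (amount would go negative),
    the whole transaction is rolled back, so the first UPDATE is undone too."""
    try:
        with con:                        # commit on success, rollback on exception
            con.execute("UPDATE orders SET amount = amount + ? WHERE id = ?",
                        (amount, to_order))
            con.execute("UPDATE orders SET amount = amount - ? WHERE id = ?",
                        (amount, from_order))
        return True
    except sqlite3.IntegrityError:
        return False


def amounts(con):
    """Current order amounts, keyed by order id."""
    return dict(con.execute("SELECT id, amount FROM orders ORDER BY id").fetchall())


if __name__ == "__main__":
    weak = build_db(enforce_fk=False)
    delete_customer(weak, 2)
    print("orphans without FK enforcement:", orphan_orders(weak))
    strict = build_db(enforce_fk=True)
    print("delete refused with FK enforcement:", not delete_customer(strict, 2))
    print("atomic transfer ok:", transfer_atomic(strict, 11, 10, 30.0), amounts(strict))
    print("failed transfer rolled back:", not transfer_atomic(strict, 11, 10, 500.0), amounts(strict))
```

The orphan query is the substantive test; the enforced constraint is the control. Finding orphans in a production database tells the auditor that either the constraint is missing or something bypassed it, and both are findings.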
Overviews of Methods and Targets of Test of Application System and Continuous online Auditing

(Figure: two environments side by side. In the testing and simulation environment, test data are run through simulated processing. In the real environment (live system), real data go through Input -> Processing -> Output while an audit module checks input and processing and dumps and tracing capture internal data. The outputs of the two environments are validated and verified by comparison.)
88
Methods and Targets of Test of Application System and Continuous online Auditing (1)

• Mapping: to detect code that is not tested; similar to measuring test coverage. (Needs a function to measure coverage.)
• Tracing and tagging: to trace specific transactions in the real or a simulated system. (Needs skill for tracing, or development of a tracing function.)
• Test data / deck: inputting test data to the real system; the result is expected. (It doesn't prove that all the code has been run.)
• Base case system evaluation: testing by using the test cases of integration testing. (Needs a lot of time and effort to conduct.)
• Parallel operation: to compare the old system and the new system with the same data.
• Parallel simulation: to check real (live) data by using a simulation program that has the same process logic as the real system. (Needs development of the simulation program.)
• Extended record: to extract specific data and transactions to audit files, manually or automatically with an audit module. (When using an audit module, needs development of a program.)
89
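Parallel simulation, from the table above, is the method where the auditor writes an independent program with the same processing logic as the live system and runs the live data through it. The following added example, written for this text and not code from the original slides, does that for an invoicing rule: the pricing rule, the record layout and the "live" input and "system output" values are all constructed assumptions. The comparison reports three kinds of exception: a total that differs from the simulated one beyond a tolerance, a live transaction missing from the system's output, and a system output with no corresponding live transaction.

```python
"""Parallel simulation: reprocess live transactions with independently written logic
and compare the result with the system's own output.

Added example, not from the original text. The pricing rule, record layout and
sample data are constructed assumptions.
"""
from decimal import Decimal, ROUND_HALF_UP

CENTS = Decimal("0.01")


def simulate_invoice(txn):
    """Business rule the application is supposed to implement (assumed for the example):
    gross = qty * unit_price; 10% discount when qty >= 100; 12% tax on the discounted amount."""
    gross = Decimal(txn["qty"]) * Decimal(txn["unit_price"])
    discount = gross * Decimal("0.10") if txn["qty"] >= 100 else Decimal("0")
    net = gross - discount
    tax = (net * Decimal("0.12")).quantize(CENTS, ROUND_HALF_UP)
    return (net + tax).quantize(CENTS, ROUND_HALF_UP)


def parallel_simulation(live_txns, system_output, tolerance=Decimal("0.01")):
    """Compare simulated totals with the system's totals; return the exception list."""
    exceptions = []
    simulated = {txn["id"]: simulate_invoice(txn) for txn in live_txns}
    for tid, expected in simulated.items():
        if tid not in system_output:
            exceptions.append(f"{tid}: not in system output")
        elif abs(system_output[tid] - expected) > tolerance:
            exceptions.append(f"{tid}: system {system_output[tid]} vs simulated {expected}")
    for tid in system_output:
        if tid not in simulated:
            exceptions.append(f"{tid}: in system output but not in live input")
    return exceptions


# Constructed live transactions (what the real system received).
LIVE = [
    {"id": "T1", "qty": 10, "unit_price": "12.50"},
    {"id": "T2", "qty": 100, "unit_price": "3.00"},
    {"id": "T3", "qty": 7, "unit_price": "99.99"},
]

# Constructed system output: T2 was billed without its discount, T3 is missing,
# and T4 has no source transaction at all.
SYSTEM = {
    "T1": Decimal("140.00"),
    "T2": Decimal("336.00"),
    "T4": Decimal("10.00"),
}

if __name__ == "__main__":
    for exc in parallel_simulation(LIVE, SYSTEM):
        print(exc)
```

The simulation program must be written from the specification, not copied from the application, otherwise it inherits the same defects; that independence is what makes the comparison evidence rather than a self-check.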
Methods and Targets of Test of Application System and Continuous online Auditing (2)

• Embedded Audit Module / System Control Audit Review File (EAM/SCARF): adding audit functions that extract specific transactions into review files. (Needs development of specific alert functions.)
• Integrated testing facility (ITF): inputting test data/transactions to the live system; the result is expected. (Needs a precise plan so as not to affect real processing.)
• Snapshot: adding dump modules to the system; the dump shows the passing of specific points and their internal data. (Proves the program logic; needs knowledge of IT development and programming.)
• Continuous and Intermittent Simulation (CIS): to check the processing of each transaction before real processing, by using a simulation function. (Needs development of specific alert functions.)
• Audit hooks: adding alert functions to detect the risk of error or irregularity before a serious failure. (Needs development of specific alert functions.)
90
Comparison among methods of Continuous online Auditing

• System Control Audit Review File and Embedded Audit Module (SCARF/EAM): complexity very high; useful when regular processing cannot be interrupted.
• Integrated testing facility (ITF): complexity high; useful when it is not beneficial to use test data.
• Snapshot: complexity medium; useful when an audit trail is required.
• Continuous and Intermittent Simulation (CIS): complexity medium; useful when transactions meeting certain criteria need to be examined.
• Audit hooks: complexity low; useful when only selected transactions or processes need to be examined.
91
Methods and Targets of Observing and testing System development life cycle controls: Auditing ITGC (1)

Project Management
• Oversight by project committee/board
• Risk management and problem management
• Cost management
• Planning process
• Reporting process to senior management
• Stakeholder management
• Sign-off and authorization process

Feasibility Study
• Identify and determine the criticality of needs
• Determine the reasonability of the chosen solution
• Determine the justification and benefit of all the costs

Requirement Definition
• Identify key stakeholders and verify that they have appropriate representation in the project team
• Verify the accuracy of the requirement document through interviews with relevant users
• Determine whether an appropriate number of vendors can receive the requirements (some vendors can realize a system)
• Verify that project start and cost have been approved by the proper management positions/groups
• Review the design to ensure that control specifications have been defined
• Survey and determine whether the system needs some embedded audit functions
92

Methods and Targets of Observing and testing System development life cycle controls: Auditing ITGC (2)

Software Acquisition Process (Procurement)
• Determine the reasonability of acquiring a solution by reviewing the feasibility study
• Review the RFP to ensure that it contains all the information necessary for an RFP
• Ensure fairness in selecting a vendor based on the RFP
• Review the vendor contract to ensure that it includes the items the RFP mentions
• Ensure the contract is reviewed by legal counsel before it is signed

Detail Design and Development
• Review whether appropriate controls of input, processing and output are designed
• Ensure the validity of the specifications for screen design, operation and output format by interviews with the main users
• Review whether appropriate audit functions are designed
• Review the quality assurance results of the design activities
• Review whether the design activity follows the regulations appropriately, such as authorization and user review

Testing

93

Chapter 2.
Domain1:
IS Audit Process

94
Overview of Tasks for Domain 1
•1.1 Develop and implement a risk-based IS audit strategy for the organization
in compliance with IS audit standards, guidelines and best practices.
•1.2 Plan specific audits to ensure that IT and business systems are protected
and controlled.
•1.3 Conduct audits in accordance with IS audit standards, guidelines and best
practices to meet planned audit objectives.
•1.4 Communicate emerging issues, potential risks and audit results to key
stakeholders.
•1.5 Advise on the implementation of risk management and control practices
within the organization, while maintaining independence.

95
Overview of skill and knowledge for Domain 1
•1.1 ISACA IS Auditing Standards, Guidelines and Procedures and the Code of
Professional Ethics
•1.2 IS auditing practices and techniques
•1.3 techniques to gather information and preserve evidence (e.g., observation,
inquiry, interview, CAATTs and electronic media)
•1.4 the evidence life cycle (e.g., the collection, protection, chain of custody)
•1.5 control objectives and controls related to IS (e.g., COBIT)
•1.6 risk assessment in an audit context
•1.7 audit planning and management techniques
•1.8 reporting and communication techniques (e.g., facilitation, negotiation and
conflict resolution)
•1.9 control self-assessment (CSA)
•1.10 continuous audit techniques

96
IS Audit Small Quiz No.3

Domain 3 IS Audit Process

Subject: Audit Planning, Risk Management, Methods of Audit and Audit Reporting

Quiz book

97
Type of Audits

• Financial audits: purpose is to assess the correctness of an organization's financial statements. IT auditors work under financial auditors and test financial information integrity and reliability.
• Operational audits: purpose is to evaluate the internal control structure in a specific process and area, such as application controls and the logical security system.
• Integrated audits: combination of financial audits and operational audits.
• Administrative audits: purpose is to evaluate and improve the efficiency of operational productivity within an organization.
• IS audits: purpose is to evaluate the internal controls for information systems. Targets are ITCLC, ITGC and ITAC.
• Specialized audits: specialized reviews that examine areas such as services performed by third parties. SAS 70 (Statement on Auditing Standards No. 70), developed by the AICPA (American Institute of Certified Public Accountants), is widely known.
• Forensic audits: special audits for discovering, disclosing and following up on frauds and crimes.
98
Overview of IS audit Process
What you will learn in this Chapter

Audit Process: Planning -> Perform Test (inspection & test; methods and technique) -> Audit Report & Follow-up
• Risk assessment feeds the planning
• Evidence and findings come out of the tests and go into the report
All of this rests on the IS Audit Charter / Guideline.
99
Framework and Guideline of IS audit (1)
IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance
and Control Professionals (330 pages) (http://www.isaca.org/)

IT Audit and Assurance Standards (Framework)


S1 Audit Charter
S2 Independence
S3 Professional Ethics and Standards
S4 Competence
S5 Planning
S6 Performance of Audit Work
S7 Reporting
S8 Follow-Up Activities
S9 Irregularities and Illegal Acts
S10 IT Governance
S11 Use of Risk Assessment in Audit Planning
S12 Audit Materiality
S13 Using the Work of Other Experts
S14 Audit Evidence
S15 IT Controls
S16 E-commerce
100
Framework and Guideline of IS audit (2)
Index of IT Audit and Assurance Guidelines (G1-G44)
G2 Audit Evidence Requirement
G3 Use of Computer Assisted Audit Techniques (CAATs)
G5 Audit Charter
G6 Materiality Concepts for Auditing Information Systems
G8 Audit Documentation
G9 Audit Considerations for Irregularities and Illegal Acts
G10 Audit Sampling
G11 Effect of Pervasive IS Controls
G12 Organisational Relationship and Independence
G13 Use of Risk Assessment in Audit Planning
G15 Audit Planning
G18 IT Governance
G20 Reporting
G21 Enterprise Resource Planning (ERP) Systems
G23 System Development Life Cycle (SDLC)
G28 Computer Forensics
G31 Privacy
G33 General Considerations on the Use of the Internet
G34 Responsibility, Authority and Accountability
G35 Follow-up Activities
G37 Configuration Management Process
G38 Access Controls
G39 IT Organisation
G40 Review of Security Management Practices
G42 Continuous Assurance
101
Framework and Guideline of IS audit (3)
Index of IT Audit and Assurance Tools and Techniques
P1 IS Risk Assessment
P2 Digital Signatures
P3 Intrusion Detection
P4 Viruses and other Malicious Code
P5 Control Risk Self-assessment
P6 Firewalls
P7 Irregularities and Illegal Acts
P8 Security Assessment—Penetration Testing and Vulnerability Analysis
P9 Evaluation of Management Controls Over Encryption Methodologies
P10 Business Application Change Control
P11 Electronic Funds Transfer (EFT)

102
Audit Risk
Risk in Audit itself: the risk that a misstatement is not detected during the audit process.

•Inherent Risk: risk that exists without any control (ex. the process is complex)
•Control Risk: risk that a control fails (ex. a human makes a mistake)
•Detection Risk: risk that the audit fails to detect the misstatement (ex. inadequate test)

Check & Test: Compliance Test -> Control; Substantive Test -> Audit

Overall Audit Risk: the combination of Inherent Risk, Control Risk and Detection Risk

103
Flow of Audit Process
Audit Charter
•Scope with goals and objectives
•Authority of an audit
•Responsibility and actions among stakeholders
Audit Planning & Gathering information
•Knowledge of the business
•Regulatory status
•Prior audit result
•Inherent risk assessment
Risk Assessment & Understanding Internal Control
•Survey control functions and procedures
•Result of control
•Control risk and detection risk assessment
•Identify targeted controls
Perform Compliance Tests
•Compliance tests on reliability, risk prevention, organization policy and procedure
Perform Substantive Tests
•Analytic procedure
•Detailed testing
•Other substantive testing
Reporting
•Audit report
•Creating recommendation
Follow-Up Activity

104
Type of Audit Plans
Long- or Mid-term Audit Plan (Audit Master Plan)
•Usually a 3 or 5 year plan
•Define scope and priority based on an audit policy
•Related to the IT system development plan and schedule
Annual Audit Plan
•Define (separate) audits in each year including a financial audit
•Define management information to conduct the audits, such as cost, schedule and resources
(Separate) Audit Plan
•Detail planning for each target of an audit
•Define plan of testing method and procedure, reporting and follow-up.

Cases of (Separate) Audit
•Reviewing security of a financial application for a large company with many branches.
•Auditing IT general control to enhance the development capability of a company
•Supervising (Auditing) the development and migration of a big ERP system
•Consulting on applying SOX internal control to a company in order to be listed on the stock market.

105
Example: Summary of Audit Plan (Separate, small audit plan for ITAC)
No | Item | Description
1 | Objective | The payment system is one of the important systems for the financial statement of ABC company. To evaluate the internal control of the system.
2 | Scope | •Validity and reliability of automated (embedded) controls in the system. •Validity and coverage of control functions realized by interaction between the system and human activities.
3 | Audit target | ABC payment system
4 | Audit item | •System specification documents & operation manual •Input form & screen design (input and search/reference) •Data & information stored in the system
5 | Audit organization | •Auditor group: xxxx, xxxx •Auditee: Department of business management and Department of accounting
6 | Audit procedure and schedule |
•Preliminary survey for risk assessment (17-30 Oct. 2009)
[Method] Interview and questionnaire
[Survey item] Summary of the payment system and overview of Dept. of business management and Dept. of accounting
[Point] Current situation and preparation of controls
•Compliance Testing (No.1) (1-15 Nov. 2009)
[Method] Check list, interview and checking the system specification
[Audit item] Automated (embedded) controls in the system
[Point] Validity and reliability of design of the controls
•Compliance Testing (No.n)
•Substantive testing (No.1) (1-20 Jan. 2010)
[Method] Comparison between database and printed quotation. Checking transaction log.
[Point] Testing of result of control functions.

106
General idea of Risk Assessment (Evaluation)
Basic element of Evaluating risks
•Impact, Effect
•Probabilities, likelihood
Very Simple Risk Evaluation Table (weighting by Impact & Probability)
Impact Big Medium Small
Probability
Often Fatal Serious Serious
Sometimes Serious Serious Minor
Rare Serious Minor Minor

Other (further) assessment methods

•Weighting by dividing into detailed factors
Impact => Sensitivity of the function to executive management, Materiality
Probability => Extent of system or process change, Complexity
•Ranking <- one reason why auditors use risk assessment
Multiply by the weight of business impact to make a ranking score.
Weight of business impact, example: Financial risk, Strategic risk, Operational risk and Legal compliance

107
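The evaluation table and the weighted ranking above, carried through in code. This is an added Python example written for this text, not part of the training material: the numeric scores per rating and the weights per business-impact category (Financial, Strategic, Operational, Legal compliance) are assumed values chosen for illustration, and the sample risks are constructed from the payment-system example used later in this chapter.

```python
# Added example, not from the training text. Encodes the Impact x Probability
# table of the slide and the "ranking by weighted business impact" idea.

# Impact x Probability table exactly as on the slide (rows: probability).
RISK_TABLE = {
    "Often":     {"Big": "Fatal",   "Medium": "Serious", "Small": "Serious"},
    "Sometimes": {"Big": "Serious", "Medium": "Serious", "Small": "Minor"},
    "Rare":      {"Big": "Serious", "Medium": "Minor",   "Small": "Minor"},
}

# Assumed numeric score per qualitative rating, used only for ranking.
RATING_SCORE = {"Fatal": 9, "Serious": 5, "Minor": 1}

# Assumed weight per business-impact category (illustrative values).
CATEGORY_WEIGHT = {
    "Financial": 1.5,
    "Strategic": 1.3,
    "Operational": 1.0,
    "Legal compliance": 1.4,
}


def rate_risk(impact, probability):
    """Qualitative rating from the table; KeyError on an unknown impact/probability."""
    return RISK_TABLE[probability][impact]


def risk_score(impact, probability, category):
    """Ranking score = rating score x business-impact weight."""
    return RATING_SCORE[rate_risk(impact, probability)] * CATEGORY_WEIGHT[category]


def rank_risks(risks):
    """Return the risks ordered from highest to lowest score, with rating and score attached."""
    scored = []
    for r in risks:
        rating = rate_risk(r["impact"], r["probability"])
        score = risk_score(r["impact"], r["probability"], r["category"])
        scored.append({**r, "rating": rating, "score": score})
    return sorted(scored, key=lambda x: x["score"], reverse=True)


# Constructed sample risks (illustrative only).
SAMPLE_RISKS = [
    {"name": "Missing invoice by EDI", "impact": "Medium",
     "probability": "Sometimes", "category": "Financial"},
    {"name": "Unauthorized DB modification", "impact": "Big",
     "probability": "Rare", "category": "Legal compliance"},
    {"name": "Input error on payment date", "impact": "Small",
     "probability": "Often", "category": "Operational"},
    {"name": "Backup job runs late", "impact": "Small",
     "probability": "Rare", "category": "Operational"},
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f'{r["score"]:5.1f}  {r["rating"]:8}  {r["name"]}')
```

Two risks with the same qualitative rating (both "Serious") end up in different ranking positions only because of the category weight, which is exactly the effect the slide describes; the auditor should document the weights in the risk assessment methodology section of the report.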
Example: Summary of Risk Assessment Document
Contents of risk assessment document
•A description of the risk assessment methodology used
•The identification of significant exposures and the corresponding risks
•The risks and exposures the audit is intended to address
•The audit evidence used to support the IS auditor's assessment of risk

Category | Risk | Description | Eva. | Control
Covering all payment transactions | Missing invoice by EDI | Invoice by EDI has trouble and is missing | 1 | Checking EDI's invoice by human
Error transaction | Error transactions are not reported/detected | - | 3 | Module for listing out error transactions
Correctness of payment date | Input error | Mistake of input for invoice by FAX | 4 | Cross checking to order transaction
Not include inappropriate data | Cancel of invoice | Payment to cancelled invoice | 2 | Procedure of cancellation of invoice
Security of operation | xxx | xxxx | | xxxxx
Integrity of payment data | xxx | xxxx | | xxxxx
No unauthorized DB modification | xxx | xxxx | | xxxxx

108
General Idea: Type of Means to Risk and Control
Type of Means to Risk
Avoid: Stop the activity that gives rise to the risk, because the impact of the risk is very serious
Reduce: Appropriate internal controls reduce the impact and probability of the risk
Transfer: Other external means such as insurance reduce the impact of the risk
Accept: The impact of the risk is accepted, because the impact is low or the cost of the means is too expensive

Type | Function | Example of Control
Preventive Control | •Prevent errors from happening •Attempt to predict •Monitor both operation and inputs | •Segregate duties •Programmed edit checks •Using access control software •Suitable procedure for authorization
Detective Control | •Find out errors and malicious acts | •Hash total •Check points in production job •Internal audit function •Echo controls in telecommunications •Reviewing activity logs
Corrective Control | •Remedy problems •Identify cause •Enhance procedures •Minimize the impact of a threat | •Backup procedure •Rerun procedure

109
Overview of Method and Technique for Survey and Testing

Audit step | Survey and Testing method
Audit Planning & Gathering information | Review; Interview & Observation
Risk Assessment & Understanding Internal Control | Questionnaire
Perform Testing (Compliance Tests, Substantive Tests) | Method of Statistics; CAAT (Computer Assisted Audit Techniques)

Evidence : Fact

110
Review, Interview and observation for gathering Data (1)
Method Description
Reviewing IS •Adequate separation and segregation of duty is a key control.
organization •IS Auditor should be able to review organization structure and assess
structures the level of control they provide.
Reviewing IS •An IT auditor should review whether appropriate policy and procedure
policy and are in place, determine whether personnel understand implemented
procedures policy and procedure, and ensure that policies and procedures are being
followed.
•Periodic review of policies and procedures for appropriateness should
be carried on
Reviewing IS standards •An IT auditor should understand the existing standards in place in the organization.

Reviewing Information System Documentation •An IT auditor should understand the functions and controls of the system.
•And review whether development activities follow the procedures.
•And review whether enough documents have been developed and kept with integrity.

111
Review, Interview and observation for gathering Data (2)
Point | Description
Preparation of interview | •Preparation of checklist and interview form •Selecting appropriate interviewees
Actual Function | •To observe that an adequate person, who is assigned and authorized to perform a particular function, is actually doing the job.
Actual process and procedure | •Performing a walk-through of the process/procedure allows an IT auditor to gain evidence of compliance and observe deviations.
Reporting Relationship | •Reporting relationships should be observed to ensure assigned responsibility and adequate segregation.
Security Awareness | •Security awareness should be observed to verify an individual's understanding and practice of good preventive and detective security measures.

Related methods
•Re-performance
•Walkthroughs

112
Examples of measures that should be considered to assess materiality
•Criticality of the business processes supported by the system or operation
•Criticality of the information databases supported by the system or operation
•Number and type of application developed
•Number of users who use the information systems
•Number of managers and directors who work with the information systems
classified by privileges
•Criticality of the network communications supported by the system or operation
•Cost of the system or operation (hardware, software, staff, third-party services,
overheads or a combination of these)
•Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable development costs, cost of publicity required for warnings, rectification costs, health and safety costs, unnecessarily high costs of production, high wastage, etc.)
•Cost of loss of critical and vital information in terms of money and time to
reproduce
•Effectiveness of countermeasures
•Number of accesses/transactions/inquiries processed per period
•Nature, timing and extent of reports prepared and files maintained
•Nature and quantities of materials handled (e.g., where inventory movements are
recorded without values)
•Service level agreement requirements and cost of potential penalties
•Penalties for failure to comply with legal, regulatory and contractual requirements
•Penalties for failure to comply with public health and safety requirements
113
Statistics for IS Audit
If the auditor detected 2 input errors in order forms during substantive testing, could the auditor conclude that the internal control is almost good and works?

Sampling (Statistical) Test
•Population: all input forms
•Sample: some of the input forms
Question: are two errors acceptable?

114
Sampling
Normal distribution is commonly encountered in
practice, and is used throughout statistics,
natural sciences, and social sciences as a
simple model for complex phenomena. For
example, the observational error in an
experiment is usually assumed to follow a
normal distribution, and the propagation of
uncertainty is computed using this assumption.

Even if the number of data in the samples is the same, there are many possible ways to select a sample from the population.

115
Factors of Selecting a Sample
Features of the population
•Size
•Distribution
•(Expected) Error rate
Accuracy of the sample, defined by an auditor
•(Requested) Confidence coefficient = similarity of features between population and sample
•Precision = acceptable range (the boundary between NG and OK)

More sampling data is needed when:
•Size is big (but the ratio of the sample is low), Error rate is low
•Confidence coefficient is high, Precision is low

116
Type of Sampling (1)
Method of Selection
•Statistical Sampling: (see the previous slide) an objective method to determine sample size and selection criteria
•Non-Statistical Sampling: judgmental sampling; an auditor designs the sampling based on importance and risk
Target Data
•Attribute sampling: deals with the presence or absence of an attribute; mainly applied in compliance testing
•Variable sampling: deals with population characteristics that vary, e.g. dollars and weights; provides conclusions related to the variable; mainly applied in substantive testing

117
Type of Sampling (2)
Target Data
Attribute sampling
•Attribute sampling (frequency-estimating sampling): provides conclusions expressed in rates of incidence
•Stop-or-go sampling: the auditor can change the size of the sample to get an appropriate result.
•Discovery sampling: the model can be used when the expected occurrence is extremely low; its purpose is detecting (at least one occurrence).
Variable sampling
•Stratified mean per unit: sample means are calculated for each group (stratum) to estimate the total
•Unstratified mean per unit: a single sample mean is calculated as an estimated total
•Difference estimation: the model is used to estimate the total difference between audited value and un-audited value.

118
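The sampling questions in this section (how many forms to inspect, and whether the two observed errors are acceptable) can be answered with the binomial distribution, which is the basis of attribute, discovery and stop-or-go sampling. The following Python is an added example written for this text, not part of the training material; it assumes simple random sampling from a population large enough for the binomial model, a one-sided confidence level, and illustrative tolerable error rates.

```python
# Added example, not from the training text: attribute-sampling arithmetic
# (discovery sample size, upper error limit, stop-or-go decision).
import math


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p): probability of at most k errors in n items."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_error_limit(n, k, confidence=0.95):
    """Largest population error rate still consistent with seeing k errors in n samples
    at the given one-sided confidence: solves P(X <= k | n, p) = 1 - confidence by bisection."""
    target = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(k, n, mid) > target:
            lo = mid      # k errors are still likely at this rate: the true rate could be higher
        else:
            hi = mid
    return hi


def discovery_sample_size(tolerable_rate, confidence=0.95):
    """Smallest n such that, if the true error rate were the tolerable rate, at least one
    error would appear in the sample with probability >= confidence (zero-error design)."""
    n = 1
    while (1 - tolerable_rate) ** n > 1 - confidence:
        n += 1
    return n


def stop_or_go(n, k, tolerable_rate, confidence=0.95):
    """'accept' if the control can be relied on, 'reject' if even a 4x larger sample
    with no further errors could not bring the limit under the tolerable rate,
    otherwise 'extend' (take more samples before deciding)."""
    if upper_error_limit(n, k, confidence) <= tolerable_rate:
        return "accept"
    if upper_error_limit(4 * n, k, confidence) <= tolerable_rate:
        return "extend"
    return "reject"


if __name__ == "__main__":
    # Constructed scenario from the slide: 100 input forms inspected, 2 errors found.
    print("forms to inspect for a 5% tolerable rate, 95% confidence:",
          discovery_sample_size(0.05))
    print("upper error limit after 2 errors in 100:",
          round(upper_error_limit(100, 2), 4))
    print("decision at 5% tolerable:", stop_or_go(100, 2, 0.05))
    print("decision at 7% tolerable:", stop_or_go(100, 2, 0.07))
```

With 2 errors in 100 forms the upper error limit at 95% confidence is about 6.2%, so the control can be relied on only if the auditor set the tolerable rate at or above that; at a 5% tolerable rate the right move is to extend the sample rather than to conclude, which is the stop-or-go idea on the slide.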
Computer-Assisted Audit Techniques (CAAT)
What are CAAT & GAS?
The following are well-known GAS (Generalized Audit Software):
• ACL: Audit Command Language, ACL Services Ltd., http://www.acl.com/
• IDEA: Interactive Data Extraction and Analysis, CaseWare International, http://www.caseware.com/

Go to both websites.

CAAT
•GAS: ACL, IDEA
•Developed Software: Tentative Audit Utility, Tentative Audit Module, Online Audit system
•General Office Tools: MS-ACCESS, MS-EXCEL

119
Advantage of CAAT
• Reduced level of audit risk
• Greater independence from auditee
• Broader and more consistent audit coverage
• Faster availability of info
• Improved exception identification
• Greater flexibility of run times
• Greater opportunity to quantify internal control weaknesses
• Enhanced sampling
• Cost savings in long term

120
Overview of function of GAS

Audited systems (System A, System B, ...): each has Input -> Processing -> Output, with log files, transaction data, business data and master data.

GAS reads data from these systems and provides:
•Generate test data
•Extract and check log files
•Extract and sample data (test data, audit data)
•Compare and calculate
•Making reports and statistical analysis

121
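An added Python example of the GAS functions listed above (extract, compare, control totals, report), written for this text and not taken from ACL, IDEA or any other product. It runs a few typical auditor checks over a constructed extract of a payment table and a constructed register of printed quotations, which matches the substantive test named in the audit plan earlier in this chapter. The column names and sample records are assumptions.

```python
# Added example, not from the training text: a small GAS-style analysis of a
# constructed payment extract. All data below is made up for illustration.
import csv
import io
from collections import Counter

# Constructed extract of the payment table (what a GAS would read from the system).
DB_EXTRACT = """invoice_no,vendor,amount,approved_by,entered_by
1001,ACME,1200.00,alice,bob
1002,ACME,350.50,alice,bob
1002,ACME,350.50,alice,bob
1004,Globex,99.99,carol,carol
1005,Initech,4000.00,,dave
"""

# Constructed register of printed quotations kept by the business department.
REGISTER = """invoice_no,amount
1001,1200.00
1002,350.50
1003,780.00
1004,99.99
1005,4000.00
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def control_totals(rows):
    """Record count and total of amounts (the 'hash total' detective control)."""
    return {"count": len(rows),
            "amount_total": round(sum(float(r["amount"]) for r in rows), 2)}


def find_duplicates(rows):
    """Invoice numbers entered more than once (possible double payment)."""
    counts = Counter(r["invoice_no"] for r in rows)
    return sorted(k for k, v in counts.items() if v > 1)


def find_sequence_gaps(rows):
    """Invoice numbers missing from an otherwise consecutive sequence."""
    nums = {int(r["invoice_no"]) for r in rows}
    return [n for n in range(min(nums), max(nums) + 1) if n not in nums]


def find_sod_violations(rows):
    """Rows where approval is missing or the same person entered and approved."""
    return [r["invoice_no"] for r in rows
            if not r["approved_by"] or r["approved_by"] == r["entered_by"]]


def compare_with_register(rows, register):
    """Database versus printed register: missing on either side, or amount mismatch."""
    db = {r["invoice_no"]: float(r["amount"]) for r in rows}
    reg = {r["invoice_no"]: float(r["amount"]) for r in register}
    both = set(db) & set(reg)
    return {
        "missing_in_db": sorted(set(reg) - set(db)),
        "missing_in_register": sorted(set(db) - set(reg)),
        "amount_mismatch": sorted(k for k in both if abs(db[k] - reg[k]) > 0.005),
    }


def run_audit(db_text=DB_EXTRACT, register_text=REGISTER):
    """Run every check and return the findings as one report dictionary."""
    rows, reg = load(db_text), load(register_text)
    return {
        "totals": control_totals(rows),
        "duplicates": find_duplicates(rows),
        "gaps": find_sequence_gaps(rows),
        "sod_violations": find_sod_violations(rows),
        "register": compare_with_register(rows, reg),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

The checks work on a copy of the extract, never on the production table, which is the "read-only access to production data" consideration listed two slides further on.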
CAAT Considerations for installation and usage
• Ease of use, both for existing and future audit staff
• Training requirements
• Complexity of coding and maintenance
• Flexibility of uses
• Installation requirements
• Processing efficiencies
• Effort required to bring source data into CAAT
• Documentations well-referenced to audit program
• Clearly identify audit procedures and objectives
• Request for read-only access to production data
• Data manipulation should be done to copies of production files in controlled
environment
• Reliability of software
• Confidentiality of the data being processed

122
Type of Evidence
Two primary types
• Direct Evidence: existence of a fact without inference or presumption.
• Indirect Evidence: a hypothesis, without direct evidence, used to make a claim.

Examples of Evidence
• Business evidence including business records of transactions, receipts, invoices, and logs
• Data extraction which mines details from data files by CAAT
• Auditee claims in oral or written documents
• Analysis of plans, policies, procedures and workflow
• Results of compliance and substantive tests
• Auditor's observation

123

Evidence Grading (what good evidence is)

Criterion | Poor | Good | Excellent
Material Relevance | Unrelated | Indirect | Direct
Objectivity | Subjective | Requires few supporting facts to explain the meaning | Needs no explanation
Evidence Source | Unrelated third party with no evidence | Indirect involvement by second party | Direct involvement by first party
Competency of Provider | Biased | Nonbiased | Nonbiased and independent
Evidence Analysis Method | Novice | Experienced | Experts
Resulting Trustworthiness | Low | Medium | High

124
Content of Reporting
Content | Description
Introduction | •Audit objectives •Limitation of audit and scope •Period of audit coverage •General statement on nature and extent of the audit process
Overall conclusion and opinion | •Adequacy of the controls and/or procedures examined •The actual and potential risk identified
Detailed and important audit findings and recommendations | •Whether the controls and procedures examined are adequate or inadequate •Specific findings based on the viewpoint of both the audit committee and the organization •Recommendations for adding and/or modifying controls, procedures and organization
A variety of findings | •All the findings and recommendations. Some are important, others are trivial.

125
Example Report: summary of RCM (Risk and Control Matrix)
No | Type | Risk | Control and Procedure | Audit Procedure | Result & comment
1 | Covering all payment transactions | Missing invoice by EDI | Sending e-mail when EDI has trouble, and function to make the list of e-mail | •Program specification •Procedure •Log files •Working record | •Good. Reviewing the list is not defined in the procedure
2 | Error transaction | Error transaction | Function for error transactions | •Program specification •Error transaction log •Invoices | •Excellent. Works well
 | | | Regulation for correcting error transactions | •Procedure •Working record for correcting errors | •Good. Needs a more detailed correction method
3 | Correctness of payment date | Input error | Appropriate editing (checking function) | •Program specification •Record of error input •Observation of input activities | •Good. Some fields need more checking functions
 | | | Appropriate input form (printed) | •Checking input form •Record of error input •Observation of input activities | •Fair. Customers sometimes make mistakes
 | | | Cross checking to order transaction | •Procedure •Program specification | •None (Very poor)

126
Presenting and Communicating Audit Results

Considerations for presentation to executives
•Understandable for executives. Because they usually don't know IT technology, don't use technical terms.
•Findings and recommendations should be made from the viewpoint of business.

Considerations for communication
•Communicate with management of the audited entity first if possible
•Gain agreement and develop a course of corrective action
•Communicate to top management and the audit committee
•The audit committee provides an independent route to report sensitive information
•The auditor normally is NOT expected to implement recommendations

127
Continuous Audit Approach
• To improve audit efficiency by making greater use of automated tools
• Collect evidence on system reliability while normal processing takes place
• Monitor operations on continuous basis
• Gather selective audit evidence; if not serious, action later
• Cut down needless paperwork
• May report directly through computer on findings
• Especially useful when no paper audit trail
• No disruption to daily operations
• Time lag between misuse and detection is reduced
• Enhance confidence in system’s reliability

128
Control Self-Assessment (CSA)
• Management and/or work teams are directly involved in checking the effectiveness of existing controls
• The IS auditor acts as control expert and assessment facilitator
• Simple questionnaires; facilitated workshops
• Objectives:
– Enhance audit responsibilities
– Educate line management in control responsibility and monitoring
– Concentrate on areas of high risk

129

Chapter 3.
Domain4:
IT Service Delivery and Support

130
Overview of Tasks for Domain 4
•4.1 Evaluate service-level management practices to ensure that the level of
service from internal and external service providers is defined and managed.
•4.2 Evaluate operations management to ensure that IT support functions
effectively meet business needs.
•4.3 Evaluate data administration practices to ensure the integrity and
optimization of databases.
•4.4 Evaluate the use of capacity and performance monitoring tools and
techniques to ensure that IT services meet the organization’s objectives.
•4.5 Evaluate change, configuration and release management practices to
ensure that changes made to the organization’s production environment are
adequately controlled and documented.
•4.6 Evaluate problem and incident management practices to ensure that
incidents, problems and errors are recorded, analyzed and resolved in a timely
manner.
•4.7 Evaluate the functionality of the IT infrastructure (e.g., network components,
hardware and system software) to ensure that it supports the organization’s
objectives.

131
Overview of skill and knowledge for Domain 4
•4.1 Knowledge of service-level management practices
•4.2 Knowledge of operations management best practices (e.g., workload scheduling,
network services management and preventive maintenance)
•4.3 Knowledge of system performance monitoring processes, tools and techniques (e.g.,
network analyzers, system utilization reports and load balancing)
•4.4 Knowledge of the functionality of hardware and network components (e.g., routers,
switches, firewalls and peripherals)
•4.5 Knowledge of database administration practices
•4.6 Knowledge of the functionality of system software including operating systems, utilities
and database management systems
•4.7 Knowledge of capacity planning and monitoring techniques
•4.8 Knowledge of processes for managing scheduled and emergency changes to the
production systems and/or infrastructure including change, configuration, release and patch
management practices
•4.9 Knowledge of incident/problem management practices (e.g., help desk, escalation
procedures and tracking)
•4.10 Knowledge of software licensing and inventory practices
•4.11 Knowledge of system resiliency tools and techniques (e.g., fault tolerant hardware,
elimination of single point of failure and clustering)

132
IS Audit Small Quiz No.4

Domain 4 IT Service Delivery and Support


Service Level Agreement, IT service support and delivery, DB,
Network, System operation, H/W and S/W

Quiz book

133

IT control
•ITCLC: IT Company Level Control
•ITGC: IT General Controls
•ITAC: IT Application Control

ITGC: IT general controls (System Development, System Operation, IT Infrastructure: Network, Server, PC ...)
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls

ITAC: IT Application Control (Application Systems: Accounting System, Sales System, ...): complete and accurate
•Input Data Control
•Process Control
•Output Control

ITCLC: IT Company Level Control (the whole Company)
•IT Governance/Policy •IT Risk Management •Training •Quality Assurance •IT Internal Audit

134
Understanding operation of infrastructure
Problems of current IT systems and operation
•IT systems became the core of business and social activities, and simultaneously became bigger and more complicated
•The cost of IT is not clear; sometimes investment in IT development and operation doesn't realize user needs.

ITIL (Information Technology Infrastructure Library) is a collection of good practices and knowledge/skills for operation of infrastructure, and realizes:
- Stable and high quality operation of IT infrastructure
- Providing a clear indicator of ROI (Return on Investment) for IT operation

Note: Quality of development is usually addressed by the ideas of CMMI and other standards.

135
Overview of ITIL Ver3.0
•Service Strategy
- Link IT service strategies to customer value
• Service Design
- Design services to satisfy business objectives
•Service Transition
- Implement service designs
- Service knowledge management system
- Refinement of change, configuration and release
processes
• Service Operation
- Deliver and manage services
- Refinement of incident and problem management
processes
- Event and access management
• Continual Service Improvement
- Never-ending review for opportunities

136
Process of ITIL (1)
Cycle | Processes and Functions
Service Strategy | Financial Management; Service Portfolio Management; Demand Management
Service Design | Service Catalog Management; Service Level Management; Capacity Management; Availability Management; Service Continuity Management; Information Security Management; Supplier Management
Service Transition | Transition planning and support; Change Management; Service Asset and Configuration Management; Release and Deployment Management; Service validation and testing; Evaluation; Knowledge Management

137
Process of ITIL (2)

Cycle | Processes and Functions
Service Operation | Event Management; Incident Management; Request fulfillment; Problem Management; Access Management; Monitoring and control; IT operation. Functions: Service Desk, Technical Management, IT Operations Management, Applications Management
Continual Service Improvement | Improvement Process; Service Reporting

138
Service Level Agreement
A service level agreement (frequently abbreviated as SLA) is a part of a service contract
where the level of service is formally defined. In practice, the term SLA is sometimes
used to refer to the contracted delivery time (of the service) or performance. As an
example, internet service providers will commonly include service level agreements
within the terms of their contracts with customers to define the level(s) of service being
sold in plain language terms (typically the (SLA) will in this case have a technical
definition in terms of MTTF, MTTR, various data rates, etc.)

Example: Hardware Performance Metrics on SLA

Metric | Category | Unit
Availability | Time | hours, percent
Maximum down-time | Hardware | Hours or percent
Failure frequency | Hardware | Number
Response time | Hardware | Duration in minutes
Periods of operation | Time |
Service times | Time |
Accessibility in case of problems | | Yes/no
Backup | Time |
Processor time | | Seconds
Instructions per second | | Number per second
Number of workstations | | Number

139
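An added Python example, not part of the training text, showing how the first metrics in the table (availability, maximum down-time, failure frequency) and the MTTF/MTTR figures mentioned in the SLA definition are derived from an outage log and checked against SLA targets. The outage records, the reporting period and the SLA thresholds are constructed values for illustration.

```python
# Added example, not from the training text: SLA metrics from a constructed outage log.
from datetime import datetime

# Assumed SLA targets for one hardware service (illustrative values).
SLA = {"availability_pct": 99.5, "max_downtime_hours": 3.0,
       "max_failures": 2, "mttr_minutes": 60}

# Constructed outage log for one month: (start, end) of each failure.
OUTAGES = [
    ("2010-10-03 02:10", "2010-10-03 02:40"),
    ("2010-10-17 14:00", "2010-10-17 15:30"),
    ("2010-10-25 09:05", "2010-10-25 09:25"),
]
# Reporting period: the whole of October 2010 (744 hours).
PERIOD = ("2010-10-01 00:00", "2010-11-01 00:00")


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def sla_metrics(outages=OUTAGES, period=PERIOD):
    """Availability, total downtime, failure count, MTTR and MTBF for the period."""
    start, end = _parse(period[0]), _parse(period[1])
    total_h = (end - start).total_seconds() / 3600
    durations_h = [(_parse(e) - _parse(s)).total_seconds() / 3600 for s, e in outages]
    down_h = sum(durations_h)
    n = len(outages)
    up_h = total_h - down_h
    return {
        "availability_pct": round(100 * up_h / total_h, 3),
        "downtime_hours": round(down_h, 2),
        "failures": n,
        # MTTR: mean repair time per failure, in minutes
        "mttr_minutes": round(60 * down_h / n, 1) if n else 0.0,
        # MTBF: mean operating time between failures, in hours
        "mtbf_hours": round(up_h / n, 1) if n else float("inf"),
    }


def sla_breaches(metrics, sla=SLA):
    """Names of the SLA targets the measured metrics fail to meet."""
    breaches = []
    if metrics["availability_pct"] < sla["availability_pct"]:
        breaches.append("availability")
    if metrics["downtime_hours"] > sla["max_downtime_hours"]:
        breaches.append("max_downtime")
    if metrics["failures"] > sla["max_failures"]:
        breaches.append("failure_frequency")
    if metrics["mttr_minutes"] > sla["mttr_minutes"]:
        breaches.append("mttr")
    return breaches


if __name__ == "__main__":
    m = sla_metrics()
    print(m)
    print("breaches:", sla_breaches(m))
```

The constructed month meets the availability and repair-time targets but not the failure-frequency target, which is why an SLA normally states several metrics rather than availability alone: three short outages can satisfy a 99.5% target while still being unacceptable to the business.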
Example: Strategy of reformation of IT Operation

Phase | Organization | Roles | Culture | Skills | Training | Metrics
1 | Aligned by Technology | Technology Specialists | Hero-Oriented | Job Titles in Place | Limited, Technical | FTE (M/M), Basic record of work
2 | Hierarchical Org. system | Service Team Roles Emerge | Looking at Best Practices | Job Levels (Skill by Job Standard) | Technology Basic Levels Defined | Basic QA, Basic record and monitoring
3 | Process/Service-Centric | Process Role Well-Defined | Working on Best Practices | Employee Skills Tracked | Formal Training, Job Rotations | Ordinary SLA, Data for proactive work
4 | Process Cycle based | Process Manager and Owner Role Well-Defined | Best Practices Effectively Used | Manage Skills Portfolio | Lifelong Training including management | Detailed SLA Data related to business

FTE: Full Time Equivalent, QA: Quality Assurance, SLA: Service Level Agreement

140
Management and Tools for IT operation

Management | Network Monitoring tools | Service Desk (ITIL) support tools | Other tools
Incident Management | X (Detect) | X (Manage) |
Problem Management | X (Detect) | X (Manage) |
Service Management | X (Measure) | | Excel
Capability Management | X (Measure) | | Excel
Configuration Management | X (Monitor) | X (Manage) |
Change Management | | X (Manage) |
Finance Management | | | Excel
Skill Management | | | Excel or Access
Knowledge Management | | X (Manage) | Word, Excel
Evaluation and Report | X (Data) | X (Data/Report) | Word, Excel

141
Sample: System for IT support (Medium and Small Class)

Center (NOC)
•Traffic/QoS Monitoring System
•Configuration Management System
•Trouble detecting System
•Service Catalog / Service Level Management system (SC/SL DB)
•Central Service Desk (troubleshooting) with Incident Management system (history of events & incidents)
•Service Desk Management System (needs and requests, capacity)
•Knowledge Management System (Knowledge DB, Work Procedure documents)
•Staff Skill / Capacity Management System (capacity development of ICT staff)

Remote
•Local Service Desk / Remote NOC
•Traffic/QoS Monitoring System
•Trouble detecting System

Information flows: information on configuration and on traffic/QoS goes from the monitoring systems to the Central Service Desk; needs and requests from users go into the Service Desk Management System.

142
Conceptual Model of CMS (Change Management System)
[Figure: conceptual model of the CMS; the diagram is not reproduced in the text]

143
Tools for IT operation
• Service Desk Plus
http://www.manageengine.com/products/service-desk/index.html

Go to the website.

144
Workflow of Change Management for approval
Why is Change management important?
More than 50% of incidents, and more than 90% of incidents that affect business, are caused by changes.

Roles: User, Change Manager, CAB (Change Advisory Board), Configuration Manager, Programmer/Operator

1. User: submits a Request For Change (RFC)
2. Change Manager: reviews and inputs the RFC -> Reject, or set the initial priority (Urgent / Serious / Trivial) and the type; update RFC
3. Urgent: follow the urgent changing procedure; update RFC
4. CAB: priority & schedule, impact assessment & discussion -> approval and plan; update RFC
5. Approval: No -> back to the User; Yes -> Change procedure (Configuration Manager, Programmer/Operator)
6. Report the change; update RFC

145
Viewpoint of IS audit (Operation: Change Management)

Category | Target | Description
Testing | Testing | •Before changing, is the new module or program tested under the appropriate regulation and approved by management?
Procedure | Changing procedure | •Is an appropriate RFC (Request for Change) format established, and is the change request treated by an authorized process? •Do personnel follow changing regulations? •Is change history recorded? •Is the management that makes the decision on changing defined? •If possible, is any automated changing function developed?
Exception | Exception and failure | •Is any urgent change procedure established? •When a changed module/program doesn't work well, is any recovery method established? •Do controls detect unauthorized changing?

146
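The last question above, whether controls detect unauthorized changing, can be tested by reconciling the change log of the configuration system against the RFC register, which also checks the earlier questions about authorized process, recorded history and the urgent procedure. The following Python is an added example for this text, not code from any change-management product: the RFC records, change-log records and field names are constructed assumptions.

```python
# Added example, not from the training text: reconcile a change log against
# the RFC register to find changes that bypassed the approval workflow.
from datetime import datetime


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


# Constructed RFC register, as a change management system would export it.
RFCS = [
    {"rfc": "RFC-101", "ci": "payment-app", "status": "approved",
     "approved_at": "2010-10-05 10:00", "type": "normal", "post_review": True},
    {"rfc": "RFC-102", "ci": "payment-db", "status": "rejected",
     "approved_at": None, "type": "normal", "post_review": False},
    {"rfc": "RFC-103", "ci": "web-proxy", "status": "approved",
     "approved_at": "2010-10-12 16:00", "type": "urgent", "post_review": False},
    {"rfc": "RFC-104", "ci": "web-proxy", "status": "approved",
     "approved_at": "2010-10-14 09:00", "type": "urgent", "post_review": False},
]

# Constructed change log from the configuration/deployment system.
CHANGES = [
    {"ci": "payment-app", "at": "2010-10-06 02:00", "rfc": "RFC-101", "by": "operator1"},
    {"ci": "payment-db",  "at": "2010-10-07 03:00", "rfc": "RFC-102", "by": "operator2"},
    {"ci": "web-proxy",   "at": "2010-10-12 12:30", "rfc": "RFC-103", "by": "operator1"},
    {"ci": "web-proxy",   "at": "2010-10-14 11:00", "rfc": "RFC-104", "by": "operator1"},
    {"ci": "payment-app", "at": "2010-10-20 23:15", "rfc": None,      "by": "dev3"},
]


def reconcile_changes(rfcs=RFCS, changes=CHANGES):
    """One (ci, time, finding) tuple per change record that fails a control check."""
    by_id = {r["rfc"]: r for r in rfcs}
    findings = []
    for c in changes:
        rfc = by_id.get(c["rfc"])
        if rfc is None:
            findings.append((c["ci"], c["at"], "no RFC recorded for this change"))
        elif rfc["status"] != "approved":
            findings.append((c["ci"], c["at"], f'{c["rfc"]} is {rfc["status"]}, not approved'))
        elif rfc["ci"] != c["ci"]:
            findings.append((c["ci"], c["at"], f'{c["rfc"]} was approved for {rfc["ci"]}'))
        elif _parse(rfc["approved_at"]) > _parse(c["at"]):
            findings.append((c["ci"], c["at"], f'{c["rfc"]} approved after the change was made'))
        elif rfc["type"] == "urgent" and not rfc["post_review"]:
            findings.append((c["ci"], c["at"],
                             f'{c["rfc"]} urgent change lacks post-implementation review'))
    return findings


def unimplemented_rfcs(rfcs=RFCS, changes=CHANGES):
    """Approved RFCs with no change record: never executed, or executed outside the logged path."""
    used = {c["rfc"] for c in changes}
    return [r["rfc"] for r in rfcs if r["status"] == "approved" and r["rfc"] not in used]


if __name__ == "__main__":
    for ci, at, why in reconcile_changes():
        print(f"{at}  {ci:12}  {why}")
    print("approved but not implemented:", unimplemented_rfcs())
```

The reconciliation depends on the change log being produced by the configuration system rather than by the people making the changes; if the log can be edited by the same operators, the auditor has a finding against the detective control itself.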
Overview of Incident/Problem management and service desk

Risk/failure factors: remaining bugs, operation errors, crime, system break
These factors appear as trouble symptoms and/or cause failures. They are reported by users (requests), detected by the monitoring system, or detected as risk factors before a failure occurs.

Service Desk: 1st level staff -> escalation -> 2nd level staff

Incident Management: to restore a normal service operation as quickly as possible and to minimize the impact on business operations
Problem Management: to get rid of the factor of risk or failure, or to resolve the factor that made or will make a failure

147
Viewpoint of IS audit (Incident & Problem management)

Category | Target | Description
Procedure and situation | Regulation and procedure | •Does the organization have appropriate procedures to resolve problems, especially an escalation route? •Are recording tasks and functions for events, incidents and problems developed?
 | Situation of Incident/Problem Management | •Do problems exist during processing? •Were problems resolved in a timely manner, and was the resolution complete and reasonable? •Are all problems identified for verification and resolution?
Help desk (Service desk) | Help desk (Service desk) | •Does the help desk have appropriate staff? •Is there an SLA for the help desk? •Is there appropriate supporting software for the help desk? •Does the help desk have appropriate regulations and procedures, especially an escalation route to resolve problems? •Does the help desk keep appropriate support and working records?

148
Overview of Capacity Management
Reactive activities:
•Monitoring and measuring
•Responding and reacting to capacity related events (incidents)

Proactive activities:
•Predicting future requirement and trends
•Budgeting, planning and implementing upgrade.
•Seeking ways to improve service performance.
•Optimizing the performance of a service

149
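Added Python example, not from the training text, of the proactive side of capacity management (predicting future requirement and trends): a least-squares trend over constructed monthly utilisation figures, used to decide whether an upgrade must be started now given a procurement lead time. The utilisation history, the threshold and the lead time are assumed values.

```python
# Added example, not from the training text: trend-based capacity forecast.

# Constructed monthly average utilisation (%) of one server, oldest first.
UTILISATION = [52, 55, 57, 61, 63, 66]


def linear_fit(xs, ys):
    """Ordinary least-squares line y = slope * x + intercept."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def forecast(history, months_ahead):
    """Trend-line value months_ahead after the last observation."""
    slope, intercept = linear_fit(list(range(len(history))), history)
    return intercept + slope * (len(history) - 1 + months_ahead)


def months_until_threshold(history, threshold, horizon=60):
    """Months after the last observation at which the trend first reaches threshold,
    or None if the trend is flat/declining or the threshold is beyond the horizon."""
    slope, intercept = linear_fit(list(range(len(history))), history)
    if slope <= 0:
        return None
    last = len(history) - 1
    for m in range(horizon + 1):
        if intercept + slope * (last + m) >= threshold:
            return m
    return None


def capacity_plan(history, threshold, lead_time_months):
    """Decision record: growth per month, months of headroom, and whether the
    upgrade must start now because the headroom is within the procurement lead time."""
    slope, _ = linear_fit(list(range(len(history))), history)
    m = months_until_threshold(history, threshold)
    return {
        "slope_per_month": round(slope, 3),
        "months_to_threshold": m,
        "start_upgrade_now": m is not None and m <= lead_time_months,
    }


if __name__ == "__main__":
    # Assumed: 85% utilisation is the capacity threshold, 9 months procurement lead time.
    print(capacity_plan(UTILISATION, 85, 9))
```

A linear trend is the simplest model and is enough to show the reasoning; the auditor's question is whether capacity management keeps such a forecast at all and acts on it before the reactive "respond to capacity incidents" path is needed.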
Viewpoint of IS audit (Hardware)
Category | Target | Description
Planning & Acquisition | Planning | •Is the plan aligned with business requirements? •Is the plan synchronized with IS plans? •Have criteria for acquisition of hardware been developed, and are they appropriate? •Does new hardware suit the current IT environment?
 | Acquisition | •Is the acquisition in line with the hardware acquisition plan? •Are procurements and procurement documents based on appropriate procedures and regulations? •Are procurement processes approved by appropriate management?
Operation & Incident management | Operation & Maintenance | •Is scheduling adequate to meet workload schedules and user requirements? •Is scheduling flexible enough to accommodate required hardware and preventive maintenance? •Is maintenance done during off-peak workload periods? •Is the maintenance the vendors recommend done appropriately?
 | Monitoring & Incident / Problem management | •Have IS management staff reviewed malfunctions, abnormal system terminations and operator actions? •Is continuous review performed of hardware and system software performance and capacity? •Is monitoring adequate in the case of equipment failure? •Is monitoring based on logs, maintenance history and adequate information?

150
Overview of Middleware
Middleware is computer software that connects software components, or people and their applications. It usually sits between the OS and the application software.

Message-oriented Middleware
•Message-oriented middleware is middleware where transactions or event notifications
are delivered between disparate systems or components by way of messages, often
via an enterprise messaging system.

Enterprise messaging system


•An enterprise messaging system is a type of middleware that facilitates message
passing between disparate systems or components in standard formats, often using
XML, SOAP or web services.

Transaction processing monitors


•Provides tools and an environment to develop and deploy distributed applications.

Application servers
•software installed on a computer to facilitate the serving (running) of other
applications.

SQL-oriented Data Access


•SQL-oriented Data Access is middleware between applications and database servers.
151
U
Viewpoint of IS audit (OS and System software)

Planning & Acquisition
  Planning
    •Are the plans aligned with the objectives of the business?
    •Do they meet the requirements?
    •Do they include IS controls?
    •Do they comply with short- and long-range IS plans?
  Feasibility study and Acquisition process
    •Are the proposed system objectives and purpose consistent with the request?
    •Has the cost-benefit analysis of system software procedures been addressed?
Operation & Incident management
  Security and Control
    •Have procedures been established to restrict the ability to circumvent logical access controls?
    •Have procedures been implemented to manage software updates?
    •Are controls adequate for change, authorization, security, audit, test, ...?
    •Is the master console secure?
  Operation and documentation
    •Have all appropriate levels of software been implemented?
    •Is the necessary documentation present, such as access violations, change management, parameters, active logs and reports ...?
    •Is the latest version installed, with testing?

152
Basic Keywords of Network
•LAN/WAN
•DNS, DHCP, Web server, FTP and mail server
•IPv4, IPv6, Port Number, Global IP Address
•ISO/OSI architecture, NIC
•TCP/IP, UDP
•HTTP, ARP, SNMP
•NAT, RADIUS
•SSL, Applet, CGI, .NET, PHP, Java, Cookie
•Wireless LAN IEEE 802.11a/b/g, WiMAX IEEE 802.16, Ubiquitous computing
•WPA (Wi-Fi Protected Access), WAP (Wireless Application Protocol)
•LDAP, H.32x, VOD, Streaming
•QoS
•VPN, SSH, DMZ, Proxy, Firewall, Security hole
•Intrusion Detection System (IDS), Intrusion Prevention System (IPS)
•URL, Search Engine, SEO
•Router, Switch, Hub, Modem, ATM, FR
•Optical fiber, ADSL, FDDI, Ethernet
•SNS, Blog
•ISP
•Cloud computing, SaaS

153
Tools for Network Monitoring

Type                      Category                         Purpose                                         Example (Recommendation)
Snapshot                  Command for network management   Detecting trouble                               ping, tracert, netstat
(operated manually)       Network analyzer                 Detecting trouble / measuring traffic (packets) Sniffer, Wireshark, ASTEC Eyes
Daily tool                Traffic monitor                  Measuring traffic                               MRTG
(operated automatically)  SNMP manager                     Configuration management / detecting trouble    NET-SNMP
                          Server monitoring                Detecting trouble                               Nagios

Go to both websites.

154
Viewpoint of IS audit (Network Infrastructure & implementation)

Physical environment
  Physical security for the facility
    •Are network devices located in a secure facility and restricted to the network administrator?
    •Are keys to enter the network facility secured?
    •Is the wiring physically secured?
  Server facility
    •Is the environment of the servers well controlled (temperature, humidity and static electricity guards)?
    •Are there appropriate and sufficient means against fire?
    •Are there appropriate and sufficient devices for breakdown of electricity?
Logical access control to network devices
  Access and Password
    •Are there appropriate regulations to manage passwords?
    •Are network access change requests authorized by an appropriate manager using standard forms?
    •Are users assigned unique passwords?
  Report and monitoring
    •Are all login processes recorded in log files?
    •Is there any function that can detect unauthorized log-ins?
    •Are security reports reviewed adequately and in a timely manner?

155
DB Normalization
First Normal Form (1NF)
• Eliminate duplicative columns from the same table.
• Create separate tables for each group of related data and identify each row with a unique column or set of columns (the primary key).
Second Normal Form (2NF)
• Remove subsets of data that apply to multiple rows of a table and place them in separate tables.
• Create relationships between these new tables and their predecessors through the use of foreign keys.
Third Normal Form (3NF)
• Remove columns that are not dependent upon the primary key.

Order form (example to be normalized):
Date: 10th Oct. 2010
Customer name: UP company    Customer No.: 4650

Item Code  Category (Code, Name)  Item Name  Unit Price  Qty
1090       201  Device            Mouse xx   50          10
2053       204  Parts             IC 7xxxx   5           100
3459       201  Device            LAN cable  3           30

156
Viewpoint of IS audit (Database)

Design
  Logical Schema
    •Do all entities in the entity diagram exist?
    •Are all relations represented through foreign keys?
    •Are constraints specified clearly?
  Physical Schema
    •Has allocation of initial and extension space been done according to the requirements?
    •Are indexes present?
    •If the DB is not normalized, is the justification acceptable?
    •Is data redundancy minimized by the DBMS?
Design and Operation
  Reliability and integrity
    •Are there adequate change procedures to ensure the integrity of the DB management software?
    •Is the integrity of the DBMS's data dictionary maintained?
    •Are integrity and confidentiality of data unaffected by data import and export procedures?
  Operation
    •Do backup and disaster recovery procedures exist?
Operation and Security
  Security
    •Are the security levels of users and their roles appropriate and secure?
    •Is access to shared data appropriate?

157
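The order form on the normalization slide can be decomposed into the 1NF/2NF/3NF tables described there, and several of the database audit questions above (are relations represented through foreign keys, are constraints specified, is redundancy minimized) can be checked against the result. The Python script below is an added example written for this text, not part of the original training material; it uses SQLite in memory, and the table names, column names and the order number 1001 are assumptions. It loads the slide's three order lines, joins them back into the order form, and shows that a line item referencing a non-existent item code is rejected once foreign keys are enforced.

```python
"""Decompose the order-form slide into a normalized schema and verify it.

Added example, not from the training text. Table and column names, and the
order number 1001, are assumptions; the order-form rows are the slide's own.
"""
import sqlite3

# The un-normalized order form as it appears on the slide (one row per line item).
ORDER_FORM = {
    "order_date": "2010-10-10",
    "customer_no": 4650,
    "customer_name": "UP company",
    "lines": [
        # item_code, category_code, category_name, item_name, unit_price, qty
        (1090, 201, "Device", "Mouse xx", 50, 10),
        (2053, 204, "Parts", "IC 7xxxx", 5, 100),
        (3459, 201, "Device", "LAN cable", 3, 30),
    ],
}

# 3NF schema: every non-key column depends on the key, the whole key and nothing
# but the key.  category_name depends on category_code, not on the item, so it
# gets its own table (the 3NF step).  unit_price depends on item_code alone, not
# on (order_no, item_code), so it lives in item rather than order_line (the 2NF step).
SCHEMA = """
CREATE TABLE customer (customer_no INTEGER PRIMARY KEY, customer_name TEXT NOT NULL);
CREATE TABLE category (category_code INTEGER PRIMARY KEY, category_name TEXT NOT NULL);
CREATE TABLE item (
    item_code     INTEGER PRIMARY KEY,
    category_code INTEGER NOT NULL REFERENCES category(category_code),
    item_name     TEXT NOT NULL,
    unit_price    INTEGER NOT NULL CHECK (unit_price >= 0)
);
CREATE TABLE orders (
    order_no    INTEGER PRIMARY KEY,
    order_date  TEXT NOT NULL,
    customer_no INTEGER NOT NULL REFERENCES customer(customer_no)
);
CREATE TABLE order_line (
    order_no  INTEGER NOT NULL REFERENCES orders(order_no),
    item_code INTEGER NOT NULL REFERENCES item(item_code),
    qty       INTEGER NOT NULL CHECK (qty > 0),
    PRIMARY KEY (order_no, item_code)   -- 1NF: one row per (order, item), no repeating groups
);
"""


def build_db(form=ORDER_FORM, order_no=1001):
    """Load the order form into the normalized schema with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES unless this is set
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES (?, ?)", (form["customer_no"], form["customer_name"]))
    for item_code, cat_code, cat_name, item_name, price, _qty in form["lines"]:
        conn.execute("INSERT OR IGNORE INTO category VALUES (?, ?)", (cat_code, cat_name))
        conn.execute("INSERT INTO item VALUES (?, ?, ?, ?)", (item_code, cat_code, item_name, price))
    conn.execute("INSERT INTO orders VALUES (?, ?, ?)", (order_no, form["order_date"], form["customer_no"]))
    conn.executemany("INSERT INTO order_line VALUES (?, ?, ?)",
                     [(order_no, line[0], line[5]) for line in form["lines"]])
    conn.commit()
    return conn


def order_form_view(conn, order_no=1001):
    """Join the normalized tables back into the rows the slide's order form shows."""
    sql = """
    SELECT o.order_date, c.customer_name, c.customer_no,
           i.item_code, cat.category_code, cat.category_name, i.item_name, i.unit_price, l.qty
    FROM orders o
    JOIN customer c    ON c.customer_no = o.customer_no
    JOIN order_line l  ON l.order_no = o.order_no
    JOIN item i        ON i.item_code = l.item_code
    JOIN category cat  ON cat.category_code = i.category_code
    WHERE o.order_no = ?
    ORDER BY i.item_code
    """
    return conn.execute(sql, (order_no,)).fetchall()


def referential_integrity_enforced(conn, order_no=1001):
    """Audit check: a line item for a non-existent item code must be rejected."""
    try:
        conn.execute("INSERT INTO order_line VALUES (?, 9999, 1)", (order_no,))
    except sqlite3.IntegrityError:
        conn.rollback()
        return True
    conn.rollback()  # the insert went through: REFERENCES is declared but not enforced
    return False


if __name__ == "__main__":
    db = build_db()
    for row in order_form_view(db):
        print(row)
    print("foreign keys enforced:", referential_integrity_enforced(db))
```

A declared foreign key is not the same as an enforced one: SQLite only enforces REFERENCES when PRAGMA foreign_keys is switched on for the connection, so the audit question "are all relations represented through foreign keys?" is best answered by attempting an orphan insert, as referential_integrity_enforced does, rather than by reading the DDL alone.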
Tasks of operation staff
•Executing and monitoring scheduled jobs
•Facilitating timely backups
•Monitoring unauthorized access and use of sensitive data
•Monitoring and reviewing the extent of adherence to IT operation procedures as established by IS and business management
•Participating in tests of disaster recovery plans
•Monitoring the performance, capacity, availability and failure of information resources
•Facilitating troubleshooting and incident handling

158
Viewpoint of IS audit (Operation)

Regulation and Control
  Regulation and Control
    •Are documented instructions adequate for peripherals, start-up and shutdown, trouble-shooting and the records to be retained?
    •Have controls been put in place to ensure accuracy and efficiency of operation?
    •Is there an appropriate supervisor or supervisory function?
    •Are controls for input appropriate and sufficient?
Environment
  Environment
    •Are online library facilities located away from the computer room?
    •Do all storage media have appropriate labels?
Operation
  Operation
    •Have procedures been established to control the storage media?
    •Are these procedures being followed?
    •Are the automated operation software and the manual contingency procedures documented and tested?
    •Are all errors of the automated software notified to the operator?
  Security
    •Is access to files and the documentation library restricted to operators?
    •Is access to program and data correction programs restricted?
    •Are responsibilities for operation of the computer and other devices limited?

159

Chapter 4.
Domain 6:
Business Continuity and Disaster Recovery

160
Overview of Tasks for Domain 6
•6.1 Evaluate the adequacy of backup and restore provisions to ensure the availability of information required to resume processing.
•6.2 Evaluate the organization's disaster recovery plan to ensure that it enables the recovery of IT processing capabilities in the event of a disaster.
•6.3 Evaluate the organization's business continuity plan to ensure its ability to continue essential business operations during the period of an IT disruption.

161
Overview of skill and knowledge for Domain 6
•6.1 Knowledge of data backup, storage, maintenance, retention and restoration processes and practices
•6.2 Knowledge of regulatory, legal, contractual and insurance issues related to business continuity and disaster recovery
•6.3 Knowledge of business impact analysis (BIA)
•6.4 Knowledge of the development and maintenance of the business continuity and disaster recovery plans
•6.5 Knowledge of business continuity and disaster recovery testing approaches and methods
•6.6 Knowledge of human resources management practices as related to business continuity and disaster recovery (e.g., evacuation planning and response teams)
•6.7 Knowledge of processes used to invoke the business continuity and disaster recovery plans
•6.8 Knowledge of types of alternate processing sites and methods used to monitor the contractual agreements (e.g., hot sites, warm sites and cold sites)

162
IS Audit Small Quiz No.5

Domain 6 Business Continuity and Disaster Recovery

Backup/Recovery, Availability, Continuity, Disaster Recovery Planning, Business Continuity Planning

Quiz book

163

IT control

ITCLC: IT Company Level Control (company-wide)
  * IT Governance/Policy  * IT Risk Management  * Training  * Quality Assurance  * IT Internal Audit

ITGC: IT general controls (system development, system operation, IT infrastructure: network, server, PC ...)
  •Logical access controls
  •System development life cycle controls
  •Program change management controls
  •Data center physical security controls
  •System and data backup and recovery
  •Computer operation controls

ITAC: IT Application Control (application systems: accounting, sales, ...; complete and accurate)
  •Input data control
  •Process control
  •Output control

164
Process of ITIL (1)

Service Strategy
  Financial Management
  Service Portfolio Management
  Demand Management
Service Design
  Service Catalog Management
  Service Level Management
  Capacity Management
  Availability Management
  Service Continuity Management
  Information Security Management
  Supplier Management
Service Transition
  Transition planning and support
  Change Management
  Service Asset and Configuration Management
  Release and configuration Management
  Service validation and testing
  Evaluation
  Knowledge Management

165
Overview of Disaster Recovery Plan (DRP)

[Figure: the Headquarters / Data center takes backups and sends them over the backup network to the Recovery Site; after a disaster the backup is restored at the Recovery Site.]

166
Type of Disaster and Threats

Natural
•Flood & other water-based incidents
•Earthquakes
•Hurricanes, tornadoes, monsoons
•Thunder, hail and ice storms
•Lightning and electrical storms
•Snow and winter storms
•Volcanic eruptions, ash fallout
•Large natural fires & smoke residues

Man Made
•Political
•Fires
•Flood due to equipment, pipes, sprinklers etc.
•Epidemics
•Explosions
•Hazardous / toxic material spills, contamination, access denial

167
Overview of BCP: Business Continuity Plan
BCP: Business Continuity Plan
An ongoing process, supported by senior management and funded, to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity of services through personnel training, plan testing, and maintenance.

BCP vs. DRP
•The Business Continuity Plan (BCP) tells us what essential resources are needed to continue business operations.
•The Disaster Recovery Plan (DRP) tells us how to bring back those essential resources. The purpose of the DRP is to carry out the BCP.

168
Flow of BCP / DRP
The phases follow in this order:
•Planning
•Risk Assessment & Business Impact Analysis
•Developing Plan Strategies & Developing The Plan
•Plan Testing & Maintenance
•Awareness & Training

169
Flow of BCP / DRP: Planning
•Define BCP vs. DRP for clear understanding by all.
•Identify project sponsors and leadership.
  Defining objectives, policies, critical success factors and scope.
  Identifying legal and regulatory requirements.
•Define standard terms and assumptions.
•Develop a project plan and budget.
  Hard costs and soft costs such as equipment, personnel resources, facilities, etc.

170
Flow of BCP / DRP: Risk Assessment & Business Impact Analysis
•The process of identifying the risks to an organization, assessing the critical functions necessary for the organization to continue business operations, defining the controls in place to reduce the organization's exposure, and evaluating the cost of such controls.
•Identify the following:
  – Risk – Exposure to loss, injury or danger; potential for loss (qualitative or quantitative).
  – Threats – Events that can cause a risk to become an actual loss (natural or man-made).
  – Vulnerabilities – Exposure to an event that can cause actual loss.
Quantitative risk:
  – Assigns a value to the risk.
  – Identifies the cost of a particular effect, incident or phenomenon.
  – Can be stated as an ALE (Annualized Loss Exposure or Expectancy).
Qualitative risk:
  – Intangible effects caused by a particular incident.
  – Descriptive – usually relates a cause with an effect.

171
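As an added example of the quantitative side (not from the training text), the Python code below computes SLE and ALE for a small constructed risk register, ranks the risks by ALE as a BIA would, and applies the cost-benefit test the slide mentions for controls: a control is economically justified when the reduction in ALE it brings exceeds its annual cost. All asset values, exposure factors, occurrence rates and control costs are constructed sample figures, not data from the text.

```python
"""Quantitative risk: SLE = AV x EF, ALE = SLE x ARO, and the cost-benefit test
for a control.  Added example, not from the training text; all figures are
constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: replacement / business value of the asset
    exposure_factor: float  # EF: fraction of AV lost in one incident, 0..1
    aro: float              # ARO: Annualized Rate of Occurrence (incidents per year)

    @property
    def sle(self):
        """Single Loss Expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float            # annualized cost of owning and operating the control
    aro_after: float              # residual occurrence rate once the control is in place
    exposure_factor_after: float  # residual impact once the control is in place


def residual_ale(risk, control):
    """ALE that remains after the control is applied to the risk."""
    return risk.asset_value * control.exposure_factor_after * control.aro_after


def control_value(risk, control):
    """Annual net benefit of the control: ALE reduction minus the control's cost.
    A positive value means the control pays for itself."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def rank_by_ale(risks):
    """Risks ordered by expected annual loss, largest first (BIA prioritisation)."""
    return sorted(risks, key=lambda r: r.ale, reverse=True)


# Constructed sample register and candidate controls (not figures from the text).
RISKS = [
    Risk("Server room fire", asset_value=500_000, exposure_factor=0.8, aro=0.02),
    Risk("Flood in basement data center", asset_value=500_000, exposure_factor=0.5, aro=0.1),
    Risk("Ransomware on file server", asset_value=200_000, exposure_factor=0.6, aro=0.5),
]
CONTROLS = {
    "Server room fire": Control("Gas fire suppression", annual_cost=4_000,
                                aro_after=0.02, exposure_factor_after=0.2),
    "Flood in basement data center": Control("Relocate to 2nd floor", annual_cost=30_000,
                                             aro_after=0.01, exposure_factor_after=0.5),
    "Ransomware on file server": Control("Offline backups + restore drills", annual_cost=15_000,
                                         aro_after=0.5, exposure_factor_after=0.1),
}


def justified_controls(risks=RISKS, controls=CONTROLS):
    """Names of controls whose annual benefit exceeds their annual cost, in ALE order."""
    return [controls[r.name].name for r in rank_by_ale(risks)
            if control_value(r, controls[r.name]) > 0]


if __name__ == "__main__":
    for r in rank_by_ale(RISKS):
        c = CONTROLS[r.name]
        print(f"{r.name:32s} SLE={r.sle:>9,.0f} ALE={r.ale:>9,.0f} "
              f"control={c.name!r} net benefit={control_value(r, c):>9,.0f}")
```

With these figures the flood relocation is not justified (it removes about 22,500 of expected annual loss but costs 30,000 a year), while the other two controls are; that is the kind of comparison an auditor expects to find behind a BIA's list of recommended controls.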
Type of Risk to be considered

Compliance                 Financial              Operational   Strategic     Technical
Contractual                Lost/Deferred Revenue  People        Market Share  Cyber crime
Regulatory                 Opportunity            Production    Partnerships  E-Business
Service Level Agreements   Shareholder Equity     Supply Chain  Reputation    Infrastructure Failure

Critical assets
– People;
– Buildings and Facilities;
– Computer Equipment (PCs, Servers, mainframes, etc.);
– Telecom Equipment (PBXs);
– Communication equipment (Routers, Switches, CSU / DSU etc.);
– Inventory and Materials;
– Production & Plant Equipment;
– Critical Data;
– Critical Computer Applications;
– Operating Systems and Databases;
– Environmental (Power, HVAC, Physical Security); and
– Internal & External Customers & Users.

172
Type of Recovery Site

Type                Recovery Time     Cost       Infrastructure  Equipment  Data              Operators
Redundant (Mirror)  Seconds           Double     Yes             Yes        Same (real-time)  Same
Hot site            Hours             Very High  Yes             Yes        Restore           Transfer
Warm site           Days              High       Yes             No         Restore           Transfer
Cold site           Weeks             Low        No              No         Restore           Transfer
Mobile site         8+ hours to days  High       Need            Yes        Restore           Transfer

173
RTO and RPO
RTO (Recovery Time Objective): the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity.
RPO (Recovery Point Objective): the point in time to which you must recover data, as defined by your organization. This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation.

[Figure: timeline around the disaster at T=0. RPO is measured backwards from T=0 (-1 hour, -2 hours, -1 day) and RTO forwards (+1 hour, +2 hours, +1 day). Tape backup gives a recovery point about 1 day back, disk backup about 1 to 2 hours back, and real-time transaction backup a recovery point close to T=0.]

174

Design of new Controls for BCP / DRP

Current controls
•Physical controls
  Fire suppression / sprinkler systems
  Access control systems
  Security guards
•Procedural controls
  Hiring and termination policies
  Clean desk policy
  Document receipting
•Logical controls
  Data storage protection
  Protection afforded to assets by their location in relation to the threat

Evaluate the effectiveness of the current controls:
•Deter the threat
•Lessen the loss
•Ability to deter or reduce risks

Improve the effectiveness of controls:
• Implementing layers of protection where possible
• Training
• Documentation
• Enforcement

175
Insurance for business including DRP
Insurance covers the following:
•IS equipment and facilities
•Media (software) reconstruction
•Extra expense: based on the availability and cost of the backup facility and its operation.
•Business interruption
•Errors and omissions: legal liability protection for financial loss to clients.
•Fidelity coverage: covering loss from dishonest or fraudulent acts by employees.
•Media transportation

176

Organization for BCP/DRP after disaster

Teams
•Incident Response team
•Emergency Action team (for first actions, such as for fire)
•Information security team
•Damage assessment team
•Emergency management team
•Offsite Storage team
•Software team
•Application team
•Emergency operation team
•Network recovery team (for the information system)
•Communication team
•Transportation team
•User hardware team
•Data preparation and records team
•Administrative support team
•Supplies team
•Salvage team (management of moving to a recovery site)
•Relocation team (management of moving from a recovery site)
•Coordination team (for all the sites (branches) and the recovery site)
•Legal affairs team
•Recovery test team
•Training team

177
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Determine and guide the selection of alternative business recovery operating strategies for recovery of business and information technologies within the recovery time objectives, while maintaining the organization's critical functions.
Identify requirements for DRP and BCP strategies
•Review business recovery issues from the BIA
•Review technology recovery issues for each support area
•Review non-technology issues for each support area
Identify off-site storage requirements and alternative facilities
Identify viable recovery strategies within business functional areas:
•Service degradation
•Internal recovery (reciprocal agreement)
•Commercial recovery center such as hot site and warm site
Consolidating strategies across the enterprise
•Coordination of technology recovery
•Enterprise-level crisis management
•Enterprise-level media handling
•Centralized strategy for interfacing with local

178

RAID: Redundant Array of Independent Disks

Level   Description                                       Min # of disks  Space efficiency  Fault tolerance  Read benefit  Write benefit
RAID 0  Block-level striping without parity or mirroring  2               1                 0 (none)         nX            nX
RAID 1  Mirroring without parity or striping              2               1/n               n-1 disks        nX            1X
RAID 5  Block-level striping with distributed parity      3               1 - 1/n           1 disk           (n-1)X        variable

(n = number of disks in the array)

179
Backup schemes
Full + incremental
•A full + incremental repository aims to make it more feasible to store several copies of the source data. At first, a full backup (of all files) is made. After that, any number of incremental backups can be made. There are many different types of incremental backups, but they all attempt to back up only a small amount of data (when compared to the size of a full backup). An incremental backup copies everything that changed after the last backup (full, differential or incremental).
Differential backup
•A differential backup copies files that have been created or changed since the last full backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of full and differential backups, restoring files and folders requires that you have the last full as well as the last differential backup.

Which backup run copies each file (F = full, I = incremental, D = differential), by the day the file is modified:

Full + incremental                   Differential
       Day1 Day2 Day3 Day4 Day5             Day1 Day2 Day3 Day4 Day5
File1  F    I         I              File1  F    D    D    D    D
File2  F              I              File2  F              D    D
File3  F         I                   File3  F         D    D    D
File4  F                   I         File4  F                   D

180
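To see the two schemes side by side, here is an added Python simulation (not from the training text) of the five-day table above. The modification days are constructed so that the pattern matches the table (File1 changes on two days, the others once each). For each scheme it reports which files each day's run copies, how many backup sets a restore needs, and which set holds the copy of each file used in the restore, which is why a differential restore needs only the last full plus the last differential while an incremental restore must replay every set in order (a longer restore chain, and so a longer time to reach the RTO).

```python
"""Full + incremental versus differential backups over a five-day cycle.

Added example, not from the training text. The modification days are
constructed so the copy pattern matches the table above.
"""

# Constructed input: the day(s) on which each file is modified.  Day 1 is the
# full backup, taken before any of these modifications.
MODIFIED_ON = {
    "File1": {2, 4},
    "File2": {4},
    "File3": {3},
    "File4": {5},
}
DAYS = range(1, 6)


def copies(scheme, modified_on=MODIFIED_ON, days=DAYS):
    """Return {file: {day: mark}} where mark is 'F', 'I' or 'D'.

    incremental:  a file is copied on a day only if it changed since the previous
                  day's backup (full or incremental).
    differential: a file is copied on every day after it changed, because the
                  reference point is always the last full backup on day 1.
    """
    if scheme not in ("incremental", "differential"):
        raise ValueError(f"unknown scheme {scheme!r}")
    out = {}
    for name, changed in modified_on.items():
        marks = {1: "F"}
        for day in days:
            if day == 1:
                continue
            if scheme == "incremental" and day in changed:
                marks[day] = "I"
            elif scheme == "differential" and any(1 < c <= day for c in changed):
                marks[day] = "D"
        out[name] = marks
    return out


def files_copied_per_day(marks, days=DAYS):
    """Backup volume per run, in number of files (shows differential runs growing)."""
    return {day: sum(1 for m in marks.values() if day in m) for day in days}


def restore_set(scheme, day):
    """Backup sets, in apply order, needed to restore to the end of `day`."""
    if scheme == "incremental":
        return list(range(1, day + 1))      # full, then every incremental in order
    return [1, day] if day > 1 else [1]     # full, then the latest differential only


def restore_sources(marks, day):
    """For each file, the backup set that supplies its copy when restoring to `day`.

    A file untouched since the full backup comes from set 1 in both schemes.
    """
    return {name: max(d for d in m if d <= day) for name, m in marks.items()}


def render(marks, days=DAYS):
    """The table in the slide's layout; '-' means the run did not copy the file."""
    lines = ["      " + " ".join(f"Day{d}" for d in days)]
    for name, m in marks.items():
        lines.append(f"{name:5s} " + " ".join(f"{m.get(d, '-'):>4s}" for d in days))
    return "\n".join(lines)


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        marks = copies(scheme)
        print(scheme)
        print(render(marks))
        print("files per run:", files_copied_per_day(marks))
        print("restore to day 5 needs sets:", restore_set(scheme, 5),
              "from", restore_sources(marks, 5))
```

The trade-off the simulation makes visible: the incremental run on day 5 copies one file but a restore to day 5 must apply five sets, whereas the differential run on day 5 copies all four changed files and a restore needs only sets 1 and 5. An auditor verifying "does the backup scheme meet the RTO?" should ask which sets a restore actually has to apply, and whether every one of them is retained and has been test-restored.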
Network Disaster Recovery Methods
Methods for redundancy
•Secondary LAN cable
•Providing multiple paths between routers
•Dynamic routing protocols such as OSPF
•Providing failover devices to avoid single points of failure
•Alternative routing, including dial-up, cellular phone and microwave
•Diverse routing
•Long-haul network diversity
•Voice recovery

181
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Detail Plan (1/2)

Plan Scope and Objective
  •Definition of standard terms
  •Selecting the appropriate methodology
  •Scope of the project itself
Business Recovery Organization (BRO) and responsibilities
  •BCP Planning Coordinator
  •Disaster Recovery Teams
  •Business Continuity Management Teams
Major Plan Components
  •Reduction
  •Response
  •Recovery and Resumption
Escalation, notification and plan activation
  •Disaster declaration procedures
  •Mobilization procedures
  •Damage assessment concepts
  •Recovery site activation
Vital records and off-site storage program
  •What goes off-site
  •Inventory of what is off-site
  •How do you get it back

182
Flow of BCP / DRP: Developing Plan Strategies & Developing The Plan
Detail Plan (2/2)

Salvage and Reclamation Procedures
  •Document the extent of damage, items destroyed, items recoverable.
  •Arrange for removal of recoverable items.
Restoration Planning
  •Preparations of the new facility.
  •Preparations for moving into the new facility.
  •Plans for cutting over from the temporary site to the new facility.
Provisions for testing and maintenance of the plan
  •Procedures for periodic and routine update of the plan.
  •Procedures for periodic and routine testing of the plan or plan components.

183
Flow of BCP / DRP: Plan Testing & Maintenance
A program to periodically and methodically test all major components of the plan to ensure that they are functioning as designed.
•Allow for periodic testing of major plan components at least semi-annually.
•Identify scope, goals and objectives for each individual test.
•Provide for independent auditing of test performance.
•Provide for a post-mortem / report of test results, communicated to appropriate management levels.
•Provide a feedback mechanism into the plan maintenance process.
•Provide for the allocation of adequate resources.

184
Flow of BCP / DRP: Awareness & Training

A program to create corporate awareness and enhance the skills required to develop, implement, maintain, and execute the Plan:

Method and media for awareness & training
•Videos / Films;
•Newsletters;
•Posters;
•Promotional Items;
•Brown-Bag Lunch Meetings; and
•Budget and resources must be allocated.

185
Overview of viewpoint IS audit for DRP/BCP

[Figure: the audit viewpoints laid over the DRP picture: the BIA (Business Impact Assessment) and the DRP/BCP documents; the backup taken at Headquarters / Data center and sent over the backup network; the offsite storage; the emergency team; movement to the Recovery Site; and the restore and recovery at the Recovery Site after the disaster.]

186

Offsite Storage

Operating procedures
  •Application run books, job stream control instructions, operating system manuals
System and program documentation
  •Design documents, program code listings, error conditions and user manuals
Special procedures
  •Any procedures or instructions that are out of the ordinary
Input source documents
  •Duplicate copies of reports and summaries required for output auditing, performance of vital work, satisfaction of legal document requirements or expediting insurance claims
BCP
  •A copy of the latest version

187
Viewpoint of IS audit (Overview of DRP and BCP)

Plan
  •Reviewing the business continuity strategy and its connection to business objectives.
  •Reviewing the BIA (Business Impact Assessment) to ensure that it reflects current business priorities and current controls.
  •Ensuring that the process for maintaining the plans is in place, and that plans are reviewed and modified in appropriate time.
  •Verifying whether the BCP supports the overall business continuity strategy.
  •Evaluating the BCP to determine its adequacy and currency based on the BIA, including RTO and RPO.
  •Reviewing the identification, priorities and planned support of critical applications. Determining whether all critical applications have been identified.
  •Determining whether the secondary site has the correct versions of all system software.
Method & means
  •Evaluating offsite storage.
  •Verifying the treatment of backup media, including transportation.
  •Evaluating whether the business continuity manual and procedures are written simply and are easy to understand.
Testing
  •Verifying that the BCP is effective by reviewing the results of tests.
Organization
  •Evaluating the ability of personnel to respond effectively in an emergency situation by reviewing emergency procedures, records of training and results of testing.
  •Reviewing the list of business continuity personnel, emergency sites and vendors, and checking addresses and phone numbers by sampling.
  •Interviewing assigned personnel for understanding of their responsibilities in case of an interruption.

188
Viewpoint of IS audit (Detail of DRP and BCP)

Procedure & method
  •Identifying whether the transactions to be re-entered are appropriate.
  •Determining whether all recovery/continuity procedures are documented and the teams have them.
  •Determining whether the plan adequately addresses movement to the recovery site and recovering from the recovery site.
  •Determining whether items necessary for the reconstruction of the information processing facility are stored offsite.
  •Does the plan include procedures for merging master data into pre-disaster data?
Physical preparation
  •Where is the backup facility site?
  •Are regular and systematic backups being taken?
  •Is the telecommunication backup working well?

189

Chapter 5.
Domain 5
Protection of Information Assets

190
Overview of Tasks for Domain 5
•5.1 Evaluate the design, implementation and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
•5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
•5.3 Evaluate the design, implementation and monitoring of environmental controls to prevent or minimize loss.
•5.4 Evaluate the design, implementation and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
•5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of confidential information assets.

191
Overview of skill and knowledge for Domain 5 (1)
•5.1 Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis and privacy impact assessment)
•5.2 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus and profiles)
•5.3 Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies and identity management)
•5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service and spamming)
•5.5 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures and emergency incident response teams)
•5.6 Knowledge of network and Internet security devices, protocols and techniques (e.g., SSL, SET, VPN and NAT)
•5.7 Knowledge of intrusion detection systems and firewall configuration, implementation, operation and maintenance
•5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)
•5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities and registration authorities) and digital signature techniques

192
Overview of skill and knowledge for Domain 5 (2)
•5.10 Knowledge of virus detection tools and control techniques
•5.11 Knowledge of security testing and assessment tools (e.g., penetration testing and vulnerability scanning)
•5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems and water sensors)
•5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks and tokens)
•5.14 Knowledge of data classification schemes (e.g., public, confidential, private and sensitive data)
•5.15 Knowledge of voice communications security (e.g., voice over IP)
•5.16 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
•5.17 Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices and Bluetooth devices)

193
IS Audit Small Quiz No.6

Domain 5 Protection of Information Assets

Quiz book

194
What is "Protection of Information Assets"
Information Assets
•All elements of information that either share a common usage, purpose, associated risk and/or form of storage.
•Something that is considered of worth to the organization.

Protection of information assets
•Protect against loss of nuclear sensitive/classified information,
•Protect against the theft of material (both physical and information),
•Protect against terrorist action,
•Ensure nuclear safety,
•Ensure business continuity,
•Minimize business risk

196
Overview of threats to Information Assets

[Figure: ABC Company runs an E-commerce system with its E-commerce DB, used by an operator and by a customer at 123 Company. Threats shown: lightning and fire against the system; malice and a password obtained by interview against the operator; a virus; and a criminal performing spoofing, eavesdropping, scavenging, intrusion and cracking against the system and its customers.]

197
3+3 atomic elements of Information Security

Element          Description                                                         Example
Confidentiality  Ensuring that unauthorized people, resources or processes          •Access control
                 cannot access information                                           •Password
                                                                                     •Cryptography
Integrity        Protection of information from intentional or accidental            •Digital signature
                 unauthorized changes
Availability     Assurance that information is available whenever needed             •Redundancy of network
                                                                                     •RAID

Accountability   Ensuring that actions on information can be explained (traced)      •Access log
                 by recorded logs or signatures
Authenticity     Ensuring that the data, transactions, communications or             •Digital signature
                 documents (electronic or physical) are genuine                      •Password
Reliability      Ensuring that systems and processes work well                       •Redundancy of network
                                                                                     •RAID
                                                                                     •Load monitoring

198
Concept of Protection of Information Assets (Attackers)

[Figure: relationships between owners, attackers, assets, threats, vulnerabilities, risks and countermeasures.]
•Owners value assets and wish to minimize the risks to them.
•Owners impose countermeasures to reduce risks; countermeasures may be aware of vulnerabilities, and vulnerabilities may be reduced by countermeasures.
•Attackers give rise to threats, and may possess (knowledge of) vulnerabilities that the threats exploit.
•Threats exploit vulnerabilities, leading to risks that increase the exposure of the assets.
•Attackers wish to abuse and/or may damage assets.

199
Type of computer crimes

A  Source of attack: A computer is the object of the crime. (Attackers often use another computer to launch the attack.)
   Target: Target may or may not be defined; attackers launch the attack with no specific target in mind.
   Example: •Distributed DoS •Virus •Spam
B  Source of attack: A computer is the object of the crime. (Attackers often use another computer to launch the attack.)
   Target: A specific identified computer.
   Example: •Denial of service (DoS) •Hacking
D  Source of attack: The computer is the tool of the crime. The attacker uses a computer, but the target is not the computer.
   Target: Data or information stored on a computer or transmitted on a network.
   Example: •Fraud •Unauthorized access •Phishing •Key logger
E  Source of attack: The computer symbolizes the crime. The attacker lures the user of the computer to obtain confidential information.
   Target: The user of the computer.
   Example: •Social engineering – Fake website – Spam – Spoofing
F  Source of attack: The computer symbolizes the crime. The attacker gets physical information assets directly.
   Target: Physical information assets.
   Example: •Piggybacking •Scavenging

200
Overview: Common attack methods and techniques

B  Target: attackers launch the attack with no specific target in mind.
   Methods: •Virus •Worm •Interrupt attack •Spam •Botnets •E-mail bombing •Flooding •Distributed DoS
A  Target: a specific identified computer.
   Methods: •Network analysis •Port scan •Password cracking •Packet replay •Masquerading •Message modification •Race condition •Man-in-the-middle attack •Denial of service (DoS) •SQL injection •Buffer overflow •Alteration attack •Malicious code •Cracking
D  Target: data or information stored on a computer or transmitted on a network.
   Methods: •Key logger •War driving •Spyware •Cross-site scripting •Salami •E-mail spoofing •Eavesdropping •Hacking •Remote maintenance
E  Target: the user of the computer.
   Methods: •Social engineering – spoofing •Fake website •Phishing
F  Target: physical information assets.
   Methods: •Scavenging •Piggybacking

Computer Security Institute/FBI and Ernst & Young say nearly 50% of all network attacks come from the inside.

201
Security control concept (1)
Access Control
•Ability to permit or deny the use of resources by a particular entity
•The ability to allow only authorized users, programs or processes
system or resource access

Authentication
•Who goes there?
•Restrictions on who (or what) can access the system
•Verifying the identity of a user, process, or device, often as a
prerequisite to allowing access to resources

Authorization
•Are you allowed to do that?
•Restrictions on actions of authenticated users
•The right or a permission that is granted to a system entity to access a
system resource

202
Security control concept (2)
Need-to-know
•Having access to the information that is required to carry out work
•Ensuring that access to sensitive assets is limited to only those who have the necessary 'need to know' and the appropriate security clearance

Defense-in-depth
•Places multiple barriers between an attacker and your assets
•The deeper an attacker tries to go, the more layers they need to get through undetected

Least privilege and functions
•The minimum level of computer access to an asset in order to effectively carry out work
•Only a minimal set of users have root access
•Users can use only the minimum set of functions

203
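The control concepts on these two pages (authentication, authorization, need-to-know and least privilege) as an added Python example; this is not code from the training text. The role table, the assumed policy limit of two root holders and the sample users are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Need-to-know: each role carries only the permissions its work requires.
# Role names and permissions are constructed sample data.
ROLE_PERMISSIONS = {
    "operator": {"read:logs", "restart:service"},
    "developer": {"read:logs", "read:source", "write:source"},
    "auditor": {"read:logs", "read:config", "read:source"},
    "sysadmin": {"read:logs", "read:config", "write:config", "root"},
}
MAX_ROOT_USERS = 2  # assumed policy: only a minimal set of users may hold root


@dataclass
class User:
    name: str
    roles: set
    salt: bytes
    pw_hash: bytes
    direct_grants: set = field(default_factory=set)  # grants made outside the role model


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen credential table does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(name, password, roles, direct_grants=()):
    salt = os.urandom(16)
    return User(name, set(roles), salt, _hash_password(password, salt), set(direct_grants))


def authenticate(directory, name, password):
    """Authentication ("who goes there?"): verify the claimed identity.
    Returns the User on success, None otherwise."""
    user = directory.get(name)
    if user is None:
        return None
    if hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt)):
        return user
    return None


def effective_permissions(user):
    perms = set(user.direct_grants)
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, permission):
    """Authorization ("are you allowed to do that?") is a separate decision:
    an authenticated user may still be refused a specific action."""
    return user is not None and permission in effective_permissions(user)


def least_privilege_findings(directory):
    """Review the access list the way an auditor would: grants that bypass the
    role model, root held without the sysadmin role, and more root holders
    than policy allows."""
    findings = []
    root_holders = []
    for user in directory.values():
        if user.direct_grants:
            findings.append(f"{user.name}: direct grants outside the role model {sorted(user.direct_grants)}")
        if "root" in effective_permissions(user):
            root_holders.append(user.name)
            if "sysadmin" not in user.roles:
                findings.append(f"{user.name}: holds root without the sysadmin role")
    if len(root_holders) > MAX_ROOT_USERS:
        findings.append(f"{len(root_holders)} root holders exceed the policy maximum of {MAX_ROOT_USERS}")
    return findings


def build_sample_directory():
    """Constructed access list containing deliberate least-privilege problems."""
    users = [
        create_user("alice", "correct horse", ["sysadmin"]),
        create_user("bob", "battery staple", ["developer"], direct_grants={"root"}),
        create_user("carol", "audit-2010", ["auditor"]),
        create_user("dave", "ops!", ["operator", "sysadmin"]),
        create_user("erin", "dev", ["developer"], direct_grants={"write:config"}),
    ]
    return {u.name: u for u in users}
```

Running least_privilege_findings(build_sample_directory()) reports bob's out-of-role root grant, erin's direct grant, and three root holders against a policy maximum of two.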
General Idea: Type of Means of controls
Risk treatment: example of control
•Avoid: disconnect from the network, stop services
•Reduce: backup site, duplex system, monitoring
•Transfer: insurance, hosting
•Accept: enhancement of customer support

Control type: example of control
•Preventive control: firewall, DMZ, antivirus software, IPS (Intrusion Prevention System)
•Detective control: logs, IDS (Intrusion Detection System), network monitoring
•Corrective control: backup, alternate device, recovery procedure

204
Technical measures of security
Columns on the original slide: Preventive / Detective / Corrective (P D C) and Confidentiality / Integrity / Availability (C I A). The marks are reproduced as extracted; their column positions were lost.
Network
•Firewall: X x x x
•IPS (Intrusion Prevention System): X x x x
•IDS (Intrusion Detection System): X x x x
•DMZ: X x x x
Encryption
•PKI / X.509: X X
•VPN (Virtual Private Network) / IPsec: X X
•SSL: X X X
General
•Signature: digital signature: X X
•Signature: hash function: X x X X
•Encryption: DES/AES: X x X
Authentication
•Biometrics: X X
•Token device: X X
•One-time password: X X
Test
•Vulnerability testing (SATAN): X x x x
•Penetration testing: X x x x
Mail
•Spam filter: X X x x x
•S/MIME: X X X
PC
•Antivirus software: X X X x x x
•Personal firewall: X X x x x
205
Information Security Cycle
•Identification of important information: information security relies on the identification of the information assets which are of worth to the organization and need to be secured.
•Risk management: assessment of the risks associated with protection of the information.
•Security plan: overall specification of all security precautions, procedures, and systems that are implemented at a facility to protect material, personnel, information assets, etc. In short, what is the plan to implement our controls.
•Implementation: security plan and supporting procedures; clearly defined roles and responsibilities; training, awareness and culture; incident response procedures.
•Follow-up measures: security tends to degrade during the operational phase of the life cycle; regular audits, assessments, tests, and inspections provide a means of preventing the degradation of security operations.

206
Security Audit
Evaluation of the information security status of all assets:
•Identify assets
•Identify vulnerabilities
•Identify threats
•Determination of likelihood
•Determination of consequence
•Identify security controls
•Risk mitigation

Security assessment areas cover:
•Security policy
•Organizational security
•Asset classification and control
•Personnel security
•Physical and environmental security
•Communications and operations management
•Access control
•System development and maintenance
•Business continuity management
•Compliance
•Other

Notes:
•Security tends to degrade during the operational phase of the system life cycle. Once it is in place it tends to be forgotten.
•One-time or regular evaluation of security and controls
•Examine an entire system or a single anomalous event
•Conformity to the requirements of relevant legislation or regulations / management

207
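Added example, not from the training text: the assessment steps listed above (assets, threats, likelihood, consequence, existing controls, mitigation) carried through as a small risk register, with each residual risk mapped to one of the four means of control from the "Type of means of controls" page (avoid, reduce, transfer, accept). The 1-5 scales, the thresholds, the assumed effect of preventive and corrective controls and the register entries are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed ordinal scales (1..5) for likelihood and consequence; the thresholds,
# control names and register entries below are constructed sample data.
ACCEPT_MAX = 4   # residual score at or below this: accept the risk
AVOID_MIN = 21   # residual score at or above this: avoid (stop the activity)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    consequence: int            # 1 (negligible) .. 5 (severe)
    controls: tuple = ()        # existing controls as "type:name"
    transferable: bool = False  # insurance or hosting is available for this risk

    def __post_init__(self):
        for value in (self.likelihood, self.consequence):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and consequence must be in 1..5")
        for control in self.controls:
            if control.split(":", 1)[0] not in ("preventive", "detective", "corrective"):
                raise ValueError(f"unknown control type in {control!r}")

    def inherent_score(self) -> int:
        return self.likelihood * self.consequence

    def residual_scores(self):
        """Assumed effect of existing controls: each preventive control lowers
        likelihood by one step and each corrective control lowers consequence
        by one step; detective controls shorten exposure but stop nothing, so
        they do not change the score here."""
        kinds = [c.split(":", 1)[0] for c in self.controls]
        likelihood = max(1, self.likelihood - kinds.count("preventive"))
        consequence = max(1, self.consequence - kinds.count("corrective"))
        return likelihood, consequence

    def residual_score(self) -> int:
        likelihood, consequence = self.residual_scores()
        return likelihood * consequence

    def has_detective_control(self) -> bool:
        return any(c.startswith("detective:") for c in self.controls)


def treatment(risk: Risk) -> str:
    """Map the residual score to one of the four means of control."""
    score = risk.residual_score()
    if score >= AVOID_MIN:
        return "avoid"
    if score > ACCEPT_MAX:
        return "transfer" if risk.transferable else "reduce"
    return "accept"


def assess(register):
    """Risk register -> assessment rows, highest residual risk first."""
    rows = []
    for risk in register:
        row = {
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": risk.inherent_score(),
            "residual": risk.residual_score(),
            "treatment": treatment(risk),
            "notes": [],
        }
        # Practitioner's caveat: a risk that is not accepted still needs a way to notice the event.
        if row["treatment"] != "accept" and not risk.has_detective_control():
            row["notes"].append("no detective control: an incident would go unnoticed")
        rows.append(row)
    return sorted(rows, key=lambda r: (-r["residual"], r["asset"]))


def sample_register():
    """Constructed register entries."""
    return [
        Risk("customer database", "unauthorized access", "weak passwords", 4, 5,
             ("detective:access log",)),
        Risk("public web server", "distributed DoS", "single uplink", 3, 3,
             ("preventive:firewall",), transferable=True),
        Risk("office PCs", "virus", "e-mail attachments", 5, 2,
             ("preventive:antivirus", "corrective:backup")),
        Risk("data center", "earthquake", "single site", 2, 5, (), transferable=True),
        Risk("legacy order service", "remote exploitation", "unpatchable OS", 5, 5,
             ("detective:IDS",)),
    ]
```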
Group roles and Responsibility for Security Management
(Figure: organization chart; the boxes read as follows.)
•Executive manager
•CISO: Chief Information Security Officer
•CPO: Chief Privacy Officer
•IS security steering committee
•Security Advisory Group
•Security Administrator
•Security Specialist
•IS Auditor
•IT Developer
•Information asset Process Owners
•Process User
•Data Process Owners
•Related third party

208
Key elements of information security management
•Senior management: commitment and support from senior management are important to the success of information security management.
•Policy and procedure: the policy framework should be established, covering standards to develop a minimum security baseline; measurement criteria and methods; and specific guidelines, practices and procedures.
•Organization: responsibility for the protection of individual assets should be clearly defined.
•Security awareness and education: all employees and third-party users should receive appropriate training and updates on security awareness and on compliance with written security policies and procedures.
•Monitoring and compliance: IS auditors are usually charged with assessing, on a regular basis, the effectiveness of the security program.
•Incident handling and response: because a security incident is an event adversely affecting the processing of computer usage, the organization should take the appropriate measures to reduce the impact of an incident when it happens.

209
Security baseline recommendation
•Inventory for physical control. Objective: establish and maintain an inventory. Recommendation (example): users are expected to follow standards to connect to the network and to register a network address.
•Antivirus. Objective: install antivirus software with automatic updating. Recommendation: the antivirus database should be updated every day.
•Passwords. Objective: recognize the importance of passwords. Recommendation: the IT department should provide password guidance.
•Patching. Objective: make it automated. Recommendation: each machine should be configured to patch automatically.
•Minimizing services offered by infrastructure (software). Objective: eliminate unnecessary services to reduce security risk. Recommendation: to improve basic security and minimize the effort to maintain systems, workstations should offer only needed services.
•Addressing vulnerabilities. Objective: eliminate many vulnerabilities with good system administration. Recommendation: information from enterprise-wide scans helps to identify vulnerabilities on each system.
•Backups. Objective: allow easy recovery from user mistakes and hardware failure. Recommendation: backups should be made offsite for security.
210
Summary Basic Security Evaluation Check list (1)
Assets/Inventory
•What types of data are maintained by the company?
•Is there any confidential information? How is it kept?
•Are there any specific requirements for handling data?
Environment
•What kinds of ICT devices does the company have?
•Are there wireless networks? How is their security?
•Is there an appropriate network map for security?
•What kinds of OS does the company use?
•How is remote network access handled?
•How are software licenses managed?
•How is the configuration management of H/W and S/W done?
•Are there any physical security means for entering the IT room?
Anti-virus
•Does the company have an anti-virus policy?
•Do all workstations and servers have anti-virus software?
•Does the antivirus software update its virus DB automatically?
•Does each staff member know what to do when he/she finds a virus?
Password
•Does the company have a policy on using passwords?
•Does the company conduct training?
•Is there any software that detects weak passwords?
•Do staff know that they cannot share passwords?
211
Summary Basic Security Evaluation Check list (2)
Patch
•Do all devices update automatically? How often?
•Is there any environment for testing a new patch?
•Is a backup taken before a new patch is applied?
Minimizing services
•Does the company identify the necessary services?
•Do the IT staff review the minimizing of services?
•Is there any means to prevent new installations by unauthorized personnel?
Vulnerabilities
•Is vulnerability testing done?
•After testing, does the company take measures against the vulnerabilities found?
•If someone finds a vulnerability, who provides support next?
•Are there a firewall and an IDS in the network?
Backup and recovery
•Is backup done regularly?
•Is the backup kept in a secure area?
•Are there appropriate procedures for backup and recovery?
•Is the backup sufficient to recover the business in case of disaster?
•Do the IT staff have experience of recovery, or of recovery testing?

212
General Idea of Network Security
Proactive Endpoint Security
•Define and deploy a baseline security policy
•Provides instant desktop firewall protection
•Blocks all unsolicited traffic to/from the PC
•Uses stealth technology to make PCs invisible to hackers
•Controls how, when, and which resources PCs can access on the network
•Enables very granular least-privilege access to network resources
•Safeguards PCs with intrusion prevention with no rule writing
•Blocks traffic containing malicious code
•Stops execution of any malware it detects on the PC

Outbound threat protection
•Creates an inventory of applications that attempt network access
•Allows only the required applications network access
•Restricts network access by unrecognized programs
•Prevents malicious code from compromising enterprise data
•Protects approved programs against spoofing, tampering and hijacking

Host Intrusion Prevention
•Blocks buffer overflow and other attacks on PC applications and the OS
•Protects hosts against intrusion attempts and unauthorized access
•Screens all network traffic at the application layer for malicious code
•Requires little admin effort to defend enterprise PCs
213
Vulnerability Assessment & Penetration Testing
Vulnerability Assessment
•The overall network infrastructure is assessed to determine any exploitable vulnerability
•Sophisticated tools are used to identify any potential security weaknesses
•Devices assessed include firewalls, routers, servers, etc.
•Tests are performed to identify system weaknesses from both internal and external threats
•A comprehensive report is submitted with the vulnerabilities found and the corrective actions to be taken
•Should be performed at regular intervals or after any major changes

Penetration Testing
•Attempts to scrutinize the true strength of an organization's security infrastructure against a real attack
•Assumes the role of a real intruder and attempts to breach the network in a controlled and safe way that does not affect your services
•Launches a series of attacks on the network using commonly used techniques
•Various commercial and open source "hacker" tools will be employed during the tests

214
Environmental exposure and controls
Exposure
•Lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather
•Power failures: blackout, brownout, sag/spikes and surges, and electromagnetic interference (EMI)
•Water damage / flooding
•Fire
•Dust, smoke and other particulate matter, including food
•Mice and other animals and insects
•Terrorism
Controls
•Alarm control panel
•Uninterruptible power supply / generator
•Fireproof walls, floors and cables
•Water and fire/smoke detectors
•Fire extinguishers (handheld or equipment)
•Humidity / temperature control
•Monitoring camera

215

Chapter 6.
Domain 2
IT Governance

216
Overview of Tasks for Domain 2
•2.1 Evaluate the effectiveness of the IT governance structure to ensure adequate board
control over the decisions, directions and performance of IT so that it supports the
organization’s strategies and objectives.
•2.2 Evaluate the IT organizational structure and human resources (personnel)
management to ensure that they support the organization’s strategies and objectives.
•2.3 Evaluate the IT strategy and the process for its development, approval,
implementation and maintenance to ensure that it supports the organization’s strategies
and objectives.
•2.4 Evaluate the organization’s IT policies, standards and procedures and the processes
for their development, approval, implementation and maintenance to ensure that they
support the IT strategy and comply with regulatory and legal requirements.
•2.5 Evaluate management practices to ensure compliance with the organization’s IT
strategy, policies, standard and procedures.
•2.6 Evaluate IT resource investment, use and allocation practices to ensure alignment
with the organization’s strategies and objectives.
•2.7 Evaluate IT contracting strategies and policies and contract management practices to
ensure that they support the organization’s strategies and objectives.
•2.8 Evaluate risk management practices to ensure that the organization’s IT-related risks
are properly managed.
•2.9 Evaluate monitoring and assurance practices to ensure that the board and executive
management receive sufficient and timely information about IT performance.

217
Overview of skill and knowledge for Domain 2
•2.1 Knowledge of the purpose of IT strategies, policies, standards and procedures for an
organization and the essential elements of each
•2.2 Knowledge of IT governance frameworks
•2.3 Knowledge of the processes for the development, implementation and maintenance of
IT strategies, policies, standards and procedures
•2.4 Knowledge of quality management strategies and policies
•2.5 Knowledge of organizational structure, roles and responsibilities related to the use and
management of IT
•2.6 Knowledge of generally accepted international IT standards and guidelines
•2.7 Knowledge of enterprise IT architecture and its implications for setting long-term
strategic goals
•2.8 Knowledge of risk management methodologies and tools
•2.9 Knowledge of the use of control frameworks (e.g., COBIT, COSO and ISO/IEC 17799)
•2.10 Knowledge of the use of maturity and process improvement models (e.g., CMM and
COBIT)
•2.11 Knowledge of contracting strategies, processes and contract management practices
•2.12 Knowledge of practices for monitoring and reporting of IT performance (e.g., balanced
scorecards and key performance indicators)
•2.13 Knowledge of relevant legislative and regulatory issues (e.g., privacy, intellectual
property and corporate governance requirements)
•2.14 Knowledge of IT human resources (personnel) management
•2.15 Knowledge of IT resource investment and allocation practices (e.g., portfolio
management return on investment)
218
IS Audit Small Quiz No.7

Domain 2 IT Governance
IT governance, Governance organization, Governance strategy and
policy, Management of security, outsourcing and human resources.

Quiz book

219

IT control
•ITCLC: IT Company Level Control
•ITGC: IT General Controls
•ITAC: IT Application Control

ITGC: IT general controls
•Logical access controls
•System development life cycle controls
•Program change management controls
•Data center physical security controls
•System and data backup and recovery
•Computer operation controls

ITAC: IT application control (complete and accurate)
•Input data control
•Process control
•Output control

(Figure: application systems such as Accounting and Sales run on the IT infrastructure (network, server, PC, …); system development and system operation fall under ITGC, and ITCLC covers the company as a whole.)

ITCLC: IT company level control
•IT governance / policy
•IT risk management
•Training
•Quality assurance
•IT internal audit
220
Framework of IS audit
(Figure: the frameworks below are laid out against the plan / strategy / activity levels and the ITCLC, ITGC and ITAC control layers.)
•COSO: internal control
•COBIT: internal control and IT governance
•Val IT: IT investment and governance
•ITIL V.3 (ISO 20000): service delivery and operation
•ISO 27000: security
•ISO 9000: quality management
•ISACA/CISA: IS audit
221

Concept of IT Governance: Definition & Summary
Definition
•IT Governance is the responsibility of executives and the board of
directors, and consists of the leadership, organizational structures and
processes that ensure that the enterprise’s IT sustains and extends the
organization’s strategies and objectives. (CobiT 4.1)
•[IT Governance] Consists of the leadership, organizational structures
and processes that ensure that the enterprise’s information technology
sustains and extends the organization’s strategies and objectives. (IIA
International Professional Practices Framework)

Summary
a) Leadership and Clear Business Ownership
b) Aligned Business-Relevant Measures
c) Complete and Accurate Inventories
d) Linking Technical and Business Risk

222
Concept of IT Governance:
a) Clear Business Ownership and Direction

Alignment of Business and IT Objectives (CobiT 4.1 'Framework')
Example: Objectives of two different companies (Company A / Company B)
•Enterprise strategy: rapid global expansion / expansion of proven models
•Business goals for IT: sacrifice standards for speed / leverage IT standards
•IT goals: buy locally what works / convert non-standard systems
•Enterprise architecture for IT: minimal / central
•IT scorecard: number of branches supported / % standard

223
Concept of IT Governance:
Enterprise Architecture for IT
(Figure: "As Is" model, "To Be" model, and the "Next" model between them.)
An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. The intent of an enterprise architecture is to determine how an organization can most effectively achieve its current and future objectives.
224
Concept of IT Governance:
Balanced Scorecard
The core characteristic of the Balanced Scorecard and its derivatives is the presentation of a mixture of financial and non-financial as well as leading and lagging measures, each compared to a 'target' value within a single concise report.

Example (columns: strategic target, measuring method, target; the "action plan" and "person in charge" columns are empty on the slide)
Financial
•Improvement in profits nature: net profit: 20% rise
•The expansion of a customer: sales growth rate: 30% rise
•A few aircraft: lease cost: 20% down
Customer orientation
•Expansion of customer loyalty: repeater ratio: 90% or more; customer rate of increase: 30% rise
•Keeping a departure time: departure at the right time: 90% or more; average delay time: less than 10 minutes
Business process
•Keeping a schedule: flight cancellation ratio: 0%; customer complaint number of cases: zero affairs/month
Learning & growth
•Improvement of training: training cost: 10% of sales; training time: 10% rise
225
Concept of IT Governance:
Balanced Scorecard: example of objectives and metrics
Financial
•Business/IT alignment: operational budget approval
•Value delivery: business unit performance
•Risk management: results of internal audits
Customer orientation
•Customer satisfaction: business unit survey ratings
•Competitive costs: attainment of unit cost targets
Business process
•Development process: function point measures
•Operational process: change management effectiveness
•Process maturity: level of IT processes
•Enterprise architecture: state of the infrastructure assessment
Learning & growth
•Human resource management: staff turnover
•Employee satisfaction: satisfaction survey scores
•Knowledge management: implementation of lessons learned

(General Balanced Scorecard, not IT)

226
Concept of IT Governance:
b) Aligned Business-Relevant Measures
•Requires translation of traditional IT measures
•Performance against financial goals, either business or IT
•Operational efficiency
•Innovation
Example: Changing the supply and inventory system (category for objectives: measurement)
•Enterprise strategy: leverage scale
•Business goals for IT: take a day out of inventory
•IT goals: share inventory, orders and safety stock information with suppliers
•Enterprise architecture for IT: use the existing EDI infrastructure for the new EDI message
•IT scorecard: cash flow; warehouses not built

227
Concept of IT Governance:
c) Complete and Accurate Inventories
•IT-dependent business processes
•Data repositories and information flows
•IT infrastructure
•IT resources and processes
Example: Information flow of sales (category for objectives: information flows)
•Enterprise strategy: influence trade customers
•Business goals for IT: "right information, right place, right time" for sales
•IT goals: effectively combine product profitability, share and store data
•Enterprise architecture for IT: laptops in shopping carts; efficient (cheap) communications
•IT scorecard: solution cost efficiency; sales representative satisfaction
228
Concept of IT Governance:
d) Linking Technical and Business Risk
•Risk is the most important factor of business.
•Management needs to be able to compare IT risks with other risks.
•IT governance must do an effective job of translating technical risks into business risks.

IT risk and the business exposure it translates to:
•Incidents resulting from changes: disruptions to critical business processes (e.g. order to cash)
•Input or output error: compromised company reputation
•Information security incidents: reduced organizational capacity

229
IT Governance Focus Area: (ITGI)
Enterprise governance is a set of responsibilities and practices
exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly

230
IT Governance Focus Area: (ITGI)
•Strategic alignment: focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.
•Value delivery: is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
•Resource management: is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
•Risk management: requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organization.
•Performance measurement: tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

231
IT governance flow and cycle (CobiT)
(Figure: business objectives drive the governance objectives; the four CobiT domains form a cycle around the information criteria and the IT resources.)
Information criteria: effectiveness, efficiency, confidentiality, integrity, compliance, reliability
IT resources: people, application systems, technology, facilities, data
Planning and Organization
•PO1 Define a strategic IT plan
•PO2 Define the information architecture
•PO3 Determine the technological direction
•PO4 Determine the IT processes, …
•…
Acquisition and Implementation
•AI1 Identify automated solutions
•AI2 Acquire and maintain application software
•AI3 Acquire and maintain technology infrastructure
•AI4 Enable operation and use
•AI5 Procure IT resources
•AI6 Manage …
•…
Delivery and Support
•DS1 Define and manage service levels
•DS2 Manage third-party services
•DS3 Manage performance and capacity
•DS4 Ensure continuous service
•DS5 Ensure systems security
•DS6 Identify and allocate costs
•…
Monitoring
•M1 Monitor and evaluate IT performance
•M2 Monitor and evaluate internal control
•…

232
IT Management hierarchy (CobiT)
•Domain: a natural grouping of processes, often matching an organizational domain of responsibility
•Process: a series of joined activities with natural control breaks
•Action: the actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete

233
IT Governance: Type of Planning
Strategic planning
•Time frame: 3 years +
•Questions: What business are we in? Should we expand or contract?
•Output: general broad statement of what business the company is in; next review period
Long-term planning
•Time frame: 1-3 years
•Questions: What are the major business components? What do we concentrate on now? What products and services are planned?
•Output: financial goals; market opportunities; management organization
Operational planning
•Time frame: 1 year or less
•Questions: What specific tasks must be done to meet the long-term plan?
•Output: assumptions for the period; changes needing to be made; production times; responsibility; budget

234
Organization of steering committee
(Figure: the Board of Directors sits above the IT Strategy / Steering Committee, which is made up of the CEO office, executives and a chairperson and draws on the departments: Marketing, Sales, Legal, R&D, IT, Production, Finance, QC, HR and Admin.)

IT strategy committee
•Advises the board and management on IT strategy
•Is delegated by the board to provide input to the strategy and prepare its approval
•Focuses on current and future strategic IT issues

IT steering committee
•Decides the overall level of IT spending and how costs will be allocated
•Assists executives in the delivery of the IT strategy
•Oversees day-to-day management of IT service delivery and IT projects
•Focuses on implementation

235
General role of IS auditor for IT governance
An auditor is well positioned to provide leading-practice recommendations to senior management to help improve the quality and effectiveness of the IT governance initiatives implemented.
As an entity that monitors compliance, audit helps ensure compliance with the IT governance initiatives implemented within an organization. The continual monitoring, analysis and evaluation of the metrics associated with IT governance initiatives require an independent and balanced view to ensure a qualitative assessment that subsequently facilitates the qualitative improvement of IT processes and the associated IT governance initiatives.

236
Issues and targets of IT governance (1)
Area: Information security; issue: information security
•Institute a process to integrate security with the business process
•Review and assist the security strategy and integration effort
•Ensure that business owners support integration
Area: Risk management; issue: risk management
•Establish risk tolerance
•Ensure regulatory compliance
•Ensure that roles and responsibilities include risk management in all activities
Area: IT strategy; issue: process improvement and assurance
•Provide oversight of all assurance functions and plans for improvement and integration
•Identify critical business processes and assurance
•Direct assurance integration efforts
Area: IT strategy; issue: IT investment and allocation
•Create a positive control environment by assuming responsibility for formulating, developing, documenting and controlling policies covering general goals and directives
Area: IT strategy; issue: enterprise architecture
•Provide oversight of all plans and assurance functions
237
Issues and targets of IT governance (2)
Area: IT management practice; issue: human resource management
•Provide oversight of the strategic plan for hiring and training
Area: IT management practice; issue: sourcing practice
•Provide oversight of the strategic plan for sourcing
•Ensure that the risk of outsourcing and the remaining accountability are addressed
Area: IT management practice; issue: change management
•Ensure the process and technology for change management
Area: IT management practice; issue: financial management
•Provide oversight of the financial plan for IT investment
•Ensure appropriate management of IT investment
Area: IT management practice; issue: quality management
•Provide oversight of quality control
•Ensure the status of QCM
Area: IT management practice; issue: IT organization
•Provide oversight of duties and responsibilities, including segregation

238

Thanks for you joining the lecture!

Contact: Go Ota
e-mail gohome@v006.vaio.ne.jp
Web www.beyondbb.jp (Japanese)

239
