APO06 Manage Budget and Costs Audit/Assurance Program

ISACA®
With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer
ISACA has designed and created APO06 Manage Budget and Costs Audit/Assurance Program (the "Work") primarily as an educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights
© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

ISACA
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA

Joanna Karczewska, CISA, Poland
Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina
Abdul Rafeq, [...]
[...], USA, International President
Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President
Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President
Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director
Frank K.H. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director
Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director
Table of Contents
Introduction ... 5
Assurance Engagement Approach Based on COBIT 5 ... 5
Generic Audit/Assurance Program ... 6
Customization of the Audit/Assurance Program ... 6
About the Example Audit/Assurance Program: APO06 ... 6
Assurance Engagement: Manage Budget and Costs ... 7
Assurance Topic ... 7
Goal of the Review ... 7
Scoping ... 7
COBIT 5-based Assurance Engagement Approach ... 7
Phase A—Determine Scope of the Assurance Initiative ... 8
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment ... 12
Phase C—Communicate the Results of the Assessments ... 29
Introduction
This document contains an example audit/assurance program for a COBIT 5 process, based on the generic structure developed in section 2B of COBIT for Assurance¹.

Figure 1—Generic COBIT 5-based Assurance Engagement Approach
Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can also be classified under the Information enabler heading and covered in detail there. Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.

In practice, assurance professionals will have to use their own professional judgment when developing their own customized audit/assurance programs, to avoid duplication of work. In addition, while audit/assurance programs will be available for each process, in practice, a group of processes are often selected for audit. Therefore, a relevant set of audit/assurance programs of the applicable processes will need to be selected for conducting assurance.
Generic Audit/Assurance Program
The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program—including guidance on how to proceed during each step—in section 2B of COBIT for Assurance. This audit/assurance program is:
• Fully aligned with COBIT 5: It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers. It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
• Comprehensive yet flexible. The generic program is comprehensive because it contains assurance steps covering all enablers in [...]

[...]
B-3. Understand good practices related to the Principles, Policies and Frameworks and expected values.
B-3.5 Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied.
The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

Good practice: Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment step: Verify that the scope of the framework is described and the validity date is indicated.

Good practice: Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known.
Assessment step: Verify that the exception and escalation procedure is described, explained and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.

B-3.5 Cont.
Good practice: Compliance
Criteria: The compliance checking mechanism and non-compliance consequences [...]
Assessment step: Verify that the compliance checking mechanism and non-compliance [...]

[...] Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals contribute to the achievement of the enterprise goals and IT-related goals.

Organisational Structure goal: Determine through interviews with key stakeholders and documentation review the goals of the Organisational Structures, [...]
Assessment step: This step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techniques [...]

[...] Understand the Information item context: Where and when is it used? For what purpose is it used? Understand the connection with other enablers in scope, e.g., used by which processes? Which Organisational Structures are involved (see also B-8.)? Which services/applications are involved?

B-6.2 Understand the major stakeholders of the Information item.
Guidance: Understand the stakeholders for the Information item, i.e., identify the Information producer, Information custodian and Information consumer. Stakeholders should be at the appropriate organisational level.

B-6.3 Understand the major [...]

[...] Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values. Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.
B-8.
For the People, Skills and Competencies at hand, the following goals and associated criteria can be addressed.

Goal: Experience
Assessment step: Apply appropriate auditing techniques [...]

[...] Understand and document weaknesses and their impact on the achievement of process goals. Understand and document weaknesses and their impact on enterprise goals.

Guidance: [...]
C-2 Communicate the work performed and findings.

C-2.1 Communicate the work performed.

C-2.2 Communicate preliminary findings to the assurance engagement stakeholders defined in A-1.
Guidance:
• Illustrate the impact of enabler failures or weaknesses with numbers and scenarios of errors, inefficiencies and misuse.
• Clarify vulnerabilities, threats and missed opportunities that are likely to occur if enablers do not perform effectively.
• Illustrate what the weaknesses would affect (e.g., business goals and objectives, enterprise architecture elements, capabilities, resources).
• Relate the impact of not achieving the enabler goals to actual cases in the same industry and leverage industry benchmarks.
• Document the impact of actual enabler weaknesses in terms of bottom-line impact, integrity of financial reporting, hours lost in staff time, loss of sales, ability to manage and react to the market, customer and shareholder re[...]
• [...] Use benchmarking and survey results to compare the enterprise's performance with others.
• Use extensive graphics to illustrate the issues.

C-2.3 Inform the person responsible for the assurance activity about the preliminary findings and verify his/her correct understanding of those findings.

Deliver a report (aligned with the terms of reference, scope and agreed-on reporting standards) that supports the results of the initiative and enables a clear focus on key issues and important actions.