WAPO06 Manage Budget and Costs Audit Assurance Program Icq Eng 0814

February 13, 2019 | Author: mlce26 | Category: Audit, Cobit, Business Process, Strategic Management, Goal


Short Description

GUIDE...

Description

APO06 Manage Budget and Costs Audit/Assurance Program

ISACA®

With more than 115,000 constituents in 180 countries, ISACA (www.isaca.org) helps business and IT leaders build trust in, and value from, information and information systems. Established in 1969, ISACA is the trusted source of knowledge, standards, networking, and career development for information systems audit, assurance, security, risk, privacy and governance professionals. ISACA offers the Cybersecurity Nexus™, a comprehensive set of resources for cybersecurity professionals, and COBIT®, a business framework that helps enterprises govern and manage their information and technology. ISACA also advances and validates business-critical skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) credentials. The association has more than 200 chapters worldwide.

Disclaimer

ISACA has designed and created APO06 Manage Budget and Costs Audit/Assurance Program (the "Work") primarily as an educational resource for assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, assurance professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/COBITuse.

ISACA, 3701 Algon[...]SA

Joanna Karczewska, CISA, Poland; Patricia Prandini, CISA, CRISC, Universidad de Buenos Aires, Argentina; Abdul Rafeq[...]SA, International President; Steven A. Babb, CGEIT, CRISC, ITIL, Vodafone, UK, Vice President; Garry J. Barnes, CISA, CISM, CGEIT, CRISC, BAE Systems Detica, Australia, Vice President; Robert A. Clyde, CISM, Adaptive Computing, USA, Vice President; Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President; Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President; Vittal R. Raj, CISA, CISM, CGEIT, CRISC, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President; Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President; Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President; Debbie A. Lew, CISA, CRISC, Ernst & Young LLP, USA, Director; Frank K.M. Yam, CISA, CIA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Director; Alexander Zapata Lenis, CISA, CGEIT, CRISC, ITIL, PMP, Grupo Cynthus S.A. de C.V., Mexico, Director


Table of Contents

Introduction .......... 5
Assurance Engagement Approach Based on COBIT 5 .......... 5
Generic Audit/Assurance Program .......... 6
Customization of the Audit/Assurance Program .......... 6
About the Example Audit/Assurance Program: APO06 .......... 6
Assurance Engagement: Manage Budget and Costs .......... 7
Assurance Topic .......... 7
Goal of the Review .......... 7
Scoping .......... 7
COBIT 5-based Assurance Engagement Approach .......... 7
Phase A—Determine Scope of the Assurance Initiative .......... 8
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment .......... 12
Phase C—Communicate the Results of the Assessments .......... 29


Intro#ction This document contains an e*ample auditLassurance proram or a C-IT 5 process, %ase on the eneric structure developed in section 3- o COBIT  for Assurance1" &ig#re '("eneric C)BIT *+%ase Ass#rance Engagement Approach






Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can also be classified under the Information enabler heading and covered in detail there. Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.

In practice, assurance professionals will have to use their own professional judgment when developing their own customized audit/assurance programs, to avoid duplication of work. In addition, while audit/assurance programs will be available for each process, in practice a group of processes is often selected for audit. Therefore, a relevant set of audit/assurance programs for the applicable processes will need to be selected for conducting assurance.

Generic Audit/Assurance Program

The assurance approach depicted in figure 1 is described in more detail and developed into a generic audit/assurance program—including guidance on how to proceed during each step—in section 2B of COBIT 5 for Assurance. This audit/assurance program is:

• Fully aligned with COBIT 5: It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers. It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.
• Comprehensive yet flexible. The generic program is comprehensive because it contains assurance steps covering all enablers in [...]

B-3. Understand good practices related to the Principles, Policies and Frameworks and expected values. Assess the Principles, Policies and Frameworks design, i.e., assess the extent to which expected good practices are applied. The assurance professional will, by using appropriate auditing techniques, assess the following aspects.

B-3.5

Good Practice: Scope and validity
Criteria: The scope is described and the validity date is indicated.
Assessment Step: Verify that the scope of the framework is described and the validity date is indicated.

Good Practice: Exception and escalation
Criteria: The exception and escalation procedure is explained and commonly known.
Assessment Step: Verify that the exception and escalation procedure is described, explained and commonly known. Through observation of a representative sample, verify that the exception and escalation procedure has not become de facto standard procedure.

Good Practice: Compliance
Criteria: The compliance checking mechanism and non-compliance conse[...]
Assessment Step: Verify that the compliance checking mechanism and non-compliance conse[...]

Understand the goals of the Organisational Structure, the related metrics and agree on expected values. Understand how these goals contribute to the achievement of the enterprise goals and IT-related goals.

Organisational Structure Goal: Determine through interviews with key stakeholders and documentation review the goals of the Organisational Structures, [...]
Assessment Step: This step only applies if specific goals are defined. In that case, the assurance professional will use appropriate auditing techni[...]

Understand the Information item context: Where and when is it used? For what purpose is it used? Understand the connection with other enablers in scope, e.g., Used by which processes? Which Organisational Structures are involved (see also B-4)? Which services/applications are involved?

B-6.2 Understand the major stakeholders of the Information item. Understand the stakeholders for the Information item, i.e., identify the Information producer, the Information custodian and the Information consumer. Stakeholders should be at the appropriate organisational level.

B-6.3 Understand the major [...]

Understand the major goals for the People, Skills and Competencies, the related metrics and agree on expected values. Assess whether the People, Skills and Competencies goals (outcomes) are achieved, i.e., assess the effectiveness of the People, Skills and Competencies.

B-8. For the People, Skills and Competencies at hand, the following goals and associated criteria can be addressed.

Goal: Experience
Criteria: [...]
Assessment Step: Apply appropriate auditing techni[...]

Understand and document weaknesses and their impact on the achievement of process goals. Understand and document weaknesses and their impact on enterprise goals.

"#iance • • •



• •

C+6 C/3"1

Comm#nicate the wor1 performe an finings0 Communicate the 'or& perormed"

C/3"3

Communicate preliminar! indins to the assurance enaement sta&eholders deined in A/1"

• • •

• • • •

C/3":

Illustrate the impact o enabler ailures or 'ea&nesses 'ith numbers and scenarios o errors, ineiciencies and misuse" Clari! vulnerabilities, threats and missed opportunities that are li&el! to occur i enablers do not perorm eectivel!" Illustrate 'hat the 'ea&nesses 'ould aect (e"", business oals and ob6ectives, enterprise architecture elements, capabilities, resources)" 2elate the impact o not achievin the enabler oals to actual cases in the same industr! and leverae industr! benchmar&s" Document the impact o actual enabler 'ea&nesses in terms o bottom/line impact, interit! o inancial reportin, hours lost in sta time, loss o sales, abilit! to manae and react to the mar&et, customer and shareholder rese benchmar&in and surve! results to compare the enterprises perormance 'ith others" >se e*tensive raphics to illustrate the issues" Inorm the person responsible or the assurance activit! about the preliminar! indins and veri! hisLher correct understandin o those indins"

Deli ver a report (alined 'ith the terms o reerence, scope and areed/ on reportin standards) that supports the results o the initiative and enables a clear ocus on &e! issues and important actions"

