l’audit it integre · management, de réengineering des processus, et ce, dans des plannings...

XXII Convegno Nazionale di Information Systems Auditing5-6 giugno 2008

Monique Garsoux, ViceVice PresidentPresident IT AuditIT Audit IsacaIsaca BelgiumBelgium ChaperChaper

Dexia Bank Belgium AuditDexia Bank Belgium Audit ProcessProcess MethodologyMethodologyQualifiedQualified AuditAudit PartnersPartners –– [email protected]@QAP.EU

L’AUDIT IT INTEGRE

2

Que se passe t-il dans les“Processus du Business” ?

La Technologie !

BankStatement

Qu’est-ce qui est manuel, visible, non IT ?

3

Effets de la technologie ?

• Rend les procédures d’audit traditionnelles peuefficaces, de valeur ajoutée moindre et donnent unmessage de gouvernance incomplet par rapportaux réels enjeux des managers

• Les transactions se déroulent de manière directe,automatique, invisible avec un aperçu limité suite àune intervention manuelle réduite ou inexistante

• Les nouveaux produits et services ainsi que lacompétition augmentent l’informatisation ou biensont des produits informatiques

4

Logical security

DB2

Client Accounts

Manage Problems& Incidents

Networks

CardsDonnezmoi unevue des

risques etcontrôles

ComplianceOperational risk, Basle II

GOUVERNANCE ?

Rapports d’audit …

5

Effet des approches traditionnelles surl’audit des processus fortementinformatisés

• Plans d’audit peu coordonnés

• Audit séparés de sujets proches

• Audit parallèles; 2 ou + d’audits

• Audits concurrents avec des initiatives du riskmanagement, de réengineering des processus, etce, dans des plannings proches ou non

• Résultats de la réponse de l’organisation de l’audito Spécialisation et Audit en silos

o Ségrégation des équipes en IT, financier, opérationnel

o Le(s) mur(s) dans les divisons d’audit

6

Le besoin d’une vue managérialeindépendante et intégrée du système decontrôle interne et des risques

• Le besoin potentiel du business= que l’audit donne une vue globale plutôt quefractionnée

• Ceci impliqueo Sur le terrain :

IT, organisation des approches

o Sur le message :Message orienté IT et gouvernance d’entreprise dansles rapports

o Sur les missions :

audit IT, audit interne, audit des processus, auditorientés risques (tous les risques), bon positionnementdes types d’audit.

7

L’univers d’audit et les types d’audit

L’univers d’audit contient :

Des Unités d’audit relatives aux processus du business(produits et services) et aux processus de support(comptabilité, gestion des bâtiments, du personnel, etc)

Des Unités d’audit IT (Processus d’audit IT)

Les principales caractéristiques de l’approche par processusintégrés pour les unités d’audit du business et de support sont :

Processus, risques, contrôles : pas d’approche “département”mais une approche “end to end” (stratégie, marketing,distribution, opérations, comptabilisation, …)

L’approche processus suit l’information

L’audit intégré qui tient compte dans une seule approche desaspects pertinent d’IT, de compliance, des aspectsréglementaires, financiers, opérationnels,…

Audit orienté risques : il repose sur une analyse préalable desprocessus du business et de leurs risques

Des tests intensifs (utilisation des outils CAATs, IT,…)

8

Basé sur les processus et les risques

Implications de l’orientation processus et risques :

Dans les processus opérationnels : examen de la situation globale

Depuis ‘événement d’origine

Jusqu’à la fin du produit ou service

Le guide étant le flux d’information

Concernant les flux applicatifs ou manuels

Cela implique que l’audit des systèmes applications est obligatoiresi le processus repose sur des systèmes IT clés ( remplissent desprocessus cruciaux, des contrôles clés, que des erreurs neseraient pas détectées, quel le produit est IT,…)

Le risque IT fait part de chaque audit

9

Le rôle émergent et renforcé de l’audit IT

• Le challenge pour l’audit IT (CobiT) est depromouvoir une valeur ajoutée intégrée avec l’auditdes processus du business dans les technologiesde l’information mais aussi à) l’extérieur d’IT

• CobiT est orienté business mais les risques réels etleurs impacts qui soient clairementcompréhensibles pour le management sont parfoisdifficiles à appréhender dans les rapports pour lemanagement

• Il y a donc un besoin de reconsidérer un meilleurpositionnement de la fonction d’audit IT qui soitvisible et donne une valeur ajoutée accrue dansl’audit global des fonctions du business

10

ValIT Evals Auditsde processus

IT

Auditsdes

Ressources IT

Risqueset ImpactsBusiness

Documentés

Auditsdu Management

de IT(gouvernance IT)

ManagementDu

risque

Les tendances émergentes dans l’audit IT

AuditsIntégrés

Flux du businessIncluant IT et manuels

AuditsInternes etFinanciers

1

11

Audits des processus IT

COBIT® Control Objectives for Information and related Technology

12

Liens entre les besoins du business et ITdans Cobit 4.1


13


IT

Auditsdes

Ressources IT


Documentés

Auditsdu Management


ManagementDu

risque

AuditsIntégrés



2

Les tendances émergentes dans l’audit IT

14

L’audit des ressources IT


15


L’audit des ressources IT

16

Les risques Business documentés

ITRessources

General Mainframe Unix WAN LAN Client/Server PersonalEnvironm

ent

ITProcesses

ManageProjects

Nosignificant

impact

Changemanagement

Nondistribution ofnew business

parameters

Operations Delayeddetectionof errors

Lost oftransactions

AccessSecurity

Too largeaccesses,no needto havebasis

Reducedintegrity of

transactions

17

L’objectif de Cobit

• CobiT is an IT governanceframework and supporting toolsetthat allows managers to bridge thegap between control requirements,technical issues and business risks.


18


IT

Auditsdes

Ressources IT


Documentés

Auditsdu Management


ManagementDu

risque

AuditsIntégrés



3

Les tendances émergentesdans l’audit IT

19

Les audits intégrés

Orientés risqueEt

Processus

Application

IT

Les audits intégrés pourUn message gouvernance

global

Audit d’application

20

Ou se situe l’approche intégrée ?

Batch

Traitement desOrdres clients

DB ordresclient

Comptabilité

Card processor

Agences

Calcul d’intérêt

Asynchrone

Synchrone

Dialog Appl

InventaireOrdrescptables

Reconciliation

Operations

SecurityOracleDB2

Accounting

Application

Problemmanagement

NetworkCics

MQM

Compliance

AuditAudit IntIntéégrgréé

21

Batch

Comptabilisationclient

Client OrdersDB

Comptabilité

Cardprocessor

Agences

Calcul d’intérêt

Asynchrone

Synchrone

Dialog Appl

InventaireCptes

Audit intégré

FlowchartedApplication

Impacts et risquesBusiness documentés

22

Framework contrôles de processus

Control Objective: PC. 1 Process Goals and Objectives

Define and communicate S-M-A-R-T-T process goals and objectives (specific, measurable, achievable,realistic, tangible and time framed/) for the effective execution of each IT process.

Ensure they are linked to the business goals and supported by suitable metrics.

Value• Key processes deliver value for the organisation Processes are in line with business requirements

• People focus on the right things• Efficiency and effectiveness of IT processes

Risk• Processes are not measurable

• Accountabilities cannot be enforced• Processes are inefficient and do not support business needs• People are not focused on the right things

Control Practices1 Define and communicate process goals and objectives for the effective execution of each IT process.

2 Link process goals and objectives to the business goals.3 Ensure that process goals are defined in a S-M-A-R-T-T (specific, measurable, achievable, realistic,tangible and time framed) manner. 4 Define process outputs and measurable quality targets to assessoutput quality. Use personal targets to motivate positive results.

Testing the Control Design1 Enquire and confirm that process goals and objectives have been defined. Verify that process

stakeholders understand these goals.2 Enquire and confirm that the IT process goals link back to business goals.3 Enquire and confirm through interviews with process stakeholders that the IT process goals are specific,

measurable, achievable, realistic, tangible and time framed.4 Enquire and confirm that outputs and associated quality targets are defined for each IT process.


23

Framework contrôles applicatifs

Control Objective AC. 1 Source Data Preparation and Authorisation

Source documents are prepared by authorised and qualified personnel following established procedures including adequatesegregation of duties regarding the origination and approval of these documents. Minimise errors and omissions throughgood input form design. Detect errors and irregularities so that they can be reported and corrected.

Value• Business data integrity

• Standardised and authorised transaction documentation• Improved application performance• Accuracy of transaction data

Risk• Compromised integrity of critical business data

• Unauthorised and/or erroneous transactions• Processing inefficiencies and rework

Control Practices1 Design source documents in a way that they increase accuracy with which data can be recorded, control the workflow and

facilitate subsequent reference checking. Where possible, completeness controls should be included in the design of thesource documents.2 Create and document procedures for preparing source data entry and ensure they are effectively and properlycommunicated to appropriate and qualified personnel. These procedures establish and communicate requiredauthorisation levels (input, editing, authorising, accepting, and rejecting source documents). The procedures also identifythe acceptable source media for each type of transaction.3 The function responsible for data entry maintains a list of authorised personnel, including their signatures.4 Ensure that all source documents include standard components and contain proper documentation (e.g. timeliness,predetermined input codes and default values) and are authorised by the management.5 Automatically assign a unique and sequential identifier to every transaction (e.g., index, date and time,…).6 Return documents that are not properly authorised or incomplete to submitting originators for correction and log the factthat they have been returned. Review logs periodically to verify that corrected documents are returned by originators in atimely fashion, and to enable pattern analysis and root cause review.

Testing the Control Design1 Ensure that the deign of the system provides for the identification and management of authorization levels2 Enquire and confirm that the design of the system provides for the use of pre-approved authorizations lists and related signatures

for use in determine that documents have be appropriately authorized include3 Assess whether source documents and/or input screens are designed with pre-determined coding, choices, etc to encourage

timely completion and minimize the potential for error.4 Enquire and confirm that the design of the system encourages review of the forms for completeness and authorization and

identifies situations where attempts to process incomplete and/or unauthorized documents occur5 Enquire and conform that, once identified, the system is designed to tract and report upon incomplete and/or unauthorized

documents that are rejected and retuned to the owner for correction.COBIT® Control Objectives for Information and related Technology

24

Programme de travail générique

Information Systems Audit and Control Association : www.isaca.orgGeneric Application Review

AUDIT PROGRAM&

INTERNAL CONTROL QUESTIONNAIRE

The Information Systems Audit and Control AssociationWith more than 23,000 members in over 100 countries, the Information Systems Audit and Control Association® (ISACA™) is a

recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors internationalconferences, administers the globally respected CISA® (Certified Information Systems Auditor™) designation earned bymore than 25,000 professionals worldwide, and develops globally applicable information systems (IS) auditing and controlstandards. An affiliated foundation undertakes the leading-edge research in support of the profession. The IT GovernanceInstitute, established by the association and foundation in 1998, is designed to be a "think tank" offering presentations atboth ISACA and non-ISACA conferences, publications and electronic resources for greater understanding of the roles andrelationship between IT and enterprise governance.

Purpose of These Audit Programs and Internal Control QuestionnairesOne of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and

industry information needs. Responding to member requests for useful audit programs, the Education Board has recentlyreleased audit programs and internal control questionnaires on various topics for member use through the member-onlyweb site and K-NET. These products are intended to provide a basis for audit work.

E-business audit programs and internal control questionnaires were developed from material recently released in ISACA’s e-Commerce Security Technical Reference Series. These technical reference guides were developed by Deloitte & Toucheand ISACA’s Research Board and are recommended for use with these audit programs and internal control questionnaires.

Audit programs and internal questionnaires on other subjects were developed by ISACA volunteers and reviewed and edited by theEducation Board. The Education Board cautions users not to consider these audit programs and internal controlquestionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build uponbased on an organization’s constraints, policies, practices and operational environment.

DisclaimerThe topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the

professional development of ISACA members and others in the IS Audit and Control community. Although wetrust that they will be useful for that purpose, ISACA cannot warrant that the use of this material would beadequate to discharge the legal or professional liability of members in the conduct of their practices.

September 2001


25

Audit d’application : un exempled’objectif de contrôle

Generic Application ReviewAudit Program and ICQApplication Generic Controls Procedure Step :

Data OriginObjective:To determine that controls over the preparation,

collection, and processing of source documents ensure theaccuracy, completeness, and timeliness of data before theyreach the application.

Details/Test:Review the source document(s) and determinethat the document design contributes to the accuracy andefficiency of the input. Identify any cost beneficialimprovements in source documents and related forms.Determine that source document(s) are retained for aneffective period of time.


26

Quand réaliser des audits d’application ?Viser les grands risques

• Des audits d’applicatifs détaillés pour :o Les systèmes transactionnels

o Les processus critiques

o Les grands risques (légaux, fraude,…)

o “pain et beurre”

o En examinant les contrôles applicatifs il estindispensable de comprendre comment ilscontribuent au processus du business etcomment les systèmes et ressources ITassistent les fonctions de l’entreprise

27

L’approche pratique

• En complément des audits IT classiques, nous avonsabordé la manière dont 3 couches d’audit IT peuventcontribuer aux audits intégrés.

• Les Audits IT occupent un rôle clé dans les auditsdes processus du Business s’ils sont orientésprocessus et risques.

• Les temps ont changé : l’approche intégrée remplacel’ancienne approche ou les auditeurs IT étaientappelés quand nécessaire et étaientsystématiquement séparés.

• Le besoin en compétence s’accroît : nous avonsbesoin d’auditeurs possédant une compétence en ITet dans le business.

28

QUESTIONS ?

l’audit it integre · management, de réengineering des processus, et ce, dans des plannings...

Documents