IT Audit Process ONC TEFCA Paper

*** Plagiarism is not acceptable ***


Overview of Project – For this assignment, you will tackle the comprehensive task of auditing the IT and IS for an organization operating in a domain of your choice. You will apply the IT auditing process to a selected case study.

The case study I have chosen is ONC Releases Second Draft of TEFCA Paper – Appendix 3: QHIN Technical Framework (page 70 onward only, not the entire document).

(For this week we need to complete Week1 Project only)
Weeks 1–5 Project Overview
For this assignment, you will tackle the comprehensive task of auditing the IT and
IS for an organization operating in a domain of your choice. You will apply the IT
auditing process to a selected case study for your organization. You will first
define the scope of your organization, describe its IT capability, and explain how
it supports the organization’s critical mission. You will then conduct an evaluation
of how the IT capability aligns with the organization’s goals. Your evaluation will
examine IT/IS practices and operations in your organization. Your evaluation will
include an assessment of internal controls within the IT environment to assure
validity, reliability, and security of information, as well as an assessment of the
efficiency and effectiveness of the IT capability. Finally, you will describe your
findings and discuss recommendations in terms of specific controls improvements
to key IT processes for your selected case study. Your main objective is to
formulate a solution in the form of decisions that will aim at assuring the integrity
of your organization’s information assets.
You will be completing this assignment in five weeks. In each week, you will work
on a component of the report. By the end of Week 5, you will integrate these
separate components into a final report.
The final project deliverable will be a report reviewing the organization’s
enterprise goals, IT-related goals, architecture, and summarizing the findings
based on your evaluation, and your final analysis and recommendations (in the
form of decisions). The report will include:
• A description of the organization’s main business and mission, including the enterprise goals
• The IT/IS capability for your organization, including IT/IS infrastructure, systems, and applications, as well as the organization’s IT-related goals
• An evaluation of IT/IS practices and operations in your organization, including an assessment of internal IT controls in terms of achieving IT assurance for your organization
• A description of the findings and an analysis of the risks and remedial measures, arriving at specific, qualifiable decisions (that can be verified when implemented)
• A summary of how your IT auditing will achieve greater IT assurance and will ensure a stronger alignment of the IT-related goals with the enterprise goals
Include a copy of all the references used in APA format.
The following is the modular breakdown of the project:
Week 1:
• Conduct a preliminary review of your case study’s organization. This review should include business mission, organizational structures, culture, IS, products and services, infrastructure and applications, people skills, and competencies.
• Explain the need for an IT audit of your organization. Support your analysis in IT governance terms. Identify the stakeholders for your case study.
• Identify enterprise goals and IT-related goals for your case study and then create a mapping of the two sets, indicating primary relationships and secondary relationships.
• Start developing an IT audit plan that addresses the following components: define scope, state objectives, structure approach, provide for measurement of achievement (identify the areas you intend to measure; specific metrics will be addressed later), address how you will assure comprehensiveness, and address how you will provide approach flexibility.
Week 2:
• Discuss how you will apply a single auditing framework like COBIT 5 to structure your IT audit.
• Describe the IT audit procedures that you will rely on in your IT audit.
• Start defining a balanced scorecard that lists IT-related goals and tracks some performance metrics against the goals.
• Review and revise your IT audit plan as needed by improving components in your plan based on additional insight you have developed.
Week 3:
• Identify your case study’s IT processes in key areas of the IS lifecycle and describe them according to the major domains.
• Conduct a preliminary evaluation of internal IT processes, focusing primarily on project management and software development.
• Refine your balanced scorecard as needed, possibly expanding the IT-related goals and the performance metrics.
• Create a process RACI chart that maps management practices to their related roles and indicate levels of responsibility for each role.
Week 4:
• Conduct an evaluation of internal controls for service management.
• Conduct an evaluation of internal controls for systems management.
• Conduct an evaluation of internal controls for operations management.
• Refine your balanced scorecard as needed, possibly expanding the IT-related goals and the performance metrics.
Week 5:
Using the three-phase model of IT assurance initiative provided in the online lectures, build and execute an IT assurance initiative as follows:
• Identify potential IT-related issues based on documented assumptions and your evaluation of your case study in Weeks 1–4.
• Scope the IT assurance initiative based on the subset of the organizational system that should be targeted.
• State relevant enablers and suitable assessment criteria to perform the assessment.
• Integrate the totality of your work from Weeks 1–4 and report the results of your assessment including your findings and recommendations.
MIS6230 IT Audit, Control, and Compliance
Ricardo Silva, Ph.D., C.C.E.
Auditing Approaches
ISO 19011:2002
• Process Flow for the Management of an Audit Programme
ISO 19011:2002
• Typical Audit Activities
The Assurance Process based on COBIT 5
Assurance Engagement Scoping Summary
• Define the assurance objective in simple language
• Identify the enterprise goals that are most related to the high-level assurance objective
• Refine the list of potential enterprise goals to a manageable set of key goals and additional goals
• Use the mapping table between enterprise goals and IT goals to identify potential IT goals that need to be achieved
• Refine – taking into account the specific environment – the set of potential IT goals to a manageable set of key IT goals and additional IT goals
• Use the mapping table between IT goals and COBIT 5 processes to identify potential processes that support the IT goals
Assurance Engagement Scoping Summary (continued)
• Refine the list of selected processes to a manageable list
• Use the RACI charts of the selected processes to identify potential organizational structures in scope, and refine the list
• Use the RACI charts of the selected processes to identify potential people, skills and competencies in scope, and refine the list
• Use the input/output tables of the selected processes to identify potential information items in scope, and refine the list
• Identify which other enablers support the achievement of the selected IT goals
• Consolidate the list of enablers in scope and remove redundancies
Use the “COBIT5_and_Assurance_Toolkit.pdf”
• Read:
• Assurance Engagement Approach
• Determine the Scope of the Assurance Initiative
• Appendix A: Example Scope
• Appendix J: Audit Program Template
Audit Planning (ITAF 1201 / 2201)
A plan containing the nature, timing and extent of audit procedures to be performed by engagement team members in order to obtain sufficient appropriate audit evidence to form an opinion.
A high-level description of the audit work to be performed in a certain period of time, covering the areas to be audited, type of work planned, high-level objectives and scope of the work, and topics such as budget, resource allocation, schedule dates, type of report and its intended audience, and other general aspects of the work.
ITAF – Performance Standard 1201
1201.1 IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
• Objective(s), scope, timeline and deliverables
• Compliance with applicable laws and professional auditing standards
• Use of a risk-based approach, where appropriate
• Engagement-specific issues
• Documentation and reporting requirements
1201.2 IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
• Engagement nature, objectives, timeline and resource requirements
• Timing and extent of audit procedures to complete the engagement
Audit Example Using COBIT 5
(Please use the COBIT5_and_Assurance_Toolkit document as you are going over the following exercise and replicate the findings)
SDLC Life Cycle Control – Activities and Documentation
Operations
Incident Management
Problem Management
Change Management
Access Management
BAI06 Manage Changes – COBIT 5 Enabling Processes
BAI06 Manage Changes: Process Goals and Metrics
RACI Charts
• (R)esponsible: Who is getting the task done? Fulfilling the activity listed / creating the intended outcome
• (A)ccountable: Who accounts for the success of the task? Where the buck stops
• (C)onsulted: Who is providing input? Key roles that provide input
• (I)nformed: Who is receiving information? Informed of achievements and/or deliverables of the task
BAI06 Manage Changes: RACI
From the RACI chart -> Roles and Responsibilities
BAI06.01 Evaluate, Prioritize and Authorize Change Requests
BAI06.02 Manage Emergency Changes
BAI06.03 Track and report change status
BAI06.04 Close and document the changes
Assignment – Activity 1: Understanding the Audit Goals and Establishing the Environment
Develop the following using the templates provided, along with the required reading and methodology presented in class:
Identify the Assurance Objective(s) and create a context within the goals of the controls. Note that the level of abstraction/detail of the assurance objectives depends on the actual topic of the assurance engagement (please refer to COBIT5_and_Assurance_Toolkit.docx and the Goal Cascading effect). By the end of this step you will have identified the Stakeholder Needs, Enterprise Goals, IT Goals, and Processes involved. Select an Assurance Objective that falls within one of the following categories (Recommendation: selecting the very low level of abstraction/detail will allow you to start building the Audit Plan with a single COBIT control.):
• If the level of abstraction/detail is high
• Identify first the “Stakeholder Need(s)” that are involved,
• identify the Enterprise Goals,
• identify the IT Goals, and finally
• the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
• If the level of abstraction/detail is medium
• Identify the Enterprise Goal(s) that are involved,
• identify the IT Goals, and finally
• the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
• If the level of abstraction/detail is low
• Identify the IT Goal(s) that are involved, and
• use reverse logic to identify the Enterprise Goals by using the tables in the COBIT 5 – Cascading Effect, and finally
• the Processes involved by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
• If the level of abstraction/detail is very low
• Identify the Process(es) that are involved,
• use reverse logic to identify the IT Goals, and finally
• use reverse logic to identify the Enterprise Goals by using the tables in the COBIT 5 – Cascading Effect of the COBIT5_and_Assurance_Toolkit.docx document
For the Process(es) you identified in the previous step, provide the:
• Process Description, Process Purpose Statement, Key Management Practices (KMP) and their description, as well as their associated activities (this will be used to assess whether
the management practices are effectively implemented)
• Process Goals and Related Metrics
• Identify the RACI chart for the Key Management Practices involved (the interested parties)
• Identify the Inputs/Outputs for each of the Key Management Practices that are part of your selected process(es)
• Identify the respective IT and Enterprise Goals and Metrics
Deliverable:
Create a report between 1000 and 5000 words in a Microsoft Word document and save it as SU_MIS6230_A1_LastName_FirstInitial.doc.
Cite any sources you use using correct APA format on a separate page.
Introduction to ITAF
1007 Assertions (statements)
• 1007.1 IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.
1008 Criteria
• 1008.1 IS audit and assurance professionals shall select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report.
• 1008.2 IS audit and assurance professionals shall consider the source of the criteria and focus on those issued by relevant authoritative bodies before accepting lesser-known criteria.
Engagement Planning
• 1201 Engagement Planning
• 1201.1 IS audit and assurance professionals shall plan each IS audit and assurance engagement to address:
• Objective(s), scope, timeline and deliverables
• Compliance with applicable laws and professional auditing standards
• Use of a risk-based approach, where appropriate
• Engagement-specific issues
• Documentation and reporting requirements
• 1201.2 IS audit and assurance professionals shall develop and document an IS audit or assurance engagement project plan, describing the:
• Engagement nature, objectives, timeline and resource requirements
• Timing and extent of audit procedures to complete the engagement
Risk Assessment
• 1202 Risk Assessment in Planning
• 1202.1 The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.
• 1202.2 IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements.
• 1202.3 IS audit and assurance professionals shall consider subject matter risk, audit risk and related exposure to the enterprise.
Performance and Supervision
• 1203 Performance and Supervision
• 1203.1 IS audit and assurance professionals shall conduct the work in accordance with the approved IS audit plan to cover identified risk and within the agreed-on schedule.
• 1203.2 IS audit and assurance professionals shall provide supervision to IS audit staff whom they have supervisory responsibility for so as to accomplish audit objectives and meet applicable professional audit standards.
• 1203.3 IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.
• 1203.4 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence.
• 1203.5 IS audit and assurance professionals shall document the audit process, describing the audit work and the audit evidence that supports findings and conclusions.
• 1203.6 IS audit and assurance professionals shall identify and conclude on findings.
Materiality
• 1204 Materiality
• 1204.1 IS audit and assurance professionals shall consider potential weaknesses or absences of controls while planning an engagement, and whether such weaknesses or absences of controls could result in a significant deficiency or a material weakness.
• 1204.2 IS audit and assurance professionals shall consider audit materiality and its relationship to audit risk while determining the nature, timing and extent of audit procedures.
• 1204.3 IS audit and assurance professionals shall consider the cumulative effect of minor control deficiencies or weaknesses and whether the absence of controls translates into a significant deficiency or a material weakness.
• 1204.4 IS audit and assurance professionals shall disclose the following in the report:
• Absence of controls or ineffective controls
• Significance of the control deficiency
• Likelihood of these weaknesses resulting in a significant deficiency or material weakness
Evidence
• 1205 Evidence
• 1205.1 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to draw reasonable conclusions on which to base the engagement results.
• 1205.2 IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained to support conclusions and achieve engagement objectives.
Using the Work of Other Experts
• 1206 Using the Work of Other Experts
• 1206.1 IS audit and assurance professionals shall consider using the work of other experts for the engagement, where appropriate.
• 1206.2 IS audit and assurance professionals shall assess and approve the adequacy of the other experts’ professional qualifications, competencies, relevant experience, resources, independence and quality-control processes prior to the engagement.
• 1206.3 IS audit and assurance professionals shall assess, review and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work.
• 1206.4 IS audit and assurance professionals shall determine whether the work of other experts, who are not part of the engagement team, is adequate and complete to conclude on the current engagement objectives, and clearly document the conclusion.
• 1206.5 IS audit and assurance professionals shall determine whether the work of other experts will be relied upon and incorporated directly or referred to separately in the report.
• 1206.6 IS audit and assurance professionals shall apply additional test procedures to gain sufficient and appropriate evidence in circumstances where the work of other experts does not provide sufficient and appropriate evidence.
• 1206.7 IS audit and assurance professionals shall provide an appropriate audit opinion or conclusion, and include any scope limitation where required evidence is not obtained through additional test procedures.
Irregularity and Illegal Acts
• 1207 Irregularity and Illegal Acts
• 1207.1 IS audit and assurance professionals shall consider the risk of irregularities and illegal acts during the engagement.
• 1207.2 IS audit and assurance professionals shall maintain an attitude of professional scepticism during the engagement.
• 1207.3 IS audit and assurance professionals shall document and communicate any material irregularities or illegal act to the appropriate party in a timely manner.
Reporting
• 1401 Reporting
• 1401.1 IS audit and assurance professionals shall provide a report to communicate the results upon completion of the engagement including:
• Identification of the enterprise, the intended recipients and any restrictions on content and circulation
• The scope, engagement objectives, period of coverage and the nature, timing and extent of the work performed
• The findings, conclusions, and recommendations
• Any qualifications or limitations in scope that the IS audit and assurance professional has with respect to the engagement
• Signature, date and distribution according to the terms of the audit charter or engagement letter
• 1401.2 IS audit and assurance professionals shall ensure findings in the audit report are supported by sufficient and appropriate audit evidence.
• 1402 Follow-up Activities
• 1402.1 IS audit and assurance professionals shall monitor relevant information to conclude whether management has planned/taken appropriate, timely action to address reported audit findings and recommendations.
The Audit Process
• The audit process requires the IS auditor to gather evidence, evaluate the strengths and weaknesses of internal controls based on the evidence gathered through audit tests, and prepare an audit report that presents weaknesses and recommendations for remediation in an objective manner to stakeholders.
• ISACA, Fundamentals of IS Audit and Assurance: Participant Guide, USA, 2014, p. 29
Typical Audit Process Steps by Phase
• ITAF 1201 Planning Phase (2.1 and 2.4 run across the following)
• Audit Subject: 1007/2007, 1008/2008, 2201-2.5
• Audit Objectives: 2201-2.2
• Audit Scope: 2201-2.3
• Preaudit Planning: 2201-2.4, 1202/2202
• Determine Procedures: 2201-2.5, 1204/2204
• Fieldwork: 1203/2203, 1205/2205
• Reporting: 1401/2401, 1402/2402
Planning Phase Activities by Step
2201 Engagement Planning
1. Determine audit subject. Identify the area to be audited (e.g., business function, system, physical location).
2. Define audit objective. Identify the purpose of the audit. For example, an objective might be to determine whether program source code changes occur in a well-defined and controlled environment.
3. Set audit scope. Identify the specific systems, function or unit of the organization to be included in the review. For example, in the previous example (program changes), the scope statement might limit the review to a single application, system or a limited period of time.
This step is very important because the IS auditor will need to understand the IT environment and its components to identify the resources that will be required to conduct a comprehensive evaluation. A clear scope will help the IS auditor define a set of testing points that is relevant to the audit and further determine the technical skills and resources necessary to evaluate different technologies and their components.
4. Perform preaudit planning.
• Conduct a risk assessment, which is critical in setting the final scope of a risk-based audit. For other types of audits (e.g., compliance), conducting a risk assessment is a good practice because the results can help the IS audit team to justify the engagement and further refine the scope and preplanning focus.
• Interview the auditee to inquire about activities or areas of concern that should be included in the scope of the engagement.
• Identify regulatory compliance requirements.
• Once the subject, objective and scope are defined, the audit team can identify the resources that will be needed to perform the audit work. Some of the resources that need to be defined are:
– Technical skills and resources needed
– Budget and effort needed to complete the engagement
– Locations or facilities to be audited
– Roles and responsibilities among the audit team
– Time frame for the various stages of the audit
– Sources of information for test or review, such as functional flowcharts, policies, standards, procedures and prior audit work papers
– Points of contact for administrative and logistics arrangements
– A communication plan that describes to whom to communicate, when, how often and for what purposes
5. Determine audit procedures and steps for data gathering.
At this stage of the planning phase, the audit team should have enough information to identify and select the audit approach or strategy and start developing the audit program. Some of the specific activities in this step are:
• Identify and obtain departmental policies, standards and guidelines for review.
• Identify any regulatory compliance requirements.
• Identify a list of individuals to interview.
• Identify methods (including tools) to perform the evaluation.
• Develop audit tools and methodology to test and verify controls.
• Develop test scripts.
• Identify criteria for evaluating the test.
• Define a methodology to evaluate that the test and its results are accurate (and repeatable if necessary).
Steps to develop an Audit and Assurance Program
1. Define audit subject
Examples:
• ERP system
• Data Center
• BYOD Security
Sources of information:
• Annual audit plan
• Risk assessment
• Organizational change plans
• Legal / regulatory changes
• Mergers and Acquisitions
2. Define audit objective
Examples:
• ERP Inventory management
• DC environmental controls
• iOS devices
Sources of information:
• Annual audit plan
• Audit management
• Executive management
• Previous audit reports
• Internal policies, standards and procedures
• Risk assessments
• Legislation or regulations applicable to enterprise
3. Set audit scope
Examples:
• Assuring compliance with SOX
• SAP MM – Inventory Management
• Data Center Temperature and Humidity Controls
Sources of information:
• Legislation or regulations applicable to enterprise
• Previous audit results
• SLA and compliance issues
• Problem and Incident tickets
Steps to develop an Audit and Assurance Program (continued)
4. Perform pre-audit planning
Examples:
• Location of IT functions supporting SAP MM, location of supply operations personnel
• Philadelphia Distribution Center: 2017 Broad Street, Philadelphia PA
• Mobile Management organization
Sources of information:
• Organization charts
• Previous audit reports
• Process maps and flow diagrams
• Vendor contracts
• Network maps
Steps to develop an Audit and Assurance Program
Step 5: Determine audit procedures and steps for data gathering
Activity: Identify and obtain departmental policies, standards and guidelines for review
Examples:
• Information security policies
• Segregation of duties (SoD) policies
• Purchasing policies
• Authorization matrix
• Industry standards or guidelines
• Compliance requirements
Activity: Identify a list of individuals to interview
Examples:
• Accounts payable clerks
• Subject matter experts (SME)
• Supervisors and Managers
Activity: Identify methods (including tools) to perform the evaluation
Examples:
• Compliance Testing
• Substantive Testing
• Tools: Questionnaires, Checklists, Spreadsheets, Computer Assisted Auditing Tools (CAATs)
Steps to develop an Audit and Assurance Program
Step 5: Determine audit procedures and steps for data gathering (continued)
Activity: Develop tools and methodology to test and verify controls.
Example: See the previous step, “Identify methods (including tools)…”
Activity: Identify criteria for evaluating the tests (similar to a test script for the auditor to use in conducting the evaluation).
Examples:
• Organization Structure Review
• Policies, standards and procedures review
• Documentation review (user manuals, training material, …)
• Interviews with key personnel
• Observation of procedures as they are performed
• Reperformance
• Walk-Throughs
• Data analysis
Activity: Define a methodology to evaluate that the testing and its results are accurate (and repeatable if necessary).
Example: Refer to standard 1205 – Evidence
Objectives of developing Audit and Assurance Programs
The main objectives (value) of developing audit and assurance programs are:
• Formally document audit procedures and sequential steps.
• Create procedures that are repeatable and easy to use by internal or external auditors who need to perform similar audits.
• Document the type of testing that will be used (compliance and/or substantive).
• Meet generally accepted audit standards that relate to the planning phase in the audit process.
Determine Scope and Assurance Initiative
Go to pages 18 to 20 of COBIT5_and_Assurance_Toolkit.pdf, Appendix A
Activity 2: Determine Audit Scope and Goal Criteria and Metrics
Develop the following using the templates provided, along with the required reading and methodology presented in class:
Using the Audit Program Template provided in Appendix J of the COBIT5_and_Assurance_Toolkit.docx document as well as the results from Activity 1:
• Determine the Scope of the Assurance Initiative (fill out Phase A of the Audit Program Template).
• Identify the Enterprise and IT-related goals (fill out Phase B.1 of the Audit Program Template).
Running head: IT audit plan_ IT Assurance Findings and Recommendations
Recommendations:
1. Bildk should obtain the required copyright certificates from the federal government in the USA, to get the exclusive rights for this new technology inside the USA.
2. Bildk should establish a physical branch inside the USA, to manage legal responsibilities and protect its rights.
3. Bildk should commission an external audit at the beginning and have its internal audit team join this audit to gain experience and knowledge.
4. Bildk should test its product with real students at South University to determine the minimum and maximum number of students who can use the product without technical problems.
5. Transparency is the cornerstone of starting new work, and this culture should be shared among teams in Bildk, from top management to the last employee in the enterprise.
6. Bildk should establish the required SLAs with telecommunication providers to secure a high quality of service.
7. Bildk should establish the required copyright agreements with all expected customers to protect investment rights.
8. Bildk should establish the required teams for maintenance, training, help desk and technical support.
9. Bildk should establish required manuals for using
10. Bildk should start online classes to introduce this technology on social media such as LinkedIn, Facebook, and Twitter.
“Conduct a preliminary review of our case study’s organization. This review should
include business mission, organizational structures, culture, IS, products and
services, infrastructure and applications, people, skills, and competencies.”
➢ Organization Name: Bildk.
➢ Business mission:
Bildk is a company founded in Delaware and domiciled in Texas, US, that aims to become the reference provider for the healthcare industry. It is managed and advised by a multidisciplinary team of professionals with extensive experience in computer science, biomedicine, medicine, and business development.
Nowadays, more than 4 billion medical imaging studies per year are carried out and managed by the main actors of the healthcare system (beneficiaries, providers and payers) worldwide.
➢ Organizational structures:
The Information Technology organization is led by a Chief Technology Officer who reports to the Chief Financial Officer and Executive VP. The office of the CIO is responsible for establishing corporate-wide policies for the use of information services throughout the enterprise.
➢ Products and services:
Bildk is developing an innovative, entirely cloud-based platform that allows its stakeholders to manage and share medical imaging studies in a highly efficient fashion, overcoming the limitations that afflict this process.

“Explain the need for an IT audit of your organization. Support your analysis in IT
governance terms. Identify the stakeholders for your case study.”
The need for an IT audit:
The need for the review is to provide an independent assessment of the enterprise's compliance with legal and regulatory requirements (Senft, Gallegos, & Davis, 2013).

Identify the stakeholders for our case study:
The stakeholders are the Chief Technology Officer, the Chief Financial Officer, and the Executive VP (Senft, Gallegos, & Davis, 2013).

“Identify enterprise goals and IT-related goals for your case study and then create a
mapping of the two sets, indicating primary relationships and secondary
relationships.”

The main issue (stakeholder needs):
1. Does IT support the enterprise in complying with regulations and service levels?
2. How do I know whether I am compliant with all applicable regulations?
➢ Identify COBIT 5 Enterprise Goals:
Per the COBIT 5 Goals Cascade Overview illustrated in Figure 3 (ISACA, 2018, p. 3), we need to use the COBIT 5 Enterprise Goals illustrated in Figure 4 (ISACA, 2018, p. 4). There we can recognize these risk optimization enterprise goals as appropriate for our problem:
“4. Compliance with external laws and regulations”
“15. Compliance with internal policies”
➢ Suggested COBIT 5 enterprise and IT-related goals to address the main issue:
Using the COBIT 5 Enterprise Goals from Figure 4, we can identify the IT-related Goals from Figure 17, Mapping COBIT 5 Enterprise Goals to IT-related Goals (ISACA, 2018, p. 9):
– (Enterprise Goals)
“04. Compliance with external laws and regulations”
“15. Compliance with internal policies”
– (IT Related Goals) – primary relationships
“02. IT compliance and support for business compliance with external laws and
regulations”
“10. Security of information, processing infrastructure, and applications”
“15. IT compliance with internal policies”
– (IT Related Goals) – secondary relationships
“04. Managed IT-related business risk”
“07. Delivery of IT services in line with business requirements”
“14. Availability of reliable and useful information for decision making”
➢ Important COBIT 5 processes and sub-processes which are used:
“Evaluate, Direct and Monitor (EDM)”
“Align, Plan, and Organize (APO)”
“Build, Acquire and Implement (BAI)”
“Deliver, Service and Support (DSS)”
“Monitor, Evaluate and Assess (MEA)”
➢ Our recommended COBIT 5 processes and sub-processes which can solve the issue:
● Identify Processes:
Per the Mapping COBIT 5 IT-related Goals to Processes illustrated in Figure 18 (ISACA, 2018, pp. 14-15), we can recognize the following as our required processes:
“EDM03 Ensure Risk Optimization”
“APO01 Manage the IT Management Framework”
“APO12 Manage Risk”
“APO13 Manage Security”
“BAI10 Manage Configuration”
“DSS05 Manage Security Services”
“MEA02 Monitor, Evaluate and Assess the System of Internal Control”
“MEA03 Monitor, Evaluate and Assess Compliance with External Requirements”
Also, additional processes can be addressed, such as:
“BAI06 Manage Changes”
“MEA01 Monitor, Evaluate and Assess Performance and Conformance”
These processes will meet the requirements and complete the COBIT 5 process cycle.

“Start developing an IT audit plan that addresses the following components: Define scope, state objectives, structure approach, provide for measurement of achievement (identify the areas you intend to measure; specific metrics will be addressed later), address how you will assure comprehensiveness, and address how you will provide approach flexibility.”
1. Define audit subject: Compliance with legal and regulatory requirements. (ISACA, 2016, pp. 11-15)
2. Define audit objective: The objective of the review is to provide management with an independent assessment of compliance with legal and regulatory requirements. (ISACA, 2016, pp. 11-15)
3. Set audit scope: The review will focus on enterprise compliance with legal and regulatory requirements in the United States (ISACA, 2016, pp. 11-15). The review will rely on several sources:
• Legislation or regulations applicable to the audit subject
• Relationships with third parties
• Organization charts
• Risk assessments
• Previous audit reports
4. Perform preaudit planning (ISACA, 2016, pp. 11-15):
a) Identify locations or facilities to be audited: One branch office located in the United States.
b) Identify sources of information for test or review (including policies, standards and procedures). Possible sources include:
• Interviews with the auditees
• Organization charts
• Previous audit reports
• Security policy
• Security strategy or strategies
• Security procedures and standards
• New employee training materials relating to security
• Relevant legal and regulatory information related to security and information access
• Vendor contracts, SLAs
• Supplier due diligence selection criteria and process
• Business impact analysis (BIA), business continuity plans (BCPs), disaster recovery plans (DRPs) and all plans relating to continuity of operations
• HR onboarding/offboarding procedures and standards
• Information security access policies, procedures, and standards
• Information security computing policies, procedures, and standards
• Information security acceptable use policies, procedures, and standards
• Incident response policies, procedures, and standards
• Monitoring and audit policies, procedures and standards
• Risk assessments
5. Determine audit procedures and steps for data gathering (ISACA, 2016, pp. 11-15):
a) Define and record the audit approach that will be used for the specific audit or assurance engagement (determine the audit structure approach):
The approach for this audit/assurance engagement consists of the following steps:
1. Issue the audit charter (ITAF Standard 1001) (ISACA, 2014).
2. Understand the enterprise's internal and external environment.
3. Review documentation.
4. Understand the internal control environment:
– Regulatory statutes
– Control environment
– Control risk assessment
– Control procedures
– Equation of total risk
5. Test controls, document results and conclusions, and gather supporting evidence (ITAF Standard 1205) (ISACA, 2014).
6. Conduct a closing meeting to brief management on the preliminary findings of the engagement (ITAF Standard 1201) (ISACA, 2014).
7. Draft the report and recommendations.
8. Prepare the report and provide it to stakeholders for review and comment.
9. Issue the final report (ITAF Standard 1401) (ISACA, 2014).
b) Identify a list of individuals to interview. Possible approaches include:
• ITAF Standard 1201 (ISACA, 2014)
• Obtain and review the current organization chart.
• Identify the key legal administration staff, the security manager and the key stakeholders.
c) Identify methods (including tools) to perform the evaluation:
• COBIT 5 framework
d) Identify criteria for evaluating the test:
• ITAF Standard 1008 (ISACA, 2014)
• COBIT 5 framework
e) Define a methodology to evaluate that the testing and its results are accurate (and repeatable if necessary) (develop audit tools and methodology to test and evaluate internal controls):
• ITAF Standard 1205 (ISACA, 2014)
f) Define and record the audit approach/strategy. The approach consists of the following steps:
• Review documentation.
• Interview key individuals.
• Establish audit criteria.
• Conduct visits to the data center.
• Conduct a review of high-risk areas.
• Document findings.
• Prepare the report and provide it to stakeholders for review and comment.
• Issue the final report.
g) Identify sources of information to expand the understanding of the audit area/subject (identify and request documentation related to the audit subject):
• Previous audit reports
• SLAs
• Internal policies, standards, and procedures
• Training manuals
• Supplier websites
• International standards for specific technologies
h) Identify the business risks of failure to comply with external regulations (ITAF Standard 1202) (ISACA, 2014):
– Public relations issues with the customers or the public (reputational risk)
– Inability to comply with regulatory processing requirements (regulatory and financial risk)
– Inability to perform critical business functions (operational and financial risk)
– Inability to maintain payroll and employee privacy (regulatory and reputational risk)
– Inability to meet contractual SLAs with third parties or customers (contractual risk)
1. Scope and assurance initiative assignment
Assurance Topic:
The topic covered by this document is:
Enterprise compliance with legal and regulatory requirements. (Senft, Gallegos, & Davis, 2013).
Goals of the Assurance Engagement:
The objective of the review is to provide management with an independent assessment of compliance with legal and regulatory requirements. (ISACA, 2016, pp. 11-15)
Board/audit committee
The governance body that is charged with evaluating, directing and monitoring the organization’s
audit, risk management and control functions. The board (or the equivalent function that is
charged with the governance of the enterprise) often delegates responsibility for providing
assurance to the audit committee, whose members are usually drawn from the board (nonexecutives). Final accountability, however, stays with the board.
Scoping:
The review will focus on enterprise compliance with legal and regulatory requirements in the United States (ISACA, 2016, pp. 11-15). The scope of the assurance engagement is expressed in terms of the seven COBIT 5 enablers, as per the following table.
Phase – A
Phase A—Determine the Scope of the Assurance Initiative
(Columns: Ref. / Assurance Step / Guidance)

A
Assurance Step: Determine scope of the assurance initiative.

A-1
Assurance Step: Determine the stakeholders of the assurance initiative and their stake, i.e., the drivers for the assurance engagement.

A-1.1
Assurance Step: Identify the intended user(s) of the assurance report and their stake in the assurance engagement. This is the assurance objective.
Guidance: Intended user(s) of the assurance report – Board/audit committee: provide the board/audit committee with an independent assessment of compliance with legal and regulatory requirements. (ISACA, 2016, pp. 11-15)

A-1.2
Assurance Step: Identify the interested parties accountable and responsible for the subject matter over which assurance needs to be provided.
Guidance: Accountable and responsible parties for the subject matter – the stakeholders are:
• Chief Technology Officer,
• Chief Financial Officer, and
• Executive VP.

A-2.1
Assurance Step: Understand enterprise strategy and priorities.
Guidance: Business mission: Bildk is a company founded in Delaware and domiciled in Texas, US, that aims to become the reference provider for the healthcare industry. It is managed and advised by a multidisciplinary team of professionals with extensive experience in computer science, biomedicine, medicine, and business development. Nowadays, more than 4 billion medical imaging studies per year are carried out and managed by the main actors of the healthcare system (beneficiaries, providers and payers) worldwide.

A-2.2
Assurance Step: Understand the internal context of the enterprise. Understanding the internal context will help the assurance professional to better understand the enterprise goals and the relative importance of enterprise and IT-related goals, as well as the most important threats to these goals. In turn, this will assist in defining a better and more relevant scope for the assurance engagement.
Guidance: Organizational structures: The Information Technology organization is led by a Chief Technology Officer who reports to the Chief Financial Officer and Executive VP. The office of the CIO is responsible for establishing corporate-wide policies for the use of information services throughout the enterprise.

A-2.3
Assurance Step: Understand the external context of the enterprise. Understanding the external context will help the assurance professional to better understand the enterprise goals and the relative importance of enterprise and IT-related goals, as well as the most important threats to these goals. In turn, this will assist in defining a better and more relevant scope for the assurance engagement.
Guidance: Products and services: Bildk is developing an innovative, entirely cloud-based platform that allows its stakeholders to manage and share medical imaging studies in a highly efficient fashion, overcoming the limitations that afflict this process.
Information System Infrastructure: At the heart of our operations, helping us manage the entire Order-to-Cash cycle, is our ERP system. This system is accessed through our internal networks and managed centrally from headquarters.

A-2.4
Assurance Step: Given the overall assurance objective, translate the identified strategic priorities into concrete objectives for the assurance engagement.
Guidance: Given the overall assurance objective (the objective of the review is to provide management with an independent assessment of compliance with legal and regulatory requirements (ISACA, 2016, pp. 11-15)), the following goals are retained as key and additional goals to be supported, in reflection of enterprise strategy and priorities.
Key goals (primary) – (IT-related Goals) primary relationships:
• “02. IT compliance and support for business compliance with external laws and regulations”
• “10. Security of information, processing infrastructure, and applications”
• “15. IT compliance with internal policies”
Additional goals (secondary) – (IT-related Goals) secondary relationships:
• “04. Managed IT-related business risk”
• “07. Delivery of IT services in line with business requirements”
• “14. Availability of reliable and useful information for decision making”
Considering the specific scope of the audit engagement—compliance with legal and regulatory requirements—we will focus on only the (compliance) risk component of the three value objective components and consider delivering benefits and optimizing resources out of the scope of this example assurance initiative.

A-2.5
Assurance Step: Define the organizational boundaries of the assurance initiative.
Guidance: IT Organization and Governance: The Information Technology organization is led by a Chief Technology Officer who reports to the Chief Financial Officer and Executive VP. The office of the CIO is responsible for establishing corporate-wide policies for the use of information services throughout the enterprise.
IT services are organized and managed by a group of directors reporting to the CIO:
• IT Services – The IT Services organization includes the Project Management Office (PMO), IT Quality Management, and Organizational Change Management (OCM).
• IT Operations
• ERP Systems Development
• IT Business Intelligence
2. Enterprise and IT goals as well as the metrics and criteria
Phase – B.1
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the
Assessment
Ref.
Assurance Steps and Guidance
B-1
• Agree on metrics and criteria for enterprise goals and IT-related goals.
• Assess enterprise goals and IT-related goals.
B-1.1
• Obtain (and agree on) metrics for enterprise goals and expected values of
the metrics and assess whether enterprise goals in scope are achieved.
• Leverage the list of suggested metrics for the enterprise goals to define,
discuss and agree on a set of relevant, customized metrics for the
enterprise goals, taking care that the suggested metrics are driven by the
performance of the topic of this assurance initiative.
• Next, agree on the expected values for these metrics, i.e., the values
against which the assessment will take place.
• The related metrics for each goal are reviewed and an assessment is made of whether the defined criteria are achieved or not.
• The following metrics and expected values are agreed on for the key
enterprise goals defined in step A-2.4.
• By using Figure 6—Enterprise Goal Sample Metrics as below:
(Columns: Enterprise Goal / Metric / Expected Outcome (Ex-Metric) / Assessment Step – chosen from Appendix I)

Enterprise Goal: “04. Compliance with external laws and regulations”
Metrics:
• Cost of regulatory non-compliance, including settlements and fines
• Number of regulatory non-compliance issues causing a public comment or negative publicity
• Number of regulatory non-compliance issues relating to contractual agreements with business partners
Expected Outcome (Ex-Metric): Cost of regulatory non-compliance, including settlements and fines < +20%
Assessment Step (Appendix I): APO12.04 Articulate risk.

Enterprise Goal: “15. Compliance with internal policies”
Metrics:
• Number of incidents related to non-compliance to policy
• Percent of stakeholders who understand policies
• Percent of policies supported by effective standards and working practices
Expected Outcome (Ex-Metric): Percent of policies supported by effective standards and working practices = 90%
Assessment Step (Appendix I): MEA02.06 Plan assurance initiatives.

B-1.2
• Obtain (and agree on) metrics for IT-related goals and expected values of the metrics and assess whether IT-related goals in scope are achieved.
• Leverage the list of suggested metrics for IT-related goals to define, discuss and agree on a set of relevant, customized metrics for IT-related goals, taking care that the suggested metrics are driven by the performance of the topic of this assurance initiative.
• Next, agree on the expected values for these metrics, i.e., the values against which the assessment will take place.
• The related metrics for each goal are reviewed and an assessment is made of whether the defined criteria are achieved or not.
• The following metrics and expected values are agreed on for the key IT-related goals defined in Step A-2.4.

(Columns: IT-related Goal / Metric / Expected Outcome (Ex-Metric) / Assessment Step – chosen from Appendix I)

IT-related Goal: “02. IT compliance and support for business compliance with external laws and regulations”
Metrics:
• Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• Number of non-compliance issues relating to contractual agreements with IT service providers
• Coverage of compliance assessments
Expected Outcome (Ex-Metric): Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss < +10%
Assessment Step (Appendix I): APO01.08 Maintain compliance with policies and procedures.

IT-related Goal: “10. Security of information, processing infrastructure, and applications”
Metrics:
• Number of security incidents causing financial loss, business disruption or public embarrassment
• Number of IT services with outstanding security requirements
• Time to grant, change and remove access privileges, compared to agreed-on service levels
• Frequency of security assessment against latest standards and guidelines
Expected Outcome (Ex-Metric): Frequency of security assessment against latest standards and guidelines > 90%
Assessment Step (Appendix I): MEA01.04 Analyze and report performance.

IT-related Goal: “15. IT compliance with internal policies”
Metrics:
• Number of incidents related to non-compliance to policy
• Percent of stakeholders who understand policies
• Percent of policies supported by effective standards and working practices
• Frequency of policy review and update
Expected Outcome (Ex-Metric): Percent of stakeholders who understand policies > 80%
Assessment Step (Appendix I): MEA01.02 Set performance and conformance targets.
3. Assessment plan for principles, policies, and frameworks
A-3.1
Assurance Step: Define the principles, policies, and frameworks in scope.
Guidance: Guiding principles and policies include:
• Security policies
• Risk policies
• External laws and regulations
• Internal enterprise policies
4. Assessment plan for the process in scope
A-3.2
Assurance Step: Define which processes are in the scope of the review.
Guidance: COBIT 5: Enabling Processes distinguishes a governance domain with a set of processes and a management domain with four sets of processes. The processes in scope are identified using the goals cascade and subsequent customization. The resulting lists contain key processes and additional processes to be considered during this assurance engagement. Available resources will determine whether they can all be effectively assessed.
Key Processes – Identify Processes: Per the Mapping COBIT 5 IT-related Goals to Processes illustrated in Figure 18 (ISACA, 2018, pp. 14-15), we can recognize the following as our required processes:
• “EDM03 Ensure Risk Optimization”
• “APO01 Manage the IT Management Framework”
• “APO12 Manage Risk”
• “APO13 Manage Security”
• “BAI10 Manage Configuration”
• “DSS05 Manage Security Services”
• “MEA02 Monitor, Evaluate and Assess the System of Internal Control”
• “MEA03 Monitor, Evaluate and Assess Compliance with External Requirements”
Additional Processes – Also, additional processes can be addressed, such as:
• “BAI06 Manage Changes”
• “MEA01 Monitor, Evaluate and Assess Performance and Conformance”
These processes will meet the requirements and complete the COBIT 5 process cycle.
5. Assessment plan for the organizational structure
A-3.3
Assurance Step: Define which organizational structures will be in scope.
Guidance: Based on the key processes identified in A-3.2, the following organizational structures and functions are considered to be in the scope of this assurance engagement, and available resources will determine which ones will be reviewed in detail.
Key Organizational Structures:
• IT Services – The IT Services organization includes the Project Management Office (PMO), IT Quality Management, and Organizational Change Management (OCM).
• IT Operations
• ERP Systems Development
• IT Business Intelligence
• Risk management department
• IT security department
• Architecture board
• IT development department
• IT operations department
Create a RACI chart:
Table 3.0 – RACI chart: Process – 1.0 – Recognize Capabilities (ISACA, 2018, pp. 60-67).
[RACI chart: R/A/C/I assignments for the practices EDM03.02, APO01.08, APO12.04, APO13.01, BAI10.01, DSS05.06, MEA01.02, MEA01.04, MEA02.06, MEA03.02 and MEA03.03 against the roles Board, Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, Business Executives, Business Process Owners, Strategy Executive Committee, Steering (Programmes/Projects) Committee, Project Management Office, Value Management Office, Chief Risk Officer, Chief Information Security Officer, Architecture Board, Enterprise Risk Committee, Head Human Resources, Compliance, Audit, Chief Information Officer, Head Architect, Head Development, Head IT Operations, Head IT Administration, Service Manager, Information Security Manager, Business Continuity Manager and Privacy Officer.]
6. Assessment plan for the culture, ethics, and behavior in scope
A-3.4
Assurance Step: Define the culture, ethics and behavior aspects in scope.
Guidance: In the context of this engagement, the following enterprise-wide behaviors are in scope:
• Security risk awareness exists.
• Organizational culture emphasizes that compliance with external laws and regulations is important.
• Management recognizes the need for compliance with external laws and regulations and commits enough resources to it.

(B-6.3) Identify which Quality Dimensions are appropriate to assess the Information Items. Using Appendix D, Figure 72 as an example, determine the Metric(s) to assess the Quality Dimensions.
(Columns: Generic IT-related Goals / Related Metrics / Quality Dimension / Key Criteria / Description – Key Information Items to Support Achievement of the IT-related Goal / Assessment Step, Sub-Process – Governance Practice / Management Practice: Appendix I – Process to Key Management Practice to Activities)

Generic IT-related Goal: “02. IT compliance and support for business compliance with external laws and regulations” (ITG02)
Related Metric: Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss < +10%
Quality Dimensions: Accuracy, Objectivity, Believability, Reputation, Relevancy, Completeness, Currency, Amount of information, Concise representation, Consistent representation, Interpretability, Understandability, Manipulation, Availability, Restricted access
Key Criteria: XX
Description / Key Information Items: IT-related compliance requirements register; Compliance assurance reports
Assessment Step / Sub-Process (Appendix I): APO01.08 – Observation and Testing. Put in place procedures to maintain compliance with and performance measurement of policies and other enablers of the control framework and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework. Recommended type of assurance/assessment: External Audit; Internal Audit / Compliance Review.

Generic IT-related Goal: “10. Security of information, processing infrastructure, and applications” (ITG10)
Related Metric: Percentage of accordance with current standards and guidelines during latest information security assessment > 90%
Quality Dimensions: Accuracy, Objectivity, Believability, Reputation, Relevancy, Completeness, Currency, Amount of information, Concise representation, Consistent representation, Interpretability, Understandability, Manipulation, Availability, Restricted access
Key Criteria: XX
Description / Key Information Items: Summary metrics for information security
Assessment Step / Sub-Process (Appendix I): MEA01.04 – Observation and Testing. Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system. Recommended type of assurance/assessment: Internal Audit / Compliance Review.

Generic IT-related Goal: “15. IT compliance with internal policies” (ITG15)
Related Metric: Level of stakeholder understanding of internal policies > 80%
Quality Dimensions: Accuracy, Objectivity, Believability, Reputation, Relevancy, Completeness, Currency, Amount of information, Concise representation, Consistent representation, Interpretability, Understandability, Manipulation, Availability, Restricted access
Key Criteria: XX
Description / Key Information Items: Internal policies and frameworks
Assessment Step / Sub-Process (Appendix I): MEA01.02 – Observation and Testing. Work with stakeholders to define, periodically review, update and approve performance and conformance targets within the performance measurement system. Recommended type of assurance/assessment: Internal Audit / Compliance Review.
7. Assessment plan for the information items in scope
A-3.5
Assurance Step: Define the information items in scope.
Guidance: COBIT 5: Enabling Processes defines a number of inputs and outputs between processes. The related inputs and outputs from the processes identified in A-3.2 are considered in this section. Key priorities and availability of resources will determine how many and which ones will be reviewed in detail. The following items were considered for this case, using the key goals of A-2.4 and Figure 72, Information Items Supporting IT-related Goals (Comprehensive):
Key Information Items:
• IT-related compliance requirements register
• Compliance assurance reports
• Risk appetite
• Risk profile, including risk assessment results
• Risk management policies
• Clarified and agreed-on business expectations
• Quality review results including customer feedback, exceptions and corrections
• Internal policies and frameworks
• Results of (third-party) quality/risk assessments
• Root causes of quality delivery failures and recommendations
• Risk analysis and risk profile reports for stakeholders

(B-6.4) Using the Information Life Cycle definition in Appendix D, determine which life cycle stage is most important and, by consequence, will be assessed against the criteria determined in B-6.3.
Generic IT-related Goal, Quality Dimension “02. IT compliance and support for business compliance with external laws and regulations” (ITG02)
Key criteria by lifecycle stage (XX = assessed, N.A = not applicable):
Plan: N.A | Design: N.A | Build/acquire: XX | Use/operate: N.A | Evaluate/monitor: XX | Update/dispose: –
Description / Sub-process – Activities (Appendix I – Process to Key Management Practice to Activities):
1. Track compliance with policies and procedures.
2. Analyze noncompliance and take appropriate action (this could include changing requirements).
3. Integrate performance and compliance with individual staff members’ performance objectives.
4. Regularly assess the performance of the framework’s enablers and take appropriate action.
5. Analyze trends in performance and compliance and take appropriate action.
Assessment step:
• APO01.08 – Observation and Testing
• Recommended type of assurance/assessment: External Audit; Internal Audit / Compliance Review

Generic IT-related Goal, Quality Dimension “10. Security of information, processing infrastructure, and applications” (ITG10)
Key criteria by lifecycle stage (XX = assessed, N.A = not applicable):
Plan: N.A | Design: XX | Build/acquire: N.A | Use/operate: XX | Evaluate/monitor: XX | Update/dispose: N.A
Description / Sub-process – Activities (Appendix I – Process to Key Management Practice to Activities):
1. Design process performance reports that are concise, easy to understand, and tailored to various management needs and audiences. Facilitate effective, timely decision making (e.g., scorecards, traffic light reports) and ensure that the cause and effect between goals and metrics are communicated in an understandable manner.
2. Compare the performance values to internal targets and benchmarks and, where possible, to external benchmarks (industry and key competitors).
3. Recommend changes to the goals and metrics, where appropriate.
4. Distribute reports to the relevant stakeholders.
5. Analyze the cause of deviations against targets, initiate remedial actions, assign responsibilities for remediation, and follow up. At appropriate times, review all deviations and search for root causes, where necessary. Document the issues for further guidance if the problem recurs. Document results.
6. Where feasible, link achievement of performance targets to the organizational reward compensation system.
Assessment step:
• MEA01.04 – Observation and Testing
• Recommended type of assurance/assessment: Internal Audit / Compliance Review

Generic IT-related Goal, Quality Dimension “15. IT compliance with internal policies” (ITG15)
Key criteria by lifecycle stage (XX = assessed, N.A = not applicable):
Plan: XX | Design: N.A | Build/acquire: N.A | Use/operate: XX | Evaluate/monitor: XX | Update/dispose: N.A
Description / Sub-process – Activities (Appendix I – Process to Key Management Practice to Activities):
1. Define and periodically review with stakeholders the goals and metrics to identify any significant missing items and define reasonableness of targets and tolerances.
2. Communicate proposed changes to performance and conformance targets and tolerances (relating to metrics) with key due diligence stakeholders (e.g., legal, audit, HR, ethics, compliance, finance).
3. Publish changed targets and tolerances to users of this information.
4. Evaluate whether the goals and metrics are adequate, i.e., specific, measurable, achievable, relevant and time-bound (SMART).
Assessment step:
• MEA01.02 – Observation and Testing
• Recommended type of assurance/assessment: Internal Audit / Compliance Review

(B-6.5) Using the Information Attributes definition in Appendix D, determine which Information Attributes are deemed most important and, by consequence, will be assessed against the criteria determined in B-6.3.

Generic IT-related Goal “02. IT compliance and support for business compliance with external laws and regulations” (ITG02)
Key criteria by attribute (XX = assessed, N.A = not applicable):
Physical: XX | Empirical: XX | Syntactic: XX | Semantic: XX | Pragmatic: XX | Social: XX
Description:
• Physical: Internet – Email
• Empirical: Written communication
• Syntactic: English language
• Semantic: Information Type – Registration / legal and financial; Information Currency – Current date; Information Level – Sales per year
• Pragmatic: Retention Period – 1 year; Information Status – Operational; Information Novelty / Contingency – Compliance to legal requirements in USA
• Social: Social media – LinkedIn, Facebook, Twitter, and Instagram
Assessment step:
• Observation and Testing
• Recommended type of assurance/assessment: External Audit; Internal Audit / Compliance Review

Generic IT-related Goal “10. Security of information, processing infrastructure, and applications” (ITG10)
Key criteria by attribute (XX = assessed, N.A = not applicable):
Physical: XX | Empirical: XX | Syntactic: XX | Semantic: XX | Pragmatic: XX | Social: XX
Description:
• Physical: Internet – Email
• Empirical: Written communication
• Syntactic: English language
• Semantic: Information Type – Registration / legal and financial; Information Currency – Current date; Information Level – Sales per year
• Pragmatic: Retention Period – 1 year; Information Status – Operational; Information Novelty / Contingency – Compliance to legal requirements in USA
• Social: Social media – LinkedIn, Facebook, Twitter, and Instagram
Assessment step:
• Observation and Testing
• Recommended type of assurance/assessment: Internal Audit / Compliance Review

Generic IT-related Goal “15. IT compliance with internal policies” (ITG15)
Key criteria by attribute (XX = assessed, N.A = not applicable):
Physical: XX | Empirical: XX | Syntactic: XX | Semantic: XX | Pragmatic: XX | Social: N.A
Description:
• Physical: Internet – Email
• Empirical: Written communication
• Syntactic: English language
• Semantic: Information Type – Registration / legal and financial; Information Currency – Current date; Information Level – Sales per year
• Pragmatic: Retention Period – 1 year; Information Status – Operational; Information Novelty / Contingency – Compliance to legal requirements in USA
• Social: N.A
Assessment step:
• Observation and Testing
• Recommended type of assurance/assessment: Internal Audit / Compliance Review


8. Assessment plan for the services, infrastructure, and applications in scope
The outline of a Service Capability:
– Service Capability Name + Description
– Supporting Technology + Benefits
– Quality Goals + Metrics

Legal & Regulatory Compliance Audit Services
Service Capability: Compliance Audit is an appraisal of an organization’s operations to determine its compliance with the laws and regulations that apply to it.
Description: A systematic, independent and documented verification process of objectively obtaining and evaluating audit evidence to determine whether specific criteria are met in relation to applicable legal compliance. It is imperative for organizations to develop a robust Legal Compliance System which will achieve excellence in Corporate Governance and inculcate a healthy compliance culture within the organization. The changing scenario of the legal system raises the bar on governance and thrusts greater responsibility and obligation on the Company all around the globe. A dedicated team coordinates and monitors all global subsidiary Corporate Governance activities.
Supporting Technology:
1. Training courses
2. News feeds
3. Knowledge bases
4. Training tools
5. Social media
6. Email
7. Collaboration tools
8. Vendor and industry advisories
9. Expert advisories
Benefits: Increased focus on governance, accountability and transparency. The legal audit also lays the groundwork for the establishment of an ongoing legal compliance and prevention program to ensure that the company’s goals, structure, and ongoing operations are consistent with the latest developments in business and corporate law. Even small non-compliances can lead to reputation risk for the organization:
• Non-compliances could lead to penalties
• Complexity in the various applicable laws of the land
• Failure to obtain all proper permits and licenses could lead to fines, penalties, and, in some cases, even closure of a unit by the governmental agencies
• Risk exposure for Directors and Executives of the business
Quality Goals:
• Risk mitigation: advise on mitigation of risk and liabilities and formulate customized guidelines.
• Simplify focus: lead the way to simplify compliance for all businesses, enabling them to focus on their core activities and helping bring a positive change in the corporate culture.
• Indicator: a strong compliance program is an indication of the overall health of a company, and makes it much more attractive to customers, investors, and partners.
Metrics:
• Cost of IT non-compliance, including settlements and fines, and the impact of reputational loss
• Number of IT-related non-compliance issues reported to the board or causing public comment or embarrassment
• Number of non-compliance issues relating to contractual agreements with IT service providers
• Coverage of compliance assessments
Good practice for service capabilities includes:
1. Definition of Architecture principles:
Overall guidelines that govern the implementation and use of IT-related resources within the
enterprise.
Re-use:
Common components of the architecture should be used when designing and implementing
solutions as part of the target or transition architectures (ISACA, 2018).
➢ Category of covered documents and fields:
• Corporate
• Tax (Direct & Indirect)
• Industry Specific
• Commercial
• Import & Export
• Environment, Health & safety
• Municipal law
• Labor Law
Buy vs. build:
Solutions should be purchased unless there is an approved rationale for developing them
internally. It is recommended that we start with an external audit and include our internal legal
department in the audit process to gain the required experience for future audits.
➢ Recommended type of assurance/assessment:
-External Audit, and
-Internal Audit / Compliance Review
Simplicity:
The enterprise architecture should be designed and maintained to be as simple as possible while
still meeting enterprise requirements (ISACA, 2018).
The simplicity in the methodology of the audit would be:
a) Extensive preparation by studying the client’s business
b) A physical visit to the locations
c) Understanding the activity/operation/process after meeting with the concerned people and key
management personnel, to finalize applicable laws and compliances
d) Submission of a list of documents for review
e) Examination and review of all statutory records maintained by the Company
f) Preparation and submission of the audit report
g) Discussion of findings with management
h) Recommendations
Agility:
The enterprise architecture should incorporate agility to meet changing business needs in an
effective and efficient manner (ISACA, 2018). The different types of compliance should be scheduled
in the enterprise lifecycle as below:
➢ Types of Compliance:
a) Preliminary Compliances [to be done immediately after setting up]
b) Ongoing Compliance [to be done on a routine basis]
c) Periodic Compliance [to be done after a certain time]
d) Conditional Compliance [to be done on the occurrence of certain event]
Openness:
Enterprise architecture should leverage open industry standards (ISACA, 2018):
The openness vision in the audit is to increase the public’s confidence in the organization’s
processes.
Recommendation for proposing high-level priorities for the openness strategy:
a) Work in partnership to improve standards of openness, transparency, and participation
among enterprise authorities.
b) Provide excellent customer service to the consumers and public authorities and lead by
example in fulfilling our statutory functions.
c) Promote the reform of access to information legislation so it remains fit for purpose.
d) Develop and sustain collaboration with public authorities.
2. Architecture Repository:
Have an architecture repository that can be used to store different types of architectural
outputs, including architecture principles and standards, architecture reference models, and other
architecture deliverables, and that defines the building blocks of services such as (ISACA,
2018):
a) Applications, providing business functionality.
b) Technology infrastructures, including hardware, system software, and networking
infrastructure.
c) Physical infrastructures.
3. Service Level Agreement (SLA):
Service level agreements for Legal & Regulatory Compliance Audit Services need to be
defined and achieved by the service providers (ISACA, 2018).
9. Assessment plan for the people, skills, and competencies in scope
A-3.7 Define the people, skills, and competencies in scope.
In the context of this engagement, considering key processes and key roles:
The following skill sets are included in scope:
• Legal awareness skills
• Security skills
• Architectural skills
• Risk management skills
The following people are included in scope:
• IT Services – The IT Services organization includes the Project Management Office (PMO), IT Quality Management, and Organizational Change Management (OCM).
• IT Operations
• ERP Systems Development
• IT Business Intelligence
• Risk management department
• IT security department
• Architecture board
• IT development department
Create a Balanced Scorecard:
Using the results of the previous procedure we can identify the processes; using “Appendix H—Achievement of Goals – Process Goals and Metrics” (ISACA, 2018, pp. 145-160) we can find the Objectives/Process Goals and Measurement/Metrics; and using “Appendix I” we can identify the Action Plan/Sub-process:

Scorecard columns: Process | Objectives/Process Goals | Measurement/Metrics | Target | Action Plan/Sub-process

Financial
Process: EDM03 Ensure Risk Optimization
Objectives/Process Goals: IT-related enterprise risk does not exceed risk appetite, and the impact of IT risk to enterprise value is identified and managed.
Measurement/Metrics – Target:
• Level of unexpected enterprise impact – LOW
• Percent of IT risk that exceeds enterprise risk tolerance – < +20%
Action Plan/Sub-process: EDM03.02 – Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.

Process: APO01 Manage the IT Management Framework
Objectives/Process Goals: Everyone is aware of the policies and how they should be implemented.
Measurement/Metrics – Target:
• Number of staff who attended training or awareness sessions – > 85%
• Percent of third-party suppliers who have contracts defining control requirements – > 80%
Action Plan/Sub-process: APO01.08 – Put in place procedures to maintain compliance with and performance measurement of policies and other enablers of the control framework, and enforce the consequences of noncompliance or inadequate performance. Track trends and performance and consider these in the future design and improvement of the control framework.

Process: MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
Objectives/Process Goals: External compliance requirements are adequately addressed.
Measurement/Metrics – Target:
• Number of critical non-compliance issues identified per year – LOW
• Percent of process owners signing off, confirming compliance – > +90%
Action Plan/Sub-process: MEA03.03 – Confirm compliance of policies, principles, standards, procedures, and methodologies with legal, regulatory and contractual requirements.

Customer
Process: APO13 Manage Security
Objectives/Process Goals: A security plan has been approved by the stakeholders.
Measurement/Metrics – Target:
• Level of stakeholder satisfaction with the security plan throughout the enterprise – > 80%
• Number of security solutions approved by stakeholders – +90%
Action Plan/Sub-process: APO13.01 – Establish and maintain an ISMS that provides a standard, formal and continuous approach to performance and conformance targets within the performance measurement system.

Process: MEA02 Monitor, Evaluate and Assess the System of Internal Control
Objectives/Process Goals: Processes, resources and information meet enterprise internal control system requirements.
Measurement/Metrics – Target:
• Percent of processes with assured output meeting targets within tolerances – > +85%
• Percent of processes assured as compliant with internal control targets – > +90%
Action Plan/Sub-process: MEA02.06 – Plan assurance initiatives based on enterprise objectives and strategic priorities, inherent risk, resource constraints, and enough knowledge of the enterprise.

Internal
Process: DSS05 Manage Security Services
Objectives/Process Goals: Electronic information is properly secured when stored, transmitted or destroyed.
Measurement/Metrics – Target:
• Number of incidents relating to unauthorized access to information – < 1%
Action Plan/Sub-process: DSS05.06 – Establish appropriate physical safeguards, accounting practices, and inventory management over sensitive IT assets, such as special forms, negotiable instruments, special-purpose printers or security tokens.

Process: MEA03 Monitor, Evaluate and Assess Compliance with External Requirements
Objectives/Process Goals: All external compliance requirements are identified.
Measurement/Metrics – Target:
• Average time lag between identification of external compliance issues and resolution – LOW (< 24 hours)
• Frequency of compliance reviews – HIGH (daily)
Action Plan/Sub-process: MEA03.02 – Confirm compliance of policies, principles, standards, procedures, and methodologies with legal, regulatory and contractual requirements.

Learning and Growth
Process: APO12 Manage Risk
Objectives/Process Goals: The IT-related risk is identified, analyzed, managed and reported.
Measurement/Metrics – Target:
• Degree of visibility and recognition in the current environment – > 90%
• Number of loss events with key characteristics captured in repositories – < 10%
• Percent of audits, events, and trends captured in repositories – > 90%
Action Plan/Sub-process: APO12.04 – Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for the appropriate response.

Process: BAI10 Manage Configuration
Objectives/Process Goals: The configuration repository is accurate, complete and up to date.
Measurement/Metrics – Target:
• Number of deviations between the configuration repository and live configuration – < 4%
• Number of discrepancies relating to incomplete or missing configuration information – < 2%
Action Plan/Sub-process: BAI10.01 – Establish and maintain a logical model of the services, assets and infrastructure and how to record configuration items (CIs) and the relationships amongst them. Include the CIs considered necessary to manage services effectively and to provide a single reliable description of the assets in service.

Process: MEA01 Monitor, Evaluate and Assess Performance and Conformance
Objectives/Process Goals: Process reporting on performance and conformance is useful and timely.
Measurement/Metrics – Target:
• Percent of performance reports delivered as scheduled – > +95%
Action Plan/Sub-process: MEA01.04 – Periodically review and report performance against targets, using a method that provides a succinct, all-around view of IT performance and fits within the enterprise monitoring system.
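The BAI10 row of the scorecard sets two configuration-management targets: deviations between the configuration repository and live configuration below 4%, and incomplete or missing configuration information below 2%. The Python script below is an added example, not part of the audit paper and not COBIT's own tooling; it shows how an auditor could compute those two metrics from a constructed configuration repository and a constructed live inventory (the host names and attributes are hypothetical) and score them against the target expressions exactly as the scorecard writes them.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample data (hypothetical hosts, not taken from the audit paper):
# what the configuration repository (CMDB) records, and what discovery found live.
REPOSITORY: Dict[str, Dict[str, str]] = {
    "web-01": {"os": "ubuntu-22.04", "tls_min": "1.2", "owner": "it-ops"},
    "web-02": {"os": "ubuntu-22.04", "tls_min": "1.2", "owner": "it-ops"},
    "db-01":  {"os": "rhel-9",       "tls_min": "1.2", "owner": "dba"},
    "app-01": {"os": "rhel-9",       "tls_min": "1.2"},                  # owner missing
    "app-02": {"os": "rhel-9",       "tls_min": "1.2", "owner": "app-team"},
}
LIVE: Dict[str, Dict[str, str]] = {
    "web-01": {"os": "ubuntu-22.04", "tls_min": "1.2", "owner": "it-ops"},
    "web-02": {"os": "ubuntu-22.04", "tls_min": "1.0", "owner": "it-ops"},   # TLS floor weakened
    "db-01":  {"os": "rhel-9",       "tls_min": "1.2", "owner": "dba"},
    "app-01": {"os": "rhel-9",       "tls_min": "1.2", "owner": "app-team"},
    "app-02": {"os": "rhel-9",       "tls_min": "1.2", "owner": "app-team"},
    "app-03": {"os": "rhel-9",       "tls_min": "1.2", "owner": "app-team"}, # not in repository
}
REQUIRED_FIELDS = ("os", "tls_min", "owner")   # attributes every CI record must carry

# Accepts the scorecard's own notation: "< 4%", "> +85%", "< +20%"
TARGET_RE = re.compile(r"^\s*([<>])\s*\+?(\d+(?:\.\d+)?)\s*%\s*$")


def parse_target(target: str) -> Tuple[str, float]:
    """Parse a percentage target into (operator, threshold)."""
    m = TARGET_RE.match(target)
    if not m:
        raise ValueError(f"unsupported target expression: {target!r}")
    return m.group(1), float(m.group(2))


def meets_target(value_pct: float, target: str) -> bool:
    """True when the measured percentage satisfies the target expression."""
    op, threshold = parse_target(target)
    return value_pct < threshold if op == "<" else value_pct > threshold


def config_deviations(repo: Dict[str, Dict[str, str]],
                      live: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each CI that differs between repository and live state to its deviations."""
    findings: Dict[str, List[str]] = {}
    for ci in sorted(set(repo) | set(live)):
        if ci not in repo:
            findings[ci] = ["live asset not recorded in repository"]
            continue
        if ci not in live:
            findings[ci] = ["recorded in repository but not found live"]
            continue
        diffs = [f"{k}: repository={repo[ci].get(k)!r} live={live[ci].get(k)!r}"
                 for k in sorted(set(repo[ci]) | set(live[ci]))
                 if repo[ci].get(k) != live[ci].get(k)]
        if diffs:
            findings[ci] = diffs
    return findings


def incomplete_cis(repo: Dict[str, Dict[str, str]],
                   required: Tuple[str, ...] = REQUIRED_FIELDS) -> List[str]:
    """CIs whose repository record lacks one or more required attributes."""
    return [ci for ci, attrs in sorted(repo.items())
            if any(field not in attrs for field in required)]


def evaluate_bai10(repo: Dict[str, Dict[str, str]],
                   live: Dict[str, Dict[str, str]]) -> List[dict]:
    """Score the two BAI10 scorecard metrics against their targets."""
    total_cis = len(set(repo) | set(live))
    deviation_pct = 100.0 * len(config_deviations(repo, live)) / total_cis
    incomplete_pct = 100.0 * len(incomplete_cis(repo)) / len(repo)
    rows = [
        ("BAI10", "Deviations between configuration repository and live configuration",
         deviation_pct, "< 4%"),
        ("BAI10", "Discrepancies relating to incomplete or missing configuration information",
         incomplete_pct, "< 2%"),
    ]
    return [{"process": p, "metric": m, "value_pct": round(v, 1), "target": t,
             "status": "PASS" if meets_target(v, t) else "FAIL"}
            for p, m, v, t in rows]


if __name__ == "__main__":
    for ci, diffs in config_deviations(REPOSITORY, LIVE).items():
        print(f"{ci}: " + "; ".join(diffs))
    for row in evaluate_bai10(REPOSITORY, LIVE):
        print(f"{row['process']} {row['value_pct']:5.1f}% vs {row['target']:6} "
              f"{row['status']}  {row['metric']}")
```

Run as a script it lists each drifted CI (the weakened TLS floor on web-02, the owner recorded only live for app-01, and the undocumented app-03) and then the PASS/FAIL row for both metrics; with the constructed data both metrics fail, which is the kind of evidence that would be carried into the findings. The parser handles only the percentage targets written as "< 4%" or "> +95%"; the qualitative targets in the scorecard (LOW, HIGH = daily) need a separate rule.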
References
Information Systems Audit and Control Association (ISACA). (2018). COBIT 5 and Assurance Toolkit. Retrieved from https://myclasses.southuniversity.edu/d2l/le/dropbox/37025/138870/DownloadAttachment?fid=939505
Information Systems Audit and Control Association (ISACA). (2016). Information Systems Auditing: Tools and Techniques—Creating Audit Programs. Retrieved from https://www.isaca.org/COBIT/Documents/IS-auditing-creating-auditprograms_whp_eng_0316.pdf
Information Systems Audit and Control Association (ISACA). (2014). ITAF™: A Professional Practices Framework for IS Audit/Assurance (3rd ed.). Retrieved from http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/ITAF-3rdEdition.aspx
Senft, S., Gallegos, F., & Davis, A. (2013). Information Technology Control and Audit (4th ed.) [VitalSource digital version]. Boca Raton, FL: Taylor & Francis Group, LLC.
Trusted Exchange Framework
and Common Agreement (TEFCA)
Draft 2
TABLE OF CONTENTS
Introduction to the Trusted Exchange Framework and Common Agreement (TEFCA)…………… 3
Appendix 1: The Trusted Exchange Framework (TEF) ………………………………………………….. 24
Appendix 2: Minimum Required Terms & Conditions (MRTCs) ………………………………………. 32
Appendix 3: Qualified Health Information Network (QHIN) Technical Framework ……………. 70
Introduction to the Trusted Exchange
Framework and Common Agreement (TEFCA)
April 19, 2019
TABLE OF CONTENTS
Executive Summary ………………………………………………………………………………………………… 4
Introduction ………………………………………………………………………………………………………….. 6
What are the Trusted Exchange Framework (TEF) and the Common Agreement? ……………….. 9
What can the Common Agreement be used for? …………………………………………………………. 14
The Common Agreement’s Relationship to HIPAA ………………………………………………………. 17
What Privacy and Security Requirements are Included in the Common Agreement?………….. 18
Major Updates to Draft 2 of the TEF and MRTCs …………………………………………………………. 21
What are the Next Steps? ………………………………………………………………………………………. 22
Executive Summary
For decades, many health care providers, health plans, and individuals have sought a health care system
that enables a patient’s Electronic Health Information (EHI)¹ to flow when and where it matters most.
Even though most hospitals and clinicians use electronic health records (EHRs), connectivity across
systems and networks remains fragmented and interoperable uses of EHI vary. Often these variations in
interoperability are not due to technical issues, but rather caused by deficits in trust between
organizations and by anti-competitive behavior that results in the holding of patient EHI. Congress
recognized these gaps in the 21st Century Cures Act (Cures Act)², and laid out a path to promote
nationwide interoperability.
The Office of the National Coordinator for Health Information Technology (ONC) leads implementation of
key provisions under Title IV of the Cures Act, which includes defining the requirement for health IT
developers of certified health IT to publish application programming interfaces (APIs) that can be used
“without special effort” to drive individual, clinician, and payer access to clinical data; and the
development of a comprehensive approach to address information blocking. Additionally, in section 4003
of the Cures Act, Congress directed ONC to “develop or support a trusted exchange framework, including
a common agreement among health information networks (HINs) nationally.”³ In developing a Trusted
Exchange Framework (TEF) and a Common Agreement that meets the industry’s needs, ONC has focused
on three high-level goals:
• Provide a single “on-ramp” to nationwide connectivity.
• Enable Electronic Health Information to securely follow the patient when and where it is needed.
• Support nationwide scalability.
The TEF and the Common Agreement will be distinct components that together aim to create technical
and legal requirements for sharing EHI at a nationwide scale across disparate HINs. The TEF describes a
common set of principles that facilitate trust between HINs. These principles serve as “rules of the road”
for nationwide electronic health information exchange. The Common Agreement will provide the
governance necessary to scale a functioning system of connected HINs that will grow over time to meet
the demands of individuals, clinicians, and payers. The architecture will follow a “network of networks”
structure, which allows for multiple points of entry and is inclusive of many different types of health care
entities. Stakeholders have the option of participating at multiple levels of the TEF and Common
Agreement exchange environment, as is appropriate for them.
ONC embarked on this work by holding stakeholder discussions, public listening sessions, and an initial
comment period. In January 2018, ONC released the first draft of the Trusted Exchange Framework (TEF
Draft 1) for public comment. The TEF Draft 1 outlined the minimum set of principles, terms, and conditions
to support the development of a Common Agreement that would enable data exchange across disparate
health information networks.
¹ Capitalized terms are included in the MRTCs Draft 2, Section 1 (Appendix 2).
² Pub. L. 114–255 (Dec 13, 2016).
³ Id.
Introduction to the Trusted Exchange Framework (TEF) and the Common Agreement
ONC reviewed all of the public comments on the TEF Draft 1⁴, and has now released an updated draft
package for public comment. In particular, we look forward to receiving comments on the three
complementary documents: the TEF Draft 2, the Minimum Required Terms and Conditions Draft 2 (MRTCs
Draft 2), and the Qualified Health Information Network (QHIN) Technical Framework Draft 1 (QTF Draft
1).⁵ The TEF sets forth the aspirational principles for trusted exchange that apply to a broad audience of
HINs. The MRTCs constitute the required terms and conditions that would be binding for those who elect
to sign the Common Agreement. The QTF would be incorporated by reference in the Common Agreement
and details the technical components for exchange among QHINs. As they serve different purposes, ONC
separated these parts into three appendices so that commenters could comment on each part in context.
Your comments will help inform the final versions of the TEF and the Common Agreement.
ONC is concurrently issuing a Notice of Funding Opportunity (NOFO)⁶ to select a Recognized Coordinating
Entity (RCE) to develop, update, implement, and maintain the Common Agreement and the QTF.
The MRTCs Draft 2 requires support for a minimum set of Exchange Purposes for sending and receiving
EHI. The proposed exchange modalities for exchanging EHI include QHIN Targeted Query, QHIN Broadcast
Query, and QHIN Message Delivery, which will facilitate core use cases for interoperability, including
Individuals’ electronic access to and use of their EHI.
Under the MRTCs Draft 2, the Common Agreement will require strong privacy and security protections for
all entities who elect to participate, including entities not covered by the Health Insurance Portability and
Accountability Act (HIPAA). Establishing baseline privacy and security requirements is important for
building and maintaining confidence and trust that EHI shared pursuant to the Common Agreement will
be appropriately protected.
The Cures Act’s focus on trusted exchange is an important step forward to advance an interoperable
health system that empowers individuals to use their EHI to the fullest extent, enables providers and
communities to deliver smarter, safer, and more efficient care, and promotes innovation and competition
at all levels.
Capitalized terms in this document are defined in Section 1 of the MRTCs Draft 2 (Appendix 2).
⁴ Public comments on TEF Draft 1 are available at: https://beta.healthit.gov/sites/default/files/page/201802/Copy%20of%20tefca%20draft_public_comments%20final.xlsx
⁵ The MRTCs were previously referred to as “Part B” in TEF Draft 1.
⁶ The Notice of Funding Opportunity (NOFO) for the Recognized Coordinating Entity (RCE) Cooperative Agreement is available at: https://www.healthit.gov/topic/onc-funding-opportunities/trusted-exchange-framework-andcommon-agreement-recognized
Introduction
The U.S. health care system must evolve to ensure individuals have access to safe, effective, and efficient
care. Such a transformation requires the interoperable exchange of EHI across the care continuum. The
Cures Act’s⁷ focus on trusted exchange is an important next step toward advancing the establishment of
an interoperable health system that:
• Empowers individuals to use their Electronic Health Information to the fullest extent;
• Enables providers and communities to deliver smarter, safer, and more efficient care; and
• Promotes innovation and competition at all levels.
For EHI to move when and where it is needed most, networks that facilitate connectivity need to agree to
the right mix of technical standards, policies, and legal terms and conditions. The TEF and the Common
Agreement will provide the means to build on the industry’s commitment to increase trust across
networks, while promoting the privacy, security, and appropriate use of EHI.
In January 2018, ONC released the TEF Draft 1 for a public comment period. The TEF Draft 1 included two
parts: “Part A — Principles for Trusted Exchange”, and “Part B — Minimum Required Terms and Conditions
for Trusted Exchange.” ONC received more than 200 public comments from stakeholders across the
industry, including individuals, health care systems, payers, purchasers, care providers (e.g., long-term
and post-acute care, behavioral health, community-based and safety net providers, and emergency
medical services), health IT developers, federal stakeholders, and other stakeholders that enable
widespread health information exchange to occur. ONC reviewed those comments and engaged with
federal partners in the development of Draft 2, including the HHS Office for Civil Rights, the Department
of Veterans Affairs, the Department of Defense, the Social Security Administration, the National Institute
of Standards and Technology, and the Centers for Medicare & Medicaid Services. Additionally, ONC’s
federal advisory committee, the Health Information Technology Advisory Committee (HITAC), created a
Task Force to review TEF Draft 1 and provide recommendations.⁸
The modified draft ONC released for public comment on April 19, 2019 is broken into three parts that are
included as Appendices to this document. These parts are:
1) The TEF Draft 2 (Appendix 1): formerly “Part A — Principles for Trusted Exchange”;
2) The Minimum Required Terms and Conditions (MRTCs) Draft 2 (Appendix 2): formerly “Part
B — Minimum Required Terms and Conditions for Trusted Exchange;” and
3) The QHIN Technical Framework Draft 1 (Appendix 3)
⁷ Pub. L. 114–255 (Dec 13, 2016).
⁸ The HITAC TEF Task Force recommendations are available at: https://www.healthit.gov/topic/federal-advisorycommittees/recommendations-national-coordinator-health-it.
An “On-Ramp” for Data Exchange
Currently, there are more than 100 regional health information exchanges⁹ and multiple national level
organizations that support health information exchange. While these organizations have made significant
progress in advancing interoperability, connectivity across HINs is still limited due to variations in the
participation and data use agreements that govern data exchange. This results in fragmentation and gaps
in interoperability. It also means that HINs, health care providers, health plans, and individuals participate
in multiple forms of data exchange, which can be extremely costly and burdensome, in order to access all
of an individual’s data. According to a recent survey of about 70 hospitals, a majority of respondents
indicated that they required three or more methods for exchanging data and about three in 10 hospitals
used five or more methods to be interoperable.¹⁰ Continuing with the status quo is not enough to ensure
all stakeholders have efficient methods for engaging in health information exchange.
The TEF and the Common Agreement seek to scale health information exchange nationwide and ensure
that HINs, health care providers, health plans, individuals, and many more stakeholders can access real-time, interoperable health information. A single network that comprehensively addresses all use cases for
all users is not feasible for a variety of reasons, including, technical limitations, security concerns,
variations in use cases, and resource limitations. However, establishing a Common Agreement that
enables existing and future networks to share EHI with each other without having to join multiple
networks is feasible and achievable.
The industry has done significant work to broaden the exchange of data, build trust frameworks, and
develop participation agreements that enable providers to exchange data across organizational
boundaries. A national exchange agreement must leverage what is working well to encourage and
facilitate growth. Such an agreement must also create a balance between being overly prescriptive and
unintentionally adding burden that impedes interoperability, while also minimizing the current variations
that prohibit data flow. To that end, once finalized, the TEF and the Common Agreement will build on
existing trust frameworks, infrastructure, and capabilities. These efforts will enable participating HINs to
work together to provide an on-ramp to EHI regardless of what health IT developer an organization uses,
health information exch…
