As the IT auditors arrives….

1. IT ADVISORY
As the IT auditors arrives ….
InfoSecurity 2010
4 November 2010
ADVISORY
4 November 2010

2. As the IT Auditor arrives …
Understand the Purpose of the IT Audit
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 1

3. Se As the IT Auditor arrives …
Be aware of your own Attitude
Effectiveness and Efficiency of AuditEffectiveness and Efficiency of Audit
depend on behaviour
Client
Soft Controls
Auditor
Soft Controls
Audit Sponsor is leading by example
Involving stakeholders
Soft Controls
Seeking for Facts
Clearly in providing Judgment
Transparence, providing adequate Information
Be involved with Audit
C ea y p o d g Judg e t
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 2

4. As the IT Auditor arrives …
Consider the Auditor’s perspective
First line of
Defense
Second line
of Defense
Third line of
Defense
• Self-
assessment
by
operational
• Management
Assessment
• Audit
operational
staff
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 3

5. As the IT Auditor arrives …
Be specific regarding your expected maturity of IT
Cobit maturity levels
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 4

6. As the IT Auditor arrives …
Understand each Phase of the Audit
• Scope of Objects to be assessed
Risk-based
• Scope of Objects to be assessed
• Requirements to be applied
Compliance-
based
• Fact finding
based
• Evaluation of noted Deficiencies
Risk-based
• Evaluation of noted Deficiencies
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 5

7. As the IT Auditor arrives …
Risk-based scoping – Financial Reporting
AAccounts and disclosures Focus of financial audit Accou s a d d sc osu es
Entities
Business processes
Manual controls
Key controls
IT-dependent Manual controls
Automated controls
Generic ICT infrastructure
Application-specific ICT
Key application controls
IT management
processes
Focus of IT audit B
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 6
Generic ICT infrastructure Focus of IT audit

8. As the IT Auditor arrives …
Risk-based scoping – Assess an IT service
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 7

9. As the IT Auditor arrives …
Compliance-based fact-finding
Be aware that the auditor evaluates also your own (Continuous) Monitoring
Event
event
Deduction of
Event
Deduction of
events
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 8

10. As the IT Auditor arrives …
Risk-based evaluation Business
critical list of
Risk based
critical list of
Applications
Sensitivity
(CIA)
People
Soft controls
Risk-based
Selection of controls
(CIA)
Selection of
Controls
- Soft controls
Processes
-Three levels of defenseMonitoring
Compliance-based
monitoring
IT Environment
Technology
- Compliance monitoring
- Vulnerabilities monitoring
Incident detection
o to g
Analysis of Issues
IssueTracking
- Incident detection
Risk-based
evaluation and
follow-up
Follow-up
(improve or
accept)
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 9
9

11. As the IT Auditor arrives …
You can help to make it effective and efficient !
Consider how the IT Auditor can help you, to improve your IT environment
RegardingRegarding
People
ProcesesProceses
Technology
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 10

12. Questions
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 111
1

13. Contact details
Name  Ir Peter Kornelisse RE CISAName  Ir. Peter Kornelisse RE CISA
Position  Director, experienced with regard to Information Security and
Technology, having performed and coordinated many advisory services,
as well as compliance audits and security tests, since 1990.
Peter is globally responsible for security testing services at KPMG andPeter is globally responsible for security testing services at KPMG, and
mainly delivers IT audit support for Financial Audits, and Information
Protection and Business Continuity services in the Netherlands.
E-mail  kornelisse.peter@kpmg.nl
Telephone  +31 (0)6 – 53 165 596
© 2010 KPMG Advisory N.V., the Dutch member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG
International, a Swiss cooperative. 121
2