AN INTRODUCTION TO INFORMATION TECHNOLOGY (IT) SUPERVISION

CARTAC & Caribbean Group of Banking Supervisors
IT Workshop for Regional Bank Examiners

June 23 – 25, 2009
Georgetown, Guyana

Kirk Tyrell, CISA
Assistant Director
Financial Institutions Supervisory Division
Bank of Jamaica
www.boj.org.jm
What is IT Supervision?

…a high level examination that encompasses review and evaluation (wholly or in part) of automated information processing systems, related non-automated processes and the interfaces between them.
What is IT Supervision? (cont’d)

DOES:
- Increase the probability of detecting potentially serious issues
- Reduce the probability of occurrence of fraud, breaches, etc.

DOES NOT:
- Guarantee full detection
- Prevent fraud, breaches, etc. from occurring

What is ….

“…is an after-the-fact, detailed review of a system and, in the world of information security, is considered a line of defense.” (ISACA)
Classifications

- Information Systems audit: collects and evaluates evidence, assesses the effectiveness and adequacy of controls over IS resources, etc., in order to detect, correct and prevent undesirable events
- Specialized audits: examine 3rd party relationships, forensic audits, etc.
- Forensic audits: audits specialized in discovering, disclosing and following up on frauds and crimes
IT Supervision vs. IS Auditing

1. Reporting relationship:
   - IT Supervision reports are routed to the Chief Supervisor of Banks and/or supervisory council
   - IS audit reports are made to the board of directors, audit committee or the public

2. Scope and frequency of reviews:
   - IT Supervision scope is limited to high level examination of controls that govern the development, operation, maintenance, and security of IT systems. Reviews are normally scheduled at least once a year, except if a target review is required
   - IS Auditing scope includes a more detailed review of controls that evaluate IT functions and systems based on security, quality, fiduciary, services and capacity. These reviews are normally ongoing/continuous over an agreed audit cycle

3. Mandate:
   - IT Supervision is primarily concerned with ensuring that financial institutions operate in a safe and sound manner in order to protect depositors’ interest and the integrity of the financial system
   - IS auditing is designed to meet the safeguarding needs of shareholders and other stakeholders.
Why is IT Supervision Necessary?

- Growing importance of IT to financial institutions
- Growth of operational risk
- Increased focus from the international regulatory community

Why is IT Important to FIs?

- Regulatory pressures to improve risk management and compliance
- Strategic technology investment for survival and growth
- Relentless globalization
- Shifts in customer demographics
- Increased competition
IT Spending Within Banks

[Chart: IT spending within banks. Source: IT Spending in Financial Services: A Global Perspective Report, published by Celent, January 2009]
Growth in Operational Risk
IT Supervision vs. Banking Supervision

- Supplements the work of financial or safety and soundness examinations
- Provides for an overall risk assessment of the financial institution
- Cross over of IT risk into the traditional risk areas

[Diagram: Internet banking client → Internet → Firewall → Server → Firewall → Core Bank, with links to GL, Financials and Other systems]
Challenges Impacting IT Supervision

- Rapid technology innovation
- Audit fatigue
- Skill, competence and availability of IT supervisors
- Changing scope of examinations
- Need to satisfy multiple stakeholders
- Lack of standardized certification process for IT supervision
- Siloed view of compliance
- Existence of barriers to compliance
- Collecting accurate, timely data/evidence is a protracted manual process
- Proprietary interfaces prevent data integration, even where automation of IT supervisory tools exists
Specialized skills for IT Supervisors

Standards and Standards-Setting Bodies

[Diagram of standards-setting bodies; only IFAC and "Vendor or Jurisdiction Specific" are recoverable from the figure]
Objectives of IT Supervision

- To assess a financial institution's IT management and operation
- To ensure accuracy and reliability of information systems
- IT alignment with the financial institution's business
- Ultimate objective: ensure safety and soundness
Main Areas of Interest

[Diagram: Business and Transactional Processes are supported by Application Systems, which are powered by Technology Infrastructure. Controls at each layer: Process Controls, Application Controls, IT General Controls and Entry Level Controls. Internal control environment criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability]
A Risk-Based Approach

[Diagram: Risk-Based IT Supervision cycle. Start here: Gather Information and Plan → Obtain Understanding of Internal Control → Perform Compliance Tests → Perform Substantive Tests → Conclude Audit → Post Audit Follow-up]
Risk-Based Approach - Gather Information and Plan

- Knowledge of the financial institution and industry
- Prior year’s examination result (i.e. IT and non-IT reports)
- Regulatory statutes, standards, industry requirements, etc.
- Inherent risk assessments

Scoping – What to include:
- Information and its flow
- IT architecture
- Applications and databases (e.g. OS, API, DB Oracle, Sybase, etc.)
Risk-Based Approach - Understanding of Internal Control

- Control environment
- Control procedures
- Detection risk assessment
- Control risk assessment
- Equate total risk
Risk-Based Approach - Perform Compliance Tests

- Test policies and procedures
- Other substantive audit procedures
Risk-Based Approach - Perform Substantive Tests

- Analytical procedures
- Detailed tests of account balances
- Other substantive examination procedures
Risk-Based Approach - Conclude Examination

- Present findings to the institution’s management
- Create recommendations and course of action
- Write audit report
Perform Post-Exam Follow-up

- Monitor compliance with enforcement actions
- Achievement of recommendations

Off-Site IT Examination

- Risk assessment of new IT-related products and services' applications
- Monitoring of major IT projects and initiatives within FIs
- Specialist advisor
Questions
