Governance, audit and digital preservation
Boudien J. Glashouwer RE RI CISA
April 14, 2004
Table of contents
  Governance
  Quality and Maturity
  Information Security
  Audit
  Digital preservation
April 14, 2004 Erpanet - Antwerp 2
Strategic business goals
  Profit or non-profit
  Core business is digital preservation, or digital preservation is secondary
Legislation
  Democracy
  Buying and selling agreements
  Computer crime
  Transparency
  Privacy
  Finance
  Specific laws
  Records management
Hot issues
  Sarbanes-Oxley Act, 2002, USA: financial reporting, auditing, internal control, standard setting, corporate governance
  Basel II, New Basel Capital Accord, 2003, Europe: limitation of credit risks and operational risks in banking
Governance
  How to keep the ship on course?
  How to achieve objectives?
  How to adapt in time?
  Governance: manage, control, account for and supervise
Plan: goals, strategy and policy; laws and regulations; standards and control models; commitment at top level
Do: management cycle; needs; responsibilities; projects; communication; meetings; organisation; quality; security
Check: measure; alignment; compliance; assessment; audit/assurance
Correct/Adapt: monitor, evaluate, learn; new standards?; adapt policy
Plan
Governance & control models
  COSO, USA: Internal Control Integrated Framework, 1992: business ethics, effective internal control, corporate governance
  COBIT: governance, control and audit for IT and related technology, 1996: IT controls support the COSO framework
COSO: Committee of Sponsoring Organisations of the Treadway Commission (fraudulent financial reporting)
Internal Control Integrated Framework
  1. Control environment (company level)
  2. Risk assessment (achieve objectives)
  3. Control activities (policies, procedures, practices, general & application controls)
  4. Information and communication (at all levels)
  5. Monitoring of the internal control (oversight)
CobiT (four domains)
  Planning and Organisation: strategy, quality, human resources
  Acquisition and Implementation: systems development and installation
  Delivery and Support: service levels, operations, security
  Monitoring: internal control, assurance, audit
Do
Business Performance
  Manage business
  Take action
  Produce
  Can be a bakery or digital preservation...
Quality and maturity of business processes
  ISO 9000: general quality
  ISO 15489: records management
  ITIL: IT Infrastructure Library
  EFQM: total quality management
Information Security
  Risk analysis of business processes
  Awareness
  Standard: ISO 17799 (code of practice for information security management; later renumbered ISO/IEC 27002)
  Baseline security levels
  Roles: manager, security officer, security manager, auditor
  Service Level Agreement (SLA) and Service Level Management (SLM)
  Certification
Check
Monitoring & Measuring
  Critical Success Factors
  Key Goal Indicators
  Key Performance Indicators
  Dashboards
  Scorecards
  Benchmarking
Auditing
  Internal audit: self assessment; Internal Audit Service
  External audit: financial auditing; operational auditing; IT/EDP auditing
Resources
  Business processes: input, throughput, output, outcome
  People
  Application systems
  Technology
  Facilities
  Data
Criteria
  Effectiveness
  Efficiency
  Confidentiality
  Integrity
  Availability
  Compliance
  Reliability
Audit approach
  Legislation, standards
  Management norms
  Audit plan
  Audit tools
  Report
  Communication
  Certification?
Correct/Adapt
Improvement
  Define maturity level
  Learn
  Take small steps
  Grow and improve the quality of business processes!
Digital preservation
  No information, no control...
  Without digital preservation, governance, control and audit are not possible!
  Is an audit of business processes enough, or do we need a special preservation audit or certificate?
Take the challenge
  Enjoy this conference in Antwerp!
Websites
  www.coso.org
  www.isaca.org
  www.erpanet.org
Contact
  Het Expertise Centrum, The Hague
  www.hec.nl
  b.glashouwer@hec.nl
  00 31 6 206 02 209