Master Thesis Presentation

Levels of IT audit implementation in Bosnia and Herzegovina

Student: Nermin Ćatović
Supervisor: Ing. Pavel Čech, Ph.D.

IT auditing
is the evaluation of IT, practices and operations to assure
the integrity of an entity’s information. Such evaluation
can include assessment of the efficiency, effectiveness,
and economy of computer-based practices.

Derived as an enhancement / support to financial
auditing

Today – important role in modern business

Background
-   Early stages of development in Bosnia and Herzegovina
-   Chance of a huge impact on the profession
-   No ISACA Chapter formed – only 24 registered members
-   EU integration will require the introduction of legislation
-   Two pieces of legislation in 2012 that change the future of IT auditing
    (another two in preparation!):

    - Decision on Minimum Standards of Information System Management
    - Decision on Minimum Standards of Externalization/Outsourcing



Goals and objectives
- Determine and confirm the need for legislation
- Raise awareness of IT auditing
- Determine the level of implementation of international standards and
  frameworks so far
- Awareness of companies
- The need to control and monitor processes is critical to
  business development


Hypothesis
Awareness of the evaluation of information technologies to support
modern business and objectives in Bosnia and Herzegovina is growing and changing. This
opinion and awareness require implementation of international standards and
frameworks related to control and auditing, risk management and performance
measures, through adoption of legislation necessary to establish a
higher level of decision making in management.

The research will try to prove positive changes and the evolution of information
technology auditing compared to previous years.




Research
-     February 2012 (open for 1 month)
-     Email list based on previous contacts and use of LinkedIn group – IT revizija
-     Target focus group of 37 people
-     25 fully completed surveys (67% of the target number)
-     Easy-to-use form on www.itrevizija.ba



Research concept was based on 6 parts which include 28
questions:
     –   Profile
     –   Company IT profile
     –   Significance and benefits of information technology
     –   IT problems and potential solutions
     –   Awareness and usage of IT Governance frameworks
     –   Awareness and usage of CobiT

-   Results which prove hypothesis will be shown
-   Comparison to similar research from 2009




Question P1.1: Please indicate position within the organization?

Internal Auditors, IT security officer, Internal IT auditors, Head of IT department,
Auditor, Deputy CEO, IT Supervisor, Project Manager, Assistant IT auditor, CSO,
CIO, IT Department Director, IT Project manager, Assistant Professor

Question P1.3: Please indicate which group does your company belong to.

[Pie chart P1.3. Legend: Limited Liability Company (d.o.o. BiH); Financial Institution;
Corporation (joint-stock); Public institution or company; Nonprofit organization;
Budget user. Slice values shown: 20%, 20%, 0%, 4%, 12%, 44%.]


Question P3.2: How strongly would you agree or disagree that IT investments
have created value for your organization?

* Proof of how IT provides additional, competitive value

[Pie chart P3.2. Legend: Absolutely agree; Agree; Partly agree; Strongly disagree;
I don't know. Slice values shown: 0%, 0%, 12%, 16%, 72%.]





Question P3.4: Of these, which is the most important item in the
management of IT activities of your organization?

[Pie chart P3.4. Legend: Avoidance of negative incidents; Ensuring that the current
IT functionality is in compliance with current business needs; Achieving a better
balance between innovation and risk avoidance; Alignment with business and/or legal
regulations; I don't know. Slice values shown: 0%, 0%, 8%, 4%, 16%, 72%.]



Question P3.7: To what extent does your IT department support the
business needs?

[Pie chart P3.7. Legend: Does not support at all; Does not support enough;
Supports up to some limit; Extremely supports; I don't know.
Slice values shown: 0%, 0%, 4%, 32%, 64%.]





Comparison to 2009 research
- basis in similar research from 2009
- clear goal of proving hypothesis and positive changes
- MSc. Amra Alagid currently works at Federal Banking Agency (B&H)

- best way of determining changes
- questions that show difference





Question P2.4: How would you describe Management's level of involvement
in IT governance?

[Pie charts, 2012 and 2009. Legend: Low level of engagement; Are informed, but not
included; Participate in decision making; Key people in decision making; Fully
involved; I don't know.
Slice values shown, 2012: 0%, 8%, 8%, 8%, 20%, 56%.
Slice values shown, 2009: 9%, 17%, 22%, 17%, 35%.]





Question P3.8: How would you describe the fit or alignment between your IT
strategy and your organization’s overall business strategy?

[Pie charts, 2012 and 2009. Legend: Very poor; Poor; Average; Good; Very good;
I don't know; We don't have IT strategy.
Slice values shown, 2012: 0%, 0%, 4%, 4%, 20%, 44%, 28%.
Slice values shown, 2009: 0%, 9%, 4%, 17%, 31%, 39%.]




Question P5.2: Have you implemented, are you in the process of
implementing or are you considering implementing improved IT governance
practices?

[Pie charts, 2012 and 2009. Legend: Not considering implementation; Considering
implementation; In the process of implementing; Have implemented; I don't know.
Slice values shown, 2012: 4%, 13%, 25%, 12%, 46%.
Slice values shown, 2009: 11%, 28%, 28%, 33%.]




Question P5.3: What solutions/frameworks do you use, are you considering
using or not using?

2012
    ISO security standards – 55% using, 25% considering implementing
2009
    ISO security standards – 17% implemented

2012
    COBIT framework – 56.5% using, 13% considering implementing
2009 (4th place)
    COBIT framework – 11% implemented

An interesting finding is that 38% of respondents are mostly interested in
and considering implementation of Val IT, but only 9.5% of them are using
it, which is nearly the same figure as in 2009 (9%).

Question P6.2: Are you personally aware of the contents of COBIT?

[Pie charts, 2012 and 2009. Legend: Yes; No; I don't know.
Slice values shown, 2012: 9%, 4%, 87%.
Slice values shown, 2009: 25%, 75%.]





Research results - conclusions
-   Research that was conducted on the territory of Bosnia and Herzegovina has
    shown satisfactory conditions
-   Respondents consider IT generally important for their business
-   Follow practices of developed countries
-   Implementation of good practices through intensive cooperation of internal
    and external auditors.
-   Reducing risk of information technology --> advise management about
    practices of strategic approach
-   Strategic development plan --> strategic plan for implementation of IT
-   Shows how much management cares about establishment of effective
    systems of internal controls


CobiT & problems?
- Small number of developed IT organizations mature enough to
  implement
- Areas of banking and financial activities
- Insufficient institutionalized encouragement
- COBIT framework must be adapted to use in each individual
  organization (if we are using it to improve processes)
- Change in mindset, orientation and training of organization and
  its employees
- „community of auditors“


Improvements & suggestions
- Not perfect but clear improvements can be seen
- Increase popularity of www.itrevizija.ba
- Training, online education, consultant
  lectures, presentations, case studies, etc.
- Benefits of organizing first IT auditing conference
- Clearer understanding of risk, development of audit programs
- Promotion of the frameworks within auditing community
- Experiences and examples from similar countries and European
  Union


Publication
- Research document prepared for all interested individuals
- Free publication available on www.itrevizija.ba
- Extremely positive comments from leading experts so far
- Possibility of publishing results and publication by Institute of
  Internal Auditors (IIA BiH)
- Invitation to write 2-3 part article about IT auditing with
  research results in leading accounting and auditing magazine
  „Porezni savjetnik“ – Tax advisor


Thank you for your attention!

Nermin Ćatović

Reviewer’s questions:

Other questions?

Question 1: What do you think is the most interesting
result from your survey from the B&H IT industry point
of view? Support it with some sound arguments.

Question 2. Was the number of completely filled
surveys high enough for achieving some sound
statistical results?




Question P5.4: How important is IT risk management to your
organization?

[Pie charts, 2012 and 2009. Legend: Not important at all; Not very important;
Not sure; Somewhat important; Very important; I don't know.
Slice values shown, 2012: 0%, 4%, 4%, 4%, 20%, 68%.
Slice values shown, 2009: 14%, 5%, 48%, 9%, 24%.]





Question 1: What do you think is the most interesting result from your
survey from the B&H IT industry point of view? Support it with some
sound arguments.

According to a 2009 survey of 280 audit committee members conducted by
KPMG in conjunction with the National Association of Corporate
Directors, IT risk is a key area of concern.

Banking sector – huge risks (cyber attacks) – constant increase
- Lack of legislation – REDUCING RISK takes on an essential role
- Realization that IT risk management is crucial in protecting their assets
- Corporate risk management – clearly part of internal controls
- Provides guidance to help executives and management ask the key
   questions, make better, more informed risk-adjusted decisions and guide
   their enterprises so risk is managed effectively
- Helps save time, cost and effort with tools to address business risks

Question 2. Was the number of completely filled surveys high enough for
achieving some sound statistical results?

-   Undeveloped IT community
-   Basic statistical data
-   2009 research 27 filled questionnaires | 2012 research 25 filled
-   Physical presence and deep networking abilities crucial for obtaining
    data
-   Professional encouragement from experts
-   Advice on how to improve a future version of the research – EMPHASIS on
    a larger group of experts and individual question relationships
    (multivariable statistical analysis)

-   Personal opinion – IT CAN/MUST BE IMPROVED
-   „Research V2“ - extensive research on this topic (from inside industry
    /profession)
                                                                                 27

Más contenido relacionado

Destacado (8)

Presentation1
Presentation1Presentation1
Presentation1
 
New year in...
New year in...New year in...
New year in...
 
Bosnia and Hezegovina - “Intangible Cultural Heritage: Bosnia and Herzegovina”
Bosnia and Hezegovina - “Intangible Cultural Heritage: Bosnia and Herzegovina”Bosnia and Hezegovina - “Intangible Cultural Heritage: Bosnia and Herzegovina”
Bosnia and Hezegovina - “Intangible Cultural Heritage: Bosnia and Herzegovina”
 
Bosnia pp2
Bosnia pp2Bosnia pp2
Bosnia pp2
 
25 Macedonia events 2016
25 Macedonia events 2016 25 Macedonia events 2016
25 Macedonia events 2016
 
25 Bosnia & Herzegovina Events in 2016
25 Bosnia & Herzegovina Events in 201625 Bosnia & Herzegovina Events in 2016
25 Bosnia & Herzegovina Events in 2016
 
Bosnia and Herzegovina - Introducing the Heart-Shaped Country
Bosnia and Herzegovina - Introducing the Heart-Shaped CountryBosnia and Herzegovina - Introducing the Heart-Shaped Country
Bosnia and Herzegovina - Introducing the Heart-Shaped Country
 
Bosnia And Herzegovina by Sanjin Hadziomerovic
Bosnia And Herzegovina by Sanjin HadziomerovicBosnia And Herzegovina by Sanjin Hadziomerovic
Bosnia And Herzegovina by Sanjin Hadziomerovic
 

Similar a Levels of IT audit implementation in Bosnia and Herzegovina

PwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital ValuePwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital Value
Eileen Chan
 
CIO Summit 2013 - Mc Nally
CIO Summit 2013 - Mc Nally  CIO Summit 2013 - Mc Nally
CIO Summit 2013 - Mc Nally
CIOsummit
 
CIO Summit 2013 - David McNally
CIO Summit 2013 - David McNallyCIO Summit 2013 - David McNally
CIO Summit 2013 - David McNally
IDGnederland
 

Similar a Levels of IT audit implementation in Bosnia and Herzegovina (20)

Management With Next Gen Executive Information Systems
Management With Next Gen Executive Information SystemsManagement With Next Gen Executive Information Systems
Management With Next Gen Executive Information Systems
 
Cio software testing_survey
Cio software testing_surveyCio software testing_survey
Cio software testing_survey
 
IT Infrastructure - Importance of IT to Business
IT Infrastructure - Importance of IT to BusinessIT Infrastructure - Importance of IT to Business
IT Infrastructure - Importance of IT to Business
 
PwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital ValuePwC Transforming Internal Audit to Drive Digital Value
PwC Transforming Internal Audit to Drive Digital Value
 
Web Analytics Demystified - Competing On Web Analtytics
Web Analytics Demystified - Competing On Web AnaltyticsWeb Analytics Demystified - Competing On Web Analtytics
Web Analytics Demystified - Competing On Web Analtytics
 
Business Intelligence: Realizing the Benefits of a Data-Driven Journey
Business Intelligence: Realizing the Benefits of a Data-Driven JourneyBusiness Intelligence: Realizing the Benefits of a Data-Driven Journey
Business Intelligence: Realizing the Benefits of a Data-Driven Journey
 
IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?IT Governance - Governing IT: Do or Die?
IT Governance - Governing IT: Do or Die?
 
Hawaii OIMT presentation
Hawaii OIMT presentationHawaii OIMT presentation
Hawaii OIMT presentation
 
FreeBalance-ABFM-2011-Budget-2.0
FreeBalance-ABFM-2011-Budget-2.0FreeBalance-ABFM-2011-Budget-2.0
FreeBalance-ABFM-2011-Budget-2.0
 
Megatrends: Shaping the Future
Megatrends: Shaping the FutureMegatrends: Shaping the Future
Megatrends: Shaping the Future
 
CIO Summit 2013 - Mc Nally
CIO Summit 2013 - Mc Nally  CIO Summit 2013 - Mc Nally
CIO Summit 2013 - Mc Nally
 
CIO Summit 2013 - David McNally
CIO Summit 2013 - David McNallyCIO Summit 2013 - David McNally
CIO Summit 2013 - David McNally
 
US Market Study
US Market StudyUS Market Study
US Market Study
 
Improving Organizational Performance Through Pervasive Business Intelligence
Improving Organizational Performance Through Pervasive Business IntelligenceImproving Organizational Performance Through Pervasive Business Intelligence
Improving Organizational Performance Through Pervasive Business Intelligence
 
Enterprise 2.0 Survey Finland 2010
Enterprise 2.0 Survey Finland 2010Enterprise 2.0 Survey Finland 2010
Enterprise 2.0 Survey Finland 2010
 
The impact of information technology on external audit fees a field study i...
The impact of information technology on external audit fees   a field study i...The impact of information technology on external audit fees   a field study i...
The impact of information technology on external audit fees a field study i...
 
David johnnie
David johnnieDavid johnnie
David johnnie
 
IT-BPO Situationer and ICT Industry Development Programs
IT-BPO Situationer and ICT Industry Development ProgramsIT-BPO Situationer and ICT Industry Development Programs
IT-BPO Situationer and ICT Industry Development Programs
 
A Guide To IT Compliance Assessment And Management
A Guide To IT Compliance Assessment And ManagementA Guide To IT Compliance Assessment And Management
A Guide To IT Compliance Assessment And Management
 
IoT: Powering the Future of Business and Improving Everyday Life
IoT: Powering the Future of Business and Improving Everyday LifeIoT: Powering the Future of Business and Improving Everyday Life
IoT: Powering the Future of Business and Improving Everyday Life
 

Último

Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
ciinovamais
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 

Último (20)

Understanding Accommodations and Modifications
Understanding  Accommodations and ModificationsUnderstanding  Accommodations and Modifications
Understanding Accommodations and Modifications
 
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptxSKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
SKILL OF INTRODUCING THE LESSON MICRO SKILLS.pptx
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Spatium Project Simulation student brief
Spatium Project Simulation student briefSpatium Project Simulation student brief
Spatium Project Simulation student brief
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Towards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptxTowards a code of practice for AI in AT.pptx
Towards a code of practice for AI in AT.pptx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds  in the ClassroomFostering Friendships - Enhancing Social Bonds  in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.ICT role in 21st century education and it's challenges.
ICT role in 21st century education and it's challenges.
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 

Levels of IT audit implementation in Bosnia and Herzegovina

  • 1. Master Thesis Presentation Levels of IT audit implementation in Bosnia and Herzegovina Student: Supervisor: Nermin Ćatović Ing. Pavel Ĉech, Ph.D. 1
  • 2. Levels of IT audit implementation in Bosnia and Herzegovina IT auditing is the evaluation of IT, practices and operations to assure the integrity of an entity’s information. Such evaluation can include assessment of the efficiency, effectiveness, and economy of computer-based practices. Derived as an enhancement / support to financial auditing Today – important role in modern business 2
  • 3. Levels of IT audit implementation in Bosnia and Herzegovina Background - Early stages of development in Bosnia and Herzegovina - Chances of huge impact on profession - No ISACA Chapter formed – only 24 registered members - EU integrations will require introduction of legislations - Two legislations in 2012 which change future of IT auditing (another two in preparation!): - Decision of Minimum Standards of Information System Management - Decision on Minimum Standards of Externalization/Outsourcing 3
  • 4. Levels of IT audit implementation in Bosnia and Herzegovina Goals and objectives - Determine and confirm needs for legal legislations - Awakening of consciousness about IT auditing - Determine levels of international standard and framework implementation so far - Awareness of companies - Needs to control and monitor processes are critical to business development 4
  • 5. Levels of IT audit implementation in Bosnia and Herzegovina Hypothesis Growing awareness on the evaluation of information technologies to support modern business and objectives in Bosnia and Herzegovina is changing. This opinion and awareness requires implementation of international standards and frameworks related to control and auditing, risk management, performance measures through adoption of legislatures which are necessary to establish higher level of decision making in management. Research will try to prove positive changes and evolution of information technology auditing compared to previous years. 5
  • 6. Levels of IT audit implementation in Bosnia and Herzegovina Research - February 2012 ( opened for 1 month) - Email list based on previous contacts and use of LinkedIn group – IT revizija - Aimed focus group of 37 people 25 fully filled surveys (67% of aimed number) Easy-to-use filling form on www.itrevizija.ba 6
  • 7. Research concept was based on 6 parts which include 28 questions:
    – Profile
    – Company IT profile
    – Significance and benefits of information technology
    – IT problems and potential solutions
    – Awareness and usage of IT Governance frameworks
    – Awareness and usage of CobiT
    - Results which prove hypothesis will be shown
    - Comparison to similar research from 2009
  • 8. Question P1.1: Please indicate position within the organization?
    - Internal Auditors, IT security officer, Internal IT auditors, Head of IT department, Auditor, Deputy CEO, IT Supervisor, Project Manager, Assistant IT auditor, CSO, CIO, IT Department Director, IT Project manager, Assistant Professor
    Question P1.3: Please indicate which group does your company belong to.
    - [Pie chart P1.3. Legend: Limited Liability Company (d.o.o. BiH); Financial Institution; Corporation (joint-stock); Public institution or company; Nonprofit organization; Budget user. Values shown: 20%, 20%, 0%, 4%, 12%, 44%.]
  • 9. Question P3.2: How strongly would you agree or disagree that IT investments have created value for your organization?
    - * proof how IT gives out additional, competitive value
    - [Pie chart P3.2. Legend: Absolutely agree; Agree; Partly agree; Strong disagree; I don't know. Values shown: 0%, 0%, 12%, 16%, 72%.]
  • 10. Question P3.4: Of these, which is the most important item in the management of IT activities of your organization?
    - [Pie chart P3.4. Legend: Avoidance of negative incidents; Ensuring that the current IT functionality is in compliance with current business needs; Achieving a better balance between innovation and risk avoidance; Alignment with business and/or legal regulations; I don't know. Values shown: 0%, 0%, 8%, 4%, 16%, 72%.]
  • 11. Question P3.7: To what extent does your IT department support the business needs?
    - [Pie chart P3.7. Legend: Does not support at all; Does not support enough; Supports up to some limit; Extremely supports; I don't know. Values shown: 0%, 0%, 4%, 32%, 64%.]
  • 12. Comparison to 2009 research
    - basis in similar research from 2009
    - clear goal of proving hypothesis and positive changes
    - MSc. Amra Alagid currently works at Federal Banking Agency (B&H)
    - best way of determining changes
    - questions that show difference
  • 13. Question P2.4: How would you describe Management's level of involvement in IT governance?
    - [Pie charts for 2012 and 2009. Legend: Low level of engagement; Are informed, but not included; Participate in decision making; Key people in decision making; Fully involved; I don't know. Values shown across both charts: 0%, 8%, 8%, 8%, 9%, 17%, 20%, 22%, 17%, 35%, 56%.]
  • 14. Question P3.8: How would you describe the fit or alignment between your IT strategy and your organization’s overall business strategy?
    - [Pie charts for 2012 and 2009. Legend: Very poor; Poor; Average; Good; Very good; I don't know; We don't have IT strategy. Values shown across both charts: 0%, 0%, 0%, 4%, 4%, 9%, 4%, 17%, 20%, 31%, 44%, 39%, 28%.]
  • 15. Question P5.2: Have you implemented, are you in the process of implementing or are you considering implementing improved IT governance practices?
    - [Pie charts for 2012 and 2009. Legend: Not considering implementation; Considering implementation; In the process of implementing; Have implemented; I don't know. Values shown across both charts: 4%, 13%, 11%, 28%, 25%, 12%, 28%, 33%, 46%.]
  • 16. Question P5.3: What solutions/frameworks do you use, are you considering using or not using?
    - 2012: ISO security standards – 55% using, 25% considering implementing
    - 2009: ISO security standards – 17% implemented
    - 2012: COBIT framework – 56.5% using, 13% consider implementing
    - 2009 (4th place): COBIT framework – 11% implemented
    - Interesting data obtained is that 38% of respondents are mostly interested and considering implementation of Val IT, but only 9.5% of them are using it which is nearly the same number as from 2009 (9%).
  • 17. Question P6.2: Are you personally aware of the contents of COBIT?
    - [Pie charts for 2012 and 2009. Legend: Yes; No; I don't know. Values shown across both charts: 9%, 4%, 25%, 75%, 87%.]
  • 18. Research results - conclusions
    - Research that was conducted on the territory of Bosnia and Herzegovina has shown satisfactory conditions
    - Respondents consider IT generally important for their business
    - Follow practices of developed countries
    - Implementation of good practices through intensive cooperation of internal and external auditors.
    - Reducing risk of information technology --> advise management about practices of strategic approach
    - Strategic development plan --> strategic plan for implementation of IT
    - Shows how much management cares about establishment of effective systems of internal controls
  • 19. CobiT & problems?
    - Small amount of developed IT organizations mature enough to implement
    - Areas of banking and financial activities
    - Insufficient institutionalized encouragement
    - COBIT framework must be adapted to use in each individual organization (if we are using it to improve processes)
    - Change in mindset, orientation and training of organization and its employees
    - „community of auditors“
  • 20. Improvements & suggestions
    - Not perfect but clear improvements can be seen
    - Increase popularity of www.itrevizija.ba
    - Training, on-line educations, consultant lectures, presentations, case studies, etc.
    - Benefits of organizing first IT auditing conference
    - Clearer understanding of risk, development of audit programs
    - Promotion of the frameworks within auditing community
    - Experiences and examples from similar countries and European Union
  • 21. Publication
    - Research document prepared for all interested individuals
    - Free publication available on www.itrevizija.ba
    - Extremely positive comments from leading experts so far
    - Possibility of publishing results and publication by Institute of Internal Auditors (IIA BiH)
    - Invitation to write 2-3 part article about IT auditing with research results in leading accounting and auditing magazine „Porezni savjetnik“ – Tax advisor
  • 22. Thank you for attention! Nermin Ćatović
  • 23. Reviewer’s questions: Other questions?
  • 24. Reviewer’s questions
    - Question 1: What do you think is the most interesting result from your survey from the B&H IT industry point of view? Support it with some sound arguments.
    - Question 2: Was the number of completely filled surveys high enough for achieving some sound statistical results?
  • 25. Question P5.4: How important is IT risk management to your organization?
    - [Pie charts for 2012 and 2009. Legend: Not important at all; Not very important; Not sure; Somewhat important; Very important; I don't know. Values shown across both charts: 0%, 4%, 4%, 4%, 14%, 5%, 20%, 48%, 9%, 24%, 68%.]
  • 26. Question 1: What do you think is the most interesting result from your survey from the B&H IT industry point of view? Support it with some sound arguments.
    According to a 2009 survey of 280 audit committee members conducted by KPMG in conjunction with the National Association of Corporate Directors, IT risk is a key area of concern.
    - Banking sector – huge risks (cyber attacks) – constant increase
    - Lack of legislations – REDUCING RISK takes an essential role
    - Realization that IT risk management is crucial in protecting their assets
    - Corporate risk management – clearly part of internal controls
    - Provides guidance to help executives and management ask the key questions, make better, more informed risk-adjusted decisions and guide their enterprises so risk is managed effectively
    - Helps save time, cost and effort with tools to address business risks
  • 27. Question 2: Was the number of completely filled surveys high enough for achieving some sound statistical results?
    - Undeveloped IT community
    - Basic statistical data
    - 2009 research 27 filled questionnaires | 2012 research 25 filled
    - Physical presence and deep networking abilities crucial for obtaining data
    - Professional encouragement from experts
    - Advice on how to improve future version of research – EMPHASIS on larger group of experts and individual question relationships (multivariable statistical analysis)
    - Personal opinion – IT CAN/MUST BE IMPROVED
    - „Research V2“ - extensive research on this topic (from inside industry / profession)