(b) The goal of Problem Management is to resolve the root cause of incidents and thus to minimize the adverse impact on the business of incidents and problems caused by errors within the IT infrastructure, and to prevent the recurrence of incidents related to these errors. A 'problem' is an unknown underlying cause of one or more incidents, and a 'known error' is a problem that has been successfully diagnosed and for which a work-around has been identified.
(c) Configuration Management is a process that tracks all of the individual Configuration Items (CIs) in a system. A system may be as simple as a single server or as complex as the entire IT department. Configuration Management includes:
values are stipulated by the confidentiality, integrity and availability. Inferred aspects are
privacy, anonymity and verifiability.
(i) ICT Infrastructure Management: The ICT Infrastructure Management processes recommend best practice for requirements analysis, planning, design, deployment and ongoing operations management and technical support of an ICT infrastructure. The Infrastructure Management processes are those processes within ITIL that relate directly to the ICT equipment and software involved in providing ICT services to customers. They cover:
- ICT Design and Planning
- ICT Deployment
- ICT Operations
- ICT Technical Support
(j) The Business Perspective: The Business Perspective is the name given to the collection of best practices suggested to address some of the issues often encountered in understanding and improving IT service provision, as part of the entire business requirement for high-quality IS management. These issues are:
- Business Continuity Management describes the responsibilities and opportunities available to the business manager to improve what is, in most organizations, one of the key contributing services to business efficiency and effectiveness.
- Surviving Change. IT infrastructure changes can affect the manner in which business is conducted or the continuity of business operations. It is important that business managers take notice of these changes and ensure that steps are taken to safeguard the business from adverse side effects.
- Transformation of business practice through radical change helps to control IT and to integrate it with the business.
- Partnerships and outsourcing.
(k) Application Management: The ITIL Application Management set encompasses a set of best practices proposed to improve the overall quality of IT software development and support throughout the life cycle of software development projects, with particular attention to gathering and defining requirements that meet business objectives.
(l) Software Asset Management: Organisations rely increasingly on technology in order to
operate profitably and software as such should be treated as a valuable asset. Good
Auditing organization
The auditing organization has the regulatory authority, or is designated by the regulatory authority, to perform audits, the results of which are evidence of the auditee's compliance or non-compliance with the regulatory requirements for quality management systems. Associated with this authority are the responsibilities for management and performance of all audit activities.
The responsibilities of the auditing organization for audit management include:
f) maintaining the means of providing prompt guidance which may be required by the audit team during the audit
Audits do not result in a transfer of the responsibility to achieve quality objectives from
the manufacturer to the auditing organization.
In conjunction with the lead auditor, the responsibilities of the auditing organization for audit performance include:
b) agreeing on the scope of the audit, including the standards or other documents to be used, with the manufacturer as necessary to comply with, and as permitted by, the regulatory requirements
g) remaining alert to any indications or evidence that can influence the audit results and possibly require more extensive auditing
l) verifying that corrective actions have been taken and have been effective:
   iii) based on experience gained with devices on the market (e.g. post-market surveillance)
m) minimizing disruption to the auditee's personnel and processes during the audit while attaining the audit's objectives
n) complying with any health and safety or other applicable requirements of the auditee
about the quality of financial reporting and audit processes, but also to approve significant accounting policy decisions. Moreover, strong and effective audit committees, through their planning, review, and monitoring activities, can recognize problem areas and take corrective action before such problems affect the company's financial statements and investors. Thus, audit committees have an important role in helping boards of directors avoid litigation risk, because such committees provide due diligence related to financial reporting.
Requirement For Audit Committees
Audit committees have long been seen as an important group in assuring greater corporate
accountability in the United States. The value of such committees has been noted by the
U.S. Congress, the U.S. Securities and Exchange Commission, the New York Stock
Exchange, and the American Institute of Certified Public Accountants. Audit committees are
required by the New York Stock Exchange, American Stock Exchange, and National
Association of Securities Dealers (NASDAQ/NMS issuers).
Key recommendations and decisions in the evolution of audit committees in the United
States include the following:
1940: The Securities and Exchange Commission (SEC) recommended the establishment of audit committees (Accounting Series Release No. 19). Specifically, the SEC recommended that shareholders elect the auditors at annual meetings and that a committee of non-officer directors nominate the auditors. The New York Stock Exchange Board of Governors issued a similar recommendation.
1967: The executive committee of the American Institute of Certified Public Accountants (AICPA) recommended that publicly held corporations establish audit committees to nominate the auditors and discuss the audit.
1972: The SEC issued Accounting Series Release No. 123, "Standing Audit Committees Composed of Outside Directors."
1973: The New York Stock Exchange (NYSE) issued a white paper, "Recommendations and Comments on Financial Reporting to Shareholders and Related Matters," strongly recommending that each listed company form an audit committee.
1974: The SEC amended Regulation 14A dealing with the proxy rules. Registrants are required to disclose in their proxy statements the existence of audit committees and the names of the committee members.
1977: A NYSE audit committee policy statement required each domestic corporation listed on the exchange to establish and maintain an audit committee of outside directors before July 1, 1978.
1987: The National Commission on Fraudulent Financial Reporting recommended that the SEC require all public companies to have audit committees.
1987: The National Association of Securities Dealers required each NASDAQ/NMS issuer to establish an audit committee.
1991: Congress passed the Federal Deposit Insurance Corporation Improvement Act. The law provided for the establishment of audit committees for insured depository institutions that have total assets of $150,000,000 or more.
1993: The American Stock Exchange required its listed companies to establish audit committees.
1994: The American Law Institute issued Principles of Corporate Governance: Analysis and Recommendations. The Institute strongly supported and endorsed the concept of audit committees.
1999: The Independence Standards Board issued its first standard, "Independence Discussions with Audit Committees," which requires independent auditors to issue an annual independence confirmation to the audit committee of the company.
1999: The SEC approved changes to its rules to implement several of the recommendations of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees. Registrants are required to disclose information about audit committee composition and practices.
In addition to the presence of audit committees on U.S. stock exchanges, a number of stock exchanges in Canada, Europe, Africa, the Middle East, and the Asia/Pacific region have adopted audit committees. As worldwide financial markets expand and more companies are listed on major stock exchanges in different countries, the international investing public's demand for consistent and equal oversight protection through the use of audit committees will continue. International investors are also concerned about the quality of corporate governance because of the impact of financial collapses and alleged frauds on securities markets.
In response, a number of stock exchanges have adopted audit committees to increase transparency and competence in the management of their listed member companies, in order to attract foreign equity investment.
Organization and Structure of Audit Committees:
Boards of directors form their audit committees by either passing a board resolution or
amending corporate bylaws. Audit committees' responsibilities should be clearly defined and
documented in their charter. Although the scope of the audit committees' responsibilities is
predetermined by boards, the committees should be allowed to expand their charge with
board approval and investigate significant matters that impact financial reporting
disclosures.
Boards of directors should give careful consideration to the following points when appointing directors to audit committees:
1. Number of directors: The number of independent directors appointed to audit
committees depends on the nature of the business and industry dynamics, the size
of the company, and the size of the board of directors. The general consensus seems
to be that three to five members are adequate.
2. Composition: Because members of audit committees have varied backgrounds and
occupations, they provide a mix of skills and experience. Although the members have
different levels of expertise, it is strongly advisable to have at least one individual
who has a financial accounting background.
3. Meetings: Audit committees meet from one to four times each year, with three or
four meetings being the most common schedules.
Internal controls
Although boards of directors have defined the responsibilities of audit committees, boards
may expand the scope of the audit committees' charter; however, boards should avoid
diluting the committees' charge with information over-load. Recognizing that audit
committees operate on a part-time basis and serve in an advisory capacity to boards, it is
essential that boards place limitations on the scope of the committees' charge. Such a scope
limitation enables boards to evaluate the committees' performance as well as protect the
committees against legal claims for their inactions that are outside their charge. An
illustration of the roles and responsibilities of audit committees is disclosed in the annual
proxy statement of a company.
The duties of the Audit Committee are (a) to recommend to the Board of Directors a firm of independent accountants to perform the examination of the annual financial statements of the Company; (b) to review with the independent accountants and with the Controller the proposed scope of the annual audit, past audit experience, the Company's internal audit program, recently completed internal audits and other matters bearing upon the scope of the audit; (c) to review with the independent accountants and with the Controller significant matters revealed in the course of the audit of the annual financial statements of the Company; (d) to review on a regular basis whether the Company's Standards of Business Conduct and Corporate Policies relating thereto have been communicated by the Company to all key employees of the Company and its subsidiaries throughout the world, with a direction that all such key employees certify that they have read, understand and are not aware of any violation of the Standards of Business Conduct; (e) to review with the Controller any suggestions and recommendations of the independent accountants concerning the internal control standards and accounting procedures of the Company; (f) to meet on a regular basis with a representative or representatives of the Internal Audit Department of the Company and to review the Internal Audit Department's Reports of Operations; and (g) to report its activities and actions to the Board at least once each fiscal year.
The IS auditor is required to include in the scope of the audit the relevant processes for planning and organising the information systems activity and the processes for monitoring that activity. The scope of the audit also includes the internal control system(s) for the use and protection of the information and the information systems, as follows:
a) Data
b) Application systems
c) Technology
d) Facilities
e) People
Performance of Audit Work:
The IS auditor should review the following:
a) Minutes of the meetings of the Board of Directors for audit information relating to the
consideration of the matters concerning the information systems and their control and the
supporting materials for any such items.
b) Minutes of the meetings of the Audit Committee reporting to the Board of
Directors for audit information relating to the consideration of the matters
concerning the information systems and their control and the supporting materials
for any such items.
The IS auditor is required to consider whether the information obtained from the above reviews indicates coverage of the appropriate areas. The issues, documents, statements and areas that the IS auditor is required to examine include, among others, the following:
a) IS mission statement and agreed goals and objectives for information systems activities.
b) Assessment of the risks associated with the organisation's use of information systems and the approach to managing those risks.
c) IS strategy, plans to implement the strategy and monitoring of progress against those plans.
d) IS budgets and monitoring of variances.
e) High-level policies for IS use and protection, and monitoring of compliance with these policies.
f) Major contract approval and monitoring of suppliers' performance.
g) Monitoring of performance against service level agreements.
h) Acquisition of major systems and decisions on implementation.
i) Impact of external influences on IS, such as the Internet, mergers or liquidation of suppliers, etc.
j) Control self-assessment reports, internal and external audit reports, quality assurance reports or other reports on IS.
k) Business Continuity Planning, testing thereof and test results.
l) Compliance with legal and regulatory requirements.
m) Appointment, performance monitoring and succession planning for senior IS staff, including internal IS audit management and business process owners.
Review of Policies and Compliance:
The IS auditor is required to consider whether the policies issued cover all of the appropriate areas for which board-level direction is necessary in order to provide reasonable assurance that the business objectives are met. Such board-level direction must exist only as documented policies, and these documented policies shall include, among others, the following:
a) Security Policy
b) Human Resources Policy
c) Data Ownership Policy
d) End-user Computing Policy
e) Copyright Policy
governance, the same is required to be reported urgently to the designated authority in the organisation. The IS audit report on corporate governance of information systems should, among others, include the following:
a) A statement that the Board of Directors is responsible for the organisation's information systems and for the formulation and implementation of the system of internal controls.
b) A statement that a system of internal controls can provide only reasonable, and not absolute, assurance against material misstatement or loss.
c) A description of the key procedures that the Board of Directors has approved or established to provide effective internal control, and the related supporting documentation presented to the Board of Directors.
d) Information on any non-compliance with the national or industry codes of practice for corporate governance.
e) Information on any major uncontrolled risks.
f) Information on any ineffective or inefficient control structures or control measures, together with the IS auditor's recommendations for improvement.
g) The IS auditor's overall conclusion on the corporate governance of the information systems, as defined in the scope of the audit.
Follow-up Activities:
Weaknesses, if any, in the system of corporate governance of information and information systems can have wide-ranging and high-risk effects in the organisation. The IS auditor is therefore required, where appropriate, to carry out sufficient and timely follow-up work to verify that management action is taken promptly to address such weaknesses.