• No results found

Terms of Reference for an IT Audit of

N/A
N/A
Protected

Academic year: 2021

Share "Terms of Reference for an IT Audit of"

Copied!
5
0
0

Loading.... (view fulltext now)

Full text

(1)

Terms of Reference for an IT Audit of

National Maritime Safety Authority (NMSA) 1

Terms of Reference for an IT Audit of

National Maritime Safety Authority (NMSA)

TASK DESCRIPTION

PROJECT/TASK TITLE: To engage a professional and qualified IT Auditor to conduct a comprehensive and independent audit of NMSA’s ITC processes and controls.

EXECUTING AGENT: National Maritime Safety Authority (NMSA) IMPLEMENTING AGENT: ITC Department

PROJECT SPONSOR: Executive Manager, Corporate Services

PROJECT LOCATION: National Maritime Safety Authority, Head Office, Level 2, Defense Haus, Port Moresby

COMMENCEMENT DATE: Mid-September 2013 PROJECT DURATION: 2-3 Months

(2)

Terms of Reference for an IT Audit of

National Maritime Safety Authority (NMSA) 2

I.

INTRODUCTION/BACKGROUND

The Authority was established by the National Maritime Safety Authority (NMSA) Act 2003 of parliament to oversee all aspects of safety at sea. NMSA through the Department of Information Technology is responsible for delivery of IT solutions and services to meet the Authority’s mandated responsibility of ensuring safety at sea and ensuring compliance with laws and regulations.

The Authority has invested significantly in the past on the installation and implementation of new technology infrastructures and business solutions to effectively achieve the Authority’s stakeholder requirements and business goals and objectives. For instance, the rollout of a Wide Area Network (WAN), connecting five field offices in Papua New Guinea.

As an ongoing effort by the Authority to improve controls, ensure an efficient use of IT systems and aligning its IT strategies with business strategies, the Authority seeks to engage a professional and qualified Auditor to conduct an independent IT audit of its IT infrastructures, systems and environment, report any significant issues and/or key findings, and make practical recommendations to address the control deficiencies and risk mitigation strategies.

II.

OBJECTIVE

The objective of the engagement is to review and provide an opinion on the capability of the existing IT framework and controls (hardware, software, facilities, policies, procedures, practices and organizational structures) that strategically supports, add value and improve the business operations of NMSA.

The engagement is aimed at helping the Authority to accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes within IT.

III.

STANDARDS AND GUIDANCE

The auditor who performs this audit is governed by the ISACA’s IS auditing and IS controls standards, and code of professional ethics, which establishes fundamental ethical principles for the Auditor with regard to integrity, objectivity, independence, professional competence and due care, confidentiality, professional behavior and technical standards.

IV.

REQUIREMENTS FOR THE AUDITOR

IV.1.

GENERAL PRINCIPLES

By accepting the Terms of Reference (ToR), the IT Auditor confirms that he/she meets the following conditions:

• The IT Auditor is a member of the international association for Information Systems Audit and Control Association or also known as ISACA.

• The IT Auditor is committed to undertake this engagement in accordance with ISACA’s IS auditing and IS controls standards, and code of professional ethics.

• The IT Auditor is expected to maintain his/her professional independence throughout the course of the engagement. This means that; in all matters related to auditing, the IT auditor is to be independent of the auditee in attitude and appearance.

(3)

Terms of Reference for an IT Audit of

National Maritime Safety Authority (NMSA) 3

• The IT Auditor is expected to have knowledge of internal control and standards framework such as COSO, COBIT, ITIL, VaLIT and standards such as ISO 27000 series (i.e. 27001, 27002/17799, 27003 etc..)

• The engaging firm is to be sufficiently independent of the organization (i.e. NMSA) being audited to permit objective completion of the audit.

• The engaging firm must be currently registered, as required under the PNG Companies Act 1997, and must always comply with the requirements and guidelines of Investment Promotion Auditory (IPA).

• The engaging firm must comply with all tax requirements, as required by the Internal Revenue Commission (IRC) and must have a current operating Certificate of Compliance (CoC).

IV.2.

QUALIFICATIONS AND EXPERIENCE

The Auditor must have experience in conducting IT Audit of internal control of entities comparable in size and complexity. The Auditor may be requested to provide evidence of similar engagement with previous clients.

The Auditor must have suitable experience and adequate professional and technical qualifications with ISACA standards; in particular he/she must have at least one of the listed accreditations.

• Certified Information Systems Auditor (CISA). • Certified Information Security Manager (CISM).

• Certified in the Governance for Enterprise IT (CGEIT). • Certified Information System Security Professional (CISSP). • Certified in Risk and Information Systems Control (CRISC).

(Note: CISSP not an ISACA certification)

V. SCOPE OF WORK (SoW)

The engagement is intended to address the internal controls (i.e. policies, procedures, facilities, practices, organizational structures).

TABLE 1: MAIN SCOPE OF WORK

CATEGORY PROCESS DESCRIPTION CONTROL OBJECTIVES

DEFINE A STRATEGIC IT PLAN DEFINE TECHNOLOGICAL DIRECTION DEFINE IT PROCESSES,

(4)

Terms of Reference for an IT Audit of

National Maritime Safety Authority (NMSA) 4

ORGANIZATION AND RELATIONSHIPS COMMUICATE MANAGEMENT AIMS AND DIRECTION AASESS AND MANAGE IT RISKS IT GOVERNANCE ENSURE SYSTEMS SECURITY ENSURE CONTINUOUS SERVICE MANAGE SERVICE DESK AND INCIDENTS

MANAGE THIRD PARTY SERVICES

DEFINE AND MANAGE SERVICE LEVELS IT PROCUREMENT EDUCATE AND TRAIN USERS ENABLE OPERATIONS AND USE MANAGE THE PHYSICAL ENVIRONMENT IDENTIFY AUTOMATED SOLUTIONS ACQUIRE AND MAINTAIN TECHNOLOGY INFRASTRUCTURE ACQUIRE AND

(5)

Terms of Reference for an IT Audit of

National Maritime Safety Authority (NMSA) 5

MAINTAIN APPLICATION SOFTWARE

MANAGE CHANGES

TABLE 2: ADDITIONAL SCOPE OF WORK

IT RESOURCES

NETWORK TOPOLOGY AND ARCHITECTURE

IT STRATEGIC TRAINING AND SUCCESSION PLAN IT OUTSOURCING Vs IN-SOURCING

VI.

EXPECTED OUTCOMES

Upon completion of the above Scope of Work, the IT Auditor should issue the Authority with a Final Audit Report detailing the key findings, risks and practical recommendations for improving the controls and mitigating the risks.

References

Related documents

This research aimed to evaluate the effect of the inlet air temperature and the feed flow (FF) rate of the spray drying of fresh stevia leaves aqueous extracts on the total phenolic

Alexandre Dgebuadze vs Alexandre Dgebuadze vs Ludwig Stahnecker, Ludwig Stahnecker, Schwaebisch Gmund, 2012 Schwaebisch Gmund, 2012.. Marin Bosiocic vs Marin Bosiocic vs Ivan

Over the almost now 100 years of the history of Cath- olic youth and young adult ministry, especially in recent history, pastoral ministry leaders have been pushed and pulled

The MEP must provide the registry manager with the required metering information for each metering installation the MEP is responsible for, and update the registry metering records

These services include: Education Support, Unlicensed Home and Community Habilitation, Licensed Day Habilitation, Prevocational Services, Respite, Supported Employment, Nursing,

Penelitian ini bertujuan untuk menganalisis kecenderungan rubrik good governance ditampilkan di Harian Palopo Pos, dan peran Palopo Pos dalam mewujudkan good governance di

The current study examined coping strategies utilized by individuals with SMI versus those with SMI-PTSD, while also investigating the role of PTSD symptom severity,

FY20 Research - $13m in direct and $1m indirect expenses Clinical Operations Own and manage clinical operations and budgets for practice. plan