Role of State Audit Bureau of Kuwait in promoting and audit of IT Security
Table of contents:
• Definition and Importance.
• IT audit in SAB.
• The objectives of INTOSAI in IT audit.
• What do we have in IT audit? (Our capabilities).
• Efforts of SAB related to IT Security Audit.
• How Auditors in The State Audit Bureau of Kuwait view the IT Security Audit.
• Main challenges within the audit of IT security.
• How to overcome challenges related to the audit of IT security.
The State Audit Bureau of Kuwait
• The “National Cyber Security Strategy for the State of Kuwait” is the Kuwaiti government's response to the extent of threats and challenges of cyber risks against institutions and individuals.
• SAB has held the duty of overseeing the collection of State revenues and the settlement of its expenses within the limits of budget allocations, in addition to sustaining the adequacy of the systems and procedures used to safeguard public funds and prevent any misuse.
Definition
• Information Systems Security Audit (ISSA): “independent review and examination of system records, activities and related documents.”
• Information Technology Audit: “the process of examining the implemented measures and systems that were designed to securely protect and safeguard information utilizing various forms of technology”
Importance
• Evaluating the flow of data within SAB.
• Drawing management's attention to address residual risk exposure.
• Determining if the Auditee needs to work more on its IT security controls, policies, regulations or standards.
• Ensuring that management is applying the governance structures currently in place to support effective oversight of IT security.
• Improving IT governance.
• Reducing risk, improving security and reinforcing controls.
IT Audit in SAB
• Examining and evaluating an organization's information technology infrastructure, policies and operations.
• Determining whether IT controls protect corporate assets.
• Ensuring data integrity and alignment with the business' overall goals.
• Examining the overall business and financial controls that involve information technology systems.
The objectives of INTOSAI in IT audit: Implementing the triennial work plan, which consists of various goals and projects. Projects are selected after reviewing the needs of SAIs and the deliverables range from best practice guides to website related information and other audit material. It is the dedication and effort of individual SAIs that makes the WGITA work.
What do we have in IT audit? (Our capabilities):
IT Pre-Audit, IT Post-Audit, Internal Audit, Performance Audit:
• Technically investigates the subject tender, commitment, agreement, or contract and verifies that the allocations of the funds in the budget allow for engagement.
• Controls review.
• Provides a reasonable assurance regarding the efficiency of performed processes within SAB.
• Examination of controls and business rules adopted by audited entity in the database management system.
• Audit of system development.
• Audit of IT systems.
• Forensic audit.
• Security audits.
What do we have in IT audit? (Our capabilities):
• Information technology department quality management system
• CAATs
• Development projects teams
• CMMI-DEV L2
• The Interactive Data Exploration and Analytics (IDEA)
• ISO 9001
• SAB’s working teams: Standing committees and working groups. Temporary Working Teams.
Efforts of SAB related to IT Security Audit:
1. Training programs (Local, External).
2. Formal Meetings with other SAIs (Local, External).
3. Seminars and Conferences (Local, External).
4. Workshops (Local, External).
5. Field Visits to other SAIs.
IT Audit Training: Training programs in IT Audit [chart: programs and participants per year, 2014 to 2018]
IT Audit Training: Formal Meetings, Seminars, Conferences and workshops related to IT audit [chart: programs and participants per year, 2014 to 2018]
How Auditors in SAB view the IT Security Audit:
• Auditing of the National Rationing System.
• Auditing of the Traffic Ticketing Information System.
• Evaluating the efficiency of automated systems in Kuwait Fund for Arab Economic Development with an emphasis on the security of the systems.
• Auditing of the digital security environment of Kuwait Authority for Partnership Projects.
Results:
• Auditees have taken some corrective actions regarding the findings.
• Auditees have benefited from recommendations regarding creating and implementing new security procedures and policies.
• Audit findings have helped in revealing some hidden risks.
• Auditees were more encouraged to keep technology up-to-date.
Main challenges within the audit of IT security:
• Auditees are not employing proper technologies in their work.
• Internal Audit is ignored.
• Lack of IT security controls.
• Employing new concepts within the audit process.
• Staff shortage.
• Auditor experience vs. rapid change of technology.
• Lack of experience.
How to overcome challenges related to the audit of IT security:
• Strategic plan of SAB.
• Auditors’ continuous training in topics related to the audit of IT security.
• Helping its auditors to focus on developing their technical skills and staying up-to-date on the latest technologies.
• Internal audit: Following regular audits, which also helps in improving the effectiveness of the auditor.
• Technical support department: Providing auditees with workshops and training courses related to IT and IT security.
• IT audit team: Hiring qualified and skilled staff including auditors.
Thank you!