ISACA Willamette Valley Chapter Luncheon
Thursday, March 20, 2008
Practical Auditors Guide for CobiT
Steve Balough, CISA
Most of us are familiar with CobiT; however, it is often an overlooked and underutilized tool.
Today's talk will provide some helpful approaches for leveraging CobiT in all types of audits.
CobiT: Control Objectives for Information and related Technology
Today we will discuss:
I. Overview of the CobiT Framework
II. Navigating the on-line tool: What is there? What might you need?
III. Reference to Risk Assessment (Real World)
IV. Testing Guide
V. Maturity Assessment
VI. Mapping CobiT to other standards
Why is CobiT Valuable?
• Framework for comprehensive IT control coverage.
• Well thought out and researched. *
• Maintained and kept up to date.
• Sponsoring organization: IT Governance Institute (ITGI).
• A means to address "IT governance".
* COBIT (1996) was produced by a large group of people. Sections were developed over time by project teams, project steering committees, researchers and expert reviewers.
I. Overview of the CobiT Framework
The benefits of implementing COBIT as a governance framework over IT include:
• Better alignment, based on a business focus
• A view, understandable to management, of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, a common language
• Fulfillment of the COSO requirements for the IT control environment
CIO Magazine - July 2006
“….Cobit isn’t widely used: Less than half of the CIOs in the financial services industry, where Cobit is most popular, are even aware of the guidelines, …
The reason? Since it was created in 1996, Cobit has expanded to cover so many control objectives and management guidelines that it’s difficult to make sense of them.
….Cobit 4.0 (now 4.1). The authors have done away with Cobit’s multiple volumes, integrating the information about all 34 high-level control processes, 239 detailed control objectives and related management guidelines into one volume.
…..the material is organized by how one approaches projects: First, plan and organize (PO), next, acquire and implement (AI), then deliver and support (DS), and finally, monitor (M) and evaluate.
….Cobit 4.0 offers more details on how to measure whether IT processes are delivering what the business needs. ….”
CobiT:
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Process focus and ownership
• Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
• Considers the fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 239 detailed control objectives
Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate
What does CobiT consist of?
Domains: Natural grouping of processes, often matching an organizational domain of responsibility.
Processes: A series of joined activities with natural control breaks.
Activities or Tasks: Actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.
Process Orientation and the COBIT Cube (figure): three dimensions, Business Requirements, IT Processes and IT Resources.
Business Requirements:
• Quality Requirements: Quality, Delivery, Cost
• Security Requirements: Confidentiality, Integrity, Availability
• Fiduciary Requirements (COSO Report): Effectiveness and efficiency of operations; Compliance with laws and regulations; Reliability of financial reporting
These map onto the seven information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information.
COSO = Committee of Sponsoring Organizations of the Treadway Commission
CobiT Hierarchy (figure): 4 domains, 34 processes, 239 detailed control objectives (no longer numbered).
IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
Plan and Organise (PO): Covers strategy and tactics, and the identification of how IT can best contribute to the achievement of the business objectives. The strategic vision needs to be planned, communicated and managed, and the organisation and infrastructure put in place.
Acquire and Implement (AI): IT solutions need to be identified, developed or acquired, implemented, and integrated into the business process. Changes in and maintenance of existing systems are covered to ensure the life cycle is continued for these systems.
Deliver and Support (DS): Delivery of required services, which range from traditional operations over security and continuity aspects to training. Includes the processing of data by application systems, often classified under application controls.
Monitor and Evaluate (ME): IT processes need to be regularly assessed over time for their quality and compliance with control requirements. Addresses management's oversight of the organization's control process and the independent assurance provided by internal and external audit or alternative sources.
CobiT Domains and Processes
Plan and Organise
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality
Acquire and Implement
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes
Deliver and Support
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations
Monitor
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit
Note: this list uses the CobiT 3rd Edition process names and numbers. CobiT 4.0/4.1 keeps 34 processes but restructures them: PO has 10 processes, AI has 7 (AI7 Install and accredit solutions and changes), and the Monitor domain becomes Monitor and Evaluate (ME1 to ME4). Check process references against the edition your audit program cites.
COBIT Framework (figure)
Business Requirements (criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) drive the control of IT Processes (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate), which is enabled by Control Statements and considers Control Practices, applied to IT Resources (Data, Application systems, Technology, Facilities, People).
4 Domains - 34 Processes - 239 Control Objectives
IT GENERAL CONTROLS AND APPLICATION CONTROLS
General controls are controls embedded in IT processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations
Controls embedded in business process applications are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties
III. Reference to Risk Assessment (Real World)
Information Technology Risk Based Auditing (figure)
1- IT Audits: from your company's audit program, e.g. Data Center, User Access Management, Web Development
2- Risk Assessment: inputs are Narratives, Flowcharting, Prior Audits, Compliance
3- Risks Identified (each risk is marked R in the figure)
4- Risks Categorized: Security, Change Management, Code Development, Performance Management
5- Control Sources: Policies & Procedures; Regulatory; Best Practices (CobiT, ITIL, ISO 17799:2000)
Web Development Audit (example of initial risk assessment with no input from CobiT):
CHANGE MANAGEMENT: a control objective grouping based on risk
Risk That:
• Requests for systems and application changes, including emergencies, may not be assessed or prioritized in a manner that addresses timely impacts on operational systems and their functionality.
• Changes may not be appropriately reviewed, approved, and communicated.
Information Technology Risk Based Auditing (figure, repeated with CobiT as the best-practice control source)
1- IT Audit: Web Development
2- Risk Assessment: Narratives, Flowcharting, Prior Audits, Compliance
3- Risks Identified
4- Risks Categorized, each mapped to a CobiT process
5- Control Sources: Policies & Procedures; Regulatory; Best Practices (CobiT for this page)
Risk Categorization        CobiT Process
Change Management          AI 6: Manage Changes
Code Development           AI 2: Acquire & Maintain Application Software
Performance Management     DS 3: Manage Performance & Capacity
Security                   DS 5: Ensure System Security
CobiT ‘AI 6 Manage Changes’ (domain / high-level control objective, with its detailed control objectives)
Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorization, release, and distribution policies and procedures.
Web Development Audit (Acquisition & Implementation) (example of initial risk assessment with CobiT review):
AI 6 - MANAGE CHANGES (CobiT online)
Risk That (risk drivers):
• Requests for systems and application changes, including emergencies, may not be assessed or prioritized in a manner that addresses timely impacts on operational systems and their functionality.
• Changes may not be appropriately approved and communicated.
• Appropriate contingencies for change control may not be addressed or followed.
• Resources may be inappropriately allocated.
• Production system availability may be impacted (reduced).
Control and Control Objective Definitions
Definition of Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Definition of IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity.
IV. Testing Guide
Management Guidelines Framework (figure)
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices. For each IT process the Management Guidelines provide:
• Process Description
• Critical Success Factors
• Key Goal Indicators
• Key Performance Indicators
• Information Criteria
• Resources
• Maturity Model
V. Maturity Assessment
Maturity Model (figure): a 0 to 5 scale on which the enterprise's current status, the international standard guidelines, industry best practice and the enterprise strategy are each plotted.
Legend for Rankings Used
0 Nonexistent - Management processes are not applied at all.
1 Initial - Processes are ad hoc and disorganised.
2 Repeatable - Processes follow a regular pattern.
3 Defined - Processes are documented and communicated.
4 Managed - Processes are monitored and measured.
5 Optimised - Best practices are followed and automated.
Legend for Symbols Used: Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy
Maturity Models: Usage
Possible maturity level of an IT process: the example illustrates a process that is largely at level 3 but still has some compliance issues with lower-level requirements, whilst already investing in performance measurement (level 4) and optimisation (level 5).
Using the maturity models developed for each of COBIT's 34 IT processes, management can identify:
• The actual performance of the enterprise: where the enterprise is today
• The enterprise's target for improvement: where the enterprise wants to be
Maturity Attribute Table (figure)
VI. Mapping CobiT to other standards
COBIT to ISO 17799:2000 mapping (table)
Note: ISO/IEC 17799:2000 has since been revised as ISO/IEC 17799:2005 and renumbered ISO/IEC 27002; confirm which revision your mapping references.
Today we reviewed:
I. Overview of the CobiT Framework
II. Navigating the on-line tool: What is there? What might you need?
III. Reference to Risk Assessment (Real World)
IV. Testing Guide
V. Maturity Assessment
VI. Mapping CobiT to other standards
Useful Links
• Information Systems Audit and Control Association: www.isaca.org
• IT Governance Institute: www.itgi.org
• Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org
• ITIL, Information Technology Infrastructure Library: http://www.itil-officialsite.com/home/home.asp
Questions?