
ISACA Willamette Valley Chapter Luncheon Thursday, March 20, 2008 Practical Auditors Guide for CobiT Steve Balough, CISA.


2 Most of us are familiar with CobiT; however, it can be an often overlooked and underutilized tool. Today's talk will provide some helpful approaches for leveraging CobiT in all types of audits.

CobiT: Control Objectives for Information Technology

3 Today we will discuss:
I. Overview of the CobiT Framework
II. Navigating the on-line tool: What is there? What might you need?
III. Reference to Risk Assessment (Real World)
IV. Testing Guide
V. Maturity Assessment
VI. Mapping CobiT to other standards

4 I. Overview of the CobiT Framework

Why is CobiT Valuable?
- Framework for comprehensive IT control coverage.
- Well thought out and researched. *
- Maintained and kept up to date.
- Sponsoring organization: IT Governance Institute (ITGI).
- A means to address "IT governance".

* COBIT (1996) was produced by a large group of people. Sections were developed over time by project teams, project steering committees, researchers and expert reviewers.

5 The benefits of implementing COBIT as a governance framework over IT include:
- Better alignment, based on a business focus
- A view, understandable to management, of what IT does
- Clear ownership and responsibilities, based on process orientation
- General acceptability with third parties and regulators
- Shared understanding amongst all stakeholders, a common language
- Fulfillment of the COSO requirements for the IT control environment

6 CIO Magazine - July 2006
"... Cobit isn't widely used: Less than half of the CIOs in the financial services industry, where Cobit is most popular, are even aware of the guidelines ... The reason? Since it was created in 1996, Cobit has expanded to cover so many control objectives and management guidelines that it's difficult to make sense of them. ... Cobit 4.0 (now 4.1): The authors have done away with Cobit's multiple volumes, integrating the information about all 34 high-level control processes, 239 detailed control objectives and related management guidelines into one volume. ... The material is organized by how one approaches projects: First, plan and organize (PO); next, acquire and implement (AI); then deliver and support (DS); and finally, monitor (M) and evaluate. ... Cobit 4.0 offers more details on how to measure whether IT processes are delivering what the business needs. ..."

7 What does CobiT consist of?
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Process focus and ownership
- Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
- Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 239 detailed control objectives

Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance
Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

8 Process Orientation
Domains: Natural grouping of processes, often matching an organizational domain of responsibility.
Processes: A series of joined activities with natural control breaks.
Activities or Tasks: Actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.

9 Business Requirements
Quality Requirements: Quality, Delivery, Cost
Security Requirements: Confidentiality, Integrity, Availability
Fiduciary Requirements (COSO Report): Effectiveness and efficiency of operations; Compliance with laws and regulations; Reliability of financial reporting

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information

COSO = Committee of Sponsoring Organizations

10 The COBIT Cube

11 CobiT Hierarchy
239 IT control objectives (no longer numbered) provide a complete set of high-level requirements to be considered by management for effective control of each IT process.

12 CobiT Domains

Plan and Organise (PO): Covers strategy and tactics, and the identification of how IT can best contribute to the achievement of the business objectives. The strategic vision needs to be planned, communicated and managed, with organisation and infrastructure in place.

Acquire and Implement (AI): IT solutions need to be identified, developed or acquired, implemented, and integrated into the business process. Changes in and maintenance of existing systems are covered to ensure the life cycle is continued for these systems.

Deliver and Support (DS): Delivery of required services, which range from traditional operations over security and continuity aspects to training. Includes the processing of data by application systems, often classified under application controls.

Monitor and Evaluate (ME): IT processes need to be regularly assessed over time for their quality and compliance with control requirements. Addresses management's oversight of the organization's control process and independent assurance provided by internal and external audit or alternative sources.

13 COBIT Framework

Business Requirements (Criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: Data, Application systems, Technology, Facilities, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

DELIVER AND SUPPORT
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

MONITOR AND EVALUATE
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit

14 The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 239 Control Objectives
Business Requirements: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

15 IT GENERAL CONTROLS AND APPLICATION CONTROLS
General controls are controls embedded in IT processes and services. Examples include: Systems development; Change management; Security; Computer operations.
Controls embedded in business process applications are commonly referred to as application controls. Examples include: Completeness; Accuracy; Validity; Authorisation; Segregation of duties.

18 Information Technology Risk Based Auditing (diagram)
1- IT Audits: Data Center; User Access Management; Web Development
2- Risk Assessment, from your company's audit program: Narratives; Flowcharting; Prior Audits; Compliance
3- Risks Identified (R)
4- Risks Categorized: Security; Change Management; Code Development; Performance Management
5- Control Sources: Policies & Procedures; Regulatory; Best Practices (CobiT, ITIL, ISO 17799:2000)

19 Web Development Audit (example of initial risk assessment with no input from CobiT):
CHANGE MANAGEMENT - a control objective grouping based on risk
Risk that:
- Requests for systems and application changes, including emergencies, may not be assessed or prioritized in a manner that addresses timely impacts on operational systems and their functionality.
- Changes may not be appropriately reviewed, approved, and communicated.

20 Information Technology Risk Based Auditing (diagram, with CobiT as the control source)
1- IT Audit: Web Development
2- Risk Assessment, from your company's audit program: Narratives; Flowcharting; Prior Audits; Compliance
3- Risks Identified (R)
4- Risks Categorized: DS 5: Ensure System Security; AI 6: Manage Changes; AI 2: Acquire & Maintain Application Software; DS 3: Manage Performance & Capacity
5- Control Sources: Policies & Procedures; Regulatory; Best Practices (CobiT for this page)

21 Risk Categorization -> CobiT Processes
Change Management -> AI 6: Manage Changes
Code Development -> AI 2: Acquire & Maintain Application Software
Performance Management -> DS 3: Manage Performance & Capacity
Security -> DS 5: Ensure System Security

22 CobiT 'AI 6 Manage Changes'
Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorization, release, and distribution policies and procedures.
(Slide labels: Domain or high-level Control Objective; Detailed Control Objective)

23 Web Development Audit (Acquisition & Implementation) (example of initial risk assessment with CobiT review):
AI 6 - MANAGE CHANGES (CobiT online)
Risk that (risk drivers):
- Requests for systems and application changes, including emergencies, may not be assessed or prioritized in a manner that addresses timely impacts on operational systems and their functionality.
- Changes may not be appropriately approved and communicated.
- Appropriate contingencies for change control may not be addressed or followed.
- Inappropriate allocation of resources.
- Production system availability may be impacted (reduced).

24 Control and Control Objective Definitions
Definition of Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Definition of IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity.

27 Management Guidelines Framework
Process Description; Critical Success Factors; Key Goal Indicators; Key Performance Indicators; Information Criteria; Resources
Maturity Model:
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.

28 Maturity Models Usage
Scale: 0 Nonexistent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimised
Legend for Symbols Used: Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy
Legend for Rankings Used:
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.

29 Maturity Attribute Table
Possible maturity level of an IT process: The example illustrates a process that is largely at level 3 but still has some compliance issues with lower-level requirements, whilst already investing in performance measurement (level 4) and optimization (level 5).
Using the maturity models developed for each of COBIT's 34 IT processes, management can identify:
- The actual performance of the enterprise: where the enterprise is today
- The enterprise's target for improvement: where the enterprise wants to be

31 COBIT mapped to ISO 17799:2000 (mapping table not captured in the transcript)

32 Today we reviewed:
I. Overview of the CobiT Framework
II. Navigating the on-line tool: What is there? What might you need?
III. Reference to Risk Assessment (Real World)
IV. Testing Guide
V. Maturity Assessment
VI. Mapping CobiT to other standards

33 Useful Links
Information Systems Audit and Control Association: www.isaca.org
IT Governance Institute: www.itgi.org
Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org
ITIL Information Technology Infrastructure Library: http://www.itil-officialsite.com/home/home.asp

34 Questions ?
