2. 1 IT Directors Briefing October 16, 2001

3. 2  Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts  Adjunct faculty at Bentley College  Member of CobiT Steering Committee  Served as member of Y2K Coordinating Council, Commonwealth of Massachusetts  1994-1995 International President of ISACA/F  Served as member of Governor’s Commission on Computer Crime, Governor’s Commission on Computer Technology and Law, and Governor’s Task Force on E- Commerce  e-mail: john.beveridge@sao.state.ma.us

4. 3  How do responsible managers keep the ship on course?  How do we achieve satisfactory results for our stake-holders?  How do we adapt in a timely manner to “best practices” for our organization’s environment?

5. 4 When we spend a lot of money and what we have built doesn’t work, or is difficult to maintain, or is not accepted, or appears vulnerable, People have a lot to say

6. 5 Stakeholders apply pressure Shareholders and Executive Lower cost, higher profitability and increased market share Customers and Staff More functionality at lower cost and greater ease of use Society Greater accountability for executives in private and public sector

7. 6 E-business Factors u Guarantee of delivery u Customer service u Ease of use u Increased dependence u Security What are the customers saying ?

8. 7 u Focus on Operational Risk within which security and IT are very significant u All major risk issues have been caused by breakdowns in 3 Internal control 3 Oversight 3 Information Technology What signals are regulators giving? Federal Reserve

9. 8 Most Pressing Concerns about Information Technology  Security  Availability  Integrity and Effectiveness  Cost

10. 9 September 11 th has Impacted us all in a Whole Lot of Ways  Personal  Economic  Security  Risk

11. 10 Measures?Scales? Indicators?

12. 11 The Answer Lies In:  Having clear understandings of the strategic value of technology  Bringing that strategic value to reality  Having appropriate frameworks of control  Employing the fundamentals of IT goverance  Building mechanisms to provide adequate assurance that IT governance objectives are addressed

13. 12 CobiT CobiT’s Control Objectives and Management Guidelines are valuable IT governance tools that help in the understanding and management of risks and benefits associated with information integrity, security and availability and the management of related IT.

14. 13 lAuthoritative, up-to-date set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. lStructured and organized to provide a powerful control model

15. 14  Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)  Framework -- Senior Operational Management (Directors of IS and Audit / Controls)  Control Objectives -- Middle Management (Mid-Level IS and IS Audit/ Controls Managers)  Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)  Implementation Tool Set -- Any of the above  Management Guidelines -- Management and Audit

16. 15  Management Guidelines Includes: – Critical Success Factors – Key Performance Indicators – Key Goal Indicators – Maturity models C OBI T

17. 16  Right information, to only the right party, at the right time.  Information that is relevant, reliable and secure.  Information provided by systems that have integrity by a well-managed and properly controlled IT environment.

18. 17 IT Governance Objectives  IT is aligned with the business enabling the entity to maximize benefit  IT resources are safeguarded and used in a responsible and ethical manner  IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure

19. 18  The need for better operational control  While technology makes new business processes possible, it may come with reduced control  Demand for increased effectiveness, efficiency and security  Strategic importance of technology  The need to hold officers and senior management accountable and strengthen governance

20. 19  Addresses key attributes of information produced by IT.  Provides a working control model for IT- related control objectives  Links recommended control practices for IT to business and control objectives.  Assists in evaluating appropriateness of controls

21. 20 CobiT is an Authoritative Source  Built on a sound framework of control and IT-related control practices.  Aligned with de jure and de facto standards and regulations.  Has undergone expert review and exposure process

22. 21 CobiT Sources Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc) Technical standards (ISO, EDIFACT, etc.) Codes of Conduct Qualification criteria for IT systems and processes (ISO9000, ITSEC, TCSEC, etc.) Industry practices and requirements from industry forums (ESF, I4) Emerging industry-specific requirements from banking, e-com, IT manufacturing.

23. 22 Based on a Strong Foundation and Sound Principles of Internal Control

24. 23 What is Internal Control? How it is defined impacts its design, exercise, and evaluation.

25. 24 Control (as defined by C OBI T ) The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.  Source: C OBI T Control Objectives, p. 12.

26. 25 IT Control Objective A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity

27. 26 Internal Control Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).

28. 27 CobiT Incorporates Key Internal Control Requirements ð Systemization ð Documentation ð Standards, defined expectations ð Measurement ð Appropriate risk assessment

29. 28 CobiT Incorporates Key Internal Control Requirements ð Well-defined operational and control objectives ð Appropriate controls ð Competent and trustworthy people ð Monitoring & evaluation

30. 29 CobiT Framework  Built on an understanding of the:  relationship of controls to control objectives,  importance of focusing on the relationship of control objectives to business objectives and business processes,  value of managed processes and resources tied to strategic initiatives.

31. 30 BUSINESS PROCESSES BUSINESS PROCESSES INFORMATION IT RESOURCES data application systems technology facilities people data application systems technology facilities people effectiveness efficiency confidentiality integrity Availability Compliance reliability effectiveness efficiency confidentiality integrity Availability Compliance reliability Information Criteria ? Do they match? Framework What you need What you get

32. 31 Framework’s Three Components  “Business Requirements” for Information  IT Resources  IT Processes

33. 32 Information Criteria -- The 1st Component  Effectiveness  Efficiency  Confidentiality  Integrity  Availability  Compliance  Reliability of Information

34. 33 IT Resources -- The 2nd Component  Data  Application Systems  Technology  Facilities  People

35. 34 Domains Processes Tasks & Activities Natural grouping of processes, often matching an organizational domain of responsibility A series of joined tasks & Activities with natural (control) breaks. Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete (4) (34) (318) Information Processes ( 3rd component )

36. 35 Planning/ Organization Acquisition / Implementation Delivery / Support Monitoring COBIT Domains: Information Processes (3rd Component)

37. 36 How do they relate ? IT Processes IT Resources IT Resources Business Requirements  Data  Information Systems  Technology  Facilities  Human Resources  Planning and organisation  Aquisition and implementation  Delivery and Support  Monitoring  Effectiveness  Efficiency  Confidenciality  Integrity  Availability  Compliance  Information Reliability

38. 37 IT Resource Management CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with type and quality, and security of information required to achieve organizational objectives.

39. The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process The control of which satisfy is enabled by considering IT Processes Business Requirements Control Statements Control Practices See Framework, p. 18. 56

40. 39 CobiT’s Control Objectives  Contains management control practices by high-level control objective within four categories, or domains, of the control objectives.  Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity.  Assists in establishing clear policy and good practices for IT control

41. 40 Planning and Organization  Strategy and tactical plans for IT  Identify ways that IT can best contribute to the achievement of business objectives  Plan, communicate, and manage the realization of the strategic vision  Establish the IT organization, and  Set the stage for managing information and the technology infrastructure

42. 41 Acquisition and Implementation Domain  IT solutions – Identified – Developed or acquired – Implemented – Integrated into the business processes  Change and maintain existing systems

43. 42 Delivery and Support Domain  Deliver required services  Ensure security and continuity of services  Set up support processes, including training  Process data (including “application” controls)

44. 43 Monitoring Domain  Regularly assess IT processes for – Quality – Appropriateness of controls – Compliance with control requirements  Addresses management oversight of organization’s control provisions  Provide for an audit function

45. 44 Relation to Other Control Models CobiT is in alignment with other control models: – COSO – COCO – Cadbury – King

46. 45 Reinforces Control Responsibilities  Management -- has primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.  Users -- exercise and monitor controls.  Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.

47. 46 As a control model, CobiT should be As a control model, CobiT should be tailored to agency, IT platform, and system standards and system standards Use CobiT as the Structure to which you link agency-specific operational and control requirements, policies, and standards

49. 48 CobiT as an Organizational Tool  Provides framework and benchmarks for IT planning and management  Identification of primary IT processes (by broad management-oriented Domains)  Assists in establishing responsibilities and points of accountability  Assists in clarifying the roles of management, business process owners, IT and Audit

50. 49 CobiT As An Control Evaluation Tool “To review controls over functional areas” – “Which functional area?” – “Which systems are involved?” – “What IT processes are involved?” – “What are the operational objectives and risks?” – “What are the control objectives?”

51. 50 Using CobiT in Evaluating IT Controls ð Selecting areas or control objectives for evaluation ð Determining type of evaluation ð Engagement/assessment planning ð Framing scope and evaluation objectives to CobiT ð Development of control assessment approach

52. 51 Use of CobiT to Plan Control Evaluations  Assessing the control environment and identifying high risk processes  Conducting a high-level and detailed policy and procedures review  Performing a control review  Using CobiT-related matrices

53. 52 Using CobiT Matrices to Focus on:  IT Functions – Their importance? – Level of performance? – Control documentation?  Responsible Parties of IT – Performed by? – Contracted services? – Primary responsible party?  Risk Assessment – Importance, level of risk, control documentation

54. 53 RISK ASSESSMENT FORM

55. 54 RESPONSIBLE PARTY FORM

56. 55 CobiT Helps Identify Key Risks to the Organization è Unaware of the risks è Poor understanding of CSFs è Absence of KPIs è No “scorecard” or basis of measurement è Absence of monitoring and evaluation è Weak IT control environment

57. 56 CobiT helps senior management, business process owners, and IT gain increased benefit from independent examiners

58. 57 Audit Insight: Overview of Audit Planning  Auditee selection (may be CobiT driven)  Entrance Conference and on-site preaudit information gathering (CobiT)  Develop proposed scope and audit objectives (CobiT-framed)  Finalize audit work program (CobiT- framed)  Engagement conference (reference CobiT as criteria) and audit (CobiT as review criteria)

59. 58 Pre-Audit Planning  Who are they? ( type of agency, enabling legislation )  What do they do? ( mission, business objectives )  How do they plan to do it? ( strategy/plan )  How do they do it? ( functions, processes )  With what resources? ( IT, operational resources, management & staff, raw materials, etc.)  By what rules? ( policies, standards, legal and regulatory requirements )  Under what risks? ( risk analysis )

60. 59 Pre-Audit Planning  Who does it? ( internal & external players, their roles and responsibilities )  Who knows what is done? ( reporting lines, designated points of accountability )  How do they known it is done right? ( measurement registers, assurance mechanisms, evaluations, score cards, etc. )  Where are they? ( centralized or distributed )

61. 60 Audit Guidelines  They are evaluation guidelines.  Generic guideline identifies various tasks to be performed in assessing ANY control objective within a process. This generic guideline extracted all repetitive tasks into one -- to be performed for all control objectives.  34 others are specific process-oriented task suggestions to provide management assurance that a control objective is being addressed.

62. 61 Obtaining an understanding of business requirements, related risks, and relevant control measures Evaluating the appropriateness of stated controls Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously. Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The IT process is therefore audited by:

63. 62 Task/Activity Monitoring & Evaluation Task or Activity Responsibility to: Monitored by: Evaluated by: Control task Establish a Function or procedure Initially & Upon Changes Periodic At least annual Control activity On-going Function or activity On-going With reporting Periodic To On-going

64. 63 Organization & Management Review è Clarity and appropriateness of responsibility definitions è assignment of responsibilities è points of accountability è reporting of actions taken and activities è mechanisms to monitor and evaluate adequacy of exercise of responsibilities

65. 64 Using Cobit to Address Third-Party Providers of IT-Related Services è Determine whether desired processes are in place and establish accountability è Agree on levels of control è Use CobiT to help design service contracts by identifying deliverables and responsibilities è Use CobiT for ongoing monitoring and evaluation of providers and partners

66. 65 Using the Management Guidelines

67. 66  Are they doing the right things?  Are they doing it the right way?  Are they being done well?  Are we getting benefits? What IT Problem? IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives. What does the agency do?  Cascading strategy and goals  Organizational alignment  A control framework  Balanced Business Scorecard How does management react?

68. 67 u Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives. u Promotes process focus and process ownership u Divides IT into 34 processes belonging to four domains u Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT u Effectiveness u Efficiency u Availability, u Integrity u Confidentiality u Reliability u Compliance. u Planning u Acquiring & Implementing u Delivery & Support u Monitoring CobiT : An IT control framework

69. 68 l “Due diligence” l IT is strategic to the business l IT is critical to the business l Expectations and reality don’t match l IT involves huge investments and large risks Why governance?

70. 69 If so, wouldn’t you want to know whether your information technology organization is:  Likely to achieve its objectives?  Resilient enough to learn and adapt?  Judiciously managing the risks it faces?  Appropriately recognizing opportunities and acting upon them? IT is strategic to most businesses

71. 70 Generic and action oriented For the purpose of IT Control profiling - what’s important? Awareness - where’s the risk? Benchmarking - what do others do? Supporting decision making and follow up Key performance indicators of IT processes Critical success factors of controls Control implementation choices Management Guidelines

72. 71 Management Guidelines Critical Success Factors l the most important things to do to increase the probability of success of the process l observable - usually measurable - characteristics of the organisation and process l are either strategic, technological, organizational or procedural in nature l focus on obtaining, maintaining and leveraging capability and skills l expressed in terms of the IT process, not necessarily the business

73. 72 Management Guidelines Key Goal Indicators l describe the outcome of the process and are therefore a ‘lag’ indicator, i.e., measurable after the fact l Are an indicator of the success of the process but may also be expressed in terms of the business contribution if that contribution is specific to the IT process l represent the process goal, i.e., a measure of “what”, a target to achieve l may also describe a measure of the impact of not reaching the process goal l KGIs are IT oriented but are also business driven l Are expressed in precise measurable terms wherever possible

74. 73 Management Guidelines Key Performance Indicators l are a measure of “how well” the process is performing l predict the probability of success or failure in the future, i.e. KPIs are ‘LEAD’ indicators l are process oriented but IT driven l focus on the process and learning dimensions of the balanced scorecard l are expressed in precise measurable terms l should help in improving the IT process

75. 74 Maturity Models Refer to business requirements and control capabilities at different levels Are scales that lend themselves to pragmatic comparison Are scales where the difference can be made measurable in an easy manner Are recognizable as a “profile” of the enterprise in relation to IT governance and control Assist in determining As-Is and To-Be positions relative to IT governance and control maturity Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level

76. 75 012345 Non- Existent InitialRepeatableDefinedManagedOptimised Enterprise current status International standard guidelines Industry best practice Enterprise strategy Legend for symbols usedLegend for rankings used 0 - Management processes are not applied at all 1 - Processes are ad hoc and disorganised 2 - Processes follow a regular pattern 3 - Processes are documented and communicated 4 - Processes are monitored and measured 5 - Best practices are followed and automated Start from a Maturity Model

77. 76 Generic Maturity Model - Dimensions l Understanding and awareness l Training and communications l Process and practices l Techniques and automation l Compliance l Expertise

78. 77 Generic Maturity Model - Dimensions

79. 78 Objectives  understand the issues and the strategic importance of IT  ensure that the enterprise can sustain its operations and  ascertain it can implement the strategies required to extend its activities into the future Goal  ensuring that expectations for IT are met and IT risks are mitigated Position  within broad governance arrangements that cover relationships among the entity's management and its governing body, its owners and its other stakeholders and providing the structure through which: 4 the entity's overall objectives are set 4 the method of attaining those objectives is outlined 4 the manner is which performance will be monitored is described IT governance summarized

80. 79 CobiT Recognizes  IT is an integral part of the organization  IT governance is an integral part of corporate governance  Focus on control objectives can strengthen appropriateness and use of internal controls  Measurement is crucial to internal control  Monitoring and evaluation are integral to a system of internal control

81. 80 Benefits of CobiT  Supports IT governance objectives.  Helps ensure that IT processes are defined and assigned.  Helps to focus on control objectives.  Leads to more cost-effective IT services.  Helps management to better utilize internal and external auditors  Provides benchmarks for best practices for IT management and IT control

82. 81 Benefits of CobiT  Helps ensure the organization complies with applicable rules, regulations and contractual obligations.  Opportunity for complementary adoption of COSO and CobiT (or other control models).  Authoritative nature of Cobit encompassing adoption of well-recognized and established standards for IT control.

83. 82 Benefits of CobiT  Strengthens assessment, understanding and exercise of appropriate internal controls.  Provides a good framework for risk assessment and risk management.  Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.  Helps auditors and control professionals to be proactive business advisors.

84. 83 Benefits of CobiT  Provides a framework for ensuring that outsourced IT functions are addressed in third- party contracts.  Helps to strengthen the relationship between IT Services and the user community through improved SLAs.  Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.

85. 84 Benefits of CobiT Helps to provide reasonable assurance that: – IT process objectives are understood – IT risks have been identified – Appropriate controls have been implemented – Appropriate monitoring and evaluation processes in effect – IT process objectives and can be achieved.

86. 85 CobiT  Strengthens the understanding, design, implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives  Strengthens management’s efforts to “ensure” and Audit’s efforts to provide “assurance”

87. 86 A Tip regarding CobiT  CobiT is generic - adapt it to your organization in cooperation with the business-process owners! – Determine focus (quality, security, fiduciary) – Harmonize existing policies and procedures with CobiT – Determine control responsibilities – Identify key performance indicators and critical success factors

88. 87 Another Tip or Two  Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework  Start with CobiT’s Control Objectives Framework and progress to the Management Guidelines.  Build the mechanisms to provide assurance that control objectives are being addressed and that controls are working as intended

89. 88 CobiT For additional information: www.isaca.org www.ITgovernance.org or email or give me a call at (617) 727-6200 ext 135

90. Go Forth and C OBI T ize Thank You 89