Presentation transcript: "CobiT Update" (NSAA IT Conference, Richmond, VA, John W. Beveridge)

Slide 1: CobiT Update
NSAA IT Conference, Richmond, VA
John W. Beveridge
September 27, 2007
Slide 2: John Beveridge, CISA, CISM, CGFM, CFE, CQA
- Deputy State Auditor, Commonwealth of Massachusetts
- Adjunct faculty at Bentley College
- Co-Chair of Commonwealth's Enterprise Security Board
- Member of Information Systems Auditing Standards Board and Assurance Board
- Member of CobiT Steering Committee
- International President of ISACA/F
- Served as member of IT Commission, Governor's Commission on Computer Crime, Governor's Commission on Computer Technology and Law, and Governor's Task Force on E-Commerce
Slide 3: What is CobiT?
- Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
- Structured and organized to provide a powerful control model and evaluative tool.
Slide 4: CobiT's Scope
- Focuses on information having integrity, being secure, and available.
- Management-oriented
- Supports corporate and IT governance
- Process-oriented
- Controls-based
- Measurement-driven
- Based on a strong foundation and sound principles of internal control
Slide 5: COBIT
- Promotes an improved focus on business information requirements
- Helps ensure that IT processes are defined and that responsibilities are assigned
- Supports management's efforts to demonstrate due diligence
- Serves as excellent criteria for evaluation
- Strengthens the understanding, design, implementation, exercise, and evaluation of internal control
Slide 6: Focus on Information and IT Management
- "Right" information, to only the "right" party, in the "right" format, at the "right" time, at the "right" cost.
- Information that is relevant, reliable, secure, and available.
- Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
Slide 7: Who is COBIT aimed at?
Those individuals who are interested in and responsible for the management and evaluation of information technology:
- Management
- IT & Business Users
- Auditors / Advisors
- Academics & Students of Management and IT
- Legislators, Regulators, Oversight Bodies
- Vendors
Notes: This summarises the different types of audience.
Slide 8: CobiT was Driven from Recognition of
- Need for better operational controls
- Importance of technology
- Risks associated with an ever changing technology environment
- Demand for recognizable value
- Need to hold senior management accountable and strengthen governance
Slide 9: The Challenge of Managing IT
- Achieving sufficient value from IT to support the entity's mission within a complex, vulnerable and ever changing environment
- Adequately managing risk with increasing IT dependence
- Effectively dealing with the scale and cost of current and future IT investments
- Protecting operations and IT resources against increasing vulnerabilities and a wide spectrum of threats
Slide 10: The Challenge of Managing IT
- Being able to adequately track and measure IT performance in support of business objectives
- Obtaining adequate assurance for the integrity, security and availability of IT systems
- Being able to demonstrate due diligence in meeting IT governance objectives
Slide 11: Criticality of Managing IT
- Today, we are no longer just automating an established business process.
- Instead, we are using technology to expand business process capabilities and management decision making: it is about IT-enabled change.
- Poorly-managed IT places the integrity, security, and availability of data and systems at risk and increases the likelihood of unrealized benefit.
Slide 12: Management Issues
- Difficulty of obtaining adequate assurance that operational and control objectives are being addressed and will be met
- Not being sufficiently aware of the impact of technology on control assessment
- Not knowing who is really responsible for system integrity, security, and availability
- Having cluttered or diffused points of accountability for IT processes across the organization
Slide 13: Management Issues
- Not recognizing that we often manage IT as if it were separate from the enterprise when in fact it is highly integrated with business operations
- Uncoordinated strategic planning between business and IT operations
- Outsourcing without adequate monitoring and evaluation
Slide 14: Management Issues
- There are a whole host of folks who pose a real danger to IT systems
- Meeting privacy requirements
- Failing to meet regulatory or legal requirements
- Having a false sense of security
- Achieving adequate value to support the entity's mission
Slide 15: Management Questions
- Is IT well managed?
- Is IT properly controlled?
- Are we doing the right things?
- Are we doing them the best way?
- Are they being done well?
- Are we achieving desired benefits?
- Do we exercise and can we demonstrate due diligence?
- Are the information technology drivers in sync with the agency's mandates and business goals?
Slide 16: Management Questions
- How do responsible managers keep the ship on course? ... keep it afloat?
- How do we achieve satisfactory results for our citizens and stakeholders?
- How do we adapt in a timely manner to "best practices" for our organization's environment?
Slide 17: Assessing the Entity's Ability
- To establish and maintain course and stay afloat: strategic and tactical planning, monitoring and evaluation (dashboards with indicators); disaster recovery and BCP to keep it afloat
- To achieve satisfactory results for our customers and stakeholders: measurement processes, balanced scorecard, etc.
- To adapt in a timely manner to "best practices" for our organization's environment: benchmarking, CMM comparisons
Slide 18: IT Value
- How do we manage to achieve acceptable IT value?
- What policies, practices and assurance mechanisms do we apply to the "right" resources to achieve value?
- What guidance is there to assist management in understanding IT processes and how to achieve IT process results?
- What standards should be applied to our IT environment?
- How do we address governance?
Slide 19: Need for IT Governance Control Framework
- Many organizations recognize the potential benefits of technology
- The successful organizations:
  - Understand that IT is more than an enabler
  - Understand and manage the risks associated with implementing new technologies
  - Keep a keen eye on the mission and goals, and
  - Know where they are through measured progress and monitoring and evaluation
Slide 20: The Need for IT Governance
[Diagram of management challenges: Security; Keeping IT Running; Aligning IT with Business; Managing Complexity; Regulatory Compliance; Value/Cost]
- Organizations require a structured approach for managing these and other challenges.
- Need to ensure that IT objectives are agreed to, good management controls are in place, and there is effective monitoring of performance to keep on track and avoid unexpected outcomes.
Notes: Explain that there are many management challenges relating to the use of IT. The slide identifies some examples (the same as in the COBIT® Foundation Course). To manage this range of issues, a sound management approach is needed. The goals include agreed and aligned objectives for IT, effective controls, and effective tracking of performance. These are the main drivers for IT governance.
Slide 21: Need for IT Governance Control Framework
CobiT underscores the importance of recognizing that:
- Optimizing value, safeguarding, and ensuring the availability of technology is an entity or senior management issue, not just an IT management issue
- Business and IT goals depend on our understanding of how to dynamically apply IT, measure results, and engage IT and business process management
- This requires understanding of what we want the technology to do, and how we are going to measure success
Slide 22: COBIT Provides a Framework for IT Governance
COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
COBIT:
- Starts from business requirements
- Is process-oriented, organizing IT activities into a generally accepted process model
- Identifies the major IT resources to be leveraged
- Defines the management control objectives to be considered
- Incorporates major international standards
- Has become the de facto standard for overall control of IT
Notes: This slide summarises the main attributes of the COBIT framework. IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
Slide 23: How Does COBIT View IT Governance?
- Consists of leadership, organizational structures, and processes that ensure that IT sustains and extends the enterprise's strategies and objectives
- IT governance is the responsibility of executives and the board of directors
Slide 24: IT Governance Objectives
- IT is aligned with the business and enables the business to maximize benefit
- IT resources are safeguarded and used in a responsible and ethical manner
- IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
Slide 25: IT Governance
- Integrates and institutionalizes good practices to ensure that IT supports the business objectives.
- Enables the enterprise to take advantage of its information and IT resources to maximize benefit and capitalize on opportunities.
Slide 26: COBIT IT Governance
- IT is aligned with the business
- IT enables the business and maximizes benefits
- IT resources are used responsibly
- IT risks are managed appropriately
Slide 27: IT Governance Focus Areas
- Strategic alignment
- Value delivery
- Resource management
- Risk management
- Performance measurement
Slide 28: IT Governance Focus Areas
- Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
- Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
Slide 29: IT Governance Focus Areas
- Resource Management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
- Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
Slide 30: IT Governance Focus Areas
- Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Slide 31: What Should Management Do?
- Inquire: ask the right questions
- Focus on IT's:
  - Alignment with the agency objectives
  - Value delivery
  - Risk management
- Adopt an IT governance framework
- Focus on important IT processes and core IT competencies
- Embed responsibilities for IT security and management in the organization
- Measure performance and results
Slide 32: To Manage and Control IT, COBIT Recommends:
- Employing fundamentals of IT governance
- Understanding strategic value of IT
- Understanding and managing associated risks
- Exercising appropriate frameworks of control
- Having mechanisms to provide adequate assurance that IT governance objectives are addressed
Slide 33: Agencies Need Assurance
- That information and systems can be relied upon
- That operations are adequately controlled
- That information has integrity, is protected, and will be available
- That due diligence and compliance with good business practices can be demonstrated.
CobiT provides the control criteria and evaluation methodology.
Slide 34: CobiT is an Authoritative Source
- Built on a sound framework of control and IT-related control practices.
- Aligned with de jure and de facto standards and regulations.
- Subject to extensive review and exposure.
- Aligned with control models, standards and best practices for IT management.
Slide 35: COBIT's View of the Definition of Control
Why control information systems? The answer lies in the realm of what the business wants:
- to accomplish, and
- to avoid.
It therefore falls to the spectrum of:
- objectives, and
- risks.
Slide 36: COBIT's View of the Definition of Control
The Objectives and Risks become Value Drivers and Risk Drivers in COBIT.
Slide 37: Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Slide 38: Control (as defined by COBIT)
[Diagram: control serves "To Achieve Business Objectives" and "To Avoid Risks, Threats and Exposures"]
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
Slide 39: CobiT promotes a healthy understanding about "reasonable assurance" and "residual risk"
Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control.
Slide 41: Relation to Other Control Models
CobiT is in alignment with other control models:
- COSO
- COCO
- Cadbury
- King
Slide 42: COBIT and Other IT Management Frameworks
Organizations will consider and use a variety of IT models, standards and best practices. They must be understood to consider how they can be used together, with COBIT acting as the consolidator ('umbrella').
[Diagram: COSO, COBIT, ISO 17799, ISO 9000 and ITIL positioned on a WHAT-to-HOW axis against scope of coverage]
Notes: It is normal for COBIT to be used in conjunction with other good practices, standards and in-house developed guidance. COBIT can act like an umbrella providing the framework for everything else.
Slide 43: Business Requirements for Information Criteria: COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives. For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube:
- Business Requirements for Information Criteria
- IT Resources
- IT Processes
Slide 44: COBIT: Premise
The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
[Diagram: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives]
Notes: The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.
Slide 45: IT Resource Management
CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with the type and quality of information required to achieve organizational objectives.
Slide 46: COBIT
COBIT is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.
Slide 48: CobiT
- Addresses key attributes of information produced by IT.
- Links recommended control practices for IT to business and control objectives.
- Provides guidance in implementing and evaluating the appropriateness of IT-related management control practices.
Slide 50: How is CobiT Focused?
- IT Governance: better coverage with governance practices
- Business requirements: better business to IT linkages with cascading goals and supporting metrics
- Harmonization: improved integration with key practices
- Value Creation: extended focus on IT investment
- Enterprise architecture: process structure and resources
- Process definitions and process flows: improved descriptions, activities, inputs and outputs
- Language and presentation: more concise in presentation, action-oriented; control model and management guidelines are consolidated into one document
Slide 51: What are the key COBIT Documents?
- Control Objectives define what needs to be done to implement an effective control structure to improve IT performance and address IT solutions and service delivery risks.
- Control Practices provide guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective.
- IT Assurance Guide provides guidance for the assurance team with a structured assurance approach linked to the COBIT framework that is understandable for business and IT professionals.
Slide 52: COBIT and Related Products
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks.
- Board Briefing on IT Governance: to help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it
- Information Security Governance: to help overcome these barriers by explaining information security in business terms. It comes complete with tools and techniques to help managers uncover security-related problems
- IT Governance Implementation Guide: provides a generic road map for implementing IT governance using the COBIT and Val IT resources
- Control Practices: provide guidance on why the control objectives are worth implementing and how to implement them
- IT Assurance Guide: provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives
Slide 53: COBIT and Related Products
- COBIT Quickstart: a summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly.
- COBIT Security Baseline (available 3rd quarter 2007): focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations.
- Val IT: provides guidance for managing an organization's portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments.
- IT Control Objectives for Sarbanes-Oxley: provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting.
- Aligning COBIT, ITIL and ISO 17799: explains to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier.
- COBIT Mapping Series: an overview and various mappings of COBIT to other international guidance, such as CMM and ISO 17799, have been published by ITGI.
Slide 56: [Diagram of COBIT components: Framework; Control Objectives; Management Guidelines; Maturity Models]
Slide 57: COBIT Objectives - IT Governance Topics
- Focus on IT Alignment by linking Information Criteria, IT Resources and IT Goals to Business Goals
- Focus on Value Delivery by using value-oriented IT goals to focus on the IT processes that are critical to deliver effectively
- Focus on Risk Management by using risk-oriented IT goals to focus on the IT processes that are needed to manage risk
- Focus on Resource Management by using Maturity Models to ensure there is a capability to deliver
- Focus on Performance Management by using metrics and scorecards to ensure plans are on track and deviations are identified and corrected
Notes: CobiT focuses on 5 key areas which we will see during this course are the main elements of IT Governance as well as the issues all commentators and analysts agree are key to IT success. Read through each bullet to reinforce each one, saying these will become clearer as we progress through the two days.
Slide 59: Concise Control Objectives (CobiT 4.1 compared with CobiT 4.0)

PO1.2 Business-IT Alignment
- CobiT 4.1: Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
- CobiT 4.0: Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.

PO5.1 Financial Management Framework
- CobiT 4.1: Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT enabled investments, business cases and IT budgets.
- CobiT 4.0: Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmes, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes.
Slide 63: COBIT Framework
- Documents relationships among information criteria, IT resources, and IT processes
- Links control objectives and control practices to business processes and business objectives
- Assists in confirming that appropriate IT processes (and practices) are in place
- Facilitates evaluation and assurance methods
Slide 64: Information Criteria (the 1st Component)
- Effectiveness
- Efficiency
- Confidentiality
- Integrity
- Availability
- Compliance
- Reliability
Slide 65: IT Resources (the 2nd Component)
- Application Systems
- Information
- Infrastructure
- People
Slide 66: IT Process Domains (the 3rd Component)
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
Slide 67: COBIT Process Model
- Subdivides IT into four domains
- 34 processes in line with the domains
- Responsibility areas of plan, build, run and monitor, providing an end-to-end
- Enterprise architecture concepts help identify the resources essential for process success
Slide 69: COBIT Domains: Information Processes (3rd Component)
[Diagram: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate, connected by feedback loops between the domains]
Slide 70: COBIT Framework
Basic COBIT Principle: To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes in order to provide the services that deliver the required enterprise information.
Slide 71: CobiT Framework
Helps one understand the:
- relationship of controls to control objectives,
- importance of focusing on control objectives and their relationship to the business organization and its business processes, and
- value of managed processes and resources to attain data integrity, security and availability.
Slide 73: CobiT is Business-focused
- Business orientation is the main theme of COBIT.
- Designed to be used by IT service providers, users and auditors, and to also provide comprehensive guidance for management and business process owners.
Slide 74: Business Orientation of COBIT
- Links business goals to IT goals
- Provides metrics and maturity models to measure their achievement
- Identifies the associated responsibilities of business and IT process owners.
Slide 75: Business Goals
Financial Perspective:
- Expand market share
- Increase revenue
- Return on Investment
- Optimize asset utilization
- Manage business risks
Customer Perspective:
- Improve customer orientation and service
- Offer competitive products and service
- Service availability
- Agility in responding to changing business requirements
- Cost optimization of service delivery
Slide 76: Business Goals
Internal Perspective:
- Automate and integrate the business value chain
- Improve and maintain business process functionality
- Lower process costs
- Compliance with external laws and regulations
- Transparency
- Compliance with internal policies
- Improve and maintain operational and staff productivity
Learning and Growth Perspective:
- Product and business innovation
- Obtain reliable and useful information for strategic decision making
- Acquire and maintain skilled and motivated personnel
Slide 77: IT Goals
- Respond to business requirements in alignment with business strategy
- Respond to governance requirements in line with board direction
- Ensure the satisfaction of end users with service offerings and service levels
- Optimize the use of information
- Create IT agility
- Define how business function and control requirements are translated in effective and efficient automated solutions
- Acquire and maintain integrated and standardized application systems
- Acquire and maintain an integrated and standardized infrastructure
Slide 78: IT Goals
- Acquire and maintain IT skills that respond to the IT strategy
- Ensure mutual satisfaction of third-party relationships
- Seamlessly integrate applications and technology solutions into business processes
- Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels
- Ensure proper use and performance of the applications and technology solutions
- Account for and protect all IT assets
- Optimize the IT infrastructure, resources and capabilities
- Reduce solution and service delivery defects and rework
- Protect the achievement of IT objectives
- Establish clarity of business impact of risks to IT objectives and resources
Slide 79: IT Goals
- Ensure critical and confidential information is withheld from those who should not have access to it
- Ensure automated business transactions and information exchanges can be trusted
- Ensure IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster
- Ensure minimum business impact in the event of an IT service disruption or change
- Make sure that IT services are available as required
- Improve IT's cost-efficiency and its contribution to business profitability
- Deliver projects on time and on budget, meeting quality standards
- Maintain the integrity of information and processing infrastructure
- Ensure IT compliance with laws and regulations
- Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change
Slide 81: Linking Business Goals to IT Goals
An example: the business goal of increasing revenue is linked to IT goals numbers 25 and 28, which are:
- "Deliver projects on time and on budget meeting quality standards" and
- "Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change"
Slide 83: Linking IT Goals to IT Processes
Example of linking IT goals to IT processes: the IT goal of optimizing the use of information is linked to IT processes PO2 and DS11 (information architecture and managing data).
Slide 85: The WATERFALL Navigation Aid: High-Level Control Objectives for Each Process
[Diagram of the high-level control objective waterfall: the control of (IT Processes) which satisfy (Business Requirements), focusing on (Control Statements), is achieved by (Practices) and is measured by (User satisfaction)]
Slide 87: "RACI" Chart
- Identifies who is Responsible, Accountable, Consulted and/or Informed
- Addresses considerations for points of accountability
- Addresses issues of communication and desired input (who would be consulted)
- Rather than titles, think of positions in terms of roles
- Depending on the size of the organization or the IT function, several roles may be combined
Slide 88: Primary Inputs and Outputs
- CobiT identifies from where primary inputs are obtained for each process
- The inputs are identified, along with where they came from
- Also identifies to which IT processes the process provides output
- The outputs (from the process) are identified, along with where they would be directed
Slide 90: Metrics
Performance measurement is essential for IT governance. It requires setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).
Slide 91: Metrics
- Activity Goals tell us how well the process is performing; measured by KPIs
- Process Goals tell us what IT must deliver; measured by Key Goal Indicators
- IT Goals tell us what we expect from IT; measured by Key Goal Indicators
Slide 95: Use of Maturity Models
- The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.
- Enables gaps in capability to be identified and demonstrated to management.
- Action plans can then be developed.
Slide 97: [Diagram relating Control Practices, Control Objectives, Value Drivers and Risk Drivers]
Slide 98: Control Design
- Necessary and sufficient steps
- Roles & responsibilities
- Characteristics:
  - Generic and specific practices
  - Active and passive
  - Inputs, outputs, activities
Slide 99: IT Control Practices
- Provide guidance on risks to be avoided and value to be gained
- Provide detailed guidance on specific controls needed to address high-level and detailed control objectives
- Provide guidance on how, why and what to implement to improve IT performance
- Include key elements of value and risk statements and control practices
Slide 100: IT Control Practices
- Describing the different necessary and sufficient steps to achieve a control objective
- Action-oriented, enabling timely execution, and measurable
- Relevant to the purpose of the control objective
- Supporting clear roles and responsibility, including segregation
Slide 101: Control Practices Characteristics
- The benefits listed under 'why do it' are tangible and motivate to implement controls
- The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective
- Control practices listed are generally accepted as good business practice
- Control practices suggest sustainable solutions
- The control practices are effective in addressing the risk linked to not achieving the detailed control objective
- The control practices suggest efficient solutions
- The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation
- The control practices are realistic
Notes: Control Practices go to the next level down and are a guide for implementation, explaining how to address each objective and providing practical considerations. But they are not specific solutions and are therefore generic. Note that during 2003 not all of these are available as they are under development.
Slide 102: IT Assurance Guide
- Need for IT Governance and Assurance
- The CobiT Framework
- IT Assurance Approaches
- How CobiT Supports IT Assurance Activities
Slide 103: Approach: IT Assurance Steps
- Testing of a control approach covering 4 assurance objectives:
  - Existence
  - Design effectiveness
  - Operating effectiveness (implemented, consistent application and proper use)
  - Design and operating efficiency (cost/benefit and possible use of automation)
- Providing 3 types of assurance guidance:
  - Testing the suggested control design
  - Testing control objective achievement
  - Documenting impact of control weaknesses
104 Approach: IT Assurance Steps
Tests based on a documented taxonomy of relevant assurance methods:
Enquire and confirm (via a different source)
Inspect (walk-through, search, compare, review)
Observe (confirmation is inherent)
Re-perform or re-calculate and analyze (often based on a sample)
Automated evidence collection (sample, trace, extract) and analyze
109 CobiT provides the basis for IT Governance
CobiT IT Processes and Maturity Models focus on IT capability
CobiT links business goals to IT goals
Diagram labels: Set Objectives; Provide Direction; IT Activities; Measure Performance; Compare
IT Activities: Increase automation (make the business effective); Decrease cost (make the enterprise efficient); Manage risks (security, reliability and compliance)
Objectives: IT is aligned with the business; IT enables the business and maximizes benefits; IT resources are used responsibly; IT-related risks are managed appropriately
This diagram, which is taken from the Management Guidelines book, describes one of the basic principles of IT Governance. Objectives have to be clear and well understood. Management should direct activities to meet these objectives and regularly measure and compare to detect variances that can then be corrected.
The diagram shows how the various elements of CobiT support these stages; the working of a central heating thermostat is an example of the same feedback loop.
The CobiT Framework provides a common understanding of IT's role; CobiT KGIs and KPIs enable measurement.
110 Using CobiT
From an organizational perspective, entities should use control models such as COSO and CobiT, along with generally accepted control practices, to build and exercise appropriate controls to help manage their entities.
111 Strong Basis for Policy Development
Use CobiT as a basis to develop or strengthen policies and control practices
Compare existing policies and standard procedures against CobiT
Conduct high-level and detailed policy reviews
112 Using CobiT Matrices to Focus on:
IT Functions: their importance? level of performance? control documentation?
Responsible Parties of IT: performed by? contracted services? primary responsible party?
Risk Assessment: importance, level of risk, control documentation?
113 CobiT's Evaluation Focus
What is most critical to the business?
What are the CSFs?
What are the risks and threats?
How robust and appropriate does the internal control structure appear?
What are management's concerns?
114 Risks to the Entity?
Unaware of the risks
Poor understanding of CSFs
Absence of KPIs
No "scorecard" or basis of measurement
Absence of monitoring and evaluation
Weak IT control environment
Unknown loss of data or system integrity
115 COBIT Focuses on a Risk-Based Approach
Focuses on the entity from a management perspective
Emphasis on knowledge of the business and the technology
Focus on assessing the effectiveness of a "combination" of controls
Linkage between risk assessment and testing, focusing on control objectives
116 To Address Outsourced Services
Determine whether desired processes are in place and establish accountability
Agree on levels of control, measurement and evaluation
Use CobiT to help design service contracts by identifying deliverables and responsibilities
Use CobiT for ongoing monitoring and evaluation of providers and partners
117 Recap: CobiT Recognizes
IT is an integral part of the organization
IT governance is an integral part of corporate governance
Focus on control objectives can strengthen the appropriateness and use of internal controls
Measurement is crucial to internal control
Monitoring and evaluation are integral to a system of internal control
120 CobiT Control Practices: COBIT Content Diagram
Diagram elements: CobiT and Val IT frameworks; IT Governance Implementation Guide, 2nd Edition; IT Assurance Guide; Control Objectives; CobiT Control Practices, 2nd Edition; Key Management Practices
121 CobiT Update: Thank You
Freely downloadable from: www.isaca.org
For questions and assistance: John W. Beveridge, x 135
Best to me at: