Part 2

AUDIT GUIDELINES

Audit Guidelines -- 226 pages
– 1 Generic Guideline and 34 Process-Oriented Guidelines
A generic guideline identifies the tasks to be performed in assessing ANY control objective within a process. This generic guideline extracts all repetitive tasks into one guideline, to be performed for all control objectives. The others are process-specific task suggestions to provide management assurance that a control is in place and is working.
Audit Guidelines
– The purpose of the audit guidelines is to provide a simple structure for auditing controls
– Audit guidelines are generic and high-level in structure
– Although intended as a guide for auditing high-level control objectives, CobiT can assist overall audit planning
– Enables the auditor to review processes against control objectives

CobiT supports the generally accepted structure of the audit process:
– Identification and documentation
– Evaluation
– Compliance testing, and
– Substantive testing
The IT process is therefore audited by:
– Obtaining an understanding of business requirements, related risks, and relevant control measures
– Evaluating the appropriateness of stated controls
– Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
– Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources
GENERIC AUDIT GUIDELINE: OBTAINING AN UNDERSTANDING
The audit steps to be performed to document the activities underlying the control objectives and to identify the stated control measures/procedures in place.
– Interview appropriate management and staff to gain an understanding of:
  * Business requirements and associated risks
  * Organisation structure
  * Roles and responsibilities
  * Policies and procedures
  * Laws, regulations and contractual obligations
  * Control measures in place
  * Management reporting (status, performance, action items)
– Document the process-related IT resources particularly affected by the process under review.
– Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk-through).
GENERIC AUDIT GUIDELINE: EVALUATING THE CONTROLS
The audit steps to be performed in assessing the effectiveness of the control measures in place, or the degree to which the control objective is achieved. Basically, deciding what, whether and how to test.
– Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures, and applying professional judgment:
  * Documented processes exist
  * Appropriate deliverables exist
  * Responsibility and accountability are clear and effective
  * Compensating controls exist, where necessary
– Conclude on the degree to which the control objective is met.
GENERIC AUDIT GUIDELINE: ASSESSING COMPLIANCE
The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.
– Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review.
– Perform a limited review of the adequacy of the process deliverables.
– Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
GENERIC AUDIT GUIDELINE: SUBSTANTIATING THE RISK
The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.
– Document the control weaknesses and the resulting threats and vulnerabilities.
– Identify and document the actual and potential impact (e.g., through root-cause analysis).
– Provide comparative information (e.g., through benchmarks).
Audit Guidelines are GUIDELINES
They are a starting point for identifying control tasks and activities associated with particular control objectives. To plan and conduct the audit, an auditor must add knowledge about the business, risk analysis, and controls; perform adequate audit procedures; and draw conclusions from the results of the audit procedures.
Using CobiT to Develop an Audit Program
– Start with the Control Objectives to refresh the purpose of the control objective and the recommended IT control practices
– Use the Audit Guidelines’ generic audit guideline as a starting point
– Use the selected process-oriented audit guidelines to refine the audit work program
– Select appropriate portions of the Audit Guidelines in sync with the selected detailed control objectives (selected control tasks and activities)

Using CobiT to Review an Audit Program
– Use the Audit Guidelines as a benchmark against which to compare the existing audit program
– Use the Control Objectives’ high-level control objectives to review audit objectives, and the detailed control objectives to review criteria identification
– Use the generic and process-oriented audit guidelines to review the audit process and procedures
Adopting CobiT
– Start by identifying the “need” for use, and how it might be used
– Focus on the benefits to be derived from using CobiT
– Assess the acceptance and implementation capabilities
– Assign priority among multiple uses
– Identify one or more champions

Adopting CobiT
For those responsible for systems and those who audit systems, the value lies in having an organized IT control model that links management control practices to control objectives, and in turn to business objectives.
From a management perspective:
  – management and IT policy makers such as the CEO, CIO, VP of IT
  – IT steering committee
  – business process owners and users
From an audit perspective:
  – evaluators and internal/external auditors

Factors to Consider
– Dimension and depth of the IT environment
– Organizational structure of IT services
– Level of internal and outsourced IT functions
– Relationships among IT, IS Audit, business process owners, and management
– Management philosophy regarding control and audit
– Extent of business process reengineering
– Level of consensus needed
Benefits of CobiT
– Supports IT governance objectives.
– Helps ensure that IT processes are defined and assigned.
– Helps to ensure that there is focus on control objectives.
– Leads to more cost-effective IT services.

Benefits of CobiT
Helps to provide reasonable assurance that:
  – IT process objectives are understood
  – IT risks have been identified
  – Appropriate controls have been implemented
  – Appropriate monitoring and evaluation processes are in effect
  – IT process objectives can be achieved.

Benefits of CobiT
– Helps to ensure that the organization complies with applicable rules, regulations and contractual obligations.
– Opportunity for complementary adoption of COSO and CobiT (or other control models).
– Authoritative nature of CobiT, encompassing adoption of well-recognized and established standards for IT control.

Benefits of CobiT
– Strengthens assessment, understanding and exercise of appropriate internal controls.
– Provides a good framework for risk assessment and risk management.
– Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.

Benefits of CobiT
– Provides a framework for ensuring that outsourced IT functions are addressed in third-party contracts.
– Helps to strengthen the relationship between IS Services and the user community through improved SLAs.
– Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.
USING COBIT
– Organizational Tool
– Audit Planning and Support Tool
– IT Control Self Assessment Tool

CobiT as an Organizational Tool
– Provides a framework and benchmarks for IT planning and management
– Identification of primary IT processes (by broad management-oriented Domains)
– Assists in establishing responsibilities and points of accountability
– Assists in clarifying IT’s and Audit’s roles

CobiT As An Audit Planning Tool
“To look at a functional area.”
  – “Which functional area?”
  – “What systems are involved?”
  – “What IT processes are involved?”
  – “What are the objectives and risks?”
  – “What are the control objectives?”

Using CobiT in Audit Planning
– IT audit shop planning --- audit engagement selection
– Determining the type of audit services
– Engagement planning
– Framing audit scope and audit objectives to CobiT
– Development of the audit approach
Audit Planning
– Adequate planning is a necessary first step in performing effective IT audits.
– Need to understand the general business environment as well as the associated business and control risks.
– Assess operational and control risks and identify control objectives during audit planning.

Use of CobiT during Audit Planning
– Assessing the control environment and identifying high-risk processes
– Conducting a high-level policy and procedures review
– Conducting a detailed review of policies and procedures against the entire control objectives document
– Using CobiT-related matrices

CobiT-related Matrices
Using CobiT Matrices to Focus on:
IT Functions
  – Their importance?
  – Level of performance?
  – Control documentation?
Responsible Parties of IT
  – Performed by?
  – Contracted services?
  – Primary responsible party?
Risk Assessment
  – Importance, level of risk, control documentation?

CobiT-Related Matrices
– Submit a matrix of processes to IT management to obtain assertions regarding:
  – Importance, performance and risk of each process
  – Self-assessment of how well control is being carried out for each process
– Have the review or audit team also independently rate its preliminary understanding of the importance, performance and risk of each process
– Use a matrix of the IT processes to be performed to identify who performs each process and who has final responsibility; this can be used to identify processes not performed by the “traditional” IT organization
ENTITY SHORT FORM

ENTITY LONG FORM

RISK ASSESSMENT FORM

Pre-Audit: Performance and Risk
Level of Performance | Function & Operation | Level of Risk
high                 | A/P                  | low
high                 | payroll              | low
medium               | IT processing        | high
etc.

Pre-Audit: Risk/Importance and Control Documentation
Risk/Importance | Function & Operation | Control Documentation
Low/medium      | A/P                  | yes
Low/high        | payroll              | none
High/medium     | IT processing        | partial
etc.

RESPONSIBLE PARTY FORM

Pre-Audit: Functions & Responsibilities
Function performed by | Function & Operation | Responsible Party (point of accountability)
internal              | A/P                  | Accounting
outsourced            | payroll              | Accounting
IT Dept               | IT processing        | VP of IT
etc.

CONTRACT SERVICE/SERVICE LEVEL AGREEMENT (SLA) FORM

PRIOR AUDIT WORK FORM
Matrix with CobiT’s 34 processes (PO1, PO2, … M4) as rows and audits (or audit entities) A, B, C, D, E, F, … as columns.
Cell codes: S = Pre-audit survey; A = Audit; R = Report (- Positive conclusion; - Finding)
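The pre-audit matrices and forms above (management's assertions on the importance, performance and risk of each process, its self-assessment of control, the audit team's independent preliminary rating, the control-documentation status and the responsible-party form) can be combined into a single audit-selection worksheet. The Python below is an added example written for this page; it is not part of the presentation nor of CobiT itself. The process ids are CobiT process ids, but every rating, weight, threshold and responsible party is constructed sample data, and the scoring rule (audit-team importance x risk, plus a documentation penalty, plus the size of the disagreement with management) is this example's own assumption.

```python
"""Pre-audit worksheet built from CobiT-style process matrices.

Added example: it combines management's self-assessment of each IT
process (importance, risk, how well control is carried out) with the
audit team's independent rating, the control-documentation status and
the responsible-party information, and ranks the processes for audit
selection. All rows, weights and thresholds are constructed sample
data; the scoring rule is an assumption of this example, not CobiT's.
"""
from dataclasses import dataclass

# Three-point scale used on the pre-audit performance/risk forms.
LEVELS = {"low": 1, "medium": 2, "high": 3}
# Penalty applied when control documentation is missing or incomplete.
DOC_PENALTY = {"yes": 0, "partial": 1, "none": 2}


@dataclass(frozen=True)
class ProcessRow:
    process: str                 # CobiT process id, e.g. "DS5"
    mgmt_importance: str         # management assertion: low/medium/high
    mgmt_risk: str               # management assertion: low/medium/high
    self_assessed_control: int   # management's 0-5 rating of its own control
    audit_importance: str        # audit team's preliminary rating
    audit_risk: str
    control_documentation: str   # yes / partial / none
    performed_by: str            # e.g. "IT Dept", "outsourced", "business unit"
    responsible_party: str       # point of accountability


def rating_gap(row: ProcessRow) -> int:
    """How far apart management and the audit team are, summed over
    importance and risk (0 = full agreement, 4 = maximal disagreement)."""
    return (abs(LEVELS[row.mgmt_importance] - LEVELS[row.audit_importance])
            + abs(LEVELS[row.mgmt_risk] - LEVELS[row.audit_risk]))


def priority_score(row: ProcessRow) -> int:
    """Audit-selection score (higher = audit sooner). Assumed weighting:
    audit-team importance x risk, plus a penalty for weak control
    documentation, plus the disagreement with management's assertions."""
    return (LEVELS[row.audit_importance] * LEVELS[row.audit_risk]
            + DOC_PENALTY[row.control_documentation]
            + rating_gap(row))


def rank_for_audit(rows):
    """Process ids ordered by descending score; ties broken by id."""
    ordered = sorted(rows, key=lambda r: (-priority_score(r), r.process))
    return [r.process for r in ordered]


def disagreements(rows, threshold=2):
    """Processes where management's view differs materially from the
    audit team's; these assertions should be challenged first."""
    return [r.process for r in rows if rating_gap(r) >= threshold]


def outside_traditional_it(rows):
    """Processes not performed by the IT department itself, which the
    responsible-party form is meant to surface."""
    return [r.process for r in rows if r.performed_by != "IT Dept"]


def weak_self_assessment(rows, min_level=3):
    """Processes where management itself rates its control below min_level."""
    return [r.process for r in rows if r.self_assessed_control < min_level]


# Constructed sample rows (not figures from the presentation).
SAMPLE_ROWS = [
    ProcessRow("DS5", "high", "medium", 4, "high", "high", "partial", "IT Dept", "VP of IT"),
    ProcessRow("DS4", "medium", "low", 3, "high", "high", "none", "IT Dept", "VP of IT"),
    ProcessRow("PO9", "medium", "medium", 2, "medium", "medium", "yes", "business unit", "CFO"),
    ProcessRow("DS1", "low", "low", 3, "low", "medium", "yes", "outsourced", "Accounting"),
]

if __name__ == "__main__":
    for pid in rank_for_audit(SAMPLE_ROWS):
        row = next(r for r in SAMPLE_ROWS if r.process == pid)
        print(f"{pid}: score={priority_score(row)} gap={rating_gap(row)} "
              f"doc={row.control_documentation} by={row.performed_by}")
    print("challenge assertions:", disagreements(SAMPLE_ROWS))
    print("outside traditional IT:", outside_traditional_it(SAMPLE_ROWS))
    print("weak self-assessment:", weak_self_assessment(SAMPLE_ROWS))
```

Run as a script, it prints the ranked list with the reasons behind each position. In the sample data DS4 rises to the top not because management rates it highly but because management's rating disagrees sharply with the audit team's and no control documentation exists, which is exactly the kind of process the matrices are meant to surface before scope is fixed.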
Use of CobiT in Audit Planning
Supports the objectives of AU.319, “Consideration of Internal Control in a Financial Statement Audit”, and risk-based audit planning.

Key Features of the Risk-Based Approach
– Focuses on the business from a management perspective
– Emphasis on knowledge of the business and the technology
– Focus on assessing the effectiveness of a “combination” of controls
– Linkage between risk assessment and testing, focusing on control objectives

Risk-Based Audit Planning
– What is most critical to the business?
– What are the CSFs?
– What are the risks and threats?
– How robust and appropriate does the internal control structure appear?
– What are management’s concerns?

Risks to the Business?
– Unaware of the risks
– Poor understanding of CSFs
– Absence of KPIs
– No “scorecard” or basis of measurement
– Absence of monitoring and evaluation
– Weak IT control environment
– Loss of data or system integrity

Control Risk Assessment
– Control risk assessed at maximum
  – address relevant audit objectives using substantive tests
  – perform all applicable substantive tests
– Control risk assessed at below maximum
  – identify control procedures that allow control risk to be assessed below maximum
  – design and perform tests of controls
  – identify reduced substantive tests
– Control risk assessed at low
  – perform tests of controls for application and IT controls
  – perform analytical procedures (reduced substantive testing)

Control Assessment Steps
– What is the control objective?
– Identify the type of control (application or general; primary or secondary; and preventive, detective, or corrective)
– What business objective is impacted?
– Is the stated control appropriate?
– How many components are used to execute the control, and how many subsystems or control objectives are impacted?
– Evidence that the control is in effect, or the impact if it is not.

Setting Audit Objectives
– Depends on the type of audit
– Best phrased when focused on whether selected control objectives are met
– Build the linkage from the control objective and the controls to the audit objectives and audit procedures (review and examination steps), to obtain sufficient audit evidence to draw conclusions
Use of CobiT in the Pre-Audit Process

Overview of the Pre-Audit Process
– Auditee selection (may be CobiT-driven)
– Off-site preliminary information gathering
– Entrance conference and on-site pre-audit information gathering (reference to CobiT)
– Develop proposed scope and audit objectives
– Internal scope meeting (review and approval)
– Finalize audit work program (CobiT-framed)
– Engagement conference (reference CobiT as criteria) and audit (CobiT as examination criteria)

Pre-Audit Planning
– Who are they? (type of organization, industry)
– What do they do? (mission, business objectives)
– How do they plan to do it? (strategy/plan)
– How do they do it? (functions, processes)
– With what resources? (IT, operational resources, management and staff, raw materials, etc.)
– By what rules? (policies, standards, legal and regulatory requirements)
– Under what risks? (risk analysis)

Pre-Audit Planning
– Who does it? (internal and external players, their roles and responsibilities)
– Who knows what is done? (reporting lines, designated points of accountability)
– How do they know it is done right? (measurement registers, assurance mechanisms, evaluations, scorecards, etc.)
– Where are they? (global or national, centralized or distributed organizational structure, etc.)

On-Site Pre-Audit
– Entrance conference and subsequent interviews (CobiT discussion)
– Tour of facility and observations
– Documentation review (high-level CobiT)
– Obtain management assertions (CobiT matrices)
– Identification of data/information sources and their information criteria (CobiT)
– Risk and exposure analysis
– Review of internal controls (includes CobiT)
– Determination of planned materiality

On-Site Pre-Audit Procedures
– Identification of accounting and operational control objectives and related control practices (CobiT)
– Perform selected tests of stated procedures or controls (CobiT)
– Determination of auditability
– Summary conclusions and development of proposed scope and audit objectives

Internal Scope Meeting
– AIC and manager present their understanding of the entity and its audit requirements
– Provides an opportunity to discuss CobiT-related matters
– Acquaints the Audit Shop’s management with the proposed audit and CobiT-related matters
– Serves as the review and approval point for scope and audit objectives

Internal Scope Meeting
– Addresses the fundamental elements of pre-audit planning; preliminary audit work; development and documentation of audit scope, objectives and methodology; identification of control objectives and criteria; and staffing and logistics issues
– CobiT helps to ensure appropriate audit direction and allocation of audit resources to the engagement
– Serves as a “practice run” for presenting audit scope and audit objectives, methodology and criteria (including CobiT) to the auditee

For the Audit Engagement
– May identify CobiT as criteria at the entrance conference
– Use CobiT to develop and benchmark audit work programs
– Introduce generally accepted control practices to the auditee via CobiT

Where CobiT Helps on Pre-Audit Considerations
– Framing IT processes by domain for the existing IT environment and automated systems
– Identification of the major processes and activities which support the entity’s mission and business objectives
– Review of acquisition and development plans or projects for IT
– Performing risk analysis and internal control review
Using CobiT in Other Audit Areas

Using CobiT on System Development Audits

Three Types of System Development IT Audits
– Type 1: examination of development methodology, policy and procedures
– Type 2: examination of the development and implementation of a particular information system
– Type 3: participation as “control advisor” throughout the development and implementation process

System Development Audit Planning
– Conduct a preliminary survey and pre-audit work sufficient to select the “type” of system development audit
– Use CobiT to assist in framing the audit with respect to the processes and detailed control objectives applicable to the “type” of development audit
– Use CobiT processes and detailed control objectives to identify criteria

System Development Audit Planning
– Start with the CobiT summary table to select the processes directly impacting the application(s)
– Suggested focus on the Planning & Organization, Acquisition & Implementation, and Monitoring domains for development audits
– Note: not all processes will be selected, nor will all detailed control objectives within each process
– Select applicable IT control practices (tasks and activities) for each process

SDLC Audits: Type 1
The IT auditor reviews the organization’s system development and implementation procedures. Here, the auditor would determine whether appropriate SDLC procedures were in place to ensure that automated systems developed meet user needs, function as intended, meet any required legal or regulatory requirements, are sufficiently controlled to provide reasonable assurance of data and system integrity, and operate effectively and efficiently.

Type 1 Development Audit
– Process audit
– Determine whether appropriate SDLC policies and procedures are in place
– Emphasis on the Planning & Organization and Acquisition & Implementation domains
– Detailed control objectives focused on good practices for development

Type 1 Development Audit Assumptions
– Linkage to Planning & Organization processes is based on the premise that the PO processes set the stage for the IT environment and development
– Audits or reviews of the SDLC methodology should be in the context of the organization’s IT strategy, policies, and standards

SDLC Audits: Type 2
The IT auditor reviews the development and implementation of a particular system, determining whether the organization’s (and generally accepted) development procedures were followed, and whether the system meets the needs of the organization and its users, is maintainable, and operates efficiently.

Type 2 Development Audit
– Compliance audit
– Operations/performance audit
– Post-implementation examination
– Focus on compliance with SDLC methods and assessment of the system’s “operational status”
– May include a 3rd-party review

SDLC Audits: Type 3
The IT auditor participates in the development and implementation of the automated system, serving as a non-voting member of the development team. Under this arrangement, the auditor serves as an advisor, a “control consultant”.

Type 3 Development Audit
– Management advisory services (MAS)
– Use CobiT to facilitate discussions on design, development, testing, etc.
– May involve audit work in each phase
– Greater emphasis placed on understanding Audit’s role as “advisor”
– Good opportunities to design control self-assessment processes
Processes Selected for Type 1, 2 & 3 Development Audits
– PO1: Define strategic IT plan
– PO2: Define information architecture
– PO4: Define organization & relationships
– PO5: Manage the investment
– PO6: Communicate management aims
– PO8: External requirements compliance
– PO9: Assess risk
– PO10: Manage projects
– PO11: Manage quality

Processes Selected for Type 1, 2 & 3 Development Audits
– AI1: Identify automated solutions
– AI2: Acquire/maintain application software
– AI3: Acquire/maintain technology architecture
– AI4: Develop & maintain procedures
– AI5: Install & accredit systems
– AI6: Manage changes
– M1: Monitor the process

Detailed Control Objectives by Process for Type 1 SDM Audit
PO1
  – 1.1 Assessment of technology issues in L-R & S-R plans
  – 1.5 Feasibility studies performed
PO2
  – 2.1 Current architecture model
  – 2.2 Current corporate data dictionary
  – 2.3 Data classification scheme
PO4
  – 4.1 Oversight role of steering committee

Detailed Control Objectives by Process for Type 2 SDM Audit
PO1
  – 1.2 Development initiatives should be in L-R & S-R plans
  – 1.5 Feasibility studies performed
PO2
  – 2.2 Current corporate data dictionary
  – 2.3 Data classification scheme
  – 2.4 Maintain security levels for information classes
PO4
  – 4.1 Oversight role of steering committee
  – etc.

Detailed Control Objectives by Process for Type 3 SDM Audit
PO1
  – 1.3 IT-related issues to be considered in L-R planning
  – 1.5 Plans to reflect IS resources
PO2
  – 2.2 Corporate data dictionary incorporates data syntax rules
  – 2.3 Placement of data in information classes
  – 2.4 Implement security levels
PO3
  – 3.4 Software acquisition plans
  – 3.5 Standardization - infrastructure

System Development Audit Work Program
– Use the Control Objectives and Audit Guidelines together to start the audit work program.
– While the primary focus may be on AI1-AI6, include selected control objectives from Planning & Organization.
– Include the appropriate SDLC requirements of the organization, if available.

Summary Thoughts on Using CobiT on Development Audits
– Participate in quality assurance for CobiT targeting software development
– Use CobiT for risk assessment and the subsequent allocation of audit resources to development projects
– Use CobiT to develop Type 1, 2 & 3 development audit work programs
– Use CobiT to evaluate the adequacy of the audit approach on Type 3 SDM audits

Developing a Change Control Audit Program
– Select relevant objectives from the 34 high-level control objectives (e.g., AI1, AI2, AI4, AI6, DS9)
– Select relevant detailed control objectives (e.g., AI 6.2)
– These become audit objectives in the audit program
– Compare the audit program to the CobiT Audit Guidelines
Using CobiT on Management Audits
– Framing audits via the Planning & Organization domain
– Using CobiT to evaluate the assignment of responsibility for IT-related functions
– Using CobiT to evaluate points of accountability

Using CobiT for Review of Responsibilities & Evaluation of Points of Accountability

Conducting Responsibility and Accountability Reviews
– Determine the extent to which the discrete tasks and activities referenced by CobiT are in place.
– Determine the extent to which the policies, procedures, and mechanisms referenced by CobiT have been established.

Factors to consider when identifying relevant tasks and activities
– Not all tasks and responsibilities have an assigned responsible party
– When planning your assessments (extent, scheduling, area to be reviewed, MAS), a comprehensive review is recommended by:
  – domain
  – key process(es)

Factors to consider when identifying relevant tasks and activities
– If reviewing the control environment, you may elect to target tasks and responsibilities with CobiT-designated responsible parties.
– Consider the difference between single tasks and on-going activities with respect to the purpose of your review or audit work.

Task/Activity Monitoring & Evaluation
Task or Activity   | Responsibility to:                | Monitored by:              | Evaluated by:
Control task       | Establish a function or procedure | Initially & upon changes   | Periodic, at least annual
Control activity   | On-going function or activity     | On-going, with reporting   | Periodic to on-going
“Lock in” Responsibilities
– Complete the “responsible party” form
– Prepare a list of responsible parties
– Based on the entity and organizational structure, and the CobiT responsibility designations, agree or modify the responsibility designations for the selected tasks and activities
– Establish the “locked in” responsibility list

“Locked in” Responsibility List
– Serves as the established list of desired responsibility assignments.
– Use as criteria for reviewing responsibility assignments for the entity under audit.

Review and Evaluate
– Clarity and appropriateness of responsibility definitions
– Assignment of responsibilities
– Points of accountability
– Reporting of actions taken and activities
– Mechanisms to monitor and evaluate the adequacy of the exercise of responsibilities

Determine the extent to which the Audit Team needs to perform:
– A review of assigned responsibilities for discrete tasks during pre-audit.
– A review of assigned responsibilities for activities during the audit.

Examination Steps
– Determine whether IT-related responsibilities have been adequately defined and assigned, and that adequate points of accountability are in place.
– Determine whether adequate controls and mechanisms are in place to monitor, evaluate, and hold accountable internal and outsourced parties for assigned responsibilities and desired deliverables.

Evidence gathered in the review of assigned responsibilities and points of accountability
– Can assist assessments of internal structures for financial and operations audits
– Can serve to identify the potential cause of audit results or findings

Evidence gathered in the review of assigned responsibilities and points of accountability
– Can assist management in reviewing and determining the adequacy of structures of accountability when the organization incurs organizational or significant technical change
– Can provide insight into recommendations regarding task and activity assignment and monitoring

Using CobiT to Address Third-Party Providers of IT-Related Services
– Determine whether the desired processes are in place and establish accountability
– Agree on levels of control
– Use CobiT to help design service contracts by identifying deliverables and responsibilities
– Use CobiT for on-going monitoring and evaluation of providers and partners

As an IT Self-Assessment Tool
– “How am I doing against recommended CobiT IT benchmarks?”
– Use CobiT to facilitate operational and control improvements.
– Identify controls that should be in place.
– Reallocate resources to more important projects.

Using CobiT on Control Self-Assessment
Use CobiT to assist the development of Control Self-Assessment programs by establishing benchmarks, gathering appropriate information on control objectives and control practices, and developing action plans.
Benchmarking - Self-Assessment
0 Very poor   Complete lack of good practice
1 Poor        Recognized the issues
2 Fair        Some effort made to address issues
3 Good        Moderately good level of practice
4 Very good   Advanced level of practice
5 Excellent   Best possible, highly integrated
Source: Erik Guldentops, DC presentation, July 1997.

0 Very poor. Complete lack of good practices. The organization has not recognized that there is an issue to be addressed.
1 Poor. There is evidence that the organization has recognized that the issues exist and need to be addressed. There may also be some rudimentary attempts to solve the problem, although these are relatively ineffective without greater levels of good practice to support them.
2 Fair. There is some effort within the organization to provide a level of practice which is acceptable. This includes partial definitions of responsibility, organizational models and processes, although these may not have been followed through to deliver effective and acceptable levels of practice.
3 Good. There is a moderately good level of practice which should not draw undue criticism. The processes are reasonably well defined at levels of detail which make them effective. Responsibilities and organizational models are at a similar level of development. There is a recognition of the need for integration, but this has not evolved very far.
4 Very good. There is generally a high level of good practice, with advanced tools being used to gain productivity, cost reduction and effectiveness. There is also considerable integration of related practices to give consistent and effective control within this area.
5 Excellent. The very best possible levels of good practice, given the available knowledge and tools. There is also a very high level of integration across all aspects related to this area.
CobiT Management Guidelines
Includes:
  – Critical Success Factors
  – Key Performance Indicators
  – Key Goal Indicators
  – Maturity models

Using the Management Guidelines

IT Management
– Is IT well managed?
  – Are we doing the right things?
  – Are we doing them the best way?
  – Are they being done well?
  – Are we achieving the desired benefits?
– Is IT properly controlled?
– Do we exercise due diligence?
– Is management driving the information technology?

CobiT: An IT control framework
– Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
– Promotes process focus and process ownership
– Divides IT into 34 processes belonging to four domains:
  – Planning
  – Acquiring & Implementing
  – Delivery & Support
  – Monitoring
– Looks at the fiduciary, quality and security needs of enterprises and provides seven information criteria that can be used to generically define what the business requires from IT:
  – Effectiveness
  – Efficiency
  – Availability
  – Integrity
  – Confidentiality
  – Reliability
  – Compliance

Why governance?
– “Due diligence”
– IT is strategic to the business
– IT is critical to the business
– Expectations and reality don’t match
– IT involves huge investments and large risks

IT is strategic to most businesses
If so, wouldn’t you want to know whether your information technology organization is:
– Likely to achieve its objectives?
– Resilient enough to learn and adapt?
– Judiciously managing the risks it faces?
– Appropriately recognizing opportunities and acting upon them?
109
108 Generic and action oriented For the purpose of IT Control profiling - what’s important? Awareness - where’s the risk? Benchmarking - what do others do? Supporting decision making and follow up Key performance indicators of IT processes Critical success factors of controls Control implementation choices Management Guidelines
110
109 Management Guidelines Critical Success Factors l the most important things to do to increase the probability of success of the process l observable - usually measurable - characteristics of the organisation and process l are either strategic, technological, organizational or procedural in nature l focus on obtaining, maintaining and leveraging capability and skills l expressed in terms of the IT process, not necessarily the business
111
110 Management Guidelines Key Goal Indicators l describe the outcome of the process and are therefore a ‘lag’ indicator, i.e., measurable after the fact l Are an indicator of the success of the process but may also be expressed in terms of the business contribution if that contribution is specific to the IT process l represent the process goal, i.e., a measure of “what”, a target to achieve l may also describe a measure of the impact of not reaching the process goal l KGIs are IT oriented but are also business driven l Are expressed in precise measurable terms wherever possible
112
111 Management Guidelines - Key Performance Indicators
* are a measure of “how well” the process is performing
* predict the probability of success or failure in the future, i.e., KPIs are ‘lead’ indicators
* are process oriented but IT driven
* focus on the process and learning dimensions of the balanced scorecard
* are expressed in precise measurable terms
* should help in improving the IT process
112 Maturity Models
* Refer to business requirements and control capabilities at different levels
* Are scales that lend themselves to pragmatic comparison
* Are scales where the difference can be made measurable in an easy manner
* Are recognizable as a “profile” of the enterprise in relation to IT governance and control
* Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
* Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
113 Start from a Maturity Model for Self-Assessment
Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
Legend for symbols used: Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy
Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated
114 Measures? Scales? Indicators?
115 Generic Maturity Model - Dimensions
* Understanding and awareness
* Training and communications
* Process and practices
* Techniques and automation
* Compliance
* Expertise
116 Generic Maturity Model - Dimensions
117 Generic Maturity Model
0 Non-Existent. Complete lack of any recognizable processes. The organisation has not even recognised that there is an issue to be addressed.
1 Initial. There is evidence that the organisation has recognized that the issues exist and need to be addressed. There are, however, no standardized processes; instead there are ad hoc approaches that tend to be applied on an individual or case-by-case basis. The overall approach to management is disorganized.
2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures, and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals, and therefore errors are likely.
3 Defined. Procedures have been standardized, documented, and communicated through training. It is, however, left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.
5 Optimized. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness and making the enterprise quick to adapt.
118 In summary: Maturity Models
* Refer to business requirements and the enabling aspects at the different levels
* Are scales that lend themselves to pragmatic comparison
* Are scales where the difference can be made measurable in an easy manner
* Are recognisable as a “profile” of the enterprise in relation to IT governance and control
* Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
* Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
* Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level
119 IT Governance Guideline
Governance over IT and its processes, with the goal of adding value to the business while balancing risk versus return:
* ensures delivery of information to the business that addresses the required information criteria, and is measured by KGIs
* is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
* considers CSFs that leverage all IT resources, and is measured by KPIs
120 IT governance summarized
Objectives:
* understand the issues and the strategic importance of IT
* ensure that the enterprise can sustain its operations and ascertain it can implement the strategies required to extend its activities into the future
Goal: ensuring that expectations for IT are met and IT risks are mitigated
Position: within broad governance arrangements that cover relationships among the entity's management and its governing body, its owners and its other stakeholders, and providing the structure through which:
* the entity's overall objectives are set
* the method of attaining those objectives is outlined
* the manner in which performance will be monitored is described
121 Audit Organization
* Use CobiT to identify and assess risk of IT processes
* Use CobiT-related matrices in standard audit work programs
* Frame IT audits via CobiT
* Development of MAS focused on CobiT
122 Cobitizing Audit -- Phases
* Self assessment and modification
* Internal audit guidelines
  - Text of policy & procedure manual
  - Generic work programs and matrices
* Overall audit planning
* Engagement planning
* Discussions with auditees for self assessment
* Modify QA to include CobiT
* Strengthen focus on business processes, system integrity, and IT environment
123 CobiT Recognizes
* IT is an integral part of the organization
* IT governance is an integral part of corporate governance
* Focus on control objectives can strengthen appropriateness and use of internal controls
* Measurement is crucial to internal control
* Monitoring and evaluation are integral to a system of internal control
124 Learned So Far
* Need Internal Control refresher course covering control models (such as COSO), CobiT, internal control acts, SAS 78, and techniques in evaluating controls
* There are good opportunities to leverage the understanding of internal controls and CobiT among management and staff, auditors, out-sourced services, the academic community, and vendors
125 Learned So Far
* Audit teams and auditees seem to have a better understanding of control objectives with CobiT
* Increased consistency of discussions regarding IT domains, control objectives and controls
* Increased emphasis on information criteria
126 Learned So Far
* Pilot use of CobiT
* Network and share “ideas” on CobiT
* CobiT has assisted identification of IT-related processes, who performs them, and who is responsible
* CobiT provides value-added opportunities and time savings
* CobiT reinforces the final objective of effective and efficient operations
127 A Tip regarding CobiT
CobiT is generic - adapt it to your organization in cooperation with the business-process owners!
* Determine focus (quality, security, fiduciary)
* Harmonize existing policies and procedures with CobiT
* Determine control responsibilities
* Identify key performance indicators and critical success factors
128 Another Tip or Two
* Study it carefully -- it takes some time to understand; keep in mind that you are dealing with a control framework
* For auditors and reviewers, provide sufficient time for using CobiT in pre-audit and engagement planning
* Promote discussions on CobiT
* Identify CobiT as a control framework and basis for benchmark criteria and evaluation
129 The Last of the Tips
* Use CobiT initially as a control model and tool to assist controls evaluations, framing audits, identifying criteria, and performing high-level benchmarking
* Share your insights regarding control design and evaluation
* Study the Management Guidelines
130 CobiT Product Family
4 major elements:
* COBIT as an open standard for increased world-wide adoption, covering summary, framework and detailed control objectives
* Three proprietary guideline products:
  - Implementation Tool Set: how to introduce the CobiT standard in the enterprise
  - Audit Guidelines: how to audit against the standard
  - Management Guidelines: how to benchmark, implement and self-assess
131 CobiT
For additional information:
* www.isaca.org
* www.ITgovernance.org
* or email, or give me a call at (617) 727-6200 ext 135
132 Go Forth Safely And CobiTize. Thank You