2. 1 Part 2

3. 2 AUDIT GUIDELINES

4. 3 Audit Guidelines -- 226 pages  1 Generic Guideline and 34 Process Oriented  A generic guideline identifies various tasks to be performed in assessing ANY control objective within a process. This generic guideline extracted all repetitive tasks into one -- to be performed for all control objectives.  Others are specific process-oriented task suggestions to provide management assurance that a control is in place and is working.

5. 4 Audit Guidelines  Purpose of audit guidelines is to provide simple structure for auditing controls  Audit guidelines are generic and high-level in structure  Although intended as a guide for auditing high-level control objectives, CobiT can assist overall audit planning  Enables auditor to review processes against control objectives

6. 5 CobiT supports generally accepted structure of the audit process:  Identification and documentation  Evaluation  Compliance testing, and  Substantive testing

7. 6 Obtaining an understanding of business requirements, related risks, and relevant control measures Evaluating the appropriateness of stated controls Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously. Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The IT process is therefore audited by:

8. 7 O BTAINING AN U NDERSTANDING The audit steps to be performed to document the activities under- lying the control objectives as well as to identify the stated control measures/procedures in place. Interview appropriate management and staff to gain an understanding of: * Business requirements and associated risks * Organisation structure * Roles and responsibilities * Policies and procedures * Laws and regulations and contractual obligations * Control measures in place * Management reporting (status, performance, action items) Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk through). GENERIC AUDIT GUIDELINE

9. 8 E VALUATING THE C ONTROLS The audit steps to be performed in assessing the effectiveness of control measures in place or the degree to which the control objective is achieved. Basically deciding what, whether and how to test. Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures and applying professional judgment. Documented processes exist Appropriate deliverables exist Responsibility and accountability are clear and effective Compensating controls exist, where necessary Conclude the degree to which the control objective is met. GENERIC AUDIT GUIDELINE

10. 9 A SSESSING C OMPLIANCE The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment. Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review using both direct and indirect evidence. Perform a limited review of the adequacy of the process deliverables. Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate. GENERIC AUDIT GUIDELINE

11. 10 S UBSTANTIATING THE R ISK The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information. Document the control weaknesses and resulting threats and vulnerabilities. Identify and document the actual and potential impact (e.g., through root-cause analysis). Provide comparative information (e.g., through benchmarks). GENERIC AUDIT GUIDELINE

12. 11 Audit Guidelines are GUIDELINES  They are a starting point for identifying control tasks and activities associated with particular control objectives.  To plan and conduct the audit, an auditor must add knowledge about the business, risk analysis, and controls; perform adequate audit procedures; and draw conclusions from the results of the audit procedures.

13. 12 Using CobiT to Develop an Audit Program  Start with Control Objectives to refresh the purpose of the control objective and the recommended IT control practices  Use the Audit Guidelines’ generic audit guideline as a starting point  Use the selected process-oriented audit guidelines to refine the audit work program  Select appropriate portions of the Audit Guidelines in sync with selected detailed control objectives (selected control tasks and activities)

14. 13 Using CobiT to Review an Audit Program  Use the Audit Guidelines to benchmark the existing audit program against  Use the Control Objectives’ high-level control objectives to review audit objectives and detailed control objectives to review criteria identification  Use the generic and process-oriented audit guidelines to review audit process and procedures

16. 15 Adopting CobiT  Start by identifying the “need” for use, and how it might be used  Focus on the benefits to be derived from using CobiT  Assess the acceptance and implementation capabilities  Assign priority of multiple uses  Identify one or more champions

17. 16 Adopting CobiT  For those responsible for systems and those who audit systems, the value lies in having an organized IT control model that links management control practices to control objectives, and in turn to business objectives.  From a management perspective: – management and IT policy makers such as CEO, CIO, VP of IT – IT steering committee – business process owners and users  From an Audit perspective: – evaluators and internal/external auditors

18. 17 Factors to Consider  Dimension and depth of the IT environment  Organizational structure of IT services  Level of internal and outsourced IT functions  Relationships of IT, IS Audit, business process owners, management  Management philosophy regarding control and audit  Extent of business process reengineering  Level of consensus needed

19. 18 Benefits of CobiT  Supports IT governance objectives.  Helps ensure that IT processes are defined and assigned.  Helps to ensure that there is focus on control objectives.  Leads to more cost-effective IT services.

20. 19 Benefits of CobiT Helps to provide reasonable assurance that: – IT process objectives are understood – IT risks have been identified – Appropriate controls have been implemented – Appropriate monitoring and evaluation processes in effect – IT process objectives and can be achieved.

21. 20 Benefits of CobiT  Helps to ensure that the organization complies with applicable rules, regulations and contractual obligations.  Opportunity for complementary adoption of COSO and CobiT (or other control models).  Authoritative nature of Cobit encompassing adoption of well-recognized and established standards for IT control.

22. 21 Benefits of CobiT  Strengthens assessment, understanding and exercise of appropriate internal controls.  Provides a good framework for risk assessment and risk management.  Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.

23. 22 Benefits of CobiT  Provides a framework for ensuring that outsourced IT functions are addressed in third- party contracts.  Helps to strengthen the relationship between IS Services and the user community through improved SLAs.  Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.

25. 24 U sing C OBI T ò Organizational Tool ò Audit Planning and Support Tool ò IT Control Self Assessment Tool

26. 25 CobiT as an Organizational Tool  Provides framework and benchmarks for IT planning and management  Identification of primary IT processes (by broad management-oriented Domains)  Assists in establishing responsibilities and points of accountability  Assists in clarifying IT’s and Audit’s role

27. 26 CobiT As An Audit Planning Tool “To look at a functional area.” – “Which functional area?” – “What systems are involved?” – “What IT processes are involved?” – “What are the objectives and risks?” – “What are the control objectives?”

28. 27 Using CobiT in Audit Planning ò IT audit shop planning --- audit engagement selection ò Determining type of audit services ò Engagement planning ò Framing audit scope and audit objectives to CobiT ò Development of audit approach

29. 28 Audit Planning è Adequate planning is a necessary first step in performing effective IT Audits. è Need to understand the general business environment as well as the associated business and control risks. è Assess operational and control risks and identify control objectives during audit planning.

30. 29 Use of CobiT during the Audit Planning  Assessing the control environment and identifying high risk processes  Conducting a high-level policy and procedures review  Conducting a detailed review of policies and procedures against the entire control objectives document  Using CobiT-related matrices

31. 30 CobiT-related Matrices

32. 31 Using CobiT Matrices to Focus on:  IT Functions – Their importance? – Level of performance? – Control documentation?  Responsible Parties of IT – Performed by? – Contracted services? – Primary responsible party?  Risk Assessment – Importance, level of risk, control documentation?

33. 32 CobiT-Related Matrices  Submit matrix of processes to IT management to attain assertions regarding: – Importance, performance and risk of each process – self assessment of how well control is being carried out for each process  Have the review or audit team also independently rate preliminary understanding of importance, performance and risk of each process  Use matrix of IT processes to be performed and identify who performs the process and who has final responsibility; can be used to identify processes not performed by “traditional” IT organization

34. 33 ENTITY SHORT FORM

35. 34 ENTITY LONG FORM

36. 35 RISK ASSESSMENT FORM

37. 36 Pre-Audit: Performance and Risk Level of Performance Function & Operation Level of Risk highA/Plow highpayrolllow mediumIT processinghigh etc.

38. 37 Pre-Audit: Risk/Importance and Control Documentation Risk/ Importance Function & Operation Control Documentation Low/mediumA/Pyes Low/highpayrollnone High/mediumIT processingpartial etc.

39. 38 RESPONSIBLE PARTY FORM

40. 39 Pre-Audit: Functions & Responsibilities Points of Points of Accountability Function performed by Function & Operation Responsible Party internalA/PAccounting outsourcedpayrollAccounting IT DeptIT processingVP of IT etc.

41. 40 CONTRACT SERVICE/SERVICE LEVEL AGREEMENT (SLA) FORM

42. 41 PRIOR AUDIT WORK FORM

43. Audits (or audit entities) A B C D E F - - - C OBI T ’s 34 Processes PO 1 PO 2. M 4 S= Pre-audit survey A= Audit R= Report - Positive conclusion - Finding 42

44. 43 Use of CobiT in Audit Planning:  Supports objectives of AU.319 “Consideration of Internal Control in a Financial Statement Audit”, and  Risk-Based Audit planning

45. 44 Key Features of Risk-Based Approach  Focuses on the business from a management perspective  Emphasis on knowledge of the business and the technology  Focus on assessing the effectiveness of a “combination” of controls  Linkage between risk assessment and testing focusing on control objectives

46. 45 Risk-Based Audit Planning  What is most critical to the business?  What are the CSFs?  What are the risks and threats?  How robust and appropriate does the internal control structure appear?  What are management’s concerns?

47. 46 Risks to the Business? è Unaware of the risks è Poor understanding of CSFs è Absence of KPIs è No “scorecard” or basis of measurement è Absence of monitoring and evaluation è Weak IT control environment è Loss of data or system integrity

48. 47 Control Risk Assessment è Control Risk assessment at maximum – addresses relevant audit objectives using substantive tests – perform all applicable substantive tests è Control risk assessment at below maximum – identify control procedures that allow control risk to be below maximum – design & perform tests of controls – Identify reduced substantive tests

49. 48 Control Risk Assessment è Control Risk assessment at low – perform tests of controls for application and IT controls – perform analytical procedures (reduced substantive testing)

50. 49 Control Assessment Steps  What is the control objective?  Identify the type of control ( application or general; primary or secondary; and preventive, detective, or corrective )  What business objective is impacted?  Appropriateness of the stated control?  Number of components used to execute the control and number of subsystems or control objectives impacted?  Evidence that the control is in effect, or impact that it is not.

51. 50 Setting Audit Objectives  Depends on the type of audit  Best phrased when focused on whether selected control objectives are met  Build the linkage between the control objective and the controls to the audit objectives and audit procedures (review and examination steps) to obtain sufficient audit evidence to draw conclusions

52. 51 Use of CobiT in The Pre-Audit Process

53. 52 Overview of Pre-Audit Process  Auditee selection (may be CobiT driven)  Off-site preliminary information gathering  Entrance Conference and on-site preaudit information gathering (reference to CobiT)  Develop proposed scope and audit objectives  Internal scope meeting (review & approval)  Finalize audit work program (CobiT-framed)  Engagement conference (reference CobiT as criteria) and audit (CobiT as examination criteria)

54. 53 Pre-Audit Planning  Who are they? ( type of organization, industry )  What do they do? ( mission, business objectives )  How do they plan to do it? ( strategy/plan )  How do they do it? ( functions, processes )  With what resources? ( IT, operational resources, management & staff, raw materials, etc.)  By what rules? ( policies, standards, legal and regulatory requirements )  Under what risks? ( risk analysis )

55. 54 Pre-Audit Planning  Who does it? ( internal & external players, their roles and responsibilities )  Who knows what is done? ( reporting lines, designated points of accountability )  How do they known it is done right? ( measurement registers, assurance mechanisms, evaluations, score cards, etc. )  Where are they? ( global or national, centralized or distributed organizational structure, etc. )

56. 55 On-Site Pre-Audit  Entrance conference and subsequent interviews (CobiT discussion)  Tour of facility and observations  Documentation review (high-level CobiT)  Obtain management assertions (CobiT matrices)  Identification of data/information sources and their information criteria (CobiT)  Risk and exposure analysis  Review of internal controls (includes CobiT)  Determination of planned materiality

57. 56 On-Site Pre-Audit Procedures  Identification of accounting and operational control objectives and related control practices (CobiT)  Perform selected tests of stated procedures or controls (CobiT)  Determination of auditability  Summary conclusions and development of proposed scope and audit objectives

58. 57 Internal Scope Meeting  AIC and manager present understanding of the entity and its audit requirements  Provides opportunity to discuss CobiT-related matters  Acquaints the Audit Shop’s management with proposed audit and CobiT-related matters  Serves as review and approval point for scope and audit objectives

59. 58 Internal Scope Meeting  Addresses fundamental elements of preaudit planning; preliminary audit work; development and documentation of audit scope, objectives and methodology; identification of control objectives and criteria; and staffing and logistics issues  Cobit helps to ensure appropriate audit direction and allocation of audit resources to the engagement  Serves as a “practice run” for presenting audit scope and audit objectives, methodology and criteria (including CobiT) to the auditee

60. 59 For the Audit Engagement  May identify CobiT as criteria at entrance conference  Use CobiT to develop and benchmark audit work programs  Introduce generally accepted control practices to auditee via CobiT

61. 60 Where CobiT Helps on Pre-Audit Considerations  Framing IT processes by domains for the existing IT environment and automated systems  Identification of major processes and activities which support the entity’s mission and business objectives Review of acquisition and development plans or projects for IT  Performing risk analysis and internal control review

62. 61 Using CobiT in other Audit Areas

63. 62 Using CobiT on System Development Audits

64. 63 Three Types of System Development IT Audits  Type 1: examination of development methodology, policy and procedures  Type 2: examination of development and implementation of a particular information system  Type 3: participation as “control advisor” throughout the development and implementation process

65. 64 System Development Audit Planning  Conduct preliminary survey and pre-audit work sufficient to select the “type” of system development audit  Use CobiT to assist in framing the audit with respect to processes and detailed control objectives applicable to the “type” of development audit  Use CobiT processes and detailed control objectives to identify criteria

66. 65 System Development Audit Planning  Start with CobiT summary table to select processes directly impacting application(s)  Suggest focus on Planing & Organization, Acquisition & Implementation, and Monitoring domains for development audits  Note: not all processes will be selected nor will detailed control objectives within each process  Select applicable IT control practices (tasks and activities) for each process

67. 66 SDLC Audits Type 1 The IT auditor reviews the organization’s system development and implementation procedures. Here, the auditor would determine whether appropriate SDLC procedures were in place to ensure that automated systems developed meet user needs, function as intended, meet any required legal or regulatory requirements, are sufficiently controlled to provide reasonable assurance for data and system integrity, and that the system operates effectively and efficiently.

68. 67 Type 1 Development Audit  Process audit  Determine whether appropriate SDLC policies & procedures are in place  Emphasis on Planning & Organization and Acquisition & Implementation domains  Detailed control objectives focused on good practices for development

69. 68 Type 1 Development Audit Assumptions  Linkage to Planning & Organization processes based on the premise that PO’s set the stage for IT environment and development  Audits or reviews of SDLC methodology should be in context of organization’s IT strategy, policies, and standards

70. 69 SDLC Audits Type 2 The IT auditor reviews the development and implementation of a particular system, determining whether the organization’s (and generally-accepted) development procedures were followed, whether the system meets the needs of the organization and its users, is maintainable, and operates efficiently.

71. 70 Type 2 Development Audit  Compliance audit  Operations/Performance audit  Post-implementation examination  Focus on compliance with SDLC methods and assessment of the system’s “operational status”  May include 3rd-party review

72. 71 SDLC Audits Type 3 The IT auditor participates in the development and implementation of the automated system where the auditor serves as a non-voting member of the development team. Under this arrangement, the auditor serves as an advisor, a “control consultant”.

73. 72 Type 3 Development Audit  Management advisory services (MAS)  Use CobiT to facilitate discussions on design, development, testing, etc.  May involve audit work of each phase  Greater emphasis placed on under-standing of Audit’s role as “advisor”  Good opportunities to design control self assessment processes

74. 73 Processes Selected for Type 1, 2 & 3 Development Audits  PO1: Define strategic IT plan  PO2: Define information architecture  PO4: Define organization & relationships  PO5: Manage the investment  PO6: Communicate management aims  PO8: External requirements compliance  PO9: Assess Risk  PO10: Manage projects  PO11: Manage quality

75. 74 Processes selected for Type 1, 2 & 3 Development Audits  AI1: Identify automated solutions  AI2: Acquire/maintain application software  AI3: Acquire/maintain technology architecture  AI4: Develop & maintain procedures  AI5: Install & accredit systems  AI6: Managing changes  M1: Monitor the process

76. 75 Detailed Control Objectives by Process for Type 1 SDM Audit  PO1  PO2  PO4  1.1 Assessment of technology issues in L-R & S-R plans  1.5 Feasibility studies performed  2.1 Current architecture model  2.2 current corporate data dictionary  2.3 data classification scheme  4.1 Oversight role of steering committee

77. 76 Detailed Control Objectives by Process for Type 2 SDM Audit  PO1  PO2  PO4  1.2 Development initiatives should be in L-R & S-R plans  1.5 Feasibility studies performed  2.2 current corporate data dictionary  2.3 data classification scheme  2.4 Maintain security levels for information classes  4.1 Oversight role of steering committee etc.

78. 77 Detailed Control Objectives by Process for Type 3 SDM Audit  PO1  PO2  PO3  1.3 IT-related issues to be considered in L-R planning  1.5 Plans to reflect IS resources  2.2 Corporate data dictionary incorporates data syntax rules  2.3 Placement of data on information classes  2.4 Implement security levels  3.4 Software acquisition plans  3.5 Standardization - infrastructure

79. 78 System Development Audit Work Program ò Use Control Objectives and Audit Guidelines together to start audit work program. ò While primary focus may be on AI1-AI6, selected control objectives from Planning & Organization. ò Include appropriate SDLC requirements of the organization, if available.

80. 79 Summary Thoughts on Using CobiT on Development Audits  Participate in quality assurance for CobiT targeting software development  Use CobiT as for risk assessment and subsequent allocation of audit resources to development projects  Use CobiT to develop Type 1, 2, & 3 development audit work programs  Used CobiT to evaluate adequacy of audit approach on type 3 SDM audits

81. 80 Developing a Change Control Audit Program  Select relevant objectives from the 34 high-level control objectives (e.g., AI1, AI2, AI4, AI6, DS9)  Select relevant detailed control objectives (e.g., AI 6.2) These become audit objectives in the audit program  Compare the audit program to the C OBI T Audit Guidelines

82. 81 Using Cobit on Management Audits  Framing audits via Planning & Organization Domain  Using CobiT to evaluate assignment of responsibility of IT-related functions.  Using CobiT to evaluate points of accountability.

83. 82 Using CobiT for Review of Responsibilities & Evaluation of Points of Accountability

84. 83 Conducting Responsibility and Accountability Reviews  Determine the extent to which discrete tasks and activities referenced by CobiT are in place.  Determine the extent to which policies, procedures, and mechanisms referenced by CobiT have been established.

85. 84 Factors to consider when identifying relevant tasks and activities  Not all tasks & responsibilities have an assigned responsible party  When planning your assessments (extent, scheduling, area to be reviewed, MAS), recommend comprehensive review by: – domain – key process(es)

86. 85 Factors to consider when identifying relevant tasks and activities  If reviewing the control environment, you may elect to target tasks and responsibilities with CobiT-designated responsible parties.  Consider the difference between single tasks and on-going activities with respect to the purpose of your review or audit work.

87. 86 Task/Activity Monitoring & Evaluation Task or Activity Responsibility to: Monitored by: Evaluated by: Control task Establish a Function or procedure Initially & Upon Changes Periodic At least annual Control activity On-going Function or activity On-going With reporting Periodic To On-going

88. 87 “Lock in” Responsibilities  Complete “responsible party” form  Prepare list of responsible parties  Based on entity and organizational structure, and CobiT responsibility designations, agree or modify responsibility designations for the selected tasks and activities  Establish “Locked in” responsibility list

89. 88 “Locked in” Responsibility List  Serves as established list of desired responsibility assignments.  Use as criteria for reviewing responsibility assignments for entity under audit.

90. 89 Review and Evaluate ò Clarity and appropriateness of responsibility definitions ò assignment of responsibilities ò points of accountability ò reporting of actions taken and activities ò mechanisms to monitor and evaluate adequacy of exercise of responsibilities

91. 90 Determine extent to which Audit Team Needs to Perform:  A review of assigned responsibilities for discrete tasks during pre-audit.  A review of assigned responsibilities for activities during audit

92. 91 Examination Steps  Determine whether IT-related responsibilities have been adequately defined and assigned, and that adequate points of accountability are in place.  Determine whether adequate controls and mechanisms are in place to monitor, evaluate, and hold accountable internal and outsourced parties for assigned responsibilities and desired deliverables

93. 92 Evidence gathered in review of assigned responsibilities and points of accountability  Can assist assessments of internal structures for financial and operations audits  Can serve to identify the potential cause of audit results or findings

94. 93 Evidence gathered in review of assigned responsibilities and points of accountability  Can assist management in reviewing and determining the adequacy of structures of accountability when organization incur organizational or significant technical change  Can provide insight into recommendations regarding task and activity assignment and monitoring

95. 94 Using Cobit to Address Third-Party Providers of IT-Related Services  Determine whether desired processes are in place and establish accountability  Agree on levels of control  Use CobiT to help design service contracts by identifying deliverables and responsibilities  Use CobiT for ongoing monitoring and evaluation of providers and partners

96. 95 As An IT Self Assessment Tool  “How am I doing against recommended C OBI T IT benchmarks?”  Use C OBI T to facilitate operational and control improvements.  Identify controls that should be in place.  Reallocate resources to more important projects.

97. 96 Using Cobit on Control Self Assessment Use CobiT to assist the development of Control Self Assessment programs by establishing benchmarks, gathering appropriate information on control objectives and control practices, and developing action plans.

98. Benchmarking - Self-Assessment 0 Very poorComplete lack of good practice 1 PoorRecognized the issues 2 FairSome effort made to address issues 3 GoodModerately good level of practice 4 Very goodAdvanced level of practice 5 ExcellentBest possible, highly integrated Source: Erik Guldentops, DC presentation, July 1997. 97

99. 98 0 Very poor. Complete lack of good practices. Organization has not recognized that there is an issue to be addressed. 1 Poor. There is evidence that the organization has recognized that the issues exist and need to be addressed. There may also be some rudimentary attempts to solve the problem although these are relatively ineffective without greater levels of good practice to support them

100. 2 Fair. There is some effort within the organization to provide a level of practice which is acceptable. This includes partial definitions of responsibility, organizational models and processes. Although these may not have been followed through to deliver effective and acceptable levels of practice. 3 Good. There is a moderately good level of practice which should not draw undue criticism. The processes are reasonably well defined at levels of detail which make them effective. Responsibilities and organizational models are at a similar level of development. There is a recognition of the need for integration, but this has not evolved very far. 99

101. 4 Very Good. There is generally a high level of good practices, with advanced tools being used to gain productivity, cost reduction and effectiveness. There is also considerable integration of related practices to give consistent and effective control within this area. 5 Excellent. The very best possible levels of good practice, given the available knowledge and tools. There is also very high level of integration across all aspects related to this area. 100

102. 101  Management Guidelines Includes: – Critical Success Factors – Key Performance Indicators – Key Goal Indicators – Maturity models C OBI T

103. 102 HGHGHGHGHGHG

104. 103 Using the Management Guidelines

105. 104 IT Management  Is IT well managed? – Are we doing the right things? – Are we doing them the best way? – Are they being done well? – Are we achieving desired benefits?  Is IT properly controlled?  Do we exercise due diligence?  Is management driving the information technology?

106. 105 u Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives. u Promotes process focus and process ownership u Divides IT into 34 processes belonging to four domains u Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT u Effectiveness u Efficiency u Availability, u Integrity u Confidentiality u Reliability u Compliance. u Planning u Acquiring & Implementing u Delivery & Support u Monitoring CobiT : An IT control framework

107. 106 l “Due diligence” l IT is strategic to the business l IT is critical to the business l Expectations and reality don’t match l IT involves huge investments and large risks Why governance?

108. 107 If so, wouldn’t you want to know whether your information technology organization is:  Likely to achieve its objectives?  Resilient enough to learn and adapt?  Judiciously managing the risks it faces?  Appropriately recognizing opportunities and acting upon them? IT is strategic to most businesses

109. 108 Generic and action oriented For the purpose of IT Control profiling - what’s important? Awareness - where’s the risk? Benchmarking - what do others do? Supporting decision making and follow up Key performance indicators of IT processes Critical success factors of controls Control implementation choices Management Guidelines

110. 109 Management Guidelines Critical Success Factors l the most important things to do to increase the probability of success of the process l observable - usually measurable - characteristics of the organisation and process l are either strategic, technological, organizational or procedural in nature l focus on obtaining, maintaining and leveraging capability and skills l expressed in terms of the IT process, not necessarily the business

111. 110 Management Guidelines Key Goal Indicators l describe the outcome of the process and are therefore a ‘lag’ indicator, i.e., measurable after the fact l Are an indicator of the success of the process but may also be expressed in terms of the business contribution if that contribution is specific to the IT process l represent the process goal, i.e., a measure of “what”, a target to achieve l may also describe a measure of the impact of not reaching the process goal l KGIs are IT oriented but are also business driven l Are expressed in precise measurable terms wherever possible

112. 111 Management Guidelines Key Performance Indicators l are a measure of “how well” the process is performing l predict the probability of success or failure in the future, i.e. KPIs are ‘LEAD’ indicators l are process oriented but IT driven l focus on the process and learning dimensions of the balanced scorecard l are expressed in precise measurable terms l should help in improving the IT process

113. 112 Maturity Models Refer to business requirements and control capabilities at different levels Are scales that lend themselves to pragmatic comparison Are scales where the difference can be made measurable in an easy manner Are recognizable as a “profile” of the enterprise in relation to IT governance and control Assist in determining As-Is and To-Be positions relative to IT governance and control maturity Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level

114. 113 012345 Non- Existent InitialRepeatableDefinedManagedOptimised Enterprise current status International standard guidelines Industry best practice Enterprise strategy Legend for symbols usedLegend for rankings used 0 - Management processes are not applied at all 1 - Processes are ad hoc and disorganised 2 - Processes follow a regular pattern 3 - Processes are documented and communicated 4 - Processes are monitored and measured 5 - Best practices are followed and automated Start from a Maturity Model for Self-Assessment

115. 114 Measures?Scales? Indicators?

116. 115 Generic Maturity Model - Dimensions l Understanding and awareness l Training and communications l Process and practices l Techniques and automation l Compliance l Expertise

117. 116 Generic Maturity Model - Dimensions

118. 117 0 Non-Existent. Complete lack of any recognizable processes. The organisation has not even recognised that there is an issue to be addressed. 1 Initial. There is evidence that the organisation has recognized that the issues exist and need to be addressed. There are however no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized. 2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely. 3 Defined. Procedures have been standardized and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices. 4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way. 5 Optimized. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt. Generic Maturity Model

119. 118 In summary Maturity Models Refer to business requirements and the enabling aspects at the different levels Are scales that lend themselves to pragmatic comparison Are scales where the difference can be made measurable in an easy manner Are recognisable as a “profile” of the enterprise in relation to IT governance and control Assist in determining As-Is and To-Be positions relative to IT governance and control maturity Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level

120. 119 IT Governance Guideline Governance over IT and its processes with goal of adding value to the business, while balancing risk versus return ensures delivery of information to the business that addresses the required information criteria and is measured by KGIs is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT considers CSFs that leverage all IT resources and is measured by KPIs

121. 120 Objectives  understand the issues and the strategic importance of IT  ensure that the enterprise can sustain its operations and  ascertain it can implement the strategies required to extend its activities into the future Goal  ensuring that expectations for IT are met and IT risks are mitigated Position  within broad governance arrangements that cover relationships among the entity's management and its governing body, its owners and its other stakeholders and providing the structure through which:  the entity's overall objectives are set  the method of attaining those objectives is outlined  the manner is which performance will be monitored is described IT governance summarized

122. 121 Audit Organization  Use CobiT to identify and assess risk of IT processes  Use CobiT-related matrices in standard audit work programs  Frame IT audits via CobiT  Development of MAS focused on CobiT

123. 122 Cobitizing Audit -- Phases  Self assessment and modification  Internal audit guidelines – Text of policy & procedure manual – Generic work programs and matrices  Overall audit planning  Engagement planning  Discussions with auditees for self assessment  Modify QA to include CobiT  Strengthen focus on business processes, system integrity, and IT environment

124. 123 CobiT Recognizes  IT is an integral part of the organization  IT governance is an integral part of corporate governance  Focus on control objectives can strengthen appropriateness and use of internal controls  Measurement is crucial to internal control  Monitoring and evaluation are integral to a system of internal control

125. 124 Learned So Far òNeed Internal Control refresher course covering control models (such as COSO), CobiT, internal control acts, SAS 78, techniques in evaluating controls ò There are good opportunities to leverage the understanding of internal controls and CobiT among management and staff, auditors, out-sourced services, academic community, and vendors

126. 125 Learned So Far ò Audit Teams and auditees seem to have better understanding of control objectives with CobiT ò Increased consistency of discussions regarding IT domains, control objectives and controls ò Increased emphasis on information criteria

127. 126 Learned So Far ò Pilot use of CobiT ò Network and share “ideas” on CobiT ò CobiT has assisted identification of IT- related processes, who performs them, and who is responsible ò CobiT provides Value-Added opportunities and time savings ò CobiT reinforces the final objective of effective and efficient operations

128. 127 A Tip regarding CobiT  CobiT is generic - adapt it to your organization in cooperation with the business-process owners! – Determine focus (quality, security, fiduciary) – Harmonize existing policies and procedures with CobiT – Determine control responsibilities – Identify key performance indicators and critical success factors

129. 128 Another Tip or Two  Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework  For auditors and reviewers, provide sufficient time for using CobiT in pre-audit and engagement planning.  Promote discussions on CobiT  Identify CobiT as a control framework and basis for benchmark criteria and evaluation

130. 129 The Last of the Tips  Use CobiT initially as a control model and tool to assist controls evaluations, framing audits, identifying criteria, and performing high-level benchmarking.  Share your insights regarding control design and evaluation  Study the Management Guidelines

131. 130 4 major elements COBIT as an open standard for increased world-wide adoption covering summary, framework and detailed control objectives; Three proprietary guideline products -- Implementation Tool Set : how to introduce the C OBI T standard in the enterprise -- Audit Guidelines : how to audit against the standard -- Management Guidelines : how to benchmark, implement and self-assess C OBI T Product Family

132. 131 CobiT For additional information: www.isaca.org www.ITgovernance.org or email or give me a call at (617) 727-6200 ext 135

133. Go Forth Safely And C OBI T ize Thank You 132