CobiT for Internal Auditors
Lucas Kowal, AVP BNP Paribas NA
CPA, CISA, CISSP
Overview of CobiT
What is CobiT?
What CobiT is not!!
- Audit software
- An IT audit plan
- An IT Internal Audit workprogram
- An IT audit testing plan
- A guide on “How to Audit” IT
Then what is CobiT?
It is the Control Objectives for Information and related Technology.
A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
The CobiT Executive Summary and Framework were released in December 1995, the Control Objectives in April 1996, and the Audit Guidelines followed in September 1996.
A tool for IT professionals that links information technology and control practices.
CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.
CobiT represents:
1. A control framework,
2. a set of generally accepted control objectives, and
3. the CobiT Audit Guidelines.
CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.
CobiT is business process oriented: it provides business process owners with a framework that should enable them to control all the different activities underlying IT deployment.
What is the purpose of CobiT?
To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.
CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.
It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
Components of CobiT
The 4 Domains of CobiT
- MONITORING (MO)
- PLANNING & ORGANIZATION (PO)
- ACQUISITION & IMPLEMENTATION (AI)
- DELIVERY & SUPPORT (DS)
MONITORING (MO)
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.
- M1- Monitor the process
- M2- Obtain independent assurance
Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.
PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.
Is the IT strategy effectively controlled, and will it contribute to the business objectives?
- PO1- Define a strategic IT plan
- PO2- Define the information architecture
- PO3- Determine technological direction
- PO4- Define the IT organization and relationships
- PO5- Manage the investment in IT
- PO6- Communicate management aims and direction
- PO7- Manage human resources
- PO8- Ensure compliance with external requirements
- PO9- Assess risks
- PO10- Manage projects
- PO11- Manage quality
ACQUISITION & IMPLEMENTATION (AI)
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired, as well as implemented and integrated into the business process.
Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
- AI1- Identify solutions
- AI2- Acquire and maintain application software
- AI3- Acquire and maintain technology architecture
- AI4- Develop and maintain IT procedures
- AI5- Install and accredit systems
- AI6- Manage changes
DELIVERY & SUPPORT (DS)
Addresses the actual delivery of required information services.
Are information-related services delivered in a controlled manner?
- DS1- Define service levels
- DS2- Manage third-party services
- DS3- Manage performance and capacity
- DS4- Ensure continuous service
- DS5- Ensure systems security
- DS6- Identify and allocate costs
- DS7- Educate and train users
- DS8- Assist and advise IT customers
- DS9- Manage the configuration of IT systems
- DS10- Manage problems and incidents
- DS11- Manage data
- DS12- Manage facilities
- DS13- Manage operations
Overview of Internal Audit
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."(Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)
The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity’s procedures and related internal controls.
As Internal Auditors, we also provide control recommendations and controls advisory.
CobiT For Internal Auditors
Who uses CobiT in the Internal Audit world? Typically:
- The IT Auditor
- The Business Process Auditor
- The IT Inspection Team, or
- The IT Control Team
How is CobiT used by Internal Audit?
- Establishing control baselines and standards
- Facilitating and creating performance metrics for risk assessments
- Developing the audit plan
- Facilitating the audit
- Managing residual risk
- Issuing control advisory and recommendations to the IT groups
Audits that can be performed with the use of CobiT
1. Reviews of baselines and standards for IT
2. Information system implementations
   - Pre-implementation review
   - Implementation of controls
   - Certification reviews
   - Post-implementation review
3. Code development / source code management reviews
4. General controls reviews
5. Data center reviews
6. Audits of the business continuity program
7. Audits of security configuration
8. Reviews of security administration
9. Reviews of IT purchasing and procurement
10. Application reviews / audits
11. Audits of business processes
BE CREATIVE! How can you fit CobiT into your audit plan?
Applications of the 4 CobiT Domains
All of the discussed types of reviews can employ the 4 CobiT domains:
- MONITORING
- PLANNING & ORGANIZATION
- ACQUISITION & IMPLEMENTATION
- DELIVERY & SUPPORT
CobiT Trends
In general, each of the 4 domains can be applied to each review with careful planning.
All IT Audit reviews should have a component that covers:
- Management controls over the information
- Review of controls over the way that information is delivered / facilitated
- How the IT control review process works, and whether it is working effectively
With the right planning, all reviews can be performed with the use of the 4 domains as a reference, standard, and “Best Practice” template.
Top Ten Strengths of CobiT in Internal Audit
10. Control evaluation processes are standardized across the IT environment
9. Benchmarks and standards are portable throughout the IT environment
8. System management processes across different systems can be compared
7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives
6. A common language between auditee, auditor, user management and data owners is provided
5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control “Best Practices”
4. International IT Audit groups can share knowledge (i.e. workprograms, test plans)
3. Audit groups can recruit based on experience with an internationally recognized audit tool
2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
1. It’s just plain old fun!
Problems Inherent to the Implementation and Use of CobiT
CobiT is a control framework with Audit Guidelines. Therefore:
- It is NOT an audit plan
- It is NOT a workprogram
- It does NOT provide audit steps / techniques / procedures
- It does NOT define standards
- It does NOT define acceptable levels for IT processes
The use of CobiT requires a sufficient amount of experience with IT controls, because it does not detail the actual control verification and testing steps.
Problems Inherent to the Implementation and Use of CobiT
CobiT is time and resource intensive to implement:
- Steep learning curve
- New audit plans and workprograms
- New documentation methods needed
Although CobiT is process focused, CobiT-based reviews tend to be more system-focused. Few, if any, processes are composed of one system. All data flows between systems, so how are data flows evaluated? How can major information flow processes be evaluated within reasonable time constraints?
Opportunities to Implement CobiT
Ideal times to implement the CobiT framework:
- Beginning of an audit year
- During a reorganization of the audit department
- During a change of strategy for the IT Audit group
- Upon implementation of business process focused audits
Threats to CobiT in the Internal Audit World
- Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology
- Auditees can be unreceptive to controls-based recommendations as opposed to traditional IT recommendations
- If the audit staff does not have a sufficient amount of experience with IT controls, difficulties can arise in creating procedures to test for the existence of CobiT-prescribed controls
CobiT: A Real World Example at a Major International Financial Services Firm
Situation:
- A major international financial services firm uses the SWIFT network as a payment messaging system at its worldwide locations.
- All major locations of the financial services firm have their own “local” SWIFT systems installations.
- Worldwide IT Management seeks efficiencies and decides to “consolidate” SWIFT messaging systems to regional platforms.
- IT management’s strategy is to create three regional “hubs” for messages to flow through to the SWIFT network.
Internal Audit:
- Internal Audit conducted an IT Audit of the management strategy, selection, acquisition, implementation, and configuration of the new SWIFT Alliance messaging “hubs”.
- “Controls Advisory” was also provided as a complementary service.
- The CobiT methodology was used.
Examples of IT Audit’s Role
1. Participated on the SWIFT implementation team
2. Reviewed the project charter for financial, human resources, regulatory, compliance, and IT management strategy controls
3. Reviewed Service Level Agreements and contracts with vendors for controls prescribed by CobiT
4. Examined project details for the processes used to choose hardware, software, and implementation methods
5. Reviewed project plans for reasonableness and the ability to meet prescribed timelines
6. Performed reviews of SWIFT system configurations pre- and post-implementation
7. Examined regulatory constraints and gave opinions based on regulatory requirements
Highlights: Planning & Organization
- Reviewed the strategy and plan for management controls
- Critiqued the “new” IT architecture
- Monitored progress with respect to timelines
- Ensured that compliance and regulatory constraints were addressed during implementation
Highlights: Acquisition & Implementation
- Reviewed choices for messaging hub locations
- Reviewed alternatives for hardware and software
- Verified that changes were in compliance with CobiT and “best practices” for change control
- Determined whether procedures were created for the administration of the implemented system
Highlights: Delivery & Support
- Reviewed agreements with vendors and business partners for reasonableness and compliance with “best practices”
- Attended user training sessions
- Tested controls for security configuration and security administration
- Determined whether controlled procedures were created for administration and management of data, facilities, and operations
Highlights: Monitoring
- Determined whether controlled procedures were in place for the monitoring of the “new” SWIFT system
- Verified that monitoring procedures were in compliance with regulatory requirements
Questions?
Lucas Kowal, CPA is an AVP of Information Systems Audit at the international financial services conglomerate, BNP Paribas. Mr. Kowal has several years of audit and consulting experience of information systems and technology applications having worked with Arthur Andersen’s Technology Risk Consulting Group and the Depository Trust Clearing Co. prior to joining BNP Paribas.
In addition to being a Certified Public Accountant (CPA-NY), Lucas has attained both the Certified Information Systems Auditor (CISA) accreditation and the Certified Information Systems Security Professional (CISSP) accreditation. Lucas is a graduate of the prestigious BS (Public Accounting) / MBA (Management Information Systems) program from the State University of New York at Buffalo.
Lucas can be reached at [email protected]