Page 1

CobiT in support of IT Governance, Management and Assurance

Erik Guldentops, CISA, CISM
Executive Professor, University of Antwerp – Management School, BE
Advisor to the Board, IT Governance Institute, USA
<[email protected]>

AIEA - ISACA Milano, 20th National Conference on IT Audit
Verona, May 25-26, 2006

Page 2

eg26042006-2

AGENDA

• What makes IT Governance so important?
• IT Governance needs a control framework
• The principle behind the CobiT Framework
• The major changes of CobiT4.0
• The strategy and products for CobiT4.1
• Relation of CobiT and IT Governance
• Conclusions

Page 3

Increasing Expectations of the IT Function

[Diagram: expectations of the IT function move along a Cost to Value axis, driven by internal and external stakeholders who weigh Benefits against Risk; the destination is IT Governance.]

Cost:
• Ivory tower
• IT projects
• Big spender
• Cost
• Mysterious
• Driving
• Ignoring

Value:
• Integrated with the business
• IT-enabled business initiatives
• IT has no budget and delivers no value
• Value = (benefits - cost) adjusted for risk
• Being transparent
• Enabling
• Taking ownership

Internal & external stakeholders: CEO, Board of Directors, CFO, Audit Committee, COO, Shareholders, Head of IA, Regulators, Directors, Capital Markets, Business Partners, Employees, Others

IT Governance

Page 4

What makes IT Governance so important?

Gartner – more than 600 billion $ thrown away annually on ill-conceived or ill-executed IT projects

Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful

[Chart: Standish Group project outcomes (Successful / Failed / Challenged, 0% to 100%) for 1998, 2000, 2002 and 2004]

ITGI 2005 Survey early findings confirm concerns:
• Low return from high-cost IT investments, and transparency of IT’s performance are two of the top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investment has doubled in 2 years (28 to 58%)

DRIVERS
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment


Page 6

What makes IT Governance so important?

Business and Operational Management want Value Transparency and Risk Mitigation

Surveys by PwC for the IT Governance Institute, Sep-Oct 2003 and Sep-Oct 2005

DRIVERS
• Strategic importance of IT
• Extended Enterprise
• Regulatory requirements
• Cost optimisation
• Return on investment

Issue (rank)                                            2003  2005
Inadequate view on how well IT is performing              1     4
Operational failures of IT                                2     3
Amount of security problems and incidents                 3     7
High cost of IT with low return on investment             4     2
IT staffing problems                                      5     1
Lack of knowledge of critical systems                     6     -
Disconnect between IT strategy and business strategy      7     6
Unmanaged dependencies on entities beyond own control     8     5
IT not meeting compliance requirements                    -     8

• More problems (operational; security)
• Transparency still an issue but shift to value
• Alignment slightly better
• Compliance top of agenda

Page 7

What makes IT Governance so important?

Additional spending in Information Technology can raise productivity…..

…..but only in well managed companies!

In October 2006 McKinsey and the London School of Economics measured the increase in productivity from investments in IT versus investments in management practices in 100 enterprises.

[Chart: productivity gain by Management Practices Score (0-25, 26-50, 51-75, 76-100) against intensity of IT deployment (25th percentile and above vs. 75th percentile and above); gains shown: 0%, +2%, +8%, +20%]

Page 8

What makes IT Governance so important?

IT Governance Domains
1. Strategic Alignment – aligning with the business and providing collaborative solutions
2. Value Delivery – focus on IT expenses and proof of value
3. Resource Management – knowledge, infrastructure and partners
4. Risk Management – safeguarding assets and disaster recovery
5. Performance Measurement – IT Scorecards

[Chart: for each domain, share of respondents "Doing something about it" vs. "Not doing something about it", 2003 and 2005]


Page 10

IT Governance needs a control framework

• ITIL for service delivery
• CMM for software development
• Prince2 for project management
• …..

[Diagram: the IT Governance Domains (Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement) mapped to governance activities (Strategy, Planning, Value delivery, Performance measurement, Risk management, Control and assessment) across four layers: Strategic, Process Control, Process Execution, Work Instruction. Frameworks placed on the layers: COBIT, ITIL, CMM, BS 7799.]


Page 12

IT Governance needs a control framework

CobiT: a generally accepted “de facto” standard

How does it make other standards better?
• Integrator of technical standards
• Interface to business standards

Page 13

Why does IT need a control framework?

• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Sheer scale and cost of the current and future investments in information and information systems
• The need to comply with regulations
• Potential to dramatically change processes, organisations and business practices, create new opportunities and reduce costs

Page 14

Why does IT need a control framework?

Not only are risks mitigated, there is also assurance that objectives are achieved:
• cost, time and functionality are as expected and promised benefits are returned
• risks are mitigated and resources are responsibly managed
• opportunities for process, product and services are leveraged

The solution: a management control framework that
• Supplies a common language for IT activities and key management practices – to avoid misunderstandings, to have efficient dialogues and to enable synergy
• Provides a business focus and supports governance expectations – to enable alignment between business and IT and engage the executives
• Organises IT tasks and activities into discrete processes – to define scope, responsibilities and extent of coverage
• Is consistent with generally accepted IT good practices and corporate governance standards – to be generally acceptable and to have a provably complete basis to select from


Page 16

An IT control framework based on generally accepted IT management principles

Generally Accepted IT Management Principles

MISSION AND STAKEHOLDERS
1. IT enables the business to deliver value, mitigates IT-related risks and responsibly manages the resources entrusted to it. The executive provides direction, the business drives what needs to be done and focuses on the associated benefits, and IT drives how it is done and focuses on the associated costs.

GOVERNANCE
2. IT is governed by processes, practices and leadership that direct and monitor the achievement of IT goals that are aligned with and support the business goals. Business executives as well as those responsible for enterprise governance have a decision-making role relative to IT.

POLICIES AND PRACTICES
3. IT is governed with clearly communicated policies and practices that are based on generally accepted governance and control frameworks that are properly adapted to the enterprise.

MEASUREMENT AND IMPROVEMENT
4. IT continuously improves based on efficient measurement and transparent reporting of performance and outcomes that reflect the IT goals and IT’s contribution to the business.

ACCOUNTABILITY AND PROCESS RESPONSIBILITY
5. IT is organised along the generally accepted lines of responsibility of Plan, Build, Run and Monitor. Within these domains IT is organised into processes with clear ownership, roles and responsibilities, as well as process goals that support IT’s goals.

SOLUTION DELIVERY
6. IT delivers solutions based on stakeholder-approved requirements and business cases, managed by established development and project management practices.

SERVICE DELIVERY
7. IT provides services managed by service level agreements and established quality and security management practices, including accurate costing and full and fair allocation of costs based on benefits derived.

RESOURCE MANAGEMENT
8. IT manages the resources entrusted to it through resource inventories and portfolios, by maintaining the usefulness, capability and quality of the resources, and by leveraging them optimally for solution and service delivery.

RISK MANAGEMENT
9. IT mitigates its risks through regular analysis of what can go wrong, initiating corrective action where necessary and transparency of risk exposures and mitigation status.

CONTROL REQUIREMENTS
10. Business goals, governance requirements, regulatory compliance and enterprise risk tolerance determine important IT processes and critical resources, and the associated control requirements are extracted from a generally accepted IT control framework.

Page 17

COBIT Framework

Governance Drivers

Business Goals

Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability

IT RESOURCES
• Applications
• Information
• Infrastructure
• People

PLAN AND ORGANISE
• Strategy and tactics
• Vision planned
• Organisation and infrastructure

ACQUIRE AND IMPLEMENT
• IT solutions
• Changes and maintenance

DELIVER AND SUPPORT
• Delivery of required services
• Set up of support processes
• Processing by application systems

MONITOR AND EVALUATE
• Assessment over time, delivering assurance
• Management’s oversight of the control system
• Performance measurement


Page 19

CobiT: An IT control framework

CobiT4.0 provides a better interface to the business and IT Governance layer of the enterprise, but also to the operational layer, with a better interface to operational standards and practices.

• Full IT governance framework and IT governance best practices to foster compliance and increase the value of IT
• Stronger business focus and more specificity on process ownership and responsibilities, enabling strategic alignment and making implementation easier
• Easier to design IT scorecards with goals and metrics material, with greater focus on process performance via the key activities
• Better understanding of scope and purpose of IT processes with process definitions, relationships, activities and responsibilities
• Key elements remain Control Objectives, Control Practices and Maturity Models

Page 20

Linking Business and IT Goals

Business Goals

IT Goals

IT Processes

• Where to start
• Results all over the place
• Repetition
• Hard to do

Page 21

Linking Business and IT Goals

[Diagram: Governance Drivers, Business Outcomes, Business Goals, IT Goals and IT Processes, shown over the enterprise architecture for IT (Applications, Information, Infrastructure, People). IT Processes need Infrastructure & People, run Applications and deliver Information. Business Governance weighs Risk and Value in terms of Agility, Return, Compliance, Comfort and Functionality.]

Page 22

Linking Business and IT Goals

Page 23

Linking IT Goals to IT Processes

Page 24

Linking Business and IT Goals

Business Goals for IT

IT Goals

Process Goals

CobiT Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability

Business Requirements: who needs what information, where and in what form, in order for the business to achieve its objectives

IT Resources: People, Applications, Information, Infrastructure

Page 25

Goals and Metrics – Linking IT Goals to IT Metrics

[Diagram: Business Goal defines IT Goal, which defines Process Goal, which defines Activity Goal; the "drives" arrows run in the opposite direction, from Activity Goal back up to Business Goal.]

Each goal is measured by its metric:
• Business Goal – Business Metric
• IT Goal – IT Metric
• Process Goal – Process Metric
• Activity Goal – Activity Metric

Key goal indicator (KGI); Key performance indicator (KPI)

Page 26

Goals and Metrics – security example

Business Goal: Maintain enterprise reputation and leadership
  is measured by Business Metric (KGI): Number of incidents causing public embarrassment

IT Goal: Ensure IT services can resist and recover from attacks
  is measured by IT Metric (KPI / KGI): Number of actual IT incidents with business impact

Process Goal: Detect and resolve unauthorised access to information, applications & infrastructure
  is measured by Process Metric (KPI / KGI): Number of actual incidents because of unauthorised access

Activity Goal: Understanding security requirements, vulnerabilities and threats
  is measured by Activity Metric (KPI): Frequency of review of the type of security events to be monitored

Cycle: Define goals → Drive performance → Measure achievement → Improve and re-align

Page 27

New Framework Layout

• Process description
• IT domain & Information indicators
• IT Governance & IT Resource indicators
• IT goals
• Process goals
• Key practices
• Key metrics

Page 28

Management Guidelines Update

Key Activities – RACI Chart (PO1)

Major activities and associated responsibilities are added with a RACI Chart.

Roles (columns): CEO, CFO, Business Exec, CIO, Business Sr Mngmt, Head Operations, Chief Architect, Head Development, Head IT Admin, PMO, CA, RS

Activities (rows):
1. Link business goals to IT goals
2. Identify critical dependencies and current performance
3. Build IT strategic plan
4. Build IT tactical plans
5. Analyze and manage project and service portfolios

RACI assignments as extracted (column alignment lost): C I A/R R CC C R A/R C C C C C CA C C R I C C C C I CC I A C C C C C R IC I I A R R C R C C I

Process inputs and deliverables describe the activity flow and process relationships (PO1).

Inputs:
• Risk Appetite
• Business Strategy
• Understanding of the business context, capability and capacity
• Mission and Goals

Outputs:
• Service Portfolio
• Project Portfolio
• Tactical Plan
• Strategic Plan

Page 29

Management Guidelines Update

• Process Relationship
• Key activities and responsibilities
• Goals and metrics

Page 30

Conclusion

[Diagram: COBIT, IT Governance, Implementation]


Page 32

STRATEGY – COBIT4.1 and supporting products

IT Governance, the What and the How

WHAT
• CobiT4.0
• Control Practices and Assurance Steps

HOW
• Board Briefing
• CIO Baseline for IT Governance
• Executive Baseline for IT Governance
• IT Governance Implementation Guide using CobiT
• Audit Director Baseline for IT Governance
• IT Governance Assurance Guide using CobiT

Page 33

STRATEGY – COBIT4.1 and supporting products

IT Control Practices and Assurance Steps

• Provide guidance for usage and customisation of control practices and associated assurance steps based on a strong framework and concepts
• Supported with representative value and risk drivers, linking back to business and IT goals
• IT Control Practices objective is to
  – Suggest the different steps necessary and sufficient to achieve a control objective
  – Leverage old ITCP’s, align with CobiT4.0 and improve
• IT Assurance Steps objective is to
  – Provide guidance on how to obtain assurance about achievement of the control objective, leveraging the old process audit guidelines
  – Not provide a detailed audit programme that can be ‘picked up and executed’
  – Provide the basis for an auditor with some experience to very efficiently develop audit programmes that can be ‘picked up and executed’

Page 34

STRATEGY – COBIT4.1 and supporting products

IT Control Practices Approach

• A non-prescriptive control design for achieving the control objective
• Action oriented, enabling timely execution, and measurable
• Relevant to the purpose of the control objective
• Covering all inputs, activities and outputs of the process
• Supporting clear roles and responsibility including segregation
• Concepts of active and passive components
• Generic and specific practices

Page 35

STRATEGY – COBIT4.1 and supporting products

IT Assurance Steps Approach

• Testing of a control approach covering 4 assurance objectives
  1. Existence
  2. Design effectiveness
  3. Operating effectiveness (implemented, consistent application and proper use)
  4. Design and operating efficiency (cost/benefit and possible use of automation)
• Providing 3 types of assurance guidance
  – Testing the suggested control design
  – Testing control objective achievement
  – Documenting impact of control weaknesses
• Tests based on a documented taxonomy of relevant assurance methods
  – Enquire and confirm (via different source)
  – Inspect (walk-through, search, compare, review)
  – Observe (confirmation is inherent)
  – Re-perform or re-calculate and analyse (often based on a sample)
  – Automated evidence collection (sample, trace, extract) and analyse

Page 36

STRATEGY – COBIT4.1 and supporting products

IT Assurance Steps Approach

E - Enquiry and confirmation
• search for exceptions/deviations and examine
• investigate unusual or non-routine transactions/events
• check/determine whether something has (not) occurred (sample)
• corroborate management statements from independent sources
• interview and assess staff knowledge and awareness
• reconcile transactions (sample)
• ask questions of management and obtain answers to confirm findings

I – Inspection
• physically inspect presence (documentation, assets, etc)
• walk-through installations, plans etc
• code walk-through
• review plans, policies and procedures
• search audit trails, problem logs etc
• trace transactions through the process/system
• compare actual with expected findings

O – Observation
• Process
• Procedures
• compare actual with expected behaviour

R - Re-performance/Recalculation (sample and/or key actions/transactions)
• independently develop and estimate
• attempt what is prevented
• perform what is detected
• re-perform transactions, control procedures etc
• recalculate independently
• compare e.g. expected value with actual value
• compare actual with expected behaviour

A - Automated evidence collection
• sample data
• use embedded Audit Modules
• analyse data using CAATS or other interrogation tools
• trace transactions through the process/system
• extract exceptions or key transactions

Page 37

IT Control Practices and Assurance Steps

Control Objective
PO1.3 Assessment of Current Performance: Assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.

Why do it? (Value / Risk)
• IT plans contribute to the attainment of the organisation's mission and goals
• Identifying opportunities for leveraging the current IT infrastructure
• Allow planning assumptions to be validated and changed
• Take appropriate remedial action in response to service and solutions delivery deviations

Control Practices and Test Descriptions
1. Control practice: Capture and report feedback from IT, organization management and key stakeholders on the current systems. Consideration includes strengths and weaknesses, degree of business automation, stability, complexity, development requirements, support and maintenance requirements, costs and external parties' input (including business partners and vendors).
   Test: Confirm that a system exists to capture and report feedback on current systems. Verify that the system is being used consistently by IT, organization management and key stakeholders to give feedback on various considerations of the current system.
2. Control practice: Review the achievement of agreed targets defined within the tactical IT plan. The outcome of the evaluation includes, but is not restricted to, current requirements, current delivery to requirements, barriers to delivery of requirements, and the steps and costs required to remove restrictions.
   Test: Confirm that reviews are made regarding agreed targets within the tactical IT plan and that appropriate outcomes are determined.
3. Control practice: Assess and agree the proposed amendments to the tactical and strategic IT plans, based upon the results of the assessment of the current performance.
   Test: Enquire and confirm that proposed amendments are assessed and agreed upon.
4. Control practice: Benchmarking against well-understood and reliable industry norms is an integral component of the assessment of existing systems and capabilities.
   Test: Confirm that benchmarking against industry norms is used to help assess existing systems and capabilities.

STRATEGY – COBIT4.1 and supporting products

Page 38


IT Control Practices and Assurance Steps (the PO1.3 control practices table, annotated with three types of testing)

TYPE 1 – Testing the Control Practices: summarising the detailed testing steps currently available after quality reviewing them.

TYPE 2 – Testing achievement of the CO outcome: capturing those tests from the current list that verify outcome and complementing them with extracts from step 3 of the old Audit Guidelines.

TYPE 3 – Documenting the impact of not achieving the CO outcome: leveraging the generic advice on the next foils and complementing it with extracts from step 4 of the old Audit Guidelines.

STRATEGY – COBIT4.1 and supporting products

Page 39

IT Governance, the What and the How (diagram, labelled WHAT and HOW)

Products: Board Briefing; Baseline for IT Governance (CIO, Executive and Audit Director versions); IT Governance Implementation Guide using CobiT; IT Governance Assurance Guide using CobiT

CobiT components: Framework, Control Objectives, Management Guidelines, Maturity Models; Control Objective, Control Practices, Assurance Approach, Value, Risk

STRATEGY – COBIT4.1 and supporting products

Page 40

IT Assurance Activities (matrix diagram)

Types of Assurance: Financial Statement, Compliance, Internal Control, 3rd Party, System Reliability, Due Diligence, Operations, Projects, Process Improvement

Assurance Stages: Determine responsible party and intended user of assurance output; Determine nature of the subject matter; Define and agree evaluation criteria; Collect evidence; Assess evidence; Make judgement; Report and conclude

Activities:
• Q&D risk assessment
• Diagnose operational and project risk
• Operational audit
• Threat, vulnerability and business impact assessments
• Identify critical IT processes based on value drivers
• Assess process maturity
• Selecting the control objectives for critical processes
• Customising control objectives (add, delete, rewrite)
• Control Evaluation and testing
• Control self assessment
• Maturity based self-assessment
• Scope and plan self assessments
• Substantiating risk
• Effective audit reporting

Knowledge base: Assurance Steps, Activities; Control Objective, Assurance Approach, Value, Risk

Four step approach

2. Develop and expose the knowledge base
• Concept & design of IT control practices
• Approach to IT assurance
• Practices and Steps
• Argumentation

9. Align assessment steps of the Implementation & Assurance Guides

10. Update the Implementation Guide

11. Define, outsource and produce the Assurance Guide


COBIT4.1 – Assurance Guide


Page 41

IT Assurance Roadmap

PLANNING (output: Annual IT Audit Plan)
• Establish the IT audit universe
• Select an IT control framework
• Perform risk-based IT audit planning
• Perform high-level assessments
• Set the high-level assurance objectives

SCOPING (output: Scope & Objectives)
Business Goals → IT Goals → Key IT Processes and Key IT Resources → Key Control Objectives → Customised Key Control Objectives

TESTING (output: Audit Opinion)
• Obtain an understanding of the IT assurance subject
• Refine the scoping of key control objectives for the IT assurance subject
• Test the effectiveness of the control design of the key control objectives
• Alternatively / additionally test the outcome of the key control objectives
• Document impact of control weaknesses, comment on efficiency and provide an opinion

COBIT4.1 – Assurance Guide

Page 42

The Assurance Guide will provide the following type of advice

Level 1 – Control design of the Control Objective
• Generic: Understanding control practices; Understanding assurance objectives and test methods; Customising assurance steps; Testing application controls; Testing approach (levels, objectives, methods etc.)
• Process: Using the generic process controls and associated practices and assurance steps
• Control Objective: Test steps for the generic control practices and how to apply them; Test steps for the specific control practices and how to apply them

Level 2 – Outcome of the Control Objective
• Generic: How to leverage process output quality, 'why do it' statements as well as IT, process and activity goals, to test the outcome of the control objectives applied to the process
• Process: Provide some representative examples based on step 3 material of the old AG and the generic advice
• Control Objective: none

Level 3 – Impact of Control Weaknesses
• Generic: Generic approach to documenting actual control weakness impact; More specific advice on how to document actual and possible impact; Possibly expand with guidance on how to develop realistic risk scenarios to substantiate possible impact
• Process: Provide some representative examples based on step 4 material of the old AG and the generic advice
• Control Objective: none

STRATEGY – COBIT4.1 and supporting products

Page 43

How IT Assurance Activities can leverage CobiT Components

IT Assurance Activities:
◊ Q&D risk assessment
◊ Diagnose operational and project risk
◊ Threat, vulnerability and business impact assessments
◊ Risk based audit planning
◊ Identify critical IT processes based on value drivers
◊ Assess process maturity
◊ Audit scoping and planning
◊ Selecting control objectives for critical processes
◊ Customising control objectives
◊ Control Evaluation and testing
◊ Build a detailed audit program
◊ Control self assessment
◊ Maturity based self-assessment
◊ Scope and plan self assessments
◊ Substantiating risk
◊ Effective audit reporting

CobiT Components:
◊ COBIT Processes List
◊ High-level and detailed Control Objectives
◊ Information Criteria
◊ IT resources
◊ IT governance domain indicators
◊ Inputs & Outputs
◊ Key Activities and RACI chart
◊ IT, process and activity goals
◊ IT, process and activity metrics
◊ Maturity Models
◊ Risk & value statements
◊ Control Practices
◊ Board Briefing on IT Governance
◊ Information Security Board Briefing
◊ Management Awareness & Diagnostic Tools
◊ Assurance and Implementation Guidelines
◊ QuickStart
◊ COBIT Security Baseline
◊ VALIT
◊ CobiTOnline - Browsing & Filtering, Benchmarking
◊ COBIT Mapping

COBIT4.1 – Assurance Guide

Page 44

IT Assurance Activities and CobiT Components (matrix: IT Assurance Activity × CobiT Component)

CobiT Components (columns): COBIT Processes List; High-level and detailed Control Objectives; Information Criteria; IT resources; IT governance domain indicators; Inputs & Outputs; RACI chart; IT, process and activity goals; IT, process and activity Key Goal Indicators; Maturity Model; Control Practices - Risk & value; Control Practices; Board Briefing on IT Governance; Information Security Board Briefing; Management Awareness Tool; Diagnostic Tool; Assurance Guidelines (incl. Assurance steps); Implementation Guidelines; QuickStart; COBIT Security Baseline; VALIT; CobiTOnline - Browsing & Filtering; CobiTOnline - Benchmarking; COBIT Mapping Series

IT Assurance Activities (rows): Q&D risk assessment; Diagnose operational and project risk; Threat, vulnerability and business impact assessments; Risk based audit planning; Identify critical IT processes based on value drivers; Assess process maturity; Audit scoping and planning; Selecting the control objectives for critical processes; Customising control objectives (add, delete, rewrite); Control Evaluation and testing; Build a detailed audit program; Control self assessment; Maturity based self-assessment; Scope and plan self assessments; Substantiating risk; Effective audit reporting

COBIT4.1 – Assurance Guide

Page 45

Convergence of Scoping Methods (diagram)

Diagram labels: MAPPING (IT Controls, IT Control Framework); SCOPING (IT components, Enterprise Environment); Drivers for the Objective; RISK: Assessment against the objective

IT Components: processes, systems, applications, information, infrastructure, people...

Converging methods: Value Analysis, Risk Assessment, Assurance Scoping

COBIT4.1 – Assurance Guide

Page 46

Convergence of Scoping Methods: scoping control requirements and audit coverage (diagram: Control Objectives × IT Components)

For each control objective and IT component: is it likely that non-achievement of this control objective for this component has a material effect?

Summarise (control requirements):
• Is implementation needed?
• Are point solutions sufficient?
• Is an enterprise-wide solution needed?

Summarise (audit coverage):
• Develop audit programme
• Determine depth and scope of testing

Converging methods: Value Analysis, Risk Assessment, Assurance Scoping

COBIT4.1 – Assurance Guide

Page 47

Implementation Guide: the Identify Needs section mapped to the assurance approach (diagram)

Implementation roadmap phases: Identify Needs, Envision Solution, Plan Solution, Implement Solution

Roadmap steps: Raise awareness & obtain commitment; Analyse business & IT goals; Select processes & controls; Analyse risks; Finalise scope; Define actual performance; Define target for improvement; Analyse gaps & identify improvements; Define projects; Develop improvement plan; Implement the improvements; Integrate measures into ITBSC; Post Implementation Review; Build Sustainability; Develop IT Governance Organisation Structures and Processes

Assurance view of the Identify Needs steps (Raise awareness & obtain commitment; Analyse business & IT goals; Select processes & controls; Analyse risks; Finalise scope):
• Understand background, set assurance scope and objectives. Define organisation, roles, responsibilities and required resources. Define IT Control framework and supporting processes (agreed control objectives aligned to IT domains for the assurance review). Communicate aims and objectives to all stakeholders. Obtain agreement.
• Understand business processes concerned. Understand business goals and IT relevance. Define IT goals (for assurance requirements). Understand IT organisation and roles.
• Identify in-scope IT processes and IT control objectives and identify in-scope IT components (people, applications, infrastructure, information). Identify key control objectives by assessing if it is likely that non-achievement of the control objective for the IT component will have a material effect.
• Assess the inherent risk of material control objectives not being met, e.g. recent changes and incidents, audit history, self assessments and management monitoring. Assess the amount of assurance review and testing required.
• Set assurance strategy and refine scope and focus of the assurance approach based on risk. Adjust IT process, IT component and IT control objective selection as required. Determine documentation and testing approach to ensure most effective and efficient coverage of assurance objectives.

COBIT4.1 – Implementation Guide

Identify Needs Section

• Update Identify Needs section in line with scoping

• Align with CobiT4.0

• Add IT Control Practices

Page 48

COBIT4.1 Product Strategy (overview diagram, labelled WHAT and HOW)

CobiT core: Framework, Control Objectives, Management Guidelines, Maturity Models

Control practice and assurance components: Control Objective, Control Practices, Assurance Approach, Value, Risk

Implementation Roadmap
• Identify needs: Raise awareness & make decision; Analyse values and risks; Select processes
• Envision the solution: Define where you are; Define where you want to be; Analyse gaps
• Plan the solution: Define projects; Develop & implement change plan
• Implement the solution: Integrate into day-to-day practices; Integrate measures into ITBSC

IT Assurance Activities (matrix of Types of Assurance × Assurance Stages, with Assurance Steps and Activities, as on the earlier slide)
Types of Assurance: Financial Statement, Compliance, Internal Control, 3rd Party, System Reliability, Due Diligence, Operations, Projects, Process Improvement
Assurance Stages: Determine responsible party and intended user of assurance output; Determine nature of the subject matter; Define and agree evaluation criteria; Collect evidence; Assess evidence; Make judgement; Report and conclude
Activities: Q&D risk assessment; Substantiating risk; Effective audit reporting; Scope and plan self assessments; Control self assessment; Maturity based self-assessment; Assess process maturity; Threat, vulnerability and business impact assessments; Selecting the control objectives for critical processes; Identify critical IT processes based on value drivers; Operational audit; Diagnose operational and project risk; Control Evaluation and testing; Customising control objectives (add, delete, rewrite)

Products: Board Briefing; Baseline for IT Governance (CIO and Executive versions); IT Governance Implementation Guide using CobiT; IT Governance Assurance Guide using CobiT

COBIT4.1 – Product Strategy

Page 49

AGENDA

• What makes IT Governance so important?
• IT Governance needs a control framework
• The Principle behind the CobiT Framework
• The major changes of CobiT4.0
• The strategy and products for CobiT4.1
• Relation of CobiT and IT Governance
• Conclusions

Page 50

COBIT : An IT governance framework
How has it evolved?

Evolution (an open standard at www.isaca.org):
• 1996 – COBIT1: Audit
• 1998 – COBIT2: Control
• 2000 – COBIT3: Management
• 2005 – COBIT4: Governance

Page 51

COBIT : An IT governance framework
How is it being used?

“CobiT is the framework that gives me an end-to-end view of IT.” – John Carrow, CIO, Unisys

“CobiT is an end-to-end catalogue of IT decisions.” – Simon Shapiro, CIO, Investec

Diagram: the CobiT Framework at the centre, used for IT Governance, Sarbanes-Oxley, Audit Methodology, Security Policy, Outsourcing and Process Standards.

Page 52

Common language

Shared understanding of value, risk, control and compliance requirements

Comfort about the IT organisation being able to deliver

Authoritative Basis re. third party and external assessments

Essential for IT Governance

Why should you adopt it?

COBIT : An IT governance framework

Page 53

COBIT : An IT governance framework

Executive Challenge (CEO and Board):
• maximizing profits
• controlling costs
• minimizing risk and ensuring compliance

World-class IT (CIO):
• Aligned with the business and providing transparent value
• Top management attention through appropriate IT governance mechanisms
• Engaged in performance measurement
• Committed to continuous improvement

IT governance practices and leadership, supported by frameworks like CobiT and ValIT, will help executives achieve these goals and get value from IT!

Page 54

COBIT : An IT governance framework

IT Governance has a high return on investment (chart: Management Practices Score against Intensity of IT deployment, from low to high; values shown 0, +2%, +8%, +20%)

IT governance needs a control framework that:
• Is strategically aligned
• Engages the executive level
• Can be reused for synergy

Diagram: the CobiT Framework linking IT Governance, Sarbanes-Oxley, Audit Methodology, Security Policy, Outsourcing and Process Standards.

IT governance begins with the Board asking some tough questions about IT

Page 55

AIEA - ISACA Milano
20th National Conference on IT Audit
Verona, May 25-26, 2006

For more information…
Information Systems Audit and Control Association (ISACA)
IT Governance Institute (ITGI)
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone +1.847.253.1545 (ISACA), +1.847.590.7491 (ITGI)
Fax +1.847.253.1443 (both)
ISACA E-mail [email protected], Web Site www.isaca.org
ITGI E-mail [email protected], Web Site www.itgi.org

Erik Guldentops
Advisor to the Board
The IT Governance Institute
E-mail [email protected], …@itgi.org

Page 56

Thank you for listening carefully to this presentation.

