CobiT in support of IT Governance, Management and Assurance
Erik Guldentops, CISA, CISM
Executive Professor, University of Antwerp – Management School, BE
Advisor to the Board, IT Governance Institute, USA
AIEA - ISACA Milano, 20th National Conference on IT Audit
Verona, May 25-26, 2006
eg26042006-2
AGENDA
• What makes IT Governance so important?
• IT Governance needs a control framework
• The Principle behind the CobiT Framework
• The major changes of CobiT 4.0
• The strategy and products for CobiT 4.1
• Relation of CobiT and IT Governance
• Conclusions
Increasing Expectations of the IT Function

Internal & External Stakeholders: CEO, Board of Directors, CFO, Audit Committee, COO, Shareholders, Head of IA, Regulators, Directors, Capital Markets, Business Partners, Employees, Others

Cost view of IT (where expectations started):
• Ivory tower
• IT projects
• Big spender
• Cost
• Mysterious
• Driving
• Ignoring

Value view of IT (benefits and risk, where expectations are heading):
• Integrated with the business
• IT-enabled business initiatives
• IT has no budget and delivers no value
• Value = (benefits - cost) adjusted for risk
• Being transparent
• Enabling
• Taking ownership

IT Governance
What makes IT Governance so important?

Gartner – more than 600 billion $ thrown away annually on ill conceived or ill executed IT projects
Standish Group – about 20% of projects fail outright, 50% are challenged and only 30% are successful
[Chart: Standish Group project outcomes, share successful / challenged / failed, for 1998, 2000, 2002 and 2004]

ITGI 2005 Survey early findings confirm concerns:
• Low return from high-cost IT investments, and transparency of IT's performance are two of the top issues
• More than 30% claim negative return from IT investments targeting efficiency gains
• 40% do not have good alignment between IT plans and business strategy
• Interest in and use of active management of the return on IT investment has doubled in 2 years (28 to 58%)

DRIVERS: Strategic importance of IT • Extended Enterprise • Regulatory requirements • Cost optimisation • Return on investment
What makes IT Governance so important?

Business and Operational Management want Value Transparency and Risk Mitigation
Surveys by PwC for the IT Governance Institute, Sep-Oct 2003 and Sep-Oct 2005 (rank of the concern in each survey; "-" = not ranked that year)

Concern                                                    2003  2005
Inadequate view on how well IT is performing                  1     4
Operational failures of IT                                    2     3
Amount of security problems and incidents                     3     7
High cost of IT with low return on investment                 4     2
IT staffing problems                                          5     1
Lack of knowledge of critical systems                         6     -
Disconnect between IT strategy and business strategy          7     6
Unmanaged dependencies on entities beyond own control         8     5
IT not meeting compliance requirements                        -     8

• More problems (operational; security)
• Transparency still an issue, but shift to value
• Alignment slightly better
• Compliance top of agenda
What makes IT Governance so important?

Additional spending in Information Technology can raise productivity.....
.....but only in well managed companies!
In October 2006 McKinsey and the London School of Economics measured the increase in productivity from investments in IT versus investments in management practices in 100 enterprises.

Productivity increase by management practices score (rows) and intensity of IT deployment (columns), reconstructed from the chart:

Management practices score           Lower IT deployment   Higher IT deployment
75th percentile and above                   +8%                  +20%
25th percentile and above                    0%                   +2%
What makes IT Governance so important?

IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
1. Strategic Alignment: aligning with the business and providing collaborative solutions
2. Value Delivery: focus on IT expenses and proof of value
3. Resource Management: knowledge, infrastructure and partners
4. Risk Management: safeguarding assets and disaster recovery
5. Performance Measurement: IT Scorecards
[Chart: for each domain, share of respondents "doing something about it" versus "not doing something about it", 2003 and 2005]
IT Governance needs a control framework

ITIL for service delivery
CMM for software development
Prince2 for project management
.....

IT Governance Domains: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement
Governance: Strategy, Planning, Value delivery, Performance measurement, Risk management, Control and assessment

Layers, from the governance level down to the work floor, and where the standards sit in the figure:
• Strategic: COBIT
• Process Control: COBIT
• Process Execution: ITIL, CMM, BS 7799
• Work Instruction: work instruction 1, 2, 3, 4, 5, 6 ... per process
IT Governance needs a control framework

CobiT: a generally accepted "de facto" standard
How does it make other standards better?
• Integrator of technical standards
• Interface to business standards
Why does IT need a control framework?

• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Sheer scale and cost of the current and future investments in information and information systems
• The need to comply with regulations
• Potential to dramatically change processes, organisations and business practices, create new opportunities and reduce costs
Why does IT need a control framework?

Not only must risks be mitigated; there must also be assurance that objectives are achieved:
• cost, time and functionality are as expected and promised benefits are returned
• risks are mitigated and resources are responsibly managed
• opportunities for processes, products and services are leveraged

The solution: a management control framework that
• Supplies a common language for IT activities and key management practices: to avoid misunderstandings, to have efficient dialogues and to enable synergy
• Provides a business focus and supports governance expectations: to enable alignment between business and IT and engage the executives
• Organises IT tasks and activities into discrete processes: to define scope, responsibilities and extent of coverage
• Is consistent with generally accepted IT good practices and corporate governance standards: to be generally acceptable and to have a provably complete basis to select from
Generally Accepted IT Management Principles

Mission and Stakeholders
1. IT enables the business to deliver value, mitigates IT-related risks and responsibly manages the resources entrusted to it. The executive provides direction, the business drives what needs to be done and focuses on the associated benefits, and IT drives how it is done and focuses on the associated costs.

Governance
2. IT is governed by processes, practices and leadership that direct and monitor the achievement of IT goals that are aligned with and support the business goals. Business executives as well as those responsible for enterprise governance have a decision-making role relative to IT.

Policies and Practices
3. IT is governed with clearly communicated policies and practices that are based on generally accepted governance and control frameworks, properly adapted to the enterprise.

Measurement and Improvement
4. IT continuously improves based on efficient measurement and transparent reporting of performance and outcomes that reflect the IT goals and IT's contribution to the business.

Accountability and Process Responsibility
5. IT is organised along the generally accepted lines of responsibility of Plan, Build, Run and Monitor. Within these domains IT is organised into processes with clear ownership, roles and responsibilities, as well as process goals that support IT's goals.

Solution Delivery
6. IT delivers solutions based on stakeholder-approved requirements and business cases, managed by established development and project management practices.

Service Delivery
7. IT provides services managed by service level agreements and established quality and security management practices, including accurate costing and full and fair allocation of costs based on benefits derived.

Resource Management
8. IT manages the resources entrusted to it through resource inventories and portfolios, by maintaining the usefulness, capability and quality of the resources, and by leveraging them optimally for solution and service delivery.

Risk Management
9. IT mitigates its risks through regular analysis of what can go wrong, initiating corrective action where necessary, and transparency of risk exposures and mitigation status.

Control Requirements
10. Business goals, governance requirements, regulatory compliance and enterprise risk tolerance determine the important IT processes and critical resources, and the associated control requirements are extracted from a generally accepted IT control framework.

An IT control framework based on generally accepted IT management principles.
COBIT Framework

Governance Drivers and Business Goals determine the Information Criteria that the IT Resources must satisfy.
Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: Applications, Information, Infrastructure, People

The four domains:
PLAN AND ORGANISE: strategy and tactics; vision planned; organisation and infrastructure
ACQUIRE AND IMPLEMENT: IT solutions; changes and maintenance
DELIVER AND SUPPORT: delivery of required services; set-up of support processes; processing by application systems
MONITOR AND EVALUATE: assessment over time, delivering assurance; management's oversight of the control system; performance measurement
CobiT: An IT control framework

CobiT 4.0 provides a better interface to the business and IT governance layer of the enterprise, but also to the operational layer, with a better interface to operational standards and practices:
• Full IT governance framework and IT governance best practices to foster compliance and increase the value of IT
• Stronger business focus and more specificity on process ownership and responsibilities, enabling strategic alignment and making implementation easier
• Easier to design IT scorecards with goals and metrics material, with greater focus on process performance via the key activities
• Better understanding of scope and purpose of IT processes with process definitions, relationships, activities and responsibilities
• Key elements remain Control Objectives, Control Practices and Maturity Models
Linking Business and IT Goals

Business Goals → IT Goals → IT Processes
The difficulties when doing this without a framework: where to start; results all over the place; repetition; hard to do
Linking Business and IT Goals

Governance Drivers and Business Outcomes → Business Goals → IT Goals → IT Processes, delivered through the IT resources: Applications, Information, Infrastructure, People

Enterprise architecture for IT: IT Processes need Infrastructure & People, run Applications and deliver Information.

Business Governance balances Value and Risk: Agility, Return, Compliance, Comfort, Functionality
Linking Business and IT Goals
Linking IT Goals to IT Processes
Linking Business and IT Goals

Business Goals for IT → IT Goals → Process Goals
Business Requirements: who needs what information, where and in what form, in order for the business to achieve its objectives
CobiT Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: People, Applications, Information, Infrastructure
Goals and Metrics: Linking IT Goals to IT Metrics

Business Goal → defines → IT Goal → defines → Process Goal → defines → Activity Goal
Each goal is measured by a metric: Business Metric, IT Metric, Process Metric, Activity Metric
Activity Metric → drives → Process Metric → drives → IT Metric → drives → Business Metric
A metric is the key goal indicator (KGI) of the goal it measures and the key performance indicator (KPI) of the goal one level up.
Goals and Metrics: a security example

Business Goal: Maintain enterprise reputation and leadership
  is measured by the Business Metric: Number of incidents causing public embarrassment (KGI for the business goal)
IT Goal: Ensure IT services can resist and recover from attacks
  is measured by the IT Metric: Number of actual IT incidents with business impact (KGI for the IT goal, KPI for the business goal)
Process Goal: Detect and resolve unauthorised access to information, applications & infrastructure
  is measured by the Process Metric: Number of actual incidents because of unauthorised access (KGI for the process goal, KPI for the IT goal)
Activity Goal: Understanding security requirements, vulnerabilities and threats
  is measured by the Activity Metric: Frequency of review of the type of security events to be monitored (KPI for the process goal)

The cycle: define goals → drive performance → measure achievement → improve and re-align
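The cascade above says what to measure but not how the four numbers relate once you compute them from real records. The following is an added example, not code from the slides or from CobiT: it computes the four metrics of the security example over constructed incident and review records. The record fields (cause, business_impact, public, held_on), the cause taxonomy and the consistency check are assumptions made for illustration.

```python
"""
Goals-and-metrics cascade of the security example, computed over constructed
incident and monitoring-review records. Added example; the record fields and
the cause taxonomy are assumptions, not part of CobiT.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    ident: str
    cause: str             # assumed taxonomy, e.g. "unauthorised_access"
    business_impact: bool  # assumed field: did a business process suffer?
    public: bool           # assumed field: did it become public (press, customers, regulator)?


@dataclass(frozen=True)
class MonitoringReview:
    """A review of which types of security events are to be monitored."""
    held_on: date


# Constructed sample data (not real incidents).
SAMPLE_INCIDENTS = [
    Incident("INC-1", "unauthorised_access", business_impact=True, public=True),
    Incident("INC-2", "unauthorised_access", business_impact=False, public=False),
    Incident("INC-3", "hardware_failure", business_impact=True, public=False),
    Incident("INC-4", "unauthorised_access", business_impact=True, public=False),
    Incident("INC-5", "malware", business_impact=False, public=False),
    Incident("INC-6", "misconfiguration", business_impact=False, public=True),
]
SAMPLE_REVIEWS = [MonitoringReview(date(2006, 1, 15)), MonitoringReview(date(2006, 4, 20))]
SAMPLE_PERIOD = (date(2006, 1, 1), date(2006, 6, 30))


def activity_metric(reviews, period_start, period_end):
    """Activity goal: understand security requirements, vulnerabilities and threats.
    Metric: frequency of review of the event types to be monitored, counted as
    reviews held inside the reporting period."""
    return sum(1 for r in reviews if period_start <= r.held_on <= period_end)


def process_metric(incidents):
    """Process goal: detect and resolve unauthorised access.
    Metric: number of actual incidents caused by unauthorised access."""
    return sum(1 for i in incidents if i.cause == "unauthorised_access")


def it_metric(incidents):
    """IT goal: IT services resist and recover from attacks.
    Metric: number of actual IT incidents with business impact, whatever the cause."""
    return sum(1 for i in incidents if i.business_impact)


def business_metric(incidents):
    """Business goal: maintain enterprise reputation and leadership.
    Metric: number of incidents causing public embarrassment."""
    return sum(1 for i in incidents if i.public)


def public_but_unflagged(incidents):
    """Consistency check (an addition, not on the slide): an incident that went
    public but is not flagged as having business impact means the IT-level
    metric under-counts what the business-level metric already shows."""
    return [i.ident for i in incidents if i.public and not i.business_impact]


def scorecard(incidents, reviews, period_start, period_end):
    """The four-level scorecard. Each value is the KGI of its own level and a
    KPI for the level above it, as the slide's figure labels them."""
    return {
        "activity": activity_metric(reviews, period_start, period_end),
        "process": process_metric(incidents),
        "it": it_metric(incidents),
        "business": business_metric(incidents),
        "data_quality_followup": public_but_unflagged(incidents),
    }


def sample_scorecard():
    """Scorecard over the constructed sample data."""
    return scorecard(SAMPLE_INCIDENTS, SAMPLE_REVIEWS, *SAMPLE_PERIOD)


if __name__ == "__main__":
    print(sample_scorecard())
```

On the constructed data the process metric (3) is higher than the business metric (2), which is the expected shape of the cascade: many detected intrusions, few that reach the public. The check function catches the opposite case, an incident counted at the business level that the IT level never flagged, which in practice means the incident classification, not the control, is what needs fixing first.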
New Framework Layout

Each process page shows: process description; IT domain & information criteria indicators; IT governance & IT resource indicators; IT goals; process goals; key practices; key metrics
Management Guidelines Update: Key Activities and RACI Chart (PO1)

Major activities and associated responsibilities are added with a RACI Chart. Roles across the columns: CEO, CFO, Business Exec, CIO, Business Sr Mngmt, Head Operations, Chief Architect, Head Development, Head IT Admin, PMO, CARS. The assignments below are reconstructed from the flattened chart; "-" marks a cell with no assignment.

Key activity                                              CEO  CFO  BusExec  CIO  BusSrMngmt  HeadOps  ChiefArch  HeadDev  HeadITAdmin  PMO  CARS
1 Link business goals to IT goals                          C    I    A/R      R    C           -        -          -        -            -    -
2 Identify critical dependencies and current performance   -    C    C        R    A/R         C        C          C        C            C    C
3 Build IT strategic plan                                  A    C    C        R    I           C        C          C        C            I    C
4 Build IT tactical plans                                  -    C    I        A    C           C        C          C        C            R    I
5 Analyze and manage project and service portfolios        C    I    I        A    R           R        C          R        C            C    I

Process inputs and deliverables describe the activity flow and process relationships (PO1):
Inputs: Risk Appetite; Business Strategy; Understanding of the business context, capability and capacity; Mission and Goals
Outputs: Service Portfolio; Project Portfolio; Tactical Plan; Strategic Plan
Management Guidelines Update
• Process Relationship
• Key activities and responsibilities
• Goals and metrics

Conclusion: COBIT, IT Governance, Implementation
STRATEGY – COBIT 4.1 and supporting products
IT Governance, the What and the How

WHAT: CobiT 4.0; Control Practices and Assurance Steps
HOW (implementation): Board Briefing; CIO Baseline for IT Governance; Executive Baseline for IT Governance; IT Governance Implementation Guide using CobiT
HOW (assurance): Board Briefing; Audit Director Baseline for IT Governance; IT Governance Assurance Guide using CobiT
IT Control Practices and Assurance Steps
STRATEGY – COBIT 4.1 and supporting products

• Provide guidance for usage and customisation of control practices and associated assurance steps, based on a strong framework and concepts
• Supported with representative value and risk drivers, linking back to business and IT goals
• The objective of the IT Control Practices is to:
  - Suggest the different steps necessary and sufficient to achieve a control objective
  - Leverage the old ITCPs, align with CobiT 4.0 and improve
• The objective of the IT Assurance Steps is to:
  - Provide guidance on how to obtain assurance about achievement of the control objective, leveraging the old process audit guidelines
  - Not provide a detailed audit programme that can be 'picked up and executed'
  - Provide the basis for an auditor with some experience to very efficiently develop audit programmes that can be 'picked up and executed'
IT Control Practices Approach
STRATEGY – COBIT 4.1 and supporting products

• A non-prescriptive control design for achieving the control objective
• Action oriented, enabling timely execution, and measurable
• Relevant to the purpose of the control objective
• Covering all inputs, activities and outputs of the process
• Supporting clear roles and responsibility, including segregation
• Concepts of active and passive components
• Generic and specific practices
IT Assurance Steps Approach
STRATEGY – COBIT 4.1 and supporting products

• Testing of a control approach covering 4 assurance objectives:
  1. Existence
  2. Design effectiveness
  3. Operating effectiveness (implemented, consistent application and proper use)
  4. Design and operating efficiency (cost/benefit and possible use of automation)
• Providing 3 types of assurance guidance:
  - Testing the suggested control design
  - Testing control objective achievement
  - Documenting impact of control weaknesses
• Tests based on a documented taxonomy of relevant assurance methods:
  - Enquire and confirm (via different source)
  - Inspect (walk-through, search, compare, review)
  - Observe (confirmation is inherent)
  - Re-perform or re-calculate and analyse (often based on a sample)
  - Automated evidence collection (sample, trace, extract) and analyse
IT Assurance Steps Approach
STRATEGY – COBIT 4.1 and supporting products

E - Enquiry and confirmation
• search for exceptions/deviations and examine
• investigate unusual or non-routine transactions/events
• check/determine whether something has (not) occurred (sample)
• corroborate management statements from independent sources
• interview and assess staff knowledge and awareness
• reconcile transactions (sample)
• ask questions of management and obtain answers to confirm findings

I - Inspection
• physically inspect presence (documentation, assets, etc.)
• walk-through installations, plans etc.
• code walk-through
• review plans, policies and procedures
• search audit trails, problem logs etc.
• trace transactions through the process/system
• compare actual with expected findings

O - Observation
• process
• procedures
• compare actual with expected behaviour

R - Re-performance/Recalculation (sample and/or key actions/transactions)
• independently develop and estimate
• attempt what is prevented
• perform what is detected
• re-perform transactions, control procedures etc.
• recalculate independently
• compare e.g. expected value with actual value
• compare actual with expected behaviour

A - Automated evidence collection
• sample data
• use embedded audit modules
• analyse data using CAATs or other interrogation tools
• trace transactions through the process/system
• extract exceptions or key transactions
IT Control Practices and Assurance Steps
STRATEGY – COBIT 4.1 and supporting products

Control Objective: PO1.3 Assessment of Current Performance
Assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.

Why do it?
Value: identifying opportunities for leveraging the current IT infrastructure; IT plans contribute to the attainment of the organisation's mission and goals
Risk: take appropriate remedial action in response to service and solutions delivery deviations; allow planning assumptions to be validated and changed

Control Practices, each with its Test Description:
1. Control practice: Capture and report feedback from IT, organization management and key stakeholders on the current systems. Consideration includes strengths and weaknesses, degree of business automation, stability, complexity, development requirements, support and maintenance requirements, costs and external parties' input (including business partners and vendors).
   Test: Confirm that a system exists to capture and report feedback on current systems. Verify that the system is being used consistently by IT, organization management and key stakeholders to give feedback on various considerations of the current system.
2. Control practice: Review the achievement of agreed targets defined within the tactical IT plan. The outcome of the evaluation includes, but is not restricted to, current requirements, current delivery to requirements, barriers to delivery of requirements, and the steps and costs required to remove restrictions.
   Test: Confirm that reviews are made regarding agreed targets within the tactical IT plan and that appropriate outcomes are determined.
3. Control practice: Assess and agree the proposed amendments to the tactical and strategic IT plans, based upon the results of the assessment of the current performance.
   Test: Enquire and confirm that proposed amendments are assessed and agreed upon.
4. Control practice: Benchmarking against well-understood and reliable industry norms is an integral component of the assessment of existing systems and capabilities.
   Test: Confirm that benchmarking against industry norms is used to help assess existing systems and capabilities.
IT Control Practices and Assurance Steps
STRATEGY – COBIT 4.1 and supporting products

The three types of assurance guidance, as applied to PO1.3 above:
TYPE 1: Testing the control practices: summarising the detailed testing steps currently available, after quality reviewing them
TYPE 2: Testing achievement of the control objective outcome: capturing those tests from the current list that verify outcome, complemented with extracts from step 3 of the old Audit Guidelines
TYPE 3: Documenting the impact of not achieving the control objective outcome: leveraging the generic advice on the next foils, complemented with extracts from step 4 of the old Audit Guidelines
IT Governance, the What and the How
STRATEGY – COBIT 4.1 and supporting products

WHAT: Framework; Control Objectives; Management Guidelines; Maturity Models
HOW (per control objective): Control Objective; Control Practices; Assurance Approach; Value and Risk drivers
HOW (implementation): Board Briefing; CIO Baseline for IT Governance; Executive Baseline for IT Governance; IT Governance Implementation Guide using CobiT
HOW (assurance): Board Briefing; Audit Director Baseline for IT Governance; IT Governance Assurance Guide using CobiT
IT Assurance Activities

Types of Assurance: Financial Statement; Compliance; Internal Control; 3rd Party; System Reliability; Due Diligence; Operations; Projects; Process Improvement

Assurance Stages: Determine responsible party and intended user of assurance output; Determine nature of the subject matter; Define and agree evaluation criteria; Collect evidence; Assess evidence; Make judgement; Report and conclude

Assurance Steps (activities placed on the types-by-stages matrix):
• Effective audit reporting
• Q&D risk assessment
• Substantiating risk
• Scope and plan self assessments
• Control self assessment
• Maturity based self-assessment
• Assess process maturity
• Threat, vulnerability and business impact assessments
• Selecting the control objectives for critical processes
• Identify critical IT processes based on value drivers
• Operational audit
• Diagnose operational and project risk
• Control evaluation and testing
• Customising control objectives (add, delete, rewrite)

Knowledge base: Control Objective; Assurance Approach; Value; Risk

Four step approach
2. Develop and expose the knowledge base: concept & design of IT control practices; approach to IT assurance; practices and steps; argumentation
9. Align assessment steps of the Implementation & Assurance Guides
10. Update the Implementation Guide
11. Define, outsource and produce the Assurance Guide
PO1.3 Assessment of Current Performance

Control Objective
Assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.

Why do it? (Value and Risk statements)
• Take appropriate remedial action in response to service and solutions delivery deviations
• Allow planning assumptions to be validated and changed
• Identify opportunities for leveraging the current IT infrastructure
• IT plans contribute to the attainment of the organisation's mission and goals

Control Practices and Test Descriptions

1. Control practice: Capture and report feedback from IT, organization management and key stakeholders on the current systems. Consideration includes strengths and weaknesses, degree of business automation, stability, complexity, development requirements, support and maintenance requirements, costs and external parties' input (including business partners and vendors).
   Test: Confirm that a system exists to capture and report feedback on current systems. Verify that the system is being used consistently by IT, organization management and key stakeholders to give feedback on the various considerations of the current system.

2. Control practice: Review the achievement of agreed targets defined within the tactical IT plan. The outcome of the evaluation includes, but is not restricted to, current requirements, current delivery to requirements, barriers to delivery of requirements, and the steps and costs required to remove restrictions.
   Test: Confirm that reviews are made of the agreed targets within the tactical IT plan and that appropriate outcomes are determined.

3. Control practice: Assess and agree the proposed amendments to the tactical and strategic IT plans, based upon the results of the assessment of the current performance.
   Test: Enquire and confirm that proposed amendments are assessed and agreed upon.

4. Control practice: Benchmarking against well-understood and reliable industry norms is an integral component of the assessment of existing systems and capabilities.
   Test: Confirm that benchmarking against industry norms is used to help assess existing systems and capabilities.
COBIT4.1 – Assurance Guide

IT Assurance Roadmap

PLANNING (leads to the Annual IT Audit Plan)
• Establish the IT audit universe
• Select an IT control framework
• Perform risk-based IT audit planning
• Perform high-level assessments
• Set the high-level assurance objectives

SCOPING (leads to the Scope & Objectives)
Business Goals → IT Goals → Key IT Processes and Key IT Resources → Key Control Objectives → Customised Key Control Objectives

TESTING (leads to the Audit Opinion)
• Obtain an understanding of the IT assurance subject
• Refine the scoping of key control objectives for the IT assurance subject
• Test the effectiveness of the control design of the key control objectives
• Alternatively / additionally test the outcome of the key control objectives
• Document impact of control weaknesses, comment on efficiency and provide an opinion
COBIT4.1 – Assurance Guide

The Assurance Guide will provide the following type of advice

Level 1 (Test Type: Control Design of the Control Objective)
  Generic: ▪ Understanding control practices ▪ Understanding assurance objectives and test methods ▪ Customising assurance steps ▪ Testing application controls ▪ Testing approach (levels, objectives, methods etc.)
  Process: ▪ Using the generic process controls and associated practices and assurance steps
  Control Objective: ▪ Test steps for the generic control practices and how to apply them ▪ Test steps for the specific control practices and how to apply

Level 2 (Test Type: Outcome of the Control Objective)
  Generic: ▪ How to leverage process output quality, 'why do it' statements as well as IT, process and activity goals, to test the outcome of the control objectives applied to the process
  Process: ▪ Provide some representative examples based on step 3 material of the old AG and the generic advice
  Control Objective: none

Level 3 (Test Type: Impact of Control Weaknesses)
  Generic: ▪ Generic approach to documenting actual control weakness impact ▪ More specific advice on how to document actual and possible impact ▪ Possibly expand with guidance on how to develop realistic risk scenarios to substantiate possible impact
  Process: ▪ Provide some representative examples based on step 4 material of the old AG and the generic advice
  Control Objective: none
STRATEGY – COBIT4.1 and supporting products

How IT Assurance Activities can leverage CobiT Components

IT Assurance Activities:
◊ Q&D risk assessment
◊ Diagnose operational and project risk
◊ Threat, vulnerability and business impact assessments
◊ Risk based audit planning
◊ Identify critical IT processes based on value drivers
◊ Assess process maturity
◊ Audit scoping and planning
◊ Selecting control objectives for critical processes
◊ Customising control objectives
◊ Control evaluation and testing
◊ Build a detailed audit program
◊ Control self assessment
◊ Maturity based self-assessment
◊ Scope and plan self assessments
◊ Substantiating risk
◊ Effective audit reporting

CobiT Components:
◊ COBIT Processes List
◊ High-level and detailed Control Objectives
◊ Information Criteria
◊ IT resources
◊ IT governance domain indicators
◊ Inputs & Outputs
◊ Key Activities and RACI chart
◊ IT, process and activity goals
◊ IT, process and activity metrics
◊ Maturity Models
◊ Risk & value statements
◊ Control Practices
◊ Board Briefing on IT Governance
◊ Information Security Board Briefing
◊ Management Awareness & Diagnostic Tools
◊ Assurance and Implementation Guidelines
◊ QuickStart
◊ COBIT Security Baseline
◊ VALIT
◊ CobiTOnline - Browsing & Filtering, Benchmarking
◊ COBIT Mapping
COBIT4.1 – Assurance Guide

IT Assurance Activities and CobiT Components
[Matrix: IT Assurance Activity (rows) against CobiT Component (columns); the cell markings are not recoverable from the slide text]

IT Assurance Activity (rows): Q&D risk assessment; Diagnose operational and project risk; Threat, vulnerability and business impact assessments; Risk based audit planning; Identify critical IT processes based on value drivers; Assess process maturity; Audit scoping and planning; Selecting the control objectives for critical processes; Customising control objectives (add, delete, rewrite); Control evaluation and testing; Build a detailed audit program; Control self assessment; Maturity based self-assessment; Scope and plan self assessments; Substantiating risk; Effective audit reporting

CobiT Component (columns): COBIT Processes List; High-level and detailed Control Objectives; Information Criteria; IT resources; IT governance domain indicators; Inputs & Outputs; RACI chart; IT, process and activity goals; IT, process and activity Key Goal Indicators; Maturity Model; Control Practices - Risk & value; Control Practices; Board Briefing on IT Governance; Information Security Board Briefing; Management Awareness Tool; Diagnostic Tool; Assurance Guidelines (incl. Assurance steps); Implementation Guidelines; QuickStart; COBIT Security Baseline; VALIT; CobiT Online - Browsing & Filtering; CobiTOnline - Benchmarking; COBIT Mapping Series
COBIT4.1 – Assurance Guide

Convergence of Scoping Methods
[Figure: Value Analysis, Risk Assessment and Assurance Scoping converging on the same set of IT components; layout not recoverable from the slide text]
Labels in the figure: Enterprise Environment; Drivers for the Objective; IT Control Framework; Mapping: IT Controls; Scoping: IT components; Risk: Assessment against the objective; IT Components: Processes, systems, applications, information, infrastructure, people...; Value Analysis; Risk Assessment; Assurance Scoping
COBIT4.1 – Assurance Guide

Convergence of Scoping Methods: scoping control requirements and audit coverage
Control Objectives are mapped against IT Components. For each pairing, ask: Is it likely that non-achievement of this control objective for this component has a material effect?

Summarise (control requirements):
• Is implementation needed?
• Are point solutions sufficient?
• Is an enterprise-wide solution needed?

Summarise (audit coverage):
• Develop audit programme
• Determine depth and scope of testing

Value Analysis, Risk Assessment and Assurance Scoping converge on this question.
COBIT4.1 – Assurance Guide

COBIT4.1 – Implementation Guide

Implementation Guide: Identify Needs Section
• Update Identify Needs section in line with scoping
• Align with CobiT4.0
• Add IT Control Practices

Implementation roadmap:
• Identify Needs: Raise awareness & obtain commitment; Analyse business & IT goals; Select processes & controls; Analyse risks; Finalise scope
• Envision Solution: Define actual performance; Define target for improvement; Analyse gaps & identify improvements
• Plan Solution: Define projects; Develop improvement plan
• Implement Solution: Implement the improvements; Integrate measures into ITBSC; Post Implementation Review
• Also shown on the roadmap: Build Sustainability; Develop IT Governance Organisation Structures and Processes

Identify Needs steps (as applied to an assurance review):

Raise awareness & obtain commitment
Understand background, set assurance scope and objectives. Define organisation, roles, responsibilities and required resources. Define IT Control framework and supporting processes (agreed control objectives aligned to IT domains for the assurance review). Communicate aims and objectives to all stakeholders. Obtain agreement.

Analyse business & IT goals
Understand business processes concerned. Understand business goals and IT relevance. Define IT goals (for assurance requirements). Understand IT organisation and roles.

Select processes & controls
Identify in-scope IT processes and IT control objectives and identify in-scope IT components (people, applications, infrastructure, information). Identify key control objectives by assessing if it is likely that non-achievement of the control objective for the IT component will have a material effect.

Analyse risks
Assess the inherent risk of material control objectives not being met, e.g. recent changes and incidents, audit history, self assessments and management monitoring. Assess the amount of assurance review and testing required.

Finalise scope
Set assurance strategy and refine scope and focus of the assurance approach based on risk. Adjust IT process, IT component and IT control objective selection as required. Determine documentation and testing approach to ensure most effective and efficient coverage of assurance objectives.
COBIT4.1 – Product Strategy

WHAT: Framework; Control Objectives; Management Guidelines; Maturity Models

HOW (implementation): Implementation Roadmap
• Identify needs: Raise awareness & make decision; Analyse values and risks; Select processes
• Envision the solution: Define where you are; Define where you want to be; Analyse gaps
• Plan the solution: Define projects; Develop & implement change plan
• Implement the solution: Integrate into day-to-day practices; Integrate measures into ITBSC

HOW (assurance): Control Objective; Assurance Approach; Value and Risk; Control Practices; Assurance Steps (1 2 3 4); Activities

IT Assurance Activities
[Matrix: assurance activities plotted against Types of Assurance and Assurance Stages; the cell markings are not recoverable from the slide text]
Types of Assurance: Financial Statement; Compliance; Internal Control; 3rd Party; System Reliability; Due Diligence; Operations; Projects; Process Improvement
Assurance Stages: Determine responsible party and intended user of assurance output; Determine nature of the subject matter; Define and agree evaluation criteria; Collect evidence; Assess evidence; Make judgement; Report and conclude
Activities: Effective audit reporting; Q&D risk assessment; Substantiating risk; Scope and plan self assessments; Control self assessment; Maturity based self-assessment; Assess process maturity; Threat, vulnerability and business impact assessments; Selecting the control objectives for critical processes; Identify critical IT processes based on value drivers; Operational audit; Diagnose operational and project risk; Control evaluation and testing; Customising control objectives (add, delete, rewrite)

Supporting products: Board Briefing; CIO Baseline for IT Governance; Executive Baseline for IT Governance; IT Governance Implementation Guide using CobiT; IT Governance Assurance Guide using CobiT
COBIT: An IT governance framework

How has it evolved?
An open standard at www.isaca.org

Evolution:
• COBIT1 (1996): Audit
• COBIT2 (1998): Control
• COBIT3 (2000): Management
• COBIT4 (2005): Governance
COBIT: An IT governance framework

How is it being used?
“CobiT is the framework that gives me an end-to-end view of IT.” John Carrow, CIO, Unisys
“CobiT is an end-to-end catalogue of IT decisions.” Simon Shapiro, CIO, Investec
[Figure: the CobiT Framework at the centre, used for IT Governance, Sarbanes-Oxley, Audit Methodology, Security Policy, Outsourcing and Process Standards]
COBIT: An IT governance framework

Why should you adopt it?
• Common language
• Shared understanding of value, risk, control and compliance requirements
• Comfort about the IT organisation being able to deliver
• Authoritative basis re. third party and external assessments
• Essential for IT Governance
COBIT: An IT governance framework

CIO: World-class IT
• Aligned with the business and providing transparent value
• Top management attention through appropriate IT governance mechanisms
• Engaged in performance measurement
• Committed to continuous improvement

CEO and Board: Executive Challenge
• maximizing profits
• controlling costs
• minimizing risk and ensuring compliance

IT governance practices and leadership, supported by frameworks like CobiT and ValIT, will help executives achieve these goals and get value from IT!
COBIT: An IT governance framework

IT Governance has a high return on investment
[Chart: Management Practices Score (low to high, vertical axis) against Intensity of IT deployment (low to high, horizontal axis). Quadrant values: low practices score / low IT intensity 0; low practices score / high IT intensity +2%; high practices score / low IT intensity +8%; high practices score / high IT intensity +20% (footnote 1)]
IT governance needs a control framework that:
• Is strategically aligned
• Engages the executive level
• Can be reused for synergy

[Figure: the CobiT Framework at the centre, reused for IT Governance, Sarbanes-Oxley, Audit Methodology, Security Policy, Outsourcing and Process Standards]

IT governance begins with the Board asking some tough questions about IT
For more information…
Information Systems Audit and Control Association (ISACA) / IT Governance Institute (ITGI)
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone +1.847.253.1545 (ISACA), +1.847.590.7491 (ITGI); Fax +1.847.253.1443 (both)
ISACA E-mail [email protected]; Web site www.isaca.org
ITGI E-mail [email protected]; Web site www.itgi.org

Erik Guldentops, Advisor to the Board, The IT Governance Institute
E-mail [email protected]@itgi.org
Thank you for listening carefully to this presentation.