Date posted: 20-Jan-2016
Institute of Internal Auditors
COBIT Presentation
October 9, 2001
Internal Audit Consulting Group Assurance and Consulting on Business Risk Management, Controls, and Governance 9/26/01 2
Confidential and Proprietary - Internal Audit Consulting Group Use Only
For More Information on COBIT
Phone: 847-253-1545
Websites: www.Itgovernance.org
www.isaca.org
Cost
• ISACA Member: $115
• Non-Member: $225
Background
• Control OBjectives for Information and related Technology
– Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF)
– Current primary publisher is the IT Governance Institute - formed by the Information Systems Audit and Control Association (ISACA) in 1998
– COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc.
– The above sources were used to formulate COBIT to “be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization.”
The COBIT Mission
• To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors
Objectives of COBIT
• To provide a framework to bridge gaps between business risks, control needs and technical issues in order to maximize benefits, capitalize on opportunities and gain competitive advantage
Components
• Executive Summary
• Framework
• Control Objectives
• Audit Guidelines
• Management Guidelines
Executive Summary
• Provides a synopsis of COBIT’s objectives and processes
Framework
• A tool to be used as comprehensive guidance for users, auditors, management and business process owners
Control Objectives
• Generically defined high-level business needs organized by process/activity used to facilitate the implementation of a process
Audit Guidelines
• A template used to facilitate the obtaining, evaluating, assessing and substantiating of information needed to evaluate overall control
Management Guidelines
• Set of action-oriented guidelines developed to assist management in answering:
– Does the benefit outweigh the cost?
– What are the indicators of good performance?
– What are the critical success factors?
– What are the risks of not achieving our objectives?
– What do others do?
– How do we measure and compare?
COBIT Family of Products (diagram)
• Executive Summary
• Framework with high-level control objectives
• Detailed Control Objectives
• Audit Guidelines
• Management Guidelines: Maturity Models, Critical Success Factors, Key Goal Indicators, Key Performance Indicators
• Implementation Tool Set: Executive Overview, Case Studies, FAQs, PowerPoint Presentations, Management Awareness Diagnostics, IT Control Diagnostic, Implementation Guide
Framework (see handout)
• 4 Domains
– Planning & Organization
– Acquisition & Implementation
– Delivery & Support
– Monitoring
• 34 Control Objectives
• 318 Detailed Control Objectives
Audit Guidelines
• Obtain Understanding
– Interviewing
– Obtaining
• Evaluate Controls
– Considering
• Assess Compliance
– Testing
• Substantiate Risk
– Performing
– Identifying
Management Guidelines
• Critical Success Factors
• Key Goal Indicators
• Key Performance Indicators
• Maturity Model
Example: Manage Changes
Domain: Acquisition & Implementation
Control Objective: AI6
Detailed Control Objectives
• Change Request Initiation and Control
• Impact Assessment
• Control of Changes
• Emergency Changes
• Documentation and Procedures
• Authorized Maintenance
• Software Release Policy
• Distribution of Software
Audit Guidelines
• Obtain Understanding
– Interviewing
– Obtaining
• Evaluate Controls
– Considering
• Assess Compliance
– Testing
• Substantiate Risk
– Performing
– Identifying
Management Guidelines
Maturity Model
0 Non-existent
1 Initial/Ad Hoc
2 Repeatable but Intuitive
3 Defined Process
4 Managed & Measurable
5 Optimized
• Findings
• Issues
• Benchmarking
Adopting COBIT Tool Set
When you are... Project Manager
COBIT objectives served... General framework for minimal project and quality standards
Useful COBIT approaches... Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery, and project management and assessment
Adopting COBIT Tool Set
When you are... Developer
COBIT objectives served... As minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built
Useful COBIT approaches... Use COBIT to help ensure that all applicable IT control objectives in the development project have been addressed
Adopting COBIT Tool Set
When you are... Operations
COBIT objectives served... As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives
Useful COBIT approaches... Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive
Adopting COBIT Tool Set
When you are... User
COBIT objectives served... As minimal guidance for internal control to be integrated within information systems, being fully operational or under development
Useful COBIT approaches... Use COBIT to guide service level agreements
Adopting COBIT Tool Set
When you are... Information Security Officer
COBIT objectives served... As harmonizing framework providing a way to integrate information security with other business-related IT objectives
Useful COBIT approaches... Use COBIT to structure the information security program, policies, and procedures
Adopting COBIT Tool Set
When you are... Auditor
COBIT objectives served... As basis for determining the IT audit universe and as IT control reference
Useful COBIT approaches... Use COBIT as criteria for review and examination and for framing IT-related audits
COBIT Case Studies
• Cedel Group
• Office of the State Auditor of Massachusetts
• PWC
• Fidelity Investments
• Department of Defense
• Boston Gas Company
• Santa Barbara Bank and Trust
• Society for Worldwide Interbank Financial Telecommunication