Posted: 24-Jun-2015
Uploaded by: darshan-kumar
Lecture 3
COBIT (Control Objectives for Information and related Technology)
Introduction to COBIT (Control Objectives for Information and related Technology)
• One major challenge faced by auditors – lack of a common framework within which to operate
– This problem was first addressed with the release of the COBIT framework by the IT Governance Institute, USA, sponsored by ISACA (Information Systems Audit and Control Association)
• IT Governance and Auditors
– To meet business objectives, there had to be a common ground for proactive discussion among auditors, IT management, and the board.
– COBIT, an IT governance framework, addresses these issues through several supporting tools and mechanisms.
– These mechanisms define the role of the auditor within the realm of IT governance.
– IT governance activities have thirty-four objectives, one for each IT process. These are grouped into four domains, viz.,
• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring
– COBIT, as a standard for IT security and control practices, is meant not only for auditors but also for management, users, etc.
– COBIT is helpful to management, users, and auditors in the following ways:
• Management: it helps them balance risk and control investments in an often unpredictable IT environment
• Users: it helps them obtain assurance on the security and control of IT services provided by internal and third parties
• IS auditors: it enables them to substantiate their opinion and/or provide advice to management on matters of internal controls
• IT Governance and Auditors
• Let us discuss the role of the auditor in each of the four domains of COBIT mentioned earlier.
– Planning and Organization
• The board of directors and management decide the strategy that will help achieve business objectives, and ensure the technological infrastructure is in place.
• Here, the auditor’s role is to evaluate and/or assess whether the functioning of these processes is in accordance with the business objectives.
• The only process the auditor is directly responsible for within this domain is quality management.
• This process includes the development of a long-term strategic plan
• This process is concerned with the measurement criteria to be applied
• Identification of specific projects and work plans
• The processes and auditor’s duties that are part of this domain are:
– Define a strategic IT plan (evaluate/assess)
– Define the information architecture (evaluate/assess)
– Determine technological direction (evaluate/assess/inform/support)
– Define the IT organization and relationships (evaluate/assess/inform/support)
– Communicate management’s aims and direction (evaluate/assess/inform)
– Manage human resources (evaluate/assess/inform)
– Ensure compliance with external requirements (evaluate/assess)
– Assess risks (evaluate/assess)
– Manage projects (evaluate/assess/inform/support)
– Manage quality (evaluate/assess/responsible)
• IT Governance and Auditors
– Acquisition and Implementation
• To realize the business strategies and tactics, IT solutions need to be identified, developed or acquired.
• Within this domain, the primary role of the auditor is still to assess the processes.
• However, here the auditor’s support is also needed on control issues regarding the acquisition and maintenance of application software.
• The processes and auditor’s duties that are part of this domain are:
– Identify automated solutions (evaluate)
– Acquire and maintain application software (evaluate/support)
– Acquire and maintain technology infrastructure (evaluate)
– Develop and maintain procedures (evaluate)
– Install and accredit systems (evaluate)
– Manage changes (evaluate/support)
• Delivery and Support
– This domain is concerned with the delivery of IT services, including operations through security, training, and support.
– The role of the auditor here is to evaluate and assess.
– The processes and auditor’s duties that are part of this domain are:
• Define and manage service levels (evaluate/assess)
• Manage third-party services (evaluate/assess)
• Manage performance and capacity (evaluate/assess)
• Ensure continuous service (evaluate/assess)
• Ensure system security (evaluate/assess/support)
• Identify and allocate costs (evaluate/assess)
• Educate and train users (evaluate/assess)
• Assist and advise customers (evaluate/assess)
• Manage configuration (evaluate/assess)
• Manage problems and incidents (evaluate/assess)
• Manage data (evaluate/assess)
• Manage facilities (evaluate/assess)
• Manage operations (evaluate/assess)
• Monitoring
– In all the previous domains, the auditor is required to check for compliance of processes with quality and control requirements.
– Here the auditors have direct responsibility and provide direct support to the domain’s processes.
– The processes and auditor’s duties that are a part of this domain are:
• Monitor the processes (evaluate/assess/support)
• Assess internal control adequacy (evaluate/assess/support)
• Obtain independent assurance (evaluate/assess/support)
• Provide for an independent audit (evaluate/assess/support)
Directed Unsupervised Activity
• Visit the website of ISACA and find out the standards for IS Audit documentation and give your comments.
• List ten assurance services and group them into attestation and non-attestation services.
Control
• “any input given to a dynamic system to produce a desired output.”
• Here the words dynamic and desired output are very important.
[Diagram: Input → Dynamic System → Desired output]
• Dynamism of the System and Control Requirement
– Static system – control is not required
– More dynamism – the greater the control requirement of the system
– Computer system – control is not required if it is not being used for any application or is switched off
– As complexity increases, its control requirement will also rise. This implies that
• Less control is required for a stand-alone system
• Greater control is required for one connected to a network or the Internet
• Knowledge of the Dynamism of the System Makes Control Effective
– The predictability of the complexity of a disease has helped in the development of vaccines to prevent and cure it
– Similarly, in a computer system, control measures would operate effectively if the dynamism and complexity were known.
• The Input Should be Directed towards Achieving the Desired Output
– If the inputs are not focused and directed towards specific outputs, then the control mechanism will not be successful.
– There is no rule of thumb
– Each input or control measure should be directed towards achieving a specific output.
• The Output Should be Evaluated for Giving further Appropriate Input to the System
Effects of Computers on Internal Controls
• The major areas of impact of a computerized environment on the internal controls within an enterprise, with the goals of asset safeguarding, data integrity, system efficiency and effectiveness, are discussed below.
– Personnel
– Segregation of duties
– Authorization Procedures