Introduction to COBIT for IT Auditor
Armanto Witjaksono
Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
Structured and organized to provide a powerful control model and evaluative tool
Overview
COBIT – Control Objectives for Information and related Technology
o Currently at version 4.1
o A model designed to control the IT function
o Supports IT governance by providing a comprehensive description of the control objectives for IT processes
Overview of CobiT
What CobiT is not!!
o Audit software
o An IT audit plan
o An IT Internal Audit workprogram
o An IT audit testing plan
o Guide on “How to Audit” IT
Overview of CobiT
Then what is CobiT?
o It is the Control Objectives for Information and related Technology
o A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
o The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.
o A tool for IT professionals that links information technology and control practices
o CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.
Overview of CobiT
o CobiT represents
1. A control framework,
2. a set of generally accepted control objectives, and
3. the CobiT Audit Guidelines.
o CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.
o CobiT is business process oriented and provides business process owners with a framework that should enable them to control all the different activities underlying IT deployment.
Overview of CobiT
What is the purpose of CobiT?
o To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.
o CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.
o It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
Overview of CobiT
Promotes an improved focus on business information requirements
Helps ensure that IT processes are defined and that responsibilities are assigned
Supports management’s efforts to demonstrate due diligence
Serves as excellent criteria for evaluation
Strengthens the understanding, design, implementation, exercise, and evaluation of internal control
Focuses on information having integrity, being secure, and available.
Management-oriented
Supports corporate and IT governance
Process-oriented
Controls-based
Measurement-driven
Based on a Strong Foundation and Sound Principles of Internal Control
IT Resource Management
CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with the type and quality of information required to achieve organizational objectives.
COBIT
COBIT is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.
Addresses key attributes of information produced by IT.
Links recommended control practices for IT to business and control objectives.
Provides guidance in implementing and evaluating the appropriateness of IT-related management control practices.
Focus on Information and IT Management
“Right” information, to only the “right” party, in the “right” format, at the “right” time, at the “right” cost.
Information that is relevant, reliable, secure, and available.
Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
COBIT Target Groups
COBIT is primarily intended for management, business users of IT and auditors
Main target groups
o Managers – holding executive responsibility for operation of the enterprise
o End users – provide assurance of security and controls
o Auditors – independent assurance of quality and controls
o Business and IT consultants – bring knowledge and advice
o IT Service Management Professionals – provides a framework covering complete lifecycle of IT systems and services
Who is COBIT aimed at?
To Those Individuals Who are Interested in and Responsible for the Management and Evaluation of Information Technology
Management
IT & Business Users
Auditors / Advisors
Academics & Students of Management and IT
Legislators, Regulators, Oversight Bodies
Vendors
COBIT Structure
IT Governance Cube with 3 interrelated viewpoints (Quality Criteria, IT Processes, and IT Resources)
4 COBIT Domains
Plan & Organize – concerned with identification of the way IT can best contribute to the achievement of business objectives
Acquire and Implement – acquiring, implementing or developing IT solutions to be integrated into business processes
Deliver & Support – delivery of required services including traditional operations, security, and training
Monitor & Evaluate – regular assessment over time for quality and compliance with control requirements
COBIT mapped onto Management Cycle
Components of CobiT
The 4 Domains of CobiT
MONITORING (MO)
PLANNING & ORGANIZATION (PO)
ACQUISITION & IMPLEMENTATION (AI)
DELIVERY & SUPPORT (DS)
Components of CobiT
MONITORING (MO)
M1- Monitor the process
M2- Obtain independent assurance
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.
Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.
Components of CobiT
PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.
Is the IT strategy effectively controlled and will it contribute to the business objectives?
PO1- Define a strategic IT plan
PO2- Define the Information architecture
PO3- Determine technical direction
PO4- Define IT Organization and relationships
PO5- Manage the investment in IT
PO6- Communicate management aims and directions
PO7- Manage Human Resources
PO8- Ensure compliance with external requirements
PO9- Assess risks
PO10- Manage projects
PO11- Manage quality
Components of CobiT
ACQUISITION & IMPLEMENTATION (AI)
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired as well as implemented and integrated into the business process. Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
AI1- Identify solutions
AI2- Acquire and maintain application software
AI3- Acquire and maintain technology architecture
AI4- Develop and maintain IT procedures
AI5- Install and accredit systems
AI6- Managing changes
Components of CobiT
DELIVERY & SUPPORT (DS)
Addresses the actual delivery of required information services.
Are information related services delivered in a controlled manner?
DS1- Define service levels
DS2- Manage Third Party services
DS3- Manage performance capacity
DS4- Ensure continuous service
DS5- Ensure systems security
DS6- Identify and allocate costs
DS7- Educate and train users
DS8- Assist and advise IT customers
DS9- Manage the configuration of IT systems
DS10- Manage problems and incidents
DS11- Manage data
DS12- Manage facilities
DS13- Manage operations
Overview of Internal Audit
Internal Audit
o "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)
The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity’s procedures and related internal controls.
As Internal Auditors, we also provide control recommendations and controls advisory.
VIDEO
http://www.youtube.com/watch?v=bg_GEN8AZA0
CobiT For Internal Auditors
Who uses CobiT in the Internal Audit world?
o Typically, the IT Auditor
o Business Process Auditor
o The IT Inspection Team, or
o The IT Control Team
CobiT For Internal Auditors
How is CobiT used by Internal Audit?
o Establishing control baselines and standards
o Facilitating and creating performance metrics for Risk Assessments
o Developing the audit plan
o Facilitating the audit
o Managing residual risk
o Issuing control advisory and recommendations to the IT groups
CobiT For Internal Auditors
Audits that can be performed with the use of CobiT
1. Reviews of Baselines and Standards for IT
2. Information System Implementations: Pre-Implementation Review, Implementation of Controls, Certification Reviews, Post Implementation Review
3. Code Development / Source Code Management Reviews
4. General Controls Reviews
5. Data Center reviews
6. Audits of the Business Continuity Program
7. Audits of Security Configuration
8. Reviews of Security Administration
9. Reviews of IT Purchasing and Procurement
10. Application Review / Audits
11. Audits of Business Processes
BE CREATIVE! How can you fit CobiT into your audit plan?
Applications of the 4 CobiT Domains
All of the discussed types of reviews can employ the 4 CobiT domains:
– MONITORING
– PLANNING & ORGANIZATION
– ACQUISITION & IMPLEMENTATION
– DELIVERY & SUPPORT
CobiT Trends
In general, each of the 4 domains can be applied to each review with careful planning
All IT Audit reviews should have a component that includes
o Management controls of the information
o Review of controls over the way that information is delivered / facilitated
o How the IT control review process works, and is it working effectively
With the right planning, all reviews can be performed with the use of the 4 domains as a reference, standard, and “Best Practice” template
Top Ten Strengths of CobiT in Internal Audit
10. Control evaluation processes are standardized across the IT environment
9. Benchmarks and standards are portable throughout the IT environment
8. System management processes across different systems can be compared
7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives
6. A common language between auditee, auditor, user management and data owners is provided
5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control “Best Practices”
4. International IT Audit groups can knowledge share (i.e. workprograms, test plans)
3. Audit groups can recruit based on experience with an internationally recognized audit tool
2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
1. It’s just plain old fun!
Problems Inherent to the Implementation and Use of CobiT
CobiT is a control framework with Audit Guidelines. Therefore,
o It is NOT an audit plan
o It is NOT a workprogram
o It does NOT provide for audit steps / techniques / procedures
o It does NOT define standards
o It does NOT define acceptable levels for IT processes
The use of CobiT requires a sufficient amount of experience with IT controls because it does not detail actual controls verification and testing steps
Problems Inherent to the Implementation and Use of CobiT
CobiT is time & resource intensive to implement
o Steep learning curve
o New audit plans and workprograms
o New documentation methods needed
Although CobiT is process focused, CobiT based reviews tend to be more system-focused.
o Few, if any, processes are composed of one system.
o All data flows between systems, so how are data flows evaluated?
o How can major information flow processes be evaluated within reasonable time constraints?
Opportunities to Implement CobiT
Ideal Times to Implement the CobiT Framework
o Beginning of an audit year
o During a reorganization of the audit department
o During a change of strategy for the IT Audit group
o Upon implementation of Business Process focused audits
Threats to CobiT in the Internal Audit World
o Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology
o Auditees can be unreceptive to controls based recommendations as opposed to traditional IT recommendations
o If the audit staff does not have a sufficient amount of experience with IT controls, difficulties can arise in creating procedures to test for the existence of CobiT prescribed controls
Framework for Managing Operational Risk
Need for better operational controls
Importance of technology
Risks associated with an ever changing technology environment
Demand for recognizable value
Need to hold senior management accountable and strengthen governance
• Achieving sufficient value from IT to support the entity’s mission within a complex, vulnerable and ever changing environment
• Adequately managing risk with increasing IT dependence
• Effectively dealing with the scale and cost of current and future IT investments
• Protecting operations and IT resources against increasing vulnerabilities and a wide spectrum of threats
• Being able to adequately track and measure IT performance in support of business objectives
• Obtaining adequate assurance for the integrity, security and availability of IT systems
• Being able to demonstrate due diligence in meeting IT governance objectives
• Today, we are no longer just automating an established business process.
• Instead, we are using technology to expand business process capabilities and management decision making -- It is about IT-enabled change.
• Poorly-managed IT places the integrity, security, and availability of data and systems at risk and increases the likelihood of unrealized benefit.
Management Issues
Difficulty of obtaining adequate assurance that operational and control objectives are being addressed and will be met
Not being sufficiently aware of the impact of technology on control assessment
Not knowing who is really responsible for system integrity, security, and availability
Having cluttered or diffused points of accountability for IT processes across the organization
Management Issues
Not recognizing that we often manage IT as if it were separate from the enterprise when in fact it is highly integrated with business operations
Uncoordinated strategic planning between business and IT operations
Outsourcing without adequate monitoring and evaluation
Management Issues
• There are a whole host of folks who pose a real danger to IT systems
Meeting privacy requirements
Failing to meet regulatory or legal requirements
Having a false sense of security
Achieving adequate value to support the entity’s mission
Management Questions
Is IT well managed?
o Are we doing the right things?
o Are we doing them the best way?
o Are they being done well?
o Are we achieving desired benefits?
Is IT properly controlled?
Do we exercise and can we demonstrate due diligence?
Are the information technology drivers in sync with the agency’s mandates and business goals?
How do responsible managers keep the ship on course? …… keep it afloat?
How do we achieve satisfactory results for our citizens and stake-holders?
How do we adapt in a timely manner to “best practices” for our organization’s environment?
To establish and maintain course . . . and afloat
– Strategic and tactical planning, monitoring and evaluation – dashboards with indicators
– Disaster recovery and BCP to keep it afloat
To achieve satisfactory results for our customers and stake-holders
– Measurement processes, balanced scorecard, etc.
To adapt in a timely manner to “best practices” for our organization’s environment
– Benchmarking, CMM comparisons
IT Value
How do we manage to achieve acceptable IT value?
What policies, practices and assurance mechanisms do we apply to the “right” resources to achieve value?
What guidance is there to assist management in understanding IT processes and how to achieve IT process results?
What standards should be applied to our IT environment?
How do we address governance?
COBIT as an IT Governance Framework
COBIT provides a framework to control IT and supports the following 5 requirements for an IT control framework
o Providing a sharper business focus
o Ensuring a process orientation
o Having a general acceptability among organizations
o Defining a common language
o Helping to meet regulatory requirements
IT Governance Focus Areas
Strategic Alignment – focus on ensuring the linkage of business and IT plans
Value Delivery – executing the value proposition throughout the delivery cycle
Risk Management – requires risk awareness by senior corporate officers, compliance requirements, transparency
Resource Management – optimal investment in and management of critical resources: people, applications, information and infrastructure
Performance Measurement – tracks and monitors strategy implementation
The Need for IT Governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly
Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement (source: www.itgi.org)
IT Governance, as Defined by ITGI
IT governance is:
• The responsibility of the board of directors and executive management
• An integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives
Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement (source: www.itgi.org)
Chart: organisations doing something about IT governance, 2003 vs. 2005 (64% doing something about it; 42% not doing something about it). Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005
Enterprise Governance Drives IT Governance
Enterprise governance is about:
Conformance
• Adhering to legislation, internal policies, audit requirements, etc.
Performance
• Improving profitability, efficiency, effectiveness, growth, etc.
Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.
IT Governance Focus Areas
Strategic alignment – Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations
Value delivery – Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT
Resource management – Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
Risk management – Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation
Performance measurement – Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting
Making IT Governance Work
To make an IT governance implementation project successful:
• Make IT governance a workable solution—able to deal with the challenges and pitfalls presented by IT.
• Focus as much on improving performance and enabling competitive advantage as preventing problems.
• Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
• Align IT governance within a wider enterprise governance scheme.
• Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational structures, and insist on well-managed and properly controlled processes.
IT Governance Stakeholders
Board and executive – Set direction for IT, monitor results and insist on corrective measures
Business management – Defines business requirements for IT and ensures that value is delivered and risks are managed
IT management – Delivers and improves IT services as required by the business
IT audit – Provides independent assurance to demonstrate that IT delivers what is needed
Risk and compliance – Measures compliance with policies and focuses on alerts to new risks
Need for IT Governance Control Framework
Many organizations recognize the potential benefits of technology
The successful organizations:
Understand that IT is more than an enabler
Understand and manage the risks associated with implementing new technologies
Keep a keen eye on the mission and goals, and
Know where they are through measured progress and monitoring and evaluation
The Need for IT Governance
Organizations require a structured approach for managing these and other challenges.
Need to ensure that IT objectives are agreed to, good management controls are in place, and there is effective monitoring of performance to keep on track and avoid unexpected outcomes.
Figure: IT governance challenges – Keeping IT Running, Security, Value/Cost, Managing Complexity, Aligning IT with Business, Regulatory Compliance
Need for IT Governance Control Framework
CobiT underscores the importance of recognizing:
Optimizing value, safeguarding, and ensuring the availability of technology is an entity or senior management issue, not just an IT management issue
Business and IT goals depend on our understanding of how to dynamically apply IT, measure results, and engage IT and business process management
Requires understanding of what we want the technology to do, and how we are going to measure success
COBIT Provides a Framework for IT Governance
COBIT:
Starts from business requirements
Is process-oriented, organizing IT activities into a generally accepted process model
Identifies the major IT resources to be leveraged
Defines the management control objectives to be considered
Incorporates major international standards
Has become the de facto standard for overall control of IT
COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
How Does COBIT View IT Governance?
Consists of leadership, organizational structures, and processes that ensure that IT sustains and extends the enterprise’s strategies and objectives
IT governance is the responsibility of executives and the board of directors
IT Governance Objectives
IT is aligned with the business and enables the business to maximize benefit
IT resources are safeguarded and used in a responsible and ethical manner
IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
IT Governance
Integrates and institutionalizes good practices to ensure that IT supports the business objectives.
Enables the enterprise to take advantage of its information and IT resources to maximize benefit and capitalize on opportunities.
COBIT IT Governance
IT is aligned with the business
IT enables the business and maximizes benefits
IT resources are used responsibly
IT risks are managed appropriately
IT Governance Focus Areas
Strategic alignment
Value delivery
Resource management
Risk management
Performance measurement
IT Governance Focus Areas
Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
IT Governance Focus Areas
Resource Management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
IT Governance Focus Areas
Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
What Should Management Do?
Inquire: Ask the right questions
Focus on IT’s
– Alignment with the agency objectives
– Value delivery
– Risk management
Adopt an IT governance framework
Focus on important IT processes and core IT competencies
Embed responsibilities for IT security and management in the organization
Measure performance and results
To Manage and Control IT, COBIT Recommends:
Employing fundamentals of IT governance
Understanding strategic value of IT
Understanding and managing associated risks
Exercising appropriate frameworks of control
Having mechanisms to provide adequate assurance that IT governance objectives are addressed
Agencies Need Assurance
That information and systems can be relied upon
That operations are adequately controlled
That information has integrity, is protected, and will be available
That due diligence and compliance with good business practices can be demonstrated.
CobiT provides the control criteria and evaluation methodology
CobiT is an Authoritative Source
Built on a sound framework of control and IT-related control practices.
Aligned with de jure and de facto standards and regulations.
Subject to extensive review and exposure.
Aligned with control models, standards and best practices for IT management
COBIT’s View of the Definition of Control
Why Control Information Systems?
The answer lies in the realm of what the business wants: to accomplish and avoid
It therefore falls to the spectrum of: objectives and risks
COBIT’s View of the Definition of Control
The Objectives and Risks become Value Drivers and Risk Drivers in COBIT
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives. P. 12.
Figure: control aims – To Achieve Business Objectives; To Avoid Risks, Threats and Exposures
CobiT promotes a healthy understanding about “reasonable assurance” and “residual risk”
Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control
Figure: Reasonable Assurance shown on a scale from Assurance Level 100% to Residual Risk 0%
Relation to Other Control Models
CobiT is in alignment with other control models:
o COSO
o COCO
o Cadbury
o King
COBIT and Other IT Management Frameworks
Organizations will consider and use a variety of IT models, standards and best practices. They must be understood to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
Figure: COBIT as the umbrella over ISO 9000, ISO 17799, ITIL and COSO, plotted by scope of coverage against WHAT versus HOW
Where Does COBIT Fit?
Figure: Enterprise Governance drivers – Performance (business goals) and Conformance (Basel II, Sarbanes-Oxley Act, etc.); IT Governance – COBIT, COSO; Best Practice Standards – ISO 9001:2000, ISO 17799, ISO 20000, ITIL, Security Principles, Balanced Scorecard; Processes and Procedures – QA procedures
COBIT Framework
COBIT Framework Characteristics
► The COBIT framework was created with the following main characteristics:
Business-focused
Process-oriented
Controls-based
Measurement-driven
COBIT: An IT Control Framework
For latest updates on COBIT, log on to www.isaca.org/cobit.
Figure: Evolution of COBIT – COBIT 1 (Audit, 1996), COBIT 2 (Control, 1998), COBIT 3 (Management, 2000), COBIT 4 (Governance, 2005)
COBIT: Value and Limitations
COBIT:
► Has internationally accepted good practices
► Is management-oriented
► Is supported by tools and training
► Is freely downloadable
► Allows the knowledge of expert volunteers to be shared and leveraged
► Continually evolves
► Is maintained by a reputable not-for-profit organisation
► Maps 100 percent to COSO
► Maps strongly to all major, related standards
► Is a reference, not an ‘off-the-shelf’ cure
Enterprises still need to analyse control requirements and customise COBIT based on their:
► Value drivers
► Risk profile
► IT infrastructure, organisation and project portfolio
COBIT Components
An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
Figure: COBIT components – Business Strategy, Information Criteria, IT Resources, IT Processes
COBIT: Advantages
Some of the advantages of adopting COBIT are:
► COBIT is aligned with other standards and good practices and should be used together with them.
► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation.
► COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
► COBIT provides tools to help manage IT activities.
COBIT and IT Governance
► COBIT focuses on improving IT governance in organisations.
► COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework.
Figure: the five requirements for a Control Framework – Provides sharper business focus, Ensures process orientation, Has general acceptability amongst organisations, Defines a common language, Helps meet regulatory requirements
COBIT and IT Governance (Cont.)
Business Focus
► COBIT achieves sharper business focus by aligning IT with business objectives.
► The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.
► COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.
95
COBIT and IT Governance (Cont.)
Process Orientation
► When organisations implement COBIT, their focus is more process-oriented.
► Incidents and problems no longer divert attention from processes.
► Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.
96
COBIT and IT Governance (Cont.)
General Acceptability
► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.
► The framework continues to improve and develop to keep pace with good practices.
► IT professionals from all over the world contribute their ideas and time to regular review meetings.
97
COBIT and IT Governance (Cont.)
Regulatory Requirements
► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.
► Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
► Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements.
98
COBIT and IT Governance (Cont.)
Common Language
► A framework helps get everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organisations can play a key role in the success of any project.
► Common language helps build confidence and trust.
99
COBIT: Premise
► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
Figure: IT Resources and Processes provide Information to Business Processes for achieving Business Objectives.
► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.
100
COBIT: Principle
The principle of the COBIT framework is to link management’s IT expectations with management’s IT responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.
Business Strategy
Information Criteria
IT Resources
IT Processes
101
COBIT Framework
As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
Figure: the COBIT cube. IT Processes (domains, processes, activities) are managed against the Information Criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) using the IT Resources (applications, information, infrastructure, people). For each IT process the framework states the business requirement, the control approach and the considerations to be taken into account.
102
COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube.
Business Requirements for Information Criteria
IT Resources
IT Processes
103
COBIT Cube: IT Processes
► COBIT describes the IT life cycle with the help of four domains:
Plan and Organise
Acquire and Implement
Deliver and Support
Monitor and Evaluate
► Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 IT processes.
► Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
104
COBIT Cube: IT Domains
Plan and Organise (PO)
► Objectives:
Formulating strategy and tactics
Identifying how IT can best contribute to achieving business objectives
Planning, communicating and managing the realisation of the strategic vision
Implementing organisational and technological infrastructure
► Scope:
Are IT and the business strategically aligned?
Is the enterprise achieving optimum use of its resources?
Does everyone in the organisation understand the IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business needs?
105
COBIT Cube: IT Domains (Cont.)
Let’s look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.
Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
106
COBIT Cube: IT Domains (Cont.)
Acquire and Implement (AI)
► Objectives:
Identifying, developing or acquiring, implementing, and integrating IT solutions
Changes in and maintenance of existing systems
► Scope:
Are new projects likely to deliver solutions that meet business needs?
Are new projects likely to be delivered on time and within budget?
Will the new systems work properly when implemented?
Will changes be made without upsetting current business operations?
New Projects Organisation
?
107
COBIT Cube: IT Domains (Cont.)
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
108
COBIT Cube: IT Domains (Cont.)
Deliver and Support (DS)
► Objectives:
The actual delivery of required services, including service delivery
The management of security, continuity, data and operational facilities
Service support for users
► Scope:
Are IT services being delivered in line with business priorities?
Are IT costs optimised?
Is the workforce able to use IT systems productively and safely?
Are adequate confidentiality, integrity and availability in place?
IT Services Business Priorities
109
COBIT Cube: IT Domains (Cont.)
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
110
COBIT Cube: IT Domains (Cont.)
Monitor and Evaluate (ME)
► Objectives:
Performance management
Monitoring of internal control
Regulatory compliance
Governance
► Scope:
Is IT’s performance measured to detect problems before it is too late?
Does management ensure that internal controls are effective and efficient?
Can IT performance be linked to business goals?
Are risk, control, compliance and performance measured and reported?
IT Performance
111
COBIT Cube: IT Domains (Cont.)
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
112
COBIT Cube: Information Criteria
► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
► Broadly, information criteria are based on the following requirements:
Quality
Fiduciary
Security
113
COBIT Cube: Information Criteria (Cont.)
Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure.
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
114
COBIT Cube: IT Resources
► IT processes manage IT resources to generate, deliver and store the information that the organisation needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
Applications are automated user systems and manual procedures that process information.
Information is data that are input, processed and output by information systems, in whatever form used by the business.
Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
115
COBIT Framework
Figure: business objectives and governance objectives drive the information the enterprise needs (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability). That information is produced by the IT resources (applications, information, infrastructure, people) managed through the four domains: Plan and Organise (PO1 to PO10), Acquire and Implement (AI1 to AI7), Deliver and Support (DS1 to DS13) and Monitor and Evaluate (ME1 to ME4).
116
COBIT Cube
IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.
117
Interrelationship of the COBIT Components
118
COBIT Processes within Domains
Each of the previous domains is composed of processes (34 in total):
121
Domains and processes
A domain contains the relationships of each individual process.
For example: Plan and Organize
122
COBIT Domains with Processes
123
COBIT Process Descriptions
COBIT offers detailed descriptions for all 34 processes.
The Process Descriptions:
o contain the inputs, outputs, responsibilities, metrics and goals
o provide a basis of expert knowledge from which the enterprise may decide what is relevant to its organization
o also include diagrams illustrating the relationships to other processes
124
Where is COBIT Today?
125
How is CobiT Focused?
IT Governance – better coverage with governance practices
Business requirements – better business to IT linkages with cascading goals and supporting metrics
Harmonization – improved integration with key practices
Value Creation – extended focus on IT investment
Enterprise architecture – process structure and resources
Process definitions and process flows – improved descriptions, activities, inputs and output
Language and presentation – more concise in presentation, action-oriented; control model and management guidelines are consolidated into one document
126
What are the key COBIT Documents?
Control Objectives define what needs to be done to implement an effective control structure to improve IT performance and address IT solutions and service delivery risks.
Control Practices provide guidance on the risks to be avoided and the value to be gained from implementing a control objective, and instruction on how to implement the objective.
IT Assurance Guide provides guidance for the assurance team with a structured assurance approach linked to the COBIT framework that is understandable for business and IT professionals.
127
COBIT and Related Products
COBIT 4.1: COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks.
Board Briefing on IT Governance: To help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it.
Information Security Governance: To help overcome these barriers by explaining information security in business terms. It comes complete with tools and techniques to help managers uncover security-related problems.
IT Governance Implementation Guide: Provides a generic road map for implementing IT governance using the COBIT and Val IT resources.
Control Practices: Provide guidance on why the control objectives are worth implementing and how to implement them.
IT Assurance Guide: Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives.
128
COBIT and Related Products
COBIT Quickstart: A summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly.
COBIT Security Baseline (available 3rd quarter 2007): Focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations.
Val IT: Provides guidance for managing an organization’s portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments.
IT Control Objectives for Sarbanes-Oxley: Provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting.
Aligning COBIT, ITIL and ISO 17799: Explains to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier.
COBIT Mapping Series: An overview and various mappings of COBIT to other international guidance, such as CMM and ISO 17799, have been published by ITGI.
129
COBIT and Related Products
130
131
Control Objectives
Framework
Control Objectives
Management Guidelines
Maturity Models
132
COBIT Objectives - IT Governance Topics
Focus on IT Alignment by linking Information Criteria, IT Resources and IT Goals to Business Goals
Focus on Value Delivery by using value-oriented IT goals to focus on the IT processes that are critical to deliver effectively
Focus on Risk Management by using risk-oriented IT goals to focus on the IT processes that are needed to manage risk
Focus on Resource Management by using Maturity Models to ensure there is a capability to deliver
Focus on Performance Management by using metrics and scorecards to ensure plans are on track and deviations are identified and corrected
133
134
Concise Control Objectives
PO1.2 Business-IT Alignment (CobiT 4.1)
Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
PO1.2 Business-IT Alignment (CobiT 4.0)
Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.
PO5.1 Financial Management Framework (CobiT 4.1)
Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT enabled investments, business cases and IT budgets.
PO5.1 Financial Management Framework (CobiT 4.0)
Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmes, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios.
New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes.
135
136
137
Framework Update
138
COBIT Framework
Documents relationships among information criteria, IT resources, and IT processes
Links control objectives and control practices to business processes and business objectives
Assists in confirming that appropriate IT processes (and practices) are in place
Facilitates evaluation and assurance methods
139
Information Criteria -- The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
140
IT Resources -- The 2nd Component
Application Systems
Information
Infrastructure
People
141
IT Process Domains -- The 3rd Component
Plan and Organize
Acquire and Implement
Deliver and Support
Monitor and Evaluate
142
COBIT Process Model
Subdivides IT into four domains
34 processes in line with the domains
Responsibility areas of plan, build, run and monitor, providing an end-to-end view
Enterprise architecture concepts help identify the resources essential for process success
143
What Are the Main Changes?
144
COBIT Domains: Information Processes (3rd Component)
Figure: the four domains Plan and Organize, Acquire and Implement, Deliver and Support, and Monitor and Evaluate form a cycle, with feedback flowing between them.
145
COBIT Framework
To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes in order to provide the services that deliver the required enterprise information.
Basic COBIT Principle
146
CobiT Framework
Helps one understand the:
relationship of controls to control objectives,
importance of focusing on control objectives and their relationship to the business organization and its business processes, and
value of managed processes and resources to attain data integrity, security and availability.
147
148
CobiT is Business-focused
Business orientation is the main theme of COBIT.
Designed to be used by IT service providers, users and auditors, and to also provide comprehensive guidance for management and business process owners.
149
Business Orientation of COBIT
Links business goals to IT goals
Provides metrics and maturity models to measure their achievement
Identifies the associated responsibilities of business and IT process owners
150
Business Goals
Financial Perspective
Expand market share
Increase revenue
Return on Investment
Optimize asset utilization
Manage business risks
Customer Perspective
Improve customer orientation and service
Offer competitive products and service
Service availability
Agility in responding to changing business requirements
Cost optimization of service delivery
151
Business Goals
Internal Perspective
Automate and integrate the business value chain
Improve and maintain business process functionality
Lower process costs
Compliance with external laws and regulations
Transparency
Compliance with internal policies
Improve and maintain operational and staff productivity
Learning and Growth Perspective
Product and business innovation
Obtain reliable and useful information for strategic decision making
Acquire and maintain skilled and motivated personnel
152
IT Goals
1. Respond to business requirements in alignment with business strategy
2. Respond to governance requirements in line with board direction
3. Ensure the satisfaction of end users with service offerings and service levels
4. Optimize the use of information
5. Create IT agility
6. Define how business function and control requirements are translated in effective and efficient automated solutions
7. Acquire and maintain integrated and standardized application systems
8. Acquire and maintain an integrated and standardized infrastructure
153
IT Goals
9. Acquire and maintain IT skills that respond to the IT strategy
10. Ensure mutual satisfaction of third-party relationships
11. Seamlessly integrate applications and technology solutions into business processes
12. Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels
13. Ensure proper use and performance of the applications and technology solutions
14. Account for and protect all IT assets
15. Optimize the IT infrastructure, resources and capabilities
16. Reduce solution and service delivery defects and rework
17. Protect the achievement of IT objectives
18. Establish clarity of business impact of risks to IT objectives and resources
154
IT Goals
19. Ensure critical and confidential information is withheld from those who should not have access to it
20. Ensure automated business transactions and information exchanges can be trusted
21. Ensure IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster
22. Ensure minimum business impact in the event of an IT service disruption or change
23. Make sure that IT services are available as required
24. Improve IT’s cost-efficiency and its contribution to business profitability
25. Deliver projects on time and on budget meeting quality standards
26. Maintain the integrity of information and processing infrastructure
27. Ensure IT compliance with laws and regulations
28. Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change
155
156
Linking Business Goals to IT Goals
An Example:
• The business goal of increasing revenue is linked to IT goals numbers 25 and 28, which are:
• “Deliver projects on time and on budget meeting quality standards” and
• “Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change”
157
158
Linking IT Goals to IT Processes
Example of linking IT goals to IT processes:
• The IT goal of optimizing the use of information is linked to IT processes PO2 and DS11 (information architecture and managing data)
159
160
The WATERFALL Navigation Aid -- High-Level Control Objectives for Each Process
Figure (waterfall): the control of IT Processes, which satisfy Business Requirements, is focusing on the High-Level Control Objective, is achieved by Control Statements and Control Practices, and is measured by metrics such as user satisfaction.
161
162
“RACI” Chart
Identifies who is Responsible, Accountable, Consulted and/or Informed
Addresses considerations for points of accountability
Addresses issues of communication and desired input (who would be consulted)
Rather than titles, think of positions in terms of roles
Depending on the size of the organization or the IT function, several roles may be combined
163
Primary Inputs and Outputs
CobiT identifies from where primary inputs are obtained for each process
The inputs are identified along with where they came from
Also identifies to which IT processes the process provides output
The outputs (from the process) are identified along with where they would be directed
164
165
Metrics
Performance measurement is essential for IT governance.
Requires setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).
166
Metrics
Activity Goals tell us how well the process is performing
o Measured by Key Performance Indicators (KPIs)
Process Goals tell us what IT must deliver
o Measured by Key Goal Indicators
IT Goals tell us what we expect from IT
o Measured by Key Goal Indicators
167
168
169
170
Use of Maturity Models
The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.
Enables gaps in capability to be identified and demonstrated to management.
Action plans can then be developed
171
172
Control Practices
Control Practices
Control Objectives
Value Drivers
Risk Drivers
173
Control Design
Necessary and sufficient steps
Roles & responsibilities
Characteristics
Generic and specific practices
Active and passive
Input, outputs, activities
174
IT Control Practices
Provides guidance on risks to be avoided and value to be gained
Provides detailed guidance on specific controls needed to address high-level and detailed control objectives
Provides guidance on how, why and what to implement to improve IT performance
Includes key elements of value and risk statements and control practices
175
IT Control Practices
Describing the different necessary and sufficient steps to achieve a control objective
Action-oriented, enabling timely execution, and measurable
Relevant to the purpose of the control objective
Supporting clear roles and responsibility, including segregation
176
Control Practices Characteristics:
The benefits listed under ‘why do it’ are tangible and motivate to implement controls
The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective
Control practices listed are generally accepted as good business practice
Control practices suggest sustainable solutions
The control practices are effective in addressing the risk linked to not achieving the detailed control objective
The control practices suggest efficient solutions
The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation
The control practices are realistic
177
IT Assurance Guide
Need for IT Governance and Assurance
The CobiT Framework
IT Assurance Approaches
How CobiT Supports IT Assurance Activities
178
Approach
Testing of a control approach covering 4 assurance objectives:
1. Existence
2. Design effectiveness
3. Operating effectiveness (implemented, consistent application and proper use)
4. Design and operating efficiency (cost/benefit and possible use of automation)
Providing 3 types of assurance guidance:
Testing the suggested control design
Testing control objective achievement
Documenting impact of control weaknesses
179
Approach
Tests based on a documented taxonomy of relevant assurance methods:
Enquire and confirm (via different source)
Inspect (walk-through, search, compare, review)
Observe (confirmation is inherent)
Re-perform or re-calculate and analyze (often based on a sample)
Automated evidence collection (sample, trace, extract) and analyze
180
181
182
183
Using CobiT
184
Figure: the IT governance cycle. Set Objectives, Provide Direction, perform IT Activities, Measure Performance, then Compare the results against the objectives.
IT Activities: increase automation (make the business effective); decrease cost (make the enterprise efficient); manage risks (security, reliability and compliance).
Objectives: IT is aligned with the business; IT enables the business and maximizes benefits; IT resources are used responsibly; IT-related risks are managed appropriately.
CobiT provides the basis for IT Governance
CobiT links business goals to IT goals
CobiT Framework provides a common understanding of IT’s role
CobiT IT Processes and Maturity Models focus on IT capability
CobiT KGIs and KPIs enable measurement
185
Using CobiT
From an organizational perspective, entities should use control models such as COSO and CobiT along with generally accepted control practices to build and exercise appropriate controls to help manage their entities.
186
Strong Basis for Policy Development
Use CobiT as a basis to develop or strengthen policies and control practices
Compare existing policies and standard procedures against CobiT
Conduct high-level and detailed policy reviews
187
Using CobiT Matrices to Focus on:
IT Functions
o Their importance?
o Level of performance?
o Control documentation?
Responsible Parties of IT
o Performed by?
o Contracted services?
o Primary responsible party?
Risk Assessment
o Importance, level of risk, control documentation?
188
CobiT’s Evaluation Focus
What is most critical to the business?
What are the CSFs?
What are the risks and threats?
How robust and appropriate does the internal control structure appear?
What are management’s concerns?
189
Risks to the Entity?
o Unaware of the risks
o Poor understanding of CSFs
o Absence of KPIs
o No “scorecard” or basis of measurement
o Absence of monitoring and evaluation
o Weak IT control environment
o Unknown loss of data or system integrity
COBIT Focuses on Risk-Based Approach
o Focuses on the entity from a management perspective
o Emphasis on knowledge of the business and the technology
o Focus on assessing the effectiveness of a “combination” of controls
o Linkage between risk assessment and testing focusing on control objectives
To Address Outsourced Services
o Determine whether desired processes are in place and establish accountability
o Agree on levels of control, measurement and evaluation
o Use CobiT to help design service contracts by identifying deliverables and responsibilities
o Use CobiT for ongoing monitoring and evaluation of providers and partners
Recap: CobiT Recognizes
o IT is an integral part of the organization
o IT governance is an integral part of corporate governance
o Focus on control objectives can strengthen appropriateness and use of internal controls
o Measurement is crucial to internal control
o Monitoring and evaluation are integral to a system of internal control
Interrelationships of CobiT Components
[Figure: diagram of how the CobiT components relate to one another]
COBIT Content Diagram
[Figure: CobiT and Val IT frameworks, with the supporting publications listed below]
o Control Objectives
o Key Management Practices
o IT Governance Implementation Guide, 2nd Edition
o CobiT Control Practices 2nd Edition
o IT Assurance Guide
IT Risk Analysis—A Generally Accepted Framework
[Figure: risk analysis flow, built up over three consecutive slides]
Asset Identification and Valuation
Vulnerability Assessment
Threat Assessment
Risk Assessment
Counter-measures
Control Evaluation
Residual Risk
Action Plan
Annotations added on the later slides:
o Alternative Entry Point (two are marked on the flow)
o Three Approaches: 1. Ignore. 2. Only prevent. 3. Prevent and detect.
o Translate into business consequences and into financial risks.
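As an added illustration of the risk analysis flow above (not part of the deck and not COBIT's own method), the Python below walks one constructed asset through valuation, vulnerability and threat assessment, risk assessment, countermeasure selection, control evaluation and residual risk, and then picks one of the three approaches named on the slide. The annualized-loss arithmetic (SLE = asset value x exposure factor, ALE = SLE x annual rate) and the cost-benefit rule for adopting a control are assumptions chosen to make "translate into financial risks" concrete; every asset, threat and control figure is made up.

```python
"""Quantitative walk through the risk-analysis flow on the slides above.

Added example for this deck, not COBIT's own method: asset, threat and control
figures are constructed, and the annualized-loss arithmetic (SLE = asset value
x exposure factor, ALE = SLE x annual rate) is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # Asset Identification and Valuation (currency units)


@dataclass(frozen=True)
class Threat:
    name: str
    vulnerability: str      # Vulnerability Assessment: weakness the threat exploits
    annual_rate: float      # Threat Assessment: expected occurrences per year
    exposure_factor: float  # fraction of the asset's value lost per occurrence
    consequence: str        # the business consequence, in management's terms


@dataclass(frozen=True)
class Countermeasure:
    name: str
    kind: str                        # "prevent" or "detect"
    rate_reduction: float = 0.0      # share of occurrences stopped (preventive)
    exposure_reduction: float = 0.0  # share of per-event loss avoided (detective)
    annual_cost: float = 0.0


def inherent_risk(asset, threat):
    """Risk Assessment: annualized loss expectancy with no controls in place."""
    return asset.value * threat.exposure_factor * threat.annual_rate


def residual_risk(asset, threat, controls):
    """Control Evaluation -> Residual Risk: ALE after the listed controls apply."""
    rate, exposure = threat.annual_rate, threat.exposure_factor
    for c in controls:
        rate *= 1.0 - c.rate_reduction
        exposure *= 1.0 - c.exposure_reduction
    return asset.value * exposure * rate


def worthwhile(asset, threat, in_place, candidate):
    """A control earns its place only if the ALE it removes exceeds its cost."""
    before = residual_risk(asset, threat, in_place)
    after = residual_risk(asset, threat, in_place + [candidate])
    return before - after > candidate.annual_cost


def action_plan(asset, threat, candidates, tolerance):
    """Action Plan: choose one of the slide's three approaches.

    1. Ignore: inherent ALE is already within tolerance.
    2. Only prevent: cost-effective preventive controls are enough.
    3. Prevent and detect: detective controls are needed as well.
    within_tolerance is False when even approach 3 leaves residual ALE above
    tolerance, which is the case management must be told to escalate.
    """
    inherent = inherent_risk(asset, threat)
    adopted = []
    if inherent <= tolerance:
        approach = "ignore"
    else:
        for c in (c for c in candidates if c.kind == "prevent"):
            if worthwhile(asset, threat, adopted, c):
                adopted.append(c)
        if residual_risk(asset, threat, adopted) <= tolerance:
            approach = "only prevent"
        else:
            for c in (c for c in candidates if c.kind == "detect"):
                if worthwhile(asset, threat, adopted, c):
                    adopted.append(c)
            approach = "prevent and detect"
    residual = residual_risk(asset, threat, adopted)
    return {
        "threat": threat.name,
        "consequence": threat.consequence,
        "inherent_ale": inherent,
        "residual_ale": residual,
        "controls": [c.name for c in adopted],
        "approach": approach,
        "within_tolerance": residual <= tolerance,
    }


# Constructed sample input (not taken from the deck).
CUSTOMER_DB = Asset("customer database", 2_000_000.0)
RANSOMWARE = Threat("ransomware", "unpatched remote-access appliance", 0.5, 0.4,
                    "order processing halted; SLA penalties owed")
DELETION = Threat("accidental data deletion by staff", "over-broad write access",
                  0.05, 0.1, "one day of transactions re-keyed")
CONTROLS = [
    Countermeasure("patching SLA + MFA on remote access", "prevent",
                   rate_reduction=0.8, annual_cost=60_000.0),
    Countermeasure("endpoint detection + tested offline backups", "detect",
                   exposure_reduction=0.75, annual_cost=50_000.0),
    Countermeasure("full network rebuild", "prevent",  # costs more than it saves
                   rate_reduction=0.1, annual_cost=500_000.0),
]
TOLERANCE = 25_000.0

if __name__ == "__main__":
    for threat in (RANSOMWARE, DELETION):
        r = action_plan(CUSTOMER_DB, threat, CONTROLS, TOLERANCE)
        print(f"{r['threat']}: {r['approach']}; ALE {r['inherent_ale']:,.0f} -> "
              f"{r['residual_ale']:,.0f}; controls: {', '.join(r['controls']) or 'none'}")
```

With these constructed figures the ransomware threat ends up under "prevent and detect" (ALE 400,000 reduced to 20,000 by the two affordable controls, the network rebuild rejected as not cost-effective), while the deletion threat is already inside tolerance and is carried as "ignore". The within_tolerance flag is the piece an auditor should look for in a real plan: a residual risk that still exceeds tolerance after every affordable control needs an explicit management decision, not a silent carry-forward.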
Summary