Part 2: Audit Guidelines

Posted on 18-Dec-2015


AUDIT GUIDELINES


Audit Guidelines -- 226 pages

1 Generic Guideline and 34 Process-Oriented Guidelines

A generic guideline identifies the tasks to be performed in assessing ANY control objective within a process. This generic guideline extracts all the repetitive tasks into one place, to be performed for every control objective.

The others are process-specific task suggestions that provide management with assurance that a control is in place and is working.


Audit Guidelines

The purpose of the audit guidelines is to provide a simple structure for auditing controls

Audit guidelines are generic and high-level in structure

Although intended as a guide for auditing the high-level control objectives, CobiT can also assist overall audit planning

Enables the auditor to review processes against control objectives


CobiT supports the generally accepted structure of the audit process:

Identification and documentation

Evaluation

Compliance testing, and

Substantive testing


The IT process is therefore audited by:

Obtaining an understanding of business requirements, related risks, and relevant control measures

Evaluating the appropriateness of stated controls

Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously

Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources


OBTAINING AN UNDERSTANDING

The audit steps to be performed to document the activities underlying the control objectives and to identify the stated control measures/procedures in place.

Interview appropriate management and staff to gain an understanding of:

* Business requirements and associated risks
* Organisation structure
* Roles and responsibilities
* Policies and procedures
* Laws, regulations and contractual obligations
* Control measures in place
* Management reporting (status, performance, action items)

Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walkthrough).

GENERIC AUDIT GUIDELINE


EVALUATING THE CONTROLS

The audit steps to be performed in assessing the effectiveness of the control measures in place, or the degree to which the control objective is achieved. In essence, deciding what, whether and how to test.

Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures, and applying professional judgment:

• Documented processes exist
• Appropriate deliverables exist
• Responsibility and accountability are clear and effective
• Compensating controls exist, where necessary

Conclude the degree to which the control objective is met.



ASSESSING COMPLIANCE

The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.

Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review.

Perform a limited review of the adequacy of the process deliverables.

Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.



SUBSTANTIATING THE RISK

The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to "shock" management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.

Document the control weaknesses and resulting threats and vulnerabilities.

Identify and document the actual and potential impact (e.g., through root-cause analysis).

Provide comparative information (e.g., through benchmarks).



Audit Guidelines are GUIDELINES

They are a starting point for identifying control tasks and activities associated with particular control objectives.

To plan and conduct the audit, an auditor must add knowledge about the business, risk analysis, and controls; perform adequate audit procedures; and draw conclusions from the results of the audit procedures.


Using CobiT to Develop an Audit Program

Start with Control Objectives to refresh the purpose of the control objective and the recommended IT control practices

Use the Audit Guidelines’ generic audit guideline as a starting point

Use the selected process-oriented audit guidelines to refine the audit work program

Select appropriate portions of the Audit Guidelines in sync with selected detailed control objectives (selected control tasks and activities)


Using CobiT to Review an Audit Program

Use the Audit Guidelines as a benchmark against which to review the existing audit program

Use the Control Objectives’ high-level control objectives to review audit objectives and detailed control objectives to review criteria identification

Use the generic and process-oriented audit guidelines to review audit process and procedures


Adopting CobiT

Start by identifying the “need” for use, and how it might be used

Focus on the benefits to be derived from using CobiT

Assess the acceptance and implementation capabilities

Assign priority of multiple uses

Identify one or more champions


Adopting CobiT

For those responsible for systems and those who audit systems, the value lies in having an organized IT control model that links management control practices to control objectives, and in turn to business objectives.

From a management perspective:
– management and IT policy makers such as the CEO, CIO, VP of IT
– IT steering committee
– business process owners and users

From an audit perspective:
– evaluators and internal/external auditors


Factors to Consider

Dimension and depth of the IT environment

Organizational structure of IT services

Level of internal and outsourced IT functions

Relationships of IT, IS Audit, business process owners, management

Management philosophy regarding control and audit

Extent of business process reengineering

Level of consensus needed


Benefits of CobiT

Supports IT governance objectives.

Helps ensure that IT processes are defined and assigned.

Helps to ensure that there is focus on control objectives.

Leads to more cost-effective IT services.


Benefits of CobiT

Helps to provide reasonable assurance that:
– IT process objectives are understood
– IT risks have been identified
– Appropriate controls have been implemented
– Appropriate monitoring and evaluation processes are in effect
– IT process objectives can be achieved


Benefits of CobiT

Helps to ensure that the organization complies with applicable rules, regulations and contractual obligations.

Opportunity for complementary adoption of COSO and CobiT (or other control models).

Authoritative nature of CobiT, which encompasses well-recognized and established standards for IT control.


Benefits of CobiT

Strengthens assessment, understanding and exercise of appropriate internal controls.

Provides a good framework for risk assessment and risk management.

Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.


Benefits of CobiT

Provides a framework for ensuring that outsourced IT functions are addressed in third-party contracts.

Helps to strengthen the relationship between IS Services and the user community through improved SLAs.

Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.


Using COBIT

Organizational Tool

Audit Planning and Support Tool

IT Control Self Assessment Tool


CobiT as an Organizational Tool

Provides framework and benchmarks for IT planning and management

Identification of primary IT processes (by broad management-oriented Domains)

Assists in establishing responsibilities and points of accountability

Assists in clarifying IT's and Audit's role


CobiT As An Audit Planning Tool

“To look at a functional area.”

– “Which functional area?”

– “What systems are involved?”

– “What IT processes are involved?”

– “What are the objectives and risks?”

– “What are the control objectives?”


Using CobiT in Audit Planning

IT audit shop planning --- audit engagement selection

Determining type of audit services

Engagement planning

Framing audit scope and audit objectives to CobiT

Development of audit approach


Audit Planning

Adequate planning is a necessary first step in performing effective IT Audits.

Need to understand the general business environment as well as the associated business and control risks.

Assess operational and control risks and identify control objectives during audit planning.


Use of CobiT during the Audit Planning

Assessing the control environment and identifying high risk processes

Conducting a high-level policy and procedures review

Conducting a detailed review of policies and procedures against the entire control objectives document

Using CobiT-related matrices


CobiT-related Matrices


Using CobiT Matrices to Focus on:

IT Functions
– Their importance?
– Level of performance?
– Control documentation?

Responsible Parties of IT
– Performed by?
– Contracted services?
– Primary responsible party?

Risk Assessment
– Importance, level of risk, control documentation?


CobiT-Related Matrices

Submit the matrix of processes to IT management to obtain assertions regarding:
– importance, performance and risk of each process
– self assessment of how well control is being carried out for each process

Have the review or audit team also independently rate its preliminary understanding of the importance, performance and risk of each process

Use the matrix of IT processes to identify who performs each process and who has final responsibility; it can also be used to identify processes not performed by the "traditional" IT organization


ENTITY SHORT FORM

Columns (tick one per group for each IT process):

  Importance:  Very Important | Somewhat Important | Not Important | Not sure | Not Applicable
  Performance: Excellent | Very good | Satisfactory | Poor | Not Sure | Formally Rated | Not Rated | Not Applicable

Rows (IT Process):

  PO1  Define a strategic IT plan
  PO2  Define the information architecture
  PO3  Determine technological direction
  PO4  Define organisation and relationships
  PO5  Manage the investment
  PO6  Communicate management aims & direction
  PO7  Manage human resources
  PO8  Ensure compliance with external requirements
  PO9  Assess risk
  PO10 Manage projects
  PO11 Manage quality

  AI1  Identify automated solutions
  AI2  Acquire & maintain application software
  AI3  Acquire & maintain technology architecture
  AI4  Develop & maintain procedures
  AI5  Install & accredit system
  AI6  Manage changes

  DS1  Define service levels
  DS2  Manage third party services
  DS3  Manage performance & capacity
  DS4  Ensure continuous service
  DS5  Ensure system security
  DS6  Identify & allocate costs
  DS7  Educate & train users
  DS8  Assist & advise customers
  DS9  Manage the configuration
  DS10 Manage problems & incidents
  DS11 Manage data
  DS12 Manage facilities
  DS13 Manage operations

  M1   Monitor the process
  M2   Assess Internal Control Adequacy
  M3   Obtain independent assurance
  M4   Provide for Independent Audit


ENTITY LONG FORM

Columns (tick one per group for each IT process):

  Importance:  Very Important | Somewhat Important | Not Important | Not sure | Not Applicable
  Performance: Excellent | Very good | Satisfactory | Poor | Not Sure | Formally Rated | Not Rated | Not Applicable
  Controls:    Documented | Not Documented | Not Sure
  Internal WP Ref.

Rows (IT Process): the 34 processes PO1 to M4, as listed on the Entity Short Form.


RISK ASSESSMENT FORM

Columns (tick one per group for each IT process):

  Importance: Very Important | Somewhat Important | Not Important | Not sure
  Risk:       High | Medium | Low | Immaterial | Not Sure
  Controls:   Documented | Not Documented | Not Sure
  Internal WP Ref.

Rows (IT Process): the 34 processes PO1 to M4, as listed on the Entity Short Form.


Pre-Audit: Performance and Risk

  Level of Performance | Function & Operation | Level of Risk
  high                 | A/P                  | low
  high                 | payroll              | low
  medium               | IT processing        | high
  etc.


Pre-Audit: Risk/Importance and Control Documentation

  Risk/Importance | Function & Operation | Control Documentation
  Low/medium      | A/P                  | yes
  Low/high        | payroll              | none
  High/medium     | IT processing        | partial
  etc.
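The matrix exercise described on the "CobiT-Related Matrices" slides and the forms above, worked through as an added example that is not part of the original slide deck: a small Python script that holds the 34 CobiT processes, records management's assertions and the audit team's independent ratings on the form scales (importance, performance, risk, control documentation), scores each process so that the most important and least controlled ones rise to the top of the engagement-selection list, and flags processes where management's self-assessment diverges from the auditor's preliminary view. The process list and the scale labels come from the forms on the page; the numeric weights, the scoring rule, the `Rating` class, the function names and the three constructed sample ratings are assumptions made for illustration.

```python
"""Audit-planning matrix helper (added example; not from the slide deck).

Scales are the ones printed on the entity and risk-assessment forms; the
numeric weights, the scoring rule and the sample ratings are assumptions.
"""
from dataclasses import dataclass

# The 34 CobiT (3rd edition) processes, as listed on the forms.
PROCESSES = {
    "PO1": "Define a strategic IT plan", "PO2": "Define the information architecture",
    "PO3": "Determine technological direction", "PO4": "Define organisation and relationships",
    "PO5": "Manage the investment", "PO6": "Communicate management aims & direction",
    "PO7": "Manage human resources", "PO8": "Ensure compliance with external requirements",
    "PO9": "Assess risk", "PO10": "Manage projects", "PO11": "Manage quality",
    "AI1": "Identify automated solutions", "AI2": "Acquire & maintain application software",
    "AI3": "Acquire & maintain technology architecture", "AI4": "Develop & maintain procedures",
    "AI5": "Install & accredit system", "AI6": "Manage changes",
    "DS1": "Define service levels", "DS2": "Manage third party services",
    "DS3": "Manage performance & capacity", "DS4": "Ensure continuous service",
    "DS5": "Ensure system security", "DS6": "Identify & allocate costs",
    "DS7": "Educate & train users", "DS8": "Assist & advise customers",
    "DS9": "Manage the configuration", "DS10": "Manage problems & incidents",
    "DS11": "Manage data", "DS12": "Manage facilities", "DS13": "Manage operations",
    "M1": "Monitor the process", "M2": "Assess internal control adequacy",
    "M3": "Obtain independent assurance", "M4": "Provide for independent audit",
}

# Form scales mapped to assumed weights. "Not sure" scores mid-range on purpose:
# an unknown must never rank as better than a known-good answer.
IMPORTANCE = {"Very Important": 3, "Somewhat Important": 2, "Not Important": 1,
              "Not sure": 2, "Not Applicable": 0}
PERFORMANCE = {"Excellent": 0, "Very good": 1, "Satisfactory": 2, "Poor": 3,
               "Not Sure": 2, "Not Applicable": 0}
RISK = {"High": 3, "Medium": 2, "Low": 1, "Immaterial": 0, "Not Sure": 2}
CONTROLS = {"Documented": 0, "Not Documented": 2, "Not Sure": 1}


@dataclass(frozen=True)
class Rating:
    """One row of the risk-assessment form for a single IT process."""
    importance: str
    performance: str
    risk: str
    controls: str

    def score(self) -> int:
        """Importance scales the exposure: poor performance + risk + missing documentation."""
        exposure = PERFORMANCE[self.performance] + RISK[self.risk] + CONTROLS[self.controls]
        return IMPORTANCE[self.importance] * exposure

    def disagrees_with(self, other: "Rating") -> bool:
        """True when any dimension differs from `other` by two or more scale points."""
        pairs = ((IMPORTANCE, self.importance, other.importance),
                 (PERFORMANCE, self.performance, other.performance),
                 (RISK, self.risk, other.risk),
                 (CONTROLS, self.controls, other.controls))
        return any(abs(scale[a] - scale[b]) >= 2 for scale, a, b in pairs)


def missing_assertions(management: dict) -> list:
    """Processes management never rated: a gap to close before planning is final."""
    return sorted(pid for pid in PROCESSES if pid not in management)


def rank_processes(management: dict, audit: dict) -> list:
    """Rank rated processes by the audit team's score, flagging management disagreement.

    Returns (process id, audit score, management score, disagreement) tuples,
    highest audit score first; ties are broken by process id for stable output."""
    rows = []
    for pid in PROCESSES:
        if pid in management and pid in audit:
            mgmt, aud = management[pid], audit[pid]
            rows.append((pid, aud.score(), mgmt.score(), aud.disagrees_with(mgmt)))
    return sorted(rows, key=lambda row: (-row[1], row[0]))


# Constructed sample assertions (not real data): management's self-assessment
# beside the audit team's preliminary view for three processes.
MANAGEMENT = {
    "DS5": Rating("Very Important", "Satisfactory", "High", "Documented"),
    "DS4": Rating("Very Important", "Very good", "Medium", "Documented"),
    "PO11": Rating("Somewhat Important", "Satisfactory", "Low", "Not Documented"),
}
AUDIT_TEAM = {
    "DS5": Rating("Very Important", "Poor", "High", "Not Documented"),
    "DS4": Rating("Very Important", "Very good", "Medium", "Documented"),
    "PO11": Rating("Not Important", "Satisfactory", "Low", "Not Sure"),
}

if __name__ == "__main__":
    for pid, aud_score, mgmt_score, flag in rank_processes(MANAGEMENT, AUDIT_TEAM):
        note = "  <-- management assertion differs; confirm in walkthrough" if flag else ""
        print(f"{pid:5} {PROCESSES[pid]:45} audit={aud_score:2} mgmt={mgmt_score:2}{note}")
    print(f"{len(missing_assertions(MANAGEMENT))} processes have no management assertion yet")
```

Run as a script it prints DS5 first (the auditor scores it 24 against management's 15, and the "Documented" versus "Not Documented" gap on controls raises the disagreement flag), DS4 next, PO11 last, and reports the 31 processes that still need a management assertion. The disagreement flag is the point of the slide's "independently rate" step: it tells the team which assertions to confirm during the walkthrough rather than accept.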


RESPONSIBLE PARTY FORM

Columns:

  Performed by (1) | IT Process | Primary Responsible Party

Rows (IT Process): the 34 processes PO1 to M4, as listed on the Entity Short Form.

(1) Identify the organisational units (IT department, within organisation, outsourced or not sure) which perform activities incorporated within the IT process.


Pre-Audit: Functions & Responsibilities

  Function performed by | Function & Operation | Points of Accountability: Responsible Party
  internal              | A/P                  | Accounting
  outsourced            | payroll              | Accounting
  IT Dept               | IT processing        | VP of IT
  etc.


CONTRACT SERVICE/SERVICE LEVEL AGREEMENT (SLA) FORM

Columns (tick one per group for each IT process):

  Performed by:        IT Department | Within Organisation | Outsourced | Not sure
  Formal Contract/SLA: Documented | Not Documented | Not Sure
  Controls in place?:  Yes | No | Not Applicable | Not Sure
  Internal WP Ref.

Rows (IT Process): the 34 processes PO1 to M4, as listed on the Entity Short Form.


PRIOR AUDIT WORK FORM

Columns (tick one per group for each IT process):

  In Scope:                Yes | No
  Prior Opinion:           Unqualified | Qualified | Adverse | Disclaimer
  Prior Audit:             Material Weaknesses | Findings
  Disposition of Findings: Resolved | Unresolved | N/A | Not Determined

Rows (IT Process): the 34 processes PO1 to M4, as listed on the Entity Short Form.

Insert the number of material weaknesses and/or findings if there is more than one per process category and then reflect the appropriate number under each column.


                       Audits (or audit entities)
COBIT's 34 Processes   A   B   C   D   E   F   - - -
  PO1
  PO2
  .
  .
  .
  M4

Cell codes:
  S = Pre-audit survey
  A = Audit
  R = Report (- Positive conclusion, - Finding)


Use of CobiT in Audit Planning:

Supports objectives of AU.319 “Consideration of Internal Control in a Financial Statement Audit”, and

Risk-Based Audit planning


Key Features of Risk-Based Approach

Focuses on the business from a management perspective

Emphasis on knowledge of the business and the technology

Focus on assessing the effectiveness of a “combination” of controls

Linkage between risk assessment and testing focusing on control objectives


Risk-Based Audit Planning

What is most critical to the business?

What are the CSFs?

What are the risks and threats?

How robust and appropriate does the internal control structure appear?

What are management's concerns?


Risks to the Business?

Unaware of the risks

Poor understanding of CSFs

Absence of KPIs

No "scorecard" or basis of measurement

Absence of monitoring and evaluation

Weak IT control environment

Loss of data or system integrity


Control Risk Assessment

Control risk assessment at maximum
– addresses relevant audit objectives using substantive tests
– perform all applicable substantive tests

Control risk assessment at below maximum
– identify control procedures that allow control risk to be below maximum
– design & perform tests of controls
– identify reduced substantive tests


Control Risk Assessment

Control risk assessment at low
– perform tests of controls for application and IT controls
– perform analytical procedures (reduced substantive testing)


Control Assessment Steps

What is the control objective?

Identify the type of control (application or general; primary or secondary; and preventive, detective, or corrective)

What business objective is impacted?

Appropriateness of the stated control?

Number of components used to execute the control and number of subsystems or control objectives impacted?

Evidence that the control is in effect, or impact that it is not.


Setting Audit Objectives

Depends on the type of audit

Best phrased when focused on whether selected control objectives are met

Build the linkage from the control objective and the controls to the audit objectives and audit procedures (review and examination steps) to obtain sufficient audit evidence to draw conclusions


Use of CobiT in the Pre-Audit Process


Overview of Pre-Audit Process

Auditee selection (may be CobiT driven)

Off-site preliminary information gathering

Entrance conference and on-site pre-audit information gathering (reference to CobiT)

Develop proposed scope and audit objectives

Internal scope meeting (review & approval)

Finalize audit work program (CobiT-framed)

Engagement conference (reference CobiT as criteria) and audit (CobiT as examination criteria)


Pre-Audit Planning

Who are they? (type of organization, industry)

What do they do? (mission, business objectives)

How do they plan to do it? (strategy/plan)

How do they do it? (functions, processes)

With what resources? (IT, operational resources, management & staff, raw materials, etc.)

By what rules? (policies, standards, legal and regulatory requirements)

Under what risks? (risk analysis)


Pre-Audit Planning

Who does it? (internal & external players, their roles and responsibilities)

Who knows what is done? (reporting lines, designated points of accountability)

How do they know it is done right? (measurement registers, assurance mechanisms, evaluations, score cards, etc.)

Where are they? (global or national, centralized or distributed organizational structure, etc.)


On-Site Pre-Audit

Entrance conference and subsequent interviews (CobiT discussion)

Tour of facility and observations

Documentation review (high-level CobiT)

Obtain management assertions (CobiT matrices)

Identification of data/information sources and their information criteria (CobiT)

Risk and exposure analysis

Review of internal controls (includes CobiT)

Determination of planned materiality

Page 56

On-Site Pre-Audit Procedures

Identification of accounting and operational control objectives and related control practices (CobiT)
Perform selected tests of stated procedures or controls (CobiT)
Determination of auditability
Summary conclusions and development of proposed scope and audit objectives

Page 57

Internal Scope Meeting

The AIC (auditor-in-charge) and manager present their understanding of the entity and its audit requirements

Provides opportunity to discuss CobiT-related matters

Acquaints the Audit Shop’s management with proposed audit and CobiT-related matters

Serves as review and approval point for scope and audit objectives

Page 58

Internal Scope Meeting

Addresses fundamental elements of preaudit planning; preliminary audit work; development and documentation of audit scope, objectives and methodology; identification of control objectives and criteria; and staffing and logistics issues

CobiT helps to ensure appropriate audit direction and allocation of audit resources to the engagement

Serves as a “practice run” for presenting audit scope and audit objectives, methodology and criteria (including CobiT) to the auditee

Page 59

For the Audit Engagement

May identify CobiT as criteria at entrance conference

Use CobiT to develop and benchmark audit work programs

Introduce generally accepted control practices to auditee via CobiT

Page 60

Where CobiT Helps on Pre-Audit Considerations

Framing IT processes by domains for the existing IT environment and automated systems

Identification of major processes and activities which support the entity’s mission and business objectives

Review of acquisition and development plans or projects for IT

Performing risk analysis and internal control review

Page 61

Using CobiT in Other Audit Areas

Page 62

Using CobiT on System Development Audits

Page 63

Three Types of System Development IT Audits

Type 1: examination of development methodology, policy and procedures

Type 2: examination of development and implementation of a particular information system

Type 3: participation as “control advisor” throughout the development and implementation process

Page 64

System Development Audit Planning

Conduct preliminary survey and pre-audit work sufficient to select the “type” of system development audit

Use CobiT to assist in framing the audit with respect to processes and detailed control objectives applicable to the “type” of development audit

Use CobiT processes and detailed control objectives to identify criteria

Page 65

System Development Audit Planning

Start with CobiT summary table to select processes directly impacting application(s)

Suggested focus on the Planning & Organization, Acquisition & Implementation, and Monitoring domains for development audits

Note: not all processes will be selected nor will detailed control objectives within each process

Select applicable IT control practices (tasks and activities) for each process

Page 66

SDLC Audits Type 1

The IT auditor reviews the organization’s system development and implementation procedures. Here, the auditor would determine whether appropriate SDLC procedures were in place to ensure that automated systems developed meet user needs, function as intended, meet any required legal or regulatory requirements, are sufficiently controlled to provide reasonable assurance for data and system integrity, and that the system operates effectively and efficiently.

Page 67

Type 1 Development Audit

Process audit
Determine whether appropriate SDLC policies & procedures are in place
Emphasis on Planning & Organization and Acquisition & Implementation domains
Detailed control objectives focused on good practices for development

Page 68

Type 1 Development Audit Assumptions

Linkage to Planning & Organization processes based on the premise that PO’s set the stage for IT environment and development

Audits or reviews of SDLC methodology should be in context of organization’s IT strategy, policies, and standards

Page 69

SDLC Audits Type 2

The IT auditor reviews the development and implementation of a particular system, determining whether the organization’s (and generally-accepted) development procedures were followed, whether the system meets the needs of the organization and its users, is maintainable, and operates efficiently.

Page 70

Type 2 Development Audit

Compliance audit
Operations/Performance audit
Post-implementation examination
Focus on compliance with SDLC methods and assessment of the system’s “operational status”

May include 3rd-party review

Page 71

SDLC Audits Type 3

The IT auditor participates in the development and implementation of the automated system where the auditor serves as a non-voting member of the development team. Under this arrangement, the auditor serves as an advisor, a “control consultant”.

Page 72

Type 3 Development Audit

Management advisory services (MAS)
Use CobiT to facilitate discussions on design, development, testing, etc.
May involve audit work of each phase
Greater emphasis placed on understanding of Audit’s role as “advisor”
Good opportunities to design control self assessment processes

Page 73

Processes Selected for Type 1, 2 & 3 Development Audits

PO1: Define strategic IT plan
PO2: Define information architecture
PO4: Define organization & relationships
PO5: Manage the investment
PO6: Communicate management aims
PO8: External requirements compliance
PO9: Assess risk
PO10: Manage projects
PO11: Manage quality

Page 74

Processes Selected for Type 1, 2 & 3 Development Audits

AI1: Identify automated solutions
AI2: Acquire/maintain application software
AI3: Acquire/maintain technology architecture
AI4: Develop & maintain procedures
AI5: Install & accredit systems
AI6: Manage changes

M1: Monitor the process

Page 75

Detailed Control Objectives by Process for Type 1 SDM Audit

PO1
1.1 Assessment of technology issues in L-R & S-R (long-range and short-range) plans
1.5 Feasibility studies performed

PO2
2.1 Current architecture model
2.2 Current corporate data dictionary
2.3 Data classification scheme

PO4
4.1 Oversight role of steering committee

Page 76

Detailed Control Objectives by Process for Type 2 SDM Audit

PO1
1.2 Development initiatives should be in L-R & S-R (long-range and short-range) plans
1.5 Feasibility studies performed

PO2
2.2 Current corporate data dictionary
2.3 Data classification scheme
2.4 Maintain security levels for information classes

PO4
4.1 Oversight role of steering committee, etc.

Page 77

Detailed Control Objectives by Process for Type 3 SDM Audit

PO1
1.3 IT-related issues to be considered in L-R (long-range) planning
1.5 Plans to reflect IS resources

PO2
2.2 Corporate data dictionary incorporates data syntax rules
2.3 Placement of data on information classes
2.4 Implement security levels

PO3
3.4 Software acquisition plans
3.5 Standardization - infrastructure

Page 78

System Development Audit Work Program

Use Control Objectives and Audit Guidelines together to start audit work program.

While the primary focus may be on AI1-AI6, include selected control objectives from Planning & Organization as well.

Include appropriate SDLC requirements of the organization, if available.

Page 79

Summary Thoughts on Using CobiT on Development Audits

Participate in quality assurance for CobiT targeting software development

Use CobiT for risk assessment and subsequent allocation of audit resources to development projects

Use CobiT to develop Type 1, 2, & 3 development audit work programs

Use CobiT to evaluate adequacy of the audit approach on Type 3 SDM audits

Page 80

Developing a Change Control Audit Program

Select relevant objectives from the 34 high-level control objectives (e.g., AI1, AI2, AI4, AI6, DS9)

Select relevant detailed control objectives (e.g., AI 6.2)

These become audit objectives in the audit program

Compare the audit program to the CobiT Audit Guidelines

Page 81

Using CobiT on Management Audits

Framing audits via Planning & Organization Domain

Using CobiT to evaluate assignment of responsibility of IT-related functions.

Using CobiT to evaluate points of accountability.

Page 82

Using CobiT for Review of Responsibilities & Evaluation of Points of Accountability

Page 83

Conducting Responsibility and Accountability Reviews

Determine the extent to which discrete tasks and activities referenced by CobiT are in place.

Determine the extent to which policies, procedures, and mechanisms referenced by CobiT have been established.

Page 84

Factors to consider when identifying relevant tasks and activities

Not all tasks & responsibilities have an assigned responsible party

When planning your assessments (extent, scheduling, area to be reviewed, MAS), recommend comprehensive review by:
– domain
– key process(es)

Page 85

Factors to consider when identifying relevant tasks and activities

If reviewing the control environment, you may elect to target tasks and responsibilities with CobiT-designated responsible parties.

Consider the difference between single tasks and on-going activities with respect to the purpose of your review or audit work.

Page 86

Task/Activity Monitoring & Evaluation

Task or activity | Responsibility to: | Monitored by: | Evaluated by:
Control task | Establish a function or procedure | Initially & upon changes | Periodic, at least annual
Control activity | On-going function or activity | On-going, with reporting | Periodic to on-going

Page 87

“Lock in” Responsibilities

Complete “responsible party” form
Prepare list of responsible parties
Based on entity and organizational structure, and CobiT responsibility designations, agree or modify responsibility designations for the selected tasks and activities
Establish “Locked in” responsibility list

Page 88

“Locked in” Responsibility List

Serves as established list of desired responsibility assignments.

Use as criteria for reviewing responsibility assignments for entity under audit.

Page 89

Review and Evaluate

Clarity and appropriateness of responsibility definitions
Assignment of responsibilities
Points of accountability
Reporting of actions taken and activities
Mechanisms to monitor and evaluate adequacy of exercise of responsibilities

Page 90

Determine extent to which Audit Team Needs to Perform:

A review of assigned responsibilities for discrete tasks during pre-audit.

A review of assigned responsibilities for activities during audit

Page 91

Examination Steps

Determine whether IT-related responsibilities have been adequately defined and assigned, and that adequate points of accountability are in place.

Determine whether adequate controls and mechanisms are in place to monitor, evaluate, and hold accountable internal and outsourced parties for assigned responsibilities and desired deliverables

Page 92

Evidence gathered in review of assigned responsibilities and points of accountability

Can assist assessments of internal structures for financial and operations audits

Can serve to identify the potential cause of audit results or findings

Page 93

Evidence gathered in review of assigned responsibilities and points of accountability

Can assist management in reviewing and determining the adequacy of structures of accountability when the organization incurs organizational or significant technical change

Can provide insight into recommendations regarding task and activity assignment and monitoring

Page 94

Using CobiT to Address Third-Party Providers of IT-Related Services

Determine whether desired processes are in place and establish accountability
Agree on levels of control
Use CobiT to help design service contracts by identifying deliverables and responsibilities
Use CobiT for ongoing monitoring and evaluation of providers and partners

Page 95

As An IT Self Assessment Tool

“How am I doing against recommended CobiT IT benchmarks?”
Use CobiT to facilitate operational and control improvements.
Identify controls that should be in place.
Reallocate resources to more important projects.

Page 96

Using CobiT on Control Self Assessment

Use CobiT to assist the development of Control Self Assessment programs by establishing benchmarks, gathering appropriate information on control objectives and control practices, and developing action plans.

Page 97

Benchmarking - Self-Assessment

0 Very poor: Complete lack of good practice
1 Poor: Recognized the issues
2 Fair: Some effort made to address issues
3 Good: Moderately good level of practice
4 Very good: Advanced level of practice
5 Excellent: Best possible, highly integrated

Source: Erik Guldentops, DC presentation, July 1997.

Page 98

0 Very poor. Complete lack of good practices. Organization has not recognized that there is an issue to be addressed.

1 Poor. There is evidence that the organization has recognized that the issues exist and need to be addressed. There may also be some rudimentary attempts to solve the problem, although these are relatively ineffective without greater levels of good practice to support them.

Page 99

2 Fair. There is some effort within the organization to provide a level of practice which is acceptable. This includes partial definitions of responsibility, organizational models and processes, although these may not have been followed through to deliver effective and acceptable levels of practice.

3 Good. There is a moderately good level of practice which should not draw undue criticism. The processes are reasonably well defined at levels of detail which make them effective. Responsibilities and organizational models are at a similar level of development. There is a recognition of the need for integration, but this has not evolved very far.

Page 100

4 Very good. There is generally a high level of good practices, with advanced tools being used to gain productivity, cost reduction and effectiveness. There is also considerable integration of related practices to give consistent and effective control within this area.

5 Excellent. The very best possible levels of good practice, given the available knowledge and tools. There is also a very high level of integration across all aspects related to this area.

Page 101

Management Guidelines

Includes:
– Critical Success Factors
– Key Performance Indicators
– Key Goal Indicators
– Maturity models


Page 103

Using the Management Guidelines

Page 104

IT Management

Is IT well managed?
– Are we doing the right things?
– Are we doing them the best way?
– Are they being done well?
– Are we achieving desired benefits?
Is IT properly controlled?
Do we exercise due diligence?
Is management driving the information technology?

Page 105

CobiT : An IT control framework

Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.

Promotes process focus and process ownership

Divides IT into 34 processes belonging to four domains: Planning, Acquiring & Implementing, Delivery & Support, Monitoring

Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT: effectiveness, efficiency, availability, integrity, confidentiality, reliability, compliance.

Page 106

Why governance?

“Due diligence”
IT is strategic to the business
IT is critical to the business
Expectations and reality don’t match
IT involves huge investments and large risks

Page 107

IT is strategic to most businesses

If so, wouldn’t you want to know whether your information technology organization is:
Likely to achieve its objectives?
Resilient enough to learn and adapt?
Judiciously managing the risks it faces?
Appropriately recognizing opportunities and acting upon them?

Page 108

Management Guidelines

• Generic and action oriented
• For the purpose of
  • IT control profiling - what’s important?
  • Awareness - where’s the risk?
  • Benchmarking - what do others do?
• Supporting decision making and follow up
  • Key performance indicators of IT processes
  • Critical success factors of controls
  • Control implementation choices

Page 109

Management Guidelines: Critical Success Factors

The most important things to do to increase the probability of success of the process
Observable - usually measurable - characteristics of the organisation and process
Are either strategic, technological, organizational or procedural in nature
Focus on obtaining, maintaining and leveraging capability and skills
Expressed in terms of the IT process, not necessarily the business

Page 110

Management Guidelines: Key Goal Indicators

Describe the outcome of the process and are therefore a ‘lag’ indicator, i.e., measurable after the fact
Are an indicator of the success of the process but may also be expressed in terms of the business contribution if that contribution is specific to the IT process
Represent the process goal, i.e., a measure of “what”, a target to achieve
May also describe a measure of the impact of not reaching the process goal
KGIs are IT oriented but are also business driven
Are expressed in precise measurable terms wherever possible

Page 111

Management Guidelines: Key Performance Indicators

Are a measure of “how well” the process is performing
Predict the probability of success or failure in the future, i.e. KPIs are ‘lead’ indicators
Are process oriented but IT driven
Focus on the process and learning dimensions of the balanced scorecard
Are expressed in precise measurable terms
Should help in improving the IT process

Page 112

Maturity Models

• Refer to business requirements and control capabilities at different levels

• Are scales that lend themselves to pragmatic comparison

• Are scales where the difference can be made measurable in an easy manner

• Are recognizable as a “profile” of the enterprise in relation to IT governance and control

• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity

• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level

Page 113

Start from a Maturity Model for Self-Assessment

Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Legend for symbols used (markers plotted on the scale): enterprise current status; international standard guidelines; industry best practice; enterprise strategy

Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated

Page 114

Measures? Scales? Indicators?

Page 115

Generic Maturity Model - Dimensions

Understanding and awareness
Training and communications
Process and practices
Techniques and automation
Compliance
Expertise

Page 116

Generic Maturity Model - Dimensions

Level 1
Understanding & awareness: recognition
Training & communication: sporadic communication on the issues
Process & practices: ad hoc approaches to process and practices

Level 2
Understanding & awareness: awareness
Training & communication: communication on the overall issue and need
Process & practices: similar/common processes emerge; largely intuitive
Techniques & automation: common tools are emerging
Compliance: inconsistent monitoring in isolated areas

Level 3
Understanding & awareness: understand need to act
Training & communication: informal training supports individual initiative
Process & practices: existing practices defined, standardised & documented; sharing of the better practices
Techniques & automation: currently available techniques are used; minimum practices are enforced; tool-set becomes standardised
Compliance: inconsistent monitoring globally; measurement processes emerge; IT Balanced Scorecard ideas are being adopted; occasional intuitive application of root cause analysis
Expertise: involvement of IT specialists

Level 4
Understanding & awareness: understand full requirements
Training & communication: formal training supports a managed program
Process & practices: process ownership and responsibilities assigned; process is sound & complete; internal best practices applied
Techniques & automation: mature techniques applied; standard tools enforced; limited, tactical use of technology
Compliance: IT Balanced Scorecards implemented in some areas with exceptions noted by management; root cause analysis being standardised
Expertise: involvement of all internal domain experts

Level 5
Understanding & awareness: advanced, forward-looking understanding
Training & communication: training and communications support external best practices and use of leading edge concepts/techniques
Process & practices: best external practices applied
Techniques & automation: sophisticated techniques are deployed; extensive, optimised use of technology
Compliance: global application of IT Balanced Scorecard, and exceptions are globally & consistently noted by management; root cause analysis consistently applied
Expertise: use of external experts and industry leaders for guidance

Page 117

Generic Maturity Model

0 Non-Existent. Complete lack of any recognizable processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognized that the issues exist and need to be addressed. There are however no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized.

2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 Defined. Procedures have been standardized and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimized. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.

118

In summary, Maturity Models:

• Refer to business requirements and the enabling aspects at the different levels

• Are scales that lend themselves to pragmatic comparison

• Are scales where the difference can be made measurable in an easy manner

• Are recognisable as a “profile” of the enterprise in relation to IT governance and control

• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity

• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level

• Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level

119

IT Governance Guideline

Governance over IT and its processes with goal of adding value to the business, while balancing risk versus return

ensures delivery of information to the business that addresses the required information criteria and is measured by KGIs

is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT

considers CSFs that leverage all IT resources and is measured by KPIs

120

Objectives: understand the issues and the strategic importance of IT; ensure that the enterprise can sustain its operations and ascertain it can implement the strategies required to extend its activities into the future

Goal: ensuring that expectations for IT are met and IT risks are mitigated

Position: within broad governance arrangements that cover relationships among the entity's management and its governing body, its owners and its other stakeholders, and providing the structure through which:

• the entity's overall objectives are set
• the method of attaining those objectives is outlined
• the manner in which performance will be monitored is described

IT governance summarized

121

Audit Organization

• Use CobiT to identify and assess risk of IT processes
• Use CobiT-related matrices in standard audit work programs
• Frame IT audits via CobiT
• Development of MAS focused on CobiT

122

Cobitizing Audit -- Phases

• Self assessment and modification
• Internal audit guidelines
– Text of policy & procedure manual
– Generic work programs and matrices
• Overall audit planning
• Engagement planning
• Discussions with auditees for self assessment
• Modify QA to include CobiT
• Strengthen focus on business processes, system integrity, and IT environment

123

CobiT Recognizes

• IT is an integral part of the organization
• IT governance is an integral part of corporate governance
• Focus on control objectives can strengthen appropriateness and use of internal controls
• Measurement is crucial to internal control
• Monitoring and evaluation are integral to a system of internal control

124

Learned So Far

Need Internal Control refresher course covering control models (such as COSO), CobiT, internal control acts, SAS 78, techniques in evaluating controls

There are good opportunities to leverage the understanding of internal controls and CobiT among management and staff, auditors, out-sourced services, academic community, and vendors

125

Learned So Far

Audit Teams and auditees seem to have better understanding of control objectives with CobiT

Increased consistency of discussions regarding IT domains, control objectives and controls

Increased emphasis on information criteria

126

Learned So Far

• Pilot use of CobiT
• Network and share “ideas” on CobiT
• CobiT has assisted identification of IT-related processes, who performs them, and who is responsible
• CobiT provides Value-Added opportunities and time savings
• CobiT reinforces the final objective of effective and efficient operations

127

A Tip regarding CobiT

CobiT is generic - adapt it to your organization in cooperation with the business-process owners!
– Determine focus (quality, security, fiduciary)
– Harmonize existing policies and procedures with CobiT
– Determine control responsibilities
– Identify key performance indicators and critical success factors

128

Another Tip or Two

• Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework
• For auditors and reviewers, provide sufficient time for using CobiT in pre-audit and engagement planning.
• Promote discussions on CobiT
• Identify CobiT as a control framework and basis for benchmark criteria and evaluation

129

The Last of the Tips

• Use CobiT initially as a control model and tool to assist controls evaluations, framing audits, identifying criteria, and performing high-level benchmarking.
• Share your insights regarding control design and evaluation
• Study the Management Guidelines

130

4 major elements

• COBIT as an open standard for increased world-wide adoption covering summary, framework and detailed control objectives;
• Three proprietary guideline products:
-- Implementation Tool Set : how to introduce the COBIT standard in the enterprise
-- Audit Guidelines : how to audit against the standard
-- Management Guidelines : how to benchmark, implement and self-assess

COBIT Product Family
• Executive Summary
• Executive Overview
• Case Studies
• FAQ's
• Presentations
• Implementation Guide - Management Awareness - IT Control Diagnostic

[Figure: COBIT Product Family. Labels: Executive Summary; Framework with High-Level Control Objectives; Implementation Tool Set; Management Guidelines; Audit Guidelines; Detailed Control Objectives; Key Performance Indicators (process); Critical Success Factors (control); Benchmarks]

131

CobiT

For additional information:

www.isaca.org
www.ITgovernance.org

or email or give me a call at (617) 727-6200 ext 135

Go Forth Safely And COBITize

Thank You

132