Institute of Internal Auditors
COBIT Presentation
October 9, 2001
Internal Audit Consulting Group Assurance and Consulting on Business Risk Management, Controls, and Governance 9/26/01 2
Confidential and Proprietary - Internal Audit Consulting Group Use Only
For More Information on COBIT
Phone: 847-253-1545
Websites: www.Itgovernance.org and www.isaca.org
Cost
• ISACA Member: $115
• Non-Member: $225
Background
• Control OBjectives for Information and related Technology
– Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF)
– Current primary publisher is the IT Governance Institute - formed by the Information Systems Audit and Control Association (ISACA) in 1998
– COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc.
– The above sources were used to formulate COBIT to “be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization.”
The COBIT Mission
• To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors
Objectives of COBIT
• To provide a framework to bridge gaps between business risks, control needs and technical issues in order to maximize benefits, capitalize on opportunities and gain competitive advantage
Components
• Executive Summary
• Framework
• Control Objectives
• Audit Guidelines
• Management Guidelines
Executive Summary
• Provides a synopsis of COBIT’s objectives and processes
Framework
• A tool to be used as comprehensive guidance for users, auditors, management & business process owners
Control Objectives
• Generically defined high-level business needs organized by process/activity used to facilitate the implementation of a process
Audit Guidelines
• A template used to facilitate the obtaining, evaluating, assessing and substantiating of information needed to evaluate overall control
Management Guidelines
• Set of action-oriented guidelines developed to assist management in answering:
– Does the benefit outweigh the cost?
– What are the indicators of good performance?
– What are the critical success factors?
– What are the risks of not achieving our objectives?
– What do others do?
– How do we measure and compare?
COBIT Family of Products
• Maturity Models
• Critical Success Factors
• Key Goal Indicators
• Key Performance Indicators
• Management Guidelines
• Detailed Control Objectives
• Audit Guidelines
• Framework with high-level control objectives
• Executive Overview
• Case Studies
• FAQs
• PowerPoint Presentations
• Management Awareness Diagnostics
• IT Control Diagnostic
• Implementation Guide
• Implementation Tool Set
• Executive Summary
Framework (see handout)
• 4 Domains
– Planning & Organization
– Acquisition & Implementation
– Delivery & Support
– Monitoring
• 34 Control Objectives
• 318 Detailed Control Objectives
Audit Guidelines
Obtain Understanding
– Interviewing
– Obtaining
Evaluate Controls
– Considering
Assess Compliance
– Testing
Substantiate Risk
– Performing
– Identifying
Management Guidelines
Critical Success Factors
Key Goal Indicators
Key Performance Indicators
Maturity Model
Example
Manage Changes
Domain
Acquisition & Implementation
Control Objective
AI6
Detailed Control Objectives
• Change Request Initiation and Control
• Impact Assessment
• Control of Changes
• Emergency Changes
• Documentation and Procedures
• Authorized Maintenance
• Software Release Policy
• Distribution of Software
Audit Guidelines
Obtain Understanding
– Interviewing
– Obtaining
Evaluate Controls
– Considering
Assess Compliance
– Testing
Substantiate Risk
– Performing
– Identifying
Management Guidelines
Non-existent
Initial/Ad Hoc
2 Repeatable but Intuitive
Defined Process
Managed & Measurable
Optimized
Findings
Issues
Benchmarking
Adopting COBIT Tool Set
When you are… Project Manager
COBIT objectives served… General Framework for minimal project and quality standards
Useful COBIT approaches… Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery, and project management and assessment
Adopting COBIT Tool Set
When you are… Developer
COBIT objectives served… As minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built
Useful COBIT approaches… Use COBIT to help ensure that all applicable IT control objectives in the development project have been addressed
Adopting COBIT Tool Set
When you are… Operations
COBIT objectives served… As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives
Useful COBIT approaches… Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive
Adopting COBIT Tool Set
When you are… User
COBIT objectives served… As minimal guidance for internal control to be integrated within information systems, being fully operational or under development
Useful COBIT approaches… Use COBIT to guide service level agreements
Adopting COBIT Tool Set
When you are… Information Security Officer
COBIT objectives served… As harmonizing framework providing a way to integrate information security with other business related IT objectives
Useful COBIT approaches… Use COBIT to structure the information security program, policies, and procedures
Adopting COBIT Tool Set
When you are… Auditor
COBIT objectives served… As basis for determining the IT audit universe and as IT control reference
Useful COBIT approaches… Use COBIT as criteria for review and examination and for framing IT-related audits
COBIT Case Studies
• Cedel Group
• Office of the State Auditor of Massachusetts
• PWC
• Fidelity Investments
• Department of Defense
• Boston Gas Company
• Santa Barbara Bank and Trust
• Society for Worldwide Interbank Financial Telecommunication