cobit presentation - isaca willamette valley chapter

ISACA Willamette Valley Chapter Luncheon Thursday, March 20, 2008 Practical Auditors Guide for CobiT Steve Balough, CISA


Page 1: Cobit Presentation - ISACA Willamette Valley Chapter

ISACA Willamette Valley Chapter Luncheon

Thursday, March 20, 2008

Practical Auditors Guide for CobiT

Steve Balough, CISA

Page 2: Cobit Presentation - ISACA Willamette Valley Chapter

Most of us are familiar with CobiT; however, it is often an overlooked and underutilized tool.

Today's talk will provide some helpful approaches for leveraging CobiT for use in all types of Audits.

Control Objectives for Information Technology

Page 3: Cobit Presentation - ISACA Willamette Valley Chapter

Today we will discuss:

I. Overview of the CobiT Framework

II. Navigating the on-line tool: What is there? What might you need?

III. Reference to Risk Assessment (Real World)

IV. Testing Guide

V. Maturity Assessment

VI. Mapping CobiT to other standards


Page 4: Cobit Presentation - ISACA Willamette Valley Chapter

Why is Cobit Valuable?

Framework for comprehensive IT control coverage.

Well thought out and researched. *

Maintained and kept up to date.

Sponsoring organization: IT Governance Institute (ITGI)

A means to address “IT governance”

* COBIT (1996) was produced by a large group of people. Sections were developed over time by project teams, project steering committees, and researchers and expert reviewers.

I. Overview of the CobiT Framework

Page 5: Cobit Presentation - ISACA Willamette Valley Chapter

The benefits of implementing COBIT as a governance framework over IT include:

• Better alignment, based on a business focus

• A view, understandable to management, of what IT does

• Clear ownership and responsibilities, based on process orientation

• General acceptability with third parties and regulators

• Shared understanding amongst all stakeholders, a common language

• Fulfillment of the COSO requirements for the IT control environment

Page 6: Cobit Presentation - ISACA Willamette Valley Chapter

CIO Magazine - July 2006

“….Cobit isn’t widely used: Less than half of the CIOs in the financial services industry, where Cobit is most popular, are even aware of the guidelines, …

The reason? Since it was created in 1996, Cobit has expanded to cover so many control objectives and management guidelines that it’s difficult to make sense of them.

….Cobit 4.0. (now 4.1) The authors have done away with Cobit’s multiple volumes, integrating the information about all 34 high-level control processes, 239 detailed control objectives and related management guidelines into one volume.

…..the material is organized by how one approaches projects: First, plan and organize (PO), next, acquire and implement (AI), then deliver and support (DS), and finally, monitor (M) and evaluate.

….Cobit 4.0 offers more details on how to measure whether IT processes are delivering what the business needs. ….”

Page 7: Cobit Presentation - ISACA Willamette Valley Chapter

What does CobiT consist of?

Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives

Process focus and ownership

Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each

Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT

Is supported by a set of over 239 detailed control objectives

Information criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

Domains: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

Page 8: Cobit Presentation - ISACA Willamette Valley Chapter

Process Orientation

Processes: A series of joined activities with natural control breaks

Activities or Tasks: Actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.

Domains: Natural grouping of processes, often matching an organizational domain of responsibility

(Diagram: IT Processes, Business Requirements, IT Resources)

Page 9: Cobit Presentation - ISACA Willamette Valley Chapter

Business Requirements

Quality Requirements: Quality, Delivery, Cost

Security Requirements: Confidentiality, Integrity, Availability

Fiduciary Requirements (COSO Report): Effectiveness and efficiency of operations; Compliance with laws and regulations; Reliability of financial reporting

Information criteria derived from these requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of information

(Diagram: IT Processes, Business Requirements, IT Resources)

COSO = Committee of Sponsoring Organizations (of the Treadway Commission)

Page 10: Cobit Presentation - ISACA Willamette Valley Chapter

The COBIT Cube

Page 11: Cobit Presentation - ISACA Willamette Valley Chapter

CobiT Hierarchy

239 detailed control objectives (no longer numbered)

IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process.

Page 12: Cobit Presentation - ISACA Willamette Valley Chapter

CobiT Domains

Plan and Organise (PO): Covers strategy and tactics, and the identification of how IT can best contribute to the achievement of the business objectives. Strategic vision needs to be planned, communicated and managed, and organisation and infrastructure put in place.

Acquire and Implement: IT solutions need to be identified, developed or acquired, implemented, and integrated into the business process. Changes in and maintenance of existing systems are covered to ensure the life cycle is continued for these systems.

Deliver and Support (DS): Delivery of required services, which range from traditional operations over security and continuity aspects to training. Includes the processing of data by application systems, often classified under application controls.

Monitor and Evaluate: IT processes need to be regularly assessed over time for their quality and compliance with control requirements. Addresses management’s oversight of the organization's control process and independent assurance provided by internal and external audit or alternative sources.

(Diagram: IT Processes, Business Requirements, IT Resources)

Page 13: Cobit Presentation - ISACA Willamette Valley Chapter

COBIT Framework

Business Requirements (Criteria): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT Resources: Data, Application systems, Technology, Facilities, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Develop and maintain IT procedures
AI5 Install and accredit systems
AI6 Manage changes

DELIVER AND SUPPORT
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

MONITOR AND EVALUATE
M1 Monitor the process
M2 Assess internal control adequacy
M3 Obtain independent assurance
M4 Provide for independent audit

Page 14: Cobit Presentation - ISACA Willamette Valley Chapter

The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

4 Domains - 34 Processes - 239 Control Objectives

Business Requirements: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

Page 15: Cobit Presentation - ISACA Willamette Valley Chapter

IT GENERAL CONTROLS AND APPLICATION CONTROLS

General controls are controls embedded in IT processes and services. Examples include:
• Systems development
• Change management
• Security
• Computer operations

Controls embedded in business process applications are commonly referred to as application controls. Examples include:
• Completeness
• Accuracy
• Validity
• Authorisation
• Segregation of duties

Page 16: Cobit Presentation - ISACA Willamette Valley Chapter

I. Overview of the CobiT Framework

II. Navigating the on-line tool: What is there? What might you need?

III. Reference to Risk Assessment (Real World)

IV. Testing Guide

V. Maturity Assessment

VI. Mapping CobiT to other standards

Page 17: Cobit Presentation - ISACA Willamette Valley Chapter

I. Overview of the CobiT Framework

II. Navigating the on-line tool: What is there? What might you need?

III. Reference to Risk Assessment (Real World)

IV. Testing Guide

V. Maturity Assessment

VI. Mapping CobiT to other standards

Page 18: Cobit Presentation - ISACA Willamette Valley Chapter

Information Technology Risk Based Auditing

1- IT Audits (From Your Company’s Audit Program): Data Center, User Access Management, Web Development

2- Risk Assessment: Narratives, Flowcharting, Prior Audits, Compliance

3- Risks Identified (shown on the slide as individual “R” markers)

4- Risk Categorized: Security, Change Management, Code Development, Performance Management

5- Control Sources: Policies & Procedures, Regulatory, Best Practices (CobiT, ITIL, ISO 17799:2000)

Page 19: Cobit Presentation - ISACA Willamette Valley Chapter

Web Development Audit(example of initial risk assessment w/ no input from CobiT):

CHANGE MANAGEMENT – A control objective grouping based on risk

Risk That:

• Requests for systems and application changes, to include emergencies, may not be assessed or prioritized in a manner to address timely impacts on operational systems and their functionality.

• Changes may not be appropriately reviewed, approved, and communicated.

Page 20: Cobit Presentation - ISACA Willamette Valley Chapter

Information Technology Risk Based Auditing

1- IT Audit (From Your Company’s Audit Program): Web Development

2- Risk Assessment: Narratives, Flowcharting, Prior Audits, Compliance

3- Risks Identified (shown on the slide as individual “R” markers)

4- Risk Categorized, mapped to CobiT processes: DS 5: Ensure System Security; AI 6: Manage Changes; AI 2: Acquire & Maintain Application Software; DS 3: Manage Performance & Capacity

5- Control Sources: Policies & Procedures, Regulatory, Best Practices (CobiT for this page)

Page 21: Cobit Presentation - ISACA Willamette Valley Chapter

Risk Categorization -> CobiT Process

Change Management -> AI 6: Manage Changes

Code Development -> AI 2: Acquire & Maintain Application Software

Performance Management -> DS 3: Manage Performance & Capacity

Security -> DS 5: Ensure System Security

Page 22: Cobit Presentation - ISACA Willamette Valley Chapter

Domain or high-level control objective: CobiT ‘AI 6 Manage Changes’

Detailed control objective: Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorization, release, and distribution policies and procedures.

Page 23: Cobit Presentation - ISACA Willamette Valley Chapter

Web Development Audit (Acquisition & Implementation)(example of initial risk assessment with CobiT review):

AI 6 - MANAGE CHANGES (CobiT online)

Risk That (risk drivers):

• Requests for systems and application changes, to include emergencies, may not be assessed or prioritized in a manner to address timely impacts on operational systems and their functionality.

• Changes may not be appropriately approved and communicated.

• Appropriate contingencies for change control may not be addressed or followed.

• Inappropriate allocation of resources

• Production system availability may be impacted (reduced).

Page 24: Cobit Presentation - ISACA Willamette Valley Chapter

Control and Control Objective Definitions

Definition of Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Definition of IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity

Page 25: Cobit Presentation - ISACA Willamette Valley Chapter

I. Overview of the CobiT Framework

II. Navigating the on-line tool: What is there? What might you need?

III. Reference to Risk Assessment (Real World)

IV. Testing Guide

V. Maturity Assessment

VI. Mapping CobiT to other standards

Page 26: Cobit Presentation - ISACA Willamette Valley Chapter

I. Overview of the CobiT Framework

II. Navigating the on-line tool: What is there? What might you need?

III. Reference to Risk Assessment (Real World)

IV. Testing Guide

V. Maturity Assessment

VI. Mapping CobiT to other standards

Page 27: Cobit Presentation - ISACA Willamette Valley Chapter

Management Guidelines Framework

The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.

Management guidelines provided for each process: Process Description, Critical Success Factors, Key Goal Indicators, Key Performance Indicators, Information Criteria, Resources

Maturity Model:
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.

Page 28: Cobit Presentation - ISACA Willamette Valley Chapter

Maturity Models Usage

Scale: 0 Nonexistent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Legend for Symbols Used: Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy

Legend for Rankings Used:
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.

Page 29: Cobit Presentation - ISACA Willamette Valley Chapter

Maturity Attribute Table

Possible maturity level of an IT process: The example illustrates a process that is largely at level 3 but still has some compliance issues with lower level requirements whilst already investing in performance measurement (level 4) and optimization (level 5)

Using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:
• The actual performance of the enterprise: where the enterprise is today
• The enterprise’s target for improvement: where the enterprise wants to be

Page 30: Cobit Presentation - ISACA Willamette Valley Chapter

I. Overview of the CobiT Framework

II. Navigating the on-line tool: What is there? What might you need?

III. Reference to Risk Assessment (Real World)

IV. Testing Guide

V. Maturity Assessment

VI. Mapping CobiT to other standards

Page 31: Cobit Presentation - ISACA Willamette Valley Chapter

COBIT ISO 17799:2000

Page 32: Cobit Presentation - ISACA Willamette Valley Chapter

Today we reviewed:

I. Overview of the CobiT Framework

II. Navigating the on-line tool: What is there? What might you need?

III. Reference to Risk Assessment (Real World)

IV. Testing Guide

V. Maturity Assessment

VI. Mapping CobiT to other standards

Page 33: Cobit Presentation - ISACA Willamette Valley Chapter

Useful Links

• Information Systems Audit and Control Association: www.isaca.org

• IT Governance Institute: www.itgi.org

• Committee of Sponsoring Organizations of the Treadway Commission (COSO): www.coso.org

• ITIL Information Technology Infrastructure Library: http://www.itil-officialsite.com/home/home.asp

Page 34: Cobit Presentation - ISACA Willamette Valley Chapter

Questions ?