Lecture 3 COBIT (Control Objectives for Information and related Technology)

Upload: darshan-kumar

Post on 24-Jun-2015


DESCRIPTION

Information Security and Assurance

TRANSCRIPT

Page 1: ISA 3 COBIT

Lecture 3

COBIT (Control Objectives for Information and related Technology)


Introduction to COBIT (Control Objectives for Information and related Technology)

• One major challenge faced by auditors: the lack of a common framework within which to operate

– This problem was first addressed with the release of the COBIT framework by the IT Governance Institute, USA, sponsored by ISACA (Information Systems Audit and Control Association)

• IT Governance and Auditors – To meet the business objectives, there had to be a common ground for proactive discussion among auditors, IT management, and the board.

– COBIT, an IT governance framework, addresses these issues through several supporting tools and mechanisms.

– These mechanisms define the role of the auditor within the realm of IT governance.

– IT governance activities have thirty-four objectives, one for each IT process. These are grouped into four domains, viz.:

• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring

– COBIT, as a standard for IT security and control practices, is not only meant for auditors but also for management, users, etc.

– COBIT is helpful to managers, users, and auditors in the following manner:

• Management: it helps them balance risk and control investments in an often unpredictable IT environment

• Users: it helps them obtain assurance on the security and control of IT services provided by internal and third parties

• IS auditors: it enables them to substantiate their opinion and/or provide advice to management on matters of internal controls

• IT Governance and Auditors – Let us discuss the role of the auditor in each of the four domains of COBIT mentioned earlier.

– Planning and Organization

• The board of directors and management decide the strategy that would help achieve the business objectives, and ensure the technological infrastructure is in place.

• Here, the auditor’s role is to evaluate and/or assess whether the functioning of these processes is in accordance with the business objectives.

• The only process that the auditor is directly responsible for within this domain is quality management.

• This process includes the development of a long-term strategic plan
• This process is concerned with the measurement criteria to be applied
• Identification of specific projects and work plans

• The processes and auditor’s duties that are part of this domain are:
– Define a strategic IT plan (evaluate/assess)
– Define the information architecture (evaluate/assess)
– Determine technological direction (evaluate/assess/inform/support)
– Define the IT organization and relationships (evaluate/assess/inform/support)
– Communicate management’s aims and direction (evaluate/assess/inform)
– Manage human resources (evaluate/assess/inform)
– Ensure compliance with external requirements (evaluate/assess)
– Assess risks (evaluate/assess)
– Manage projects (evaluate/assess/inform/support)
– Manage quality (evaluate/assess/responsible)

– Acquisition and Implementation

• To realize the business strategies and tactics, IT solutions need to be identified, developed or acquired.

• Within this domain, the primary role of the auditor is still to assess the processes.

• However, here support is also needed on control issues regarding the acquisition and maintenance of application software.

• The processes and auditor’s duties that are part of this domain are:
– Identify automated solutions (evaluate)
– Acquire and maintain application software (evaluate/support)
– Acquire and maintain technology infrastructure (evaluate)
– Develop and maintain procedures (evaluate)
– Install and accredit systems (evaluate)
– Manage changes (evaluate/support)

– Delivery and Support

• This domain is concerned with the delivery of IT services, including operations through security, training, and support.

• The role of the auditor here is to evaluate and assess.

• The processes and auditor’s duties that are part of this domain are:
– Define and manage service levels (evaluate/assess)
– Manage third-party services (evaluate/assess)
– Manage performance and capacity (evaluate/assess)
– Ensure continuous service (evaluate/assess)
– Ensure system security (evaluate/assess/support)
– Identify and allocate costs (evaluate/assess)
– Educate and train users (evaluate/assess)
– Assist and advise customers (evaluate/assess)
– Manage configuration (evaluate/assess)
– Manage problems and incidents (evaluate/assess)
– Manage data (evaluate/assess)
– Manage facilities (evaluate/assess)
– Manage operations (evaluate/assess)

– Monitoring

• In all previous domains, the auditor was required to check the compliance of processes with quality and control requirements.

• Here the auditors have direct responsibility and provide direct support to the domain’s processes.

• The processes and auditor’s duties that are a part of this domain are:
– Monitor the processes (evaluate/assess/support)
– Assess internal control adequacy (evaluate/assess/support)
– Obtain independent assurance (evaluate/assess/support)
– Provide for an independent audit (evaluate/assess/support)


Directed Unsupervised Activity

• Visit the website of ISACA and find out the standards for IS Audit documentation and give your comments.

• List ten assurance services and group them into attestation and non-attestation services.

Control

• Control is defined as “any input given to a dynamic system to produce a desired output.”

• Here the words dynamic and desired output are very important.

Input → Dynamic System → Desired output

• Dynamism of the System and Control Requirement
– Static system: control is not required
– The more dynamic the system, the greater its control requirement
– Computer system: control is not required if it is not being used for any application or is switched off
– As complexity increases, the control requirement also rises. This implies that:
• Less control is required for a stand-alone system
• Greater control is required for one that is connected to a network or the Internet

• Knowledge of the Dynamism of the System Makes Control Effective
– The predictability of the complexity of a disease has helped in the development of vaccines to prevent and cure it
– Similarly, in a computer system, control measures would operate effectively if its dynamism and complexity were known.

• The Input Should be Directed towards Achieving the Desired Output
– If the inputs are not focused and directed towards specific outputs, then the control mechanism will not be successful.
– There is no thumb rule.
– Each input or control measure should be directed towards achieving a specific output.

• The Output Should be Evaluated for Giving Further Appropriate Input to the System

Effects of Computers on Internal Controls

• The major areas of impact on the internal controls within an enterprise in a computerized environment, with the goals of asset safeguarding, data integrity, and system efficiency and effectiveness, are discussed below:
– Personnel
– Segregation of duties
– Authorization procedures