ISA 3 COBIT
DESCRIPTION
Information Security and Assurance
TRANSCRIPT
Lecture 3
COBIT (Control Objectives for Information and related Technology)
Introduction to COBIT (Control Objectives for Information and related Technology)
• One major challenge faced by auditors – the lack of a common framework within which to operate
– This problem was first addressed with the release of the COBIT framework by the IT Governance Institute, USA, sponsored by ISACA (Information Systems Audit and Control Association)
• IT Governance and Auditors – To meet business objectives, there had to be a common ground for proactive discussion among auditors, IT management, and the board.
– COBIT, an IT governance framework, addresses these issues through several supporting tools and mechanisms.
– These mechanisms define the role of the auditor within the realm of IT governance.
– IT governance activities have thirty-four control objectives, one for each IT process. These are grouped into four domains, viz.,
• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring
– COBIT, as a standard for IT security and control practices, is not only meant for auditors but also for management, users, etc.
– COBIT is helpful to managers, users, and auditors in the following ways:
• Management: it helps them balance risk and control investments in an often unpredictable IT environment
• Users: it helps them obtain assurance on the security and control of IT services provided by internal and third parties
• IS auditors: it enables them to substantiate their opinion and/or provide advice to management on matters of internal control
• IT Governance and Auditors – Let us discuss the role of the auditor in each of the four domains of COBIT mentioned earlier.
• Planning and Organization
– The board of directors and management decide the strategy that will help achieve the business objectives, and ensure that the technological infrastructure is in place.
– Here, the auditor's role is to evaluate and/or assess whether the functioning of these processes is in accordance with the business objectives.
– The only process that the auditor is directly responsible for within this domain is quality management.
– This domain covers the development of a long-term strategic plan, the measurement criteria to be applied, and the identification of specific projects and work plans.
– The processes and auditor's duties that are part of this domain are:
• Define a strategic IT plan (evaluate/assess)
• Define the information architecture (evaluate/assess)
• Determine technological direction (evaluate/assess/inform/support)
• Define the IT organization and relationships (evaluate/assess/inform/support)
• Communicate management's aims and direction (evaluate/assess/inform)
• Manage human resources (evaluate/assess/inform)
• Ensure compliance with external requirements (evaluate/assess)
• Assess risks (evaluate/assess)
• Manage projects (evaluate/assess/inform/support)
• Manage quality (evaluate/assess/responsible)
• Acquisition and Implementation
– To realize the business strategies and tactics, IT solutions need to be identified, developed or acquired.
– Within this domain, the primary role of the auditor is still to assess the processes.
– However, here support is also needed on control issues regarding the acquisition and maintenance of application software.
– The processes and auditor's duties that are part of this domain are:
• Identify automated solutions (evaluate)
• Acquire and maintain application software (evaluate/support)
• Acquire and maintain technology infrastructure (evaluate)
• Develop and maintain procedures (evaluate)
• Install and accredit systems (evaluate)
• Manage changes (evaluate/support)
• Delivery and Support
– This domain is concerned with the delivery of IT services, from operations through security, training, and support.
– The role of the auditor here is to evaluate and assess.
– The processes and auditor's duties that are part of this domain are:
• Define and manage service levels (evaluate/assess)
• Manage third-party services (evaluate/assess)
• Manage performance and capacity (evaluate/assess)
• Ensure continuous service (evaluate/assess)
• Ensure system security (evaluate/assess/support)
• Identify and allocate costs (evaluate/assess)
• Educate and train users (evaluate/assess)
• Assist and advise customers (evaluate/assess)
• Manage configuration (evaluate/assess)
• Manage problems and incidents (evaluate/assess)
• Manage data (evaluate/assess)
• Manage facilities (evaluate/assess)
• Manage operations (evaluate/assess)
• Monitoring
– In all the previous domains, the auditor is required to check the compliance of processes with quality and control requirements.
– Here the auditors have direct responsibility for, and provide direct support to, the domain's processes.
– The processes and auditor's duties that are part of this domain are:
• Monitor the processes (evaluate/assess/support)
• Assess internal control adequacy (evaluate/assess/support)
• Obtain independent assurance (evaluate/assess/support)
• Provide for an independent audit (evaluate/assess/support)
Directed Unsupervised Activity
• Visit the website of ISACA and find out the standards for IS Audit documentation and give your comments.
• List ten assurance services and group them into attestation and non-attestation services.
Control
• "any input given to a dynamic system to produce a desired output."
• Here the words dynamic and desired output are very important.
Input → Dynamic System → Desired output
• Dynamism of the System and Control Requirement
– Static system – control is not required
– The more dynamic the system, the greater its control requirement
– Computer system – control is not required if it is not being used for any application or is switched off
– As complexity increases, the control requirement will also rise. This implies that:
• Less control is required for a stand-alone system
• Greater control is required for one connected to a network or the Internet
• Knowledge of the Dynamism of the System Makes Control Effective
– Understanding the course of a disease has helped in the development of vaccines to prevent and cure it
– Similarly, in a computer system, control measures will operate effectively only if its dynamism and complexity are known.
• The Input Should be Directed towards Achieving the Desired Output
– If the inputs are not focused and directed towards specific outputs, then the control mechanism will not be successful.
– There is no rule of thumb
– Each input or control measure should be directed towards achieving a specific output.
• The Output Should be Evaluated to Give Further Appropriate Input to the System
Effects of Computers on Internal Controls
• In a computerized environment, the major areas in which an enterprise's internal controls are affected, with the goals of asset safeguarding, data integrity, and system efficiency and effectiveness, are discussed below:
– Personnel
– Segregation of duties
– Authorization procedures