Part 1
• Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts, USA
• Adjunct faculty at Bentley College
• Member of CobiT Steering Committee
• Member of Governor’s Task Force on E-Commerce and Enterprise Security Board, Massachusetts
• Served as member of Y2K Coordinating Council, Commonwealth of Massachusetts
• 1994-1995 International President of ISACA/F
• Served as member of Governor’s Commission on Computer Crime and Governor’s Commission on Computer Technology and Law
• e-mail: john.beveridge@sao.state.ma.us
• What is CobiT?
• What is the CobiT Framework?
• What is the Control Objectives document?
• Who should use CobiT?
• How can auditors effectively use CobiT?
• How does one become familiar with CobiT and learn to use it effectively?
• CobiT’s Background and Authoritative Nature
• CobiT Framework and its components
• High-Level & Detailed Control Objectives
• Audit Guidelines and Using CobiT
Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.

Structured and organized to provide a powerful control model.
CobiT
CobiT is designed to be the breakthrough IT governance tool that helps in understanding and managing the risks and benefits associated with information and related IT.
C    Control
OB   OBjectives
I    for Information
T    and Related Technology


• Right information, to only the right party, at the right time.
• Information that is relevant, reliable and secure.
• Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
Information Systems Audit and Control Association/Foundation
• Leading Global Professional IT Control organization
  – Focuses on Audit, Control and Security Issues
  – The Association Works Closely with its more than 150 Chapters in 100 Countries
• Provides Services and Programs Designed to Promote and Establish Excellence in IT Governance and Audit.
• Research conducted through Foundation Projects is selected to help Members and the Profession keep pace with the ever-changing IT and business environment.
IT Governance Institute

Formed by ISACA and ISACF in 1998 to advance the understanding and adoption of IT governance principles.
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.
IT Governance Objectives
• IT is aligned with the business and enables the business to maximize benefit
• IT resources are safeguarded and used in a responsible and ethical manner
• IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
• CobiT grew from an initiative to update EDPAA’s Control Objectives in 1992
• New focus expanded to include managerial and user needs regarding IT control and governance
• Global perspective added
• CobiT Steering Committee appointed
• IT control framework developed
• The framework became COBIT
• CobiT was first published in April, 1996
• CobiT implementation monitored and evaluated by ISACA and the CobiT Steering Committee
• CobiT enhancements developed, 1997
• CobiT, 2nd edition, was published in April, 1998
• CobiT enhancements and development of Management Guidelines, 1999-2000
• CobiT, 3rd edition, and Management Guidelines were published in July, 2000
• Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)
• Framework -- Senior Operational Management (Directors of IS and Audit / Controls)
• Control Objectives -- Middle Management (Mid-Level IS and IS Audit / Controls Managers)
• Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)
• Implementation Tool Set -- Any of the above
• Management Guidelines -- Management and Audit
• The need for better operational controls
• Technology that makes new business processes possible may come with a loss of control
• Demand for increased effectiveness and efficiency
• The importance of technology
• The need to hold officers and senior management accountable and strengthen governance
• Dashboard: How do responsible managers keep the ship on course?
• Scorecard: How do we achieve satisfactory results for our stake-holders?
• Benchmarking: How do we adapt in a timely manner to trends, developments, and “best practices” for our organization’s environment?
• If you use computer-generated information in decision-making or for audit evidence, you need to assess its reliability.

• If you are the holder of computer-generated information, you must exercise appropriate and defendable controls to safeguard that information, or evidence.
•   Increasing dependence on information and the
    systems that deliver the information
•   Increasing vulnerabilities and a wide spectrum of
    threats, such as cyber threats and information
    warfare
•   Scale and cost of the current and future
    investments in information and information
    systems
•   Potential for technologies to dramatically change
    organisations and business practices, create new
    opportunities and reduce costs
[Figure: evolution of the IT environment, which is unpredictable and fast]
1980s: Glass-house; Data centres; Secure buildings; Unstructured and innovative; Hard to implement
1990s: Network; Managed networks; Business integration
21st Century: Cyberspace; Streetwise users; Virtual Value Chain; E-Commerce; Extended Enterprise
CobiT’s Scope and Overall Objectives
• CobiT focuses on information having integrity and being secure and available.

• At the highest level, it focuses on the importance of information to the long-term success of the organization.
For Information System Services functions, CobiT can be applied from single point IT operations to across the enterprise.

For application systems, CobiT can be applied from a single application-based system to enterprise-based systems.
CobiT is management oriented

Supports corporate and IT governance

Serves as excellent criteria for evaluation and a basis for audit planning
• Addresses key attributes of information produced by IT.
• Links recommended control practices for IT to business and control objectives.
• Provides guidance in implementing and evaluating the appropriateness of IT-related control practices.
As a control model, CobiT should be tailored to organizational, platform and system standards.

Use CobiT as the structure to which you link organization-specific operational and control requirements, policies, and standards.
Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing:
  – management with generally applicable and accepted standards for good practice for IT control and governance
  – users with a solid base upon which to manage IT and obtain assurance
  – auditors with excellent criteria for review/audit work
• Standards used to determine whether something meets expectations.
• Basis upon which one measures or compares something.
• Need to be generally accepted, recognized, understandable, and defendable.
• Need to be authoritative.
CobiT as an Authoritative Source
CobiT is an Authoritative Source
• Built on a sound framework of control and IT-related control practices.
• Aligned with de jure and de facto standards and regulations.
• 41 international standards from around the world were used to identify IT-related control objectives and control practices.
CobiT Sources
• Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)
• Technical standards (ISO, EDIFACT, etc.)
• Codes of Conduct
• Qualification criteria for IT systems and processes (ISO9000, ITSEC, TCSEC, etc.)
• Industry practices and requirements from industry forums (ESF, I4)
• Emerging industry-specific requirements from banking, e-com, IT manufacturing
Based on a Strong Foundation and Sound Principles of Internal Control
What is Internal Control?

How it is defined impacts its design, exercise, and evaluation.
Purpose of Internal Control

Designed to keep an organization on course toward achievement of its mission, minimizing surprises along the way.

Assist in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth.

Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.
The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur.

Controls reduce or eliminate the risk of exposures, or the exposures themselves.
Internal Control
Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).
Goals of Internal Control
• “Keep things in Check”
• Adhering to the Rules of the Road
• Reduce risk
• Based Upon “Best Practices”
• Proof the Rules Have Been Followed
• Provide assurance that operations are according to standard
• Keep those blasted auditors happy
Building CobiT’s Definition of Internal Control
Control (as defined by COSO)
Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• efficiency and effectiveness of operations
• reliability of financial reporting
• compliance with applicable laws and regulations
Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.
Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
IT Control Objective

A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
CobiT supports all fundamental Internal Control requirements
Internal Control Requirements
• Systemization
• Documentation
• Standards, defined expectations
• Measurement
• Appropriate risk assessment
Internal Control Requirements
• Well-defined operational and control objectives
• Appropriate controls
• Competent and trustworthy people
• Monitoring & evaluation
[Figure: the internal control cycle] Observe the actual state of the system → Observations → Document the actual state of the system → Documentation → Evaluate the system against its goals and plans (the desired state of the system) → Evaluation → Recommend changes to the system → Recommendations, which feed back into observation.

Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p. 214.
Internal Control Review

[Figure: the internal control review cycle, with CobiT supplying the criteria] Gain understanding: observe the process and controls → Observations → Document the process and controls (AWP & work papers) → Test and evaluate the process and controls against goals and plans, using CobiT as the criteria → Draw conclusions → Recommend changes if needed → Report recommendations.
Control Principles
• Controls should be considered as “built in” rather than “added on”.
• Controls need to support control objectives that are tied to business objectives.
• In order to support monitoring and evaluation, controls need to be testable and auditable.
• Controls need to be cost effective.
Value of Internal Control
• Often the value of internal control is only recognized by the results of not having adequate control in place.

• Control Objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events.
Control Models:
• Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices.
• Provide statements of responsibilities for control.
• Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control.
• Require that controls be monitored and evaluated.
To Be of Value, a Control Model Should Be:

• Based on sound principles
• Applicable & Flexible in application
• Comprehendible
• Subject to having “staying power”
Impact of Technology on Control
• Operational and control objectives change little
• Some technology-specific control objectives change
• There is a significant impact on the “mix” of controls used to address the control objectives.
• Technology can facilitate achieving control objectives
Impact of Technology on Audit
• Has provided us with some tools to increase audit effectiveness and efficiency
• Has allowed us to rethink post and pre-emptive or on-going audit techniques
• Has provided opportunities to facilitate achieving control objectives
Relation to Other Control Models

CobiT is in alignment with other control models:
  – COSO
  – COCO
  – Cadbury
  – King
What is COSO?
• Published in 1992 by the Committee Of Sponsoring Organizations of the Treadway Commission
  – American Institute of CPAs
  – American Accounting Association
  – Institute of Internal Auditors
  – Institute of Management Accountants
  – Financial Executives Institute
Components of COSO

• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring
Checkmarks on COSO Slides

The red checkmarks on the following slides indicate that the CobiT control model includes the same or extremely similar statements.
Components of COSO

• Control Environment:
  – tone of the organization
  – control awareness of people
  – integrity, ethical values and competence
  – management philosophy and operating style
  – assignment of authority and responsibility
  – attention and direction provided by the board of directors.
Understanding the Control Environment

• Understanding the information system, supporting technology, and the organization
• Documenting the business operations and the IT environment
• Identifying the key operational and control objectives
• Identifying and evaluating the appropriateness of internal controls
Components of COSO

• Risk Assessment:
  – Established objectives
  – Identify and analyze risks to achievement of objectives
  – Manage risks
  – Identify special risks associated with change (economic, regulatory, operating)
Components of COSO

• Control Activities:
  – Policies and procedures that help ensure management directives are carried out
  – Actions taken to address risks
  – Carried out at all levels
  – Includes: approvals, authorizations, verifications, reconciliation, reviews of operating performance, security of assets
Components of COSO
• Information and Communication:
  – Pertinent information enables individuals to carry out their responsibilities
  – Information must be identified, captured and communicated
  – Internal and external information necessary for informed decision-making
Components of COSO

• Monitoring:
  – Assess the quality of the internal control system’s performance
  – Ongoing monitoring and separate evaluations
Internal Control Roles and Responsibilities by COSO & CobiT
• Internal Auditors:
  – Evaluate effectiveness of control systems
  – Play a significant monitoring role
• Other Personnel:
  – Internal control is everyone’s responsibility
  – Most employees produce information used in internal control systems
  – Most employees take actions needed to effect control
Control Responsibilities
• Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
• Users -- exercise controls.
• Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
CobiT
• Assists in evaluating appropriateness of controls
• Assists in identifying desired states of systems and processes
• Assists in identifying what to look for when observing system operations
• Provides a working control model for IT-related control objectives
The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices
CobiT Framework
CobiT Framework
• Documents relationships among information criteria, IT resources, and IT processes
• Links control objectives and control practices to business processes and business objectives
• Assists in confirming that appropriate IT processes are in place
• Facilitates discussion
CobiT Framework
Facilitates the understanding of the:
  – relationship of controls to control objectives,
  – importance of focusing on control objectives and their relationship to the business organization and its business processes, and
  – value of managed processes and resources tied to strategic initiatives.
COBIT’s Focus on Process and Objectives
Business (organization): Retail merchandising (Walmart, etc.)
Objectives/Requirements: ROI, market share, customer loyalty (right product, time, price)
Business Processes (to meet objectives): Order fulfillment (OE/S, Inventory, Purchasing)
Information Required (for processes): Data availability and reliability
IT Resources (to provide information): Data, Application Systems, People
IT Processes (to manage & control resources): Planning & Organization, Delivery & Support
Framework’s Three Components

• Business Requirements for Information
• IT Resources
• IT Processes
“Business Requirements for Information”
• To support business processes and satisfy business objectives, information needs to conform to certain criteria.

• COBIT calls these criteria “business requirements for information.”
Sources of Information Criteria

• Quality Requirements: Quality, Cost, Delivery, Better, Cheaper, Faster
• Fiduciary Requirements (COSO Report)
  – Effectiveness and Efficiency of operations
  – Reliability of Financial Reporting
  – Compliance with Laws and Regulations
• Security Requirements: Confidentiality, Integrity, Availability
Promotes a Healthy, Constructive Focus on Information Criteria
• Viewing Information as being:
  – relevant and reliable
  – delivered in a timely, correct, consistent, usable and complete manner
  – accurate, complete and valid
  – provided through an optimal use of resources
  – protected against unauthorized use, manipulation or disclosure
  – available when required
  – in compliance with legal and contractual obligations
Information Criteria -- The 1st Component

• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability of Information
Information Criteria -- The 1st Component
• Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner.
• Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources.
See Framework, p. 14.
Information Criteria -- The 1st Component
• Confidentiality: concerns the protection of sensitive information from unauthorized disclosure.
• Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations.
See Control Objectives, p. 14.
Information Criteria -- The 1st Component
• Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
See Framework, p. 15.
Information Criteria -- The 1st Component
• Reliability of Information: relates to the provision of appropriate information for management to operate the entity, for management in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
See Framework, p. 13.
IT Resources -- The 2nd Component

• Data
• Application Systems
• Technology
• Facilities
• People
IT Resources -- The 2nd Component
• Data: Objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc.

• Application Systems: Application systems are understood to be the sum of manual and programmed procedures.

See Control Objectives, page 14.
IT Resources -- The 2nd Component
• Technology: Hardware, operating systems, data base management, networking, multi-media, etc.
• Facilities: Resources to house and support information systems.
• People: Include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
See Control Objectives, page 14.
Information Processes (3rd component)

Domains (4): Natural grouping of processes, often matching an organizational domain of responsibility.
Processes (34): A series of joined tasks & activities with natural (control) breaks.
Tasks & Activities (318): Actions needed to achieve a measurable result. Activities have a life-cycle, whereas tasks are discrete.
See Framework, p. 16.
COBIT Domains: Information Processes (3rd Component)

[Figure: the four CobiT domains arranged as a cycle] Planning / Organization → Acquisition / Implementation → Delivery / Support → Monitoring → back to Planning / Organization.
How do they relate?

[Figure: three columns linking IT resources, IT processes and business requirements]
IT Resources: Data; Information Systems; Technology; Facilities; Human Resources
IT Processes: Planning and organisation; Acquisition and implementation; Delivery and support; Monitoring
Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
IT Resource Management
CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with the type and quality, and the availability and security, of information needed to achieve organizational objectives.
Framework

[Figure: BUSINESS PROCESSES sit between what you get (INFORMATION, produced from IT RESOURCES) and what you need (the information criteria); the question asked is “Do they match?”]
Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT Resources: data, application systems, technology, facilities, people
COBIT’s Waterfall and Navigation Aids

[Figure: the CobiT cube and waterfall] One axis lists the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability, each marked P or S for primary or secondary), one lists the four domains (Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring), and one lists the IT resources (people, application systems, technology, facilities, data). The waterfall reads: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.
Process/Criteria Relationships

• Primary: the degree to which the defined control objective directly impacts the information requirement concerned.
• Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned.
• Blank: could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or another process.

[mark] = IT Resource is managed by this process

See Control Objectives, page 17.
The WATERFALL Navigation Aid --
High Level Control Objectives for Each Process

The control of IT Processes
    which satisfy Business Requirements
        is enabled by Control Statements
            considering Control Practices

See Framework, p. 18.
Resources

[Figure: the COBIT cube (by Gustavo Solis). Three axes: IT Resources (Data, Application Systems, Technology, Facilities, People); Information Requirements (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); and Domains (processes): Planning and Organisation, Acquisition and Implementation, Delivery and Support, Monitoring. A callout on the cube reads: "The planning process must consider data integrity requirements."]
Executive Summary

• Executive Overview
• States the case for control
• Introduces the concepts of the COBIT Framework -- Setting the Scene
• Provides working Definitions
• The Framework’s Principles
• Introduces the Domains and Processes
• Relationships Among Principles, Domains, and Processes
The Framework

• Executive Overview (again)
• The COBIT Framework -- Setting the Scene
• The Framework’s Principles – Criteria, Resources and Processes
• Guide to Using the Framework -- Navigation Aids
• Summary Table
• High Level Control Objectives (Processes)
Control Objectives
Control Objectives, 3rd Edition (148 pages)

• Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity

• Assists in establishing clear policy and good practice for IT control
Control Objectives Contains:

• Executive Summary and Framework
• Summary Table (page 20)
• Title Headers for Domains, Processes and Control Objectives (pages 23-27)
• High-Level Control Objectives and management control practices by Domain (pages 31-134)
• IT Governance Management Guideline and Maturity Model (pages 137-140)
• CobiT Project Description (page 141)
• Primary Reference Materials (pages 142-143)
• Glossary of Terms & Index (pages 144-148)
Planning and Organization Domain

• 11 High-level Control Objectives

• 100 Detailed Control Objectives (IT-related management control practices)

• 170+ Control Tasks and Activities
Planning and Organization

• Develop strategy and tactical plans for IT
• Identify ways that IT can best contribute to the achievement of business objectives
• Plan, communicate, and manage the realization of the strategic vision
• Establish the IT organization and set the stage for information management and the technology infrastructure

See Control Objectives, p. 32.
Planning and Organization Domain

• PO 1 Define a Strategic Information Technology Plan
• PO 2 Define the Information Architecture
• PO 3 Determine the Technological Direction
• PO 4 Define the IT Organization and Relationships
• PO 5 Manage the Investment in Information Technology
• PO 6 Communicate Management Aims and Directions
Planning and Organization Domain

• PO 7 Manage Human Resources
• PO 8 Ensure Compliance with External Requirements
• PO 9 Assess Risks
• PO 10 Manage Projects
• PO 11 Manage Quality
PO 1 Define a Strategic Information Technology Plan

To take advantage of information technology opportunities and address IT business requirements, a process for developing a strategic plan for the organization’s IT resources should be adopted and the IT strategic plan should be converted to short term tactical plans.
Linking the Processes to Control Objectives

Control over the IT process of DEFINING A STRATEGIC IT PLAN (PO-1)
    that satisfies the business requirement
    to strike an optimum balance of IT opportunities and IT business requirements as well as ensuring its further accomplishment
        is enabled by
        a strategic planning process undertaken at regular intervals giving rise to long-term plans. The long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals
            and takes into consideration:
            * definition of the business objectives and needs for IT
            * inventory of technological solutions and current infrastructure
            * “technology watch” services
            * organisation changes
            * timely feasibility studies
            * existing systems assessments
PO 1 Define a Strategic Information Technology Plan

Reference: page 32 of Control Objectives

8 detailed control objectives:
• IT as part of long-range goals
• IT long-range plan
• Contents of IT plan
• Modification of IT long-range plan
• IT tactical plan development
• Communication & evaluation of IT plans
• Assessing existing systems
PO 2 Define the Information Architecture

To ensure that the organization’s information is consistent with needs and enables people to carry out their responsibilities effectively and on a timely basis, an information architecture model, encompassing the corporate data model and the associated information systems, should be created and regularly updated.
PO 2 Define the Information Architecture

• Information architecture model
• Corporate data dictionary and data syntax rules
• Data classification scheme:
   – security categories
   – ownership
   – access rules
• Maintain security levels for each data classification
PO 3 Determine the Technological Direction

To ensure sufficient technology to perform the IS function and to take advantage of emerging technology, the information services function should create and regularly update a technology infrastructure plan that encompasses the systems architecture, technological direction and migration strategies.
PO 3 Determine the Technological Direction

• Technological infrastructure planning
• Monitor future trends and regulations
• Assess infrastructure for contingency aspects
• Hardware & software acquisition plans
• Define technology standards
PO 4 Define the IT Organization and Relationships

To ensure that IT services are delivered in an efficient and effective manner, there must be: adequate internal and external IT staff, administrative policies and procedures for all functions (with specific attention to organizational placement, roles and responsibilities, and segregation of duties), and an IS steering committee to determine prioritization of resource use.
PO 5 Manage the Investment in Information Technology

To ensure adequate funding for IT, controlled disbursement of financial resources, and effective and efficient utilization of IT resources, IT resources must be managed: through use of information services capital and operating budgets, by justifying IT expenditures, and by monitoring costs (in light of risks).
PO 6 Communicate Management Aims and Direction

To ensure the overall effectiveness of the IS function, IS management must establish direction and related policies addressing such aspects as: a positive control environment throughout the organization, code of conduct/ethics, quality, and security. The policies must then be communicated (internally and externally) to obtain commitment and compliance.
PO 7 Manage Human Resources

IT personnel resources must be managed so as to maximize their contributions to the IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, back up, performance evaluation, job change, and termination.
PO 8 Ensure Compliance with External Requirements

To avoid fines, sanctions, and loss of business, the organization must maintain procedures to ensure awareness of and compliance with industry, regulatory, legal, and contractual obligations. IT-related requirements include: safety, privacy, transborder data flows, electronic commerce, and insurance contracts.
PO 9 Assess Risks

To ensure the achievement of IT objectives, in support of business objectives, and to respond to threats to the provision of IT services, management should establish a risk assessment framework including: risk identification, measurement, risk action plan, and the formal acceptance and communication of the residual risk.
PO 9 Assess Risks

• Cornerstone high-level control objective for developing and maintaining an appropriate system of internal control
• Includes business risk assessment, risk assessment approach, identification of risk, risk measurement, & action plan
• Understanding and acceptance of residual risk
PO 10 Manage Projects

To ensure that projects are completed on time, within budget, and are undertaken in order of importance, management must establish a project management framework to ensure that project selection is in line with plans and that a project management methodology is applied to each project undertaken.
PO 11 Manage Quality

To ensure that customer requirements are met, senior management should establish a quality assurance (QA) plan and implement related activities, including reviews, audits, and inspections, to ensure the attainment of IT customer requirements. A systems development life cycle methodology is an essential component of the QA plan.
Acquisition and Implementation Domain

• 6 High-level Control Objectives

• 68 Detailed Control Objectives (IT-related management control practices)

• 100+ Control Tasks and Activities
Acquisition and Implementation

• IT solutions
   – Identified
   – Developed or acquired
   – Implemented
   – Integrated into the business processes

• Change and maintain existing systems

See Framework, p. 17.
Acquisition and Implementation Domain

• AI 1 Identify Automated Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire & Maintain Technology Infrastructure
• AI 4 Develop and Maintain IT Procedures
• AI 5 Install and Accredit Systems
• AI 6 Manage Changes
AI 1 Identify Automated Solutions

SDLC having procedures to:
• define information requirements,
• formulate alternative courses of action,
• perform technological feasibility studies,
• perform economic feasibility studies, and
• assess risks.
AI 2 Acquire and Maintain Application Software

SDLC having procedures to:
• create design specifications for new, or significantly modified, application systems,
• verify those specifications against the user requirements, and
• ensure specifications are developed with system users and approved by management and user departments.
AI 3 Acquire and Maintain Technology Infrastructure

To ensure that platforms (hardware and systems software) support business applications, the organization’s SDLC should provide for an assessment of the impact of new hardware and software on the performance of the overall system. In addition, procedures should be in place to ensure that hardware and systems software are installed, maintained, and changed to continue to support business applications.
AI 4 Develop and Maintain IT Procedures

To ensure the ongoing, effective use of IT, the organization’s SDLC should provide for the preparation and maintenance of service level requirements, training materials, and operating (user and operations) manuals.
AI 5 Install and Accredit Systems

• SDLC should provide for a planned, tested, controlled, and approved conversion to the new system.
• After installation, the SDLC should call for a review to determine that the new system has met users’ needs in a cost-effective manner.
AI 6 Manage Changes

To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure must be managed via: change request, impact assessment, documentation, authorization, and release and distribution policies and procedures.
Delivery and Support Domain

• 13 High-level Control Objectives

• 126 Detailed Control Objectives (IT-related management control practices)

• 190+ Control Tasks and Activities
Delivery and Support

• Deliver required services
• Ensure security and continuity of services
• Set up support processes, including training
• Process data (including “application” controls)

See Control Objectives, p. 90.
Delivery and Support Domain

• DS 1 Define Service Levels
• DS 2 Manage Third-Party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure Systems Security
• DS 6 Identify and Allocate Costs
• DS 7 Educate and Train Users
Delivery and Support Domain

• DS 8 Assist and Advise IT Customers
• DS 9 Manage the Configuration
• DS 10 Manage Problems and Incidents
• DS 11 Manage Data
• DS 12 Manage Facilities
• DS 13 Manage Operations
DS 1 Define Service Levels

To ensure that IT services continue to satisfy organizational requirements, senior management should establish a framework for reaching explicit agreements on the minimal acceptable levels of quantity and quality of IT services delivered by internal and external IT resources and then measure IT performance against these agreements.
DS 2 Manage Third-Party Services

To ensure that IT services delivered by third parties continue to satisfy organizational requirements, management should establish a process to identify, manage and monitor non-entity IT resources. Formal third-party contracts should address many of the same items contained in service level agreements (see DS 1).
DS 3 Manage Performance and Capacity

To ensure that sufficient capacity of IT resources remains available for optimal use to satisfy organizational requirements, management should establish a process to monitor the capacity and performance of all IT resources. The capacity of all IT resources must be determined and managed, and resource modifications (increases or decreases) planned for.
DS 4 Ensure Continuous Service

To ensure that sufficient IT resources continue to be available for use in the event of a service disruption, management should establish a process, coordinated with the overall business continuity strategy, that includes disaster recovery/contingency planning for all IT resources and related business resources, both internal and external.
DS 4 Ensure Continuous Service (continued)

• Example of including additional guidelines: the “Control Practices Guideline for Information Systems Continuity Planning” (ISACA publication, July 1995) calls for:
   – Evaluation of continuity requirements
       • criticality assessment
       • risk assessment
       • impact assessment
DS 4 Ensure Continuous Service (continued)

• The Control Practices Guideline for Information Systems Continuity Planning calls for:
   – Continuity Plan
   – Risk Management
   – Maintaining a Viable Continuity Plan
       • Testing Continuity Plan
       • Maintenance of Plan
       • Communication and Training
DS 5 Ensure Systems Security

To ensure that organizational information is not subjected to unauthorized use, disclosure, modification, damage, or loss, management should implement logical access controls to restrict access to systems, data, and programs to only authorized users. This objective addresses logical, as opposed to physical, security issues.
DS 6 Identify and Allocate Costs

To ensure that IT resources are delivered in a cost-effective manner and that they are used wisely, information services management should identify the costs of providing IT services and should allocate those costs to the users of those services.
DS 7 Educate and Train Users

To ensure that users make effective use of IT, management should identify the training needs of all personnel, internal and external, who make use of the organization’s IT resources and services and should see that timely training sessions are conducted.
DS 8 Assist and Advise IT Customers

To effectively utilize IT resources, users often require advice on how to properly utilize IT resources and may require assistance to overcome problems encountered in using those resources. This assistance is generally delivered via a “help desk” function.
DS 9 Manage the Configuration

To ensure that IT assets are not lost or altered, or used without authorization, management should establish a process to account for all IT components, including applications, technology, and facilities, and to prevent unauthorized alterations of assets or use of unauthorized assets.
DS 10 Manage Problems and Incidents

To ensure that barriers to efficient and effective use of the IT resource are prevented or eliminated and that the IT resource remains available, information services management should implement a system to identify, track, and resolve in a timely manner problems and incidents that occur.
DS 11 Manage Data

To ensure that data remains complete, accurate and valid, management should establish a combination of application and general controls.
DS 12 Manage Facilities

To protect the IT facilities against man-made and natural hazards, the organization must install and regularly review suitable environmental and physical controls.
DS 13 Manage Operations

To ensure that important IT functions are performed regularly and in an orderly fashion, the information services function should establish and document standard procedures for IT operations.
Monitoring Domain

• 4 High-level Control Objectives

• 24 Detailed Control Objectives (IT-related management control practices)

• 51+ Control Tasks and Activities
Monitoring Domain

• Regularly assess IT processes for
   – Quality
   – Compliance with control requirements
• Addresses management oversight of organization’s control provisions
• Provides for audit function

See Control Objectives, p. 126.
Monitoring Domain

• M 1 Monitor the Process
• M 2 Assess Internal Control Adequacy
• M 3 Obtain Independent Assurance
• M 4 Provide for Independent Audit
M 1 Monitor the Process

To ensure the achievement of IT process objectives, management should establish a system for defining performance indicators, gathering data about all processes, and generating performance reports. Management should review these reports to measure progress toward identified goals.
M 2 Assess Internal Control Adequacy

To ensure the achievement of internal control objectives, management should establish a system for monitoring internal controls and assessing and reporting on their effectiveness on a regular basis.
M 3 Obtain Independent Assurance

To increase confidence that IT objectives are being achieved and that controls are in place, and to benefit from advice regarding best practices for IT, independent assurance reviews should be conducted on a regular basis.
M 4 Provide for Independent Audit

To increase confidence levels that IT objectives are being achieved and that controls are in place, and to benefit from advice regarding best practices for IT governance, independent audits should be conducted on a regular basis.
Summary of the Framework

• Business Objective
   – Business Processes (to meet objectives)
      • IT Processes (to manage and control..)
         – IT Resources (to provide info to..)

• 4 Domains
• 34 Processes/High-Level Control Objectives
• 318 Activities/Detailed Control Objectives

• Cut the Framework by Info Criteria, IT Resources, IT processes
SUMMARY OF COBIT TO THIS POINT

• Defines a Framework for Reviewing IT.
• Four Domains Are Identified.
• Achievement of each IT Process to meet a business objective represents a high-level Control Objective.
• Identifies control objectives to be addressed.
• For Each of the 34 Processes, there are up to 30 Detailed IT Control Objectives or IT management control practices.
SUMMARY OF COBIT TO THIS POINT

• The IT Control Objectives came from 41 primary sources.
• There are Navigational Tools including a “Waterfall” and a “Cube” approach.
• Provides a Systematic and Logical Method for defining and communicating IT Control Objectives.
• IT Control Objectives are linked to business processes and objectives.
Domains

• P&O
• A&I
• D&S
• M

34 Processes / High-Level Control Objectives:
  PO 1.0 ... PO 11.0 | AI 1.0 ... AI 6.0 | DS 1.0 ... DS 13.0 | M 1.0 ... M 4.0

318 Tasks & Activities:
  PO 1.1 ... PO 11.18 | AI 1.1 ... AI 6.7 | DS 1.1 ... DS 13.7 | M 1.1 ... M 4.8
The CUBE -- Relationships Among Components

[Figure: the COBIT cube. Top axis: Information Criteria, grouped as Quality, Fiduciary and Security. Side axis: IT Resources (Data, Application Systems, Technology, Facilities, People). Bottom axis: IT Processes.]

See Control Objectives, p. 16.
For Management, CobiT:

• Addresses management's increasing legal responsibility for control
• Expresses required IT control practices in management terms
• Guides IT investment and operational decisions (to balance risk and control)
• Helps management better utilize internal and external auditors
For Users, COBIT:

• Provides benchmarks for best practices for IT management and IT control
• Helps obtain assurance for business processes supported by IT
• Strengthens relationship with IT services
• Helps ensure adequate level of integrity of information provided by IT systems
For Auditors, COBIT:

• Provides good benchmarks or criteria for evaluating IT control
• Focuses on control objectives and controls
• Substantiates opinions to management on internal controls
• Helps auditors and control professionals to be proactive business advisors
For us All, CobiT:

• Strengthens the understanding, design, implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives

• Strengthens management’s efforts to “ensure” and Audit’s efforts to provide “assurance”
End of Part 1
Go To Part 2
Cobit 5 (Control and Audit Information System)Rudi Kurniawan
 
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASIPENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASIDhina Pohan
 
13 information system audit of banks
13 information system audit of banks13 information system audit of banks
13 information system audit of banksspandane
 
Auditing In Computer Environment Presentation
Auditing In Computer Environment PresentationAuditing In Computer Environment Presentation
Auditing In Computer Environment PresentationEMAC Consulting Group
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)Biswajit Bhattacharjee
 
Steven andrada improved questions kotler's 22 chapters
Steven andrada improved questions kotler's 22 chaptersSteven andrada improved questions kotler's 22 chapters
Steven andrada improved questions kotler's 22 chaptersSteven Michael Andrada
 
Controlul securitatii sistemelor informatice
Controlul securitatii sistemelor informaticeControlul securitatii sistemelor informatice
Controlul securitatii sistemelor informaticeSergiu-George Boboc
 
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)San King
 
Challenges of Managing a Multicultural Team
Challenges of Managing a Multicultural TeamChallenges of Managing a Multicultural Team
Challenges of Managing a Multicultural TeamMarcelo Wassmer
 
Cobit 5 ( Kontrol dan Auditing Sistem Informasi )
Cobit 5 ( Kontrol dan Auditing Sistem Informasi )Cobit 5 ( Kontrol dan Auditing Sistem Informasi )
Cobit 5 ( Kontrol dan Auditing Sistem Informasi )Pajar Bahari
 
Comparación de CobiT 5 con CobiT 4.1
Comparación de CobiT 5 con  CobiT 4.1Comparación de CobiT 5 con  CobiT 4.1
Comparación de CobiT 5 con CobiT 4.1Slime Argentina
 
Disaster recovery: modernized best practices for Oracle's JD Edwards and beyond
Disaster recovery: modernized best practices for Oracle's JD Edwards and beyondDisaster recovery: modernized best practices for Oracle's JD Edwards and beyond
Disaster recovery: modernized best practices for Oracle's JD Edwards and beyondVelocity Technology Solutions
 
CH004
CH004CH004
CH004JUC
 
CH002
CH002CH002
CH002JUC
 
CH001
CH001CH001
CH001JUC
 
CH005
CH005CH005
CH005JUC
 

Andere mochten auch (20)

Information system and control audit – lecture i
Information system and control audit – lecture iInformation system and control audit – lecture i
Information system and control audit – lecture i
 
3c 2 Information Systems Audit
3c   2   Information Systems Audit3c   2   Information Systems Audit
3c 2 Information Systems Audit
 
Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)Information System Audit - UNIKOM Seminar (Nov 2015)
Information System Audit - UNIKOM Seminar (Nov 2015)
 
Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)
 
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASIPENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
PENGENALAN AUDIT DAN KONTROL SISTEM INFORMASI
 
13 information system audit of banks
13 information system audit of banks13 information system audit of banks
13 information system audit of banks
 
Auditing In Computer Environment Presentation
Auditing In Computer Environment PresentationAuditing In Computer Environment Presentation
Auditing In Computer Environment Presentation
 
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
SECURITY & CONTROL OF INFORMATION SYSTEM (Management Information System)
 
Steven andrada improved questions kotler's 22 chapters
Steven andrada improved questions kotler's 22 chaptersSteven andrada improved questions kotler's 22 chapters
Steven andrada improved questions kotler's 22 chapters
 
Controlul securitatii sistemelor informatice
Controlul securitatii sistemelor informaticeControlul securitatii sistemelor informatice
Controlul securitatii sistemelor informatice
 
Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)Information System & IT Audit Ml 303 past paper pack (UPdated)
Information System & IT Audit Ml 303 past paper pack (UPdated)
 
Automation risk isaca2017
Automation risk isaca2017Automation risk isaca2017
Automation risk isaca2017
 
Challenges of Managing a Multicultural Team
Challenges of Managing a Multicultural TeamChallenges of Managing a Multicultural Team
Challenges of Managing a Multicultural Team
 
Cobit 5 ( Kontrol dan Auditing Sistem Informasi )
Cobit 5 ( Kontrol dan Auditing Sistem Informasi )Cobit 5 ( Kontrol dan Auditing Sistem Informasi )
Cobit 5 ( Kontrol dan Auditing Sistem Informasi )
 
Comparación de CobiT 5 con CobiT 4.1
Comparación de CobiT 5 con  CobiT 4.1Comparación de CobiT 5 con  CobiT 4.1
Comparación de CobiT 5 con CobiT 4.1
 
Disaster recovery: modernized best practices for Oracle's JD Edwards and beyond
Disaster recovery: modernized best practices for Oracle's JD Edwards and beyondDisaster recovery: modernized best practices for Oracle's JD Edwards and beyond
Disaster recovery: modernized best practices for Oracle's JD Edwards and beyond
 
CH004
CH004CH004
CH004
 
CH002
CH002CH002
CH002
 
CH001
CH001CH001
CH001
 
CH005
CH005CH005
CH005
 

Ähnlich wie CobiT Framework Overview for IT Auditors

Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACAMDFazlaRabbiAbir
 
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...TRANANHQUAN4
 
information system and computers
information system and computersinformation system and computers
information system and computers9535814851
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementChristian F. Nissen
 
Implementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkImplementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkIJCSIS Research Publications
 
Whitepaper Practical Information Technology Governance
Whitepaper   Practical Information Technology GovernanceWhitepaper   Practical Information Technology Governance
Whitepaper Practical Information Technology GovernanceAlan McSweeney
 
ICT Governance for Enterprise Control & Value Creation - Day1
ICT Governance for Enterprise Control & Value Creation - Day1ICT Governance for Enterprise Control & Value Creation - Day1
ICT Governance for Enterprise Control & Value Creation - Day1Jenny Tsuboyama energizIN
 
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docxCHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docxbartholomeocoombs
 
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docxCHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docxketurahhazelhurst
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.pptEmmacuet
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)Sam Mandebvu
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introductionsuhaskokate
 

Ähnlich wie CobiT Framework Overview for IT Auditors (20)

Cobit 2019 framework by ISACA
Cobit 2019 framework by ISACACobit 2019 framework by ISACA
Cobit 2019 framework by ISACA
 
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
 
Cobit
CobitCobit
Cobit
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
COBIT
COBITCOBIT
COBIT
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
 
Accountability Corbit Overview 06262007
Accountability Corbit Overview 06262007Accountability Corbit Overview 06262007
Accountability Corbit Overview 06262007
 
Implementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance FrameworkImplementation of a Decision System for a Suitable IT Governance Framework
Implementation of a Decision System for a Suitable IT Governance Framework
 
Whitepaper Practical Information Technology Governance
Whitepaper   Practical Information Technology GovernanceWhitepaper   Practical Information Technology Governance
Whitepaper Practical Information Technology Governance
 
ICT Governance for Enterprise Control & Value Creation - Day1
ICT Governance for Enterprise Control & Value Creation - Day1ICT Governance for Enterprise Control & Value Creation - Day1
ICT Governance for Enterprise Control & Value Creation - Day1
 
IT_Governance iia uganda_presentation_ruyooka_2011
IT_Governance iia uganda_presentation_ruyooka_2011IT_Governance iia uganda_presentation_ruyooka_2011
IT_Governance iia uganda_presentation_ruyooka_2011
 
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docxCHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
 
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docxCHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
CHAPTER 10INFORMATION GOVERNANCEInformation Governance a.docx
 
IT & the Auditor
IT & the AuditorIT & the Auditor
IT & the Auditor
 
COBIT® Presentation Package.ppt
COBIT® Presentation Package.pptCOBIT® Presentation Package.ppt
COBIT® Presentation Package.ppt
 
Cobit 41 framework
Cobit 41 frameworkCobit 41 framework
Cobit 41 framework
 
COBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORKCOBIT 2019 - DIGITAL TRUST FRAMEWORK
COBIT 2019 - DIGITAL TRUST FRAMEWORK
 
CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)CoBIT 5 (A brief Description)
CoBIT 5 (A brief Description)
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
Cobit5 introduction
Cobit5 introductionCobit5 introduction
Cobit5 introduction
 

Kürzlich hochgeladen

Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxsaniyaimamuddin
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdfShaun Heinrichs
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
Pitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business ProposalPitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business ProposalEvelina300651
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCR8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCRashishs7044
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessSeta Wicaksana
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxShruti Mittal
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in PhilippinesDavidSamuel525586
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditNhtLNguyn9
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 

Kürzlich hochgeladen (20)

Financial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptxFinancial-Statement-Analysis-of-Coca-cola-Company.pptx
Financial-Statement-Analysis-of-Coca-cola-Company.pptx
 
1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf1911 Gold Corporate Presentation Apr 2024.pdf
1911 Gold Corporate Presentation Apr 2024.pdf
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
Pitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business ProposalPitch deck sample detail for New Business Proposal
Pitch deck sample detail for New Business Proposal
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCR8447779800, Low rate Call girls in Dwarka mor Delhi NCR
8447779800, Low rate Call girls in Dwarka mor Delhi NCR
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Organizational Structure Running A Successful Business
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptx
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
Entrepreneurship lessons in Philippines
Entrepreneurship lessons in  PhilippinesEntrepreneurship lessons in  Philippines
Entrepreneurship lessons in Philippines
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal audit
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 

CobiT Framework Overview for IT Auditors

  • 1. Part 1 1
  • 2.  Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts, USA  Adjunct faculty at Bentley College  Member of CobiT Steering Committee  Member of Governor’s Task Force on E-Commerce and Enterprise Security Board, Massachusetts  Served as member of Y2K Coordinating Council, Commonwealth of Massachusetts  1994-1995 International President of ISACA/F  Served as member of Governor’s Commission on Computer Crime and Governor’s Commission on Computer Technology and Law  e-mail: john.beveridge@sao.state.ma.us 2
  • 3.  What is CobiT?  What is the CobiT Framework?  What is the Control Objectives document?  Who should use CobiT?  How can auditors effectively use CobiT?  How does one become familiar with CobiT and learn to use it effectively? 3
  • 4. CobiT’s Background and Authoritative Nature CobiT Framework and its components High-Level & Detailed Control Objectives Audit Guidelines and Using CobiT 4
  • 5. Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. Structured and organized to provide a powerful control model 5
  • 6. CobiT CobiT is designed to be the breakthrough IT governance tool that helps in the understanding and managing of risks and benefits associated with information and related IT. 6
  • 7. C Control OB OBjectives I for Information T and Related Technology 7
  • 8.  Right information, to only the right party, at the right time.  Information that is relevant, reliable and secure.  Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment. 8
  • 9. Information Systems Audit and Control Association/Foundation  Leading Global Professional IT Control organization – Focuses on Audit, Control and Security Issues – The Association Works Closely with its more than 150 Chapters in 100 Countries  Provides Services and Programs Designed to Promote and Establish Excellence in IT Governance and Audit.  Research conducted through Foundation Projects is selected to help Members and the Profession keep pace with the ever-changing IT and business environment. 9
  • 10. IT Governance Institute Formed by ISACA and ISACF in 1998 to advance the understanding and adoption of IT governance principles 10
  • 11. A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. 11
  • 12. IT Governance Objectives  IT is aligned with the business and enables the business to maximize benefit  IT resources are safeguarded and used in a responsible and ethical manner  IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure 12
  • 13.  CobiT grew from an initiative to update EDPAA’s Control Objectives in 1992  New focus expanded to include managerial and user needs regarding IT control and governance  Global perspective added  CobiT Steering Committee appointed  IT control framework developed  The framework became COBIT  CobiT was first published in April, 1996 13
  • 14.  CobiT implementation monitored and evaluated by ISACA and the CobiT Steering Committee  CobiT enhancements developed, 1997  CobiT, 2nd edition, was published in April, 1998  CobiT enhancements and development of Management Guidelines, 1999-2000  CobiT, 3rd edition, and Management Guidelines were published in July, 2000 14
  • 15.  Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)  Framework -- Senior Operational Management (Directors of IS and Audit / Controls)  Control Objectives -- Middle Management (Mid-Level IS and IS Audit/Controls Managers)  Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)  Implementation Tool Set -- Any of the above  Management Guidelines -- Management and Audit 15
  • 16.  The need for better operational controls  Technology that makes new business processes possible may come with a loss of control  Demand for increased effectiveness and efficiency  The importance of technology  The need to hold officers and senior management accountable and strengthen governance 16
  • 17.  Dashboard: How do responsible managers keep the ship on course?  Scorecard: How do we achieve satisfactory results for our stake-holders?  Benchmarking: How do we adapt in a timely manner to trends, developments, and “best practices” for our organization’s environment? 17
  • 18.  If you use computer-generated information in decision-making or for audit evidence, you need to assess its reliability.  If you are the holder of computer-generated information, you must exercise appropriate and defendable controls to safeguard that information, or evidence. 18
  • 19. • Increasing dependence on information and the systems that deliver the information • Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare • Scale and cost of the current and future investments in information and information systems • Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs 19
  • 20. [Diagram: evolution of the IT environment, with axis labels “Unpredictable and fast” and “Unstructured and innovative”] 1980s: Glass-house, Secure buildings, Hard to implement, Data centres. 1990s: Managed networks, Network, Business integration. 21st Century: Cyberspace, Streetwise users, Virtual Value Chain, E-Commerce, Extended Enterprise. 20
  • 22.  CobiT focuses on information having integrity and being secure and available.  At the highest level, it focuses on the importance of information to the long-term success of the organization. 22
  • 23. For Information System Services functions, CobiT can be applied from single point IT operations to across the enterprise. For application systems, CobiT can be applied from a single application-based system to enterprise-based systems. 23
  • 24. CobiT is management oriented Supports corporate and IT governance Serves as excellent criteria for evaluation and a basis for audit planning 24
  • 25.  Addresses key attributes of information produced by IT.  Links recommended control practices for IT to business and control objectives.  Provides guidance in implementing and evaluating the appropriateness of IT-related control practices. 25
  • 26. As a control model, CobiT should be tailored to organizational, platform and system standards. Use CobiT as the Structure to which you link organization-specific operational and control requirements, policies, and standards 26
  • 27. Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing: – management with generally applicable and accepted standards for good practice for IT control and governance – users with a solid base upon which to manage IT and obtain assurance – auditors with excellent criteria for review/audit work 27
  • 28.  Standards used to determine whether something meets expectations.  Basis upon which one measures or compares something against.  Need to be generally accepted, recognized, understandable, and defendable.  Need to be authoritative. 28
  • 30. CobiT is an Authoritative Source  Built on a sound framework of control and IT-related control practices.  Aligned with de jure and de facto standards and regulations.  41 international standards from around the world were used to identify IT-related control objectives and control practices. 30
  • 31. CobiT Sources Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc) Technical standards (ISO, EDIFACT, etc.) Codes of Conduct Qualification criteria for IT systems and processes (ISO9000, ITSEC, TCSEC, etc.) Industry practices and requirements from industry forums (ESF, I4) Emerging industry-specific requirements from banking, e-com, IT manufacturing. 31
  • 32. Based on a Strong Foundation and Sound Principles of Internal Control 32
  • 33. What is Internal Control? How it is defined impacts its design, exercise, and evaluation. 33
  • 34. Purpose of Internal Control Designed to keep an organization on course toward achievement of its mission, minimizing surprises along the way. Assists in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth. Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1. 34
  • 35. The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur. Controls reduce or eliminate the risk of exposures, or the exposures themselves. 35
  • 36. Internal Control Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls). 36
  • 37. Goals of Internal Control “Keep things in Check” Adhering to the Rules of the Road Reduce risk Based Upon “Best Practices” Proof the Rules Have Been Followed Provide assurance that operations are according to standard Keep those blasted auditors happy 37
  • 38. Building CobiT’s Definition of Internal Control 38
  • 39. Control (as defined by COSO) Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: efficiency and effectiveness of operations reliability of financial reporting compliance with applicable laws and regulations Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated framework, Executive Summary, p. 1. 39
  • 40. Control (as defined by COBIT) The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.  Source: COBIT Control Objectives, p. 12. 40
  • 41. IT Control Objective A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity 41
  • 42. CobiT supports all fundamental Internal Control requirements 42
  • 43. Internal Control Requirements  Systemization  Documentation  Standards, defined expectations  Measurement  Appropriate risk assessment 43
  • 44. Internal Control Requirements  Well-defined operational and control objectives  Appropriate controls  Competent and trustworthy people  Monitoring & evaluation 44
  • 45. [Diagram: control cycle] Observe the actual state of the system (Observations); document the actual state of the system (Documentation); evaluate the system against its goals and plans, the desired state of the system (Evaluation); recommend changes to the system (Recommendations). Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p. 214.
  • 46. Internal Control Review [Diagram: review cycle] Gain understanding: observe the process and controls (Observations); document the process and controls (AWP & Work Papers); test and evaluate the process and controls and draw conclusions (Report); recommend changes if needed (Recommendations). Goals and plans supply the criteria, via CobiT.
  • 47. Control Principles
    - Controls should be considered as "built in" rather than "added on".
    - Controls need to support control objectives that are tied to business objectives.
    - In order to support monitoring and evaluation, controls need to be testable and auditable.
    - Controls need to be cost effective.
  • 48. Value of Internal Control
    - Often the value of internal control is only recognized by the results of not having adequate control in place.
    - Control Objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events.
  • 49. Control Models:
    - Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices.
    - Provide statements of responsibilities for control
    - Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control
    - Require that controls be monitored and evaluated.
  • 50. To Be of Value, a Control Model Should Be:
    - Based on sound principles
    - Applicable & flexible in application
    - Comprehensible
    - Subject to having "staying power"
  • 51. Impact of Technology on Control
    - Operational and control objectives change little
    - Some technology-specific control objectives change
    - There is a significant impact on the "mix" of controls used to address the control objectives.
    - Technology can facilitate achieving control objectives
  • 52. Impact of Technology on Audit
    - Has provided us with some tools to increase audit effectiveness and efficiency
    - Has allowed us to rethink post and pre-emptive or on-going audit techniques
    - Has provided opportunities to facilitate achieving control objectives
  • 53. Relation to Other Control Models: CobiT is in alignment with other control models:
    – COSO
    – COCO
    – Cadbury
    – King
  • 54. What is COSO?
    - Published in 1992 by the Committee Of Sponsoring Organizations of the Treadway Commission:
      – American Institute of CPAs
      – American Accounting Association
      – Institute of Internal Auditors
      – Institute of Management Accountants
      – Financial Executives Institute
  • 55. Components of COSO
    - Control Environment
    - Risk Assessment
    - Control Activities
    - Information and Communication
    - Monitoring
  • 56. Checkmarks on COSO Slides: The red checkmarks on the following slides indicate that the CobiT control model includes the same or extremely similar statements.
  • 57. Components of COSO
    - Control Environment:
      – tone of the organization
      – control awareness of people
      – integrity, ethical values and competence
      – management philosophy and operating style
      – assignment of authority and responsibility
      – attention and direction provided by the board of directors.
  • 58. Understanding the Control Environment
    - Understanding the information system, supporting technology, and the organization
    - Documenting the business operations and the IT environment
    - Identifying the key operational and control objectives
    - Identifying and evaluating the appropriateness of internal controls
  • 59. Components of COSO
    - Risk Assessment:
      – Established objectives
      – Identify and analyze risks to achievement of objectives
      – Manage risks
      – Identify special risks associated with change (economic, regulatory, operating)
  • 60. Components of COSO
    - Control Activities:
      – Policies and procedures that help ensure management directives are carried out
      – Actions taken to address risks
      – Carried out at all levels
      – Includes: approvals, authorizations, verifications, reconciliation, reviews of operating performance, security of assets
  • 61. Components of COSO
    - Information and Communication:
      – Pertinent information enables individuals to carry out their responsibilities
      – Information must be identified, captured and communicated
      – Internal and external information necessary for informed decision-making
  • 62. Components of COSO
    - Monitoring:
      – Assess the quality of the internal control system’s performance
      – Ongoing monitoring and separate evaluations
  • 63. Internal Control Roles and Responsibilities by COSO & CobiT
    - Internal Auditors:
      – Evaluate effectiveness of control systems
      – Play a significant monitoring role
    - Other Personnel:
      – Internal control is everyone’s responsibility
      – Most employees produce information used in internal control systems
      – Most employees take actions needed to effect control
  • 64. Control Responsibilities
    - Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
    - Users -- exercise controls.
    - Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
  • 65. CobiT
    - Assists in evaluating appropriateness of controls
    - Assists in identifying desired states of systems and processes
    - Assists in identifying what to look for when observing system operations
    - Provides a working control model for IT-related control objectives
  • 66. The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices
  • 68. CobiT Framework
    - Documents relationships among information criteria, IT resources, and IT processes
    - Links control objectives and control practices to business processes and business objectives
    - Assists in confirming that appropriate IT processes are in place
    - Facilitates discussion
  • 69. CobiT Framework: Facilitates the understanding of the:
    - relationship of controls to control objectives,
    - importance of focusing on control objectives and their relationship to the business organization and its business processes, and
    - value of managed processes and resources tied to strategic initiatives.
  • 70. COBIT’s Focus on Process and Objectives
    - Business (organization): Retail merchandising (Walmart, etc.)
    - Objectives/Requirements: ROI, market share, customer loyalty (right product, time, price)
    - Business Processes (to meet objectives): Order fulfillment (OE/S, Inventory, Purchasing)
    - Information Required (for processes): Data availability and reliability
    - IT Resources (to provide information): Data, Application Systems, People
    - IT Processes (to manage & control resources): Planning & Organization, Delivery & Support
  • 71. Framework’s Three Components
    - Business Requirements for Information
    - IT Resources
    - IT Processes
  • 72. "Business Requirements for Information"
    - To support business processes and satisfy business objectives, information needs to conform to certain criteria.
    - COBIT calls these criteria "business requirements for information."
  • 73. Sources of Information Criteria
    - Quality Requirements: Quality, Cost, Delivery (Better, Cheaper, Faster)
    - Fiduciary Requirements (COSO Report):
      – Effectiveness and Efficiency of operations
      – Reliability of Financial Reporting
      – Compliance with Laws and Regulations
    - Security Requirements: Confidentiality, Integrity, Availability
  • 74. Promotes a Healthy, Constructive Focus on Information Criteria
    - Viewing Information as being:
      – relevant and reliable
      – delivered in a timely, correct, consistent, usable and complete manner
      – accurate, complete and valid
      – provided through an optimal use of resources
      – protected against unauthorized use, manipulation or disclosure
      – available when required
      – in compliance with legal and contractual obligations
  • 75. Information Criteria -- The 1st Component
    - Effectiveness
    - Efficiency
    - Confidentiality
    - Integrity
    - Availability
    - Compliance
    - Reliability of Information
  • 76. Information Criteria -- The 1st Component
    - Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner.
    - Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources.
    See Framework, p. 14.
  • 77. Information Criteria -- The 1st Component
    - Confidentiality: concerns the protection of sensitive information from unauthorized disclosure.
    - Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations.
    See Control Objectives, p. 14.
  • 78. Information Criteria -- The 1st Component
    - Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
    - Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
    See Framework, p. 15.
  • 79. Information Criteria -- The 1st Component
    - Reliability of Information: relates to the provision of appropriate information for management to operate the entity, for management in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
    See Framework, p. 13.
  • 80. IT Resources -- The 2nd Component
    - Data
    - Application Systems
    - Technology
    - Facilities
    - People
  • 81. IT Resources -- The 2nd Component
    - Data: Objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc.
    - Application Systems: Application systems are understood to be the sum of manual and programmed procedures.
    See Control Objectives, page 14.
  • 82. IT Resources -- The 2nd Component
    - Technology: Hardware, operating systems, data base management, networking, multi-media, etc.
    - Facilities: Resources to house and support information systems.
    - People: Include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
    See Control Objectives, page 14.
  • 83. Information Processes (3rd component)
    - Domains (4): Natural grouping of processes, often matching an organizational domain of responsibility
    - Processes (34): A series of joined tasks & activities with natural (control) breaks.
    - Tasks & Activities (318): Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
    See Framework, p. 16.
  • 84. COBIT Domains: Information Processes (3rd Component)
    - Planning/Organization
    - Acquisition/Implementation
    - Delivery/Support
    - Monitoring
  • 85. How do they relate?
    - IT Resources: Data; Information Systems; Technology; Facilities; Human Resources
    - IT Processes: Planning and Organisation; Acquisition and Implementation; Delivery and Support; Monitoring
    - Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
  • 86. IT Resource Management: CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with the type and quality, and the availability and security, of information needed to achieve organizational objectives.
  • 87. Framework [Diagram] What you need: Business Processes. What you get: Information. Do they match? Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability. IT Resources: data, application systems, technology, facilities, people.
  • 88. COBIT’s Waterfall and Navigation Aids [Diagram] The four domains (Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring) are mapped against the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), each cell marked P (primary) or S (secondary), and against the IT resources (data, application systems, technology, facilities, people). The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices.
  • 89. Process/Criteria Relationships
    - Primary: the degree to which the defined control objective directly impacts the information requirement concerned.
    - Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned.
    - Blank: could be applicable; however, requirements are more appropriately satisfied by other criteria in this process and/or another process.
    - Checkmark = IT Resource is managed by this process
    See Control Objectives, page 17.
  • 90. The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process: The control of IT Processes which satisfy Business Requirements is enabled by Control Statements considering Control Practices. See Framework, p. 18.
  • 91. [Diagram: the CobiT cube, by Gustavo Solis] Resources: Data, Application Systems, Technology, Facilities, People. Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability. Domains (processes): Planning and Organisation, Acquisition and Implementation, Delivery and Support, Monitoring. Example: the planning process must consider data integrity requirements.
  • 92. Executive Summary
    - Executive Overview
    - States the case for control
    - Introduces the concepts of the COBIT Framework -- Setting the Scene
    - Provides working Definitions
    - The Framework’s Principles
    - Introduces the Domains and Processes
    - Relationships Among Principles, Domains, and Processes
  • 93. The Framework
    - Executive Overview (again)
    - The COBIT Framework -- Setting the Scene
    - The Framework’s Principles – Criteria, Resources and Processes
    - Guide to Using the Framework -- Navigation Aids
    - Summary Table
    - High Level Control Objectives (Processes)
  • 95. Control Objectives, 3rd Edition (148 pages)
    - Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity
    - Assists in establishing clear policy and good practice for IT control
  • 96. Control Objectives Contains:
    - Executive Summary and Framework
    - Summary Table (page 20)
    - Title Headers for Domains, Processes and Control Objectives (pages 23-27)
    - High-Level Control Objectives and management control practices by Domain (pages 31-134)
    - IT Governance Management Guideline and Maturity Model (pages 137-140)
    - CobiT Project Description (page 141)
    - Primary Reference Materials (pages 142-143)
    - Glossary of Terms & Index (pages 144-148)
  • 97. Planning and Organization Domain
    - 11 High-level Control Objectives
    - 100 Detailed Control Objectives (IT-related management control practices)
    - 170+ Control Tasks and Activities
  • 98. Planning and Organization
    - Develop strategy and tactical plans for IT
    - Identify ways that IT can best contribute to the achievement of business objectives
    - Plan, communicate, and manage the realization of the strategic vision
    - Establish the IT organization and set the stage for information management and the technology infrastructure
    See Control Objectives, p. 32.
  • 99. Planning and Organization Domain
    - PO 1 Define a Strategic Information Technology Plan
    - PO 2 Define the Information Architecture
    - PO 3 Determine the Technological Direction
    - PO 4 Define the IT Organization and Relationships
    - PO 5 Manage the Investment in Information Technology
    - PO 6 Communicate Management Aims and Directions
  • 100. Planning and Organization Domain
    - PO 7 Manage Human Resources
    - PO 8 Ensure Compliance with External Requirements
    - PO 9 Assess Risks
    - PO 10 Manage Projects
    - PO 11 Manage Quality
  • 101. PO 1 Define a Strategic Information Technology Plan: To take advantage of information technology opportunities and address IT business requirements, a process for developing a strategic plan for the organization’s IT resources should be adopted and the IT strategic plan should be converted to short term tactical plans.
  • 102. Linking the Processes to Control Objectives: Control over the IT process of DEFINING A STRATEGIC IT PLAN (PO-1) that satisfies the business requirement to strike an optimum balance of IT opportunities and IT business requirements as well as ensuring its further accomplishment is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans. The long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals and take into consideration:
    * definition of the business objectives and needs for IT
    * inventory of technological solutions and current infrastructure
    * "technology watch" services
    * organisation changes
    * timely feasibility studies
    * existing systems assessments
  • 103. PO 1 Define a Strategic Information Technology Plan
    - Reference: page 32 of Control Objectives
    - 8 detailed control objectives:
      – IT as part of long-range goals
      – IT long-range plan
      – Contents of IT plan
      – Modification of IT long-range plan
      – IT tactical plan development
      – Communication & evaluation of IT plans
      – Assessing existing systems
  • 104. PO 2 Define the Information Architecture: To ensure that the organization’s information is consistent with needs and enables people to carry out their responsibilities effectively and on a timely basis, an information architecture model, encompassing the corporate data model and the associated information systems, should be created and regularly updated.
  • 105. PO 2 Define the Information Architecture
    - Information architecture model
    - Corporate data dictionary and data syntax rules
    - Data classification scheme:
      – security categories
      – ownership
      – access rules
    - Maintain security levels for each data classification
  • 106. PO 3 Determine the Technological Direction: To ensure sufficient technology to perform the IS function and to take advantage of emerging technology, the information services function should create and regularly update a technology infrastructure that encompasses the systems architecture, technological direction and migration strategies.
  • 107. PO 3 Determine the Technological Direction
    - Technological infrastructure planning
    - Monitor future trends and regulations
    - Assess infrastructure for contingency aspects
    - Hardware & software acquisition plans
    - Define technology standards
  • 108. PO 4 Define the IT Organization and Relationships: To ensure that IT services are delivered in an efficient and effective manner, there must be: adequate internal and external IT staff, administrative policies and procedures for all functions (with specific attention to organizational placement, roles and responsibilities, and segregation of duties), and an IS steering committee to determine prioritization of resource use.
  • 109. PO 5 Manage the Investment in Information Technology: To ensure adequate funding for IT, controlled disbursement of financial resources, and effective and efficient utilization of IT resources, IT resources must be managed: through use of information services capital and operating budgets, by justifying IT expenditures, and by monitoring costs (in light of risks).
  • 110. PO 6 Communicate Management Aims and Direction: To ensure the overall effectiveness of the IS function, IS management must establish direction and related policies addressing such aspects as: positive control environment throughout the organization, code of conduct/ethics, quality, and security. The policies must then be communicated (internally and externally) to obtain commitment and compliance.
  • 111. PO 7 Manage Human Resources: IT personnel resources must be managed so as to maximize their contributions to the IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, back up, performance evaluation, job change, and termination.
  • 112. PO 8 Ensure Compliance with External Requirements: To avoid fines, sanctions, and loss of business, the organization must maintain procedures to ensure awareness of and compliance with industry, regulatory, legal, and contractual obligations. IT related requirements include: safety, privacy, transborder data flows, electronic commerce, and insurance contracts.
  • 113. PO 9 Assess Risks: To ensure the achievement of IT objectives, in support of business objectives, and to respond to threats to the provision of IT services, management should establish a risk assessment framework including: risk identification, measurement, risk action plan, and the formal acceptance and communication of the residual risk.
  • 114. PO 9 Assess Risks
    - Cornerstone high-level control objective for developing and maintaining an appropriate system of internal control
    - Includes business risk assessment, risk assessment approach, identification of risk, risk measurement, & action plan
    - Understanding and acceptance of residual risk
  • 115. PO 10 Manage Projects: To ensure that projects are completed on time, within budget, and are undertaken in order of importance, management must establish a project management framework to ensure that project selection is in line with plans and that a project management methodology is applied to each project undertaken.
  • 116. PO 11 Manage Quality: To ensure that customer requirements are met, senior management should establish a quality assurance (QA) plan and implement related activities, including reviews, audits, and inspections, to ensure the attainment of IT customer requirements. A systems development life cycle methodology is an essential component of the QA plan.
  • 117. Acquisition and Implementation Domain
    - 6 High-level Control Objectives
    - 68 Detailed Control Objectives (IT-related management control practices)
    - 100+ Control Tasks and Activities
  • 118. Acquisition and Implementation
    - IT solutions
      – Identified
      – Developed or acquired
      – Implemented
      – Integrated into the business processes
    - Change and maintain existing systems
    See Framework, p. 17.
  • 119. Acquisition and Implementation Domain
    - AI 1 Identify Automated Solutions
    - AI 2 Acquire and Maintain Application Software
    - AI 3 Acquire & Maintain Technology Infrastructure
    - AI 4 Develop and Maintain IT Procedures
    - AI 5 Install and Accredit Systems
    - AI 6 Manage Changes
  • 120. AI 1 Identify Automated Solutions: SDLC having procedures to:
    - define information requirements,
    - formulate alternative courses of action,
    - perform technological feasibility studies,
    - perform economic feasibility studies, and
    - assess risks.
  • 121. AI 2 Acquire and Maintain Application Software: SDLC having procedures to:
    - create design specifications for new, or significantly modified, application systems
    - verify those specifications against the user requirements
    - ensure specifications are developed with system users and approved by management and user departments
  • 122. AI 3 Acquire and Maintain Technology Infrastructure: To ensure that platforms (hardware and systems software) support business applications, the organization’s SDLC should provide for an assessment of the impact of new hardware and software on the performance of the overall system. In addition, procedures should be in place to ensure that hardware and systems software is installed, maintained, and changed to continue to support business applications.
  • 123. AI 4 Develop and Maintain IT Procedures: To ensure the ongoing, effective use of IT, the organization’s SDLC should provide for the preparation and maintenance of service level requirements, training materials, and operating (user and operations) manuals.
  • 124. AI 5 Install and Accredit Systems
    - SDLC should provide for a planned, tested, controlled, and approved conversion to the new system.
    - After installation, the SDLC should call for a review to determine that the new system has met users’ needs in a cost-effective manner.
  • 125. AI 6 Manage Changes: To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure must be managed via: change request, impact assessment, documentation, authorization, and release and distribution policies and procedures.
  • 126. Delivery and Support Domain
    - 13 High-level Control Objectives
    - 126 Detailed Control Objectives (IT-related management control practices)
    - 190+ Control Tasks and Activities
  • 127. Delivery and Support
    - Deliver required services
    - Ensure security and continuity of services
    - Set up support processes, including training
    - Process data (including "application" controls)
    See Control Objectives, p. 90.
  • 128. Delivery and Support Domain
    - DS 1 Define Service Levels
    - DS 2 Manage Third-Party Services
    - DS 3 Manage Performance and Capacity
    - DS 4 Ensure Continuous Service
    - DS 5 Ensure Systems Security
    - DS 6 Identify and Allocate Costs
    - DS 7 Educate and Train Users
  • 129. Delivery and Support Domain
    - DS 8 Assist and Advise IT Customers
    - DS 9 Manage the Configuration
    - DS 10 Manage Problems and Incidents
    - DS 11 Manage Data
    - DS 12 Manage Facilities
    - DS 13 Manage Operations
  • 130. DS 1 Define Service Levels: To ensure that IT services continue to satisfy organizational requirements, senior management should establish a framework for reaching explicit agreements on the minimal acceptable levels of quantity and quality of IT services delivered by internal and external IT resources and then measure IT performance against these agreements.
  • 131. DS 2 Manage Third-Party Services: To ensure that IT services delivered by third parties continue to satisfy organizational requirements, management should establish a process to identify, manage and monitor non-entity IT resources. Formal third-party contracts should address many of the same items contained in service level agreements (see DS 1).
  • 132. DS 3 Manage Performance and Capacity: To ensure that sufficient capacity of IT resources remains available for optimal use to satisfy organizational requirements, management should establish a process to monitor the capacity and performance of all IT resources. Capacity of all IT resources must be determined, managed, and resource modifications (increases or decreases) planned for.
  • 133. DS 4 Ensure Continuous Service: To ensure that sufficient IT resources continue to be available for use in the event of a service disruption, management should establish a process, coordinated with the overall business continuity strategy, that includes disaster recovery/contingency planning for all IT resources and related business resources, both internal and external.
  • 134. DS 4 Ensure Continuous Service (continued): Example of including additional guidelines: the "Control Practices Guideline for Information Systems Continuity Planning", ISACA publication, July 1995, calls for:
    - Evaluation of continuity requirements
      – criticality assessment
      – risk assessment
      – impact assessment
  • 135. DS 4 Ensure Continuous Service (continued): The Control Practices Guideline for Information Systems Continuity Planning calls for:
    - Continuity Plan
    - Risk Management
    - Maintaining a Viable Continuity Plan
      – Testing Continuity Plan
      – Maintenance of Plan
      – Communication and Training
  • 136. DS 5 Ensure Systems Security: To ensure that organizational information is not subjected to unauthorized use, disclosure, modification, damage, or loss, management should implement logical access controls to restrict access to systems, data, and programs to only authorized users. This objective addresses logical, as opposed to physical, security issues.
  • 137. DS 6 Identify and Allocate Costs: To ensure that IT resources are delivered in a cost-effective manner and that they are used wisely, information services management should identify the costs of providing IT services and should allocate those costs to the users of those services.
  • 138. DS 7 Educate and Train Users: To ensure that users make effective use of IT, management should identify the training needs of all personnel, internal and external, who make use of the organization’s IT resources and services and should see that timely training sessions are conducted.
  • 139. DS 8 Assist and Advise IT Customers: To effectively utilize IT resources, users often require advice in how to properly utilize IT resources and may require assistance to overcome problems encountered in using those resources. This assistance is generally delivered via a "help desk" function.
  • 140. DS 9 Manage the Configuration: To ensure that IT assets are not lost or altered, or used without authorization, management should establish a process to account for all IT components, including applications, technology, and facilities, and to prevent unauthorized alterations of assets or use of unauthorized assets.
  • 141. DS 10 Manage Problems and Incidents: To ensure that barriers to efficient and effective use of the IT resource are prevented or eliminated and that the IT resource remains available, information services management should implement a system to identify, track, and resolve in a timely manner problems and incidents that occur.
  • 142. DS 11 Manage Data: To ensure that data remains complete, accurate and valid, management should establish a combination of application and general controls.
  • 143. DS 12 Manage Facilities: To protect the IT facilities against man-made and natural hazards, the organization must install and regularly review suitable environmental and physical controls.
  • 144. DS 13 Manage Operations: To ensure that important IT functions are performed regularly and in an orderly fashion, the information services function should establish and document standard procedures for IT operations.
• 145. Monitoring Domain
  • 4 High-Level Control Objectives
  • 24 Detailed Control Objectives (IT-related management control practices)
  • 51+ Control Tasks and Activities
• 146. Monitoring Domain
  • Regularly assess IT processes for quality and for compliance with control requirements
  • Addresses management oversight of the organization's control provisions
  • Provides for the audit function
  See Control Objectives, p. 126.
• 147. Monitoring Domain
  • M 1 Monitor the Process
  • M 2 Assess Internal Control Adequacy
  • M 3 Obtain Independent Assurance
  • M 4 Provide for Independent Audit
• 148. M 1 Monitor the Process: To ensure the achievement of IT process objectives, management should establish a system for defining performance indicators, gathering data about all processes, and generating performance reports. Management should review these reports to measure progress toward identified goals.
• 149. M 2 Assess Internal Control Adequacy: To ensure the achievement of internal control objectives, management should establish a system for monitoring internal controls and for assessing and reporting on their effectiveness on a regular basis.
• 150. M 3 Obtain Independent Assurance: To increase confidence that IT objectives are being achieved and that controls are in place, and to benefit from advice regarding best practices for IT, independent assurance reviews should be conducted on a regular basis.
• 151. M 4 Provide for Independent Audit: To increase confidence that IT objectives are being achieved and that controls are in place, and to benefit from advice regarding best practices for IT governance, independent audits should be conducted on a regular basis.
• 152. Summary of the Framework
  • Business Objective
    – Business Processes (to meet objectives)
      • IT Processes (to manage and control ...)
    – IT Resources (to provide information to ...)
  • 4 Domains
  • 34 Processes / High-Level Control Objectives
  • 318 Activities / Detailed Control Objectives
  • The framework can be sliced by Information Criteria, IT Resources, or IT Processes
• 153. SUMMARY OF COBIT TO THIS POINT
  • Defines a framework for reviewing IT.
  • Four domains are identified.
  • Achievement of each IT process in support of a business objective represents a high-level control objective.
  • Identifies the control objectives to be addressed.
  • For each of the 34 processes, there are up to 30 detailed IT control objectives, or IT management control practices.
• 154. SUMMARY OF COBIT TO THIS POINT
  • The IT control objectives came from 41 primary sources.
  • There are navigational tools, including a "Waterfall" and a "Cube" approach.
  • Provides a systematic and logical method for defining and communicating IT control objectives.
  • IT control objectives are linked to business processes and objectives.
• 155. Framework structure by domain
  Domains (4): P&O (Planning & Organisation), A&I (Acquisition & Implementation), D&S (Delivery & Support), M (Monitoring)
  34 Processes / High-Level Control Objectives: PO 1.0 ... PO 11.0; AI 1.0 ... AI 6.0; DS 1.0 ... DS 13.0; M 1.0 ... M 4.0
  318 Tasks & Activities / Detailed Control Objectives: PO 1.1 ... PO 11.18; AI 1.1 ... AI 6.7; DS 1.1 ... DS 13.7; M 1.1 ... M 4.8
• 156. The CUBE: relationships among components
  Information Criteria: Quality, Fiduciary, Security
  IT Resources: Data, Application Systems, Technology, Facilities, People
  IT Processes
  See Control Objectives, p. 16.
• 157. For Management, CobiT:
  • Addresses management's increasing legal responsibility for control
  • Expresses required IT control practices in management terms
  • Guides IT investment and operational decisions (to balance risk and control)
  • Helps management better utilize internal and external auditors
• 158. For Users, CobiT:
  • Provides benchmarks for best practices for IT management and IT control
  • Helps obtain assurance for business processes supported by IT
  • Strengthens the relationship with IT services
  • Helps ensure an adequate level of integrity of information provided by IT systems
• 159. For Auditors, CobiT:
  • Provides good benchmarks or criteria for evaluating IT control
  • Focuses on control objectives and controls
  • Substantiates opinions to management on internal controls
  • Helps auditors and control professionals to be proactive business advisors
• 160. For us All, CobiT:
  • Strengthens the understanding, design, implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives
  • Strengthens management's efforts to "ensure" and Audit's efforts to provide "assurance"
• 161. End of Part 1. Go to Part 2.

Editor's notes (speaker notes)

1. (This slide is for the benefit of those non-ISACA members who might not be familiar with the Association, the Foundation and what they do. It should be shown as an overview even if all in attendance are ISACA members.) The Information Systems Audit and Control Association (ISACA) is a leading information technology organization representing nearly 100 countries and comprising all levels of IT professionals, from senior executives to staff. ISACA has expanded its depth and coverage to assume the role of the harmonizing source for IT control practices and standards around the world. Among its many products and services are: Certification (the Certified Information Systems Auditor (CISA) program); Continuing Education (global conferences and seminars); Technical Publications (the award-winning IS Audit & Control Journal and bookstore products); and Research (the Foundation sponsors and conducts research to further the knowledge base available to the IT and business communities). The Foundation sponsored COBIT! How many are members of ISACA?
  2. Let’s review control responsibilities.
3. Note to instructor: Ask the participants to provide examples of how these three points relate: IT Resources support IT Processes within the organisation, which in turn comply with Business requirements.
4. Visual representation, building on the previous slides, of the need for usable information. Note to instructor: Use this diagram to ask attendees to think of their own organisation and about the numerous times systems are developed or changed and the user is not satisfied. Then ask them to think about where the breakdown may occur, and note whether there is a pattern.
  5. The conceptual framework can be approached from three vantage points: IT resources, business criteria for information and IT processes. These different views allow the framework to be accessed efficiently. For example, enterprise managers may want to look with a quality, security or fiduciary interest (translated by the framework into seven specific information criteria). An IT manager might like to consider IT resources for which he or she is accountable. Process owners, IT specialists, and users may have a specific interest in particular processes. Auditors may wish to approach the framework from a control coverage point of view.
6–7. See Control Objectives: pp. 10-25, p. 26, pp. 56-73, and then the MWRA (A) case study. Left page: copy of the high-level control objectives from the framework. Right page: detailed control objectives relating to the process being developed.
8–9. Acquisition and Implementation has 6 processes. Here the subject is the development of specific systems. User management could (should?) take the lead in the acquisition and implementation of applications to ensure that the system meets business objectives. However, the user must be guided by the IT specialists to see that: the product fits into the existing IT architecture (if it doesn't, additional costs will be absorbed for modifications, maintenance, and support); controls are built in rather than added on after the fact; control procedures include, as appropriate, backup processes and disaster recovery/business resumption planning; and the contract specifies such items as testing, non-disclosure of confidential information, penalties for non-performance, and procedures for vendor access that do not violate existing security procedures, such as firewalls.