2. Deputy State Auditor, MIS & IT Audit, Commonwealth
of Massachusetts, USA
Adjunct faculty at Bentley College
Member of CobiT Steering Committee
Member of Governor’s Task Force on E-Commerce and
Enterprise Security Board, Massachusetts
Served as member of Y2K Coordinating Council,
Commonwealth of Massachusetts
1994-1995 International President of ISACA/F
Served as member of Governor’s Commission on
Computer Crime and Governor’s Commission on
Computer Technology and Law
e-mail: john.beveridge@sao.state.ma.us
3. What is CobiT?
What is the CobiT Framework?
What is the Control Objectives document?
Who should use CobiT?
How can auditors effectively use CobiT?
How does one become familiar with CobiT and
learn to use it effectively?
4. CobiT’s Background and Authoritative
Nature
CobiT Framework and its components
High-Level & Detailed Control Objectives
Audit Guidelines and Using CobiT
5. Authoritative, up-to-date, international set of
generally accepted IT control objectives and
control practices for day-to-day use by business
managers and auditors.
Structured and organized to provide a powerful
control model
6. CobiT
CobiT is designed to be the break-
through IT governance tool that helps
in the understanding and managing of
risks and benefits associated with
information and related IT.
7. C -- Control
OB -- OBjectives
I -- for Information
T -- and Related Technology
8. Right information, to only the right party,
at the right time.
Information that is relevant, reliable and
secure.
Information provided by systems that have
integrity by means of a well-managed and
properly controlled IT environment.
9. Information Systems Audit and
Control Association/Foundation
Leading Global Professional IT Control organization
– Focuses on Audit, Control and Security Issues
– The Association Works Closely with its more than
150 Chapters in 100 Countries
Provides Services and Programs Designed to Promote
and Establish Excellence on IT Governance and Audit.
Research projects conducted through the Foundation are
selected to help members and the profession keep
pace with the ever-changing IT and business environment.
10. IT Governance Institute
Formed by ISACA and
ISACF in 1998 to advance the
understanding and adoption
of IT governance principles
11. A structure of relationships and
processes to direct and control the
enterprise in order to achieve the
enterprise’s goals by adding value
while balancing risk versus return
over IT and its processes.
12. IT Governance Objectives
IT is aligned with the business and
enables the business to maximize benefit
IT resources are safeguarded and used
in a responsible and ethical manner
IT-related risks are addressed through
appropriate controls and managed to
minimize risk and exposure
13. CobiT grew from an initiative to update
EDPAA’s Control Objectives in 1992
New focus expanded to include
managerial and user needs regarding IT
control and governance
Global perspective added
CobiT Steering Committee appointed
IT control framework developed
The framework became COBIT
CobiT was first published in April, 1996
14. CobiT implementation monitored and evaluated by
ISACA and the CobiT Steering Committee
CobiT enhancements developed, 1997
CobiT, 2nd edition, was published in April, 1998
CobiT enhancements and development of
Management Guidelines, 1999-2000
CobiT, 3rd edition, and the Management Guidelines
were published in July, 2000
15. Executive Summary -- Senior Executives
(CEO, COO, CFO, CIO)
Framework -- Senior Operational Management
(Directors of IS and Audit / Controls)
Control Objectives -- Middle Management (Mid-
Level IS and IS Audit/ Controls Managers)
Audit Guidelines -- The Line Manager and Controls
Practitioner (Applications or Operations Manager
and Auditor)
Implementation Tool Set -- Any of the above
Management Guidelines -- Management and Audit
16. The need for better operational controls
Technology that makes new business processes
possible may come with a loss of control
Demand for increased effectiveness and
efficiency
The importance of technology
The need to hold officers and senior
management accountable and strengthen
governance
17. Dashboard: How do responsible managers
keep the ship on course?
Scorecard: How do we achieve satisfactory
results for our stake-holders?
Benchmarking: How do we adapt in a
timely manner to trends, developments, and
“best practices” for our organization’s
environment?
18. If you use computer-generated information
in decision-making or for audit evidence,
you need to assess its reliability.
If you are the holder of computer-
generated information, you must exercise
appropriate and defendable controls to
safeguard that information, or evidence.
19. • Increasing dependence on information and the
systems that deliver the information
• Increasing vulnerabilities and a wide spectrum of
threats, such as cyber threats and information
warfare
• Scale and cost of the current and future
investments in information and information
systems
• Potential for technologies to dramatically change
organisations and business practices, create new
opportunities and reduce costs
20. Unpredictable and fast; unstructured and innovative
1980s: Glass-house; secure buildings; data centres; hard to implement
1990s: Managed networks; network business integration
21st Century: Cyberspace; streetwise users; virtual value chain; e-commerce; extended enterprise
22. CobiT focuses on information having
integrity and being secure and available.
At the highest level, it focuses on the
importance of information to the long-term
success of the organization.
23. For Information System Services functions,
CobiT can be applied from single point IT
operations to across the enterprise.
For application systems, CobiT can be
applied from a single application-based
system to enterprise-based systems.
24. CobiT is management oriented
Supports corporate and IT governance
Serves as excellent criteria for evaluation
and a basis for audit planning
25. Addresses key attributes of information
produced by IT.
Links recommended control practices for IT to
business and control objectives.
Provides guidance in implementing and
evaluating the appropriateness of IT-related
control practices.
26. As a control model, CobiT should be
tailored to organizational, platform
and system standards.
Use CobiT as the Structure to which
you link organization-specific operational
and control requirements, policies, and
standards
27. Helps business process owners to ensure the integrity
of information systems and auditors to provide
statements of assurance by providing:
– management with generally applicable and accepted
standards for good practice for IT control and
governance
– users with a solid base upon which to manage IT and
obtain assurance
– auditors with excellent criteria for review/audit work
28. Standards used to determine whether something
meets expectations.
Basis against which one measures or compares
something.
Need to be generally accepted, recognized,
understandable, and defendable.
Need to be authoritative.
30. CobiT is an Authoritative Source
Built on a sound framework of control and
IT-related control practices.
Aligned with de jure and de facto standards
and regulations.
41 international standards from around the
world were used to identify IT-related
control objectives and control practices.
31. CobiT Sources
Professional standards for internal control and
auditing (COSO, IFAC, AICPA, IIA, etc)
Technical standards (ISO, EDIFACT, etc.)
Codes of Conduct
Qualification criteria for IT systems and
processes (ISO9000, ITSEC, TCSEC, etc.)
Industry practices and requirements from
industry forums (ESF, I4)
Emerging industry-specific requirements from
banking, e-com, IT manufacturing.
32. Based on a Strong
Foundation and Sound
Principles of Internal
Control
33. What is Internal Control?
How it is defined
impacts its design,
exercise, and
evaluation.
34. Purpose of Internal Control
Designed to keep an organization on course
toward achievement of its mission, minimizing
surprises along the way.
Assist in dealing with rapidly changing
economic and competitive environments,
shifting customer demands and priorities, and
restructuring for future growth.
Source: Committee of Sponsoring Organizations (COSO) of the Treadway
Commission, Internal Control - Integrated framework, Executive Summary, p. 1.
35. The design, implementation, and proper
exercise of a system of internal controls
should provide "reasonable assurance" that
management's goals are attained, control
objectives are addressed, legal obligations
are met, and undesired events do not occur.
Controls reduce or eliminate the risk of
exposures, or the exposures themselves.
36. Internal Control
Controls are framed by
what is to be attained
(control objectives) and
the means to attain those
goals (the controls).
37. Goals of Internal Control
“Keep things in Check”
Adhering to the Rules of the Road
Reduce risk
Based Upon “Best Practices”
Proof the Rules Have Been Followed
Provide assurance that operations are
according to standard
Keep those blasted auditors happy
38. Building
CobiT’s
Definition of
Internal Control
39. Control (as defined by COSO)
Internal control is broadly defined as a process,
effected by an entity’s board of directors,
management and other personnel, designed to
provide reasonable assurance regarding the
achievement of objectives in the following
categories:
efficiency and effectiveness of operations
reliability of financial reporting
compliance with applicable laws and
regulations
Source: Committee of Sponsoring Organizations (COSO) of the
Treadway Commission, Internal Control - Integrated framework,
Executive Summary, p. 1.
40. Control (as defined by COBIT)
The policies, procedures, practices and
organizational structures designed to
provide reasonable assurance that
business objectives will be achieved and
that undesired events will be prevented
or detected and corrected.
Source: COBIT Control Objectives, p. 12.
41. IT Control Objective
A statement of desired result or
purpose to be achieved by
implementing control procedures
in a particular IT activity
43. Internal Control Requirements
Systemization
Documentation
Standards, defined expectations
Measurement
Appropriate risk assessment
44. Internal Control Requirements
Well-defined operational and control
objectives
Appropriate controls
Competent and trustworthy people
Monitoring & evaluation
45. Observe actual state of system -> Observations
Document actual state of system -> Documentation
Evaluate system against goals and plans (desired state of system) -> Evaluation
Recommend changes to system -> Recommendations
Source: Gelinas and Oram, Accounting Information Systems, 3rd ed.,
South-Western Publishing, 1996, p. 214.
46. Internal Control Review
Gain understanding: observe the process & controls -> Observations
Document the process & controls -> AWP & Work Papers
Test & evaluate process & controls and draw conclusions (CRITERIA via CobiT; goals and plans) -> Recommendations
Recommend changes if needed -> Report
47. Control Principles
Controls should be considered as “built in”
rather than “added on”.
Controls need to support control objectives
that are tied to business objectives.
In order to support monitoring and evaluation,
controls need to be testable and auditable.
Controls need to be cost effective.
48. Value of Internal Control
Often the value of internal control is only
recognized by the results of not having
adequate control in place.
Control Objectives and related controls are
valued by the degree to which they assist an
organization to achieve objectives and avoid
undesired events.
49. Control Models:
Structured or organized to present a control
framework relative to control objectives and
respective internal controls or control practices.
Provide statements of responsibilities for control
Provide guidance regarding mechanisms to assess
the need for control, and to design, develop,
implement and exercise control
Require that controls be monitored and evaluated.
50. To Be of Value,
a Control Model Should Be:
Based on sound principles
Applicable & Flexible in application
Comprehensible
Subject to having “staying power”
51. Impact of Technology on Control
Operational and control objectives
change little
Some technology-specific control
objectives change
There is a significant impact on the
“mix” of controls used to address the
control objectives.
Technology can facilitate achieving control
objectives
52. Impact of Technology on Audit
Has provided us with some tools to
increase audit effectiveness and
efficiency
Has allowed us to rethink post and pre-
emptive or on-going audit techniques
Has provided opportunities to facilitate
achieving control objectives
53. Relation to Other Control Models
CobiT is in alignment with other
control models:
– COSO
– COCO
– Cadbury
– King
54. What is COSO?
Published in 1992 by the Committee Of
Sponsoring Organizations of the Treadway
Commission
– American Institute of CPAs
– American Accounting Association
– Institute of Internal Auditors
– Institute of Management Accountants
– Financial Executives Institute
55. Components of COSO
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
56. Checkmarks on COSO Slides
The red checkmarks on the
following slides indicate that the
CobiT control model includes the
same or extremely similar
statements
57. Components of COSO
Control Environment:
tone of the organization
control awareness of people
integrity, ethical values and competence
– management philosophy and operating style
assignment of authority and responsibility
– attention and direction provided by the board
of directors.
58. Understanding the Control Environment
Understanding the information system,
supporting technology, and the organization
Documenting the business operations and the
IT environment
Identifying the key operational and control
objectives
Identifying and evaluating the appropriateness
of internal controls
59. Components of COSO
Risk Assessment:
Establish objectives
Identify and analyze risks to
achievement of objectives
Manage risks
Identify special risks associated with
change (economic, regulatory,
operating)
60. Components of COSO
Control Activities:
Policies and procedures that help ensure
management directives are carried out
Actions taken to address risks
Carried out at all levels
Includes: approvals, authorizations,
verifications, reconciliation, reviews of
operating performance, security of assets
61. Components of COSO
Information and Communication:
Pertinent information enables individuals to
carry out their responsibilities
Information must be identified, captured and
communicated
– Internal and external information necessary for
informed decision-making
62. Components of COSO
Monitoring:
Assess the quality of the internal control
system’s performance
Ongoing monitoring and separate
evaluations
63. Internal Control Roles and
Responsibilities by COSO & CobiT
Internal Auditors:
Evaluate effectiveness of control systems
Play a significant monitoring role
Other Personnel:
Internal control is everyone’s responsibility
Most employees produce information used in internal
control systems
Most employees take actions needed to effect control
64. Control Responsibilities
Management -- primary responsibility for
ensuring that controls are in place and in effect to
provide reasonable assurance that operational and
control objectives will be met.
Users -- exercise controls.
Audit -- evaluates, advises and provides statements
of assurance regarding the adequacy of controls.
65. CobiT
Assists in evaluating appropriateness of controls
Assists in identifying desired states of systems
and processes
Assists in identifying what to look for when
observing system operations
Provides a working control model for IT-related
control objectives
66. The CobiT Control Model Provides
a Framework for Understanding
Control Objectives and
Control Practices
68. CobiT Framework
Documents relationships among information
criteria, IT resources, and IT processes
Links control objectives and control practices
to business processes and business objectives
Assists in confirming that appropriate IT
processes are in place
Facilitates discussion
69. CobiT Framework
Facilitates the understanding of the:
relationship of controls to control objectives,
importance of focusing on control objectives
and their relationship to the business
organization and its business processes, and
value of managed processes and resources
tied to strategic initiatives.
70. COBIT’s Focus on Process and Objectives
Business (organization): Retail merchandising (Walmart, etc.)
Objectives/Requirements: ROI, market share, customer loyalty (right product, time, price)
Business Processes (to meet objectives): Order fulfillment (OE/S, Inventory, Purchasing)
Information Required (for processes): Data availability and reliability
IT Resources (to provide information): Data, Application Systems, People
IT Processes (to manage & control resources): Planning & Organization, Delivery & Support
72. “Business Requirements for
Information”
To support business processes and satisfy
business objectives, information needs to
conform to certain criteria.
COBIT calls these criteria “business
requirements for information.”
73. Sources of Information Criteria
Quality Requirements: Quality, Cost,
Delivery, Better, Cheaper, Faster
Fiduciary Requirements (COSO Report)
– Effectiveness and Efficiency of operations
– Reliability of Financial Reporting
– Compliance with Laws and Regulations
Security Requirements: Confidentiality,
Integrity, Availability
74. Promotes a Healthy, Constructive
Focus on Information Criteria
Viewing Information as being:
– relevant and reliable
– delivered in a timely, correct, consistent, usable and
complete manner
– accurate, complete and valid
– provided through an optimal use of resources
– protected against unauthorized use, manipulation or
disclosure
– available when required
– in compliance with legal and contractual obligations
75. Information Criteria -- The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of Information
76. Information Criteria -- The 1st
Component
Effectiveness: deals with information being
relevant and pertinent to the business process
as well as being delivered in a timely,
correct, consistent, usable and complete
manner.
Efficiency: concerns the provision of
information through the optimal (most
productive and economical) use of resources.
See Framework, p. 14.
77. Information Criteria -- The 1st
Component
Confidentiality: concerns the protection of
sensitive information from unauthorized
disclosure.
Integrity: relates to the accuracy and
completeness of information as well as its
validity in accordance with business values
and expectations.
See Control Objectives, p. 14.
78. Information Criteria -- The 1st
Component
Availability: relates to information being
available when required by the business process
now and in the future. It also concerns the
safeguarding of necessary resources and
associated capabilities.
Compliance: deals with complying with those
laws, regulations and contractual arrangements
to which the business process is subject; i.e.,
externally imposed business criteria.
See Framework, p. 15.
79. Information Criteria -- The 1st
Component
Reliability of Information: relates to the
provision of appropriate information for
management to operate the entity, for
management in providing financial reporting
to users of the financial information, and in
providing information to report to regulatory
bodies with regard to compliance with laws
and regulations.
See Framework, p. 13.
80. IT Resources -- The 2nd Component
Data
Application Systems
Technology
Facilities
People
81. IT Resources -- The 2nd
Component
Data: Objects in their widest sense (i.e.,
external and internal), structured and not
structured, graphics, sound, etc.
Application Systems: Application systems
are understood to be the sum of manual and
programmed procedures.
See Control Objectives, page 14.
82. IT Resources -- The 2nd Component
Technology: Hardware, operating systems,
data base management, networking, multi-
media, etc.
Facilities: Resources to house and support
information systems.
People: Include staff skills, awareness and
productivity to plan, organize, acquire,
deliver, support and monitor information
systems and services.
See Control Objectives, page 14.
83. Information Processes (3rd component)
Domains (4): Natural grouping of processes, often matching an organizational domain of responsibility
Processes (34): A series of joined tasks & activities with natural (control) breaks
Tasks & Activities (318): Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete
See Framework, p. 16.
84. COBIT Domains: Information Processes (3rd Component)
Planning / Organization
Acquisition / Implementation
Delivery / Support
Monitoring
85. How do they relate?
IT Resources: Data, Information Systems, Technology, Facilities, Human Resources
IT Processes: Planning and organisation, Acquisition and implementation, Delivery and Support, Monitoring
Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability
86. IT Resource Management
CobiT underscores and demonstrates a
clear understanding that IT resources need
to be managed by naturally grouped
processes in order to provide
organizations with the type, quality,
availability and security of information
needed to achieve organizational
objectives.
87. Framework
BUSINESS PROCESSES -- what you need: Information Criteria
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability
INFORMATION -- what you get, provided by IT RESOURCES:
• data
• application systems
• technology
• facilities
• people
Do they match?
88. COBIT’s Waterfall and Navigation Aids
Domains (rows): Planning & Organisation; Acquisition & Implementation; Delivery & Support; Monitoring
Information criteria (columns, marked P = primary, S = secondary): effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT resources (columns): people, applications, technology, facilities, data
The control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices
89. Process/Criteria Relationships
Primary: the degree to which the defined control
objective directly impacts the information requirement
concerned.
Secondary: the degree to which the defined control
objective only satisfies to a lesser extent or indirectly the
business requirement concerned.
Blank: could be applicable; however, requirements are
more appropriately satisfied by other criteria in this
process and/or another process.
(checkmark) = IT Resource is managed by this process
See Control Objectives, page 17.
90. The WATERFALL Navigation Aid --
High Level Control Objectives for Each Process
The control of
IT Processes
which satisfy
Business
Requirements
is enabled by
Control
Statements
considering
Control
Practices
See Framework, p. 18.
91. Resources: Data, Application Systems, Technology, Facilities, People
Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
Domains (processes): Planning and Organisation, Acquisition and Implementation, Delivery and Support, Monitoring
Example: the planning process must consider data integrity requirements
(By Gustavo Solis)
92. Executive Summary
Executive Overview
States the case for control
Introduces the concepts of the COBIT
Framework -- Setting the Scene
Provides working Definitions
The Framework’s Principles
Introduces the Domains and Processes
Relationships Among Principles, Domains,
and Processes
93. The Framework
Executive Overview (again)
The COBIT Framework -- Setting the
Scene
The Framework’s Principles – Criteria,
Resources and Processes
Guide to Using the Framework
--Navigation Aids
Summary Table
High Level Control Objectives
(Processes)
95. Control Objectives, 3rd Edition
148 pages
Contains statements of the desired results or
purposes to be achieved by implementing
specific control procedures within an IT
activity
Assists in establishing clear policy and
good practice for IT control
96. Control Objectives Contains:
Executive Summary and Framework
Summary Table (page 20)
Title Headers for Domains, Processes and Control
Objectives (pages 23-27)
High-Level Control Objectives and management
control practices by Domain (pages 31-134)
IT Governance Management Guideline and Maturity
Model (pages 137-140)
CobiT Project Description (page 141)
Primary Reference Materials (pages 142-143)
Glossary of Terms & Index (pages 144-148)
97. Planning and Organization Domain
11 High-level Control Objectives
100 Detailed Control Objectives
(IT-related management control practices )
170+ Control Tasks and Activities
98. Planning and Organization
Develop strategy and tactical plans for IT
Identify ways that IT can best contribute to the
achievement of business objectives
Plan, communicate, and manage the
realization of the strategic vision
Establish the IT organization and set the stage
for information management and the
technology infrastructure
See Control Objectives, p. 32.
99. Planning and Organization Domain
PO 1 Define a Strategic Information Technology Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organization and Relationships
PO 5 Manage the Investment in Information Technology
PO 6 Communicate Management Aims and Directions
100. Planning and Organization Domain
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
101. PO 1 Define a Strategic
Information Technology Plan
To take advantage of information technology
opportunities and address IT business
requirements, a process for developing a
strategic plan for the organization’s IT
resources should be adopted and the IT
strategic plan should be converted to short
term tactical plans.
102. Linking the Processes to Control Objectives
Control over the IT process of
DEFINING A STRATEGIC IT PLAN PO-1
that satisfies the business requirement
to strike an optimum balance of IT opportunities and IT business
requirements as well as ensuring its further accomplishment
is enabled by
a strategic planning process undertaken at regular intervals
giving rise to long-term plans. The long-term plans should
periodically be translated into operational plans setting
clear and concrete short-term goals
and takes into consideration:
* definition of the business objectives and needs for IT
* inventory of technological solutions and current
infrastructure
* “technology watch” services
* organisation changes
* timely feasibility studies
* existing systems assessments
103. PO 1 Define a Strategic
Information Technology Plan
• Reference: page 32 of Control Objectives
8 detailed control objectives
IT as part of long-range goals
IT long-range plan
Contents of IT plan
Modification of IT long-range plan
IT tactical plan development
Communication & evaluation of IT plans
Assessing existing systems
104. PO 2 Define the Information
Architecture
To ensure that the organization’s information
is consistent with needs and enables people
to carry out their responsibilities effectively
and on a timely basis, an information
architecture model, encompassing the
corporate data model and the associated
information systems should be created and
regularly updated.
105. PO 2 Define the Information
Architecture
Information architecture model
Corporate data dictionary and data syntax rules
Data classification scheme:
– security categories
– ownership
– access rules
Maintain security levels for each data
classification
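The PO 2 slide lists the three parts of a data classification scheme (security categories, ownership, access rules) and asks that a security level be maintained for each classification. The following Python is an added example, not code from the slides or from ISACA/CobiT: it models ordered categories, an owner per asset, an access rule that refuses reading above the subject's clearance unless the owner has granted access, and a register review that flags assets whose safeguards fall short of the level their category requires. The category names, the safeguard sets per level, and the sample assets are all constructed for illustration.

```python
"""Added example (not from the CobiT slides): a minimal data
classification scheme in the shape PO 2 describes -- security
categories, ownership and access rules -- plus a check that every
asset carries the safeguards its classification level requires.
Category names, safeguards and the sample register are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Category(IntEnum):
    """Security categories, ordered from least to most sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Security level per category: the safeguards an asset must carry
# before it is considered properly controlled (constructed policy).
SECURITY_LEVELS = {
    Category.PUBLIC: set(),
    Category.INTERNAL: {"authn"},
    Category.CONFIDENTIAL: {"authn", "encrypt_at_rest"},
    Category.RESTRICTED: {"authn", "encrypt_at_rest", "mfa", "audit_log"},
}


@dataclass
class Asset:
    name: str
    category: Category
    owner: str                               # accountable data owner
    safeguards: set = field(default_factory=set)
    grants: set = field(default_factory=set)  # users the owner explicitly allowed


@dataclass
class Subject:
    user: str
    clearance: Category


def may_read(subject: Subject, asset: Asset) -> bool:
    """Access rule: the owner may always read; anyone else needs either
    an explicit owner grant or a clearance at least as high as the
    asset's category (no read-up)."""
    if subject.user == asset.owner or subject.user in asset.grants:
        return True
    return subject.clearance >= asset.category


def missing_safeguards(asset: Asset) -> set:
    """Safeguards required by the asset's security level but not present."""
    return SECURITY_LEVELS[asset.category] - asset.safeguards


def review_register(assets) -> dict:
    """The 'maintain security levels for each classification' check:
    returns {asset name: sorted list of missing safeguards} for every
    asset whose controls do not match its classification."""
    findings = {}
    for asset in assets:
        gap = missing_safeguards(asset)
        if gap:
            findings[asset.name] = sorted(gap)
    return findings


# Constructed sample register
REGISTER = [
    Asset("press-release", Category.PUBLIC, "comms"),
    Asset("payroll", Category.RESTRICTED, "hr-director",
          safeguards={"authn", "encrypt_at_rest", "audit_log"},
          grants={"payroll-clerk"}),
    Asset("vendor-contracts", Category.CONFIDENTIAL, "legal",
          safeguards={"authn", "encrypt_at_rest"}),
]

if __name__ == "__main__":
    clerk = Subject("payroll-clerk", Category.INTERNAL)
    print(may_read(clerk, REGISTER[1]))   # True: owner grant
    print(may_read(clerk, REGISTER[2]))   # False: clearance below CONFIDENTIAL
    print(review_register(REGISTER))      # {'payroll': ['mfa']}
```

The review function is the auditor's view of the scheme: it does not decide access, it reports where the declared classification and the controls actually in place have drifted apart, which is the evidence an audit of PO 2 would look for.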
106. PO 3 Determine the Technological
Direction
To ensure sufficient technology to perform
the IS function and to take advantage of
emerging technology, the information
services function should create and regularly
update a technology infrastructure that
encompasses the systems architecture,
technological direction and migration
strategies.
107. PO 3 Determine the Technological
Direction
Technological infrastructure planning
Monitor future trends and regulations
Assess infrastructure for contingency
aspects
Hardware & software acquisition plans
Define technology standards
108. PO 4 Define the IT Organization and
Relationships
To ensure that IT services are delivered in an
efficient and effective manner, there must be:
adequate internal and external IT staff,
administrative policies and procedures for all
functions (with specific attention to
organizational placement, roles and
responsibilities, and segregation of duties),
and an IS steering committee to determine
prioritization of resource use.
109. PO 5 Manage the Investment in
Information Technology
To ensure adequate funding for IT, controlled
disbursement of financial resources, and
effective and efficient utilization of IT
resources, IT resources must be managed:
through use of information services capital
and operating budgets, by justifying IT
expenditures, and by monitoring costs (in
light of risks).
110. PO 6 Communicate Management Aims
and Direction
To ensure the overall effectiveness of the IS
function, IS management must establish
direction and related policies addressing
such aspects as: positive control
environment throughout the organization,
code of conduct/ethics, quality, and security.
The policies must then be communicated
(internally and externally) to obtain
commitment and compliance.
111. PO 7 Manage Human Resources
IT personnel resources must be managed so
as to maximize their contributions to the IT
processes. Specific attention must be paid to
recruitment, promotion, personnel
qualifications, training, back up, performance
evaluation, job change, and termination.
112. PO 8 Ensure Compliance with
External Requirements
To avoid fines, sanctions, and loss of
business, the organization must maintain
procedures to ensure awareness of and
compliance with industry, regulatory, legal,
and contractual obligations. IT related
requirements include: safety, privacy,
transborder data flows, electronic commerce,
and insurance contracts.
113. PO 9 Assess Risks
To ensure the achievement of IT objectives,
in support of business objectives, and to
respond to threats to the provision of IT
services, management should establish a
risk assessment framework including: risk
identification, measurement, risk action plan,
and the formal acceptance and
communication of the residual risk.
114. PO 9 Assess Risks
Cornerstone high-level control objective for
developing and maintaining an appropriate
system of internal control
Includes business risk assessment, risk
assessment approach, identification of risk, risk
measurement, & action plan
Understanding and acceptance of residual risk
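The two PO 9 slides name the elements of a risk assessment framework: risk identification, measurement, a risk action plan, and formal acceptance and communication of residual risk. The following Python is an added example, not code from the slides or from ISACA/CobiT, that carries one risk register through those four steps: each risk is identified with a threat, measured on constructed 1 to 5 likelihood and impact scales, reduced by the control that addresses it to a residual score, and then either monitored, treated further, or shown as formally accepted by a named person when it sits above the (constructed) risk appetite. The scales, the appetite threshold and the sample risks are assumptions made for illustration.

```python
"""Added example (not from the CobiT slides): a small risk register
walking the four PO 9 elements -- identification, measurement,
action plan, and formal acceptance of residual risk.
The 1-5 scales, the appetite threshold and the sample risks are constructed."""
from dataclasses import dataclass
from typing import Optional

RISK_APPETITE = 6   # highest residual score tolerated without sign-off (constructed)


@dataclass
class Risk:
    ident: str
    threat: str                      # identification
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    control: str = "none"
    likelihood_reduction: int = 0    # scale steps the control removes
    impact_reduction: int = 0
    accepted_by: Optional[str] = None  # formal acceptance of residual risk

    def __post_init__(self):
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be in 1..5")

    def inherent(self) -> int:
        """Measurement before any control: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Measurement after the control; neither factor drops below 1."""
        likelihood = max(1, self.likelihood - self.likelihood_reduction)
        impact = max(1, self.impact - self.impact_reduction)
        return likelihood * impact


def action_plan(risk: Risk) -> str:
    """Action plan for one risk:
    - residual within appetite            -> 'monitor'
    - above appetite, formally accepted   -> 'accepted:<who>'
    - above appetite, not accepted        -> 'treat' (more control needed)"""
    if risk.residual() <= RISK_APPETITE:
        return "monitor"
    if risk.accepted_by:
        return f"accepted:{risk.accepted_by}"
    return "treat"


def register_report(risks) -> dict:
    """Summarise the register as {id: (inherent, residual, action)};
    this is what gets communicated to management."""
    return {r.ident: (r.inherent(), r.residual(), action_plan(r)) for r in risks}


# Constructed sample register
REGISTER = [
    Risk("R1", "unauthorised change to production code", 4, 5,
         control="change board approval and segregation of duties",
         likelihood_reduction=3),
    Risk("R2", "loss of data centre power", 2, 5,
         control="UPS and generator", likelihood_reduction=1),
    Risk("R3", "staff share passwords", 4, 3,
         control="awareness training", likelihood_reduction=1,
         accepted_by="CIO"),
    Risk("R4", "unpatched internet-facing server", 3, 4),
]

if __name__ == "__main__":
    for ident, (inherent, residual, action) in register_report(REGISTER).items():
        print(f"{ident}: inherent={inherent} residual={residual} action={action}")
```

R3 is the case the second slide singles out: its residual score stays above appetite after training, so the register only reads "accepted" because a named officer signed for it; without that record the same risk reports as "treat", which is the distinction an auditor checks when reviewing understanding and acceptance of residual risk.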
115. PO 10 Manage Projects
To ensure that projects are completed on
time, within budget, and are undertaken in
order of importance, management must
establish a project management framework
to ensure that project selection is in line with
plans and that a project management
methodology is applied to each project
undertaken.
116. PO 11 Manage Quality
To ensure that customer requirements are
met, senior management should establish a
quality assurance (QA) plan and implement
related activities, including reviews, audits,
and inspections, to ensure the attainment of
IT customer requirements. A systems
development life cycle methodology is an
essential component of the QA plan.
117. Acquisition and Implementation
Domain
6 High-level Control Objectives
68 Detailed Control Objectives
(IT-related management control practices)
100+ Control Tasks and Activities
118. Acquisition and Implementation
IT solutions
– Identified
– Developed or acquired
– Implemented
– Integrated into the business processes
Change and maintain existing systems
See Framework, p. 17.
119. Acquisition and Implementation
Domain
AI 1 Identify Automated Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire & Maintain Technology Infrastructure
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
120. AI 1 Identify Automated Solutions
SDLC having procedures to:
• define information requirements,
• formulate alternative courses of action,
• perform technological feasibility studies
• perform economic feasibility studies, and
• assess risks.
121. AI 2 Acquire and Maintain
Application Software
SDLC having procedures to:
• create design specifications for new, or
significantly modified, application systems
• verify those specifications against the user
requirements
• ensure that specifications are developed with
system users and approved by management
and user departments.
122. AI 3 Acquire and Maintain
Technology Infrastructure
To ensure that platforms (hardware and
systems software) support business
applications, the organization’s SDLC should
provide for an assessment of the impact of
new hardware and software on the
performance of the overall system. In
addition, procedures should be in place to
ensure that hardware and systems software
is installed, maintained, and changed to
continue to support business applications.
123. AI 4 Develop and Maintain
IT Procedures
To ensure the ongoing, effective use of IT,
the organization’s SDLC should provide for
the preparation and maintenance of service
level requirements, training materials, and
operating (user and operations) manuals.
124. AI 5 Install and Accredit Systems
• SDLC should provide for a planned, tested,
controlled, and approved conversion to the
new system.
• After installation, the SDLC should call for
a review to determine that the new system
has met users’ needs in a cost-effective
manner.
125. AI 6 Manage Changes
To ensure processing integrity between
versions of systems and to ensure
consistency of results from period to period,
changes to the IT infrastructure must be
managed via: change request, impact
assessment, documentation, authorization,
and release and distribution policies and
procedures.
126. Delivery and Support Domain
13 High-level Control Objectives
126 Detailed Control Objectives
(IT-related management control
practices)
190+ Control Tasks and Activities
127. Delivery and Support
Deliver required services
Ensure security and continuity of
services
Set up support processes, including
training
Process data (including “application”
controls)
See Control Objectives, p. 90.
128. Delivery and Support Domain
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Allocate Costs
DS 7 Educate and Train Users
129. Delivery and Support Domain
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
130. DS 1 Define Service Levels
To ensure that IT services continue to satisfy
organizational requirements, senior
management should establish a framework
for reaching explicit agreements on the
minimal acceptable levels of quantity and
quality of IT services delivered by internal
and external IT resources and then measure
IT performance against these agreements.
131. DS 2 Manage Third-Party Services
To ensure that IT services delivered by third
parties continue to satisfy organizational
requirements, management should establish
a process to identify, manage and monitor
non-entity IT resources. Formal third-party
contracts should address many of the same
items contained in service level agreements
(see DS 1).
132. DS 3 Manage Performance and Capacity
To ensure that sufficient capacity of IT
resources remains available for optimal use to
satisfy organizational requirements,
management should establish a process to
monitor the capacity and performance of all
IT resources. The capacity of all IT resources
must be determined and managed, and resource
modifications (increases or decreases) must be
planned for.
133. DS 4 Ensure Continuous Service
To ensure that sufficient IT resources
continue to be available for use in the event
of a service disruption, management should
establish a process, coordinated with the
overall business continuity strategy, that
includes disaster recovery/contingency
planning for all IT resources and related
business resources, both internal and
external.
134. DS 4 Ensure Continuous Service Continued
Example of including additional guidelines:
the “Control Practices Guideline for
Information Systems Continuity Planning”
(ISACA publication, July 1995) calls for:
Evaluation of continuity requirements
• criticality assessment
• risk assessment
• impact assessment
135. DS 4 Ensure Continuous Service Continued
Control Practices Guideline for Information
Systems Continuity Planning calls for:
Continuity Plan
Risk Management
Maintaining a Viable Continuity Plan
• Testing Continuity Plan
• Maintenance of Plan
• Communication and Training
136. DS 5 Ensure Systems Security
To ensure that organizational information is
not subjected to unauthorized use,
disclosure, modification, damage, or loss,
management should implement logical
access controls to restrict access to systems,
data, and programs to only authorized users.
This objective addresses logical, as opposed
to physical, security issues.
137. DS 6 Identify and Allocate Costs
To ensure that IT resources are delivered in
a cost-effective manner and that they are
used wisely, information services
management should identify the costs of
providing IT services and should allocate
those costs to the users of those services.
138. DS 7 Educate and Train Users
To ensure that users make effective use of
IT, management should identify the training
needs of all personnel, internal and external,
who make use of the organization’s IT
resources and services and should see that
timely training sessions are conducted.
139. DS 8 Assist and Advise IT Customers
To effectively utilize IT resources, users often
require advice on how to properly utilize IT
resources and may require assistance to
overcome problems encountered in using
those resources. This assistance is generally
delivered via a “help desk” function.
140. DS 9 Manage the Configuration
To ensure that IT assets are not lost or
altered, or used without authorization,
management should establish a process to
account for all IT components, including
applications, technology, and facilities, and to
prevent unauthorized alterations of assets or
use of unauthorized assets.
141. DS 10 Manage Problems and Incidents
To ensure that barriers to efficient and
effective use of the IT resource are
prevented or eliminated and that the IT
resource remains available, information
services management should implement a
system to identify, track, and resolve in a
timely manner problems and incidents that
occur.
142. DS 11 Manage Data
To ensure that data remains complete,
accurate and valid, management
should establish a combination of
application and general controls.
143. DS 12 Manage Facilities
To protect the IT facilities against man-made
and natural hazards, the
organization must install and regularly
review suitable environmental and
physical controls.
144. DS 13 Manage Operations
To ensure that important IT functions are
performed regularly and in an orderly
fashion, the information services function
should establish and document standard
procedures for IT operations.
145. Monitoring Domain
• 4 High-level Control Objectives
• 24 Detailed Control Objectives
• (IT-related management control practices)
• 51+ Control Tasks and Activities
146. Monitoring Domain
Regularly assess IT processes for
– Quality
– Compliance with control requirements
Addresses management oversight of
organization’s control provisions
Provides for audit function
See Control Objectives, p. 126.
147. Monitoring Domain
M 1 Monitor the Process
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
148. M 1 Monitor the Process
To ensure the achievement of IT process
objectives, management should establish a
system for defining performance indicators,
gathering data about all processes, and
generating performance reports.
Management should review these reports to
measure progress toward identified goals.
149. M 2 Assess Internal Control Adequacy
To ensure the achievement of internal
control objectives, management
should establish a system for
monitoring internal controls and
assessing and reporting on their
effectiveness on a regular basis.
150. M 3 Obtain Independent Assurance
To increase confidence that IT objectives
are being achieved and that controls are
in place and to benefit from advice
regarding best practices for IT,
independent assurance reviews should be
conducted on a regular basis.
151. M 4 Provide for Independent Audit
To increase confidence levels that IT
objectives are being achieved and that
controls are in place and to benefit from
advice regarding best practices for IT
governance, independent audits should be
conducted on a regular basis.
152. Summary of the Framework
Business Objective
– Business Processes (to meet objectives)
• IT Processes (to manage and control..)
– IT Resources (to provide info to..)
4 Domains
34 Processes/High-Level Control Objectives
318 Activities/Detailed Control Objectives
Cut the Framework by Info Criteria, IT Resources, IT
processes
153. SUMMARY OF COBIT TO THIS POINT
Defines a Framework for Reviewing IT.
Four Domains Are Identified.
Achievement of each IT Process to meet
a business objective represents a high-level
Control Objective.
Identifies control objectives to be addressed.
For Each of the 34 Processes, there are up to 30
Detailed IT Control Objectives or IT management
control practices.
154. SUMMARY OF COBIT TO THIS
POINT
The IT Control Objectives came from 41 primary
sources.
There are Navigational Tools including a
“Waterfall” and a “Cube” approach.
Provides a Systematic and Logical Method for
defining and communicating IT Control Objectives
IT Control Objectives are linked to business
processes and objectives.
155. Domains
• P&O
• A&I
• D&S
• M
34 Processes (High-Level Control Objectives):
PO 1.0 ... PO 11.0; AI 1.0 ... AI 6.0; DS 1.0 ... DS 13.0; M 1.0 ... M 4.0
318 Tasks & Activities (Detailed Control Objectives):
PO 1.1 ... PO 11.18; AI 1.1 ... AI 6.7; DS 1.1 ... DS 13.7; M 1.1 ... M 4.8
156. The CUBE -- Information Criteria
Relationships Among Components (figure: the CobiT cube; its three axes are)
Information Criteria: Quality, Fiduciary, Security
IT Resources: Data, Application Systems, Technology, Facilities, People
IT Processes
See Control Objectives, p. 16.
157. For Management, CobiT:
Addresses management's increasing legal
responsibility for control
Expresses required IT control practices
in management terms
Guides IT investment and operational
decisions (to balance risk and control)
Helps management better utilize internal
and external auditors
158. For Users, COBIT:
Provides benchmarks for best practices for
IT management and IT control
Helps obtain assurance for business
processes supported by IT
Strengthens relationship with IT services
Helps ensure adequate level of integrity of
information provided by IT systems
159. For Auditors, COBIT:
Provides good benchmarks or criteria for
evaluating IT control
Focuses on control objectives and controls
Substantiates opinions to management on
internal controls
Helps auditors and control professionals to
be proactive business advisors
160. For us All, CobiT:
Strengthens the understanding, design,
implementation, exercise, and evaluation
of internal control through improved focus
on information criteria and IT-related
control objectives
Strengthens management’s efforts to
“ensure” and Audit’s efforts to provide
“assurance”
(This slide is for the benefit of those non-ISACA members who might not be familiar with the Association, the Foundation and what they do. It should be shown as an overview even if all in attendance are ISACA members.) The Information Systems Audit and Control Association (ISACA) is a leading information technology organization representing nearly 100 countries and comprising all levels of IT professionals from senior executives to staff. ISACA has expanded its depth and coverage to assume the role as the harmonizing source for IT control practices and standards around the world. Among its many products and services are: Certification (Certified Information Systems Auditor (CISA) program); Continuing Education (Global Conferences and Seminars); Technical Publications (award-winning IS Audit & Control Journal and bookstore products); and Research (the Foundation sponsors and conducts research to further the knowledge base available to the IT and business communities). The Foundation sponsored COBIT! How many are members of ISACA?
Let’s review control responsibilities.
Note to instructor: Ask the participants to provide examples of how these three points relate. IT Resources that support IT Processes within the organisation, complying with Business requirements.
Visual representation of a comparison of the need for usable information using the previous slides. Note to Instructor: Use this diagram to ask attendees to think of their own organisation and about the numerous times systems are developed or changed and the user is not satisfied. Then ask them to think about where the breakdown may occur and to note whether there is a pattern.
The conceptual framework can be approached from three vantage points: IT resources, business criteria for information and IT processes. These different views allow the framework to be accessed efficiently. For example, enterprise managers may want to look with a quality, security or fiduciary interest (translated by the framework into seven specific information criteria). An IT manager might like to consider IT resources for which he or she is accountable. Process owners, IT specialists, and users may have a specific interest in particular processes. Auditors may wish to approach the framework from a control coverage point of view.
See Control Objectives: pp. 10-25, p. 26, pp. 56-73, and then the MWRA (A) case study. Left page: copy of high-level control objectives from the framework. Right page: detailed control objectives relating to the process being developed.
Acquisition and Implementation has 6 processes. Here the subject is the development of specific systems. User management could (should?) take the lead in the acquisition and implementation of applications to ensure that the system meets business objectives. However, the user must be guided by the IT specialists to see that:
• the product fits into the existing IT architecture. If it doesn’t, additional costs will be absorbed for modifications, maintenance, and support.
• controls are built in rather than added on after the fact.
• control procedures include, as appropriate, backup processes and disaster recovery/business resumption planning.
• the contract specifies such items as testing, non-disclosure of confidential information, penalties for non-performance, and procedures for vendor access that do not violate existing security procedures, such as firewalls.