Oiac It Audit Wo Cartoons



  1. Office of Internal Audit and Compliance: IT Auditing Overview. CIO Advisory Council Meeting, Spring 2011, Savannah, Ga.
  2. Session Guide
     • Erwin (Chris) L. Carrow, IT Audit Director; M.Div., MSIS, CISSP, INFOSEC, CCAI, CCNP, CCSP, CQS, CCNA, LCP, LCI, OCM, MCSE, MCP+I, LSS Green Belt, etc. (Alphabet soup – who cares?!)
     • Board of Regents, University System of Georgia, Office of Internal Audit and Compliance, 270 Washington Street S.W., Ste. 7087, Atlanta, GA 30334
     • (404)657-9890 Office, (678)644-3526 Cell, (404)463-0699 Fax
     • Email: erwin.carrow@usg.edu, ecarrow@gmail.com, ecarrow@google.com
     • http://www.linkedin.com/in/thebishop, Twitter: @ecarrow, Skype: erwin.louis.carrow
  3. Session Agenda (22 slides – unless additional needs for clarity)
     • Quick Overview – Audit Methodology (slides 1-15)
     • Assessment Lifecycle & Applying Controls (slides 16-18)
     • Overview & Summary (slides 19-22)
     ______________________________________________________________
     • Terminology & Context of Security Implementation (slides 23-27)
       – Securing Business Functions
       – Governance
       – Business Function Characteristics
       – Vertical (B2S) and Horizontal (B2B) Relationship
     • Risk Identification & Reconciliation (slides 28-34)
       – Business Impact Analysis
       – Risk Assessment Process
       – Risk Analysis Methodology
     • Categories and Types (slides 35-37)
       – Risk – Enterprise Risk Management (BIA, RA, ERM)
       – Information, Information Systems, & Users
     • Controls Framework (slides 38-44)
       – Types of Controls, Skill Sets, and Resources
       – Criteria: Maturity of Controls to Support Outcomes
       – Procedures: Operational Tasks to Implement and Support Controls (low-level)
     • Example: Identity Management (COBIT, CMMI, & NIST) (slides 45-55)
  4. Key Takeaways
     • Understand OIAC requirements and how the IT audit function applies its framework for assessing controls that compensate for high impact/probability risks.
     • Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
     • Provide resources for review & dialogue.
  5. Quick Overview – Audit Methodology
  6. Why We Audit – Mission & Charter
     • “Internal auditing provides independent and objective assurance and consulting services to the Board of Regents (Board), the Chancellor, and institution leadership in order to add value and improve operations. The internal audit activity helps the University System Office (USO) and USG institutions accomplish their objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, compliance, and internal control processes.” – Internal Audit Charter approved by the Board of Regents (underline added in the original slide)
  7. Types of Audits – Federal, State, Campus, and Board of Regents
     • Federal Auditors
       – Rely on work of state auditors
       – May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
     • State Auditors – Financial and Performance
       – Financial / Operational auditors: external auditors validating internal controls and the AFR
       – Performance auditors: external auditors focused on a specific system-wide process or policy issue
     • Campus Auditors
       – Varies by campus
       – Generally focused on departmental reviews
       – Report to institution President and USO Chief Audit Officer
     • Board of Regents Auditors
       – Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns
  8. The Audit Selection Process: OIAC Risk Assessment & Planning Process (the “Why Us Syndrome and What We Audit?”)
     • OIAC’s Risk Assessment process
       – Quantitative data: previous findings, financials, etc.
       – Qualitative data: surveys, interviews, trends, etc.
       – Quarterly review and assessment, versus an annual approach, to be proactive
     • Rolling Audit Plan
       – Designed to ensure coverage of institutions with high risk
       – Also designed to ensure OIAC coverage at all USG institutions at least once every 3-4 years
       – Specifies institution and broad categories in which to audit
       – May also incorporate consulting engagements and other special projects
  9. Overall Engagement Plan – Summary of Process
     • Top-down methodology for the auditing assessment
       – Risk based: High Impact / High Probability – 32 different influencers
       – Business Goals to Standards and Practices
       – Business Function critical component identification
       – Leadership (administrator) to Technician or Staff member (end user)
       – Assess Requirements, Resources, and Processes
     • The approach focused on key business functions and their associated Business Goals and Objectives as they relate to the assessed entities.
     • Once identified and agreed upon for each business function, the key associated requirements, resources, and processes were identified and assessed to determine if high or critical risk is being managed.
     • Focus was upon Control Practices and Responsibility / Accountability associated with key activities, with CMMI level 3 as the expected criterion for High Risk Critical processes.
  10. Methodology, Scope, & Criteria
     • Standards for the Methodology
       – Institute of Internal Auditors (IIA – www.theiia.org)
       – Information Systems Audit & Control Association (ISACA – www.isaca.org)
     • Scope of Application: Area of Emphasis (Entity or Process)
       – Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
     • Determine what areas of High Risk or Critical Systems exist for the assessed entities at the institution
       – Risk Analysis (OIAC) & Preliminary Assessment with Institution
       – Prior Coordination / Business Impact Analysis / Risk Assessment – information request list, based upon audited entities
       – Analysis of information provided from the pre-audit phase
     • Scope of Execution: Area of Emphasis (Entity or Process)
       – Business Functions (High Critical Risk)
         • Examples: IAM: Identity and Access Control Management & NETSEC: Perimeter & Network Security
       – Will incorporate recommended focus areas from institutional leadership
       – Scope can change during the course of an audit if warranted
     • CMMI Criteria level 3: Process is Defined & Documented and periodically Evaluated
  11. Those Involved in Areas Reviewed & Priority of Emphasis (# Personnel – # Meetings)
     • Information Technology Department (High)
     • Administrative Units (Medium)
     • Academic Units (Limited)
     • Auxiliaries (Low)
  12. Summary for Plan of Action – during the engagement we …
     • Gather Information / Evidence related to implementation of controls to address High Impact / High Probability risk
       – Interviews with key personnel (Business Owners, Trustees, & Stewards)
       – Test and validate objectives: information and information systems
       – Direct observation & dialogue
     • Document initial analysis (informal)
     • Dialogue and gain confirmation of observations (validation)
     • Dialogue and gain common understanding of exceptions and issues
     • Identify issues to key shareholders / leadership and discuss solutions
     • Up until the final report is completed, dialogue will continue with the audited entity regarding issues (objections are welcome – it is your right!)
  13. The Process We Follow – From Notification to Reporting
     • 1st Phase: Pre-Campus Work (Preparatory Efforts)
       – Announcement / Notification Letter, sent to the President upon rolling audit plan approval (specifies the 5-month period during which the audit will be conducted)
       – Preliminary Survey: brief visit on campus, approx. 60 days prior to start of audit
       – Engagement Letter: sent to the President approx. 30 days prior to start of audit
       – Data Collection: initial interviews, data requests, and network scans may take place prior to arrival on campus; the more we get ahead of time, the less time we have to spend onsite
     • 2nd Phase: On-Campus Fieldwork (Evidence Gathering Phase)
       – Initiated with Entrance Conference (“Line in the Sand”)
       – Scope of work may expand / contract
       – Campus POC kept informed on audit progress and issues (daily)
       – End of fieldwork review: a meeting conducted at close of work summarizing initial results and implications
     • 3rd Phase: Post-Campus Work (Documentation & Publication Phase)
       – Draft Report prepared and sent as a discussion document
       – Exit Conference held either in person or via phone / video conference
       – Official Draft Report sent, requiring a response from the institution
       – Institution’s response incorporated in the report
       – Report published and distributed
  14. Summary of Engagement Flow Timeframes (flow diagram; the steps below are what survives from the slide text)
     • Rolling Risk Assessment & Notification – three times per year
     • Phase 1: Preliminary Survey onsite with Senior Leadership – 60 days
     • Phase 2: Audit Letter with data request sent – preliminary assessment – 30 days; Entrance meeting & field work – 2 to 4 weeks
     • Phase 3: End of field work meeting w/ Key Shareholders
     • Remaining timeline labels from the diagram: 4-6 wks, 1-2 wks, 1 wk, 30 days, 1 wk, 90 days
  15. Assessment Results / Reporting
  16. Assessment Lifecycle & Applying Controls
  17. Assessment Life Cycle?
  18. “Life Cycle” of Security & Process Provisioning
  19. Overview & Summary
  20. Putting it all together…
  21. Thank You for Your Patience & Participation – Any Questions?
     • Understand OIAC requirements and how the IT audit function applies its framework for assessing controls that compensate for high impact/probability risks.
     • Provide a high-level overview of how the framework applies to institutional and agency audits / consulting.
     • Provide resources for review & dialogue.
  22. Helpful Resources
     • CIS Benchmarks – http://www.cisecurity.org/benchmarks.html
     • IIA – www.theiia.org
     • ISACA – www.isaca.org
     • ISC(2) – www.isc2.org
     • ISO – www.iso.org
     • ITGI – www.itgi.org
     • NIST – csrc.nist.gov
     • NSA – www.nsa.gov
     • IASE – iase.disa.mil
     • Web App Consortium – www.webappsec.org
     • EDUCAUSE – educause.edu/security
     • Univ. Austin Texas Sec. – security.utexas.edu
     • Univ. Cornell Sec. – www.cit.cornell.edu/security
     • Virginia Tech Sec. – security.vt.edu
     • Ga. Tech Info Sec. Center – www.gtisc.gatech.edu
  23. Terminology & Context of the Audit Implementation
  24. Securing Business Events
     • It still comes down to … business event needs and outcomes
       – Goals or Objectives
       – Vision, Mission, & Operations
       – Rules and Requirements
     • Identifying critical business functions
       – Support Infrastructure: Finance and Accounting, Human Resources, Facilities, Services, other administrative functions or departments
       – Production Infrastructure: those folks who actually make the widgets (Instruction)!
     • Identify the departments and who the key personnel are, e.g., Business Owners, Trustees and Stewards
     • Identify the vertical (B2S – dependent) and horizontal (B2B – interdependent) relationships that potentially introduce risk (IT Governance)
     • Identify the systems that support business functions
     • Categories and types of information and information systems
     • Answer the question … “How are the people and systems integrated into the business process?”
     • Answer the question … “What internal controls exist or need to be implemented to mitigate risk?”
  25. Governance Interdependencies & Value Drivers – Control Objectives for Information and related Technology (COBIT®)
  26. Business Functions and Characteristics – Control Objectives for Information and related Technology (COBIT®)
  27. Governance: Business to Stewardship (B2S) versus Business to Business (B2B)
  28. Risk Identification & Reconciliation
  29. Audit Risk Life Cycle Variables
  30. Standards of Application
     • Industry Standards / Frameworks
       – COBIT 4.1 (Control Objectives for Information Technology)
       – NIST (National Institute of Standards and Technology)
       – ISO 17799/27001 (International Organization for Standardization)
       – ITIL (Information Technology Infrastructure Library)
     • Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
     • Board of Regents Standards
       – Board of Regents Policy
       – ITS Security Guidelines
       – Business Process Manual
     • Institutions’ Local Policies and Procedures
     • NOT PERSONAL OPINION OR PREFERENCES!!!!!
  31. Business Impact Analysis – must understand …
     • Business goals and requirements
     • Internal and external relationships
     • What resources are involved
     • Who is in charge and what interdependencies exist
     • Vision (Strategic) → Mission (Tactical) → Objectives (Operational) → factors for success → KPIs
     • What are the Key Performance / Process Indicators?
     • What distinctions and outcomes exist for each stage
     • What is the scope of probability / impact (beware the “Chicken Little” effect)
     • What expectations exist for each key shareholder
     Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
  32. Assessing for Risk …
     • Risk assessment evaluates components of information, information system security and compliance as they relate to the business function
     • Assess → Mitigate / Monitor → Re-Assess
     • An ongoing risk management program must be in place
     • The business owner or key shareholder must own the process
     • Establish a standard for considering and negotiating risk
     • Annual (periodic) risk assessment deliverable with recommendations for corrective action
     • Clearly define and document accepted risk – someone needs to sign off on the responsibility
  33. Risk Mitigation
     • Once risks are identified, they must be mitigated via internal controls
     • Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process, for implementing and enforcing information security and compliance
     • Design → Document → Implement → Document and retain artifacts
     • Test the controls prior to implementation to validate expectations
     • Monitor results
     • Re-test controls periodically
  34. Re-Assess Risks
     • Risk assessments are an ongoing exercise; track mitigation strategies – did they work?
       – What “Framework(s)” are being applied?
       – Is there an identifiable “Structure” in place, e.g., a risk management program?
       – Is the “Methodology” recognizable, e.g., documented and not arbitrary?
       – Are you using tools to monitor, manage, and validate the associated processes?
     • Test → re-test controls (design and effectiveness)
     • Document test results, corrective actions, and changes in business needs / requirements.
     Source: Certified Information Systems Auditor (Study Guide), Cannon, Bergmann, & Pamplin
  35. Categories and Types
  36. Risk Categories and Types? Determine how the categories of risk may or may not apply:
     • Risk Types
       – Strategic: affects the entity’s ability to achieve goals and objectives
       – Compliance: affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
       – Reputational: affects reputation, public perception, political issues, etc.
       – Financial: affects loss of assets, technology, etc.
       – Operational: affects on-going management processes and procedures
     • Risk Management Process
       – Agreed-upon methodology to assess priorities (BIA, RA, ERM)
       – Consistency and agreement in identification of risks
       – Focus upon high probability / high impact risk
       – Types and classification – Information, Systems, & People
  37. Information & Information System Users (Internal & External) – Categories and Types?
     • What type of information, on which systems, is being accessed by which users?
       – Information: public, administrative, sensitive, confidential
       – Internal users: administrative, managerial, informational
       – External users: general public or specific target group
     • What level of access and authorization to the information is being provided to those types of users? Is the risk being managed with effective controls?
     • People who use or interact with the information include:
       – Share Holders / Owners / Management
       – Employees & Business Partners
       – Service providers / Contractors
       – Customers / Clients
       – Regulators, etc.
  38. Controls Framework
  39. Control Objectives for Information and related Technology (COBIT)
     • Developed by the ITGI (current v4.1 → 5.0) – https://www.isaca.org/
     • Value of IT, Risk, and Control
     • Links IT service delivery to business requirements (already defined, right?)
     • A lifecycle; constantly adapting, improving, re-adapting
     • Four Responsibility Domains:
       – Plan and Organize (PO)
       – Acquire and Implement (AI)
       – Deliver and Support (DS)
       – Monitor and Evaluate (ME)
     • Make a grocery list of needs and then go shopping
  40. Audit Program Design
  41. Audit Controls Definition – Audit Controls & Assessment
     • Provides a roadmap to the auditor on which areas to focus audit steps (assess controls)
       – Preventive: controls to stop the problem from occurring
       – Detective: controls to find the problem
       – Corrective: controls to repair the problem after detection
       – Administrative: policies, standards, guidelines, & procedures
       – Technical: controls using hardware or software for processing & analysis
       – Physical: controls to implement barriers or deterrents
     • Based upon industry standards, requirements, & practices
     • Build a list of high-level objectives and outcomes to address risks associated with the audited entity
  42. Common Maturity Model Integrated (CMMI)
     • Variants of the CMMI: CMM & ISO 15504
     • Identifies WHERE you are in the application of IT risk mitigation controls and HOW to get to the next level
     • Levels of Application
       – Level 0: No recognizable process, though one is needed
       – Level 1: Process is ad hoc and performed by key individuals
       – Level 2: Process is repeatable, but not controlled
       – Level 3: Process is defined & documented and periodically evaluated
       – Level 4: Managed & measurable; effective internal controls with risk management
       – Level 5: Optimized enterprise-wide risk and control program
  43. Engagement: Application of Standards
     • Assessment Standards & Identification
       – Create assessment program (pre-engagement)
         • Identify risk & criteria
         • Identify audit resources, skill sets, & personnel
         • Develop information requirements for requests
       – Share expectations and objectives with the institution
     • Gather Information / Evidence
       – Assess Controls: strengths / weaknesses (during engagement) [validate assurance or identify vulnerabilities / exploitation]
       – Calculate the level of control criteria being applied (CMMI)
     • Analysis to determine if compliant with standards
     • Document variances or exceptions / issues [potential issues]
     • Report per Charter requirements (ratings)
  44. Controls Development & Implementation
  45. Example: Controls Mapping – Framework for Information & System Security (11/12/2011)
  46. IAM Example: Entity to be Assessed for Risk
     • IAM: Identity and Access Control Management
       – Identity Management: the management of user credentials and the means by which users log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
       – Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
  47. Users Involved in Business Functions and Types of Information and Systems? (Provisioning of High Risk or Critical Information)
     • Business functional responsibility for assigning “Rights & Permissions” to various roles within the organization
       – Business Owner: responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Finance, HR, etc.
       – Trustees: responsible for maintaining the trust granted by the Business Owner, e.g., the “Worker Bees” in the associated departments that conduct day-to-day operations
       – Stewards: responsible for servicing and supporting the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.
       – Audience: what / who the use of the information is intended for
       – B2S versus B2B: vertical and horizontal relationships (IT Governance)
     • Types of Information (classification) per organization or agency
       – Unrestricted / Public: no consequence; typically general information
       – Sensitive: typically references legal or externally imposed constraints that require this restriction
       – Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA, HIPAA, etc.
     • Types of Information Systems to support information exchange
       – Infrastructure and architecture to support business-driven events
       – Classification and type (comparable to the information being managed)
       – Supply Chain Management (SCM), Enterprise Resource Planning (ERP), Customer Resource Management (CRM), Business Intelligence (BI), basic communications, etc.
     • Determine the scope of assessment and the entities (people, application systems, & information) to be assessed
  48. Example Associated Key Process – Ecommerce, e.g., One Card System
     • COBIT high-level framework for controls relating to the Ecommerce systems
       – Plan and Organize (PO): provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
       – Acquire and Implement (AI): provides the solutions and passes them to be turned into services: AI5 and AI4
       – Deliver and Support (DS): receives the solutions and makes them usable for end users: DS1, DS5 and DS11
     • Map the requirements to your preferred checklist, e.g., NIST or ISO
     • Requirements for Ecommerce complement other processes
       – Less work required for other system implementations
       – No duplication of effort if requirements are properly addressed
     • Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases
  49. Example: Identity and Access Control Management (IAM) – COBIT 4.1 DS5.3 Identity Management
     • Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
     • Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
     • Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
     • Maintain user identities and access rights in a central repository.
     • Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
  50. Example: Identity and Access Control Management (IAM) – Logical Didactic Approach, DS5.3 Identity Management (how it is evaluated)
     • Control over the IT process of “Ensure systems security” that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
     • By focusing on
       – defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
     • Is achieved by
       – Understanding security requirements, vulnerabilities and threats
       – Managing user identities and authorizations in a standardized manner
       – Testing security regularly
     • And is measured by
       – Number of incidents damaging the organization’s reputation with the public
       – Number of systems where security requirements are not met
       – Number of violations in segregation of duties
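The DS5.3 requirements and the DS5 measures on the two slides above, worked as an auditor's reconciliation test; this is an added example, not code from the OIAC slides. It checks a constructed central identity repository against approved access requests (requested by user management, approved by that system's owner, implemented by the security-responsible person) and returns the findings plus the two counts the slide says the process is measured by. All account names, the owner/manager names, the conflicting-right pairs and the "system:right" entitlement format are assumptions made for the example.

```python
# Added example, not from the OIAC slides: an auditor's reconciliation test for
# COBIT 4.1 DS5.3 Identity Management over a central identity repository.
# All identities, rights and the "system:right" entitlement format are constructed.
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    user_id: str
    person: str          # natural person from the HR record ("" if none)
    hr_status: str       # "active" or "terminated"
    rights: frozenset    # entitlements actually implemented, as "system:right"

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    right: str
    requested_by: str    # user management (the user's manager)
    approved_by: str     # must be the owner of the system the right belongs to
    implemented_by: str  # security-responsible person

def audit_identities(identities, requests, system_owner, sod_conflicts):
    """Return (findings per DS5.3 criterion, the counts DS5 'is measured by')."""
    findings = defaultdict(list)
    # DS5.3: all users uniquely identifiable. An account with no person behind
    # it, or one person behind several accounts, is a finding.
    accounts_per_person = Counter(i.person for i in identities if i.person)
    for ident in identities:
        if not ident.person:
            findings["unattributed_account"].append(ident.user_id)
        elif accounts_per_person[ident.person] > 1:
            findings["duplicate_identity"].append(ident.user_id)
    # A right is approved only when the whole chain is present: requested by
    # management, approved by that system's owner, implemented by security.
    approved = {(r.user_id, r.right) for r in requests
                if r.requested_by and r.implemented_by
                and r.approved_by == system_owner.get(r.right.split(":")[0])}
    for ident in identities:
        if ident.hr_status == "terminated" and ident.rights:
            # De-provisioning: a leaver must hold no rights at all.
            findings["not_deprovisioned"] += [(ident.user_id, r) for r in sorted(ident.rights)]
            continue
        # Access in line with documented business need: every implemented
        # right must trace back to an approved request.
        for right in sorted(ident.rights):
            if (ident.user_id, right) not in approved:
                findings["unapproved_right"].append((ident.user_id, right))
        # Segregation of duties: no account may hold a conflicting pair.
        for conflict in sod_conflicts:
            if conflict <= ident.rights:
                findings["sod_violation"].append((ident.user_id, tuple(sorted(conflict))))
    # Measures from the DS5 slide: SoD violations and systems not meeting requirements.
    flagged = (findings["not_deprovisioned"] + findings["unapproved_right"]
               + [(u, r) for u, pair in findings["sod_violation"] for r in pair])
    metrics = {"sod_violations": len(findings["sod_violation"]),
               "systems_not_meeting_requirements": len({r.split(":")[0] for _, r in flagged})}
    return dict(findings), metrics

def run_example():
    """Run the test over constructed sample data; returns (findings, metrics)."""
    system_owner = {"payroll": "owner.payroll", "finance": "owner.finance"}
    sod_conflicts = [frozenset({"payroll:enter", "payroll:approve"}),
                     frozenset({"finance:post", "finance:approve"})]
    identities = [
        Identity("alice", "Alice A.", "active", frozenset({"payroll:enter"})),
        Identity("bob", "Bob B.", "active", frozenset({"payroll:enter", "payroll:approve"})),
        Identity("carol", "Carol C.", "active", frozenset({"finance:post"})),
        Identity("dave", "Dave D.", "terminated", frozenset({"finance:read"})),
        Identity("svc_batch", "", "active", frozenset()),          # no person attached
        Identity("erin", "Erin E.", "active", frozenset({"finance:read"})),
        Identity("erin2", "Erin E.", "active", frozenset()),       # second account, same person
    ]
    requests = [
        AccessRequest("alice", "payroll:enter", "mgr.hr", "owner.payroll", "sec.admin"),
        AccessRequest("bob", "payroll:enter", "mgr.hr", "owner.payroll", "sec.admin"),
        AccessRequest("bob", "payroll:approve", "mgr.hr", "owner.payroll", "sec.admin"),
        AccessRequest("carol", "finance:post", "mgr.fin", "mgr.fin", "sec.admin"),  # manager, not owner
        AccessRequest("erin", "finance:read", "mgr.fin", "owner.finance", "sec.admin"),
    ]
    return audit_identities(identities, requests, system_owner, sod_conflicts)
```

Only alice passes every criterion; bob's fully approved pair is still a segregation-of-duties finding, which is why the slide measures SoD separately from approval.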
  51. How to Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria)
     DS5 Ensure Systems Security – Management of the process of “Ensure systems security” that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
     • 0 Non-existent when: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process.
     • 1 Initial/Ad Hoc when: The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable.
     • 2 Repeatable but Intuitive when: Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain.
     • 3 Defined when: Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
     • 4 Managed and Measurable when: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
     • 5 Optimized when: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….
  52. COBIT 4.01 Standards to NIST Mapping – Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
  53. NIST 800-53, Revision 1 Standards – Terminology and Application
  54. Audit Program Development Life-Cycle
  55. COBIT Mappings – others besides NIST are currently posted at www.isaca.org/downloads:
     • Aligning COBIT, ITIL and ISO 17799 for Business Benefit
     • COBIT® Mapping: Mapping of CMMI for Development
     • COBIT® Mapping: Mapping of ISO/IEC 17799:2000
     • COBIT® Mapping: Mapping of ISO/IEC 17799:2005
     • COBIT® Mapping: Mapping of ITIL
     • COBIT® Mapping: Mapping of PMBOK
     • COBIT® Mapping: Mapping of PRINCE2
     • COBIT® Mapping: Mapping of SEI’s CMM for Software
     • COBIT® Mapping: Mapping of TOGAF 8.1
     • COBIT® Mapping: Overview of International IT Guidance