Information systems audit and control


  • (This slide is for the benefit of those non-ISACA members who might not be familiar with the Association, the Foundation and what they do. It should be shown as an overview even if all in attendance are ISACA members.) The Information Systems Audit and Control Association (ISACA) is a leading information technology organization representing nearly 100 countries and comprising all levels of IT professionals from senior executives to staff. ISACA has expanded its depth and coverage to assume the role of the harmonizing source for IT control practices and standards around the world. Among its many products and services are: Certification (the Certified Information Systems Auditor (CISA) program); Continuing Education (global conferences and seminars); Technical Publications (the award-winning IS Audit & Control Journal and bookstore products); and Research (the Foundation sponsors and conducts research to further the knowledge base available to the IT and business communities). The Foundation sponsored COBIT! How many are members of ISACA?
  • Let’s review control responsibilities.
  • Note to instructor: Ask the participants to provide examples of how these three points relate: IT Resources that support IT Processes within the organisation, complying with Business requirements.
  • Visual representation of a comparison of the need for usable information using the previous slides. Note to instructor: Use this diagram to ask attendees to think of their own organisation and about the numerous times systems are developed or changed and the user is not satisfied. Then ask them to think about where the breakdown may occur and note whether there is a pattern.
  • The conceptual framework can be approached from three vantage points: IT resources, business criteria for information and IT processes. These different views allow the framework to be accessed efficiently. For example, enterprise managers may want to look with a quality, security or fiduciary interest (translated by the framework into seven specific information criteria). An IT manager might like to consider IT resources for which he or she is accountable. Process owners, IT specialists, and users may have a specific interest in particular processes. Auditors may wish to approach the framework from a control coverage point of view.
  • See Control Objectives: pp. 10-25, p. 26, pp. 56-73, and then the MWRA (A) case study. Left page: copy of high-level control objectives from the framework. Right page: detailed control objectives relating to the process being developed.
  • Acquisition and Implementation has 6 processes. Here the subject is the development of specific systems. User management could (should?) take the lead in the acquisition and implementation of applications to ensure that the system meets business objectives. However, the user must be guided by the IT specialists to see that: the product fits into the existing IT architecture (if it doesn't, additional costs will be absorbed for modifications, maintenance, and support); controls are built in rather than added on after the fact; control procedures include, as appropriate, backup processes and disaster recovery/business resumption planning; and the contract specifies such items as testing, non-disclosure of confidential information, penalties for non-performance, and procedures for vendor access that do not violate existing security procedures, such as firewalls.

    1. Part 1
    2. Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts, USA; Adjunct faculty at Bentley College; Member of CobiT Steering Committee; Member of Governor's Task Force on E-Commerce and Enterprise Security Board, Massachusetts; served as member of Y2K Coordinating Council, Commonwealth of Massachusetts; 1994-1995 International President of ISACA/F; served as member of Governor's Commission on Computer Crime and Governor's Commission on Computer Technology and Law; e-mail:
    3. What is CobiT? What is the CobiT Framework? What is the Control Objectives document? Who should use CobiT? How can auditors effectively use CobiT? How does one become familiar with CobiT and learn to use it effectively?
    4. CobiT's Background and Authoritative Nature; CobiT Framework and its components; High-Level & Detailed Control Objectives; Audit Guidelines and Using CobiT.
    5. Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors. Structured and organized to provide a powerful control model.
    6. CobiT is designed to be the break-through IT governance tool that helps in the understanding and managing of risks and benefits associated with information and related IT.
    7. COBIT: Control OBjectives for Information and related Technology.
    8. Right information, to only the right party, at the right time. Information that is relevant, reliable and secure. Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
    9. Information Systems Audit and Control Association/Foundation: the leading global professional IT control organization, focused on audit, control and security issues. The Association works closely with its more than 150 chapters in 100 countries. Provides services and programs designed to promote and establish excellence in IT governance and audit. Research conducted through Foundation projects is selected to help members and the profession keep pace with the ever-changing IT and business environment.
    10. IT Governance Institute: formed by ISACA and ISACF in 1998 to advance the understanding and adoption of IT governance principles.
    11. A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.
    12. IT Governance Objectives: IT is aligned with the business and enables the business to maximize benefit; IT resources are safeguarded and used in a responsible and ethical manner; IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure.
    13. CobiT grew from an initiative to update EDPAA's Control Objectives in 1992. New focus expanded to include managerial and user needs regarding IT control and governance; global perspective added; CobiT Steering Committee appointed; IT control framework developed; the framework became COBIT. CobiT was first published in April 1996.
    14. CobiT implementation monitored and evaluated by ISACA and the CobiT Steering Committee. CobiT enhancements developed, 1997. CobiT, 2nd edition, published in April 1998. CobiT enhancements and development of Management Guidelines, 1999-2000. CobiT, 3rd edition, and Management Guidelines were published in July 2000.
    15. Executive Summary -- Senior Executives (CEO, COO, CFO, CIO). Framework -- Senior Operational Management (Directors of IS and Audit/Controls). Control Objectives -- Middle Management (mid-level IS and IS Audit/Controls managers). Audit Guidelines -- the Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor). Implementation Tool Set -- any of the above. Management Guidelines -- Management and Audit.
    16. The need for better operational controls. Technology that makes new business processes possible may come with a loss of control. Demand for increased effectiveness and efficiency. The importance of technology. The need to hold officers and senior management accountable and strengthen governance.
    17. Dashboard: How do responsible managers keep the ship on course? Scorecard: How do we achieve satisfactory results for our stakeholders? Benchmarking: How do we adapt in a timely manner to trends, developments, and "best practices" for our organization's environment?
    18. If you use computer-generated information in decision-making or for audit evidence, you need to assess its reliability. If you are the holder of computer-generated information, you must exercise appropriate and defendable controls to safeguard that information, or evidence.
    19. Increasing dependence on information and the systems that deliver the information. Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare. Scale and cost of the current and future investments in information and information systems. Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs.
    20. Timeline diagram. 1980s: glass-house, secure buildings, data centres, hard to implement. 1990s: managed networks, network business integration. 21st Century: cyberspace, streetwise users, virtual value chain, e-commerce, extended enterprise, with open questions ("?") about what follows. Axis labels: unpredictable and fast; unstructured and innovative.
    21. CobiT's Scope and Overall Objectives
    22. CobiT focuses on information having integrity and being secure and available. At the highest level, it focuses on the importance of information to the long-term success of the organization.
    23. For Information System Services functions, CobiT can be applied from single-point IT operations to across the enterprise. For application systems, CobiT can be applied from a single application-based system to enterprise-based systems.
    24. CobiT is management oriented; supports corporate and IT governance; serves as excellent criteria for evaluation and a basis for audit planning.
    25. Addresses key attributes of information produced by IT. Links recommended control practices for IT to business and control objectives. Provides guidance in implementing and evaluating the appropriateness of IT-related control practices.
    26. As a control model, CobiT should be tailored to organizational, platform and system standards. Use CobiT as the structure to which you link organization-specific operational and control requirements, policies, and standards.
    27. Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing: management with generally applicable and accepted standards for good practice for IT control and governance; users with a solid base upon which to manage IT and obtain assurance; auditors with excellent criteria for review/audit work.
    28. Standards used to determine whether something meets expectations. The basis upon which one measures or compares something. Need to be generally accepted, recognized, understandable, and defendable. Need to be authoritative.
    29. CobiT as an Authoritative Source
    30. CobiT is an Authoritative Source: built on a sound framework of control and IT-related control practices; aligned with de jure and de facto standards and regulations; 41 international standards from around the world were used to identify IT-related control objectives and control practices.
    31. CobiT Sources: professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.); technical standards (ISO, EDIFACT, etc.); codes of conduct; qualification criteria for IT systems and processes (ISO 9000, ITSEC, TCSEC, etc.); industry practices and requirements from industry forums (ESF, I4); emerging industry-specific requirements from banking, e-com, IT manufacturing.
    32. Based on a Strong Foundation and Sound Principles of Internal Control
    33. What is Internal Control? How it is defined impacts its design, exercise, and evaluation.
    34. Purpose of Internal Control: designed to keep an organization on course toward achievement of its mission, minimizing surprises along the way. Assists in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth. Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.
    35. The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur. Controls reduce or eliminate the risk of exposures, or the exposures themselves.
    36. Internal Control: controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).
    37. Goals of Internal Control: "keep things in check"; adhering to the rules of the road; reduce risk; based upon "best practices"; proof the rules have been followed; provide assurance that operations are according to standard; keep those blasted auditors happy.
    38. Building CobiT's Definition of Internal Control
    39. Control (as defined by COSO): Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: efficiency and effectiveness of operations; reliability of financial reporting; compliance with applicable laws and regulations. Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.
    40. Control (as defined by COBIT): the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Source: COBIT Control Objectives, p. 12.
    41. IT Control Objective: a statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
    42. CobiT supports all fundamental Internal Control requirements.
    43. Internal Control Requirements: systemization; documentation; standards, defined expectations; measurement; appropriate risk assessment.
    44. Internal Control Requirements: well-defined operational and control objectives; appropriate controls; competent and trustworthy people; monitoring & evaluation.
    45. Evaluation cycle (diagram): observe the actual state of the system (observations); document the actual state of the system (documentation); evaluate the system against goals and plans, i.e. the desired state of the system (evaluation); recommend changes to the system (recommendations). Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p. 214.
    46. Internal Control Review (diagram): gain understanding; observe the process & controls (observations); document the process & controls (AWP & work papers); test & evaluate the process & controls and draw conclusions, using goals and plans as CRITERIA via CobiT; recommend changes if needed (recommendations); report.
    47. Control Principles: controls should be considered as "built in" rather than "added on". Controls need to support control objectives that are tied to business objectives. In order to support monitoring and evaluation, controls need to be testable and auditable. Controls need to be cost effective.
    48. Value of Internal Control: often the value of internal control is only recognized by the results of not having adequate control in place. Control objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events.
    49. Control Models: structured or organized to present a control framework relative to control objectives and respective internal controls or control practices; provide statements of responsibilities for control; provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control; require that controls be monitored and evaluated.
    50. To be of value, a control model should be: based on sound principles; applicable & flexible in application; comprehensible; subject to having "staying power".
    51. Impact of Technology on Control: operational and control objectives change little; some technology-specific control objectives change; there is a significant impact on the "mix" of controls used to address the control objectives; technology can facilitate achieving control objectives.
    52. Impact of Technology on Audit: has provided us with some tools to increase audit effectiveness and efficiency; has allowed us to rethink post and pre-emptive or on-going audit techniques; has provided opportunities to facilitate achieving control objectives.
    53. Relation to Other Control Models: CobiT is in alignment with other control models: COSO, COCO, Cadbury, King.
    54. What is COSO? Published in 1992 by the Committee Of Sponsoring Organizations of the Treadway Commission: American Institute of CPAs; American Accounting Association; Institute of Internal Auditors; Institute of Management Accountants; Financial Executives Institute.
    55. Components of COSO: Control Environment; Risk Assessment; Control Activities; Information and Communication; Monitoring.
    56. Checkmarks on COSO Slides: the red checkmarks on the following slides indicate that the CobiT control model includes the same or extremely similar statements.
    57. Components of COSO -- Control Environment: tone of the organization; control awareness of people; integrity, ethical values and competence; management philosophy and operating style; assignment of authority and responsibility; attention and direction provided by the board of directors.
    58. Understanding the Control Environment: understanding the information system, supporting technology, and the organization; documenting the business operations and the IT environment; identifying the key operational and control objectives; identifying and evaluating the appropriateness of internal controls.
    59. Components of COSO -- Risk Assessment: established objectives; identify and analyze risks to achievement of objectives; manage risks; identify special risks associated with change (economic, regulatory, operating).
    60. Components of COSO -- Control Activities: policies and procedures that help ensure management directives are carried out; actions taken to address risks; carried out at all levels; includes approvals, authorizations, verifications, reconciliation, reviews of operating performance, security of assets.
    61. Components of COSO -- Information and Communication: pertinent information enables individuals to carry out their responsibilities; information must be identified, captured and communicated; internal and external information necessary for informed decision-making.
    62. Components of COSO -- Monitoring: assess the quality of the internal control system's performance; ongoing monitoring and separate evaluations.
    63. Internal Control Roles and Responsibilities by COSO & CobiT. Internal Auditors: evaluate effectiveness of control systems; play a significant monitoring role. Other Personnel: internal control is everyone's responsibility; most employees produce information used in internal control systems; most employees take actions needed to effect control.
    64. Control Responsibilities. Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met. Users -- exercise controls. Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
    65. CobiT assists in evaluating the appropriateness of controls; assists in identifying desired states of systems and processes; assists in identifying what to look for when observing system operations; provides a working control model for IT-related control objectives.
    66. The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices
    67. CobiT Framework
    68. CobiT Framework: documents relationships among information criteria, IT resources, and IT processes; links control objectives and control practices to business processes and business objectives; assists in confirming that appropriate IT processes are in place; facilitates discussion.
    69. CobiT Framework facilitates the understanding of the: relationship of controls to control objectives; importance of focusing on control objectives and their relationship to the business organization and its business processes; and value of managed processes and resources tied to strategic initiatives.
    70. COBIT's Focus on Process and Objectives (table). Business (organization): retail merchandising (Walmart, etc.). Objectives/Requirements: ROI, market share, customer loyalty (right product, time, price). Business Processes (to meet objectives): order fulfillment (OE/S, inventory, purchasing). Information Required (for processes): data availability and reliability. IT Resources (to provide information): data, application systems, people. IT Processes (to manage & control resources): Planning & Organization, Delivery & Support.
    71. Framework's Three Components: Business Requirements for Information; IT Resources; IT Processes.
    72. "Business Requirements for Information": to support business processes and satisfy business objectives, information needs to conform to certain criteria. COBIT calls these criteria "business requirements for information."
    73. Sources of Information Criteria. Quality Requirements: quality, cost, delivery (better, cheaper, faster). Fiduciary Requirements (COSO Report): effectiveness and efficiency of operations; reliability of financial reporting; compliance with laws and regulations. Security Requirements: confidentiality, integrity, availability.
    74. Promotes a Healthy, Constructive Focus on Information Criteria. Viewing information as being: relevant and reliable; delivered in a timely, correct, consistent, usable and complete manner; accurate, complete and valid; provided through an optimal use of resources; protected against unauthorized use, manipulation or disclosure; available when required; in compliance with legal and contractual obligations.
    75. Information Criteria -- The 1st Component: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability of Information.
    76. Information Criteria -- The 1st Component. Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner. Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources. See Framework, p. 14.
    77. Information Criteria -- The 1st Component. Confidentiality: concerns the protection of sensitive information from unauthorized disclosure. Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations. See Control Objectives, p. 14.
    78. Information Criteria -- The 1st Component. Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities. Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria. See Framework, p. 15.
    79. Information Criteria -- The 1st Component. Reliability of Information: relates to the provision of appropriate information for management to operate the entity, for management in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations. See Framework, p. 13.
    80. IT Resources -- The 2nd Component: Data; Application Systems; Technology; Facilities; People.
    81. IT Resources -- The 2nd Component. Data: objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc. Application Systems: application systems are understood to be the sum of manual and programmed procedures. See Control Objectives, page 14.
    82. IT Resources -- The 2nd Component. Technology: hardware, operating systems, database management, networking, multimedia, etc. Facilities: resources to house and support information systems. People: include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services. See Control Objectives, page 14.
    83. Information Processes (3rd component). Domains (4): natural grouping of processes, often matching an organizational domain of responsibility. Processes (34): a series of joined tasks & activities with natural (control) breaks. Tasks & Activities (318): actions needed to achieve a measurable result; activities have a life-cycle whereas tasks are discrete. See Framework, p. 16.
    84. COBIT Domains: Information Processes (3rd Component): Planning/Organization; Acquisition/Implementation; Delivery/Support; Monitoring.
    85. How do they relate? (table) IT Resources: data, information systems, technology, facilities, human resources. IT Processes: planning and organisation; acquisition and implementation; delivery and support; monitoring. Business Requirements: effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability.
    86. IT Resource Management: CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with the type and quality, and availability and security, of information needed to achieve organizational objectives.
    87. Framework (diagram): business processes need information ("what you need"); IT resources (data, application systems, technology, facilities, people) deliver information ("what you get"); do they match? Information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability.
    88. COBIT's Waterfall and Navigation Aids (diagram): the four domains (Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring) are mapped against the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), marked P (primary) or S (secondary), and against the IT resources (data, application systems, technology, facilities, people). Waterfall statement: the control of IT Processes which satisfy Business Requirements is enabled by Control Statements and considers Control Practices.
    89. Process/Criteria Relationships. Primary: the degree to which the defined control objective directly impacts the information requirement concerned. Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned. Blank: could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or another process. Checkmark = IT Resource is managed by this process. See Control Objectives, page 17.
    90. The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process: the control of IT Processes which satisfy Business Requirements is enabled by Control Statements considering Control Practices. See Framework, p. 18.
    91. CobiT cube (diagram, by Gustavo Solis): Resources (data, application systems, technology, facilities, people) by Requirements (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) by Domains/processes (Planning and Organisation, Acquisition and Implementation, Delivery and Support, Monitoring). Example: the planning process must consider data integrity requirements.
    92. 92. Executive Summary Executive Overview States the case for control Introduces the concepts of the COBIT Framework -- Setting the Scene Provides working Definitions The Framework’s Principles Introduces the Domains and Processes Relationships Among Principles, Domains, and Processes 92
    93. 93. The Framework Executive Overview (again) The COBIT Framework -- Setting the Scene The Framework’s Principles – Criteria, Resources and Processes Guide to Using the Framework --Navigation Aids Summary Table High Level Control Objectives (Processes) 93
    94. 94. ControlObjectives 94
    95. 95. Control Objectives, 3rd Edition 148 pages Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity Assists in establishing clear policy and good practice for IT control 95
    96. 96. Control Objectives Contains:Executive Summary and FrameworkSummary Table (page 20)Title Headers for Domains, Processes and ControlObjectives (pages 23-27)High-Level Control Objectives and managementcontrol practices by Domain (pages 31-134)IT Governance Management Guideline and MaturityModel (pages137-140)CobiT Project Description (page 141)Primary Reference Materials (pages 142-143)Glossary of Terms & Index (pages 144-148) 96
    97. 97. Planning and Organization Domain 11 High-level Control Objectives 100 Detailed Control Objectives (IT-related management control practices ) 170+ Control Tasks and Activities. 97
    98. 98. Planning and Organization Develop strategy and tactical plans for IT Identify ways that IT can best contribute to the achievement of business objectives Plan, communicate, and manage the realization of the strategic vision Establish the IT organization and set the stage for information management and the technology infrastructureSee Control Objectives, p. 32. 98
    99. 99. Planning and Organization Domain PO 1 Define a Strategic Information Technology Plan PO 2 Define the Information Architecture PO 3 Determine the Technological Direction PO 4 Define the IT Organization and Relationships PO 5 Manage the Investment in Information Technology PO 6 Communicate Management Aims and Directions . 99
    100. 100. Planning and Organization Domain PO 7 Manage Human Resources PO 8 Ensure Compliance with External Requirements PO 9 Assess Risks PO 10 Manage Projects PO 11 Manage Quality . 100
101. PO 1 Define a Strategic Information Technology Plan
To take advantage of information technology opportunities and address IT business requirements, a process for developing a strategic plan for the organization's IT resources should be adopted, and the IT strategic plan should be converted into short-term tactical plans.
102. Linking the Processes to Control Objectives
Control over the IT process of defining a strategic IT plan (PO 1) that satisfies the business requirement to strike an optimum balance of IT opportunities and IT business requirements, as well as ensuring its further accomplishment, is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans. The long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals, and take into consideration:
• definition of the business objectives and needs for IT
• inventory of technological solutions and current infrastructure
• "technology watch" services
• organisation changes
• timely feasibility studies
• existing systems assessments
103. PO 1 Define a Strategic Information Technology Plan
Reference: page 32 of Control Objectives. Eight detailed control objectives:
• IT as part of long-range goals
• IT long-range plan
• Contents of the IT plan (planning approach and structure)
• Modification of the IT long-range plan
• IT tactical (short-range) plan development
• Communication of IT plans
• Monitoring and evaluation of IT plans
• Assessing existing systems
104. PO 2 Define the Information Architecture
To ensure that the organization's information is consistent with needs and enables people to carry out their responsibilities effectively and on a timely basis, an information architecture model, encompassing the corporate data model and the associated information systems, should be created and regularly updated.
105. PO 2 Define the Information Architecture
• Information architecture model
• Corporate data dictionary and data syntax rules
• Data classification scheme: security categories, ownership, access rules
• Maintain security levels for each data classification
106. PO 3 Determine the Technological Direction
To ensure sufficient technology to perform the IS function and to take advantage of emerging technology, the information services function should create and regularly update a technological infrastructure plan that encompasses the systems architecture, technological direction and migration strategies.
107. PO 3 Determine the Technological Direction
• Technological infrastructure planning
• Monitor future trends and regulations
• Assess infrastructure for contingency aspects
• Hardware and software acquisition plans
• Define technology standards
108. PO 4 Define the IT Organization and Relationships
To ensure that IT services are delivered in an efficient and effective manner, there must be: adequate internal and external IT staff; administrative policies and procedures for all functions (with specific attention to organizational placement, roles and responsibilities, and segregation of duties); and an IS steering committee to determine prioritization of resource use.
109. PO 5 Manage the Investment in Information Technology
To ensure adequate funding for IT, controlled disbursement of financial resources, and effective and efficient utilization of IT resources, IT resources must be managed through the use of information services capital and operating budgets, by justifying IT expenditures, and by monitoring costs (in light of risks).
110. PO 6 Communicate Management Aims and Direction
To ensure the overall effectiveness of the IS function, IS management must establish direction and related policies addressing such aspects as a positive control environment throughout the organization, a code of conduct/ethics, quality, and security. The policies must then be communicated (internally and externally) to obtain commitment and compliance.
111. PO 7 Manage Human Resources
IT personnel resources must be managed so as to maximize their contributions to the IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, backup, performance evaluation, job change, and termination.
112. PO 8 Ensure Compliance with External Requirements
To avoid fines, sanctions, and loss of business, the organization must maintain procedures to ensure awareness of and compliance with industry, regulatory, legal, and contractual obligations. IT-related requirements include safety, privacy, transborder data flows, electronic commerce, and insurance contracts.
113. PO 9 Assess Risks
To ensure the achievement of IT objectives in support of business objectives, and to respond to threats to the provision of IT services, management should establish a risk assessment framework including risk identification, risk measurement, a risk action plan, and the formal acceptance and communication of the residual risk.
114. PO 9 Assess Risks (continued)
• Cornerstone high-level control objective for developing and maintaining an appropriate system of internal control
• Includes business risk assessment, risk assessment approach, identification of risk, risk measurement, and action plan
• Understanding and acceptance of residual risk
115. PO 10 Manage Projects
To ensure that projects are completed on time, within budget, and are undertaken in order of importance, management must establish a project management framework to ensure that project selection is in line with plans and that a project management methodology is applied to each project undertaken.
116. PO 11 Manage Quality
To ensure that customer requirements are met, senior management should establish a quality assurance (QA) plan and implement related activities, including reviews, audits, and inspections, to ensure the attainment of IT customer requirements. A systems development life cycle (SDLC) methodology is an essential component of the QA plan.
117. Acquisition and Implementation Domain
• 6 High-level Control Objectives
• 68 Detailed Control Objectives (IT-related management control practices)
• 100+ Control Tasks and Activities
118. Acquisition and Implementation
IT solutions are:
• Identified
• Developed or acquired
• Implemented
• Integrated into the business processes
Existing systems are changed and maintained.
See Framework, p. 17.
119. Acquisition and Implementation Domain
• AI 1 Identify Automated Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire and Maintain Technology Infrastructure
• AI 4 Develop and Maintain IT Procedures
• AI 5 Install and Accredit Systems
• AI 6 Manage Changes
120. AI 1 Identify Automated Solutions
The SDLC should have procedures to:
• define information requirements
• formulate alternative courses of action
• perform technological feasibility studies
• perform economic feasibility studies
• assess risks
121. AI 2 Acquire and Maintain Application Software
The SDLC should have procedures to:
• create design specifications for new, or significantly modified, application systems
• verify those specifications against the user requirements
• ensure specifications are developed with system users and approved by management and user departments
122. AI 3 Acquire and Maintain Technology Infrastructure
To ensure that platforms (hardware and systems software) support business applications, the organization's SDLC should provide for an assessment of the impact of new hardware and software on the performance of the overall system. In addition, procedures should be in place to ensure that hardware and systems software are installed, maintained, and changed so as to continue to support business applications.
123. AI 4 Develop and Maintain IT Procedures
To ensure the ongoing, effective use of IT, the organization's SDLC should provide for the preparation and maintenance of service level requirements, training materials, and operating (user and operations) manuals.
124. AI 5 Install and Accredit Systems
• The SDLC should provide for a planned, tested, controlled, and approved conversion to the new system.
• After installation, the SDLC should call for a post-implementation review to determine that the new system has met users' needs in a cost-effective manner.
125. AI 6 Manage Changes
To ensure processing integrity between versions of systems and consistency of results from period to period, changes to the IT infrastructure must be managed via change request, impact assessment, documentation, authorization, and release and distribution policies and procedures.
126. Delivery and Support Domain
• 13 High-level Control Objectives
• 126 Detailed Control Objectives (IT-related management control practices)
• 190+ Control Tasks and Activities
127. Delivery and Support
• Deliver required services
• Ensure security and continuity of services
• Set up support processes, including training
• Process data (including "application" controls)
See Control Objectives, p. 90.
128. Delivery and Support Domain
• DS 1 Define Service Levels
• DS 2 Manage Third-Party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure Systems Security
• DS 6 Identify and Allocate Costs
• DS 7 Educate and Train Users
129. Delivery and Support Domain (continued)
• DS 8 Assist and Advise IT Customers
• DS 9 Manage the Configuration
• DS 10 Manage Problems and Incidents
• DS 11 Manage Data
• DS 12 Manage Facilities
• DS 13 Manage Operations
130. DS 1 Define Service Levels
To ensure that IT services continue to satisfy organizational requirements, senior management should establish a framework for reaching explicit agreements on the minimal acceptable levels of quantity and quality of IT services delivered by internal and external IT resources, and then measure IT performance against these agreements.
131. DS 2 Manage Third-Party Services
To ensure that IT services delivered by third parties continue to satisfy organizational requirements, management should establish a process to identify, manage and monitor non-entity IT resources. Formal third-party contracts should address many of the same items contained in service level agreements (see DS 1).
132. DS 3 Manage Performance and Capacity
To ensure that sufficient capacity of IT resources remains available for optimal use to satisfy organizational requirements, management should establish a process to monitor the capacity and performance of all IT resources. The capacity of all IT resources must be determined and managed, and resource modifications (increases or decreases) planned for.
133. DS 4 Ensure Continuous Service
To ensure that sufficient IT resources continue to be available for use in the event of a service disruption, management should establish a process, coordinated with the overall business continuity strategy, that includes disaster recovery/contingency planning for all IT resources and related business resources, both internal and external.
134. DS 4 Ensure Continuous Service (continued)
Example of including additional guidelines: the ISACA publication "Control Practices Guideline for Information Systems Continuity Planning" (July 1995) calls for an evaluation of continuity requirements:
• criticality assessment
• risk assessment
• impact assessment
135. DS 4 Ensure Continuous Service (continued)
The Control Practices Guideline for Information Systems Continuity Planning also calls for:
• Continuity plan
• Risk management
• Maintaining a viable continuity plan: testing the continuity plan, maintenance of the plan, communication and training
136. DS 5 Ensure Systems Security
To ensure that organizational information is not subjected to unauthorized use, disclosure, modification, damage, or loss, management should implement logical access controls to restrict access to systems, data, and programs to authorized users only. This objective addresses logical, as opposed to physical, security issues (physical and environmental controls fall under DS 12).
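The PO 2 data classification scheme (security categories, ownership, access rules) is what gives a DS 5 logical access control something concrete to enforce. The following Python is an added example written for this page, not code from ISACA or the COBIT publications; the LEVELS ordering, the asset, role and user names, and the sample data are constructed assumptions. It denies by default, grants only when both the principal's clearance and the data owner's access rule allow the action, logs every decision, and includes the check an auditor would run for classified assets that have no owner or a category outside the scheme.

```python
"""Added example (not from the ISACA deck): logical access control driven
by a PO 2 style data classification scheme, enforced as DS 5 describes.
Levels, assets, roles and users below are constructed for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Security categories in increasing order of sensitivity; a clearance at
# one level covers every lower level (constructed scheme).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class DataAsset:
    name: str
    category: str              # security category from the scheme
    owner: str                 # accountable data owner; "" means unassigned
    readers: FrozenSet[str]    # owner's access rule: roles allowed to read
    writers: FrozenSet[str]    # owner's access rule: roles allowed to modify


@dataclass(frozen=True)
class Principal:
    user: str
    roles: FrozenSet[str]
    clearance: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


AUDIT_LOG: List[str] = []   # every decision is recorded for DS 5 monitoring


def check_access(p: Principal, asset: DataAsset, action: str) -> Decision:
    """Deny by default: allow only when the clearance covers the asset's
    category AND one of the principal's roles is in the owner's rule."""
    if action not in ("read", "write"):
        d = Decision(False, f"unknown action {action!r}")
    elif asset.category not in LEVELS:
        d = Decision(False, f"asset {asset.name} has an undefined category")
    elif LEVELS.get(p.clearance, -1) < LEVELS[asset.category]:
        d = Decision(False, f"clearance {p.clearance} below {asset.category}")
    elif not (p.roles & (asset.readers if action == "read" else asset.writers)):
        d = Decision(False, "no role in the owner's access rule")
    else:
        d = Decision(True, "clearance and access rule satisfied")
    AUDIT_LOG.append(f"{'ALLOW' if d.allowed else 'DENY'} {p.user} {action} "
                     f"{asset.name}: {d.reason}")
    return d


def classification_gaps(assets) -> List[str]:
    """Audit check: assets with no owner or a category outside the scheme
    cannot be protected by the rule above and must be reported."""
    return sorted(a.name for a in assets
                  if not a.owner or a.category not in LEVELS)


# Constructed sample data.
PAYROLL = DataAsset("payroll", "confidential", "hr-director",
                    readers=frozenset({"hr", "payroll"}),
                    writers=frozenset({"payroll"}))
PRICE_LIST = DataAsset("price_list", "public", "",            # owner never assigned
                       readers=frozenset({"sales", "hr"}),
                       writers=frozenset({"marketing"}))
LEGACY = DataAsset("legacy_export", "secret", "cio",          # category not in scheme
                   readers=frozenset({"it"}), writers=frozenset())
ASSETS = [PAYROLL, PRICE_LIST, LEGACY]

ALICE = Principal("alice", frozenset({"hr"}), "confidential")
BOB = Principal("bob", frozenset({"payroll"}), "internal")

if __name__ == "__main__":
    check_access(ALICE, PAYROLL, "read")    # ALLOW
    check_access(ALICE, PAYROLL, "write")   # DENY: role not in writers
    check_access(BOB, PAYROLL, "read")      # DENY: clearance too low
    print("\n".join(AUDIT_LOG))
    print("classification gaps:", classification_gaps(ASSETS))
```

The two failure paths matter for an auditor: a principal with the right role but too low a clearance is refused (the scheme wins over the rule), and an asset that has slipped outside the scheme is refused to everyone rather than silently defaulting to open, while classification_gaps surfaces it for the data owner to fix.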
137. DS 6 Identify and Allocate Costs
To ensure that IT resources are delivered in a cost-effective manner and that they are used wisely, information services management should identify the costs of providing IT services and should allocate those costs to the users of those services.
138. DS 7 Educate and Train Users
To ensure that users make effective use of IT, management should identify the training needs of all personnel, internal and external, who make use of the organization's IT resources and services, and should see that timely training sessions are conducted.
139. DS 8 Assist and Advise IT Customers
To utilize IT resources effectively, users often require advice on how to properly use IT resources and may require assistance to overcome problems encountered in using those resources. This assistance is generally delivered via a "help desk" function.
140. DS 9 Manage the Configuration
To ensure that IT assets are not lost, altered, or used without authorization, management should establish a process to account for all IT components, including applications, technology, and facilities, and to prevent unauthorized alterations of assets or use of unauthorized assets.
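DS 9 (account for every component, prevent unauthorized alterations and unauthorized assets) is normally tested together with AI 6 (every change has a request, impact assessment and authorization): drift is only acceptable when an approved change explains it. The following Python is an added example, not part of the ISACA deck, that reconciles an inventory snapshot against the approved baseline and against approved change records; the hosts, file contents, fingerprints and the change number are constructed.

```python
"""Added example (not from the ISACA deck): reconcile a configuration
inventory against its approved baseline (DS 9) and against approved
change records (AI 6). Hosts, file contents and change numbers are
constructed for illustration."""
import hashlib
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    item: str      # configuration item, "host:path"
    kind: str      # "altered" | "unauthorized_asset" | "missing"
    detail: str


def fingerprint(content: str) -> str:
    """Content hash used to detect alteration without storing the content."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed baseline: item -> fingerprint of its approved content.
BASELINE: Dict[str, str] = {
    "web01:/etc/ssh/sshd_config": fingerprint("PermitRootLogin no\nPasswordAuthentication no\n"),
    "web01:/etc/nginx/nginx.conf": fingerprint("worker_processes 4;\n"),
    "db01:/etc/postgresql/pg_hba.conf": fingerprint("hostssl all all 10.0.0.0/8 scram-sha-256\n"),
}

# Constructed snapshot from an inventory run.
CURRENT: Dict[str, str] = {
    "web01:/etc/ssh/sshd_config": fingerprint("PermitRootLogin yes\nPasswordAuthentication no\n"),
    "web01:/etc/nginx/nginx.conf": fingerprint("worker_processes 8;\n"),
    "web02:/etc/nginx/nginx.conf": fingerprint("worker_processes 4;\n"),
}

# Constructed AI 6 change records: change id -> {item: fingerprint of the
# content that change was authorized to produce}.
APPROVED_CHANGES: Dict[str, Dict[str, str]] = {
    "CHG-0042": {"web01:/etc/nginx/nginx.conf": fingerprint("worker_processes 8;\n")},
}


def reconcile(baseline, current, approved_changes) -> List[Finding]:
    """Report drift not explained by an approved change, assets outside the
    baseline, and baseline items that have disappeared."""
    authorized: Dict[str, str] = {}
    for targets in approved_changes.values():
        authorized.update(targets)
    findings: List[Finding] = []
    for item, fp in current.items():
        if item not in baseline:
            findings.append(Finding(item, "unauthorized_asset", "not in baseline"))
        elif fp == baseline[item]:
            continue                       # unchanged
        elif authorized.get(item) == fp:
            continue                       # drift matches an approved change exactly
        else:
            findings.append(Finding(item, "altered",
                                    "content differs; no approved change matches"))
    for item in baseline:
        if item not in current:
            findings.append(Finding(item, "missing", "in baseline, absent from inventory"))
    return sorted(findings)


def roll_baseline_forward(baseline, approved_changes) -> Dict[str, str]:
    """After release (AI 6), the authorized content becomes the new baseline."""
    new = dict(baseline)
    for targets in approved_changes.values():
        new.update(targets)
    return new


if __name__ == "__main__":
    for f in reconcile(BASELINE, CURRENT, APPROVED_CHANGES):
        print(f"{f.kind:<18} {f.item}: {f.detail}")
```

Note that an approved change is matched on the exact content it was authorized to produce, not merely on the item name: a change ticket for nginx.conf does not excuse an arbitrary edit to it. On the constructed data the run reports the sshd_config alteration (no change covers it), web02 as an asset outside the baseline, and the db01 item as missing, while the nginx edit on web01 is accepted because it matches CHG-0042.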
141. DS 10 Manage Problems and Incidents
To ensure that barriers to efficient and effective use of the IT resource are prevented or eliminated and that the IT resource remains available, information services management should implement a system to identify, track, and resolve problems and incidents in a timely manner.
142. DS 11 Manage Data
To ensure that data remains complete, accurate and valid, management should establish a combination of application controls (over the input, processing and output of individual applications) and general controls (over the IT environment in which those applications run).
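The DS 11 objective names the three properties that application controls protect: completeness, accuracy and validity. The following Python is an added example, not from the ISACA deck, that implements classic batch controls over a constructed transaction batch: a record count and a control total for completeness, a hash total on the identifier field for accuracy of transmission, a duplicate check, and field edits for validity. The batch layout, its header fields and its records are assumptions made for the example.

```python
"""Added example (not from the ISACA deck): application controls over a
transaction batch, checking completeness (record count, control total),
accuracy of transmission (hash total on the identifier field) and validity
(field edits). The batch layout and its records are constructed."""
from datetime import date
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

# Constructed batch: header "H" carries the sender's control figures,
# "D" lines are detail records (id|date|amount|currency), "T" is the trailer.
# Record 1624 carries an impossible date that the control totals cannot catch.
BATCH = """H|count=4|total=1250.00|hash=4630
D|1001|2024-03-01|500.00|EUR
D|1002|2024-03-01|250.00|EUR
D|1003|2024-03-02|300.00|EUR
D|1624|2024-02-30|200.00|EUR
T"""

VALID_CURRENCIES = {"EUR", "USD"}


def parse_batch(text: str) -> Tuple[Dict[str, str], List[Dict[str, str]]]:
    header: Dict[str, str] = {}
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        tag, *fields = line.split("|")
        if tag == "H":
            header = dict(kv.split("=", 1) for kv in fields if "=" in kv)
        elif tag == "D" and len(fields) == 4:
            records.append(dict(zip(("id", "date", "amount", "currency"), fields)))
    return header, records


def control_figure(header: Dict[str, str], key: str) -> Decimal:
    """A missing or corrupt control figure must never match by accident."""
    try:
        return Decimal(header.get(key, ""))
    except InvalidOperation:
        return Decimal(-1)


def validate_record(rec: Dict[str, str]) -> List[str]:
    """Validity edits on each field; returns the problems found."""
    problems: List[str] = []
    if not rec["id"].isdigit():
        problems.append("id not numeric")
    try:
        date.fromisoformat(rec["date"])
    except ValueError:
        problems.append(f"invalid date {rec['date']}")
    try:
        if Decimal(rec["amount"]) <= 0:
            problems.append("amount not positive")
    except InvalidOperation:
        problems.append("amount not numeric")
    if rec["currency"] not in VALID_CURRENCIES:
        problems.append(f"unknown currency {rec['currency']}")
    return problems


def check_batch(text: str) -> Dict[str, object]:
    """Run the completeness, accuracy and validity controls; the batch is
    accepted only when every one of them passes."""
    header, records = parse_batch(text)
    ids = [r["id"] for r in records]
    invalid: Dict[str, List[str]] = {}
    for r in records:
        problems = validate_record(r)
        if problems:
            invalid[r["id"]] = problems
    amounts = [Decimal(r["amount"]) for r in records
               if "amount not numeric" not in invalid.get(r["id"], [])]
    result: Dict[str, object] = {
        "count_ok": Decimal(len(records)) == control_figure(header, "count"),
        "total_ok": sum(amounts, Decimal(0)) == control_figure(header, "total"),
        "hash_ok": Decimal(sum(int(i) for i in ids if i.isdigit()))
                   == control_figure(header, "hash"),
        "duplicates": sorted({i for i in ids if ids.count(i) > 1}),
        "invalid": invalid,
    }
    result["accepted"] = bool(result["count_ok"] and result["total_ok"]
                              and result["hash_ok"] and not result["duplicates"]
                              and not result["invalid"])
    return result


if __name__ == "__main__":
    for key, value in check_batch(BATCH).items():
        print(f"{key:<11} {value}")
```

The constructed batch passes all three control totals and is still rejected, because a control total proves that what arrived is what was sent, not that what was sent was valid; the field edits are the only control that catches the 30 February date. Removing a record, by contrast, fails the count, the total and the hash at once.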
143. DS 12 Manage Facilities
To protect the IT facilities against man-made and natural hazards, the organization must install and regularly review suitable environmental and physical controls.
144. DS 13 Manage Operations
To ensure that important IT functions are performed regularly and in an orderly fashion, the information services function should establish and document standard procedures for IT operations.
145. Monitoring Domain
• 4 High-level Control Objectives
• 24 Detailed Control Objectives (IT-related management control practices)
• 51+ Control Tasks and Activities
146. Monitoring Domain
• Regularly assess IT processes for quality and for compliance with control requirements
• Addresses management oversight of the organization's control provisions
• Provides for the audit function
See Control Objectives, p. 126.
147. Monitoring Domain
• M 1 Monitor the Process
• M 2 Assess Internal Control Adequacy
• M 3 Obtain Independent Assurance
• M 4 Provide for Independent Audit
148. M 1 Monitor the Process
To ensure the achievement of IT process objectives, management should establish a system for defining performance indicators, gathering data about all processes, and generating performance reports. Management should review these reports to measure progress toward identified goals.
149. M 2 Assess Internal Control Adequacy
To ensure the achievement of internal control objectives, management should establish a system for monitoring internal controls and for assessing and reporting on their effectiveness on a regular basis.
150. M 3 Obtain Independent Assurance
To increase confidence that IT objectives are being achieved and that controls are in place, and to benefit from advice regarding best practices for IT, independent assurance reviews should be conducted on a regular basis.
151. M 4 Provide for Independent Audit
To increase confidence levels that IT objectives are being achieved and that controls are in place, and to benefit from advice regarding best practices for IT governance, independent audits should be conducted on a regular basis.
152. Summary of the Framework
Business objectives are met by business processes; IT processes manage and control the IT resources that provide the information those business processes need.
• 4 Domains
• 34 Processes / High-Level Control Objectives
• 318 Activities / Detailed Control Objectives
• The Framework can be cut by information criteria, by IT resources, or by IT processes
153. Summary of COBIT to this point
• Defines a framework for reviewing IT.
• Four domains are identified.
• Achievement of each IT process to meet a business objective represents a high-level control objective.
• Identifies the control objectives to be addressed.
• For each of the 34 processes there are up to 30 detailed IT control objectives (IT management control practices).
154. Summary of COBIT to this point (continued)
• The IT control objectives came from 41 primary sources.
• There are navigational tools, including a "waterfall" and a "cube" approach.
• Provides a systematic and logical method for defining and communicating IT control objectives.
• IT control objectives are linked to business processes and objectives.
155. Structure of the Framework
• Domains (4): P&O, A&I, D&S, M
• 34 Processes / High-Level Control Objectives: PO 1.0 to PO 11.0; AI 1.0 to AI 6.0; DS 1.0 to DS 13.0; M 1.0 to M 4.0
• 318 Detailed Control Objectives / Tasks and Activities: PO 1.1 to PO 11.18; AI 1.1 to AI 6.7; DS 1.1 to DS 13.7; M 1.1 to M 4.8
156. The Cube: relationships among components
The three faces of the cube (see Control Objectives, p. 16):
• Information Criteria: Quality, Fiduciary, Security
• IT Resources: Data, Application Systems, Technology, Facilities, People
• IT Processes
157. For Management, CobiT:
• Addresses management's increasing legal responsibility for control
• Expresses required IT control practices in management terms
• Guides IT investment and operational decisions (to balance risk and control)
• Helps management better utilize internal and external auditors
158. For Users, COBIT:
• Provides benchmarks for best practices for IT management and IT control
• Helps obtain assurance for business processes supported by IT
• Strengthens the relationship with IT services
• Helps ensure an adequate level of integrity of information provided by IT systems
159. For Auditors, COBIT:
• Provides good benchmarks or criteria for evaluating IT control
• Focuses on control objectives and controls
• Substantiates opinions to management on internal controls
• Helps auditors and control professionals to be proactive business advisors
160. For us all, CobiT:
• Strengthens the understanding, design, implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives
• Strengthens management's efforts to "ensure" and Audit's efforts to provide "assurance"
161. End of Part 1. Go to Part 2.