
Joburg cobit assurance


  1. Using COBIT 4.1 for Assurance Assignments. Prof. dr. Wim Van Grembergen, University of Antwerp (UA), University of Antwerp Management School (UAMS), IT Alignment and Governance research institute (ITAG)
  2. Agenda
     - COBIT introduction
     - COBIT framework
     - COBIT elements: high-level and detailed Control Objectives; IT control practices; Management Guidelines; Maturity models
     - IT assurance using COBIT
     - IT assurance assignments in practice (templates)
  3. COBIT introduction
  4. COBIT evolution (figure). Evolution axis: Audit, Control, Management, Governance. Timeline: COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4 (2005).
  5. Some key strengths: incorporates major international standards; has become the de facto standard for overall control over IT; starts from business requirements; process oriented. (Figure: COBIT as a best practices repository for IT processes, IT management processes and IT governance processes.)
  6. COBIT and other standards (figure, Gartner Research Note): BS7799 (security) and COBIT (control) at the level of WHAT; ITIL (activities) at the level of HOW.
  7. Who needs an IT Control Framework?
     - Board and Executive: to ensure management follows and implements the strategic direction for IT
     - Management: IT investment decisions; balance risk and control investment; benchmark existing and future IT environment
     - Users: to obtain assurance on security and control of products and services they acquire internally or externally
     - Auditors: to substantiate opinions to management on internal controls; to advise on what minimum controls are necessary
  8. The COBIT framework
  9. COBIT Framework (figure): Business Requirements, IT Processes, IT Resources. “In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”
  10. Business requirements (figure). Quality Requirements: quality, delivery, cost. Security Requirements: confidentiality, integrity, availability. Fiduciary Requirements (COSO Report): effectiveness and efficiency of operations, compliance with laws and regulations, reliability of financial reporting. These map onto the COBIT business requirements: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability of information.
  11. Business requirements
     - effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
     - efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.
     - confidentiality: concerns protection of sensitive information from unauthorized disclosure.
     - integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with the business set of values and expectations.
     - availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
     - compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
     - reliability of information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
  12. Linking business goals – IT goals – IT processes (figure): the business goal “Maintain enterprise reputation and leadership” drives the IT goal “Ensure IT services can resist and recover from attacks”, which drives the process goal “Understanding security requirements, vulnerabilities and threats”.
  13. (figure only)
  14. (figure only)
  15. IT processes (figure): Business Requirements, IT Processes, IT Resources.
     - Domains: natural grouping of processes, often matching an organisational domain of responsibility.
     - Processes: a series of joined activities with natural control breaks.
     - Activities or tasks: actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
  16. COBIT IT Processes: Planning and Organisation
     - PO1. Define a strategic IT plan
     - PO2. Define the information architecture
     - PO3. Determine technological direction
     - PO4. Define the IT processes, organization and relationships
     - PO5. Manage the IT investment
     - PO6. Communicate management aims and direction
     - PO7. Manage IT human resources
     - PO8. Manage quality
     - PO9. Assess and manage IT risks
     - PO10. Manage projects
  17. COBIT IT Processes: Acquisition and Implementation
     - AI1. Identify automated solutions
     - AI2. Acquire and maintain application software
     - AI3. Acquire and maintain technology infrastructure
     - AI4. Enable operation and use
     - AI5. Procure IT resources
     - AI6. Manage changes
     - AI7. Install and accredit solutions and changes
  18. COBIT IT Processes: Delivery and Support
     - DS1. Define and manage service levels
     - DS2. Manage third-party services
     - DS3. Manage performance and capacity
     - DS4. Ensure continuous service
     - DS5. Ensure systems security
     - DS6. Identify and allocate costs
     - DS7. Educate and train users
     - DS8. Manage service desk and incidents
     - DS9. Manage the configuration
     - DS10. Manage problems
     - DS11. Manage data
     - DS12. Manage the physical environment
     - DS13. Manage operations
  19. COBIT IT Processes: Monitor and Evaluate
     - ME1. Monitor and evaluate IT performance
     - ME2. Monitor and evaluate internal control
     - ME3. Ensure regulatory compliance
     - ME4. Provide IT governance
  20. Linking business goals – IT goals – IT processes: assignment (figure). The business goal “Maintain enterprise reputation and leadership” drives the IT goal “Ensure IT services can resist and recover from attacks”; the process goal to be identified is marked “????”.
  21. Linking business goals to IT goals (figure)
  22. Linking IT goals to IT processes (figure)
  23. The most important IT Processes (COBIT 3.2), survey figure. The processes highlighted (15 of the 34): PO1 define a strategic IT plan; PO3 determine the technological direction; PO5 manage the IT investment; PO9 assess risks; PO10 manage projects; AI1 identify solutions; AI2 acquire and maintain applications s/w; AI5 install and accredit systems; AI6 manage changes; DS1 define service levels; DS4 ensure continuous service; DS5 ensure system security; DS10 manage problems and incidents; DS11 manage data; M1 monitor the processes.
  24. IT Resources (figure): Business Requirements, IT Processes, IT Resources.
     - Data: data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
     - Application Systems: understood to be the sum of manual and programmed procedures.
     - Infrastructure: covers hardware, operating systems, database management systems, networking, multimedia, facilities, etc.
     - People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.
  25. COBIT Framework (figure). IT Resources: Data, Application Systems, Infrastructure, People. IT Processes: Planning and organisation, Acquisition and implementation, Delivery and Support, Monitor and evaluate. Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability.
  26. The same figure with captions: IT Resources are “the resources made available to and built up by IT”; IT Processes are “how IT is organised to respond to the requirements”; Business Requirements are “what the stakeholders expect from IT”.
  27. COBIT framework overview (figure): Business and Governance Objectives; Information Criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability); IT Resources (data, application systems, infrastructure, people); and the four domains Planning and Organisation (PO1–PO10), Acquisition and Implementation (AI1–AI7), Delivery and Support (DS1–DS13) and Monitor and Evaluate (ME1–ME4), with the processes as listed on slides 16–19.
  28. The Major Elements of COBIT
     - High-level and detailed Control Objectives
     - Management Guidelines: inputs – outputs; RACI chart; goals and metrics; maturity models
     - Assurance Guidelines – Implementation Guidelines
  29. COBIT Control Objectives
  30. COBIT Control Objectives
     - Definition of Control: the policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
     - Definition of IT Control Objective: IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They are statements of managerial actions to increase value or reduce risk; consist of policies, procedures, practices and organisational structures; and are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
  31. Example: Detailed Control Objectives for Manage Changes (AI6)
     - AI6.1 Change Standards and Procedures: Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
     - AI6.2 Impact Assessment, Prioritisation and Authorisation: Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorized by the appropriate stakeholder.
     - AI6.3 Emergency Changes: Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change.
     - AI6.4 Change Status Tracking and Reporting: Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms.
     - AI6.5 Change Closure and Documentation: Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.
  32. Generic process controls
     - Each COBIT process has generic control requirements that are identified by generic process controls within the Process Control (PC) domain. These are applicable for all COBIT processes and should be considered together with the detailed COBIT control objectives to have a complete view of control requirements.
     - PC1 Process goals and objectives
     - PC2 Process ownership
     - PC3 Process repeatability
     - PC4 Roles and responsibilities
     - PC5 Policy, plans and procedures
     - PC6 Process performance improvement
  33. Application controls
     - Application controls relate to the transactions and standing data pertaining to each automated application system and are specific to each such application. They ensure the completeness and accuracy of the records and the validity of the entries made in transactions and standing data resulting from both manual and automated processing.
     - COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement (AI) domain. The operational management and control responsibility for application controls is not with IT, but with the business process owner. Therefore, the COBIT IT processes cover general IT controls but not application controls.
     - AC1 Source document preparation and authorisation
     - AC2 Source document collection and data entry
     - AC3 Accuracy, completeness, authenticity checks
     - AC4 Data processing integrity and validity
     - AC5 Output review, reconciliation and error handling
     - AC6 Transaction authentication and integrity
  34. COBIT Control Practices
  35. COBIT - IT Control Practices
     - For each of the control objectives, a list of specific control practices is defined. In addition, three generic control practices are defined, which are applicable to all control objectives (design control approach; accountability and responsibility; communication and understanding).
     - The complete set of generic and specific control practices provides one control approach, consisting of practices that are necessary for achieving the control objective. They provide high-level generic guidance, at a more detailed level under the control objective, for assessing process maturity, considering potential improvements and implementing the controls.
     - They do not describe specific solutions, and further guidance may need to be obtained from specific, relevant standards and best practices, such as ITIL or PRINCE2.
  36. COBIT - IT Control Practices. DS8.1 Service Desk: Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services. Control practices:
     1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management.
     2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident.
     3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution.
     4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation.
     5. Using the service desk software, create service desk performance reports to enable performance monitoring and continuous improvement of the service desk.
  37. COBIT Management Guidelines: Inputs – Outputs
  38. (figure only)
  39. Each process has primary inputs and outputs with process linkages (figure, PO1). Inputs: mission and goals; understanding of the business context, capability and capacity; business strategy; risk appetite. Outputs: strategic plan; tactical plan; project portfolio; service portfolio.
  40. Inputs / outputs template (figure): Process; Input from (process, what); Output to (process, what).
  41. Example: Inputs/Outputs for Manage Changes (AI6) (figure)
  42. COBIT Management Guideline: RACI Chart
  43. RACI chart providing roles and responsibilities (figure, PO1). Functions: CEO, CFO, Business Executive, CIO, Business Sr Management, Head of Operations, Chief Architect or CTO, Head of Development, Head of IT Admin (HR, Fin, etc.), PMO, CARS.
  44. Activities RACI chart (figure): activities against the functions CEO, CFO, Business Exec, CIO, Business Sr Mngmt, Head Operations, Chief Architect, Head Development, Head IT Admin, PMO and CARS. CARS includes Risk, Security, Audit and Compliance.
  45. Example: RACI Diagram for Manage Changes (AI6) (figure)
  46. COBIT Management Guideline: Goals and metrics
  47. COBIT Management Guidelines: Goals and Metrics. Key Goal Indicators (KGIs):
     - lag indicator
     - an indicator of the success of the process and its business contribution
     - describe the outcome of the process, i.e. measurable after the fact; a measure of “what”; may describe the impact of not reaching the process goal
     - focus on the customer and financial dimensions of the balanced scorecard
  48. COBIT Management Guidelines: Goals and Metrics. Examples of Key Goal Indicators (KGIs):
     - Increased level of service delivery
     - Reduced time and effort required to make changes
     - Availability of systems and services
     - Absence of integrity and confidentiality risks
     - Cost efficiency of processes and operations
     - Confirmation of reliability and effectiveness
     - Adherence to development cost and schedule
     - Cost efficiency of the process
     - Staff productivity and morale
     - Number of timely changes to processes and systems
     - Improved productivity (e.g., delivery of value per employee)
  49. COBIT Management Guidelines: Goals and Metrics. Key Performance Indicators (KPIs):
     - lead indicator
     - are a measure of “how well” the process is performing
     - predict the probability of success or failure
     - focus on the process and learning dimensions of the balanced scorecard
     - are expressed in precise measurable terms
     - should help in improving the IT process
  50. COBIT Management Guidelines: Goals and Metrics. Examples of Key Performance Indicators (KPIs):
     - System downtime
     - Throughput and response times
     - Amount of errors and rework
     - Number of staff trained in new technology
     - Customer service skills
     - Benchmark comparisons
     - Number of non-compliance reportings
     - Reduction in development and processing time
  51. KGIs/KPIs for “Ensure System Security” (DS5) (figure). Metrics for the BSC of the IT process owner: KPI “security expertise”; KGI “number of incidents because of unauthorised access”. These metrics represent the KPIs and KGIs of the IT process owner and can be used as building blocks for a BSC at process level; they map on the current KGIs and KPIs of COBIT. The KGIs at process level are at the same time KPIs at the IT manager’s level (vertical lines). Metrics for the BSC of the IT manager: KGI “number of security breaches”. These KGIs represent the goals of the IT manager and can be derived from the list of IT goals; together with the KPIs (horizontal arrow) they are building blocks for the IT manager’s BSC. The KGIs at the IT manager’s level are at the same time KPIs at the business manager’s level (vertical lines). Metrics for the BSC of the business manager: KGI “number of incidents causing public embarrassment”. These KGIs represent the goals of the business manager and can be derived from the list of business goals; together with the KPIs (horizontal arrow) they are building blocks for the business manager’s BSC.
  52. Cascade of metrics (figure): a KGI at business level is supported by many other KPIs at IT and process level. The figure shows KPI/KGI pairs for the BSC of the IT process owner, of the IT manager and of the business manager.
  53. Cascade of metrics for “Ensure System Security” (DS5) (figure). Goals: the process goal “Understanding security requirements, vulnerabilities and threats” drives the IT goal “Ensure IT services can resist and recover from attacks”, which drives the business goal “Maintain enterprise reputation and leadership”. Metrics: process KPI “Nr and type of new security incidents”; process KGI “Nr of incidents because of unauthorised access”, which is at the same time the IT-level KPI; IT KGI “Nr of IT security incidents”, which is at the same time the business-level KPI; business KGI “Number of incidents causing public embarrassment”.
  54. (figure only)
  55. (figure only)
  56. Goals and metrics cascade (figure): IT goals, process goals, activity goals; IT KGI, process KGI, activity KGI (= process KPI).
  57. Example: Goals and metrics for Manage Changes (AI6) (figure)
  58. COBIT Maturity models
  59. Maturity Models
     - refer to business requirements (KGI) and the enabling aspects (KPI) at the different levels
     - are a scale that lends itself to pragmatic comparison, where the difference can be made measurable in an easy manner
     - are recognisable as a “profile” of the enterprise in relation to IT governance and control
     - assist in determining As-Is and To-Be positions relative to IT governance and control maturity and in analysing the gap
     - are not industry specific nor generally applicable; the nature of the business will determine what is an appropriate level
  60. Maturity Models: goal setting and measurement (figure). Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised. Legend for symbols used: enterprise current status, international standard guidelines, industry practice, enterprise target. Legend for rankings used: 0 - management processes are not applied at all; 1 - processes are ad hoc and disorganised; 2 - processes follow a regular pattern; 3 - processes are documented and communicated; 4 - processes are monitored and measured; 5 - best practices are followed and automated.
  61. Maturity models are improved starting from a new generic qualitative model based on the following attributes:
     - awareness and communication
     - policies, standards and procedures
     - tools and automation
     - skills and expertise
     - responsibility and accountability
     - goal setting and measurement
  62. Example: Maturity Model for Manage Changes (AI6)
     - 0 Non-existent when: There is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.
     - 1 Initial/Ad Hoc when: It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management.
     - 2 Repeatable but Intuitive when: There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change.
     - 3 Defined Process when: There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies.
     - 4 Managed and Measurable when: The change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation are becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process redesign. There is a consistent process for monitoring the quality and performance of the change management process.
     - 5 Optimised when: The change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation.
  63. COBIT 4.1
     - Released May 2007
     - Incremental updates, no fundamental changes
     - COBIT 4.1 features:
       - an enhanced Executive Overview, introduction and explanation of goals and metrics in the framework section, and better definitions of the core concepts
       - improved control objectives resulting from updated control practices and Val IT development activity
       - a new definition of a control objective, shifting more towards management practice statements
       - grouping/rewording of some control objectives to avoid overlaps and make the list of control objectives within a process more consistent and action-oriented: AI5.4, AI5.5 and AI5.6 were combined; AI7.9, AI7.10 and AI7.11 were combined; changes were also made to ME3 to include compliance with contractual requirements in addition to legal and regulatory
       - reworded application controls, to support financial controls effectiveness assessment and reporting: six Application Controls replacing the 18 in COBIT 4.0, with further detail being provided in the COBIT Control Practices
       - an updated list of business goals and IT goals, based on new insights obtained during validation research executed by UAMS
       - an expanded pull-out to provide amongst others a quick reference list of the COBIT processes
  64. IT Assurance using COBIT
  65. Implementation Guide - IT Assurance Guide (figure). WHAT: Framework, Control Objectives, Maturity Models. HOW: Management Guidelines, Control Practices, IT Governance Implementation Guide using COBIT, IT Assurance Guide using COBIT. Audiences: Board (Board Briefing on IT Governance), Executive, CIO, Audit Director, each with a baseline for IT governance (value, risk, control objective), leading to the IT governance implementation approach and the assurance approach.
  66. Assurance & audit
     - Assurance Guide instead of Audit Guide: assurance also covers evaluation activities not governed by internal and/or external audit standards.
  67. Assurance Roadmap (figure)
  68. Assurance planning
     - IT audit universe: 34 IT processes; 4 IT resources
     - Risk based assurance planning: the assurance professional should use an appropriate risk assessment technique or approach in developing the overall plan for the effective allocation of IT assurance resources. Risk assessment is a technique used to examine units in the assurance universe and select those areas for review that have the greatest risk exposure, by analysing risk and impact.
  69. Assurance planning
     - High-level assessment can provide support in assurance planning by identifying processes where the maturity/control gap between as-is and to-be is the most significant.
     - The results of such high-level assessment can be used to prioritise the IT assurance work. Specific benefits of such high-level assessments are: making members of IT management aware of their accountability for controlling IT and gaining their buy-in; high-level checking of compliance with established IT control requirements; optimising and prioritising IT assurance resources; bridging to IT governance.
  70. Assurance planning
     - Define the scope and objectives: define the scope and objectives of the assurance work and perform a preliminary assessment of internal control/maturity of the function/activities being reviewed to provide reasonable assurance that all material items will be adequately covered during the assurance initiative.
  71. Assurance scoping
     - Define the scope and objectives: business goals – IT goals – IT processes / IT resources – control objectives – customized control objectives
  72. Assurance execution. Derived from control practices: originally 1 ITCP translated into 1 testing step. Later all individual testing steps were grouped into three blocks:
     1. Testing control design (design effectiveness)
     2. Testing outcome of the objective (operational effectiveness)
     3. Document impact of control weaknesses
  73. 73. The audit steps to be performed in assessing the adequacy of the design of controls.AI6: Change ManagementTesting control design• Enquire whether and confirm that the change management process allows business process owners and IT to request changes to infrastructure, systems or applications.• Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes).• Enquire whether and confirm that processes and procedures for contracted services providers (e.g., infrastructure, application development, application service providers, shared services) are included in the change management process.• Determine if the process and procedures include the contractual terms and SLAs. 73
  74. 74. The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously and to conclude on the appropriateness of the control environment.AI6: Change ManagementTesting CO outcome• Inspect a selection of changes and determine if requests have been categorised.• Inspect a selection of changes and determine if changes have been prioritised based on predefined criteria.• Inspect a selection of changes and determine if changes have been assessed in a structured method (e.g., security, legal, contractual and compliance implications are considered and business owners are involved).• Inspect a sample of emergency changes and verify that they have been processed in accordance with the change management framework. Verify that procedures have been followed to authorise, document and revoke access after the change has been applied.• Inspect a sample of emergency changes and determine if a post-implementation review has been conducted after the changes were applied. Consider implications for further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity. 74
  75. 75. The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.
AI6: Change Management
Document impact
• Assess the time and cost of lack of formal change management standards and procedures (e.g., improper resource allocation, unclear roles and responsibilities, security breaches, lack of rollback procedures, lack of documentation and audit trails, inadequate training).
• Assess the time and cost of lack of formal impact assessment to prioritise and authorise changes.
• Assess the time and cost of lack of formal emergency change standards and procedures (e.g., compromised security, failure to properly terminate additional access authorisations, unauthorised access to corporate information). 75
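The "Testing CO outcome" steps for AI6 on slide 74 (categorised, prioritised, structurally assessed, emergency changes authorised with access revoked, post-implementation review) can be run mechanically over a sample extracted from a change-management tool, so that the auditor's sampling produces exception counts rather than a hand-ticked checklist. The following is an added example, not part of the original slides or of COBIT; the record layout, field names and the five sample changes are constructed assumptions about what such an extract might contain.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of change records, shaped like an extract from a change
# management tool for the auditor's sampling step. All values are illustrative.
@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    category: Optional[str]           # "standard" / "normal" / "emergency"; None = not categorised
    priority: Optional[str]           # "P1".."P4"; None = not prioritised
    impact_assessed: bool             # security/legal/contractual/compliance impact recorded
    business_owner_involved: bool     # business owner took part in the assessment
    emergency: bool                   # raised through the emergency change procedure
    emergency_authorised_by: Optional[str] = None      # approver of the emergency change
    temporary_access_revoked: Optional[bool] = None    # elevated access removed afterwards
    post_implementation_review: Optional[bool] = None  # PIR recorded after the change

SAMPLE: List[ChangeRecord] = [
    ChangeRecord("CHG-001", "standard", "P3", True, True, False),
    ChangeRecord("CHG-002", None, "P2", True, True, False),        # never categorised
    ChangeRecord("CHG-003", "normal", None, True, False, False),   # no priority, owner absent
    ChangeRecord("CHG-004", "emergency", "P1", True, True, True, "ops-manager", True, True),
    ChangeRecord("CHG-005", "emergency", "P1", False, True, True, None, False, False),
]

# One function per "Testing CO outcome" step. Each returns None when the record
# passes, an exception message when it fails, and NOT_APPLICABLE when the step
# does not apply to that record (the emergency steps only cover emergency changes).
NOT_APPLICABLE = "n/a"

def categorised(c: ChangeRecord) -> Optional[str]:
    return None if c.category else "request not categorised"

def prioritised(c: ChangeRecord) -> Optional[str]:
    return None if c.priority else "no priority assigned against predefined criteria"

def assessed_structurally(c: ChangeRecord) -> Optional[str]:
    if not c.impact_assessed:
        return "no structured impact assessment recorded"
    if not c.business_owner_involved:
        return "business owner not involved in assessment"
    return None

def emergency_per_framework(c: ChangeRecord) -> Optional[str]:
    if not c.emergency:
        return NOT_APPLICABLE
    problems = []
    if not c.emergency_authorised_by:
        problems.append("emergency change not authorised")
    if not c.temporary_access_revoked:
        problems.append("temporary access not revoked after deployment")
    return "; ".join(problems) or None

def emergency_pir(c: ChangeRecord) -> Optional[str]:
    if not c.emergency:
        return NOT_APPLICABLE
    return None if c.post_implementation_review else "no post-implementation review"

TESTS: Dict[str, Callable[[ChangeRecord], Optional[str]]] = {
    "categorised": categorised,
    "prioritised": prioritised,
    "assessed": assessed_structurally,
    "emergency_framework": emergency_per_framework,
    "emergency_pir": emergency_pir,
}

def evaluate(records: List[ChangeRecord]) -> Dict[str, dict]:
    """Run every test over the sample; return per-test applicable count and exceptions."""
    results: Dict[str, dict] = {}
    for name, test in TESTS.items():
        tested, exceptions = 0, {}
        for c in records:
            outcome = test(c)
            if outcome == NOT_APPLICABLE:
                continue
            tested += 1
            if outcome is not None:
                exceptions[c.change_id] = outcome
        results[name] = {"tested": tested, "exceptions": exceptions}
    return results

def exception_rate(results: Dict[str, dict], name: str) -> float:
    """Share of applicable records that failed the named test (0.0 when none applied)."""
    r = results[name]
    return len(r["exceptions"]) / r["tested"] if r["tested"] else 0.0

if __name__ == "__main__":
    for name, r in evaluate(SAMPLE).items():
        print(f"{name}: {r['tested']} tested, {len(r['exceptions'])} exceptions")
        for cid, msg in r["exceptions"].items():
            print(f"  {cid}: {msg}")
```

The per-test exception list is the raw material for the "Findings" section later in the deck: each failing change ID is the detection evidence, and the exception rate across the sample is what supports a conclusion on operating effectiveness rather than on a single instance.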
  76. 76. Structure of assurance guidance provided 76
  77. 77. Example: Control practices 77
  78. 78. Example: testing control design 78
  79. 79. Example: testing operational effectiveness 79
  80. 80. Example: documenting impact 80
  81. 81. IT Assurance assignments in practice (templates) 81
  82. 82. Assurance assignment
1. Scoping
 1.1 Processes
 1.2 Control objectives
 1.3 Control practices
2. Testing
 2.1 Evaluate Design Effectiveness (testing control design)
 2.2 Evaluate Operating Effectiveness (testing outcome of the control process)
3. Findings and recommendations 82
  83. 83. 1.1 Scoping: processes
• Define cascade of business goals – IT goals – IT processes
Goal: first list of IT processes 83
  84. 84. 1.1 Scoping: processes
• Define/refine list of IT processes based on risk-based scoping
 - Risk and value drivers
Goal: refined list of IT processes 84
  85. 85. 1.1 Scoping: processes
• Define/refine list of IT processes based on risk-based scoping
 - Maturity assessment
Goal: refined list of IT processes 85
  86. 86. 1.2 Scoping: control objectives
• Define control framework for one process based on control objective attributes
Goal: set of important control objectives for one IT process 86
  87. 87. 1.3 Scoping: control practices
• Define control design for one control objective
Goal: minimum and sufficient set of control practices to achieve a control objective 87
  88. 88. 2. Testing
• Structured approach for each of the control objectives / control practices
[Diagram: COBIT 4 Control Practices, RACI chart, Inputs/outputs, Audit plans: Assurance Guide, …] 88
  89. 89. 2.1 Evaluate design effectiveness
• Translate control practices into assurance steps to evaluate design effectiveness
[Diagram: COBIT 4 Control Practices, RACI chart, Audit plans: Assurance Guide, …] 89
  90. 90. Example 2.1 Evaluate design effectiveness 90
  91. 91. 2.2 Evaluate operating effectiveness 91
  92. 92. 2.2 Evaluate operating effectiveness
[Diagram: COBIT 4.0 Control Practices, Inputs/outputs, RACI chart, Audit plans: Assurance Guide] 92
  93. 93. Example 2.2 Evaluate operating effectiveness 93
  94. 94. 3. Findings & Recommendations
• FINDING: Description; Detection (Walkthrough / Testing)
• RISK: Description; Categorization
• RECOMMENDATION: Description; Priority 94
  95. 95. Findings & Recommendations Example
FINDING (Description / Detection)
DS8.1: There is no monitoring process in place that focuses on the quality of the Service Desk and the end users' satisfaction.
RISK (Description / Classification)
IT management is not informed on how the business perceives the Service Desk in particular and the IT department in general. This lack of information can cause a disconnection/misalignment between business and IT (i.e., no perception of added value by IT). It also prevents the implementation of an effective continuous improvement process.
RECOMMENDATION (Description / Priority)
Organize regular user satisfaction surveys via the different available media (intranet, phone, direct…) and use this information to compare the responses of the satisfied users with the dissatisfied users. This information can also be used to enable continuous improvement. 95