Using COBIT 4.1 for Assurance Assignments

Prof. dr. Wim Van Grembergen
University of Antwerp (UA)
University of Antwerp Management School (UAMS)
IT Alignment and Governance research institute (ITAG)
wim.vangrembergen@ua.ac.be
www.uams.be/itag
Agenda
• COBIT introduction
• COBIT framework
• COBIT elements
    - High-level and detailed Control Objectives
    - IT control practices
    - Management Guidelines
    - Maturity models
• IT assurance using COBIT
• IT assurance assignments in practice (templates)
COBIT introduction
COBIT evolution

Evolution of the framework's focus, from COBIT 1 to COBIT 4: Audit, Control, Management, Governance
COBIT 1: 1996; COBIT 2: 1998; COBIT 3: 2000; COBIT 4: 2005
Some key strengths
• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starting from business requirements
• Process oriented

CobiT: best practices repository for IT processes, IT management processes and IT governance processes
COBIT and other standards (Gartner Research Note)

BS7799: Security
CobiT: Control (the WHAT)
ITIL: Activities (the HOW)
Who needs an IT Control Framework?
• Board and Executive
    - to ensure management follows and implements the strategic direction for IT
• Management
    - IT investment decisions
    - balance risk and control investment
    - benchmark existing and future IT environment
• Users
    - to obtain assurance on security and control of products and services they acquire internally or externally
• Auditors
    - to substantiate opinions to management on internal controls
    - to advise on what minimum controls are necessary
The COBIT framework
COBIT Framework

[Figure: the three elements of the framework, Business Requirements, IT Processes and IT Resources, with their definitions]

“In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”
Business requirements

Quality Requirements:
 • Quality
 • Delivery
 • Cost
Security Requirements:
 • Confidentiality
 • Integrity
 • Availability
Fiduciary Requirements (COSO Report):
 • Effectiveness and Efficiency of Operations
 • Compliance with Laws and Regulations
 • Reliability of Financial Reporting

The slide maps these onto the COBIT information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of Information.
Business requirements

effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
efficiency - concerns the provision of information through the optimal (most productive and economical) usage of resources.
confidentiality - concerns protection of sensitive information from unauthorized disclosure.
integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
availability - relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
reliability of information - relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
Linking business goals - IT goals - IT processes

Business Goal: Maintain enterprise reputation and leadership
    drives
IT Goal: Ensure IT services can resist and recover from attacks
    drives
Process Goal: Understanding security requirements, vulnerabilities and threats
IT processes

Domains: Natural grouping of processes, often matching an organisational domain of responsibility.
Processes: A series of joined activities with natural control breaks.
Activities or tasks: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
COBIT IT Processes
Planning and Organisation

PO1. Define a strategic IT plan
PO2. Define the information architecture
PO3. Determine technological direction
PO4. Define the IT processes, organization and relationships
PO5. Manage the IT investment
PO6. Communicate management aims and direction
PO7. Manage IT human resources
PO8. Manage quality
PO9. Assess and manage IT risks
PO10. Manage projects
COBIT IT Processes

Acquisition and Implementation

AI1. Identify automated solutions

AI2. Acquire and maintain application software

AI3. Acquire and maintain technology infrastructure

AI4. Enable operation and use

AI5. Procure IT resources

AI6. Manage changes

AI7. Install and accredit solutions and changes
COBIT IT Processes
Delivery and Support
DS1. Define and manage service levels
DS2. Manage third-party services
DS3. Manage performance and capacity
DS4. Ensure continuous service
DS5. Ensure systems security
DS6. Identify and allocate costs
DS7. Educate and train users
DS8. Manage service desk and incidents
DS9. Manage the configuration
DS10. Manage problems
DS11. Manage data
DS12. Manage the physical environment
DS13. Manage operations
COBIT IT Processes
Monitor and Evaluate

ME1. Monitor and evaluate IT performance

ME2. Monitor and evaluate internal control

ME3. Ensure regulatory compliance

ME4. Provide IT governance
Linking business goals - IT goals - IT processes: Assignment

Business Goal: Maintain enterprise reputation and leadership
    drives
IT Goal: Ensure IT services can resist and recover from attacks
    drives
Process Goal: ????
Linking business goals to IT goals

[Table: Linking Business goals to IT goals, listing the business goals and the IT goals they map to]
Linking IT goals to IT processes

[Table: Linking IT goals to IT processes, listing the IT goals and the IT processes they map to]
The most important IT Processes (COBIT 3.2)

Survey results (figures shown on the slide: 34, 15, 7):
PO1   define a strategic IT plan
PO3   determine the technological direction
PO5   manage the IT investment
PO9   assess risks
PO10  manage projects
AI1   identify solutions
AI2   acquire and maintain applications s/w
AI5   install and accredit systems
AI6   manage changes
DS1   define service levels
DS4   ensure continuous service
DS5   ensure system security
DS10  manage problems and incidents
DS11  manage data
M1    monitor the processes
IT Resources

Data: Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
Application Systems: understood to be the sum of manual and programmed procedures.
Infrastructure: covers hardware, operating systems, database management systems, networking, multimedia, facilities, etc.
People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.
COBIT Framework

IT Resources: Data; Application Systems; Infrastructure; People
IT Processes: Planning and organisation; Acquisition and implementation; Delivery and Support; Monitor and evaluate
Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
IT Resources - the resources made available to, and built up by, IT: Data; Application Systems; Infrastructure; People
IT Processes - how IT is organised to respond to the requirements: Planning and organisation; Acquisition and implementation; Delivery and Support; Monitor and evaluate
Business Requirements - what the stakeholders expect from IT: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
COBIT Framework

Business and Governance Objectives

INFORMATION Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

IT RESOURCES: data, application systems, infrastructure, people

PLANNING AND ORGANISATION
PO1. define a strategic IT plan
PO2. define the information architecture
PO3. determine technological direction
PO4. define the IT processes, organization and relationships
PO5. manage the IT investment
PO6. communicate management aims and direction
PO7. manage IT human resources
PO8. manage quality
PO9. assess and manage risk
PO10. manage projects

ACQUISITION AND IMPLEMENTATION
AI1. identify automated solutions
AI2. acquire and maintain application software
AI3. acquire and maintain technology infrastructure
AI4. enable operation and use
AI5. procure IT resources
AI6. manage changes
AI7. install and accredit solutions and changes

DELIVERY AND SUPPORT
DS1. define and manage service levels
DS2. manage third party services
DS3. manage performance and capacity
DS4. ensure continuous service
DS5. ensure systems security
DS6. identify and allocate costs
DS7. educate and train users
DS8. manage service desk and incidents
DS9. manage the configuration
DS10. manage problems
DS11. manage data
DS12. manage the physical environment
DS13. manage operations

MONITOR AND EVALUATE
ME1. monitor and evaluate IT performance
ME2. monitor and evaluate internal control
ME3. ensure regulatory compliance
ME4. provide IT governance
The Major Elements of COBIT

High-level and detailed Control Objectives
Management Guidelines
    Inputs – outputs
    RACI chart
    Goals and metrics
    Maturity models
Assurance Guidelines – Implementation Guidelines
COBIT Control Objectives

Definition of Control: The policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Definition of IT Control Objective: IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
• Are statements of managerial actions to increase value or reduce risk
• Consist of policies, procedures, practices and organisational structures
• Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Example: Detailed Control Objectives for Manage Changes (AI6)
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all
requests (including maintenance and patches) for changes to applications, procedures,
processes, system and service parameters, and the underlying platforms.

AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for impacts on the
operational system and its functionality. This assessment should include categorisation and
prioritisation of changes. Prior to migration to production, changes are authorized by the
appropriate stakeholder.

AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do
not follow the established change process. Documentation and testing should be performed,
possibly after implementation of the emergency change.

AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change requestors and relevant
stakeholders up to date about the status of the change to applications, procedures, processes,
system and service parameters, and the underlying platforms.

AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user
documentation and procedures accordingly. Establish a review process to ensure complete
implementation of changes.
Generic process controls

• Each COBIT process has generic control requirements
  that are identified by generic process controls within
  the Process Control (PC) domain. These are applicable
  for all COBIT processes and should be considered
  together with the detailed COBIT control objectives to
  have a complete view of control requirements.

• PC1 Process goals and objectives
• PC2 Process ownership
• PC3 Process repeatability
• PC4 Roles and responsibilities
• PC5 Policy, plans and procedures
• PC6 Process performance improvement
Application controls

•   Application controls relate to the transactions and standing data
    pertaining to each automated application system and are specific to
    each such application. They ensure the completeness and accuracy
    of the records and the validity of the entries made in transactions
    and standing data resulting from both manual and automated
    processing.
•   COBIT assumes the design and implementation of automated
    application controls to be the responsibility of IT, covered in the
    Acquire and Implement (AI) domain. The operational management
    and control responsibility for application controls is not with IT, but
    with the business process owner. Therefore, the COBIT IT processes
    cover general IT controls but not application controls.

• AC1 Source document preparation and authorisation
• AC2 Source document collection and data entry
• AC3 Accuracy, completeness, authenticity checks
• AC4 Data processing integrity and validity
• AC5 Output review, reconciliation and error handling
• AC6 Transaction authentication and integrity
COBIT Control Practices
COBIT - IT Control Practices

• For each of the control objectives, a list of specific control
  practices is defined. In addition, three generic control practices
  are defined, which are applicable to all control objectives. (Design
  control approach, Accountability and responsibility,
  Communication and understanding)

• The complete set of generic and specific control practices
  provides one control approach, consisting of practices that are
  necessary for achieving the control objective. They provide high-
  level generic guidance, at a more detailed level under the control
  objective, for assessing process maturity, considering potential
  improvements and implementing the controls.

• They do not describe specific solutions, and further guidance may
  need to be obtained from specific, relevant standards and best
  practices, such as ITIL or PRINCE2.
COBIT - IT Control Practices
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch
and analyse all calls, reported incidents, service requests and information demands. There should be
monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate
SLA that allow classification and prioritisation of any reported issue as an incident, service request or
information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
  1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and
        resolution of customer requests and incidents. Develop business requirements for the service desk,
        based on service definitions and SLAs, including hours of operation and expected response time to
        a call. Ensure that service desk requirements include identifying staffing, tools and integration with
        other processes, such as change management and problem management.
  2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately
        resolved by service desk personnel. Establish time thresholds to determine when escalation should
        occur based on the categorisation/prioritisation of the request or incident.
  3. Implement the necessary support software and tools (e.g., incident management, knowledge
        management, incident escalation systems, automated call monitoring) required for operation of the
        service desk and configured in accordance with SLA requirements, to facilitate automated
        prioritisation of incidents and rapid resolution.
  4. Advise customers of the existence of the service desk and the standards of service they can expect.
        Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the
        effectiveness of the service desk operation.
  5. Using the service desk software, create service desk performance reports to enable performance
        monitoring and continuous improvement of the service desk.
COBIT Management Guidelines
Inputs – Outputs
Each process has primary inputs and outputs with process linkages

Example for PO1:
Inputs: Mission and Goals; Understanding of the business context, capability and capacity; Business Strategy; Risk Appetite
Outputs: Strategic Plan; Tactical Plan; Project Portfolio; Service Portfolio
Inputs / outputs (template)
• Process:
Input from:  Process / what
Output to:   Process / what
Example: Input/Outputs for Manage Changes (AI6)

[Figure: the AI6 input/output table from COBIT 4.1]
COBIT Management Guideline
RACI Chart
RACI chart providing roles and responsibilities

Functions on the chart: CEO; CFO; Business Executive; CIO; Business Sr Management; Head of Operations; Chief Architect or CTO; Head of Development; Head of IT Admin (HR, Fin, etc.); PMO; CARS

[Figure: organisation chart of these functions, with a PO1 RACI row underneath]
RACI Chart: Activities against Functions

Function columns: CEO; CFO; Business Exec; CIO; Business Sr Mngmt; Head Operations; Chief Architect; Head Development; Head IT Admin; PMO; CARS

CARS includes Risk, Security, Audit and Compliance
Example: RACI Diagram
for Manage Changes (AI6)




                           45
COBIT
Management Guideline
  Goals and metrics


                       46
COBIT Management Guidelines
                                Goals and Metrics

Key Goal Indicators (KGIs)
• lag indicator
• is an indicator of the success of the process and
  its business contribution
• describes the outcome of the process, i.e.
  measurable after the fact; a measure of “what”;
  may describe the impact of not reaching the
  process goal
• focuses on the customer and financial dimensions
  of the balanced scorecard

                                                      47
COBIT Management Guidelines
                                Goals and Metrics
Examples of Key Goal Indicators (KGIs)
   - Increased level of service delivery
   - Reduced time and effort required to make changes
   - Availability of systems and services
   - Absence of integrity and confidentiality risks
   - Cost efficiency of processes and operations
   - Confirmation of reliability and effectiveness
   - Adherence to development cost and schedule
   - Cost efficiency of the process
   - Staff productivity and morale
   - Number of timely changes to processes and systems
   - Improved productivity (e.g., delivery of value per
     employee)
48
COBIT Management Guidelines
                                Goals and Metrics

Key Performance Indicators (KPIs)
• lead indicator
• are a measure of “how well” the process is
  performing
• predict the probability of success or failure
• focus on the process and learning dimensions of
  the balanced scorecard
• are expressed in precise measurable terms
• should help in improving the IT process



                                                    49
COBIT Management Guidelines
                                   Goals and Metrics

Examples of Key Performance Indicators (KPIs)
  - System downtime
  - Throughput and response times
  - Amount of errors and rework
  - Number of staff trained in new technology
  - customer service skills
  - Benchmark comparisons
  - Number of non-compliance reportings
  - Reduction in development and processing time

                                                   50
KGI’s/KPI’s “Ensure System Security” (DS5)

Metrics for BSC of IT process owner: KPI Security expertise -> KGI Number of incidents because of unauthorised access
Metrics for BSC of IT manager: KPI (= process-level KGI, vertical line) -> KGI Number of security breaches
Metrics for BSC of business manager: KPI (= IT manager-level KGI, vertical line) -> KGI Number of incidents causing public embarrassment

These metrics represent the KPIs and KGIs of the IT process owner and can be used as building blocks for a BSC at process level. They map on the current KGIs and KPIs of COBIT. The KGIs at process level are at the same time KPIs at the IT manager’s level (vertical lines).

These KGIs represent the goals of the IT manager and can be derived from the list of IT goals. Together with the KPIs (horizontal arrow) they are building blocks for the IT manager’s BSC. The KGIs at the IT manager’s level are at the same time KPIs at the business manager’s level (vertical lines).

These KGIs represent the goals of the business manager and can be derived from the list of business goals. Together with the KPIs (horizontal arrow) they are building blocks for the business manager’s BSC.
51
Cascade of metrics

Metrics for BSC of IT process owner: several KPIs -> KGI
Metrics for BSC of IT manager: KPI (= process-level KGI) -> KGI
Metrics for BSC of business manager: KPI (= IT manager-level KGI) -> KGI

A KGI at business level is supported by many other KPIs at IT and process level.
52
Cascade of metrics for “Ensure System Security” (DS5)

GOALS
Process Goal: Understanding security requirements, vulnerabilities and threats
  drives
IT Goal: Ensure IT services can resist and recover from attacks
  drives
Business Goal: Maintain enterprise reputation and leadership

METRICS
Process Goal: KPI Nr and type of new security incidents -> KGI Nr of incidents because of unauthorised access
IT Goal: KPI (= Nr of incidents because of unauthorised access) -> KGI Nr of IT security incidents
Business Goal: KPI (= Nr of IT security incidents) -> KGI Number of incidents causing public embarrassment
53
54
55
Goals cascade: Activity goals -> Process goals -> IT goals
Metrics cascade: Activity KGI (= process KPI) -> Process KGI -> IT KGI
56
Example: Goals and metrics
 for Manage Changes (AI6)




                             57
COBIT
Maturity models




                  58
Maturity Models
• refers to business requirements (KGI) and the enabling
  aspects (KPI) at the different levels
• are a scale that lends itself to pragmatic comparison, where
  the difference can be made measurable in an easy manner
• are recognisable as a “profile” of the enterprise in relation to
  IT governance and control
• assist in determining As-Is and To-Be positions relative to IT
  governance and control maturity and analyse the gap
• are not industry specific nor generally applicable; the nature
  of the business will determine what is an appropriate level


                                                                     59
Maturity Models: Goal setting and measurement

Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Legend for symbols used: Enterprise current status; International standard guidelines; Industry practice; Enterprise target

Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated
60
Maturity models
are improved starting from a new generic qualitative model
based on the following attributes:


• awareness and communication
• policies, standards and procedures
• tools and automation
• skills and expertise
• responsibility and accountability
• goal setting and measurement


                                                             61
Example: Maturity Model
                                                                      for Manage Changes (AI6)
0 Non-existent when
There is no defined change management process and changes can be made with virtually no control. There is no awareness
that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.
1 Initial/ Ad Hoc when
It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take
place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable.
Errors are likely to occur together with interruptions to the production environment caused by poor change management.
2 Repeatable but Intuitive when
There is an informal change management process in place and most changes follow this approach; however, it is unstructured,
rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact
assessment takes place prior to a change.
3 Defined Process when
There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures,
change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often
bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on
business operations is becoming formalised, to support planned rollouts of new applications and technologies.
4 Managed and Measurable when
The change management process is well developed and consistently followed for all changes, and management is confident
that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and
controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise
the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is
current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change
management planning and implementation are becoming more integrated with changes in the business processes, to ensure
that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between
IT change management and business process redesign. There is a consistent process for monitoring the quality and
performance of the change management process.
5 Optimised when
The change management process is regularly reviewed and updated to stay in line with good practices. The review process
reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of
changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is
integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new
business opportunities for the organisation.
                                                                                                                          62
COBIT 4.1
•   Released May 2007
•   Incremental updates, no fundamental changes
•   CobiT 4.1 features
     - An enhanced Executive Overview; an introduction and explanation of goals and
        metrics in the framework section; and better definitions of the core concepts
     - Improved control objectives resulting from updated control practices and Val
        IT development activity
     - A new definition of a control objective, shifting more towards management
        practice statements
     - Grouping/rewording of some control objectives to avoid overlaps and make
        the list of control objectives within a process more consistent and action-
        oriented
          • AI5.4, AI5.5 and AI5.6 were combined
          • AI7.9, AI7.10 and AI7.11 were combined
          • Changes were also made to ME3 to include compliance with contractual requirements
            in addition to legal and regulatory requirements
     - Reworded application controls, to support financial controls effectiveness
        assessment and reporting
          • Six application controls replacing the 18 in COBIT 4.0, with further detail being
            provided in the COBIT Control Practices
     - An updated list of business goals and IT goals, based on new insights obtained
        during validation research executed by UAMS
     - An expanded pull-out providing, amongst others, a quick reference list of the
        COBIT processes
63
IT Assurance using COBIT




                           64
Implementation Guide - IT Assurance Guide

WHAT (centre): Framework; Management Guidelines; Control Objectives; Maturity Models; Control Objective (Value / Risk); Control Practices
HOW (left, implementation): Board Briefing -> Executive / CIO -> Baseline for IT Governance -> IT Governance Implementation Guide using CobiT
HOW (right, assurance): Board Briefing -> Audit Director -> Baseline for IT Governance -> Assurance Approach -> IT Assurance Guide using CobiT
65
Assurance & audit



• Assurance Guide instead of Audit Guide
  - Assurance also covers evaluation activities not
    governed by internal and/or external audit
    standards.




                                                      66
Assurance Roadmap




                67
Assurance planning



• IT audit universe
   - 34 IT processes
   - 4 IT resources
• Risk based assurance planning
   - The assurance professional should use an appropriate risk
     assessment technique or approach in developing the
     overall plan for the effective allocation of IT assurance
     resources.
   - Risk assessment is a technique used to examine units in
     the assurance universe and select those areas for review
     that have the greatest risk exposure, by analysing
       • Risk
       • impact


                                                                 68
Assurance planning
•   High-level assessment can provide support
    in assurance planning by identifying
    processes where the maturity/control gap
    between as-is and to-be is the most
    significant.
•   The results of such high-level assessment
    can be used to prioritise the IT assurance
    work. Specific benefits of such high-level
    assessments are:
     - Making members of IT management
       aware of their accountability for
       controlling IT and gaining their buy-in
     - High-level checking of compliance with
       established IT control requirements
     - Optimising and prioritising IT
       assurance resources
     - Bridging to IT governance
                                                          69
Assurance planning

•   Define the scope and objectives
     - define the scope and objectives of the assurance work and perform a
        preliminary assessment of internal control/maturity of the function/activities
        being reviewed to provide reasonable assurance that all material items will be
        adequately covered during the assurance initiative.




                                                                                     70
Assurance scoping

•   Define the scope and objectives
     - Business goals – IT goals – IT processes / IT resources – control
       objectives – customized control objectives




                                                                      71
Assurance execution




Derived from control practices
     Originally one IT control practice (ITCP) was translated into one testing step.
     Later all individual testing steps were grouped into three blocks:
1.   Testing control design (design effectiveness)
2.   Testing outcome of the objective (operational effectiveness)
3.   Document impact of control weaknesses

                                                                         72
The audit steps to be performed in assessing the adequacy of the design of controls.
AI6: Change Management

Testing control design

•   Enquire whether and confirm that the change management process allows
    business process owners and IT to request changes to infrastructure,
    systems or applications.
•   Enquire whether and confirm that the overall change management process
    includes emergency change procedures (e.g., defining, raising, testing,
    documenting, assessing and authorising emergency changes).
•   Enquire whether and confirm that processes and procedures for contracted
    services providers (e.g., infrastructure, application development, application
    service providers, shared services) are included in the change management
    process.
•   Determine if the process and procedures include the contractual terms and
    SLAs.




                                                                               73
The audit steps to be performed to ensure that the control measures established are
working as prescribed, consistently and continuously, and to conclude on the
appropriateness of the control environment.
AI6: Change Management

Testing CO outcome

•   Inspect a selection of changes and determine if requests have been categorised.
•   Inspect a selection of changes and determine if changes have been prioritised based on
    predefined criteria.
•   Inspect a selection of changes and determine if changes have been assessed in a
    structured method (e.g., security, legal, contractual and compliance implications are
    considered and business owners are involved).
•   Inspect a sample of emergency changes and verify that they have been processed in
    accordance with the change management framework. Verify that procedures have been
    followed to authorise, document and revoke access after the change has been applied.
•   Inspect a sample of emergency changes and determine if a post-implementation review
    has been conducted after the changes were applied. Consider implications for further
    application system maintenance, impact on development and test environments,
    application software development quality, documentation and manuals, and data
    integrity.




                                                                                             74
The audit steps to be performed to substantiate the risk of the control objective
not being met by using analytical techniques and/or consulting alternative sources.
AI6: Change Management

Document impact

•   Assess the time and cost of lack of formal change management
    standards and procedures (e.g., improper resource allocation,
    unclear roles and responsibilities, security breaches, lack of rollback
    procedures, lack of documentation and audit trails, inadequate
    training).
•   Assess the time and cost of lack of formal impact assessment to
    prioritise and authorise changes.
•   Assess the time and cost of lack of formal emergency change
    standards and procedures (e.g., compromised security, failure to
    properly terminate additional access authorisations, unauthorised
    access to corporate information).




                                                                              75
Structure of assurance guidance provided




                                           76
Example: Control practices




                             77
Example: testing control design




                                  78
Example: testing
operational effectiveness




                            79
Example: documenting impact




                              80
IT Assurance assignments in practice
             (templates)




                                       81
Assurance assignment
1.    Scoping

     1.1   Processes

     1.2   Control objectives

     1.3   Control practices

2.    Testing

     2.1   Evaluate Design Effectiveness (testing control design)

     2.2   Evaluate Operating Effectiveness (testing outcome of the control process)

3.    Findings and recommendations




                                                                                       82
1.1 Scoping: processes

 • Define cascade of business goals – IT goals –
   IT processes




Goal:
first list of IT processes
                                                      83
1.1 Scoping: processes
• Define/refine list of IT processes based on risk
  based scoping

  - Risk and value drivers




                             Goal:
                             refined list of IT processes


                                                            84
1.1 Scoping: processes
• Define/refine list of IT processes based on risk
  based scoping

  - Maturity assessment

                                 Goal:
                                 refined list of IT processes
                                                                85
1.2 Scoping: control objectives

• Define control framework for 1 process based
  on control objectives attributes
                               Goal:
                               Set of important control
                               objectives for one IT
                               process




                                                          86
1.3 Scoping: control practices

• Define control design for one control objective

                                Goal:
                                Minimum and sufficient set
                                of control practices to
                                achieve a control objective




                                                              87
2. Testing
• Structured approach for each of the control objectives /
  control practices

  Inputs used: COBIT 4 Control Practices; RACI chart; audit plans (Assurance Guide, inputs/outputs, ...)
                                                                88
2.1 Evaluate design effectiveness

• Translate control practices into assurance
  steps to evaluate design effectiveness

  Inputs used: COBIT 4 Control Practices; RACI chart; audit plans (Assurance Guide, ...)
                                                   89
Example
          2.1 Evaluate design effectiveness




                                              90
2.2 Evaluate operating effectiveness




                                       91
2.2 Evaluate operating effectiveness

  Inputs used: COBIT 4.0 Control Practices; RACI chart; inputs/outputs; audit plans (Assurance Guide)
                                                                    92
Example
          2.2 Evaluate operating effectiveness




                                                 93
3. Findings & Recommendations
•   FINDING: Description; Detection (Walkthrough / Testing)
•   RISK: Description; Categorization
•   RECOMMENDATION: Description; Priority
                                                    94
Findings & Recommendations
       Example

FINDING (Description / Detection)
DS8.1 : There is no monitoring process in place that focuses on the quality of the Service Desk and the end
users’ satisfaction.

RISK (Description / Classification)
IT management is not informed on how the business perceives the Service Desk in particular and the IT
department in general. This lack of information can cause a disconnection/misalignment between business
and IT (i.e. no perception of added value by IT). It also prevents the implementation of an effective
continuous improvement process.

RECOMMENDATION (Description / Priority)
Organize regular user satisfaction surveys via the different available media (intranet, phone, direct…) and use
this information to compare the responses of the satisfied users with the dissatisfied users. This information
can also be used to enable continuous improvement.
                                                                                                                                   95
96
97

Structured Approach To It Business System Availability And Continuity Plannin...
 
Lean IT
Lean ITLean IT
Lean IT
 
Development Platform as a Service - erfarenheter efter ett års användning - ...
Development Platform as a Service - erfarenheter efter ett års användning -  ...Development Platform as a Service - erfarenheter efter ett års användning -  ...
Development Platform as a Service - erfarenheter efter ett års användning - ...
 
Service Operation
Service OperationService Operation
Service Operation
 
Blue Slate Health IT award winning payer case study
Blue Slate Health IT award winning payer case studyBlue Slate Health IT award winning payer case study
Blue Slate Health IT award winning payer case study
 
Enterprise Mobility Strategy Webinar by Endeavour
Enterprise Mobility Strategy Webinar by EndeavourEnterprise Mobility Strategy Webinar by Endeavour
Enterprise Mobility Strategy Webinar by Endeavour
 
Guerilla Marketing of Enterprise Architecture Management
Guerilla Marketing of Enterprise Architecture ManagementGuerilla Marketing of Enterprise Architecture Management
Guerilla Marketing of Enterprise Architecture Management
 
Paul C Brown S O A Governance
Paul  C  Brown    S O A  GovernancePaul  C  Brown    S O A  Governance
Paul C Brown S O A Governance
 
Day 3 p3 - xs and ec
Day 3   p3 - xs and ecDay 3   p3 - xs and ec
Day 3 p3 - xs and ec
 
Is an agile SDLC an oxymoron?
Is an agile SDLC an oxymoron? Is an agile SDLC an oxymoron?
Is an agile SDLC an oxymoron?
 
M2MSys ITIL Executive Summary
M2MSys ITIL Executive SummaryM2MSys ITIL Executive Summary
M2MSys ITIL Executive Summary
 
Sharepoint & TRIM integration
Sharepoint & TRIM integrationSharepoint & TRIM integration
Sharepoint & TRIM integration
 
Mit Enterprise Forum 0309 Final
Mit Enterprise Forum 0309 FinalMit Enterprise Forum 0309 Final
Mit Enterprise Forum 0309 Final
 
Solvency II -The Practicalities Around Programme Governance & Data
Solvency II -The Practicalities Around Programme Governance & Data Solvency II -The Practicalities Around Programme Governance & Data
Solvency II -The Practicalities Around Programme Governance & Data
 
Enpower Process Consulting Profile
Enpower Process Consulting ProfileEnpower Process Consulting Profile
Enpower Process Consulting Profile
 
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them7 Mistakes of IT Security Compliance - and Steps to Avoid Them
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
 
Rawat Ibm Compliance Webinar
Rawat Ibm Compliance WebinarRawat Ibm Compliance Webinar
Rawat Ibm Compliance Webinar
 
Reinventing business requirements with decision management
Reinventing business requirements with decision managementReinventing business requirements with decision management
Reinventing business requirements with decision management
 
Omnitech Corporate Overview
Omnitech Corporate OverviewOmnitech Corporate Overview
Omnitech Corporate Overview
 
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
SilverStorm "Credibility and Collaboration to achieve excellence in IT Govern...
 

Viewers also liked

Five Keys To Software Projects
Five Keys To Software ProjectsFive Keys To Software Projects
Five Keys To Software Projects
Lauri Jutila
 
Change Management Training
Change Management TrainingChange Management Training
Change Management Training
Felix Cabo Jr.
 
CobiT And ITIL Breakfast Seminar
CobiT And ITIL Breakfast SeminarCobiT And ITIL Breakfast Seminar
CobiT And ITIL Breakfast Seminar
Acend Corporate Learning
 
Školení procesního řízení - základní úvod
Školení procesního řízení - základní úvodŠkolení procesního řízení - základní úvod
Školení procesního řízení - základní úvod
Petr Snajdr
 
Agility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBITAgility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBIT
Przemek Wysota
 
Cobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignmentCobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignment
Kathryn Howard
 
MSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
MSP Best Practice | Using Strategic IT Roadmaps to Get More ContractsMSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
MSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
David Castro
 
Organizational maturity model pcmm
Organizational maturity model pcmmOrganizational maturity model pcmm
Organizational maturity model pcmm
Daniel Oskooei
 
Problem Management
Problem ManagementProblem Management
Problem Management
Abhishek Agnihotry
 
Incident Management
Incident ManagementIncident Management
Incident Management
Abhishek Agnihotry
 
ITIL v3 and COBIT v.4.1 Project Report
ITIL v3 and COBIT v.4.1 Project ReportITIL v3 and COBIT v.4.1 Project Report
ITIL v3 and COBIT v.4.1 Project Report
Arma?an ?ahin
 
ITIL v3 Problem Management
ITIL v3 Problem ManagementITIL v3 Problem Management
ITIL v3 Problem Management
Josep Bardallo
 

Viewers also liked (12)

Five Keys To Software Projects
Five Keys To Software ProjectsFive Keys To Software Projects
Five Keys To Software Projects
 
Change Management Training
Change Management TrainingChange Management Training
Change Management Training
 
CobiT And ITIL Breakfast Seminar
CobiT And ITIL Breakfast SeminarCobiT And ITIL Breakfast Seminar
CobiT And ITIL Breakfast Seminar
 
Školení procesního řízení - základní úvod
Školení procesního řízení - základní úvodŠkolení procesního řízení - základní úvod
Školení procesního řízení - základní úvod
 
Agility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBITAgility under Control - SCRUM vs COBIT
Agility under Control - SCRUM vs COBIT
 
Cobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignmentCobit from Mars ITIL from Venus - alignment
Cobit from Mars ITIL from Venus - alignment
 
MSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
MSP Best Practice | Using Strategic IT Roadmaps to Get More ContractsMSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
MSP Best Practice | Using Strategic IT Roadmaps to Get More Contracts
 
Organizational maturity model pcmm
Organizational maturity model pcmmOrganizational maturity model pcmm
Organizational maturity model pcmm
 
Problem Management
Problem ManagementProblem Management
Problem Management
 
Incident Management
Incident ManagementIncident Management
Incident Management
 
ITIL v3 and COBIT v.4.1 Project Report
ITIL v3 and COBIT v.4.1 Project ReportITIL v3 and COBIT v.4.1 Project Report
ITIL v3 and COBIT v.4.1 Project Report
 
ITIL v3 Problem Management
ITIL v3 Problem ManagementITIL v3 Problem Management
ITIL v3 Problem Management
 

Similar to Joburg cobit assurance

Cobit 4.1 Highlights
Cobit 4.1 HighlightsCobit 4.1 Highlights
Cobit 4.1 Highlights
geoffharmer
 
ThinkFaculty ITIL Training Course IBM
ThinkFaculty ITIL Training Course IBMThinkFaculty ITIL Training Course IBM
ThinkFaculty ITIL Training Course IBM
Zyma Arsalan
 
BiSL Introduction Eng 2010
BiSL Introduction Eng 2010BiSL Introduction Eng 2010
BiSL Introduction Eng 2010
lucillevanderhagen
 
BiSL introduction ENG
BiSL introduction ENGBiSL introduction ENG
BiSL introduction ENG
Vosmeer
 
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
TRANANHQUAN4
 
IT Governance - COBIT Perspective
IT Governance - COBIT PerspectiveIT Governance - COBIT Perspective
IT Governance - COBIT Perspective
Sayyed Zakir Ali Rizwe
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
Kashif Rana ACCA
 
IT Governance - OpenThinking Day
IT Governance - OpenThinking DayIT Governance - OpenThinking Day
IT Governance - OpenThinking Day
Iyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
Use COBIT for IT SAVINGS
Use COBIT for IT SAVINGSUse COBIT for IT SAVINGS
Use COBIT for IT SAVINGS
Sanjiv Arora
 
Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...
Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...
Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...
Alan McSweeney
 
information system and computers
information system and computersinformation system and computers
information system and computers
9535814851
 
Tatakelola Teknologi Informasi
Tatakelola Teknologi InformasiTatakelola Teknologi Informasi
Tatakelola Teknologi Informasi
Cahyo Darujati
 
What Is It Governance 24812
What Is It Governance 24812What Is It Governance 24812
What Is It Governance 24812
Amr Mustafa
 
What is-it-governance-24812
What is-it-governance-24812What is-it-governance-24812
What is-it-governance-24812
Jorge Luis Callalle Torres
 
Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0
John Bernhard
 
IDBI Intech - RBI Working Group Consulting
IDBI Intech - RBI Working Group ConsultingIDBI Intech - RBI Working Group Consulting
IDBI Intech - RBI Working Group Consulting
IDBI Intech
 
Business IT Management - Intro to CobiT & ITIL
Business IT Management - Intro to CobiT & ITILBusiness IT Management - Intro to CobiT & ITIL
Business IT Management - Intro to CobiT & ITIL
Ahmad Hafeezi
 
How to implement interoperability
How to implement interoperabilityHow to implement interoperability
How to implement interoperability
E-Government Center Moldova
 
It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013
James Sutter
 
It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013
Jim Sutter
 

Similar to Joburg cobit assurance (20)

Cobit 4.1 Highlights
Cobit 4.1 HighlightsCobit 4.1 Highlights
Cobit 4.1 Highlights
 
ThinkFaculty ITIL Training Course IBM
ThinkFaculty ITIL Training Course IBMThinkFaculty ITIL Training Course IBM
ThinkFaculty ITIL Training Course IBM
 
BiSL Introduction Eng 2010
BiSL Introduction Eng 2010BiSL Introduction Eng 2010
BiSL Introduction Eng 2010
 
BiSL introduction ENG
BiSL introduction ENGBiSL introduction ENG
BiSL introduction ENG
 
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
Lecture 06 - CoBit - Control Objectives for Information and Related Technolog...
 
IT Governance - COBIT Perspective
IT Governance - COBIT PerspectiveIT Governance - COBIT Perspective
IT Governance - COBIT Perspective
 
Information systems audit and control
Information systems audit and controlInformation systems audit and control
Information systems audit and control
 
IT Governance - OpenThinking Day
IT Governance - OpenThinking DayIT Governance - OpenThinking Day
IT Governance - OpenThinking Day
 
Use COBIT for IT SAVINGS
Use COBIT for IT SAVINGSUse COBIT for IT SAVINGS
Use COBIT for IT SAVINGS
 
Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...
Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...
Using the IVI (Innovation Value Institute) IT CMF (IT Capability Maturity Fra...
 
information system and computers
information system and computersinformation system and computers
information system and computers
 
Tatakelola Teknologi Informasi
Tatakelola Teknologi InformasiTatakelola Teknologi Informasi
Tatakelola Teknologi Informasi
 
What Is It Governance 24812
What Is It Governance 24812What Is It Governance 24812
What Is It Governance 24812
 
What is-it-governance-24812
What is-it-governance-24812What is-it-governance-24812
What is-it-governance-24812
 
Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0Id m what-why-how presentationv2.0
Id m what-why-how presentationv2.0
 
IDBI Intech - RBI Working Group Consulting
IDBI Intech - RBI Working Group ConsultingIDBI Intech - RBI Working Group Consulting
IDBI Intech - RBI Working Group Consulting
 
Business IT Management - Intro to CobiT & ITIL
Business IT Management - Intro to CobiT & ITILBusiness IT Management - Intro to CobiT & ITIL
Business IT Management - Intro to CobiT & ITIL
 
How to implement interoperability
How to implement interoperabilityHow to implement interoperability
How to implement interoperability
 
It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013
 
It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013It Governance OC CIO Nov,2013
It Governance OC CIO Nov,2013
 

Joburg cobit assurance

  • 1. Using COBIT 4.1 for Assurance Assignments
    Prof. dr. Wim Van Grembergen, University of Antwerp (UA), University of Antwerp Management School (UAMS), IT Alignment and Governance research institute (ITAG)
    wim.vangrembergen@ua.ac.be, www.uams.be/itag
  • 2. Agenda
    - COBIT introduction
    - COBIT framework
    - COBIT elements: high-level and detailed Control Objectives; IT control practices; Management Guidelines; Maturity models
    - IT assurance using COBIT
    - IT assurance assignments in practice (templates)
  • 4. COBIT evolution: with each release the focus of the framework widened, from audit through control and management to governance
    - COBIT 1 (1996)
    - COBIT 2 (1998)
    - COBIT 3 (2000)
    - COBIT 4 (2005)
  • 5. Some key strengths
    - Incorporates major international standards
    - Has become the de facto standard for overall control over IT
    - Starting from business requirements
    - Process oriented
    - CobiT is a best-practices repository for IT processes: IT management processes and IT governance processes
  • 6. COBIT and other standards (Gartner Research Note)
    - CobiT: control, the WHAT
    - ITIL: activities, the HOW
    - BS7799: security
  • 7. Who needs an IT Control Framework?
    - Board and Executive: to ensure management follows and implements the strategic direction for IT
    - Management: IT investment decisions; balance risk and control investment; benchmark existing and future IT environment
    - Users: to obtain assurance on security and control of products and services they acquire internally or externally
    - Auditors: to substantiate opinions to management on internal controls; to advise on what minimum controls are necessary
  • 9. COBIT Framework (definitions): Business Requirements, IT Processes, IT Resources
    "In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes."
  • 10. Business requirements: COBIT's seven information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability of information) bring together
    - Quality requirements: quality (effectiveness), delivery, cost (efficiency)
    - Security requirements: confidentiality, integrity, availability
    - Fiduciary requirements (COSO Report): effectiveness and efficiency of operations, compliance with laws and regulations, reliability of financial reporting
  • 11. Business requirements
    - Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
    - Efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.
    - Confidentiality: concerns protection of sensitive information from unauthorized disclosure.
    - Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
    - Availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
    - Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e. externally imposed business criteria.
    - Reliability of information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
  • 12. Linking business goals, IT goals and IT processes (example)
    - Business goal: Maintain enterprise reputation and leadership
    - drives IT goal: Ensure IT services can resist and recover from attacks
    - drives process goal: Understanding security requirements, vulnerabilities and threats
  • 15. IT processes Business Requirements IT Processes IT Resources Domains Natural grouping of processes, often matching an organisational domain of responsibility Processes A series of joined activities with natural control breaks. ess ec or P TI Activities Actions needed to achieve a or tasks measurable result. Activities have a life-cycle whereas tasks are discrete. 15
  • 16. COBIT IT Processes Planning and Organisation PO1. Define a strategic IT plan PO2. Define the information architecture PO3. Determine technological direction PO4. Define the IT processes, organization and relationships PO5. Manage the IT investment PO6. Communicate management aims and direction PO7. Manage IT human resources PO8. Manage quality PO9. Assess and manage IT risks PO10. Manage projects 16
  • 17. COBIT IT Processes Acquisition and Implementation AI1. Identify automated solutions AI2. Acquire and maintain application software AI3. Acquire and maintain technology infrastructure AI4. Enable operation and use AI5. Procure IT resources AI6. Manage changes AI7. Install and accredit solutions and changes 17
  • 18. COBIT IT Processes Delivery and Support DS1. Define and manage service levels DS2. Manage third-party services DS3. Manage performance and capacity DS4. Ensure continuous service DS5. Ensure systems security DS6. Identify and allocate costs DS7. Educate and train users DS8. Manage service desk and incidents DS9. Manage the configuration DS10. Manage problems DS11. Manage data DS12. Manage the physical environment DS13.Manage operations 18
  • 19. COBIT IT Processes Monitor an Evaluate ME1. Monitor and evaluate IT performance ME2. Monitor and evaluate internal control ME3. Ensure regulatory compliance ME4. Provide IT governance 19
  • 20. Linking business goals - IT goals – IT processes Assignment Maintain enterprise reputation and leadership Business Goal Ensure IT services can Ensure IT services can resist and recover from resist and recover from attacks attacks drives IT Goal ???? drives Process Goal 20
  • 21. Linking IT goals business goals to IT goals Linking Business goals to IT goals Business goals 21
  • 22. Linking IT goals business goals to IT goals Linking IT goals to IT processes IT processes 22
  • 23. The most important IT Processes (COBIT3.2) 34 PO1 define a strategic IT plan PO3 determine the technological direction PO5 manage the IT investment PO9 assess risks PO10 manage projects 15 AI1 AI2 identify solutions acquire and maintain applications s/w AI5 install and accredit systems AI6 manage changes 7 DS1 define service levels DS4 ensure continuous service DS5 ensure system security DS10 manage problems and incidents DS11 manage data Survey M1 monitor the processes 23
  • 24. IT Resources Business Requirements IT Processes IT Resources Data : Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc. Application Systems : understood to be the sum of manual and programmed procedures. Infrastructure : covers hardware, operating systems, s ecr u os e R TI database management systems, networking, multimedia, facilities, etc.. People : Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services. 24
  • 25. COBIT Framework IT IT Business Resources Processes Requirements  Data  Planning and  Effectiveness organisation  Efficiency  Application Systems  Aquisition and  Confidentiality implementation  Infrastructure  Integrity  Delivery and  Availability  People Support Compliance t od w H   Monitor and o  Information evaluate Reliability 25
  • 26. The resources How IT is What the What the The resources How IT is made available to made available to organised to organised to stakeholders stakeholders - -and built up by - - and built up by respond to the respond to the expect from IT expect from IT IT IT requirements requirements IT IT Business Resources Processes Requirements  Data  Planning and  Effectiveness organisation  Efficiency  Application Systems  Aquisition and  Confidentiality implementation  Infrastructure  Integrity  Delivery and  Availability  People Support  Compliance  Monitor and  Information evaluate Reliability 26
  • 27. PO1. define a strategic IT plan Business and COBIT PO2. define the information architecture Governance PO3. determine technological direction Objectives PO4. define the IT processes, organization and relationships Framework PO5. manage the IT investment PO6.communicate management aims and direction PO7. manage IT human resources PO8. manage quality PO9. assess and manage risk INFORMATION PO10. manage projects ME1. monitor and evaluate IT performance ME2. monitor and evaluate internal control Criteria ME3. ensure regulatory compliance • effectiveness • efficiency ME4. provide IT governance • confidentiality • integrity • availability • compliance • reliability MONITOR AND PLANNING AND EVALUATE ORGANISATION IT RESOURCES • data • application systems • Infrastructure • people DS1. define and manage service levels DS2. manage third party services DS3. manage performance and capacity DS4. ensure continuous service DELIVERY AND ACQUISITION AND DS5. ensure systems security SUPPORT IMPLEMENTATION DS6. identify and allocate costs DS7. educate and train users DS8. manage service desk and incidents AI1. identify automated solutions DS9. manage the configuration AI2. acquire and maintain application software DS10. manage problems AI3. acquire and maintain technology infrastructure DS11. manage data AI4. enable operation and use DS12. manage the physical environment AI5. procure IT resources DS13.manage operations AI6. manage changes AI7. install and accredit solutions and changes 27
  • 28. The Major Elements of COBIT  High-level and detailed Control Objectives  Management Guidelines  Inputs – outputs  RACI chart  Goals and metrics  Maturity models  Assurance Guidelines – Implementation Guidelines 28
  • 30. COBIT Control Objectives The policies, procedures, practices and organisational Definition of structures, designed to provide reasonable assurance that Control business objectives will be achieved and that undesired events will be prevented or detected and corrected IT control objectives provide a complete set of high-level Definition of requirements to be considered by management for IT Control effective control of each IT process. They: Objective • Are statements of managerial actions to increase value or reduce risk • Consist of policies, procedures, practices and organisational structures • Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected 30
  • 31. Example: Detailed Control Objectives for Manage Changes (AI6) AI6.1 Change Standards and Procedures Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms. AI6.2 Impact Assessment, Prioritisation and Authorisation Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorized by the appropriate stakeholder. AI6.3 Emergency Changes Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change. AI6.4 Change Status Tracking and Reporting Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms. AI6.5 Change Closure and Documentation Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes. 31
  • 32. Generic process controls • Each COBIT process has generic control requirements that are identified by generic process controls within the Process Control (PC) domain. These are applicable for all COBIT processes and should be considered together with the detailed COBIT control objectives to have a complete view of control requirements. • PC1 Process goals and objectives • PC2 Process ownership • PC3 Process repeatability • PC4 Roles and responsibilities • PC5 Policy, plans and procedures • PC6 Process performance improvement 32
  • 33. Application controls • Application controls relate to the transactions and standing data pertaining to each automated application system and are specific to each such application. They ensure the completeness and accuracy of the records and the validity of the entries made in transactions and standing data resulting from both manual and automated processing. • COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement (AI) domain. The operational management and control responsibility for application controls is not with IT, but with the business process owner. Therefore, the COBIT IT processes cover general IT controls but not application controls. • AC1 Source document preparation and authorisation • AC2 Source document collection and data entry • AC3 Accuracy, completeness, authenticity checks • AC4 Data processing integrity and validity • AC5 Output review, reconciliation and error handling • AC6 Transaction authentication and integrity 33
  • 35. COBIT - IT Control Practices • For each of the control objectives, a list of specific control practices is defined. In addition, three generic control practices are defined, which are applicable to all control objectives. (Design control approach, Accountability and responsibility, Communication and understanding) • The complete set of generic and specific control practices provides one control approach, consisting of practices that are necessary for achieving the control objective. They provide high- level generic guidance, at a more detailed level under the control objective, for assessing process maturity, considering potential improvements and implementing the controls. • They do not describe specific solutions, and further guidance may need to be obtained from specific, relevant standards and best practices, such as ITIL or PRINCE2. 35
  • 36. COBIT - IT Control Practices DS8.1 Service Desk Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services. 1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management. 2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident. 3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution. 4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation. 5. 
Using the service desk software, create service desk performance reports to enable performance monitoring and continuous improvement of the service desk. 36
  • 37. COBIT Management Guidelines Inputs – Outputs 37
  • 39. Each process has primary inputs and outputs with process linkages. Example PO1 – Inputs: Mission and Goals; Understanding of the business context, capability and capacity; Business Strategy; Risk Appetite. Outputs: Strategic Plan; Tactical Plan; Project Portfolio; Service Portfolio. 39
  • 40. Inputs / outputs template • Process: … Input from: (Process – what) Output to: (Process – what) 40
  • 42. COBIT Management Guideline RACI Chart 42
  • 43. RACI chart providing roles and responsibilities (example PO1). Functions: CEO, CFO, Business Executive, CIO, Business Sr Management, Head of Operations, Chief Architect or CTO, Head of Development, Head of IT Admin (HR, Fin, etc.), PMO, CARS. 43
  • 44. Activities RACI Chart – Functions: CEO, CFO, Business Exec, CIO, Business Sr Mgmt, Head Operations, Chief Architect, Head Development, Head IT Admin, PMO, CARS. CARS includes Risk, Security, Audit and Compliance. 44
  • 45. Example: RACI Diagram for Manage Changes (AI6) 45
  • 46. COBIT Management Guideline Goals and metrics 46
  • 47. COBIT Management Guidelines Goals and Metrics Key Goal Indicators (KGIs) • lag indicator • is an indicator of the success of the process and its business contribution • describes the outcome of the process, i.e. measurable after the fact; a measure of “what”; may describe the impact of not reaching the process goal • focuses on the customer and financial dimensions of the balanced scorecard 47
  • 48. COBIT Management Guidelines Goals and Metrics Examples of Key Goal Indicators (KGIs) - Increased level of service delivery - Reduced time and effort required to make changes - Availability of systems and services - Absence of integrity and confidentiality risks - Cost efficiency of processes and operations - Confirmation of reliability and effectiveness - Adherence to development cost and schedule - Cost efficiency of the process - Staff productivity and morale - Number of timely changes to processes and systems - Improved productivity (e.g., delivery of value per employee) 48
  • 49. COBIT Management Guidelines Goals and Metrics Key Performance Indicators (KPIs) • lead indicator • are a measure of “how well” the process is performing • predict the probability of success or failure • focus on the process and learning dimensions of the balanced scorecard • are expressed in precise measurable terms • should help in improving the IT process 49
  • 50. COBIT Management Guidelines Goals and Metrics Examples of Key Performance Indicators (KPIs) - System downtime - Throughput and response times - Amount of errors and rework - Number of staff trained in new technology - Customer service skills - Benchmark comparisons - Number of non-compliance reportings - Reduction in development and processing time 50
  • 51. KGIs/KPIs for “Ensure System Security” (DS5). Metrics for BSC of IT process owner: KPI Security expertise; KGI Number of incidents because of unauthorised access. Metrics for BSC of IT manager: KGI Number of security breaches. Metrics for BSC of business manager: KGI Number of incidents causing public embarrassment. The process-level metrics represent the KPIs and KGIs of the IT process owner and can be used as building blocks for a BSC at process level; they map on the current KGIs and KPIs of COBIT. The KGIs at process level are at the same time KPIs at the IT manager’s level (vertical lines). The IT manager’s KGIs represent the goals of the IT manager and can be derived from the list of IT goals; together with the KPIs (horizontal arrow) they are building blocks for the IT manager’s BSC. The KGIs at the IT manager’s level are at the same time KPIs at the business manager’s level (vertical lines). The business manager’s KGIs represent the goals of the business manager and can be derived from the list of business goals; together with the KPIs (horizontal arrow) they are building blocks for the business manager’s BSC. 51
  • 52. Cascade of metrics: a KGI at business level is supported by many other KPIs at IT and process level. Metrics for BSC of IT process owner (KPIs → KGIs) feed the metrics for BSC of IT manager (KPIs → KGIs), which feed the metrics for BSC of business manager (KPIs → KGIs). 52
  • 53. Cascade of metrics for “Ensure System Security” (DS5). GOALS: Process Goal – Understanding security requirements, vulnerabilities and threats – drives IT Goal – Ensure IT services can resist and recover from attacks – drives Business Goal – Maintain enterprise reputation and leadership. METRICS: Process level KPI – Nr and type of new security incidents; Process level KGI – Nr of incidents because of unauthorised access; IT Goal KGI – Nr of IT security incidents; Business Goal KGI – Number of incidents causing public embarrassment. 53
  • 56. IT goals – Process goals – Activity goals; IT KGI – Process KGI – Activity KGI (process KPI) 56
  • 57. Example: Goals and metrics for Manage Changes (AI6) 57
  • 59. Maturity Models • refers to business requirements (KGI) and the enabling aspects (KPI) at the different levels • are a scale that lends itself to pragmatic comparison, where the difference can be made measurable in an easy manner • are recognisable as a “profile” of the enterprise in relation to IT governance and control • assist in determining As-Is and To-Be positions relative to IT governance and control maturity and analyse the gap • are not industry specific nor generally applicable, the nature of the business will determine what is an appropriate level 59
  • 60. Maturity Models: Goal setting and measurement. Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised. Legend for symbols used: Enterprise current status; International standard guidelines; Industry practice; Enterprise target. Legend for rankings used: 0 - Management processes are not applied at all; 1 - Processes are ad hoc and disorganised; 2 - Processes follow a regular pattern; 3 - Processes are documented and communicated; 4 - Processes are monitored and measured; 5 - Best practices are followed and automated. 60
  • 61. Maturity models are improved starting from a new generic qualitative model based on the following attributes: •awareness and communication •policies, standards and procedures •tools and automation •skills and expertise •responsibility and accountability •goal setting and measurement 61
  • 62. Example: Maturity Model for Manage Changes (AI6) 0 Non-existent when There is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management. 1 Initial/Ad Hoc when It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management. 2 Repeatable but Intuitive when There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change. 3 Defined Process when There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies. 4 Managed and Measurable when The change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation are becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process redesign. There is a consistent process for monitoring the quality and performance of the change management process. 5 Optimised when The change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation. 62
  • 63. COBIT 4.1 • Released May 2007 • Incremental updates, no fundamental changes • CobiT 4.1 features - an enhanced Executive Overview, introduction and explanation of goals and metrics in the framework section, and better definitions of the core concepts - improved control objectives resulting from updated control practices and Val IT development activity - a new definition of a control objective, shifting more towards management practice statements - grouping/rewording of some control objectives to avoid overlaps and make the list of control objectives within a process more consistent and action-oriented • AI5.4, AI5.5 and AI5.6 were combined • AI7.9, AI7.10 and AI7.11 were combined • Changes were also made to ME3 to include compliance with contractual requirements in addition to legal and regulatory requirements - reworded application controls, to support financial controls effectiveness assessment and reporting • six Application Controls replacing the 18 in COBIT 4.0, with further detail being provided in the COBIT Control Practices - an updated list of business goals and IT goals, based on new insights obtained during validation research executed by UAMS - an expanded pull-out to provide, amongst others, a quick reference list of the COBIT processes 63
  • 64. IT Assurance using COBIT 64
  • 65. Implementation Guide - IT Assurance Guide (COBIT product family). WHAT: Framework; Control Objectives (baseline for IT governance and control); Maturity Models. HOW: Management Guidelines; Control Practices; IT Governance Implementation Guide using CobiT; IT Assurance Guide using CobiT (assurance approach). Audiences: Board (Board Briefing on IT Governance), Executive, CIO, Audit Director. 65
  • 66. Assurance & audit • Assurance Guide instead of Audit Guide - Assurance also covers evaluation activities not governed by internal and/or external audit standards. 66
  • 68. Assurance planning • IT audit universe - 34 IT processes - 4 IT resources • Risk based assurance planning - The assurance professional should use an appropriate risk assessment technique or approach in developing the overall plan for the effective allocation of IT assurance resources. - Risk assessment is a technique used to examine units in the assurance universe and select those areas for review that have the greatest risk exposure, by analysing • risk • impact 68
  • 69. Assurance planning • High-level assessment can provide support in assurance planning by identifying processes where the maturity/control gap between as-is and to-be is the most significant. • The results of such high-level assessment can be used to prioritise the IT assurance work. Specific benefits of such high-level assessments are: - Making members of IT management aware of their accountability for controlling IT and gaining their buy-in - High-level checking of compliance with established IT control requirements - Optimising and prioritising IT assurance resources - Bridging to IT governance 69
  • 70. Assurance planning • Define the scope and objectives - define the scope and objectives of the assurance work and perform a preliminary assessment of internal control/maturity of the function/activities being reviewed to provide reasonable assurance that all material items will be adequately covered during the assurance initiative. 70
  • 71. Assurance scoping • Define the scope and objectives - Business goals – IT goals – IT processes / IT resources – control objectives – customized control objectives 71
  • 72. Assurance execution Derived from control practices. Originally 1 ITCP (IT control practice) was translated into 1 testing step. Later all individual testing steps were grouped into three blocks: 1. Testing control design (design effectiveness) 2. Testing outcome of the objective (operational effectiveness) 3. Document impact of control weaknesses 72
  • 73. The audit steps to be performed in assessing the adequacy of the design of controls. AI6: Change Management Testing control design • Enquire whether and confirm that the change management process allows business process owners and IT to request changes to infrastructure, systems or applications. • Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes). • Enquire whether and confirm that processes and procedures for contracted services providers (e.g., infrastructure, application development, application service providers, shared services) are included in the change management process. • Determine if the process and procedures include the contractual terms and SLAs. 73
  • 74. The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously and to conclude on the appropriateness of the control environment. AI6: Change Management Testing CO outcome • Inspect a selection of changes and determine if requests have been categorised. • Inspect a selection of changes and determine if changes have been prioritised based on predefined criteria. • Inspect a selection of changes and determine if changes have been assessed in a structured method (e.g., security, legal, contractual and compliance implications are considered and business owners are involved). • Inspect a sample of emergency changes and verify that they have been processed in accordance with the change management framework. Verify that procedures have been followed to authorise, document and revoke access after the change has been applied. • Inspect a sample of emergency changes and determine if a post-implementation review has been conducted after the changes were applied. Consider implications for further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity. 74
  • 75. The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. AI6: Change Management Document impact • Assess the time and cost of lack of formal change management standards and procedures (e.g., improper resource allocation, unclear roles and responsibilities, security breaches, lack of rollback procedures, lack of documentation and audit trails, inadequate training). • Assess the time and cost of lack of formal impact assessment to prioritise and authorise changes. • Assess the time and cost of lack of formal emergency change standards and procedures (e.g., compromised security, failure to properly terminate additional access authorisations, unauthorised access to corporate information). 75
  • 76. Structure of assurance guidance provided 76
  • 81. IT Assurance assignments in practice (templates) 81
  • 82. Assurance assignment 1. Scoping 1.1 Processes 1.2 Control objectives 1.3 Control practices 2. Testing 2.1 Evaluate Design Effectiveness (testing control design) 2.2 Evaluate Operating Effectiveness (testing outcome of the control process) 3. Findings and recommendations 82
  • 83. 1.1 Scoping: processes • Define cascade of business goals – IT goals – IT processes Goal: first list of IT processes 83
  • 84. 1.1 Scoping: processes • Define/refine list of IT processes based on risk based scoping - Risk and value drivers Goal: refined list of IT processes 84
  • 85. 1.1 Scoping: processes • Define/refine list of IT processes based on risk based scoping Goal: refined list of IT processes - Maturity assessment 85
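The risk based scoping of slides 68, 69 and 85 (as-is/to-be maturity gap combined with risk and impact to prioritise assurance work) carried through in code, as an added example that is not part of the original deck or of COBIT itself; the process list, ratings and the gap × exposure scoring rule are constructed for illustration.

```python
"""Risk based assurance scoping: rank IT processes by maturity gap and risk exposure."""
from dataclasses import dataclass
from typing import List, Optional

# COBIT generic maturity scale as shown on the "Goal setting and measurement" slide.
MATURITY_LEVELS = {
    0: "Non-existent",
    1: "Initial/Ad Hoc",
    2: "Repeatable but Intuitive",
    3: "Defined Process",
    4: "Managed and Measurable",
    5: "Optimised",
}


@dataclass(frozen=True)
class ProcessAssessment:
    process_id: str   # COBIT process identifier, e.g. "AI6"
    name: str
    as_is: int        # current maturity, 0..5
    to_be: int        # target maturity, 0..5
    risk: int         # assessor's likelihood rating of control failure, 1..5 (constructed scale)
    impact: int       # assessor's business impact rating, 1..5 (constructed scale)

    def __post_init__(self) -> None:
        for label, value in (("as_is", self.as_is), ("to_be", self.to_be)):
            if value not in MATURITY_LEVELS:
                raise ValueError(f"{self.process_id}: {label}={value} is not a maturity level 0..5")
        for label, value in (("risk", self.risk), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{self.process_id}: {label}={value} must be 1..5")


def maturity_gap(a: ProcessAssessment) -> int:
    """Levels between as-is and to-be; a process already at or above target has no gap."""
    return max(a.to_be - a.as_is, 0)


def risk_exposure(a: ProcessAssessment) -> int:
    """Risk x impact, the two factors the assurance planning slide analyses."""
    return a.risk * a.impact


def priority_score(a: ProcessAssessment) -> int:
    """Constructed scoring rule: the larger the gap and the exposure, the earlier it is reviewed."""
    return maturity_gap(a) * risk_exposure(a)


def rank_for_assurance(assessments: List[ProcessAssessment],
                       max_processes: Optional[int] = None) -> List[ProcessAssessment]:
    """Refined list of IT processes, highest priority first; ties fall back to exposure, then id."""
    ordered = sorted(assessments,
                     key=lambda a: (-priority_score(a), -risk_exposure(a), a.process_id))
    return ordered[:max_processes] if max_processes is not None else ordered


def describe(a: ProcessAssessment) -> str:
    """One line for the scoping working paper."""
    return (f"{a.process_id} {a.name}: {MATURITY_LEVELS[a.as_is]} ({a.as_is}) -> "
            f"{MATURITY_LEVELS[a.to_be]} ({a.to_be}), gap {maturity_gap(a)}, "
            f"exposure {risk_exposure(a)}, score {priority_score(a)}")


# Constructed sample assessment of five processes from the COBIT audit universe.
SAMPLE = [
    ProcessAssessment("PO1", "Define a strategic IT plan", 2, 3, 2, 4),
    ProcessAssessment("AI6", "Manage changes", 2, 4, 4, 5),
    ProcessAssessment("DS5", "Ensure systems security", 1, 4, 5, 5),
    ProcessAssessment("DS8", "Manage service desk and incidents", 3, 3, 2, 3),
    ProcessAssessment("ME3", "Ensure compliance with external requirements", 3, 5, 3, 3),
]

if __name__ == "__main__":
    for assessment in rank_for_assurance(SAMPLE, max_processes=3):
        print(describe(assessment))
```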
  • 86. 1.2 Scoping: control objectives • Define control framework for 1 process based on control objectives attributes Goal: Set of important control objectives for one IT process 86
  • 87. 1.3 Scoping: control practices • Define control design for one control objective Goal: Minimum and sufficient set of control practices to achieve a control objective 87
  • 88. 2. Testing • Structured approach for each of the control objectives / control practices, drawing on: COBIT 4 Control Practices, RACI chart, Inputs/outputs, Audit plans (Assurance Guide), … 88
  • 89. 2.1 Evaluate design effectiveness • Translate control practices into assurance steps to evaluate design effectiveness, drawing on: COBIT 4 Control Practices, RACI chart, Audit plans (Assurance Guide), … 89
  • 90. Example 2.1 Evaluate design effectiveness 90
  • 91. 2.2 Evaluate operating effectiveness 91
  • 92. 2.2 Evaluate operating effectiveness, drawing on: COBIT 4.0 Control Practices, Inputs/outputs, RACI chart, Audit plans (Assurance Guide) 92
  • 93. Example 2.2 Evaluate operating effectiveness 93
  • 94. 3. Findings & Recommendations • FINDING Description Detection Walkthrough / Testing • RISK Description Categorization • RECOMMENDATION Description Priority 94
  • 95. Findings & Recommendations Example FINDING Description Detection DS8.1: There is no monitoring process in place that focuses on the quality of the Service Desk and the end users’ satisfaction. RISK Description Classification IT management is not informed on how the business perceives the Service Desk in particular and the IT department in general. This lack of information can cause a disconnection/misalignment between business and IT (i.e. no perception of added value by IT). It also prevents the implementation of an effective continuous improvement process. RECOMMENDATION Description Priority Organize regular user satisfaction surveys via the different available media (intranet, phone, direct…) and use this information to compare the responses of the satisfied users with the dissatisfied users. This information can also be used to enable continuous improvement. 95

Editor's Notes

  1. Briefing by the programme management - emphasis on the alignment of IT and business, so that is what the story is aimed at - the agenda looks as follows
  2. Standards and Regulations Covered Technical standards from ISO, EDIFACT, etc. Codes of Conduct issued by Council of Europe, OECD, ISACA, etc. Qualification criteria for IT systems and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT, Common Criteria, etc. Professional standards in internal control and auditing: COSO report, CICA, IFAC, IIA, AICPA, GAO, PCIE, ISACA standards, etc. Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms (IBAG, NIST, DTI, BS7799), etc. Emerging industry specific requirements such as from banking, electronic commerce, health and pharmaceutical and IT manufacturing. Generally applicable and accepted international standard for good practice for IT controls for application to enterprise-wide information systems, regardless of technology; starting from business requirements for information management - business process owner oriented; based on ISACA's Control Objectives; aligned with the de jure and de facto standards and regulations; based on critical review of tasks and activities, or process focus; includes existing standards and regulations: ISO, EDIFACT, and others; Codes of Conduct issued by Council of Europe; Professional standards in Auditing: COSO, IFAC, IIA, ISACA, AICPA etc.; first published in April 1996, 2nd edition issued in 1998, 3rd edition in July 2000; has become the de facto standard for control over IT; fundamental in achieving IT Governance. CobiT's basic principles
  3. Mention the research project and mapping peter de bruyne
  4. Mention that it enables all the audiences to use the same language.
  5. This slide shows the basic idea of COBIT; if we understand this picture, we have captured the basic premise of COBIT. Actually it shows that there are three entry points in COBIT, which at the same time emphasise the focus of the framework: Process orientation, Business orientation, IT resources
  6. To satisfy business objectives, information needs to conform to certain criteria which COBIT refers to as “business requirements for information.” In establishing the list of requirements, COBIT combines the principles embedded in existing and known reference models: QUALITY requirements include quality, cost, and delivery. This is no different than the historical “better, cheaper, and faster” approach. FIDUCIARY requirements recently have been outlined by the Committee of Sponsoring Organisations (Treadway Commission) indicating that management must attest to its Organisation’s Effectiveness and Efficiency of Operations, Reliability of Financial Reporting (not Financial Reports ), and Compliance with Laws and Regulations. SECURITY requirements require Confidentiality, Integrity and Availability of all information.
  7. As mentioned before, the information criteria establish the link between the business and IT. They are developed in a way that they are very generic, and can be applied in any organisation. On the one hand, this high level of abstraction is the strength of COBIT, as in this way it can go hand in hand with other standards, and can be applied in any organisation. On the other hand, it makes it more difficult to use. The danger exists that it remains on a very high level of abstraction, not being applicable in a concrete situation. Nevertheless, the information criteria contain a lot of very valuable information. Recently, we were assigned a research project which should help improving the insight between the business goals and COBIT processes. Basically, we did interviews in eight different interviews…. This is a bit more easy to understand, but of course a bit oversimplified. In reality, the relationship is much more complex, for example Revenue growth -> satisfied customers -> reliability of IT systems -> disaster recovery -> …
  8. Present the 13 high level objectives contained in the Delivery and Support Domain.
  9. Present the 13 high level objectives contained in the Delivery and Support Domain.
  10. Present the 13 high level objectives contained in the Delivery and Support Domain.
  11. Present the 13 high level objectives contained in the Delivery and Support Domain.
  12. You can of course use other ways to categorise IT resources, this is just the way COBIT has chosen to do it. Important is that not only technology is covered, but also people.
  13. Now we know all the elements of the framework. COBIT developed a whole list of products/books around this framework, more specifically around the 34 grouped processes. The products provide guidance to better control and manage IT. The most important products are: