CobiT for Internal Auditors - PowerPoint PPT Presentation

Title: CobiT for Internal Auditors
Provided by: lucas
Slides: 32
Learn more at: https://www.nysscpa.org

Transcript and Presenter's Notes

1
CobiT for Internal Auditors
Lucas Kowal, AVP, BNP Paribas NA; CPA, CISA, CISSP
2
Overview of CobiT
  • What is CobiT?

3
Overview of CobiT
  • What CobiT is not!!
  • Audit software
  • An IT audit plan
  • An IT Internal Audit workprogram
  • An IT audit testing plan
  • Guide on How to Audit IT

4
Overview of CobiT
  • Then what is CobiT?
  • It is the Control Objectives for Information and
    related Technology
  • A methodology consisting of standards and
    controls created to assist IT professionals in
    the implementation, review, administration and
    monitoring of an IT environment.
  • The CobiT Executive Summary and Framework were
    released in December 1995, Control Objectives in
    April 1996, and Audit Guidelines followed in
    September 1996.
  • A tool for IT professionals that links
    information technology and control practices
  • CobiT consolidates and harmonizes standards from
    prominent global sources into a critical resource
    for management, control professionals and
    auditors.

5
Overview of CobiT
  • CobiT represents
  • A control framework,
  • a set of generally accepted control objectives,
    and
  • the CobiT Audit Guidelines.
  • CobiT is based on the philosophy that IT
    resources need to be managed by a set of
    naturally grouped processes in order to provide
    the pertinent and reliable information an
    organization needs to achieve its objectives.
  • CobiT is business process oriented and provides
    business process owners with a framework that
    should enable them to control all the different
    activities underlying IT deployment.

6
Overview of CobiT
  • What is the purpose of CobiT?
  • To provide management and business process owners
    with an Information Technology (IT) governance
    model that helps in understanding and managing
    the risks associated with IT.
  • CobiT helps bridge the gaps between business
    risks, control needs and technical issues by
    presenting the controls through one vehicle.
  • It is a control model to meet the needs of IT
    governance and ensure the integrity of
    information and information systems.

7
Components of CobiT
8
Components of CobiT
  • The 4 Domains of CobiT
  • MONITORING (MO)
  • PLANNING & ORGANIZATION (PO)
  • ACQUISITION & IMPLEMENTATION (AI)
  • DELIVERY & SUPPORT (DS)

9
Components of CobiT
MONITORING (MO) All IT processes need to be
regularly assessed over time for their quality
and compliance with control and regulatory
requirements. Auditors need to perform
procedures to ensure that the IT environment
meets predefined standards with respect to
controls.
  • M1- Monitor the process
  • M2- Obtain independent assurance

10
Components of CobiT
PLANNING & ORGANIZATION (PO) Addresses strategy
and tactics, and concerns the identification of
the way information technology can best
contribute to the achievement of business
objectives. Can the IT strategy be effectively
controlled, and will it contribute to the business
objectives?
  • PO1- Define a strategic IT plan
  • PO2- Define the Information architecture
  • PO3- Determine technical direction
  • PO4- Define IT Organization and relationships
  • PO5- Manage the investment in IT
  • PO6- Communicate management aims and directions
  • PO7- Manage Human Resources
  • PO8- Ensure compliance with external requirements
  • PO9- Assess risks
  • PO10- Manage projects
  • PO11- Manage quality

11
Components of CobiT
ACQUISITION & IMPLEMENTATION (AI) To realize the
IT strategy, IT solutions need to be identified,
developed and/or acquired as well as implemented
and integrated into the business process. Is
the process to choose and implement IT solutions
a controlled process? Does this process meet
control standards?
  • AI1- Identify solutions
  • AI2- Acquire and maintain application software
  • AI3- Acquire and maintain technology architecture
  • AI4- Develop and maintain IT procedures
  • AI5- Install and accredit systems
  • AI6- Manage changes

12
Components of CobiT
DELIVERY & SUPPORT (DS) Addresses the actual
delivery of required information services. Are
information related services delivered in a
controlled manner?
  • DS1- Define service levels
  • DS2- Manage Third Party services
  • DS3- Manage performance and capacity
  • DS4- Ensure continuous service
  • DS5- Ensure systems security
  • DS6- Identify and allocate costs
  • DS7- Educate and train users
  • DS8- Assist and advise IT customers
  • DS9- Manage the configuration of IT systems
  • DS10- Manage problems and incidents
  • DS11- Manage data
  • DS12- Manage facilities
  • DS13- Manage operations

13
Overview of Internal Audit
  • Internal Audit
  • "Internal auditing is an independent, objective
    assurance and consulting activity designed to add
    value and improve an organization's operations.
    It helps an organization accomplish its
    objectives by bringing a systematic, disciplined
    approach to evaluate and improve the
    effectiveness of risk management, control, and
    governance processes."(Definition of Internal
    Auditing by the Institute of Internal Auditors,
    Inc.)
  • The mission of Internal Audit is to evaluate the
    efficiency and effectiveness of the entity's
    procedures and related internal controls.
  • As Internal Auditors, we also provide control
    recommendations and controls advisory.

14
CobiT For Internal Auditors
  • Who uses CobiT in the Internal Audit world?
  • Typically, the IT Auditor
  • Business Process Auditor
  • The IT Inspection Team, or
  • The IT Control Team

15
CobiT For Internal Auditors
  • How is CobiT used by Internal Audit?
  • Establishing control baselines and standards
  • Facilitating and creating performance metrics for
    Risk Assessments
  • Developing the audit plan
  • Facilitating the audit
  • Managing residual risk
  • Issuing control advisory and recommendations to
    the IT groups

16
CobiT For Internal Auditors
Audits that can be performed with the use of
CobiT
  • Reviews of Baselines and Standards for IT
  • Information System Implementations
  • Pre-Implementation Review
  • Implementation of Controls Certification Reviews
  • Post Implementation Review
  • Code Development / Source Code Management Reviews
  • General Controls Reviews
  • Data Center reviews
  • Audits of the Business Continuity Program
  • Audits of Security Configuration
  • Reviews of Security Administration
  • Reviews of IT Purchasing and Procurement
  • Application Review / Audits
  • Audits of Business Processes

BE CREATIVE! How can you fit CobiT into your
audit plan?
17
Applications of the 4 CobiT Domains
  • All of the discussed types of reviews can employ
    the 4 CobiT domains
  • MONITORING,
  • PLANNING & ORGANIZATION,
  • ACQUISITION & IMPLEMENTATION,
  • DELIVERY & SUPPORT

18
CobiT Trends
  • In general, each of the 4 domains can be applied
    to each review with careful planning
  • All IT Audit reviews should have a component that
    includes
  • Management controls of the information
  • Review of controls over the way that information
    is delivered / facilitated
  • How the IT control review process works, and is
    it working effectively
  • With the right planning, all reviews can be
    performed with the use of the 4 domains as a
    reference, standard, and Best Practice template

19
Top Ten Strengths of CobiT in Internal Audit
  • 10. Control evaluation processes are
    standardized across the IT environment
  • 9. Benchmarks and standards are portable
    throughout the IT environment
  • 8. System management processes across different
    systems can be compared
  • 7. Post-audit benchmarking is easily achieved
    through existing CobiT Control Objectives
  • 6. A common language between auditee, auditor,
    user management and data owners is provided
  • 5. CobiT is globally recognized as a tool that
    provides guidance on IT audits and sets IT
    control Best Practices
  • 4. International IT Audit groups can share
    knowledge (i.e. workprograms, test plans)
  • 3. Audit groups can recruit based on experience
    with an internationally recognized audit tool
  • 2. CobiT can easily be mapped to relevant
    regulatory examination criteria (FFIEC, HIPAA)
  • 1. It's just plain old fun!

20
Problems Inherent to the Implementation and Use
of CobiT
  • CobiT is a control framework with Audit
    Guidelines. Therefore,
  • It is NOT an audit plan
  • It is NOT a workprogram
  • It does NOT provide for audit steps / techniques
    / procedures
  • It does NOT define standards
  • It does NOT define acceptable levels for IT
    processes
  • The use of CobiT requires a sufficient amount of
    experience with IT controls because it does not
    detail actual controls verification and testing
    steps

21
Problems Inherent to the Implementation and Use
of CobiT
  • CobiT is time and resource intensive to implement
  • Steep learning curve
  • New audit plans and workprograms
  • New documentation methods needed
  • Although CobiT is process focused, CobiT based
    reviews tend to be more system-focused.
  • Few, if any, processes are composed of one
    system.
  • All data flows between systems, so how are data
    flows evaluated?
  • How can major information flow processes be
    evaluated within reasonable time constraints?

22
Opportunities to Implement CobiT
  • Ideal Times to Implement the CobiT Framework
  • Beginning of an audit year
  • During a reorganization of the audit department
  • During a change of strategy for the IT Audit
    group
  • Upon implementation of Business Process focused
    audits

23
Threats to CobiT in the Internal Audit World
  • Threats to CobiT in Internal Audit
  • Initial audits are time intensive and difficult
    because auditors are unfamiliar with CobiT
    terminology
  • Auditees can be unreceptive to controls based
    recommendations as opposed to traditional IT
    recommendations
  • If the audit staff does not have a sufficient
    amount of experience with IT controls,
    difficulties can arise in creating procedures to
    test for the existence of CobiT prescribed
    controls

24
CobiT: A Real World Example at a Major
International Financial Services Firm
  • Situation
  • A major international financial services firm
    uses the SWIFT network as a payment messaging
    system at its worldwide locations
  • All major locations of the financial services
    firm have their own local SWIFT systems
    installations
  • Worldwide IT Management seeks efficiencies and
    decides to consolidate SWIFT messaging systems
    to regional platforms.
  • IT management's strategy is to create three
    regional hubs for messages to flow through to
    the SWIFT network.

25
CobiT: A Real World Example at a Major
International Financial Services Firm
  • Internal Audit
  • Internal Audit conducted an IT Audit of the
    management strategy, selection, acquisition,
    implementation, and configuration of the new
    SWIFT Alliance messaging hubs
  • Controls Advisory was also provided as a
    complimentary service.
  • The CobiT methodology was used.

26
CobiT: A Real World Example at a Major
International Financial Services Firm
  • Examples of IT Audit's Role
  • Participated on the SWIFT implementation team
  • Reviewed the project charter for financial, human
    resources, regulatory, compliance, and IT
    management strategy controls
  • Reviewed Service Level Agreements and contracts
    with vendors for controls prescribed by CobiT
  • Examined project details for the processes to
    choose hardware, software, and implementation
    methods.
  • Reviewed project plans for reasonableness and the
    ability to meet prescribed timelines
  • Performed reviews of SWIFT system configurations
    pre- and post-implementation
  • Examined regulatory constraints and gave opinions
    based on regulatory requirements

27
CobiT: A Real World Example at a Major
International Financial Services Firm
  • Highlights: Planning & Organization
  • Reviewed the strategy and plan for management
    controls
  • Critiqued the new IT architecture
  • Monitored progress with respect to timelines
  • Ensured that compliance and regulatory
    constraints were addressed during implementation

28
CobiT: A Real World Example at a Major
International Financial Services Firm
  • Highlights: Acquisition & Implementation
  • Reviewed choices for messaging hub locations
  • Reviewed alternatives for hardware and software
  • Verified that changes were in compliance with
    CobiT and best practices for change control
  • Determined whether procedures were created for
    the administration of the implemented system

29
CobiT: A Real World Example at a Major
International Financial Services Firm
  • Highlights: Delivery & Support
  • Reviewed agreements with vendors and business
    partners for reasonableness and compliance with
    best practices
  • Attended user training sessions
  • Tested controls for security configuration and
    security administration
  • Determined whether controlled procedures were
    created for administration and management of
    data, facilities, and operations

30
CobiT: A Real World Example at a Major
International Financial Services Firm
  • Highlights: Monitoring
  • Determined whether controlled procedures were in
    place for the monitoring of the new SWIFT
    system
  • Verified that monitoring procedures were in
    compliance with regulatory requirements

31
Questions?
Lucas Kowal, CPA, is an AVP of Information Systems
Audit at the international financial services
conglomerate BNP Paribas. Mr. Kowal has several
years of audit and consulting experience in
information systems and technology applications,
having worked with Arthur Andersen's Technology
Risk Consulting Group and the Depository Trust &
Clearing Co. prior to joining BNP Paribas. In
addition to being a Certified Public Accountant
(CPA-NY), Lucas has attained both the Certified
Information Systems Auditor (CISA) accreditation
and the Certified Information Systems Security
Professional (CISSP) accreditation. Lucas is a
graduate of the prestigious BS (Public
Accounting) / MBA (Management Information
Systems) program from the State University of New
York at Buffalo. Lucas can be reached at
lucas.kowal_at_BNPPARIBAS.com