COBIT 4.0 - PowerPoint PPT Presentation

About This Presentation

Title: COBIT 4.0

Description: Hallux Consulting Inc., 28 November 2006, COBIT FMI
Seminar. PowerPoint PPT presentation, 105 slides, provided by
howard104. Tags: cobit

Transcript and Presenter's Notes
1
COBIT 4.0
  • WHAT YOU NEED TO KNOW
  • Howard DuBois, CISA
  • howard@hallux.ca

2
Objectives
  • Review structure and content of COBIT
  • Assess challenges for IT management
  • Explore impact of a successful implementation of
    COBIT on application owners

3
What is COBIT?
  • COBIT is a highly regarded IT Governance
    framework produced and supported by the IT
    Governance Institute (ITGI)
  • COBIT 4.0 is the most recent release of this model

4
What Does COBIT Stand For?
  • C Control
  • OB OBjectives
  • I for Information
  • T and Related Technology

5
Why is COBIT Important?
  • Some interesting questions:
    • Why are control objectives of interest to
      application owners and users?
    • What is the history behind COBIT?
    • Where does IT Governance fit in?

6
COBIT's History
  • COBIT started as a control model for IT auditors
    hence control objectives for IT organizations
    and operations
  • At some point, someone realized that if the model
    was good enough for the auditor to measure IT
    control and effectiveness, it was good enough for
    management
  • This became a governance framework when it was
    realized that good control required
    implementation of best practices

7
COBIT's History
  • Control Objectives produced as an audit product
    by EDPAF, early 1990s
  • COBIT first edition - 1996
  • COBIT second edition - 1998
    • First reference to governance and to seeing
      COBIT as a set of best practices for IT
      management
  • COBIT third edition - 2000
    • First reference to ITGI
    • First reference to management guidelines

8
COBIT's History
  • COBIT 4.0 - 2005
    • 4.0 is an update of the 3rd edition: better
      mapping to business goals, further development
      of maturity models
    • COBIT On-Line introduced
  • During the process, other products were issued
    • Control Practices (2004): more detailed
      exploration of individual practices seen as
      best practices

9
Purpose of COBIT
  • Provide generally applicable and accepted
    standards for good practices for information and
    Information Technology (IT) control
  • Based on a management-oriented framework for
    control in IT
  • Aligned with de jure and de facto standards and
    regulations
  • Create a manageable and logical structure

10
The Pieces of COBIT
  • Executive Summary - Senior Executives (CEO, CIO)
    - 16 pages
  • Framework - Senior Operational Management
    (Directors of IT and IS Audit/Controls) - 68 pages
  • Control Objectives - Middle Management (IT
    Management and IS Audit/Controls Managers/Seniors)
    - 148 pages
  • Audit Guidelines - Line Management and Controls
    Practitioner (Applications or Operations Manager
    and Auditor) - 226 pages
  • Management Guidelines - Senior Operational
    Management, Director of IS, Mid-Level IT
    Management and IT Audit/Control Managers - 122
    pages
  • Implementation Tool Set - Director of IS and
    Audit/Control, Mid-Level IS Management and IS
    Audit/Control Managers - 86 pages
11
The Framework's Principles
  • Business Requirements
  • IT Processes
  • IT Resources
12
Business Requirements: Information Criteria
  • Quality Requirements: Quality, Cost, Delivery
  • Fiduciary Requirements (COSO Report):
    Effectiveness and Efficiency of Operations;
    Reliability of Financial Reporting; Compliance
    with Laws and Regulations
  • Security Requirements: Confidentiality,
    Integrity, Availability
13
Information Technology Resources
  • Data: data objects in their widest sense, i.e.,
    external and internal, structured and
    non-structured, graphics, sound, etc.
  • Application Systems: the sum of manual and
    programmed procedures.
  • Technology: hardware, operating systems, database
    management systems, networking, multimedia, etc.
  • Facilities: resources to house and support
    information systems.
  • People: staff skills, awareness and productivity
    to plan, organize, acquire, deliver, support and
    monitor information systems and services.
14
The Framework's Principles
15
IT Domains, Processes and Activities
  • Domains: a natural grouping of processes, often
    matching an organisational domain of
    responsibility.
  • Processes: a series of joined activities with
    natural (control) breaks.
  • Activities: actions needed to achieve a
    measurable result. Activities have a life-cycle,
    whereas tasks are discrete.
16
CONTROL OBJECTIVES
The DOMAINS
  • Planning and Organisation
  • Acquisition and Implementation
  • Delivery and Support
  • Monitoring
(The process lists on the next four slides follow
the COBIT 3rd edition structure. COBIT 4.0 keeps
four domains and 34 processes but renames the
fourth domain Monitor and Evaluate and reorganises
several of the Planning and Organisation processes.)
17
Planning and Organisation
  • Define a Strategic IT Plan
  • Define the Information Architecture
  • Determine Technological Direction
  • Define the IT Organisation and Relationships
  • Manage the IT Investment
  • Communicate Management Aims and Direction
  • Manage Human Resources
  • Ensure Compliance with External Requirements
  • Assess Risks
  • Manage Projects
  • Manage Quality

18
Acquisition and Implementation
  • Identify Automated Solutions
  • Acquire and Maintain Application Software
  • Acquire and Maintain Technology Infrastructure
  • Develop and Maintain Procedures
  • Install and Accredit Systems
  • Manage Changes

19
Delivery and Support
  • Define and Manage Service Levels
  • Manage Third-Party Services
  • Manage Performance and Capacity
  • Ensure Continuous Service
  • Ensure Systems Security
  • Identify and Allocate Costs
  • Educate and Train Users
  • Assist and Advise Customers
  • Manage the Configuration
  • Manage Problems and Incidents
  • Manage Data
  • Manage Facilities
  • Manage Operations

20
Monitoring
  • Monitor the Processes
  • Assess Internal Control Adequacy
  • Obtain Independent Assurance
  • Provide for Independent Audit

21
IT Process Overview: PO1 Define a Strategic IT Plan
The IT function should ensure that there are IT
long- and short-range plans for managing and
directing all IT resources of the organisation.
These plans should be timely and accurately updated
to accommodate changes in IT conditions.
Assessments of existing systems should be performed
prior to developing or changing the strategic IT
plan. Furthermore, IT management should ensure that
the strategic IT plan is consistent with the
business objectives and long- and short-range plans
of the organisation.
22
Linking to Control Objectives
Control over the IT process of DEFINING A STRATEGIC
IT PLAN (PO1)
  • that satisfies the business requirement: to
    strike an optimum balance of information
    technology opportunities and IT business
    requirements, as well as ensuring its further
    accomplishment
  • is enabled by: a strategic planning process
    undertaken at regular intervals, giving rise to
    long-term plans; the long-term plans should
    periodically be translated into operational plans
    setting clear and concrete short-term goals
  • and takes into consideration:
    • enterprise business strategy
    • definition of how IT supports the business
      objectives
    • inventory of technological solutions and
      current infrastructure
    • monitoring the technology markets (technology
      watch)
    • timely feasibility studies and reality checks
    • existing systems assessments
    • enterprise position on risk, time-to-market,
      quality
    • need for senior management buy-in, support and
      critical review
23
SUMMARY OF COBIT TO THIS POINT
  • Framework defines a construct for reviewing and
    managing IT.
  • Four domains are identified.
  • Within each domain there are processes, 34 in
    total.
  • Within each process there are high-level IT
    control objectives defining controls that should
    be in place.
  • For each of the 34 processes, there are from 3
    to 30 detailed IT control objectives.
  • There are navigational tools including a
    waterfall approach.
  • A systematic and logical method for defining and
    communicating IT control objectives.

24
AUDIT GUIDELINES
  • The objectives of auditing are to
    • provide management with reasonable assurance
      that control objectives are being met
    • where there are significant control weaknesses,
      substantiate the resulting risks
    • advise management on corrective actions

25
AUDIT GUIDELINES
The process is audited by
  • Obtaining an understanding of business
    requirements, related risks, and relevant control
    measures
  • Evaluating the appropriateness of stated controls
  • Assessing compliance by testing whether the
    stated controls are working as prescribed,
    consistently and continuously
  • Substantiating the risk of the control objectives
    not being met by using analytical techniques
    and/or consulting alternative sources

26
Audit Guidelines: 1 Generic Guideline, 34
Process-Oriented Guidelines
The generic guideline identifies various tasks to
be performed in assessing ANY control objective
within a process. The others are specific
process-oriented task suggestions to provide
management assurance that a control is in place
and working.
27
GENERIC AUDIT GUIDELINE
OBTAINING AN UNDERSTANDING: the audit steps to be
performed to document the activities underlying the
control objectives as well as to identify the
stated control measures/procedures in place.
  • Interview appropriate management and staff to
    gain an understanding of: business requirements
    and associated risks; organization structure;
    roles and responsibilities; policies and
    procedures; laws and regulations; control
    measures in place; management reporting (status,
    performance, action items)
  • Document the process-related IT resources
    particularly affected by the process under review
  • Confirm the understanding of the process under
    review, the Key Performance Indicators (KPI) of
    the process, and the control implications (e.g.,
    by a process walk-through)
28
GENERIC AUDIT GUIDELINE
EVALUATING THE CONTROLS: the audit steps to be
performed in assessing the effectiveness of control
measures in place or the degree to which the
control objective is achieved. Basically deciding
what, whether and how to test.
  • Evaluate the appropriateness of control measures
    for the process under review by considering
    identified criteria and industry standard
    practices, the Critical Success Factors (CSF) of
    the control measures, and applying professional
    judgment:
    • Documented processes exist
    • Appropriate deliverables exist
    • Responsibility and accountability are clear and
      effective
    • Compensating controls exist, where necessary
  • Conclude the degree to which the control
    objective is met
29
GENERIC AUDIT GUIDELINE
ASSESSING COMPLIANCE: the audit steps to be
performed to ensure that the control measures
established are working as prescribed, consistently
and continuously, and to conclude on the
appropriateness of the control environment.
  • Obtain direct or indirect evidence for selected
    items/periods to ensure that the procedures have
    been complied with for the period under review
  • Perform a limited review of the adequacy of the
    process deliverables
  • Determine the level of substantive testing and
    additional work needed to provide assurance that
    the IT process is adequate
30
GENERIC AUDIT GUIDELINE
SUBSTANTIATING THE RISK: the audit steps to be
performed to substantiate the risk of the control
objective not being met by using analytical
techniques and/or consulting alternative sources.
The objective is to support the opinion and to shock
management into action. Auditors have to be creative
in finding and presenting this often sensitive and
confidential information.
  • Document the control weaknesses and resulting
    threats and vulnerabilities
  • Identify and document the actual and potential
    impact (e.g., through root-cause analysis)
  • Provide comparative information (e.g., through
    benchmarks)
31
AUDIT GUIDELINES
Audit Guidelines are GUIDELINES. They are only a
start for identifying tasks associated with
particular process control objectives.
32
PO1 DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN
Identifying:
  • IT failures to meet the organization's missions
    and goals
  • IT failures to match short-range plans with
    long-range plans
  • IT project failures to meet short-range plans
  • IT failures to meet cost and time guidelines
  • Missed business opportunities
  • Missed IT opportunities
33
SUMMARY OF COBIT TO THIS POINT
  • Framework of four domains and 34 key IT
    processes.
  • Defines high-level IT control objectives defining
    controls that should be in place.
  • For each of the 34 processes, there are from 3 to
    30 detailed IT control objectives.
  • Audit Guidelines identify a process to
    • Obtain an understanding of the BUSINESS
      requirements
    • Evaluate the stated controls
    • Assess compliance with controls
    • Substantiate the risk to the BUSINESS

34
Management Guidelines
  • COBIT is meant to be IMPLEMENTED, not just used
    as a measure. Thus it has
    • Maturity Models
    • Critical Success Factors
    • Key Performance Indicators
    • IT Generic Process and IT Governance
      Guidelines

35
Management Guidelines
  • CRITICAL SUCCESS FACTORS: the most important
    things you need to do, based on the choices made
    in a Maturity Model
  • KEY PERFORMANCE INDICATORS: key monitoring points
    to measure whether or not you will reach the
    organizational goals for IT
  • KEY GOAL INDICATORS: the goals for the
    organization to be measured by the KPIs during
    the process of implementing COBIT
36
Management Guidelines
  • Generic and action oriented
  • For the purpose of
    • IT control profiling: what is important?
    • Awareness: where is the risk?
    • Benchmarking: what do others do?
  • Supporting decision making and follow-up
    • Key performance indicators of IT processes
    • Critical success factors of controls
    • Control implementation choices

37
Maturity Models for Self-Assessment
38
Generic Maturity Model - Dimensions
  • Understanding and awareness
  • Training and communications
  • Processes and practices
  • Techniques and automation
  • Compliance
  • Expertise

39
Generic Maturity Model - Dimensions
  • Training and Communication
  • Level 1 Sporadic
  • Level 2 Overall needs only
  • Level 3 Informal training
  • Level 4 Formal training
  • Level 5 Supports best practices

40
Generic Maturity Model - Dimensions
  • Processes and Practices
  • Level 1 Ad hoc
  • Level 2 Intuitive practices
  • Level 3 Defined and documented
  • Level 4 Ownership assigned, best internal
    practices
  • Level 5 Supports best external practices

41
Generic Maturity Model - Dimensions
  • Techniques and Automation
  • Level 1
  • Level 2 Some common tools
  • Level 3 Standard tool set
  • Level 4 Mature techniques, tactical technology
  • Level 5 Sophisticated tools, optimized
    technology

42
Critical Success Factors
  • Management oriented IT control implementation
    guidance
  • Most important things that contribute to the IT
    process achieving its goal
  • Control Statement and Considerations of the
    Waterfall
  • Visible and measurable signs of success
  • Short, focussed and action oriented
  • Leveraging the resources of primary importance in
    this process

43
In summary
  • Critical Success Factors
    • Represent the most important things to do to
      increase the probability of success of the
      process
    • Are observable, usually measurable,
      characteristics of the organisation and process
    • Are either strategic, technological,
      organisational or procedural in nature
    • Focus on obtaining, maintaining and leveraging
      capability and skills
    • Are expressed in terms of the process, not
      necessarily the business

44
Key Performance Indicators
Guidance for measurement can be obtained from the
Balanced Business Scorecard concepts, where goals
and measures from the financial, customer,
process and innovation perspective are set and
monitored. In the Balanced Business Scorecard
approach, the Goal is measured based on its
outcome. The Drivers or Enablers that make it
possible to achieve the goal are measured based
on their performance in support of reaching the
goal
45
Key Performance Indicators
  • The degree of importance of each of these
    criteria is a function of the business and the
    environment that the enterprise operates in
  • COBIT then allows selection of those control
    objectives that best fit the degree of
    importance, i.e., the Profile
  • This profile also expresses the enterprise's
    position on risk

46
Key Performance Indicators
The goal for IT can then be expressed as
The performance measure of the enabler becomes
the goal for IT, which in turn will have a number
of enablers. These could be the COBIT IT domains.
Here again the measures can be cascaded, the
performance measure of the domain becoming, for
example, a goal for the process
47
Cascaded Performance Indicators
48
In summary
  • Key Performance Indicators
    • Are a measure of how well the process is
      performing
    • Predict the probability of success or failure
      in the future
    • Are process oriented, but IT driven
    • Focus on the process and learning dimensions of
      the balanced scorecard
    • Are expressed in precise, measurable terms
    • Help in improving the IT process

49
Key Goal Indicators
  • KGI for goal: measurable indicators of the
    process achieving its goal
  • Business Requirement of the Waterfall
  • Influenced by the primary and secondary
    information criteria
  • A potential source can be found in COBIT's
    Substantiating Risk section in the Audit
    Guidelines


50
Key Goal Indicators
Given that the link between the business and IT
scorecards is expressed in terms of the information
criteria, the KGIs will usually be stated as
  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost-efficiency of processes and operations
  • Confirmation of reliability, effectiveness and
    compliance

51
In summary
  • Key Goal Indicators
    • Describe the outcome of the process and are
      therefore measurable after the fact
    • Are indicators of the success of the process,
      but may be expressed as well in terms of the
      business contribution, if that contribution is
      specific to that IT process
    • Focus on the customer and financial dimensions
      of the balanced business scorecard
    • Represent the process goal, i.e., a measure of
      what, a target to achieve
    • Are IT oriented, but business driven
    • Are expressed in precise measurable terms,
      wherever possible
    • Focus on those information criteria that have
      been identified to be of most importance for
      this process

52
Management Guidelines
53
Generic IT Process
Control over an IT process and its activities with
specific business goals
  • is determined by the delivery of information to
    the business that addresses the required
    information criteria, and is measured by KGIs
  • is enabled by creating and maintaining a system
    of process and control excellence appropriate for
    the business
  • considers CSFs that leverage specific IT
    resources, and is measured by KPIs
54
Management Guidelines
55
Generic IT Process
Potential Critical Success Factors
  • IT performance is measured in financial terms, in
    relation to customer satisfaction, for process
    effectiveness and for future capability,
  • The processes are aligned with the IT strategy
    and with the business goals they are scalable
    and their resources are appropriately managed and
    leveraged
  • A business culture is established, encouraging
    cross-divisional co-operation and teamwork, as
    well as continuous process improvement
  • Control practices are applied to increase
    transparency, reduce complexity, promote
    learning, provide flexibility and allow
    scalability
  • Goals and objectives are communicated and are
    understood
  • It is known how to implement and monitor process
    objectives and who is accountable for process
    performance
  • A continuous process quality improvement effort
    is applied
  • The required quality of staff (training, transfer
    of information, morale, etc.) and
    availability of skills (recruit, retain,
    re-train) exist

56
Generic IT Process
Potential Key Goal Indicators
  • Increased level of service delivery
  • Number of customers and cost per customer served
  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost efficiency of processes and operations
  • Confirmation of reliability and effectiveness
  • Adherence to development cost and schedule
  • Cost efficiency of the process
  • Staff productivity and morale
  • Number of timely changes to processes and systems
  • Improved productivity (e.g., delivery of value
    per employee)

57
Generic IT Process
Potential Key Performance Indicators
  • System downtime
  • Throughput and response times
  • Amount of errors and rework
  • Number of staff trained in new technology and
    customer service skills
  • Benchmark comparisons
  • Number of non-compliance reportings
  • Reduction in development and processing time

58
Management Guidelines Components
  • IT governance guideline
  • Generic IT process guideline
  • For each of the 34 IT processes
    • one maturity model
    • 5 to 7 KGIs
    • 8 to 10 CSFs
    • 6 to 8 KPIs

59
SUMMARY OF COBIT TO THIS POINT
  • Framework of four domains and 34 key IT
    processes.
  • Defines high-level IT control objectives defining
    controls that should be in place.
  • For each of the 34 processes, there are from 3 to
    30 detailed IT control objectives.
  • Audit Guidelines identify a process to
    • Obtain an understanding of the BUSINESS
      requirements
    • Evaluate the stated controls
    • Assess compliance with controls
    • Substantiate the risk to the BUSINESS
  • Management Guidelines outline
    • The process to implement COBIT with key
      indicators of success
    • A maturity model to measure progress

60
Why Should an Organization Adopt COBIT?
  • Attention focused on Corporate Governance
  • Management Accountability for Resources
  • Specific Need for Control of IT Resources
  • Stresses business-oriented solutions
  • Provides an authoritative framework for Risk
    Assessment
  • Improved communication among management, users
    and auditors

61
Management Expectations of IT
  • Re-Engineered Processes
  • Right-Sizing
  • Distributed Processing
  • Flattened organizations
  • Outsourcing
62
Management Responsibilities for IT
  • Safeguarding Assets
  • Information as Most Valuable Asset
63
COBIT Framework Blends Management's IT
Expectations with Management's IT
Responsibilities
64
Management Needs COBIT
  • To evaluate IT investment decisions
    • Making the link to the business needs
    • Ensuring best use is made of information
    • Ensuring regulatory and legislative compliance
    • To balance risk and control of investment
  • To benchmark the existing and future IT
    environment
    • Organizing into a generally accepted model of
      IT processes
    • Identifying major IT resources to be leveraged

65
Why do Application Owners need COBIT?
  • COBIT is a control-oriented framework
  • Helps organizations to align control objectives
    with existing de jure and de facto standards,
    regulations and best practices
  • Information, and by relationship IT, is one of an
    organization's most valuable assets
  • Value, risk and control are the core of IT
    governance
  • Management responsibility to ensure IT sustains
    and extends business objectives
  • A more responsive IT organization should result
    in a better alignment with your business

66
IT needs COBIT
  • Ensure strategic alignment
    • Ensure linkage of business and IT plans
    • Align operations with enterprise objectives
  • Value delivery
    • Ensure IT delivers promised benefits; focus on
      controlling costs
  • Optimise resource management
    • Proper management of IT resources: data,
      applications, infrastructure, people

67
IT needs COBIT
  • Apply risk management
    • Embed risk management responsibilities into the
      organization
    • Raise awareness of all senior officers
    • Track risks and ensure transparency of risks
  • Performance measurement
    • Track and monitor strategy implementation
    • Benchmark operations
    • Allow for continuous improvement

68
Current Situation
  • Varied maturity levels across government, and
    even within individual organizations
  • Historically IT has tended to be an objective
    unto itself
  • Often IT plans bear no relationship to the
    business plans of the organization
  • Often shows up as lack of control over IT
    projects; large projects often fail

69
Current Situation
  • Recent focus on IT infrastructure and operations
    control across government: implementation of
    ITIL
  • The IT Infrastructure Library is a compendium of
    best practices for IT service management; its
    processes map onto COBIT's Delivery and Support
    domain rather than replacing the COBIT framework
  • Improvement in project governance
  • Enhanced Management Framework
  • COBIT can enhance all these initiatives

70
COBIT Questions and Answers
71
COBIT: for additional information
  • www.isaca.org
  • www.itgi.org
The end
72
COBIT - Appendices
  • Information Criteria
  • Implementing COBIT

73
Information Criteria Working Definitions
Effectiveness deals with information being
relevant and pertinent to the business
process as well as being delivered in a
timely, correct, consistent and usable
manner.
74
Information Criteria Working Definitions
Efficiency concerns the provision of
information through the optimal (most
productive and economical) usage of
resources.
75
Information Criteria Working Definitions
Confidentiality concerns the protection
of sensitive information from unauthorised
disclosure.
76
Information Criteria Working Definitions
Integrity relates to the accuracy and
completeness of information as well as its
validity in accordance with business set
of values and expectations.
77
Information Criteria Working Definitions
Availability relates to information being
available when required by the business
process, and hence also concerns the
safeguarding of resources.
78
Information Criteria Working Definitions
Compliance deals with complying with those
laws, regulations, and contractual
arrangements to which the business process
is subject, i.e., externally imposed
business criteria.
79
Information Criteria Working Definitions
Reliability of Information relates to
systems providing management with
appropriate information for it to use in
operating the entity, in providing reporting
to users of the financial information, and
in providing information to regulatory
bodies with regard to compliance with laws
and regulations.
80
Implementing COBIT
81
To Adopt COBIT, Who Needs To Be Influenced?
Management, especially IT policy makers, play a
major role in influencing the adoption of COBIT
in the organisation. Examples of such policy
makers include:
  • Chief Executive (e.g., CEO)
  • Senior IT Executive (CIO or VP of IT)
  • IT Steering Committee
  • IT Management
82
A Product For Many Audiences
When you are: Executive manager
COBIT could serve the following objectives for you:
  • Accept and promote COBIT as the general IT
    governance model across the enterprise
Some specific approaches which could prove useful:
  • Use COBIT to complement the existing internal
    control framework
  • Use the COBIT process model to establish a common
    language between business and IT and to allocate
    clear responsibilities
83
A Product For Many Audiences
When you are: Business manager
COBIT could serve the following objectives for you:
  • Use COBIT to establish a common entity-wide
    model to manage and monitor IT's contribution to
    the business
Some specific approaches which could prove useful:
  • Use COBIT control objectives as a code of good
    practice for dealing with IT within the business
    function
  • Use COBIT control objectives to determine the
    needs to be covered by Service Level Agreements
    (internal or outsourced)
84
A Product For Many Audiences
When you are: IT manager
COBIT could serve the following objectives for you:
  • Use the COBIT process model and detailed control
    objectives to structure the IT services function
    into manageable and controllable processes,
    focussing on performance measures and IT-business
    contribution
Some specific approaches which could prove useful:
  • Use the COBIT control model to establish SLAs and
    communicate with business functions
  • Use the COBIT control model as the basis for
    process-related policies and norms
  • Use COBIT as a baseline model to establish the
    appropriate level of control objectives and
    external certifications
85
A Product For Many Audiences
When you are: Project manager
COBIT could serve the following objectives for you:
  • As a general framework for minimal project and
    quality assurance standards
Some specific approaches which could prove useful:
  • Use COBIT to help ensure that project plans
    incorporate generally accepted phases in IT
    planning, acquisition and development, service
    delivery and project management, and assessment
86
A Product For Many Audiences
When you are: Developer
COBIT could serve the following objectives for you:
  • As minimal guidance for controls to be applied
    within development processes, as well as for
    internal control to be integrated in information
    systems being built
Some specific approaches which could prove useful:
  • Use COBIT to ensure that all applicable IT
    control objectives in the development project
    have been addressed
87
A Product For Many Audiences
When you are: Operations
COBIT could serve the following objectives for you:
  • As a general framework for minimal controls to be
    integrated into service delivery and support
    processes, placing clear focus on client
    objectives
Some specific approaches which could prove useful:
  • Use COBIT to ensure that operational policies and
    procedures are sufficiently comprehensive
88
A Product For Many Audiences
When you are: User
COBIT could serve the following objectives for you:
  • As minimal guidance for internal control to be
    integrated within information systems, whether
    fully operational or under development
Some specific approaches which could prove useful:
  • Use COBIT to guide service level agreements
89
A Product For Many Audiences
When you are: Information Security Officer
COBIT could serve the following objectives for you:
  • As a harmonising framework providing a way to
    integrate information security with other
    business-related IT objectives
Some specific approaches which could prove useful:
  • Use COBIT to structure the information security
    program, policies and procedures
90
A Product For Many Audiences
When you are: Auditor
COBIT could serve the following objectives for you:
  • As a basis for determining the IT audit universe
    and as an IT control reference
Some specific approaches which could prove useful:
  • Use COBIT as criteria for review and examination,
    and as a frame for IT-related audits
91
COBIT Management Awareness Diagnostic Tools
  • One of the most challenging tasks will be getting
    top management's attention. Two tools for getting
    management's attention and raising management's
    awareness are
    • IT Governance Self-Assessment
    • Management's IT Concerns Diagnostic

92
IT Governance Self-Assessment
Asks Management to Determine for EACH of the COBIT
Processes
  • How important is the process for business
    objectives?
  • Whether the process is performed
  • Who performs the process
  • Whether the process is audited
  • Whether the process and its control are
    formalized
93
Management's IT Concerns Diagnostic
Identifies which IT processes need to be under
control for various IT concerns:
  • Management issues
  • Internet/Intranet
  • Enterprise packaged solutions
  • Client/server architecture
  • Workgroups and groupware
  • Network management
94
How To Implement COBIT in an Organisation
  • Top Down Approach
  • Audit Committee Approach
  • Audit and IT Management Consensus Approach
  • Regulation/Legislation

95
Ways to Implement: Approach 1 -- Top Down
  • Communicate COBIT to Senior Operating Management
    and IT Management
  • Communicate the Framework to the CIO
  • Communicate within the CIO's organisation via
    education
  • Gain commitment to processes and control
    objectives
  • Develop cyclical audit programs to cover all
    processes
96
Ways to Implement: Approach 2 -- The Audit Committee
  • Communicate with and educate the Audit Committee
  • Develop cycle/coverage scenarios to minimise
    potential liability of committee members
  • Communicate cyclical coverage within IT
  • Execute the audit plan using COBIT to scope
    audits and define required IT control objectives
97
Ways to Implement: Approach 3 -- Audit and IT
Management Consensus
  • COBIT is communicated within Audit
  • Audit performs internal assessment of IT
  • Audit shares assessment with IT
  • IT and Audit reconcile variances to reach
    consensus
  • Audit program developed and executed, based on
    self-assessment
98
Ways to Implement: Approach 4 --
Regulation/Legislation
  • COBIT is specified for compliance by a regulating
    authority
  • COBIT is specified for compliance by legislation
99
Implementation Action Plan for Organization
  • Distribute copies of the COBIT Executive Overview
    and/or Summary to key managers, triggering
    analysis of and thoughts about the existing
    organisation's approach to IT controls
  • Present to Operations and Technology management
    team and key staff
  • Present to outsourced service provider management
    and key staff
  • Assist key managers in developing action plans to
    integrate COBIT concepts into business processes
  • Present COBIT concepts and activities progress
    reports to senior management to inform and gain
    commitment
  • Develop or update audit programs consistent with
    COBIT Audit Guidelines
  • Restructure the audit inventory to reflect a
    COBIT process orientation
  • Present COBIT concepts, progress and results to
    the Audit Committee
100
Implementing COBIT from an Audit Perspective
  • As an Organizational Tool
  • As a Consensus-Building Tool
  • As an Engagement Scoping Tool
  • As a Self-Assessment Tool
  • Risk Assessment and Audit Planning Using COBIT
101
COBIT as an Organizational Tool
  • Domain 1 (Planning and Organisation): Auditor 1
  • Domain 2 (Acquisition and Implementation):
    Auditor 2
  • Domain 3 (Delivery and Support): Auditor 3
  • Domain 4 (Monitoring): Auditor 4
102
COBIT as a Consensus-Building Tool
  • CEO paired with Senior Audit Executive (Auditor 1)
  • CIO paired with Director of Audit (Auditor 2)
  • Dir. IT paired with Senior Audit Manager
    (Auditor 3)
  • Appl. Mgr. paired with Practitioner (Auditor 4)
103
COBIT as an Engagement Scoping Tool
  • I want to look at this area of IT...
  • What are the processes involved?
  • What are the control objectives involved?
COBIT allows identification of minimum controls.
104
COBIT as an IT Self-Assessment Tool
  • Are there specific areas where too few or too
    many resources are being applied?
  • How am I doing against COBIT's IT control
    requirements?
  • Can Audit focus on strengths for improvement? I
    already know my weaknesses.
  • Show me what controls should be in place before
    you come in, so I can clean up my shop: reallocate
    resources to higher-risk projects.