Major Manufacturing Caselet: Using COBIT® 5

© 2014 ISACA. All rights reserved.

Disclaimer

ISACA has designed and created the Major Manufacturing Caselet: Using COBIT® 5 (the ‘Work’) primarily as an educational resource for educational professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: [email protected]
Web site: www.isaca.org

Reservation of Rights

© 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

Provide Feedback: www.isaca.org/basic-concepts-caselets
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

Acknowledgements

Author
Krishna Seeburn, Ph.D., CFE, CIA, CISSP, FBCS, LLM, PMP, Riesling Consulting Group, Mauritius

Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, RadioShack Mexico, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Credentialing and Career Management Board
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Chairman
Bernard Battistin, CISA, CMA, Office of the Auditor General of Canada, Canada
Richard Brisebois, CISA, CGA, Canada
Terry Chrisman, CGEIT, CRISC, GE Money, USA
Erik Friebolin, CISA, CISM, CRISC, CISSP, PCI-QSA, ITIL, USA
Frank Nielsen, CISA, CGEIT, CCSA, CIA, Nordea, Denmark
Hitoshi Ota, CISA, CISM, CGEIT, CRISC, CIA, Mizuho Corporate Bank, Japan
Carmen Ozores Fernandes, CISA, CRISC, Brazil
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA

Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA, Chairman
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP, HP Enterprises Security Services, UK
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA, Myers and Stauffer LLC, USA
Alisdair McKenzie, CISA, CISSP, ITCP, I S Assurance Services, New Zealand
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA
Katsumi Sakagawa, CISA, CRISC, PMP, JIEC Co. Ltd., Japan
Ian Sanderson, CISA, CRISC, FCA, NATO, Belgium
Timothy Smith, CISA, CISSP, CPA, LPL Financial, USA
Todd Weinman, CPS, The Weinman Group, USA

Academic Program Subcommittee
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA, Chairman
Umesh R. Hodeghatta, Xavier Institute of Management, India
Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA
Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil
Nebil Messabia, Canada
Kumar Srikanteswaran, CISA, CMA, PMP, India
Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan

Student Book

This caselet was developed to support the Basic Foundational Concepts Student Book: Using COBIT® 5, www.isaca.org/basic-concepts-student-book

What is testing and independence?

Testing and independence is all about being able to perform a review or an assessment and provide a report that is impartial. It should give the right picture of the situation. An independent audit should include a rigorous assessment of the facts. All findings should be tested and supported by appropriate evidence.

A lack of independence is a major problem faced by any professional today. Professionals are required to abide by a code of ethics and demonstrate personal integrity when making decisions. As much as possible, professionals should maintain a clear, independent view. Non-compliance with ethics sometimes arises when one has a vested interest in an area. For example, having family or investments within a business might impair one’s independence and objectivity.

How does it benefit an enterprise?

Having the right skills to carry out a review is also important. It is important to collaborate with other skilled experts in defining areas where a rigorous review is important.

The bottom line is that the major benefit to enterprises is the real insight into the functioning of the business: where things are working well and where they are not.

How does it benefit an IS auditor?

As an auditor, it is important that you build the right skills and always be impartial in your judgement and evaluation.

It will enable you to provide a professional assessment of the enterprise.

Agenda

• Company Profile – Major Manufacturing
• Background Information
• The Problems
• Your Role
• Your Tasks
• Figures
• Questions


Major Manufacturing – Profile

One of the largest manufacturing companies in the world

Headquartered in Berlin, Germany with branch offices in London, UK; Barcelona, Spain; Singapore; Hong Kong; and St. Louis, Missouri, USA

Is a publicly held company that traces its roots to the beginning of the twentieth century

Has approximately 15,000 employees and a few hundred long-term contractors

Background – What We Do

• We make a wide variety of small, durable goods.
• We are known internationally, not only for the goods that we make, but also for the quality of those goods.
• We have invented ways to create new and better versions of existing products several times in the past.

Background – Financials

Major Manufacturing is a publicly owned company with:
• Revenue of €201 million
• Profit of €15.1 million
• No significant debt

Background – Org. Structure

The board of directors:
• Is not a very functional entity
• Provides little oversight and guidance to the business

The CEO:
• Is also the chairman of the board of directors
• Rules with an iron hand
• Appoints people to the board on the basis of their willingness to give approval for initiatives with little delay

Background – Operational

• Business units are the backbone of Major Manufacturing. Each is a fiercely independent silo with the mission of being as profitable as possible, except for the way they share machinery and equipment used in manufacturing.
• Business unit managers are highly valued and are placed high in the organisational chart.
• All business unit managers report to the chief operations officer (COO).
• Each business unit faces what often turn out to be stringent time deadlines.

Background – Industry

• The manufacturing arena has taken a downward turn over the last two years. One of the effects of the bad economy has been a sharp drop in sales of manufactured goods.
• The level of competition within the manufacturing industry is very high. Some manufacturing companies have been selling manufactured goods at below their actual cost because their inventories of manufactured goods have been high and also because of the need for greater cash flow.

Background – Marketing

• Major Manufacturing’s executive management and the board of directors have a philosophy that they will not rush any product to market.
• Instead, they have established processes in which each new product is carefully and thoroughly tested before it is allowed to go on the market, and quality assurance and Major Manufacturing go hand-in-hand.
• Major Manufacturing has a modest advertising campaign.
• People in Berlin (and to a lesser degree, Europe at large) have heard of this company, although the company is also not exactly a household name in Berlin. Major Manufacturing is also not well known internationally.
• The CEO has been deliberating whether the marketing efforts should be strengthened.

The Problem

• The board has been having key issues with the operations of the company. They want a clear insight into the status of the enterprise and its major IT systems.
• There has been whistle-blowing about close irregular transactions between key C-suite level executives.
• You have family ties with the CIO; the CIO is your cousin, and your wife’s brother is the CFO of the company.
• The CFO is the cousin of the CEO, and they have been working closely for a while.

The Problem (cont.)

• The company is listed on the stock exchange and thus has many external stockholders. It therefore requires clear, transparent processes in the governance of the board.
• You have, in the past, worked on the key infrastructure systems and designed a few of them personally before your move to be an auditor of the firm.
• The company has been making steady progress towards profitability and constant growth.
• The company has in place enterprise resource planning (ERP) systems, which you helped implement when you worked for Major Manufacturing, and put in place some key loopholes (e.g., reversing of transactions within the system without further audit trails). The loopholes were implemented in support of the CFO’s requirement for quick back-end access to the ERP system without following key best business practices.
• You have been promised some indirect financial support by the CFO for overlooking some practices in the system that may have been implemented after you had left the company, but of which you are aware.

The Problem (cont.)

• The CIO has been able to work around the problem, but the situation still exists.
• In financial terms, if you were to look at the ERP system in place and give assurance on the information available, and if it were to leak to the stakeholders or to the market, it may have some impact.
• Further, you have been involved as an independent consultant for the firm on some new initiatives within the enterprise, and you have not advised your audit partners that you were advising Major Manufacturing as a consultant on the potential systems you were going to audit.

The Problem (cont.)

You have been requested by Touching Auditors to carry out an audit review of Major Manufacturing. You need to:
• Provide a review of the IT systems. You need to review the core processes and evaluate whether they are operational.
• Provide the audit team with assurance on the organisational data and IT systems and processes.
• Explain the ERP system issues, if any.
• Provide a clear and concise report to the board for effective review.

The Problem (cont.)

• Despite your close ties with the executives of Major Manufacturing, you decide to carry on and go about your audit.
• You provide a concise report and highlight some key issues. You ensure that your work as the IS auditor is done effectively, with a few small omissions. Despite the fact that there were issues identified by the board, the report did not seem to suggest any major issues apart from areas in information security.

Your Role

• Your title: Senior IT Auditor at Touching Audit
• Your assignment: The Touching Audit firm was appointed to carry out the audit review of Major Manufacturing, and you have been placed as the senior IT auditor for the project because of your inside knowledge of Major Manufacturing.
• Tenure: You have had three successful years on the job with Touching Audit.
• Education: You have a bachelor's degree in IT.
• Certifications:
  ₋ Certified Information Systems Auditor (CISA)
  ₋ Certified Internal Auditor (CIA)
  ₋ American Institute of Certified Public Accountants (AICPA) Qualified Member
  ₋ Grandfathered into the Certified in the Governance of Enterprise IT (CGEIT) certification in 2008

Your Task

• Look at your independence as the IS auditor in this case.
• Identify key requirements for the audit, while ensuring the standards are clear.
• Help your colleagues in the process without undue interference.
• Produce an impartial report.

Discussion Questions

1. What are the key requirements for an independent audit?
2. What are the key issues that can lead to a non-independent and unclear audit?
3. What is critical for a successful audit?
4. Discuss some of the major audit failures and why they were so critical, both in-house and as knowledge for the public.
5. From an IS audit perspective, the IS audit could get away with only the implied and applicable laws, which concern mainly financial audit/reporting. What is the main importance and role the IS audit plays in a routine enterprisewide approach?
6. What are the triggers for unclear testing of controls and evidence gathering?
7. In the problem described in the caselet, what would you suggest should happen? What would you do to ensure a clear vision and objective for such an audit?