1

Executive BriefingOctober 16, 2001

2

Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts

Adjunct faculty at Bentley College Member of CobiT Steering Committee Served as member of Y2K Coordinating Council,

Commonwealth of Massachusetts 1994-1995 International President of ISACA/F Served as member of Governor’s Commission on

Computer Crime, Governor’s Commission on Computer Technology and Law, and Governor’s Task Force on E-Commerce

e-mail: john.beveridge@sao.state.ma.us

3

How does responsible managment keep the ship on course?

How do we achieve satisfactory results for our clients and stake-holders?

How do we adapt in a timely manner to “best practices” for our organization’s environment?

4

When we spend a lot of moneyand what we have built

doesn’t work, or is difficult to maintain,

or is not accepted,or appears vulnerable,People have a lot to say

5

Stakeholders apply pressureStakeholders apply pressure

Shareholders and ExecutiveLower cost, higher profitability andLower cost, higher profitability andincreased market shareincreased market share

Customers and Staff More functionality at lower cost andMore functionality at lower cost andgreater ease of usegreater ease of use

Society Greater accountability for executives inGreater accountability for executives inprivate and public sectorprivate and public sector

6

E-business FactorsE-business Factors Guarantee of delivery Customer service Ease of use Increased dependence Security

What are the customers saying ?What are the customers saying ?

7

Focus on Operational Risk within which security and IT are very significant

All major risk issues have been caused by breakdowns in Internal control Oversight Information Technology

What signals are regulators giving?What signals are regulators giving?

Federal ReserveFederal Reserve

8

Most Pressing Concerns about Information Technology

Security Availability Integrity and Effectiveness Cost

9

September 11th has Impacted us all in a Whole Lot of Ways

Personal Economic Security Risk

10

Measures?

Scales?

Indicators?

11

The Answer Lies In: Having clear understandings of the strategic

value of technology Bringing that strategic value to reality Having appropriate frameworks of control Employing the fundamentals of IT goverance Building mechanisms to provide adequate

assurance that IT governance objectives are addressed

12

CobiTCobiT CobiT’s Control Objectives and Management Guidelines are valuable IT governance tools that help in the understanding and management of risks and benefits associated with information integrity, security and availability and the management of related IT.

13

Authoritative, up-to-date set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.

Structured and organized to provide a powerful

control model

14

Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)

Framework -- Senior Operational Management (Directors of IS and Audit / Controls)

Control Objectives -- Middle Management (Mid-Level IS and IS Audit/ Controls Managers)

Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)

Implementation Tool Set -- Any of the above Management Guidelines -- Management and Audit

15

Management GuidelinesIncludes:– Critical Success Factors– Key Performance Indicators– Key Goal Indicators– Maturity models

CCOBIOBITTCCOBIOBITT

16

Right information, to only the right party, at the right time.

Information that is relevant, reliable and secure.

Information provided by systems that have integrity by a well-managed and properly controlled IT environment.

17

IT Governance Objectives

IT is aligned with the business enabling the entity to maximize benefit

IT resources are safeguarded and used in a responsible and ethical manner

IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure

18

Need for better operational control While technology makes new business processes

possible, it may come with reduced control Demand for increased effectiveness, efficiency

and security Strategic importance of technology The need to hold officers and senior

management accountable and strengthen governance

19

Addresses key attributes of information produced by IT.

Provides a working control model for IT-

related control objectives

Links recommended control practices for IT to business and control objectives.

Assists in evaluating appropriateness of controls

20

CobiT is an Authoritative Source

Built on a sound framework of control

and IT-related control practices. Aligned with de jure and de facto

standards and regulations. Has undergone expert review and

exposure process, now in its 3rd edition

21

CobiT Sources Professional standards for internal control and

auditing (COSO, IFAC, AICPA, IIA, etc) Technical standards (ISO, EDIFACT, etc.) Codes of Conduct Qualification criteria for IT systems and processes

(ISO9000, ITSEC, TCSEC, etc.) Industry practices and requirements from industry

forums (ESF, I4) Emerging industry-specific requirements from

banking, e-com, IT manufacturing.

22

Based on a Strong Based on a Strong Foundation and Sound Foundation and Sound Principles of Internal Principles of Internal

ControlControl

23

What is Internal Control?What is Internal Control?

How it is defined How it is defined impacts its design, impacts its design,

exercise, and exercise, and evaluationevaluation..

24

Control (as defined by COBIT)

The policies, procedures, practices and

organizational structures designed to provide

reasonable assurance that business objectives

will be achieved and that undesired events

will be prevented or detected and corrected.

Source: COBIT Control Objectives, p. 12.

25

IT Control Objective

A statement of desired result or

purpose to be achieved by

implementing control procedures

in a particular IT activity

26

Internal Control

Controls are framed by what is to be attained

(control objectives) and the means to attain those goals (the controls).

27

CobiT Incorporates Key Internal Control Requirements

Systemization

Documentation

Standards, defined expectations

Measurement

Appropriate risk assessment

28

CobiT Incorporates Key Internal Control Requirements

Well-defined operational and control

objectives

Appropriate controls

Competent and trustworthy people

Monitoring & evaluation

29

CobiT Framework

Built on an understanding of the:relationship of controls to control objectives,importance of focusing on the relationship of

control objectives to business objectives and business processes,

value of managed processes and resources tied to strategic initiatives.

30

BUSINESSPROCESSESBUSINESS

PROCESSES

INFORMATIONINFORMATION

IT RESOURCESIT RESOURCES

• data• application systems• technology• facilities• people

• data• application systems• technology• facilities• people

• effectiveness• efficiency• confidentiality• integrity• Availability• Compliance• reliability

• effectiveness• efficiency• confidentiality• integrity• Availability• Compliance• reliability

Information CriteriaInformation Criteria

Do they match?

FrameworkWhat you needWhat you get

31

Framework’s Three Components

“Business Requirements” for Information

IT Resources

IT Processes

32

Information Criteria -- The 1st Component

Effectiveness

Efficiency

Confidentiality

Integrity

Availability

Compliance

Reliability of Information

33

IT Resources -- The 2nd Component

Data

Application Systems

Technology

Facilities

People

34

Domains

Processes

Tasks &Activities

Natural grouping of processes, oftenmatching an organizational domainof responsibilityA series of joined tasks & Activities with natural (control) breaks.

Actions needed to achieve a measurable result. Activitieshave a life-cycle whereas tasksare discrete

(4)

(34)

(318)

Information Processes (3rd component)

35

Planning/Organization

Acquisition /Implementation

Delivery /Support

Monitoring

COBIT Domains: Information Processes (3rd Component)

36

How do they relate ?How do they relate ?

IT Processes

IT Processes

IT Resources

IT Resources

Business Requirements

Business Requirements

Data Information

Systems Technology Facilities Human

Resources

Planning and organisation

Aquisition and implementation

Delivery and Support

Monitoring

Effectiveness Efficiency Confidenciality Integrity Availability Compliance Information

Reliability

37

IT Resource Management

CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with type and quality, and security of information required to achieve organizational objectives.

38

The WATERFALL Navigation Aid --High Level Control Objectives for Each Process

The control of

which satisfy

is enabled by

considering

IT Processes

BusinessRequirements

ControlStatements

ControlPractices

See Framework, p. 18. 56

39

CobiT’s Control Objectives

Contains management control practices by high-level control objective within four categories, or domains, of the control objectives.

Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity.

Assists in establishing clear policy and good practices for IT control

40

Planning and Organization

Strategy and tactical plans for IT Identify ways that IT can best contribute to the

achievement of business objectives Plan, communicate, and manage the

realization of the strategic vision Establish the IT organization, and Set the stage for managing information and the

technology infrastructure

41

Acquisition and Implementation Domain

IT solutions– Identified– Developed or acquired– Implemented– Integrated into the business processes

Change and maintain existing systems

42

Delivery and Support Domain

Deliver required services Ensure security and continuity of

services Set up support processes, including

training Process data (including “application”

controls)

43

Monitoring Domain

Regularly assess IT processes for– Quality– Appropriateness of controls– Compliance with control requirements

Addresses management oversight of organization’s control provisions

Provide for an audit function

44

Relation to Other Control Models

CobiT is in alignment with other control models:– COSO

– COCO

– Cadbury

– King

45

Reinforces Control Responsibilities

Management -- has primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.

Users -- exercise and monitor controls.

Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.

47

As a control model, CobiT should beAs a control model, CobiT should betailored to agency, IT platform, tailored to agency, IT platform,

and system standardsand system standards

Use CobiT as the Structure to which you link agency-specific operational and control requirements, policies, and

standards

48

Using CobiT

Organizational tool Management tool Good practices standard Strengthen third-party contracts Criteria for Evaluation Strengthen risk management Basis for improved management

49

Using CobiT in Evaluating IT Controls

Selecting areas or control objectives for evaluation

Determining type of evaluation Engagement/assessment planning Framing scope and evaluation objectives to

CobiT Development of control assessment

approach

50

Use of CobiT to Plan Control Evaluations

Assessing the control environment and identifying high risk processes

Conducting a high-level and detailed policy and procedures review

Performing a control review Using CobiT-related matrices

51

Using CobiT Matrices to Focus on:

IT Functions– Their importance?– Level of performance?– Control documentation?

Responsible Parties of IT– Performed by?– Contracted services?– Primary responsible party?

Risk Assessment– Importance, level of risk, control documentation

52

CobiT Helps Identify Key Risks to the Organization

Unaware of the risks Poor understanding of CSFs Absence of KPIs No “scorecard” or basis of measurement Absence of monitoring and evaluation Weak IT control environment

53

CobiT helps senior management, business process owners, and IT

gain increased benefit from independent examiners

54

Audit Insight: Overview of Audit Planning

Auditee selection (may be CobiT driven) Entrance Conference and on-site preaudit

information gathering (CobiT) Develop proposed scope and audit

objectives (CobiT-framed) Finalize audit work program (CobiT-

framed) Engagement conference (reference

CobiT as criteria) and audit (CobiT as review criteria)

55

Audit Planning:

Who are they? (type of agency, enabling legislation) What do they do? (mission, business objectives) How do they plan to do it? (strategy/plan) How do they do it? (functions, processes) With what resources? (IT, operational resources,

management & staff, raw materials, etc.) By what rules? (policies, standards, legal and regulatory

requirements) Under what risks? (risk analysis)

56

Audit Planning:

Who does it? (internal & external players, their roles

and responsibilities) Who knows what is done? (reporting lines,

designated points of accountability) How do they known it is done right?

(measurement registers, assurance mechanisms, evaluations,

score cards, etc.) Where are they? (centralized or distributed)

57

Audit Guidelines

They are evaluation guidelines. Generic guideline identifies various tasks to

be performed in assessing ANY control objective within a process. This generic guideline extracted all repetitive tasks into one -- to be performed for all control objectives.

34 others are specific process-oriented task suggestions to provide management assurance that a control objective is being addressed.

58

Obtaining an understanding of business requirements, related risks, and relevant control measures Evaluating the appropriateness of stated controls Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously. Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.

The IT process is therefore audited by:

59

Organization & Management Review

Clarity and appropriateness of responsibility definitions

assignment of responsibilities points of accountability reporting mechanisms for actions taken and

activities performed Efforts to monitor and evaluate adequacy of

exercise of responsibilities

60

Using Cobit to Address Third-Party Providers of IT-Related Services

Are desired processes are in place? Have we established accountability Do we agree on the levels of control? Do the service contracts adequately identify

deliverables and responsibilities? Is there ongoing monitoring and evaluation of

providers and partners?

61

Using the Management Guidelines

62

Are they doing the right things?Are they doing it the right way?Are they being done well?Are we getting benefits?

What IT Problem?

IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.

What does the agency

do?

Cascading strategy and goals Organizational alignmentA control frameworkBalanced Business Scorecard

How does management

react?

63

Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.

Promotes process focus and process ownership

Divides IT into 34 processes belonging to four domains

Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT

EffectivenessEfficiencyAvailability,IntegrityConfidentialityReliabilityCompliance.

PlanningAcquiring & ImplementingDelivery & SupportMonitoring

CobiT : An IT control frameworkCobiT : An IT control framework

64

“Due diligence” IT is strategic to the business IT is critical to the business Expectations and reality don’t match IT involves huge investments and large risks

Why governance?Why governance?

65

If so, wouldn’t you want to know whether your information technology organization is:

Likely to achieve its objectives? Resilient enough to learn and adapt? Judiciously managing the risks it faces? Appropriately recognizing opportunities and acting

upon them?

IT is strategic to most businessesIT is strategic to most businesses

66

Generic and action oriented For the purpose of

• IT Control profiling - what’s important?• Awareness - where’s the risk?• Benchmarking - what do others do?

Supporting decision making and follow up• Key performance indicators of IT

processes• Critical success factors of controls• Control implementation choices

Management Guidelines

67

Management GuidelinesCritical Success Factors the most important things to do to increase the

probability of success of the process observable - usually measurable - characteristics of

the organisation and process are either strategic, technological, organizational or

procedural in nature focus on obtaining, maintaining and leveraging

capability and skills expressed in terms of the IT process, not necessarily

the business

68

Management GuidelinesKey Goal Indicators describe the outcome of the process and are therefore a ‘lag’

indicator, i.e., measurable after the fact Are an indicator of the success of the process but may also

be expressed in terms of the business contribution if that contribution is specific to the IT process

represent the process goal, i.e., a measure of “what”, a target to achieve

may also describe a measure of the impact of not reaching the process goal

KGIs are IT oriented but are also business driven Are expressed in precise measurable terms wherever

possible

69

Management Guidelines

Key Performance Indicators are a measure of “how well” the process is

performing predict the probability of success or failure in the

future, i.e. KPIs are ‘LEAD’ indicators are process oriented but IT driven focus on the process and learning dimensions of

the balanced scorecard are expressed in precise measurable terms should help in improving the IT process

70

Maturity Models• Refer to business requirements and control capabilities

at different levels

• Are scales that lend themselves to pragmatic comparison

• Are scales where the difference can be made measurable in an easy manner

• Are recognizable as a “profile” of the enterprise in relation to IT governance and control

• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity

• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level

71

0 1 2 3 4 5

Non-Existent Initial Repeatable Defined Managed Optimised

Enterprise current status

International standard guidelines

Industry best practice

Enterprise strategy

Legend for symbols used Legend for rankings used

0 - Management processes are not applied at all1 - Processes are ad hoc and disorganised2 - Processes follow a regular pattern3 - Processes are documented and communicated4 - Processes are monitored and measured5 - Best practices are followed and automated

Start from a Maturity Model

72

What Management should do

Align IT strategy with business goals Cascade strategy and goals down into the agency Set up organizational structures that facilitate strategy

implementation Adopt a control and governance framework Provide IT infrastructures that facilitate creation and sharing of

business information Embed responsibilities for risk management in the

organization Focus on important IT processes and core IT competencies Measure performance (Balanced Business Scorecard)

73

CobiT Recognizes IT is an integral part of the organization IT governance is an integral part of corporate

governance Focus on control objectives can strengthen

appropriateness and use of internal controls Measurement is crucial to internal control Monitoring and evaluation are integral to a

system of internal control

74

Benefits of CobiT

Supports IT governance objectives.

Helps ensure that IT processes are defined and assigned.

Helps to focus on control objectives.

Leads to more cost-effective IT services.

Helps management to better utilize internal and external auditors

Provides benchmarks for best practices for IT management and IT control

75

Benefits of CobiT

Helps ensure the organization complies with applicable rules, regulations and contractual obligations.

Opportunity for complementary adoption of COSO and CobiT (or other control models).

Authoritative nature of Cobit encompassing adoption of well-recognized and established standards for IT control.

76

Benefits of CobiT

Strengthens assessment, understanding and exercise of appropriate internal controls.

Provides a good framework for risk assessment and risk management.

Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.

Helps auditors and control professionals to be proactive business advisors.

77

Benefits of CobiT

Provides a framework for ensuring that outsourced IT functions are addressed in third-party contracts.

Helps to strengthen the relationship between IT Services and the user community through improved SLAs.

Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.

78

Benefits of CobiT

Helps to provide reasonable assurance that:– IT process objectives are understood

– IT risks have been identified

– Appropriate controls have been implemented

– Appropriate monitoring and evaluation processes in effect

– IT process objectives and can be achieved.

79

CobiT Strengthens the understanding, design,

implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives

Strengthens management’s efforts to “ensure” and Audit’s efforts to provide “assurance”

80

A Tip regarding CobiT

CobiT is generic - adapt it to your organization in cooperation with the business-process owners!– Determine focus (quality, security, fiduciary)

– Harmonize existing policies and procedures with CobiT

– Determine control responsibilities– Identify key performance indicators and critical

success factors

81

Another Tip or Two

Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework

Start with CobiT’s Control Objectives Framework and progress to the Management Guidelines.

Build the mechanisms to provide assurance that control objectives are being addressed and that controls are working as intended

82

CobiT

For additional information:

www.isaca.orgwww.ITgovernance.org

or email or give me a call at(617) 727-6200 ext 135

Go Forth andCOBITize

Thank You

83