Information systems audit and control
Part 1
Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts, USA
Adjunct faculty at Bentley College
Member of CobiT Steering Committee
Member of Governor’s Task Force on E-Commerce and Enterprise Security Board, Massachusetts
Served as member of Y2K Coordinating Council, Commonwealth of Massachusetts
1994-1995 International President of ISACA/F
Served as member of Governor’s Commission on Computer Crime and Governor’s Commission on Computer Technology and Law
e-mail: [email protected]
What is CobiT?
What is the CobiT Framework?
What is the Control Objectives document?
Who should use CobiT?
How can auditors effectively use CobiT?
How does one become familiar with CobiT and learn to use it effectively?
CobiT’s Background and Authoritative Nature
CobiT Framework and its components
High-Level & Detailed Control Objectives
Audit Guidelines and Using CobiT
Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
Structured and organized to provide a powerful control model
CobiT
CobiT is designed to be the break-through IT governance tool that helps in the understanding and managing of risks and benefits associated with information and related IT.
Control OBjectives for Information and Related Technology
Right information, to only the right party, at the right time.
Information that is relevant, reliable and secure.
Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
Information Systems Audit and Control Association/Foundation
Leading global professional IT control organization
– Focuses on audit, control and security issues
– The Association works closely with its more than 150 chapters in 100 countries
Provides services and programs designed to promote and establish excellence in IT governance and audit.
Research conducted through Foundation projects is selected to help members and the profession keep pace with the ever-changing IT and business environment.
IT Governance Institute
Formed by ISACA and ISACF in 1998 to advance the understanding and adoption of IT governance principles
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.
IT Governance Objectives
IT is aligned with the business and enables the business to maximize benefit
IT resources are safeguarded and used in a responsible and ethical manner
IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
CobiT grew from an initiative to update EDPAA’s Control Objectives in 1992
New focus expanded to include managerial and user needs regarding IT control and governance
Global perspective added
CobiT Steering Committee appointed
IT control framework developed
The framework became CobiT
CobiT was first published in April, 1996
CobiT implementation monitored and evaluated by ISACA and the CobiT Steering Committee
CobiT enhancements developed, 1997
CobiT, 2nd edition, was published in April, 1998
CobiT enhancements and development of Management Guidelines, 1999-2000
CobiT, 3rd edition, and Management Guidelines, were published in July, 2000
Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)
Framework -- Senior Operational Management (Directors of IS and Audit / Controls)
Control Objectives -- Middle Management (Mid-Level IS and IS Audit/ Controls Managers)
Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)
Implementation Tool Set -- Any of the above
Management Guidelines -- Management and Audit
The need for better operational controls
Technology that makes new business processes possible may come with a loss of control
Demand for increased effectiveness and efficiency
The importance of technology
The need to hold officers and senior management accountable and strengthen governance
Dashboard: How do responsible managers keep the ship on course?
Scorecard: How do we achieve satisfactory results for our stake-holders?
Benchmarking: How do we adapt in a timely manner to trends, developments, and “best practices” for our organization’s environment?
If you use computer-generated information in decision-making or for audit evidence, you need to assess its reliability.
If you are the holder of computer-generated information, you must exercise appropriate and defendable controls to safeguard that information, or evidence.
• Increasing dependence on information and the systems that deliver the information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare
• Scale and cost of the current and future investments in information and information systems
• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
1980s: Glass-house – data centres, secure buildings
1990s: Network – business integration, managed networks
21st Century: Cyberspace – virtual value chain, e-commerce, extended enterprise
??: Streetwise users – unpredictable and fast, unstructured and innovative, hard to implement
CobiT’s Scope and Overall Objectives
CobiT focuses on information having integrity and being secure and available.
At the highest level, it focuses on the importance of information to the long-term success of the organization.
For Information System Services functions, CobiT can be applied from single point IT operations to across the enterprise.
For application systems, CobiT can be applied from a single application-based system to enterprise-based systems.
CobiT is management oriented
Supports corporate and IT governance
Serves as excellent criteria for evaluation and a basis for audit planning
Addresses key attributes of information produced by IT.
Links recommended control practices for IT to business and control objectives.
Provides guidance in implementing and evaluating the appropriateness of IT-related control practices.
As a control model, CobiT should be tailored to organizational, platform and system standards.
Use CobiT as the structure to which you link organization-specific operational and control requirements, policies, and standards
Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing:
– management with generally applicable and accepted standards for good practice for IT control and governance
– users with a solid base upon which to manage IT and obtain assurance
– auditors with excellent criteria for review/audit work
Standards used to determine whether something meets expectations.
Basis upon which one measures or compares something against.
Need to be generally accepted, recognized, understandable, and defendable.
Need to be authoritative.
CobiT as an Authoritative Source
CobiT is an Authoritative Source
Built on a sound framework of control and IT-related control practices.
Aligned with de jure and de facto standards and regulations.
41 international standards from around the world were used to identify IT-related control objectives and control practices.
CobiT Sources
Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)
Technical standards (ISO, EDIFACT, etc.)
Codes of Conduct
Qualification criteria for IT systems and processes (ISO9000, ITSEC, TCSEC, etc.)
Industry practices and requirements from industry forums (ESF, I4)
Emerging industry-specific requirements from banking, e-com, IT manufacturing.
Based on a Strong Foundation and Sound Principles of Internal Control
What is Internal Control?
How it is defined impacts its design, exercise, and evaluation.
Purpose of Internal Control
Designed to keep an organization on course toward achievement of its mission minimizing surprises along the way.
Assist in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth.
Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated framework, Executive Summary, p. 1.
The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur.
Controls reduce or eliminate the risk of exposures, or the exposures themselves.
Internal Control
Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).
Goals of Internal Control
“Keep things in check”
Adhering to the rules of the road
Reduce risk based upon “best practices”
Proof the rules have been followed
Provide assurance that operations are according to standard
Keep those blasted auditors happy
Building CobiT’s Definition of Internal Control
Control (as defined by COSO)
Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– efficiency and effectiveness of operations
– reliability of financial reporting
– compliance with applicable laws and regulations
Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated Framework, Executive Summary, p. 1.
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
IT Control Objective
A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity
CobiT supports all fundamental Internal Control requirements
Internal Control Requirements
Systemization
Documentation
Standards, defined expectations
Measurement
Appropriate risk assessment
Internal Control Requirements
Well-defined operational and control objectives
Appropriate controls
Competent and trustworthy people
Monitoring & evaluation
[Figure: control feedback loop] Desired state of system (goals and plans) → Observe actual state of system (observations) → Document actual state of system (documentation) → Evaluate system (evaluation) → Recommend changes to system (recommendations)
Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p. 214.
Internal Control Review
[Figure: internal control review cycle, with CobiT supplying the criteria] Goals and plans → Observe the process & controls (gain understanding) → Document the process & controls (AWP & work papers) → Test & evaluate process & controls → Draw conclusions → Recommend changes if needed → Report recommendations
Control Principles
Controls should be considered as “built in” rather than “added on”.
Controls need to support control objectives that are tied to business objectives.
In order to support monitoring and evaluation, controls need to be testable and auditable.
Controls need to be cost effective.
Value of Internal Control
Often the value of internal control is only recognized by the results of not having adequate control in place.
Control Objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events.
Control Models:
Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices.
Provide statements of responsibilities for control
Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control
Require that controls be monitored and evaluated.
To Be of Value, a Control Model Should Be:
Based on sound principles
Applicable & Flexible in application
Comprehendible
Subject to having “staying power”
Impact of Technology on Control
Operational and control objectives change little
Some technology-specific control objectives change
There is a significant impact on the “mix” of controls used to address the control objectives.
Technology can facilitate achieving control objectives
Impact of Technology on Audit
Has provided us with some tools to increase audit effectiveness and efficiency
Has allowed us to rethink post and pre-emptive or on-going audit techniques
Has provided opportunities to facilitate achieving control objectives
Relation to Other Control Models
CobiT is in alignment with other control models:
– COSO
– COCO
– Cadbury
– King
What is COSO?
Published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission
– American Institute of CPAs
– American Accounting Association
– Institute of Internal Auditors
– Institute of Management Accountants
– Financial Executives Institute
Components of COSO
Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring
Checkmarks on COSO Slides
The red checkmarks on the following slides indicate that the CobiT control model includes the same or extremely similar statements
Components of COSO
Control Environment:
– tone of the organization
– control awareness of people
– integrity, ethical values and competence
– management philosophy and operating style
– assignment of authority and responsibility
– attention and direction provided by the board of directors.
Understanding the Control Environment
Understanding the information system, supporting technology, and the organization
Documenting the business operations and the IT environment
Identifying the key operational and control objectives
Identifying and evaluating the appropriateness of internal controls
Components of COSO
Risk Assessment:
– Established objectives
– Identify and analyze risks to achievement of objectives
– Manage risks
– Identify special risks associated with change (economic, regulatory, operating)
Components of COSO
Control Activities:
– Policies and procedures that help ensure management directives are carried out
– Actions taken to address risks
– Carried out at all levels
– Includes: approvals, authorizations, verifications, reconciliation, reviews of operating performance, security of assets
Components of COSO
Information and Communication:
– Pertinent information enables individuals to carry out their responsibilities
– Information must be identified, captured and communicated
– Internal and external information necessary for informed decision-making
Components of COSO
Monitoring:
– Assess the quality of the internal control system’s performance
– Ongoing monitoring and separate evaluations
Internal Control Roles and Responsibilities by COSO & CobiT
Internal Auditors:
– Evaluate effectiveness of control systems
– Play a significant monitoring role
Other Personnel:
– Internal control is everyone’s responsibility
– Most employees produce information used in internal control systems
– Most employees take actions needed to effect control
Control Responsibilities
Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
Users -- exercise controls.
Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
CobiT assists in evaluating appropriateness of controls
Assists in identifying desired states of systems and processes
Assists in identifying what to look for when observing system operations
Provides a working control model for IT-related control objectives
The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices
CobiT Framework
Documents relationships among information criteria, IT resources, and IT processes
Links control objectives and control practices to business processes and business objectives
Assists in confirming that appropriate IT processes are in place
Facilitates discussion
CobiT Framework
Facilitates the understanding of the:
– relationship of controls to control objectives,
– importance of focusing on control objectives and their relationship to the business organization and its business processes, and
– value of managed processes and resources tied to strategic initiatives.
COBIT’s Focus on Process and Objectives (worked example from the slide)
Business (organization): Retail merchandising (Walmart, etc.)
Objectives/Requirements: ROI, market share, customer loyalty (right product, time, price)
Business Processes (to meet objectives): Order fulfillment (OE/S, Inventory, Purchasing)
Information Required (for processes): Data availability and reliability
IT Resources (to provide information): Data, Application Systems, People
IT Processes (to manage & control resources): Planning & Organization, Delivery & Support
Framework’s Three Components
Business Requirements for Information
IT Resources
IT Processes
“Business Requirements for Information”
To support business processes and satisfy business objectives, information needs to conform to certain criteria.
COBIT calls these criteria “business requirements for information.”
Sources of Information Criteria
Quality Requirements: Quality, Cost, Delivery (Better, Cheaper, Faster)
Fiduciary Requirements (COSO Report):
– Effectiveness and Efficiency of operations
– Reliability of Financial Reporting
– Compliance with Laws and Regulations
Security Requirements: Confidentiality, Integrity, Availability
Promotes a Healthy, Constructive Focus on Information Criteria
Viewing Information as being:
– relevant and reliable
– delivered in a timely, correct, consistent, usable and complete manner
– accurate, complete and valid
– provided through an optimal use of resources
– protected against unauthorized use, manipulation or disclosure
– available when required
– in compliance with legal and contractual obligations
Information Criteria -- The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of Information
Information Criteria -- The 1st Component
Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner.
Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources. See Framework, p. 14.
Information Criteria -- The 1st Component
Confidentiality: concerns the protection of sensitive information from unauthorized disclosure.
Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations.
See Control Objectives, p. 14.
Information Criteria -- The 1st Component
Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.
See Framework, p. 15.
Information Criteria -- The 1st Component
Reliability of Information: relates to the provision of appropriate information for management to operate the entity, to provide financial reporting to users of the financial information, and to provide information to report to regulatory bodies with regard to compliance with laws and regulations.
See Framework, p. 13.
IT Resources -- The 2nd Component
Data
Application Systems
Technology
Facilities
People
IT Resources -- The 2nd Component
Data: Objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc.
Application Systems: Application systems are understood to be the sum of manual and programmed procedures.
See Control Objectives, page 14.
IT Resources -- The 2nd Component
Technology: Hardware, operating systems, data base management, networking, multi-media, etc.
Facilities: Resources to house and support information systems.
People: Include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
See Control Objectives, page 14.
Information Processes (3rd component)
Domains (4): Natural grouping of processes, often matching an organizational domain of responsibility
Processes (34): A series of joined tasks & activities with natural (control) breaks
Tasks & Activities (318): Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete
See Framework, p. 16.
COBIT Domains: Information Processes (3rd Component)
Planning/Organization
Acquisition/Implementation
Delivery/Support
Monitoring
How do they relate?
[Figure: the CobiT cube relating the three components]
IT Processes: Planning and Organisation; Acquisition and Implementation; Delivery and Support; Monitoring
IT Resources: Data; Information Systems; Technology; Facilities; Human Resources
Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
IT Resource Management
CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with the type, quality, availability and security of information needed to achieve organizational objectives.
Framework: What you need vs. what you get
[Figure: business processes require information; IT resources deliver it]
Business Processes → Information (what you need): effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT Resources (data, application systems, technology, facilities, people) → Information (what you get): the same information criteria
Do they match?
COBIT’s Waterfall and Navigation Aids
[Figure: the waterfall] The control of IT Processes (Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring), which satisfy Business Requirements (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), is enabled by Control Statements and considers Control Practices, applied to the IT resources (people, applications, technology, facilities, data).
Process/Criteria Relationships
Primary: the degree to which the defined control objective directly impacts the information requirement concerned.
Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned.
Blank: could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or another process.
See Control Objectives, page 17.
✓ = IT Resource is managed by this process
The WATERFALL Navigation Aid -- High-Level Control Objectives for Each Process
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
See Framework, p. 18.
[Figure: summary table of Domains (processes) against Requirements and Resources]
Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
Resources: Data, Application Systems, Technology, Facilities, People
Domains (processes): Planning and Organisation; Acquisition and Implementation; Delivery and Support; Monitoring
Example reading of the table: the planning process must consider data integrity requirements
(By Gustavo Solis)
Executive Summary
Executive Overview
States the case for control
Introduces the concepts of the COBIT Framework -- Setting the Scene
Provides working definitions
The Framework’s Principles
Introduces the Domains and Processes
Relationships among Principles, Domains, and Processes
The Framework
Executive Overview (again)
The COBIT Framework -- Setting the Scene
The Framework’s Principles – Criteria, Resources and Processes
Guide to Using the Framework -- Navigation Aids
Summary Table
High Level Control Objectives (Processes)
Control Objectives
Control Objectives, 3rd Edition (148 pages)
Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity
Assists in establishing clear policy and good practice for IT control
Control Objectives Contains:
Executive Summary and Framework
Summary Table (page 20)
Title Headers for Domains, Processes and Control Objectives (pages 23-27)
High-Level Control Objectives and management control practices by Domain (pages 31-134)
IT Governance Management Guideline and Maturity Model (pages 137-140)
CobiT Project Description (page 141)
Primary Reference Materials (pages 142-143)
Glossary of Terms & Index (pages 144-148)
Planning and Organization Domain
11 High-level Control Objectives
100 Detailed Control Objectives
(IT-related management control practices)
170+ Control Tasks and Activities
Planning and Organization
Develop strategy and tactical plans for IT
Identify ways that IT can best contribute to the achievement of business objectives
Plan, communicate, and manage the realization of the strategic vision
Establish the IT organization and set the stage for information management and the technology infrastructure
See Control Objectives, p. 32.
Planning and Organization Domain
PO 1 Define a Strategic Information Technology Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organization and Relationships
PO 5 Manage the Investment in Information Technology
PO 6 Communicate Management Aims and Directions
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
PO 1 Define a Strategic Information Technology Plan
To take advantage of information technology opportunities and address IT business requirements, a process for developing a strategic plan for the organization’s IT resources should be adopted and the IT strategic plan should be converted to short term tactical plans.
Linking the Processes to Control Objectives
Control over the IT process of DEFINING A STRATEGIC IT PLAN (PO-1)
that satisfies the business requirement to strike an optimum balance of IT opportunities and IT business requirements as well as ensuring its further accomplishment
is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans. The long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals
and takes into consideration:
* definition of the business objectives and needs for IT
* inventory of technological solutions and current infrastructure
* “technology watch” services
* organisation changes
* timely feasibility studies
* existing systems assessments
PO 1 Define a Strategic Information Technology Plan
• Reference: page 32 of Control Objectives
8 detailed control objectives:
– IT as part of long-range goals
– IT long-range plan
– Contents of IT plan
– Modification of IT long-range plan
– IT tactical plan development
– Communication & evaluation of IT plans
– Assessing existing systems
PO 2 Define the Information Architecture
To ensure that the organization’s information is consistent with needs and enables people to carry out their responsibilities effectively and on a timely basis, an information architecture model, encompassing the corporate data model and the associated information systems should be created and regularly updated.
PO 2 Define the Information Architecture
Information architecture model
Corporate data dictionary and data syntax rules
Data classification scheme:
– security categories
– ownership
– access rules
Maintain security levels for each data classification
PO 3 Determine the Technological Direction
To ensure sufficient technology to perform the IS function and to take advantage of emerging technology, the information services function should create and regularly update a technology infrastructure that encompasses the systems architecture, technological direction and migration strategies.
PO 3 Determine the Technological Direction
Technological infrastructure planning
Monitor future trends and regulations
Assess infrastructure for contingency aspects
Hardware & software acquisition plans
Define technology standards
PO 4 Define the IT Organization and Relationships
To ensure that IT services are delivered in an efficient and effective manner, there must be: adequate internal and external IT staff, administrative policies and procedures for all functions (with specific attention to organizational placement, roles and responsibilities, and segregation of duties), and an IS steering committee to determine prioritization of resource use.
PO 5 Manage the Investment in Information Technology
To ensure adequate funding for IT, controlled disbursement of financial resources, and effective and efficient utilization of IT resources, IT resources must be managed: through use of information services capital and operating budgets, by justifying IT expenditures, and by monitoring costs (in light of risks).
PO 6 Communicate Management Aims and Direction
To ensure the overall effectiveness of the IS function, IS management must establish direction and related policies addressing such aspects as: positive control environment throughout the organization, code of conduct/ethics, quality, and security. The policies must then be communicated (internally and externally) to obtain commitment and compliance.
PO 7 Manage Human Resources
IT personnel resources must be managed so as to maximize their contributions to the IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, back up, performance evaluation, job change, and termination.
PO 8 Ensure Compliance with External Requirements
To avoid fines, sanctions, and loss of business, the organization must maintain procedures to ensure awareness of and compliance with industry, regulatory, legal, and contractual obligations. IT related requirements include: safety, privacy, transborder data flows, electronic commerce, and insurance contracts.
PO 9 Assess Risks
To ensure the achievement of IT objectives, in support of business objectives, and to respond to threats to the provision of IT services, management should establish a risk assessment framework including: risk identification, measurement, risk action plan, and the formal acceptance and communication of the residual risk.
PO 9 Assess Risks
Cornerstone high-level control objective for developing and maintaining an appropriate system of internal control
Includes business risk assessment, risk assessment approach, identification of risk, risk measurement, & action plan
Understanding and acceptance of residual risk
PO 10 Manage Projects
To ensure that projects are completed on time, within budget, and are undertaken in order of importance, management must establish a project management framework to ensure that project selection is in line with plans and that a project management methodology is applied to each project undertaken.
116
PO 11 Manage Quality
To ensure that customer requirements are met, senior management should establish a quality assurance (QA) plan and implement related activities, including reviews, audits, and inspections, to ensure the attainment of IT customer requirements. A systems development life cycle methodology is an essential component of the QA plan.
117
Acquisition and Implementation Domain
6 High-level Control Objectives
68 Detailed Control Objectives
(IT-related management control practices)
100+ Control Tasks and Activities
118
Acquisition and Implementation
IT solutions:
• Identified
• Developed or acquired
• Implemented
• Integrated into the business processes
Change and maintain existing systems
See Framework, p. 17.
119
Acquisition and Implementation Domain
AI 1 Identify Automated Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire & Maintain Technology Infrastructure
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
120
AI 1 Identify Automated Solutions
SDLC having procedures to:
• define information requirements,
• formulate alternative courses of action,
• perform technological feasibility studies
• perform economic feasibility studies, and
• assess risks.
121
AI 2 Acquire and Maintain Application Software
SDLC having procedures to:
• create design specifications for new, or significantly modified, application systems,
• verify those specifications against the user requirements, and
• ensure specifications are developed with system users and approved by management and user departments.
122
AI 3 Acquire and Maintain Technology Infrastructure
To ensure that platforms (hardware and systems software) support business applications, the organization’s SDLC should provide for an assessment of the impact of new hardware and software on the performance of the overall system. In addition, procedures should be in place to ensure that hardware and systems software are installed, maintained, and changed so that they continue to support business applications.
123
AI 4 Develop and Maintain IT Procedures
To ensure the ongoing, effective use of IT, the organization’s SDLC should provide for the preparation and maintenance of service level requirements, training materials, and operating (user and operations) manuals.
124
AI 5 Install and Accredit Systems
• SDLC should provide for a planned, tested, controlled, and approved conversion to the new system.
• After installation, the SDLC should call for a review to determine that the new system has met users’ needs in a cost-effective manner.
125
AI 6 Manage Changes
To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure must be managed via: change request, impact assessment, documentation, authorization, and release and distribution policies and procedures.
126
Delivery and Support Domain
13 High-level Control Objectives
126 Detailed Control Objectives
(IT-related management control practices)
190+ Control Tasks and Activities
127
Delivery and Support
• Deliver required services
• Ensure security and continuity of services
• Set up support processes, including training
• Process data (including “application” controls)
See Control Objectives, p. 90.
128
Delivery and Support Domain
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Allocate Costs
DS 7 Educate and Train Users
129
Delivery and Support Domain
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
130
DS 1 Define Service Levels
To ensure that IT services continue to satisfy organizational requirements, senior management should establish a framework for reaching explicit agreements on the minimal acceptable levels of quantity and quality of IT services delivered by internal and external IT resources and then measure IT performance against these agreements.
131
DS 2 Manage Third-Party Services
To ensure that IT services delivered by third parties continue to satisfy organizational requirements, management should establish a process to identify, manage and monitor non-entity IT resources. Formal third-party contracts should address many of the same items contained in service level agreements (see DS 1).
132
DS 3 Manage Performance and Capacity
To ensure that sufficient capacity of IT resources remains available for optimal use to satisfy organizational requirements, management should establish a process to monitor the capacity and performance of all IT resources. The capacity of all IT resources must be determined and managed, and resource modifications (increases or decreases) must be planned for.
133
DS 4 Ensure Continuous Service
To ensure that sufficient IT resources continue to be available for use in the event of a service disruption, management should establish a process, coordinated with the overall business continuity strategy, that includes disaster recovery/contingency planning for all IT resources and related business resources, both internal and external.
134
DS 4 Ensure Continuous Service Continued
Example of including additional guidelines:
The “Control Practices Guideline for Information Systems Continuity Planning” (ISACA publication, July 1995) calls for:
Evaluation of continuity requirements
• criticality assessment
• risk assessment
• impact assessment
135
DS 4 Ensure Continuous Service Continued
The Control Practices Guideline for Information Systems Continuity Planning also calls for:
• Continuity Plan Risk Management
• Maintaining a Viable Continuity Plan
• Testing the Continuity Plan
• Maintenance of the Plan
• Communication and Training
136
DS 5 Ensure Systems Security
To ensure that organizational information is not subjected to unauthorized use, disclosure, modification, damage, or loss, management should implement logical access controls to restrict access to systems, data, and programs to only authorized users. This objective addresses logical, as opposed to physical, security issues.
137
DS 6 Identify and Allocate Costs
To ensure that IT resources are delivered in a cost-effective manner and that they are used wisely, information services management should identify the costs of providing IT services and should allocate those costs to the users of those services.
138
DS 7 Educate and Train Users
To ensure that users make effective use of IT, management should identify the training needs of all personnel, internal and external, who make use of the organization’s IT resources and services and should see that timely training sessions are conducted.
139
DS 8 Assist and Advise IT Customers
To effectively utilize IT resources, users often require advice on how to properly utilize IT resources and may require assistance to overcome problems encountered in using those resources. This assistance is generally delivered via a “help desk” function.
140
DS 9 Manage the Configuration
To ensure that IT assets are not lost or altered, or used without authorization, management should establish a process to account for all IT components, including applications, technology, and facilities, and to prevent unauthorized alterations of assets or use of unauthorized assets.
141
DS 10 Manage Problems and Incidents
To ensure that barriers to efficient and effective use of the IT resource are prevented or eliminated and that the IT resource remains available, information services management should implement a system to identify, track, and resolve in a timely manner problems and incidents that occur.
142
DS 11 Manage Data
To ensure that data remains complete, accurate, and valid, management should establish a combination of application and general controls.
143
DS 12 Manage Facilities
To protect the IT facilities against man-made and natural hazards, the organization must install and regularly review suitable environmental and physical controls.
144
DS 13 Manage Operations
To ensure that important IT functions are performed regularly and in an orderly fashion, the information services function should establish and document standard procedures for IT operations.
145
Monitoring Domain
• 4 High-level Control Objectives
• 24 Detailed Control Objectives
• (IT-related management control practices)
• 51+ Control Tasks and Activities
146
Monitoring Domain
Regularly assess IT processes for:
• Quality
• Compliance with control requirements
Addresses management oversight of organization’s control provisions
Provides for audit function
See Control Objectives, p. 126.
147
Monitoring Domain
M 1 Monitor the Process
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
148
M 1 Monitor the Process
To ensure the achievement of IT process objectives, management should establish a system for defining performance indicators, gathering data about all processes, and generating performance reports. Management should review these reports to measure progress toward identified goals.
149
M 2 Assess Internal Control Adequacy
To ensure the achievement of internal control objectives, management should establish a system for monitoring internal controls and assessing and reporting on their effectiveness on a regular basis.
150
M 3 Obtain Independent Assurance
To increase confidence that IT objectives are being achieved and that controls are in place and to benefit from advice regarding best practices for IT, independent assurance reviews should be conducted on a regular basis.
151
M 4 Provide for Independent Audit
To increase confidence levels that IT objectives are being achieved and that controls are in place and to benefit from advice regarding best practices for IT governance, independent audits should be conducted on a regular basis.
152
Summary of the Framework
• Business Objective
  – Business Processes (to meet objectives)
    • IT Processes (to manage and control)
      – IT Resources (to provide information)
• 4 Domains, 34 Processes/High-Level Control Objectives, 318 Activities/Detailed Control Objectives
• Cut the Framework by Information Criteria, IT Resources, or IT Processes
153
SUMMARY OF COBIT TO THIS POINT
• Defines a Framework for Reviewing IT. Four Domains are identified.
• Achievement of each IT Process to meet a business objective represents a high-level Control Objective.
• Identifies control objectives to be addressed. For each of the 34 Processes, there are up to 30 Detailed IT Control Objectives or IT management control practices.
154
SUMMARY OF COBIT TO THIS POINT
• The IT Control Objectives came from 41 primary sources.
• There are Navigational Tools, including a “Waterfall” and a “Cube” approach.
• Provides a systematic and logical method for defining and communicating IT Control Objectives.
• IT Control Objectives are linked to business processes and objectives.
The “Waterfall”:
Domains: P&O, A&I, D&S, M
34 Processes / High-Level Control Objectives: PO 1.0 to PO 11.0, AI 1.0 to AI 6.0, DS 1.0 to DS 13.0, M 1.0 to M 4.0
318 Tasks & Activities / Detailed Control Objectives: PO 1.1 to PO 11.18, AI 1.1 to AI 6.7, DS 1.1 to DS 13.7, M 1.1 to M 4.8
155
The CUBE: Relationships Among Components
[Figure: the CobiT cube, with three axes: IT Processes; IT Resources (People, Application Systems, Technology, Facilities, Data); and Information Criteria (Quality, Fiduciary, Security).]
See Control Objectives, p. 16.
156
157
For Management, CobiT:
Addresses management's increasing legal responsibility for control
Expresses required IT control practices in management terms
Guides IT investment and operational decisions (to balance risk and control)
Helps management better utilize internal and external auditors
158
For Users, COBIT:
Provides benchmarks for best practices for IT management and IT control
Helps obtain assurance for business processes supported by IT
Strengthens relationship with IT services
Helps ensure adequate level of integrity of information provided by IT systems
159
For Auditors, COBIT:
Provides good benchmarks or criteria for evaluating IT control
Focuses on control objectives and controls
Substantiates opinions to management on internal controls
Helps auditors and control professionals to be proactive business advisors
160
For us All, CobiT:
Strengthens the understanding, design, implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives
Strengthens management’s efforts to “ensure” and Audit’s efforts to provide “assurance”
End of Part 1. Go To Part 2.
161