Information systems audit and control

Transcript of Information systems audit and control

Page 1: Information systems audit and control

Part 1

Page 2: Information systems audit and control

Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts, USA

Adjunct faculty at Bentley College

Member of CobiT Steering Committee

Member of Governor’s Task Force on E-Commerce and Enterprise Security Board, Massachusetts

Served as member of Y2K Coordinating Council, Commonwealth of Massachusetts

1994-1995 International President of ISACA/F

Served as member of Governor’s Commission on Computer Crime and Governor’s Commission on Computer Technology and Law

e-mail: [email protected]

Page 3: Information systems audit and control

What is CobiT?

What is the CobiT Framework?

What is the Control Objectives document?

Who should use CobiT?

How can auditors effectively use CobiT?

How does one become familiar with CobiT and learn to use it effectively?

Page 4: Information systems audit and control

CobiT’s Background and Authoritative Nature

CobiT Framework and its components

High-Level & Detailed Control Objectives

Audit Guidelines and Using CobiT

Page 5: Information systems audit and control

Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.

Structured and organized to provide a powerful control model

Page 6: Information systems audit and control

CobiT

CobiT is designed to be the break-through IT governance tool that helps in the understanding and managing of risks and benefits associated with information and related IT.

Page 7: Information systems audit and control

Control OBjectives for Information and Related Technology

Page 8: Information systems audit and control

Right information, to only the right party, at the right time.

Information that is relevant, reliable and secure.

Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.

Page 9: Information systems audit and control

Information Systems Audit and Control Association/Foundation

Leading Global Professional IT Control organization

– Focuses on Audit, Control and Security Issues

– The Association Works Closely with its more than 150 Chapters in 100 Countries

Provides Services and Programs Designed to Promote and Establish Excellence on IT Governance and Audit.

Research conducted through Foundation Projects is selected to help Members and the Profession keep pace with the ever-changing IT and business environment.

Page 10: Information systems audit and control

IT Governance Institute

Formed by ISACA and ISACF in 1998 to advance the understanding and adoption of IT governance principles

Page 11: Information systems audit and control

A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes.

Page 12: Information systems audit and control

IT Governance Objectives

IT is aligned with the business and enables the business to maximize benefit

IT resources are safeguarded and used in a responsible and ethical manner

IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure

Page 13: Information systems audit and control

CobiT grew from an initiative to update EDPAA’s Control Objectives in 1992

New focus expanded to include managerial and user needs regarding IT control and governance

Global perspective added

CobiT Steering Committee appointed

IT control framework developed

The framework became COBIT

CobiT was first published in April, 1996

Page 14: Information systems audit and control

CobiT implementation monitored and evaluated by ISACA and the CobiT Steering Committee

CobiT enhancements developed, 1997

CobiT, 2nd edition, was published in April, 1998

CobiT enhancements and development of Management Guidelines, 1999-2000

CobiT, 3rd edition, and Management Guidelines, were published in July, 2000

Page 15: Information systems audit and control

Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)

Framework -- Senior Operational Management (Directors of IS and Audit / Controls)

Control Objectives -- Middle Management (Mid-Level IS and IS Audit/ Controls Managers)

Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)

Implementation Tool Set -- Any of the above

Management Guidelines -- Management and Audit

Page 16: Information systems audit and control

The need for better operational controls

Technology that makes new business processes possible may come with a loss of control

Demand for increased effectiveness and efficiency

The importance of technology

The need to hold officers and senior management accountable and strengthen governance

Page 17: Information systems audit and control

Dashboard: How do responsible managers keep the ship on course?

Scorecard: How do we achieve satisfactory results for our stake-holders?

Benchmarking: How do we adapt in a timely manner to trends, developments, and “best practices” for our organization’s environment?

Page 18: Information systems audit and control

If you use computer-generated information in decision-making or for audit evidence, you need to assess its reliability.

If you are the holder of computer-generated information, you must exercise appropriate and defendable controls to safeguard that information, or evidence.

Page 19: Information systems audit and control

• Increasing dependence on information and the systems that deliver the information

• Increasing vulnerabilities and a wide spectrum of threats, such as cyber threats and information warfare

• Scale and cost of the current and future investments in information and information systems

• Potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs

Page 20: Information systems audit and control

1980s: Glass-house

Data centres

Secure buildings

1990s: Network

Business integration

Managed networks

21st Century: Cyberspace

Virtual Value Chain

E-Commerce

Extended Enterprise

??: Streetwise users

Unpredictable and fast

Unstructured and innovative

Hard to implement

Page 21: Information systems audit and control

CobiT’s Scope and Overall Objectives

Page 22: Information systems audit and control

CobiT focuses on information having integrity and being secure and available.

At the highest level, it focuses on the importance of information to the long-term success of the organization.

Page 23: Information systems audit and control

For Information System Services functions, CobiT can be applied from single point IT operations to across the enterprise.

For application systems, CobiT can be applied from a single application-based system to enterprise-based systems.

Page 24: Information systems audit and control

CobiT is management oriented

Supports corporate and IT governance

Serves as excellent criteria for evaluation and a basis for audit planning

Page 25: Information systems audit and control

Addresses key attributes of information produced by IT.

Links recommended control practices for IT to business and control objectives.

Provides guidance in implementing and evaluating the appropriateness of IT-related control practices.

Page 26: Information systems audit and control

As a control model, CobiT should be tailored to organizational, platform and system standards.

Use CobiT as the Structure to which you link organization-specific operational and control requirements, policies, and standards

Page 27: Information systems audit and control

Helps business process owners to ensure the integrity of information systems and auditors to provide statements of assurance by providing:

– management with generally applicable and accepted standards for good practice for IT control and governance

– users with a solid base upon which to manage IT and obtain assurance

– auditors with excellent criteria for review/audit work

Page 28: Information systems audit and control

Standards used to determine whether something meets expectations.

Basis against which one measures or compares something.

Need to be generally accepted, recognized, understandable, and defendable.

Need to be authoritative.

Page 29: Information systems audit and control

CobiT as an Authoritative Source

Page 30: Information systems audit and control

CobiT is an Authoritative Source

Built on a sound framework of control and IT-related control practices.

Aligned with de jure and de facto standards and regulations.

41 international standards from around the world were used to identify IT-related control objectives and control practices.

Page 31: Information systems audit and control

CobiT Sources

Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)

Technical standards (ISO, EDIFACT, etc.)

Codes of Conduct

Qualification criteria for IT systems and processes (ISO9000, ITSEC, TCSEC, etc.)

Industry practices and requirements from industry forums (ESF, I4)

Emerging industry-specific requirements from banking, e-com, IT manufacturing.

Page 32: Information systems audit and control

Based on a Strong Foundation and Sound Principles of Internal Control

Page 33: Information systems audit and control

What is Internal Control?

How it is defined impacts its design, exercise, and evaluation.

Page 34: Information systems audit and control

Purpose of Internal Control

Designed to keep an organization on course toward achievement of its mission, minimizing surprises along the way.

Assist in dealing with rapidly changing economic and competitive environments, shifting customer demands and priorities, and restructuring for future growth.

Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated framework, Executive Summary, p. 1.

Page 35: Information systems audit and control

The design, implementation, and proper exercise of a system of internal controls should provide "reasonable assurance" that management's goals are attained, control objectives are addressed, legal obligations are met, and undesired events do not occur.

Controls reduce or eliminate the risk of exposures, or the exposures themselves.

Page 36: Information systems audit and control

Internal Control

Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).

Page 37: Information systems audit and control

Goals of Internal Control

“Keep things in Check”

Adhering to the Rules of the Road

Reduce risk Based Upon “Best Practices”

Proof the Rules Have Been Followed

Provide assurance that operations are according to standard

Keep those blasted auditors happy

Page 38: Information systems audit and control

Building CobiT’s Definition of Internal Control

Page 39: Information systems audit and control

Control (as defined by COSO)

Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

efficiency and effectiveness of operations

reliability of financial reporting

compliance with applicable laws and regulations

Source: Committee of Sponsoring Organizations (COSO) of the Treadway Commission, Internal Control - Integrated framework, Executive Summary, p. 1.

Page 40: Information systems audit and control

Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Source: COBIT Control Objectives, p. 12.

Page 41: Information systems audit and control

IT Control Objective

A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity

Page 42: Information systems audit and control

CobiT supports all fundamental Internal Control requirements

Page 43: Information systems audit and control

Internal Control Requirements

Systemization

Documentation

Standards, defined expectations

Measurement

Appropriate risk assessment

Page 44: Information systems audit and control

Internal Control Requirements

Well-defined operational and control objectives

Appropriate controls

Competent and trustworthy people

Monitoring & evaluation

Page 45: Information systems audit and control

Control loop (diagram, text recovered): Goals and plans → Desired state of system; Observe actual state of system → Observations; Document actual state of system → Documentation; Evaluate system → Evaluation; Recommend changes to system → Recommendations.

Source: Gelinas and Oram, Accounting Information Systems, 3rd ed., South-Western Publishing, 1996, p. 214.

Page 46: Information systems audit and control

Internal Control Review (diagram, text recovered): Goals and plans → CRITERIA via CobiT; Observe the process & controls → Gain Understanding → Observations; Document the process & controls → AWP & Work Papers; Test & Evaluate process & controls → Draw Conclusions; Recommend changes if needed → Report Recommendations.

Page 47: Information systems audit and control

Control Principles

Controls should be considered as “built in” rather than “added on”.

Controls need to support control objectives that are tied to business objectives.

In order to support monitoring and evaluation, controls need to be testable and auditable.

Controls need to be cost effective.

Page 48: Information systems audit and control

Value of Internal Control

Often the value of internal control is only recognized by the results of not having adequate control in place.

Control Objectives and related controls are valued by the degree to which they assist an organization to achieve objectives and avoid undesired events.

Page 49: Information systems audit and control

Control Models:

Structured or organized to present a control framework relative to control objectives and respective internal controls or control practices.

Provide statements of responsibilities for control

Provide guidance regarding mechanisms to assess the need for control, and to design, develop, implement and exercise control

Require that controls be monitored and evaluated.

Page 50: Information systems audit and control

To Be of Value, a Control Model Should Be:

Based on sound principles

Applicable & Flexible in application

Comprehensible

Subject to having “staying power”

Page 51: Information systems audit and control

Impact of Technology on Control

Operational and control objectives change little

Some technology-specific control objectives change

There is a significant impact on the “mix” of controls used to address the control objectives.

Technology can facilitate achieving control objectives

Page 52: Information systems audit and control

Impact of Technology on Audit

Has provided us with some tools to increase audit effectiveness and efficiency

Has allowed us to rethink post and pre-emptive or on-going audit techniques

Has provided opportunities to facilitate achieving control objectives

Page 53: Information systems audit and control

Relation to Other Control Models

CobiT is in alignment with other control models:

– COSO

– COCO

– Cadbury

– King

Page 54: Information systems audit and control

What is COSO?

Published in 1992 by the Committee Of Sponsoring Organizations of the Treadway Commission

– American Institute of CPAs

– American Accounting Association

– Institute of Internal Auditors

– Institute of Management Accountants

– Financial Executives Institute

Page 55: Information systems audit and control

Components of COSO

Control Environment

Risk Assessment

Control Activities

Information and Communication

Monitoring

Page 56: Information systems audit and control

Checkmarks on COSO Slides

The red checkmarks on the following slides indicate that the CobiT control model includes the same or extremely similar statements

Page 57: Information systems audit and control

Components of COSO

Control Environment:

tone of the organization

control awareness of people

integrity, ethical values and competence

– management philosophy and operating style

assignment of authority and responsibility

– attention and direction provided by the board of directors.

Page 58: Information systems audit and control

Understanding the Control Environment

Understanding the information system, supporting technology, and the organization

Documenting the business operations and the IT environment

Identifying the key operational and control objectives

Identifying and evaluating the appropriateness of internal controls

Page 59: Information systems audit and control

Components of COSO

Risk Assessment:

Established objectives

Identify and analyze risks to achievement of objectives

Manage risks

Identify special risks associated with change (economic, regulatory, operating)

Page 60: Information systems audit and control

Components of COSO

Control Activities:

Policies and procedures that help ensure management directives are carried out

Actions taken to address risks

Carried out at all levels

Includes: approvals, authorizations, verifications, reconciliation, reviews of operating performance, security of assets

Page 61: Information systems audit and control

Components of COSO

Information and Communication:

Pertinent information enables individuals to carry out their responsibilities

Information must be identified, captured and communicated

– Internal and external information necessary for informed decision-making

Page 62: Information systems audit and control

Components of COSO

Monitoring:

Assess the quality of the internal control system’s performance

Ongoing monitoring and separate evaluations

Page 63: Information systems audit and control

Internal Control Roles and Responsibilities by COSO & CobiT

Internal Auditors:

Evaluate effectiveness of control systems

Play a significant monitoring role

Other Personnel:

Internal control is everyone’s responsibility

Most employees produce information used in internal control systems

Most employees take actions needed to effect control

Page 64: Information systems audit and control

Control Responsibilities

Management -- primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.

Users -- exercise controls.

Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.

Page 65: Information systems audit and control

CobiT

Assists in evaluating appropriateness of controls

Assists in identifying desired states of systems and processes

Assists in identifying what to look for when observing system operations

Provides a working control model for IT-related control objectives

Page 66: Information systems audit and control

The CobiT Control Model Provides a Framework for Understanding Control Objectives and Control Practices

Page 67: Information systems audit and control

CobiT Framework

Page 68: Information systems audit and control

CobiT Framework

Documents relationships among information criteria, IT resources, and IT processes

Links control objectives and control practices to business processes and business objectives

Assists in confirming that appropriate IT processes are in place

Facilitates discussion

Page 69: Information systems audit and control

CobiT Framework

Facilitates the understanding of the:

relationship of controls to control objectives,

importance of focusing on control objectives and their relationship to the business organization and its business processes, and

value of managed processes and resources tied to strategic initiatives.

Page 70: Information systems audit and control

COBIT’s Focus on Process and Objectives

Business (organization): Retail merchandising (Walmart, etc.)

Objectives/Requirements: ROI, market share, customer loyalty (right product, time, price)

Business Processes (to meet objectives): Order fulfillment (OE/S, Inventory, Purchasing)

Information Required (for processes): Data availability and reliability

IT Resources (to provide information): Data, Application Systems, People

IT Processes (to manage & control resources): Planning & Organization, Delivery & Support

Page 71: Information systems audit and control

Framework’s Three Components

Business Requirements for Information

IT Resources

IT Processes

Page 72: Information systems audit and control

“Business Requirements for Information”

To support business processes and satisfy business objectives, information needs to conform to certain criteria.

COBIT calls these criteria “business requirements for information.”

Page 73: Information systems audit and control

Sources of Information Criteria

Quality Requirements: Quality, Cost, Delivery / Better, Cheaper, Faster

Fiduciary Requirements (COSO Report):

– Effectiveness and Efficiency of operations

– Reliability of Financial Reporting

– Compliance with Laws and Regulations

Security Requirements: Confidentiality, Integrity, Availability

Page 74: Information systems audit and control

Promotes a Healthy, Constructive Focus on Information Criteria

Viewing Information as being:

– relevant and reliable

– delivered in a timely, correct, consistent, usable and complete manner

– accurate, complete and valid

– provided through an optimal use of resources

– protected against unauthorized use, manipulation or disclosure

– available when required

– in compliance with legal and contractual obligations

Page 75: Information systems audit and control

Information Criteria -- The 1st Component

Effectiveness

Efficiency

Confidentiality

Integrity

Availability

Compliance

Reliability of Information

Page 76: Information systems audit and control

Information Criteria -- The 1st Component

Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent, usable and complete manner.

Efficiency: concerns the provision of information through the optimal (most productive and economical) use of resources. See Framework, p. 14.

Page 77: Information systems audit and control

Information Criteria -- The 1st Component

Confidentiality: concerns the protection of sensitive information from unauthorized disclosure.

Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business values and expectations.

See Control Objectives, p. 14.

Page 78: Information systems audit and control

Information Criteria -- The 1st Component

Availability: relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria.

See Framework, p. 15.

Page 79: Information systems audit and control

Information Criteria -- The 1st Component

Reliability of Information: relates to the provision of appropriate information for management to operate the entity, and for management in providing financial reporting to users of the financial information and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.

See Framework, p. 13.

Page 80: Information systems audit and control

IT Resources -- The 2nd Component

Data

Application Systems

Technology

Facilities

People

Page 81: Information systems audit and control

IT Resources -- The 2nd Component

Data: Objects in their widest sense (i.e., external and internal), structured and not structured, graphics, sound, etc.

Application Systems: Application systems are understood to be the sum of manual and programmed procedures.

See Control Objectives, page 14.

Page 82: Information systems audit and control

IT Resources -- The 2nd Component

Technology: Hardware, operating systems, data base management, networking, multi-media, etc.

Facilities: Resources to house and support information systems.

People: Include staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.

See Control Objectives, page 14.

Page 83: Information systems audit and control

Information Processes (3rd component)

Domains (4): Natural grouping of processes, often matching an organizational domain of responsibility.

Processes (34): A series of joined tasks & activities with natural (control) breaks.

Tasks & Activities (318): Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

See Framework, p. 16.

Page 84: Information systems audit and control

COBIT Domains: Information Processes (3rd Component)

Planning/Organization

Acquisition/Implementation

Delivery/Support

Monitoring

Page 85: Information systems audit and control

How do they relate?

(Diagram: the CobiT cube, relating the three components along its axes.)

IT Processes: Planning and organisation; Acquisition and implementation; Delivery and Support; Monitoring

IT Resources: Data; Information Systems; Technology; Facilities; Human Resources

Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability

Page 86: Information systems audit and control

IT Resource Management

CobiT underscores and demonstrates a clear understanding that IT resources need to be managed by naturally grouped processes in order to provide organizations with the type, quality, availability and security of information needed to achieve organizational objectives.

Page 87: Information systems audit and control

Framework: What you need / What you get -- Do they match?

(Diagram, text recovered: BUSINESS PROCESSES require INFORMATION, which is delivered by IT RESOURCES; both what is needed and what is delivered are judged against the Information Criteria.)

IT RESOURCES: data, application systems, technology, facilities, people

Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

Page 88: Information systems audit and control

COBIT’s Waterfall and Navigation Aids

(Diagram, text recovered:) The control of IT Processes, which satisfy Business Requirements (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), is enabled by Control Statements and considers Control Practices.

IT Resources: people, applications, technology, facilities, data

Domains: Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring

Page 89: Information systems audit and control

Process/Criteria Relationships

Primary: the degree to which the defined control objective directly impacts the information requirement concerned.

Secondary: the degree to which the defined control objective only satisfies to a lesser extent or indirectly the business requirement concerned.

Blank: could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or another process.

See Control Objectives, page 17.

Checkmark: IT Resource is managed by this process

Page 90: Information systems audit and control

The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process

(Diagram, text recovered:) The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.

See Framework, p. 18.

Page 91: Information systems audit and control

Summary table (diagram, text recovered): rows are the domains (processes): Planning and Organisation; Acquisition and implementation; Delivery and Support; Monitoring. Columns are the Requirements (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) and the Resources (Data, Application Systems, Technology, Facilities, People).

Example reading: The planning process must consider data integrity requirements.

(By Gustavo Solis)

Page 92: Information systems audit and control

Executive Summary

Executive Overview

States the case for control

Introduces the concepts of the COBIT Framework -- Setting the Scene

Provides working Definitions

The Framework’s Principles

Introduces the Domains and Processes

Relationships Among Principles, Domains, and Processes

Page 93: Information systems audit and control

The Framework

Executive Overview (again)

The COBIT Framework -- Setting the Scene

The Framework’s Principles – Criteria, Resources and Processes

Guide to Using the Framework -- Navigation Aids

Summary Table

High Level Control Objectives (Processes)

Page 94: Information systems audit and control

Control Objectives

Page 95: Information systems audit and control

Control Objectives, 3rd Edition (148 pages)

Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity

Assists in establishing clear policy and good practice for IT control

Page 96: Information systems audit and control

Control Objectives Contains:

Executive Summary and Framework

Summary Table (page 20)

Title Headers for Domains, Processes and Control Objectives (pages 23-27)

High-Level Control Objectives and management control practices by Domain (pages 31-134)

IT Governance Management Guideline and Maturity Model (pages 137-140)

CobiT Project Description (page 141)

Primary Reference Materials (pages 142-143)

Glossary of Terms & Index (pages 144-148)

Page 97: Information systems audit and control

Planning and Organization Domain

11 High-level Control Objectives

100 Detailed Control Objectives

(IT-related management control practices)

170+ Control Tasks and Activities

Page 98: Information systems audit and control

Planning and Organization

Develop strategy and tactical plans for IT

Identify ways that IT can best contribute to the achievement of business objectives

Plan, communicate, and manage the realization of the strategic vision

Establish the IT organization and set the stage for information management and the technology infrastructure

See Control Objectives, p. 32.

Page 99: Information systems audit and control

Planning and Organization Domain

PO 1 Define a Strategic Information Technology Plan

PO 2 Define the Information Architecture

PO 3 Determine the Technological Direction

PO 4 Define the IT Organization and Relationships

PO 5 Manage the Investment in Information Technology

PO 6 Communicate Management Aims and Directions

Page 100: Information systems audit and control

Planning and Organization Domain

PO 7 Manage Human Resources

PO 8 Ensure Compliance with External Requirements

PO 9 Assess Risks

PO 10 Manage Projects

PO 11 Manage Quality


Page 101: Information systems audit and control

101

PO 1 Define a Strategic Information Technology Plan

To take advantage of information technology opportunities and address IT business requirements, a process for developing a strategic plan for the organization’s IT resources should be adopted and the IT strategic plan should be converted to short term tactical plans.

Page 102: Information systems audit and control

102

Linking the Processes to Control Objectives

Control over the IT process of DEFINING A STRATEGIC IT PLAN (PO 1)

that satisfies the business requirement to strike an optimum balance of IT opportunities and IT business requirements, as well as ensuring its further accomplishment,

is enabled by a strategic planning process undertaken at regular intervals, giving rise to long-term plans. The long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals,

and takes into consideration:

• definition of the business objectives and needs for IT
• inventory of technological solutions and current infrastructure
• “technology watch” services
• organisation changes
• timely feasibility studies
• existing systems assessments

Page 103: Information systems audit and control

103

PO 1 Define a Strategic Information Technology Plan

Reference: page 32 of Control Objectives. 8 detailed control objectives, covering:

• IT as part of long-range goals
• IT long-range plan
• Contents of IT plan
• Modification of IT long-range plan
• IT tactical plan development
• Communication & evaluation of IT plans
• Assessing existing systems

Page 104: Information systems audit and control

104

PO 2 Define the Information Architecture

To ensure that the organization’s information is consistent with needs and enables people to carry out their responsibilities effectively and on a timely basis, an information architecture model, encompassing the corporate data model and the associated information systems should be created and regularly updated.

Page 105: Information systems audit and control

105

PO 2 Define the Information Architecture

• Information architecture model
• Corporate data dictionary and data syntax rules
• Data classification scheme:
  – security categories
  – ownership
  – access rules
• Maintain security levels for each data classification

Page 106: Information systems audit and control

106

PO 3 Determine the Technological Direction

To ensure sufficient technology to perform the IS function and to take advantage of emerging technology, the information services function should create and regularly update a technology infrastructure that encompasses the systems architecture, technological direction and migration strategies.

Page 107: Information systems audit and control

107

PO 3 Determine the Technological Direction

• Technological infrastructure planning
• Monitor future trends and regulations
• Assess infrastructure for contingency aspects
• Hardware & software acquisition plans
• Define technology standards

Page 108: Information systems audit and control

108

PO 4 Define the IT Organization and Relationships

To ensure that IT services are delivered in an efficient and effective manner, there must be: adequate internal and external IT staff, administrative policies and procedures for all functions (with specific attention to organizational placement, roles and responsibilities, and segregation of duties), and an IS steering committee to determine prioritization of resource use.

Page 109: Information systems audit and control

109

PO 5 Manage the Investment in Information Technology

To ensure adequate funding for IT, controlled disbursement of financial resources, and effective and efficient utilization of IT resources, IT resources must be managed: through use of information services capital and operating budgets, by justifying IT expenditures, and by monitoring costs (in light of risks).

Page 110: Information systems audit and control

110

PO 6 Communicate Management Aims and Direction

To ensure the overall effectiveness of the IS function, IS management must establish direction and related policies addressing such aspects as: positive control environment throughout the organization, code of conduct/ethics, quality, and security. The policies must then be communicated (internally and externally) to obtain commitment and compliance.

Page 111: Information systems audit and control

111

PO 7 Manage Human Resources

IT personnel resources must be managed so as to maximize their contributions to the IT processes. Specific attention must be paid to recruitment, promotion, personnel qualifications, training, back up, performance evaluation, job change, and termination.

Page 112: Information systems audit and control

112

PO 8 Ensure Compliance with External Requirements

To avoid fines, sanctions, and loss of business, the organization must maintain procedures to ensure awareness of and compliance with industry, regulatory, legal, and contractual obligations. IT related requirements include: safety, privacy, transborder data flows, electronic commerce, and insurance contracts.

Page 113: Information systems audit and control

113

PO 9 Assess Risks

To ensure the achievement of IT objectives, in support of business objectives, and to respond to threats to the provision of IT services, management should establish a risk assessment framework including: risk identification, measurement, risk action plan, and the formal acceptance and communication of the residual risk.

Page 114: Information systems audit and control

114

PO 9 Assess Risks

Cornerstone high-level control objective for developing and maintaining an appropriate system of internal control

Includes business risk assessment, risk assessment approach, identification of risk, risk measurement, & action plan

Understanding and acceptance of residual risk

Page 115: Information systems audit and control

115

PO 10 Manage Projects

To ensure that projects are completed on time, within budget, and are undertaken in order of importance, management must establish a project management framework to ensure that project selection is in line with plans and that a project management methodology is applied to each project undertaken.

Page 116: Information systems audit and control

116

PO 11 Manage Quality

To ensure that customer requirements are met, senior management should establish a quality assurance (QA) plan and implement related activities, including reviews, audits, and inspections, to ensure the attainment of IT customer requirements. A systems development life cycle methodology is an essential component of the QA plan.

Page 117: Information systems audit and control

117

Acquisition and Implementation Domain

6 High-level Control Objectives

68 Detailed Control Objectives

(IT-related management control practices)

100+ Control Tasks and Activities

Page 118: Information systems audit and control

118

Acquisition and Implementation

IT solutions:
– Identified
– Developed or acquired
– Implemented
– Integrated into the business processes

Change and maintain existing systems

See Framework, p. 17.

Page 119: Information systems audit and control

119

Acquisition and Implementation Domain

AI 1 Identify Automated Solutions

AI 2 Acquire and Maintain Application Software

AI 3 Acquire & Maintain Technology Infrastructure

AI 4 Develop and Maintain IT Procedures

AI 5 Install and Accredit Systems

AI 6 Manage Changes

Page 120: Information systems audit and control

120

AI 1 Identify Automated Solutions

SDLC having procedures to:

• define information requirements
• formulate alternative courses of action
• perform technological feasibility studies
• perform economic feasibility studies
• assess risks

Page 121: Information systems audit and control

121

AI 2 Acquire and Maintain Application Software

SDLC having procedures to:

• create design specifications for new, or significantly modified, application systems
• verify those specifications against the user requirements
• ensure specifications are developed with system users and approved by management and user departments

Page 122: Information systems audit and control

122

AI 3 Acquire and Maintain Technology Infrastructure

To ensure that platforms (hardware and systems software) support business applications, the organization’s SDLC should provide for an assessment of the impact of new hardware and software on the performance of the overall system. In addition, procedures should be in place to ensure that hardware and systems software is installed, maintained, and changed to continue to support business applications.

Page 123: Information systems audit and control

123

AI 4 Develop and Maintain IT Procedures

To ensure the ongoing, effective use of IT, the organization’s SDLC should provide for the preparation and maintenance of service level requirements, training materials, and operating (user and operations) manuals.

Page 124: Information systems audit and control

124

AI 5 Install and Accredit Systems

• SDLC should provide for a planned, tested, controlled, and approved conversion to the new system.
• After installation, the SDLC should call for a review to determine that the new system has met users’ needs in a cost-effective manner.

Page 125: Information systems audit and control

125

AI 6 Manage Changes

To ensure processing integrity between versions of systems and to ensure consistency of results from period to period, changes to the IT infrastructure must be managed via: change request, impact assessment, documentation, authorization, and release and distribution policies and procedures.

Page 126: Information systems audit and control

126

Delivery and Support Domain

13 High-level Control Objectives

126 Detailed Control Objectives

(IT-related management control practices)

190+ Control Tasks and Activities

Page 127: Information systems audit and control

127

Delivery and Support

• Deliver required services
• Ensure security and continuity of services
• Set up support processes, including training
• Process data (including “application” controls)

See Control Objectives, p. 90.

Page 128: Information systems audit and control

128

Delivery and Support Domain

DS 1 Define Service Levels

DS 2 Manage Third-Party Services

DS 3 Manage Performance and Capacity

DS 4 Ensure Continuous Service

DS 5 Ensure Systems Security

DS 6 Identify and Allocate Costs

DS 7 Educate and Train Users

Page 129: Information systems audit and control

129

Delivery and Support Domain

DS 8 Assist and Advise IT Customers

DS 9 Manage the Configuration

DS 10 Manage Problems and Incidents

DS 11 Manage Data

DS 12 Manage Facilities

DS 13 Manage Operations

Page 130: Information systems audit and control

130

DS 1 Define Service Levels

To ensure that IT services continue to satisfy organizational requirements, senior management should establish a framework for reaching explicit agreements on the minimal acceptable levels of quantity and quality of IT services delivered by internal and external IT resources and then measure IT performance against these agreements.

Page 131: Information systems audit and control

131

DS 2 Manage Third-Party Services

To ensure that IT services delivered by third parties continue to satisfy organizational requirements, management should establish a process to identify, manage and monitor non-entity IT resources. Formal third-party contracts should address many of the same items contained in service level agreements (see DS 1).

Page 132: Information systems audit and control

132

DS 3 Manage Performance and Capacity

To ensure that sufficient capacity of IT resources remains available for optimal use to satisfy organizational requirements, management should establish a process to monitor the capacity and performance of all IT resources. Capacity of all IT resources must be determined and managed, and resource modifications (increases or decreases) planned for.

Page 133: Information systems audit and control

133

DS 4 Ensure Continuous Service

To ensure that sufficient IT resources continue to be available for use in the event of a service disruption, management should establish a process, coordinated with the overall business continuity strategy, that includes disaster recovery/contingency planning for all IT resources and related business resources, both internal and external.

Page 134: Information systems audit and control

134

DS 4 Ensure Continuous Service Continued

Example of including additional guidelines:

“Control Practices Guideline for Information Systems Continuity Planning”, ISACA publication, July 1995, calls for:

Evaluation of continuity requirements
• criticality assessment
• risk assessment
• impact assessment

Page 135: Information systems audit and control

135

DS 4 Ensure Continuous Service Continued

Control Practices Guideline for Information Systems Continuity Planning calls for:

• Continuity Plan
• Risk Management
• Maintaining a Viable Continuity Plan
  – Testing continuity plan
  – Maintenance of plan
  – Communication and training

Page 136: Information systems audit and control

136

DS 5 Ensure Systems Security

To ensure that organizational information is not subjected to unauthorized use, disclosure, modification, damage, or loss, management should implement logical access controls to restrict access to systems, data, and programs to only authorized users. This objective addresses logical, as opposed to physical security issues.
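The PO 2 slide above asks for a data classification scheme (security categories, ownership, access rules, and a maintained security level per classification), and DS 5 asks for logical access controls that admit only authorized users. The following is an added example, not code from CobiT or from the presenter, of how the two fit together in a deny-by-default access decision that also records every decision for audit. The classification levels, the minimum session controls per level, the roles, the users and the assets are all assumptions constructed for the illustration.

```python
"""Classification-driven logical access control (added illustration).

Ties PO 2 (classification scheme) to DS 5 (logical access control): every
asset carries a classification, an accountable owner and owner-approved
access rules; a request is denied unless clearance, session controls and an
explicit rule (or ownership) all agree. Levels, roles and data are assumed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List


class Level(IntEnum):
    """Security categories, ordered so a higher clearance dominates a lower one."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# "Maintain security levels for each data classification": the minimum
# authentication controls a session must present per level (assumed values).
MIN_CONTROLS: Dict[Level, FrozenSet[str]] = {
    Level.PUBLIC: frozenset(),
    Level.INTERNAL: frozenset({"password"}),
    Level.CONFIDENTIAL: frozenset({"password", "mfa"}),
    Level.RESTRICTED: frozenset({"password", "mfa"}),
}


@dataclass
class Asset:
    name: str
    level: Level
    owner: str                          # accountable business owner (PO 2 "ownership")
    rules: Dict[str, FrozenSet[str]]    # role -> actions the owner approved ("access rules")


@dataclass
class Subject:
    user: str
    clearance: Level
    roles: FrozenSet[str]
    auth_factors: FrozenSet[str]        # controls presented on this session


AUDIT: List[dict] = []                  # every decision is recorded, allowed or denied


def decide(subject: Subject, asset: Asset, action: str) -> bool:
    """Deny by default; the first failing check wins and is logged as the reason."""
    if subject.clearance < asset.level:
        allowed, reason = False, "clearance below classification"
    elif not MIN_CONTROLS[asset.level] <= subject.auth_factors:
        allowed, reason = False, "session lacks controls required for level"
    elif subject.user == asset.owner:
        allowed, reason = True, "data owner"
    else:
        permitted = frozenset().union(*(asset.rules.get(r, frozenset()) for r in subject.roles))
        if action in permitted:
            allowed, reason = True, "role rule"
        else:
            allowed, reason = False, "no rule grants this action"
    AUDIT.append({"user": subject.user, "asset": asset.name, "action": action,
                  "allowed": allowed, "reason": reason})
    return allowed


# Constructed sample data (hypothetical users, roles and assets).
PAYROLL = Asset("payroll_db", Level.CONFIDENTIAL, owner="hr_director",
                rules={"payroll_clerk": frozenset({"read", "write"}),
                       "auditor": frozenset({"read"})})
PRESS = Asset("press_releases", Level.PUBLIC, owner="comms_lead",
              rules={"staff": frozenset({"read"})})

ALICE = Subject("alice", Level.CONFIDENTIAL, frozenset({"payroll_clerk", "staff"}),
                frozenset({"password", "mfa"}))
BOB = Subject("bob", Level.RESTRICTED, frozenset({"auditor", "staff"}),
              frozenset({"password", "mfa"}))
CAROL = Subject("carol", Level.INTERNAL, frozenset({"payroll_clerk", "staff"}),
                frozenset({"password", "mfa"}))        # right role, insufficient clearance
ALICE_NO_MFA = Subject("alice", Level.CONFIDENTIAL, frozenset({"payroll_clerk", "staff"}),
                       frozenset({"password"}))        # same person, weaker session
HR = Subject("hr_director", Level.RESTRICTED, frozenset({"staff"}),
             frozenset({"password", "mfa"}))


def run_sample() -> List[bool]:
    """Exercise the policy on the sample assets; returns the decisions in order."""
    return [
        decide(ALICE, PAYROLL, "write"),        # True: role rule
        decide(BOB, PAYROLL, "read"),           # True: auditor may read
        decide(BOB, PAYROLL, "write"),          # False: no rule grants write
        decide(CAROL, PAYROLL, "read"),         # False: clearance too low despite role
        decide(ALICE_NO_MFA, PAYROLL, "read"),  # False: level demands MFA
        decide(HR, PAYROLL, "write"),           # True: data owner
        decide(CAROL, PRESS, "read"),           # True: public asset, staff rule
        decide(CAROL, PRESS, "write"),          # False: only the owner may write
    ]


if __name__ == "__main__":
    run_sample()
    for entry in AUDIT:
        print(entry)
```

The order of the checks is deliberate: classification and session strength are evaluated before any role lookup, so a user holding the right role still gets no access when the clearance or the session falls short, and the audit entry names the control that refused them. In a real system the AUDIT list would be a write-once log reviewed under the Monitoring domain rather than an in-memory list.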

Page 137: Information systems audit and control

137

DS 6 Identify and Allocate Costs

To ensure that IT resources are delivered in a cost-effective manner and that they are used wisely, information services management should identify the costs of providing IT services and should allocate those costs to the users of those services.

Page 138: Information systems audit and control

138

DS 7 Educate and Train Users

To ensure that users make effective use of IT, management should identify the training needs of all personnel, internal and external, who make use of the organization’s IT resources and services and should see that timely training sessions are conducted.

Page 139: Information systems audit and control

139

DS 8 Assist and Advise IT Customers

To effectively utilize IT resources, users often require advice on how to properly utilize IT resources and may require assistance to overcome problems encountered in using those resources. This assistance is generally delivered via a “help desk” function.

Page 140: Information systems audit and control

140

DS 9 Manage the Configuration

To ensure that IT assets are not lost or altered, or used without authorization, management should establish a process to account for all IT components, including applications, technology, and facilities, and to prevent unauthorized alterations of assets or use of unauthorized assets.
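DS 9 asks management to account for every IT component and to detect components that are altered, lost, or present without authorization; AI 6 (earlier in this domain walk-through) supplies the authorization record that tells an altered item from an approved change. The following is an added example, not CobiT's own material, of a configuration baseline reconciliation that does both. The configuration items, their contents and the set of approved change paths are constructed for the illustration; a real deployment would read the items from the host and keep the baseline signed and stored off-host.

```python
"""Configuration baseline reconciliation (added illustration).

Inventories configuration items by content digest (DS 9), then reports what is
new, altered or missing relative to the baseline, splitting each case into
"approved" (a change record covers the path, AI 6) or "unauthorized".
All paths, contents and approved changes below are constructed sample data.
"""
import hashlib
from typing import Dict, List, Set


def fingerprint(content: bytes) -> str:
    """SHA-256 of an item's content; the baseline stores only digests."""
    return hashlib.sha256(content).hexdigest()


def take_baseline(items: Dict[str, bytes]) -> Dict[str, str]:
    """Inventory: path -> digest for every known configuration item."""
    return {path: fingerprint(data) for path, data in items.items()}


def reconcile(baseline: Dict[str, str], current_items: Dict[str, bytes],
              approved: Set[str]) -> Dict[str, List[str]]:
    """Compare the live inventory against the baseline.

    approved: paths named in authorised change records. A difference on an
    approved path is reported under 'approved'; every other difference is an
    exception to raise with the configuration owner.
    """
    current = take_baseline(current_items)
    report: Dict[str, List[str]] = {
        "approved": [], "unauthorized_new": [],
        "unauthorized_altered": [], "unauthorized_missing": [],
    }
    for path, digest in current.items():
        if path not in baseline:
            key = "approved" if path in approved else "unauthorized_new"
        elif digest != baseline[path]:
            key = "approved" if path in approved else "unauthorized_altered"
        else:
            continue                               # unchanged item
        report[key].append(path)
    for path in baseline:
        if path not in current:                    # lost or removed asset
            key = "approved" if path in approved else "unauthorized_missing"
            report[key].append(path)
    return {k: sorted(v) for k, v in report.items()}


# Constructed sample: the host as accredited (AI 5) ...
BASELINE_ITEMS: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/opt/app/app.conf": b"debug=false\n",
    "/opt/app/legacy.so": b"\x7fELF legacy module (placeholder bytes)\n",
}
# ... and the host as found now. legacy.so is gone; rogue.so appeared.
CURRENT_ITEMS: Dict[str, bytes] = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # weakened, no ticket
    "/etc/hosts": b"127.0.0.1 localhost\n",                                      # unchanged
    "/opt/app/app.conf": b"debug=false\nlog_level=info\n",                       # approved change
    "/opt/app/rogue.so": b"\x7fELF unknown module (placeholder bytes)\n",        # nobody asked for this
}
# Paths covered by approved change records (hypothetical): the app.conf edit
# and the retirement of legacy.so were authorised; nothing else was.
APPROVED_CHANGES: Set[str] = {"/opt/app/app.conf", "/opt/app/legacy.so"}


def run_sample() -> Dict[str, List[str]]:
    return reconcile(take_baseline(BASELINE_ITEMS), CURRENT_ITEMS, APPROVED_CHANGES)


if __name__ == "__main__":
    for category, paths in run_sample().items():
        print(f"{category}: {paths}")
```

Comparing digests rather than contents lets the baseline itself be small enough to sign and keep off the host, which matters because an attacker who can alter sshd_config can usually alter a baseline stored beside it. The approved set is the hinge between DS 9 and AI 6: without a change record, an altered item is an exception even when the change was benign.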

Page 141: Information systems audit and control

141

DS 10 Manage Problems and Incidents

To ensure that barriers to efficient and effective use of the IT resource are prevented or eliminated and that the IT resource remains available, information services management should implement a system to identify, track, and resolve in a timely manner problems and incidents that occur.

Page 142: Information systems audit and control

142

DS 11 Manage Data

To ensure that data remains complete,

accurate and valid, management should

establish a combination of application

and general controls.

Page 143: Information systems audit and control

143

DS 12 Manage Facilities

To protect the IT facilities against man-made and natural hazards, the organization must install and regularly review suitable environmental and physical controls.

Page 144: Information systems audit and control

144

DS 13 Manage Operations

To ensure that important IT functions are performed regularly and in an orderly fashion, the information services function should establish and document standard procedures for IT operations.

Page 145: Information systems audit and control

145

Monitoring Domain

4 High-level Control Objectives

24 Detailed Control Objectives

(IT-related management control practices)

51+ Control Tasks and Activities

Page 146: Information systems audit and control

146

Monitoring Domain

Regularly assess IT processes for:
– Quality
– Compliance with control requirements

Addresses management oversight of organization’s control provisions

Provides for audit function

See Control Objectives, p. 126.

Page 147: Information systems audit and control

147

Monitoring Domain

M 1 Monitor the Process

M 2 Assess Internal Control Adequacy

M 3 Obtain Independent Assurance

M 4 Provide for Independent Audit


Page 148: Information systems audit and control

148

M 1 Monitor the Process

To ensure the achievement of IT process objectives, management should establish a system for defining performance indicators, gathering data about all processes, and generating performance reports. Management should review these reports to measure progress toward identified goals.

Page 149: Information systems audit and control

149

M 2 Assess Internal Control Adequacy

To ensure the achievement of internal control objectives, management should establish a system for monitoring internal controls and assessing and reporting on their effectiveness on a regular basis.

Page 150: Information systems audit and control

150

M 3 Obtain Independent Assurance

To increase confidence that IT objectives are being achieved and that controls are in place and to benefit from advice regarding best practices for IT, independent assurance reviews should be conducted on a regular basis.

Page 151: Information systems audit and control

151

M 4 Provide for Independent Audit

To increase confidence levels that IT objectives are being achieved and that controls are in place and to benefit from advice regarding best practices for IT governance, independent audits should be conducted on a regular basis.

Page 152: Information systems audit and control

152

Summary of the Framework

Business Objective
  – Business Processes (to meet objectives)
    • IT Processes (to manage and control..)
      – IT Resources (to provide info to..)

4 Domains; 34 Processes/High-Level Control Objectives; 318 Activities/Detailed Control Objectives

Cut the Framework by Information Criteria, IT Resources, or IT Processes

Page 153: Information systems audit and control

153

SUMMARY OF COBIT TO THIS POINT

Defines a Framework for reviewing IT. Four Domains are identified.

Achievement of each IT Process to meet a business objective represents a high-level Control Objective.

Identifies control objectives to be addressed. For each of the 34 Processes, there are up to 30 Detailed IT Control Objectives or IT management control practices.

Page 154: Information systems audit and control

154

SUMMARY OF COBIT TO THIS POINT

The IT Control Objectives came from 41 primary sources.

There are navigational tools, including a “Waterfall” and a “Cube” approach.

Provides a systematic and logical method for defining and communicating IT Control Objectives.

IT Control Objectives are linked to business processes and objectives.

Page 155: Information systems audit and control

155

Domains: P&O, A&I, D&S, M

34 Processes (High-Level Control Objectives):
• PO 1.0 to PO 11.0
• AI 1.0 to AI 6.0
• DS 1.0 to DS 13.0
• M 1.0 to M 4.0

318 Tasks & Activities (Detailed Control Objectives):
• PO 1.1 to PO 11.18
• AI 1.1 to AI 6.7
• DS 1.1 to DS 13.7
• M 1.1 to M 4.8

Page 156: Information systems audit and control

156

The CUBE: Relationships Among Components

[Figure: the CobiT cube. Its three axes are IT Processes; IT Resources (People, Application Systems, Technology, Facilities, Data); and Information Criteria (Quality, Fiduciary, Security).]

See Control Objectives, p. 16.

Page 157: Information systems audit and control

157

For Management, CobiT:

Addresses management's increasing legal responsibility for control

Expresses required IT control practices in management terms

Guides IT investment and operational decisions (to balance risk and control)

Helps management better utilize internal and external auditors

Page 158: Information systems audit and control

158

For Users, COBIT:

Provides benchmarks for best practices for IT management and IT control

Helps obtain assurance for business processes supported by IT

Strengthens relationship with IT services

Helps ensure adequate level of integrity of information provided by IT systems

Page 159: Information systems audit and control

159

For Auditors, COBIT:

Provides good benchmarks or criteria for evaluating IT control

Focuses on control objectives and controls

Substantiates opinions to management on internal controls

Helps auditors and control professionals to be proactive business advisors

Page 160: Information systems audit and control

160

For us all, CobiT:

Strengthens the understanding, design, implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives

Strengthens management’s efforts to “ensure” and Audit’s efforts to provide “assurance”

Page 161: Information systems audit and control

161

End of Part 1. Go to Part 2.