1
IT Directors BriefingOctober 16, 2001
2
Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts
Adjunct faculty at Bentley College Member of CobiT Steering Committee Served as member of Y2K Coordinating Council,
Commonwealth of Massachusetts 1994-1995 International President of ISACA/F Served as member of Governor’s Commission on
Computer Crime, Governor’s Commission on Computer Technology and Law, and Governor’s Task Force on E-Commerce
e-mail: [email protected]
3
How do responsible managers keep the ship on course?
How do we achieve satisfactory results for our stake-holders?
How do we adapt in a timely manner to “best practices” for our organization’s environment?
4
When we spend a lot of moneyand what we have built
doesn’t work, or is difficult to maintain,
or is not accepted,or appears vulnerable,People have a lot to say
5
Stakeholders apply pressureStakeholders apply pressure
Shareholders and ExecutiveLower cost, higher profitability andLower cost, higher profitability andincreased market shareincreased market share
Customers and Staff More functionality at lower cost andMore functionality at lower cost andgreater ease of usegreater ease of use
Society Greater accountability for executives inGreater accountability for executives inprivate and public sectorprivate and public sector
6
E-business FactorsE-business Factors Guarantee of delivery Customer service Ease of use Increased dependence Security
What are the customers saying ?What are the customers saying ?
7
Focus on Operational Risk within which security and IT are very significant
All major risk issues have been caused by breakdowns in Internal control Oversight Information Technology
What signals are regulators giving?What signals are regulators giving?
Federal ReserveFederal Reserve
8
Most Pressing Concerns about Information Technology
Security Availability Integrity and Effectiveness Cost
9
September 11th has Impacted us all in a Whole Lot of Ways
Personal Economic Security Risk
10
Measures?
Scales?
Indicators?
11
The Answer Lies In: Having clear understandings of the strategic
value of technology Bringing that strategic value to reality Having appropriate frameworks of control Employing the fundamentals of IT goverance Building mechanisms to provide adequate
assurance that IT governance objectives are addressed
12
CobiTCobiT CobiT’s Control Objectives and Management Guidelines are valuable IT governance tools that help in the understanding and management of risks and benefits associated with information integrity, security and availability and the management of related IT.
13
Authoritative, up-to-date set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
Structured and organized to provide a powerful
control model
14
Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)
Framework -- Senior Operational Management (Directors of IS and Audit / Controls)
Control Objectives -- Middle Management (Mid-Level IS and IS Audit/ Controls Managers)
Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)
Implementation Tool Set -- Any of the above Management Guidelines -- Management and Audit
15
Management GuidelinesIncludes:– Critical Success Factors– Key Performance Indicators– Key Goal Indicators– Maturity models
CCOBIOBITTCCOBIOBITT
16
Right information, to only the right party, at the right time.
Information that is relevant, reliable and secure.
Information provided by systems that have integrity by a well-managed and properly controlled IT environment.
17
IT Governance Objectives
IT is aligned with the business enabling the entity to maximize benefit
IT resources are safeguarded and used in a responsible and ethical manner
IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
18
The need for better operational control While technology makes new business processes
possible, it may come with reduced control Demand for increased effectiveness, efficiency
and security Strategic importance of technology The need to hold officers and senior
management accountable and strengthen governance
19
Addresses key attributes of information produced by IT.
Provides a working control model for IT-
related control objectives
Links recommended control practices for IT to business and control objectives.
Assists in evaluating appropriateness of controls
20
CobiT is an Authoritative Source
Built on a sound framework of control
and IT-related control practices. Aligned with de jure and de facto
standards and regulations. Has undergone expert review and
exposure process
21
CobiT Sources Professional standards for internal control and
auditing (COSO, IFAC, AICPA, IIA, etc) Technical standards (ISO, EDIFACT, etc.) Codes of Conduct Qualification criteria for IT systems and processes
(ISO9000, ITSEC, TCSEC, etc.) Industry practices and requirements from industry
forums (ESF, I4) Emerging industry-specific requirements from
banking, e-com, IT manufacturing.
22
Based on a Strong Based on a Strong Foundation and Sound Foundation and Sound Principles of Internal Principles of Internal
ControlControl
23
What is Internal Control?What is Internal Control?
How it is defined How it is defined impacts its design, impacts its design,
exercise, and exercise, and evaluationevaluation..
24
Control (as defined by COBIT)
The policies, procedures, practices and
organizational structures designed to provide
reasonable assurance that business objectives
will be achieved and that undesired events
will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
25
IT Control Objective
A statement of desired result or
purpose to be achieved by
implementing control procedures
in a particular IT activity
26
Internal Control
Controls are framed by what is to be attained
(control objectives) and the means to attain those goals (the controls).
27
CobiT Incorporates Key Internal Control Requirements
Systemization
Documentation
Standards, defined expectations
Measurement
Appropriate risk assessment
28
CobiT Incorporates Key Internal Control Requirements
Well-defined operational and control
objectives
Appropriate controls
Competent and trustworthy people
Monitoring & evaluation
29
CobiT Framework
Built on an understanding of the:relationship of controls to control objectives,importance of focusing on the relationship of
control objectives to business objectives and business processes,
value of managed processes and resources tied to strategic initiatives.
30
BUSINESSPROCESSESBUSINESS
PROCESSES
INFORMATIONINFORMATION
IT RESOURCESIT RESOURCES
• data• application systems• technology• facilities• people
• data• application systems• technology• facilities• people
• effectiveness• efficiency• confidentiality• integrity• Availability• Compliance• reliability
• effectiveness• efficiency• confidentiality• integrity• Availability• Compliance• reliability
Information CriteriaInformation Criteria
Do they match?
FrameworkWhat you needWhat you get
31
Framework’s Three Components
“Business Requirements” for Information
IT Resources
IT Processes
32
Information Criteria -- The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of Information
33
IT Resources -- The 2nd Component
Data
Application Systems
Technology
Facilities
People
34
Domains
Processes
Tasks &Activities
Natural grouping of processes, oftenmatching an organizational domainof responsibilityA series of joined tasks & Activities with natural (control) breaks.
Actions needed to achieve a measurable result. Activitieshave a life-cycle whereas tasksare discrete
(4)
(34)
(318)
Information Processes (3rd component)
35
Planning/Organization
Acquisition /Implementation
Delivery /Support
Monitoring
COBIT Domains: Information Processes (3rd Component)
36
How do they relate ?How do they relate ?
IT Processes
IT Processes
IT Resources
IT Resources
Business Requirements
Business Requirements
Data Information
Systems Technology Facilities Human
Resources
Planning and organisation
Aquisition and implementation
Delivery and Support
Monitoring
Effectiveness Efficiency Confidenciality Integrity Availability Compliance Information
Reliability
37
IT Resource Management
CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with type and quality, and security of information required to achieve organizational objectives.
38
The WATERFALL Navigation Aid --High Level Control Objectives for Each Process
The control of
which satisfy
is enabled by
considering
IT Processes
BusinessRequirements
ControlStatements
ControlPractices
See Framework, p. 18. 56
39
CobiT’s Control Objectives
Contains management control practices by high-level control objective within four categories, or domains, of the control objectives.
Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity.
Assists in establishing clear policy and good practices for IT control
40
Planning and Organization
Strategy and tactical plans for IT Identify ways that IT can best contribute to the
achievement of business objectives Plan, communicate, and manage the
realization of the strategic vision Establish the IT organization, and Set the stage for managing information and the
technology infrastructure
41
Acquisition and Implementation Domain
IT solutions– Identified– Developed or acquired– Implemented– Integrated into the business processes
Change and maintain existing systems
42
Delivery and Support Domain
Deliver required services Ensure security and continuity of
services Set up support processes, including
training Process data (including “application”
controls)
43
Monitoring Domain
Regularly assess IT processes for– Quality– Appropriateness of controls– Compliance with control requirements
Addresses management oversight of organization’s control provisions
Provide for an audit function
44
Relation to Other Control Models
CobiT is in alignment with other control models:– COSO
– COCO
– Cadbury
– King
45
Reinforces Control Responsibilities
Management -- has primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
Users -- exercise and monitor controls.
Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
46
As a control model, CobiT should beAs a control model, CobiT should betailored to agency, IT platform, tailored to agency, IT platform,
and system standardsand system standards
Use CobiT as the Structure to which you link agency-specific operational and control requirements, policies, and
standards
48
CobiT as an Organizational Tool
Provides framework and benchmarks for IT
planning and management Identification of primary IT processes (by
broad management-oriented Domains) Assists in establishing responsibilities and
points of accountability Assists in clarifying the roles of management,
business process owners, IT and Audit
49
CobiT As An Control Evaluation Tool
“To review controls over functional areas”
– “Which functional area?”
– “Which systems are involved?”
– “What IT processes are involved?”
– “What are the operational objectives and
risks?”
– “What are the control objectives?”
50
Using CobiT in Evaluating IT Controls
Selecting areas or control objectives for evaluation
Determining type of evaluation Engagement/assessment planning Framing scope and evaluation objectives to
CobiT Development of control assessment
approach
51
Use of CobiT to Plan Control Evaluations
Assessing the control environment and identifying high risk processes
Conducting a high-level and detailed policy and procedures review
Performing a control review Using CobiT-related matrices
52
Using CobiT Matrices to Focus on:
IT Functions– Their importance?– Level of performance?– Control documentation?
Responsible Parties of IT– Performed by?– Contracted services?– Primary responsible party?
Risk Assessment– Importance, level of risk, control documentation
53
RISK ASSESSMENT FORMInternal WP
Importance Risk Controls Ref.
Very
Im
po
rta
nt
So
mew
ha
t Im
po
rta
nt
No
t Im
po
rta
nt
No
t s
ure
IT Process
Hig
h
Me
diu
m
Lo
w
Imm
ate
ria
l
No
t S
ure
Do
cu
me
nte
d
No
t D
oc
um
en
ted
No
t S
ure
PO1 Define a strategic IT planPO2 Define the information architecturePO3 Determine technological directionPO4 Define organiation and relationshipsPO5 Manage the investmentPO6 Communicate management aims & directionPO7 Manage human resourcesPO8 Ensure compliance with external requirementsPO9 Assess risk
PO10 Manage projectsPO11 Manage quality
AI1 Identify automated solutionsAI2 Acquire & maintain application softwareAI3 Acquire & maintain technology architectureAI4 Develop & maintain proceduresAI5 Install & accredit systemAI6 Manage changes
DS1 Define service levelsDS2 Manage third party servicesDS3 Manage performance & capacityDS4 Ensure continuous serviceDS5 Ensure system securityDS6 Identify & allocate costsDS7 Educate & train usersDS8 Assist & advise customersDS9 Manage the configuration
DS10 Manage problems & incidentsDS11 Manage dataDS12 Manage facilitiesDS13 Manage operations
M1 Monitor the processM2 Assess Internal Control AdequacyM3 Obtain independent assuranceM4 Provide for Independent Audit
54
PrimaryPerformed by (1) IT Process Responsible Party
PO1 Define a strategic IT planPO2 Define the information architecturePO3 Determine technological directionPO4 Define organisation and relationshipsPO5 Manage the investmentPO6 Communicate management aims & directionPO7 Manage human resourcesPO8 Ensure compliance with external requirementsPO9 Assess risk
PO10 Manage projectsPO11 Manage quality
AI1 Identify automated solutionsAI2 Acquire & maintain application softwareAI3 Acquire & maintain technology architectureAI4 Develop & maintain proceduresAI5 Install & accredit systemAI6 Manage changes
DS1 Define service levelsDS2 Manage third party servicesDS3 Manage performance & capacityDS4 Ensure continuous serviceDS5 Ensure system securityDS6 Identify & allocate costsDS7 Educate & train usersDS8 Assist & advise customersDS9 Manage the configuration
DS10 Manage problems & incidentsDS11 Manage dataDS12 Manage facilitiesDS13 Manage operations
M1 Monitor the processM2 Assess Internal Control AdequacyM3 Obtain independent assuranceM4 Provide for Independent Audit
(1) Identify organiational units(IT department, within organisation, outsourced or not sure) which perform activities incorporated within the IT process
RESPONSIBLE PARTY FORM
55
CobiT Helps Identify Key Risks to the Organization
Unaware of the risks Poor understanding of CSFs Absence of KPIs No “scorecard” or basis of measurement Absence of monitoring and evaluation Weak IT control environment
56
CobiT helps senior management, business process owners, and IT
gain increased benefit from independent examiners
57
Audit Insight: Overview of Audit Planning
Auditee selection (may be CobiT driven) Entrance Conference and on-site preaudit
information gathering (CobiT) Develop proposed scope and audit
objectives (CobiT-framed) Finalize audit work program (CobiT-
framed) Engagement conference (reference
CobiT as criteria) and audit (CobiT as review criteria)
58
Pre-Audit Planning
Who are they? (type of agency, enabling legislation) What do they do? (mission, business objectives) How do they plan to do it? (strategy/plan) How do they do it? (functions, processes) With what resources? (IT, operational resources,
management & staff, raw materials, etc.) By what rules? (policies, standards, legal and regulatory
requirements) Under what risks? (risk analysis)
59
Pre-Audit Planning
Who does it? (internal & external players, their roles
and responsibilities) Who knows what is done? (reporting lines,
designated points of accountability) How do they known it is done right?
(measurement registers, assurance mechanisms, evaluations,
score cards, etc.) Where are they? (centralized or distributed)
60
Audit Guidelines
They are evaluation guidelines. Generic guideline identifies various tasks to
be performed in assessing ANY control objective within a process. This generic guideline extracted all repetitive tasks into one -- to be performed for all control objectives.
34 others are specific process-oriented task suggestions to provide management assurance that a control objective is being addressed.
61
Obtaining an understanding of business requirements, related risks, and relevant control measures Evaluating the appropriateness of stated controls Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously. Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources.
The IT process is therefore audited by:
62
Task/Activity Monitoring & Evaluation
Task or
Activity
Responsibility
to:
Monitored
by:
Evaluated
by:
Control
task
Establish a
Function or procedure
Initially &
Upon
Changes
Periodic
At least
annual
Control
activity
On-going
Function or activity
On-going
With
reporting
Periodic
To
On-going
63
Organization & Management Review
Clarity and appropriateness of responsibility definitions
assignment of responsibilities points of accountability reporting of actions taken and activities mechanisms to monitor and evaluate
adequacy of exercise of responsibilities
64
Using Cobit to Address Third-Party Providers of IT-Related Services
Determine whether desired processes are in place and establish accountability
Agree on levels of control Use CobiT to help design service contracts
by identifying deliverables and responsibilities
Use CobiT for ongoing monitoring and evaluation of providers and partners
65
Using the Management Guidelines
66
Are they doing the right things?Are they doing it the right way?Are they being done well?Are we getting benefits?
What IT Problem?
IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
What does the agency
do?
Cascading strategy and goals Organizational alignmentA control frameworkBalanced Business Scorecard
How does management
react?
67
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
Promotes process focus and process ownership
Divides IT into 34 processes belonging to four domains
Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT
EffectivenessEfficiencyAvailability,IntegrityConfidentialityReliabilityCompliance.
PlanningAcquiring & ImplementingDelivery & SupportMonitoring
CobiT : An IT control frameworkCobiT : An IT control framework
68
“Due diligence” IT is strategic to the business IT is critical to the business Expectations and reality don’t match IT involves huge investments and large risks
Why governance?Why governance?
69
If so, wouldn’t you want to know whether your information technology organization is:
Likely to achieve its objectives? Resilient enough to learn and adapt? Judiciously managing the risks it faces? Appropriately recognizing opportunities and acting
upon them?
IT is strategic to most businessesIT is strategic to most businesses
70
• Generic and action oriented• For the purpose of
• IT Control profiling - what’s important?• Awareness - where’s the risk?• Benchmarking - what do others do?
• Supporting decision making and follow up• Key performance indicators of IT processes• Critical success factors of controls• Control implementation choices
Management Guidelines
71
Management GuidelinesCritical Success Factors the most important things to do to increase the
probability of success of the process observable - usually measurable - characteristics of
the organisation and process are either strategic, technological, organizational or
procedural in nature focus on obtaining, maintaining and leveraging
capability and skills expressed in terms of the IT process, not necessarily
the business
72
Management GuidelinesKey Goal Indicators describe the outcome of the process and are therefore a ‘lag’
indicator, i.e., measurable after the fact Are an indicator of the success of the process but may also
be expressed in terms of the business contribution if that contribution is specific to the IT process
represent the process goal, i.e., a measure of “what”, a target to achieve
may also describe a measure of the impact of not reaching the process goal
KGIs are IT oriented but are also business driven Are expressed in precise measurable terms wherever
possible
73
Management Guidelines
Key Performance Indicators are a measure of “how well” the process is
performing predict the probability of success or failure in the
future, i.e. KPIs are ‘LEAD’ indicators are process oriented but IT driven focus on the process and learning dimensions of
the balanced scorecard are expressed in precise measurable terms should help in improving the IT process
74
Maturity Models• Refer to business requirements and control capabilities
at different levels
• Are scales that lend themselves to pragmatic comparison
• Are scales where the difference can be made measurable in an easy manner
• Are recognizable as a “profile” of the enterprise in relation to IT governance and control
• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
75
0 1 2 3 4 5
Non-Existent Initial Repeatable Defined Managed Optimised
Enterprise current status
International standard guidelines
Industry best practice
Enterprise strategy
Legend for symbols used Legend for rankings used
0 - Management processes are not applied at all1 - Processes are ad hoc and disorganised2 - Processes follow a regular pattern3 - Processes are documented and communicated4 - Processes are monitored and measured5 - Best practices are followed and automated
Start from a Maturity Model
76
Generic Maturity Model - Dimensions
Understanding and awareness Training and communications Process and practices Techniques and automation Compliance Expertise
77
UNDERSTANDING& AWARENESS
TRAINING &COMMUNICATION
PROCESS &PRACTICES
TECHNIQUES &AUTOMATION
COMPLIANCE EXPERTISE
1 recognition sporadic communica-tion on the issues
ad hoc approaches toprocess and practices
2 awareness communication onthe overall issue andneed
similar/commonprocesses emerge;largely intuitive
common tools areemerging
inconsitent monitoring inisolated areas
3 understand need toact
informal trainingsupports individualinitiative
existing practicesdefined, standardis-ed& documented;sharing of the betterpractices
currently availabletechniques areused; minimumpractices areenforced; tool-setbecomesstandardised
inconsistent monitoringglobally; measurementprocesses emerge; ITBalanced Scorecard ideas arebeing adopted; occasionalintuitive application of rootcause analysis
involvement ofIT specialists
4 understand fullrequirements
formal trainingsupports a managedprogram
process ownershipand responsibilitiesassigned; process issound & complete;interal best practicesapplied;
mature techniquesapplied; standardtools enforced;limited, tactical useof technology
IT Balanced Scorecardsimplemented in some areaswith exceptions noted bymanagement; root causeanalysis being standardised
involvement ofall internaldomain experts
5 advanced forward-lookingunderstanding
training andcommunicationssupports externalbest practices anduse of leading edgeconcepts/techniques
best external practicesapplied;
sophisticatedtechni-ques aredeployed;extensive,optimised use oftechnology
global application of ITBalance Scorecard andexceptions are globally &consistently noted bymanagement; root causeanalysis consistently applied
use of externalexperts andindustryleaders forguidance
Generic Maturity Model - Dimensions
78
Objectives understand the issues and the strategic importance of IT ensure that the enterprise can sustain its operations and ascertain it can implement the strategies required to extend its activities
into the future
Goal ensuring that expectations for IT are met and IT risks are mitigated
Position within broad governance arrangements that cover relationships among
the entity's management and its governing body, its owners and its other stakeholders and providing the structure through which:
the entity's overall objectives are set the method of attaining those objectives is outlined the manner is which performance will be monitored is described
IT governance summarizedIT governance summarized
79
CobiT Recognizes IT is an integral part of the organization IT governance is an integral part of corporate
governance Focus on control objectives can strengthen
appropriateness and use of internal controls Measurement is crucial to internal control Monitoring and evaluation are integral to a
system of internal control
80
Benefits of CobiT
Supports IT governance objectives.
Helps ensure that IT processes are defined and assigned.
Helps to focus on control objectives.
Leads to more cost-effective IT services.
Helps management to better utilize internal and external auditors
Provides benchmarks for best practices for IT management and IT control
81
Benefits of CobiT
Helps ensure the organization complies with applicable rules, regulations and contractual obligations.
Opportunity for complementary adoption of COSO and CobiT (or other control models).
Authoritative nature of Cobit encompassing adoption of well-recognized and established standards for IT control.
82
Benefits of CobiT
Strengthens assessment, understanding and exercise of appropriate internal controls.
Provides a good framework for risk assessment and risk management.
Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.
Helps auditors and control professionals to be proactive business advisors.
83
Benefits of CobiT
Provides a framework for ensuring that outsourced IT functions are addressed in third-party contracts.
Helps to strengthen the relationship between IT Services and the user community through improved SLAs.
Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.
84
Benefits of CobiT
Helps to provide reasonable assurance that:– IT process objectives are understood
– IT risks have been identified
– Appropriate controls have been implemented
– Appropriate monitoring and evaluation processes in effect
– IT process objectives and can be achieved.
85
CobiT Strengthens the understanding, design,
implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives
Strengthens management’s efforts to “ensure” and Audit’s efforts to provide “assurance”
86
A Tip regarding CobiT
CobiT is generic - adapt it to your organization in cooperation with the business-process owners!– Determine focus (quality, security, fiduciary)
– Harmonize existing policies and procedures with CobiT
– Determine control responsibilities– Identify key performance indicators and critical
success factors
87
Another Tip or Two
Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework
Start with CobiT’s Control Objectives Framework and progress to the Management Guidelines.
Build the mechanisms to provide assurance that control objectives are being addressed and that controls are working as intended
88
CobiT
For additional information:
www.isaca.orgwww.ITgovernance.org
or email or give me a call at(617) 727-6200 ext 135
Go Forth andCOBITize
Thank You
89
Top Related