Executive Briefing
October 16, 2001
1
Deputy State Auditor, MIS & IT Audit, Commonwealth
of Massachusetts
Adjunct faculty at Bentley College
Member of CobiT Steering Committee
Served as member of Y2K Coordinating Council,
Commonwealth of Massachusetts
1994-1995 International President of ISACA/F
Served as member of Governor’s Commission on
Computer Crime, Governor’s Commission on Computer
Technology and Law, and Governor’s Task Force on E-
Commerce
e-mail: john.beveridge@sao.state.ma.us
2
How does responsible management keep
the ship on course?
How do we achieve satisfactory results for
our clients and stakeholders?
How do we adapt in a timely manner to
“best practices” for our organization’s
environment?
3
When we spend a lot of money
and what we have built
doesn’t work,
or is difficult to maintain,
or is not accepted,
or appears vulnerable,
People have a lot to say
4
Stakeholders apply pressure
Shareholders and Executive: Lower cost, higher profitability and increased market share
Customers and Staff: More functionality at lower cost and greater ease of use
Society: Greater accountability for executives in private and public sector
5
What are the customers saying ?
E-business Factors
Guarantee of delivery
Customer service
Ease of use
Increased dependence
Security
6
What signals are regulators giving?
Federal Reserve
Focus on Operational Risk within which security
and IT are very significant
All major risk issues have been caused by
breakdowns in
Internal control
Oversight
Information Technology
7
Most Pressing Concerns about
Information Technology
Security
Availability
Integrity and Effectiveness
Cost
8
September 11th has Impacted us
all in a Whole Lot of Ways
Personal
Economic
Security
Risk
9
Indicators?
Measures?
Scales?
10
The Answer Lies In:
Having clear understandings of the strategic
value of technology
Bringing that strategic value to reality
Having appropriate frameworks of control
Employing the fundamentals of IT governance
Building mechanisms to provide adequate
assurance that IT governance objectives are
addressed
11
CobiT
CobiT’s Control Objectives and
Management Guidelines are valuable IT
governance tools that help in the
understanding and management of risks
and benefits associated with information
integrity, security and availability and the
management of related IT.
12
Authoritative, up-to-date set of generally
accepted IT control objectives and control
practices for day-to-day use by business
managers and auditors.
Structured and organized to provide a powerful
control model
13
Executive Summary -- Senior Executives
(CEO, COO, CFO, CIO)
Framework -- Senior Operational Management
(Directors of IS and Audit / Controls)
Control Objectives -- Middle Management
(Mid-Level IS and IS Audit/ Controls Managers)
Audit Guidelines -- The Line Manager and Controls
Practitioner (Applications or Operations Manager and
Auditor)
Implementation Tool Set -- Any of the above
Management Guidelines -- Management and Audit
14
COBIT
Management Guidelines
Includes:
– Critical Success Factors
– Key Performance Indicators
– Key Goal Indicators
– Maturity models
15
Right information, to only the right party,
at the right time.
Information that is relevant, reliable and
secure.
Information provided by systems that have
integrity by a well-managed and properly
controlled IT environment.
16
IT Governance Objectives
IT is aligned with the business enabling
the entity to maximize benefit
IT resources are safeguarded and used
in a responsible and ethical manner
IT-related risks are addressed through
appropriate controls and managed to
minimize risk and exposure
17
Need for better operational control
While technology makes new business processes
possible, it may come with reduced control
Demand for increased effectiveness, efficiency
and security
Strategic importance of technology
The need to hold officers and senior
management accountable and strengthen
governance
18
Addresses key attributes of information
produced by IT.
Provides a working control model for IT-
related control objectives
Links recommended control practices for
IT to business and control objectives.
Assists in evaluating appropriateness of
controls
19
CobiT is an Authoritative Source
Built on a sound framework of control
and IT-related control practices.
Aligned with de jure and de facto
standards and regulations.
Has undergone expert review and
exposure process, now in its 3rd edition
20
CobiT Sources
Professional standards for internal control and
auditing (COSO, IFAC, AICPA, IIA, etc)
Technical standards (ISO, EDIFACT, etc.)
Codes of Conduct
Qualification criteria for IT systems and
processes (ISO9000, ITSEC, TCSEC, etc.)
Industry practices and requirements from
industry forums (ESF, I4)
Emerging industry-specific requirements from
banking, e-com, IT manufacturing.
21
Based on a Strong
Foundation and Sound
Principles of Internal
Control
22
What is Internal Control?
How it is defined
impacts its design,
exercise, and
evaluation.
23
Control (as defined by COBIT)
The policies, procedures, practices and
organizational structures designed to
provide reasonable assurance that
business objectives will be achieved and
that undesired events will be prevented
or detected and corrected.
Source: COBIT Control Objectives, p. 12.
24
IT Control Objective
A statement of desired result or
purpose to be achieved by
implementing control procedures
in a particular IT activity
25
Internal Control
Controls are framed by
what is to be attained
(control objectives) and
the means to attain those
goals (the controls).
26
CobiT Incorporates Key Internal
Control Requirements
Systemization
Documentation
Standards, defined expectations
Measurement
Appropriate risk assessment
27
CobiT Incorporates Key Internal
Control Requirements
Well-defined operational and control
objectives
Appropriate controls
Competent and trustworthy people
Monitoring & evaluation
28
CobiT Framework
Built on an understanding of the:
relationship of controls to control objectives,
importance of focusing on the relationship of
control objectives to business objectives and
business processes,
value of managed processes and resources
tied to strategic initiatives.
29
Framework
What you get (INFORMATION) versus what you need (BUSINESS PROCESSES): Do they match?
Information Criteria
• effectiveness
• efficiency
• confidentiality
• integrity
• availability
• compliance
• reliability
IT RESOURCES
• data
• application systems
• technology
• facilities
• people
30
Framework’s Three Components
“Business Requirements” for Information
IT Resources
IT Processes
31
Information Criteria -- The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of Information
32
IT Resources -- The 2nd Component
Data
Application Systems
Technology
Facilities
People
33
Information Processes (3rd component)
Domains (4): Natural grouping of processes, often matching an organizational domain of responsibility.
Processes (34): A series of joined tasks & activities with natural (control) breaks.
Tasks & Activities (318): Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
34
COBIT Domains: Information Processes (3rd Component)
Planning / Organization
Acquisition / Implementation
Delivery / Support
Monitoring
35
How do they relate?
IT Resources: Data; Information Systems; Technology; Facilities; Human Resources
IT Processes: Planning and organisation; Acquisition and implementation; Delivery and support; Monitoring
Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
36
IT Resource Management
CobiT underscores and demonstrates that
IT resources need to be managed by
naturally grouped processes to provide
organizations with type and quality, and
security of information required to
achieve organizational objectives.
37
The WATERFALL Navigation Aid --
High Level Control Objectives for Each Process
The control of
IT Processes
which satisfy
Business
Requirements
is enabled by
Control
Statements
considering
Control
Practices
See Framework, p. 18.
56
CobiT’s Control Objectives
Contains management control practices by
high-level control objective within four
categories, or domains, of the control
objectives.
Contains statements of the desired results or
purposes to be achieved by implementing
specific control procedures within an IT
activity.
Assists in establishing clear policy and good
practices for IT control
39
Planning and Organization
Strategy and tactical plans for IT
Identify ways that IT can best contribute to the
achievement of business objectives
Plan, communicate, and manage the realization
of the strategic vision
Establish the IT organization, and
Set the stage for managing information and the
technology infrastructure
40
Acquisition and Implementation Domain
IT solutions
– Identified
– Developed or acquired
– Implemented
– Integrated into the business processes
Change and maintain existing systems
41
Delivery and Support Domain
Deliver required services
Ensure security and continuity of
services
Set up support processes, including
training
Process data (including “application”
controls)
42
Monitoring Domain
Regularly assess IT processes for
– Quality
– Appropriateness of controls
– Compliance with control requirements
Addresses management oversight of
organization’s control provisions
Provide for an audit function
43
Relation to Other Control Models
CobiT is in alignment with
other control models:
– COSO
– COCO
– Cadbury
– King
44
Reinforces Control Responsibilities
Management -- has primary responsibility for
ensuring that controls are in place and in effect to
provide reasonable assurance that operational and
control objectives will be met.
Users -- exercise and monitor controls.
Audit -- evaluates, advises and provides statements
of assurance regarding the adequacy of controls.
45
As a control model, CobiT should be
tailored to agency, IT platform,
and system standards
Use CobiT as the Structure to which you
link agency-specific operational and
control requirements, policies, and
standards
47
Using CobiT
Organizational tool
Management tool
Good practices standard
Strengthen third-party contracts
Criteria for Evaluation
Strengthen risk management
Basis for improved management
48
Using CobiT in Evaluating IT Controls
Selecting areas or control objectives for
evaluation
Determining type of evaluation
Engagement/assessment planning
Framing scope and evaluation objectives to
CobiT
Development of control assessment
approach
49
Use of CobiT to Plan
Control Evaluations
Assessing the control environment
and identifying high risk processes
Conducting a high-level and detailed
policy and procedures review
Performing a control review
Using CobiT-related matrices
50
Using CobiT Matrices to Focus on:
IT Functions
– Their importance?
– Level of performance?
– Control documentation?
Responsible Parties of IT
– Performed by?
– Contracted services?
– Primary responsible party?
Risk Assessment
– Importance, level of risk, control documentation
51
CobiT Helps Identify Key
Risks to the Organization
Unaware of the risks
Poor understanding of CSFs
Absence of KPIs
No “scorecard” or basis of measurement
Absence of monitoring and evaluation
Weak IT control environment
52
CobiT helps senior management,
business process owners, and IT
gain increased benefit from
independent examiners
53
Audit Insight:
Overview of Audit Planning
Auditee selection (may be CobiT driven)
Entrance Conference and on-site preaudit
information gathering (CobiT)
Develop proposed scope and audit
objectives (CobiT-framed)
Finalize audit work program (CobiT-
framed)
Engagement conference (reference
CobiT as criteria) and audit (CobiT as
review criteria)
54
Audit Planning:
Who are they? (type of agency, enabling legislation)
What do they do? (mission, business objectives)
How do they plan to do it? (strategy/plan)
How do they do it? (functions, processes)
With what resources? (IT, operational resources,
management & staff, raw materials, etc.)
By what rules? (policies, standards, legal and
regulatory requirements)
Under what risks? (risk analysis)
55
Audit Planning:
Who does it? (internal & external players, their roles
and responsibilities)
Who knows what is done? (reporting lines,
designated points of accountability)
How do they know it is done right?
(measurement registers, assurance mechanisms, evaluations,
score cards, etc.)
Where are they? (centralized or distributed)
56
Audit Guidelines
They are evaluation guidelines.
Generic guideline identifies various tasks to
be performed in assessing ANY control
objective within a process. This generic
guideline extracted all repetitive tasks into one
-- to be performed for all control objectives.
34 others are specific process-oriented task
suggestions to provide management assurance
that a control objective is being addressed.
57
The IT process is therefore audited by:
Obtaining an understanding of business requirements,
related risks, and relevant control measures
Evaluating the appropriateness of stated controls
Assessing compliance by testing whether the
stated controls are working as prescribed,
consistently and continuously.
Substantiating the risk of the control objective
not being met by using analytical techniques
and/or consulting alternative sources.
58
Organization & Management Review
Clarity and appropriateness of responsibility
definitions
assignment of responsibilities
points of accountability
reporting mechanisms for actions taken and
activities performed
Efforts to monitor and evaluate adequacy of
exercise of responsibilities
59
Using Cobit to Address Third-Party
Providers of IT-Related Services
Are desired processes in place?
Have we established accountability?
Do we agree on the levels of control?
Do the service contracts adequately identify
deliverables and responsibilities?
Is there ongoing monitoring and evaluation of
providers and partners?
60
Using the Management
Guidelines
61
What IT Problem?
Are they doing the right things?
Are they doing it the right way?
Are they being done well?
Are we getting benefits?
What does the agency do?
IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
How does management react?
Cascading strategy and goals
Organizational alignment
A control framework
Balanced Business Scorecard
62
CobiT: An IT control framework
Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
Promotes process focus and process ownership.
Divides IT into 34 processes belonging to four domains: Planning, Acquiring & Implementing, Delivery & Support, Monitoring.
Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance.
63
Why governance?
“Due diligence”
IT is strategic to the business
IT is critical to the business
Expectations and reality don’t match
IT involves huge investments and large risks
64
IT is strategic to most businesses
If so, wouldn’t you want to know whether your
information technology organization is:
Likely to achieve its objectives?
Resilient enough to learn and adapt?
Judiciously managing the risks it faces?
Appropriately recognizing opportunities and acting
upon them?
65
Management Guidelines
Generic and action oriented
For the purpose of
• IT Control profiling - what's important?
• Awareness - where's the risk?
• Benchmarking - what do others do?
Supporting decision making and follow up
• Key performance indicators of IT
processes
• Critical success factors of controls
• Control implementation choices
66
Management Guidelines
Critical Success Factors
the most important things to do to increase the
probability of success of the process
observable - usually measurable - characteristics of
the organisation and process
are either strategic, technological, organizational or
procedural in nature
focus on obtaining, maintaining and leveraging
capability and skills
expressed in terms of the IT process, not necessarily
the business
67
Management Guidelines
Key Goal Indicators
describe the outcome of the process and are therefore a 'lag'
indicator, i.e., measurable after the fact
Are an indicator of the success of the process but may also
be expressed in terms of the business contribution if that
contribution is specific to the IT process
represent the process goal, i.e., a measure of “what”, a target
to achieve
may also describe a measure of the impact of not reaching
the process goal
KGIs are IT oriented but are also business driven
Are expressed in precise measurable terms wherever
possible
68
Management Guidelines
Key Performance Indicators
are a measure of “how well” the process is
performing
predict the probability of success or failure in the
future, i.e. KPIs are 'LEAD' indicators
are process oriented but IT driven
focus on the process and learning dimensions of
the balanced scorecard
are expressed in precise measurable terms
should help in improving the IT process
69
Maturity Models
• Refer to business requirements and control capabilities
at different levels
• Are scales that lend themselves to pragmatic comparison
• Are scales where the difference can be made measurable
in an easy manner
• Are recognizable as a “profile” of the enterprise in
relation to IT governance and control
• Assist in determining As-Is and To-Be positions relative
to IT governance and control maturity
• Lend themselves to support gap analysis to determine
what needs to be done to achieve a chosen level
70
Start from a Maturity Model
Maturity scale: 0 Non-Existent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimised
Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated
Legend for symbols used: Enterprise current status; International standard guidelines; Industry best practice; Enterprise strategy
71
What Management should do
Align IT strategy with business goals
Cascade strategy and goals down into the agency
Set up organizational structures that facilitate strategy
implementation
Adopt a control and governance framework
Provide IT infrastructures that facilitate creation and sharing of
business information
Embed responsibilities for risk management in the
organization
Focus on important IT processes and core IT competencies
Measure performance (Balanced Business Scorecard)
72
CobiT Recognizes
IT is an integral part of the organization
IT governance is an integral part of corporate
governance
Focus on control objectives can strengthen
appropriateness and use of internal controls
Measurement is crucial to internal control
Monitoring and evaluation are integral to a
system of internal control
73
Benefits of CobiT
Supports IT governance objectives.
Helps ensure that IT processes are defined and
assigned.
Helps to focus on control objectives.
Leads to more cost-effective IT services.
Helps management to better utilize internal and
external auditors
Provides benchmarks for best practices for IT
management and IT control
74
Benefits of CobiT
Helps ensure the organization complies with
applicable rules, regulations and contractual
obligations.
Opportunity for complementary adoption of
COSO and CobiT (or other control models).
Authoritative nature of Cobit encompassing
adoption of well-recognized and established
standards for IT control.
75
Benefits of CobiT
Strengthens assessment, understanding and
exercise of appropriate internal controls.
Provides a good framework for risk assessment
and risk management.
Improves communication among management,
business process owners, users and auditors
regarding IT governance, and between internal
and external audit.
Helps auditors and control professionals to be
proactive business advisors.
76
Benefits of CobiT
Provides a framework for ensuring that
outsourced IT functions are addressed in third-
party contracts.
Helps to strengthen the relationship between IT
Services and the user community through
improved SLAs.
Supports management’s efforts to demonstrate
due diligence with respect to IT-based
operations.
77
Benefits of CobiT
Helps to provide reasonable assurance that:
– IT process objectives are understood
– IT risks have been identified
– Appropriate controls have been implemented
– Appropriate monitoring and evaluation processes
are in effect
– IT process objectives can be achieved.
78
CobiT
Strengthens the understanding, design,
implementation, exercise, and evaluation of
internal control through improved focus on
information criteria and IT-related control
objectives
Strengthens management’s efforts to
“ensure” and Audit’s efforts to provide
“assurance”
79
A Tip regarding CobiT
CobiT is generic - adapt it to your
organization in cooperation with the
business-process owners!
– Determine focus (quality, security, fiduciary)
– Harmonize existing policies and procedures
with CobiT
– Determine control responsibilities
– Identify key performance indicators and critical
success factors
80
Another Tip or Two
Study it carefully -- it takes some time to
understand - keep in mind that you are dealing
with a control framework
Start with CobiT’s Control Objectives
Framework and progress to the Management
Guidelines.
Build the mechanisms to provide assurance
that control objectives are being addressed and
that controls are working as intended
81
CobiT
For additional information:
www.isaca.org
www.ITgovernance.org
or email or give me a call at
(617) 727-6200 ext 135
82
Go Forth and COBITize
Thank You
83