Internal Audit Consulting - COBIT Presentation (PowerPoint by wka64484)
Institute of Internal Auditors

COBIT Presentation
October 9, 2001

Confidential and Proprietary - Internal Audit Consulting Group Use Only




For More Information on COBIT

• Phone: 847-253-1545
• Email: research@isaca.org
• Websites: www.Itgovernance.org, www.isaca.org

Internal Audit Consulting Group   Assurance and Consulting on Business Risk Management, Controls, and Governance   9/26/01 2




Cost

• ISACA Member: $115
• Non-Member: $225







Background

• Control OBjectives for Information and related Technology
  – Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF)
  – Current primary publisher is the IT Governance Institute - formed by the Information Systems Audit and Control Association (ISACA) in 1998
  – COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, and professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc.
  – The above sources were used to formulate COBIT to “be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization.”






The COBIT Mission

• To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors







Objectives of COBIT

• To provide a framework to bridge gaps between business risks, control needs and technical issues in order to maximize benefits, capitalize on opportunities and gain competitive advantage







Components

• Executive Summary
• Framework
• Control Objectives
• Audit Guidelines
• Management Guidelines






Executive Summary

• Provides a synopsis of COBIT’s objectives and processes








Framework

• A tool to be used as comprehensive guidance for users, auditors, management and business process owners








Control Objectives

• Generically defined high-level business needs, organized by process/activity, used to facilitate the implementation of a process








Audit Guidelines

• A template used to facilitate the obtaining, evaluating, assessing and substantiating of information needed to evaluate overall control








Management Guidelines

• Set of action-oriented guidelines developed to assist management in answering:
  – Does the benefit outweigh the cost?
  – What are the indicators of good performance?
  – What are the critical success factors?
  – What are the risks of not achieving our objectives?
  – What do others do?
  – How do we measure and compare?





COBIT Family of Products

• Executive Summary
  – Framework (with high-level control objectives)
    • Management Guidelines
      – Maturity Models
      – Critical Success Factors
      – Key Goal Indicators
      – Key Performance Indicators
    • Detailed Control Objectives
    • Audit Guidelines
  – Implementation Tool Set
    • Executive Overview
    • Case Studies
    • FAQ's
    • Power Point Presentations
    • Implementation Guide
    • Management Awareness Diagnostics
    • IT Control Diagnostic








Framework (see handout)

• 4 Domains
  – Planning & Organization
  – Acquisition & Implementation
  – Delivery & Support
  – Monitoring
• 34 Control Objectives
• 318 Detailed Control Objectives








Audit Guidelines

• Obtain Understanding
  – Interviewing
  – Obtaining
• Evaluate Controls
  – Considering
• Assess Compliance
  – Testing
• Substantiate Risk
  – Performing
  – Identifying





Management Guidelines

• Critical Success Factors
• Key Goal Indicators
• Key Performance Indicators
• Maturity Model






Example

• Manage Changes








Domain

• Acquisition & Implementation








Control Objective

• AI6








Detailed Control Objectives

• Change Request Initiation and Control
• Impact Assessment
• Control of Changes
• Emergency Changes
• Documentation and Procedures
• Authorized Maintenance
• Software Release Policy
• Distribution of Software




Audit Guidelines

• Obtain Understanding
  – Interviewing
  – Obtaining
• Evaluate Controls
  – Considering
• Assess Compliance
  – Testing
• Substantiate Risk
  – Performing
  – Identifying








Management Guidelines (Maturity Model)

• 0 Non-existent
• 1 Initial/Ad Hoc
• 2 Repeatable but Intuitive
• 3 Defined Process
• 4 Managed & Measurable
• 5 Optimized






Findings

• Issues
• Benchmarking







Adopting COBIT Tool Set

When you are…: Project Manager
COBIT objectives served…: General framework for minimal project and quality standards
Useful COBIT approaches…: Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery, and project management and assessment






Adopting COBIT Tool Set

When you are…: Developer
COBIT objectives served…: As minimal guidance for controls to be applied within development processes, as well as for internal control to be integrated in information systems being built
Useful COBIT approaches…: Use COBIT to help ensure that all applicable IT control objectives in the development project have been addressed







Adopting COBIT Tool Set

When you are…: Operations
COBIT objectives served…: As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives
Useful COBIT approaches…: Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive








Adopting COBIT Tool Set

When you are…: User
COBIT objectives served…: As minimal guidance for internal control to be integrated within information systems, whether fully operational or under development
Useful COBIT approaches…: Use COBIT to guide service level agreements








Adopting COBIT Tool Set

When you are…: Information Security Officer
COBIT objectives served…: As harmonizing framework providing a way to integrate information security with other business-related IT objectives
Useful COBIT approaches…: Use COBIT to structure the information security program, policies, and procedures








Adopting COBIT Tool Set

When you are…: Auditor
COBIT objectives served…: As basis for determining the IT audit universe and as IT control reference
Useful COBIT approaches…: Use COBIT as criteria for review and examination and for framing IT-related audits








COBIT Case Studies

• Cedel Group
• Office of the State Auditor of Massachusetts
• PWC
• Fidelity Investments
• Department of Defense
• Boston Gas Company
• Santa Barbara Bank and Trust
• Society for Worldwide Interbank Financial Telecommunication