Internal Control COSO and CobiT

Part 2

AUDIT GUIDELINES

Audit Guidelines -- 226 pages

• 1 generic guideline and 34 process-oriented guidelines
• The generic guideline identifies the tasks to be performed in assessing ANY control objective within a process. It collects all the repetitive tasks into one guideline, to be performed for every control objective.
• The other 34 are specific, process-oriented task suggestions that provide management assurance that a control is in place and is working.
Audit Guidelines
• The purpose of the audit guidelines is to provide a simple structure for auditing controls
• The audit guidelines are generic and high-level in structure
• Although intended as a guide for auditing high-level control objectives, CobiT can also assist overall audit planning
• They enable the auditor to review processes against control objectives
CobiT supports the generally accepted structure of the audit process:

• Identification and documentation
• Evaluation
• Compliance testing, and
• Substantive testing
The IT process is therefore audited by:

• Obtaining an understanding of business requirements, related risks, and relevant control measures
• Evaluating the appropriateness of the stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources
GENERIC AUDIT GUIDELINE
OBTAINING AN UNDERSTANDING
The audit steps to be performed to document the activities underlying the control objectives and to identify the stated control measures/procedures in place.
Interview appropriate management and staff to gain an understanding of:
* Business requirements and associated risks
* Organisation structure
* Roles and responsibilities
* Policies and procedures
* Laws, regulations and contractual obligations
* Control measures in place
* Management reporting (status, performance, action items)
Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPIs) of the process, and the control implications (e.g., by a process walk-through).
GENERIC AUDIT GUIDELINE
EVALUATING THE CONTROLS
The audit steps to be performed in assessing the effectiveness of the control measures in place, or the degree to which the control objective is achieved. Basically, deciding what, whether and how to test.
Evaluate the appropriateness of the control measures for the process under review by considering the identified criteria and industry standard practices and the Critical Success Factors (CSFs) of the control measures, and by applying professional judgment:
    •   Documented processes exist
    •   Appropriate deliverables exist
    •   Responsibility and accountability are clear and effective
    •   Compensating controls exist, where necessary
Conclude on the degree to which the control objective is met.
GENERIC AUDIT GUIDELINE
ASSESSING COMPLIANCE
The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.

Obtain direct and/or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review.

Perform a limited review of the adequacy of the process deliverables.

Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
GENERIC AUDIT GUIDELINE
SUBSTANTIATING THE RISK
The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.

Document the control weaknesses and the resulting threats and vulnerabilities.

Identify and document the actual and potential impact (e.g., through root-cause analysis).

Provide comparative information (e.g., through benchmarks).
Audit Guidelines are GUIDELINES
• They are a starting point for identifying the control tasks and activities associated with particular control objectives.
• To plan and conduct the audit, an auditor must add knowledge about the business, risk analysis and controls; perform adequate audit procedures; and draw conclusions from the results of those procedures.
Using CobiT to Develop an Audit Program
• Start with the Control Objectives to refresh the purpose of the control objective and the recommended IT control practices
• Use the Audit Guidelines’ generic audit guideline as a starting point
• Use the selected process-oriented audit guidelines to refine the audit work program
• Select the appropriate portions of the Audit Guidelines in sync with the selected detailed control objectives (selected control tasks and activities)
Using CobiT to Review an Audit Program

• Use the Audit Guidelines as a benchmark for the existing audit program
• Use the Control Objectives’ high-level control objectives to review the audit objectives, and the detailed control objectives to review the identification of criteria
• Use the generic and process-oriented audit guidelines to review the audit process and procedures
Adopting CobiT
• Start by identifying the “need” for its use, and how it might be used
• Focus on the benefits to be derived from using CobiT
• Assess acceptance and implementation capabilities
• Assign priority among multiple uses
• Identify one or more champions
Adopting CobiT
• For those responsible for systems and those who audit systems, the value lies in having an organized IT control model that links management control practices to control objectives, and in turn to business objectives.
• From a management perspective:
   – management and IT policy makers such as the CEO, CIO, VP of IT
   – IT steering committee
   – business process owners and users
• From an audit perspective:
   – evaluators and internal/external auditors
Factors to Consider
• Dimension and depth of the IT environment
• Organizational structure of IT services
• Level of internal and outsourced IT functions
• Relationships among IT, IS Audit, business process owners and management
• Management philosophy regarding control and audit
• Extent of business process reengineering
• Level of consensus needed
Benefits of CobiT
• Supports IT governance objectives.
• Helps ensure that IT processes are defined and assigned.
• Helps to ensure that there is focus on control objectives.
• Leads to more cost-effective IT services.
Benefits of CobiT
Helps to provide reasonable assurance that:
   – IT process objectives are understood
   – IT risks have been identified
   – appropriate controls have been implemented
   – appropriate monitoring and evaluation processes are in effect
   – IT process objectives can be achieved.
Benefits of CobiT
• Helps to ensure that the organization complies with applicable rules, regulations and contractual obligations.
• Opportunity for complementary adoption of COSO and CobiT (or other control models).
• Authoritative nature of CobiT, encompassing the adoption of well-recognized and established standards for IT control.
Benefits of CobiT

• Strengthens the assessment, understanding and exercise of appropriate internal controls.
• Provides a good framework for risk assessment and risk management.
• Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.
Benefits of CobiT
• Provides a framework for ensuring that outsourced IT functions are addressed in third-party contracts.
• Helps to strengthen the relationship between IS Services and the user community through improved SLAs.
• Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.
Using COBIT

• Organizational Tool
• Audit Planning and Support Tool
• IT Control Self Assessment Tool
CobiT as an Organizational Tool

• Provides a framework and benchmarks for IT planning and management
• Identifies the primary IT processes (by broad, management-oriented Domains)
• Assists in establishing responsibilities and points of accountability
• Assists in clarifying IT’s and Audit’s roles
CobiT As An Audit Planning Tool

“To look at a functional area.”

   – “Which functional area?”
   – “What systems are involved?”
   – “What IT processes are involved?”
   – “What are the objectives and risks?”
   – “What are the control objectives?”
Using CobiT in Audit Planning
• IT audit shop planning -- audit engagement selection
• Determining the type of audit services
• Engagement planning
• Framing audit scope and audit objectives to CobiT
• Development of the audit approach
Audit Planning
• Adequate planning is a necessary first step in performing effective IT audits.
• Need to understand the general business environment as well as the associated business and control risks.
• Assess operational and control risks and identify control objectives during audit planning.
Use of CobiT during the Audit Planning
• Assessing the control environment and identifying high-risk processes
• Conducting a high-level policy and procedures review
• Conducting a detailed review of policies and procedures against the entire Control Objectives document
• Using CobiT-related matrices
CobiT-related Matrices
Using CobiT Matrices to Focus on:
• IT Functions
   – Their importance?
   – Level of performance?
   – Control documentation?
• Responsible Parties of IT
   – Performed by?
   – Contracted services?
   – Primary responsible party?
• Risk Assessment
   – Importance, level of risk, control documentation?
CobiT-Related Matrices
• Submit a matrix of processes to IT management to obtain assertions regarding:
   – importance, performance and risk of each process
   – a self-assessment of how well control is being carried out for each process
• Have the review or audit team also independently rate its preliminary understanding of the importance, performance and risk of each process
• Use a matrix of the IT processes to be performed to identify who performs each process and who has final responsibility; this can be used to identify processes not performed by the “traditional” IT organization
ENTITY SHORT FORM

One row per IT process, with tick-box columns for:
  Importance:   Not Important | Somewhat Important | Very Important | Not Sure | Not Applicable
  Performance:  Formally Rated | Not Rated; Poor | Satisfactory | Very Good | Excellent | Not Sure | Not Applicable

IT Process
  PO1    Define a strategic IT plan
  PO2    Define the information architecture
  PO3    Determine technological direction
  PO4    Define organisation and relationships
  PO5    Manage the investment
  PO6    Communicate management aims & direction
  PO7    Manage human resources
  PO8    Ensure compliance with external requirements
  PO9    Assess risk
  PO10   Manage projects
  PO11   Manage quality

  AI1    Identify automated solutions
  AI2    Acquire & maintain application software
  AI3    Acquire & maintain technology architecture
  AI4    Develop & maintain procedures
  AI5    Install & accredit system
  AI6    Manage changes

  DS1    Define service levels
  DS2    Manage third party services
  DS3    Manage performance & capacity
  DS4    Ensure continuous service
  DS5    Ensure system security
  DS6    Identify & allocate costs
  DS7    Educate & train users
  DS8    Assist & advise customers
  DS9    Manage the configuration
  DS10   Manage problems & incidents
  DS11   Manage data
  DS12   Manage facilities
  DS13   Manage operations

  M1     Monitor the process
  M2     Assess Internal Control Adequacy
  M3     Obtain independent assurance
  M4     Provide for Independent Audit
ENTITY LONG FORM

Same rows (the 34 IT processes PO1–PO11, AI1–AI6, DS1–DS13, M1–M4) as the Entity Short Form, with tick-box columns for:
  Importance:          Not Important | Somewhat Important | Very Important | Not Sure | Not Applicable
  Performance:         Formally Rated | Not Rated; Poor | Satisfactory | Very Good | Excellent | Not Sure | Not Applicable
  Internal Controls:   Documented | Not Documented | Not Sure
  WP Ref.:             working paper reference
RISK ASSESSMENT FORM

Same rows (the 34 IT processes PO1–PO11, AI1–AI6, DS1–DS13, M1–M4) as the Entity Short Form, with tick-box columns for:
  Importance:          Not Important | Somewhat Important | Very Important | Not Sure
  Risk:                Immaterial | Low | Medium | High | Not Sure
  Internal Controls:   Documented | Not Documented | Not Sure
  WP Ref.:             working paper reference

Pre-Audit: Performance and Risk

Level of      Function &      Level of
Performance   Operation       Risk
high          A/P             low
high          payroll         low
medium        IT processing   high
              etc.
Pre-Audit: Risk/Importance and Control Documentation

Risk/         Function &      Control
Importance    Operation       Documentation
Low/medium    A/P             yes
Low/high      payroll         none
High/medium   IT processing   partial
              etc.
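The matrices and pre-audit tables above collect, per IT process, management's assertions on importance, performance and risk, the audit team's independent rating, whether controls are documented, and who performs the process. The following is an added example, not part of the original slides, showing one way to turn those ratings into an audit-priority ranking, to flag processes where the audit team's preliminary rating disagrees with management's self-assessment, and to list processes performed outside the traditional IT organisation. The numeric weights, the scoring rule and the disagreement threshold are assumptions of this example, and the sample rows are constructed.

```python
# Added example, not part of the original slides: scoring CobiT matrix
# ratings (importance, risk, performance, control documentation,
# performed-by) into an audit-priority ranking.
#
# Assumptions (not in the source): the numeric weights, the scoring
# formula, the "disagreement" threshold, and the constructed sample rows.
from dataclasses import dataclass

# Rating scales as they appear on the Entity Long Form / Risk Assessment
# Form. The numeric weights are an assumption of this example.
IMPORTANCE = {"Not Important": 1, "Somewhat Important": 2, "Very Important": 3}
RISK = {"Immaterial": 0, "Low": 1, "Medium": 2, "High": 3}
PERFORMANCE = {"Poor": 1, "Satisfactory": 2, "Very good": 3, "Excellent": 4}
CONTROLS = {"Not Documented": 0, "Documented": 1}


@dataclass
class ProcessRating:
    process: str            # e.g. "DS5 Ensure system security"
    importance: str         # Importance column
    risk: str               # Risk column
    performance: str        # management's self-assessed performance
    audit_performance: str  # audit team's independent preliminary rating
    controls: str           # Internal Controls column
    performed_by: str       # footnote (1) of the Responsible Party Form


def priority_score(r: ProcessRating) -> int:
    """Higher means audit sooner.

    'Not sure' / 'Not Applicable' / 'Not Rated' values are absent from the
    weight tables and are treated as the worst case (an assumption): an
    unknown is itself a pre-audit finding.
    """
    imp = IMPORTANCE.get(r.importance, 3)
    risk = RISK.get(r.risk, 3)
    perf = PERFORMANCE.get(r.performance, 1)
    ctl = CONTROLS.get(r.controls, 0)
    # importance x risk drives the score; poor performance and missing
    # control documentation add penalties
    return imp * risk + (4 - perf) + (1 - ctl) * 2


def ranked(rows):
    """Process names ordered by descending priority score."""
    return [r.process for r in sorted(rows, key=priority_score, reverse=True)]


def disagreements(rows, tolerance=1):
    """Processes where management and the audit team differ on performance
    by more than `tolerance` steps, or where either side could not rate it."""
    out = []
    for r in rows:
        m = PERFORMANCE.get(r.performance)
        a = PERFORMANCE.get(r.audit_performance)
        if m is None or a is None or abs(m - a) > tolerance:
            out.append(r.process)
    return out


def outside_traditional_it(rows):
    """Processes not performed by the IT department itself (outsourced,
    elsewhere in the organisation, or not sure)."""
    return [r.process for r in rows if r.performed_by != "IT department"]


# Constructed sample rows (not real assessment data).
SAMPLE = [
    ProcessRating("DS5 Ensure system security", "Very Important", "High",
                  "Very good", "Poor", "Not Documented", "IT department"),
    ProcessRating("DS2 Manage third party services", "Very Important", "Medium",
                  "Very good", "Very good", "Documented", "outsourced"),
    ProcessRating("PO11 Manage quality", "Somewhat Important", "Low",
                  "Excellent", "Very good", "Documented", "IT department"),
    ProcessRating("DS7 Educate & train users", "Not Important", "Immaterial",
                  "Not sure", "Satisfactory", "Not Documented", "within organisation"),
]

if __name__ == "__main__":
    for name in ranked(SAMPLE):
        print(name, priority_score(next(r for r in SAMPLE if r.process == name)))
    print("disagreements:", disagreements(SAMPLE))
    print("outside traditional IT:", outside_traditional_it(SAMPLE))
```

The point of the disagreement check is the one the slides make: management's self-assessment and the audit team's independent rating are collected separately, and the processes where they diverge (or where management answered "Not sure") are the ones to look at first, regardless of the computed score.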
                                        RESPONSIBLE PARTY FORM                                                           Primary
     Performed by (1)                                         IT Process                                             Responsible Party
                                      PO1 Define a strategic IT plan
                                      PO2 Define the information architecture
                                      PO3 Determine technological direction
                                      PO4 Define organisation and relationships
                                      PO5 Manage the investment
                                      PO6 Communicate management aims & direction
                                      PO7 Manage human resources
                                      PO8 Ensure compliance with external requirements
                                      PO9 Assess risk
                                      PO10 Manage projects
                                      PO11 Manage quality

                                       AI1    Identify automated solutions
                                       AI2    Acquire & maintain application software
                                       AI3    Acquire & maintain technology architecture
                                       AI4    Develop & maintain procedures
                                       AI5    Install & accredit system
                                       AI6    Manage changes

                                      DS1     Define service levels
                                      DS2     Manage third party services
                                      DS3     Manage performance & capacity
                                      DS4     Ensure continuous service
                                      DS5     Ensure system security
                                      DS6     Identify & allocate costs
                                      DS7     Educate & train users
                                      DS8     Assist & advise customers
                                      DS9     Manage the configuration
                                      DS10    Manage problems & incidents
                                      DS11    Manage data
                                      DS12    Manage facilities
                                      DS13    Manage operations

                                        M1    Monitor the process
                                        M2    Assess Internal Control Adequacy
                                        M3    Obtain independent assurance
                                        M4    Provide for Independent Audit
(1) Identify organisational units (IT department, within organisation, outsourced, or not sure) which perform activities incorporated within the IT process




                                                                                                                                                          38
Pre-Audit: Functions & Responsibilities
(Points of Accountability)

Function performed by   Function & Operation   Responsible Party
internal                A/P                    Accounting
outsourced              payroll                Accounting
IT Dept                 IT processing          VP of IT
etc.




                                             39
CONTRACT SERVICE/SERVICE LEVEL AGREEMENT (SLA) FORM

Columns (one row per IT process):
  Performed by: IT Department / Within Organisation / Outsourced / Not sure
  IT Process
  Internal Controls: Documented / Not Documented / Not Sure
  Formal Contract/SLA in place?: Yes / No / Not Applicable / Not Sure
  WP Ref.

IT Process
                                          PO1    Define a strategic IT plan
                                          PO2    Define the information architecture
                                          PO3    Determine technological direction
                                          PO4    Define organisation and relationships
                                          PO5    Manage the investment
                                          PO6    Communicate management aims & direction
                                          PO7    Manage human resources
                                          PO8    Ensure compliance with external requirements
                                          PO9    Assess risk
                                          PO10   Manage projects
                                          PO11   Manage quality

                                          AI1    Identify automated solutions
                                          AI2    Acquire & maintain application software
                                          AI3    Acquire & maintain technology architecture
                                          AI4    Develop & maintain procedures
                                          AI5    Install & accredit system
                                          AI6    Manage changes

                                          DS1    Define service levels
                                          DS2    Manage third party services
                                          DS3    Manage performance & capacity
                                          DS4    Ensure continuous service
                                          DS5    Ensure system security
                                          DS6    Identify & allocate costs
                                          DS7    Educate & train users
                                          DS8    Assist & advise customers
                                          DS9    Manage the configuration
                                          DS10   Manage problems & incidents
                                          DS11   Manage data
                                          DS12   Manage facilities
                                          DS13   Manage operations

                                          M1     Monitor the process
                                          M2     Assess Internal Control Adequacy
                                          M3     Obtain independent assurance
                                          M4     Provide for Independent Audit



                                                                                                                                                                                   40
PRIOR AUDIT WORK FORM

Columns (one row per IT process):
  In Prior Scope: Yes / No
  IT Process
  Prior Audit Opinion: Unqualified / Qualified / Adverse / Disclaimer
  Material Weaknesses
  Findings
  Disposition of Findings: Resolved / Unresolved / Not Determined / N/A

IT Process
           PO1    Define a strategic IT plan
           PO2    Define the information architecture
           PO3    Determine technological direction
           PO4    Define organisation and relationships
           PO5    Manage the investment
           PO6    Communicate management aims & direction
           PO7    Manage human resources
           PO8    Ensure compliance with external requirements
           PO9    Assess risk
           PO10   Manage projects
           PO11   Manage quality

           AI1    Identify automated solutions
           AI2    Acquire & maintain application software
           AI3    Acquire & maintain technology architecture
           AI4    Develop & maintain procedures
           AI5    Install & accredit system
           AI6    Manage changes

           DS1    Define service levels
           DS2    Manage third party services
           DS3    Manage performance & capacity
           DS4    Ensure continuous service
           DS5    Ensure system security
           DS6    Identify & allocate costs
           DS7    Educate & train users
           DS8    Assist & advise customers
           DS9    Manage the configuration
           DS10   Manage problems & incidents
           DS11   Manage data
           DS12   Manage facilities
           DS13   Manage operations

           M1     Monitor the process
           M2     Assess Internal Control Adequacy
           M3     Obtain independent assurance
           M4     Provide for Independent Audit                                                                                                                                                                41
                  Insert the number of material weaknesses and/or findings if there is more than one per process category and
                     then reflect the appropriate number under each column.
COBIT’s 34 Audits (or audit entities)

Processes   A  B  C  D  E  F  - - -
PO1
PO2
.
.
.
M4

Legend:  S = Pre-audit survey
         A = Audit
         R = Report - Positive conclusion
                    - Finding



                                                42
Use of CobiT in Audit Planning:


  Supports objectives of AU.319
   “Consideration of Internal
   Control in a Financial Statement
   Audit”, and

  Risk-Based Audit planning
                                      43
Key Features of Risk-Based Approach


  Focuses on the business from a
   management perspective
  Emphasis on knowledge of the business
   and the technology
  Focus on assessing the effectiveness of a
   “combination” of controls
  Linkage between risk assessment and
   testing focusing on control objectives
                                               44
    Risk-Based Audit Planning
 What is most critical to the business?
 What are the CSFs?

 What are the risks and threats?

 How robust and appropriate does the
 internal control structure appear?
 What are management’s concerns?


                                           45
     Risks to the Business?
   Unaware of the risks
   Poor understanding of CSFs
   Absence of KPIs
   No “scorecard” or basis of measurement
   Absence of monitoring and evaluation
   Weak IT control environment
   Loss of data or system integrity
                                             46
      Control Risk Assessment
 Control Risk assessment at maximum
  – addresses relevant audit objectives using
    substantive tests
  – perform all applicable substantive tests
 Control risk assessment at below maximum
  – identify control procedures that allow control risk
    to be below maximum
  – design & perform tests of controls
  – Identify reduced substantive tests
                                                          47
 Control Risk Assessment

 Control Risk assessment at low
  – perform tests of controls for application and
    IT controls
  – perform analytical procedures (reduced
    substantive testing)




                                                    48
    Control Assessment Steps
 What is the control objective?
 Identify the type of control (application or general; primary
  or secondary; and preventive, detective, or corrective)
 What business objective is impacted?
 Appropriateness of the stated control?
 Number of components used to execute the control and
  number of subsystems or control objectives impacted?
 Evidence that the control is in effect, or impact that it is
  not.

                                                                  49
  Setting Audit Objectives
 Depends on the type of audit
 Best phrased when focused on whether
  selected control objectives are met
 Build the linkage between the control
  objective and the controls to the audit
  objectives and audit procedures (review
  and examination steps) to obtain sufficient
  audit evidence to draw conclusions
                                                50
Use of CobiT in
The Pre-Audit
    Process

              51
  Overview of Pre-Audit Process
 Auditee selection (may be CobiT driven)
 Off-site preliminary information gathering
 Entrance Conference and on-site preaudit
  information gathering (reference to CobiT)
 Develop proposed scope and audit objectives
 Internal scope meeting (review & approval)
 Finalize audit work program (CobiT-framed)
 Engagement conference (reference CobiT as
  criteria) and audit (CobiT as examination criteria)
                                                        52
Pre-Audit Planning

 Who are they? (type of organization, industry)
 What do they do? (mission, business objectives)
 How do they plan to do it? (strategy/plan)
 How do they do it? (functions, processes)
 With what resources? (IT, operational resources,
  management & staff, raw materials, etc.)
 By what rules? (policies, standards, legal and
  regulatory requirements)
 Under what risks? (risk analysis)
                                                     53
Pre-Audit Planning

 Who does it? (internal & external players, their roles
  and responsibilities)
 Who knows what is done? (reporting lines,
  designated points of accountability)
 How do they know it is done right?
  (measurement registers, assurance mechanisms, evaluations,
  score cards, etc.)
 Where are they? (global or national, centralized or
  distributed organizational structure, etc.)
                                                               54
          On-Site Pre-Audit
 Entrance conference and subsequent interviews
  (CobiT discussion)
 Tour of facility and observations
 Documentation review (high-level CobiT)
 Obtain management assertions (CobiT matrices)
 Identification of data/information sources and
  their information criteria (CobiT)
 Risk and exposure analysis
 Review of internal controls (includes CobiT)
 Determination of planned materiality           55
On-Site Pre-Audit Procedures
 Identification of accounting and operational
  control objectives and related control practices
  (CobiT)
 Perform selected tests of stated procedures or
  controls (CobiT)
 Determination of auditability
 Summary conclusions and development of
  proposed scope and audit objectives
                                                     56
       Internal Scope Meeting
 AIC and manager present understanding of the
  entity and its audit requirements
 Provides opportunity to discuss CobiT-related
  matters
 Acquaints the Audit Shop’s management with
  proposed audit and CobiT-related matters
 Serves as review and approval point for scope
  and audit objectives

                                                  57
        Internal Scope Meeting
 Addresses fundamental elements of preaudit
  planning; preliminary audit work; development
  and documentation of audit scope, objectives and
  methodology; identification of control objectives
  and criteria; and staffing and logistics issues
 Cobit helps to ensure appropriate audit direction
  and allocation of audit resources to the
  engagement
 Serves as a “practice run” for presenting audit
  scope and audit objectives, methodology and
  criteria (including CobiT) to the auditee
                                                      58
      For the Audit Engagement
   May identify CobiT as criteria at entrance
    conference
   Use CobiT to develop and benchmark audit
    work programs
   Introduce generally accepted control
    practices to auditee via CobiT



                                                 59
          Where CobiT Helps on
         Pre-Audit Considerations

 Framing IT processes by domains for the existing
  IT environment and automated systems

 Identification of major processes and activities
  which support the entity’s mission and business
  objectives
 Review of acquisition and development
  plans or projects for IT

 Performing risk analysis and internal control
  review
                                                     60
Using CobiT
  in other
Audit Areas


              61
  Using CobiT on
System Development
      Audits


                     62
         Three Types of System
         Development IT Audits
 Type 1: examination of development
  methodology, policy and procedures
 Type 2: examination of development and
  implementation of a particular information
  system
 Type 3: participation as “control advisor”
  throughout the development and
  implementation process
                                               63
System Development Audit Planning
  Conduct preliminary survey and pre-audit
   work sufficient to select the “type” of system
   development audit
  Use CobiT to assist in framing the audit with
   respect to processes and detailed control
   objectives applicable to the “type” of
   development audit
  Use CobiT processes and detailed control
   objectives to identify criteria
                                                    64
  System Development Audit Planning

 Start with CobiT summary table to select
  processes directly impacting application(s)
 Suggest focus on Planning & Organization,
  Acquisition & Implementation, and Monitoring
  domains for development audits
 Note: not all processes will be selected nor will
  detailed control objectives within each process
 Select applicable IT control practices (tasks and
  activities) for each process
                                                 65
      SDLC Audits Type 1
The IT auditor reviews the organization’s system
development and implementation procedures.
Here, the auditor would determine whether
appropriate SDLC procedures were in place to
ensure that automated systems developed meet
user needs, function as intended, meet any
required legal or regulatory requirements, are
sufficiently controlled to provide reasonable
assurance for data and system integrity, and that
the system operates effectively and efficiently.
                                                    66
Type 1 Development Audit
 Process audit
 Determine whether appropriate SDLC
  policies & procedures are in place
 Emphasis on Planning & Organization and
  Acquisition & Implementation domains
 Detailed control objectives focused on good
  practices for development

                                                67
    Type 1 Development Audit
          Assumptions
 Linkage to Planning & Organization
  processes based on the premise that PO’s set
  the stage for IT environment and
  development
 Audits or reviews of SDLC methodology
  should be in context of organization’s IT
  strategy, policies, and standards

                                                 68
       SDLC Audits Type 2
The IT auditor reviews the development
and implementation of a particular
system, determining whether the
organization’s (and generally-accepted)
development procedures were followed,
whether the system meets the needs of the
organization and its users, is
maintainable, and operates efficiently.
                                            69
Type 2 Development Audit
 Compliance audit
 Operations/Performance audit
 Post-implementation examination
 Focus on compliance with SDLC methods
  and assessment of the system’s “operational
  status”
 May include 3rd-party review

                                                70
   SDLC Audits Type 3
The IT auditor participates in the
development and implementation of the
automated system where the auditor
serves as a non-voting member of the
development team. Under this
arrangement, the auditor serves as an
advisor, a “control consultant”.

                                        71
  Type 3 Development Audit
 Management advisory services (MAS)
 Use CobiT to facilitate discussions on design,
  development, testing, etc.
 May involve audit work of each phase
 Greater emphasis placed on understanding of
  Audit’s role as “advisor”
 Good opportunities to design control self
  assessment processes
                                                   72
Processes Selected for Type 1, 2 & 3
       Development Audits
    PO1:    Define strategic IT plan
    PO2:    Define information architecture
    PO4:    Define organization & relationships
    PO5:    Manage the investment
    PO6:    Communicate management aims
    PO8:    External requirements compliance
    PO9:    Assess Risk
    PO10:   Manage projects
    PO11:   Manage quality
                                                   73
Processes selected for Type 1, 2 & 3
       Development Audits
     AI1:   Identify automated solutions
     AI2:   Acquire/maintain application software
     AI3:   Acquire/maintain technology architecture
     AI4:   Develop & maintain procedures
     AI5:   Install & accredit systems
     AI6:   Manage changes
     M1:    Monitor the process


                                                        74
  Detailed Control Objectives by
  Process for Type 1 SDM Audit
 PO1      1.1 Assessment of technology issues
            in L-R & S-R plans
          1.5 Feasibility studies performed

 PO2      2.1 Current architecture model
          2.2 Current corporate data dictionary
          2.3 Data classification scheme

 PO4      4.1 Oversight role of steering
            committee
                                                    75
  Detailed Control Objectives by
  Process for Type 2 SDM Audit
 PO1      1.2 Development initiatives should
            be in L-R & S-R plans
          1.5 Feasibility studies performed

 PO2      2.2 Current corporate data dictionary
          2.3 Data classification scheme
          2.4 Maintain security levels for
            information classes

 PO4      4.1 Oversight role of steering
            committee
          etc.
                                                    76
  Detailed Control Objectives by
  Process for Type 3 SDM Audit
 PO1       1.3 IT-related issues to be
             considered in L-R planning
            1.5 Plans to reflect IS resources

 PO2       2.2 Corporate data dictionary
             incorporates data syntax rules
            2.3 Placement of data on
             information classes
            2.4 Implement security levels

 PO3       3.4 Software acquisition plans
            3.5 Standardization - infrastructure
                                                    77
         System Development
         Audit Work Program
 Use Control Objectives and Audit
  Guidelines together to start audit work
  program.
 While primary focus may be on AI1-AI6,
  selected control objectives from Planning
  & Organization.
 Include appropriate SDLC requirements of
  the organization, if available.

                                              78
Summary Thoughts on Using CobiT
    on Development Audits
 Participate in quality assurance for CobiT
  targeting software development
 Use CobiT for risk assessment and
  subsequent allocation of audit resources to
  development projects
 Use CobiT to develop Type 1, 2, & 3
  development audit work programs
 Use CobiT to evaluate adequacy of audit
  approach on type 3 SDM audits
                                                79
 Developing a Change Control
       Audit Program
 Select relevant objectives from the 34 high-level
  control objectives (e.g., AI1, AI2, AI4, AI6, DS9)
 Select relevant detailed control objectives (e.g., AI
  6.2)
  These become audit objectives in the audit program
 Compare the audit program to the COBIT Audit
  Guidelines

                                                          80
Using Cobit on Management Audits

  Framing audits via Planning & Organization
   Domain
  Using CobiT to evaluate assignment of
   responsibility of IT-related functions.
  Using CobiT to evaluate points of
   accountability.


                                                81
Using CobiT for Review of
     Responsibilities
& Evaluation of Points of
      Accountability

                        82
  Conducting Responsibility and
     Accountability Reviews

 Determine the extent to which discrete tasks
  and activities referenced by CobiT are in
  place.

 Determine the extent to which policies,
  procedures, and mechanisms referenced by
  CobiT have been established.

                                                 83
Factors to consider when identifying
    relevant tasks and activities

 Not all tasks & responsibilities have an
  assigned responsible party
 When planning your assessments (extent,
  scheduling, area to be reviewed, MAS),
  recommend comprehensive review by:
  – domain
  – key process(es)


                                             84
Factors to consider when identifying
    relevant tasks and activities
 If reviewing the control environment, you
  may elect to target tasks and responsibilities
  with CobiT-designated responsible parties.
 Consider the difference between single
  tasks and on-going activities with respect to
  the purpose of your review or audit work.



                                                   85
 Task/Activity Monitoring & Evaluation

Task or Activity   Responsibility to:                  Monitored by:              Evaluated by:
Control task       Establish a function or procedure   Initially & upon changes   Periodic, at least annual
Control activity   On-going function or activity       On-going, with reporting   Periodic to on-going
                                                     86
  “Lock in” Responsibilities
 Complete “responsible party” form
 Prepare list of responsible parties
 Based on entity and organizational structure,
  and CobiT responsibility designations, agree or
  modify responsibility designations for the
  selected tasks and activities
 Establish “Locked in” responsibility list


                                                87
“Locked in” Responsibility List
 Serves as established list of desired
  responsibility assignments.

 Use as criteria for reviewing responsibility
  assignments for entity under audit.




                                                 88
    Review and Evaluate
 Clarity and appropriateness of responsibility
  definitions
 assignment of responsibilities
 points of accountability
 reporting of actions taken and activities
 mechanisms to monitor and evaluate
  adequacy of exercise of responsibilities

                                                  89
Determine extent to which Audit
   Team Needs to Perform:


 A review of assigned responsibilities
  for discrete tasks during pre-audit.

 A review of assigned responsibilities
  for activities during audit


                                          90
            Examination Steps
 Determine whether IT-related responsibilities have
  been adequately defined and assigned, and that
  adequate points of accountability are in place.

 Determine whether adequate controls and mechanisms
  are in place to monitor, evaluate, and hold accountable
  internal and outsourced parties for assigned
  responsibilities and desired deliverables


                                                            91
  Evidence gathered in review of assigned
responsibilities and points of accountability

   Can assist assessments of internal
    structures for financial and
    operations audits

   Can serve to identify the potential
    cause of audit results or findings


                                                92
    Evidence gathered in review of assigned
  responsibilities and points of accountability

 Can assist management in reviewing and
  determining the adequacy of structures of
  accountability when organizations incur
  organizational or significant technical change

 Can provide insight into recommendations
  regarding task and activity assignment and
  monitoring

                                                   93
     Using Cobit to Address Third-Party
      Providers of IT-Related Services

 Determine whether desired processes are in
  place and establish accountability
 Agree on levels of control

   Use CobiT to help design service contracts
    by identifying deliverables and responsibilities
   Use CobiT for ongoing monitoring and
    evaluation of providers and partners
                                                       94
As An IT Self Assessment Tool

   “How am I doing against recommended
    COBIT IT benchmarks?”
   Use COBIT to facilitate operational and
    control improvements.
   Identify controls that should be in place.
   Reallocate resources to more important
    projects.
                                                 95
Using Cobit on Control Self Assessment

   Use CobiT to assist the development of
   Control Self Assessment programs by
   establishing benchmarks, gathering
   appropriate information on control
   objectives and control practices, and
   developing action plans.


                                            96
 Benchmarking - Self-Assessment
 0   Very poor                    Complete lack of good practice
 1   Poor                         Recognized the issues
 2   Fair                         Some effort made to address issues
 3   Good                         Moderately good level of practice
 4   Very good                    Advanced level of practice
 5   Excellent                    Best possible, highly integrated




Source: Erik Guldentops, DC presentation, July 1997.             97
0 Very poor. Complete lack of good practices.
Organization has not recognized that there is
an issue to be addressed.
1 Poor. There is evidence that the
organization has recognized that the issues
exist and need to be addressed. There may
also be some rudimentary attempts to solve
the problem although these are relatively
ineffective without greater levels of good
practice to support them.
                                                98
2 Fair. There is some effort within the organization to
provide a level of practice which is acceptable. This
includes partial definitions of responsibility, organizational
models and processes, although these may not have
been followed through to deliver effective and acceptable
levels of practice.
3 Good. There is a moderately good level of practice
which should not draw undue criticism. The processes
are reasonably well defined at levels of detail which make
them effective. Responsibilities and organizational
models are at a similar level of development. There is a
recognition of the need for integration, but this has not
evolved very far.
                                                            99
4 Very Good. There is generally a high level of good practices, with advanced tools being used to gain productivity, cost reduction and effectiveness. There is also considerable integration of related practices to give consistent and effective control within this area.

5 Excellent. The very best possible levels of good practice, given the available knowledge and tools. There is also a very high level of integration across all aspects related to this area.

COBIT Management Guidelines
 Includes:
 – Critical Success Factors
 – Key Performance Indicators
 – Key Goal Indicators
 – Maturity models

Using the Management Guidelines

IT Management
 Is IT well managed?
   – Are we doing the right things?
   – Are we doing them the best way?
   – Are they being done well?
   – Are we achieving desired benefits?
 Is IT properly controlled?
 Do we exercise due diligence?
 Is management driving the information technology?

CobiT: An IT control framework
 Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
 Promotes process focus and process ownership.
 Divides IT into 34 processes belonging to four domains: Planning, Acquiring & Implementing, Delivery & Support, Monitoring.
 Looks at the fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT: effectiveness, efficiency, availability, integrity, confidentiality, reliability, compliance.

Why governance?
   "Due diligence"
   IT is strategic to the business
   IT is critical to the business
   Expectations and reality don't match
   IT involves huge investments and large risks

IT is strategic to most businesses
If so, wouldn't you want to know whether your information technology organization is:
   Likely to achieve its objectives?
   Resilient enough to learn and adapt?
   Judiciously managing the risks it faces?
   Appropriately recognizing opportunities and acting upon them?

Management Guidelines

 • Generic and action oriented
 • For the purpose of
   • IT Control profiling - what's important?
   • Awareness - where's the risk?
   • Benchmarking - what do others do?
 • Supporting decision making and follow up
   • Key performance indicators of IT processes
   • Critical success factors of controls
   • Control implementation choices

Management Guidelines
Critical Success Factors
 the most important things to do to increase the probability of success of the process
 observable - usually measurable - characteristics of the organisation and process
 are either strategic, technological, organizational or procedural in nature
 focus on obtaining, maintaining and leveraging capability and skills
 expressed in terms of the IT process, not necessarily the business

Management Guidelines
Key Goal Indicators
   describe the outcome of the process and are therefore a 'lag' indicator, i.e., measurable after the fact
   are an indicator of the success of the process but may also be expressed in terms of the business contribution if that contribution is specific to the IT process
   represent the process goal, i.e., a measure of "what", a target to achieve
   may also describe a measure of the impact of not reaching the process goal
   KGIs are IT oriented but are also business driven
   are expressed in precise measurable terms wherever possible

Management Guidelines
Key Performance Indicators
 are a measure of "how well" the process is performing
 predict the probability of success or failure in the future, i.e. KPIs are 'lead' indicators
 are process oriented but IT driven
 focus on the process and learning dimensions of the balanced scorecard
 are expressed in precise measurable terms
 should help in improving the IT process

Maturity Models
• Refer to business requirements and control capabilities at different levels
• Are scales that lend themselves to pragmatic comparison
• Are scales where the difference can be made measurable in an easy manner
• Are recognizable as a "profile" of the enterprise in relation to IT governance and control
• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level

Start from a Maturity Model for Self-Assessment

Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Legend for rankings used:
 0 - Management processes are not applied at all
 1 - Processes are ad hoc and disorganised
 2 - Processes follow a regular pattern
 3 - Processes are documented and communicated
 4 - Processes are monitored and measured
 5 - Best practices are followed and automated

Legend for symbols used (positions marked along the scale): enterprise current status; international standard guidelines; industry best practice; enterprise strategy

Indicators? Measures? Scales?

Generic Maturity Model - Dimensions

     Understanding and awareness
     Training and communications
     Process and practices
     Techniques and automation
     Compliance
     Expertise

Generic Maturity Model - Dimensions (levels 1 to 5; no entry means the source table left that cell blank)

Level 1
  Understanding & awareness: recognition
  Training & communication: sporadic communication on the issues
  Process & practices: ad hoc approaches to process and practices

Level 2
  Understanding & awareness: awareness
  Training & communication: communication on the overall issue and need
  Process & practices: similar/common processes emerge; largely intuitive
  Techniques & automation: common tools are emerging
  Compliance: inconsistent monitoring in isolated areas

Level 3
  Understanding & awareness: understand need to act
  Training & communication: informal training supports individual initiative
  Process & practices: existing practices defined, standardised & documented; sharing of the better practices
  Techniques & automation: currently available techniques are used; minimum practices are enforced; tool-set becomes standardised
  Compliance: inconsistent monitoring globally; measurement processes emerge; IT Balanced Scorecard ideas are being adopted; occasional intuitive application of root cause analysis
  Expertise: involvement of IT specialists

Level 4
  Understanding & awareness: understand full requirements
  Training & communication: formal training supports a managed program
  Process & practices: process ownership and responsibilities assigned; process is sound & complete; internal best practices applied
  Techniques & automation: mature techniques applied; standard tools enforced; limited, tactical use of technology
  Compliance: IT Balanced Scorecards implemented in some areas with exceptions noted by management; root cause analysis being standardised
  Expertise: involvement of all internal domain experts

Level 5
  Understanding & awareness: advanced forward-looking understanding
  Training & communication: training and communications support external best practices and use of leading edge concepts/techniques
  Process & practices: best external practices applied
  Techniques & automation: sophisticated techniques are deployed; extensive, optimised use of technology
  Compliance: global application of IT Balanced Scorecard and exceptions are globally & consistently noted by management; root cause analysis consistently applied
  Expertise: use of external experts and industry leaders for guidance

Generic Maturity Model

0 Non-Existent. Complete lack of any recognizable processes. The organisation has not even recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognized that the issues exist and need to be addressed. There are however no standardized processes but instead there are ad hoc approaches that tend to be applied on an individual or case by case basis. The overall approach to management is disorganized.

2 Repeatable. Processes have developed to the stage where similar procedures are followed by different people undertaking the same task. There is no formal training or communication of standard procedures and responsibility is left to the individual. There is a high degree of reliance on the knowledge of individuals and therefore errors are likely.

3 Defined. Procedures have been standardized and documented, and communicated through training. It is however left to the individual to follow these processes, and it is unlikely that deviations will be detected. The procedures themselves are not sophisticated but are the formalization of existing practices.

4 Managed. It is possible to monitor and measure compliance with procedures and to take action where processes appear not to be working effectively. Processes are under constant improvement and provide good practice. Automation and tools are used in a limited or fragmented way.

5 Optimized. Processes have been refined to a level of best practice, based on the results of continuous improvement and maturity modeling with other organizations. IT is used in an integrated way to automate the workflow, providing tools to improve quality and effectiveness, making the enterprise quick to adapt.
In summary
Maturity Models
• Refer to business requirements and the enabling aspects at the different levels
• Are scales that lend themselves to pragmatic comparison
• Are scales where the difference can be made measurable in an easy manner
• Are recognisable as a "profile" of the enterprise in relation to IT governance and control
• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
• Are neither industry specific nor always applicable; the nature of the business will determine what is an appropriate level

IT Governance Guideline
Governance over IT and its processes with the goal of adding value to the business, while balancing risk versus return
   ensures delivery of information to the business that addresses the required information criteria and is measured by KGIs
      is enabled by creating and maintaining a system of process and control excellence appropriate for the business that directs and monitors the business value delivery of IT
         considers CSFs that leverage all IT resources and is measured by KPIs

IT governance summarized
Objectives
     understand the issues and the strategic importance of IT
     ensure that the enterprise can sustain its operations and
     ascertain it can implement the strategies required to extend its activities into the future
Goal
     ensuring that expectations for IT are met and IT risks are mitigated
Position
     within broad governance arrangements that cover relationships among the entity's management and its governing body, its owners and its other stakeholders, and providing the structure through which:
          the entity's overall objectives are set
          the method of attaining those objectives is outlined
          the manner in which performance will be monitored is described

Audit Organization

 Use CobiT to identify and assess risk of IT processes
 Use CobiT-related matrices in standard audit work programs
 Frame IT audits via CobiT
 Development of MAS focused on CobiT

Cobitizing Audit -- Phases
 Self assessment and modification
 Internal audit guidelines
    – Text of policy & procedure manual
    – Generic work programs and matrices
 Overall audit planning
 Engagement planning
 Discussions with auditees for self assessment
 Modify QA to include CobiT
 Strengthen focus on business processes, system integrity, and IT environment

CobiT Recognizes
 IT is an integral part of the organization
 IT governance is an integral part of corporate governance
 Focus on control objectives can strengthen appropriateness and use of internal controls
 Measurement is crucial to internal control
 Monitoring and evaluation are integral to a system of internal control

Learned So Far
 Need an Internal Control refresher course covering control models (such as COSO), CobiT, internal control acts, SAS 78, and techniques in evaluating controls

 There are good opportunities to leverage the understanding of internal controls and CobiT among management and staff, auditors, out-sourced services, the academic community, and vendors

Learned So Far

 Audit teams and auditees seem to have a better understanding of control objectives with CobiT
 Increased consistency of discussions regarding IT domains, control objectives and controls
 Increased emphasis on information criteria

Learned So Far
 Pilot use of CobiT
 Network and share "ideas" on CobiT
 CobiT has assisted identification of IT-related processes, who performs them, and who is responsible
 CobiT provides value-added opportunities and time savings
 CobiT reinforces the final objective of effective and efficient operations

A Tip regarding CobiT
 CobiT is generic - adapt it to your organization in cooperation with the business-process owners!
   – Determine focus (quality, security, fiduciary)
   – Harmonize existing policies and procedures with CobiT
   – Determine control responsibilities
   – Identify key performance indicators and critical success factors

Another Tip or Two
 Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework
 For auditors and reviewers, provide sufficient time for using CobiT in pre-audit and engagement planning.
 Promote discussions on CobiT
 Identify CobiT as a control framework and basis for benchmark criteria and evaluation

The Last of the Tips
 Use CobiT initially as a control model and tool to assist controls evaluations, framing audits, identifying criteria, and performing high-level benchmarking.
 Share your insights regarding control design and evaluation
 Study the Management Guidelines

COBIT Product Family

[Figure: Executive Summary at the top; beneath it the Framework with High-Level Control Objectives; below that the Management Guidelines (Key Performance Indicators (process), Critical Success Factors (control), Benchmarks), the Detailed Control Objectives, and the Audit Guidelines; alongside, the Implementation Tool Set: Executive Summary, Executive Overview, Case Studies, FAQ's, Presentations, Implementation Guide (Management Awareness, IT Control Diagnostic). Caption: 4 major elements.]

• COBIT as an open standard for increased world-wide adoption covering summary, framework and detailed control objectives;
• Three proprietary guideline products
   -- Implementation Tool Set: how to introduce the COBIT standard in the enterprise
   -- Audit Guidelines: how to audit against the standard
   -- Management Guidelines: how to benchmark, implement and self-assess

CobiT
 For additional information:
     www.isaca.org
     www.ITgovernance.org
 or email or give me a call at (617) 727-6200 ext 135

Go Forth Safely and COBITize

Thank You

				
Document info: posted 7/22/2011, English, 132 pages.