© ITGI 2004 - not for commercial use. 1 C OBI T ® Presentation Package The C OBI T ® framework explained in a complete PowerPoint presentation, to be used

© ITGI 2004 - not for commercial use. 1

COBIT® Presentation Package

The CThe COBIOBITT®® framework explained in a complete PowerPoint presentation, to be framework explained in a complete PowerPoint presentation, to be used by professors in used by professors in information systems management, information security information systems management, information security

management, auditing, information systems auditing and/or accounting management, auditing, information systems auditing and/or accounting information systemsinformation systems


Disclaimer

The IT Governance Institute® (ITGI), Information Systems Audit and Control Association® (ISACA®) [the “Owner(s)”] and the authors have designed and created COBIT® in Academia™ and its related publications, titled COBIT® Presentation Package, COBIT® Student Book, COBIT® Case Study and COBIT® Caselets (the “Work”), primarily as an educational resource for assurance professionals. The Owners make no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, the assurance professional should apply his/her own professional judgement to the specific circumstances presented by the particular systems or information technology environment.


Disclosure

Copyright © 2004 IT Governance Institute. All rights reserved. This publication is intended solely for academic use and shall not be used in any other manner (including for any commercial purpose). Reproductions of selections of this publication are permitted solely for the use described above and must include the following copyright notice and acknowledgement: “Copyright © 2004 IT Governance Institute. All rights reserved. Reprinted by permission.” COBIT in Academia may not otherwise be used, copied, or reproduced, in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written permission of the IT Governance Institute. Any modification, distribution, performance, display, transmission, or storage, in any form by any means (electronic, mechanical, photocopying, recording or otherwise) of COBIT in Academia is strictly prohibited. No other right or permission is granted with respect to this work.

COBIT in Academia ISBN 1-893209-96-2


Acknowledgements

Development Team

Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium (Chair)

Roger Debreceny, Ph.D., FCPA, University of Hawaii, USA Steven De Haes, University of Antwerp Management School,

Belgium (Project Manager) Roger Lux, Farmers Insurance Group, USA John Mitchell, CISA, CIA, CFE, LHS Business Control, UK Ed O’Donnell, Ph.D., Arizona State University, USA Scott Summers, Ph.D., Brigham Young University, USA Wim Van Grembergen, Ph.D., University of Antwerp

Management School, Belgium


Acknowledgements

Review Team

Rob Nehmer, Ph.D., Quinnipiac University, USA Malcolm Pattinson, CISA, University of South Australia,

Australia Elaine Mauldin, CPA, University of Missouri-Columbia, USA Faye Borthick, Ph.D., CISA, CPA, AMA, CDP, Georgia State

University, USA José Roberto Alpizar Fallas, CPA, Universidad de Costa Rica,

Costa Rica


Purpose of This Document

This COBIT Presentation Package, developed in collaboration with a group of international academics and practitioners, is a product of the IT Governance Institute (www.itgi.org). It provides a complete PowerPoint presentation explaining all the core elements of the COBIT framework, which can be used by professors in information systems management, information security management, auditing, information systems auditing and/or accounting information systems. Professors can use the complete set, make extractions if they want to focus on specific parts, or can even add their own materials and examples in accordance with their needs. There are some speaker notes included in the package, but it is advisable to use the COBIT Student Book (included in COBIT in Academia) as guidance and source material to prepare this presentation.

The IT Governance Institute also developed three other components that are part of COBIT in Academia. The COBIT Student Book explains and illustrates all the COBIT components. The COBIT Case Study:TIBO can be used by students to apply the COBIT knowledge in a real-life situation and the COBIT Caselets provides some minicases for smaller COBIT exercises.


COBIT Introduction

Why does IT need an IT control Why does IT need an IT control framework?framework?

Who needs an IT control framework?Who needs an IT control framework?

How and why is CHow and why is COBIOBIT used?T used?


Why does IT need a control framework?

Do any of these conditions sound familiar?Do any of these conditions sound familiar? Increasing pressure to leverage technology in

business strategies

Growing complexity of IT environments

Fragmented IT infrastructures

Communication gap between business and IT managers

IT service levels that are disappointing from internal IT functions and from increasingly outsourced IT providers

IT costs perceived to be out of control

Marginal ROI/productivity gains on technology investments

Impaired organisational flexibility and nimbleness to change

User frustration leading to ad hoc solutions


Increasing dependence on information and the systems that deliver this information

Increasing vulnerabilities and a wide spectrum of threats, such as cyberthreats and information warfare

Scale and cost of the current and future investments in information and information systems

The need to comply with regulations The potential for technologies to dramatically change

organisations and business practices, create new opportunities and reduce costs

Recognition by many organisations of the potential benefits that technology can yield

Successful organisations understand and Successful organisations understand and manage the risks associated with implementing manage the risks associated with implementing

new technologies.new technologies.



IT provides value Cost, time and functionality are as

expected

IT does not provide surprises Risks are mitigated

IT pushes the envelope New opportunities and innovations for

process, product and services


To ensure thatTo ensure that

management needs to get IT under management needs to get IT under control.control.


Board and Executive• To ensure management follows and implements the

strategic direction for IT Management

• To make IT investment decisions• To balance risk and control investment• To benchmark existing and future IT environment

Users• To obtain assurance on security and control of products and

services they acquire internally or externally Auditors

• To substantiate opinions to management on internal controls• To advise on what minimum controls are necessary

Who needs a control framework?


Incorporates major international standards

Has become the de facto standard for overall control over IT

Starts from business requirements

Is process-orientedIT ProcessesIT Processes

IT Management ProcessesIT Management Processes

IT Governance ProcessesIT Governance Processes

CobiTCobiTbest practices repository for

IT ProcessesIT ProcessesIT Management ProcessesIT Management Processes

IT Governance ProcessesIT Governance Processes

COBITCOBITbest practices repository for

CCOBIOBIT as a response to the needsT as a response to the needs

Why and how is COBIT used?


Helps substantially increase acceptance and reduce time to implement IT governance program

Provides a guide for formal audits/reviews Helps use results of audits as an opportunity to plan improvements Is a strong factor in achieving primary goals for IT governance:

transform organisational practices and pursue improved processes Provides economical continuous improvement framework Provides a credible source for management's decision on controls Impresses and helps IT operations managers with its ability to

assist in understanding what auditors want Is ideal for business management to communicate requirements

and concerns Is recognised as a reliable source reference that ensures

identification of all major risk areas Improves communications and relations with IT management

Testimonials from Case Testimonials from Case StudiesStudies



To improve audit approach/programmes To support audit work with detailed audit

guidelines To provide guidance for IT governance As a valuable benchmark for IS/IT control To improve IS/IT controls To standardise audit approach/programmes

Results from SurveysResults from Surveys



The COBIT Framework

The CThe COBIOBIT framework explained:T framework explained:

Business focusBusiness focus

Process orientationProcess orientation

IT resourcesIT resources


Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives

Promotes process focus and process ownership

Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each

Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT

Is supported by a set of over 300 detailed control objectives

Effectiveness Efficiency Availability Integrity Confidentiality Reliability Compliance

Plan and Organise Acquire and Implement Deliver and Support Monitor and Evaluate

COBIT: Of what does it consist?


“In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

Relates to business requirements (expressed as information criteria)

Links to business processes Empowers business owners

Decomposes IT into four domains and 34 processes Domains: (plan-build-run) + monitor Control, audit, implementation and performance

management knowledge structured by process

Bu

sin

es

sP

roces

s

Business Orientation and Process Focus

IT IT ProcessesProcesses

BusinessRequirements

IT IT ResourcesResources

IT IT ProcessesProcesses


IT IT ResourcesResources


COBIT Framework Definition

“To provide the information that the organisation needs to achieve its objectives,

IT resources need to be managed by a set of naturally grouped processes.”

IT Processes


IT Resources

IT Processes


IT Resources

IT RESOURCESIT RESOURCESIT RESOURCES

IT PROCESSESIT PROCESSESIT PROCESSES

BUSINESSREQUIREMENTS

BUSINESSBUSINESS

REQUIREMENTSREQUIREMENTS




BUSINESSBUSINESS





BUSINESSBUSINESS


A process orientation is a proven management approach to A process orientation is a proven management approach to efficiently exercise efficiently exercise responsibilities, achieve set goals and reasonably manage risks.responsibilities, achieve set goals and reasonably manage risks.

WHYWHYWHYWHY


Quality RequirementsQuality Requirements: • Quality • Delivery• Cost

Security Security RequirementsRequirements• Confidentiality• Integrity• Availability

Fiduciary Fiduciary RequirementsRequirements (COSO Report)• Effectiveness and

efficiency of operations• Compliance with laws and

regulations • Reliability of financial

reporting

Effectiveness

Efficiency

Confidentialit

y

Integrity

Availability

Compliance

Reliability of

information

Business RequirementsIT Processes


IT Resources

IT Processes


IT Resources


Effectiveness –Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable mannerEfficiency –Concerns the provision of information through the optimal (most productive and economical) usage of resourcesConfidentiality –Concerns protection of sensitive information from unauthorised disclosureIntegrity –Relates to the accuracy and completeness of information as well as to its validity in accordance with the business‘s set of values and expectationsAvailability –Relates to information being available when required by the business process, and hence also concerns the safeguarding of resourcesCompliance –Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteriaReliability of information–Relates to systems providing management with appropriate information for it to use in operating the entity, providing financial reporting to users of the financial information, and providing information to report to regulatory bodies with regard to compliance with laws and regulations

Business RequirementsIT Processes


IT Resources

IT Processes


IT Resources


Processes

A series of joined activities with natural control breaks

Activities or Tasks

Actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.

Domains

Natural grouping of processes, often matching an organisational domain of responsibility

Process OrientationIT Processes


IT Resources

IT Processes


IT Resources


IT Domains• Plan and

Organise• Acquire and

Implement• Deliver and

Support• Monitor and

Evaluate

IT Processes• IT strategy• Computer operations• Incident handling• Acceptance testing• Change management• Contingency planning• Problem management

Activities• Record new problem• Analyse• Propose solution• Monitor solution• Record known problem• Etc.

Natural grouping of processes, often matching an organisational domain of responsibility A series of joined activities

with natural (control) breaks Actions needed to achieve a

measurable result. Activities have a life cycle, whereas tasks are discrete.



IT Resources

IT Processes


IT Resources


Description This domain covers strategy and tactics, and concerns the identification

of how IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.

Topics Strategy and tactics Vision planned Organisation and infrastructure

Questions Are IT and the business strategy aligned? Is the enterprise achieving optimum use of its resources? Does everyone in the organisation understand the IT objectives? Are IT risks understood and being managed? Is the quality of IT systems appropriate for business needs?

D

om

ain

s

Process Orientation Plan and OrganisePlan and Organise

IT Processes


IT Resources

IT Processes


IT Resources


PO1 Define a strategic information technology plan

PO2 Define the information architecture PO3 Determine the technological direction PO4 Define the IT organisation and relationships PO5 Manage the investment in information technology PO6 Communicate management aims and direction PO7 Manage human resources PO8 Ensure compliance with external requirements PO9 Assess risks PO10 Manage projects PO11 Manage quality.

Process Orientation Plan and OrganisePlan and Organise


Acquire and ImplementAcquire and Implement Description To realise the IT strategy, IT solutions need to be identified, developed or

acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.

Topics IT solutions Changes and maintenance

Questions Are new projects likely to deliver solutions that meet business

needs? Are new projects likely to deliver on time and within budget? Will the new systems work properly when implemented? Will changes be made without upsetting current business

operations?

D

om

ain

s



IT Resources

IT Processes


IT Resources


AI1 Identify automated solutions

AI2 Acquire and maintain application software

AI3 Acquire and maintain technology infrastructure

AI4 Develop and maintain IT procedures

AI5 Install and accredit systems

AI6 Manage changes

Process Orientation

Acquire and ImplementAcquire and Implement


Description This domain is concerned with the actual delivery of required services, which

range from traditional operations over security and continuity aspects to training. To deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.

Topics Delivery of required services Setup of support processes Processing by application systems

Questions Are IT services being delivered in line with business priorities? Are IT costs optimised? Is the work force able to use the IT systems productively and safely? Are adequate security, integrity and availability in place?

D

om

ain

s

Process Orientation Deliver and SupportDeliver and Support

IT Processes


IT Resources

IT Processes


IT Resources


DS1 Define and manage service levels DS2 Manage third-party services DS3 Manage performance and capacity DS4 Ensure continuous service DS5 Ensure systems security DS6 Identify and allocate costs DS7 Educate and train users DS8 Assist and advise customers DS9 Manage the configuration DS10 Manage problems and incidents DS11 Manage data DS12 Manage facilities DS13 Manage operations

Process Orientation

Deliver and SupportDeliver and Support


Description All IT processes need to be regularly assessed over time for their quality and

compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources.

Topics Assessment over time, delivering assurance Management’s oversight of the control system Performance measurement

Questions Can IT’s performance be measured and can problems be detected

before it is too late? Is independent assurance needed to ensure critical areas are

operating as intended?

D

om

ain

s

Process Orientation Monitor and EvaluateMonitor and Evaluate

IT Processes


IT Resources

IT Processes


IT Resources


M1 Monitor the processM2 Assess internal control adequacyM3 Obtain independent assuranceM4 Provide for independent audit

Process Orientation

Monitor and EvaluateMonitor and Evaluate


Data: Data objects in their widest sense, i.e., external and internal, structured and nonstructured, graphics, sound, etc.

Application Systems: Understood to be the sum of manual and programmed procedures

Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.

Facilities: Resources to house and support information systems

People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support, monitor and evaluate information systems and services

IT ResourcesIT Processes


IT Resources

IT Processes


IT Resources


IT Processes

IT Processes

IT Resources

IT Resources

Business Requirements


Data Application

systems Technology Facilities People

Plan and Organise Aquire and

Implement Deliver and Support Monitor and

Evaluate

Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information

reliability

How do they relate?IT Processes


IT Resources

IT Processes


IT Resources


IT Processes

IT Processes

IT Resources

IT Resources



Data Application

systems Technology Facilities People

Plan and Organise Aquire and

Implement Deliver and

Support Monitor and

Evaluate

Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information

reliability

How IT is organised How IT is organised to respond to the to respond to the

requirementsrequirements

How IT is organised How IT is organised to respond to the to respond to the

requirementsrequirements

What the What the stakeholders stakeholders

expect from ITexpect from IT

What the What the stakeholders stakeholders

expect from ITexpect from IT

The resources The resources made available to—made available to—and built up by—ITand built up by—IT

The resources The resources made available to—made available to—and built up by—ITand built up by—IT


PO1 Define a strategic IT planPO2 Define the information architecturePO3 Determine the technological directionPO4 Define the IT organisation and relationshipsPO5 Manage the IT investmentPO6 Communicate management aims and directionPO7 Manage human resourcesPO8 Ensure compliance with external requirementsPO9 Assess risksPO10 Manage projectsPO11 Manage quality

AI1 Identify automated solutionsAI2 Acquire and mantain application softwareAI3 Acquire and maintain technology infrastructure AI4 Develop and maintain IT proceduresAI5 Install and accredit systemsAI6 Manage changes

M1 Monitor the processM2 Assess internal control adequacyM3 Obtain independent assuranceM4 Provide for independent audit

DS1 Define service levelsDS2 Manage third-party servicesDS3 Manage peformance and capacityDS4 Ensure continuous serviceDS5 Ensure systems securityDS6 Identify and attribute costsDS7 Educate and train usersDS8 Assist and advise IT customersDS9 Manage the configurationDS10 Manage problems and incidentsDS11 Manage dataDS12 Manage facilitiesDS13 Manage operations

IT RESOURCES

IT RESOURCES

• Data• Application systems• Technology• Facilities• People

• Data• Application systems• Technology• Facilities• People PLAN AND

ORGANISEPLAN AND ORGANISE

ACQUIRE ANDIMPLEMENT

ACQUIRE ANDIMPLEMENT

DELIVER AND SUPPORT

DELIVER AND SUPPORT

• Effectiveness• Efficiency• Confidenciality• Integrity• Availability• Compliance• Reliability


Criteria

Business ObjectivesCOBITFramework

MONITOR ANDEVALUATE


BUSINESSPROCESSESBUSINESS

PROCESSES

INFORMATIONINFORMATION



Criteria

COBITCOBIT

IT RESOURCES

IT RESOURCES

• Data• Aplication systems• Technology• Facilities• People

• Data• Aplication systems• Technology• Facilities• People PLAN AND

ORGANISEPLAN AND ORGANISE

AQUIRE ANDIMPLEMENT

AQUIRE ANDIMPLEMENT

DELIVER AND SUPPORT

DELIVER AND SUPPORT

COBITFramework

To provide the To provide the information that information that the organisation the organisation

needs to needs to achieve its achieve its

objectives, IT objectives, IT resources need resources need to be managed to be managed

by a set of by a set of naturally naturally grouped grouped

processes.processes.

MONITOR AND EVALUATE


Summarising up to now IT is indispensable for the survival and growth of

enterprises. Management is responsible for control. That responsibility needs a framework:

Business requirements can be expressed as information criteria.IT is generally organised in a set of processes.IT needs a set of resources.

COBIT is an internationally accepted standard.

To provide the information that the organisation To provide the information that the organisation needs to achieve its objectives, IT resources need needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped to be managed by a set of naturally grouped processes.processes.

COBIT Framework


The COBIT Cube


IT Domains

IT R

esou

rces

InformationCriteria

Plan and Organise

Aquire and Implement

Deliver and Support

Monitor and Evaluate

People

Aplicca

tion

Techn

ology

Faciliti

esData

Effecti

vene

ss

Efficie

ncy

Confid

entia

lity

Inte

grity

Availa

bility

Compli

ance

Reliab

ility

SS PP

Navigational Aids

COBIT Cube


SummarSummaryy

Processes, Processes, Criteria Criteria

and and ResourcesResources


Eff

ectiv

enes

sE

ffic

ienc

yC

onfid

entia

lity

Inte

grity

Ava

ilabi

lity

Com

plia

nce

Rel

iabi

lity

Peo

ple

App

licat

ions

Tech

nolo

gyFa

cilit

ies

Dat

a

Domain ProcessAcquire andImplement

AI1 Identify automated solutions P S AI2 Acquire and maintain application software P P S S S AI3 Acquire and maintain technology infrastructure P P S AI4 Develop and maintain procedures P P S S S AI5 Install and accredit systems P S S AI6 Manage changes P P P P S

COBIT Summary of Processes, Criteria and Resources

AI6


Assignment

The most important CThe most important COBIOBIT T processesprocesses

““For a business with which you are familiar, For a business with which you are familiar, what would be the most important IT what would be the most important IT

processes? Why?”processes? Why?”


Important COBIT Products

Control Objectives—Control Objectives—““Minimum controls Minimum controls are...”are...”

Management Guidelines—Management Guidelines—““Here is how you Here is how you measure…”measure…”

Audit Guidelines—Audit Guidelines—““Here is how you audit...”Here is how you audit...”


Control and Control Objective Definitions

The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Definition of Definition of ControlControl

Definition of IT Definition of IT Control ObjectiveControl Objective

A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity


High-level control objective• One per process

Detailed control objectives• Three to 30 per process

Control practices• Five to seven per control objective

Control Objectives and Control Practices


The control ofIT Processes which

satisfyis enabled byControl

Statements consideringControl

Practices

Waterfall Model

4 Domains - 34 Processes - 318 Control Objectives4 Domains - 34 Processes - 318 Control Objectives



AI6AI6 Manage changes Manage changes

Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorisation, release, and distribution policies and procedures.

High-level Control Objective


AI6High-level

Control Objective


AI6 Manage Changes

6.1 Change request initiation and controlIT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised, and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request.

6.2 Impact assessmentA procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality.

6.3 Control of changesIT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.

6.4 Emergency changesIT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.

Detailed Control Objectives


Detailed Control Objectives

AI6 Manage Changes (continued)

6.5 Documentation and proceduresThe change process should ensure that, whenever system changes are implemented, the associated documentation and procedures are updated accordingly.

6.6 Authorised maintenanceIT management should ensure that maintenance personnel have specific assignments and their work is properly monitored. In addition, their system access rights should be controlled to avoid risks of unauthorised access to automated systems.

6.7 Software release policyIT management should ensure that the release of software is governed by formal procedures—ensuring sign-off, packaging, regression testing, handover, etc.

6.8 Distribution of softwareSpecific internal control measures should be established to ensure distribution of the correct software element to the right place, with integrity, in a timely manner and with adequate audit trails.


COBIT

AI6Detailed Control

Objectives


Control practices are key control mechanisms that support the:• Achievement of control objectives• Prevention, detection and correction of

undesired eventsControl practices achieve that through:

• Responsible use of resources• Appropriate management of risk • Alignment of IT with business

Translate CTranslate COBIOBIT’s control objectives into detailed, T’s control objectives into detailed, implementable practices and provide the business implementable practices and provide the business argumentation for implementation, from a value and a risk argumentation for implementation, from a value and a risk perspectiveperspective

Control Practices


1. Management defines parameters, characteristics and procedures that identify and declare emergencies.

2. All emergency changes are documented, if not before, then after, implementation.

3. All emergency changes are tested, if not before, then after, implementation.

4. All emergency changes are formally authorised by the system owner and management before implementation.

5. Before and after images as well as intervention logs are retained for subsequent review.

Controlling emergency changes by implementing the control practices will : Ensure that emergency procedures are used in declared emergencies only Ensure that urgent changes can be implemented without compromising integrity, availability, reliability, security, confidentiality or accuracy

AI6 Manage changeAI6 Manage changeAI6.4 Emergency changesAI6.4 Emergency changesIT management should establish parameters defining emergency changes and IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to emergency changes should be recorded and authorised by IT management prior to implementation.implementation.

Control Practices Why do it?

Control Practices



Control Objectives—Control Objectives—““Minimum controls are...”Minimum controls are...”

Management Guidelines Management Guidelines ––““Here is how you Here is how you measure…”measure…”

Audit Guidelines—Audit Guidelines—““Here is how you audit...”Here is how you audit...”


IT Governance Model

IT governance helps ascertain how automated systems:• Simplify operations• Cut costs• Increase revenue

Needs an IT control framework


How Does COBIT Link to IT Governance?

Goals ResponsibilitiesControl

Objectives

Requirements

BusinessBusiness ITIT GovernanceGovernance

Information the Business Needs to

Achieve Its Objectives

Information Executives and Board Need to Exercise Their

Responsibilities

Direction and Resourcing


IT GovernanceIT Governance

Goals ResponsibilitiesControl

Objectives

Requirements

BusinessBusiness ITIT Governance

Information theBusiness Needs to

Achieve Its Objectives

Direction(IT Strategy and Policy)

Information (ITControl, Risk and

Assurance)

How Does COBIT Link to IT Governance?


However, management has questions that go beyond a control

framework: How do responsible managers "keep the ship on

course"?

DASHBOARD

How to achieve results that are satisfactory for the largest possible segment of our stakeholders ?

SCORECARDS

How to adapt the organisation in a timely manner to trends and developments in the enterprise's environment ?

BENCHMARKING

Indicators?Indicators?

Measures?Measures?

Scales?Scales?

Management Guidelines


Control Statements

Control Practices

is enabled by

and considers

IT Processes

The control of


which satisfy

Process Description

Critical Success Factors

Key Goal Indicators

Key Performance Indicators

InformationCriteria

Resources

00 - Management processes are not applied at all.

11 - Processes are ad hoc and disorganised.22 - Processes follow a regular pattern.33 - Processes are documented and

communicated.44 - Processes are monitored and measured.55 - Best practices are followed and

automated.

Maturity Model

Management Guidelines Framework


Describe the outcome of the process (i.e., measurable after the fact); are measures of “what,” and may describe the impact of not reaching the process goal

Are indicators of the success of the process and its business contribution

Focus on the customer and financial dimensions of the balanced scorecard

Key Goal Indicators

Control Statements

Control Practices

is enabled by

and considers

IT Processes

The control of


which satisfy

Definitions


Increased level of service delivery Number of customers and cost per customer served Availability of systems and services Absence of integrity and confidentiality risks Cost-efficiency of processes and operations Confirmation of reliability and effectiveness Adherence to development cost and schedule Cost-efficiency of the process Staff productivity and morale Number of timely changes to processes and systems Improved productivity (e.g., delivery of value per

employee)

Key Goal Indicators

Examples


Are measures of “how well” the process is performing

Predict the probability of success or failure

Focus on the process and learning dimensions of the balanced scorecard

Are expressed in precise, measurable terms

Should help in improving the IT process


Control Statements

Control Practices

is enabled by

and considers

IT Processes

The control of


which satisfy

Definitions


• Number of IT customers

• Cost per IT customer• Cost-efficiency of IT

processes up• Delivery of IT value per

employee

Information

• Availability of systems and services

• Developments on schedule and budget

• Throughput and response times

• Amount of errors and rework

• Level of service delivery

• Satisfaction of existing customers

• Number of new customers reached

• Number of new service delivery channels

FFinancial

CCustomer

• Staff productivity and morale

• Number of staff trained in new techno/services

• Value delivery per employee

• Increased availability knowledge systems

LLearning

PProcess


Examples


Are the most important things to do to increase the probability of success of the process

Are observable—usually measurable—characteristics of the organisation and process

Focus on obtaining, maintaining and leveraging capability, skills and behaviour


Control Statements

Control Practices

is enabled by

and considers

IT Processes

The control of


which satisfy

Definitions


• The IT strategic plan clearly states a risk position such as leading-edge or road-tested, innovator or follower, and the required balance between time-to-market, cost of ownership and service quality.

• If you are not ready to enforce the policy, do not issue the policy.

• A building permit programme for building IT systems and a “driver’s licence” programme for those doing the building

• A good security plan takes time to evolve.

StrategyStrategy

PolicyPolicy

ComplianceCompliance

SecuritySecurity

Examples



Refer to business requirements (KGIs) and the enabling aspects (KPIs) at the different levels

Are a scale that lend themselves to pragmatic comparison, where the difference can be made measurable in an easy manner

Are recognisable as a profile of the enterprise in relation to IT governance and control

Assist in determining as-is and to-be positions relative to IT governance and control maturity and analyse the gap

Are not industry-specific nor generally applicable. The nature of the business determines what is an appropriate level.

Maturity Models

Definitions


0 1 2 3 4 5

Nonexistent Initial Repeatable Defined Managed Optimised

Enterprise current status

International standard guidelines

Industry best practice

Enterprise strategy

Legend for Symbols Used Legend for Rankings Used

0 - Management processes are not applied at all.1 - Processes are ad hoc and disorganised.2 - Processes follow a regular pattern.3 - Processes are documented and communicated.4 - Processes are monitored and measured.5 - Best practices are followed and automated.

Maturity Models

Usage


AI6Management

Guideline


AI6Management

Guideline



Control Objectives—Control Objectives—““Minimum controls are...”Minimum controls are...”

Management Guidelines—Management Guidelines—““Here is how you Here is how you measure…measure…

Audit Guidelines—Audit Guidelines—““Here is how you Here is how you audit...”audit...”


Provide management with reasonable assurance that control objectives are being met

Where there are significant control weaknesses, substantiate the resulting risks

Advise management on corrective actions

Objectives of Auditing

““Am I all right? And, if not, how do I fix Am I all right? And, if not, how do I fix it? it? ”” ““Am I all right? And, if not, how do I fix Am I all right? And, if not, how do I fix it? it? ””


Structure of the Audit Process

Identification and

Documentation

Identification and

DocumentationEvaluationEvaluation Compliance

TestingCompliance

TestingSubstantive Substantive

TestingTestingSubstantive Substantive

TestingTesting


An IT process is audited by:

• Obtaining an understandingObtaining an understanding of business requirements-related risks, and relevant control measures

• Evaluating the appropriatenessEvaluating the appropriateness of stated controls

• Assessing complianceAssessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously

• Substantiating the riskSubstantiating the risk of the control objectives

not being met by using analytical techniques and/or consulting alternative sources


OneOne Generic Guideline and Generic Guideline and 34 Process34 Process--orientedoriented Guidelines Guidelines

A generic guideline identifies various tasks to be performed in assessing any control objective within a process. This generic guideline is a model for all control objectives.

Others are specific, process-oriented task suggestions to provide management assurance that a control exists and has a reasonable level of effectiveness.

COBIT Audit Guidelines


Obtaining an UnderstandingThe audit steps to be performed to document the activities underlying the control objectives as well as to identify the control measures/procedures put in place

Interview appropriate management and staff to obtain and gain an understanding of:

• Business requirements and associated risks• Organisation structure• Roles and responsibilities• Policies and procedures• Laws and regulations• Control measures in place• Management reporting (status, performance, actions)

Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the control implications, e.g., by a process walkthrough.

Generic Audit Guideline (1 of 4)


Evaluating the ControlsThe audit steps to be performed, in light of assessing the effectiveness of control measures in place or the degree to which the control objective is achieved

Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices and applying professional judgement. Determine whether: • Documented processes exist. • Appropriate deliverables exist. • Responsibility and accountability are clear and effective. • Compensating controls exist, where necessary.

Conclude the degree to which the control objective is met.



Assessing ComplianceThe audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously

Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review, using both direct and indirect evidence.

Perform a limited review of the adequacy of the process deliverables.

Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.



Substantiating the RiskThe audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources

Document the control weaknesses and resulting threats and vulnerabilities.

Identify and document the actual and potential impact.



AI6Audit

Guideline


AI6Audit

Guideline


AI6Audit

Guideline


How Audit Guidelines and Control Objectives Are Linked

Obtaining an Obtaining an understandingunderstanding

Evaluating the Evaluating the appropriatenessappropriateness

Assessing complianceAssessing compliance

Substantiating the riskSubstantiating the risk

Control objectives translated to verify whether they are addressed and take into account the appropriateness for the enterprise and management claims about their presence

Control objectives translated to test and/or measure whether controls in support of the control objectives are present as claimed and whether they operate satisfactorily

• Collect background information referencing business drivers, risks, infrastructure, etc.

• Illustrate missed business objectives, losses, etc., due to absence of adequate control.


Business

IT Processes

Audit Guidelines

Control Objectives

Control Practices


Key Performance

Indicators

Key Goal Indicators

Maturity Models

requirements information

mea

sure

d by

controlled by

implem

ented

with

audited by

for p

erfo

rman

ce

for

outc

om

e for maturity

made e

ffective

and e

fficie

nt w

ith

tran

slate

d in

to

= takes into consideration

How Audit Guidelines and All Other COBIT Elements Are Linked

Documents

© ITGI 2004 - not for commercial use. 1 C OBI T ® Presentation Package The C OBI T ® framework explained in a complete PowerPoint presentation, to be used