Institute of Internal Auditors COBIT Presentation October 9, 2001


Page 1

Institute of Internal Auditors

COBIT Presentation

October 9, 2001

Page 2

Internal Audit Consulting Group Assurance and Consulting on Business Risk Management, Controls, and Governance 9/26/01 2

Confidential and Proprietary - Internal Audit Consulting Group Use Only

For More Information on COBIT

Phone 847-253-1545

[email protected]

Websites www.Itgovernance.org

www.isaca.org

Page 3

Cost

• ISACA Member $115

• Non-Member $225

Page 4

Background

• Control OBjectives for Information and related Technology

– Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF)

– Current primary publisher is the IT Governance Institute - formed by the Information Systems Audit and Control Association (ISACA) in 1998

– COBIT was developed from research into sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, and professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc.

– The above sources were used to formulate COBIT to “be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization.”

Page 5

The COBIT Mission

• To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors

Page 6

Objectives of COBIT

• To provide a framework to bridge gaps between business risks, control needs and technical issues in order to maximize benefits, capitalize on opportunities and gain competitive advantage

Page 7

Components

• Executive Summary

• Framework

• Control Objectives

• Audit Guidelines

• Management Guidelines

Page 8

Executive Summary

• Provides a synopsis of COBIT’s objectives and processes

Page 9

Framework

• A tool to be used as comprehensive guidance for users, auditors, management & business process owners

Page 10

Control Objectives

• Generically defined high-level business needs, organized by process/activity, used to facilitate the implementation of a process

Page 11

Audit Guidelines

• A template used to facilitate obtaining, evaluating, assessing and substantiating the information needed to evaluate overall control

Page 12

Management Guidelines

• Set of action oriented guidelines developed to assist management in answering:

– Does the benefit outweigh the cost?

– What are the indicators of good performance?

– What are the critical success factors?

– What are the risks of not achieving our objectives?

– What do others do?

– How do we measure and compare?

Page 13

COBIT Family of Products (diagram)

• Executive Summary

• Framework with high-level control objectives

• Detailed Control Objectives

• Audit Guidelines

• Management Guidelines

– Maturity Models

– Critical Success Factors

– Key Goal Indicators

– Key Performance Indicators

• Implementation Tool Set

– Implementation Guide

– Executive Overview

– Case Studies

– FAQ's

– PowerPoint Presentations

– Management Awareness Diagnostics

– IT Control Diagnostic

Page 14

Framework (see handout)

• 4 Domains

– Planning & Organization

– Acquisition & Implementation

– Delivery & Support

– Monitoring

• 34 Control Objectives

• 318 Detailed Control Objectives

Page 15

Page 16

Audit Guidelines

Obtain Understanding

– Interviewing

– Obtaining

Evaluate Controls

– Considering

Assess Compliance

– Testing

Substantiate Risk

– Performing

– Identifying

Page 17

Management Guidelines

Critical Success Factors

Key Goal Indicators

Key Performance Indicators

Maturity Model

Page 18

Example

Manage Changes

Page 19

Domain

Acquisition & Implementation

Page 20

Control Objective

AI6

Page 21

Detailed Control Objectives

• Change Request Initiation and Control

• Impact Assessment

• Control of Changes

• Emergency Changes

• Documentation and Procedures

• Authorized Maintenance

• Software Release Policy

• Distribution of Software

Page 22

Audit Guidelines

Obtain Understanding

– Interviewing

– Obtaining

Evaluate Controls

– Considering

Assess Compliance

– Testing

Substantiate Risk

– Performing

– Identifying

Page 23

Management Guidelines

Maturity Model

0 Non-existent

1 Initial/Ad Hoc

2 Repeatable but Intuitive

3 Defined Process

4 Managed & Measurable

5 Optimized

Page 24

Findings

Issues

Benchmarking

Page 25

Adopting COBIT Tool Set

When you are… Project Manager

COBIT objectives served… General framework for minimal project and quality standards

Useful COBIT approaches… Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery, and project management and assessment

Page 26

Adopting COBIT Tool Set

When you are… Developer

COBIT objectives served… As minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built

Useful COBIT approaches… Use COBIT to help ensure that all applicable IT control objectives in the development project have been addressed

Page 27

Adopting COBIT Tool Set

When you are… Operations

COBIT objectives served… As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives

Useful COBIT approaches… Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive

Page 28

Adopting COBIT Tool Set

When you are… User

COBIT objectives served… As minimal guidance for internal control to be integrated within information systems, being fully operational or under development

Useful COBIT approaches… Use COBIT to guide service level agreements

Page 29

Adopting COBIT Tool Set

When you are… Information Security Officer

COBIT objectives served… As harmonizing framework providing a way to integrate information security with other business related IT objectives

Useful COBIT approaches… Use COBIT to structure the information security program, policies, and procedures

Page 30

Adopting COBIT Tool Set

When you are… Auditor

COBIT objectives served… As basis for determining the IT audit universe and as IT control reference

Useful COBIT approaches… Use COBIT as criteria for review and examination and for framing IT-related audits

Page 31

COBIT Case Studies

• Cedel Group

• Office of the State Auditor of Massachusetts

• PWC

• Fidelity Investments

• Department of Defense

• Boston Gas Company

• Santa Barbara Bank and Trust

• Society for Worldwide Interbank Financial Telecommunication