IT Assurance using CobiT
Round Table
Saturday, March 19th 2008
Philip DE PICKER, president of Isaca.be
Monique GARSOUX, vice-president IT Assurance of Isaca.be
Content
► Introduction
► IT Assurance Principles and Context
► IT Assurance Planning
► IT Resource and Control Scoping
► IT Assurance Initiative Execution
► ITA Guidance for CobiT Processes & Controls
► How CobiT Components support ITA Activities
► Appendixes
● Process Control (generic / detailed)
● Application Control
● Maturity Model for Internal Control
● IT Scoping
Introduction
► released in 2007
► free downloadable PDF + part of CobiT Online for Isaca members
► 'collaborative' work of CobiT development groups worldwide
Introduction: Objective
► guidance: how to use CobiT to support IT assurance activities
► efficient and effective development of IT assurance work (planning, scoping, executing)
► no detailed assurance programme that can be used as is - NO 'COOKBOOK'
► part of the IT Assurance Framework (ITAF); exposure draft released August 2007, final version just released at www.isaca.org
Introduction: Audience
► assurance and IT professionals
► having basic knowledge of the concepts of CobiT
► familiar with assurance concepts in general
Introduction: Major CobiT-based Products
Introduction: Implementation and Assurance Guides
(figure taken from the Board Briefing on IT Governance, 2nd ed.)
Introduction: Components
► Generic controls, applicable to all processes (PCn identifier)
► Application controls (ACn identifier)
► Specific process controls (CobiT process number)
Introduction: Components
Assurance steps and guidelines to test
► the control design of the control objective (co)
► the outcome of the co
● confirm the control is in operation
● assess its operational effectiveness
► document control weaknesses and their impact
Introduction: Components
Assurance advice at different levels
► at process level
► at co level (based on control practices)
► generic (applicable to all processes or co's), in addition or as an alternative
Introduction: Components
Different test types assist in forming an opinion
► enquire (via different sources) and confirm (E&C)
► inspect (walk-through, search, compare and review)
► observe
► reperform or recalculate (often on a sample)
► collect (sample, trace, extract) and analyse automated evidence
Introduction: Overview of the IT Assurance Advice provided
Introduction: Components
IT control objectives are
► statements of desired result or purpose
► achieved by implementing control practices
► high-level requirements
► short, action-oriented management practices
► often with a logical 'life cycle' sequence
Introduction: Components
IT control objectives: choices for (enterprise) management
► select the applicable ones
► balance the cost of implementation against the risk of not achieving it
► decide on control practices
► choose how to implement them
Introduction: Components
Relation with Control Practices
► CPs are available
● in CobiT Online
● in the book
● NOT (yet?) as PDF
► more detail for each co
► co = what to do
► cp = how to do it
► 3 generic cps
Introduction: Components
Relation with Control Practices: value and risk drivers (repeated in the Assurance Guide)
► value driver = business benefit that can result from good control (examples)
► risk driver = risk to avoid or mitigate (examples)
Introduction: Components
Relation with Control Practices
► NOT specific solutions
► relevance of other, more specific standards
● ITIL
● Prince2
● ...
► usable by implementors and assurance professionals
Introduction: Components
CP design criteria (~ SMAR(R)T: specific, measurable, agreed, relevant/realistic, timely)
► relevant
► executable in a timely fashion
► realistic and cost-effective
► measurable
► with defined roles
► action-oriented
► life cycle where possible
Content
► Introduction
► IT Assurance Principles and Context
► IT Assurance Planning
► IT Resource and Control Scoping
► IT Assurance Initiative Execution
► ITA Guidance for CobiT Processes & Controls
► How CobiT Components support ITA Activities
► Appendixes
● Process Control (generic / detailed)
● Application Control
● Maturity Model for Internal Control
● IT Scoping
IT Assurance Guidance for CobiT Processes and Controls
► Introduction
● Detailed testing guidance based on CobiT: the six generic process controls, the six application controls, and IT general controls based on the 34 CobiT processes
● Guidance for testing control design, testing control outcome and documenting the impact
IT Assurance Guidance for CobiT Processes and Controls
► Generic Process Controls
● Each CobiT process has generic control requirements identified by the generic process controls, to be considered together with the detailed co's to have a complete view
● The six generic process controls are:
PC1 Process goals and objectives
PC2 Process ownership
PC3 Process repeatability
PC4 Roles and responsibilities
PC5 Policy, plans and procedures
PC6 Process performance improvement
IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● 3 generic control practices -> 3 generic assurance steps
Approach
Accountability and responsibility
Communication and understanding
IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● Approach
Generic control practice:
Designs the control approach
Defines and maintains the cps that implement the design
Assurance step:
E&C that a set of practices was defined to achieve the objective
Observes/inspects and reviews the control approach
Tests the design for completeness, relevancy, timeliness and measurability
IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● Accountability and Responsibility
Generic control practice:
Defines and assigns accountability and responsibility for the co as a whole, and responsibility for the different cps (see RACI charts)
Makes sure personnel have the right skills and the necessary resources to execute these responsibilities
Assurance step:
E&C that responsibilities for the cps as well as overall accountability were assigned in a cost-effective and efficient manner
Tests whether accountability and responsibilities are understood and accepted
Verifies that the right skills and the necessary resources are available
IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● Communication and Understanding
Generic control practice:
Ensures the cps, as implemented, address the co's and are communicated and understood
Assurance step:
Enquires through interviews with key staff members whether the control mechanism, its purpose, and accountability and responsibilities were communicated and are understood
IT Assurance Guidance for CobiT Processes and Controls
► IT General Controls
relate to the environment within which applications are developed, maintained and operated, and are applicable to all applications. They ensure proper development, implementation and maintenance of applications, the integrity of program and data files, and the integrity of computer operations. E.g.:
● Systems development
● Change management
● Security
● Computer operations
IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
relate to the transactions and standing data of each application (application specific). They ensure the accuracy and completeness of records and the validity of entries resulting from manual and automated processing. E.g.:
● Completeness
● Accuracy
● Validity
● Authorisation
● Segregation of duties
IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
The objectives generally involve ensuring that:
● Data prepared for entry are complete, valid and reliable
● Data are converted to an automated form and entered into the application accurately, completely and on time
● Data are processed completely and on time, and in accordance with established requirements
● Output is protected from unauthorised modification or damage and distributed in accordance with prescribed policies
IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
CobiT assumes that the design and implementation of automated application controls is an IT responsibility (AI domain), based on business requirements defined using the information criteria. The operational management and control responsibility for ACs is not with IT, but with the business process owner.
IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
IT delivers and supports the applications' services and the supporting databases and infrastructure. The CobiT IT processes cover general IT controls but not application controls, as these are the responsibility of business process owners and are integrated into business processes. Business controls are not in the scope of CobiT and the IT Assurance Guide.
IT Assurance Guidance for CobiT Processes and Controls
Boundaries of IT general controls and application controls
IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
For automated services, the business is responsible for defining the functional and control requirements to be included in all business processes supported by applications. IT responsibilities include the automation of these requirements and the establishment of controls to maintain the integrity of the business applications.
IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
Guidance for testing the design and outcome and documenting the impact:
● AC1 Source document preparation and authorisation
● AC2 Source document collection and data entry
● AC3 Accuracy, completeness and authenticity checks
● AC4 Data processing integrity and validity
● AC5 Output review, reconciliation and error handling
● AC6 Transaction authentication and integrity
IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
AC weaknesses may impact the entity's ability to process business transactions. ACs are a subcomponent of business controls; weaknesses may be mitigated by compensating manual business and organisational control activities. Consider the impact in the context of the nature of the underlying business process, the related transactions and the other business process controls, and in consultation with the business process assurance provider.
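The slides list the application control objectives (completeness, accuracy, validity, authorisation, segregation of duties) and, in the Introduction, name "reperform or recalculate (often on a sample)" and "collect and analyse automated evidence" as test types. The block below is an added example of what such a reperformance looks like in practice; it is not taken from the Isaca deck or from the CobiT IT Assurance Guide. It re-executes each control over a constructed transaction batch and reports every exception per objective, which is the evidence an assurance provider would then weigh against compensating manual controls as the slide above describes. The batch, the batch-header control total, the chart of accounts and the approver list are all made up for illustration.

```python
"""
Reperformance of application controls over a constructed transaction batch.
Added example for this page; the data below is invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Txn:
    seq: int          # sequence number assigned at data entry
    account: str      # general-ledger account code
    qty: int
    unit_price: int   # cents, so the recalculation needs no float rounding
    total: int        # amount as recorded by the application, in cents
    prepared_by: str
    approved_by: str


# Constructed sample batch (hypothetical). Seq 1004 is deliberately absent,
# 1005 carries a wrong recorded total, 1006 uses an unknown account, 1007 was
# approved by someone outside the approver list, and 1008 was prepared and
# approved by the same person.
BATCH: List[Txn] = [
    Txn(1001, "4000", 3, 1500, 4500, "alice", "carol"),
    Txn(1002, "4000", 1, 9900, 9900, "bob", "carol"),
    Txn(1003, "5100", 2, 250, 500, "alice", "dave"),
    Txn(1005, "5100", 4, 1000, 4100, "bob", "carol"),
    Txn(1006, "9999", 1, 100, 100, "alice", "dave"),
    Txn(1007, "4000", 2, 700, 1400, "bob", "erin"),
    Txn(1008, "5100", 1, 300, 300, "carol", "carol"),
]
EXPECTED_SEQ_RANGE = range(1001, 1009)        # batch header claims 1001..1008 (hypothetical)
BATCH_CONTROL_TOTAL = 21200                   # control total on the batch header (hypothetical)
CHART_OF_ACCOUNTS = {"4000", "5100", "6200"}  # valid account codes (hypothetical)
AUTHORISED_APPROVERS = {"carol", "dave"}      # approver list (hypothetical)


def reperform_controls(batch: List[Txn]) -> Dict[str, List[str]]:
    """Re-execute each control on the sample and return the exceptions per objective.

    An empty list means the control produced the expected outcome on this sample;
    it says nothing on its own about whether the control design is adequate.
    """
    findings: Dict[str, List[str]] = {
        "completeness": [], "accuracy": [], "validity": [],
        "authorisation": [], "segregation_of_duties": [], "reconciliation": [],
    }
    # Completeness: every sequence number the batch header promises must be present.
    seen = {t.seq for t in batch}
    for missing in sorted(set(EXPECTED_SEQ_RANGE) - seen):
        findings["completeness"].append(f"seq {missing} absent from batch")
    for t in batch:
        # Accuracy: recalculate the amount from its inputs.
        recalculated = t.qty * t.unit_price
        if recalculated != t.total:
            findings["accuracy"].append(f"seq {t.seq}: recorded {t.total} != recalculated {recalculated}")
        # Validity: the account must exist in the chart of accounts.
        if t.account not in CHART_OF_ACCOUNTS:
            findings["validity"].append(f"seq {t.seq}: unknown account {t.account}")
        # Authorisation: the approver must be on the authorised list.
        if t.approved_by not in AUTHORISED_APPROVERS:
            findings["authorisation"].append(f"seq {t.seq}: approver {t.approved_by} not authorised")
        # Segregation of duties: preparer and approver must differ.
        if t.prepared_by == t.approved_by:
            findings["segregation_of_duties"].append(f"seq {t.seq}: prepared and approved by {t.prepared_by}")
    # Reconciliation: recorded amounts must agree with the batch control total.
    recorded_sum = sum(t.total for t in batch)
    if recorded_sum != BATCH_CONTROL_TOTAL:
        findings["reconciliation"].append(f"batch total {recorded_sum} != control total {BATCH_CONTROL_TOTAL}")
    return findings


def exceptions_found(findings: Dict[str, List[str]]) -> int:
    """Total number of exceptions across all objectives."""
    return sum(len(items) for items in findings.values())


if __name__ == "__main__":
    for objective, items in reperform_controls(BATCH).items():
        print(f"{objective}: {'no exception' if not items else ''}")
        for item in items:
            print(f"  - {item}")
```

Each objective is tested independently so that the working papers can state, per control, whether it operated on the sample; a single pass/fail for the batch would hide which control failed and therefore which compensating business control has to be evaluated.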
Content
► Introduction
► IT Assurance Principles and Context
► IT Assurance Planning
► IT Resource and Control Scoping
► IT Assurance Initiative Execution
► ITA Guidance for CobiT Processes & Controls
► How CobiT Components support ITA Activities
► Appendixes
● Process Control (generic / detailed)
● Application Control
● Maturity Model for Internal Control
● IT Scoping
How CobiT Components support ITA Activities
Linking ITA Activities and CobiT components
How CobiT Components support ITA Activities
► Linking ITA Activities and CobiT components
● Links have been indicated where there is specific and strong support for an ITA activity
● Some key components support all activities
● In practice, users tailor CobiT resources for their specific purposes; the table is only a guide
● Most important for ITA (shaded in grey): goals and outcome measures and RACI charts, which support all aspects of planning, scoping and assurance execution, and CobiT Online (searching, browsing, benchmarking data)
● The strongest links between activities and components are circled
How CobiT Components support ITA Activities
► CobiT Components
● Control objectives and practices
mostly useful for testing-related activities; since the co's are high-level and similar to key management practices, they can be considered during planning activities; both are helpful for the selection and customisation of co's for an assurance initiative
● List of CobiT processes and domains
responsibility structure for IT -> completeness of coverage in the planning phase and when summarising the conclusions; the information criteria provide a generic and simple high-level structure of the objectives of IT processes and are equally useful for structuring assurance plans and conclusions
How CobiT Components support ITA Activities
► CobiT Components
● Maturity models
useful tools for high-level assessments of processes, identification of key processes, planning which processes need most attention, and summarising assurance conclusions; increasingly used by IT management for self-assessment -> a common approach for assurance and IT professionals to agree upon priorities and areas on which to focus attention
● Maturity attributes
provide more detail for process maturity assessment; generic for all processes -> an alternative to the specific process maturity descriptions
Maturity models describe how processes are managed; the detailed attributes can be used to customise co's (describe what needs to be done)
How CobiT Components support ITA Activities
► CobiT Components
● Performance drivers
planning and reporting phases; a good source for customising co's -> they imply certain actions to happen or conditions to exist to increase the probability of successfully achieving the process's objectives and goals
● Value and risk statements
arguments to justify controls; primary inputs when performing high-level or detailed risk assessments; starting point for identifying critical processes / IT components
How CobiT Components support ITA Activities
► CobiT Components
● Management awareness and diagnostic tools (Supplemental Tools & Materials, online / CD-ROM / IT Governance Implementation Guide: Using CobiT & Val IT)
tools for initial high-level assessments of process importance, significant risks and the state of process controls, done in the early stages of the ITA initiative
● Assessment form presentation of CobiT Quickstart
quick / high-level assessments; efficient self-assessments
● CobiT Online
benchmarking data and functionality useful to portray how the entity compares on process management and controls; gives credibility to the conclusions; helps to identify processes that need early or in-depth coverage
How CobiT Components support ITA Activities
► IT Assurance activities
● Best support: process structure, maturity models, goals and outcome measures, performance drivers
● Risk-based ITA planning: maturity modelling and CobiT Online's benchmarking to identify where the highest potential risks are; the risk and value statements of the co's provide additional support if a more detailed risk assessment is required; Quickstart and the awareness and diagnostic tools help to perform high-level assessments quickly and efficiently
How CobiT Components support ITA Activities
► IT Assurance activities
● Planning and reporting (scoping to a lesser extent): most of the CobiT components serve as input or reference
● Detailed planning and scoping, as well as testing: use fewer of the CobiT components but tend to use them more intensely; extensively use the material that is at the 'heart' of CobiT: the co's
How CobiT Components support ITA Activities
► The Strongest Links
● Goals and outcome measures ~ planning risk-based assurance initiatives
● Risk and value statements ~ risk assessments and risk substantiation
● Key activities and RACI charts ~ detailed assurance planning
● Control objectives and practices ~ testing and evaluating controls
● Maturity models and attributes ~ process maturity and other high-level assessments