IT Assurance using CobiT

Round Table

Saturday, March 19th 2008

Philip DE PICKER, president of Isaca.be

Monique GARSOUX, vice-president IT Assurance of Isaca.be

Content
► Introduction
► IT Assurance Principles and Context
► IT Assurance Planning
► IT Resource and Control Scoping
► IT Assurance Initiative Execution
► ITA Guidance for CobiT Processes & Controls
► How CobiT Components support ITA Activities
► Appendixes
● Process Control (generic / detailed)
● Application Control
● Maturity Model for Internal Control
● IT Scoping

Introduction
► released in 2007
► free downloadable PDF + part of CobiT Online for Isaca members
► 'collaborative' work of CobiT development groups worldwide

Introduction: Objective
► guidance: how to use CobiT to support IT assurance activities
► efficient and effective development of IT assurance work (planning, scoping, executing)
► no detailed assurance programme that can be used as is: NO 'COOKBOOK'
► part of the IT Assurance Framework (ITAF): exposure draft released August 2007, final version just released at www.isaca.org

Introduction: Audience
► assurance and IT professionals
► having basic knowledge of the concepts of CobiT
► familiar with assurance concepts in general

Introduction: Major CobiT-based Products (figure not reproduced)

Introduction: Implementation and Assurance Guides (figure from Board Briefing on IT Governance, 2nd ed.)

Introduction: Components
► Generic controls, applicable to all processes (PCn identifier)
► Application controls (ACn identifier)
► Specific process controls (CobiT process number)

Introduction: Components
Assurance steps and guidelines to test
► the control design of the control objective (co)
► the outcome of the co
● confirm the control is in operation
● assess its operational effectiveness
► document control weaknesses and their impact

Introduction: Components
Assurance advice at different levels
► at process level
► at co level (based on control practices)
► generic (applicable to all processes or co's), in addition or as an alternative

Introduction: Components
Different test types assist in forming an opinion
► enquire (via different sources) and confirm (E&C)
► inspect (walk-through, search, compare and review)
► observe
► reperform or recalculate (often on a sample)
► collect (sample, trace, extract) and analyse automated evidence

Introduction: Overview of the IT Assurance Advice provided (figure not reproduced)

Introduction: Components
IT control objectives are
► statements of desired result or purpose
► achieved by implementing control practices
► high-level requirements
► short, action-oriented management practices
► often with a logical 'life cycle' sequence

Introduction: Components
IT control objectives: choices for (enterprise) management
► select applicable ones
► balance the cost of implementation against the risk of not achieving it
► decide on control practices
► choose how to implement them

Introduction: Components
Relation with Control Practices
► CPs
● in CobiT Online
● book
● NOT (yet?) as PDF
► more detail for each co
► co = what to do
► cp = how to do it
► 3 generic cps

Introduction: Components
Relation with Control Practices: value and risk drivers (repeated in the Assurance Guide)
► value driver = business benefit that can result from good control (examples)
► risk driver = risk to avoid or mitigate (examples)

Introduction: Components
Relation with Control Practices
► NOT specific solutions
► relevance of more specific other standards
● ITIL
● Prince2
● ...
► usable by implementors and assurance professionals

Introduction: Components
CP design criteria (~ SMAR(R)T [specific, measurable, agreed, relevant/realistic, timely])
► relevant
► executable in a timely fashion
► realistic and cost-effective
► measurable
► with defined roles
► action-oriented
► life-cycle where possible


IT Assurance Guidance for CobiT Processes and Controls
► Introduction
● Detailed testing guidance based on CobiT:
  - six generic controls
  - six application controls
  - IT general controls based on the 34 CobiT processes
● Guidance for testing control design, testing control outcome and documenting the impact

IT Assurance Guidance for CobiT Processes and Controls
► Generic Process Controls
● Each CobiT process has generic control requirements identified by generic process controls, to be considered together with the detailed CO's to have a complete view
● The six generic process controls are:
  - PC1 Process goals and objectives
  - PC2 Process ownership
  - PC3 Process repeatability
  - PC4 Roles and responsibilities
  - PC5 Policy, plans and procedures
  - PC6 Process performance improvement

IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● 3 generic control practices -> 3 generic assurance steps
  - Approach
  - Accountability and responsibility
  - Communication and understanding

IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● Approach
Generic control practice:
  - Designs the control approach
  - Defines and maintains the cps that implement the design
Assurance step:
  - E&C that a set of practices was defined to achieve the objective
  - Observes/inspects and reviews the control approach
  - Tests the design for completeness, relevancy, timeliness and measurability

IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● Accountability and Responsibility
Generic control practice:
  - Defines and assigns accountability and responsibility for the co as a whole, and responsibility for the different cps (see RACI charts)
  - Makes sure personnel have the right skills and the necessary resources to execute these responsibilities
Assurance step:
  - E&C that responsibilities for the cps as well as overall accountability were assigned in a cost-effective and efficient manner
  - Tests whether accountability and responsibilities are understood and accepted
  - Verifies that the right skills and the necessary resources are available

IT Assurance Guidance for CobiT Processes and Controls
► Generic Control Practices
● Communication and Understanding
Generic control practice:
  - Ensures the cps, as implemented, address the co's and are communicated and understood
Assurance step:
  - Enquires through interviews with key staff members whether the control mechanism, its purpose, and accountability and responsibilities were communicated and are understood

IT Assurance Guidance for CobiT Processes and Controls
► IT General Controls
relate to the environment within which applications are developed, maintained and operated, and are applicable to all applications. They ensure proper development, implementation and maintenance of applications, the integrity of program and data files, and the integrity of computer operations. E.g.:
● Systems development
● Change management
● Security
● Computer operations

IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
relate to transactions and standing data of each application (application specific). They ensure accuracy and completeness of records and validity of entries resulting from manual and automated processing. E.g.:
● Completeness
● Accuracy
● Validity
● Authorisation
● Segregation of duties

IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
The objectives generally involve ensuring that:
● Data prepared for entry are complete, valid and reliable
● Data are converted to an automated form and entered into the application accurately, completely and on time
● Data are processed completely and on time, and in accordance with established requirements
● Output is protected from unauthorised modification or damage and distributed in accordance with prescribed policies

IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
CobiT assumes that the design and implementation of automated application controls is an IT responsibility (AI domain), based on business requirements defined using the information criteria. The operational management and control responsibility for ACs is not with IT but with the business process owner.

IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
IT delivers and supports the applications' services and the supporting databases and infrastructures. CobiT IT processes cover general IT controls but not application controls, as these are the responsibility of business process owners and are integrated into business processes. Business controls are not in the scope of CobiT and the IT Assurance Guide.

IT Assurance Guidance for CobiT Processes and Controls
Boundaries of IT general controls and application controls (figure not reproduced)

IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
For automated services, the business is responsible for defining the functional and control requirements to be included in all business processes supported by applications. IT responsibilities include the automation of these requirements and the establishment of controls to maintain the integrity of the business applications.

IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
Guidance for testing the design and outcome and documenting impact
● AC1 Source document preparation and authorisation
● AC2 Source document collection and data entry
● AC3 Accuracy, completeness and authenticity checks
● AC4 Data processing integrity and validity
● AC5 Output review, reconciliation and error handling
● AC6 Transaction authentication and integrity
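
As an added example (not from the slide deck or the ISACA guide), the block below shows what the "reperform or recalculate" and "collect (sample, trace, extract) and analyse automated evidence" test types from the Introduction look like when applied to the application controls listed above: the assurance professional takes a batch extract from the application and re-runs the input, processing and output checks it is supposed to enforce, producing findings that can be documented with their impact. The extract layout, the trailer control record, the approval threshold, the currency list and the sample records are all constructed for the example, and the AC number attached to each check (AC1 authorisation and segregation of duties, AC3 completeness, AC4 validity, AC5 reconciliation) is the editor's illustrative reading of the CobiT control names, not a mapping taken from the guide.

```python
"""Reperforming application-control checks over an extracted transaction batch.

Example added by the editor, not code from the ISACA IT Assurance Guide or the
slide deck. The file layout, trailer record, approval threshold and sample
records are constructed for the example; the AC numbers attached to each
finding are an illustrative reading of the CobiT control names.
"""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed batch extract. The TRAILER line carries the control totals the
# sending system claims for the batch (record count and hash total of amounts).
EXTRACT = """\
txn_id,initiator,approver,amount,currency
1001,alice,bob,1200.00,EUR
1002,alice,alice,4500.00,EUR
1003,carol,,3000.00,EUR
1005,dave,bob,-50.00,EUR
1006,erin,bob,75000.00,XXX
TRAILER,count=6,total=83750.00
"""

ALLOWED_CURRENCIES = {"EUR", "USD", "GBP"}   # assumed business rule
APPROVAL_THRESHOLD = Decimal("1000.00")      # assumed: second person needed at/above


def parse_extract(text):
    """Split the extract into transaction records and the trailer control record."""
    rows, trailer = [], {}
    for line in text.splitlines():
        if line.startswith("TRAILER"):
            for field in line.split(",")[1:]:
                key, value = field.split("=")
                trailer[key] = value
        else:
            rows.append(line)
    records = list(csv.DictReader(io.StringIO("\n".join(rows))))
    return records, trailer


def reperform_controls(text):
    """Return (control_ref, txn_id, finding) tuples; an empty list means no exceptions."""
    records, trailer = parse_extract(text)
    findings = []

    # AC3, completeness: reperform the record count against the trailer ...
    if int(trailer["count"]) != len(records):
        findings.append(("AC3", "batch",
                         f"record count {len(records)} != trailer count {trailer['count']}"))
    # ... and look for gaps or duplicates in the transaction sequence.
    ids = sorted(int(r["txn_id"]) for r in records)
    for prev, cur in zip(ids, ids[1:]):
        if cur > prev + 1:
            findings.append(("AC3", str(cur), f"sequence gap between {prev} and {cur}"))
    for txn_id, n in Counter(ids).items():
        if n > 1:
            findings.append(("AC3", str(txn_id), f"duplicate transaction id ({n} occurrences)"))

    # AC5, output reconciliation: recalculate the hash total and compare with the trailer.
    recalculated = sum((Decimal(r["amount"]) for r in records), Decimal("0"))
    if recalculated != Decimal(trailer["total"]):
        findings.append(("AC5", "batch",
                         f"recalculated total {recalculated} != trailer total {trailer['total']}"))

    for r in records:
        amount = Decimal(r["amount"])
        # AC4, processing validity: rules every record must satisfy.
        if amount <= 0:
            findings.append(("AC4", r["txn_id"], "non-positive amount"))
        if r["currency"] not in ALLOWED_CURRENCIES:
            findings.append(("AC4", r["txn_id"], f"unknown currency {r['currency']}"))
        # AC1, authorisation and segregation of duties for material amounts.
        if amount >= APPROVAL_THRESHOLD:
            if not r["approver"]:
                findings.append(("AC1", r["txn_id"], "no approval recorded above threshold"))
            elif r["approver"] == r["initiator"]:
                findings.append(("AC1", r["txn_id"], "initiator approved own transaction"))
    return findings


if __name__ == "__main__":
    for control, txn, text in reperform_controls(EXTRACT):
        print(f"{control} {txn:>6}  {text}")
```

Each finding carries the control reference and the transaction it concerns, so it can be written up as the guide's structure requires (test the design, test the outcome, document the impact); a batch that yields no findings is the evidence, for that sample, that the controls operated effectively. Note that the count and hash-total checks only work if the sending system's trailer is itself trustworthy, which is why the sequence-gap and duplicate checks are run independently of it.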

IT Assurance Guidance for CobiT Processes and Controls
► Application Controls
AC weaknesses may impact the entity's ability to process business transactions. ACs are a subcomponent of business controls. Weaknesses may be mitigated by compensating manual business and organisational control activities. Consider the impact in the context of the nature of the underlying business process, the related transactions and other business process controls, and in consultation with the business process assurance provider.


How CobiT Components support ITA Activities: Linking ITA Activities and CobiT components (table not reproduced)

How CobiT Components support ITA Activities
► Linking ITA Activities and CobiT components
● Links have been indicated where there is specific and strong support for an ITA activity
● Some key components support all activities
● In practice, users tailor CobiT resources for their specific purposes. The table is only a guide
● Most important for ITA (shaded in grey):
  - goals and outcome measures + RACI charts: they support all aspects of planning, scoping and assurance execution
  - COBIT Online (searching, browsing, benchmarking data)
● Strongest links between activities and components are circled

How CobiT Components support ITA Activities
► CobiT Components
● Control objectives and practices
  - mostly useful for testing-related activities
  - since the co's are high-level and similar to key management practices, they can be considered during planning activities
  - both are helpful for the selection and customisation of co's for an assurance initiative
● List of COBIT processes and the domains
  - responsibility structure for IT -> completeness of coverage in the planning phase and when summarising the conclusions
● Information criteria
  - provide a generic and simple high-level structure of the objectives of IT processes and are equally useful for structuring assurance plans and conclusions

How CobiT Components support ITA Activities
► CobiT Components
● Maturity models
  - useful tools for high-level assessments of processes
  - identification of key processes
  - planning which processes need most attention
  - summarising assurance conclusions
  - increasingly used by IT management for self-assessment -> a common approach for assurance and IT professionals to agree upon priorities and areas on which to focus attention
● Maturity attributes
  - provide more details for process maturity assessment
  - generic for all processes -> alternative to the specific process maturity descriptions
Maturity models describe how processes are managed; the detailed attributes can be used to customise CO's (describe what needs to be done)

How CobiT Components support ITA Activities
► CobiT Components
● Performance drivers
  - planning and reporting phases
  - good source for customising CO's -> they imply certain actions to happen or conditions to exist to increase the probability of successfully achieving the process's objectives and goals
● Value and risk statements
  - arguments to justify controls
  - primary inputs when performing high-level or detailed risk assessments
  - starting point for identifying critical processes / IT components

How CobiT Components support ITA Activities
► CobiT Components
● Management awareness and diagnostic tools (Supplemental Tools & Materials, online / CD-ROM / IT Governance Implementation Guide: Using CobiT & Val IT)
  - tools for initial high-level assessments of process importance, significant risks and the state of process controls, done in the early stages of the ITA initiative
● Assessment form presentation of CobiT Quickstart
  - quick / high-level assessments
  - efficient self-assessments
● CobiT Online
  - benchmarking data and functionality useful to portray how the entity compares on process management and controls
  - gives credibility to the conclusions
  - helps to identify processes that need early or in-depth coverage

How CobiT Components support ITA Activities
► IT Assurance activities
● Best support
  - process structure
  - maturity models
  - goals, outcome measures
  - performance drivers
● Risk-based ITA planning
  - maturity modelling & CobiT Online's benchmarking to identify where the highest potential risks are
  - the risk and value statements of the CO's provide additional support if a more detailed risk assessment is required
  - Quickstart & the awareness and diagnostic tools help to perform high-level assessments quickly and efficiently

How CobiT Components support ITA Activities
► IT Assurance activities
● Planning and reporting (scoping to a lesser extent)
  - most of the CobiT components as input or reference
● Detailed planning and scoping, as well as testing
  - use fewer of the COBIT components but tend to use them more intensely
  - extensively use the material that is at the 'heart' of COBIT: the CO's

How CobiT Components support ITA Activities
► The Strongest Links
● Goals & outcome measures ~ planning risk-based assurance initiatives
● Risk and value statements ~ risk assessments and risk substantiation
● Key activities and RACI charts ~ detailed assurance planning
● Control objectives and practices ~ testing and evaluating controls
● Maturity models and attributes ~ process maturity and other high-level assessments