Using COBIT 4.1 for Assurance Assignments
Prof. dr. Wim Van Grembergen, University of Antwerp (UA)
University of Antwerp Management School (UAMS), IT Alignment and Governance research institute (ITAG)
[email protected]/itag
Agenda
• COBIT introduction
• COBIT framework
• COBIT elements
- High-level and detailed Control Objectives
- IT control practices
- Management Guidelines
- Maturity models
• IT assurance using COBIT
• IT assurance assignments in practice (templates)
COBIT introduction
COBIT evolution
COBIT 1 – Audit – 1996
COBIT 2 – Control – 1998
COBIT 3 – Management – 2000
COBIT 4 – Governance – 2005
(Figure: an arrow labelled "Evolution" running from COBIT 1 to COBIT 4.)
Some key strengths
• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starting from business requirements
• Process oriented
• COBIT is a best practices repository for IT processes, IT management processes and IT governance processes
COBIT and other standards (Gartner Research Note)
• COBIT – Control – WHAT
• ITIL – Activities – HOW
• BS7799 – Security – HOW
Who needs an IT Control Framework?
• Board and Executive – to ensure management follows and implements the strategic direction for IT
• Management – IT investment decisions; balance risk and control investment; benchmark existing and future IT environment
• Users – to obtain assurance on security and control of products and services they acquire internally or externally
• Auditors – to substantiate opinions to management on internal controls; to advise on what minimum controls are necessary
The COBIT framework
Definitions
(Figure: the COBIT framework triangle of IT Processes, Business Requirements and IT Resources.)
"In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes."
Business requirements
Quality requirements: quality, delivery, cost
Security requirements: confidentiality, integrity, availability
Fiduciary requirements (COSO report): effectiveness and efficiency of operations; compliance with laws and regulations; reliability of financial reporting
COBIT information criteria derived from these: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability of information
(Figure: the COBIT framework triangle with Business Requirements highlighted.)
effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
efficiency - concerns the provision of information through the optimal (most productive and economical) usage of resources
confidentiality - concerns protection of sensitive information from unauthorized disclosure.
integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations
availability - relates to information being available when required by the business process, and hence also concerns the safeguarding of resources
compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria
reliability of information - relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.
Business requirements
Linking business goals – IT goals – IT processes
Business Goal: Maintain enterprise reputation and leadership
  drives
IT Goal: Ensure IT services can resist and recover from attacks
  drives
Process Goal: Understanding security requirements, vulnerabilities and threats
IT processes
Domains: natural grouping of processes, often matching an organisational domain of responsibility
Processes: a series of joined activities with natural control breaks
Activities or tasks: actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
(Figure: the COBIT framework triangle with IT Processes highlighted.)
Planning and Organisation
PO1. Define a strategic IT plan
PO2. Define the information architecture
PO3. Determine technological direction
PO4. Define the IT processes, organization and relationships
PO5. Manage the IT investment
PO6. Communicate management aims and direction
PO7. Manage IT human resources
PO8. Manage quality
PO9. Assess and manage IT risks
PO10. Manage projects
COBIT IT Processes
Acquisition and Implementation
AI1. Identify automated solutions
AI2. Acquire and maintain application software
AI3. Acquire and maintain technology infrastructure
AI4. Enable operation and use
AI5. Procure IT resources
AI6. Manage changes
AI7. Install and accredit solutions and changes
COBIT IT Processes
Delivery and Support
DS1. Define and manage service levels
DS2. Manage third-party services
DS3. Manage performance and capacity
DS4. Ensure continuous service
DS5. Ensure systems security
DS6. Identify and allocate costs
DS7. Educate and train users
DS8. Manage service desk and incidents
DS9. Manage the configuration
DS10. Manage problems
DS11. Manage data
DS12. Manage the physical environment
DS13. Manage operations
COBIT IT Processes
Monitor and Evaluate
ME1. Monitor and evaluate IT performance
ME2. Monitor and evaluate internal control
ME3. Ensure regulatory compliance
ME4. Provide IT governance
COBIT IT Processes
Linking business goals – IT goals – IT processes: assignment
Business Goal: Maintain enterprise reputation and leadership
  drives
IT Goal: Ensure IT services can resist and recover from attacks
  drives
Process Goal: ????
Linking business goals to IT goals
(Table: business goals mapped to IT goals.)
Linking IT goals to IT processes
(Table: IT goals mapped to IT processes.)
The most important IT Processes (COBIT 3.2) – survey
(Figure: funnel 34 – 15 – 7.) Processes rated important: PO1 define a strategic IT plan, PO3 determine the technological direction, PO5 manage the IT investment, PO9 assess risks, PO10 manage projects, AI1 identify solutions, AI2 acquire and maintain applications s/w, AI5 install and accredit systems, AI6 manage changes, DS1 define service levels, DS4 ensure continuous service, DS5 ensure system security, DS10 manage problems and incidents, DS11 manage data, M1 monitor the processes.
Shown emphasised in the figure as the top seven: PO1, PO9, PO10, AI6, DS5, DS11, M1.
IT Resources
Data: data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
Application Systems: understood to be the sum of manual and programmed procedures.
Infrastructure: covers hardware, operating systems, database management systems, networking, multimedia, facilities, etc.
People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.
(Figure: the COBIT framework triangle with IT Resources highlighted.)
COBIT Framework: how do they relate?
(Figure: the COBIT cube.)
• Business Requirements (effectiveness, efficiency, confidentiality, integrity, availability, compliance, information reliability): what the stakeholders expect from IT
• IT Processes (planning and organisation; acquisition and implementation; delivery and support; monitor and evaluate): how IT is organised to respond to the requirements
• IT Resources (data, application systems, infrastructure, people): the resources made available to – and built up by – IT
COBIT Framework (overview figure)
Business and Governance Objectives set the INFORMATION criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), which IT delivers using the IT RESOURCES (data, application systems, infrastructure, people) through the four domains: PLANNING AND ORGANISATION (PO1–PO10), ACQUISITION AND IMPLEMENTATION (AI1–AI7), DELIVERY AND SUPPORT (DS1–DS13) and MONITOR AND EVALUATE (ME1–ME4), as listed above.
The Major Elements of COBIT
• High-level and detailed Control Objectives
• Management Guidelines
  - Inputs – outputs
  - RACI chart
  - Goals and metrics
• Maturity models
• Assurance Guidelines – Implementation Guidelines
COBIT Control Objectives
Definition of Control: the policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Definition of IT Control Objective: IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
• are statements of managerial actions to increase value or reduce risk
• consist of policies, procedures, practices and organisational structures
• are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Example: Detailed Control Objectives for Manage Changes (AI6)
AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorised by the appropriate stakeholder.
AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change.
AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms.
AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.
Generic process controls
• Each COBIT process has generic control requirements that are identified by generic process controls within the Process Control (PC) domain. These are applicable for all COBIT processes and should be considered together with the detailed COBIT control objectives to have a complete view of control requirements.
• PC1 Process goals and objectives
• PC2 Process ownership
• PC3 Process repeatability
• PC4 Roles and responsibilities
• PC5 Policy, plans and procedures
• PC6 Process performance improvement
Application controls
• Application controls relate to the transactions and standing data pertaining to each automated application system and are specific to each such application. They ensure the completeness and accuracy of the records and the validity of the entries made in transactions and standing data resulting from both manual and automated processing.
• COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement (AI) domain. The operational management and control responsibility for application controls is not with IT, but with the business process owner. Therefore, the COBIT IT processes cover general IT controls but not application controls.
• AC1 Source document preparation and authorisation
• AC2 Source document collection and data entry
• AC3 Accuracy, completeness, authenticity checks
• AC4 Data processing integrity and validity
• AC5 Output review, reconciliation and error handling
• AC6 Transaction authentication and integrity
COBIT Control Practices
• For each of the control objectives, a list of specific control practices is defined. In addition, three generic control practices are defined, which are applicable to all control objectives. (Design control approach, Accountability and responsibility, Communication and understanding)
• The complete set of generic and specific control practices provides one control approach, consisting of practices that are necessary for achieving the control objective. They provide high-level generic guidance, at a more detailed level under the control objective, for assessing process maturity, considering potential improvements and implementing the controls.
• They do not describe specific solutions, and further guidance may need to be obtained from specific, relevant standards and best practices, such as ITIL or PRINCE2.
COBIT - IT Control Practices
COBIT – IT Control Practices: example
DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.
Control practices:
1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management.
2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident.
3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution.
4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation.
5. Using the service desk software, create service desk performance reports to enable performance monitoring and continuous improvement of the service desk.
COBIT Management Guidelines: Inputs – Outputs
Each process has primary inputs and outputs with process linkages
Example PO1 (define a strategic IT plan):
Inputs: mission and goals; understanding of the business context, capability and capacity; business strategy; risk appetite
Outputs: strategic plan; tactical plan; project portfolio; service portfolio
Inputs / outputs template
• Process:
  Input from: (process) – what
  Output to: (process) – what
Example: Input/Outputs for Manage Changes (AI6)
COBIT Management Guideline: RACI Chart
RACI chart providing roles and responsibilities (example: PO1)
(Figure: RACI chart with activities as rows and functions as columns.)
Functions: CEO; CFO; Business Executive; CIO; Business Senior Management; Head of Operations; Chief Architect or CTO; Head of Development; Head of IT Admin; HR, Fin, etc.; CARS; PMO
CARS includes the Risk, Security, Audit and Compliance functions
Example: RACI Diagram for Manage Changes (AI6)
COBIT Management Guideline: Goals and metrics
COBIT Management Guidelines: Goals and Metrics
Key Goal Indicators (KGIs)
• lag indicator
• is an indicator of the success of the process and its business contribution
• describes the outcome of the process, i.e. measurable after the fact; a measure of “what”; may describe the impact of not reaching the process goal
• focuses on the customer and financial dimensions of the balanced scorecard
COBIT Management Guidelines: Goals and Metrics
Examples of Key Goal Indicators (KGIs)
- Increased level of service delivery
- Reduced time and effort required to make changes
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)
COBIT Management Guidelines: Goals and Metrics
Key Performance Indicators (KPIs)
• lead indicator
• are a measure of “how well” the process is performing
• predict the probability of success or failure
• focus on the process and learning dimensions of the balanced scorecard
• are expressed in precise measurable terms
• should help in improving the IT process
COBIT Management Guidelines: Goals and Metrics
Examples of Key Performance Indicators (KPIs)
- System downtime
- Throughput and response times
- Amount of errors and rework
- Number of staff trained in new technology and customer service skills
- Benchmark comparisons
- Number of non-compliance reportings
- Reduction in development and processing time
KGIs/KPIs for “Ensure System Security” (DS5)
(Figure: three balanced scorecards – for the IT process owner, the IT manager and the business manager – each with KGIs and KPIs; horizontal arrows link KPIs to KGIs within a level, vertical lines link the KGIs of one level to the KPIs of the next. Metrics shown: number of security breaches; number of incidents causing public embarrassment; number of incidents because of unauthorised access; security expertise.)
• Process level: these metrics represent the KPIs and KGIs of the IT process owner and can be used as building blocks for a BSC at process level. They map on the current KGIs and KPIs of COBIT. The KGIs at process level are at the same time KPIs at the IT manager’s level (vertical lines).
• IT manager level: these KGIs represent the goals of the IT manager and can be derived from the list of IT goals. Together with the KPIs (horizontal arrow) they are building blocks for the IT manager’s BSC. The KGIs at the IT manager’s level are at the same time KPIs at the business manager’s level (vertical lines).
• Business manager level: these KGIs represent the goals of the business manager and can be derived from the list of business goals. Together with the KPIs (horizontal arrow) they are building blocks for the business manager’s BSC.
Cascade of metrics
(Figure: chains of KPI → KGI across the BSCs of the IT process owner, the IT manager and the business manager.) A KGI at business level is supported by many other KPIs at IT and process level.
Cascade of metrics for “Ensure System Security” (DS5)
GOALS (linked by “drives” arrows):
Business Goal: Maintain enterprise reputation and leadership
IT Goal: Ensure IT services can resist and recover from attacks
Process Goal: Understanding security requirements, vulnerabilities and threats
METRICS (a KGI at one level is a KPI at the next): number and type of new security incidents; number of incidents causing public embarrassment; number of incidents because of unauthorised access; number of IT security incidents
(Figure: IT goals – process goals – activity goals, measured by the IT KGI – process KGI – activity KGI; the activity KGI is at the same time the process KPI.)
Example: Goals and metrics for Manage Changes (AI6)
COBIT Maturity models
Maturity Models
• refer to business requirements (KGI) and the enabling aspects (KPI) at the different levels
• are a scale that lends itself to pragmatic comparison, where the difference can be made measurable in an easy manner
• are recognisable as a “profile” of the enterprise in relation to IT governance and control
• assist in determining as-is and to-be positions relative to IT governance and control maturity and in analysing the gap
• are neither industry specific nor generally applicable; the nature of the business determines what is an appropriate level
Maturity Models: goal setting and measurement
Scale: 0 Non-Existent – 1 Initial – 2 Repeatable – 3 Defined – 4 Managed – 5 Optimised
Legend for symbols used: enterprise current status; international standard guidelines; industry practice; enterprise target
Legend for rankings used:
0 – Management processes are not applied at all
1 – Processes are ad hoc and disorganised
2 – Processes follow a regular pattern
3 – Processes are documented and communicated
4 – Processes are monitored and measured
5 – Best practices are followed and automated
Maturity models
are improved starting from a new generic qualitative model based on the following attributes:
• awareness and communication
• policies, standards and procedures
• tools and automation
• skills and expertise
• responsibility and accountability
• goal setting and measurement
Example: Maturity Model for Manage Changes (AI6)
0 Non-existent when: There is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.
1 Initial/Ad Hoc when: It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management.
2 Repeatable but Intuitive when: There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change.
3 Defined Process when: There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies.
4 Managed and Measurable when: The change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation are becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process redesign. There is a consistent process for monitoring the quality and performance of the change management process.
5 Optimised when: The change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation.
COBIT 4.1
• Released May 2007
• Incremental updates, no fundamental changes
• COBIT 4.1 features:
- an enhanced Executive Overview, introduction and explanation of goals and metrics in the framework section, and better definitions of the core concepts
- improved control objectives resulting from updated control practices and Val IT development activity
- a new definition of a control objective, shifting more towards management practice statements
- grouping/rewording of some control objectives to avoid overlaps and make the list of control objectives within a process more consistent and action-oriented:
  • AI5.4, AI5.5 and AI5.6 were combined
  • AI7.9, AI7.10 and AI7.11 were combined
  • changes were also made to ME3 to include compliance with contractual requirements in addition to legal and regulatory
- reworded application controls, to support financial controls effectiveness assessment and reporting:
  • six application controls replacing the 18 in COBIT 4.0, with further detail being provided in the COBIT Control Practices
- an updated list of business goals and IT goals, based on new insights obtained during validation research executed by UAMS
- an expanded pull-out to provide, amongst others, a quick reference list of the COBIT processes
IT Assurance using COBIT
Implementation Guide – IT Assurance Guide
(Figure: COBIT guides and their audiences.)
• Board Briefing – for the board
• IT Governance Implementation Guide using COBIT – for the CIO / executive: a baseline for IT governance
• IT Assurance Guide using COBIT – for the audit director: a baseline for IT governance
• WHAT: the Framework (Control Objectives, Management Guidelines, Maturity Models)
• HOW: Control Objective – Control Practices – Assurance Approach, balancing value and risk
Assurance & audit
• Assurance Guide instead of Audit Guide
- Assurance also covers evaluation activities not governed by internal and/or external audit standards.
Assurance Roadmap
Assurance planning
• IT audit universe
- 34 IT processes
- 4 IT resources
• Risk based assurance planning
- The assurance professional should use an appropriate risk assessment technique or approach in developing the overall plan for the effective allocation of IT assurance resources.
- Risk assessment is a technique used to examine units in the assurance universe and select those areas for review that have the greatest risk exposure, by analysing risk and impact.
Assurance planning
• High-level assessment can provide support in assurance planning by identifying processes where the maturity/control gap between as-is and to-be is the most significant.
• The results of such high-level assessment can be used to prioritise the IT assurance work. Specific benefits of such high-level assessments are:
- Making members of IT management aware of their accountability for controlling IT and gaining their buy-in
- High-level checking of compliance with established IT control requirements
- Optimising and prioritising IT assurance resources
- Bridging to IT governance
Assurance planning
• Define the scope and objectives
- Define the scope and objectives of the assurance work and perform a preliminary assessment of internal control/maturity of the function/activities being reviewed to provide reasonable assurance that all material items will be adequately covered during the assurance initiative.
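The planning slides above describe ranking processes for assurance work by the as-is / to-be maturity gap, weighted by risk and impact. The following is an added example (not from the slides, ISACA or UAMS) of that prioritisation in Python: it uses the generic COBIT 0–5 scale from the slides, rejects out-of-range levels, and produces a ranked list of processes to review. The 1–5 risk scale, the multiplicative score and the sample levels are assumptions constructed for the example.

```python
from dataclasses import dataclass

# COBIT generic maturity scale, as on the slides (0 = non-existent ... 5 = optimised).
MATURITY_LEVELS = {
    0: "Non-existent",
    1: "Initial / ad hoc",
    2: "Repeatable but intuitive",
    3: "Defined process",
    4: "Managed and measurable",
    5: "Optimised",
}


@dataclass(frozen=True)
class ProcessAssessment:
    """High-level as-is / to-be maturity assessment of one COBIT process."""
    process_id: str   # e.g. "AI6"
    name: str
    as_is: int        # current maturity level, 0..5
    to_be: int        # target maturity level, 0..5
    risk: int         # risk exposure of the process, 1 (low) .. 5 (high); assumed scale

    def __post_init__(self) -> None:
        for label, value in (("as_is", self.as_is), ("to_be", self.to_be)):
            if value not in MATURITY_LEVELS:
                raise ValueError(f"{self.process_id}: {label}={value} is not a maturity level 0..5")
        if not 1 <= self.risk <= 5:
            raise ValueError(f"{self.process_id}: risk={self.risk} must be 1..5")

    def gap(self) -> int:
        # A target below the current level is not a control gap.
        return max(self.to_be - self.as_is, 0)

    def score(self) -> int:
        # Gap weighted by risk exposure: the slides' "risk and impact" idea in its simplest form.
        return self.gap() * self.risk


def is_valid_assessment(process_id, name, as_is, to_be, risk) -> bool:
    """True if the values form a valid assessment; False instead of raising."""
    try:
        ProcessAssessment(process_id, name, as_is, to_be, risk)
        return True
    except ValueError:
        return False


def plan_assurance(assessments, max_engagements=None):
    """Rank processes for the assurance plan: largest risk-weighted gap first."""
    ranked = sorted(assessments, key=lambda a: (-a.score(), -a.gap(), a.process_id))
    if max_engagements is not None:
        ranked = ranked[:max_engagements]
    return [
        {
            "process_id": a.process_id,
            "name": a.name,
            "as_is": MATURITY_LEVELS[a.as_is],
            "to_be": MATURITY_LEVELS[a.to_be],
            "gap": a.gap(),
            "score": a.score(),
        }
        for a in ranked
    ]


def sample_assessments():
    """Constructed sample: illustrative levels, not a real enterprise's assessment."""
    return [
        ProcessAssessment("PO9", "Assess and manage IT risks", 2, 4, 5),
        ProcessAssessment("AI6", "Manage changes", 1, 3, 4),
        ProcessAssessment("DS5", "Ensure systems security", 1, 4, 5),
        ProcessAssessment("DS4", "Ensure continuous service", 3, 4, 3),
        ProcessAssessment("DS11", "Manage data", 4, 3, 2),
        ProcessAssessment("ME2", "Monitor and evaluate internal control", 3, 3, 2),
    ]


if __name__ == "__main__":
    for row in plan_assurance(sample_assessments()):
        print(f"{row['process_id']:<5} gap={row['gap']} score={row['score']:>2}  "
              f"{row['as_is']} -> {row['to_be']}")
```

With the sample data DS5 ranks first (a three-level gap on a high-risk process), and the two processes already at or above target drop to the bottom with a zero score, which is the cut-off an assurance plan with limited capacity would apply via max_engagements.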
Assurance scoping
• Define the scope and objectives
- Business goals – IT goals – IT processes / IT resources – control objectives – customized control objectives
Assurance execution
Derived from control practices. Originally one IT control practice (ITCP) translated into one testing step. Later all individual testing steps were grouped into three blocks:
1. Testing control design (design effectiveness)
2. Testing outcome of the objective (operational effectiveness)
3. Document impact of control weaknesses
AI6: Change Management
Testing control design
• Enquire whether and confirm that the change management process allows business process owners and IT to request changes to infrastructure, systems or applications.
• Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes).
• Enquire whether and confirm that processes and procedures for contracted services providers (e.g., infrastructure, application development, application service providers, shared services) are included in the change management process.
• Determine if the process and procedures include the contractual terms and SLAs.
The audit steps to be performed in assessing the adequacy of the design of controls.
AI6: Change Management
Testing control objective outcome (operational effectiveness)
• Inspect a selection of changes and determine if requests have been categorised.
• Inspect a selection of changes and determine if changes have been prioritised based on predefined criteria.
• Inspect a selection of changes and determine if changes have been assessed in a structured method (e.g., security, legal, contractual and compliance implications are considered and business owners are involved).
• Inspect a sample of emergency changes and verify that they have been processed in accordance with the change management framework. Verify that procedures have been followed to authorise, document and revoke access after the change has been applied.
• Inspect a sample of emergency changes and determine if a post-implementation review has been conducted after the changes were applied. Consider implications for further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.
The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.
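The operating-effectiveness steps above are attribute tests over a sample of change records: for each ticket, is it categorised, is its priority the one the predefined criteria require, was it assessed in a structured way, and for emergency changes was it authorised, documented, was temporary access revoked after application, and was a post-implementation review done. The block below is an added example, not from the slides or from ISACA's assurance guide, that runs those tests mechanically over an exported change log and tallies exceptions per attribute. The record layout, the prioritisation criteria, the tolerable deviation rate and the five sample tickets are all constructed assumptions; a real engagement would take them from the organisation's change policy and its ticketing export.

```python
"""Attribute testing of a sample of AI6 change records.

Added example; not from the slides or from the COBIT Assurance Guide.
The record layout, the prioritisation criteria, the tolerable deviation
rate and the sample tickets below are all constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Assumed "predefined criteria": the priority a change must carry given
# its risk rating and whether it touches production.
PRIORITY_CRITERIA = {
    ("high", True): "P1", ("medium", True): "P2", ("low", True): "P3",
    ("high", False): "P2", ("medium", False): "P3", ("low", False): "P4",
}
VALID_CATEGORIES = {"standard", "normal", "emergency"}


@dataclass
class ChangeRecord:
    ticket: str
    category: Optional[str]          # None = never categorised
    risk_rating: str                 # high / medium / low
    affects_production: bool
    priority: Optional[str]
    security_assessed: bool          # structured impact-assessment fields
    legal_contract_assessed: bool
    business_owner_involved: bool
    emergency: bool = False
    authorised_by: Optional[str] = None
    applied_at: Optional[datetime] = None
    temp_access_revoked_at: Optional[datetime] = None
    documented_after_apply: bool = False
    pir_completed: bool = False      # post-implementation review


def check_change(c: ChangeRecord) -> list[str]:
    """Return the test attributes this record fails (empty list = no exception)."""
    ex: list[str] = []
    if c.category not in VALID_CATEGORIES:
        ex.append("not categorised")
    if c.priority != PRIORITY_CRITERIA[(c.risk_rating, c.affects_production)]:
        ex.append("priority not per predefined criteria")
    if not (c.security_assessed and c.legal_contract_assessed
            and c.business_owner_involved):
        ex.append("impact assessment incomplete")
    if c.emergency:
        if not c.authorised_by:
            ex.append("emergency change not authorised")
        if not c.documented_after_apply:
            ex.append("emergency change not documented")
        # Temporary access granted for the emergency must be revoked after the
        # change was applied; a missing or earlier-than-apply timestamp fails.
        if (c.temp_access_revoked_at is None or c.applied_at is None
                or c.temp_access_revoked_at < c.applied_at):
            ex.append("temporary access not revoked after change")
        if not c.pir_completed:
            ex.append("no post-implementation review")
    return ex


def inspect_sample(changes: list[ChangeRecord]) -> tuple[dict[str, list[str]], dict[str, int]]:
    """Run check_change over the sample; return exceptions per ticket and a tally per attribute."""
    findings: dict[str, list[str]] = {}
    tally: dict[str, int] = {}
    for c in changes:
        ex = check_change(c)
        if ex:
            findings[c.ticket] = ex
        for e in ex:
            tally[e] = tally.get(e, 0) + 1
    return findings, tally


def conclude(findings: dict[str, list[str]], sample_size: int,
             tolerable_rate: float = 0.05) -> tuple[str, float]:
    """Attribute-sampling conclusion: effective only if the observed deviation
    rate (tickets with at least one exception) is within the assumed tolerable rate."""
    rate = len(findings) / sample_size
    return ("effective" if rate <= tolerable_rate else "not effective"), rate


# Constructed sample of five tickets, two of them emergency changes.
T0 = datetime(2024, 3, 1, 2, 0)
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "normal", "medium", True, "P2", True, True, True),
    ChangeRecord("CHG-1002", None, "low", False, "P4", True, True, True),
    ChangeRecord("CHG-1003", "normal", "high", True, "P3", True, True, True),
    ChangeRecord("CHG-1004", "emergency", "high", True, "P1", True, True, True,
                 emergency=True, authorised_by="CAB chair", applied_at=T0,
                 temp_access_revoked_at=datetime(2024, 3, 1, 5, 0),
                 documented_after_apply=True, pir_completed=True),
    ChangeRecord("CHG-1005", "emergency", "high", True, "P1", True, False, True,
                 emergency=True, authorised_by=None, applied_at=T0,
                 temp_access_revoked_at=None, documented_after_apply=True,
                 pir_completed=False),
]

if __name__ == "__main__":
    found, counts = inspect_sample(SAMPLE_CHANGES)
    for ticket, ex in found.items():
        print(ticket, "->", "; ".join(ex))
    print(counts)
    print(conclude(found, len(SAMPLE_CHANGES)))
```

The script only tests that the attributes are present in the record; it does not tell the assurance professional whether the security or legal assessment recorded on CHG-1001 was substantive, or whether "CAB chair" was entitled to authorise CHG-1004. Those judgements still need the walkthrough and the interviews from the design-effectiveness step; the script's value is that it applies the same test to every sampled ticket and leaves the exception list as evidence.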
AI6: Change Management
Document impact
• Assess the time and cost of lack of formal change management standards and procedures (e.g., improper resource allocation, unclear roles and responsibilities, security breaches, lack of rollback procedures, lack of documentation and audit trails, inadequate training).
• Assess the time and cost of lack of formal impact assessment to prioritise and authorise changes.
• Assess the time and cost of lack of formal emergency change standards and procedures (e.g., compromised security, failure to properly terminate additional access authorisations, unauthorised access to corporate information).
The audit steps to be performed to substantiate the risk of the control objective not being met, by using analytical techniques and/or consulting alternative sources.
Structure of assurance guidance provided
Example: Control practices
Example: testing control design
Example: testing operational effectiveness
Example: documenting impact
IT Assurance assignments in practice (templates)
Assurance assignment
1. Scoping
1.1 Processes
1.2 Control objectives
1.3 Control practices
2. Testing
2.1 Evaluate Design Effectiveness (testing control design)
2.2 Evaluate Operating Effectiveness (testing outcome of the control process)
3. Findings and recommendations
1.1 Scoping: processes
• Define cascade of business goals – IT goals – IT processes
Goal: first list of IT processes

1.1 Scoping: processes
• Define/refine list of IT processes based on risk-based scoping
- Risk and value drivers
Goal: refined list of IT processes

1.1 Scoping: processes
• Define/refine list of IT processes based on risk-based scoping
- Maturity assessment
Goal: refined list of IT processes
1.2 Scoping: control objectives
• Define the control framework for one process based on the control objective attributes
Goal: set of important control objectives for one IT process

1.3 Scoping: control practices
• Define the control design for one control objective
Goal: minimum and sufficient set of control practices to achieve the control objective
2. Testing
• Structured approach for each of the control objectives / control practices
Testing worksheet (one per control objective), columns: Assurance step (1, 2, 3, 4) | Control objective | COBIT 4 control practices | Contact person | Design effectiveness approach | Operating effectiveness approach
Inputs to the worksheet: RACI chart; audit plans (assurance guide, inputs/outputs, …)
2.1 Evaluate design effectiveness
• Translate control practices into assurance steps to evaluate design effectiveness
Inputs: RACI chart; audit plans (assurance guide, …); COBIT 4 control practices

2.1 Evaluate design effectiveness: Example
2.2 Evaluate operating effectiveness
Inputs: RACI chart; audit plans (assurance guide); COBIT 4.0 control practices; inputs/outputs

2.2 Evaluate operating effectiveness: Example
3. Findings & Recommendations
• FINDING: Description | Detection (Walkthrough / Testing)
• RISK: Description | Categorization
• RECOMMENDATION: Description | Priority
  Priority 1: Resolution < 6 months
  Priority 2: Resolution < 1 year
  Priority 3: Resolution < 2 years
Findings & Recommendations: Example
FINDING
Description: DS8.1: There is no monitoring process in place that focuses on the quality of the Service Desk and the end users' satisfaction.
Detection: WT (walkthrough)
RISK
Description: IT management is not informed on how the business perceives the Service Desk in particular and the IT department in general. This lack of information can cause a disconnection/misalignment between business and IT (i.e. no perception of added value by IT). It also prevents the implementation of an effective continuous improvement process.
Classification: High
RECOMMENDATION
Description: Organize regular user satisfaction surveys via the different available media (intranet, phone, direct…) and use this information to compare the responses of the satisfied users with the dissatisfied users. This information can also be used to enable continuous improvement.
Priority: 1 (resolution < 6 months)