Presentation Transcript


Control Objectives for Information and related Technology (COBIT) Overview

January 31, 2008



Overview

  • Background – trends in auditing affecting IT

  • Overview of the COBIT

  • Linkages to other methodologies

  • Practical application – in audit and IT management



Auditing Trends

  • Audit Committees

    • Increasing dependence on IT infrastructure to support traditional assurance/auditing

    • Increasing obligations regarding risk management and control including IT

    • Uses Internal Audit to give assurance – we adopted COBIT with the ability to use other frameworks as deemed appropriate

    • Management has a role as well



  • Office of the Auditor General

    • Comments to entities that have had a broad IT assessment include ensuring the following is in place:

      • IT strategies (not just for centralized IT services)

      • Integration of IT requirements into business planning

      • Documented IT risk assessments

      • Business continuity planning and emergency response planning

      • Service level performance measures

      • Processes to build awareness for IT internal controls and security

      • An IT control framework (recommended to several organizations) – COBIT was recommended and is being adopted


[Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Performance Measurement, Resource Management (www.itgi.org)]

COBIT Overview¹ – IT Governance Institute

  • Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:

    • Providing strategic direction

    • Ensuring that objectives are achieved

    • Ascertaining that risks are managed appropriately

    • Verifying that the enterprise’s resources are used responsibly

¹ This information and that on the following slides is consolidated from information developed by the IT Governance Institute.



Major COBIT Elements

  • IT Processes

  • Business Requirements

  • IT Resources


IT Processes

  • COBIT describes the IT life cycle with the help of four domains:

    • Plan and Organize

    • Acquire and Implement

    • Deliver and Support

    • Monitor and Evaluate

  • Each domain contains processes, which are series of activities. There are 34 processes specifying what the business needs to achieve its objectives.

  • Finally, activities are the actions required to achieve measurable results within the processes.


Plan and Organise

PO1 Define a strategic IT plan.

PO2 Define the information architecture.

PO3 Determine technological direction.

PO4 Define the IT processes, organisation and relationships.

PO5 Manage the IT investment.

PO6 Communicate management aims and direction.

PO7 Manage IT human resources.

PO8 Manage quality.

PO9 Assess and manage IT risks.

PO10 Manage projects.


Acquire and Implement

AI1 Identify automated solutions.

AI2 Acquire and maintain application software.

AI3 Acquire and maintain technology infrastructure.

AI4 Enable operation and use.

AI5 Procure IT resources.

AI6 Manage changes.

AI7 Install and accredit solutions and changes.


Deliver and Support

DS1 Define and manage service levels.

DS2 Manage third-party services.

DS3 Manage performance and capacity.

DS4 Ensure continuous service.

DS5 Ensure systems security.

DS6 Identify and allocate costs.

DS7 Educate and train users.

DS8 Manage service desk and incidents.

DS9 Manage the configuration.

DS10 Manage problems.

DS11 Manage data.

DS12 Manage the physical environment.

DS13 Manage operations.



Monitor and Evaluate

ME1 Monitor and evaluate IT performance.

ME2 Monitor and evaluate internal control.

ME3 Ensure compliance with external requirements.

ME4 Provide IT governance.



Business Requirements

  • Effectiveness – Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner

  • Efficiency – Concerns the provision of information through the optimal (most productive and economical) use of resources

  • Confidentiality – Concerns the protection of sensitive information from unauthorised disclosure

  • Integrity – Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations

  • Availability – Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

  • Compliance – Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies

  • Reliability – Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities



IT Resources

  • Applications

  • Information

  • Infrastructure

  • People


Use of COBIT in Internal Audit

  • Annual Risk Assessment (developed with Grant Thornton)

  • Can audit in different ways:

    • an application system (all processes)

    • a process (e.g. IT investment management across a unit or the campus)

    • a resource component (e.g. infrastructure) and/or a business requirement (e.g. security)

  • Maps to other frameworks

    Flexible yet defensible



Use of COBIT in Management

  • Seeing an increase in formal adoption of frameworks.

  • Supporting documentation being developed for management.

  • Flexible adoption – one size does not fit all.

  • Can be blended with other frameworks.


Organisations will consider and use a variety of IT models, standards and best practices.

[Figure: COSO, COBIT, ISO 17799, ISO 9000 and ITIL plotted by what each covers against its scope of coverage]


IT Process Capability Maturity Scorecard – Example


[Figure: COBIT Framework – Business objectives and governance objectives drive the information criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability); the four domains (Plan and Organise PO1–PO10, Acquire and Implement AI1–AI7, Deliver and Support DS1–DS13, Monitor and Evaluate ME1–ME4) listed on the preceding slides act on the IT resources (Applications, Information, Infrastructure, People)]


Questions

  • Contact:

    • Ian Simpson

    • Systems Auditor

    • 492-2980