COBIT 4.0 - PowerPoint PPT Presentation

PowerPoint Slideshow about 'COBIT 4.0' - LeeJohn

Presentation Transcript

COBIT 4.0

WHAT YOU NEED TO KNOW

Howard DuBois, CISA

howard@hallux.ca

Objectives
  • Review structure and content of COBIT
  • Assess challenges for IT management
  • Explore impact of a successful implementation of COBIT on application owners
What is COBIT?
  • COBIT is a highly regarded IT Governance framework produced and supported by the IT Governance Institute (ITGI)
  • COBIT 4.0 is the most recent release of this model
What Does COBIT Stand For?

  • C – Control
  • OB – OBjectives
  • I – for Information
  • T – and Related Technology

Why is COBIT Important?

Some interesting questions:

  • Why are “control objectives” of interest to application owners and users?
  • What is the history behind COBIT?
  • Where does IT Governance fit in?
COBIT’s History
  • COBIT started as a control model for IT auditors – hence control objectives for IT organizations and operations
  • At some point, someone realized that if the model was good enough for the auditor to measure IT control and effectiveness, it was good enough for management
  • This became a “governance framework” when it was realized that good control required implementation of best practices
COBIT’s History
  • Control Objectives produced as an audit product by EDPAF early 1990’s
  • COBIT first edition - 1996
  • COBIT second edition – 1998
    • First reference to governance and seeing COBIT as a set of best practices for IT management
  • COBIT third edition – 2000
    • First reference to ITGI
    • First reference to management guidelines
COBIT’s History
  • COBIT 4.0 - 2005
    • 4.0 is an update of 3rd edition – better mapping to business goals, further development of maturity models
    • COBIT On-Line introduced
  • During the process, other products were issued
    • Control Practices – 2004 – more detailed exploration of individual practices seen as best practices
Purpose of COBIT

  • Provide generally applicable and accepted Standards for Good Practices for Information and Information Technology (IT) Control
  • Based on a management-oriented Framework for Control in IT
  • Aligned with De Jure and De Facto Standards and Regulations
  • Create a manageable and logical structure
The Pieces of COBIT

Exec Summary - Senior Executives (CEO, CIO) - 16 pages

Framework -Senior Operational Management (Directors of IT and IS Audit /Controls) - 68 pages

Control Objectives -Middle Management (IT Management and IS Audit/Controls Managers/ Seniors) - 148 pages

Audit Guidelines -Line Management and Controls Practitioner (Applications or Operations Manager and Auditor) – 226 pages

Management Guidelines - Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit/Control Managers - 122 pages

Implementation Tool Set - Director of IS and Audit/Control, Mid-Level IS Management and IS Audit/Control Managers - 86 pages

The Framework’s Principles

  • Business Requirements
  • IT Processes
  • IT Resources

Business Requirements = Information Criteria

  • Quality Requirements: Quality, Cost, Delivery
  • Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; Compliance with Laws and Regulations
  • Security Requirements: Confidentiality, Integrity, Availability

Information Technology Resources

  • Data – Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
  • Application Systems – Application systems are understood to be the sum of manual and programmed procedures.
  • Technology – Technology covers hardware, operating systems, database management systems, networking, multimedia, etc.
  • Facilities – Resources to house and support information systems.
  • People – Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.

IT Domains & Processes

  • Domains – Natural grouping of processes, often matching an organisational domain of responsibility.
  • Processes – A series of joined activities with natural (control) breaks.
  • Activities – Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

CONTROL OBJECTIVES

The DOMAINS

  • Planning & Organization
  • Acquisition & Implementation
  • Delivery & Support
  • Monitoring

Planning and Organisation

  • Define a Strategic IT Plan
  • Define the Information Architecture
  • Determine Technological Direction
  • Define the IT Organisation and Relationships
  • Manage the IT Investment
  • Communicate Management Aims and Direction
  • Manage Human Resources
  • Ensure Compliance with External Requirements
  • Assess Risks
  • Manage Projects
  • Manage Quality

Acquisition and Implementation

  • Identify Automated Solutions
  • Acquire and Maintain Application Software
  • Acquire and Maintain Technology Infrastructure
  • Develop and Maintain Procedures
  • Install and Accredit Systems
  • Manage Changes

Delivery and Support

  • Define and Manage Service Levels
  • Manage Third-Party Services
  • Manage Performance and Capacity
  • Ensure Continuous Service
  • Ensure Systems Security
  • Identify and Allocate Costs
  • Educate and Train Users
  • Assist and Advise Customers
  • Manage the Configuration
  • Manage Problems and Incidents
  • Manage Data
  • Manage Facilities
  • Manage Operations

Monitoring

  • Monitor the Processes
  • Assess Internal Control Adequacy
  • Obtain Independent Assurance
  • Provide for Independent Audit
IT Process Overview

1.0 Define a Strategic IT Plan

The IT function should ensure that there are IT long- and short-range plans for managing and directing all IT resources of the organisation. These plans should be timely and accurately updated to accommodate changes in IT conditions. Assessments of existing systems should be performed prior to developing or changing the strategic IT plan. Furthermore, IT management should ensure that the strategic IT plan is consistent with the business objectives and long- and short-range plans of the organisation.

Linking to Control Objectives

  • Control over the IT process of DEFINING A STRATEGIC IT PLAN (PO-1)
  • that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment
  • is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals
  • and takes into consideration:
    • enterprise business strategy
    • definition of how IT supports the business objectives
    • inventory of technological solutions and current infrastructure
    • monitoring the technology watch markets
    • timely feasibility studies and reality checks
    • existing systems assessments
    • enterprise position on risk, time-to-market, quality
    • need for senior management buy-in, support and critical review
SUMMARY OF COBIT TO THIS POINT

  • Framework defines a construct for reviewing and managing IT.
  • Four domains are identified.
  • Within each domain there are processes -- 34 total.
  • Within each process there are high-level IT control objectives defining controls that should be in place.
  • For each of the 34 processes, there are from 3 to 30 detailed IT control objectives.
  • There are navigational tools including a “waterfall” approach.
  • A systematic and logical method for defining and communicating IT control objectives.
AUDIT GUIDELINES

The objectives of auditing are to:
  • provide management with reasonable assurance that control objectives are being met
  • where there are significant control weaknesses, to substantiate the resulting risks
  • advise management on corrective actions
AUDIT GUIDELINES

The process is audited by:
  • Obtaining an understanding of business requirements, related risks, and relevant control measures
  • Evaluating the appropriateness of stated controls
  • Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
  • Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.

Audit Guidelines

1 Generic Guideline

34 Process Oriented Guidelines

A generic guideline identifies various tasks to be performed in assessing ANY control objective within a process.

Others are specific process-oriented task suggestions to provide management assurance that a control is in place and working.

GENERIC AUDIT GUIDELINE

OBTAINING AN UNDERSTANDING

The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place.

Interview appropriate management and staff to gain an understanding of:
  • Business requirements and associated risks
  • Organization structure
  • Roles and responsibilities
  • Policies and procedures
  • Laws and regulations
  • Control measures in place
  • Management reporting (status, performance, action items)

Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk through).

GENERIC AUDIT GUIDELINE

EVALUATING THE CONTROLS

The audit steps to be performed in assessing the effectiveness of control measures in place or the degree to which the control objective is achieved. Basically deciding what, whether and how to test.

Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures and applying professional judgment:
  • Documented processes exist
  • Appropriate deliverables exist
  • Responsibility and accountability are clear and effective
  • Compensating controls exist, where necessary

Conclude the degree to which the control objective is met.
GENERIC AUDIT GUIDELINE

ASSESSING COMPLIANCE

The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.

Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review using both direct and indirect evidence.

Perform a limited review of the adequacy of the process deliverables.

Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.

GENERIC AUDIT GUIDELINE

SUBSTANTIATING THE RISK

The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.

Document the control weaknesses and resulting threats and vulnerabilities.

Identify and document the actual and potential impact (e.g., through root-cause analysis).

Provide comparative information (e.g., through benchmarks).

AUDIT GUIDELINES

Audit Guidelines are GUIDELINES. They are only a start for identifying tasks associated with particular process control objectives.

PO 1 DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN

Identifying:
  • IT failures to meet the organization’s missions and goals
  • IT failures to match short-range plans with long-range plans
  • IT project failures to meet short-range plans
  • IT failures to meet cost and time guidelines
  • Missed business opportunities
  • Missed IT opportunities

SUMMARY OF COBIT TO THIS POINT
  • Framework of four domains and 34 key IT processes.
    • Defines high-level IT control objectives defining controls that should be in place.
    • For each of the 34 processes, there are from 3 to 30 detailed IT controls
  • Audit Guidelines identify a process to:
    • Obtain an understanding of the BUSINESS requirements
    • Evaluate the stated controls
    • Assess compliance with controls
    • Substantiate the risk to the BUSINESS
Management Guidelines
  • COBIT is meant to be “IMPLEMENTED”, not just used as a measure. Thus it has:
  • Maturity Models
  • Critical Success Factors
  • Key Performance Indicators
  • IT Generic Process and IT Governance
  • Guidelines
Management Guidelines

  • CRITICAL SUCCESS FACTORS – the most important things you need to do based on the choices made in a Maturity Model
  • KEY PERFORMANCE INDICATORS – key monitoring points to measure whether or not you will reach the organizational goals for IT
  • KEY GOAL INDICATORS – the goals for the organization to be measured by the KPIs during the process of implementing COBIT

Management Guidelines

  • Generic and action oriented
  • For the purpose of
    • IT Control profiling –what is important?
    • Awareness – where is the risk?
    • Benchmarking - what do others do?
  • Supporting decision making and follow-up
    • Key performance indicators of IT Processes
    • Critical success factors of controls
    • Control implementation choices
Generic Maturity Model - Dimensions

  • Understanding and awareness
  • Training and communications
  • Processes and practices
  • Techniques and automation
  • Compliance
  • Expertise
Generic Maturity Model - Dimensions
  • Training & Communication
    • Level 1 – Sporadic
    • Level 2 – Overall needs only
    • Level 3 – Informal training
    • Level 4 – Formal training
    • Level 5 – Supports best practices
Generic Maturity Model - Dimensions
  • Processes & Practices
    • Level 1 – Ad hoc
    • Level 2 – Intuitive practices
    • Level 3 – Defined and documented
    • Level 4 – Ownership assigned, best internal practices
    • Level 5 – Supports best external practices
Generic Maturity Model - Dimensions
  • Techniques & Automation
    • Level 1 –
    • Level 2 – Some common tools
    • Level 3 – Standard tool set
    • Level 4 – Mature techniques, tactical technology
    • Level 5 – Sophisticated tools, optimized technology
Critical Success Factors

  • Management oriented IT control implementation guidance
  • Most important things that contribute to the IT process achieving its goal
  • Control Statement and Considerations of the ‘Waterfall’
  • Visible and measurable signs of success
  • Short, focussed and action oriented
  • Leveraging the resources of primary importance in this process
In summary
  • Critical Success Factors
  • Represent the most important things to do to increase the probability of success of the process
  • Are observable - usually measurable - characteristics of the organisation and process
  • Are either strategic, technological, organisational or procedural in nature
  • Focus on obtaining, maintaining and leveraging capability and skills
  • Are expressed in terms of the process, not necessarily the business
Key Performance Indicators

Guidance for measurement can be obtained from the Balanced Business Scorecard concepts, where goals and measures from the financial, customer, process and innovation perspectives are set and monitored.

In the Balanced Business Scorecard approach, the Goal is measured based on its outcome. The Drivers or Enablers that make it possible to achieve the goal are measured based on their performance in support of reaching the goal

Key Performance Indicators

  • The degree of importance of each of these criteria is a function of the business and the environment that the enterprise operates in
  • COBIT then allows selection of those control objectives that best fit the degree of importance, i.e., the Profile
  • This profile also expresses the enterprise’s position on risk
Key Performance Indicators

The goal for IT can then be expressed as

The performance measure of the enabler becomes the goal for IT, which in turn will have a number of enablers. These could be the COBIT IT domains. Here again the measures can be cascaded, the performance measure of the domain becoming, for example, a goal for the process

In summary
  • Key Performance Indicators
  • Are a measure of “how well” the process is performing
  • Predict the probability of success or failure in the future
  • Are process oriented, but IT driven
  • Focus on the process and learning dimensions of the balanced scorecard
  • Are expressed in precise, measurable terms
  • Help in improving the IT process
Key Goal Indicators

  • KGI for goal: measurable indicators of the process achieving its goal
  • Business Requirement of the ‘Waterfall’
  • Influenced by the primary and secondary information criteria
  • A potential source can be found in COBIT’s ‘Substantiating Risk’ section in the Audit Guidelines
Key Goal Indicators

Given that the link between the business and IT scorecards is expressed in terms of the information criteria, the KGIs will usually be stated as:

  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost-efficiency of processes and operations
  • Confirmation of reliability, effectiveness and compliance
In summary
  • Key Goal Indicators
  • Describe the outcome of the process and are therefore measurable after the fact
  • Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
  • Focus on the customer and financial dimensions of the balanced business scorecard
  • Represent the process goal, i.e., a measure of “what”, a target to achieve
  • Are IT oriented, but business driven
  • Are expressed in precise measurable terms, wherever possible
  • Focus on those information criteria that have been identified to be of most importance for this process
Generic IT Process

Control over an IT process and its activities with specific business goals

is determined by the delivery of information to the business that addresses the required information criteria and is measured by KGIs

is enabled by creating and maintaining a system of process and control excellence appropriate for the business

considers CSFs that leverage specific IT resources and is measured by KPIs

Generic IT Process

Potential Critical Success Factors

  • IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability,
  • The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
  • A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
  • Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
  • Goals and objectives are communicated and are understood
  • It is known how to implement and monitor process objectives and who is accountable for process performance
  • A continuous process quality improvement effort is applied
  • The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist
Generic IT Process

Potential Key Goal Indicators

  • Increased level of service delivery
  • Number of customers and cost per customer served
  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost efficiency of processes and operations
  • Confirmation of reliability and effectiveness
  • Adherence to development cost and schedule
  • Cost efficiency of the process
  • Staff productivity and morale
  • Number of timely changes to processes and systems
  • Improved productivity (e.g., delivery of value per employee)
Generic IT Process
  • Potential Key Performance Indicators
  • System downtime
  • Throughput and response times
  • Amount of errors and rework
  • Number of staff trained in new technology and customer service skills
  • Benchmark comparisons
  • Number of non-compliance reportings
  • Reduction in development and processing time
Management Guidelines Components

  • IT governance guideline
  • Generic IT process guideline
  • For each of the 34 IT processes
    • one maturity model
    • 5 to 7 KGIs
    • 8 to 10 CSFs
    • 6 to 8 KPIs
SUMMARY OF COBIT TO THIS POINT
  • Framework of four domains and 34 key IT processes.
    • Defines high-level IT control objectives defining controls that should be in place.
    • For each of the 34 processes, there are from 3 to 30 detailed IT controls
  • Audit Guidelines identify a process to:
    • Obtain an understanding of the BUSINESS requirements
    • Evaluate the stated controls
    • Assess compliance with controls
    • Substantiate the risk to the BUSINESS
  • Management Guidelines outline:
    • The process to implement COBIT with key indicators of success
    • A maturity model to measure progress
Why Should an Organization Adopt COBIT?

  • Attention focused on Corporate Governance
    • Management Accountability for Resources
    • Specific Need for Control of IT Resources
  • Stresses business-oriented solutions
  • Provides an authoritative framework for Risk Assessment
  • Improved communication among management, users and auditors
Management Expectations of IT

  • Re-Engineered Processes
  • Right-Sizing
  • Distributed Processing
  • Flattened organizations
  • Outsourcing

Management Responsibilities for IT

  • Safeguarding Assets
  • Information as Most Valuable Asset

COBIT Framework

Blends Management’s IT Expectations with Management’s IT Responsibilities

Management Needs COBIT
  • To evaluate IT investment decisions
    • Making the link to the business needs
    • Ensuring best use is made of information
    • Ensuring regulatory and legislative compliance
    • To balance risk and control of investment
  • To Benchmark Existing and Future IT Environment
    • Organizing into a generally accepted model of IT processes
    • Identifying major IT resources to be leveraged
Why do Application Owners need COBIT?
  • COBIT is a control-oriented framework
    • Helps organizations to align Control Objectives with existing “de jure” and “de facto” standards, regulations and best practices
  • Information, and by relationship IT, is one of an organization’s most valuable assets
    • Value, risk and control are the core of IT governance
    • Management responsibility – to ensure IT sustains and extends business objectives
  • A more responsive IT organization should result in a better alignment with your business
IT needs COBIT
  • Ensure strategic alignment
    • Ensure linkage of business and IT plans
    • Align operations with enterprise objectives
  • Value delivery
    • Ensure IT delivers promised benefits – focus on controlling costs
  • Optimise resource management
    • Proper management of IT resources – data, applications, infrastructure, people
IT needs COBIT
  • Apply risk management
    • Embed risk management responsibilities into the organization
    • Raise awareness of all senior officers
    • Track risks and ensure transparency of risks
  • Performance measurement
    • Track and monitor strategy implementation
    • Benchmark operations
    • Allow for continuous improvement
Current Situation
  • Varied maturity levels across government, and even within individual organizations
  • Historically IT has tended to be an objective unto itself
  • Often IT plans bear no relationship to the business plans of the business organization
  • Often shows up as lack of control over IT projects – large projects often fail
Current Situation
  • Recent focus on IT infrastructure and operations control across government – implementation of ITIL
    • IT Infrastructure Library is a compendium of best practices –and is contained within COBIT
  • Improvement in project governance
    • Enhanced Management Framework
  • COBIT can enhance all these initiatives
COBIT

Questions and Answers

COBIT

For additional information: www.isaca.org

www.itgi.org

COBIT - Appendices
  • Information Criteria
  • Implementing COBIT
Information Criteria Working Definitions

Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

Information Criteria Working Definitions

Efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.

Information Criteria Working Definitions

Confidentiality: concerns the protection of sensitive information from unauthorised disclosure.

Information Criteria Working Definitions

Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with business’ set of values and expectations.

Information Criteria Working Definitions

Availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.

Information Criteria Working Definitions

Compliance: deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.

Information Criteria Working Definitions

Reliability of Information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing reporting to users of the financial information, and in providing information to regulatory bodies with regard to compliance with laws and regulations.

To Adopt COBIT, Who Needs To Be Influenced?

Management, especially IT policy makers, play a major role in influencing the adoption of COBIT in the organisation. Examples of such policy makers include:
  • Chief Executive (e.g., CEO)
  • Senior IT Executive (CIO or VP of IT)
  • IT Steering Committee
  • IT Management

A Product For Many Audiences

When you are… Executive manager

COBIT could serve the following objectives for you…
  • Accept and promote COBIT as general IT governance model for all enterprises within enterprise

Some specific approaches which could prove useful...
  • Use COBIT to complement existing internal control framework
  • Use COBIT process model to establish common language between business and IT; allocate clear responsibilities

A Product For Many Audiences

When you are… Business manager

COBIT could serve the following objectives for you…
  • Use COBIT to establish a common entity-wide model to manage and monitor IT’s contribution to the business

Some specific approaches which could prove useful...
  • Use COBIT control objectives as a code of good practice for dealing with IT within the business function
  • Use COBIT control objectives to determine needs to be covered by Service Level Agreements (internal or outsourced)

A Product For Many Audiences

When you are… IT manager

COBIT could serve the following objectives for you…
  • Use the COBIT process model and detailed control objectives to structure IT services function into manageable and controllable processes focussing on business contribution

Some specific approaches which could prove useful...
  • Use the COBIT control model to establish SLAs and communicate with business functions
  • Use the COBIT control model as basis for process-related performance measures and IT-related policies and norms
  • Use COBIT as baseline model to establish the appropriate level of control objectives and external certifications

A Product For Many Audiences

When you are… Project manager

COBIT could serve the following objectives for you…
  • As a general framework for minimal project and quality assurance standards

Some specific approaches which could prove useful...
  • Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery and project management, and assessment

A Product For Many Audiences

When you are… Developer

COBIT could serve the following objectives for you…
  • As minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built

Some specific approaches which could prove useful...
  • Use COBIT to ensure that all applicable IT control objectives in the development project have been addressed

A Product For Many Audiences

When you are… Operations

COBIT could serve the following objectives for you…
  • As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives

Some specific approaches which could prove useful...
  • Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive

A Product For Many Audiences

When you are… User

COBIT could serve the following objectives for you…
  • As minimal guidance for internal control to be integrated within information systems, being fully operational or under development

Some specific approaches which could prove useful...
  • Use COBIT to guide service level agreements

A Product For Many Audiences

When you are… Information Security Officer

COBIT could serve the following objectives for you…
  • As harmonising framework providing a way to integrate information security with other business related IT objectives

Some specific approaches which could prove useful...
  • Use COBIT to structure the information security program, policies and procedures

slide90

A Product For Many Audiences

COBIT could serve

the following Some specific approaches

When you are… objectives for you… which could prove useful...

Auditor As basis for determining Use COBIT as criteria for review

the IT audit universe and review and examination, and for

as IT control reference framing IT-related audits

COBIT Management Awareness Diagnostic Tools

One of the most challenging tasks will be getting top management's attention. Two tools for getting that attention and raising management's awareness are:

  • IT Governance Self-Assessment
  • Management's IT Concerns Diagnostic
IT Governance Self-Assessment

Asks management to determine, for EACH of the COBIT processes:

  • How important the process is for business objectives
  • Whether the process is performed
  • Who performs the process
  • Whether the process is audited
  • Whether the process and its controls are formalized

Management's IT Concerns Diagnostic

Identifies which IT processes need to be under control for various IT concerns (management issues), such as:

  • Internet/Intranet
  • Enterprise packaged solutions
  • Client/server architecture
  • Workgroups and groupware
  • Network management

How To Implement COBIT in an Organisation

  • Top Down Approach
  • Audit Committee Approach
  • Audit and IT Management Consensus Approach
  • Regulation/Legislation
Ways to Implement

Approach #1 -- Top Down

  • Communicate COBIT to senior operating management and IT management
  • Communicate the framework to the CIO
  • Communicate within the CIO's organisation via education
  • Gain commitment to processes and control objectives
  • Develop cyclical audit programs to cover all processes

Ways to Implement

Approach #2 -- The Audit Committee

  • Communicate with and educate the Audit Committee
  • Develop cycle/coverage scenarios to minimise potential liability of committee members
  • Communicate cyclical coverage within IT
  • Execute the audit plan, using COBIT to scope audits and define required IT control objectives

Ways to Implement

Approach #3 -- Audit and IT Management Consensus

  • COBIT is communicated within Audit
  • Audit performs an internal assessment of IT
  • Audit shares the assessment with IT
  • IT and Audit reconcile variances to reach consensus
  • Audit program developed and executed, based on the self-assessment

Ways to Implement

Approach #4 -- Regulation/Legislation

  • COBIT is specified for compliance by a regulating authority
  • COBIT is specified for compliance by legislation

Implementation Action Plan for Organization

  • Distribute copies of the COBIT Executive Overview and/or Summary to key managers, triggering analysis of and thoughts about the organisation's existing approach to IT controls
  • Present to the Operations and Technology management team and key staff
  • Present to outsourced service provider management and key staff
  • Assist key managers in developing action plans to integrate COBIT concepts into business processes
  • Present COBIT concepts and activity progress reports to senior management to inform and gain commitment
  • Develop or update audit programs consistent with the COBIT Audit Guidelines
  • Restructure the audit inventory to reflect a COBIT process orientation
  • Present COBIT concepts, progress and results to the Audit Committee

Implementing COBIT from an Audit Perspective

  • As an Organizational Tool
  • As a Consensus-Building Tool
  • As an Engagement "Scoping" Tool
  • As a Self-Assessment Tool
  • Risk Assessment and Audit Planning Using COBIT

COBIT as an Organizational Tool

One auditor is assigned to each COBIT domain:

Domain #1 (Planning & Organisation) = Auditor #1
Domain #2 (Acquisition & Implementation) = Auditor #2
Domain #3 (Delivery & Support) = Auditor #3
Domain #4 (Monitoring) = Auditor #4

COBIT as a Consensus-Building Tool

Each level of management is paired with its audit counterpart and the auditor covering the corresponding domain:

CEO -------- Senior Audit Executive ---- Auditor #1
CIO -------- Director of Audit --------- Auditor #2
Dir. IT ---- Senior Audit Manager ------ Auditor #3
Appl. Mgr. - Practitioner -------------- Auditor #4

COBIT as an Engagement "Scoping" Tool

  • "I want to look at this area of IT..."
  • "What are the processes involved?"
  • "What are the control objectives involved?"

COBIT allows identification of the minimum controls for the area under review.

COBIT as an IT Self-Assessment Tool

  • "Are there specific areas where too few or too many resources are being applied?"
  • "How am I doing against COBIT's IT control requirements?"
  • "Can Audit focus on strengths for improvement? I already know my weaknesses."
  • "Show me what controls should be in place before you come in, so I can clean up my shop." -- reallocate resources to higher-risk projects