COBIT 4.0 WHAT YOU NEED TO KNOW Howard DuBois, CISA email@example.com
Objectives • Review structure and content of COBIT • Assess challenges for IT management • Explore impact of a successful implementation of COBIT on application owners
What is COBIT? • COBIT is a highly regarded IT Governance framework produced and supported by the IT Governance Institute (ITGI) • COBIT 4.0 is the most recent release of this model
What Does COBIT Stand For?
• C – Control
• OB – Objectives
• I – for Information
• T – and Related Technology
Why is COBIT Important? Some interesting questions: • Why are “control objectives” of interest to application owners and users? • What is the history behind COBIT? • Where does IT Governance fit in?
COBIT’s History • COBIT started as a control model for IT auditors – hence control objectives for IT organizations and operations • At some point, someone realized that if the model was good enough for the auditor to measure IT control and effectiveness, it was good enough for management • This became a “governance framework” when it was realized that good control required implementation of best practices
COBIT’s History • Control Objectives produced as an audit product by EDPAF early 1990’s • COBIT first edition - 1996 • COBIT second edition – 1998 • First reference to governance and seeing COBIT as a set of best practices for IT management • COBIT third edition – 2000 • First reference to ITGI • First reference to management guidelines
COBIT’s History • COBIT 4.0 - 2005 • 4.0 is an update of 3rd edition – better mapping to business goals, further development of maturity models • COBIT On-Line introduced • During the process, other products were issued • Control Practices – 2004 – more detailed exploration of individual practices seen as best practices
Purpose of COBIT • Provide generally applicable and accepted Standards for Good Practices for Information and Information Technology (IT) Control • Based on a management-oriented Framework for Control in IT • Aligned with De Jure and De Facto Standards and Regulations • Create a manageable and logical structure
The Pieces of COBIT
• Exec Summary – Senior Executives (CEO, CIO) – 16 pages
• Framework – Senior Operational Management (Directors of IT and IS Audit/Controls) – 68 pages
• Control Objectives – Middle Management (IT Management and IS Audit/Controls Managers/Seniors) – 148 pages
• Audit Guidelines – Line Management and Controls Practitioner (Applications or Operations Manager and Auditor) – 226 pages
• Management Guidelines – Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit/Control Managers – 122 pages
• Implementation Tool Set – Director of IS and Audit/Control, Mid-Level IS Management and IS Audit/Control Managers – 86 pages
The Framework’s Principles • Business Requirements • IT Processes • IT Resources
Business Requirements = Information Criteria
• Quality Requirements: Quality, Cost, Delivery
• Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations; Reliability of Financial Reporting; Compliance with Laws and Regulations
• Security Requirements: Confidentiality, Integrity, Availability
Information Technology Resources
• Data – Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
• Application Systems – Application systems are understood to be the sum of manual and programmed procedures.
• Technology – Technology covers hardware, operating systems, database management systems, networking, multimedia, etc.
• Facilities – Resources to house and support information systems.
• People – Staff skills, awareness and productivity to plan, organize, acquire, deliver, support and monitor information systems and services.
IT Domains & Processes
• Domains – Natural grouping of processes, often matching an organisational domain of responsibility.
• Processes – A series of joined activities with natural (control) breaks.
• Activities – Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
CONTROL OBJECTIVES – The DOMAINS * Planning & Organization * Acquisition & Implementation * Delivery & Support * Monitoring
Planning and Organisation • Define a Strategic IT Plan • Define the Information Architecture • Determine Technological Direction • Define the IT Organisation and Relationships • Manage the IT Investment • Communicate Management Aims and Direction • Manage Human Resources • Ensure Compliance with External Requirements • Assess Risks • Manage Projects • Manage Quality
Acquisition and Implementation • Identify Automated Solutions • Acquire and Maintain Application Software • Acquire and Maintain Technology Infrastructure • Develop and Maintain Procedures • Install and Accredit Systems • Manage Changes
Delivery and Support • Define and Manage Service Levels • Manage Third-Party Services • Manage Performance and Capacity • Ensure Continuous Service • Ensure Systems Security • Identify and Allocate Costs • Educate and Train Users • Assist and Advise Customers • Manage the Configuration • Manage Problems and Incidents • Manage Data • Manage Facilities • Manage Operations
Monitoring • Monitor the Processes • Assess Internal Control Adequacy • Obtain Independent Assurance • Provide for Independent Audit
IT Process Overview 1.0 Define a Strategic IT Plan The IT function should ensure that there are IT long- and short-range plans for managing and directing all IT resources of the organisation. These plans should be timely and accurately updated to accommodate changes in IT conditions. Assessments of existing systems should be performed prior to developing or changing the strategic IT plan. Furthermore, IT management should ensure that the strategic IT plan is consistent with the business objectives and long- and short-range plans of the organisation.
Linking to Control Objectives
• Control over the IT process of DEFINING A STRATEGIC IT PLAN (PO-1)
• that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements as well as ensuring its further accomplishment
• is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals
• and takes into consideration:
* enterprise business strategy
* definition of how IT supports the business objectives
* inventory of technological solutions and current infrastructure
* monitoring the technology watch markets
* timely feasibility studies and reality checks
* existing systems assessments
* enterprise position on risk, time-to-market, quality
* need for senior management buy-in, support and critical review
SUMMARY OF COBIT TO THIS POINT
• Framework defines a construct for reviewing and managing IT.
• Four domains are identified.
• Within each domain there are processes – 34 total.
• Within each process there are high-level IT control objectives defining controls that should be in place.
• For each of the 34 processes, there are from 3 to 30 detailed IT control objectives.
• There are navigational tools including a “waterfall” approach.
• A systematic and logical method for defining and communicating IT control objectives.
AUDIT GUIDELINES
The objectives of auditing are to:
• provide management with reasonable assurance that control objectives are being met
• where there are significant control weaknesses, to substantiate the resulting risks
• advise management on corrective actions
AUDIT GUIDELINES
The process is audited by:
• Obtaining an understanding of business requirements, related risks, and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
• Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.
Audit Guidelines: 1 Generic Guideline, 34 Process-Oriented Guidelines. A generic guideline identifies various tasks to be performed in assessing ANY control objective within a process. Others are specific process-oriented task suggestions to provide management assurance that a control is in place and working.
GENERIC AUDIT GUIDELINE – OBTAINING AN UNDERSTANDING
The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place.
Interview appropriate management and staff to gain an understanding of:
* Business requirements and associated risks
* Organization structure
* Roles and responsibilities
* Policies and procedures
* Laws and regulations
* Control measures in place
* Management reporting (status, performance, action items)
Document the process-related IT resources particularly affected by the process under review.
Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk-through).
GENERIC AUDIT GUIDELINE – EVALUATING THE CONTROLS
• The audit steps to be performed in assessing the effectiveness of control measures in place or the degree to which the control objective is achieved. Basically deciding what, whether and how to test.
• Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures and applying professional judgment:
* Documented processes exist
* Appropriate deliverables exist
* Responsibility and accountability are clear and effective
* Compensating controls exist, where necessary
• Conclude the degree to which the control objective is met.
GENERIC AUDIT GUIDELINE – ASSESSING COMPLIANCE
The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.
• Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review using both direct and indirect evidence.
• Perform a limited review of the adequacy of the process deliverables.
• Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
GENERIC AUDIT GUIDELINE – SUBSTANTIATING THE RISK
The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.
• Document the control weaknesses and resulting threats and vulnerabilities.
• Identify and document the actual and potential impact (e.g., through root-cause analysis).
• Provide comparative information (e.g., through benchmarks).
AUDIT GUIDELINES Audit Guidelines are GUIDELINES. They are only a start for identifying tasks associated with particular process control objectives.
PO 1 DEFINE A STRATEGIC INFORMATION TECHNOLOGY PLAN
Identifying:
• IT failures to meet the organization’s missions and goals
• IT failures to match short-range plans with long-range plans
• IT project failures to meet short-range plans
• IT failures to meet cost and time guidelines
• Missed business opportunities
• Missed IT opportunities
SUMMARY OF COBIT TO THIS POINT • Framework of four domains and 34 key IT processes. • Defines high-level IT control objectives defining controls that should be in place. • For each of the 34 processes, there are from 3 to 30 detailed IT controls • Audit Guidelines identify a process to: • Obtain an understanding of the BUSINESS requirements • Evaluate the stated controls • Assess compliance with controls • Substantiate the risk to the BUSINESS
Management Guidelines • COBIT is meant to be “IMPLEMENTED”, not just used as a measure. Thus it has: • Maturity Models • Critical Success Factors • Key Performance Indicators • IT Generic Process and IT Governance Guidelines
Management Guidelines
• CRITICAL SUCCESS FACTORS – the most important things you need to do based on the choices made in a Maturity Model
• KEY PERFORMANCE INDICATORS – key monitoring points to measure whether or not you will reach the organizational goals for IT
• KEY GOAL INDICATORS – the goals for the organization to be measured by the KPIs during the process of implementing COBIT
Management Guidelines • Generic and action oriented • For the purpose of • IT Control profiling –what is important? • Awareness – where is the risk? • Benchmarking - what do others do? • Supporting decision making and follow-up • Key performance indicators of IT Processes • Critical success factors of controls • Control implementation choices
Generic Maturity Model - Dimensions • Understanding and awareness • Training and communications • Processes and practices • Techniques and automation • Compliance • Expertise
Generic Maturity Model - Dimensions • Training & Communication • Level 1 – Sporadic • Level 2 – Overall needs only • Level 3 – Informal training • Level 4 – Formal training • Level 5 – Supports best practices
Generic Maturity Model - Dimensions • Processes & Practices • Level 1 – Ad hoc • Level 2 – Intuitive practices • Level 3 – Defined and documented • Level 4 – Ownership assigned, best internal practices • Level 5 – Supports best external practices
Generic Maturity Model - Dimensions • Techniques & Automation • Level 1 – • Level 2 – Some common tools • Level 3 – Standard tool set • Level 4 – Mature techniques, tactical technology • Level 5 – Sophisticated tools, optimized technology
Critical Success Factors • Management oriented IT control implementation guidance • Most important things that contribute to the IT process achieving its goal • Control Statement and Considerations of the ‘Waterfall’ • Visible and measurable signs of success • Short, focussed and action oriented • Leveraging the resources of primary importance in this process
In summary • Critical Success Factors • Represent the most important things to do to increase the probability of success of the process • Are observable - usually measurable - characteristics of the organisation and process • Are either strategic, technological, organisational or procedural in nature • Focus on obtaining, maintaining and leveraging capability and skills • Are expressed in terms of the process, not necessarily the business
Key Performance Indicators Guidance for measurement can be obtained from the Balanced Business Scorecard concepts, where goals and measures from the financial, customer, process and innovation perspective are set and monitored. In the Balanced Business Scorecard approach, the Goal is measured based on its outcome. The Drivers or Enablers that make it possible to achieve the goal are measured based on their performance in support of reaching the goal.
Key Performance Indicators • The degree of importance of each of these criteria is a function of the business and the environment that the enterprise operates in • COBIT then allows selection of those control objectives that best fit the degree of importance, i.e., the Profile • This profile also expresses the enterprise’s position on risk
Key Performance Indicators The goal for IT can then be expressed as The performance measure of the enabler becomes the goal for IT, which in turn will have a number of enablers. These could be the COBIT IT domains. Here again the measures can be cascaded, the performance measure of the domain becoming, for example, a goal for the process
In summary • Key Performance Indicators • Are a measure of “how well” the process is performing • Predict the probability of success or failure in the future • Are process oriented, but IT driven • Focus on the process and learning dimensions of the balanced scorecard • Are expressed in precise, measurable terms • Help in improving the IT process
Key Goal Indicators
• KGI for goal: measurable indicators of the process achieving its goal
• Business Requirement of the ‘Waterfall’
• Influenced by the primary and secondary information criteria
• A potential source can be found in COBIT’s ‘Substantiating Risk’ section in the Audit Guidelines
Key Goal Indicators Given that the link between the business and IT scorecards is expressed in terms of the information criteria, the KGIs will usually be stated as: • Availability of systems and services • Absence of integrity and confidentiality risks • Cost-efficiency of processes and operations • Confirmation of reliability, effectiveness and compliance