Executive Briefing, October 16, 2001 (slide transcript)
Posted on 18-Dec-2015
Slide 1
Executive Briefing, October 16, 2001
Slide 2
Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts
Adjunct faculty at Bentley College
Member of CobiT Steering Committee
Served as member of Y2K Coordinating Council, Commonwealth of Massachusetts
1994-1995 International President of ISACA/F
Served as member of Governor’s Commission on Computer Crime, Governor’s Commission on Computer Technology and Law, and Governor’s Task Force on E-Commerce
e-mail: [email protected]
Slide 3
How does responsible management keep the ship on course?
How do we achieve satisfactory results for our clients and stakeholders?
How do we adapt in a timely manner to “best practices” for our organization’s environment?
Slide 4
When we spend a lot of money and what we have built doesn’t work, or is difficult to maintain, or is not accepted, or appears vulnerable, people have a lot to say.
Slide 5
Stakeholders apply pressure
Shareholders and Executive: lower cost, higher profitability and increased market share
Customers and Staff: more functionality at lower cost and greater ease of use
Society: greater accountability for executives in private and public sector
Slide 6
What are the customers saying?
E-business Factors: guarantee of delivery, customer service, ease of use, increased dependence, security
Slide 7
What signals are regulators giving?
Federal Reserve:
Focus on operational risk, within which security and IT are very significant
All major risk issues have been caused by breakdowns in internal control, oversight, and information technology
Slide 8
Most Pressing Concerns about Information Technology
Security
Availability
Integrity and Effectiveness
Cost
Slide 9
September 11th has impacted us all in a whole lot of ways
Personal
Economic
Security
Risk
Slide 10
Measures?
Scales?
Indicators?
Slide 11
The Answer Lies In:
Having clear understandings of the strategic value of technology
Bringing that strategic value to reality
Having appropriate frameworks of control
Employing the fundamentals of IT governance
Building mechanisms to provide adequate assurance that IT governance objectives are addressed
Slide 12
CobiT
CobiT’s Control Objectives and Management Guidelines are valuable IT governance tools that help in the understanding and management of risks and benefits associated with information integrity, security and availability and the management of related IT.
Slide 13
Authoritative, up-to-date set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
Structured and organized to provide a powerful control model.
Slide 14
Executive Summary -- Senior Executives (CEO, COO, CFO, CIO)
Framework -- Senior Operational Management (Directors of IS and Audit / Controls)
Control Objectives -- Middle Management (Mid-Level IS and IS Audit / Controls Managers)
Audit Guidelines -- The Line Manager and Controls Practitioner (Applications or Operations Manager and Auditor)
Implementation Tool Set -- Any of the above
Management Guidelines -- Management and Audit
Slide 15
Management Guidelines
Includes:
– Critical Success Factors
– Key Performance Indicators
– Key Goal Indicators
– Maturity models
Slide 16
Right information, to only the right party, at the right time.
Information that is relevant, reliable and secure.
Information provided by systems whose integrity is ensured by a well-managed and properly controlled IT environment.
Slide 17
IT Governance Objectives
IT is aligned with the business, enabling the entity to maximize benefit
IT resources are safeguarded and used in a responsible and ethical manner
IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure
Slide 18
Need for better operational control
While technology makes new business processes possible, it may come with reduced control
Demand for increased effectiveness, efficiency and security
Strategic importance of technology
The need to hold officers and senior management accountable and strengthen governance
Slide 19
Addresses key attributes of information produced by IT.
Provides a working control model for IT-related control objectives.
Links recommended control practices for IT to business and control objectives.
Assists in evaluating appropriateness of controls.
Slide 20
CobiT is an Authoritative Source
Built on a sound framework of control and IT-related control practices.
Aligned with de jure and de facto standards and regulations.
Has undergone expert review and exposure process, now in its 3rd edition.
Slide 21
CobiT Sources
Professional standards for internal control and auditing (COSO, IFAC, AICPA, IIA, etc.)
Technical standards (ISO, EDIFACT, etc.)
Codes of Conduct
Qualification criteria for IT systems and processes (ISO9000, ITSEC, TCSEC, etc.)
Industry practices and requirements from industry forums (ESF, I4)
Emerging industry-specific requirements from banking, e-com, IT manufacturing.
Slide 22
Based on a Strong Foundation and Sound Principles of Internal Control
Slide 23
What is Internal Control?
How it is defined impacts its design, exercise, and evaluation.
Slide 24
Control (as defined by COBIT)
The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.
Source: COBIT Control Objectives, p. 12.
Slide 25
IT Control Objective
A statement of desired result or purpose to be achieved by implementing control procedures in a particular IT activity.
Slide 26
Internal Control
Controls are framed by what is to be attained (control objectives) and the means to attain those goals (the controls).
Slide 27
CobiT Incorporates Key Internal Control Requirements
Systemization
Documentation
Standards, defined expectations
Measurement
Appropriate risk assessment
Slide 28
CobiT Incorporates Key Internal Control Requirements
Well-defined operational and control objectives
Appropriate controls
Competent and trustworthy people
Monitoring & evaluation
Slide 29
CobiT Framework
Built on an understanding of the:
relationship of controls to control objectives,
importance of focusing on the relationship of control objectives to business objectives and business processes,
value of managed processes and resources tied to strategic initiatives.
Slide 30
Framework diagram: Business Processes, Information, IT Resources
Information Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability
IT Resources: data, application systems, technology, facilities, people
What you need vs. what you get: do they match?
Slide 31
Framework’s Three Components
“Business Requirements” for Information
IT Resources
IT Processes
Slide 32
Information Criteria -- The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of Information
Slide 33
IT Resources -- The 2nd Component
Data
Application Systems
Technology
Facilities
People
Slide 34
Information Processes (3rd component)
Domains (4): natural grouping of processes, often matching an organizational domain of responsibility
Processes (34): a series of joined tasks and activities with natural (control) breaks
Tasks & Activities (318): actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.
Slide 35
COBIT Domains: Information Processes (3rd Component)
Planning / Organization
Acquisition / Implementation
Delivery / Support
Monitoring
Slide 36
How do they relate?
IT Processes: Planning and Organization; Acquisition and Implementation; Delivery and Support; Monitoring
IT Resources: Data; Information Systems; Technology; Facilities; Human Resources
Business Requirements: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information Reliability
Slide 37
IT Resource Management
CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with the type, quality, and security of information required to achieve organizational objectives.
Slide 38
The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process
The control of IT Processes
which satisfy Business Requirements
is enabled by Control Statements
considering Control Practices
See Framework, p. 18.
Slide 39
CobiT’s Control Objectives
Contains management control practices by high-level control objective within four categories, or domains, of the control objectives.
Contains statements of the desired results or purposes to be achieved by implementing specific control procedures within an IT activity.
Assists in establishing clear policy and good practices for IT control
Slide 40
Planning and Organization
Strategy and tactical plans for IT
Identify ways that IT can best contribute to the achievement of business objectives
Plan, communicate, and manage the realization of the strategic vision
Establish the IT organization, and
Set the stage for managing information and the technology infrastructure
Slide 41
Acquisition and Implementation Domain
IT solutions
– Identified
– Developed or acquired
– Implemented
– Integrated into the business processes
Change and maintain existing systems
Slide 42
Delivery and Support Domain
Deliver required services
Ensure security and continuity of services
Set up support processes, including training
Process data (including “application” controls)
Slide 43
Monitoring Domain
Regularly assess IT processes for
– Quality
– Appropriateness of controls
– Compliance with control requirements
Addresses management oversight of organization’s control provisions
Provide for an audit function
Slide 44
Relation to Other Control Models
CobiT is in alignment with other control models:
– COSO
– COCO
– Cadbury
– King
Slide 45
Reinforces Control Responsibilities
Management -- has primary responsibility for ensuring that controls are in place and in effect to provide reasonable assurance that operational and control objectives will be met.
Users -- exercise and monitor controls.
Audit -- evaluates, advises and provides statements of assurance regarding the adequacy of controls.
Slide 47
As a control model, CobiT should be tailored to agency, IT platform, and system standards
Use CobiT as the structure to which you link agency-specific operational and control requirements, policies, and standards
Slide 48
Using CobiT
Organizational tool
Management tool
Good practices standard
Strengthen third-party contracts
Criteria for evaluation
Strengthen risk management
Basis for improved management
Slide 49
Using CobiT in Evaluating IT Controls
Selecting areas or control objectives for evaluation
Determining type of evaluation
Engagement/assessment planning
Framing scope and evaluation objectives to CobiT
Development of control assessment approach
Slide 50
Use of CobiT to Plan Control Evaluations
Assessing the control environment and identifying high risk processes
Conducting a high-level and detailed policy and procedures review
Performing a control review
Using CobiT-related matrices
Slide 51
Using CobiT Matrices to Focus on:
IT Functions
– Their importance?
– Level of performance?
– Control documentation?
Responsible Parties of IT
– Performed by?
– Contracted services?
– Primary responsible party?
Risk Assessment
– Importance, level of risk, control documentation
Slide 52
CobiT Helps Identify Key Risks to the Organization
Unaware of the risks
Poor understanding of CSFs
Absence of KPIs
No “scorecard” or basis of measurement
Absence of monitoring and evaluation
Weak IT control environment
Slide 53
CobiT helps senior management, business process owners, and IT gain increased benefit from independent examiners.
Slide 54
Audit Insight: Overview of Audit Planning
Auditee selection (may be CobiT driven)
Entrance conference and on-site preaudit information gathering (CobiT)
Develop proposed scope and audit objectives (CobiT-framed)
Finalize audit work program (CobiT-framed)
Engagement conference (reference CobiT as criteria) and audit (CobiT as review criteria)
Slide 55
Audit Planning:
Who are they? (type of agency, enabling legislation)
What do they do? (mission, business objectives)
How do they plan to do it? (strategy/plan)
How do they do it? (functions, processes)
With what resources? (IT, operational resources, management & staff, raw materials, etc.)
By what rules? (policies, standards, legal and regulatory requirements)
Under what risks? (risk analysis)
Slide 56
Audit Planning:
Who does it? (internal & external players, their roles and responsibilities)
Who knows what is done? (reporting lines, designated points of accountability)
How do they know it is done right? (measurement registers, assurance mechanisms, evaluations, score cards, etc.)
Where are they? (centralized or distributed)
Slide 57
Audit Guidelines
They are evaluation guidelines. A generic guideline identifies the various tasks to be performed in assessing ANY control objective within a process; this generic guideline extracts all repetitive tasks into one, to be performed for all control objectives.
The 34 others are specific process-oriented task suggestions to provide management assurance that a control objective is being addressed.
Slide 58
The IT process is therefore audited by:
Obtaining an understanding of business requirements, related risks, and relevant control measures
Evaluating the appropriateness of stated controls
Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
Substantiating the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources
Slide 59
Organization & Management Review
Clarity and appropriateness of responsibility definitions
Assignment of responsibilities
Points of accountability
Reporting mechanisms for actions taken and activities performed
Efforts to monitor and evaluate adequacy of exercise of responsibilities
Slide 60
Using CobiT to Address Third-Party Providers of IT-Related Services
Are desired processes in place?
Have we established accountability?
Do we agree on the levels of control?
Do the service contracts adequately identify deliverables and responsibilities?
Is there ongoing monitoring and evaluation of providers and partners?
Slide 61
Using the Management Guidelines
Slide 62
What IT Problem?
IT governance is the responsibility of the board of directors and consists of the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives.
What does the agency do? Are they doing the right things? Are they doing it the right way? Are they being done well? Are we getting benefits?
How does management react? Cascading strategy and goals, organizational alignment, a control framework, Balanced Business Scorecard
![Page 63: 1 Executive Briefing October 16, 2001 2 Deputy State Auditor, MIS & IT Audit, Commonwealth of Massachusetts Adjunct faculty at Bentley College](https://reader030.vdocuments.site/reader030/viewer/2022033106/56649d255503460f949fbf4c/html5/thumbnails/63.jpg)
63
CobiT: An IT control framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives.
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains: Planning, Acquiring & Implementing, Delivery & Support, Monitoring
• Looks at fiduciary, quality and security needs of enterprises and provides for seven information criteria that can be used to generically define what the business requires from IT: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance.
64
Why governance?
• “Due diligence”
• IT is strategic to the business
• IT is critical to the business
• Expectations and reality don’t match
• IT involves huge investments and large risks
65
IT is strategic to most businesses
If so, wouldn’t you want to know whether your information technology organization is:
• Likely to achieve its objectives?
• Resilient enough to learn and adapt?
• Judiciously managing the risks it faces?
• Appropriately recognizing opportunities and acting upon them?
66
Management Guidelines
Generic and action oriented
For the purpose of
• IT Control profiling - what’s important?
• Awareness - where’s the risk?
• Benchmarking - what do others do?
Supporting decision making and follow up
• Key performance indicators of IT processes
• Critical success factors of controls
• Control implementation choices
67
Management Guidelines
Critical Success Factors
• the most important things to do to increase the probability of success of the process
• observable - usually measurable - characteristics of the organisation and process
• are either strategic, technological, organizational or procedural in nature
• focus on obtaining, maintaining and leveraging capability and skills
• expressed in terms of the IT process, not necessarily the business
68
Management Guidelines
Key Goal Indicators
• describe the outcome of the process and are therefore a ‘lag’ indicator, i.e., measurable after the fact
• are an indicator of the success of the process but may also be expressed in terms of the business contribution if that contribution is specific to the IT process
• represent the process goal, i.e., a measure of “what”, a target to achieve
• may also describe a measure of the impact of not reaching the process goal
• KGIs are IT oriented but are also business driven
• are expressed in precise measurable terms wherever possible
69
Management Guidelines
Key Performance Indicators
• are a measure of “how well” the process is performing
• predict the probability of success or failure in the future, i.e. KPIs are ‘LEAD’ indicators
• are process oriented but IT driven
• focus on the process and learning dimensions of the balanced scorecard
• are expressed in precise measurable terms
• should help in improving the IT process
70
Maturity Models
• Refer to business requirements and control capabilities at different levels
• Are scales that lend themselves to pragmatic comparison
• Are scales where the difference can be made measurable in an easy manner
• Are recognizable as a “profile” of the enterprise in relation to IT governance and control
• Assist in determining As-Is and To-Be positions relative to IT governance and control maturity
• Lend themselves to support gap analysis to determine what needs to be done to achieve a chosen level
71
Start from a Maturity Model
Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
Legend for symbols used (positions marked on the scale):
• Enterprise current status
• International standard guidelines
• Industry best practice
• Enterprise strategy
Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated
72
What Management should do
• Align IT strategy with business goals
• Cascade strategy and goals down into the agency
• Set up organizational structures that facilitate strategy implementation
• Adopt a control and governance framework
• Provide IT infrastructures that facilitate creation and sharing of business information
• Embed responsibilities for risk management in the organization
• Focus on important IT processes and core IT competencies
• Measure performance (Balanced Business Scorecard)
73
CobiT Recognizes
• IT is an integral part of the organization
• IT governance is an integral part of corporate governance
• Focus on control objectives can strengthen appropriateness and use of internal controls
• Measurement is crucial to internal control
• Monitoring and evaluation are integral to a system of internal control
74
Benefits of CobiT
Supports IT governance objectives.
Helps ensure that IT processes are defined and assigned.
Helps to focus on control objectives.
Leads to more cost-effective IT services.
Helps management to better utilize internal and external auditors
Provides benchmarks for best practices for IT management and IT control
75
Benefits of CobiT
Helps ensure the organization complies with applicable rules, regulations and contractual obligations.
Opportunity for complementary adoption of COSO and CobiT (or other control models).
Authoritative nature of CobiT, encompassing adoption of well-recognized and established standards for IT control.
76
Benefits of CobiT
Strengthens assessment, understanding and exercise of appropriate internal controls.
Provides a good framework for risk assessment and risk management.
Improves communication among management, business process owners, users and auditors regarding IT governance, and between internal and external audit.
Helps auditors and control professionals to be proactive business advisors.
77
Benefits of CobiT
Provides a framework for ensuring that outsourced IT functions are addressed in third-party contracts.
Helps to strengthen the relationship between IT Services and the user community through improved SLAs.
Supports management’s efforts to demonstrate due diligence with respect to IT-based operations.
78
Benefits of CobiT
Helps to provide reasonable assurance that:
– IT process objectives are understood
– IT risks have been identified
– Appropriate controls have been implemented
– Appropriate monitoring and evaluation processes are in effect
– IT process objectives can be achieved.
79
CobiT
• Strengthens the understanding, design, implementation, exercise, and evaluation of internal control through improved focus on information criteria and IT-related control objectives
• Strengthens management’s efforts to “ensure” and Audit’s efforts to provide “assurance”
80
A Tip regarding CobiT
CobiT is generic - adapt it to your organization in cooperation with the business-process owners!
– Determine focus (quality, security, fiduciary)
– Harmonize existing policies and procedures with CobiT
– Determine control responsibilities
– Identify key performance indicators and critical success factors
81
Another Tip or Two
Study it carefully -- it takes some time to understand - keep in mind that you are dealing with a control framework
Start with CobiT’s Control Objectives Framework and progress to the Management Guidelines.
Build the mechanisms to provide assurance that control objectives are being addressed and that controls are working as intended
82
CobiT
For additional information:
www.isaca.org
www.ITgovernance.org
or email or give me a call at (617) 727-6200 ext 135
83
Go Forth and COBITize
Thank You