joburg cobit assurance

Using COBIT 4.1 for Assurance Assignments. Prof. dr. Wim Van Grembergen, University of Antwerp (UA), University of Antwerp Management School (UAMS), IT Alignment and Governance research institute (ITAG). [email protected], www.uams.be/itag

Post on 08-May-2015

TRANSCRIPT

Page 1: Joburg cobit assurance

Using COBIT 4.1 for Assurance Assignments

Prof. dr. Wim Van Grembergen
University of Antwerp (UA)
University of Antwerp Management School (UAMS)
IT Alignment and Governance research institute (ITAG)

[email protected]
www.uams.be/itag

Page 2: Joburg cobit assurance


Agenda

• COBIT introduction

• COBIT framework

• COBIT elements

- High-level and detailed Control Objectives

- IT control practices

- Management Guidelines

- Maturity models

• IT assurance using COBIT

• IT assurance assignments in practice (templates)

Page 3: Joburg cobit assurance

COBIT introduction

Page 4: Joburg cobit assurance

COBIT evolution

• COBIT 1 (1996): Audit
• COBIT 2 (1998): Control
• COBIT 3 (2000): Management
• COBIT 4 (2005): Governance

Page 5: Joburg cobit assurance

Some key strengths

• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starting from business requirements
• Process oriented

(Figure: CobiT as a best practices repository for IT processes, IT management processes and IT governance processes)

Page 6: Joburg cobit assurance

COBIT and other standards

• CobiT: Control (WHAT)
• ITIL: Activities (HOW)
• BS7799: Security (HOW)

Source: Gartner Research Note

Page 7: Joburg cobit assurance

Who needs an IT Control Framework?

• Board and Executive
- to ensure management follows and implements the strategic direction for IT

• Management
- IT investment decisions
- balance risk and control investment
- benchmark existing and future IT environment

• Users
- to obtain assurance on security and control of products and services they acquire internally or externally

• Auditors
- to substantiate opinions to management on internal controls
- to advise on what minimum controls are necessary

Page 8: Joburg cobit assurance

The COBIT framework

Page 9: Joburg cobit assurance

Definitions

(Figure: COBIT Framework, showing the relationship between Business Requirements, IT Processes and IT Resources)

“In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”

Page 10: Joburg cobit assurance

Business requirements

• Quality Requirements: Quality, Delivery, Cost
• Security Requirements: Confidentiality, Integrity, Availability
• Fiduciary Requirements (COSO Report): Effectiveness and Efficiency of Operations, Compliance with Laws and Regulations, Reliability of Financial Reporting

Resulting COBIT business requirements for information: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability of Information

Page 11: Joburg cobit assurance

Business requirements

effectiveness - deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

efficiency - concerns the provision of information through the optimal (most productive and economical) usage of resources

confidentiality - concerns protection of sensitive information from unauthorized disclosure.

integrity - relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations

availability - relates to information being available when required by the business process, and hence also concerns the safeguarding of resources

compliance - deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria

reliability of information - relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.

Page 12: Joburg cobit assurance

Linking business goals - IT goals - IT processes

Process Goal: Understanding security requirements, vulnerabilities and threats
  drives
IT Goal: Ensure IT services can resist and recover from attacks
  drives
Business Goal: Maintain enterprise reputation and leadership

Page 13: Joburg cobit assurance

Page 14: Joburg cobit assurance

Page 15: Joburg cobit assurance

IT processes

Domains: Natural grouping of processes, often matching an organisational domain of responsibility

Processes: A series of joined activities with natural control breaks.

Activities or tasks: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.

Page 16: Joburg cobit assurance


Planning and Organisation

PO1. Define a strategic IT plan

PO2. Define the information architecture

PO3. Determine technological direction

PO4. Define the IT processes, organization and relationships

PO5. Manage the IT investment

PO6. Communicate management aims and direction

PO7. Manage IT human resources

PO8. Manage quality

PO9. Assess and manage IT risks

PO10. Manage projects

COBIT IT Processes

Page 17: Joburg cobit assurance


Acquisition and Implementation

AI1. Identify automated solutions

AI2. Acquire and maintain application software

AI3. Acquire and maintain technology infrastructure

AI4. Enable operation and use

AI5. Procure IT resources

AI6. Manage changes

AI7. Install and accredit solutions and changes

COBIT IT Processes

Page 18: Joburg cobit assurance


Delivery and Support

DS1. Define and manage service levels

DS2. Manage third-party services

DS3. Manage performance and capacity

DS4. Ensure continuous service

DS5. Ensure systems security

DS6. Identify and allocate costs

DS7. Educate and train users

DS8. Manage service desk and incidents

DS9. Manage the configuration

DS10. Manage problems

DS11. Manage data

DS12. Manage the physical environment

DS13. Manage operations

COBIT IT Processes

Page 19: Joburg cobit assurance

Monitor and Evaluate

ME1. Monitor and evaluate IT performance

ME2. Monitor and evaluate internal control

ME3. Ensure regulatory compliance

ME4. Provide IT governance

COBIT IT Processes

Page 20: Joburg cobit assurance

Linking business goals - IT goals - IT processes

Assignment

Process Goal: ????
  drives
IT Goal: Ensure IT services can resist and recover from attacks
  drives
Business Goal: Maintain enterprise reputation and leadership

Page 21: Joburg cobit assurance

Linking business goals to IT goals

(Table: Business goals mapped to IT goals)

Page 22: Joburg cobit assurance

Linking IT goals to IT processes

(Table: IT goals mapped to IT processes)

Page 23: Joburg cobit assurance

The most important IT Processes (COBIT 3.2)

Survey (34 processes in COBIT 3.2; the 15 listed here; the 7 marked * were highlighted on the slide):

PO1 define a strategic IT plan *
PO3 determine the technological direction
PO5 manage the IT investment
PO9 assess risks *
PO10 manage projects *
AI1 identify solutions
AI2 acquire and maintain applications s/w
AI5 install and accredit systems
AI6 manage changes *
DS1 define service levels
DS4 ensure continuous service
DS5 ensure system security *
DS10 manage problems and incidents
DS11 manage data *
M1 monitor the processes *

Page 24: Joburg cobit assurance

IT Resources

Data: Data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.

Application Systems: understood to be the sum of manual and programmed procedures.

Infrastructure: covers hardware, operating systems, database management systems, networking, multimedia, facilities, etc.

People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.

Page 25: Joburg cobit assurance

How do they relate?

(Figure: the COBIT Framework cube)

• Business Requirements: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability
• IT Processes: Planning and organisation; Acquisition and implementation; Delivery and Support; Monitor and evaluate
• IT Resources: Data, Application Systems, Infrastructure, People

Page 26: Joburg cobit assurance

(Figure: the COBIT Framework cube, annotated)

• Business Requirements (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Information Reliability): what the stakeholders expect from IT
• IT Processes (Planning and organisation; Acquisition and implementation; Delivery and Support; Monitor and evaluate): how IT is organised to respond to the requirements
• IT Resources (Data, Application Systems, Infrastructure, People): the resources made available to - and built up by - IT

Page 27: Joburg cobit assurance

COBIT Framework

(Figure: COBIT Framework overview: Business and Governance Objectives, INFORMATION and its Criteria, IT RESOURCES, and the four process domains)

Criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability

IT RESOURCES: data, application systems, infrastructure, people

PLANNING AND ORGANISATION: PO1. define a strategic IT plan; PO2. define the information architecture; PO3. determine technological direction; PO4. define the IT processes, organization and relationships; PO5. manage the IT investment; PO6. communicate management aims and direction; PO7. manage IT human resources; PO8. manage quality; PO9. assess and manage risk; PO10. manage projects

ACQUISITION AND IMPLEMENTATION: AI1. identify automated solutions; AI2. acquire and maintain application software; AI3. acquire and maintain technology infrastructure; AI4. enable operation and use; AI5. procure IT resources; AI6. manage changes; AI7. install and accredit solutions and changes

DELIVERY AND SUPPORT: DS1. define and manage service levels; DS2. manage third party services; DS3. manage performance and capacity; DS4. ensure continuous service; DS5. ensure systems security; DS6. identify and allocate costs; DS7. educate and train users; DS8. manage service desk and incidents; DS9. manage the configuration; DS10. manage problems; DS11. manage data; DS12. manage the physical environment; DS13. manage operations

MONITOR AND EVALUATE: ME1. monitor and evaluate IT performance; ME2. monitor and evaluate internal control; ME3. ensure regulatory compliance; ME4. provide IT governance

Page 28: Joburg cobit assurance

The Major Elements of COBIT

• High-level and detailed Control Objectives
• Management Guidelines
- Inputs - outputs
- RACI chart
- Goals and metrics
• Maturity models
• Assurance Guidelines - Implementation Guidelines

Page 29: Joburg cobit assurance

COBIT Control Objectives

Page 30: Joburg cobit assurance

COBIT Control Objectives

Definition of Control
The policies, procedures, practices and organisational structures, designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected

Definition of IT Control Objective
IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
• Are statements of managerial actions to increase value or reduce risk
• Consist of policies, procedures, practices and organisational structures
• Are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

Page 31: Joburg cobit assurance

Example: Detailed Control Objectives for Manage Changes (AI6)

AI6.1 Change Standards and Procedures
Set up formal change management procedures to handle in a standardised manner all requests (including maintenance and patches) for changes to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.2 Impact Assessment, Prioritisation and Authorisation
Ensure that all requests for change are assessed in a structured way for impacts on the operational system and its functionality. This assessment should include categorisation and prioritisation of changes. Prior to migration to production, changes are authorized by the appropriate stakeholder.

AI6.3 Emergency Changes
Establish a process for defining, raising, assessing and authorising emergency changes that do not follow the established change process. Documentation and testing should be performed, possibly after implementation of the emergency change.

AI6.4 Change Status Tracking and Reporting
Establish a tracking and reporting system for keeping change requestors and relevant stakeholders up to date about the status of the change to applications, procedures, processes, system and service parameters, and the underlying platforms.

AI6.5 Change Closure and Documentation
Whenever system changes are implemented, update the associated system and user documentation and procedures accordingly. Establish a review process to ensure complete implementation of changes.

Page 32: Joburg cobit assurance

Generic process controls

• Each COBIT process has generic control requirements that are identified by generic process controls within the Process Control (PC) domain. These are applicable for all COBIT processes and should be considered together with the detailed COBIT control objectives to have a complete view of control requirements.

• PC1 Process goals and objectives
• PC2 Process ownership
• PC3 Process repeatability
• PC4 Roles and responsibilities
• PC5 Policy, plans and procedures
• PC6 Process performance improvement

Page 33: Joburg cobit assurance

Application controls

• Application controls relate to the transactions and standing data pertaining to each automated application system and are specific to each such application. They ensure the completeness and accuracy of the records and the validity of the entries made in transactions and standing data resulting from both manual and automated processing.

• COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement (AI) domain. The operational management and control responsibility for application controls is not with IT, but with the business process owner. Therefore, the COBIT IT processes cover general IT controls but not application controls.

• AC1 Source document preparation and authorisation
• AC2 Source document collection and data entry
• AC3 Accuracy, completeness, authenticity checks
• AC4 Data processing integrity and validity
• AC5 Output review, reconciliation and error handling
• AC6 Transaction authentication and integrity

Page 34: Joburg cobit assurance

COBIT Control Practices

Page 35: Joburg cobit assurance

COBIT - IT Control Practices

• For each of the control objectives, a list of specific control practices is defined. In addition, three generic control practices are defined, which are applicable to all control objectives (Design control approach; Accountability and responsibility; Communication and understanding).

• The complete set of generic and specific control practices provides one control approach, consisting of practices that are necessary for achieving the control objective. They provide high-level generic guidance, at a more detailed level under the control objective, for assessing process maturity, considering potential improvements and implementing the controls.

• They do not describe specific solutions, and further guidance may need to be obtained from specific, relevant standards and best practices, such as ITIL or PRINCE2.

Page 36: Joburg cobit assurance

COBIT - IT Control Practices

DS8.1 Service Desk
Establish a service desk function, which is the user interface with IT, to register, communicate, dispatch and analyse all calls, reported incidents, service requests and information demands. There should be monitoring and escalation procedures based on agreed-upon service levels relative to the appropriate SLA that allow classification and prioritisation of any reported issue as an incident, service request or information request. Measure end users’ satisfaction with the quality of the service desk and IT services.

Control practices for DS8.1:

1. Establish a service desk as a single, initial point of contact for the reporting, monitoring, escalation and resolution of customer requests and incidents. Develop business requirements for the service desk, based on service definitions and SLAs, including hours of operation and expected response time to a call. Ensure that service desk requirements include identifying staffing, tools and integration with other processes, such as change management and problem management.

2. Ensure that there are clear instructions for service desk staff when a request cannot be immediately resolved by service desk personnel. Establish time thresholds to determine when escalation should occur based on the categorisation/prioritisation of the request or incident.

3. Implement the necessary support software and tools (e.g., incident management, knowledge management, incident escalation systems, automated call monitoring) required for operation of the service desk and configured in accordance with SLA requirements, to facilitate automated prioritisation of incidents and rapid resolution.

4. Advise customers of the existence of the service desk and the standards of service they can expect. Obtain user feedback on a regular basis to ensure customer satisfaction and confirm the effectiveness of the service desk operation.

5. Using the service desk software, create service desk performance reports to enable performance monitoring and continuous improvement of the service desk.

Page 37: Joburg cobit assurance

COBIT Management Guidelines

Inputs - Outputs

Page 38: Joburg cobit assurance

Page 39: Joburg cobit assurance

Each process has primary inputs and outputs with process linkages

Example PO1:
Inputs: Mission and Goals; Understanding of the business context, capability and capacity; Business Strategy; Risk Appetite
Outputs: Strategic Plan; Tactical Plan; Project Portfolio; Service Portfolio

Page 40: Joburg cobit assurance

Inputs / outputs

• Process: ...
Input from: (Process, what)
Output to: (Process, what)

Page 41: Joburg cobit assurance

Example: Input/Outputs for Manage Changes (AI6)

Page 42: Joburg cobit assurance

COBIT Management Guideline

RACI Chart

Page 43: Joburg cobit assurance

RACI chart providing roles and responsibilities

Example PO1. Functions: CEO; CFO; Business Executive; CIO; Business Sr Management; Head of Operations; Chief Architect or CTO; Head of Development; Head of IT Admin; HR, Fin, etc; CARS; PMO

Page 44: Joburg cobit assurance

RACI Chart

Functions (columns): CEO; CFO; Business Exec; CIO; Business Sr Mngmt; Head Operations; Chief Architect; Head Development; Head IT Admin; PMO; CARS
Activities (rows)

CARS includes Risk, Security, Audit and Compliance

Page 45: Joburg cobit assurance

Example: RACI Diagram for Manage Changes (AI6)

Page 46: Joburg cobit assurance

COBIT Management Guideline

Goals and metrics

Page 47: Joburg cobit assurance

COBIT Management Guidelines: Goals and Metrics

Key Goal Indicators (KGIs)
• lag indicator
• is an indicator of the success of the process and its business contribution
• describes the outcome of the process, i.e. measurable after the fact; a measure of “what”; may describe the impact of not reaching the process goal
• focuses on the customer and financial dimensions of the balanced scorecard

Page 48: Joburg cobit assurance

COBIT Management Guidelines: Goals and Metrics

Examples of Key Goal Indicators (KGIs)
- Increased level of service delivery
- Reduced time and effort required to make changes
- Availability of systems and services
- Absence of integrity and confidentiality risks
- Cost efficiency of processes and operations
- Confirmation of reliability and effectiveness
- Adherence to development cost and schedule
- Cost efficiency of the process
- Staff productivity and morale
- Number of timely changes to processes and systems
- Improved productivity (e.g., delivery of value per employee)

Page 49: Joburg cobit assurance

COBIT Management Guidelines: Goals and Metrics

Key Performance Indicators (KPIs)
• lead indicator
• are a measure of “how well” the process is performing
• predict the probability of success or failure
• focus on the process and learning dimensions of the balanced scorecard
• are expressed in precise measurable terms
• should help in improving the IT process

Page 50: Joburg cobit assurance

COBIT Management Guidelines: Goals and Metrics

Examples of Key Performance Indicators (KPIs)

- System downtime

- Throughput and response times

- Amount of errors and rework

- Number of staff trained in new technology

- customer service skills

- Benchmark comparisons

- Number of non-compliance reportings

- Reduction in development and processing time

Page 51: Joburg cobit assurance

KGIs/KPIs “Ensure System Security” (DS5)

(Figure: three linked balanced scorecards; horizontal arrows link a KPI to its KGI, vertical lines link the KGI of one level to the KPI of the level above)

Metrics for BSC of IT process owner: KPI “Security expertise” -> KGI “number of incidents because of unauthorised access”
Metrics for BSC of IT manager: KPI “number of incidents because of unauthorised access” -> KGI “Number of security breaches”
Metrics for BSC of business manager: KPI “Number of security breaches” -> KGI “Number of incidents causing public embarrassment”

These metrics represent the KPIs and KGIs of the IT process owner and can be used as building blocks for a BSC at process level. They map on the current KGIs and KPIs of COBIT. The KGIs at process level are at the same time KPIs at the IT manager’s level (vertical lines).

These KGIs represent the goals of the IT manager and can be derived from the list of IT goals. Together with the KPIs (horizontal arrow) they are building blocks for the IT manager’s BSC. The KGIs at the IT manager’s level are at the same time KPIs at the business manager’s level (vertical lines).

These KGIs represent the goals of the business manager and can be derived from the list of business goals. Together with the KPIs (horizontal arrow) they are building blocks for the business manager’s BSC.

Page 52: Joburg cobit assurance

Cascade of metrics

(Figure: KPI -> KGI chains for the BSC of the IT process owner, the IT manager and the business manager, with each level’s KGIs feeding the KPIs of the level above)

A KGI at business level is supported by many other KPIs at IT and process level.

Page 53: Joburg cobit assurance

Cascade of metrics for “Ensure System Security” (DS5)

GOALS:
Process Goal: Understanding security requirements, vulnerabilities and threats
  drives
IT Goal: Ensure IT services can resist and recover from attacks
  drives
Business Goal: Maintain enterprise reputation and leadership

METRICS (the KGI of one level is the KPI of the level above):
Process level KPI: Nr and type of new security incidents
Process level KGI / IT level KPI: Nr of incidents because of unauthorised access
IT level KGI / Business level KPI: Nr of IT security incidents
Business level KGI: Number of incidents causing public embarrassment

Page 54: Joburg cobit assurance

Page 55: Joburg cobit assurance

Page 56: Joburg cobit assurance

Goals: Activity goals -> Process goals -> IT goals
Metrics: Activity KGI (process KPI) -> Process KGI -> IT KGI

Page 57: Joburg cobit assurance

Example: Goals and metrics for Manage Changes (AI6)

Page 58: Joburg cobit assurance

COBIT Maturity models

Page 59: Joburg cobit assurance

Maturity Models

• refer to business requirements (KGI) and the enabling aspects (KPI) at the different levels

• are a scale that lends itself to pragmatic comparison, where the difference can be made measurable in an easy manner

• are recognisable as a “profile” of the enterprise in relation to IT governance and control

• assist in determining As-Is and To-Be positions relative to IT governance and control maturity and analyse the gap

• are not industry specific nor generally applicable, the nature of the business will determine what is an appropriate level

Page 60: Joburg cobit assurance

Maturity Models: Goal setting and measurement

Scale: 0 Non-Existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised

Legend for symbols used: Enterprise current status; International standard guidelines; Industry practice; Enterprise target

Legend for rankings used:
0 - Management processes are not applied at all
1 - Processes are ad hoc and disorganised
2 - Processes follow a regular pattern
3 - Processes are documented and communicated
4 - Processes are monitored and measured
5 - Best practices are followed and automated

Page 61: Joburg cobit assurance

Maturity models

are improved starting from a new generic qualitative model based on the following attributes:

• awareness and communication
• policies, standards and procedures
• tools and automation
• skills and expertise
• responsibility and accountability
• goal setting and measurement

Page 62: Joburg cobit assurance

Example: Maturity Model for Manage Changes (AI6)

0 Non-existent when
There is no defined change management process and changes can be made with virtually no control. There is no awareness that change can be disruptive for IT and business operations, and no awareness of the benefits of good change management.

1 Initial/Ad Hoc when
It is recognised that changes should be managed and controlled. Practices vary and it is likely that unauthorised changes take place. There is poor or non-existent documentation of change, and configuration documentation is incomplete and unreliable. Errors are likely to occur together with interruptions to the production environment caused by poor change management.

2 Repeatable but Intuitive when
There is an informal change management process in place and most changes follow this approach; however, it is unstructured, rudimentary and prone to error. Configuration documentation accuracy is inconsistent and only limited planning and impact assessment takes place prior to a change.

3 Defined Process when
There is a defined formal change management process in place, including categorisation, prioritisation, emergency procedures, change authorisation and release management, and compliance is emerging. Workarounds take place and processes are often bypassed. Errors may still occur and unauthorised changes occasionally occur. The analysis of the impact of IT changes on business operations is becoming formalised, to support planned rollouts of new applications and technologies.

4 Managed and Measurable when
The change management process is well developed and consistently followed for all changes, and management is confident that there are minimal exceptions. The process is efficient and effective, but relies on considerable manual procedures and controls to ensure that quality is achieved. All changes are subject to thorough planning and impact assessment to minimise the likelihood of post-production problems. An approval process for changes is in place. Change management documentation is current and correct, with changes formally tracked. Configuration documentation is generally accurate. IT change management planning and implementation are becoming more integrated with changes in the business processes, to ensure that training, organisational changes and business continuity issues are addressed. There is increased co-ordination between IT change management and business process redesign. There is a consistent process for monitoring the quality and performance of the change management process.

5 Optimised when
The change management process is regularly reviewed and updated to stay in line with good practices. The review process reflects the outcome of monitoring. Configuration information is computer-based and provides version control. Tracking of changes is sophisticated and includes tools to detect unauthorised and unlicensed software. IT change management is integrated with business change management to ensure that IT is an enabler in increasing productivity and creating new business opportunities for the organisation.

Page 63: Joburg cobit assurance

COBIT 4.1

• Released May 2007
• Incremental updates, no fundamental changes
• CobiT 4.1 features
- an enhanced Executive Overview introduction and explanation of goals and metrics in the framework section and better definitions of the core concepts.
- improved control objectives resulting from updated control practices and Val IT development activity.
- a new definition of control objectives, shifting more towards management practices statements
- grouping/rewording of some control objectives to avoid overlaps and make the list of control objectives within a process more consistent and action-oriented
  • AI5.4, AI5.5 and AI5.6 were combined
  • AI7.9, AI7.10 and AI7.11 were combined
  • Changes were also made to ME3 to include compliance with contractual requirements in addition to legal and regulatory.
- reworded application controls, to support financial controls effectiveness assessment and reporting.
  • six Application Controls replacing the 18 in COBIT 4.0, with further detail being provided in the COBIT Control Practices.
- an updated list of business goals and IT goals, based on new insights obtained during validation research executed by UAMS
- an expanded pull-out to provide amongst others a quick reference list of the COBIT processes

Page 64: Joburg cobit assurance


IT Assurance using COBIT

Page 65: Joburg cobit assurance


Implementation Guide - IT Assurance Guide

[Figure: WHAT (COBIT core content): Framework, Control Objectives, Management Guidelines, Maturity Models. HOW (derived guidance): Board Briefing; Baseline for IT Governance for the CIO, the Executive and the Audit Director; IT Governance Implementation Guide using CobiT; IT Assurance Guide using CobiT. The assurance path runs Control Objective - Control Practices - Assurance Approach, with Value and Risk as the drivers.]

Page 66: Joburg cobit assurance

Assurance & audit

• Assurance Guide instead of Audit Guide
- Assurance also covers evaluation activities not governed by internal and/or external audit standards.

Page 67: Joburg cobit assurance


Assurance Roadmap

Page 68: Joburg cobit assurance

Assurance planning

• IT audit universe
- 34 IT processes
- 4 IT resources

• Risk based assurance planning
- The assurance professional should use an appropriate risk assessment technique or approach in developing the overall plan for the effective allocation of IT assurance resources.
- Risk assessment is a technique used to examine units in the assurance universe and select those areas for review that have the greatest risk exposure, by analysing risk and impact.

Page 69: Joburg cobit assurance

Assurance planning

• A high-level assessment can support assurance planning by identifying the processes where the maturity/control gap between as-is and to-be is the most significant.

• The results of such a high-level assessment can be used to prioritise the IT assurance work. Specific benefits of such high-level assessments are:
- making members of IT management aware of their accountability for controlling IT and gaining their buy-in
- high-level checking of compliance with established IT control requirements
- optimising and prioritising IT assurance resources
- bridging to IT governance

Page 70: Joburg cobit assurance

Assurance planning

• Define the scope and objectives
- Define the scope and objectives of the assurance work and perform a preliminary assessment of internal control/maturity of the function/activities being reviewed, to provide reasonable assurance that all material items will be adequately covered during the assurance initiative.

Page 71: Joburg cobit assurance


Assurance scoping

• Define the scope and objectives

- Business goals – IT goals – IT processes / IT resources – control objectives – customized control objectives

Page 72: Joburg cobit assurance

Assurance execution

Derived from control practices

Originally one IT control practice (ITCP) was translated into one testing step. Later all individual testing steps were grouped into three blocks:

1. Testing control design (design effectiveness)
2. Testing outcome of the objective (operational effectiveness)
3. Document impact of control weaknesses

Page 73: Joburg cobit assurance


AI6: Change Management

Testing control design

• Enquire whether and confirm that the change management process allows business process owners and IT to request changes to infrastructure, systems or applications.

• Enquire whether and confirm that the overall change management process includes emergency change procedures (e.g., defining, raising, testing, documenting, assessing and authorising emergency changes).

• Enquire whether and confirm that processes and procedures for contracted services providers (e.g., infrastructure, application development, application service providers, shared services) are included in the change management process.

• Determine if the process and procedures include the contractual terms and SLAs.

The audit steps to be performed in assessing the adequacy of the design of controls.

Page 74: Joburg cobit assurance


AI6: Change Management

Testing CO outcome

• Inspect a selection of changes and determine if requests have been categorised.
• Inspect a selection of changes and determine if changes have been prioritised based on predefined criteria.
• Inspect a selection of changes and determine if changes have been assessed in a structured method (e.g., security, legal, contractual and compliance implications are considered and business owners are involved).
• Inspect a sample of emergency changes and verify that they have been processed in accordance with the change management framework. Verify that procedures have been followed to authorise, document and revoke access after the change has been applied.
• Inspect a sample of emergency changes and determine if a post-implementation review has been conducted after the changes were applied. Consider implications for further application system maintenance, impact on development and test environments, application software development quality, documentation and manuals, and data integrity.

The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.
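The operating-effectiveness steps above (categorised, prioritised, assessed in a structured way, and for emergency changes authorised, temporary access revoked, post-implementation review done) can be run automatically against an export of change records instead of by hand over a small sample. The following is an added example, not code from the slides or from the COBIT IT Assurance Guide; the ChangeRecord field names and the sample records are assumptions constructed for illustration, not the schema of any real change tool.

```python
"""Automated operating-effectiveness test for AI6 change records.

Added example, not part of the original slides or of the COBIT IT
Assurance Guide. Field names and sample values are assumptions.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class ChangeRecord:
    """One change request as it might be exported from a change tool (assumed schema)."""
    change_id: str
    category: Optional[str]          # e.g. standard / normal / emergency
    priority: Optional[str]          # set against predefined criteria
    impact_assessed: bool            # security, legal, contractual, compliance considered
    business_owner_involved: bool
    approved_by: Optional[str]       # CAB or delegated approver, None if undocumented
    emergency: bool = False
    temp_access_granted: bool = False   # elevated access given to apply the change
    temp_access_revoked: bool = False
    pir_completed: bool = False         # post-implementation review


def find_exceptions(chg: ChangeRecord) -> list:
    """Return the control failures for one change; an empty list means no exception."""
    issues = []
    if not chg.category:
        issues.append("request not categorised")
    if not chg.priority:
        issues.append("not prioritised against predefined criteria")
    if not (chg.impact_assessed and chg.business_owner_involved):
        issues.append("no structured assessment with business owner involvement")
    if not chg.approved_by:
        issues.append("no documented authorisation")
    if chg.emergency:
        # Emergency path: access granted for the fix must be revoked afterwards,
        # and the change must be reviewed after the fact.
        if chg.temp_access_granted and not chg.temp_access_revoked:
            issues.append("temporary access not revoked after emergency change")
        if not chg.pir_completed:
            issues.append("no post-implementation review of emergency change")
    return issues


def select_sample(changes, size, seed=42):
    """Reproducible random sample, so the working papers can state how items were chosen."""
    rng = random.Random(seed)
    return rng.sample(list(changes), min(size, len(changes)))


def evaluate_operating_effectiveness(changes, sample_size, seed=42, tolerable_rate=0.0):
    """Sample the population, test every item and conclude on operating effectiveness."""
    sample = select_sample(changes, sample_size, seed)
    exceptions = {c.change_id: find_exceptions(c) for c in sample}
    exceptions = {cid: issues for cid, issues in exceptions.items() if issues}
    rate = len(exceptions) / len(sample) if sample else 0.0
    return {
        "sampled": len(sample),
        "exceptions": exceptions,
        "exception_rate": rate,
        "operating_effectively": rate <= tolerable_rate,
    }


# Constructed change records for illustration (not data from any real system).
SAMPLE_CHANGES = [
    ChangeRecord("CHG-1001", "standard", "low", True, True, "CAB"),
    ChangeRecord("CHG-1002", "normal", "medium", True, True, "CAB"),
    ChangeRecord("CHG-1003", None, "high", True, False, "CAB"),
    ChangeRecord("CHG-1004", "emergency", "critical", True, True, "on-call manager",
                 emergency=True, temp_access_granted=True, pir_completed=True),
    ChangeRecord("CHG-1005", "emergency", "critical", True, True, "on-call manager",
                 emergency=True, temp_access_granted=True, temp_access_revoked=True),
    ChangeRecord("CHG-1006", "normal", None, False, True, None),
]

if __name__ == "__main__":
    result = evaluate_operating_effectiveness(SAMPLE_CHANGES, sample_size=len(SAMPLE_CHANGES))
    for cid, issues in sorted(result["exceptions"].items()):
        print(f"{cid}: {'; '.join(issues)}")
    print(f"{len(result['exceptions'])} of {result['sampled']} sampled changes had exceptions "
          f"({result['exception_rate']:.0%}); operating effectively: {result['operating_effectively']}")
```

The seed makes the sample reproducible, which matters for the working papers: a reviewer can re-run the selection and obtain the same items. The tolerable exception rate is set to zero by default; whether a non-zero rate is acceptable is a judgement the assurance professional documents, not something the script decides.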

Page 75: Joburg cobit assurance


AI6: Change Management

Document impact

• Assess the time and cost of lack of formal change management standards and procedures (e.g., improper resource allocation, unclear roles and responsibilities, security breaches, lack of rollback procedures, lack of documentation and audit trails, inadequate training).
• Assess the time and cost of lack of formal impact assessment to prioritise and authorise changes.
• Assess the time and cost of lack of formal emergency change standards and procedures (e.g., compromised security, failure to properly terminate additional access authorisations, unauthorised access to corporate information).

The audit steps to be performed to substantiate the risk of the control objective not being met, by using analytical techniques and/or consulting alternative sources.

Page 76: Joburg cobit assurance


Structure of assurance guidance provided

Page 77: Joburg cobit assurance


Example: Control practices

Page 78: Joburg cobit assurance


Example: testing control design

Page 79: Joburg cobit assurance


Example: testing operational effectiveness

Page 80: Joburg cobit assurance


Example: documenting impact

Page 81: Joburg cobit assurance


IT Assurance assignments in practice (templates)

Page 82: Joburg cobit assurance

Assurance assignment

1. Scoping

1.1 Processes

1.2 Control objectives

1.3 Control practices

2. Testing

2.1 Evaluate Design Effectiveness (testing control design)

2.2 Evaluate Operating Effectiveness (testing outcome of the control process)

3. Findings and recommendations

Page 83: Joburg cobit assurance


1.1 Scoping: processes

• Define cascade of business goals – IT goals – IT processes

Goal:

first list of IT processes

Page 84: Joburg cobit assurance


1.1 Scoping: processes

• Define/refine list of IT processes based on risk based scoping

- Risk and value drivers

Goal:

refined list of IT processes

Page 85: Joburg cobit assurance

1.1 Scoping: processes

• Define/refine list of IT processes based on risk based scoping

- Maturity assessment

Goal:

refined list of IT processes

Page 86: Joburg cobit assurance


1.2 Scoping: control objectives

• Define the control framework for one process based on control objective attributes

Goal:

Set of important control objectives for one IT process

Page 87: Joburg cobit assurance


1.3 Scoping: control practices

• Define the control design for one control objective

Goal:

Minimum and sufficient set of control practices to achieve a control objective

Page 88: Joburg cobit assurance

2. Testing

• Structured approach for each of the control objectives / control practices

[Template: one row per CONTROL OBJECTIVE, with columns CONTACT PERSON, DESIGN EFFECTIVENESS APPROACH and OPERATING EFFECTIVENESS APPROACH; assurance steps 1 to 4 for each control objective are derived from the COBIT 4 Control Practices. Supporting sources: RACI chart, audit plans (Assurance Guide), inputs/outputs, ...]

Page 89: Joburg cobit assurance


2.1 Evaluate design effectiveness

• Translate control practices into assurance steps to evaluate design effectiveness

[Sources: RACI chart, audit plans (Assurance Guide), COBIT 4 Control Practices, ...]

Page 90: Joburg cobit assurance

2.1 Evaluate design effectiveness

Example

Page 91: Joburg cobit assurance


2.2 Evaluate operating effectiveness

Page 92: Joburg cobit assurance

2.2 Evaluate operating effectiveness

[Sources: RACI chart, audit plans (Assurance Guide), COBIT 4.0 Control Practices, inputs/outputs]

Page 93: Joburg cobit assurance

2.2 Evaluate operating effectiveness

Example

Page 94: Joburg cobit assurance


3. Findings & Recommendations

• FINDING
- Description
- Detection: Walkthrough / Testing

• RISK
- Description
- Categorization

• RECOMMENDATION
- Description
- Priority:
  1 = Resolution < 6 months
  2 = Resolution < 1 year
  3 = Resolution < 2 years

Page 95: Joburg cobit assurance


Findings & Recommendations

Example

FINDING
Description: DS8.1: There is no monitoring process in place that focuses on the quality of the Service Desk and the end users' satisfaction.
Detection: WT (walkthrough)

RISK
Description: IT management is not informed on how the business perceives the Service Desk in particular and the IT department in general. This lack of information can cause a disconnection/misalignment between business and IT (i.e. no perception of added value by IT). It also prevents the implementation of an effective continuous improvement process.
Classification: High

RECOMMENDATION
Description: Organize regular user satisfaction surveys via the different available media (intranet, phone, direct...) and use this information to compare the responses of the satisfied users with the dissatisfied users. This information can also be used to enable continuous improvement.
Priority: 1

Page 96: Joburg cobit assurance


Page 97: Joburg cobit assurance
