Control Objectives for Information and related Technology (COBIT) Overview

January 31, 2008

Overview

• Background – trends in auditing affecting IT
• Overview of the COBIT
• Linkages to other methodologies
• Practical application – in audit and IT management

Auditing Trends

Audit Committees
– Increasing dependence on IT infrastructure to support traditional assurance/auditing
– Increasing obligations regarding risk management and control, including IT
– Uses Internal Audit to give assurance – we adopted COBIT with the ability to use other frameworks as deemed appropriate
– Management has a role as well

Office of the Auditor General
– Comments to entities that have had a broad IT assessment include ensuring the following is in place:
• IT strategies (not just for centralized IT services)
• Integration of IT requirements into business planning
• Documented IT risk assessments
• Business continuity planning and emergency response planning
• Service level performance measures
• Processes to build awareness for IT internal controls and security
• An IT control framework (recommended to several organizations)
– Recommended COBIT, which is being adopted

COBIT Overview (1)

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise's resources are used responsibly

(Diagram, IT Governance Institute: resource management, strategic direction, objectives, risks and enterprise resources.)

(1) This information and that on the following slides is consolidated from information developed by the IT Governance Institute.

Major COBIT Elements

• IT Processes
• Business Requirements
• IT Resources

IT Processes

1. COBIT describes the IT life cycle with the help of four domains:
– Plan and Organize
– Acquire and Implement
– Deliver and Support
– Monitor and Evaluate
2. Within each domain are processes, which are series of activities. There are 34 processes specifying what the business needs to achieve its objectives.
3. The last level is activities: the actions required to achieve measurable results within the processes.

IT Processes by domain: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate

Plan and Organise

PO1 Define a strategic IT plan.

PO2 Define the information architecture.

PO3 Determine technological direction.

PO4 Define the IT processes, organisation and relationships.

PO5 Manage the IT investment.

PO6 Communicate management aims and direction.

PO7 Manage IT human resources.

PO8 Manage quality.

PO9 Assess and manage IT risks.

PO10 Manage projects.


Acquire and Implement

AI1 Identify automated solutions.

AI2 Acquire and maintain application software.

AI3 Acquire and maintain technology infrastructure.

AI4 Enable operation and use.

AI5 Procure IT resources.

AI6 Manage changes.

AI7 Install and accredit solutions and changes.

Deliver and Support

DS1 Define and manage service levels.

DS2 Manage third-party services.

DS3 Manage performance and capacity.

DS4 Ensure continuous service.

DS5 Ensure systems security.

DS6 Identify and allocate costs.

DS7 Educate and train users.

DS8 Manage service desk and incidents.

DS9 Manage the configuration.

DS10 Manage problems.

DS11 Manage data.

DS12 Manage the physical environment.

DS13 Manage operations.


Monitor and Evaluate

ME1 Monitor and evaluate IT performance.

ME2 Monitor and evaluate internal control.

ME3 Ensure compliance with external requirements.

ME4 Provide IT governance.


Business Requirements

Effectiveness

Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner

Efficiency

Concerns the provision of information through the optimal (most productive and economical) use of resources

Confidentiality

Concerns the protection of sensitive information from unauthorised disclosure

Integrity

Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations

Availability

Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.

Compliance

Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies

Reliability

Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities

IT Resources

Applications

Information

Infrastructure

People

Use of COBIT in Internal Audit

• Annual Risk Assessment (developed with Grant Thornton)
• Can audit in different ways:
– an application system (all processes)
– a process (e.g. IT investment management across a unit or the campus)
– a resource component (e.g. infrastructure) and/or a business requirement (e.g. security)
• Maps to other frameworks
• Flexible yet defensible

Use of COBIT in Management

• Seeing an increase in formal adoption of frameworks.

• Supporting documentation being developed for management.

• Flexible adoption – one size does not fit all.

• Can be blended with other frameworks.

Organisations will consider and use a variety of IT models, standards and best practices.

(Diagram: scope of coverage of COSO, COBIT, ISO 17799, ISO 9000 and ITIL, plotted against "what" and "scope of coverage" axes.)

IT Process Capability Maturity Scorecard—Example

Maturity levels (scorecard columns): Initial, Repeatable, Defined, Managed, Optimised

Processes (scorecard rows):

Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine the technological direction.
PO4 Define the IT process, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage risks.
PO10 Manage projects.

Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

(Diagram: COBIT Framework. Business objectives and governance objectives drive Information (criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and IT Resources (applications, information, infrastructure, people) through the four domains Plan and Organise (PO1 to PO10), Acquire and Implement (AI1 to AI7), Deliver and Support (DS1 to DS13) and Monitor and Evaluate (ME1 to ME4); the process names are those listed under IT Processes above.)

Questions

Contact: Ian Simpson, Systems Auditor, 492-2980