© ITGI 2004 - not for commercial use. 1
COBIT® Presentation Package
The COBIT® framework explained in a complete PowerPoint presentation, to be used by
professors in information systems management, information security management, auditing,
information systems auditing and/or accounting information systems
Disclaimer
The IT Governance Institute® (ITGI), Information Systems Audit and Control
Association® (ISACA®) [the “Owner(s)”] and the authors have designed and created
COBIT® in Academia™ and its related publications, titled COBIT® Presentation
Package, COBIT® Student Book, COBIT® Case Study and COBIT® Caselets (the
“Work”), primarily as an educational resource for assurance professionals. The
Owners make no claim that use of any of the Work will assure a successful outcome.
The Work should not be considered inclusive of any proper information, procedures
and tests or exclusive of other information, procedures and tests that are reasonably
directed to obtaining the same results. In determining the propriety of any specific
information, procedure or test, the assurance professional should apply his/her own
professional judgement to the specific circumstances presented by the particular
systems or information technology environment.
Disclosure
Copyright © 2004 IT Governance Institute. All rights reserved. This publication is
intended solely for academic use and shall not be used in any other manner
(including for any commercial purpose). Reproductions of selections of this
publication are permitted solely for the use described above and must include the
following copyright notice and acknowledgement: “Copyright © 2004 IT Governance
Institute. All rights reserved. Reprinted by permission.” COBIT in Academia may not
otherwise be used, copied, or reproduced, in any form by any means (electronic,
mechanical, photocopying, recording or otherwise), without the prior written
permission of the IT Governance Institute. Any modification, distribution,
performance, display, transmission, or storage, in any form by any means (electronic,
mechanical, photocopying, recording or otherwise) of COBIT in Academia is strictly
prohibited. No other right or permission is granted with respect to this work.
COBIT in Academia
ISBN 1-893209-96-2
Acknowledgements
Development Team
• Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium (Chair)
• Roger Debreceny, Ph.D., FCPA, University of Hawaii, USA
• Steven De Haes, University of Antwerp Management School, Belgium (Project Manager)
• Roger Lux, Farmers Insurance Group, USA
• John Mitchell, CISA, CIA, CFE, LHS Business Control, UK
• Ed O’Donnell, Ph.D., Arizona State University, USA
• Scott Summers, Ph.D., Brigham Young University, USA
• Wim Van Grembergen, Ph.D., University of Antwerp Management School, Belgium
Acknowledgements
Review Team
• Rob Nehmer, Ph.D., Quinnipiac University, USA
• Malcolm Pattinson, CISA, University of South Australia, Australia
• Elaine Mauldin, CPA, University of Missouri-Columbia, USA
• Faye Borthick, Ph.D., CISA, CPA, AMA, CDP, Georgia State University, USA
• José Roberto Alpizar Fallas, CPA, Universidad de Costa Rica, Costa Rica
Purpose of This Document
This COBIT Presentation Package, developed in collaboration with a group of
international academics and practitioners, is a product of the IT Governance Institute
(www.itgi.org). It provides a complete PowerPoint presentation explaining all the core
elements of the COBIT framework, which can be used by professors in information
systems management, information security management, auditing, information systems
auditing and/or accounting information systems. Professors can use the complete set,
make extractions if they want to focus on specific parts, or can even add their own
materials and examples in accordance with their needs. There are some speaker notes
included in the package, but it is advisable to use the COBIT Student Book (included in
COBIT in Academia) as guidance and source material to prepare this presentation.
The IT Governance Institute also developed three other components that are part of
COBIT in Academia. The COBIT Student Book explains and illustrates all the COBIT
components. The COBIT Case Study: TIBO can be used by students to apply the COBIT
knowledge in a real-life situation, and the COBIT Caselets provide some minicases for
smaller COBIT exercises.
COBIT Introduction
Why does IT need an IT control framework?
Who needs an IT control framework?
How and why is COBIT used?
Why does IT need a control framework?
Do any of these conditions sound familiar?
• Increasing pressure to leverage technology in business strategies
• Growing complexity of IT environments
• Fragmented IT infrastructures
• Communication gap between business and IT managers
• IT service levels that are disappointing from internal IT functions and from increasingly outsourced IT providers
• IT costs perceived to be out of control
• Marginal ROI/productivity gains on technology investments
• Impaired organisational flexibility and nimbleness to change
• User frustration leading to ad hoc solutions
Why does IT need a control framework?
• Increasing dependence on information and the systems that deliver this information
• Increasing vulnerabilities and a wide spectrum of threats, such as cyberthreats and information warfare
• Scale and cost of the current and future investments in information and information systems
• The need to comply with regulations
• The potential for technologies to dramatically change organisations and business practices, create new opportunities and reduce costs
• Recognition by many organisations of the potential benefits that technology can yield
Successful organisations understand and manage the risks associated with implementing new technologies.
Why does IT need a control framework?
Management needs to get IT under control, to ensure that:
• IT provides value
  • Cost, time and functionality are as expected
• IT does not provide surprises
  • Risks are mitigated
• IT pushes the envelope
  • New opportunities and innovations for process, product and services
Who needs a control framework?
• Board and Executive
  • To ensure management follows and implements the strategic direction for IT
• Management
  • To make IT investment decisions
  • To balance risk and control investment
  • To benchmark existing and future IT environment
• Users
  • To obtain assurance on security and control of products and services they acquire internally or externally
• Auditors
  • To substantiate opinions to management on internal controls
  • To advise on what minimum controls are necessary
Why and how is COBIT used?
COBIT as a response to the needs
• Incorporates major international standards
• Has become the de facto standard for overall control over IT
• Starts from business requirements
• Is process-oriented
COBIT is a best practices repository for IT processes, IT management processes and IT governance processes.
Why and how is COBIT used?
Testimonials from Case Studies
• Helps substantially increase acceptance and reduce time to implement IT governance program
• Provides a guide for formal audits/reviews
• Helps use results of audits as an opportunity to plan improvements
• Is a strong factor in achieving primary goals for IT governance: transform organisational practices and pursue improved processes
• Provides economical continuous improvement framework
• Provides a credible source for management's decision on controls
• Impresses and helps IT operations managers with its ability to assist in understanding what auditors want
• Is ideal for business management to communicate requirements and concerns
• Is recognised as a reliable source reference that ensures identification of all major risk areas
• Improves communications and relations with IT management
Why and how is COBIT used?
Results from Surveys
• To improve audit approach/programmes
• To support audit work with detailed audit guidelines
• To provide guidance for IT governance
• As a valuable benchmark for IS/IT control
• To improve IS/IT controls
• To standardise audit approach/programmes
The COBIT Framework
The COBIT framework explained:
• Business focus
• Process orientation
• IT resources
COBIT: Of what does it consist?
COBIT:
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains and provides a high-level control objective for each
• Considers fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives
The seven information criteria:
• Effectiveness
• Efficiency
• Availability
• Integrity
• Confidentiality
• Reliability
• Compliance
The four domains:
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
Business Orientation and Process Focus
“In order to provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”
• Relates to business requirements (expressed as information criteria)
• Links to business processes
• Empowers business owners
• Decomposes IT into four domains and 34 processes
• Domains: (plan-build-run) + monitor
• Control, audit, implementation and performance management knowledge structured by process
(Figure: the COBIT navigation symbol, a triangle linking IT Processes, Business Requirements and IT Resources, which recurs on the following slides.)
COBIT Framework Definition
“To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.”
(Figure: Business Requirements drive IT Processes, which manage IT Resources.)
Why: a process orientation is a proven management approach to efficiently exercise responsibilities, achieve set goals and reasonably manage risks.
Business Requirements
Quality Requirements:
• Quality
• Delivery
• Cost
Security Requirements:
• Confidentiality
• Integrity
• Availability
Fiduciary Requirements (COSO Report):
• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting
These three groups of requirements are expressed in COBIT as seven information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability of information.
Business Requirements
Effectiveness – Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner
Efficiency – Concerns the provision of information through the optimal (most productive and economical) usage of resources
Confidentiality – Concerns protection of sensitive information from unauthorised disclosure
Integrity – Relates to the accuracy and completeness of information as well as to its validity in accordance with the business's set of values and expectations
Availability – Relates to information being available when required by the business process, and hence also concerns the safeguarding of resources
Compliance – Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria
Reliability of information – Relates to systems providing management with appropriate information for it to use in operating the entity, providing financial reporting to users of the financial information, and providing information to report to regulatory bodies with regard to compliance with laws and regulations
Process Orientation
Domains: Natural grouping of processes, often matching an organisational domain of responsibility
Processes: A series of joined activities with natural control breaks
Activities or Tasks: Actions needed to achieve a measurable result. Activities have a life cycle, whereas tasks are discrete.
Process Orientation
IT Domains (natural grouping of processes, often matching an organisational domain of responsibility):
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
IT Processes (a series of joined activities with natural control breaks), for example:
• IT strategy
• Computer operations
• Incident handling
• Acceptance testing
• Change management
• Contingency planning
• Problem management
Activities (actions needed to achieve a measurable result; activities have a life cycle, whereas tasks are discrete), for example within problem management:
• Record new problem
• Analyse
• Propose solution
• Monitor solution
• Record known problem
• Etc.
Process Orientation: Domains
Plan and Organise
Description
• This domain covers strategy and tactics, and concerns the identification of how IT can best contribute to the achievement of the business objectives. Furthermore, the realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. Finally, a proper organisation as well as technological infrastructure must be put in place.
Topics
• Strategy and tactics
• Vision planned
• Organisation and infrastructure
Questions
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?
Process Orientation: Plan and Organise
• PO1 Define a strategic information technology plan
• PO2 Define the information architecture
• PO3 Determine the technological direction
• PO4 Define the IT organisation and relationships
• PO5 Manage the investment in information technology
• PO6 Communicate management aims and direction
• PO7 Manage human resources
• PO8 Ensure compliance with external requirements
• PO9 Assess risks
• PO10 Manage projects
• PO11 Manage quality
Process Orientation: Domains
Acquire and Implement
Description
• To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure that the life cycle is continued for these systems.
Topics
• IT solutions
• Changes and maintenance
Questions
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to deliver on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?
Process Orientation: Acquire and Implement
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Develop and maintain IT procedures
• AI5 Install and accredit systems
• AI6 Manage changes
Process Orientation: Domains
Deliver and Support
Description
• This domain is concerned with the actual delivery of required services, which range from traditional operations, through security and continuity aspects, to training. To deliver services, the necessary support processes must be set up. This domain includes the actual processing of data by application systems, often classified under application controls.
Topics
• Delivery of required services
• Setup of support processes
• Processing by application systems
Questions
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate security, integrity and availability in place?
Process Orientation: Deliver and Support
• DS1 Define and manage service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and allocate costs
• DS7 Educate and train users
• DS8 Assist and advise customers
• DS9 Manage the configuration
• DS10 Manage problems and incidents
• DS11 Manage data
• DS12 Manage facilities
• DS13 Manage operations
Process Orientation: Domains
Monitor and Evaluate
Description
• All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources.
Topics
• Assessment over time, delivering assurance
• Management’s oversight of the control system
• Performance measurement
Questions
• Can IT’s performance be measured and can problems be detected before it is too late?
• Is independent assurance needed to ensure critical areas are operating as intended?
Process Orientation: Monitor and Evaluate
• M1 Monitor the process
• M2 Assess internal control adequacy
• M3 Obtain independent assurance
• M4 Provide for independent audit
IT Resources
Data: Data objects in their widest sense, i.e., external and internal, structured and nonstructured, graphics, sound, etc.
Application Systems: Understood to be the sum of manual and programmed procedures
Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities: Resources to house and support information systems
People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support, monitor and evaluate information systems and services
How do they relate?
IT Processes:
• Plan and Organise
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate
Business Requirements:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Information reliability
IT Resources:
• Data
• Application systems
• Technology
• Facilities
• People
How do they relate?
IT Processes (how IT is organised to respond to the requirements): Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate
Business Requirements (what the stakeholders expect from IT): Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Information reliability
IT Resources (the resources made available to, and built up by, IT): Data; Application systems; Technology; Facilities; People
COBIT Framework
Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: Data, Application systems, Technology, Facilities, People
Plan and Organise
• PO1 Define a strategic IT plan
• PO2 Define the information architecture
• PO3 Determine the technological direction
• PO4 Define the IT organisation and relationships
• PO5 Manage the IT investment
• PO6 Communicate management aims and direction
• PO7 Manage human resources
• PO8 Ensure compliance with external requirements
• PO9 Assess risks
• PO10 Manage projects
• PO11 Manage quality
Acquire and Implement
• AI1 Identify automated solutions
• AI2 Acquire and maintain application software
• AI3 Acquire and maintain technology infrastructure
• AI4 Develop and maintain IT procedures
• AI5 Install and accredit systems
• AI6 Manage changes
Deliver and Support
• DS1 Define service levels
• DS2 Manage third-party services
• DS3 Manage performance and capacity
• DS4 Ensure continuous service
• DS5 Ensure systems security
• DS6 Identify and attribute costs
• DS7 Educate and train users
• DS8 Assist and advise IT customers
• DS9 Manage the configuration
• DS10 Manage problems and incidents
• DS11 Manage data
• DS12 Manage facilities
• DS13 Manage operations
Monitor and Evaluate
• M1 Monitor the process
• M2 Assess internal control adequacy
• M3 Obtain independent assurance
• M4 Provide for independent audit
COBIT Framework
To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
Business processes need information that meets the criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: Data, Application systems, Technology, Facilities, People
IT Processes, grouped into the domains Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate, manage those resources to deliver that information.
COBIT Framework: Summarising up to now
• IT is indispensable for the survival and growth of enterprises.
• Management is responsible for control.
• That responsibility needs a framework:
  • Business requirements can be expressed as information criteria.
  • IT is generally organised in a set of processes.
  • IT needs a set of resources.
• COBIT is an internationally accepted standard.
To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
The COBIT Cube
COBIT Cube: Navigational Aids
The cube's dimensions are the IT Domains (Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate), the Information Criteria and the IT Resources. For each process the relevance of a criterion is marked P (primary) or S (secondary).
Summary: Processes, Criteria and Resources
COBIT Summary of Processes, Criteria and Resources
Domain: Acquire and Implement (P = primary, S = secondary against the information criteria; ✓ = IT resource applicable)
• AI1 Identify automated solutions: P S ✓ ✓ ✓
• AI2 Acquire and maintain application software: P P S S S ✓
• AI3 Acquire and maintain technology infrastructure: P P S ✓
• AI4 Develop and maintain procedures: P P S S S ✓ ✓ ✓ ✓
• AI5 Install and accredit systems: P S S ✓ ✓ ✓ ✓ ✓
• AI6 Manage changes: P P P P S ✓ ✓ ✓ ✓ ✓
Assignment
The most important COBIT processes
“For a business with which you are familiar, what
would be the most important IT processes? Why?”
Important COBIT Products
Control Objectives—
“Minimum controls are...”
Management Guidelines—
“Here is how you measure…”
Audit Guidelines—
“Here is how you audit...”
Control and Control Objective Definitions
Definition of Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
Definition of IT Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity
Control Objectives and Control Practices
High-level control objective
• One per process
Detailed control objectives
• Three to 30 per process (average more than 9)
Control practices
• Five to seven per control objective
Waterfall Model
The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
4 Domains - 34 Processes - 318 Control Objectives - ~1900 Control Practices!
AI6 Manage changes: High-level Control Objective
Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorisation, release, and distribution policies and procedures.
(Figure: AI6 High-level Control Objective)
AI6 Manage Changes: Detailed Control Objectives
6.1 Change request initiation and control
IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised, and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request.
6.2 Impact assessment
A procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality.
6.3 Control of changes
IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.
6.4 Emergency changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
Detailed Control Objectives
AI6 Manage Changes (continued)
6.5 Documentation and procedures
The change process should ensure that, whenever system changes are implemented, the
associated documentation and procedures are updated accordingly.
6.6 Authorised maintenance
IT management should ensure that maintenance personnel have specific assignments and
their work is properly monitored. In addition, their system access rights should be controlled
to avoid risks of unauthorised access to automated systems.
6.7 Software release policy
IT management should ensure that the release of software is governed by formal
procedures—ensuring sign-off, packaging, regression testing, handover, etc.
6.8 Distribution of software
Specific internal control measures should be established to ensure distribution of the correct
software element to the right place, with integrity, in a timely manner and with adequate
audit trails.
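Control objective 6.8 asks for distribution "of the correct software element to the right place, with integrity ... and with adequate audit trails". One common way to meet that objective is a release manifest that is verified at the point of distribution. The Python below is an added example written for this page; it is not COBIT material and not code from ITGI. It assumes a manifest of SHA-256 file digests protected by an HMAC under a release key shared between the build and distribution steps, release files held in memory, and an append-only list standing in for the audit trail; the file names, contents and key are constructed for the example.

```python
"""Added example (not from the COBIT Presentation Package): integrity-checked
software distribution with an audit trail, illustrating control objective AI6.8.
File contents, the release key and the audit sink are constructed in-memory."""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone


def build_manifest(release: str, files: dict[str, bytes], key: bytes) -> dict[str, str]:
    """Build a release manifest: a SHA-256 digest per file, then an HMAC over the
    canonical JSON body so that neither the digests nor the file list can be
    altered without the release key (assumed shared with the distributor)."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}
    body = json.dumps({"release": release, "files": digests},
                      sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_and_distribute(manifest: dict[str, str], received: dict[str, bytes],
                          key: bytes, target: str, audit: list[str]) -> bool:
    """Accept a release onto `target` only if the manifest MAC and every file
    digest check out. Every decision is appended to `audit` (the AI6.8 audit
    trail). Returns True when the release was accepted."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")

    def log(result: str, detail: str) -> None:
        audit.append(f"{stamp} target={target} result={result} {detail}")

    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        log("REJECT", "manifest MAC mismatch")
        return False
    meta = json.loads(manifest["body"])
    wanted = meta["files"]
    # Right element, right place: an extra or missing file means this is not the release.
    if set(wanted) != set(received):
        log("REJECT", f"release={meta['release']} file set differs: "
                      f"missing={sorted(set(wanted) - set(received))} "
                      f"extra={sorted(set(received) - set(wanted))}")
        return False
    for name, digest in wanted.items():
        if not hmac.compare_digest(hashlib.sha256(received[name]).hexdigest(), digest):
            log("REJECT", f"release={meta['release']} digest mismatch for {name}")
            return False
    log("ACCEPT", f"release={meta['release']} files={len(wanted)}")
    return True


# Constructed sample release (names, contents and key are illustrative only).
RELEASE_KEY = b"example-release-key-not-for-production"
RELEASE_FILES = {
    "bin/payroll": b"\x7fELF...constructed binary contents...",
    "conf/payroll.ini": b"[db]\nhost=db01\n",
}
MANIFEST = build_manifest("payroll-2.4.1", RELEASE_FILES, RELEASE_KEY)


def demo() -> tuple[bool, bool, list[str]]:
    """Distribute the genuine release, then a copy whose config was altered in
    transit; return both outcomes and the audit trail for inspection."""
    audit: list[str] = []
    ok = verify_and_distribute(MANIFEST, RELEASE_FILES, RELEASE_KEY, "prod-app01", audit)
    tampered = {**RELEASE_FILES, "conf/payroll.ini": b"[db]\nhost=attacker\n"}
    bad = verify_and_distribute(MANIFEST, tampered, RELEASE_KEY, "prod-app02", audit)
    return ok, bad, audit


if __name__ == "__main__":
    accepted, rejected, trail = demo()
    print("\n".join(trail))
```

The MAC covers the whole manifest body rather than individual digests, so removing or renaming an entry is caught as well as altering one; `hmac.compare_digest` is used for every comparison to avoid timing differences. An asymmetric signature over the same body would let distributors verify without holding a key that can also forge manifests, which is the more appropriate choice where the build and distribution roles are separated.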
(Figure: COBIT AI6 Detailed Control Objectives)
Control Practices
Control practices translate COBIT’s control objectives into detailed, implementable practices and provide the business argumentation for implementation, from a value and a risk perspective.
• Control practices are key control mechanisms that support the:
  • Achievement of control objectives
  • Prevention, detection and correction of undesired events
• Control practices achieve that through:
  • Responsible use of resources
  • Appropriate management of risk
  • Alignment of IT with business
Control Practices
AI6 Manage change
AI6.4 Emergency changes
IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
Control Practices
1. Management defines parameters, characteristics and procedures that identify and declare emergencies.
2. All emergency changes are documented, if not before, then after, implementation.
3. All emergency changes are tested, if not before, then after, implementation.
4. All emergency changes are formally authorised by the system owner and management before implementation.
5. Before and after images as well as intervention logs are retained for subsequent review.
Why do it?
Controlling emergency changes by implementing the control practices will:
• Ensure that emergency procedures are used in declared emergencies only
• Ensure that urgent changes can be implemented without compromising integrity, availability, reliability, security, confidentiality or accuracy
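The five AI6.4 control practices above are stated as requirements on each emergency change record, which makes them a natural candidate for an automated audit test over the change log. The Python below is an added example written for this page, not COBIT material or code from ITGI. The record layout, its field names, the two-day grace period for after-the-fact documentation and testing, and the sample records are all assumptions constructed for the example; a real check would read the organisation's change management system instead.

```python
"""Added example (not from the COBIT Presentation Package): an audit check that
tests emergency-change records against the five AI6.4 control practices. The
record layout, field names, grace period and sample data are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class ChangeRecord:
    change_id: str
    emergency: bool                     # raised through the emergency procedure?
    declared_emergency: bool            # practice 1: was an emergency formally declared?
    implemented_at: datetime
    authorised_at: Optional[datetime]   # practice 4: must precede implementation
    documented_at: Optional[datetime]   # practice 2: before or (within grace) after
    tested_at: Optional[datetime]       # practice 3: before or (within grace) after
    before_image: Optional[str]         # practice 5: e.g., digest of the pre-change artefact
    after_image: Optional[str]
    intervention_log: Optional[str]


GRACE = timedelta(days=2)  # assumed window for after-the-fact documentation and testing


def audit_emergency_change(rec: ChangeRecord, grace: timedelta = GRACE) -> list[str]:
    """Return the AI6.4 findings for one record; an empty list means compliant.
    Normal changes are out of scope here: they follow the standard AI6 path."""
    findings: list[str] = []
    if not rec.emergency:
        return findings
    deadline = rec.implemented_at + grace
    if not rec.declared_emergency:
        findings.append("P1: emergency procedure used without a declared emergency")
    if rec.documented_at is None or rec.documented_at > deadline:
        findings.append("P2: change not documented before, or within grace after, implementation")
    if rec.tested_at is None or rec.tested_at > deadline:
        findings.append("P3: change not tested before, or within grace after, implementation")
    if rec.authorised_at is None or rec.authorised_at > rec.implemented_at:
        findings.append("P4: change not formally authorised before implementation")
    if not (rec.before_image and rec.after_image and rec.intervention_log):
        findings.append("P5: before/after images or intervention log not retained")
    return findings


def audit_all(records: list[ChangeRecord]) -> dict[str, list[str]]:
    """Findings per change id, listing only records that have findings."""
    result: dict[str, list[str]] = {}
    for rec in records:
        findings = audit_emergency_change(rec)
        if findings:
            result[rec.change_id] = findings
    return result


# Constructed sample records (identifiers and timestamps are illustrative).
T = datetime(2004, 3, 1, 9, 0)
SAMPLE_RECORDS = [
    # compliant: declared, authorised before, documented and tested shortly after
    ChangeRecord("CHG-1001", True, True, T + timedelta(minutes=30), T,
                 T + timedelta(hours=1), T + timedelta(hours=2),
                 "sha256:aaaa", "sha256:bbbb", "ops-log-1001"),
    # authorised only after the fact and no before image retained
    ChangeRecord("CHG-1002", True, True, T, T + timedelta(hours=3),
                 T + timedelta(hours=1), T + timedelta(hours=2),
                 None, "sha256:cccc", "ops-log-1002"),
    # normal change: not assessed by this check
    ChangeRecord("CHG-1003", False, False, T, T - timedelta(days=1),
                 T - timedelta(days=1), T - timedelta(days=1),
                 "sha256:dddd", "sha256:eeee", "ops-log-1003"),
    # emergency procedure used without a declared emergency, never documented
    ChangeRecord("CHG-1004", True, False, T, T - timedelta(hours=1),
                 None, T + timedelta(hours=1),
                 "sha256:ffff", "sha256:0000", "ops-log-1004"),
]


if __name__ == "__main__":
    for cid, findings in audit_all(SAMPLE_RECORDS).items():
        print(cid, *findings, sep="\n  ")
```

Practice 4 is the one test with no grace period, since the slide requires authorisation before implementation; practices 2 and 3 allow "if not before, then after", so the check only fails them when the record is missing or later than the assumed window. A record that passes all five tests still needs the retained images and logs reviewed for what the change actually did.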
Important COBIT Products
Control Objectives—
“Minimum controls are...”
Management Guidelines—
“Here is how you measure…”
Audit Guidelines—
“Here is how you audit...”
IT Governance Model
IT governance helps ascertain how automated systems:
• Simplify operations
• Cut costs
• Increase revenue
IT governance needs an IT control framework.
How Does COBIT Link to IT Governance?
(Figure: Business goals and requirements define the information the business needs to achieve its objectives; IT governance responsibilities and control objectives define the information executives and the board need to exercise their responsibilities; the two are linked by direction and resourcing.)
How Does COBIT Link to IT Governance?
(Figure: The business, through its goals and requirements, gives IT direction in the form of IT strategy and policy; IT governance, through responsibilities and control objectives, returns information on IT control, risk and assurance, so that the business obtains the information it needs to achieve its objectives.)
Management Guidelines
However, management has questions that go beyond a control framework:
• How do responsible managers "keep the ship on course"? (Dashboard)
• How to achieve results that are satisfactory for the largest possible segment of our stakeholders? (Scorecards)
• How to adapt the organisation in a timely manner to trends and developments in the enterprise's environment? (Benchmarking)
Indicators? Measures? Scales?
Management Guidelines Framework
Building on the waterfall model (the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices), the Management Guidelines provide for each IT process: a Process Description (with the Information Criteria and Resources it addresses), Critical Success Factors, Key Goal Indicators, Key Performance Indicators and a Maturity Model.
Maturity Model
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.
© ITGI 2004 - not for commercial use. 59
Key Goal Indicators: Definitions
• Describe the outcome of the process (i.e., measurable after the fact); are measures of “what,” and may describe the impact of not reaching the process goal
• Are indicators of the success of the process and its business contribution
• Focus on the customer and financial dimensions of the balanced scorecard
© ITGI 2004 - not for commercial use. 60
Key Goal Indicators: Examples
• Increased level of service delivery
• Number of customers and cost per customer served
• Availability of systems and services
• Absence of integrity and confidentiality risks
• Cost-efficiency of processes and operations
• Confirmation of reliability and effectiveness
• Adherence to development cost and schedule
• Cost-efficiency of the process
• Staff productivity and morale
• Number of timely changes to processes and systems
• Improved productivity (e.g., delivery of value per employee)
© ITGI 2004 - not for commercial use. 61
Key Performance Indicators: Definitions
• Are measures of “how well” the process is performing
• Predict the probability of success or failure
• Focus on the process and learning dimensions of the balanced scorecard
• Are expressed in precise, measurable terms
• Should help in improving the IT process
© ITGI 2004 - not for commercial use. 62
Key Performance Indicators: Examples (by balanced scorecard dimension)
Financial
• Number of IT customers
• Cost per IT customer
• Cost-efficiency of IT processes up
• Delivery of IT value per employee
Customer
• Level of service delivery
• Satisfaction of existing customers
• Number of new customers reached
• Number of new service delivery channels
Process
• Availability of systems and services
• Developments on schedule and budget
• Throughput and response times
• Amount of errors and rework
Learning
• Staff productivity and morale
• Number of staff trained in new techno/services
• Value delivery per employee
• Increased availability of knowledge systems
© ITGI 2004 - not for commercial use. 63
Critical Success Factors: Definitions
• Are the most important things to do to increase the probability of success of the process
• Are observable—usually measurable—characteristics of the organisation and process
• Focus on obtaining, maintaining and leveraging capability, skills and behaviour
Replaced by Inputs & Activity Goals in COBIT 4.0!
© ITGI 2004 - not for commercial use. 64
Critical Success Factors: Examples
• Strategy: The IT strategic plan clearly states a risk position such as leading-edge or road-tested, innovator or follower, and the required balance between time-to-market, cost of ownership and service quality.
• Policy: If you are not ready to enforce the policy, do not issue the policy.
• Compliance: A building permit programme for building IT systems and a “driver’s licence” programme for those doing the building
• Security: A good security plan takes time to evolve.
© ITGI 2004 - not for commercial use. 65
Maturity Models: Definitions
• Refer to business requirements (KGIs) and the enabling aspects (KPIs) at the different levels
• Are a scale that lends itself to pragmatic comparison, where the difference can be made measurable in an easy manner
• Are recognisable as a profile of the enterprise in relation to IT governance and control
• Assist in determining as-is and to-be positions relative to IT governance and control maturity and in analysing the gap
• Are neither industry-specific nor generally applicable; the nature of the business determines what is an appropriate level
© ITGI 2004 - not for commercial use. 66
Maturity Models: Usage (comparable to CMMi-Continuous)
Scale: 0 Nonexistent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised
Legend for symbols used: enterprise current status; international standard guidelines; industry best practice; enterprise strategy
Legend for rankings used:
0 - Management processes are not applied at all.
1 - Processes are ad hoc and disorganised.
2 - Processes follow a regular pattern.
3 - Processes are documented and communicated.
4 - Processes are monitored and measured.
5 - Best practices are followed and automated.
© ITGI 2004 - not for commercial use. 67
AI6 Management Guideline
© ITGI 2004 - not for commercial use. 68
AI6 Management Guideline
© ITGI 2004 - not for commercial use. 69
Important COBIT Products
Control Objectives—“Minimum controls are...”
Management Guidelines—“Here is how you measure...”
Audit Guidelines—“Here is how you audit...”
© ITGI 2004 - not for commercial use. 70
Objectives of Auditing
“Am I all right? And, if not, how do I fix it?”
• Provide management with reasonable assurance that control objectives are being met
• Where there are significant control weaknesses, substantiate the resulting risks
• Advise management on corrective actions
© ITGI 2004 - not for commercial use. 71
Structure of the Audit Process
• Identification and documentation
• Evaluation
• Compliance testing
• Substantive testing
© ITGI 2004 - not for commercial use. 72
An IT process is audited by:
• Obtaining an understanding of business requirements-related risks,
and relevant control measures
• Evaluating the appropriateness of stated controls
• Assessing compliance by testing whether the stated
controls are working as prescribed, consistently and
continuously
• Substantiating the risk of the control objectives
not being met by using analytical techniques and/or
consulting alternative sources
© ITGI 2004 - not for commercial use. 73
COBIT Audit Guidelines: One Generic Guideline and 34 Process-oriented Guidelines
• A generic guideline identifies various tasks to be performed in assessing any control objective within a process. This generic guideline is a model for all control objectives.
• Others are specific, process-oriented task suggestions to provide management assurance that a control exists and has a reasonable level of effectiveness.
© ITGI 2004 - not for commercial use. 74
Generic Audit Guideline (1 of 4): Obtaining an Understanding
The audit steps to be performed to document the activities underlying the control objectives as well as to identify the control measures/procedures put in place
• Interview appropriate management and staff to gain an understanding of:
  • Business requirements and associated risks
  • Organisation structure
  • Roles and responsibilities
  • Policies and procedures
  • Laws and regulations
  • Control measures in place
  • Management reporting (status, performance, actions)
• Document the process-related IT resources particularly affected by the process under review.
• Confirm the understanding of the process under review and its control implications, e.g., by a process walkthrough.
© ITGI 2004 - not for commercial use. 75
Generic Audit Guideline (2 of 4): Evaluating the Controls
The audit steps to be performed, in light of assessing the effectiveness of control measures in place or the degree to which the control objective is achieved
• Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices and applying professional judgement. Determine whether:
  • Documented processes exist.
  • Appropriate deliverables exist.
  • Responsibility and accountability are clear and effective.
  • Compensating controls exist, where necessary.
• Conclude the degree to which the control objective is met.
© ITGI 2004 - not for commercial use. 76
Generic Audit Guideline (3 of 4): Assessing Compliance
The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously
• Obtain direct and indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review.
• Perform a limited review of the adequacy of the process deliverables.
• Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
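As an added example (not part of the ITGI presentation), the compliance step above applied to control objective AI6.4 from slide 52: a test that takes constructed change records for a review period and reports every emergency change that falls outside the defined emergency parameters or was not recorded and authorised by IT management before implementation. The record format, the role names and the emergency criteria are assumptions made for this example.

```python
"""Compliance test of the AI6.4 control objective (emergency changes).

Added example, not part of the ITGI presentation. It applies the
"Assessing Compliance" audit step to AI6.4: every emergency change must
fall within the parameters management defined for emergency changes and
must be recorded and authorised by IT management before implementation.
The record format, role names and emergency criteria below are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed parameters defining an emergency change and who counts as
# "IT management" (constructed for the example).
EMERGENCY_REASONS = {"outage", "security-incident", "data-corruption"}
IT_MANAGEMENT_ROLES = {"it-manager", "cab-chair", "cio"}

# Constructed sample change records, one per line, key=value fields.
SAMPLE_LOG = """
id=CHG-101 type=normal reason=feature approver_role=cab-chair approved_at=2004-03-01T09:00 implemented_at=2004-03-05T22:00
id=CHG-102 type=emergency reason=outage approver_role=it-manager approved_at=2004-03-07T02:10 implemented_at=2004-03-07T02:40
id=CHG-103 type=emergency reason=outage approver_role=developer approved_at=2004-03-09T14:00 implemented_at=2004-03-09T13:30
id=CHG-104 type=emergency reason=convenience approver_role=cio implemented_at=2004-03-12T11:00
id=CHG-105 type=emergency reason=security-incident approver_role=cio approved_at=2004-04-02T08:00 implemented_at=2004-04-02T08:30
""".strip().splitlines()


@dataclass
class Finding:
    change_id: str
    issue: str


def parse_log(lines):
    """Turn key=value records into dicts; blank and '#' lines are skipped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = {}
        for token in line.split():
            key, _, value = token.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def _ts(value):
    """ISO timestamp -> datetime, or None when the field was not recorded."""
    return datetime.fromisoformat(value) if value else None


def check_emergency_change(rec):
    """Findings for one record; an empty list means AI6.4 is complied with."""
    if rec.get("type") != "emergency":
        return []  # normal changes follow the standard process, tested elsewhere
    cid = rec.get("id", "?")
    findings = []
    if rec.get("reason") not in EMERGENCY_REASONS:
        findings.append(Finding(cid, "reason outside the defined emergency parameters"))
    if rec.get("approver_role") not in IT_MANAGEMENT_ROLES:
        findings.append(Finding(cid, "not authorised by IT management"))
    approved, implemented = _ts(rec.get("approved_at")), _ts(rec.get("implemented_at"))
    if approved is None:
        findings.append(Finding(cid, "authorisation not recorded"))
    elif implemented is not None and approved > implemented:
        findings.append(Finding(cid, "authorised after implementation"))
    if implemented is None:
        findings.append(Finding(cid, "implementation not recorded"))
    return findings


def assess_compliance(lines, period_start, period_end):
    """Test every emergency change implemented in the review period.

    Returns (number_tested, findings). A change with no implementation
    date stays in scope so that the missing record is reported.
    """
    start, end = _ts(period_start), _ts(period_end)
    tested, findings = 0, []
    for rec in parse_log(lines):
        if rec.get("type") != "emergency":
            continue
        implemented = _ts(rec.get("implemented_at"))
        if implemented is not None and not (start <= implemented <= end):
            continue
        tested += 1
        findings.extend(check_emergency_change(rec))
    return tested, findings


if __name__ == "__main__":
    n, found = assess_compliance(SAMPLE_LOG, "2004-03-01T00:00", "2004-03-31T23:59")
    print(f"{n} emergency changes tested, {len(found)} exceptions")
    for f in found:
        print(f"  {f.change_id}: {f.issue}")
```

On the sample records, CHG-103 (approved by a developer, after the fact) and CHG-104 (no recorded authorisation, reason outside the parameters) are the exceptions that the next step, substantiating the risk, would take forward.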
© ITGI 2004 - not for commercial use. 77
Generic Audit Guideline (4 of 4): Substantiating the Risk
The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources
• Document the control weaknesses and resulting threats and vulnerabilities.
• Identify and document the actual and potential impact.
© ITGI 2004 - not for commercial use. 78
AI6 Audit Guideline
© ITGI 2004 - not for commercial use. 79
AI6 Audit Guideline
© ITGI 2004 - not for commercial use. 80
AI6 Audit Guideline
© ITGI 2004 - not for commercial use. 81
How Audit Guidelines and Control Objectives Are Linked
• Obtaining an understanding: collect background information referencing business drivers, risks, infrastructure, etc.
• Evaluating the appropriateness: control objectives translated to verify whether they are addressed, taking into account the appropriateness for the enterprise and management claims about their presence
• Assessing compliance: control objectives translated to test and/or measure whether controls in support of the control objectives are present as claimed and whether they operate satisfactorily
• Substantiating the risk: illustrate missed business objectives, losses, etc., due to absence of adequate control
© ITGI 2004 - not for commercial use. 82
How Audit Guidelines and All Other COBIT Elements Are Linked
Diagram: the business passes requirements to the IT Processes, which return information. Linked to the IT Processes are the Control Objectives, Control Practices (in v. 4?), Audit Guidelines (in v. 4?), Activity Goals (Critical Success Factors), Key Performance Indicators, Key Goal Indicators and Maturity Models. Arrow legend: = takes into consideration.

  • 28. © ITGI 2004 - not for commercial use. 28  DS1 Define and manage service levels  DS2 Manage third-party services  DS3 Manage performance and capacity  DS4 Ensure continuous service  DS5 Ensure systems security  DS6 Identify and allocate costs  DS7 Educate and train users  DS8 Assist and advise customers  DS9 Manage the configuration  DS10 Manage problems and incidents  DS11 Manage data  DS12 Manage facilities  DS13 Manage operations Process Orientation Deliver and Support
  • 29. © ITGI 2004 - not for commercial use. 29 Description  All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain thus addresses management’s oversight of the organisation’s control process and independent assurance provided by internal and external audit or obtained from alternative sources. Topics  Assessment over time, delivering assurance  Management’s oversight of the control system  Performance measurement Questions  Can IT’s performance be measured and can problems be detected before it is too late?  Is independent assurance needed to ensure critical areas are operating as intended? Domains Process Orientation Monitor and Evaluate IT Processes Business Requirements IT Resources IT Processes Business Requirements IT Resources
  • 30. © ITGI 2004 - not for commercial use. 30 M1 Monitor the process M2 Assess internal control adequacy M3 Obtain independent assurance M4 Provide for independent audit Process Orientation Monitor and Evaluate
  • 31. © ITGI 2004 - not for commercial use. 31 Data: Data objects in their widest sense, i.e., external and internal, structured and nonstructured, graphics, sound, etc. Application Systems: Understood to be the sum of manual and programmed procedures Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc. Facilities: Resources to house and support information systems People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support, monitor and evaluate information systems and services IT Resources IT Processes Business Requirements IT Resources IT Processes Business Requirements IT Resources
  • 32. © ITGI 2004 - not for commercial use. 32 IT Processes IT Resources Business Requirements  Data  Application systems  Technology  Facilities  People  Plan and Organise  Aquire and Implement  Deliver and Support  Monitor and Evaluate  Effectiveness  Efficiency  Confidentiality  Integrity  Availability  Compliance  Information reliability How do they relate? IT Processes Business Requirements IT Resources IT Processes Business Requirements IT Resources
  • 33. © ITGI 2004 - not for commercial use. 33 IT Processes IT Resources Business Requirements  Data  Application systems  Technology  Facilities  People  Plan and Organise  Aquire and Implement  Deliver and Support  Monitor and Evaluate  Effectiveness  Efficiency  Confidentiality  Integrity  Availability  Compliance  Information reliability How IT is organised to respond to the requirements What the stakeholders expect from IT The resources made available to—and built up by—IT
  • 34. © ITGI 2004 - not for commercial use. 34 PO1 Define a strategic IT plan PO2 Define the information architecture PO3 Determine the technological direction PO4 Define the IT organisation and relationships PO5 Manage the IT investment PO6 Communicate management aims and direction PO7 Manage human resources PO8 Ensure compliance with external requirements PO9 Assess risks PO10 Manage projects PO11 Manage quality AI1 Identify automated solutions AI2 Acquire and mantain application software AI3 Acquire and maintain technology infrastructure AI4 Develop and maintain IT procedures AI5 Install and accredit systems AI6 Manage changes M1 Monitor the process M2 Assess internal control adequacy M3 Obtain independent assurance M4 Provide for independent audit DS1 Define service levels DS2 Manage third-party services DS3 Manage peformance and capacity DS4 Ensure continuous service DS5 Ensure systems security DS6 Identify and attribute costs DS7 Educate and train users DS8 Assist and advise IT customers DS9 Manage the configuration DS10 Manage problems and incidents DS11 Manage data DS12 Manage facilities DS13 Manage operations IT RESOURCES • Data • Application systems • Technology • Facilities • People PLAN AND ORGANISE ACQUIRE AND IMPLEMENT DELIVER AND SUPPORT • Effectiveness • Efficiency • Confidenciality • Integrity • Availability • Compliance • Reliability Criteria COBIT Framework MONITOR AND EVALUATE
  • 35. © ITGI 2004 - not for commercial use. 35 BUSINESS PROCESSES INFORMATION • Effectiveness • Efficiency • Confidenciality • Integrity • Availability • Compliance • Reliability Criteria COBIT IT RESOURCES • Data • Aplication systems • Technology • Facilities • People PLAN AND ORGANISE AQUIRE AND IMPLEMENT DELIVER AND SUPPORT COBIT Framework To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. MONITOR AND EVALUATE
  • 36. © ITGI 2004 - not for commercial use. 36 Summarising up to now  IT is indispensable for the survival and growth of enterprises.  Management is responsible for control.  That responsibility needs a framework: Business requirements can be expressed as information criteria. IT is generally organised in a set of processes. IT needs a set of resources.  COBIT is an internationally accepted standard. To provide the information that the organisation needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes. COBIT Framework
  • 37. The COBIT Cube
  • 38. COBIT Cube: Navigational Aids
    - The cube maps the IT Domains (Plan and Organise; Acquire and Implement; Deliver and Support; Monitor and Evaluate) against the Information Criteria, with each cell marked P (primary) or S (secondary).
  • 39. Summary: Processes, Criteria and Resources
  • 40. COBIT Summary of Processes, Criteria and Resources (table for the Acquire and Implement domain)
    - Rows: AI1 Identify automated solutions; AI2 Acquire and maintain application software; AI3 Acquire and maintain technology infrastructure; AI4 Develop and maintain procedures; AI5 Install and accredit systems; AI6 Manage changes
    - Columns: each process is rated P (primary) or S (secondary) against the information criteria and ticked against the IT resources it relies on.
  • 41. Assignment: The most important COBIT processes
    - "For a business with which you are familiar, what would be the most important IT processes? Why?"
  • 42. Important COBIT Products
    - Control Objectives: "Minimum controls are..."
    - Management Guidelines: "Here is how you measure..."
    - Audit Guidelines: "Here is how you audit..."
  • 43. Control and Control Objective Definitions
    - Definition of Control: the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
    - Definition of IT Control Objective: a statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity
  • 44. Control Objectives and Control Practices
    - High-level control objective: one per process
    - Detailed control objectives: three to 30 per process (average >9)
    - Control practices: five to seven per control objective
  • 45. Waterfall Model
    - The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements, considering Control Practices.
    - 4 Domains - 34 Processes - 318 Control Objectives - ~1900 Control Practices!
  • 46. AI6 Manage changes: High-level Control Objective
    - Managing changes to computer programs is required to ensure processing integrity between versions, and for consistency of results period to period. Change must be formally managed via change control request, impact assessment, documentation, authorisation, release, and distribution policies and procedures.
  • 47. AI6 High-level Control Objective
  • 48. AI6 Manage Changes: Detailed Control Objectives
    - 6.1 Change request initiation and control: IT management should ensure that all requests for changes, system maintenance and supplier maintenance are standardised and are subject to formal change management procedures. Changes should be categorised and prioritised, and specific procedures should be in place to handle urgent matters. Change requesters should be kept informed about the status of their request.
    - 6.2 Impact assessment: A procedure should be in place to ensure that all requests for change are assessed in a structured way for all possible impacts on the operational system and its functionality.
    - 6.3 Control of changes: IT management should ensure that change management and software control and distribution are properly integrated with a comprehensive configuration management system. The system used to monitor changes to application systems should be automated to support the recording and tracking of changes made to large, complex information systems.
    - 6.4 Emergency changes: IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
  • 49. AI6 Manage Changes: Detailed Control Objectives (continued)
    - 6.5 Documentation and procedures: The change process should ensure that, whenever system changes are implemented, the associated documentation and procedures are updated accordingly.
    - 6.6 Authorised maintenance: IT management should ensure that maintenance personnel have specific assignments and their work is properly monitored. In addition, their system access rights should be controlled to avoid risks of unauthorised access to automated systems.
    - 6.7 Software release policy: IT management should ensure that the release of software is governed by formal procedures, ensuring sign-off, packaging, regression testing, handover, etc.
    - 6.8 Distribution of software: Specific internal control measures should be established to ensure distribution of the correct software element to the right place, with integrity, in a timely manner and with adequate audit trails.
  • 50. COBIT AI6 Detailed Control Objectives
  • 51. Control Practices
    - Control practices translate COBIT's control objectives into detailed, implementable practices and provide the business argumentation for implementation, from a value and a risk perspective.
    - Control practices are key control mechanisms that support the achievement of control objectives and the prevention, detection and correction of undesired events.
    - Control practices achieve that through responsible use of resources, appropriate management of risk, and alignment of IT with business.
  • 52. AI6 Manage change: AI6.4 Emergency changes
    - Control objective: IT management should establish parameters defining emergency changes and procedures to control these changes when they circumvent the normal process of technical, operational and management assessment prior to implementation. The emergency changes should be recorded and authorised by IT management prior to implementation.
    - Control practices:
      1. Management defines parameters, characteristics and procedures that identify and declare emergencies.
      2. All emergency changes are documented, if not before, then after, implementation.
      3. All emergency changes are tested, if not before, then after, implementation.
      4. All emergency changes are formally authorised by the system owner and management before implementation.
      5. Before and after images as well as intervention logs are retained for subsequent review.
    - Why do it? Controlling emergency changes by implementing the control practices will ensure that emergency procedures are used in declared emergencies only, and that urgent changes can be implemented without compromising integrity, availability, reliability, security, confidentiality or accuracy.
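As an added example (not from the COBIT Presentation Package or ITGI), the five AI6.4 control practices above expressed as a compliance test that an auditor or control owner could run over change records for a sample period; the record fields, the role names and the set of declared emergency criteria are assumptions made for illustration.

```python
"""Control test for COBIT AI6.4 (emergency changes) over constructed change records.
Added example, not part of the COBIT Presentation Package; record fields, role
names and the emergency criteria are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Assumed management-defined parameters that declare an emergency (practice 1).
EMERGENCY_CRITERIA = {"production_outage", "security_incident", "regulatory_deadline"}
# Assumed roles whose formal authorisation practice 4 requires.
REQUIRED_AUTHORISERS = {"system_owner", "it_management"}


@dataclass
class ChangeRecord:
    change_id: str
    emergency: bool
    reason: str
    implemented_at: datetime
    documented_at: Optional[datetime] = None          # practice 2
    tested_at: Optional[datetime] = None              # practice 3
    authorised_at: Optional[datetime] = None          # practice 4
    authorised_by: set = field(default_factory=set)   # roles that signed off
    before_image_retained: bool = False               # practice 5
    after_image_retained: bool = False
    intervention_log_retained: bool = False


def assess_emergency_change(rec: ChangeRecord) -> list:
    """Return the control exceptions for one emergency change (empty list = compliant)."""
    findings = []
    if not rec.emergency:
        return findings  # normal changes follow the standard AI6 path, not this test
    # Practice 1: the emergency procedure is used in declared emergencies only.
    if rec.reason not in EMERGENCY_CRITERIA:
        findings.append("P1: reason '%s' is not a declared emergency parameter" % rec.reason)
    # Practices 2 and 3: documented and tested, if not before then after implementation.
    if rec.documented_at is None:
        findings.append("P2: no documentation recorded")
    if rec.tested_at is None:
        findings.append("P3: no test recorded")
    # Practice 4: formal authorisation by system owner and management, before implementation.
    missing = REQUIRED_AUTHORISERS - rec.authorised_by
    if missing:
        findings.append("P4: authorisation missing from %s" % ", ".join(sorted(missing)))
    if rec.authorised_at is None or rec.authorised_at > rec.implemented_at:
        findings.append("P4: authorisation not obtained before implementation")
    # Practice 5: before/after images and intervention logs retained for review.
    if not (rec.before_image_retained and rec.after_image_retained):
        findings.append("P5: before/after images not retained")
    if not rec.intervention_log_retained:
        findings.append("P5: intervention log not retained")
    return findings


def compliance_test(records: list) -> dict:
    """Compliance-testing step: exceptions per change and per practice for the sample."""
    findings = {r.change_id: assess_emergency_change(r) for r in records if r.emergency}
    by_practice = {}
    for items in findings.values():
        for item in items:
            key = item.split(":")[0]
            by_practice[key] = by_practice.get(key, 0) + 1
    return {"emergency_changes": len(findings),
            "compliant": sum(1 for f in findings.values() if not f),
            "exceptions_by_practice": by_practice,
            "findings": findings}


T = datetime  # constructed sample records, not real change data
SAMPLE_RECORDS = [
    ChangeRecord("CHG-1001", True, "production_outage", T(2004, 3, 1, 2, 0),
                 documented_at=T(2004, 3, 1, 9, 0), tested_at=T(2004, 3, 1, 10, 0),
                 authorised_at=T(2004, 3, 1, 1, 30), authorised_by={"system_owner", "it_management"},
                 before_image_retained=True, after_image_retained=True,
                 intervention_log_retained=True),
    ChangeRecord("CHG-1002", True, "feature_request", T(2004, 3, 2, 14, 0),
                 documented_at=T(2004, 3, 2, 15, 0), tested_at=None,
                 authorised_at=T(2004, 3, 2, 16, 0), authorised_by={"it_management"},
                 before_image_retained=True, after_image_retained=False,
                 intervention_log_retained=True),
    ChangeRecord("CHG-1003", False, "feature_request", T(2004, 3, 3, 11, 0)),
]

if __name__ == "__main__":
    for change_id, items in compliance_test(SAMPLE_RECORDS)["findings"].items():
        print(change_id, "compliant" if not items else items)
```

CHG-1001 passes all five practices; CHG-1002 was declared an emergency for a non-emergency reason, was never tested, lacks the system owner's sign-off, was authorised after implementation and has no after image, so the summary attributes its exceptions to practices 1, 3, 4 and 5.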
  • 53. Important COBIT Products
    - Control Objectives: "Minimum controls are..."
    - Management Guidelines: "Here is how you measure..."
    - Audit Guidelines: "Here is how you audit..."
  • 54. IT Governance Model
    - IT governance helps ascertain how automated systems simplify operations, cut costs and increase revenue.
    - It needs an IT control framework.
  • 55. How Does COBIT Link to IT Governance? (diagram)
    - Business side: goals and requirements. IT governance side: responsibilities and control objectives.
    - The business provides direction and resourcing; IT provides the information the business needs to achieve its objectives and the information executives and the board need to exercise their responsibilities.
  • 56. How Does COBIT Link to IT Governance? (diagram, continued)
    - Business goals and requirements map to IT governance responsibilities and control objectives.
    - The business gives direction (IT strategy and policy); IT returns information (IT control, risk and assurance), which is the information the business needs to achieve its objectives.
  • 57. Management Guidelines
    - However, management has questions that go beyond a control framework:
    - How do responsible managers "keep the ship on course"? (dashboard)
    - How to achieve results that are satisfactory for the largest possible segment of our stakeholders? (scorecards)
    - How to adapt the organisation in a timely manner to trends and developments in the enterprise's environment? (benchmarking)
    - Indicators? Measures? Scales?
  • 58. Management Guidelines Framework
    - Waterfall: the control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.
    - For each process: process description, critical success factors, key goal indicators, key performance indicators, information criteria and resources.
    - Maturity model: 0 - Management processes are not applied at all. 1 - Processes are ad hoc and disorganised. 2 - Processes follow a regular pattern. 3 - Processes are documented and communicated. 4 - Processes are monitored and measured. 5 - Best practices are followed and automated.
  • 59. Key Goal Indicators: Definitions
    - Describe the outcome of the process (i.e., measurable after the fact); are measures of "what," and may describe the impact of not reaching the process goal
    - Are indicators of the success of the process and its business contribution
    - Focus on the customer and financial dimensions of the balanced scorecard
  • 60. Key Goal Indicators: Examples
    - Increased level of service delivery
    - Number of customers and cost per customer served
    - Availability of systems and services
    - Absence of integrity and confidentiality risks
    - Cost-efficiency of processes and operations
    - Confirmation of reliability and effectiveness
    - Adherence to development cost and schedule
    - Cost-efficiency of the process
    - Staff productivity and morale
    - Number of timely changes to processes and systems
    - Improved productivity (e.g., delivery of value per employee)
  • 61. Key Performance Indicators: Definitions
    - Are measures of "how well" the process is performing
    - Predict the probability of success or failure
    - Focus on the process and learning dimensions of the balanced scorecard
    - Are expressed in precise, measurable terms
    - Should help in improving the IT process
  • 62. Key Performance Indicators: Examples (by balanced scorecard dimension)
    - Financial: number of IT customers; cost per IT customer; cost-efficiency of IT processes; delivery of IT value per employee
    - Process: availability of systems and services; developments on schedule and budget; throughput and response times; amount of errors and rework; level of service delivery
    - Customer: satisfaction of existing customers; number of new customers reached; number of new service delivery channels
    - Learning: staff productivity and morale; number of staff trained in new technologies/services; value delivery per employee; increased availability of knowledge systems
  • 63. Critical Success Factors: Definitions
    - Are the most important things to do to increase the probability of success of the process
    - Are observable, usually measurable, characteristics of the organisation and process
    - Focus on obtaining, maintaining and leveraging capability, skills and behaviour
    - Note: replaced by Inputs and Activity Goals in COBIT 4.0!
  • 64. Critical Success Factors: Examples
    - Strategy: The IT strategic plan clearly states a risk position such as leading-edge or road-tested, innovator or follower, and the required balance between time-to-market, cost of ownership and service quality.
    - Policy: If you are not ready to enforce the policy, do not issue the policy.
    - Compliance: A building permit programme for building IT systems and a "driver's licence" programme for those doing the building.
    - Security: A good security plan takes time to evolve.
  • 65. Maturity Models: Definitions
    - Refer to business requirements (KGIs) and the enabling aspects (KPIs) at the different levels
    - Are a scale that lends itself to pragmatic comparison, where the difference can be made measurable in an easy manner
    - Are recognisable as a profile of the enterprise in relation to IT governance and control
    - Assist in determining as-is and to-be positions relative to IT governance and control maturity, and in analysing the gap
    - Are not industry-specific nor generally applicable. The nature of the business determines what is an appropriate level.
  • 66. Maturity Models: Usage (comparable to CMMi-Continuous)
    - Scale: 0 Nonexistent; 1 Initial; 2 Repeatable; 3 Defined; 4 Managed; 5 Optimised
    - Legend for rankings used: 0 - Management processes are not applied at all. 1 - Processes are ad hoc and disorganised. 2 - Processes follow a regular pattern. 3 - Processes are documented and communicated. 4 - Processes are monitored and measured. 5 - Best practices are followed and automated.
    - Legend for symbols used: enterprise current status; international standard guidelines; industry best practice; enterprise strategy
  • 67. AI6 Management Guideline
  • 68. AI6 Management Guideline (continued)
  • 69. Important COBIT Products
    - Control Objectives: "Minimum controls are..."
    - Management Guidelines: "Here is how you measure..."
    - Audit Guidelines: "Here is how you audit..."
  • 70. Objectives of Auditing
    - Provide management with reasonable assurance that control objectives are being met
    - Where there are significant control weaknesses, substantiate the resulting risks
    - Advise management on corrective actions
    - "Am I all right? And, if not, how do I fix it?"
  • 71. Structure of the Audit Process
    - Identification and documentation; evaluation; compliance testing; substantive testing
  • 72. An IT process is audited by:
    - Obtaining an understanding of business requirements-related risks, and relevant control measures
    - Evaluating the appropriateness of stated controls
    - Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
    - Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources
  • 73. COBIT Audit Guidelines: One Generic Guideline and 34 Process-oriented Guidelines
    - A generic guideline identifies various tasks to be performed in assessing any control objective within a process. This generic guideline is a model for all control objectives.
    - The others are specific, process-oriented task suggestions to provide management assurance that a control exists and has a reasonable level of effectiveness.
  • 74. Generic Audit Guideline (1 of 4): Obtaining an Understanding
    - The audit steps to be performed to document the activities underlying the control objectives as well as to identify the control measures/procedures put in place
    - Interview appropriate management and staff to gain an understanding of: business requirements and associated risks; organisation structure; roles and responsibilities; policies and procedures; laws and regulations; control measures in place; management reporting (status, performance, actions)
    - Document the process-related IT resources particularly affected by the process under review.
    - Confirm the understanding of the process under review and the control implications, e.g., by a process walkthrough.
  • 75. Generic Audit Guideline (2 of 4): Evaluating the Controls
    - The audit steps to be performed to assess the effectiveness of control measures in place, or the degree to which the control objective is achieved
    - Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices and applying professional judgement. Determine whether: documented processes exist; appropriate deliverables exist; responsibility and accountability are clear and effective; compensating controls exist, where necessary.
    - Conclude the degree to which the control objective is met.
  • 76. Generic Audit Guideline (3 of 4): Assessing Compliance
    - The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously
    - Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review.
    - Perform a limited review of the adequacy of the process deliverables.
    - Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.
  • 77. Generic Audit Guideline (4 of 4): Substantiating the Risk
    - The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources
    - Document the control weaknesses and resulting threats and vulnerabilities.
    - Identify and document the actual and potential impact.
  • 78. AI6 Audit Guideline
  • 79. AI6 Audit Guideline (continued)
  • 80. AI6 Audit Guideline (continued)
  • 81. How Audit Guidelines and Control Objectives Are Linked
    - Obtaining an understanding: collect background information referencing business drivers, risks, infrastructure, etc.
    - Evaluating the appropriateness: control objectives translated to verify whether they are addressed, taking into account the appropriateness for the enterprise and management claims about their presence
    - Assessing compliance: control objectives translated to test and/or measure whether controls in support of the control objectives are present as claimed and whether they operate satisfactorily
    - Substantiating the risk: illustrate missed business objectives, losses, etc., due to absence of adequate control.
  • 82. How Audit Guidelines and All Other COBIT Elements Are Linked (diagram)
    - Business requirements drive the IT processes, which deliver information back to the business.
    - Each IT process is linked to its Control Objectives, Control Practices (in v. 4?), Audit Guidelines (in v. 4?), Activity Goals (Critical Success Factors), Key Performance Indicators, Key Goal Indicators and Maturity Models.
    - Legend: "=" means "takes into consideration".