Internal Control: COSO and CobiT - PowerPoint PPT Presentation


Slides: 133
Provided by: Bent123
Transcript and Presenter's Notes

  • Part 2


Audit Guidelines -- 226 pages
  • 1 Generic Guideline and 34 Process Oriented
  • A generic guideline identifies various tasks to
    be performed in assessing ANY control objective
    within a process. This generic guideline
    extracted all repetitive tasks into one -- to be
    performed for all control objectives.
  • Others are specific process-oriented task
    suggestions to provide management assurance that
    a control is in place and is working.

Audit Guidelines
  • Purpose of audit guidelines is to provide simple
    structure for auditing controls
  • Audit guidelines are generic and high-level in
  • Although intended as a guide for auditing
    high-level control objectives, CobiT can assist
    overall audit planning
  • Enables auditor to review processes against
    control objectives

CobiT supports generally accepted structure of
the audit process
  • Identification and documentation
  • Evaluation
  • Compliance testing, and
  • Substantive testing

The IT process is therefore audited by
  • Obtaining an understanding of business
    requirements, related risks, and relevant
    control measures
  • Evaluating the appropriateness of stated controls
  • Assessing compliance by testing whether the
    stated controls are working as prescribed,
    consistently and continuously
  • Substantiating the risk of the control
    objective not being met by using analytical
    techniques and/or consulting alternative sources

performed to document the activities underlying
the control objectives as well as to identify the
stated control measures/procedures in place.
  • Interview appropriate management and staff to
    gain an understanding of
  • Business requirements and associated risks
  • Organisation structure
  • Roles and responsibilities
  • Policies and procedures
  • Laws and regulations and contractual obligations
  • Control measures in place
  • Management reporting (status, performance,
    action items)
  • Document the process-related IT resources
    particularly affected by the process under review.
  • Confirm the understanding of the process under
    review, the Key Performance Indicators (KPI) of
    the process, and the control implications (e.g.,
    by a process walk through).

EVALUATING THE CONTROLS
The audit steps to be performed in assessing the
effectiveness of control measures in place or the
degree to which the control objective is achieved.
Basically deciding what, whether and how to test.
  • Evaluate the appropriateness of control measures
    for the process under review by considering
    identified criteria and industry standard
    practices, the Critical Success Factors (CSF) of
    the control measures and applying professional
    judgment.
  • Documented processes exist
  • Appropriate deliverables exist
  • Responsibility and accountability are clear and
    effective
  • Compensating controls exist, where necessary
  • Conclude the degree to which the control
    objective is met.

ASSESSING COMPLIANCE
The audit steps to be performed to ensure that the
control measures established are working as
prescribed, consistently and continuously, and to
conclude on the appropriateness of the control
environment.
  • Obtain direct or indirect evidence for selected
    items/periods to ensure that the procedures have
    been complied with for the period under review
    using both direct and indirect evidence.
  • Perform a limited review of the adequacy of the
    process deliverables.
  • Determine the level of substantive testing and
    additional work needed to provide assurance that
    the IT process is adequate.

SUBSTANTIATING THE RISK
The audit steps to be performed to substantiate
the risk of the control objective not being met by
using analytical techniques and/or consulting
alternative sources. The objective is to support
the opinion and to shock management into action.
Auditors have to be creative in finding and
presenting this often sensitive and confidential
information.
  • Document the control weaknesses and resulting
    threats and vulnerabilities.
  • Identify and document the actual and potential
    impact (e.g., through root-cause analysis).
  • Provide comparative information (e.g., through
    benchmarks).

Audit Guidelines are GUIDELINES
  • They are a starting point for identifying control
    tasks and activities associated with particular
    control objectives.
  • To plan and conduct the audit, an auditor must
    add knowledge about the business, risk analysis,
    and controls; perform adequate audit procedures;
    and draw conclusions from the results of the
    audit procedures.

Using CobiT to Develop an Audit Program
  • Start with Control Objectives to refresh the
    purpose of the control objective and the
    recommended IT control practices
  • Use the Audit Guidelines generic audit guideline
    as a starting point
  • Use the selected process-oriented audit
    guidelines to refine the audit work program
  • Select appropriate portions of the Audit
    Guidelines in sync with selected detailed control
    objectives (selected control tasks and

Using CobiT to Review an Audit Program
  • Use the Audit Guidelines to benchmark the
    existing audit program against
  • Use the Control Objectives high-level control
    objectives to review audit objectives and
    detailed control objectives to review criteria
  • Use the generic and process-oriented audit
    guidelines to review audit process and procedures

Recommending the Adoption of CobiT
Adopting CobiT
  • Start by identifying the need for use, and how
    it might be used
  • Focus on the benefits to be derived from using
  • Assess the acceptance and implementation
  • Assign priority of multiple uses
  • Identify one or more champions

Adopting CobiT
  • For those responsible for systems and those who
    audit systems, the value lies in having an
    organized IT control model that links management
    control practices to control objectives, and in
    turn to business objectives.
  • From a management perspective
  • management and IT policy makers such as CEO, CIO,
    VP of IT
  • IT steering committee
  • business process owners and users
  • From an Audit perspective
  • evaluators and internal/external auditors

Factors to Consider
  • Dimension and depth of the IT environment
  • Organizational structure of IT services
  • Level of internal and outsourced IT functions
  • Relationships of IT, IS Audit, business process
    owners, management
  • Management philosophy regarding control and audit
  • Extent of business process reengineering
  • Level of consensus needed

Benefits of CobiT
  • Supports IT governance objectives.
  • Helps ensure that IT processes are defined and
  • Helps to ensure that there is focus on control
  • Leads to more cost-effective IT services.

Benefits of CobiT
  • Helps to provide reasonable assurance that
  • IT process objectives are understood
  • IT risks have been identified
  • Appropriate controls have been implemented
  • Appropriate monitoring and evaluation processes
    in effect
  • IT process objectives can be achieved.

Benefits of CobiT
  • Helps to ensure that the organization complies
    with applicable rules, regulations and
    contractual obligations.
  • Opportunity for complementary adoption of COSO
    and CobiT (or other control models).
  • Authoritative nature of CobiT encompassing
    adoption of well-recognized and established
    standards for IT control.

Benefits of CobiT
  • Strengthens assessment, understanding and
    exercise of appropriate internal controls.
  • Provides a good framework for risk assessment and
    risk management.
  • Improves communication among management, business
    process owners, users and auditors regarding IT
    governance, and between internal and external

Benefits of CobiT
  • Provides a framework for ensuring that outsourced
    IT functions are addressed in third-party
  • Helps to strengthen the relationship between IS
    Services and the user community through improved
  • Supports management's efforts to demonstrate due
    diligence with respect to IT-based operations.

Using CobiT
  • Organizational Tool
  • Audit Planning and Support Tool
  • IT Control Self Assessment Tool

CobiT as an Organizational Tool
  • Provides framework and benchmarks for IT planning
    and management
  • Identification of primary IT processes (by broad
    management-oriented Domains)
  • Assists in establishing responsibilities and
    points of accountability
  • Assists in clarifying IT's and Audit's roles

CobiT As An Audit Planning Tool
  • To look at a functional area.
  • Which functional area?
  • What systems are involved?
  • What IT processes are involved?
  • What are the objectives and risks?
  • What are the control objectives?

Using CobiT in Audit Planning
  • IT audit shop planning --- audit engagement
  • Determining type of audit services
  • Engagement planning
  • Framing audit scope and audit objectives to
  • Development of audit approach

Audit Planning
  • Adequate planning is a necessary first step in
    performing effective IT Audits.
  • Need to understand the general business
    environment as well as the associated business
    and control risks.
  • Assess operational and control risks and identify
    control objectives during audit planning.

Use of CobiT during the Audit
  • Assessing the control environment and identifying
    high risk processes
  • Conducting a high-level policy and procedures
  • Conducting a detailed review of policies and
    procedures against the entire control objectives
  • Using CobiT-related matrices

  • CobiT-related Matrices

Using CobiT Matrices to Focus on
  • IT Functions
  • Their importance?
  • Level of performance?
  • Control documentation?
  • Responsible Parties of IT
  • Performed by?
  • Contracted services?
  • Primary responsible party?
  • Risk Assessment
  • Importance, level of risk, control documentation?

CobiT-Related Matrices
  • Submit matrix of processes to IT management to
    attain assertions regarding
  • Importance, performance and risk of each process
  • self assessment of how well control is being
    carried out for each process
  • Have the review or audit team also independently
    rate preliminary understanding of importance,
    performance and risk of each process
  • Use a matrix of IT processes to identify who
    performs each process and who has final
    responsibility; this can be used to identify
    processes not performed by traditional IT

Pre-Audit Performance and Risk
Level of Performance   Function Operation   Level of Risk
high                   A/P                  low
high                   payroll              low
medium                 IT processing        high

Pre-Audit Risk/Importance and Control
Risk/Importance   Function Operation   Control Documentation
Low/medium        A/P                  yes
Low/high          payroll              none
High/medium       IT processing        partial

Pre-Audit Functions, Responsibilities and Points of
Accountability
Function performed by   Function Operation   Responsible Party
internal                A/P                  Accounting
outsourced              payroll              Accounting
IT Dept                 IT processing        VP of IT

Audit planning matrix: COBIT's 34 processes
(PO 1, PO 2, . . ., M 4) as rows against audits (or
audit entities) A, B, C, D, E, F, ... as columns.
Legend: S = Pre-audit survey, A = Audit, R = Report;
Positive conclusion; Finding.

Use of CobiT in Audit Planning
  • Supports objectives of AU.319 Consideration of
    Internal Control in a Financial Statement Audit,
  • Risk-Based Audit planning

Key Features of Risk-Based Approach
  • Focuses on the business from a management
  • Emphasis on knowledge of the business and the
  • Focus on assessing the effectiveness of a
    combination of controls
  • Linkage between risk assessment and testing
    focusing on control objectives

Risk-Based Audit Planning
  • What is most critical to the business?
  • What are the CSFs?
  • What are the risks and threats?
  • How robust and appropriate does the internal
    control structure appear?
  • What are management's concerns?

Risks to the Business?
  • Unaware of the risks
  • Poor understanding of CSFs
  • Absence of KPIs
  • No scorecard or basis of measurement
  • Absence of monitoring and evaluation
  • Weak IT control environment
  • Loss of data or system integrity

Control Risk Assessment
  • Control Risk assessment at maximum
  • addresses relevant audit objectives using
    substantive tests
  • perform all applicable substantive tests
  • Control risk assessment at below maximum
  • identify control procedures that allow control
    risk to be below maximum
  • design and perform tests of controls
  • Identify reduced substantive tests

Control Risk Assessment
  • Control Risk assessment at low
  • perform tests of controls for application and IT
  • perform analytical procedures (reduced
    substantive testing)

Control Assessment Steps
  • What is the control objective?
  • Identify the type of control (application or
    general; primary or secondary; and preventive,
    detective, or corrective)
  • What business objective is impacted?
  • Appropriateness of the stated control?
  • Number of components used to execute the control
    and number of subsystems or control objectives
  • Evidence that the control is in effect, or impact
    that it is not.

Setting Audit Objectives
  • Depends on the type of audit
  • Best phrased when focused on whether selected
    control objectives are met
  • Build the linkage between the control objective
    and the controls to the audit objectives and
    audit procedures (review and examination steps)
    to obtain sufficient audit evidence to draw

  • Use of CobiT in
  • The Pre-Audit Process

Overview of Pre-Audit Process
  • Auditee selection (may be CobiT driven)
  • Off-site preliminary information gathering
  • Entrance Conference and on-site pre-audit
    information gathering (reference to CobiT)
  • Develop proposed scope and audit objectives
  • Internal scope meeting (review approval)
  • Finalize audit work program (CobiT-framed)
  • Engagement conference (reference CobiT as
    criteria) and audit (CobiT as examination

Pre-Audit Planning
  • Who are they? (type of organization, industry)
  • What do they do? (mission, business objectives)
  • How do they plan to do it? (strategy/plan)
  • How do they do it? (functions, processes)
  • With what resources? (IT, operational
    resources, management staff, raw materials,
  • By what rules? (policies, standards, legal and
    regulatory requirements)
  • Under what risks? (risk analysis)

Pre-Audit Planning
  • Who does it? (internal and external players,
    their roles and responsibilities)
  • Who knows what is done? (reporting lines,
    designated points of accountability)
  • How do they know it is done right?
    (measurement registers, assurance mechanisms,
    evaluations, score cards, etc.)
  • Where are they? (global or national,
    centralized or distributed organizational
    structure, etc.)

On-Site Pre-Audit
  • Entrance conference and subsequent interviews
    (CobiT discussion)
  • Tour of facility and observations
  • Documentation review (high-level CobiT)
  • Obtain management assertions (CobiT matrices)
  • Identification of data/information sources and
    their information criteria (CobiT)
  • Risk and exposure analysis
  • Review of internal controls (includes CobiT)
  • Determination of planned materiality

On-Site Pre-Audit Procedures
  • Identification of accounting and operational
    control objectives and related control practices
  • Perform selected tests of stated procedures or
    controls (CobiT)
  • Determination of auditability
  • Summary conclusions and development of proposed
    scope and audit objectives

Internal Scope Meeting
  • AIC and manager present understanding of the
    entity and its audit requirements
  • Provides opportunity to discuss CobiT-related
  • Acquaints the Audit Shop's management with
    proposed audit and CobiT-related matters
  • Serves as review and approval point for scope and
    audit objectives

Internal Scope Meeting
  • Addresses fundamental elements of pre-audit
    planning: preliminary audit work; development
    and documentation of audit scope, objectives and
    methodology; identification of control
    objectives and criteria; and staffing and
    logistics issues
  • CobiT helps to ensure appropriate audit direction
    and allocation of audit resources to the
  • Serves as a practice run for presenting audit
    scope and audit objectives, methodology and
    criteria (including CobiT) to the auditee

For the Audit Engagement
  • May identify CobiT as criteria at entrance
  • Use CobiT to develop and benchmark audit work
  • Introduce generally accepted control practices to
    auditee via CobiT

Where CobiT Helps on Pre-Audit
  • Framing IT processes by domains for the existing
    IT environment and automated systems
  • Identification of major processes and activities
    which support the entity's mission and business
    objectives
  • Review of acquisition and development plans or
    projects for IT
  • Performing risk analysis and internal control

  • Using CobiT in other Audit Areas

Using CobiT on System Development Audits

Three Types of System Development IT Audits
  • Type 1 examination of development methodology,
    policy and procedures
  • Type 2 examination of development and
    implementation of a particular information system
  • Type 3 participation as control advisor
    throughout the development and implementation

System Development Audit Planning
  • Conduct preliminary survey and pre-audit work
    sufficient to select the type of system
    development audit
  • Use CobiT to assist in framing the audit with
    respect to processes and detailed control
    objectives applicable to the type of
    development audit
  • Use CobiT processes and detailed control
    objectives to identify criteria

System Development Audit Planning
  • Start with CobiT summary table to select
    processes directly impacting application(s)
  • Suggest focus on Planning and Organization,
    Acquisition and Implementation, and Monitoring
    domains for development audits
  • Note: not all processes will be selected, nor
    will detailed control objectives within each
  • Select applicable IT control practices (tasks and
    activities) for each process

SDLC Audits Type 1
  • The IT auditor reviews the organization's
    system development and implementation procedures.
    Here, the auditor would determine whether
    appropriate SDLC procedures were in place to
    ensure that automated systems developed meet user
    needs, function as intended, meet any required
    legal or regulatory requirements, are
    sufficiently controlled to provide reasonable
    assurance for data and system integrity, and that
    the system operates effectively and efficiently.

Type 1 Development Audit
  • Process audit
  • Determine whether appropriate SDLC policies and
    procedures are in place
  • Emphasis on Planning and Organization and
    Acquisition and Implementation domains
  • Detailed control objectives focused on good
    practices for development

Type 1 Development Audit Assumptions
  • Linkage to Planning and Organization processes
    based on the premise that POs set the stage for
    IT environment and development
  • Audits or reviews of SDLC methodology should be
    in context of the organization's IT strategy,
    policies, and standards

SDLC Audits Type 2
  • The IT auditor reviews the development and
    implementation of a particular system,
    determining whether the organization's (and
    generally accepted) development procedures were
    followed, whether the system meets the needs of
    the organization and its users, is maintainable,
    and operates efficiently.

Type 2 Development Audit
  • Compliance audit
  • Operations/Performance audit
  • Post-implementation examination
  • Focus on compliance with SDLC methods and
    assessment of the system's operational status
  • May include 3rd-party review

SDLC Audits Type 3
  • The IT auditor participates in the development
    and implementation of the automated system where
    the auditor serves as a non-voting member of the
    development team. Under this arrangement, the
    auditor serves as an advisor, a control

Type 3 Development Audit
  • Management advisory services (MAS)
  • Use CobiT to facilitate discussions on design,
    development, testing, etc.
  • May involve audit work of each phase
  • Greater emphasis placed on understanding of
    Audit's role as advisor
  • Good opportunities to design control self
    assessment processes

Processes Selected for Type 1, 2 and 3 Development
  • PO1 Define strategic IT plan
  • PO2 Define information architecture
  • PO4 Define organization relationships
  • PO5 Manage the investment
  • PO6 Communicate management aims
  • PO8 External requirements compliance
  • PO9 Assess Risk
  • PO10 Manage projects
  • PO11 Manage quality

Processes Selected for Type 1, 2 and 3 Development
  • AI1 Identify automated solutions
  • AI2 Acquire/maintain application software
  • AI3 Acquire/maintain technology architecture
  • AI4 Develop and maintain procedures
  • AI5 Install and accredit systems
  • AI6 Managing changes
  • M1 Monitor the process

Detailed Control Objectives by Process for Type 1
SDM Audit
  • PO1
  • PO2
  • PO4
  • 1.1 Assessment of technology issues in L-R and S-R
  • 1.5 Feasibility studies performed
  • 2.1 Current architecture model
  • 2.2 current corporate data dictionary
  • 2.3 data classification scheme
  • 4.1 Oversight role of steering committee

Detailed Control Objectives by Process for Type 2
SDM Audit
  • PO1
  • PO2
  • PO4
  • 1.2 Development initiatives should be in L-R
    and S-R plans
  • 1.5 Feasibility studies performed
  • 2.2 current corporate data dictionary
  • 2.3 data classification scheme
  • 2.4 Maintain security levels for information
  • 4.1 Oversight role of steering committee

Detailed Control Objectives by Process for Type 3
SDM Audit
  • PO1
  • PO2
  • PO3
  • 1.3 IT-related issues to be considered in L-R
  • 1.5 Plans to reflect IS resources
  • 2.2 Corporate data dictionary incorporates data
    syntax rules
  • 2.3 Placement of data on information classes
  • 2.4 Implement security levels
  • 3.4 Software acquisition plans
  • 3.5 Standardization - infrastructure

System Development Audit Work Program
  • Use Control Objectives and Audit Guidelines
    together to start audit work program.
  • While primary focus may be on AI1-AI6, selected
    control objectives from Planning and Organization.
  • Include appropriate SDLC requirements of the
    organization, if available.

Summary Thoughts on Using CobiT on Development
  • Participate in quality assurance for CobiT
    targeting software development
  • Use CobiT for risk assessment and subsequent
    allocation of audit resources to development
  • Use CobiT to develop Type 1, 2, 3 development
    audit work programs
  • Use CobiT to evaluate adequacy of audit approach
    on type 3 SDM audits

Developing a Change Control Audit Program
  • Select relevant objectives from the 34 high-level
    control objectives (e.g., AI1, AI2, AI4, AI6,
  • Select relevant detailed control objectives
    (e.g., AI 6.2)
  • These become audit objectives in the audit
  • Compare the audit program to the COBIT Audit

Using CobiT on Management Audits
  • Framing audits via Planning and Organization Domain
  • Using CobiT to evaluate assignment of
    responsibility of IT-related functions.
  • Using CobiT to evaluate points of accountability.

Using CobiT for Review of Responsibilities and
Evaluation of Points of Accountability

Conducting Responsibility and Accountability
  • Determine the extent to which discrete tasks and
    activities referenced by CobiT are in place.
  • Determine the extent to which policies,
    procedures, and mechanisms referenced by CobiT
    have been established.

Factors to consider when identifying relevant
tasks and activities
  • Not all tasks and responsibilities have an assigned
    responsible party
  • When planning your assessments (extent,
    scheduling, area to be reviewed, MAS), recommend
    comprehensive review by
  • domain
  • key process(es)

Factors to consider when identifying relevant
tasks and activities
  • If reviewing the control environment, you may
    elect to target tasks and responsibilities with
    CobiT-designated responsible parties.
  • Consider the difference between single tasks and
    on-going activities with respect to the purpose
    of your review or audit work.

Task/Activity Monitoring and Evaluation
Task or Activity   Responsibility to                  Monitored by               Evaluated by
Control task       Establish a function or procedure  Initially; Upon changes    Periodic; At least annual
Control activity   On-going function or activity      On-going; With reporting   Periodic to On-going

Lock in Responsibilities
  • Complete responsible party form
  • Prepare list of responsible parties
  • Based on entity and organizational structure, and
    CobiT responsibility designations, agree or
    modify responsibility designations for the
    selected tasks and activities
  • Establish Locked in responsibility list

Locked in Responsibility List
  • Serves as established list of desired
    responsibility assignments.
  • Use as criteria for reviewing responsibility
    assignments for entity under audit.

Review and Evaluate
  • Clarity and appropriateness of responsibility
  • assignment of responsibilities
  • points of accountability
  • reporting of actions taken and activities
  • mechanisms to monitor and evaluate adequacy of
    exercise of responsibilities

Determine extent to which Audit Team Needs to
  • A review of assigned responsibilities for
    discrete tasks during pre-audit.
  • A review of assigned responsibilities for
    activities during audit

Examination Steps
  • Determine whether IT-related responsibilities
    have been adequately defined and assigned, and
    that adequate points of accountability are in
  • Determine whether adequate controls and
    mechanisms are in place to monitor, evaluate, and
    hold accountable internal and outsourced parties
    for assigned responsibilities and desired

Evidence gathered in review of assigned
responsibilities and points of accountability
  • Can assist assessments of internal structures for
    financial and operations audits
  • Can serve to identify the potential cause of
    audit results or findings

Evidence gathered in review of assigned
responsibilities and points of accountability
  • Can assist management in reviewing and
    determining the adequacy of structures of
    accountability when organizations incur
    organizational or significant technical change
  • Can provide insight into recommendations
    regarding task and activity assignment and

Using CobiT to Address Third-Party
Providers of IT-Related Services
  • Determine whether desired processes are in place
    and establish accountability
  • Agree on levels of control
  • Use CobiT to help design service contracts by
    identifying deliverables and responsibilities
  • Use CobiT for ongoing monitoring and evaluation
    of providers and partners

As An IT Self Assessment Tool
  • How am I doing against recommended COBIT IT
  • Use COBIT to facilitate operational and control
  • Identify controls that should be in place.
  • Reallocate resources to more important projects.

Using CobiT on Control Self Assessment
  • Use CobiT to assist the development of Control
    Self Assessment programs by establishing
    benchmarks, gathering appropriate information on
    control objectives and control practices, and
    developing action plans.

Benchmarking - Self-Assessment
0 Very poor   Complete lack of good practice
1 Poor        Recognized the issues
2 Fair        Some effort made to address issues
3 Good        Moderately good level of practice
4 Very good   Advanced level of practice
5 Excellent   Best possible, highly
Source: Erik Guldentops, DC presentation, July

Generic Benchmark
0 Very poor. Complete lack of good practices.
Organization has not recognized that there is an
issue to be addressed.
1 Poor. There is evidence that the organization has
recognized that the issues exist and need to be
addressed. There may also be some rudimentary
attempts to solve the problem although these are
relatively ineffective without greater levels of
good practice to support them.
2 Fair. There is some effort within the
organization to provide a level of practice which
is acceptable. This includes partial definitions of
responsibility, organizational models and
processes, although these may not have been
followed through to deliver effective and
acceptable levels of practice.
3 Good. There is a moderately good level of
practice which should not draw undue criticism. The
processes are reasonably well defined at levels of
detail which make them effective. Responsibilities
and organizational models are at a similar level of
development. There is a recognition of the need for
integration, but this has not evolved very
4 Very Good. There is generally a high level of
good practices, with advanced tools being used to
gain productivity, cost reduction and
effectiveness. There is also considerable
integration of related practices to give consistent
and effective control within this area.
5 Excellent. The very best possible levels of good
practice, given the available knowledge and tools.
There is also a very high level of integration
across all aspects related to this

  • Management Guidelines
  • Includes
  • Critical Success Factors
  • Key Performance Indicators
  • Key Goal Indicators
  • Maturity models

Using the Management Guidelines
IT Management
  • Is IT well managed?
  • Are we doing the right things?
  • Are we doing them the best way?
  • Are they being done well?
  • Are we achieving desired benefits?
  • Is IT properly controlled?
  • Do we exercise due diligence?
  • Is management driving the information technology?

CobiT An IT control framework
  • Starts from the premise that IT needs to deliver
    the information that the enterprise needs to
    achieve its objectives.
  • Promotes process focus and process ownership
  • Divides IT into 34 processes belonging to four
  • Looks at fiduciary, quality and security needs of
    enterprises and provides for seven information
    criteria that can be used to generically define
    what the business requires from IT
  • Planning
  • Acquiring and Implementing
  • Delivery and Support
  • Monitoring
  • Effectiveness
  • Efficiency
  • Availability
  • Integrity
  • Confidentiality
  • Reliability
  • Compliance.

Why governance?
  • Due diligence
  • IT is strategic to the business
  • IT is critical to the business
  • Expectations and reality don't match
  • IT involves huge investments and large risks

IT is strategic to most businesses
  • If so, wouldn't you want to know whether your
    information technology organization is
  • Likely to achieve its objectives?
  • Resilient enough to learn and adapt?
  • Judiciously managing the risks it faces?
  • Appropriately recognizing opportunities and
    acting upon them?

Management Guidelines
  • Generic and action oriented
  • For the purpose of
  • IT Control profiling - what's important?
  • Awareness - where's the risk?
  • Benchmarking - what do others do?
  • Supporting decision making and follow up
  • Key performance indicators of IT processes
  • Critical success factors of controls
  • Control implementation choices

Management Guidelines
  • Critical Success Factors
  • the most important things to do to increase the
    probability of success of the process
  • observable - usually measurable - characteristics
    of the organisation and process
  • are either strategic, technological,
    organizational or procedural in nature
  • focus on obtaining, maintaining and leveraging
    capability and skills
  • expressed in terms of the IT process, not
    necessarily the business

Management Guidelines
  • Key Goal Indicators
  • describe the outcome of the process and are
    therefore a lag indicator, i.e., measurable
    after the fact
  • Are an indicator of the success of the process
    but may also be expressed in terms of the
    business contribution if that contribution is
    specific to the IT process
  • represent the process goal, i.e., a measure of
    what, a target to achieve
  • may also describe a measure of the impact of not
    reaching the process goal
  • KGIs are IT oriented but are also business driven
  • Are expressed in precise measurable terms
    wherever possible

Management Guidelines
  • Key Performance Indicators
  • are a measure of how well the process is performing
  • predict the probability of success or failure in
    the future, i.e. KPIs are LEAD indicators
  • are process oriented but IT driven
  • focus on the process and learning dimensions of
    the balanced scorecard
  • are expressed in precise measurable terms
  • should help in improving the IT process

Maturity Models
  • Refer to business requirements and control
    capabilities at different levels
  • Are scales that lend themselves to pragmatic
  • Are scales where the difference can be made
    measurable in an easy manner
  • Are recognizable as a profile of the enterprise
    in relation to IT governance and control
  • Assist in determining As-Is and To-Be positions
    relative to IT governance and control maturity
  • Lend themselves to support gap analysis to
    determine what needs to be done to achieve a
    chosen level

Start from a Maturity Model for Self-Assessment
Generic Maturity Model - Dimensions
  • Understanding and awareness
  • Training and communications
  • Process and practices
  • Techniques and automation
  • Compliance
  • Expertise

Generic Maturity Model
  • 0 Non-Existent. Complete lack of any recognizable
    processes. The organisation has not even
    recognised that there is an issue to be
    addressed.
  • 1 Initial. There is evidence that the
    organisation has recognized that the issues exist
    and need to be addressed. There are however no
    standardized processes but instead there are ad
    hoc approaches that tend to be applied on an
    individual or case by case basis. The overall
    approach to management is disorganized.
  • 2 Repeatable. Processes have developed to the stage
    where similar procedures are followed by
    different people undertaking the same task. There
    is no formal training or communication of
    standard procedures and responsibility is left to
    the individual. There is a high degree of
    reliance on the knowledge of individuals and
    therefore errors are likely.
  • 3 Defined. Procedures have been standardized and
    documented, and communicated through training. It
    is however left to the individual to follow these
    processes, and it is unlikely that deviations will
    be detected. The procedures themselves are not
    sophisticated but are the formalization of
    existing practices.
  • 4 Managed. It is possible to monitor and measure
    compliance with procedures and to take action
    where processes appear not to be working
    effectively. Processes are under constant
    improvement and provide good practice. Automation
    and tools are used in a limited or fragmented way.
  • 5 Optimized. Processes have been refined to a
    level of best practice, based on the results of
    continuous improvement and maturity modeling with
    other organizations. IT is used in an integrated
    way to automate the workflow, providing tools to
    improve quality and effectiveness, making the
    enterprise quick to

In summary
  • Maturity Models
  • Refer to business requirements and the enabling
    aspects at the different levels
  • Are scales that lend themselves to pragmatic
  • Are scales where the difference can be made
    measurable in an easy manner
  • Are recognisable as a profile of the enterprise
    in relation to IT governance and control
  • Assist in determining As-Is and To-Be positions
    relative to IT governance and control maturity
  • Lend themselves to support gap analysis to
    determine what needs to be done to achieve a
    chosen level
  • Are neither industry specific nor always
    applicable; the nature of the business will
    determine what is an appropriate level

IT Governance Guideline
Governance over IT and its processes, with the goal of
adding value to the business while balancing risk
versus return:
  • ensures delivery of information to the business
    that addresses the required information criteria
    and is measured by KGIs
  • is enabled by creating and maintaining a system
    of process and control excellence appropriate for
    the business that directs and monitors the
    business value delivery of IT
  • considers CSFs that leverage all IT resources and
    is measured by KPIs

IT governance summarized
  • Objectives
  • understand the issues and the strategic
    importance of IT
  • ensure that the enterprise can sustain its
    operations and
  • ascertain it can implement the strategies
    required to extend its activities into the future
  • Goal
  • ensuring that expectations for IT are met and IT
    risks are mitigated
  • Position
  • within broad governance arrangements that cover
    relationships among the entity's management and
    its governing body, its owners and its other
    stakeholders and providing the structure through
  • the entity's overall objectives are set
  • the method of attaining those objectives is
  • the manner in which performance will be monitored
    is described

Audit Organization
  • Use CobiT to identify and assess risk of IT
  • Use CobiT-related matrices in standard audit work
  • Frame IT audits via CobiT
  • Development of MAS focused on CobiT

Cobitizing Audit -- Phases
  • Self assessment and modification
  • Internal audit guidelines
  • Text of policy procedure manual
  • Generic work programs and matrices
  • Overall audit planning
  • Engagement planning
  • Discussions with auditees for self assessment
  • Modify QA to include CobiT
  • Strengthen focus on business processes, system
    integrity, and IT environment

CobiT Recognizes
  • IT is an integral part of the organization
  • IT governance is an integral part of corporate
    governance
  • Focus on control objectives can strengthen
    appropriateness and use of internal controls
  • Measurement is crucial to internal control
  • Monitoring and evaluation are integral to a
    system of internal control

Learned So Far
  • Need Internal Control refresher course covering
    control models (such as COSO), CobiT, internal
    control acts, SAS 78, techniques in evaluating
  • There are good opportunities to leverage the
    understanding of internal controls and CobiT
    among management and staff, auditors,
    out-sourced services, academic community, and

Learned So Far
  • Audit Teams and auditees seem to have better
    understanding of control objectives with CobiT
  • Increased consistency of discussions regarding
    IT domains, control objectives and controls
  • Increased emphasis on information criteria

Learned So Far
  • Pilot use of CobiT
  • Network and share ideas on CobiT
  • CobiT has assisted identification of IT-related
    processes, who performs them, and who is
  • CobiT provides Value-Added opportunities and
    time savings
  • CobiT reinforces the final objective of
    effective and efficient operations

A Tip regarding CobiT
  • CobiT is generic - adapt it to your organization
    in cooperation with the business-process owners!
  • Determine focus (quality, security, fiduciary)
  • Harmonize existing policies and procedures with
  • Determine control responsibilities
  • Identify key performance indicators and critical
    success factors

Another Tip or Two
  • Study it carefully -- it takes some time to
    understand - keep in mind that you are dealing
    with a control framework
  • For auditors and reviewers, provide sufficient
    time for using CobiT in pre-audit and engagement
  • Promote discussions on CobiT
  • Identify CobiT as a control framework and basis
    for benchmark criteria and evaluation

The Last of the Tips
  • Use CobiT initially as a control model and tool
    to assist controls evaluations, framing audits,
    identifying criteria, and performing high-level
  • Share your insights regarding control design and
  • Study the Management Guidelines

COBIT Product Family
  • 4 major elements
  • COBIT as an open standard for increased
    world-wide adoption, covering summary, framework
    and detailed control objectives
  • Three proprietary guideline products
  • Implementation Tool Set -- how to introduce the
    COBIT standard in the enterprise
  • Audit Guidelines -- how to audit against the
    standard
  • Management Guidelines -- how to benchmark,
    implement and
  • For additional information
  • or email or give me a call at
  • (617) 727-6200 ext 135

Go Forth Safely And COBITize
Thank You