IT Assurance using CobiT • Round Table • Saturday, March 19th 2008 • Philip DE PICKER, president of Isaca.be • Monique GARSOUX, vice-president IT Assurance of Isaca.be
Content • Introduction • IT Assurance Principles and Context • IT Assurance Planning • IT Resource and Control Scoping • IT Assurance Initiative Execution • ITA Guidance for CobiT Processes & Controls • How CobiT Components support ITA Activities • Appendixes • Process Control (generic / detailed ) • Application Control • Maturity Model for Internal Control • IT Scoping
Introduction • IT Assurance Guide: Using CobiT, released in 2007 • free downloadable PDF + part of CobiT Online for Isaca members • 'collaborative' work of CobiT development groups worldwide
Introduction Objective • guidance: how to use CobiT to support IT assurance activities • efficient and effective development of IT assurance work (planning, scoping, executing) • no detailed assurance programme that can be used as is - NO 'COOKBOOK' • part of the IT Assurance Framework (ITAF): exposure draft released August 2007, final just released at www.isaca.org
Introduction Audience • assurance and IT professionals • having basic knowledge of concepts of CobiT • familiar with assurance concepts in general
Introduction Implementation and Assurance Guides (figure taken from the Board Briefing on IT Governance, 2nd ed.)
Introduction Components • Generic controls, applicable to all processes (PCn identifier) • Application controls (ACn identifier) • Specific process controls (CobiT process number)
Introduction Components Assurance steps and guidelines to • test the control design of the control objective (co) • test the outcome of the co • confirm the control is in operation • assess its operational effectiveness • document control weaknesses and their impact
Introduction Components Assurance advice at different levels • at process level • at co level (based on control practices) • generic (applicable to all processes or co’s) (in addition or as an alternative)
Introduction Components Different test types assist in forming an opinion • enquire (via different sources) and confirm (E&C) • inspect (walk-through, search, compare and review) • observe • reperform or recalculate (often on a sample) • collect (sample, trace, extract) and analyse automated evidence
Introduction Components IT control objectives are • statements of desired result or purpose • achieved by implementing control practices • high level requirements • short, action-oriented management practices • often with logical 'life cycle' sequence
Introduction Components IT control objectives Choices for (enterprise) management • select applicable ones • balance cost of implementation and risk of not achieving it • decide on control practices • choose how to implement them
Introduction Components Relation with Control Practices • CPs available in CobiT Online and as a book, NOT (yet?) as PDF • more detail for each co • co = what to do • cp = how to do it • 3 generic cps
Introduction Components Relation with Control Practices Value and risk drivers (repeated in Assurance Guide) • value driver = business benefit that can result from good control (examples) • risk driver = risk to avoid or mitigate (examples)
Introduction Components Relation with Control Practices • NOT specific solutions • relevance of more specific other standards • ITIL • Prince2 • ... • usable by implementors and assurance professionals
Introduction Components CP design criteria (~ SMAR(R)T [specific, measurable, agreed, relevant/realistic, timely]) • relevant • executable in a timely fashion • realistic and cost-effective • measurable • with defined roles • action-oriented • life-cycle where possible
IT Assurance Guidance for CobiT Processes and Controls • Introduction • Detailed testing guidance based on CobiT • Six generic controls • Six application controls • IT general controls based on the 34 CobiT processes • Guidance for testing control design, testing control outcome and documenting the impact
IT Assurance Guidance for CobiT Processes and Controls • Generic Process Controls • Each CobiT process has generic control requirements identified by generic process controls, to be considered with the detailed CO's to have a complete view • The six generic process controls are: • PC1 Process goals and objectives • PC2 Process ownership • PC3 Process repeatability • PC4 Roles and responsibilities • PC5 Policy, plans and procedures • PC6 Process performance improvement
IT Assurance Guidance for CobiT Processes and Controls • Generic Control Practices • 3 generic control practices -> 3 generic assurance steps • Approach • Accountability and responsibility • Communication and understanding
IT Assurance Guidance for CobiT Processes and Controls • Generic Control Practices • Approach • Generic control practice: • Designs the control approach • Defines and maintains the cps that implement the design • Assurance step: • Enquire and confirm (E&C) that a set of practices was defined to achieve the objective • Observe/inspect and review the control approach • Test the design for completeness, relevancy, timeliness and measurability
IT Assurance Guidance for CobiT Processes and Controls • Generic Control Practices • Accountability and Responsibility • Generic control practice: • Defines and assigns accountability and responsibility for the co as a whole, and responsibility for the different cps (see RACI charts) • Makes sure personnel have the right skills and necessary resources to execute these responsibilities • Assurance step: • E&C responsibilities for the cps as well as overall accountability were assigned in a cost-effective and efficient manner • Tests whether accountability and responsibilities are understood and accepted • Verifies the right skills and necessary resources are available
IT Assurance Guidance for CobiT Processes and Controls • Generic Control Practices • Communication and Understanding • Generic control practice: • Ensures the cps, as implemented, address the co’s and are communicated and understood • Assurance step • Enquires through interviews with key staff members whether the control mechanism, its purpose, and accountability and responsibilities were communicated and are understood
IT Assurance Guidance for CobiT Processes and Controls • IT General Controls relate to the environment within which applications are developed, maintained and operated and are applicable to all applications. They ensure proper development, implementation and maintenance of applications, the integrity of program and data files and of computer operations. E.g.: • Systems development • Change management • Security • Computer operations
IT Assurance Guidance for CobiT Processes and Controls • Application Controls relate to transactions and standing data of each application (application specific). They ensure accuracy and completeness of records and validity of entries resulting from manual and automated processing. E.g.: • Completeness • Accuracy • Validity • Authorisation • Segregation of duties
IT Assurance Guidance for CobiT Processes and Controls • Application Controls The objectives generally involve ensuring that: • Data prepared for entry are complete, valid and reliable • Data are converted to an automated form and entered into the application accurately, completely and on time • Data are processed completely and on time, and in accordance with established requirements • Output is protected from unauthorised modification or damage and distributed in accordance with prescribed policies
IT Assurance Guidance for CobiT Processes and Controls • Application Controls CobiT assumes that the design and implementation of automated application controls is an IT responsibility (AI domain: Acquire and Implement), based on business requirements defined using the information criteria. The operational management and control responsibility for ACs is not with IT but with the business process owner.
IT Assurance Guidance for CobiT Processes and Controls • Application Controls IT delivers and supports the applications' services and the supporting databases and infrastructures. CobiT IT processes cover general IT controls but not application controls, as these are the responsibility of business process owners and are integrated into business processes. Business controls are not in the scope of CobiT and the IT Assurance Guide.
IT Assurance Guidance for CobiT Processes and Controls Boundaries of IT general controls and application controls
IT Assurance Guidance for CobiT Processes and Controls • Application Controls For automated services, the business is responsible for defining functional & control requirements to be included in all business processes supported by applications. IT responsibilities include automation of these requirements and establishment of controls to maintain the integrity of the business applications
IT Assurance Guidance for CobiT Processes and Controls • Application Controls Guidance for testing the design and outcome and documenting impact • AC1 Source document preparation and authorisation • AC2 Source document collection and data entry • AC3 Accuracy, completeness and authenticity checks • AC4 Data processing integrity and validity • AC5 Output review, reconciliation and error handling • AC6 Transaction authentication and integrity
IT Assurance Guidance for CobiT Processes and Controls • Application Controls AC weaknesses may impact the entity’s ability to process business transactions. ACs are a subcomponent of business controls. Weaknesses may be mitigated by compensating manual business and organisational control activities. Consider the impact in the context of the underlying business process nature, related transactions and other business process controls and in consultation with the business process assurance provider.
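As an added illustration (not code from the IT Assurance Guide or from Isaca.be), the following Python shows what the application-control objectives above look like when automated for a batch of payment records: a completeness check against the declared record count and control total, per-record accuracy, validity, authorisation and segregation-of-duties checks (AC3/AC4), and an output reconciliation (AC5) that proves nothing was silently dropped. The batch, the approver list and the IBAN shape test are all constructed assumptions for the example; the `recalculate_control_total` function is also the kind of "reperform or recalculate" step an assurance provider would run over extracted data.

```python
"""Batch-level application controls on a constructed payment batch.
Added example; the batch data, approver list and IBAN shape test are assumptions."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import re

# Shape-only check (country code, 2 check digits, 11-30 alphanumerics); no checksum.
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
# Hypothetical authorised approvers; in a real system this comes from access-control data.
AUTHORISED_APPROVERS = {"bob", "dave"}

# Constructed batch: the header carries the count and hash total from the source document.
BATCH_HEADER = {"batch_id": "B-0001", "record_count": 4, "control_total": Decimal("1350.00")}
BATCH_RECORDS = [
    {"id": "T1", "account": "BE71096123456769", "amount": "500.00", "prepared_by": "alice", "approved_by": "bob"},
    {"id": "T2", "account": "BE71096123456769", "amount": "250.00", "prepared_by": "alice", "approved_by": "alice"},
    {"id": "T3", "account": "NOT-AN-IBAN",      "amount": "300.00", "prepared_by": "carol", "approved_by": "bob"},
    {"id": "T4", "account": "BE71096123456769", "amount": "300.00", "prepared_by": "carol", "approved_by": "dave"},
]


@dataclass
class BatchResult:
    batch_errors: list = field(default_factory=list)  # completeness failures at batch level
    accepted: list = field(default_factory=list)      # record ids that passed every check
    rejected: list = field(default_factory=list)      # (record id, reason) pairs
    reconciled: bool = False                          # AC5 output reconciliation outcome


def recalculate_control_total(records):
    """Reperformance step: recompute the hash total of amounts from the detail records."""
    total = Decimal("0")
    for rec in records:
        try:
            total += Decimal(rec["amount"])
        except InvalidOperation:
            pass  # malformed amounts are reported per record by check_record
    return total


def check_record(rec):
    """AC3/AC4-style record checks; returns None on pass, else the first failure reason."""
    try:
        amount = Decimal(rec["amount"])
    except InvalidOperation:
        return "accuracy: amount not numeric"
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        return "accuracy: amount must be positive with two decimals"
    if not IBAN_RE.match(rec["account"]):
        return "validity: account is not IBAN-shaped"
    if rec["prepared_by"] == rec["approved_by"]:
        return "segregation of duties: preparer approved own entry"
    if rec["approved_by"] not in AUTHORISED_APPROVERS:
        return "authorisation: approver not on the authorised list"
    return None


def process_batch(header, records):
    """Completeness gate, per-record checks, then output reconciliation."""
    result = BatchResult()
    if len(records) != header["record_count"]:
        result.batch_errors.append(f"record count {len(records)} != declared {header['record_count']}")
    recalculated = recalculate_control_total(records)
    if recalculated != header["control_total"]:
        result.batch_errors.append(f"control total {recalculated} != declared {header['control_total']}")
    if result.batch_errors:
        return result  # an incomplete batch is not processed at all
    for rec in records:
        reason = check_record(rec)
        if reason is None:
            result.accepted.append(rec["id"])
        else:
            result.rejected.append((rec["id"], reason))
    # AC5: accepted + rejected must account for every record and every unit of the control total.
    rejected_ids = {rid for rid, _ in result.rejected}
    accepted_total = sum(Decimal(r["amount"]) for r in records if r["id"] in result.accepted)
    rejected_total = sum(Decimal(r["amount"]) for r in records if r["id"] in rejected_ids)
    result.reconciled = (
        len(result.accepted) + len(result.rejected) == header["record_count"]
        and accepted_total + rejected_total == header["control_total"]
    )
    return result


if __name__ == "__main__":
    outcome = process_batch(BATCH_HEADER, BATCH_RECORDS)
    print("accepted:", outcome.accepted)
    print("rejected:", outcome.rejected)
    print("reconciled:", outcome.reconciled)
```

Run on the constructed batch, T1 and T4 pass, T2 is rejected for segregation of duties and T3 for an invalid account, and the reconciliation holds because the rejected amounts are accounted for rather than lost. Drop one record from the batch and the completeness gate refuses the whole batch before any record is processed, which is the behaviour the AC1/AC2 objectives ask for; the rejection reasons are the evidence an assurance provider would collect and compare against the compensating manual controls mentioned above.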
How CobiT Components support ITA Activities Linking ITA Activities and CobiT components
How CobiT Components support ITA Activities • Linking ITA Activities and CobiT components • Links have been indicated where there is specific and strong support for an ITA activity • Some key components support all activities • In practice, users tailor CobiT resources for their specific purposes. The table is only a guide • Most important for ITA (shaded in grey) • goals and outcome measures + RACI charts. They support all aspects of planning, scoping and assurance execution • COBIT Online (searching, browsing, benchmarking data) • Strongest links between activities and components are circled
How CobiT Components support ITA Activities • CobiT Components • Control objectives and practices • mostly useful for testing related activities • since the co's are high-level and similar to key management practices, they can be considered during planning activities • both are helpful for the selection and customisation of co's for an assurance initiative • List of COBIT processes and the domains • responsibility structure for IT -> completeness of coverage • in planning phase • when summarising the conclusions • information criteria provide a generic and simple high-level structure of the objectives of IT processes and are equally useful for structuring assurance plans and conclusions
How CobiT Components support ITA Activities • CobiT Components • Maturity models • useful tools for high-level assessments of processes • identification of key processes • planning which processes need most attention • summarising assurance conclusions • increasingly used by IT management for self-assessment -> a common approach for assurance and IT professionals to agree upon priorities and areas on which to focus attention • Maturity attributes • provide more details for process maturity assessment • generic for all processes -> alternative to the specific process maturity descriptions Maturity models describe how processes are managed; the detailed attributes can be used to customise CO's (describe what needs to be done)
How CobiT Components support ITA Activities • CobiT Components • Performance drivers • planning and reporting phases • good source for customising CO's -> they imply certain actions to happen or conditions to exist to increase the probability of successfully achieving the process’s objectives and goals • Value and risk statements • arguments to justify controls • primary inputs when performing high-level or detailed risk assessments • starting point to identifying critical processes / IT components
How CobiT Components support ITA Activities • CobiT Components • Management awareness and diagnostic tools • Supplemental Tools & Materials, online / CD-ROM / IT Governance Implementation Guide: Using CobiT & Val IT • tools for initial high-level assessments of process importance, significant risks and the state of process controls, done in the early stages of the ITA initiative • Assessment form presentation of CobiT Quickstart • quick / high-level assessments • efficient self-assessments • CobiT Online benchmarking data and functionality • useful to portray how the entity compares on process management and controls • give credibility to the conclusions • identify processes that need early or in-depth coverage
How CobiT Components support ITA Activities • IT Assurance activities • Best support • process structure • maturity models • goals, outcome measures • performance drivers • Risk-based ITA planning • maturity modelling & CobiT Online's benchmarking to identify where the highest potential risks are • the risk and value statements of the CO's provide additional support if a more detailed risk assessment is required • Quickstart & the awareness and diagnostic tools help perform high-level assessments quickly and efficiently
How CobiT Components support ITA Activities • IT Assurance activities • Planning and reporting (scoping to a lesser extent) • most of the CobiT components as input or reference • Detailed planning and scoping, as well as testing • use fewer of the COBIT components but tend to use them more intensely • extensively use the material that is at the 'heart' of COBIT: the CO's
How CobiT Components support ITA Activities • The Strongest Links • Goals & outcome measures ~ planning risk-based assurance initiatives • Risk and value statements ~ risk assessments and risk substantiation • Key activities and RACI charts ~ detailed assurance planning • Control objectives and practices ~ testing and evaluating controls • Maturity models and attributes ~ process maturity and other high-level assessments