Part 2

AUDIT
GUIDELINES

Audit Guidelines -- 226 pages

1 Generic Guideline and 34 Process Oriented
A generic guideline identifies various tasks to
be performed in assessing ANY control
objective within a process. This generic
guideline extracted all repetitive tasks into one
-- to be performed for all control objectives.
Others are specific process-oriented task
suggestions to provide management assurance
that a control is in place and is working.
3

Audit Guidelines

Purpose of audit guidelines is to provide

simple structure for auditing controls
Audit guidelines are generic and high-level in
structure
Although intended as a guide for auditing
high-level control objectives, CobiT can assist
overall audit planning
Enables auditor to review processes against
control objectives
4

CobiT supports generally accepted

structure of the audit process:

Identification and documentation

Evaluation
Compliance testing, and
Substantive testing
5

The IT process is therefore audited by:

Obtaining an understanding of business requirements,
related risks, and relevant control measures
Evaluating the appropriateness of stated controls
Assessing compliance by testing whether the
stated controls are working as prescribed,
consistently and continuously.
Substantiating the risk of the control objective
not being met by using analytical techniques
and/or consulting alternative sources.

GENERIC AUDIT GUIDELINE

OBTAINING AN UNDERSTANDING
The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control
measures/procedures in place.
Interview appropriate management and staff to gain an understanding of:
* Business requirements and associated risks
* Organisation structure
* Roles and responsibilities
* Policies and procedures
* Laws and regulations and contractual obligations
* Control measures in place
* Management reporting (status, performance, action items)
Document the process-related IT resources particularly affected by the
process under review. Confirm the understanding of the process under
review, the Key Performance Indicators (KPI) of the process, and the
control implications (e.g., by a process walk through).

GENERIC AUDIT GUIDELINE

EVALUATING THE CONTROLS
The audit steps to be performed in assessing the effectiveness of
control measures in place or the degree to which the control
objective is achieved. Basically deciding what, whether and how to
test.
Evaluate the appropriateness of control measures for the process under
review by considering identified criteria and industry standard practices, the
Critical Success Factors (CSF) of the control measures and applying
professional judgment.

Documented processes exist

Appropriate deliverables exist
Responsibility and accountability are clear and effective
Compensating controls exist, where necessary

Conclude the degree to which the control objective is met.

GENERIC AUDIT GUIDELINE

ASSESSING COMPLIANCE
The audit steps to be performed to ensure that the control
measures established are working as prescribed, consistently
and continuously, and to conclude on the appropriateness of
the control environment.
Obtain direct or indirect evidence for selected items/periods to ensure that
the procedures have been complied with for the period under review using
both direct and indirect evidence.
Perform a limited review of the adequacy of the process deliverables.
Determine the level of substantive testing and additional work needed to
provide assurance that the IT process is adequate.

GENERIC AUDIT GUIDELINE

SUBSTANTIATING THE RISK
The audit steps to be performed to substantiate the risk of the
control objective not being met by using analytical techniques
and/or consulting alternative sources. The objective is to support
the opinion and to shock management into action. Auditors
have to be creative in finding and presenting this often sensitive
and confidential information.
Document the control weaknesses and resulting threats and vulnerabilities.
Identify and document the actual and potential impact (e.g., through
root-cause analysis).
Provide comparative information (e.g., through benchmarks).

10

Audit Guidelines are GUIDELINES

They are a starting point for identifying

control tasks and activities associated with

particular control objectives.
To plan and conduct the audit, an auditor
must add knowledge about the business,
risk analysis, and controls; perform
adequate audit procedures; and draw
conclusions from the results of the audit
procedures.

11

Using CobiT to Develop an Audit Program

Start with Control Objectives to refresh the
purpose of the control objective and the
recommended IT control practices
Use the Audit Guidelines generic audit
guideline as a starting point
Use the selected process-oriented audit
guidelines to refine the audit work program
Select appropriate portions of the Audit
Guidelines in sync with selected detailed
control objectives (selected control tasks
and activities)

12

Using CobiT to Review an Audit Program

Use the Audit Guidelines to benchmark the
existing audit program against
Use the Control Objectives high-level
control objectives to review audit objectives
and detailed control objectives to review
criteria identification
Use the generic and process-oriented audit
guidelines to review audit process and
procedures
13

Adopting CobiT
Start by identifying the need for use, and
how it might be used
Focus on the benefits to be derived from using
CobiT
Assess the acceptance and implementation
capabilities
Assign priority of multiple uses
Identify one or more champions
15

Adopting CobiT
For those responsible for systems and those who audit
systems, the value lies in having an organized IT control
model that links management control practices to control
objectives, and in turn to business objectives.
From a management perspective:
management and IT policy makers such as CEO, CIO, VP of IT
IT steering committee
business process owners and users

From an Audit perspective:

evaluators and internal/external auditors

16

Factors to Consider

Dimension and depth of the IT environment

Organizational structure of IT services
Level of internal and outsourced IT functions
Relationships of IT, IS Audit, business process
owners, management
Management philosophy regarding control and audit
Extent of business process reengineering
Level of consensus needed
17

Benefits of CobiT
Supports IT governance objectives.
Helps ensure that IT processes are
defined and assigned.
Helps to ensure that there is focus on
control objectives.
Leads to more cost-effective IT
services.
18

Benefits of CobiT
Helps to provide reasonable assurance that:
IT process objectives are understood
IT risks have been identified
Appropriate controls have been implemented
Appropriate monitoring and evaluation processes

in effect
IT process objectives and can be achieved.

19

Benefits of CobiT
Helps to ensure that the organization complies
with applicable rules, regulations and contractual
obligations.
Opportunity for complementary adoption of
COSO and CobiT (or other control models).
Authoritative nature of Cobit encompassing
adoption of well-recognized and established
standards for IT control.
20

Benefits of CobiT
Strengthens assessment, understanding and
exercise of appropriate internal controls.
Provides a good framework for risk assessment
and risk management.
Improves communication among management,
business process owners, users and auditors
regarding IT governance, and between internal
and external audit.
21

Benefits of CobiT
Provides a framework for ensuring that
outsourced IT functions are addressed in thirdparty contracts.
Helps to strengthen the relationship between IS
Services and the user community through
improved SLAs.
Supports managements efforts to demonstrate
due diligence with respect to IT-based
operations.
22

Using COBIT

Organizational Tool

Audit Planning and Support Tool

IT Control Self Assessment Tool

24

CobiT as an Organizational Tool

Provides framework and benchmarks for IT
planning and management
Identification of primary IT processes (by
broad management-oriented Domains)
Assists in establishing responsibilities and
points of accountability
Assists in clarifying ITs and Audits role
25

CobiT As An Audit Planning Tool

To look at a functional area.

Which functional area?

What systems are involved?

What IT processes are involved?

What are the objectives and risks?

What are the control objectives?

26

Using CobiT in Audit Planning

IT audit shop planning --- audit

engagement selection
Determining type of audit services
Engagement planning
Framing audit scope and audit objectives to
CobiT
Development of audit approach
27

Audit Planning
Adequate

planning is a necessary first step

in performing effective IT Audits.
Need to understand the general business
environment as well as the associated
business and control risks.
Assess operational and control risks and
identify control objectives during audit
planning.
28

Use of CobiT during

the Audit Planning
Assessing the control environment and
identifying high risk processes
Conducting a high-level policy and
procedures review
Conducting a detailed review of policies and
procedures against the entire control
objectives document
Using CobiT-related matrices
29

CobiT-related
Matrices

30

Using CobiT Matrices to Focus on:

IT Functions
Their importance?
Level of performance?
Control documentation?

Responsible Parties of IT
Performed by?
Contracted services?
Primary responsible party?

Risk Assessment
Importance, level of risk, control documentation?

31

CobiT-Related Matrices
Submit matrix of processes to IT management to attain
assertions regarding:
Importance, performance and risk of each process
self assessment of how well control is being carried out
for each process
Have the review or audit team also independently rate
preliminary understanding of importance, performance
and risk of each process
Use matrix of IT processes to be performed and identify
who performs the process and who has final responsibility;
can be used to identify processes not performed by
traditional IT organization
32

PO1
PO2
PO3
PO4
PO5
PO6
PO7
PO8
PO9
PO10
PO11
AI1
AI2
AI3
AI4
AI5
AI6
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
M1
M2
M3
M4

N o t R a te d

N o t A p p lic a b le

F o r m a lly R a te d

N o t S u re

Poor

V e ry g o o d

S a tis fa c to r y

Performance
IT Process

E x c e lle n t

N o t s u re

N o t Im p o r ta n t

Importance

N o t A p p lic a b le

S o m e w h a t Im p o r ta n t

V e r y Im p o r ta n t

ENTITY SHORT FORM

Define a strategic IT plan

Define the information architecture
Determine technological direction
Define organisation and relationships
Manage the investment
Communicate management aims & direction
Manage human resources
Ensure compliance with external requirements
Assess risk
Manage projects
Manage quality
Identify automated solutions
Acquire & maintain application software
Acquire & maintain technology architecture
Develop & maintain procedures
Install & accredit system
Manage changes
Define service levels
Manage third party services
Manage performance & capacity
Ensure continuous service
Ensure system security
Identify & allocate costs
Educate & train users
Assist & advise customers
Manage the configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
Monitor the process
Assess Internal Control Adequacy
Obtain independent assurance
Provide for Independent Audit

33

AI1
AI2
AI3
AI4
AI5
AI6
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
M1
M2
M3
M4

WP
Ref.

N o t S u re

N o t D o c u m e n te d

N o t A p p lic a b le

N o t R a te d

F o rm a lly R a te d

N o t S u re

Poor

S a tis fa c to ry

E x c e lle n t
PO1
PO2
PO3
PO4
PO5
PO6
PO7
PO8
PO9
PO10
PO11

V e ry g o o d

IT Process

D o c u m e n te d

Internal
Controls

Performance

N o t A p p lic a b le

N o t s u re

Importance

N o t Im p o rta n t

S o m e w h a t Im p o rta n t

V e ry Im p o rta n t

ENTITY LONG FORM

Define a strategic IT plan

Define the information architecture
Determine technological direction
Define organisation and relationships
Manage the investment
Communicate management aims & direction
Manage human resources
Ensure compliance with external requirements
Assess risk
Manage projects
Manage quality
Identify automated solutions
Acquire & maintain application software
Acquire & maintain technology architecture
Develop & maintain procedures
Install & accredit system
Manage changes
Define service levels
Manage third party services
Manage performance & capacity
Ensure continuous service
Ensure system security
Identify & allocate costs
Educate & train users
Assist & advise customers
Manage the configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
Monitor the process
Assess Internal Control Adequacy
Obtain independent assurance
Provide for Independent Audit

34

AI1
AI2
AI3
AI4
AI5
AI6
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
M1
M2
M3
M4

WP
Ref.

N o t S u re

D o c u m e n te d

N o t S u re

Im m a te ria l

M e d iu m

H ig h

N o t s u re
PO1
PO2
PO3
PO4
PO5
PO6
PO7
PO8
PO9
PO10
PO11

N o t D o c u m e n te d

Internal
Controls

Risk
IT Process

N o t Im p o rta n t

V e ry Im p o rta n t

Importance

Low

S o m e w h a t Im p o rta n t

RISK ASSESSMENT FORM

Define a strategic IT plan

Define the information architecture
Determine technological direction
Define organiation and relationships
Manage the investment
Communicate management aims & direction
Manage human resources
Ensure compliance with external requirements
Assess risk
Manage projects
Manage quality
Identify automated solutions
Acquire & maintain application software
Acquire & maintain technology architecture
Develop & maintain procedures
Install & accredit system
Manage changes
Define service levels
Manage third party services
Manage performance & capacity
Ensure continuous service
Ensure system security
Identify & allocate costs
Educate & train users
Assist & advise customers
Manage the configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
Monitor the process
Assess Internal Control Adequacy
Obtain independent assurance
Provide for Independent Audit

35

Pre-Audit: Performance and Risk

Level of
Performance

Function &
Operation

Level of
Risk

high
high
medium

A/P
payroll
IT processing

low
low
high

etc.

36

Pre-Audit: Risk/Importance
and Control Documentation
Risk/
Importance

Function &
Operation

Control
Documentation

Low/medium
Low/high
High/medium

A/P
payroll
IT processing

yes
none
partial

etc.

37

RESPONSIBLE PARTY FORM

Performed by (1)

IT Process
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define organisation and relationships
PO5 Manage the investment
PO6 Communicate management aims & direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risk
PO10 Manage projects
PO11 Manage quality
AI1
AI2
AI3
AI4
AI5
AI6
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
M1
M2
M3
M4

Primary
Responsible Party

Identify automated solutions

Acquire & maintain application software
Acquire & maintain technology architecture
Develop & maintain procedures
Install & accredit system
Manage changes
Define service levels
Manage third party services
Manage performance & capacity
Ensure continuous service
Ensure system security
Identify & allocate costs
Educate & train users
Assist & advise customers
Manage the configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
Monitor the process
Assess Internal Control Adequacy
Obtain independent assurance
Provide for Independent Audit

(1) Identify organiational units(IT department, within organisation, outsourced or not sure) which perform activities incorporated within the IT process

38

Pre-Audit: Functions & Responsibilities

Points of Points of Accountability
Function
performed by

Function &
Operation

Responsible
Party

internal
outsourced
IT Dept

A/P
payroll
IT processing

Accounting
Accounting
VP of IT

etc.

39

PO1
PO2
PO3
PO4
PO5
PO6
PO7
PO8
PO9
PO10
PO11
AI1
AI2
AI3
AI4
AI5
AI6
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
M1
M2
M3
M4

N o t S u re

N o t A p p lic a b le

No

Formal Contract/SLA WP
in place?
Ref.

Yes

D o c u m e n te d

N o t s u re

W ith in
O rg a n is a tio n
O u ts o u rc e d

IT Process

N o t S u re

Internal
Controls

Performed by

IT D e p a r tm e n t

N o t D o c u m e n te d

CONTRACT SERVICE/SERVICE LEVEL AGREEMENT (SLA) FORM

Define a strategic IT plan

Define the information architecture
Determine technological direction
Define organisation and relationships
Manage the investment
Communicate management aims & direction
Manage human resources
Ensure compliance with external requirements
Assess risk
Manage projects
Manage quality
Identify automated solutions
Acquire & maintain application software
Acquire & maintain technology architecture
Develop & maintain procedures
Install & accredit system
Manage changes
Define service levels
Manage third party services
Manage performance & capacity
Ensure continuous service
Ensure system security
Identify & allocate costs
Educate & train users
Assist & advise customers
Manage the configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
Monitor the process
Assess Internal Control Adequacy
Obtain independent assurance
Provide for Independent Audit

40

PO1
PO2
PO3
PO4
PO5
PO6
PO7
PO8
PO9
PO10
PO11
AI1
AI2
AI3
AI4
AI5
AI6
DS1
DS2
DS3
DS4
DS5
DS6
DS7
DS8
DS9
DS10
DS11
DS12
DS13
M1
M2
M3
M4

N o t D e t e r m in e d

N /A

U n r e s o lv e d

D i s c la im e r

A d v e rs e

Q u a lif ie d

U n q u a lif ie d

IT Process

Disposition
of Findings

R e s o lv e d

Prior Audit
Opinion

F in d in g s

In Prior
Scope
Yes No

M a t e r ia l W e a k n e s s e s

PRIOR AUDIT WORK FORM

Define a strategic IT plan

Define the information architecture
Determine technological direction
Define organisation and relationships
Manage the investment
Communicate management aims & direction
Manage human resources
Ensure compliance with external requirements
Assess risk
Manage projects
Manage quality
Identify automated solutions
Acquire & maintain application software
Acquire & maintain technology architecture
Develop & maintain procedures
Install & accredit system
Manage changes
Define service levels
Manage third party services
Manage performance & capacity
Ensure continuous service
Ensure system security
Identify & allocate costs
Educate & train users
Assist & advise customers
Manage the configuration
Manage problems & incidents
Manage data
Manage facilities
Manage operations
Monitor the process
Assess Internal Control Adequacy
Obtain independent assurance
Provide for Independent Audit
Insert the number of material weaknesses and/or findings if there is more than one per process category and
then reflect the appropriate number under each column.

41

COBITs 34 Audits (or audit entities)

Processes

PO 1
PO 2
.
.
.
M4

A B C D E F - - -

S= Pre-audit survey
A= Audit
R= Report - Positive conclusion
- Finding

42

Use of CobiT in Audit Planning:

Supports objectives of AU.319

Consideration of Internal
Control in a Financial Statement
Audit, and
Risk-Based Audit planning
43

Key Features of Risk-Based Approach

Focuses on the business from a
management perspective
Emphasis on knowledge of the business
and the technology
Focus on assessing the effectiveness of a
combination of controls
Linkage between risk assessment and
testing focusing on control objectives
44

Risk-Based Audit Planning

What is most critical to the business?
What are the CSFs?
What are the risks and threats?
How robust and appropriate does the
internal control structure appear?
What are managements concerns?

45

Risks to the Business?

Unaware of the risks

Poor understanding of CSFs
Absence of KPIs
No scorecard or basis of measurement
Absence of monitoring and evaluation
Weak IT control environment
Loss of data or system integrity
46

Control Risk Assessment

Control Risk assessment at maximum
addresses relevant audit objectives using

substantive tests
perform all applicable substantive tests

Control risk assessment at below maximum

identify control procedures that allow control risk to

be below maximum
design & perform tests of controls
Identify reduced substantive tests
47

Control Risk Assessment

Control Risk assessment at low
perform tests of controls for application and

IT controls
perform analytical procedures (reduced
substantive testing)

48

Control Assessment Steps

What is the control objective?
Identify the type of control (application or general; primary
or secondary; and preventive, detective, or corrective)
What business objective is impacted?
Appropriateness of the stated control?
Number of components used to execute the control and
number of subsystems or control objectives impacted?
Evidence that the control is in effect, or impact that it is
not.
49

Setting Audit Objectives

Depends on the type of audit
Best phrased when focused on whether
selected control objectives are met
Build the linkage between the control
objective and the controls to the audit
objectives and audit procedures (review
and examination steps) to obtain sufficient
audit evidence to draw conclusions
50

Use of CobiT in
The Pre-Audit
Process
51

Overview of Pre-Audit Process

Auditee selection (may be CobiT driven)
Off-site preliminary information gathering
Entrance Conference and on-site preaudit
information gathering (reference to CobiT)
Develop proposed scope and audit objectives
Internal scope meeting (review & approval)
Finalize audit work program (CobiT-framed)
Engagement conference (reference CobiT as
criteria) and audit (CobiT as examination criteria)
52

Pre-Audit Planning
Who are they? (type of organization, industry )
What do they do? (mission, business objectives)
How do they plan to do it? (strategy/plan)
How do they do it? (functions, processes)
With what resources? (IT, operational resources, management
& staff, raw materials, etc.)
By what rules? (policies, standards, legal and regulatory
requirements)
Under what risks? (risk analysis)
53

Pre-Audit Planning
Who does it? (internal & external players, their roles and
responsibilities)
Who knows what is done? (reporting lines, designated
points of accountability)
How do they known it is done right?
(measurement registers, assurance mechanisms, evaluations, score
cards, etc.)
Where are they? (global or national, centralized or
distributed organizational structure, etc. )
54

On-Site Pre-Audit
Entrance conference and subsequent interviews
(CobiT discussion)
Tour of facility and observations
Documentation review (high-level CobiT)
Obtain management assertions (CobiT matrices)
Identification of data/information sources and
their information criteria (CobiT)
Risk and exposure analysis
Review of internal controls (includes CobiT)
Determination of planned materiality

55

On-Site Pre-Audit Procedures

Identification of accounting and operational
control objectives and related control practices
(CobiT)
Perform selected tests of stated procedures or
controls (CobiT)
Determination of auditability
Summary conclusions and development of
proposed scope and audit objectives
56

Internal Scope Meeting

AIC and manager present understanding of the
entity and its audit requirements
Provides opportunity to discuss CobiT-related
matters
Acquaints the Audit Shops management with
proposed audit and CobiT-related matters
Serves as review and approval point for scope
and audit objectives
57

Internal Scope Meeting

Addresses fundamental elements of preaudit
planning; preliminary audit work; development
and documentation of audit scope, objectives and
methodology; identification of control objectives
and criteria; and staffing and logistics issues
Cobit helps to ensure appropriate audit direction
and allocation of audit resources to the
engagement
Serves as a practice run for presenting audit
scope and audit objectives, methodology and
criteria (including CobiT) to the auditee
58

For the Audit Engagement

May identify CobiT as criteria at entrance
conference
Use CobiT to develop and benchmark
audit work programs
Introduce generally accepted control
practices to auditee via CobiT

59

Where CobiT Helps on

Pre-Audit Considerations
Framing IT processes by domains for the existing IT
environment and automated systems
Identification of major processes and activities
which support the entitys mission and business
objectives Review of acquisition and development
plans or projects for IT
Performing risk analysis and internal control review
60

Using CobiT
in other
Audit Areas

61

Using CobiT on
System Development
Audits

62

Three Types of System Development

IT Audits
Type 1: examination of development
methodology, policy and procedures
Type 2: examination of development and
implementation of a particular information
system
Type 3: participation as control advisor
throughout the development and
implementation process
63

System Development Audit Planning

Conduct preliminary survey and pre-audit
work sufficient to select the type of system
development audit
Use CobiT to assist in framing the audit with
respect to processes and detailed control
objectives applicable to the type of
development audit
Use CobiT processes and detailed control
objectives to identify criteria
64

System Development Audit Planning

Start with CobiT summary table to select
processes directly impacting application(s)
Suggest focus on Planing & Organization,
Acquisition & Implementation, and Monitoring
domains for development audits
Note: not all processes will be selected nor will
detailed control objectives within each process
Select applicable IT control practices (tasks
and activities) for each process
65

SDLC Audits Type 1

The IT auditor reviews the organizations system
development and implementation procedures.
Here, the auditor would determine whether
appropriate SDLC procedures were in place to
ensure that automated systems developed meet
user needs, function as intended, meet any
required legal or regulatory requirements, are
sufficiently controlled to provide reasonable
assurance for data and system integrity, and that
the system operates effectively and efficiently.
66

Type 1 Development Audit

Process audit
Determine whether appropriate SDLC
policies & procedures are in place
Emphasis on Planning & Organization and
Acquisition & Implementation domains
Detailed control objectives focused on good
practices for development
67

Type 1 Development Audit

Assumptions
Linkage to Planning & Organization
processes based on the premise that POs set
the stage for IT environment and
development
Audits or reviews of SDLC methodology
should be in context of organizations IT
strategy, policies, and standards
68

SDLC Audits Type 2

The IT auditor reviews the development
and implementation of a particular
system, determining whether the
organizations (and generally-accepted)
development procedures were followed,
whether the system meets the needs of the
organization and its users, is maintainable,
and operates efficiently.
69

Type 2 Development Audit

Compliance audit
Operations/Performance audit
Post-implementation examination
Focus on compliance with SDLC methods
and assessment of the systems operational
status
May include 3rd-party review
70

SDLC Audits Type 3

The IT auditor participates in the
development and implementation of the
automated system where the auditor
serves as a non-voting member of the
development team. Under this
arrangement, the auditor serves as an
advisor, a control consultant.
71

Type 3 Development Audit

Management advisory services (MAS)
Use CobiT to facilitate discussions on design,
development, testing, etc.
May involve audit work of each phase
Greater emphasis placed on under-standing of
Audits role as advisor
Good opportunities to design control self
assessment processes
72

Processes Selected for Type 1, 2 & 3

Development Audits

PO1:
PO2:
PO4:
PO5:
PO6:
PO8:
PO9:
PO10:
PO11:

Define strategic IT plan

Define information architecture
Define organization & relationships
Manage the investment
Communicate management aims
External requirements compliance
Assess Risk
Manage projects
Manage quality
73

Processes selected for Type 1, 2 & 3

Development Audits

AI1:
AI2:
AI3:
AI4:
AI5:
AI6:

Identify automated solutions

Acquire/maintain application software
Acquire/maintain technology architecture
Develop & maintain procedures
Install & accredit systems
Managing changes

M1: Monitor the process

74

Detailed Control Objectives by

Process for Type 1 SDM Audit
PO1

PO2

PO4

1.1 Assessment of technology issues

in L-R & S-R plans
1.5 Feasibility studies performed
2.1 Current architecture model
2.2 current corporate data dictionary
2.3 data classification scheme
4.1 Oversight role of steering
committee
75

Detailed Control Objectives by

Process for Type 2 SDM Audit
PO1

PO2

PO4

1.2 Development initiatives should

be in L-R & S-R plans
1.5 Feasibility studies performed
2.2 current corporate data dictionary
2.3 data classification scheme
2.4 Maintain security levels for
information classes
4.1 Oversight role of steering
committee
etc.
76

Detailed Control Objectives by

Process for Type 3 SDM Audit
PO1

1.3 IT-related issues to be considered in

L-R planning
1.5 Plans to reflect IS resources

PO2

2.2 Corporate data dictionary

incorporates data syntax rules
2.3 Placement of data on information
classes
2.4 Implement security levels

PO3

3.4 Software acquisition plans

3.5 Standardization - infrastructure

77

System Development
Audit Work Program

Use Control Objectives and Audit

Guidelines together to start audit work
program.
While primary focus may be on AI1-AI6,
selected control objectives from Planning
& Organization.
Include appropriate SDLC requirements of
the organization, if available.
78

Summary Thoughts on Using CobiT

on Development Audits
Participate in quality assurance for CobiT
targeting software development
Use CobiT as for risk assessment and
subsequent allocation of audit resources to
development projects
Use CobiT to develop Type 1, 2, & 3
development audit work programs
Used CobiT to evaluate adequacy of audit
approach on type 3 SDM audits
79

Developing a Change Control

Audit Program
Select relevant objectives from the 34 high-level
control objectives (e.g., AI1, AI2, AI4, AI6, DS9)
Select relevant detailed control objectives (e.g., AI
6.2)
These become audit objectives in the audit program
Compare the audit program to the COBIT Audit

Guidelines
80

Using Cobit on Management Audits

Framing audits via Planning & Organization
Domain
Using CobiT to evaluate assignment of
responsibility of IT-related functions.
Using CobiT to evaluate points of
accountability.

81

Using CobiT for Review of

Responsibilities
& Evaluation of Points of
Accountability
82

Conducting Responsibility and

Accountability Reviews
Determine the extent to which discrete tasks
and activities referenced by CobiT are in
place.
Determine the extent to which policies,
procedures, and mechanisms referenced by
CobiT have been established.
83

Factors to consider when identifying

relevant tasks and activities
Not all tasks & responsibilities have an
assigned responsible party
When planning your assessments (extent,
scheduling, area to be reviewed, MAS),
recommend comprehensive review by:
domain
key process(es)
84

Factors to consider when identifying

relevant tasks and activities
If reviewing the control environment, you
may elect to target tasks and responsibilities
with CobiT-designated responsible parties.
Consider the difference between single
tasks and on-going activities with respect to
the purpose of your review or audit work.

85

Task/Activity Monitoring & Evaluation

Task or
Activity

Responsibility
to:

Monitored Evaluated
by:
by:

Control
task

Establish a
Function or
procedure

Initially &
Upon
Changes

Periodic
At least
annual

Control
activity

On-going
Function or
activity

On-going
With
reporting

Periodic
To
On-going
86

Lock in Responsibilities
Complete responsible party form
Prepare list of responsible parties
Based on entity and organizational structure,
and CobiT responsibility designations, agree
or modify responsibility designations for the
selected tasks and activities
Establish Locked in responsibility list
87

Locked in Responsibility List

Serves as established list of desired
responsibility assignments.
Use as criteria for reviewing responsibility
assignments for entity under audit.

88

Review and Evaluate

Clarity and appropriateness of responsibility
definitions
assignment of responsibilities
points of accountability
reporting of actions taken and activities
mechanisms to monitor and evaluate
adequacy of exercise of responsibilities

89

Determine extent to which Audit

Team Needs to Perform:
A review of assigned responsibilities

for discrete tasks during pre-audit.

A review of assigned responsibilities

for activities during audit

90

Examination Steps
Determine whether IT-related responsibilities have
been adequately defined and assigned, and that
adequate points of accountability are in place.
Determine whether adequate controls and mechanisms
are in place to monitor, evaluate, and hold accountable
internal and outsourced parties for assigned
responsibilities and desired deliverables
91

Evidence gathered in review of assigned

responsibilities and points of accountability
Can assist assessments of internal
structures for financial and
operations audits
Can serve to identify the potential
cause of audit results or findings

92

Evidence gathered in review of assigned

responsibilities and points of accountability
Can assist management in reviewing and
determining the adequacy of structures of
accountability when organization incur
organizational or significant technical change
Can provide insight into recommendations
regarding task and activity assignment and
monitoring
93

Using Cobit to Address Third-Party

Providers of IT-Related Services
Determine whether desired processes are in
place and establish accountability
Agree on levels of control

Use CobiT to help design service contracts by

identifying deliverables and responsibilities

Use CobiT for ongoing monitoring and

evaluation of providers and partners
94

As An IT Self Assessment Tool

How am I doing against recommended

COBIT IT benchmarks?
Use COBIT to facilitate operational and
control improvements.
Identify controls that should be in place.
Reallocate resources to more important
projects.
95

Using Cobit on Control Self Assessment

Use CobiT to assist the development of
Control Self Assessment programs by
establishing benchmarks, gathering
appropriate information on control
objectives and control practices, and
developing action plans.

96

Benchmarking - Self-Assessment
0
1
2
3
4
5

Very poor
Poor
Fair
Good
Very good
Excellent

Complete lack of good practice

Recognized the issues
Some effort made to address issues
Moderately good level of practice
Advanced level of practice
Best possible, highly integrated

Source: Erik Guldentops, DC presentation, July 1997.

97

0 Very poor. Complete lack of good practices.

Organization has not recognized that there is
an issue to be addressed.
1 Poor. There is evidence that the
organization has recognized that the issues
exist and need to be addressed. There may
also be some rudimentary attempts to solve
the problem although these are relatively
ineffective without greater levels of good
practice to support them
98

2 Fair. There is some effort within the organization to

provide a level of practice which is acceptable. This
includes partial definitions of responsibility, organizational
models and processes. Although these may not have
been followed through to deliver effective and acceptable
levels of practice.
3 Good. There is a moderately good level of practice
which should not draw undue criticism. The processes
are reasonably well defined at levels of detail which make
them effective. Responsibilities and organizational
models are at a similar level of development. There is a
recognition of the need for integration, but this has not
evolved very far.
99

4 Very Good. There is generally a high level of

good practices, with advanced tools being used
to gain productivity, cost reduction and
effectiveness. There is also considerable
integration of related practices to give consistent
and effective control within this area.
5 Excellent. The very best possible levels of
good practice, given the available knowledge
and tools. There is also very high level of
integration across all aspects related to this
area.
100

COBIT
Management Guidelines
Includes:
Critical Success Factors
Key Performance Indicators
Key Goal Indicators
Maturity models
101

HGHGHGHGHGHG

102

Using the Management

Guidelines

103

IT Management
Is IT well managed?

Are we doing the right things?

Are we doing them the best way?
Are they being done well?
Are we achieving desired benefits?

Is IT properly controlled?
Do we exercise due diligence?
Is management driving the information
technology?
104

CobiT : An IT control framework

Starts from the premise that IT needs to

deliver the information that the enterprise

needs to achieve its objectives.
Promotes process focus and process
ownership
Divides IT into 34 processes belonging to
four domains
Looks at fiduciary, quality and security
needs of enterprises and provides for
seven information criteria that can be used
to generically define what the business
requires from IT

Planning
Acquiring & Implementing
Delivery & Support
Monitoring
Effectiveness
Efficiency
Availability,
Integrity
Confidentiality
Reliability
Compliance.

105

Why governance?

Due diligence

IT is strategic to the business

IT is critical to the business

Expectations and reality dont match

IT involves huge investments and large risks

106

IT is strategic to most businesses

If so, wouldnt you want to know whether your
information technology organization is:
Likely to achieve its objectives?
Resilient enough to learn and adapt?
Judiciously managing the risks it faces?
Appropriately recognizing opportunities and acting
upon them?

107

Management Guidelines
Generic and action oriented
For the purpose of

IT Control profiling - whats important?

Awareness - wheres the risk?
Benchmarking - what do others do?

Key performance indicators of IT processes

Critical success factors of controls
Control implementation choices

Supporting decision making and follow up

108

Management Guidelines
Critical Success Factors
the most important things to do to increase the

probability of success of the process

observable - usually measurable - characteristics of
the organisation and process
are either strategic, technological, organizational or
procedural in nature
focus on obtaining, maintaining and leveraging
capability and skills
expressed in terms of the IT process, not necessarily
the business
109

Management Guidelines
Key Goal Indicators

describe the outcome of the process and are therefore a lag

indicator, i.e., measurable after the fact
Are an indicator of the success of the process but may also
be expressed in terms of the business contribution if that
contribution is specific to the IT process
represent the process goal, i.e., a measure of what, a
target to achieve
may also describe a measure of the impact of not reaching
the process goal
KGIs are IT oriented but are also business driven
Are expressed in precise measurable terms wherever
possible
110

Management Guidelines
Key Performance Indicators
are a measure of how well the process is

performing
predict the probability of success or failure in the
future, i.e. KPIs are LEAD indicators
are process oriented but IT driven
focus on the process and learning dimensions of
the balanced scorecard
are expressed in precise measurable terms
should help in improving the IT process
111

Maturity Models

Refer to business requirements and control capabilities

at different levels
Are scales that lend themselves to pragmatic comparison
Are scales where the difference can be made measurable
in an easy manner
Are recognizable as a profile of the enterprise in
relation to IT governance and control
Assist in determining As-Is and To-Be positions relative
to IT governance and control maturity
Lend themselves to support gap analysis to determine
what needs to be done to achieve a chosen level
112

Start from a Maturity Model

for Self-Assessment
Non
Existent

Initial

Repeatable

Defined

Managed

Optimised

Legendforsymbolsused
Enterprisecurrentstatus
Internationalstandardguidelines
Industrybestpractice
Enterprisestrategy

Legendforrankingsused
0Managementprocessesarenotappliedatall
1Processesareadhocanddisorganised
2Processesfollowaregularpattern
3Processesaredocumentedandcommunicated
4Processesaremonitoredandmeasured
5Bestpracticesarefollowedandautomated

113

Indicators?

Measures?
Scales?

114

Generic Maturity Model - Dimensions

Understanding and awareness
Training and communications
Process and practices
Techniques and automation
Compliance
Expertise

115

Generic Maturity Model - Dimensions

UNDERSTANDING
TRAINING &
& AWARENESS
COMMUNICATION
1 recognition
sporadic communication on the issues
2 awareness
communication on
the overall issue and
need
3 understand need to informal training
act
supports individual
initiative

4 understand full
requirements

5 advanced forwardlooking
understanding

PROCESS &
PRACTICES
ad hoc approaches to
process and practices
similar/common
processes emerge;
largely intuitive
existing practices
defined, standardis-ed
& documented;
sharing of the better
practices

formal training
process ownership
supports a managed and responsibilities
program
assigned; process is
sound & complete;
interal best practices
applied;
training and
best external practices
communications
applied;
supports external
best practices and
use of leading edge
concepts/techniques

TECHNIQUES &
AUTOMATION

COMPLIANCE

EXPERTISE

common tools are

emerging

inconsitent monitoring in
isolated areas

currently available
techniques are
used; minimum
practices are
enforced; tool-set
becomes
standardised
mature techniques
applied; standard
tools enforced;
limited, tactical use
of technology

inconsistent monitoring
globally; measurement
processes emerge; IT
Balanced Scorecard ideas are
being adopted; occasional
intuitive application of root
cause analysis
IT Balanced Scorecards
implemented in some areas
with exceptions noted by
management; root cause
analysis being standardised

involvement of
IT specialists

sophisticated
techni-ques are
deployed;
extensive,
optimised use of
technology

global application of IT
Balance Scorecard and
exceptions are globally &
consistently noted by
management; root cause
analysis consistently applied

use of external
experts and
industry
leaders for
guidance

involvement of
all internal
domain experts

116

Generic Maturity Model

0 Non-Existent. Complete lack of any recognizable processes. The organisation has not even

recognised that there is an issue to be addressed.

1 Initial. There is evidence that the organisation has recognized that the issues exist and need
to be addressed. There are however no standardized processes but instead there are ad hoc
approaches that tend to be applied on an individual or case by case basis. The overall approach
to management is disorganized.
2 Repeatable. Processes have developed to the stage where similar procedures are followed
by different people undertaking the same task. There is no formal training or communication of
standard procedures and responsibility is left to the individual. There is a high degree of
reliance on the knowledge of individuals and therefore errors are likely.
3 Defined. Procedures have been standardized and documented, and communicated through
training. It is however left to the individual to follow these processes, and it is unlikely that
deviations will be detected. The procedures themselves are not sophisticated but are the
formalization of existing practices.
4 Managed. It is possible to monitor and measure compliance with procedures and to take
action where processes appear not to be working effectively. Processes are under constant
improvement and provide good practice. Automation and tools are used in a limited or
fragmented way.
5 Optimized. Processes have been refined to a level of best practice, based on the results of
continuous improvement and maturity modeling with other organizations. IT is used in an
integrated way to automate the workflow, providing tools to improve quality and effectiveness, 117
making the enterprise quick to adapt.

In summary

Maturity Models

Refer to business requirements and the enabling aspects at the

different levels
Are scales that lend themselves to pragmatic comparison
Are scales where the difference can be made measurable in an
easy manner
Are recognisable as a profile of the enterprise in relation to IT
governance and control
Assist in determining As-Is and To-Be positions relative to IT
governance and control maturity
Lend themselves to support gap analysis to determine what
needs to be done to achieve a chosen level
Are neither industry specific nor always applicable; the nature of
the business will determine what is an appropriate level
118

IT Governance Guideline
Governance over IT and its processes with goal of adding value to the
business, while balancing risk versus return
ensures delivery of information to the business that addresses the
required information criteria and is measured by KGIs
is enabled by creating and maintaining a system of process
and control excellence appropriate for the business that
directs and monitors the business value delivery of IT
considers CSFs that leverage all IT resources and is
measured by KPIs

119

IT governance summarized
Objectives

understand the issues and the strategic importance of IT

ensure that the enterprise can sustain its operations and
ascertain it can implement the strategies required to extend its activities
into the future

Goal

ensuring that expectations for IT are met and IT risks are mitigated

Position
within broad governance arrangements that cover relationships among
the entity's management and its governing body, its owners and its other
stakeholders and providing the structure through which:
the entity's overall objectives are set
the method of attaining those objectives is outlined
the manner is which performance will be monitored is described

120

Audit Organization
Use CobiT to identify and assess risk of
IT processes
Use CobiT-related matrices in standard
audit work programs
Frame IT audits via CobiT
Development of MAS focused on CobiT
121

Cobitizing Audit -- Phases

Self assessment and modification
Internal audit guidelines
Text of policy & procedure manual

Generic work programs and matrices

Overall audit planning

Engagement planning
Discussions with auditees for self assessment
Modify QA to include CobiT
Strengthen focus on business processes, system integrity, and IT
environment

122

CobiT Recognizes
IT is an integral part of the organization
IT governance is an integral part of corporate
governance
Focus on control objectives can strengthen
appropriateness and use of internal controls
Measurement is crucial to internal control
Monitoring and evaluation are integral to a
system of internal control
123

Learned So Far
Need Internal Control refresher course
covering control models (such as COSO),
CobiT, internal control acts, SAS 78,
techniques in evaluating controls
There are good opportunities to leverage
the understanding of internal controls
and CobiT among management and staff,
auditors, out-sourced services, academic
community, and vendors
124

Learned So Far
Audit Teams and auditees seem to have better
understanding of control objectives with
CobiT
Increased consistency of discussions
regarding IT domains, control objectives and
controls
Increased emphasis on information criteria

125

Learned So Far
Pilot use of CobiT
Network and share ideas on CobiT
CobiT has assisted identification of IT-related
processes, who performs them, and who is
responsible
CobiT provides Value-Added opportunities
and time savings
CobiT reinforces the final objective of
effective and efficient operations

126

A Tip regarding CobiT

CobiT is generic - adapt it to your
organization in cooperation with the
business-process owners!
Determine focus (quality, security, fiduciary)
Harmonize existing policies and procedures

with CobiT
Determine control responsibilities
Identify key performance indicators and critical
success factors

127

Another Tip or Two

Study it carefully -- it takes some time to
understand - keep in mind that you are dealing
with a control framework
For auditors and reviewers, provide sufficient
time for using CobiT in pre-audit and
engagement planning.
Promote discussions on CobiT
Identify CobiT as a control framework and
basis for benchmark criteria and evaluation
128

The Last of the Tips

Use CobiT initially as a control model and tool
to assist controls evaluations, framing audits,
identifying criteria, and performing high-level
benchmarking.
Share your insights regarding control design
and evaluation
Study the Management

Guidelines
129

EXECUTIVE SUMMARY

COBIT

Product Family

COBIT Product Family

Framework

with High-Level Control Objectives

Management
Guidelines

4 major elements

Implementation
Tool Set
Executive Summary

Executive Overview
Case Studies
FAQs
Presentations
Implementation Guide
-Management Awareness
-IT Control Diagnostic

Detailed Control
Objectives

Audit
Guidelines

Key Performance

Critical Success

Indicators (process)

Benchmarks

Factors (control)

COBIT as an open standard for increased world-wide

adoption covering summary, framework and detailed
control objectives;

Three proprietary guideline products

-- Implementation Tool Set : how to introduce the C T standard in the enterprise

-- Audit Guidelines : how to audit against the standard
-- Management Guidelines : how to benchmark, implement and
OBI

self-assess

130

CobiT
For additional information:

www.isaca.org
www.ITgovernance.org
or email or give me a call at
(617) 727-6200 ext 135
131

Go Forth Safely
And COBITize
Thank
You
132