gives further guidance on how to fulfill the requirements of Sarbanes-Oxley section 404, including the recommendation that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model for internal controls be used in the evaluation process. Immediately, auditors began to search for ways to map business processes, application controls and IT controls to the COSO model. The Parson Consulting Study surveyed implementers of Sarbanes-Oxley section 404 and found that 88.9 percent of the respondents were using generic tools, such as spreadsheets and databases. But the same survey found that 95 percent of respondents were using COSO as their internal control evaluation framework. Over time, COBIT has become the tool of choice in mapping IT controls to COSO, because of its ease of use and the success others have had in using it.

ITIL

The Information Technology Infrastructure Library (ITIL) was developed by the UK Office of Government Commerce. It has been gaining global acceptance as a reference framework for IT service management. Those performing IT audits in the area of service delivery will find ITIL an effective tool in that task. Materials are now available to assist those auditors in using that framework, including one that maps COBIT to the ITIL framework.1

Refining IT Processes

IT process refinement is beneficial not only for improving efficiency and effectiveness, but also for changing the way IT and business managers view IT services. COBIT can be used successfully to perform this task.8

Information Security

Perhaps the fastest growing and most important area of IT audit is information security. ISACA issued Information Security Harmonisation: Classification of Global Guidance in 2005, which addresses many areas of information security and maps COBIT to the various technical models and literature.9
Summary

These articles and anecdotes demonstrate the flexibility and usefulness of COBIT in a variety of IT audit-related tasks and functions. Therefore, it is beneficial and valuable to know and understand COBIT well enough to apply it as an IT auditor. COBIT has been an established set of guidelines for years. In the post-Enron business environment, it is quickly becoming an indispensable tool to fulfill the expectations, obligations and technical guidelines in areas related to IT audit. Therefore, one of the best choices an IT auditor can make is to become an expert in COBIT. That understanding and ability to apply COBIT will likely increase the efficiency and effectiveness of the IT auditor's tasks and responsibilities. It seems the IS, IT and business world as a whole believes that statement, as seen by the number of models mapped to COBIT and the number of areas to which COBIT has been applied.

References

Bagranoff, Nancy; Laurie Henry; Choosing and Using Sarbanes-Oxley Software, Information Systems Control Journal, vol. 2, 2005, p. 49-51
Butler, Charles W.; Gary L. Richardson; Potential Control Processes for Sarbanes-Oxley Compliance, 2005, Journal Online, www.isaca.org/journalonline
Cerullo, M. Virginia; Michael J. Cerullo; How the New Standards and Regulations Affect an Auditor's Assessment of Compliance With Internal Controls, Journal Online, 2005, www.isaca.org/jonline
Dietrich, Robert J.; After Year One: Automating IT Controls for Sarbanes-Oxley Compliance, Information Systems Control Journal, vol. 3, 2005, p. 53-55
Rafeq, A.; Using COBIT for IT Control Health Check-up, Information Systems Control Journal, vol. 5, 2005, p. 18-19
Sayana, S. Anantha; Auditing IT Service Delivery, Information Systems Control Journal, vol. 5, 2005, p. 13-14
Endnotes

1 Glenfis, ITIL COBIT Mapping Linked With Control Objectives, www.glenfis.ch/english/gf00-tools.asp, accessed 2005
2 Van Grembergen, Wim; Steven De Haes; Jan Moons; Linking Business Goals to IT Goals and COBIT Processes, Information Systems Control Journal, vol. 4, 2005, p. 18-21
3 ITGI, IT Control Objectives for Sarbanes-Oxley, USA, 2004, www.isaca.org/sox
4 Op. cit., Glenfis
5 ITGI and OGC, Aligning COBIT, ITIL and ISO 17799 for Business Benefit, 2005, www.isaca.org/research
6 Op. cit., Mallette and Jain
7 Mallette, Debra; Monica Jain; IT Performance Improvement With COBIT and the SEI CMM, Information Systems Control Journal, vol. 3, 2005, p. 46-50
8 Reingold, Stephen; Refining IT Processes Using COBIT, Information Systems Control Journal, vol. 3, 2005, p. 51-52
9 ISACA, Information Security Harmonisation: Classification of Global Guidance, USA, 2005, www.isaca.org
10 ITGI, COBIT Mapping: Overview of International IT Guidance, USA, 2003, www.isaca.org/research
11 ITGI, COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, USA, 2004
Editor's Note:

Aligning COBIT, ITIL and ISO 17799 for Business Benefit can be downloaded on a complimentary basis from www.isaca.org/research. To learn more about the ITGI publication, please read Gary Hardy's article on p. 32, Guidance on Aligning COBIT, ITIL and ISO 17799. Additionally, COBIT 4.0 is now available for complimentary download at www.isaca.org/cobit and can be ordered in print from www.isaca.org/bookstore.

Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP is an assistant professor of information systems at the University of Alabama at Birmingham (USA), Marshall IS Scholar, and director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small value-added dealer of accounting information systems using microcomputers for 11 years. His education and experience are a mix of information systems and accounting. He is a member of several professional organizations related to IT/IS and accounting, including ISACA, the Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA) and the Association of Certified Fraud Examiners (ACFE). He serves on several boards of those professional organizations. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous journals, including the Information Systems Control Journal.
COBIT Mapping: ITGI

With so many of these mappings occurring, ITGI issued COBIT Mapping: Overview of International IT Guidance in 2003.10 It addresses the information security issues of IT audit. In it, the following are mapped to COBIT:

- ITIL (collection of best practices)
- ISO/IEC 17799:2000, The Code of Practice for Information Security Management (best practice), which is also mapped at a detail level in COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, published in 2004.11
- ISO/IEC TR 13335, Guidelines for the Management of IT Security (technical guidelines)
- ISO/IEC 15408, Security Techniques: Evaluation Criteria for IT Security (technical reference and information security certification)
- TickIT (software quality management certification)
- NIST 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (reference)
- COSO, Internal Control: Integrated Framework

COBIT Mapping: Overview of International IT Guidance, 2nd Edition, will be published in 2006 and will include mapping to the:

- Capability Maturity Model Integration (CMMI) (best practice for improving processes)
- IT Baseline Protection Manual (standard security safeguards for typical IT systems)
- US Federal Information Processing Standards (FIPS) Pub 200, Minimum Security Requirements for Federal Information and Information Systems
Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2006 by ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org