CobiT for IT Auditor
Armanto Witjaksono
● Authoritative, up-to-date, international set of generally accepted IT control objectives and control practices for day-to-day use by business managers and auditors.
● Structured and organized to provide a powerful control model and evaluative tool
Overview
Overview of CobiT
Then what is CobiT?
o It is the Control Objectives for Information and related Technology
o CobiT represents
1. A control framework,
2. a set of generally accepted control objectives, and
3. the CobiT Audit Guidelines.
Focuses on information having integrity, being secure, and available.
Management-oriented
Supports corporate and IT governance
Process-oriented
Controls-based
Measurement-driven
Based on a Strong Foundation and Sound Principles of Internal Control
COBIT
Addresses key attributes of information produced by IT.
Links recommended control practices for IT to business and control objectives.
Provides guidance in implementing and evaluating the appropriateness of IT-related management control practices.
Focus on Information and IT Management
“Right” information, to only the “right” party, in the “right” format, at the “right” time, at the “right” cost.
Information that is relevant, reliable, secure, and available.
Information provided by systems that have integrity by means of a well-managed and properly controlled IT environment.
COBIT Target Groups
Who is COBIT aimed at?
4 COBIT Domains
Plan & Organize – concerned with identification of the way IT can best contribute to the achievement of business objectives
Monitor & Evaluate – regular assessment over time for quality and compliance with control requirements
COBIT mapped onto Management Cycle
Components of CobiT
MONITORING (MO)
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements
Components of CobiT
Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
AI1- Identify solutions
AI2- Acquire and maintain application software
AI3- Acquire and maintain technology architecture
AI4- Develop and maintain IT procedures
AI5- Install and accredit systems
AI6- Managing changes
Overview of Internal Audit
Internal Audit
o "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
(Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)
VIDEO
http://www.youtube.com/watch?v=bg_GEN8AZA0
CobiT For Internal Auditors
Audits that can be performed with the use of CobiT
1. Reviews of Baselines and Standards for IT
6. Audits of the Business Continuity Program
BE CREATIVE! How can you fit CobiT into your audit plan?
Applications of the 4 CobiT Domains
CobiT Trends
In general, each of the 4 domains can be applied to each review with careful planning
With the right planning, all reviews can be performed with the use of the 4 domains as a reference, standard, and “Best Practice” template
Top Ten Strengths of CobiT in Internal Audit
6. A common language between auditee, auditor, user management and data owners is provided
5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control “Best Practices”
4. International IT Audit groups can knowledge share (i.e. workprograms, test plans)
3. Audit groups can recruit based on experience with an internationally recognized audit tool
2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
Problems Inherent to the Implementation and Use of CobiT
Opportunities to Implement CobiT
Ideal Times to Implement the CobiT Framework
o Beginning of an audit year
Threats to CobiT in the Internal Audit World
o Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology
Framework for Managing Operational Risk
Need for better operational controls
Importance of technology
Risks associated with an ever changing technology environment
Demand for recognizable value
Need to hold senior management accountable and strengthen governance
• Achieving sufficient value from IT to support the entity’s mission within a complex, vulnerable and ever changing environment
• Adequately managing risk with increasing IT dependence
• Effectively dealing with the scale and cost of current and future IT investments
• Protecting operations and IT resources against increasing vulnerabilities and a wide spectrum of threats
• Being able to adequately track and measure IT performance in support of business objectives
• Obtaining adequate assurance for the integrity, security and availability of IT systems
• Being able to demonstrate due diligence in meeting IT governance objectives
• Today, we are no longer just automating an established business process.
• Instead, we are using technology to expand business process capabilities and management decision making -- It is about IT-enabled change.
• Poorly-managed IT places the integrity, security, and availability of data and systems at risk and increases the likelihood of unrealized benefit.
Management Issues
Difficulty of obtaining adequate assurance that operational and control objectives are being addressed and will be met
Not being sufficiently aware of the impact of technology on control assessment
Not knowing who is really responsible for system integrity, security, and availability
Having cluttered or diffused points of accountability for IT processes across the organization
Not recognizing that we often manage IT as if it were separate from the enterprise when in fact it is highly integrated with business operations
Uncoordinated strategic planning between business and IT operations
Outsourcing without adequate monitoring and evaluation
• There are a whole host of folks who pose a real danger to IT systems
Meeting privacy requirements
Failing to meet regulatory or legal requirements
Having a false sense of security
Achieving adequate value to support the entity’s mission
Management Questions
Is IT well managed?
o Are we doing the right things?
o Are we doing them the best way?
o Are they being done well?
o Are we achieving desired benefits?
Is IT properly controlled?
Do we exercise and can we demonstrate due diligence?
Are the information technology drivers in sync with the agency’s mandates and business goals?
How do responsible managers keep the ship on course? …… keep it afloat?
How do we achieve satisfactory results for our citizens and stake-holders?
How do we adapt in a timely manner to “best practices” for our organization’s environment?
To establish and maintain course . . . and afloat
Strategic and tactical planning, monitoring and evaluation – dashboards with indicators –
Disaster recovery and BCP to keep it afloat
To achieve satisfactory results for our customers and stake-holders
Measurement processes, balanced scorecard, etc.
To adapt in a timely manner to “best practices” for our organization’s environment
Benchmarking, CMM comparisons
IT Value
How do we manage to achieve acceptable IT value?
What policies, practices and assurance mechanisms do we apply to the “right” resources to achieve value?
What guidance is there to assist management in understanding IT processes and how to achieve IT process results?
What standards should be applied to our IT environment?
How do we address governance?
COBIT as an IT Governance Framework
COBIT provides a framework to control IT and supports the following 5 requirements for an IT control framework
The Need for IT Governance
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Verifying that the enterprise’s resources are used responsibly
(Figure: IT governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement; source www.itgi.org)
IT Governance, as Defined by ITGI
IT governance is:
• The responsibility of the board of directors and executive management
• An integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives
(Figure: IT governance focus areas: Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement; source www.itgi.org)
Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005
Enterprise Governance Drives IT Governance
Performance
• Improving profitability, efficiency, effectiveness, growth, etc.
Conformance
IT Governance Focus Areas
Value delivery: Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT
Resource management: Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.
IT Governance Stakeholders
Board and executive: Set direction for IT, monitor results and insist on corrective measures
Need for IT Governance Control Framework
The Need for IT Governance
Security
Keeping IT Running
Aligning IT with Business
Managing Complexity
Regulatory Compliance
Value/Cost
COBIT Provides a Framework for IT Governance
COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
COBIT:
Starts from business requirements
Is process-oriented, organizing IT activities into a generally accepted process model
Identifies the major IT resources to be leveraged
Defines the management control objectives to be considered
Incorporates major international standards
Has become the de facto standard for overall control of IT
IT resources need to be managed by a set of naturally grouped processes. COBIT provides a framework that achieves this objective.
IT Governance Focus Areas
Strategic alignment
Value delivery
Resource management
Risk management
Performance measurement
IT Governance Focus Areas
Strategic Alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
Value Delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
Resource Management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
Risk Management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
What Should Management Do?
• Inquire: Ask the right questions
• Focus on IT’s
Alignment with the agency objectives
Value delivery
Risk management
• Adopt an IT governance framework
• Focus on important IT processes and core IT competencies
• Embed responsibilities for IT security and management in the organization
• Measure performance and results
To Manage and Control IT, COBIT Recommends:
Agencies Need Assurance
➨ That information and systems can be relied upon
➨ That operations are adequately controlled
➨ That information has integrity, is protected, and will be available
➨ That due diligence and compliance with good business practices can be demonstrated.
CobiT provides the control criteria and evaluation methodology
CobiT is an Authoritative Source
COBIT’s View of the Definition of Control
Control (as defined by COBIT)
(Figure: controls exist to achieve business objectives and to avoid risks, threats and exposures)
CobiT promotes a healthy understanding about “reasonable assurance” and “residual risk”
(Figure: Assurance Level scale from 0% to 100%, showing the band of Reasonable Assurance and the remaining Residual Risk)
Relation to Other Control Models
COBIT and Other IT Management Frameworks
Organizations will consider and use a variety of IT models, standards and best practices. They must be understood to consider how they can be used together, with COBIT acting as the consolidator (‘umbrella’).
(Figure: scope of coverage of COSO, COBIT, ISO 17799 and ISO 9000)
Where Does COBIT Fit?
(Figure: Drivers: Business Goals; Performance: Balanced Scorecard; Conformance: Basel II, Sarbanes-Oxley Act, etc.; Enterprise Governance: COSO; IT Governance: COBIT)
COBIT Framework
(Figure: evolution of the COBIT framework through Audit, Control, Management and Governance)
COBIT: Value and Limitations
COBIT:
► Has internationally accepted good practices
► Is management-oriented
► Is supported by tools and training
► Is freely downloadable
► Allows the knowledge of expert volunteers to be shared and leveraged
► Continually evolves
► Is maintained by a reputable not-for-profit organisation
► Maps 100 percent to COSO
► Maps strongly to all major, related standards
► Is a reference, not an ‘off-the-shelf’ cure
Enterprises still need to analyse control requirements and customise COBIT based on their:
► Value drivers
► Risk profile
► IT infrastructure, organisation and project portfolio
COBIT Components
An organisation depends on reliable and timely data and information. COBIT components provide a comprehensive framework for delivering value while managing risk and control over data and information.
(Figure: COBIT components: Business Strategy, Information Criteria, IT Resources, IT Processes)
COBIT and IT Governance
(Figure: COBIT provides sharper business focus, defines a common language, ensures process orientation, helps meet regulatory requirements and has general acceptability amongst organisations)
COBIT and IT Governance (Cont.)
Business Focus
► COBIT achieves sharper business focus by aligning IT with business objectives.
► The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.
► COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.
COBIT and IT Governance (Cont.)
Process Orientation
► When organisations implement COBIT, their focus is more process-oriented.
► Incidents and problems no longer divert attention from processes.
► Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.
COBIT and IT Governance (Cont.)
General Acceptability
► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.
► The framework continues to improve and develop to keep pace with good practices.
► IT professionals from all over the world contribute their ideas and time to regular review meetings.
COBIT and IT Governance (Cont.)
Common Language
► A framework helps get everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organisations can play a key role in the success of any project.
► Common language helps build confidence and trust.
COBIT: Premise
(Figure: Business Objectives are achieved by Business Processes, which require Information, which IT Resources and Processes provide)
► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.
COBIT: Principle
The principle of the COBIT framework is to link management’s IT expectations with management’s IT responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT risks.
(Figure: COBIT components: Business Strategy, Information Criteria, IT Resources, IT Processes)
COBIT Framework
As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes
(Figure: Business Requirement and Control Approach; Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability; IT Process: Domains, Processes, Activities; IT Resources: Applications, Information, Infrastructure, People)
COBIT Cube
The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube.
(Figure: the COBIT cube with dimensions IT Processes, IT Resources and Information Criteria)
COBIT Cube: IT Processes
► COBIT describes the IT life cycle with the help of four domains:
Plan and Organise
Acquire and Implement
Deliver and Support
Monitor and Evaluate
► Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through 34 IT processes.
► Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.
(Figure: the IT Processes dimension of the COBIT cube broken down into Domains, Processes and Activities)
COBIT Cube: IT Domains
Let’s look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.
(Figures: the IT domain cycle, starting with Plan and Organise, in relation to IT and Business, New Projects, Organisation and IT Performance)
COBIT Cube: Information Criteria
► To satisfy business objectives, information needs to conform to specific control criteria, which COBIT refers to as business requirements for information.
► Broadly, information criteria are based on the following requirements:
Quality Requirements
Fiduciary Requirements
Security Requirements
(Figure: the Information Criteria dimension of the COBIT cube)
COBIT Cube: Information Criteria (Cont.)
Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies
Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities
COBIT Cube: IT Resources
► IT processes manage IT resources to generate, deliver and store the information that the organisation needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
Applications are automated user systems and manual procedures that process information.
Information is data that are input, processed and output by information systems, in whatever form used by the business.
Infrastructure includes the technology and facilities, such as hardware, operating systems and networking, that enable the processing of applications.
People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate information systems and services. They may be internal, outsourced or contracted, as required.
(Figure: the IT Resources dimension of the COBIT cube: Applications, Information, Infrastructure, People)
COBIT Framework
COBIT FRAMEWORK
Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT resources: Applications, Information, Infrastructure, People
PLAN AND ORGANISE
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
DELIVER AND SUPPORT
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
COBIT: Premise
► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.
How is CobiT Focused?
IT Governance – better coverage with governance practices
Business requirements – better business to IT linkages with cascading goals and supporting metrics
Harmonization – improved integration with key practices
Value Creation – extended focus on IT investment
Enterprise architecture - process structure and resources
Process definitions and process flows – improved descriptions, activities, inputs and output
Language and presentation – more concise in presentation, action-oriented, control model and management guidelines are consolidated into one document
What are the key COBIT Documents?
COBIT and Related Products
COBIT 4.1: COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks.
Board Briefing on IT Governance: To help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it
Control Practices: Provide guidance on why the control objectives are worth implementing and how to implement them
IT Assurance Guide: Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives
COBIT Quickstart: A summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly.
COBIT Security Baseline (available 3rd quarter 2007): Focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations.
IT Control Objectives for Sarbanes-Oxley: Provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting.
Aligning COBIT, ITIL and ISO 17799: To explain to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier.
Control Objectives
(Figure: COBIT content: Framework, Control Objectives, Management Guidelines, Maturity Models)
COBIT Objectives - IT Governance Topics
Focus on IT Alignment by linking Information Criteria, IT Resources and IT Goals to Business Goals
Focus on Value Delivery by using value-oriented IT goals to focus on the IT processes that are critical to deliver effectively
Focus on Risk Management by using risk-oriented IT goals to focus on the IT processes that are needed to manage risk
Focus on Resource Management by using Maturity Models to ensure there is a capability to deliver
Focus on Performance Management by using metrics and scorecards to ensure plans are on track and deviations are identified and
Concise Control Objectives
CobiT 4.1
PO1.2 Business-IT Alignment
Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.
CobiT 4.0
PO1.2 Business-IT Alignment
Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.
Framework Update
COBIT Framework
Documents relationships among information criteria, IT resources, and IT processes
Links control objectives and control practices to business processes and business objectives
Assists in confirming that appropriate IT processes (and practices) are in place
Facilitates evaluation and assurance methods
Information Criteria -- The 1st Component
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
IT Resources -- The 2nd Component
Application Systems
Information
Infrastructure
People
IT Process Domains -- The 3rd Component
COBIT Process Model
(Figure: the COBIT domains as a feedback cycle beginning with Plan and Organize)
CobiT Framework
Helps one understand the:
relationship of controls to control objectives,
importance of focusing on control objectives and their relationship to the business organization and its business processes, and
value of managed processes and resources to attain data integrity, security and availability.
Business Orientation of COBIT
Business Goals
Financial Perspective
Expand market share
Increase revenue
Return on Investment
Optimize asset utilization
Manage business risks
Customer Perspective
Improve customer orientation and service
Offer competitive products and service
Service availability
Agility in responding to changing business requirements
Cost optimization of service delivery
Business Goals
Internal Perspective
Automate and integrate the business value chain
Improve and maintain business process functionality
Lower process costs
Compliance with external laws and regulations
Transparency
Compliance with internal policies
Improve and maintain operational and staff productivity
Learning and Growth Perspective
Product and business innovation
Obtain reliable and useful information for strategic decision making
Acquire and maintain skilled and motivated personnel
IT Goals
1. Respond to business requirements in alignment with business strategy
2. Respond to governance requirements in line with board direction
3. Ensure the satisfaction of end users with service offerings and service levels
4. Optimize the use of information
5. Create IT agility
6. Define how business function and control requirements are translated in effective and efficient automated solutions
7. Acquire and maintain integrated and standardized application systems
8. Acquire and maintain an integrated and standardized infrastructure
9. Acquire and maintain IT skills that respond to the IT strategy
10. Ensure mutual satisfaction of third-party relationships
11. Seamlessly integrate applications and technology solutions into business processes
12. Ensure transparency and understanding of IT cost, benefits, strategy, policies and service levels
13. Ensure proper use and performance of the applications and technology solutions
14. Account for and protect all IT assets
15. Optimize the IT infrastructure, resources and capabilities
16. Reduce solution and service delivery defects and rework
17. Protect the achievement of IT objectives
18. Establish clarity of business impact of risks to IT objectives and resources
19. Ensure critical and confidential information is withheld from those who should not have access to it
20. Ensure automated business transactions and information exchanges can be trusted
21. Ensure IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster
22. Ensure minimum business impact in the event of an IT service disruption or change
23. Make sure that IT services are available as required
24. Improve IT’s cost-efficiency and its contribution to business profitability
25. Deliver projects on time and on budget meeting quality standards
26. Maintain the integrity of information and processing infrastructure
27. Ensure IT compliance with laws and regulations
28. Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change
Linking Business Goals to IT Goals
An Example:
• The business goal of increasing revenue is linked to IT goals numbers 25 and 28, which are:
• “Deliver projects on time and on budget meeting quality standards” and
• “Ensure that IT demonstrates cost-efficient service quality, continuous improvement and readiness for future change”
Linking IT Goals to IT Processes
The WATERFALL Navigation Aid -- High Level Control Objectives for Each Process
Primary Inputs and Outputs
Metrics
Performance measurement is essential for IT
governance.
Metrics
Activity goals tell us how well the process is performing
o Measured by Key Performance Indicators (KPIs)
Process goals tell us what IT must deliver
o Measured by Key Goal Indicators (KGIs)
IT goals tell us what we expect from IT
o Measured by Key Goal Indicators (KGIs)
Use of Maturity Models
Control Practices
(Diagram: Control Practices, Control Objectives, Value Drivers, Risk Drivers)
Control Design
IT Control Practices
Provides guidance on risks to be avoided and value to be gained
Provides detailed guidance on specific controls needed to address high-level and detailed control objectives
Provides guidance on how, why and what to implement to improve IT performance
Includes key elements of value and risk statements and control practices
IT Control Practices
Describing the different necessary and sufficient steps to achieve a control objective
Action-oriented and measurable, enabling timely execution
Relevant to the purpose of the control objective
Supporting clear roles and responsibilities, including segregation of duties
Control Practices
Characteristics:
The benefits listed under ‘why do it’ are tangible and motivate the implementation of controls
The set of control practices is complete (e.g. key controls) and implementation satisfies the control objective
Control practices listed are generally accepted as good business practice
Control practices suggest sustainable solutions
The control practices are effective in addressing the risk linked to not achieving the detailed control objective
The control practices suggest efficient solutions
The wording of the control practices is concise while providing clear and unambiguous guidance on what is expected for implementation
The control practices are realistic
IT Assurance Guide
Approach
IT Assurance Steps
Testing of a control approach covering 4 assurance objectives
1. Existence
2. Design effectiveness
3. Operating effectiveness (implemented,
consistent application and proper use)
4. Design and operating efficiency (cost/benefit
and possible use of automation)
Providing 3 types of assurance guidance
Testing the suggested control design
Testing control objective achievement
Documenting impact of control weaknesses
Approach
IT Assurance Steps
Tests based on a documented taxonomy of relevant assurance methods
Enquire and confirm (via a different source)
Inspect (walk-through, search, compare, review)
Observe (confirmation is inherent)
Re-perform or re-calculate and analyze (often based on a sample)
Automated evidence collection (sample, trace, extract) and analysis
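As an added illustration of the last two assurance methods (not material from the slides or from ISACA), the script below extracts and samples change records, re-performs a change-approval control on each one, and concludes on operating effectiveness; the change records, the tolerable deviation rate and the sample size are constructed assumptions.

```python
"""Added example (not COBIT/ISACA material): automated evidence collection
and re-performance of a change-approval control, testing existence of the
approval, its timing, and segregation of duties.  All records, the sample
size and the tolerable deviation rate are constructed assumptions."""
import random
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Change:
    ticket: str
    implementer: str
    approver: Optional[str]
    approved_at: Optional[datetime]
    deployed_at: datetime

# Constructed evidence: an extract of production changes for the audit period.
CHANGES = [
    Change("CHG-1001", "alice", "bob",   datetime(2024, 3, 1, 9),  datetime(2024, 3, 1, 14)),
    Change("CHG-1002", "bob",   "bob",   datetime(2024, 3, 2, 10), datetime(2024, 3, 2, 11)),
    Change("CHG-1003", "carol", None,    None,                     datetime(2024, 3, 3, 15)),
    Change("CHG-1004", "alice", "dave",  datetime(2024, 3, 4, 16), datetime(2024, 3, 4, 12)),
    Change("CHG-1005", "dave",  "carol", datetime(2024, 3, 5, 8),  datetime(2024, 3, 5, 9)),
    Change("CHG-1006", "carol", "alice", datetime(2024, 3, 6, 13), datetime(2024, 3, 6, 17)),
]

def reperform(change: Change) -> list:
    """Re-perform the control for one record and return the deviations found."""
    findings = []
    if change.approver is None or change.approved_at is None:
        return ["no approval recorded"]                   # existence
    if change.approved_at > change.deployed_at:
        findings.append("approved after deployment")      # design: approval precedes change
    if change.approver == change.implementer:
        findings.append("self-approval")                  # segregation of duties
    return findings

def select_sample(changes: list, size: int, seed: int = 7) -> list:
    """Draw a reproducible random sample from the extracted population."""
    return random.Random(seed).sample(changes, min(size, len(changes)))

def assess(changes: list, tolerable_rate: float = 0.05) -> dict:
    """Operating-effectiveness conclusion over the records tested."""
    deviations = {c.ticket: f for c in changes if (f := reperform(c))}
    rate = len(deviations) / len(changes)
    return {"tested": len(changes), "deviations": deviations,
            "deviation_rate": rate, "effective": rate <= tolerable_rate}

if __name__ == "__main__":
    print(assess(select_sample(CHANGES, 4)))
```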
Using CobiT
CobiT provides the basis for IT Governance
(Diagram: CobiT links business goals to IT goals; CobiT IT processes provide focus on direction; maturity models show IT capability)
Strong Basis for Policy Development
Using CobiT Matrices to Focus on:
IT Functions
o Their importance?
o Level of performance?
o Control documentation?
Responsible Parties of IT
o Performed by?
o Contracted services?
o Primary responsible party?
Risk Assessment
o Importance, level of risk, control documentation?
CobiT’s Evaluation Focus
Risks to the Entity?
COBIT Focuses on Risk-Based Approach
To Address Outsourced Services
Recap: CobiT Recognizes
IT is an integral part of the organization
IT governance is an integral part of corporate
governance
Focus on control objectives can strengthen
appropriateness and use of internal controls
Measurement is crucial to internal control
Monitoring and evaluation are integral to a system of
internal control
Interrelationships of CobiT Components
COBIT Content Diagram
(Diagram: Asset Identification and Valuation, Threat Assessment, Countermeasures, Action Plan, Residual Risk)
IT Risk Analysis—A Generally Accepted Framework
(Diagram, with alternative entry points at Asset Identification and Valuation and at Threat Assessment: Asset Identification and Valuation, Threat Assessment, Countermeasures, Action Plan, Residual Risk)
IT Risk Analysis—A Generally Accepted Framework
Three Approaches:
1. Ignore.
2. Only prevent.
3. Prevent and detect.
(Diagram: Asset Identification and Valuation, Threat Assessment, Vulnerability Assessment, Risk Assessment, Control Evaluation, Countermeasures, Action Plan, Residual Risk. The risk assessment translates into business consequences and into financial risks.)
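The following is an added worked example, not content from the slides: it carries one constructed scenario through the framework above, from asset valuation and threat assessment to control evaluation of the three approaches and the residual risk left by each. The figures are constructed, and the loss model (annual loss = asset value x exposure fraction x annual threat frequency) is this example's own assumption, not a formula the slides give.

```python
"""Added example (not from the slides): a quantitative pass through the
risk analysis framework.  Figures are constructed; the annual-loss model
is an assumption of this example."""
from dataclasses import dataclass

@dataclass
class Scenario:
    asset: str
    asset_value: float       # asset identification and valuation
    exposure: float          # vulnerability assessment: fraction of value lost per incident
    annual_frequency: float  # threat assessment: expected incidents per year

@dataclass
class Countermeasure:
    approach: str
    prevent: float        # fraction of incidents stopped before they occur
    detect: float         # fraction of remaining incidents detected early
    detect_saving: float  # fraction of the loss avoided when detected early
    annual_cost: float

def inherent_risk(s: Scenario) -> float:
    """Risk assessment: expected annual loss with no countermeasure (financial terms)."""
    return round(s.asset_value * s.exposure * s.annual_frequency, 2)

def residual_risk(s: Scenario, cm: Countermeasure) -> float:
    """Expected annual loss that remains once the countermeasure is in place."""
    remaining_frequency = s.annual_frequency * (1 - cm.prevent)
    loss_per_incident = s.asset_value * s.exposure * (1 - cm.detect * cm.detect_saving)
    return round(remaining_frequency * loss_per_incident, 2)

def control_evaluation(s: Scenario, options: list) -> dict:
    """Compare approaches by residual risk plus countermeasure cost; the
    cheapest total becomes the action plan."""
    rows = {cm.approach: {"residual": residual_risk(s, cm), "cost": cm.annual_cost,
                          "total": round(residual_risk(s, cm) + cm.annual_cost, 2)}
            for cm in options}
    best = min(rows, key=lambda k: rows[k]["total"])
    return {"inherent": inherent_risk(s), "options": rows, "action_plan": best}

# Constructed scenario: a customer database facing a data-breach threat.
DB = Scenario("customer database", 2_000_000, 0.25, 0.2)
OPTIONS = [
    Countermeasure("ignore", 0.0, 0.0, 0.0, 0),
    Countermeasure("only prevent", 0.6, 0.0, 0.0, 30_000),
    Countermeasure("prevent and detect", 0.6, 0.8, 0.5, 45_000),
]

if __name__ == "__main__":
    print(control_evaluation(DB, OPTIONS))
```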
Summary