
Introduction to COBIT

for
IT Auditor
Armanto Witjaksono

1
2
● Authoritative, up-to-date, international set of
generally accepted IT control objectives and
control practices for day-to-day use by
business managers and auditors.
● Structured and organized to provide a
powerful control model and evaluative tool

3
Overview

 COBIT – Control Objectives for Information and related Technology
 Currently at version 4.1
 A model designed to control the IT function
 Supports IT governance by providing a comprehensive description of the control objectives for IT processes

4
Overview of CobiT

What CobiT is not!!


 Audit software
 An IT audit plan
 An IT Internal Audit workprogram
 An IT audit testing plan
 Guide on “How to Audit” IT

5
Overview of CobiT
 Then what is CobiT?
o It is the Control Objectives for Information and related Technology
o A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
o The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.
o A tool for IT professionals that links information technology and control practices
o CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.

6
Overview of CobiT

o CobiT represents
1. A control framework,
2. a set of generally accepted control objectives, and
3. the CobiT Audit Guidelines.

o CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.

o CobiT is business process oriented and provides the business process owners with a framework, which should enable them to control all the different activities underlying IT deployment.

7
Overview of CobiT

 What is the purpose of CobiT?

o To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.

o CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.

o It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.

8
Overview of CobiT

 Promotes an improved focus on business information requirements
 Helps ensure that IT processes are defined and that responsibilities are assigned
 Supports management’s efforts to demonstrate due diligence
 Serves as excellent criteria for evaluation
 Strengthens the understanding, design, implementation, exercise, and evaluation of internal control

9
 Focuses on information having integrity, being
secure, and available.
 Management-oriented
 Supports corporate and IT governance
 Process-oriented
 Controls-based
 Measurement-driven
 Based on a Strong Foundation and Sound
Principles of Internal Control

10
IT Resource Management

CobiT underscores and demonstrates that IT resources need to be managed by naturally grouped processes to provide organizations with the type and quality of information required to achieve organizational objectives.

11
COBIT

COBIT is a valuable IT governance tool that helps in the understanding and management of risks and benefits associated with information integrity, security, and availability, and the management of related technology.

12
 Addresses key attributes of information produced by
IT.
 Links recommended control practices for IT to
business and control objectives.
 Provides guidance in implementing and evaluating the
appropriateness of IT-related management control
practices.

13
14
Focus on Information and IT
Management
 “Right” information, to only the “right” party, in
the “right” format, at the “right” time, at the
“right” cost.
 Information that is relevant, reliable, secure,
and available.
 Information provided by systems that have
integrity by means of a well-managed and
properly controlled IT environment.

15
COBIT Target Groups

 COBIT is primarily intended for management, business users of IT and auditors

 Main target groups
o Managers – holding executive responsibility for operation of the enterprise
o End users – provide assurance of security and controls
o Auditors – independent assurance of quality and controls
o Business and IT consultants – bring knowledge and advice
o IT Service Management Professionals – provides a framework covering complete lifecycle of IT systems and services

16
Who is COBIT aimed at?

To Those Individuals Who are Interested in and Responsible for the Management and Evaluation of Information Technology
 Management
 IT & Business Users
 Auditors / Advisors
 Academics & Students of Management and IT
 Legislators, Regulators, Oversight Bodies

17
COBIT Structure

 IT Governance Cube with 3 interrelated viewpoints (Quality Criteria, IT Processes, and IT Resources)

18
4 COBIT Domains

 Plan & Organize – concerned with identification of the way IT can best contribute to the achievement of business objectives

 Acquire and Implement – acquiring, implementing or developing IT solutions to be integrated into the business process

 Deliver & Support – delivery of required services including traditional operations, security, and training

 Monitor & Evaluate – regular assessment over time for quality and compliance with control requirements

19
COBIT mapped onto Management Cycle

20
Components of CobiT

21
Components of CobiT

The 4 Domains of CobiT
 MONITORING (MO)
 PLANNING & ORGANIZATION (PO)
 ACQUISITION & IMPLEMENTATION (AI)
 DELIVERY & SUPPORT (DS)

22
Components of CobiT

MONITORING (MO)
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.

Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.
 M1- Monitor the process
 M2- Obtain independent assurance

23
Components of CobiT

PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.

Is the IT strategy effectively controlled and will it contribute to the business objectives?
 PO1- Define a strategic IT plan
 PO2- Define the Information architecture
 PO3- Determine technical direction
 PO4- Define IT Organization and relationships
 PO5- Manage the investment in IT
 PO6- Communicate management aims and directions
 PO7- Manage Human Resources
 PO8- Ensure compliance with external requirements
 PO9- Assess risks
 PO10- Manage projects
 PO11- Manage quality

24
Components of CobiT

ACQUISITION & IMPLEMENTATION (AI)
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired as well as implemented and integrated into the business process.

Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
 AI1- Identify solutions
 AI2- Acquire and maintain application software
 AI3- Acquire and maintain technology architecture
 AI4- Develop and maintain IT procedures
 AI5- Install and accredit systems
 AI6- Managing changes

25
Components of CobiT

DELIVERY & SUPPORT (DS)
Addresses the actual delivery of required information services.

Are information related services delivered in a controlled manner?
 DS1- Define service levels
 DS2- Manage Third Party services
 DS3- Manage performance capacity
 DS4- Ensure continuous service
 DS5- Ensure systems security
 DS6- Identify and allocate costs
 DS7- Educate and train users
 DS8- Assist and advise IT customers
 DS9- Manage the configuration of IT systems
 DS10- Manage problems and incidents
 DS11- Manage data
 DS12- Manage facilities
 DS13- Manage operations

26
Overview of Internal Audit

 Internal Audit
o "Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
(Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)

 The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity’s procedures and related internal controls.

 As Internal Auditors, we also provide control recommendations and controls advisory.

27
VIDEO

 http://www.youtube.com/watch?v=bg_GEN8AZA0

28
29
CobiT For Internal Auditors

 Who uses CobiT in the Internal Audit world?

o Typically, the IT Auditor

o Business Process Auditor

o The IT Inspection Team, or

o The IT Control Team

30
CobiT For Internal Auditors

 How is CobiT used by Internal Audit?

o Establishing control baselines and standards

o Facilitating and creating performance metrics for Risk Assessments

o Developing the audit plan

o Facilitating the audit

o Managing residual risk

o Issuing control advisory and recommendations to the IT groups

31
CobiT For Internal Auditors
Audits that can be performed with the use of CobiT
1. Reviews of Baselines and Standards for IT
2. Information System Implementations
 Pre-Implementation Review
 Implementation of Controls Certification Reviews
 Post Implementation Review
3. Code Development / Source Code Management Reviews
4. General Controls Reviews
5. Data Center reviews
6. Audits of the Business Continuity Program
7. Audits of Security Configuration
8. Reviews of Security Administration
9. Reviews of IT Purchasing and Procurement
10. Application Review / Audits
11. Audits of Business Processes

BE CREATIVE! How can you fit CobiT into your audit plan?
32
Applications of the
4 CobiT Domains

All of the discussed types of reviews can employ the 4 CobiT domains:
– MONITORING,
– PLANNING & ORGANIZATION,
– ACQUISITION & IMPLEMENTATION,
– DELIVERY & SUPPORT

33
CobiT Trends
 In general, each of the 4 domains can be applied to each review with careful planning

 All IT Audit reviews should have a component that includes
o Management controls of the information
o Review of controls over the way that information is delivered / facilitated
o How the IT control review process works, and is it working effectively

 With the right planning, all reviews can be performed with the use of the 4 domains as a reference, standard, and “Best Practice” template

34
Top Ten Strengths of CobiT
in Internal Audit

 10. Control evaluation processes are standardized across the IT environment
 9. Benchmarks and standards are portable throughout the IT environment
 8. System management processes across different systems can be compared
 7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives
 6. A common language between auditee, auditor, user management and data owners is provided
 5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control “Best Practices”
 4. International IT Audit groups can knowledge share (i.e. workprograms, test plans)
 3. Audit groups can recruit based on experience with an internationally recognized audit tool
 2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
 1. It’s just plain old fun!


35
Problems Inherent to the Implementation and
Use of CobiT
 CobiT is a control framework with Audit Guidelines. Therefore,
o It is NOT an audit plan
o It is NOT a workprogram
o It does NOT provide for audit steps / techniques / procedures
o It does NOT define standards
o It does NOT define acceptable levels for IT processes

 The use of CobiT requires a sufficient amount of experience with IT controls because it does not detail actual controls verification and testing steps

36
Problems Inherent to the Implementation and
Use of CobiT

 CobiT is time & resource intensive to implement
o Steep learning curve
o New audit plans and workprograms
o New documentation methods needed

 Although CobiT is process focused, CobiT based reviews tend to be more system-focused.
o Few, if any processes, are composed of one system.
o All data flows between systems, so how are data flows evaluated?
o How can major information flow processes be evaluated within reasonable time constraints?

37
Opportunities to Implement CobiT
 Ideal Times to Implement the CobiT Framework
o Beginning of an audit year

o During a reorganization of the audit department

o During a change of strategy for the IT Audit group

o Upon implementation of Business Process focused audits

38
Threats to CobiT in the
Internal Audit World
o Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology

o Auditees can be unreceptive to controls based recommendations as opposed to traditional IT recommendations

o If the audit staff does not have a sufficient amount of experience with IT controls, difficulties can arise in creating procedures to test for the existence of CobiT prescribed controls

39
40
Framework for Managing Operational
Risk

41
 Need for better operational controls
 Importance of technology
 Risks associated with an ever changing technology
environment
 Demand for recognizable value
 Need to hold senior management accountable and
strengthen governance

42
• Achieving sufficient value from IT to support the entity’s
mission within a complex, vulnerable and ever changing
environment
• Adequately managing risk with increasing IT dependence
• Effectively dealing with the scale and cost of current and
future IT investments
• Protecting operations and IT resources against increasing
vulnerabilities and a wide spectrum of threats

43
• Being able to adequately track and measure IT
performance in support of business objectives
• Obtaining adequate assurance for the integrity,
security and availability of IT systems
• Being able to demonstrate due diligence in
meeting IT governance objectives

44
• Today, we are no longer just automating an
established business process.
• Instead, we are using technology to expand business
process capabilities and management decision
making -- It is about IT-enabled change.
• Poorly-managed IT places the integrity, security, and
availability of data and systems at risk and increases
the likelihood of unrealized benefit.

45
Management Issues
 Difficulty of obtaining adequate assurance that operational
and control objectives are being addressed and will be met
 Not being sufficiently aware of the impact of technology on
control assessment
 Not knowing who is really responsible for system integrity,
security, and availability
 Having cluttered or diffused points of accountability for IT processes across the organization

46
Management Issues
 Not recognizing that we often manage IT as if it
were separate from the enterprise when in fact it is
highly integrated with business operations
 Uncoordinated strategic planning between
business and IT operations
 Outsourcing without adequate monitoring and
evaluation

47
Management Issues
• There are a whole host of folks who pose a real
danger to IT systems
 Meeting privacy requirements
 Failing to meet regulatory or legal requirements
 Having a false sense of security
 Achieving adequate value to support the entity’s
mission

48
Management Questions
 Is IT well managed?
o Are we doing the right things?
o Are we doing them the best way?
o Are they being done well?
o Are we achieving desired benefits?
 Is IT properly controlled?
 Do we exercise and can we demonstrate due diligence?
 Are the information technology drivers in sync with the
agency’s mandates and business goals?

49
 How do responsible managers keep the ship on
course? …… keep it afloat?
 How do we achieve satisfactory results for our
citizens and stake-holders?
 How do we adapt in a timely manner to “best
practices” for our organization’s environment?

50
 To establish and maintain course . . . and afloat
 Strategic and tactical planning, monitoring and
evaluation – dashboards with indicators –
 Disaster recovery and BCP to keep it afloat
 To achieve satisfactory results for our customers and stake-
holders
 Measurement processes, balanced scorecard, etc.
 To adapt in a timely manner to “best practices” for our
organization’s environment
 Benchmarking, CMM comparisons

51
IT Value
 How do we manage to achieve acceptable IT
value?
 What policies, practices and assurance
mechanisms do we apply to the “right”
resources to achieve value?
 What guidance is there to assist
management in understanding IT processes
and how to achieve IT process results?
 What standards should be applied to our IT
environment?
 How do we address governance?

52
53
COBIT as an IT Governance
Framework
 COBIT provides a framework to control IT and supports the following 5 requirements for an IT control framework
o Providing a sharper business focus
o Ensuring a process orientation
o Having a general acceptability among organizations
o Defining a common language
o Helping to meet regulatory requirements

54
IT Governance Focus Areas

 Strategic Alignment – focus on ensuring the linkage of business and IT plans
 Value Delivery – executing the value proposition throughout the delivery cycle
 Risk Management – requires risk awareness by senior corporate officers, compliance requirements, transparency
 Resource Management – optimal investment in and management of critical resources: people, applications, information and infrastructure
 Performance Measurement – tracks and monitors strategy implementation

55
IT Governance Focus Areas

56
The Need for IT Governance

[Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement (www.itgi.org)]

Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise’s resources are used responsibly
57
IT Governance, as Defined by ITGI

IT governance is:
• The responsibility of the board of directors and executive management
• An integral part of enterprise governance, consisting of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives

[Figure: IT governance focus areas – Strategic Alignment, Value Delivery, Risk Management, Resource Management, Performance Measurement (www.itgi.org)]

[Chart: 2005 – 64% doing something about it, 36% not doing something about it; 2003 – 58% doing something about it, 42% not doing something about it]

Source: Surveys by PwC for the IT Governance Institute Sep-Oct 2003 and Sep-Oct 2005

58
Enterprise Governance Drives IT Governance

Enterprise governance is about:
 Conformance
• Adhering to legislation, internal policies, audit requirements, etc.
 Performance
• Improving profitability, efficiency, effectiveness, growth, etc.

Enterprise governance and IT governance require a balance between conformance and performance goals directed by the board.

59
IT Governance Focus Areas

Strategic alignment – Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations

Value delivery – Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT

Resource management – Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

Risk management – Requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation

Performance measurement – Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting

60
Making IT Governance Work

To make an IT governance implementation project successful:
 Make IT governance a workable solution—able to deal with the challenges and pitfalls presented by IT.
 Focus as much on improving performance and enabling competitive advantage as preventing problems.
 Make IT governance a shared responsibility between the business (customer) and the IT service provider, with the full commitment and direction of the board.
 Align IT governance within a wider enterprise governance scheme.
 Boards and executive management need to extend enterprise governance to include IT, provide the necessary leadership and organisational
structures, and insist on well-managed and properly controlled processes.

61
IT Governance Stakeholders

Board and executive – Set direction for IT, monitor results and insist on corrective measures

Business management – Defines business requirements for IT and ensures that value is delivered and risks are managed

IT management – Delivers and improves IT services as required by the business

IT audit – Provides independent assurance to demonstrate that IT delivers what is needed

Risk and compliance – Measures compliance with policies and focuses on alerts to new risks

62
Need for IT Governance Control
Framework

 Many organizations recognize the potential benefits of technology
 The successful organizations:
 Understand that IT is more than an enabler
 Understand and manage the risks associated with implementing new technologies
 Keep a keen eye on the mission and goals, and
 Know where they are through measured progress and monitoring and evaluation

63
The Need for IT Governance

[Figure: IT governance challenges – Security, Keeping IT Running, Aligning IT with Business, Managing Complexity, Value/Cost, Regulatory Compliance]

Organizations require a structured approach for managing these and other challenges.
Need to ensure that IT objectives are agreed to, good management controls are in place, and there is effective monitoring of performance to keep on track and avoid unexpected outcomes.

64
Need for IT Governance Control
Framework

 CobiT underscores the importance to recognize:

 Optimizing value, safeguarding, and ensuring the availability of technology is an entity or senior management issue, not just an IT management issue

 Business and IT goals depend on our understanding of how to dynamically apply IT, measure results, and engage IT and business process management

 Requires understanding of what we want the technology to do, and how we are going to measure success

65
COBIT Provides a Framework for IT Governance
COBIT helps bridge the gaps between business risks, control needs and
technical issues. It provides good practices across a domain and process
framework and presents activities in a manageable and logical structure.

COBIT:
 Starts from business requirements
 Is process-oriented, organizing IT activities into a
generally accepted process model
 Identifies the major IT resources to be leveraged
 Defines the management control objectives to be
considered
 Incorporates major international standards
 Has become the de facto standard for overall
control of IT
IT resources need to be managed by a set of naturally
grouped processes. COBIT provides a framework that
achieves this objective.

66
How Does COBIT View IT Governance?

 Consists of leadership, organizational structures, and processes that ensure that IT sustains and extends the enterprise’s strategies and objectives

 IT governance is the responsibility of executives and the board of directors

67
IT Governance Objectives

 IT is aligned with the business and enables the business to maximize benefit
 IT resources are safeguarded and used in a responsible and ethical manner
 IT-related risks are addressed through appropriate controls and managed to minimize risk and exposure

68
IT Governance

 Integrates and institutionalizes good practices to ensure that IT supports the business objectives.

 Enables the enterprise to take advantage of its information and IT resources to maximize benefit and capitalize on opportunities.

69
COBIT IT Governance

 IT is aligned with the business
 IT enables the business and maximizes benefits
 IT resources are used responsibly
 IT risks are managed appropriately

70
IT Governance Focus Areas
 Strategic alignment
 Value delivery
 Resource management
 Risk management
 Performance
measurement

71
IT Governance Focus Areas
 Strategic Alignment focuses on
ensuring the linkage of business and IT
plans; defining, maintaining and
validating the IT value proposition; and
aligning IT operations with enterprise
operations.
 Value Delivery is about executing the
value proposition throughout the
delivery cycle, ensuring that IT delivers
the promised benefits against the
strategy, concentrating on optimizing
costs and proving the intrinsic value of
IT.

72
IT Governance Focus Areas
 Resource Management is about the optimal
investment in, and the proper management of,
critical IT resources: applications, information,
infrastructure and people. Key issues relate to
the optimization of knowledge and infrastructure.
 Risk Management requires risk awareness by
senior corporate officers, a clear understanding
of the enterprise’s appetite for risk,
understanding of compliance requirements,
transparency about the significant risks to the
enterprise and embedding of risk management
responsibilities into the organization.

73
IT Governance Focus Areas

 Performance Measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

74
What Should Management Do?
• Inquire: Ask the right questions
• Focus on IT’s
 Alignment with the agency objectives
 Value delivery
 Risk management
• Adopt an IT governance framework
• Focus on important IT processes and core IT
competencies
• Embed responsibilities for IT security and
management in the organization
• Measure performance and results

75
To Manage and Control IT,
COBIT Recommends:

 Employing fundamentals of IT governance
 Understanding strategic value of IT
 Understanding and managing associated risks
 Exercising appropriate frameworks of control
 Having mechanisms to provide adequate assurance that IT governance objectives are addressed

76
Agencies Need Assurance
➨ That information and systems can be relied upon
➨ That operations are adequately controlled
➨ That information has integrity, is protected, and will
be available
➨ That due diligence and compliance with good
business practices can be demonstrated.
CobiT provides the control criteria and
evaluation methodology

77
CobiT is an Authoritative Source

 Built on a sound framework of control and IT-related control practices.
 Aligned with de jure and de facto standards and regulations.
 Subject to extensive review and exposure.
 Aligned with control models, standards and best practices for IT management

78
COBIT’s View of the Definition of Control

Why Control Information Systems?

➨ The answer lies in the realm of what the business wants:
 to accomplish and
 avoid

➨ It therefore falls to the spectrum of:
 objectives and
 risks

79
COBIT’s View of the Definition of Control

 The Objectives and Risks become
 Value Drivers and Risk Drivers in COBIT

80
Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

81
[Figure: To Achieve – Business Objectives; To Avoid – Risks, Threats and Exposures]

Control (as defined by COBIT)

The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

Source: COBIT Control Objectives. P. 12.

82
CobiT promotes a healthy understanding
about “reasonable assurance” and “residual
risk”

Knowing the acceptable levels for reasonable assurance and residual risk is a critical success factor for designing and managing an adequate framework of control

83
[Figure: Assurance Level scale from 0% to 100%, showing Reasonable Assurance and Residual Risk]

84
Relation to Other Control Models

CobiT is in alignment with other control models:
o COSO
o COCO
o Cadbury
o King

85
COBIT and Other IT Management
Frameworks
Organizations will consider and use a variety of IT models, standards
and best practices. They must be understood to consider how they can be
used together, with COBIT acting as the consolidator (‘umbrella’).

[Figure: Scope of coverage of IT management frameworks, from WHAT to HOW – COSO, COBIT, ISO 17799, ISO 9000, ITIL]

86
Where Does COBIT Fit?

[Figure: Where COBIT fits]
Drivers – PERFORMANCE: Business Goals; CONFORMANCE: Basel II, Sarbanes-Oxley Act, etc.
Enterprise Governance – Balanced Scorecard; COSO
IT Governance – COBIT
Best Practice Standards – ISO 9001:2000; ISO 17799; ISO 20000
Processes and Procedures – QA Procedures; Security Principles; ITIL

87
COBIT Framework

► The COBIT framework was created with the following main characteristics:
 Business-focused
 Process-oriented
 Controls-based
 Measurement-driven

COBIT Framework Characteristics

88
COBIT: An IT Control Framework

[Figure: COBIT evolution from Audit to Control to Management to Governance – COBIT 1 (1996), COBIT 2 (1998), COBIT 3 (2000), COBIT 4 (2005)]

For latest updates on COBIT, log on to www.isaca.org/cobit.

89
COBIT: Value and Limitations

COBIT:
► Has internationally accepted good practices
► Is management-oriented
► Is supported by tools and training
► Is freely downloadable
► Allows the knowledge of expert volunteers to be shared and leveraged
► Continually evolves
► Is maintained by a reputable not-for-profit organisation
► Maps 100 percent to COSO
► Maps strongly to all major, related standards
► Is a reference, not an ‘off-the-shelf’ cure

Enterprises still need to analyse control requirements and customise COBIT based on their:
► Value drivers
► Risk profile
► IT infrastructure, organisation and project portfolio

90
COBIT Components

An organisation depends on reliable and timely data and information. COBIT components provide a
comprehensive framework for delivering value while managing risk and control over data and
information.

[Figure: COBIT components – Business Strategy, IT Processes, IT Resources, Information Criteria]

91
COBIT: Advantages

Some of the advantages of adopting COBIT are:
► COBIT is aligned with other standards and good practices and should be used together with them.
► COBIT’s framework and supporting best practices provide a well-managed and flexible IT environment in an organisation.
► COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
► COBIT provides tools to help manage IT activities.

92
COBIT and IT Governance

► COBIT focuses on improving IT governance in organisations.


► COBIT provides a framework to manage and control IT activities and supports five requirements for a control framework:
 Provides sharper business focus
 Defines a common language
 Ensures process orientation
 Helps meet regulatory requirements
 Has general acceptability amongst organisations

93
COBIT and IT Governance (Cont.)

Business Focus
► COBIT achieves sharper business focus by aligning IT with business objectives.
► The measurement of IT performance should focus on IT’s contribution to enabling and extending the business strategy.
► COBIT, supported by appropriate business-focused metrics, can ensure that the primary focus is value delivery and not technical excellence as an end in itself.

94
COBIT and IT Governance (Cont.)

Process Orientation
► When organisations implement COBIT, their focus is more process-oriented.
► Incidents and problems no longer divert attention from processes.
► Exceptions can be clearly defined as part of standard processes.
► With process ownership defined, assigned and accepted, the organisation is better able to maintain control through periods of rapid change or organisational crisis.

95
COBIT and IT Governance (Cont.)

General Acceptability
► COBIT is a proven and globally accepted standard for increasing the contribution of IT to organisational success.
► The framework continues to improve and develop to keep pace with good practices.
► IT professionals from all over the world contribute their ideas and time to regular review meetings.

96
COBIT and IT Governance (Cont.)

Regulatory Requirements
► Recent corporate scandals have increased regulatory pressures on boards of directors to report their status and ensure that internal controls are appropriate. This pressure covers IT controls as well.
► Organisations constantly need to improve IT performance and demonstrate adequate controls over their IT activities.
► Many IT managers, advisors and auditors are turning to COBIT as the de facto response to regulatory IT requirements.

97
COBIT and IT Governance (Cont.)

Common Language
► A framework helps get everybody on the same page by defining critical terms and providing a glossary.
► Co-ordination within and across project teams and organisations can play a key role in the success of any project.
► Common language helps build confidence and trust.

98
COBIT: Premise

► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.

[Figure: IT resources and processes provide information to business processes for achieving business objectives]

► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.

99
COBIT: Principle

The principle of the COBIT framework is to link management’s IT expectations with management’s IT
responsibilities. The objective is to facilitate IT governance to deliver IT value whilst managing IT
risks.

[Figure: the COBIT components: business strategy, information criteria, IT processes and IT resources]

100
COBIT Framework

As a control and governance framework for IT, COBIT focuses on two key areas:
► Providing the information required to support business objectives and requirements
► Treating information as the result of the combined application of IT-related resources that need to be managed by IT processes

[Figure: the COBIT cube, with the control approach for an IT process]
Information Criteria (business requirements): Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: Applications, Information, Infrastructure, People
IT Processes: Domains, Processes, Activities
Control approach for an IT process satisfying a business requirement: consideration of
• ……………………………
• ……………………………
• ……………………..……..

101
COBIT Cube

The COBIT framework describes how IT processes deliver the information that the business needs to
achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the
COBIT cube.

Business Requirements for Information Criteria

IT Resources

IT Processes

102
COBIT Cube: IT Processes

► COBIT describes the IT life cycle with the help of four domains:
 Plan and Organise
 Acquire and Implement
 Deliver and Support
 Monitor and Evaluate
► Processes are series of activities with natural control breaks. There are 34 processes across the four domains. These processes specify what the business needs to achieve its objectives. The delivery of information is controlled through the 34 IT processes.
► Activities are actions that are required to achieve measurable results. Moreover, activities have life cycles and include many discrete tasks.

[Figure: the COBIT cube, with the IT processes dimension subdivided into domains, processes and activities]

103
COBIT Cube: IT Domains

Plan and Organise (PO)


► Objectives:
 Formulating strategy and tactics
 Identifying how IT can best contribute to achieving business objectives
 Planning, communicating and managing the realisation of the strategic vision
 Implementing organisational and technological infrastructure
► Scope:
 Are IT and the business strategically aligned?
 Is the enterprise achieving optimum use of its resources?
 Does everyone in the organisation understand the IT objectives?
 Are IT risks understood and being managed?
 Is the quality of IT systems appropriate for business needs?

IT and Business
104
COBIT Cube: IT Domains (Cont.)

Let’s look at the COBIT process model, which consists of 34 IT processes defined within the four IT domains.

[Figure: the four domains of IT processes: Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate]

Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

105
COBIT Cube: IT Domains (Cont.)

Acquire and Implement (AI)


► Objectives:
 Identifying, developing or acquiring, implementing, and integrating IT solutions
 Changes in and maintenance of existing systems
► Scope:
 Are new projects likely to deliver solutions that meet business needs?
 Are new projects likely to be delivered on time and within budget?
 Will the new systems work properly when implemented?
 Will changes be made without upsetting current business operations?

?
New Projects Organisation

106
COBIT Cube: IT Domains (Cont.)

Acquire and Implement

[Figure: the four domains of IT processes, with Acquire and Implement highlighted]

AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

107
COBIT Cube: IT Domains (Cont.)

Deliver and Support (DS)


► Objectives:
 The actual delivery of required services, including service delivery
 The management of security, continuity, data and operational facilities
 Service support for users
► Scope:
 Are IT services being delivered in line with business priorities?
 Are IT costs optimised?
 Is the workforce able to use IT systems productively and safely?
 Are adequate confidentiality, integrity and availability in place?

IT Services Business Priorities


108
COBIT Cube: IT Domains (Cont.)

Deliver and Support

[Figure: the four domains of IT processes, with Deliver and Support highlighted]

DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

109
COBIT Cube: IT Domains (Cont.)

Monitor and Evaluate (ME)


► Objectives:
 Performance management
 Monitoring of internal control
 Regulatory compliance
 Governance
► Scope:
 Is IT’s performance measured to detect problems before it is too late?
 Does management ensure that internal controls are effective and efficient?
 Can IT performance be linked to business goals?
 Are risk, control, compliance and performance measured and reported?

IT Performance

110
COBIT Cube: IT Domains (Cont.)

Monitor and Evaluate

[Figure: the four domains of IT processes, with Monitor and Evaluate highlighted]

ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

111
COBIT Cube: Information Criteria

► To satisfy business objectives, information needs to conform to specific control criteria, which
COBIT refers to as business requirements for information.
► Broadly, information criteria are based on the following requirements:
 Quality
 Fiduciary
 Security
Quality Requirements

Fiduciary Requirements

Security Requirements

Information Criteria

IT Resources
IT Processes

112
COBIT Cube: Information Criteria (Cont.)

Effectiveness: Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency: Concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality: Concerns the protection of sensitive information from unauthorised disclosure.
Integrity: Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability: Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance: Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
Reliability: Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.

[Figure: the COBIT cube, with the information criteria grouped into quality, fiduciary and security requirements]

113
COBIT Cube: IT Resources

► IT processes manage IT resources to generate, deliver and store the information that the organisation needs to achieve its objectives.
► The IT resources identified in COBIT are defined as:
 Applications are automated user systems and manual procedures that process information.
 Information is data that are input, processed and output by information systems, in whatever form used by
the business.
 Infrastructure includes the technology and facilities, such as hardware, operating systems and
networking, that enable the processing of applications.
 People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and
evaluate information systems and services. They may be internal, outsourced or contracted, as required.

Information Criteria
Applications
Information
Infrastructure
People
IT Processes
IT Resources

114
COBIT Framework

[Figure: the COBIT framework. Business objectives and governance objectives drive the information criteria; IT resources are managed through the four domains of IT processes.]

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT resources: Applications, Information, Infrastructure, People

Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.

115
COBIT Cube

IT resources are managed by IT processes to achieve IT goals that respond to the business requirements. This is the basic principle of the COBIT framework, as illustrated by the COBIT cube.

116
Interrelationship of the COBIT Components

117
COBIT Cube

The COBIT framework describes how IT processes deliver the information that the business needs to achieve its objectives.
For controlling this delivery, COBIT provides three key components, each forming a dimension of the COBIT cube.

Business Requirements for Information Criteria

IT Resources

IT Processes

118
COBIT: Premise
► The COBIT framework is based on the premise that IT needs to deliver the information that an enterprise requires to achieve its objectives.

[Figure: IT resources and processes provide information to business processes for achieving business objectives]

► The COBIT framework helps align IT with the business by focusing on business information requirements and organising IT resources. COBIT provides the framework and guidance to implement IT governance.

119
COBIT Processes within Domains

 Each of the domains above is composed of processes (34 in total):

120
Domains and processes

 A domain contains the relationships among its individual processes
 For example: Plan and Organize
121
COBIT Domains with Processes

122
COBIT Process Descriptions

 COBIT offers detailed descriptions for all 34 processes.

 The Process Descriptions:
o contain the inputs, outputs, responsibilities, metrics and goals
o provide a basis of expert knowledge from which the enterprise may decide what is relevant to its organization
o also illustrate, in diagrams, the relationships to other processes

123
Where is COBIT Today?

124
How is CobiT Focused?
 IT Governance – better coverage with governance practices
 Business requirements – better business to IT linkages with cascading
goals and supporting metrics
 Harmonization – improved integration with key practices
 Value Creation – extended focus on IT investment
 Enterprise architecture - process structure and resources
 Process definitions and process flows – improved descriptions,
activities, inputs and output
 Language and presentation – more concise in presentation, action-
oriented, control model and management guidelines are consolidated into
one document

125
What are the key COBIT Documents?

 Control Objectives define what needs to be done to implement an effective control structure to improve IT performance and address IT solutions and service delivery risks.
 Control Practices provide guidance on the risks to be avoided and value to be gained from implementing a control objective, and instruction on how to implement the objective.
 IT Assurance Guide provides guidance for the assurance team with a structured assurance approach linked to the COBIT framework that is understandable for business and IT professionals.

126
COBIT and Related Products
COBIT 4.1: COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap between control requirements, technical issues and business risks.

Board Briefing on IT Governance: To help executives understand why IT governance is important, what its issues are and what their responsibility is for managing it.

Information Security Governance: To help overcome these barriers by explaining information security in business terms. It comes complete with tools and techniques to help managers uncover security-related problems.

IT Governance Implementation Guide: Provides a generic road map for implementing IT governance using the COBIT and Val IT resources.

Control Practices: Provide guidance on why the control objectives are worth implementing and how to implement them.

IT Assurance Guide: Provides guidance on how COBIT can be used to support a variety of assurance activities together with suggested testing steps for all the IT processes and control objectives.

127
COBIT and Related Products
COBIT Quickstart: A summarized version of the COBIT resources, focusing on the most crucial IT processes, control objectives and metrics, all presented in an easy-to-follow format to help users gain the benefits of COBIT quickly.

COBIT Security Baseline (available 3rd quarter 2007): Focuses on IT security risk in a way that is simple to follow and implement for everyone, from the home user or small- to medium-sized enterprise to executives and board members of larger organizations.

Val IT: Provides guidance for managing an organization’s portfolio of IT-enabled business investments and for maximizing the quality of business cases for IT-enabled business investments.

IT Control Objectives for Sarbanes-Oxley: Provides guidance on how to ensure compliance for the IT environment based on the COBIT control objectives related to financial reporting.

Aligning COBIT, ITIL and ISO 17799: Explains to business users and senior management the value of IT best practices and how harmonization, implementation and integration of best practices (COBIT, ITIL and ISO/IEC 17799) may be made easier.

COBIT Mapping Series: An overview and various mappings of COBIT to other international guidance, such as CMM and ISO 17799, published by ITGI.

128
COBIT and Related Products

129
Control Objectives

Framework
Control Objectives
Management Guidelines
Maturity Models

131
COBIT Objectives - IT Governance
Topics
 Focus on IT Alignment by linking Information
Criteria, IT Resources and IT Goals to Business
Goals
 Focus on Value Delivery by using value-
oriented IT goals to focus on the IT processes
that are critical to deliver effectively
 Focus on Risk Management by using risk-
oriented IT goals to focus on the IT processes
that are needed to manage risk
 Focus on Resource Management by using
Maturity Models to ensure there is a capability
to deliver
 Focus on Performance Management by
using metrics and scorecards to ensure plans
are on track and deviations are identified and

132
Concise Control Objectives
PO1.2 Business-IT Alignment

CobiT 4.1:
Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed.

CobiT 4.0:
Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.

PO5.1 Financial Management Framework

CobiT 4.1:
Establish and maintain a financial framework to manage the investment and cost of IT assets and services through portfolios of IT enabled investments, business cases and IT budgets.

CobiT 4.0:
Establish a financial framework for IT that drives budgeting and cost/benefit analysis, based on investment, service and asset portfolios. Maintain the portfolios of IT-enabled investment programmes, IT services and IT assets, which form the basis for the current IT budget. Provide input to business cases for new investments, taking into account current IT asset and service portfolios. New investments and maintenance to service and asset portfolios will influence the future IT budget. Communicate the cost and benefit aspects of these portfolios to the budget prioritization, cost management and benefit management processes.

134
Framework Update

137
COBIT Framework
 Documents relationships among information criteria,
IT resources, and IT processes
 Links control objectives and control practices to
business processes and business objectives
 Assists in confirming that appropriate IT processes
(and practices) are in place
 Facilitates evaluation and assurance methods

138
Information Criteria -- The 1st Component

 Effectiveness
 Efficiency
 Confidentiality
 Integrity
 Availability
 Compliance
 Reliability

139
IT Resources -- The 2nd Component

 Application Systems
 Information
 Infrastructure
 People

140
IT Process Domains -- The 3rd Component

 Plan and Organize
 Acquire and Implement
 Deliver and Support
 Monitor and Evaluate

141
COBIT Process Model

 Subdivides IT into four domains
 34 processes in line with the domains
 Responsibility areas of plan, build, run and monitor, providing an end-to-end
 Enterprise architecture concepts help identify the resources essential for process success

142
What Are the Main Changes?

143
COBIT Domains: Information
Processes (3rd Component)

[Figure: the four domains as a cycle, Plan and Organize → Acquire and Implement → Deliver and Support → Monitor and Evaluate, with feedback loops between the domains]

144
COBIT Framework

Basic COBIT Principle: To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes in order to provide the services that deliver the required enterprise information.

145
CobiT Framework
 Helps one understand the:
 relationship of controls to control objectives,
 importance of focusing on control objectives and
their relationship to the business organization and its
business processes, and
 value of managed processes and resources to
attain data integrity, security and availability.

146
CobiT is Business-focused

 Business orientation is the main theme of COBIT.
 Designed to be used by IT service providers, users and auditors, and to also provide comprehensive guidance for management and business process owners.

148
Business Orientation of COBIT

 Links business goals to IT goals
 Provides metrics and maturity models to measure their achievement
 Identifies the associated responsibilities of business and IT process owners.

149
Business Goals

 Financial Perspective
 Expand market share
 Increase revenue
 Return on Investment
 Optimize asset utilization
 Manage business risks
 Customer Perspective
 Improve customer orientation and service
 Offer competitive products and service
 Service availability
 Agility in responding to changing business requirements
 Cost optimization of service delivery

150
Business Goals

 Internal Perspective
 Automate and integrate the business value chain
 Improve and maintain business process functionality
 Lower process costs
 Compliance with external laws and regulations
 Transparency
 Compliance with internal policies
 Improve and maintain operational and staff productivity
 Learning and Growth Perspective
 Product and business innovation
 Obtain reliable and useful information for strategic decision making
 Acquire and maintain skilled and motivated personnel

151
IT Goals
1. Respond to business requirements in alignment with business
strategy
2. Respond to governance requirements in line with board direction
3. Ensure the satisfaction of end users with service offerings and service
levels
4. Optimize the use of information
5. Create IT agility
6. Define how business function and control requirements are translated
in effective and efficient automated solutions
7. Acquire and maintain integrated and standardized application
systems
8. Acquire and maintain an integrated and standardized infrastructure

152
IT Goals
9. Acquire and maintain IT skills that respond to the IT strategy
10. Ensure mutual satisfaction of third-party relationships
11. Seamlessly integrate applications and technology solutions into
business processes
12. Ensure transparency and understanding of IT cost, benefits, strategy,
policies and service levels
13. Ensure proper use and performance of the applications and
technology solutions
14. Account for and protect all IT assets
15. Optimize the IT infrastructure, resources and capabilities
16. Reduce solution and service delivery defects and rework
17. Protect the achievement of IT objectives
18. Establish clarity of business impact of risks to IT objectives and
resources

153
IT Goals
19. Ensure critical and confidential information is withheld from those who should
not have access to it
20. Ensure automated business transactions and information exchanges can be
trusted
21. Ensure IT services and infrastructure can properly resist and recover from
failures due to error, deliberate attack or disaster
22. Ensure minimum business impact in the event of an IT service disruption or
change
23. Make sure that IT services are available as required
24. Improve IT’s cost-efficiency and its contribution to business profitability
25. Deliver projects on time and on budget meeting quality standards
26. Maintain the integrity of information and processing infrastructure
27. Ensure IT compliance with laws and regulations
28. Ensure that IT demonstrates cost-efficient service quality, continuous
improvement and readiness for future change

154
Linking Business Goals to IT Goals

 An Example:
• The business goal of increasing revenue is
linked to IT goals numbers 25 and 28, which
are:
• “Deliver projects on time and on budget
meeting quality standards” and
• “Ensure that IT demonstrates cost-
efficient service quality, continuous
improvement and readiness for future
change”

156
Linking IT Goals to IT Processes

 Example of linking IT goals to IT processes:

• The IT goal of optimizing the use of information is linked to IT processes PO2 and DS11 (information architecture and managing data)

158
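The goal cascade shown on these slides can be turned into a scoping aid for an audit: start from a business goal, walk to the IT goals and then to the processes that support them, list which of those processes the audit has not yet tested, and trace a process weakness back to the business goals it affects. The Python code below is an added example, not part of the deck or of ISACA's COBIT materials. The links "Increase revenue" → IT goals 25 and 28 and IT goal 4 → PO2/DS11 are the deck's own; the remaining mappings (the process lists for goals 25 and 28 and the second business goal entry) are constructed placeholders standing in for COBIT's full appendix tables.

```python
"""Goal cascade: business goal -> IT goals -> COBIT processes, used for audit scoping."""
from typing import Dict, List, Set

# IT goal numbers and wording taken from the deck's IT goals list.
IT_GOALS: Dict[int, str] = {
    4: "Optimize the use of information",
    25: "Deliver projects on time and on budget meeting quality standards",
    28: "Ensure that IT demonstrates cost-efficient service quality, "
        "continuous improvement and readiness for future change",
}

# Business goal -> IT goal numbers.  "Increase revenue" -> 25, 28 is the deck's
# own example; the second entry is a constructed illustration.
BUSINESS_TO_IT: Dict[str, List[int]] = {
    "Increase revenue": [25, 28],
    "Obtain reliable and useful information for strategic decision making": [4],
}

# IT goal -> COBIT processes.  Goal 4 -> PO2, DS11 is the deck's own example;
# the process lists for goals 25 and 28 are constructed placeholders, not the
# mapping published in COBIT's appendices.
IT_TO_PROCESSES: Dict[int, List[str]] = {
    4: ["PO2", "DS11"],
    25: ["PO8", "PO10"],
    28: ["PO5", "DS6", "ME1"],
}


def it_goals_for(business_goal: str) -> List[int]:
    """IT goals supporting a business goal; an unmapped goal is an error, not an empty set."""
    if business_goal not in BUSINESS_TO_IT:
        raise KeyError(f"no IT goals are mapped to business goal {business_goal!r}")
    return list(BUSINESS_TO_IT[business_goal])


def processes_for(business_goal: str) -> Set[str]:
    """COBIT processes that must work for the business goal to be achieved."""
    return {
        process
        for goal in it_goals_for(business_goal)
        for process in IT_TO_PROCESSES.get(goal, [])
    }


def coverage_gap(business_goal: str, tested: List[str]) -> Set[str]:
    """Supporting processes the audit has not (yet) tested."""
    return processes_for(business_goal) - set(tested)


def business_goals_impacted(process: str) -> List[str]:
    """Reverse trace: the business goals that depend on this process, for
    reporting the business impact of a control weakness found in it."""
    goals = {g for g, procs in IT_TO_PROCESSES.items() if process in procs}
    return sorted(bg for bg, its in BUSINESS_TO_IT.items() if goals & set(its))


def scoping_report(business_goal: str, tested: List[str]) -> str:
    """Human-readable scoping summary for one business goal."""
    lines = [f"Business goal: {business_goal}"]
    for g in it_goals_for(business_goal):
        procs = ", ".join(IT_TO_PROCESSES.get(g, [])) or "(no processes mapped)"
        lines.append(f"  IT goal {g}: {IT_GOALS.get(g, '?')} -> {procs}")
    gap = sorted(coverage_gap(business_goal, tested))
    lines.append("  Untested: " + (", ".join(gap) if gap else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(scoping_report("Increase revenue", tested=["PO8", "PO10", "PO5"]))
    print("DS11 weakness impacts:", business_goals_impacted("DS11"))
```

Replacing the three dictionaries with the full COBIT 4.1 appendix tables turns this into a complete scoping tool; the functions do not change.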
The WATERFALL Navigation Aid --
High Level Control Objectives for Each Process

[Figure: the high-level control objective waterfall]
The control of: IT Processes
which satisfy: Business Requirements
is focusing on: Control Statements
is achieved by: Control Practices
is measured by: User satisfaction

160
“RACI” Chart

 Identifies who is Responsible, Accountable, Consulted and/or Informed
 Addresses considerations for points of accountability
 Addresses issues of communication and desired input (who
would be consulted)
 Rather than titles, think of positions in terms of roles
 Depending on the size of the organization or the IT function,
several roles may be combined

162
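A RACI chart is only useful if every activity has one clear point of accountability and someone who actually does the work. The Python check below is an added example, not from the deck or from COBIT; the chart contents (activities and roles) are constructed, and the rules it enforces, exactly one Accountable and at least one Responsible role per activity, are the usual RACI convention rather than a rule stated on the slide.

```python
"""Consistency checks for a RACI chart (activity -> role -> R/A/C/I)."""
from typing import Dict, List

RaciChart = Dict[str, Dict[str, str]]
VALID_ENTRIES = {"R", "A", "C", "I"}

# Constructed sample chart for a risk-management process; activity names and
# roles are illustrative, not COBIT's published RACI chart for PO9.
SAMPLE_CHART: RaciChart = {
    "Assess IT risks":            {"CIO": "A", "Head of Operations": "R", "CEO": "C"},
    "Maintain the risk register": {"CIO": "A", "CFO": "A", "Head of Operations": "R"},
    "Report risk status":         {"Head of Operations": "R", "CIO": "I"},
}


def validate_raci(chart: RaciChart) -> List[str]:
    """Return one finding per rule violation (an empty list means the chart is consistent).
    Rules (the usual RACI convention, assumed here): exactly one Accountable and at
    least one Responsible role per activity, and only the letters R, A, C, I are used."""
    findings: List[str] = []
    for activity, assignments in chart.items():
        entries = list(assignments.values())
        invalid = sorted(e for e in entries if e not in VALID_ENTRIES)
        if invalid:
            findings.append(f"{activity}: invalid entries {invalid}")
        accountable = [role for role, e in assignments.items() if e == "A"]
        if not accountable:
            findings.append(f"{activity}: no accountable role")
        elif len(accountable) > 1:
            findings.append(f"{activity}: {len(accountable)} accountable roles "
                            f"({', '.join(accountable)}), expected exactly one")
        if "R" not in entries:
            findings.append(f"{activity}: no responsible role")
    return findings


def accountability_by_role(chart: RaciChart) -> Dict[str, List[str]]:
    """Points of accountability: for each role, the activities it is accountable for."""
    result: Dict[str, List[str]] = {}
    for activity, assignments in chart.items():
        for role, entry in assignments.items():
            if entry == "A":
                result.setdefault(role, []).append(activity)
    return result


if __name__ == "__main__":
    for finding in validate_raci(SAMPLE_CHART):
        print("FINDING:", finding)
    print(accountability_by_role(SAMPLE_CHART))
```

The second function is what the slide calls "points of accountability": a role that is accountable for most activities in a process while several roles are combined is a sign that the chart should be revisited when the organisation grows.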
Primary Inputs and Outputs

 CobiT identifies from where the primary inputs for each process are obtained
 The inputs are identified, together with where they come from
 It also identifies to which IT processes the process provides output
 The outputs (from the process) are identified, together with where they are directed

163
Metrics
 Performance measurement is essential for IT
governance.

 Requires setting and monitoring measurable objectives of what the IT processes need to deliver (process outcome) and how they deliver it (process capability and performance).

165
Metrics
 Activity Goals tell us how well the process is performing
o Measured by Key Performance Indicators (KPIs)
 Process Goals tell us what IT must deliver
o Measured by Key Goal Indicators (KGIs)
 IT Goals tell us what we expect from IT
o Measured by Key Goal Indicators (KGIs)

166
Use of Maturity Models

 The assessment of process capability based on the COBIT maturity models is a key part of IT governance implementation.
 Enables gaps in capability to be identified
and demonstrated to management.
 Action plans can then be developed

170
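A maturity-model assessment is usually recorded as a current and a target level per process; the gap between them is what gets demonstrated to management and drives the action plan. The Python code below is an added example and not the deck's or ISACA's own tooling: the level names are COBIT 4.1's generic maturity scale, while the assessed processes, their levels and the "capacity" limit on the action plan are constructed sample data.

```python
"""Maturity gap analysis over a set of COBIT process assessments."""
from dataclasses import dataclass
from typing import Dict, List

# COBIT 4.1 generic maturity scale (level names as published by ISACA).
MATURITY_LEVELS: Dict[int, str] = {
    0: "Non-existent",
    1: "Initial/Ad hoc",
    2: "Repeatable but Intuitive",
    3: "Defined Process",
    4: "Managed and Measurable",
    5: "Optimised",
}


@dataclass(frozen=True)
class Assessment:
    process: str   # COBIT process id, e.g. "DS5"
    current: int   # assessed maturity level, 0..5
    target: int    # level management has agreed to reach

    def __post_init__(self) -> None:
        # Reject levels outside the scale instead of silently producing odd gaps.
        for name in ("current", "target"):
            level = getattr(self, name)
            if level not in MATURITY_LEVELS:
                raise ValueError(f"{self.process}: {name} level {level} is outside 0..5")

    @property
    def gap(self) -> int:
        """Levels still to climb; never negative, since exceeding the target is not a gap."""
        return max(self.target - self.current, 0)


def gap_analysis(assessments: List[Assessment]) -> List[Dict[str, object]]:
    """Report rows sorted by largest gap first (ties broken by process id)."""
    rows = [
        {
            "process": a.process,
            "current": f"{a.current} {MATURITY_LEVELS[a.current]}",
            "target": f"{a.target} {MATURITY_LEVELS[a.target]}",
            "gap": a.gap,
        }
        for a in assessments
    ]
    return sorted(rows, key=lambda r: (-int(r["gap"]), str(r["process"])))


def action_plan(assessments: List[Assessment], capacity: int) -> List[str]:
    """The processes to improve first, limited to how many improvement projects
    the organisation can run at once; processes already at target are excluded."""
    ranked = [r for r in gap_analysis(assessments) if int(r["gap"]) > 0]
    return [str(r["process"]) for r in ranked[:capacity]]


def domain_average(assessments: List[Assessment]) -> Dict[str, float]:
    """Average current maturity per domain (PO, AI, DS, ME), from the id prefix."""
    totals: Dict[str, List[int]] = {}
    for a in assessments:
        domain = a.process.rstrip("0123456789")
        totals.setdefault(domain, []).append(a.current)
    return {d: sum(v) / len(v) for d, v in totals.items()}


# Constructed sample assessment; the levels are illustrative, not from any real audit.
SAMPLE = [
    Assessment("PO9", current=1, target=3),
    Assessment("AI6", current=3, target=3),
    Assessment("DS5", current=2, target=4),
    Assessment("DS11", current=2, target=3),
    Assessment("ME2", current=1, target=4),
]

if __name__ == "__main__":
    for row in gap_analysis(SAMPLE):
        print(row)
    print("Start with:", action_plan(SAMPLE, capacity=2))
    print("Domain averages:", domain_average(SAMPLE))
```

Ranking purely by gap size is the simplest rule; a real action plan would weight the gap by the process's importance to the business goals in scope, which is what the goal cascade on the earlier slides provides.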
Control Practices

Control Practices
Control Objectives
Value Drivers
Risk Drivers

172
Control Design

 Necessary and sufficient steps
 Roles & responsibilities
 Characteristics
 Generic and specific practices
 Active and passive
 Input, outputs, activities

173
IT Control Practices
 Provides guidance on risks to be avoided and value to be gained
 Provides detailed guidance on specific controls needed
to address high-level and detailed control objectives
 Provides guidance on how, why and what to implement
to improve IT performance
 Includes key elements of value and risk statements and
control practices

174
IT Control Practices
 Describing the different necessary and sufficient steps
to achieve a control objective
 Action-oriented, enabling timely execution, and measurable
 Relevant to the purpose of the control objective
 Supporting clear roles and responsibility including
segregation

175
Control Practices
Characteristics:
 The benefits listed under ‘why do it’ are tangible and motivate to
implement controls
 The set of control practices is complete (e.g. key controls) and
implementation satisfies the control objective
 Control practices listed are generally accepted as good business
practice
 Control practices suggest sustainable solutions
 The control practices are effective in addressing the risk linked to
not achieving the detailed control objective
 The control practices suggest efficient solutions
 The wording of the control practices is concise while providing
clear and unambiguous guidance on what is expected for
implementation
 The control practices are realistic

176
IT Assurance Guide

Need for IT Governance and Assurance
The CobiT Framework
IT Assurance Approaches
How CobiT Supports IT Assurance Activities

177
Approach
IT Assurance Steps
 Testing of a control approach covering 4 assurance objectives
1. Existence
2. Design effectiveness
3. Operating effectiveness (implemented,
consistent application and proper use)
4. Design and operating efficiency (cost/benefit
and possible use of automation)
 Providing 3 types of assurance guidance
 Testing the suggested control design
 Testing control objective achievement
 Documenting impact of control weaknesses

178
Approach
IT Assurance Steps
 Tests based on a documented taxonomy of relevant assurance
methods
 Enquire and confirm (via different source)
 Inspect (walk-through, search, compare,
review)
 Observe (confirmation is inherent)
 Re-perform or re-calculate and analyze
(often based on a sample)
 Automated evidence collection (sample,
trace, extract) and analyze

179
Using CobiT
183
CobiT provides the basis for IT Governance

[Figure: the IT governance cycle. Recoverable labels from the diagram:]
● Cycle steps: Direction, Set Objectives, IT Activities, Measure Performance, Compare
● CobiT links business goals to IT goals
● CobiT IT Processes and Maturity Models provide focus on IT capability
● Objectives set for IT:
  o IT is aligned with the business
  o IT enables the business and maximizes benefits
  o IT resources are used responsibly
  o IT-related risks are managed appropriately
● IT Activities:
  o Increase automation (make the business effective)
  o Decrease cost (make the enterprise efficient)
  o Manage risks (security, reliability and compliance)
● CobiT KGIs and KPIs enable measurement
● The CobiT Framework provides a common understanding of IT's role
184
Using CobiT

From an organizational perspective, entities should use control models such as COSO and CobiT, along with generally accepted control practices, to build and exercise appropriate controls that help manage the entity.
185
Strong Basis for Policy Development
● Use CobiT as a basis to develop or strengthen policies and control practices
● Compare existing policies and standard procedures against CobiT
● Conduct high-level and detailed policy reviews
186
Using CobiT Matrices to Focus on:
● IT Functions
  o Their importance?
  o Level of performance?
  o Control documentation?
● Responsible Parties of IT
  o Performed by?
  o Contracted services?
  o Primary responsible party?
● Risk Assessment
  o Importance, level of risk, control documentation?
187
CobiT's Evaluation Focus
● What is most critical to the business?
● What are the critical success factors (CSFs)?
● What are the risks and threats?
● How robust and appropriate does the internal control structure appear?
● What are management's concerns?
188
Risks to the Entity?
➨ Unaware of the risks
➨ Poor understanding of CSFs
➨ Absence of key performance indicators (KPIs)
➨ No "scorecard" or basis of measurement
➨ Absence of monitoring and evaluation
➨ Weak IT control environment
➨ Unknown loss of data or system integrity
189
COBIT Focuses on a Risk-Based Approach
● Focuses on the entity from a management perspective
● Emphasis on knowledge of the business and the technology
● Focus on assessing the effectiveness of a "combination" of controls
● Linkage between risk assessment and testing, focusing on control objectives
190
To Address Outsourced Services
● Determine whether the desired processes are in place and establish accountability
● Agree on levels of control, measurement and evaluation
● Use CobiT to help design service contracts by identifying deliverables and responsibilities
● Use CobiT for ongoing monitoring and evaluation of providers and partners
191
Recap: CobiT Recognizes
● IT is an integral part of the organization
● IT governance is an integral part of corporate governance
● Focus on control objectives can strengthen the appropriateness and use of internal controls
● Measurement is crucial to internal control
● Monitoring and evaluation are integral to a system of internal control
192
Interrelationships of CobiT Components
194
COBIT Content Diagram

[Figure: the CobiT content diagram. Components shown:]
● CobiT and Val IT frameworks
● IT Governance Implementation Guide, 2nd Edition
● IT Assurance Guide
● Control Objectives
● CobiT Control Practices, 2nd Edition
● Key Management Practices
195
IT Risk Analysis—A Generally Accepted Framework

[Figure: the risk analysis cycle, built up over three slides. Stages shown on the diagram, in the order they are usually read:]
1. Asset Identification and Valuation
2. Threat Assessment
3. Vulnerability Assessment
4. Risk Assessment
5. Countermeasures
6. Control Evaluation
7. Residual Risk
8. Action Plan

Annotations added on the later builds of the slide:
● Alternative entry points are marked over Asset Identification and Valuation and over Threat Assessment: the analysis need not start at the first stage.
● Three approaches to countermeasures:
  1. Ignore.
  2. Only prevent.
  3. Prevent and detect.
● Translate the results (beside Control Evaluation and Residual Risk) into business consequences and into financial risks.
196-198
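As an added worked example (not from the COBIT slides; COBIT names the stages above but prescribes no formula), the script below carries one constructed asset through the cycle and compares the three countermeasure approaches in financial terms. The multiplicative expected-loss model, the asset value, the likelihoods and the control costs are all assumptions of this example.

```python
"""One pass through the IT risk analysis cycle shown on the slides above.

Added example, not COBIT material. The slides name the stages; the
quantitative model here (expected annual loss = asset value x threat
likelihood x vulnerability exposure, reduced multiplicatively by controls)
and every figure used are constructed assumptions for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # asset identification and valuation: business value at stake


@dataclass(frozen=True)
class Threat:
    name: str
    annual_likelihood: float  # threat assessment: probability of occurrence per year


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    likelihood_reduction: float = 0.0  # preventive effect: fraction of likelihood removed
    impact_reduction: float = 0.0      # detective effect: fraction of loss removed once it occurs


def inherent_risk(asset, threat, vulnerability):
    """Risk assessment before controls. `vulnerability` is the fraction of the
    asset's value exposed if the threat materialises (vulnerability assessment)."""
    return asset.value * threat.annual_likelihood * vulnerability


def residual_risk(asset, threat, vulnerability, controls):
    """Control evaluation: apply each countermeasure's preventive and detective
    effect in turn; whatever expected loss is left is the residual risk."""
    likelihood = threat.annual_likelihood
    exposure = asset.value * vulnerability
    for c in controls:
        likelihood *= 1.0 - c.likelihood_reduction
        exposure *= 1.0 - c.impact_reduction
    return likelihood * exposure


def evaluate_approaches(asset, threat, vulnerability, options):
    """Translate each approach into financial terms: residual annual loss
    plus the annual cost of the controls it relies on."""
    rows = {}
    for label, controls in options.items():
        resid = residual_risk(asset, threat, vulnerability, controls)
        cost = sum(c.annual_cost for c in controls)
        rows[label] = {
            "residual_risk": round(resid, 2),
            "control_cost": round(cost, 2),
            "total_cost_of_risk": round(resid + cost, 2),
        }
    return rows


def action_plan(rows):
    """Action plan: choose the approach with the lowest total annual cost of risk."""
    return min(rows, key=lambda label: rows[label]["total_cost_of_risk"])


# Constructed scenario (all figures hypothetical).
CUSTOMER_DB = Asset("customer database", value=2_000_000.0)
BREACH = Threat("external compromise of the database host", annual_likelihood=0.2)
VULNERABILITY = 0.5  # half the asset's value is exposed if the host is compromised

PREVENT = Countermeasure("patching and MFA on admin access", 30_000.0, likelihood_reduction=0.7)
DETECT = Countermeasure("log monitoring with 24h response", 20_000.0, impact_reduction=0.5)

APPROACHES = {
    "ignore": [],
    "only prevent": [PREVENT],
    "prevent and detect": [PREVENT, DETECT],
}


def run_scenario():
    """Evaluate the three approaches for the constructed scenario."""
    rows = evaluate_approaches(CUSTOMER_DB, BREACH, VULNERABILITY, APPROACHES)
    return rows, action_plan(rows)


if __name__ == "__main__":
    print(f"Inherent risk: {inherent_risk(CUSTOMER_DB, BREACH, VULNERABILITY):,.0f} per year")
    rows, chosen = run_scenario()
    for label, r in rows.items():
        print(f"{label:20s} residual {r['residual_risk']:>10,.0f}  "
              f"controls {r['control_cost']:>8,.0f}  total {r['total_cost_of_risk']:>10,.0f}")
    print("Action plan:", chosen)
```

With these constructed figures, "ignore" carries the full 200,000 expected annual loss, "only prevent" brings it to 60,000 for 30,000 of control spend, and "prevent and detect" adds a detective control that halves the loss once a breach happens, giving the lowest total cost of risk. The point of the exercise is the last column: expressing each approach as money per year is what lets management compare a security decision against any other budget item.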
Summary
199