Introduction

01 ISACA Standards contain the basic principles and essential procedures,

identified in bold, that are mandatory, together with related guidance. 02 The
purpose of this IS Auditing Standard is to establish a standard and provide
guidance to the IS auditor to adhere to the ISACA Code of Professional Ethics
and exercise due professional care in conducting audit assignments.

Standard 05 The IS auditor should adhere to the ISACA Code of Professional

Ethics in conducting audit assignments. 06 The IS auditor should exercise due
professional care, including observance of applicable professional auditing
standards, in conducting the audit assignments.

Commentary 07 The Code of Professional Ethics issued by ISACA will be amended

from time to time to keep pace with emerging trends and demands of the auditing
profession. ISACA members and IS auditors should keep abreast of the latest Code
of Professional Ethics and adhere to the same while discharging duties as IS
auditors. 08 The IS Auditing Standards issued by ISACA are periodically reviewed for
continual improvement and amended as necessary to keep pace with the evolving
challenges in the auditing profession. ISACA members and IS auditors should be
aware of the latest applicable IS Auditing Standards and exercise due professional
care while conducting audit assignments. 09 Failure to comply with the ISACA Code
of Professional Ethics and/or IS Auditing Standards can result in investigation into a
members or CISA holders conduct and, ultimately, in disciplinary measures. 10
ISACA members and IS auditors should communicate with their team members and
ensure the teams adherence to the Code of Professional Ethics and observance of
applicable IS Auditing Standards in conducting audit assignments. 11 IS auditors
should appropriately deal with all concerns encountered, with regard to the
application of professional ethics or IS Auditing Standards during the conduct of the
audit assignment. If adherence to professional ethics or IS Auditing Standards is
impaired or appears impaired, the IS auditor should consider withdrawing from the
engagement. 12 The IS auditor should maintain the highest degree of integrity and
conduct, and not adopt any methods that could be seen as unlawful, unethical or
unprofessional to obtain or execute audit assignments. 11 The following guidance
should be referred to for further information on professional ethics and standards:
IS Auditing Guideline G19 Irregularities and Illegal Acts IS Auditing Guideline
G7 Due Professional Care IS Auditing Guideline G12 Organisational Relationship
and Independence COBIT Framework, Control objective M4

ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the
association and/or its certification holders.
Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for
the effective governance and management of enterprise information systems and technology, including:
audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional
standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and
character, and not discrediting their profession or the Association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless
disclosure is required by legal authority. Such information shall not be used for personal benefit or
released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can
reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed including the disclosure of all significant facts
known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and
management of enterprise information systems and technology, including: audit, control, security and risk
management.
Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification
holder's conduct and, ultimately, in disciplinary measures.

What is COBIT5?
Its the leading framework for the governance and management of enterprise IT.

COBIT 5
The power of COBIT 5 is in its breadth of tools, resources and guidance. The value of COBIT 5 is in how it applies to
your profession. COBIT 5 is now online, search specific uses by topic area and bring the power and value of COBIT 5
to your organization.

Manage vulnerabilities
and ensure
compliance.

Evaluate and optimize Oversee and manage Keep ahead of rapidly

enterprise risk.

information security. changing regulations.

Align IT goals and

strategic business
objectives.

Insights
The COBIT 5 framework for the governance and management of enterprise IT is a leading-edge business
optimization and growth roadmap that leverages proven practices, global thought leadership and ground-breaking
tools to inspire IT innovation and fuel business success.

Example of COBIT.
This case study is a real-life example of using COBIT for IT risk management within a global bank. COBIT was used
effectively for managing risk within the technology teams to ensure that appropriate IT governance and IT assurance
processes were utilised throughout the bank.

Background
The bank in the given case is a global conglomerate with operations in more than 50 countries and with more than
125,000 employees across the globe. The banks technology teams are located throughout the world to support
global lines of business. The IT teams include development centres that are part of the bank and others that are
outsourced to vendors, as well as technology back offices that support IT infrastructure and services. The bank had a
history of multiple governance and assurance templates and processes followed by different teams, regions and
locations. Hence, the key challenge was to create a common governance and assurance process across technology
teams.
The technology governance and assurance programme was designed through a risk management framework to
ensure effective risk and control management.
The framework was defined to address existing risk and control management weaknesses, such as:
Immature processes for assessing and testing compliance
Lack of a single control repository, resulting in control duplication
Lack of a clear, repeatable process for completing risk assessments
The new framework was expected to enable technology teams to understand the significant operational risks and
their impact on the wider organisation by:
Addressing areas in which risks were not effectively controlled
Allowing technology executives to demonstrate regulatory responsibilities efficiently
Using a common platform for reporting all regulatory requirements across regions and countries
Effectively reporting technology risk and control weaknesses that may impact the business
Implementing a standard process across regions and offices to ensure consistency and avoid duplication of
reporting

Use of COBIT
The governance team decided to use COBIT as a standard framework. A team of professionalsincluding risk, IT
security and US Sarbanes-Oxley Act process expertswas set up to define the processes and templates. The team
primarily worked on three areas:

1. Defining a framework to useControl objective framework (COF)

2. Identifying a standard definition of entities against which risks and controls were to be evaluated
Key entity management model
3. Identifying a risk management processRisk and control assessment (RCA)
Key steps in the process of developing a new risk management framework are described in the following sections.

Step 1Defining COF

The COF was defined to link risks affecting technology offices and industry standard best practice controls as defined
by COBIT. Three objectives were set whilst defining the COF:
1. It should act as a tool to facilitate the effective assessment of risks and controls within technology.
2. It should act as a reporting framework to demonstrate how technology satisfies reporting regulatory
requirements, including those of Sarbanes-Oxley.
3. It should act as an aid to drive management assurance.
The steps in implementing COF using COBIT included:
Identify principal risksThe principal risks of level I were defined and frozen based on earlier information.
Those identified included risks related to technology, operations, people, legal and regulatory, financial
reporting, financial crime, brand, and change.
Identify level II risksThe principal risk was further broken down into level II risks. As an example, the
technology principal risk was further drilled down to:
- Inadequate design/testing of IT systems
- Unavailability of IT systems
- Lack of IT security
Identify control objectivesFor each of the level II risks, control objectives were identified using COBIT.
Figure 1 indicates the mapping of the level II risks with the control objectives identified against each of the
technology risks.

Benefit of Step 1
Prior to implementing this framework, each entity, organisation and location had its own set of controls. COBIT helped
in developing and managing a single list of controls for each type of risk through the mapping of needed controls to
COBIT. In turn, this assisted with the attestation of each type of risk, which provided confidence to senior executives
on the reporting and attestation process. Subsequently, a risk assessment process was developed to define risks and
controls. This helped in ensuring that adequate controls were deployed to cover the principal risks and level II risks.

Step 2Identifying Entities for Managing Risks and Controls

The key entity management model was defined to include IT building blocks, against which risk and control
assessments were to be performed. The IT building blocks are logically linked together for reporting purposes to
provide a risk and control assessment for all supporting services within the purview of the technology office.
The IT building blocks were defined as:
Process entitiesThese represent the processes used to support, control and manage the IT environment.
Any control issues in a process entity would affect many IT services, e.g., change control is pervasive
across most IT services.
Supporting services entitiesLinking with process and technology entities allows for a complete end-toend risk and control assessment for that supporting service, e.g., interfacing risks amongst technology
entities, service-level risks for end-to-end IT service, and integration risks (the management of handoffs
between departments).

 Technology entitiesThese represent the traditional IT components, e.g., servers, applications, networks
and firewalls. The service maps and the RCA process were used to facilitate the identification of the key
technology entities that make up each supporting service.
Project entitiesWhilst project entities have no effect on the top 20 services, it is very important to capture
any control and risk information ahead of go-live. This will allow the target state controls for a new
development/project change to be assessed, reported and communicated prior to go-live. Some examples
of the top 20 services include ATM connectivity and core banking application support services.
The banks method for defining IT services is through an IT service catalogue. As part of its IT service catalogue,
each of the top 20 services was identified for the supporting services that underpin it. A service map was created for
each supporting service. The service maps illustrate the technology components that are linked together to support
the end-to-end services.
Each process entity and technology entity is distinct and can be linked to multiple supporting services. As a result, the
key entity management model is flexible and can support expansion to additional IT services as required. The linkage
amongst entities allows risk assessments to be aggregated to provide an end-to-end service risk profile, which is
meaningful to management and the different clusters managing the entities in the overall service.

Benefit of Step 2
Prior to implementing the new risk management process, each region, country, etc., of the bank had its own risk and
control matrices. The risk and controls evaluation was based on the understanding of each team working on risk
management within the region, and there was no focus on the end result, i.e., the impact of risk on customer service.
COBIT helped in identifying key services that had an impact on business and customers and kept the focus on
controls. Once such risks were identified, the controls were frozen based on the COBIT framework and were
evaluated for control effectivenesswith the clear objective of determining the impact on customer service. This
resulted in reducing the total number of incidents and reducing the impact of incidents on customers and\or customer
services.

Step 3Defining and Implementing the RCA Process

The process overview in figure 2 highlights the five steps to performing a risk assessment. Within each of the steps,
the key tasks were identified. A series of tools/process aides was defined to assist with the scoping, scheduling and
delivery of the risk assessment, and is outlined in figure 2.

The objective in developing the common RCA process was to ensure that the analyses of risks and controls were
consistent across the teams globally.
One of the tools was a simple Excel template defined to capture risk and control information. The template then was
frozen for use by all of the entities. The template was defined to capture the following key information:

 Principal and level II risks

Control objectives with reference to the COBIT controls process
Reference to Sarbanes-Oxley control requirements
Control owner
Control assessmenteffective, ineffective
Actions to make the control effective
Action closure detailsaction owner, target date
The templates were filled by the risk and control owner and were sent to the central risk team for review. They were
then entered into the risk management tool to track actions for closure and reporting on open risks. Each was tagged
with:
Entity ownersTypically the owners of the RCA
Risk ownersThe owners responsible for the risk
Control ownersThe owners responsible for maintaining control effectiveness
Action ownersThe owners of actions defined due to ineffective controls

Benefit of Step 3
Through training programs, the terms entity/RCA owners, risk owners, control owners and action owners were
explained using a Responsible, Accountable, Consulted and Informed (RACI) chart (see figure 3 for an example).
The responsibilities were also mapped in the job descriptions and in performance evaluation criteria of the staff.

The example in figure 3 clarifies that, although the head of facilities was held accountable for providing physical
security on an ongoing basis, the chief operations officer (COO) was accountable for ensuring reporting of incidents
and follow-up thereof. For any actions of employees and vendor staff working out of the office, human resources (HR)
was consulted and informed.

Step 4Training Key Stakeholders

One of the main challenges was to explain the entire process to all of the stakeholders with different backgrounds
and understanding of risks and controls and at various locations. The challenge was managed by creating additional
training programs at various levels. This involved:
Creating risk experts (typically with background experience and certifications such as Certified Information
Systems Auditor [CISA] and Chartered Accountant [CA]) across the regions and offices who were
trained under a train-the-trainer program. Such resources were used to train the stakeholders.
Tailoring the training delivered by the risk experts to the audience. For entity owners, a simple process
overview was provided through mandatory computer-based training. For risk and control owners, training
was detailed and included examples and tests, and it was delivered through classrooms at different
locations or through web-based training sessions.
Offering, as part of the mandatory training program, an awareness training session that explained the
process and provided links and contacts for local risk experts within the organisation for further information
and guidance.
Arranging a workshop to disseminate the relevant information to stakeholders; this should begin any risk
assessment process. The training resources were used to facilitate the control self-assessment (CSA) at
different locations.
Modifying the role description and performance evaluation process to include specific tasks for risks and
controls

Benefit of Step 4
Due to this top-down approach, the importance of risk management was well accepted and it was effective at all
levels of the organisation.

Step 5Using a Reporting Tool

A simple spreadsheet was used for maintaining a risk and control repository for each entity. Within the entity, the risk
team member used an Excel spreadsheet for tracking risks, actions, etc. However, there was a requirement to have a
single, common database repository for maintaining organisationwide risks and controls. Hence, a tool was
developed to gather information for all entities. This helped in:
Tracking all risks related to a service
Centralising a repository for all risks and control information
Tracking all actions defined and agreed to in the RCA process
Tracking closure of actions
Reporting to senior executives on risks based on the specific requirements and levels of risk
Basing regulatory requirements reporting on a common, single database of risks and controls

Benefit of Step 5
A single repository of all risks, controls and actions was used by assurance teams in their reporting to the chief
information officer (CIO) and for tracking compliance at a high level.

Conclusion
The entire development and implementation of the new process took almost two years. While the central team was
responsible for developing the process, the location-based risk resources were instrumental in implementation,
training, etc. Since the implementers at the different locations were part of the team, their feedback was used in
making suitable changes and corrections that helped improve the maturity of the process.
Other tangible benefits of this initiative included:
Prior to this implementation, there were more than 500 entities for which risks and controls were tracked.
The number was optimised to around 100 entities. This was possible due to the implementation of the key
entity management model.
Earlier, there were more than 1,000 controls defined. The number was reduced as each control was mapped
to the COBIT framework. At the global level, the number of controls was reduced to almost 350. However,
within a particular entity, region, country, etc., further drilling down of a control was allowed for tracking
locally. For example, globally, in the RCA, a single control was identified for local compliances: local
regulatory compliance control. However, this control was further drilled down to various compliances
based on country-specific requirements. In India, for example, this was managed through a separate
spreadsheet that covered all of the Indian regulations, such as employee/labor laws and taxation
regulations.
The exercise helped the bank in managing risk and control process for Sarbanes-Oxley and other regulatory
processes. The RCA spreadsheet provided a separate filter for Sarbanes-Oxley compliance applicability.
The process repository in the tool helped in maintaining consistency. This was done by creating a separate
sub-unit within the risk team to check the quality of each RCA before it was entered in the RCA tool.
A common training pack was seen as an important and valuable deliverable by the risk team and was
defined based on the audience. For example, a training pack of 15 minutes for all entity owners (typically
centre heads in each country or region) was developed and implemented using the e-learning portal,
whereas a detailed process training pack was developed for risk and control owners.
JitendraBarve, CISA, FCA
is a certified accountant with more than 18 years of experience in accounting, finance, audit and consulting. He has
spent more than 10 years in information security audits and consulting and has worked on various assignments on
risk management, risk-based internal audits, and information security reviews and audits. Barve is a board member of
the ISACA Pune Chapter (India). He is associated with a mid-sized CA firm from Pune, G.D. Apte and Co.

Risk IT Framework for Management of IT Related Business Risks

The scope of the Risk IT framework is also fully covered within the scope of the
COBIT 5 framework. You are invited to review the COBIT 5 framework first and, if
more guidance on risk is needed, reference the Risk IT publications for more detail.

Risk IT provides an end-to-end, comprehensive view of all risks related to the use of
IT and a similarly thorough treatment of risk management, from the tone and
culture at the top, to operational issues.

Risk is a natural part of the business landscape.

If left unmanaged, the uncertainty can spread like weeds.
If managed effectively, losses can be avoided and benefits obtained.

In business today, risk plays a critical role. Almost every business decision requires
executives and managers to balance risk and reward. Effectively managing the
business risks is essential to an enterprises success.

Too often, IT risk (business risk related to the use of IT) is overlooked. Other
business risks, such as market risks, credit risk and operational risks have long been
incorporated into the corporate decision-making processes. IT risk has been
relegated to technical specialists outside the boardroom, despite falling under the
same umbrella risk category as other business risks: failure to achieve strategic
objectives

Risk IT is a framework based on a set of guiding principles for effective

management of IT risk. The framework complements COBIT, a comprehensive
framework for the governance and control of business-driven, IT-based solutions
and services.

While COBIT provides a set of controls to mitigate IT risk, Risk IT provides a

framework for enterprises to identify, govern and manage IT risk. Simply put, COBIT
provides the means of risk management; Risk IT provides the ends. Enterprises who
have adopted (or are planning to adopt) COBIT as their IT governance framework
can use Risk IT to enhance risk management.

1.
2.
3.
4.

Code of ethics

Integrity
Objectivity
Confidentiality
Competency

Each describe principles and rules of conducts.

Code of professional ethics

Version adopted in 2012 entering into force as amended at the
2015 Assembly.
I. Purpose and Scope
Article 1
1.

This Code of Professional Ethics (hereinafter called the "Code") lays down
the standards of integrity, professionalism and confidentiality which all members
of the Association shall be bound to respect in their work as conference
interpreters.

2.

Candidates and precandidates shall also undertake to adhere to the

provisions of this Code.

3.

The Disciplinary and Disputes Committee, acting in accordance with the

provisions of the Statutes, shall impose penalties for any breach of the rules of the
profession as defined in this Code.