
Integrating COBIT into the IT Audit Process

(Planning, Scope Development, Practices)

April 20, 2006


San Francisco ISACA Chapter Luncheon Seminar

Presented By
Lance M. Turcato, CISA, CISM, CPA
Deputy City Auditor Information Technology
City of Phoenix

Audience Poll

COBIT Knowledge
- First exposure?
- General understanding?
- Strong knowledge of COBIT framework?

Current Users of COBIT
- Incorporated Into Audit Process?
- Adopted by IT Management?
- Users of a framework other than COBIT?

April 20, 2006

SF ISACA - April Chapter Luncheon

Page 2

AGENDA

Topic

- Overview of COBIT Components
- Integrating COBIT Domains into IT Audit Planning & Scope Development
  - Audit Universe Considerations
  - Ensuring Consistent Coverage
  - Integrating Relevant Industry Standards, Guidelines, and Best Practices
  - Organizational IT Policy, Standard, Guideline, and Procedure Considerations
- Integrating COBIT into the IT Audit Lifecycle
- Using COBIT to Establish IT Risk & Control Measurement
- Resources & Wrap-up

Overview of COBIT Components

IT Governance Institute (http://www.itgi.org/)

COBIT - Background

Generally applicable and accepted international standard of good practice for IT control.

COBIT: Control OBjectives for Information and related Technology

An authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors.

COBIT's Scope & Objectives

COBIT 4.0 was developed by the IT Governance Institute (www.itgi.org) and was released in December 2005.

COBIT has evolved into an IT governance / control framework:
- A toolkit of best practices for IT control representing the consensus of experts
- IT Governance focus
- Linkage with business requirements (bridges the gap between control requirements, technical issues, and business risks)
- Management process owner orientation (accountability)
- Measurement and maturity driven
- Generic focus applicable to multiple environments
- Organizes IT activities into a generally accepted process model (in alignment with ITIL, ISO, and other relevant best practices)
- Identifies the major IT resources to be leveraged
- Defines control objectives and associated assurance guidelines

COBIT As A Framework

- Enables the auditor to review specific IT processes against COBIT's Control Objectives to determine where controls are sufficient, or advise management where processes need to be improved.
- Helps process owners answer questions: "Is what I'm doing adequate and in line with best practices? If not, what should I be doing and where should I focus my efforts?"
- COBIT is a framework and is NOT exhaustive or definitive. The scope and breadth of a COBIT implementation varies from organization to organization.
- COBIT prescribes what best practices should be in place. An effective implementation requires that COBIT be supplemented with other sources of best practice that prescribe the "how" for IT governance and controlled process execution.

Hierarchy of COBIT Components

(Figure: pyramid of COBIT components, each layer labelled with what it answers)
- How You Measure Your Performance
- The Method Is...
- How You Audit...
- How You Implement...
- Minimum Controls Are...


Relationship of COBIT Components


COBIT Structure
Overview

COBIT:
- Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
- Promotes process focus and process ownership
- Divides IT into 34 processes belonging to four domains (providing a high-level control objective for each process)
- Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria that can be used to generically define what the business requires from IT
- Is supported by a set of over 200 detailed control objectives

IT Domains: Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate

Information Criteria: Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance

Business Requirements (expressed through the information criteria)


COBIT Structure
Aligning Requirements, Processes, Resources & Activities

(Figure: Business Requirements drive IT Processes, which draw on IT Resources; the process model is layered into Domains, Processes and Activities.)

Information Criteria (grouped): Quality, Fiduciary, Security

IT Resources: People, Applications, Infrastructure, Facilities, Data

Domains: Natural grouping of processes, often matching an organizational domain of responsibility.

Processes: A series of joined activities with natural (control) breaks.

Activities: Actions needed to achieve a measurable result. Activities have a life-cycle whereas tasks are discrete.


COBIT Structure
Example

IT Domains: Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate

IT Processes: Change Management; Contingency Planning; Problem Management; Policy & Procedures; Acceptance Testing; etc.

Activities: Record new problem; Analyze problem; Propose solution; Monitor solution; Record known problem; etc.

COBIT High-Level Processes / Objectives

Plan & Organize
- PO1 Define a Strategic IT Plan
- PO2 Define the Information Architecture
- PO3 Determine Technological Direction
- PO4 Define the IT Processes, Organization, & Relationships
- PO5 Manage the IT Investment
- PO6 Communicate Management Aims and Direction
- PO7 Manage IT Human Resources
- PO8 Manage Quality
- PO9 Assess & Manage IT Risks
- PO10 Manage Projects

COBIT High-Level Processes / Objectives

Acquire & Implement
- AI1 Identify Automated Solutions
- AI2 Acquire and Maintain Application Software
- AI3 Acquire and Maintain Technology Infrastructure
- AI4 Enable Operation and Use
- AI5 Procure IT Resources
- AI6 Manage Changes
- AI7 Install and Accredit Solutions and Changes

COBIT High-Level Processes / Objectives

Deliver & Support
- DS1 Define and Manage Service Levels
- DS2 Manage Third-Party Services
- DS3 Manage Performance and Capacity
- DS4 Ensure Continuous Service
- DS5 Ensure Systems Security
- DS6 Identify and Allocate Costs
- DS7 Educate and Train Users
- DS8 Manage Service Desk and Incidents
- DS9 Manage the Configuration
- DS10 Manage Problems
- DS11 Manage Data
- DS12 Manage the Physical Environment
- DS13 Manage Operations

COBIT High-Level Processes / Objectives

Monitor & Evaluate
- M1 Monitor and Evaluate IT Performance
- M2 Monitor and Evaluate Internal Control
- M3 Ensure Regulatory Compliance
- M4 Provide IT Governance

Linking The Processes To Control Objectives
(34 High-level and 200+ Detailed Objectives)

COBIT's Waterfall and Navigation Aids
Linking Process, Resource & Criteria

(Figure: the COBIT cube. The Process Domains - Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate - are plotted against the Information Criteria - effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability - and the IT Resources - people, applications, technology, facilities, data.)

Navigation aid (the waterfall): The control of the IT Process that satisfies Business Requirements by focusing on IT Goals is achieved by Key Controls and is measured by Key Metrics.

Example of COBIT 4.0 - DS5 (page 1)

(Figure: annotated page showing) Process Description; IT Domains & Information Indicators; IT Goals; Process Goals; Key Practices; Key Metrics; IT Governance & IT Resource Indicators

Example of COBIT 4.0 - DS5 (page 2)

(Figure: annotated page showing) Detailed Control Objectives

COBIT Management Guidelines

COBIT 3rd Edition added a Management and Governance layer, providing management with a toolbox containing:
- A maturity model to assist in benchmarking and decision-making for control over IT
- A list of critical success factors (CSF) that provides succinct non-technical best practices for each IT process
- Generic and action-oriented performance measurement elements (key performance indicators [KPI] and key goal indicators [KGI] - outcome measures and performance drivers for all IT processes)

Purpose
- IT Control profiling - what is important?
- Awareness - where is the risk?
- Benchmarking - what do others do?

COBIT Maturity Model

Maturity Model: Method of scoring the maturity of IT processes

(Figure: maturity scale showing the GAP Analysis between the current rating and Management's Target Goal - Current vs. Goal.)


Metrics as CSF, KPI, & KGI

Critical Success Factors (CSF): What are the most important things to do to increase the probability of success of the process?

Key Performance Indicators (KPI): Measure how well a process is performing.

Key Goal Indicators (KGI): Measure whether a process achieved its business requirements.

Measuring Success Example of COBIT DS5


Example of COBIT 4.0 - DS5 (page 3)

(Figure: annotated page showing) Process Relationships; RACI Chart (major activities and associated responsibilities); IT Goals & Performance Metrics

Example of COBIT 4.0 - DS5 (page 4)

(Figure: annotated page showing) Process-Specific Maturity Model

Summing It All Up

Business Goals Drive IT Goals

Integrating COBIT Domains Into IT Audit Planning & Scope Development

Integration Overview - Integrating COBIT Into IT Audit Approach
- Map COBIT to the Technology Audit Universe
- Ensure Consistent Audit Coverage By Establishing IT Audit Focal Points
- Map COBIT to Relevant Regulatory, Industry, and Technology Specific Standards / Guidelines / Best Practice and the Organization's IT Policies, Standards, Guidelines, and Procedures
- Integrate COBIT Into the IT Audit Lifecycle
  - Map COBIT to the Annual and Rotational Audit Plans
  - Develop Work Programs (Supplement Existing Work Programs With COBIT Audit Guidelines)
  - Joint Risk Self-Assessments
  - Analyze, Document, Validate Results
  - Report To Management
- Use COBIT To Establish IT Risk & Control Measurement


Mapping COBIT to the Technology Audit Universe

Understand / Assess Risk - Drilling Down to the Technology Infrastructure

(Figure: drill-down from Division / Business to Business Cycles to Applications to Operating System / Platform. Example: Financial Statement Accounts -> Financial Accounting (Fixed Assets, Expenditures, Inventory, Revenue, Payroll, Various Others) -> SAP and Various Other Systems -> UNIX.)

Understanding the Technology Infrastructure

(Figure: network diagram contrasting External Risks - Vulnerability to Hackers via the Internet - with Internal Risks - Unauthorized Access by Internal Users (employees or contractors).)

Components shown:
- Internet; Firewalls; DMZ (Other Servers: Email, FTP, DNS)
- Routers; Firewalls / Secure Routing; Subsidiaries; 3rd Parties; Remote LANs; LANs
- VPN Remote Access
- Distributed Systems (UNIX & Windows) with Databases & Applications
- Mainframe Systems with Databases & Applications
- Monitoring, Intrusion Detection & Anti-Virus Systems



Identifying Relevant Technology Layers

<-- Multiple Layers of Control -->

(Figure: layered stack of controls, top to bottom)
- INFORMATION TECHNOLOGY POLICIES & STANDARDS
- IT Procedures (document how to implement security standards / requirements) - IT Administration & Management; Administration Tools
- Application Controls: Distributed Applications; Mainframe Applications
- Database Controls: Distributed Databases (Oracle, Sybase, SQL/Server, DB2); Mainframe Databases (DB2, Datacom)
- Platform Controls: Distributed Servers (Windows NT / 2000 / XP, UNIX); Mainframes (MVS (OS/390), TopSecret, RACF)
- Network Controls: Firewall Components (Routers, Bastion Hosts & Firewall Applications); Other Network Components
- Monitoring & Incident Response



Understanding the IT Governance Framework

IT Governance
* Policies; Standards; Regulatory & Legal; Evolving Technology; Industry Trends
* IT Risk Management
* Oversight
* IT & Business Alignment

IT Strategy & Planning
* IT Planning
* Strategic Sourcing
* IT Organization
* Budget & Control

IT Management
* Program Management
* Change Management
* Project Management
* Technology Management
  - Technology Planning
  - Architecture Design
  - Vendor / Product Selection
* Quality Assurance
* Portfolio Management

Operations
* Data Center Operations
* Storage Management
* Data Management
* Network & Systems Mgt
* Desktop Management
* Release Management
* Performance Management

Applications
* Development
  - Testing
  - Conversion
  - Implementation
* IT Change Management
* Maintenance

Support
* Vendors / 3rd Party
* Help Desk
* End User Support
* Training

Enterprise Security Architecture & Management
Disaster Recovery Planning
IT Human Resources

Defining the Technology Audit Universe

(Figure: Audit Universe wheel)
- User Support
- Data Center Operations
- Recoverability
- Information Security: Distributed Servers; Mainframe; Distributed & Mainframe Databases; Information Privacy; Monitoring & Intrusion Detection; Physical Security; Network & Perimeter; Remote Access; Security Engineering; Security Management; Virus Prevention; Applications
- Telecommunications
- Performance & Capacity
- Architecture
- Hardware Management
- Network Management
- Problem Management
- Change Management
- Software Management
- Database Management
- System Development

Security Audit Universe

Information Security areas: Distributed Servers; Mainframe; Distributed & Mainframe Databases; Information Privacy; Monitoring & Intrusion Detection; Physical Security; Network & Perimeter; Remote Access; Security Engineering; Security Management; Virus Prevention; Applications

Mainframe Security
- O/S (OS/390)
- Security Systems (Top Secret / RACF)
- Sub-systems (CICS, TSO, IMS DC, MQ)
- Mainframe Databases (DB2, Datacom)

Distributed Server Security
- UNIX (Solaris, AIX, HP-UX)
- Windows NT / 2000 / XP
- Netware

Distributed Database Security
- DB2 6000
- Oracle
- SQL/Server
- Sybase

Network & Perimeter Security
- Firewalls
- Subsidiary Connectivity
- 3rd Party Connectivity

Remote Access Security
- VPNs
- Modem Usage
- Other Remote Access Facilities
- Vendor Access

Monitoring & Incident Response
- System Logging & Reporting
- Automated Intrusion Detection Systems (IDS)
- Vulnerability Assessment Process
- Incident Response Program

Information Privacy
- Privacy Office Compliance Program

Virus Prevention
- Anti-Virus Program

Application Security
- ETS Audit Coverage
- System Development Projects

Security Management
- Policy, Standards, & Procedures Maintenance Process
- Security Awareness Program
- Security Metrics & Performance Reporting

Security Engineering
- Research & Development
- Security Self-Assessments

Physical Security

Map Audit Universe To COBIT

(Figure, illustration only: matrix of the audit universe areas against the COBIT high-level objectives (e.g. PO2); applicable objectives noted with an X.)

Ensuring Consistent Coverage
IT Audit Focal Points

Audit Focal Points ensure consistent coverage across audits and allow for trending the state of controls over time.

(Example)

Infrastructure focal points:
- Strategy & Structure
- Methodologies & Procedures
- Measurement & Reporting
- Tools & Technology

Information Security focal points:
- Access Control
- System Security Configuration
- Monitoring, Vulnerability Assessment, & Response
- Security Management & Administration

Security Audit Focal Points / Areas of Emphasis
(Example)

Access Control
- Standards & Procedures: Standards and procedures for access control are documented, approved, and communicated.
- Account Management: Account management procedures exist and are effective.
- Password Management: Password management mechanisms are in place to ensure that user passwords comply with Schwab password syntax and management criteria.
- User Profile Configurations: User profile configurations are defined based on job responsibilities.
- Group Profile Configurations: Group profile configurations are defined to ensure consistent access by users performing similar job responsibilities.
- Privileged & Special User Accounts: Privileged and Special User accounts are authorized and restricted.
- Generic & Shared Accounts: Generic & Shared accounts are not used as per Schwab standards.
- Logon / Logoff Processes: Systems should be configured to lock after consecutive invalid attempts.
- System Boot Process: System boot process is configured to ensure that only authorized security settings and system services are initiated during the system boot / IPL process.
- Remote Access: Appropriate mechanisms are in place to control and monitor remote user access to Schwab's internal network.
- Resource Safeguards (File/Dataset & Directory/Volume Protection): System level security has been configured to appropriately protect critical system resources (files/datasets, directories/volumes, applications, etc.).

System Security Configuration
- Standards: Standards for secure platform configuration are documented, approved, and communicated.
- Configuration Management: Procedures are in place to facilitate an effective configuration management process for standard images, patches and other updates. Procedures are in place for handling exceptions for non-standard configurations.
- Procedures: Defined procedures exist to ensure that systems are configured in compliance with Schwab security standards. The procedures are tested, documented and approved by management.
- System Security Parameters: Systems are configured with security parameters consistent with corporate standards.
- System Utilities: System utilities are managed effectively.

Monitoring, Vulnerability Assessment & Response
- Standards & Procedures: Formal standards and procedures for monitoring and incident response are documented, approved and communicated.
- Logging: Critical system and security events are logged according to logging standards.
- Reporting & Review: Reports are produced and reviewed by management periodically.
- Incident Response: Security incident response procedures exist and are applied consistently in the event of a security breach. Escalation protocols have been defined.
- Security Advisories & Alerts: Industry security advisories and alerts should be closely monitored to ensure that appropriate mitigating controls are in place for identified vulnerabilities / exposures.

Security Management & Administration
- Security Program Strategy: Overall security strategy and direction has been established and communicated.
- Security Policy & Standards: Overall security policy and standards are documented, approved and communicated.
- Procedures: Daily operational procedures have been defined, documented and communicated to ensure that individuals with administrative responsibilities are able to effectively execute standard administration procedures.
- Roles, Responsibilities, & Staffing: Roles and responsibilities have been defined, documented and communicated to ensure that individuals are informed of their responsibilities.
- User Education & Awareness: Awareness and education programs have been established to ensure that users are aware of appropriate corporate security policy and standards.
- Security Administration: Responsibility for security administration is appropriately assigned and accountability has been established.
- Environment Understanding: Gain a comprehensive understanding of the computer-processing environment and the relevant controls in place.

Security Audit Focal Points ensure consistent coverage across audits and allow for trending the state of security over time.

Map Focal Points / Areas of Emphasis to COBIT
(Example)

(Figure: mapping table - the applicable focal points and areas of emphasis are recorded as rows, the COBIT detailed objectives as columns.)

Access Control
- Standards & Procedures: Standards and procedures for access control are documented, approved, and communicated.
- Account Management: Account management procedures exist and are effective.
- Password Management: Password management mechanisms are in place to ensure that user passwords comply with Schwab password syntax and management criteria.
- User Profile Configurations: User profile configurations are defined based on job responsibilities.
- Group Profile Configurations: Group profile configurations are defined to ensure consistent access by users performing similar job responsibilities.
- Privileged & Special User Accounts: Privileged and Special User accounts are authorized and restricted.
- Generic & Shared Accounts: Generic & Shared accounts are not used as per Schwab standards.
- Logon / Logoff Processes: Systems should be configured to lock after consecutive invalid attempts.
- System Boot Process: System boot process is configured to ensure that only authorized security settings and system services are initiated during the system boot / IPL process.
- Remote Access: Appropriate mechanisms are in place to control and monitor remote user access to Schwab's internal network.
- Resource Safeguards (File/Dataset & Directory/Volume Protection): System level security has been configured to appropriately protect critical system resources (files/datasets, directories/volumes, applications, etc.).


Mapping COBIT to Relevant Industry Standards, Guidelines & Best Practices

Classifying Sources
- Identify relevant industry standards, guidelines, and best practices (classify by purpose)
- Governance (strategic) focus versus Management (tactical) focus
- Process Control focus versus process Execution focus
- What To Do versus How To Do IT

Classification (Example)

(Figure: sources placed on a scale running from WHAT to HOW)
- GOVERN - Strategic / Control (the "what")
- MANAGE - Tactical: ISO17799
- EXECUTE - Vendor-Specific Guidance (the "how")

ITIL Overview

Information Technology Infrastructure Library (ITIL)
- Set of books detailing best practices for IT Service Management (the "how")
- Originally developed by the UK government to improve IT Service Management
- Now more globally accepted
- Currently under revision
- www.itil.co.uk

ITIL - The Most Popular Books

(Figure; Source: 2005 COBIT User Convention)

ITIL Mapping To COBIT

(Figure; Source: 2005 COBIT User Convention)

ITIL Mapping To COBIT (continued)

(Figure: Service Management - Service Delivery and Service Support; Source: 2005 COBIT User Convention)

ISO 17799 Overview

ISO/IEC 17799:2005 - Code of Practice for Information Security Management
- Established guidelines and general principles for initiating, implementing, maintaining, and improving information security management.
- Objectives outlined provide general guidance on the commonly accepted goals of information security management.
- Updated in 2005
- www.iso.org

ISO 17799 Components

ISO 17799 contains best practices for control objectives and controls in the following areas:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Physical & Environmental Security
- Communications & Operations Management
- Access Control
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Aligning COBIT, ITIL, and ISO 17799

A Management Briefing from ITGI and OGC (IT Governance Institute; Office of Government Commerce)
- Useful guidance for implementing COBIT, ITIL and ISO17799
- Useful mapping of ITIL and ISO17799 to COBIT (3rd edition)
- Available at ISACA.ORG: go to Downloads, then COBIT

Mapping COBIT to Organizational IT Policies, Standards, Guidelines & Procedures

Policies, Standards, Guidelines & Procedures

(Figure: IT Policies, IT Standards, IT Guidelines and IT Procedures arranged on a scale from WHAT to HOW.)

Policies: High-level statements. When there is no specific standard to follow, policies provide general guidance.

Standards: Standards establish a point of reference, providing criteria that may be used to measure the accuracy and effectiveness of procedures / mechanisms that are in place.

Guidelines: Guidelines provide specific and detailed requirements relative to implementing specific IT standards (i.e., platform specific; function specific; component specific, etc.).

Procedures: Procedures provide step-by-step instructions for end-users and technical staff for the execution of specific IT processes.

Map COBIT To IT Policies, Standards, Guidelines & Procedures

(Figure, illustration only: matrix of COBIT high-level objectives (e.g. PO1) and detailed-level objectives (e.g. 2.1) against IT Policies, IT Standards, etc.; applicable objectives noted.)

Integrating COBIT Into the IT Audit Lifecycle

IT Audit Approach Overview

(Figure: workflow diagram of the audit approach; elements shown)
- Engagement Scope
- Audit Planning Session - Audit Team; COBIT To Audit Mapping Template; COBIT Manuals & Other Best Practice Material
- Kick-Off Meeting
- Client Work Sessions - COBIT Risk & Control Assessment Questionnaire
- Work Program
- Audit Testing
- Exit Meeting
- Reporting
- QAR

Map Audit Scope To COBIT

(Figure, illustration only: the audit scope mapped against COBIT high-level objectives (e.g. PO1) and detailed-level objectives (e.g. 2.1); applicable objectives noted in a dedicated column; supplemented by other mapping results.)


Using COBIT Framework To Tie It All Together

(Figure: Audit Scope Memo Defined -> COBIT Risk & Control Assessment Questionnaire -> Work Program -> Audit Report)

Use of a Framework ensures consistent coverage across audits and allows for trending the state of controls over time.

COBIT Control Assessment Questionnaire

(Figure: annotated questionnaire)
- One table for each high-level COBIT objective included in scope
- One COBIT control objective per row
- Columns: XYZ Company specific control objectives; preplanned assessment questions; client's response & assessment results; COBIT maturity rating (0-5) assigned based on joint assessment
- Questionnaire is used during joint work sessions held with clients to complete a joint risk assessment of the area under review.
- Overall Maturity Rating for each High-Level Control Objective assigned based on results of joint assessments of each Detailed Control Objective.
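The questionnaire described above is a table per high-level objective with one detailed control objective per row, a 0-5 maturity rating agreed in the joint session, and an overall rating rolled up from the rows, which is then compared with management's target goal (the GAP analysis from the maturity model slide). The following Python is an added example, not code from the presentation or from ISACA, of how an audit team might hold such a questionnaire and compute the roll-up. The roll-up rule (mean of the detailed ratings, rounded down) is an assumption, since the slides do not state one; the objective ids, questions and client responses in the sample are constructed for illustration and are not quoted from COBIT.

```python
import math
from dataclasses import dataclass, field
from statistics import mean

# COBIT maturity legend as printed on the management report slides (0-5).
MATURITY_LABELS = {0: "Non-Existent", 1: "Initial", 2: "Repeatable",
                   3: "Defined", 4: "Managed", 5: "Optimized"}


@dataclass
class DetailedAssessment:
    """One questionnaire row: a detailed control objective and its joint result."""
    objective_id: str       # e.g. "DS5.2"; ids used below are constructed labels
    question: str           # preplanned assessment question
    client_response: str    # client's response / assessment result
    rating: int             # COBIT maturity rating (0-5) agreed in the joint session

    def __post_init__(self) -> None:
        # Reject anything outside the legend so a typo cannot skew the roll-up.
        if not isinstance(self.rating, int) or self.rating not in MATURITY_LABELS:
            raise ValueError(f"{self.objective_id}: rating must be an integer 0-5")


@dataclass
class HighLevelAssessment:
    """One questionnaire table: a high-level objective in scope and its rows."""
    objective_id: str       # e.g. "DS5"
    title: str
    target: int             # management's target goal for this process
    rows: list = field(default_factory=list)

    def overall_rating(self) -> int:
        """Roll the detailed ratings up to one rating for the high-level objective.

        Assumption (the slide does not state the rule): mean of the detailed
        ratings rounded down, so one weak objective cannot be averaged away."""
        if not self.rows:
            raise ValueError(f"{self.objective_id}: no detailed objectives assessed")
        return math.floor(mean(r.rating for r in self.rows))

    def gap(self) -> int:
        """GAP analysis (current vs. goal): maturity levels still to climb."""
        return max(0, self.target - self.overall_rating())

    def below_target(self) -> list:
        """Detailed objectives whose own rating is under the target goal."""
        return [r.objective_id for r in self.rows if r.rating < self.target]


def gap_report(assessments) -> list:
    """One record per high-level objective, as the executive report summarises it."""
    report = []
    for a in assessments:
        current = a.overall_rating()
        report.append({
            "objective": a.objective_id,
            "title": a.title,
            "current": current,
            "current_label": MATURITY_LABELS[current],
            "target": a.target,
            "target_label": MATURITY_LABELS[a.target],
            "gap": a.gap(),
            "below_target": a.below_target(),
        })
    return report


# Constructed sample questionnaire (questions and responses are invented for
# illustration; they are not quoted from COBIT or from the presentation).
SAMPLE_DS5 = HighLevelAssessment("DS5", "Ensure Systems Security", target=3, rows=[
    DetailedAssessment("DS5.1", "Is an approved security plan in place?",
                       "Plan exists and is approved annually", 3),
    DetailedAssessment("DS5.2", "Are user accounts reviewed periodically?",
                       "Reviews happen but are not documented", 2),
    DetailedAssessment("DS5.3", "Are security events logged and reviewed?",
                       "Central logging with weekly review and metrics", 4),
    DetailedAssessment("DS5.4", "Is malicious software prevention managed?",
                       "Ad hoc; no standard or ownership", 1),
])
SAMPLE_AI6 = HighLevelAssessment("AI6", "Manage Changes", target=4, rows=[
    DetailedAssessment("AI6.1", "Are changes approved before implementation?",
                       "CAB approval enforced by the ticketing tool", 4),
    DetailedAssessment("AI6.2", "Are emergency changes reviewed after the fact?",
                       "Post-implementation review within 2 days", 4),
])

if __name__ == "__main__":
    for row in gap_report([SAMPLE_DS5, SAMPLE_AI6]):
        print(f"{row['objective']}: current {row['current']} ({row['current_label']}), "
              f"target {row['target']}, gap {row['gap']}, "
              f"below target: {row['below_target']}")
```

Rounding the mean down is deliberate: it keeps a process from being reported as "Defined" when one of its detailed objectives is still "Initial", and the `below_target` list tells the reader which rows are dragging the rating so the report can point at them.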

COBIT Based Executive Audit Report

(Figure: annotated report page)
- Concise Background & Scope
- Overall Rating and Client's Target Goal
- Overall Conclusion Statements Supporting Overall Rating
- Audit Metrics
- Control Weakness highlighting business impact
- Issue Priority (A, B, C)
- Client Provided Responses; Responsible Manager Provided Response; Due Date
- MGT Reports

COBIT Based Audit Report (continued)

Strategic Focal Point Table (one row for each high-level objective included in scope)
- Detailed Control Objectives included in scope listed
- Highlighting Key Performance Indicators (i.e., Metrics)
- Summary Conclusions and Points Supporting Rating
- Overall Rating for High-Level Control Objective

Control Focal Point Table (highlighting key controls)
- Applicable Detailed Control Objective (one per row; corresponds to a row in the Assessment Questionnaire)
- Highlighting Key Performance Indicators (i.e., Metrics)
- Summary Conclusions and Points Supporting Rating
- Assigned Maturity Rating

COBIT Based Audit Report (continued)

- Process Workflow Diagram For Area Assessed
- Table Defining Key Control Points In Process Flow
- Highlighting Key Performance Indicators (i.e., Metrics)
- Automated or Manual Control


Using COBIT to Establish IT Risk & Control Measurement

Analysis of Audit & Key Technology Metrics

Goal is to proactively monitor audit results and IT metrics on an ongoing basis to focus the scope of audits on high-risk processes and tasks where performance indicators indicate potential problems.

Results of metric analysis are presented to client management on a periodic basis via management reports. The analysis indicates any changes to the audit scope planned for upcoming audits.

COBIT Measurement Repository

(Figure: the Questionnaire and Audit Reports feed the repository; Continuous Monitoring and MGT REPORTS trend audit results over time.)

Periodic Management Reports

(Figure: two report pages, illustration only.)

Report to IT Management - Audit Results & Analysis of Key Technology Metrics (Charles Schwab & Co, Inc.; Date Printed: 03/24/2003)

Audit Results Metrics - IAD Focal Point Methodology Scorecard
- Overall Audit Results charted for Security Audits (refer to slide 7), Infrastructure Audits (refer to slide 6) and OVERALL, by quarter (Q1-Q4 2002), YTD and Prior Year; some cells marked TBD, "No Reports Issued" or "Data Not Available For 2001".
- Legend: 5 - Optimized; 4 - Managed; 3 - Defined; 2 - Repeatable; 1 - Initial; 0 - Non-Existent

Analysis of Key Technology Metrics - Example of Metric Analysis To Include In QAR (Illustration Only)
- For the Quarter Ended March 31, 2006
- Chart: change management outcomes by quarter (Q1, Q2, Q3 2002 and YTD) in the categories Successful, Failed & Backed Out, Caused Problem, Caused Outage, Cancelled, Unstatused. Target Rate 97% (Source: Technology Management Balanced Scorecard).
- Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages.

Internal Audit Observations:
- Change management processes appear to be consistently applied with only minor variances in volume.
- Large percentage (~20%) of unstatused tickets indicates process adherence issues. True results cannot accurately be determined; therefore, additional management scrutiny is appropriate for the unstatused items.
- Trend for tickets with implementation problems is increasing - additional analysis to ascertain root cause of the increase in this activity would be appropriate. Root cause may rest with testing and validation processes.

(Source: 2003 North America CACS Conference, Slide 77, May 20, 2003)

Example of Audit Result Metrics
(Illustration Only)

[Chart: OVERALL, Security Audits and Infrastructure Audits results for Prior Year, Q1-Q4 2002 and YTD on a 0-100% scale; the individual percentages cannot be recovered from the extracted text]

Legend:
5 - Optimized
4 - Managed
3 - Defined
2 - Repeatable
1 - Initial
0 - Non-Existent

Continuous Monitoring / Auditing
Ongoing Measurement / Ongoing Dialogue

Auditors monitor key indicators for mission critical technology functions on an ongoing basis.

[Diagram: "Traditional Audit Approach" beside "Ongoing Monitoring Of Indicators"; both plot Control Environment against Time, showing Expectation versus Reality with Assess 1 at t1 and Assess 2 at t2; the ongoing approach adds Ongoing Measurement with periodic Reports between the two assessments]

Continuous Monitoring / Auditing
Ongoing Measurement / Ongoing Dialogue

Traditional Audit Approach
(Audit rotation schedule based on annual risk assessment of function)

[Diagram: Control Environment against Time; Expectation versus Reality, with Assess 1 at t1 and Assess 2 at t2]

Point-In-Time Audit Challenges
Evaluation of risk and control is as of a point in time.
Audit reporting is reflective of results as of a point in time.
Audit scope may be influenced by prior results.
If an audit of the function has not been completed for a long time, there may be a learning curve.

Continuous Monitoring / Auditing
Ongoing Measurement / Ongoing Dialogue

Ongoing Monitoring Of Risk Indicators
(Gaining Efficiencies Through Focus On High Risk Indicators)

[Diagram: Control Environment against Time; Expectation versus Reality, with Ongoing Measurement and periodic Reports between Assess 1 at t1 and Assess 2 at t2]

Benefits of Ongoing Monitoring
Periodic (e.g., quarterly) readout of assessment results for technology management.
Ongoing dialogue regarding areas of significant or increasing risk.
IAD focuses the scope of individual audits on known risk factors, ultimately leading to audit efficiencies which may result in less time impact on client personnel.

Information Security:
Measuring Performance (illustration only)

The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk.

[Charts: Internal Vulnerability Scans (0-1000 scale) and External Vulnerability Scans (0-3000 scale), each showing Low Risk, Medium Risk and High Risk Vulnerabilities for Q1 2002, Q2 2002 and YTD; annotation: "Slight increase in high risk vulnerabilities"]

Observations:

An increase in internal vulnerabilities occurred from Q1 to Q2. The increase is explained by new system patches that the vulnerability scanner now checks for but that have not yet been applied to the XYZ company servers. Technology management appropriately applies patches only after the patches have been tested and certified.

A decrease in external vulnerabilities was noted from Q1 to Q2. These results demonstrate that a significant number of Q1 vulnerabilities have been resolved.

Change Management:
Measuring Performance (illustration only)

Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages.

[Chart: change tickets by outcome (Successful, Failed & Backed Out, Caused Problem, Caused Outage, Cancelled, Unstatused) for Q1, Q2, Q3 2002 and YTD against the 97% target rate (source: Technology Management Balanced Scorecard); a second panel shows the non-successful categories on a 0-25% scale]
Internal Audit Observations:

Change management processes appear to be consistently applied with only minor variances in volume.

Large percentage (~20%) of unstatused tickets indicates process adherence issues. True results cannot accurately be determined; therefore, additional management scrutiny is appropriate for the unstatused items.

Trend for tickets with implementation problems is increasing - additional analysis to ascertain root cause of the increase in this activity would be appropriate. Root cause may rest with testing and validation processes.
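As an added illustration (not part of the slide deck or the presenter's material), the following Python computes the metrics behind the change management observations on this slide and on the earlier QAR metric analysis slide: success rate against the 97% target, share of unstatused tickets, and the problem/outage rate among changes with a recorded outcome. The sample tickets, the 10% unstatused threshold and the function names are my assumptions.

```python
from collections import Counter

PROBLEM_STATUSES = ("Caused Problem", "Caused Outage")
TARGET_SUCCESS_RATE = 0.97   # target rate quoted on the slide
UNSTATUSED_ALERT = 0.10      # assumed threshold for a process adherence flag


def expand(counts):
    """Turn {quarter: {status: n}} into a flat list of (quarter, status) tickets."""
    return [(q, s) for q, c in counts.items() for s, n in c.items() for _ in range(n)]


# Constructed sample (not from the slide): 100 tickets per quarter, using the
# six outcomes charted on the slide
SAMPLE_TICKETS = expand({
    "Q1": {"Successful": 75, "Failed & Backed Out": 3, "Caused Problem": 1,
           "Caused Outage": 0, "Cancelled": 4, "Unstatused": 17},
    "Q2": {"Successful": 76, "Failed & Backed Out": 2, "Caused Problem": 2,
           "Caused Outage": 1, "Cancelled": 3, "Unstatused": 16},
    "Q3": {"Successful": 74, "Failed & Backed Out": 2, "Caused Problem": 3,
           "Caused Outage": 1, "Cancelled": 2, "Unstatused": 18},
})


def quarterly_metrics(tickets):
    """Per quarter: success rate, unstatused share, problem rate over recorded changes."""
    by_quarter = {}
    for quarter, status in tickets:
        by_quarter.setdefault(quarter, Counter())[status] += 1
    metrics = {}
    for quarter, c in by_quarter.items():
        total = sum(c.values())
        recorded = total - c["Unstatused"]   # changes with a recorded outcome
        problems = sum(c[s] for s in PROBLEM_STATUSES)
        metrics[quarter] = {
            "success_rate": c["Successful"] / total,
            "unstatused_share": c["Unstatused"] / total,
            "problem_rate": problems / recorded if recorded else 0.0,
        }
    return metrics


def observations(metrics):
    """Flags mirroring the slide's audit observations, one note per finding."""
    notes = []
    for q, m in metrics.items():
        if m["success_rate"] < TARGET_SUCCESS_RATE:
            notes.append(f"{q}: success {m['success_rate']:.0%} below {TARGET_SUCCESS_RATE:.0%} target")
        if m["unstatused_share"] > UNSTATUSED_ALERT:
            notes.append(f"{q}: {m['unstatused_share']:.0%} unstatused; true results cannot be determined")
    rates = [m["problem_rate"] for m in metrics.values()]
    if len(rates) >= 2 and all(a < b for a, b in zip(rates, rates[1:])):
        notes.append("problem/outage rate rising each quarter; review testing and validation")
    return notes
```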

Summary & Wrap-Up

Benefits Realized
- IT management partners with Internal Audit throughout the audit life cycle, including input into the audit schedule and scope.
- IT management becomes conversant in risk, control, and audit concepts.
- Relationships transformed into partnerships by jointly assessing control procedures.
- Audit Report streamlined: concise report supported by detailed questionnaire.
- Audit approach is methodical and is consistent with industry standards / best practices as well as IT Governance practices implemented throughout the company's technology organization.
- Meaningful reporting for senior IT management.

Templates & Additional Resources


Templates (www.sfisaca.org/resources/downloads.htm)
IT Governance Implementation Guide (www.isaca.org)
IT Control Practice Statements (www.isaca.org)
Questionnaire for IT Control Practice Statements (www.isaca.org)
IT Control Objectives for Sarbanes-Oxley (www.isaca.org)
COBIT Security Baseline (www.isaca.org)
ITIL (www.itil.co.uk)
ISO (www.iso.org)
ISO 17799 Related Information (www.iso-17799.com/)
COBIT Case Studies
(available at www.itgi.org/ and www.isaca.org)

Questions / Thank You!

Lance M. Turcato, CISA, CISM, CPA


Deputy City Auditor Information Technology
City of Phoenix
Email: lance.turcato@phoenix.gov
Phone: 602-262-4714
