Cobit 4.1

measurement
benchmarking of IT process &
capability
CMM
goals and metrics of IT processes
Balanced business scorecard
activity goals
history
1996
version 1
1998
version 2
2002
version 3
management guidelines
2005
version 4
extended guidelines
integrated single volume
free as PDF
COBIT online
control framework
requirements
provide sharper business focus
defines a common language
helps meet regulatory requirements
Sarbanes-Oxley Act of 2002
New and enhanced standards of responsibility and accountability for accuracy, reliability, and transparency of financial reporting
audit standards
issued by Public Company Accounting Oversight Board (PCAOB)
mapping PCAOB standard to COBIT
standard #2
Establish the need to audit internal controls over financial reporting.
IT general controls
program development
Acquisition and implementation of new applications
Maintenance of existing applications
program changes
change management
computer operations
controls over the definition, acquisition, installation, configuration, integration, and maintenance of IT infrastructure.
access to programs and data
Provide guidance about the scope and approach required by auditors.
fraud detection
Emphasis on transparent disclosures for meaningful analysis and interpretation
Emphasis on the use of a recognized Internal Control Framework for evaluation of internal controls
section 302
CEOs and CFOs must make quarterly and annual statements about the adequacy of internal controls over financial reporting.
company’s management should create a certification for the certifying officers
statement
they have designed or supervised the creation of internal controls over financial reporting
provide reasonable assurance regarding the reliability of financial reporting
disclosure of changes in the company’s internal controls over financial reporting
what's the reason for change?
financial statements
conform to US GAAP
auditing requirements
inquire
Ask the management about significant changes in the design or operation of internal controls over financial reporting.
evaluate
Evaluate the implications of misstatements identified by the auditor as part of the auditor’s interim financial information review.
determine
Determine whether any change in internal controls over financial reporting has affected, or may affect, the company’s internal control over financial reporting.
section 404
requires that a company's internal controls and the systems, processes, applications, and policies used to develop and maintain the financial reports be documented, assessed for effectiveness, and certified.
areas covered
internal controls
specify the responsibility of management to establish and maintain adequate internal controls over financial reporting.
framework
framework used
management review for effectiveness of controls
attestation report
about management’s assessment of the company’s internal controls over financial reporting
written conclusion
about the effectiveness of the company’s internal controls over financial reporting.
material weakness
auditing requirements
attest
ensure
assess
impact on
organization
Maintain documentation about the internal control system and make quarterly and annual statements of the adequacy of internal controls.
Provide an annual report about the management assessment of the effectiveness of internal controls.
Ensure that the statements and reports cover all entities and relevant controls including relevant IT controls.
management
Enhance its knowledge of internal control and understand the organization’s overall Sarbanes-Oxley Act compliance process and how IT supports that process.
Develop a compliance plan to specifically address IT controls.
Integrate this plan into the overall Sarbanes-Oxley Act compliance plan.
IT
understand how its systems and operational environments support financial reporting.
understand the controls required to meet the requirements of the Sarbanes-Oxley Act, and design, implement, and demonstrate them.
If IT controls already exist, they must be formalized or documented to enable compliance.
responsibilities
Understanding the organization’s internal control program and financial reporting process
Mapping the IT systems that support internal control and the financial reporting process to the financial statements
Identifying the risks related to these IT systems
Designing and implementing controls to mitigate and monitor the identified risks
Documenting and testing IT controls
Ensuring that IT controls are updated and changed to correspond with changes in internal control or financial reporting processes
Monitoring IT controls for effective operation over time
Participation by IT in the Sarbanes-Oxley process or project management office
auditors
Attest management’s assessment of internal controls. Management must form its own opinion of the controls, which is subsequently attested by the auditors.
Not perform certain consulting services in addition to the role of independent auditor to the same client. They can provide advice in accordance with their usual audit responsibilities.
Stricter penalties for wrongdoing — intentional or otherwise
Implementation guidance or directives by the Securities and Exchange Commission (SEC)
goals
improve corporate accountability and restore investor confidence in US public markets.
by
implementing internal controls
drivers
Keep the company on course toward the achievement of business goals and mission, minimizing surprises along the way.
Enable management to deal with rapidly changing economic and competitive environments, shifting customer demands, and restructuring for future growth.
Promote efficiency.
Reduce the risk of asset loss.
Ensure the reliability of financial statements and compliance with laws and regulations.
meeting or exceeding disclosure requirements
ensuring accurate &
timely reporting
implementation roadmap
plan and scope
objectives
Determine the project scope.
Identify the stakeholders in the project.
Identify key IT systems and subsystems to be included in the scope.
controls to be included
Controls over initiating, recording, processing, and reporting significant accounts and disclosures in the financial statements
Controls over the selection and application of accounting policies that conform with generally accepted accounting principles
Antifraud programs and controls
Controls on which other controls are dependent
Controls over significant nonroutine and nonsystematic transactions, such as those involving judgments and estimates
Controls over the period-end financial reporting process
activities
Identify the IT requirements.
Assign project resources.
Form an IT control subcommittee.
Create project contact list.
Create detailed project plan.
Understand the organization’s preliminary scoping.
key success factors
Communication to stakeholders
Understanding the Act’s requirements for IT
Identification of a compliance approach
Accurate scoping of the business environment
Effective communication between business and IT
deliverable
project work plan
application inventory
stakeholders
perform risk assessment
key objectives
Determine the inherent risks to establishing the level of documentation required for compliance
Determine the extent of testing that needs to be performed to verify the effectiveness of key controls.
activities
key success factors
Understanding risks
deliverable
Applications inventory with assessment of inherent risk completed
stakeholders
identify significant accounts/controls
key objectives
Identify the general control objectives that support the quality and integrity of the financial information processed.
Document the policies and key controls that meet the objectives of each IT environment where compliance needs to be demonstrated.
activities
Assess and enhance policies
develop control matrices
key success factors
Technical ability in understanding the functionality of the application and related IT general control concepts
Understanding of the risks to financial reporting and of the controls needed to mitigate those risks
deliverable
Application inventory with key controls identified
stakeholders
document control design
key objectives
Document the organization’s policy for addressing each control objective.
Obtain an understanding of how the control objectives are met within the IT environments.
Document the control design at the entity level and the activity level to show how the control objectives are met.
activities
Management should discuss the extent and detail of control documentation with independent accountants to minimize risks.
key success factors
Ensuring documentation is at an appropriate level
Avoiding too much, too little, or no documentation
deliverable
Documented controls in a format agreed between the Sarbanes-Oxley team and the external auditor
stakeholders
requirements
How each significant transaction is initiated, authorized, recorded, processed, and reported
Sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur
Controls designed to prevent or detect fraud, including who performs the controls and related segregation of duties
Controls over safeguarding of assets
Results of management’s testing and evaluation
evaluate control design
key objectives
Understand controls that support the achievement of Sarbanes-Oxley Act compliance
Evaluate the design considering control attributes and whether the approach addresses risks effectively
If appropriate, enhance the design to provide for an effective approach
activities
Review the list of controls identified in documenting the control design
Evaluate the effectiveness and reliability of the control design, especially key controls.
Investigate weaknesses and enhance the design or operation of controls to improve effectiveness.
Update the control matrix with the results of the design evaluation.
key success factors
Suitability and availability of existing documentation
Understanding of process by person interviewed
Good understanding and communication of the Sarbanes-Oxley Act, COSO, and COBIT concepts by both business and IT
Good communication and facilitation between Sarbanes-Oxley Act IT team and the rest of the organization
Good research on closing the gap by IT specialists
Common rules and understanding of how to deal with similar situations across different IT facilities
deliverable
preliminary completion of the application inventory up to the gap analysis
updated inventory and identified key controls
stakeholders
evaluate operational effectiveness
key objectives
confirm operational effectiveness of the controls as designed
activities
Determine the controls to be tested; testing depends on their significance to financial reporting.
Test the effectiveness of control activities for key controls.
Test third-party service providers within the scope of compliance.
Identify weaknesses (compliance gaps).
key success factors
Good understanding of the Sarbanes-Oxley Act, COSO, and COBIT concepts by business and IT
Good communication and facilitation between Sarbanes-Oxley Act IT team and the rest of the organization
Good research on closing the gap by IT specialists
Common rules for dealing with similar situations across different IT facilities
Preparation of an efficient testing plan
Agreement on sampling sizes and attribute being tested
Record keeping of normal testing; leveraging of existing test results from normal IT implementation activities
deliverable
Completed test plans
Updated applications inventory summarizing testing and results of testing
Updated gap list including dates for closing gaps
Dates for retesting failed tests
Reassessment of significant gaps in gap list, showing whether a gap could be a deficiency, significant deficiency, or material weakness
Summary of testing results for the Sarbanes-Oxley project manager
stakeholders
identify and remediate deficiencies
activities
Identify the remediation action.
Create the implementation plan.
Assess deficiencies.
Categorize deficiencies as material weaknesses or significant deficiencies.
Identify compensating controls and preventive controls.
key success factors
Management demonstration of commitments to closing gaps
Most effective method of closing a gap for section 404 reporting
Efficient gap solutions for the future
Setting realistic remediation dates
Proposed solution’s acceptability to management and the external auditor
Communication with the external auditor, business process teams, and Sarbanes-Oxley project manager
deliverable
Updated application inventory
Updated gap list
Dates for retesting
Summary of gaps, deficiencies and material weaknesses, and solutions for Sarbanes-Oxley project manager
stakeholders
key objective
identify improvements required for gaps between IT &
business
document process and results
key objectives
Document the results of tests performed.
Produce a management report of control effectiveness.
Provide a record of the process followed, decisions reached, and conclusions drawn to facilitate management’s certification of control.
activities
Document and record the results of tests performed.
Use the test results as a basis for management assertion and auditor attestation.
Provide a comprehensive summary of control effectiveness that includes all testing activities.
Include material weaknesses and proposed corrective actions and dates to implement.
Assess the potential impact on application controls and on other risk-reducing controls, such as monitoring controls.
key success factors
Effective communication
Identification of gap solutions and remediation dates
deliverable
Management summary
Management report
Documentation of test results
stakeholders
build sustainability
activities
Perform a postimplementation review of the Sarbanes-Oxley project.
Review recent PCAOB and SEC speeches and guidance.
Review other independent material.
Meet peers in other organizations to discuss process improvements.
Assess long-term solutions to address Sarbanes-Oxley issues.
Develop a plan and timetable for the following year.
Plan wider IT governance initiatives.
key success factors
Communication with all stakeholders
Commitment to improvement
Ongoing commitment of executive and senior management
deliverable
Postimplementation review report
Assessment of longer term solutions to address Sarbanes-Oxley issues such as automation of process and implementation of program change controls software
Development of a preliminary plan and timetable for the following year
stakeholders
all stakeholders
key objectives
make internal control and compliance business as usual
documentation requirements
Entity policy manuals
IT policy and procedures
Narratives
Flowcharts
Decision tables
Procedural write-ups
Completed questionnaires
levels
company level
statement of control
activity level
Description of processes or subprocesses and related risks
Statement of the control objective to reduce the risk to an acceptable level
Description of control activities
Description of the approach followed to confirm the existence and effectiveness of control activities
Conclusions about the effectiveness of controls
has general acceptability among organizations
best practices
ensures process orientation
management guidelines
means
Balanced Business Scorecards
Financial
Customer
Internal process
Learning / innovation
resources per process
process inputs &
outputs
key activities &
RACI charts
IT, process &
activity goals
IT goals
what the business would use to measure IT
process goals
how the IT process owner would be measured
activity goals
indicate if the goals are likely to be met
key goal indicators (KGI's)
IT KGI
process KGI
key performance indicators (KPI's)
measure the activity goals
maturity models
non-existent
Management processes are not applied at all.
initial
Processes are ad hoc and disorganised.
repeatable but intuitive
Processes follow a regular pattern.
defined process
Processes are documented and communicated.
managed &
measurable
Processes are monitored and measured.
optimized
Good practices are followed and automated.
audit guidelines
structure
stages
identification &
documentation
Obtaining an understanding of risks related to business requirements and relevant control measures
Interviewing appropriate management and staff
Documenting process-related IT resources that are affected by the process under review
Confirming the process under review and control implications, for example, with a process walk-through
evaluation
Evaluating the appropriateness of stated controls
considering identified criteria and industry standard practices and applying professional judgment
Concluding the degree to which the control objective is met
compliance testing
Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
Obtain direct or indirect evidence for selected items/periods to ensure that the procedures were complied with throughout the period under review.
Perform a limited review of the adequacy of process deliverables.
Determine the level of substantive testing and additional work required to provide assurance that the IT process is adequate.
substantive testing
Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources
Document control weaknesses and resulting threats and vulnerabilities
Identifying and documenting actual and potential impact
levels
General IT audit approach
COBIT Framework
Audit Process Requirement
Control Observation
Generic Audit Guideline
Process audit guidelines
Detailed Audit Guidelines
Audit attention points to complement the Detailed Control Objectives
local condition
Sector specific criteria
Industry standards
Platform specific elements
Detailed control techniques used
process requirements
Define audit scope
Business process concerned.
Platforms, systems, and their interconnectivity, supporting the process.
Roles, responsibilities, and organizational structure.
Identify information requirements relevant for the business process
Relevance to the business process.
Identify inherent IT risks and overall level of control
Recent changes and incidents in business, and technology environment.
Result of audits, self-assessments, and certification.
Monitoring controls applied by management.
Select processes and platforms to audit
processes
resources
Set audit strategy
Controls × risk (weight the audit effort by the risk each control addresses).
Steps and tasks.
decision points
objectives
management reassurance
direction setting
manage risks
corrective actions
develop audit programs
relation to other frameworks
ITIL
best practices for IT service management
process level
process execution
process control
ISO / IEC 17799
Code of Practice for Information Security Management
process level
process control
strategic
CMM
model for improving the software delivery process (process execution and process control)
process level
process execution
process control
COSO
framework for establishing internal controls and determining their effectiveness.
elements
risk assessment
control activities
general controls
Data center operation controls such as job setup and scheduling, operator actions, and data backup and recovery procedures
System software controls such as effective acquisition, implementation and maintenance of system software, and database management
Access security controls that prevent inappropriate and unauthorized use of the system
Application system development and maintenance controls over development methodology, including system design and implementation
characteristics
General controls support secure and continuous operation. For general controls, organizations should assess those controls that support the quality and integrity of information and are designed to mitigate the identified risks.
application controls
ensure the completeness, accuracy, authorization, and validity of transactions
information and communication
quality of information
Current
Appropriate
Accurate
Accessible
Timely
company level
Development and communication of corporate policies
Development and communication of reporting requirements, including deadlines, reconciliations, and the format and content of monthly, quarterly, and annual management reports
Consolidation and communication of financial information
activity level
Development and communication of standards to achieve corporate policy objectives
Identification and timely communication of information to assist in achieving business objectives
Identification and timely reporting of security violations
monitoring
company level
Centralized continuous monitoring of computer operations
Centralized monitoring of security
IT internal audit reviews
activity level
Defect identification and management
Local monitoring of computer operations or security
Supervision of local IT personnel
control environment
IT control environment
IT governance process
information systems strategic plan
the IT risk management process
compliance and regulatory management
IT policies, procedures, and standards.
monitoring
reporting
compliance with COBIT
internal control is a process
high level compliance
COBIT is IT specific
COBIT
process level
process control
strategic
resources
COBIT online
repository of all COBIT information that also enables feedback from users
COBIT online
PDF downloads
COBIT Executive Summary
COBIT Framework
COBIT Control Objectives
COBIT Management Guidelines
COBIT IT Assurance Guide
COBIT Implementation Toolset
benchmarking
maintain the content and implement future versions
community
COBIT Quickstart
aimed at
SME
focus
30 IT processes
62 control objectives
metrics
available to Full subscribers
COBIT Security baseline
nontechnical security guide and a QuickStart for security objectives
X-reference to ISO17799
survival kits
1 -> home users
9 simple rules
2 -> professional users
dos &
don'ts
3 -> managers
important conditions to be checked
4 -> executives
questionnaire &
action list
5 -> senior executives
6 -> board of directors
free PDF download
IT Governance implementation guide
approach
need to create &
preserve value
gap analysis
taking measures
road map
bootstrap
generic process
templates &
tools
tool set
presentations
documents
assessment tools
document process
Components
IT processes
process orientation
4 domains
plan &
organize
objective
How can IT contribute to achievement of business objectives
focus
proper organization &
governance
scope
strategy &
tactics
vision planned
organization &
infrastructure
acquire &
implement
objective
integration of IT into business process
focus
IT solutions
changes &
maintenance
scope
deliver &
support
objective
delivery of required services
design of support services
focus
delivery of required services
design of support services
scope
monitor &
evaluate
objective
assess IT processes on quality &
compliance
scope
regular assessment, delivering assurance
performance measurement
management oversight of the control system
34 processes
per domain
plan &
organize
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Define technical direction
PO4 Define the IT processes, organization &
relationships
PO5 Manage the IT investment
PO6 Communicate management aims &
direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess &
manage IT risks
PO10 Manage projects
PO10.1 Programme management framework
PO10.2 Project Management Framework
PO10.3 Project Management Approach
PO10.4 Stakeholder Commitment
PO10.5 Project Scope Statement
PO10.6 Project Phase Initiation
PO10.7 Integrated Project Plan
PO10.8 Project resources
PO10.9 Project Risk Management
PO10.10 Project quality plan
PO10.11 Project change control
PO10.12 Project planning of assurance methods
PO10.13 Project performance management, reporting and monitoring
PO10.14 Project closure
IT KGI
Percentage of projects meeting stakeholders' expectations (on time, on budget, and meeting requirements, weighted by importance)
process KGI
Percentage of projects on time, on budget
Percentage of projects meeting stakeholder expectations
KPI
Percentage of projects following project management standards and practices
Percentage of certified or trained project managers
Percentage of projects receiving post implementation reviews
Percentage of stakeholders participating in projects (involvement index)
acquire &
implement
AI1 Identify automated solutions
AI2 Acquire &
maintain application software
AI3 Acquire &
maintain technology infrastructure
AI4 Enable operation &
use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install &
accredit solutions &
changes
deliver &
support
DS1 Define &
manage service levels
DS2 Manage third-party services
DS2.1 Definition of all supplier relationships
DS2.2 Supplier relationship management
DS2.3 Supplier risk management
IT KGI
Percentage of stakeholders participating in projects (involvement index)
Percentage of purchase spend subject to competitive procurement
process KGI
Percentage of major suppliers meeting clearly defined requirements and service levels
Percentage of formal disputes with suppliers
Percentage of supplier invoices disputed
KPI
Percentage of major suppliers subject to clearly defined requirements and service levels
Percentage of major suppliers subject to monitoring
Level of business satisfaction with effectiveness of communication from the supplier
Level of supplier satisfaction with effectiveness of communication from the business
Percentage of significant incidents of supplier noncompliance for a given time period
DS3 Manage performance &
quality
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify &
allocate costs
DS7 Educate &
train users
DS8 Manage service desk &
incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
monitor &
evaluate
ME1 Monitor &
evaluate IT performance
ME2 Monitor &
evaluate internal control
ME3 Ensure compliance with
external requirements
ME4 Provide IT governance
control leveling
enterprise
IT function
business process owner
application
IT responsibility
framework
generic
process owner
repeatability
goals &
objective
roles &
responsibility
process performance
policy, plans &
procedures
control measures
degrees
primary
The defined control objective directly impacts the information criterion.
secondary
The defined control objective satisfies the information criterion concerned only to a lesser extent or indirectly.
blank
This could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process.
responsibility area
plan
build
run
monitor
enterprise architecture
applications
information
infrastructure
people
key activities
responsibility &
accountability chart
IT resources
applications
the automated user systems and manual procedures that process the information.
information
data, in all their forms, input, processed and output by the information systems in whatever form is used by the business
infrastructure
technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
people
personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
business requirements / information criteria
quality
quality
costs
delivery
fiduciary
categories
effectiveness
information that is relevant and pertinent to the business process and is delivered in a timely and consistent manner.
efficiency
provision of information through the optimal use of resources.
reliability
provision of appropriate information for management to operate the entity and exercise its financial and compliance reporting responsibilities.
compliance
complying with those laws, regulations, and contractual arrangements to which the business process is subject.
security
categories
confidentiality
protection of sensitive information from unauthorized disclosure.
integrity
accuracy and completeness of information, as well as its validity in accordance with business values and expectations.
availability
information being available when required by the business process, both now and in the future. It also refers to the safeguarding of necessary resources and associated capabilities.
Mission
To research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors.
IT Governance
focus areas
Strategic alignment
strategic objectives
Setting goals
Devising strategies to achieve stated goals
Designing action plans to implement strategies
benefits
Value addition to business products and services
Optimal use of resources
Enable cost-effective administration and management
Performance management
Balanced scorecard
financial
strategy
customer
process
knowledge
key success factor
effective metrics, defined and approved by stakeholders
Risk management
activities
Understanding the risk appetite, i.e., the organization’s attitude to taking risks
Defining the impact and likelihood of a risk.
Approving the Risk Management action plan.
management of risks
Risk Mitigation
Risk Transfer
Risk Acceptance
Risk Avoidance
Resource management
resource optimization
features
Ensuring that sufficient capability exists for business critical activities
Optimizing costs
outsourcing
look ahead strategy
A look-ahead strategy helps keep the required-skills inventory up to date and supports an effective recruitment, retention, and training program, so that the organization is not suddenly short of the skills it needs.
Value delivery
principles
direct and control
Executive management provides direction by setting objectives and authorizing specific IT activities.
Control ensures that the objective is achieved and no undesired incidents occur.
responsibility
accountability
activities
stakeholders
scope
IT challenges
keep IT running
value
alignment business IT
requirements management
project &
portfolio management
business case management
return on investment management
costs
reasons
Most organizations don’t understand the costs associated with their IT assets.
Operational budgets increase every year as a result of complex licensing, maintenance, and outsourcing contracts.
Failed projects result in large financial losses.
IT spending by business units and central IT departments is not coordinated.
mastering complexity
problems
Maintaining technical competence
Managing diverse technical infrastructures
Adapting to rapid changes and new developments
Managing external relationships and service providers
alignment IT business
reasons
Poorly defined business requirements
Inability to set priorities
Complexity of projects
Lack of committed business sponsors
Lack of clear business drivers for solutions
Communication gaps between business and IT
regulatory compliance
Corporate governance and financial reporting
Privacy and security
security
benefits
confidence of top management
by providing
a common language, clearer decision-making mechanisms, and more transparent and accurate management information.
responsiveness of IT to business
by providing
clear chains of command, effective decision making, and greater confidence in taking risks and making investments.
higher ROI
IT governance helps reduce project failures, optimize IT infrastructure, and increase the efficiency of IT processes.
more reliable services
IT governance gives framework to ensure lower risks, better quality of services, and greater customer satisfaction
more transparency
ensures that the right information is available to the right level of decision makers.
control objectives
achievement of business goals
process outcome
process capability &
performance
prevention, detection and correction of undesired events
control design tests
control practices
detailed "how" and "why" that may be needed
best practice management statements based on global standards and expert views
high-level
statement of the desired result to be achieved by implementing control procedures within a specific IT activity.
detailed
underpin high-level control objectives by focusing on the control of key tasks and activities that are related to the IT process.
business orientation
link business &
IT goals
metrics
maturity models
responsibilities
Basic COBIT principle