ISACA Mauritius - Cobit

Integration of COBIT into the IT Audit Process
By Kris Seeburn
Audience Poll

• COBIT Knowledge
– First exposure?
– General understanding?
– Strong knowledge of COBIT framework?
• Current Users of COBIT
– Incorporated Into Audit Process?
– Adopted by IT Management?
– Users of a framework other than COBIT?

© ISACA Mauritius Chapter 2011 All Rights Reserved


Agenda
• Overview of COBIT Components
• Integrating COBIT Domains into IT Audit Planning & Scope Development
• Audit Universe Considerations
• Ensuring Consistent Coverage
• Integrating Relevant Industry Standards, Guidelines, and Best Practices
• Organizational IT Policy, Standard, Guideline, and Procedure Considerations
• Integrating COBIT into the IT Audit Lifecycle
• Using COBIT to Establish IT Risk & Control Measurement
• Wrap-up


Overview of COBIT Components
COBIT - Background
“Generally applicable and accepted international standard of good practice for IT control”

“An authoritative, up-to-date, international set of generally accepted Information Technology Control Objectives for day-to-day use by business managers and auditors.”


COBIT’s Scope & Objectives
COBIT® 4.1 was developed by the IT Governance Institute (www.itgi.org)
• COBIT has evolved into an IT governance / control framework:
– A toolkit of “best practices” for IT control representing the consensus of experts
– IT Governance focus
– Linkage with business requirements (bridges the gap between control requirements, technical issues, and business risks)
– Management – process owner – orientation (accountability)
– Measurement and maturity driven
– Generic focus – applicable to multiple environments
– Organizes IT activities into a generally accepted process model (in alignment with ITIL, ISO, and other relevant ‘best practices’)
– Identifies the major IT resources to be leveraged
– Defines control objectives and associated assurance guidelines


COBIT As A Framework
• Enables the auditor to review specific IT processes against COBIT’s
Control Objectives to determine where controls are sufficient or
advise management where processes need to be improved.
• Helps process owners answer questions - “Is what I’m doing
adequate and in line with best practices? If not, what should I be
doing and where should I focus my efforts?”
• COBIT is a framework and is NOT exhaustive or definitive. The
scope and breadth of a COBIT implementation varies from
organization to organization.
• COBIT prescribes “what” best practices should be in place. An
effective implementation requires that COBIT be supplemented with
other sources of best practice that prescribe the “how” for IT
governance and controlled process execution.



Hierarchy of COBIT Components

Relationship of COBIT Components

COBIT Structure
Overview

COBIT® Structure
Aligning Requirements, Processes, Resources & Activities

COBIT Structure
Example

COBIT
High-Level Processes / Objectives

Linking The Processes To Control Objectives
(34 High-level and 200+ Detailed Objectives)

Example of COBIT 4.1 - DS5


COBIT Management Guidelines

COBIT 3rd Edition added a Management and Governance layer, providing management with a toolbox containing…
• A maturity model to assist in benchmarking and decision-making for control over IT
• A list of critical success factors (CSF) that provides succinct nontechnical best practices for each IT process
• Generic and action oriented performance measurement elements (key performance indicators [KPI] and key goal indicators [KGI] – outcome measures and performance drivers for all IT processes)


COBIT Maturity Model

Metrics as CSF, KPI, & KGI

Measuring Success – Example of COBIT DS5

Example of COBIT - DS5

Summing It All Up
Business Goals Drive IT Goals


Integrating COBIT Domains Into IT Audit Planning & Scope Development
Integration Overview

Mapping COBIT to the Technology Audit Universe
Drilling Down to the Technology Infrastructure

Understanding the Technology Infrastructure

Identifying Relevant Technology “Layers”

Understanding the IT Governance Framework

Defining the Technology Audit Universe

Security Audit Universe

Map Audit Universe To COBIT

Ensuring Consistent Coverage
IT Audit Focal Points

Security Audit Focal Points / Areas of Emphasis (Example)

Map Focal Points / Areas of Emphasis to COBIT (Example)


Mapping COBIT to Relevant Industry Standards, Guidelines & Best Practices
Classifying Sources

Identify relevant industry standards, guidelines, and best practices (classify by purpose)…
– Governance (strategic) focus versus Management (tactical) focus.
– Process Control focus versus process Execution focus.
– What To Do versus How To Do IT

Classification (Example)


ITIL Overview
• Information Technology Infrastructure Library (ITIL)
• Set of books detailing best practices for IT Service Management (the “how”)
• Originally developed by the UK government to improve IT Service Management
• Now more globally accepted
• Has just been revised again
• www.itil.co.uk

ITIL – The Most Popular Books

ITIL Mapping To COBIT

ITIL Mapping To COBIT (continued)


ISO 27001 Overview
• ISO/IEC 27001:2008 Code of Practice for Information Security Management
• Established guidelines and general principles for initiating, implementing, maintaining, and improving information security management.
• Objectives outlined provide general guidance on the commonly accepted goals of information security management.
• In process of being updated for 2012
• www.iso.org


ISO 27001 Components
ISO 27001 contains best practices for control
objectives and controls in the following areas…
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical & Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance



Aligning COBIT®, ITIL, and ISO 27001

A Management Briefing from ITGI and OGC…

• IT Governance Institute – now fully provided through ISACA
• Office of Government Commerce
• Useful guidance for implementing COBIT, ITIL and ISO27001
• Useful mapping of ITIL and ISO27001 to COBIT
• Available at ISACA.ORG
– Go to Downloads
– Then COBIT


Mapping COBIT to Organizational IT Policies, Standards, Guidelines & Procedures
Policies, Standards, Guidelines & Procedures

Guidelines & Procedures

Integrating COBIT Into the IT Audit Lifecycle
IT Audit Approach Overview

Map Audit Scope To COBIT

Using COBIT Framework To Tie It All Together…

COBIT Control Assessment Questionnaire

COBIT Based Executive Audit Report

COBIT Based Audit Report (continued)


Using COBIT to Establish IT Risk & Control Measurement
Analysis of Audit & Key Technology Metrics

Goal is to proactively monitor audit results and IT metrics on an ongoing basis to focus the scope of audits on high-risk processes and tasks where performance indicators indicate potential problems.

Results of metric analysis are presented to client management on a periodic basis via management reports. The analysis indicates any changes to the audit scope planned for upcoming audits.


COBIT Measurement Repository

Periodic Management Reports

Example of Audit Result Metrics (Illustration Only)

Continuous Monitoring / Auditing
Ongoing Measurement / Ongoing Dialogue

Auditors monitor key indicators for mission critical technology functions on an ongoing basis…


Information Security: Measuring Performance (illustration only)

The Security Officer consistently performs both internal and external vulnerability scans on a monthly basis. The majority of vulnerabilities identified are low risk…

Change Management: Measuring Performance (illustration only)

Although target rates have not been achieved, change management processes are successful on average 75% of the time. Less than 1% of appropriately recorded changes resulted in problems or outages…

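The metric-driven audit scoping described under “Analysis of Audit & Key Technology Metrics”, together with the two “measuring performance” illustrations above, worked through as an added Python example (this is illustration code written for this page, not material from the ISACA Mauritius presentation or from COBIT itself). It derives the change-management figures from a constructed change log, places them alongside constructed vulnerability-scan series, tests each series against a target and a trend, and rates each COBIT process so the next audit cycle can expand scope where indicators point at trouble. The metric names, targets, thresholds, sample records and the rating rule are all assumptions made for the example; only the process ids follow COBIT 4.1 (DS5 Ensure Systems Security, AI6 Manage Changes).

```python
"""Audit-scope prioritisation from COBIT process metrics.

Added illustration, not code from the ISACA Mauritius presentation. Metric
names, targets and every sample record below are constructed; the process ids
follow COBIT 4.1 (DS5 Ensure Systems Security, AI6 Manage Changes).
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class Metric:
    """One KPI/KGI series for a COBIT process, oldest observation first."""
    process: str            # COBIT 4.1 process id, e.g. "DS5"
    name: str
    values: List[float]     # one observation per reporting period
    target: float
    higher_is_better: bool = True

    def meets_target(self) -> bool:
        current = self.values[-1]
        return current >= self.target if self.higher_is_better else current <= self.target

    def trend(self, window: int = 3) -> str:
        """Compare the mean of the last `window` periods with the periods before them."""
        if len(self.values) < 2 * window:
            return "insufficient-data"
        recent, earlier = mean(self.values[-window:]), mean(self.values[:-window])
        # Normalise so that a positive delta always means "moving the right way".
        delta = recent - earlier if self.higher_is_better else earlier - recent
        if abs(delta) < 0.01 * max(abs(earlier), 1.0):   # under 1% movement
            return "stable"
        return "improving" if delta > 0 else "deteriorating"


# Constructed change log for one period: 20 changes, 15 successful, 16 recorded.
# The two unrecorded failures are the ones that caused incidents.
CHANGES = (
    [{"recorded": True, "successful": True, "caused_incident": False}] * 13
    + [{"recorded": False, "successful": True, "caused_incident": False}] * 2
    + [{"recorded": True, "successful": False, "caused_incident": False}] * 3
    + [{"recorded": False, "successful": False, "caused_incident": True}] * 2
)


def change_success_rate(changes) -> float:
    """Share of all changes (recorded or not) that completed successfully."""
    return sum(c["successful"] for c in changes) / len(changes)


def recorded_change_incident_rate(changes) -> float:
    """Share of appropriately recorded changes that caused a problem or outage."""
    recorded = [c for c in changes if c["recorded"]]
    return sum(c["caused_incident"] for c in recorded) / len(recorded)


def sample_metrics() -> List[Metric]:
    """Constructed six-period series; the latest AI6 values are derived from CHANGES."""
    return [
        Metric("DS5", "vulnerability scans per month", [1, 1, 1, 1, 1, 1], target=1),
        Metric("DS5", "high-risk findings open > 30 days", [2, 3, 2, 3, 4, 6],
               target=3, higher_is_better=False),
        Metric("AI6", "change success rate (%)",
               [70, 72, 73, 74, 76, change_success_rate(CHANGES) * 100], target=90),
        Metric("AI6", "recorded changes causing incidents (%)",
               [0.5, 0.4, 0.3, 0.2, 0.1, recorded_change_incident_rate(CHANGES) * 100],
               target=1.0, higher_is_better=False),
    ]


def rate_process(metrics: List[Metric]) -> str:
    """High when a target is missed and a series is deteriorating; medium for either; low otherwise."""
    missed = any(not m.meets_target() for m in metrics)
    worsening = any(m.trend() == "deteriorating" for m in metrics)
    if missed and worsening:
        return "high"
    return "medium" if (missed or worsening) else "low"


def scope_recommendations(metrics: List[Metric]) -> Dict[str, dict]:
    """Group series by process and decide whether the next audit should expand its scope."""
    by_process: Dict[str, List[Metric]] = {}
    for m in metrics:
        by_process.setdefault(m.process, []).append(m)
    report = {}
    for process, series in by_process.items():
        risk = rate_process(series)
        report[process] = {
            "risk": risk,
            "expand_scope": risk == "high",
            "issues": [f"{m.name}: {m.values[-1]:g} vs target {m.target:g} ({m.trend()})"
                       for m in series if not m.meets_target() or m.trend() == "deteriorating"],
        }
    return report


def build_recommendations() -> Dict[str, dict]:
    return scope_recommendations(sample_metrics())


if __name__ == "__main__":
    for process, entry in build_recommendations().items():
        print(process, entry["risk"], "expand scope" if entry["expand_scope"] else "keep scope")
        for issue in entry["issues"]:
            print("   -", issue)
```

With the constructed data, DS5 comes out high (the open high-risk findings both miss target and are rising), while AI6 is medium: the 75% success rate misses its 90% target but is improving, and the incident rate among recorded changes is within target. Note that the incident-rate KPI only counts recorded changes, so the two unrecorded changes that caused incidents never reach it; a reviewer using such a figure should pair it with a measure of unrecorded change volume.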


Summary & Wrap-Up
Benefits Realized…
• IT management partners with Internal Audit throughout the audit life
cycle, including input into the audit schedule and scope.
• IT management becomes conversant in risk, control, and audit
concepts.
• Relationships transformed into partnerships by jointly assessing
control procedures.
• Audit Report streamlined…concise report supported by detailed
questionnaire.
• Audit approach is methodical and is consistent with industry
standards / best practices as well as IT Governance practices
implemented throughout the company’s technology organization.
• Meaningful reporting for senior IT management.



QUESTIONS ?
