COBIT

COBIT (Control Objectives for Information and related Technology) is a framework for IT governance and management. It describes 34 IT processes covering planning, implementation, delivery, control, and monitoring. COBIT can be used to audit IT systems and processes, as well as to help management implement best practices for IT governance. COBIT addresses business requirements for IT such as effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. Organizations have flexibility in how they adopt and apply COBIT based on their needs.

Control Objectives for Information and related Technology (COBIT)
Overview

January 31, 2008


Overview
• Background – trends in auditing affecting IT
• Overview of COBIT
• Linkages to other methodologies
• Practical application – in audit and IT management
Auditing Trends
Audit Committees
– Increasing dependence on IT infrastructure to support traditional assurance/auditing
– Increasing obligations regarding risk management and control, including IT
– Use Internal Audit to give assurance – we adopted COBIT, with the ability to use other frameworks as deemed appropriate
– Management has a role as well
Office of the Auditor General
– Comments to entities that have had a broad IT assessment include ensuring the following is in place:
• IT strategies (not just for centralized IT services)
• Integration of IT requirements into business planning
• Documented IT risk assessments
• Business continuity planning and emergency response planning
• Service level performance measures
• Processes to build awareness of IT internal controls and security
• An IT control framework (recommended to several organizations) – COBIT recommended and being adopted
COBIT Overview¹
IT Governance Institute (www.itgi.org)
Enterprise governance is a set of responsibilities and practices exercised by the board and executive management with the goal of:
• Providing strategic direction
• Ensuring that objectives are achieved
• Ascertaining that risks are managed appropriately
• Verifying that the enterprise's resources are used responsibly
(Figure: IT governance focus areas – Resource Management)

¹ This information and that on the following slides is consolidated from information developed by the IT Governance Institute.
Major COBIT Elements
- IT Processes
- Business Requirements
- IT Resources
IT Processes
1. COBIT describes the IT life cycle with the help of four domains:
– Plan and Organise
– Acquire and Implement
– Deliver and Support
– Monitor and Evaluate
2. Within each domain are processes, each a series of activities. There are 34 processes specifying what the business needs to achieve its objectives.
3. Activities are the actions required to achieve measurable results within the processes.
Plan and Organise
(Figure: the four COBIT domains in a cycle – Plan and Organise, Acquire and Implement, Deliver and Support, Monitor and Evaluate – grouped under IT Processes)
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
Business Requirements
Effectiveness – Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency – Concerns the provision of information through the optimal (most productive and economical) use of resources.
Confidentiality – Concerns the protection of sensitive information from unauthorised disclosure.
Integrity – Relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability – Relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance – Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
Reliability – Relates to the provision of appropriate information for management to operate the entity and to exercise its fiduciary and governance responsibilities.
IT Resources
 Applications
 Information
 Infrastructure
 People
Use of COBIT in Internal Audit
• Annual Risk Assessment (developed with Grant Thornton)
• Can audit in different ways:
– an application system (all processes)
– a process (e.g. IT investment management across a unit or the campus)
– a resource component (e.g. infrastructure) and/or a business requirement (e.g. security)
• Maps to other frameworks
Flexible yet defensible
Use of COBIT in Management
• Seeing an increase in formal adoption of frameworks.
• Supporting documentation being developed for management.
• Flexible adoption – one size does not fit all.
• Can be blended with other frameworks.
Organisations will consider and use a variety of IT models, standards and best practices.

(Figure: positioning of COSO, COBIT, ISO 17799, ISO 9000 and ITIL – vertical axis "what" the framework addresses, horizontal axis "scope of coverage")
IT Process Capability Maturity Scorecard – Example
Maturity levels (scorecard columns): Initial, Repeatable, Defined, Managed, Optimised
Processes (scorecard rows):
Plan and Organise
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine the technological direction.
PO4 Define the IT process, organisation and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage risks.
PO10 Manage projects.
Acquire and Implement
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.
Deliver and Support
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.
Monitor and Evaluate
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
(Figure: the COBIT framework – business objectives and governance objectives drive the information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability), the IT resources (applications, information, infrastructure, people) and the four domains of IT processes: Plan and Organise (PO1–PO10), Acquire and Implement (AI1–AI7), Deliver and Support (DS1–DS13) and Monitor and Evaluate (ME1–ME4), as listed on the preceding slides.)
Questions
Contact:

Ian Simpson
Systems Auditor
492-2980
