
CobiT for Internal Auditors


Lucas Kowal, AVP BNP Paribas NA
CPA, CISA, CISSP
Overview of CobiT
What is CobiT?
Overview of CobiT
What CobiT is not!!
Audit software
An IT audit plan
An IT Internal Audit workprogram
An IT audit testing plan
Guide on How to Audit IT
Overview of CobiT
Then what is CobiT?
It is the Control Objectives for Information and related Technology.

A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.

The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.

A tool for IT professionals that links information technology and control practices.

CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.
Overview of CobiT
CobiT represents
1. A control framework,
2. a set of generally accepted control objectives, and
3. the CobiT Audit Guidelines.

CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.

CobiT is business process oriented and provides the business process owners with a framework which should enable them to control all the different activities underlying IT deployment.
Overview of CobiT
What is the purpose of CobiT?

To provide management and business process
owners with an Information Technology (IT)
governance model that helps in understanding and
managing the risks associated with IT.

CobiT helps bridge the gaps between business risks,
control needs and technical issues by presenting
the controls through one vehicle.

It is a control model to meet the needs of IT
governance and ensure the integrity of information
and information systems.
Components of CobiT
The 4 Domains of CobiT

MONITORING (MO)

PLANNING & ORGANIZATION (PO)

ACQUISITION & IMPLEMENTATION (AI)

DELIVERY & SUPPORT (DS)
Components of CobiT
MONITORING (MO)
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.

Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.

M1- Monitor the process
M2- Obtain independent assurance
Components of CobiT
PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.

Is the IT strategy effectively controlled, and will it contribute to the business objectives?

PO1- Define a strategic IT plan
PO2- Define the information architecture
PO3- Determine technical direction
PO4- Define IT organization and relationships
PO5- Manage the investment in IT
PO6- Communicate management aims and directions
PO7- Manage human resources
PO8- Ensure compliance with external requirements
PO9- Assess risks
PO10- Manage projects
PO11- Manage quality
Components of CobiT
ACQUISITION & IMPLEMENTATION (AI)
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired, as well as implemented and integrated into the business process.

Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?

AI1- Identify solutions
AI2- Acquire and maintain application software
AI3- Acquire and maintain technology architecture
AI4- Develop and maintain IT procedures
AI5- Install and accredit systems
AI6- Manage changes
Components of CobiT
DELIVERY & SUPPORT (DS)
Addresses the actual delivery of required information services.

Are information related services delivered in a controlled manner?

DS1- Define service levels
DS2- Manage third party services
DS3- Manage performance and capacity
DS4- Ensure continuous service
DS5- Ensure systems security
DS6- Identify and allocate costs
DS7- Educate and train users
DS8- Assist and advise IT customers
DS9- Manage the configuration of IT systems
DS10- Manage problems and incidents
DS11- Manage data
DS12- Manage facilities
DS13- Manage operations
Overview of Internal Audit
Internal Audit
"Internal auditing is an independent, objective assurance
and consulting activity designed to add value and
improve an organization's operations. It helps an
organization accomplish its objectives by bringing a
systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control,
and governance processes."
(Definition of Internal Auditing by the Institute of
Internal Auditors, Inc.)

The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity's procedures and related internal controls.

As Internal Auditors, we also provide control recommendations and controls advisory.
CobiT For Internal Auditors
Who uses CobiT in the Internal
Audit world?

Typically, the IT Auditor

Business Process Auditor

The IT Inspection Team, or

The IT Control Team
CobiT For Internal Auditors
How is CobiT used by Internal Audit?
Establishing control baselines and standards

Facilitating and creating performance metrics for Risk
Assessments

Developing the audit plan

Facilitating the audit

Managing residual risk

Issuing control advisory and recommendations to the IT groups
CobiT For Internal Auditors
Audits that can be performed with the use of CobiT
1. Reviews of Baselines and Standards for IT
2. Information System Implementations
   Pre-Implementation Review
   Implementation of Controls
   Certification Reviews
   Post Implementation Review
3. Code Development / Source Code Management Reviews
4. General Controls Reviews
5. Data Center Reviews
6. Audits of the Business Continuity Program
7. Audits of Security Configuration
8. Reviews of Security Administration
9. Reviews of IT Purchasing and Procurement
10. Application Reviews / Audits
11. Audits of Business Processes

BE CREATIVE! How can you fit CobiT into your audit plan?
Applications of the
4 CobiT Domains
All of the discussed types of
reviews can employ the 4 CobiT
domains:
MONITORING,
PLANNING & ORGANIZATION,
ACQUISITION & IMPLEMENTATION,
DELIVERY & SUPPORT



CobiT Trends
In general, each of the 4 domains can be applied to
each review with careful planning

All IT Audit reviews should have a component that
includes
Management controls of the information
Review of controls over the way that information is
delivered / facilitated
How the IT control review process works, and is it working
effectively

With the right planning, all reviews can be
performed with the use of the 4 domains as a
reference, standard, and Best Practice template
Top Ten Strengths of CobiT in Internal Audit
10. Control evaluation processes are standardized across the IT environment

9. Benchmarks and standards are portable throughout the IT environment

8. System management processes across different systems can be compared

7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives

6. A common language between auditee, auditor, user management and data owners is provided

5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control Best Practices

4. International IT Audit groups can share knowledge (i.e. workprograms, test plans)

3. Audit groups can recruit based on experience with an internationally recognized audit tool

2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)

1. It's just plain old fun!
Problems Inherent to the
Implementation and Use of CobiT
CobiT is a control framework with Audit
Guidelines. Therefore,
It is NOT an audit plan
It is NOT a workprogram
It does NOT provide for audit steps /
techniques / procedures
It does NOT define standards
It does NOT define acceptable levels for IT
processes

The use of CobiT requires a sufficient
amount of experience with IT controls
because it does not detail actual controls
verification and testing steps

Problems Inherent to the
Implementation and Use of CobiT
CobiT is time & resource intensive to implement
Steep learning curve
New audit plans and workprograms
New documentation methods needed

Although CobiT is process focused, CobiT based reviews tend to be more system-focused.
Few, if any, processes are composed of one system.
All data flows between systems, so how are data flows evaluated?
How can major information flow processes be evaluated within reasonable time constraints?
Opportunities to Implement CobiT
Ideal Times to Implement the CobiT Framework
Beginning of an audit year

During a reorganization of the audit department

During a change of strategy for the IT Audit group

Upon implementation of Business Process focused
audits

Threats to CobiT in the
Internal Audit World
Threats to CobiT in Internal Audit
Initial audits are time intensive and difficult because
auditors are unfamiliar with CobiT terminology

Auditees can be unreceptive to controls based
recommendations as opposed to traditional IT
recommendations

If the audit staff does not have a sufficient amount of
experience with IT controls, difficulties can arise in
creating procedures to test for the existence of CobiT
prescribed controls
CobiT: A Real World Example at a Major
International Financial Services Firm
Situation:
A major international financial services firm uses
the SWIFT network as a payment messaging
system at its worldwide locations
All major locations of the financial services firm
have their own local SWIFT systems installations
Worldwide IT Management seeks efficiencies and
decides to consolidate SWIFT messaging systems
to regional platforms.
IT management's strategy is to create three regional hubs for messages to flow through to the SWIFT network.
CobiT: A Real World Example at a Major
International Financial Services Firm
Internal Audit
Internal Audit conducted an IT Audit of the
management strategy, selection, acquisition,
implementation, and configuration of the new
SWIFT Alliance messaging hubs

Controls Advisory was also provided as a
complimentary service.

The CobiT methodology was used.
CobiT: A Real World Example at a Major International Financial Services Firm
Examples of IT Audit's Role
1. Participated on the SWIFT implementation team
2. Reviewed the project charter for financial, human resources, regulatory, compliance, and IT management strategy controls
3. Reviewed Service Level Agreements and contracts with vendors for controls prescribed by CobiT
4. Examined project details for the processes to choose hardware, software, and implementation methods
5. Reviewed project plans for reasonableness and the ability to meet prescribed timelines
6. Performed reviews of SWIFT system configurations pre- and post-implementation
7. Examined regulatory constraints and gave opinions based on regulatory requirements
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Planning & Organization
Reviewed the strategy and plan for management controls

Critiqued the new IT architecture

Monitored progress with respect to timelines

Ensured that compliance and regulatory constraints were addressed during implementation
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Acquisition & Implementation
Reviewed choices for messaging hub locations

Reviewed alternatives for hardware and software

Verified that changes were in compliance with CobiT and best practices for change control

Determined whether procedures were created for the administration of the implemented system
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Delivery & Support
Reviewed agreements with vendors and business partners for reasonableness and compliance with best practices

Attended user training sessions

Tested controls for security configuration and security administration

Determined whether controlled procedures were created for administration and management of data, facilities, and operations
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Monitoring
Determined whether controlled procedures were in place for the monitoring of the new SWIFT system

Verified that monitoring procedures were in compliance with regulatory requirements
Questions?
Lucas Kowal, CPA is an AVP of Information Systems Audit at the international financial services conglomerate, BNP Paribas. Mr. Kowal has several years of audit and consulting experience in information systems and technology applications, having worked with Arthur Andersen's Technology Risk Consulting Group and the Depository Trust Clearing Co. prior to joining BNP Paribas.

In addition to being a Certified Public Accountant (CPA-NY), Lucas has
attained both the Certified Information Systems Auditor (CISA) accreditation
and the Certified Information Systems Security Professional (CISSP)
accreditation. Lucas is a graduate of the prestigious BS (Public Accounting) /
MBA (Management Information Systems) program from the State University
of New York at Buffalo.

Lucas can be reached at lucas.kowal@BNPPARIBAS.com
