CobiT is a methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment. It is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes. CobiT helps bridge the gaps between business risks, control needs and technical issues.
Lucas Kowal, AVP, BNP Paribas NA (CPA, CISA, CISSP)

Overview of CobiT

What is CobiT?

What CobiT is not:
- Audit software
- An IT audit plan
- An IT Internal Audit workprogram
- An IT audit testing plan
- A guide on how to audit IT

Then what is CobiT?
- It is the Control Objectives for Information and related Technology.
- A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
- The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.
- A tool for IT professionals that links information technology and control practices.
- CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.
CobiT represents:
1. A control framework,
2. A set of generally accepted control objectives, and
3. The CobiT Audit Guidelines.

CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.

CobiT is business-process oriented: it provides business process owners with a framework that should enable them to control all the different activities underlying IT deployment.

What is the purpose of CobiT?
- To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.
- CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.
- It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.

Components of CobiT

The 4 Domains of CobiT:
- MONITORING (MO)
- PLANNING & ORGANIZATION (PO)
- ACQUISITION & IMPLEMENTATION (AI)
- DELIVERY & SUPPORT (DS)

MONITORING (MO)
All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements. Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.
- M1 - Monitor the process
- M2 - Obtain independent assurance

PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives. Is the IT strategy effectively controlled, and will it contribute to the business objectives?
- PO1 - Define a strategic IT plan
- PO2 - Define the information architecture
- PO3 - Determine technical direction
- PO4 - Define the IT organization and relationships
- PO5 - Manage the investment in IT
- PO6 - Communicate management aims and directions
- PO7 - Manage human resources
- PO8 - Ensure compliance with external requirements
- PO9 - Assess risks
- PO10 - Manage projects
- PO11 - Manage quality

ACQUISITION & IMPLEMENTATION (AI)
To realize the IT strategy, IT solutions need to be identified, developed and/or acquired, as well as implemented and integrated into the business process. Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?
- AI1 - Identify solutions
- AI2 - Acquire and maintain application software
- AI3 - Acquire and maintain technology architecture
- AI4 - Develop and maintain IT procedures
- AI5 - Install and accredit systems
- AI6 - Manage changes

DELIVERY & SUPPORT (DS)
Addresses the actual delivery of required information services. Are information-related services delivered in a controlled manner?
- DS1 - Define service levels
- DS2 - Manage third-party services
- DS3 - Manage performance and capacity
- DS4 - Ensure continuous service
- DS5 - Ensure systems security
- DS6 - Identify and allocate costs
- DS7 - Educate and train users
- DS8 - Assist and advise IT customers
- DS9 - Manage the configuration of IT systems
- DS10 - Manage problems and incidents
- DS11 - Manage data
- DS12 - Manage facilities
- DS13 - Manage operations

Overview of Internal Audit

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)
The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity's procedures and related internal controls. As Internal Auditors, we also provide control recommendations and controls advisory.

CobiT for Internal Auditors

Who uses CobiT in the Internal Audit world? Typically:
- The IT Auditor
- The Business Process Auditor
- The IT Inspection Team, or
- The IT Control Team

How is CobiT used by Internal Audit?
- Establishing control baselines and standards
- Facilitating and creating performance metrics for risk assessments
- Developing the audit plan
- Facilitating the audit
- Managing residual risk
- Issuing control advisory and recommendations to the IT groups
Audits that can be performed with the use of CobiT:
1. Reviews of baselines and standards for IT
2. Information system implementations: pre-implementation review, implementation of controls, certification reviews, post-implementation review
3. Code development / source code management reviews
4. General controls reviews
5. Data center reviews
6. Audits of the business continuity program
7. Audits of security configuration
8. Reviews of security administration
9. Reviews of IT purchasing and procurement
10. Application reviews / audits
11. Audits of business processes

Be creative! How can you fit CobiT into your audit plan?

Applications of the 4 CobiT Domains
All of the discussed types of reviews can employ the 4 CobiT domains: MONITORING, PLANNING & ORGANIZATION, ACQUISITION & IMPLEMENTATION, DELIVERY & SUPPORT.
CobiT Trends
- In general, each of the 4 domains can be applied to each review with careful planning.
- All IT Audit reviews should have a component that covers: management controls over the information; a review of controls over the way that information is delivered / facilitated; and how the IT control review process works and whether it is working effectively.
- With the right planning, all reviews can be performed with the 4 domains as a reference, standard, and best-practice template.

Top Ten Strengths of CobiT in Internal Audit
10. Control evaluation processes are standardized across the IT environment
9. Benchmarks and standards are portable throughout the IT environment
8. System management processes across different systems can be compared
7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives
6. A common language between auditee, auditor, user management and data owners is provided
5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control best practices
4. International IT Audit groups can share knowledge (i.e. workprograms, test plans)
3. Audit groups can recruit based on experience with an internationally recognized audit tool
2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
1. It's just plain old fun!
Problems Inherent to the Implementation and Use of CobiT
CobiT is a control framework with Audit Guidelines. Therefore:
- It is NOT an audit plan
- It is NOT a workprogram
- It does NOT provide audit steps / techniques / procedures
- It does NOT define standards
- It does NOT define acceptable levels for IT processes

The use of CobiT requires a sufficient amount of experience with IT controls, because it does not detail the actual control verification and testing steps.

CobiT is time and resource intensive to implement:
- Steep learning curve
- New audit plans and workprograms
- New documentation methods needed

Although CobiT is process focused, CobiT-based reviews tend to be more system-focused. Few, if any, processes are composed of one system. All data flows between systems, so how are data flows evaluated? How can major information flow processes be evaluated within reasonable time constraints?
Opportunities to Implement CobiT
Ideal times to implement the CobiT framework:
- Beginning of an audit year
- During a reorganization of the audit department
- During a change of strategy for the IT Audit group
- Upon implementation of business-process-focused audits
Threats to CobiT in the Internal Audit World
- Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology
- Auditees can be unreceptive to controls-based recommendations as opposed to traditional IT recommendations
- If the audit staff does not have a sufficient amount of experience with IT controls, difficulties can arise in creating procedures to test for the existence of CobiT-prescribed controls

CobiT: A Real World Example at a Major International Financial Services Firm

Situation:
- A major international financial services firm uses the SWIFT network as a payment messaging system at its worldwide locations.
- All major locations of the financial services firm have their own local SWIFT systems installations.
- Worldwide IT Management seeks efficiencies and decides to consolidate SWIFT messaging systems onto regional platforms. IT management's strategy is to create three regional hubs for messages to flow through to the SWIFT network.

Internal Audit:
- Internal Audit conducted an IT audit of the management strategy, selection, acquisition, implementation, and configuration of the new SWIFT Alliance messaging hubs.
- Controls advisory was also provided as a complimentary service.
- The CobiT methodology was used.

Examples of IT Audit's role:
1. Participated on the SWIFT implementation team
2. Reviewed the project charter for financial, human resources, regulatory, compliance, and IT management strategy controls
3. Reviewed Service Level Agreements and contracts with vendors for controls prescribed by CobiT
4. Examined project details for the processes used to choose hardware, software, and implementation methods
5. Reviewed project plans for reasonableness and the ability to meet prescribed timelines
6. Performed reviews of SWIFT system configurations pre- and post-implementation
7. Examined regulatory constraints and gave opinions based on regulatory requirements

Highlights: Planning & Organization
- Reviewed the strategy and plan for management controls
- Critiqued the new IT architecture
- Monitored progress with respect to timelines
- Ensured that compliance and regulatory constraints were addressed during implementation

Highlights: Acquisition & Implementation
- Reviewed choices for messaging hub locations
- Reviewed alternatives for hardware and software
- Verified that changes were in compliance with CobiT and best practices for change control
- Determined whether procedures were created for the administration of the implemented system

Highlights: Delivery & Support
- Reviewed agreements with vendors and business partners for reasonableness and compliance with best practices
- Attended user training sessions
- Tested controls for security configuration and security administration
- Determined whether controlled procedures were created for administration and management of data, facilities, and operations

Highlights: Monitoring
- Determined whether controlled procedures were in place for the monitoring of the new SWIFT system
- Verified that monitoring procedures were in compliance with regulatory requirements
Questions?

Lucas Kowal, CPA, is an AVP of Information Systems Audit at the international financial services conglomerate BNP Paribas. Mr. Kowal has several years of audit and consulting experience with information systems and technology applications, having worked with Arthur Andersen's Technology Risk Consulting Group and the Depository Trust Clearing Co. prior to joining BNP Paribas.

In addition to being a Certified Public Accountant (CPA-NY), Lucas has attained both the Certified Information Systems Auditor (CISA) and the Certified Information Systems Security Professional (CISSP) accreditations. Lucas is a graduate of the prestigious BS (Public Accounting) / MBA (Management Information Systems) program at the State University of New York at Buffalo.

Lucas can be reached at lucas.kowal@BNPPARIBAS.com