Institute of Internal Auditors
COBIT Presentation
October 9, 2001
For More Information on COBIT
• Phone 847-253-1545
• Email research@isaca.org
• Websites www.Itgovernance.org www.isaca.org
Cost • ISACA Member $115 • Non-Member $225
Background
• Control OBjectives for Information and related Technology
• Originally released in 1996 by the Information Systems Audit and Control Foundation (ISACF)
• Current primary publisher is the IT Governance Institute, formed by the Information Systems Audit and Control Association (ISACA) in 1998
• COBIT was formed through research of sources such as the technical standards from ISO, codes of conduct issued by the Council of Europe and ISACA, and professional standards for internal control and auditing issued by COSO, AICPA, GAO, etc.
• The above sources were used to formulate COBIT to “be both pragmatic and responsive to business needs while being independent of the technical IT platforms adopted in an organization.”
The COBIT Mission • To research, develop, publicize and promote an authoritative, up-to-date, international set of generally accepted information technology control objectives for day-to-day use by business managers and auditors
Objectives of COBIT • To provide a framework to bridge gaps between business risks, control needs and technical issues in order to maximize benefits, capitalize on opportunities and gain competitive advantage
Components • Executive Summary • Framework • Control Objectives • Audit Guidelines • Management Guidelines
Executive Summary • Provides a synopsis of COBIT’s objectives and processes
Framework • A tool to be used as a comprehensive guidance for users, auditors, management & business process owners
Control Objectives • Generically defined high-level business needs organized by process/activity used to facilitate the implementation of a process
Audit Guidelines • A template used to facilitate the obtaining, evaluating, assessing and substantiating of information needed to evaluate overall control
Management Guidelines
• Set of action-oriented guidelines developed to assist management in answering:
  • Does the benefit outweigh the cost?
  • What are the indicators of good performance?
  • What are the critical success factors?
  • What are the risks of not achieving our objectives?
  • What do others do?
  • How do we measure and compare?
Framework (see handout)
• 4 Domains
  • Planning & Organization
  • Acquisition & Implementation
  • Delivery & Support
  • Monitoring
• 34 Control Objectives
• 318 Detailed Control Objectives
Audit Guidelines
• Obtain Understanding
  • Interviewing
  • Obtaining
• Evaluate Controls
  • Considering
• Assess Compliance
  • Testing
• Substantiate Risk
  • Performing
  • Identifying
Management Guidelines • Critical Success Factors • Key Goal Indicators • Key Performance Indicators • Maturity Model
Example • Manage Changes
Domain • Acquisition & Implementation
Control Objective • AI6
Detailed Control Objectives
• Change Request Initiation and Control
• Impact Assessment
• Control of Changes
• Emergency Changes
• Documentation and Procedures
• Authorized Maintenance
• Software Release Policy
• Distribution of Software
Audit Guidelines
• Obtain Understanding
  • Interviewing
  • Obtaining
• Evaluate Controls
  • Considering
• Assess Compliance
  • Testing
• Substantiate Risk
  • Performing
  • Identifying
Management Guidelines (Maturity Model)
• Non-existent
• Initial/Ad Hoc
• Repeatable but Intuitive
• Defined Process
• Managed & Measurable
• Optimized
Findings • Issues • Benchmarking
COBIT Case Studies
• Cedel Group
• Office of the State Auditor of Massachusetts
• PWC
• Fidelity Investments
• Department of Defense
• Boston Gas Company
• Santa Barbara Bank and Trust
• Society for Worldwide Interbank Financial Telecommunication