PowerPoint Presentation · focus was on assurance and the control objective as a bridge from the...

1/12/2018

1

Purposing the entirety of COBIT5 for the Assurance

Professional

Ross E. Wescott MA CISA CIA CCP CUERME

Wescott & Associates

The Conference that Counts, Albany New York

Monday March 19, 2018

ROSS WESCOTT is Principal of Wescott and Associates, established in 2016 to provide IT audit, risk,

governance, and control consulting to a variety of industries and government. He has experience in

• IT audit program development and implementation using leading standards including Cobit5

• IT governance

• Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance

• Risk identification and assessment

• Controls identification, design and evaluation

• Data analytics

• End-to-end IT audit management and execution

• IT SOX program development and operation

• Disaster recovery plan development and review, scenario/exercise development and testing

• Recruiting, team building, development, teaching.

Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science.

He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal

Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise

Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the

Information Systems Audit and Control Association. He has been published in the major Internal Auditing

publications and has been a speaker at conventions and conferences on many Internal Audit topics.

2

Wescott & Associates. Copyright 2018. All rights reserved.

1/12/2018

2

3


IT assurance professionals have successfully used ISACA’s COBIT products for

many years. The IT assurance professional focus of these products made them the

right tool to perform the right audits of IT. However, the IT management and

governance focus of COBIT5 is a noticeable departure from previous versions. With

the refocus of COBIT5, how can the IT Assurance professional take advantage of the

advances and concepts of COBIT5 in the performance of their work? In this session,

you will learn:

• the history of COBIT and its predecessor

• assurance vs. governance vs. management

• the guiding principles of COBIT 5

• transitioning to COBIT 5

• turning COBIT 5 into an IT Audit assurance tool

4


Before I begin, there is a bit of a conundrum…

1/12/2018

3

5


• I want to set the foundation for COBIT as thoroughly as possible. But…

• There is so much information on COBIT available, it would take days to do it justice. So…

• I will give you a taste of COBIT just to get started.• The rest you will have to do on your own.• But, we will cover COBIT for the Assurance

professional more thoroughly.

6


• From the ‘70s, a compilation of guidelines, procedures, best

practices, and standards for conducting EDP audits entitled "Control

Objectives” updated four times between 1980 and 1992.

• COBIT (1996) and COBIT 2nd Edition (1998). Focus: Control

Objectives

• COBIT 3rd Edition (2000), Focus: Management Guidelines added

• COBIT 4.0 (2005) and COBIT 4.1 (2007). Focus: Governance and

compliance processes added

• COBIT 5.0 (2012) Focus: Assurance processes removed, Full focus

on IT governance and management

1/12/2018

4

7


8


“COBIT 5 is primarily a business framework made by,

and for, practitioners and includes insights from IT and

general management literature, including concepts and

models such as strategic alignment, balanced

scorecard, IT savviness and organizational systems.

The core elements of COBIT 5 are built on these IT and

general management insights.”

* ISACA COBIT Series White Paper © 2014 ISACA. All rights reserved. For usage guidelines, see

www.isaca.org/COBITuse.

1/12/2018

5

9


And that can be audited:

• For Gaining Compliance: because it outlines the steps a business

needs to take to be in accordance with legislative constraints by

offering a set of best/good practices that will improve weaknesses

in IT control areas.

• For Assessing Risk: because the uniform approach to IT/business

integration can identify and help to mitigate organizational risk for

IT and business as a whole.

• For Achieving Strategy: because it relates IT-goals to enterprise

goals in a goal cascade that help define priorities improvements.

10


COBIT 5 is based on 5 principles that enable the organization to

build an effective governance and management framework that

optimizes information and technology investment and use for the

benefit of a wide range of organizational stakeholders.

These 5 COBIT principles are specifically designed to be generic

so that, while they provide guidance, they are at the same time

applicable for enterprises of all sizes, whether commercial, not for

profit, or in the public sector.

1/12/2018

6

11


The 5 Principles

12


Enablers are aspects that, separately and together, guide whether

something will work—in the case of COBIT 5: governance and

management over enterprise IT.

Enablers are driven by COBIT goals, where higher-level IT-related

goals define what the different enablers should achieve.

1/12/2018

7

13


1. Principles, policies and frameworks are the vehicle to translate the

desired behavior into practical guidance for day-to-day management.

2. Processes describe an organized set of practices and activities to

achieve certain objectives and produce a set of outputs in support of

achieving overall IT-related goals.

3. Organizational structures are the key decision-making entities in an

enterprise.

4. Culture, ethics and behavior of individuals and of the enterprise are

very often underestimated as a success factor in governance and

management activities.

14


5. Information is required for keeping the organization running and well

governed, but at the operational level, information is very often the key

product of the enterprise itself.

6. Services, infrastructure and applications include the infrastructure,

technology and applications that provide the enterprise with information

technology processing and services.

7. People, skills and competencies are required for successful

completion of all activities, and for making correct decisions and taking

corrective actions.

1/12/2018

8

15


Also, COBIT

Assessment

Guide

16


• Unlike COBIT (1996) and COBIT 2nd Edition (1998) where the

focus was on assurance and the control objective as a bridge

from the 1970’s, COBIT 5 is NOT about control objectives.

• In fact, control objectives are gone.

• Control objectives were turned into best or good management

practices.

• The audience for the product is not the assurance professional

but IT management.

• So what is the assurance professional to do when the COBIT

product seems to not be for them?

1/12/2018

9

17


CRY?

18


Get Angry?

1/12/2018

10

19


Give Up?

20


Or, figure out how to make it work?

1/12/2018

11

21


I decided to figure it out!

22


From COBIT 5

– Enabling

Processes

Documentation

1/12/2018

12

23


COBIT 4.1

to COBIT5

Mapping -

From

COBIT 5 –

Enabling

Processes

24


• VAL-IT - Framework for Business Technology Management -

set of guiding principles for governance framework, and

supporting publications addressing the governance of IT-enabled

business investments

• RISK-IT - Framework for Management of IT Related Business

Risks - provides an end-to-end, comprehensive view of all risks

related to the use of IT and a similarly thorough treatment of risk

management, from the tone and culture at the top, to operational

issues

1/12/2018

13

25


VAL IT 2.0 to

COBIT 5 -

From COBIT

5 – Enabling

Processes

26


From RISK

IT to COBIT

5: From

COBIT 5 –

Enabling

Processes

1/12/2018

14

27


• Using COBIT 5 as the foundation

• Using the related linkages to COBIT 4.1, RISK IT, and VAL

IT

• And changing the wording of the COBIT5 Management

Objectives to turn them into Assurance Objectives…

COBIT5 became instantly usable to me as an assurance

professional.

28


Let’s look at an example.

1/12/2018

15

29


Let’s use EDM01 as the basis

for our example.

30



for our example.

1/12/2018

16

31



for our example.

32



for our example.

1/12/2018

17

33


Let’s Briefly See What I Did With This

34


• It took me 6 months of effort in 2013 to take COBIT 5 and do exactly

what ISACA told us to do, albeit late, in 2014 but without the ways

to do it.

• I customized COBIT5 for my assurance practice.

• What I came out with in the end was a fully functional audit program

using 100% of my own tests and approach that covered all of

COBIT5 supplemented with CobIT 4.1, RISK IT, and VAL IT.

• Over 1000 audit objectives and nearly 1500 tests, all based on these

management objectives.

• I put it into practice from 2014 to 2015 and audited our IT group

against Cobit5. All in all, the whole effort took 3 years.

1/12/2018

18

35


Process Background

An IT governance framework allows IT to bridge the gaps effectively among control

requirements, technical issues, and business risks. A well-established system of IT governance

also enables clear policy development and good practice for IT control throughout , emphasizes

regulatory compliance, and helps to increase the value attains from IT. IT governance puts

structure around how to align IT strategy with business strategy, ensuring that stays on track to

achieve stated strategies and goals, and implements good ways to measure IT’s performance.

An IT governance framework answers some key questions such as: how the IT department is

functioning overall, what key metrics management needs and what return IT is giving back to the

business from the investment it’s making.

Every organization needs a way to ensure that the IT function sustains the organization’s

strategies and objectives. To ensure that IT-related decisions are made in line with strategies

and objectives, IT-related processes should receive effective and transparent oversight, comply

with legal and regulatory requirements, and meet Board requirements.

36


Process Description

Analyze and articulate the requirements for the governance of enterprise IT,

and put in place and maintain effective enabling structures, principles,

processes and practices, with clarity of responsibilities and authority to achieve

the enterprise’s mission, goals and objectives.

Process Purpose Statement

Provide a consistent approach integrated and aligned with the enterprise

governance approach. To ensure that IT-related decisions are made in line with

the enterprise’s strategies and objectives, ensure that IT-related processes are

overseen effectively and transparently, compliance with legal and regulatory

requirements is confirmed, and the governance requirements for board

members are met.

1/12/2018

19

37


Process Assessment Objectives

The objectives of this assessment are to determine if

• A consistent and integrated approach aligned with the enterprise

governance approach is provided.

• IT-related decisions are made in line with the enterprise’s strategies and

objectives.

• IT-related processes are overseen effectively and transparently.

• Compliance with legal and regulatory requirements is confirmed.

• The governance requirements for board members are met.

38


• Process Risk Drivers (partial list)

• Controls not operating as expected

• Decreased stakeholder confidence

• High effort required to achieve compliance because of wrong

or late decisions

• Ineffective responsibilities and accountabilities established

for IT processes

• Non-compliance with regulatory requirements

• Organizational failure to maximize the use of emerging

technological opportunities to improve business and IT

capability

1/12/2018

20

39


EDM01.01 Governance Practice

Evaluate the governance

system. IT should continually

identify and engage with the

enterprise’s stakeholders, document

an understanding of the

requirements, and make a

judgement on the current and future

design of governance of enterprise

IT.

Evaluate the governance

system. Continually identify and

engage with the enterprise’s

stakeholders, document an

understanding of the

requirements, and make a

judgement on the current and

future design of governance of

enterprise IT.

Original My Change

40


Activity Title: EDM01.01.01

Activity Assessment

Objective: Continually identify

and engage with the

enterprise’s stakeholders,

document an understanding of

the requirements, and make a

judgement on the current and

future design of governance of

enterprise IT.

Activity Assessment

Objective: Identify and

analyze the internal and

external environmental factors

(e.g., legal, regulatory, and

contractual obligations) and

trends in the business

environment that may influence

governance design.

1/12/2018

21

41


Note: I rarely

changed the

activity wording,

just the overall

activity objective.

Activities

became audit

steps. The

activity

assessments

(tests) I created

from scratch.

42


1/12/2018

22

43


The audit programs are fully aligned with COBIT 5:

• They explicitly reference all seven enablers. In other

words, they are not exclusively process-focused; they

also use the different dimensions of the enabler model

to cover all aspects contributing to the performance of

the enablers.

• They reference the COBIT 5 goals cascade to ensure

that detailed objectives of the audit engagement can be

put into the enterprise and IT context, and concurrently

they enable linkage of the assurance objectives to

enterprise and IT risk and benefits.

44


• In practice, assurance professionals need to use their own

professional judgment to develop their own customized

audit programs based on these assurance guidelines.

• The reason: the guidelines are very comprehensive, very

academic, and, as stated in the guidance, cannot be used

directly as is. They must be tailored.

• It is up to the advanced assurance professional to take the

material, customize it to their organizations format, and

then execute their own version of COBIT5.

• I did and it was very revealing and compelling to my clients.

1/12/2018

23

45

Any Final

Questions?


46

If you have any questions, please feel free to call and have a meaningful conversation:

Ross Wescott MA CISA CIA CCP CUERME

Principal

Wescott and Associates

503-961-4780

[email protected]


PowerPoint Presentation · focus was on assurance and the control objective as a bridge from the...

Documents

Transcript of PowerPoint Presentation · focus was on assurance and the control objective as a bridge from the...