Transcript of PowerPoint Presentation
1/12/2018
Purposing the entirety of COBIT5 for the Assurance
Professional
Ross E. Wescott MA CISA CIA CCP CUERME
Wescott & Associates
The Conference that Counts, Albany New York
Monday March 19, 2018
ROSS WESCOTT is Principal of Wescott and Associates, established in 2016 to provide IT audit, risk,
governance, and control consulting to a variety of industries and government. He has experience in
• IT audit program development and implementation using leading standards including Cobit5
• IT governance
• Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance
• Risk identification and assessment
• Controls identification, design and evaluation
• Data analytics
• End-to-end IT audit management and execution
• IT SOX program development and operation
• Disaster recovery plan development and review, scenario/exercise development and testing
• Recruiting, team building, development, teaching.
Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science.
He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal
Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise
Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the
Information Systems Audit and Control Association. He has been published in the major Internal Auditing
publications and has been a speaker at conventions and conferences on many Internal Audit topics.
Wescott & Associates. Copyright 2018. All rights reserved.
IT assurance professionals have successfully used ISACA’s COBIT products for
many years. The IT assurance professional focus of these products made them the
right tool to perform the right audits of IT. However, the IT management and
governance focus of COBIT5 is a noticeable departure from previous versions. With
the refocus of COBIT5, how can the IT Assurance professional take advantage of the
advances and concepts of COBIT5 in the performance of their work? In this session,
you will learn:
• the history of COBIT and its predecessor
• assurance vs. governance vs. management
• the guiding principles of COBIT 5
• transitioning to COBIT 5
• turning COBIT 5 into an IT Audit assurance tool
Before I begin, there is a bit of a conundrum…
• I want to set the foundation for COBIT as thoroughly as possible. But…
• There is so much information on COBIT available, it would take days to do it justice. So…
• I will give you a taste of COBIT just to get started.
• The rest you will have to do on your own.
• But, we will cover COBIT for the Assurance professional more thoroughly.
• From the ‘70s, a compilation of guidelines, procedures, best practices, and standards for conducting EDP audits entitled "Control Objectives”, updated four times between 1980 and 1992.
• COBIT (1996) and COBIT 2nd Edition (1998). Focus: Control Objectives
• COBIT 3rd Edition (2000). Focus: Management Guidelines added
• COBIT 4.0 (2005) and COBIT 4.1 (2007). Focus: Governance and compliance processes added
• COBIT 5.0 (2012). Focus: Assurance processes removed, full focus on IT governance and management
“COBIT 5 is primarily a business framework made by,
and for, practitioners and includes insights from IT and
general management literature, including concepts and
models such as strategic alignment, balanced
scorecard, IT savviness and organizational systems.
The core elements of COBIT 5 are built on these IT and
general management insights.”
* ISACA COBIT Series White Paper © 2014 ISACA. All rights reserved. For usage guidelines, see
www.isaca.org/COBITuse.
And that can be audited:
• For Gaining Compliance: because it outlines the steps a business
needs to take to be in accordance with legislative constraints by
offering a set of best/good practices that will improve weaknesses
in IT control areas.
• For Assessing Risk: because the uniform approach to IT/business
integration can identify and help to mitigate organizational risk for
IT and business as a whole.
• For Achieving Strategy: because it relates IT goals to enterprise
goals in a goal cascade that helps define priorities for improvements.
COBIT 5 is based on 5 principles that enable the organization to
build an effective governance and management framework that
optimizes information and technology investment and use for the
benefit of a wide range of organizational stakeholders.
These 5 COBIT principles are specifically designed to be generic
so that, while they provide guidance, they are at the same time
applicable for enterprises of all sizes, whether commercial, not for
profit, or in the public sector.
The 5 Principles
Enablers are aspects that, separately and together, guide whether
something will work—in the case of COBIT 5: governance and
management over enterprise IT.
Enablers are driven by COBIT goals, where higher-level IT-related
goals define what the different enablers should achieve.
1. Principles, policies and frameworks are the vehicle to translate the
desired behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to
achieve certain objectives and produce a set of outputs in support of
achieving overall IT-related goals.
3. Organizational structures are the key decision-making entities in an
enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are
very often underestimated as a success factor in governance and
management activities.
5. Information is required for keeping the organization running and well
governed, but at the operational level, information is very often the key
product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure,
technology and applications that provide the enterprise with information
technology processing and services.
7. People, skills and competencies are required for successful
completion of all activities, and for making correct decisions and taking
corrective actions.
Also, COBIT Assessment Guide
• Unlike COBIT (1996) and COBIT 2nd Edition (1998) where the
focus was on assurance and the control objective as a bridge
from the 1970’s, COBIT 5 is NOT about control objectives.
• In fact, control objectives are gone.
• Control objectives were turned into best or good management
practices.
• The audience for the product is not the assurance professional
but IT management.
• So what is the assurance professional to do when the COBIT
product seems to not be for them?
CRY?
Get Angry?
Give Up?
Or, figure out how to make it work?
I decided to figure it out!
From COBIT 5 – Enabling Processes Documentation
COBIT 4.1 to COBIT 5 Mapping - From COBIT 5 – Enabling Processes
• VAL-IT - Framework for Business Technology Management -
set of guiding principles for governance framework, and
supporting publications addressing the governance of IT-enabled
business investments
• RISK-IT - Framework for Management of IT Related Business
Risks - provides an end-to-end, comprehensive view of all risks
related to the use of IT and a similarly thorough treatment of risk
management, from the tone and culture at the top, to operational
issues
VAL IT 2.0 to COBIT 5 - From COBIT 5 – Enabling Processes
From RISK IT to COBIT 5: From COBIT 5 – Enabling Processes
• Using COBIT 5 as the foundation
• Using the related linkages to COBIT 4.1, RISK IT, and VAL
IT
• And changing the wording of the COBIT5 Management
Objectives to turn them into Assurance Objectives…
COBIT5 became instantly usable to me as an assurance
professional.
Let’s look at an example.
Let’s use EDM01 as the basis for our example.
Let’s Briefly See What I Did With This
• It took me 6 months of effort in 2013 to take COBIT 5 and do exactly
what ISACA told us to do (albeit late, in 2014), but without the ways
to do it.
• I customized COBIT 5 for my assurance practice.
• What I came out with in the end was a fully functional audit program
using 100% of my own tests and approach that covered all of
COBIT 5, supplemented with COBIT 4.1, RISK IT, and VAL IT.
• Over 1000 audit objectives and nearly 1500 tests, all based on these
management objectives.
• I put it into practice from 2014 to 2015 and audited our IT group
against COBIT 5. All in all, the whole effort took 3 years.
Process Background
An IT governance framework allows IT to bridge the gaps effectively among control
requirements, technical issues, and business risks. A well-established system of IT governance
also enables clear policy development and good practice for IT control throughout the organization, emphasizes
regulatory compliance, and helps to increase the value attained from IT. IT governance puts
structure around how to align IT strategy with business strategy, ensures that IT stays on track to
achieve stated strategies and goals, and implements good ways to measure IT’s performance.
An IT governance framework answers some key questions such as: how the IT department is
functioning overall, what key metrics management needs and what return IT is giving back to the
business from the investment it’s making.
Every organization needs a way to ensure that the IT function sustains the organization’s
strategies and objectives. To ensure that IT-related decisions are made in line with strategies
and objectives, IT-related processes should receive effective and transparent oversight, comply
with legal and regulatory requirements, and meet Board requirements.
Process Description
Analyze and articulate the requirements for the governance of enterprise IT,
and put in place and maintain effective enabling structures, principles,
processes and practices, with clarity of responsibilities and authority to achieve
the enterprise’s mission, goals and objectives.
Process Purpose Statement
Provide a consistent approach integrated and aligned with the enterprise
governance approach. To ensure that IT-related decisions are made in line with
the enterprise’s strategies and objectives, ensure that IT-related processes are
overseen effectively and transparently, compliance with legal and regulatory
requirements is confirmed, and the governance requirements for board
members are met.
Process Assessment Objectives
The objectives of this assessment are to determine if
• A consistent and integrated approach aligned with the enterprise
governance approach is provided.
• IT-related decisions are made in line with the enterprise’s strategies and
objectives.
• IT-related processes are overseen effectively and transparently.
• Compliance with legal and regulatory requirements is confirmed.
• The governance requirements for board members are met.
Process Risk Drivers (partial list)
• Controls not operating as expected
• Decreased stakeholder confidence
• High effort required to achieve compliance because of wrong
or late decisions
• Ineffective responsibilities and accountabilities established
for IT processes
• Non-compliance with regulatory requirements
• Organizational failure to maximize the use of emerging
technological opportunities to improve business and IT
capability
EDM01.01 Governance Practice
Original: Evaluate the governance system. Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.
My Change: Evaluate the governance system. IT should continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.
Activity Title: EDM01.01.01
Activity Assessment Objective: Continually identify and engage with the enterprise’s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.
Activity Assessment Objective: Identify and analyze the internal and external environmental factors (e.g., legal, regulatory, and contractual obligations) and trends in the business environment that may influence governance design.
Note: I rarely changed the activity wording, just the overall activity objective. Activities became audit steps. The activity assessments (tests) I created from scratch.
The audit programs are fully aligned with COBIT 5:
• They explicitly reference all seven enablers. In other
words, they are not exclusively process-focused; they
also use the different dimensions of the enabler model
to cover all aspects contributing to the performance of
the enablers.
• They reference the COBIT 5 goals cascade to ensure
that detailed objectives of the audit engagement can be
put into the enterprise and IT context, and concurrently
they enable linkage of the assurance objectives to
enterprise and IT risk and benefits.
• In practice, assurance professionals need to use their own
professional judgment to develop their own customized
audit programs based on these assurance guidelines.
• The reason: the guidelines are very comprehensive, very
academic, and, as stated in the guidance, cannot be used
directly as is. They must be tailored.
• It is up to the advanced assurance professional to take the
material, customize it to their organization’s format, and
then execute their own version of COBIT 5.
• I did and it was very revealing and compelling to my clients.
Any Final Questions?
If you have any questions, please feel free to call and have a meaningful conversation:
Ross Wescott MA CISA CIA CCP CUERME
Principal
Wescott and Associates
503-961-4780
Thank You!
© ISACA 2014 All rights reserved. Used with Permission
© Walt Disney 1937. All rights reserved.