Lecture 3
COBIT
(Control Objectives for Information and related Technology)
ISA 3 COBIT
Introduction to COBIT (Control Objectives for
Information and related Technology)
• One major challenge faced by auditors
– Lack of a common framework within which to operate
– This problem was first addressed with the release of the
COBIT framework by the IT Governance Institute, USA,
sponsored by ISACA (Information Systems Audit and Control
Association)
Introduction to COBIT (Control Objectives for
Information and related Technology)
• IT Governance and Auditors
– To meet the business objectives, there had to be a common
ground for proactive discussion among auditors, IT management,
and the board.
– COBIT, an IT governance framework, addresses these issues
through several supporting tools and mechanisms.
– These mechanisms define the role of the auditor within the
realm of IT governance.
Introduction to COBIT (Control Objectives for
Information and related Technology)
• IT Governance and Auditors
– IT governance activities have thirty-four objectives, one for each
IT process. These are grouped into four domains, viz.,
• Planning and Organization
• Acquisition and Implementation
• Delivery and Support
• Monitoring
– COBIT, as a standard for IT security and control practices, is not
only meant for auditors but also for management, users, etc.
Introduction to COBIT (Control Objectives for
Information and related Technology)
• IT Governance and Auditors
– COBIT is helpful to managers, users, and auditors in the
following manner:
• Management: it helps them balance risk and control investments in
an often unpredictable IT environment
• Users: it helps them obtain assurance on the security and control of IT
services provided by internal and third parties
• IS auditors: it enables them to substantiate their opinion and/or provide
advice to management on matters of internal controls
Introduction to COBIT (Control Objectives for
Information and related Technology)
• IT Governance and Auditors
• Let us discuss the role of the auditor in each of the four domains of
COBIT mentioned earlier
– Planning and Organization
• The board of directors and management decide the strategy that would help
achieve business objectives, and ensure the technological infrastructure is in
place.
• Here, the auditor’s role is to evaluate and/or assess whether the
functioning of these processes is in accordance with the business objectives.
• The only process that the auditor is directly responsible for within this domain is
quality management.
• This process includes the development of a long-term strategic plan
• This process is concerned with the measurement criteria to be applied
• Identification of specific projects and work plans
Introduction to COBIT (Control Objectives for
Information and related Technology)
• The processes and auditor’s duties that are part of this domain
are:
– Define a strategic IT plan (evaluate/assess)
– Define the information architecture (evaluate/assess)
– Determine technological direction (evaluate/assess/inform/support)
– Define the IT organization and relationships
(evaluate/assess/inform/support)
– Communicate management’s aims and direction
(evaluate/assess/inform)
– Manage human resources (evaluate/assess/inform)
– Ensure compliance with external requirements (evaluate/assess)
– Assess risks (evaluate/assess)
– Manage projects (evaluate/assess/inform/support)
– Manage quality (evaluate/assess/responsible)
Introduction to COBIT (Control Objectives for
Information and related Technology)
• IT Governance and Auditors
– Acquisition and Implementation
• To realize the business strategies and tactics, IT solutions need to be
identified, developed or acquired.
• Within this domain, the primary role of the auditor is still to assess the
processes.
• However, here the auditor’s support is needed to control issues regarding the
acquisition and maintenance of application software.
Introduction to COBIT (Control Objectives for
Information and related Technology)
• Acquisition and Implementation
– The processes and auditor’s duties that are part of this
domain are:
• Identify automated solutions (evaluate)
• Acquire and maintain application software (evaluate/support)
• Acquire and maintain technology infrastructure (evaluate)
• Develop and maintain procedures (evaluate)
• Install and accredit systems (evaluate)
• Manage changes (evaluate/support)
Introduction to COBIT (Control Objectives for
Information and related Technology)
• Delivery and Support
– This domain is concerned with the delivery of IT services, including operations
through security, training, and support.
– The role of the auditor here is to evaluate and assess.
– The processes and auditor’s duties that are part of this domain are:
• Define and manage service levels (evaluate/assess)
• Manage third-party services (evaluate/assess)
• Manage performance and capacity (evaluate/assess)
• Ensure continuous service (evaluate/assess)
• Ensure system security (evaluate/assess/support)
• Identify and allocate costs (evaluate/assess)
• Educate and train users (evaluate/assess)
• Assist and advise customers (evaluate/assess)
• Manage configuration (evaluate/assess)
• Manage problems and incidents (evaluate/assess)
• Manage data (evaluate/assess)
• Manage facilities (evaluate/assess)
• Manage operations (evaluate/assess)
Introduction to COBIT (Control Objectives for
Information and related Technology)
• Monitoring
– In all previous domains, the auditor is required to check for compliance of
processes with quality and control requirements.
– Here the auditors have direct responsibility for, and provide direct
support to, the domain’s processes.
– The processes and auditor’s duties that are a part of this domain are:
• Monitor the processes (evaluate/assess/support)
• Assess internal control adequacy (evaluate/assess/support)
• Obtain independent assurance (evaluate/assess/support)
• Provide for an independent audit (evaluate/assess/support)
Directed Unsupervised Activity
• Visit the website of ISACA and find out the standards for IS
Audit documentation and give your comments.
• List ten assurance services and group them into
attestation and non-attestation services.
Control
• “any input given to a dynamic system to produce a desired
output.”
• Here the words dynamic and desired output are very
important.
[Figure: Input → Dynamic System → Desired output]
Control
• Dynamism of the System and Control Requirement
– Static system – control is not required
– The more dynamic the system, the greater its control requirement
– Computer system – control is not required if it is not being used
for any application or is switched off
– As complexity increases, the control requirement will also rise.
– This implies that
• Less control is required for a stand-alone system
• Greater control is required for one which is connected to a network or the Internet
Control
• Knowledge of the Dynamism of the System Makes Control
Effective
– The predictability of the complexity of a disease has helped in the
development of vaccines to prevent and cure it
– Similarly, in a computer system, control measures would operate
effectively if the dynamism and complexity were known.
Control
• The Input Should be Directed towards Achieving the
Desired Output
– If the inputs are not focused and directed towards specific
outputs, then the control mechanism will not be successful.
– There is no rule of thumb
– Each input or control measure should be directed towards
achieving a specific output.
Control
• The Output Should be Evaluated for Giving further
Appropriate Input to the System
Effects of Computers on Internal Controls
• The major areas in which a computerized environment affects
the internal controls within an enterprise, with the goals of asset
safeguarding, data integrity, and system efficiency and
effectiveness, are discussed below.
– Personnel
– Segregation of duties
– Authorization Procedures