Purposing the entirety of COBIT5 for the Assurance Professional Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates The Conference that Counts, Albany New York Monday March 19, 2018 ROSS WESCOTT is Principal of Wescott and Associates, established in 2016 to provide IT audit, risk, governance, and control consulting to a variety of industries and government. He has experience in IT audit program development and implementation using leading standards including Cobit5 IT governance Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance Risk identification and assessment Controls identification, design and evaluation Data analytics End-to-end IT audit management and execution IT SOX program development and operation Disaster recovery plan development and review, scenario/exercise development and testing Recruiting, team building, development, teaching. Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science. He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the Information Systems Audit and Control Association. He has been published in the major Internal Auditing publications and has been a speaker at conventions and conferences on many Internal Audit topics. 2 1
IT assurance professionals have successfully used ISACA s COBIT products for many years. The IT assurance professional focus of these products made them the right tool to perform the right audits of IT. However, the IT management and governance focus of COBIT5 is a noticeable departure from previous versions. With the refocus of COBIT5, how can the IT Assurance professional take advantage of the advances and concepts of COBIT5 in the performance of their work? In this session, you will learn: the history of COBIT and its predecessor assurance vs. governance vs. management the guiding principles of COBIT 5 transitioning to COBIT 5 turning COBIT 5 into an IT Audit assurance tool 3 Before I begin, there is a bit of a conundrum 4 2
I want to set the foundation for COBIT as thoroughly as possible. But There is so much information on COBIT available, it would take days to do it justice. So I will give you a taste of COBIT just to get started. The rest you will have to do on your own. But, we will cover COBIT for the Assurance professional more thoroughly. 5 From the 70s, a compilation of guidelines, procedures, best practices, and standards for conducting EDP audits entitled "Control Objectives updated four times between 1980 and 1992. COBIT (1996) and COBIT 2nd Edition (1998). Focus: Control Objectives COBIT 3rd Edition (2000), Focus: Management Guidelines added COBIT 4.0 (2005) and COBIT 4.1 (2007). Focus: Governance and compliance processes added COBIT 5.0 (2012) Focus: Assurance processes removed, Full focus on IT governance and management 6 3
7 COBIT 5 is primarily a business framework made by, and for, practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, balanced scorecard, IT savviness and organizational systems. The core elements of COBIT 5 are built on these IT and general management insights. * ISACA COBIT Series White Paper 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/cobituse. 8 4
And that can be audited: For Gaining Compliance: because it outlines the steps a business needs to take to be in accordance with legislative constraints by offering a set of best/good practices that will improve weaknesses in IT control areas. For Assessing Risk: because the uniform approach to IT/business integration can identify and help to mitigate organizational risk for IT and business as a whole. For Achieving Strategy: because it relates IT-goals to enterprise goals in a goal cascade that help define priorities improvements. 9 COBIT 5 is based on 5 principles that enable the organization to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of a wide range of organizational stakeholders. These 5 COBIT principles are specifically designed to be generic so that, while they provide guidance, they are at the same time applicable for enterprises of all sizes, whether commercial, not for profit, or in the public sector. 10 5
The 5 Principles 11 Enablers are aspects that, separately and together, guide whether something will work in the case of COBIT 5: governance and management over enterprise IT. Enablers are driven by COBIT goals, where higher-level IT-related goals define what the different enablers should achieve. 12 6
1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management. 2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals. 3. Organizational structures are the key decision-making entities in an enterprise. 4. Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities. 13 5. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself. 6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services. 7. People, skills and competencies are required for successful completion of all activities, and for making correct decisions and taking corrective actions. 14 7
Also, COBIT Assessment Guide 15 Unlike COBIT (1996) and COBIT 2nd Edition (1998) where the focus was on assurance and the control objective as a bridge from the 1970 s, COBIT 5 is NOT about control objectives. In fact, control objectives are gone. Control objectives were turned into best or good management practices. The audience for the product is not the assurance professional but IT management. So what is the assurance professional to do when the COBIT product seems to not be for them? 16 8
CRY? 17 Get Angry? 18 9
Give Up? 19 Or, figure out how to make it work? 20 10
I decided to figure it out! 21 From COBIT 5 Enabling Processes Documentation 22 11
COBIT 4.1 to COBIT5 Mapping - From COBIT 5 Enabling Processes 23 VAL-IT - Framework for Business Technology Management - set of guiding principles for governance framework, and supporting publications addressing the governance of IT-enabled business investments RISK-IT - Framework for Management of IT Related Business Risks - provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues 24 12
VAL IT 2.0 to COBIT 5 - From COBIT 5 Enabling Processes 25 From RISK IT to COBIT 5: From COBIT 5 Enabling Processes 26 13
Using COBIT 5 as the foundation Using the related linkages to COBIT 4.1, RISK IT, and VAL IT And changing the wording of the COBIT5 Management Objectives to turn them into Assurance Objectives COBIT5 became instantly usable to me as an assurance professional. 27 Let s look at an example. 28 14
Let s use EDM01 as the basis for our example. 29 Let s use EDM01 as the basis for our example. 30 15
Let s use EDM01 as the basis for our example. 31 Let s use EDM01 as the basis for our example. 32 16
Let s Briefly See What I Did With This 33 It took me 6 months of effort in 2013 to take COBIT 5 and do exactly what ISACA told us to do, albeit late, in 2014 but without the ways to do it. I customized COBIT5 for my assurance practice. What I came out with in the end was a fully functional audit program using 100% of my own tests and approach that covered all of COBIT5 supplemented with CobIT 4.1, RISK IT, and VAL IT. Over 1000 audit objectives and nearly 1500 tests, all based on these management objectives. I put it into practice from 2014 to 2015 and audited our IT group against Cobit5. All in all, the whole effort took 3 years. 34 17
Process Background An IT governance framework allows IT to bridge the gaps effectively among control requirements, technical issues, and business risks. A well-established system of IT governance also enables clear policy development and good practice for IT control throughout, emphasizes regulatory compliance, and helps to increase the value attains from IT. IT governance puts structure around how to align IT strategy with business strategy, ensuring that stays on track to achieve stated strategies and goals, and implements good ways to measure IT s performance. An IT governance framework answers some key questions such as: how the IT department is functioning overall, what key metrics management needs and what return IT is giving back to the business from the investment it s making. Every organization needs a way to ensure that the IT function sustains the organization s strategies and objectives. To ensure that IT-related decisions are made in line with strategies and objectives, IT-related processes should receive effective and transparent oversight, comply with legal and regulatory requirements, and meet Board requirements. 35 Process Description Analyze and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise s mission, goals and objectives. Process Purpose Statement Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise s strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met. 36 18
Process Assessment Objectives The objectives of this assessment are to determine if A consistent and integrated approach aligned with the enterprise governance approach is provided. IT-related decisions are made in line with the enterprise s strategies and objectives. IT-related processes are overseen effectively and transparently. Compliance with legal and regulatory requirements is confirmed. The governance requirements for board members are met. 37 Process Risk Drivers (partial list) Controls not operating as expected Decreased stakeholder confidence High effort required to achieve compliance because of wrong or late decisions Ineffective responsibilities and accountabilities established for IT processes Non-compliance with regulatory requirements Organizational failure to maximize the use of emerging technological opportunities to improve business and IT capability 38 19
EDM01.01 Governance Practice Original My Change Evaluate the governance system. Continually identify and engage with the enterprise s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT. Evaluate the governance system. IT should continually identify and engage with the enterprise s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT. 39 Activity Title: EDM01.01.01 Activity Assessment Objective: Continually identify and engage with the enterprise s stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT. Activity Assessment Objective: Identify and analyze the internal and external environmental factors (e.g., legal, regulatory, and contractual obligations) and trends in the business environment that may influence governance design. 40 20
Note: I rarely changed the activity wording, just the overall activity objective. Activities became audit steps. The activity assessments (tests) I created from scratch. 41 42 21
The audit programs are fully aligned with COBIT 5: They explicitly reference all seven enablers. In other words, they are not exclusively process-focused; they also use the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers. They reference the COBIT 5 goals cascade to ensure that detailed objectives of the audit engagement can be put into the enterprise and IT context, and concurrently they enable linkage of the assurance objectives to enterprise and IT risk and benefits. 43 In practice, assurance professionals need to use their own professional judgment to develop their own customized audit programs based on these assurance guidelines. The reason: the guidelines are very comprehensive, very academic, and, as stated in the guidance, cannot be used directly as is. They must be tailored. It is up to the advanced assurance professional to take the material, customize it to their organizations format, and then execute their own version of COBIT5. I did and it was very revealing and compelling to my clients. 44 22
Any Final Questions? 45 If you have any questions, please feel free to call and have a meaningful conversation: Ross Wescott MA CISA CIA CCP CUERME Principal Wescott and Associates 503-961-4780 rew5@comcast.net 46 23
Thank You! ISACA 2014 All rights reserved. Used with Permission Walt Disney 1937. All rights reserved. 47 24