Purposing the entirety of COBIT5 for the Assurance Professional. Ross E. Wescott MA CISA CIA CCP CUERME Wescott & Associates


The Conference that Counts, Albany, New York, Monday March 19, 2018

ROSS WESCOTT is Principal of Wescott and Associates, established in 2016 to provide IT audit, risk, governance, and control consulting to a variety of industries and government. He has experience in:
- IT audit program development and implementation using leading standards including COBIT 5 IT governance
- Internal Audit strategy, policy, standards, procedures, and guidelines development and maintenance
- Risk identification and assessment
- Controls identification, design and evaluation
- Data analytics
- End-to-end IT audit management and execution
- IT SOX program development and operation
- Disaster recovery plan development and review, scenario/exercise development and testing
- Recruiting, team building, development, teaching

Ross Wescott graduated from Portland State University in 1975 with a major in Mathematics/Computer Science. He also graduated in 1986 from Marylhurst University with a Master in Management. He is a Certified Internal Auditor, Certified Information Systems Auditor, Certified Computer Professional, and a Credit Union Enterprise Risk Management Expert. He is a current and active member of the Institute of Internal Auditors and the Information Systems Audit and Control Association. He has been published in the major Internal Auditing publications and has been a speaker at conventions and conferences on many Internal Audit topics.

IT assurance professionals have successfully used ISACA's COBIT products for many years. The IT assurance professional focus of these products made them the right tool to perform the right audits of IT. However, the IT management and governance focus of COBIT 5 is a noticeable departure from previous versions. With the refocus of COBIT 5, how can the IT assurance professional take advantage of the advances and concepts of COBIT 5 in the performance of their work?

In this session, you will learn:
- the history of COBIT and its predecessor
- assurance vs. governance vs. management
- the guiding principles of COBIT 5
- transitioning to COBIT 5
- turning COBIT 5 into an IT audit assurance tool

Before I begin, there is a bit of a conundrum.

I want to set the foundation for COBIT as thoroughly as possible. But there is so much information on COBIT available, it would take days to do it justice. So I will give you a taste of COBIT just to get started. The rest you will have to do on your own. But we will cover COBIT for the assurance professional more thoroughly.

History of COBIT:
- From the 70s, a compilation of guidelines, procedures, best practices, and standards for conducting EDP audits entitled "Control Objectives", updated four times between 1980 and 1992.
- COBIT (1996) and COBIT 2nd Edition (1998). Focus: Control Objectives.
- COBIT 3rd Edition (2000). Focus: Management Guidelines added.
- COBIT 4.0 (2005) and COBIT 4.1 (2007). Focus: Governance and compliance processes added.
- COBIT 5.0 (2012). Focus: Assurance processes removed, full focus on IT governance and management.

COBIT 5 is primarily a business framework made by, and for, practitioners and includes insights from IT and general management literature, including concepts and models such as strategic alignment, balanced scorecard, IT savviness and organizational systems. The core elements of COBIT 5 are built on these IT and general management insights.*

* ISACA COBIT Series White Paper, 2014 ISACA. All rights reserved. For usage guidelines, see www.isaca.org/cobituse.

And that can be audited:
- For Gaining Compliance: because it outlines the steps a business needs to take to be in accordance with legislative constraints by offering a set of best/good practices that will improve weaknesses in IT control areas.
- For Assessing Risk: because the uniform approach to IT/business integration can identify and help to mitigate organizational risk for IT and business as a whole.
- For Achieving Strategy: because it relates IT goals to enterprise goals in a goal cascade that helps define improvement priorities.

COBIT 5 is based on 5 principles that enable the organization to build an effective governance and management framework that optimizes information and technology investment and use for the benefit of a wide range of organizational stakeholders. These 5 COBIT principles are specifically designed to be generic so that, while they provide guidance, they are at the same time applicable for enterprises of all sizes, whether commercial, not for profit, or in the public sector.

The 5 Principles

Enablers are aspects that, separately and together, guide whether something will work, in the case of COBIT 5: governance and management over enterprise IT. Enablers are driven by COBIT goals, where higher-level IT-related goals define what the different enablers should achieve.

The 7 Enablers:
1. Principles, policies and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management.
2. Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals.
3. Organizational structures are the key decision-making entities in an enterprise.
4. Culture, ethics and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities.
5. Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself.
6. Services, infrastructure and applications include the infrastructure, technology and applications that provide the enterprise with information technology processing and services.
7. People, skills and competencies are required for successful completion of all activities, and for making correct decisions and taking corrective actions.

Also, COBIT Assessment Guide

Unlike COBIT (1996) and COBIT 2nd Edition (1998), where the focus was on assurance and the control objective as a bridge from the 1970s, COBIT 5 is NOT about control objectives. In fact, control objectives are gone. Control objectives were turned into best or good management practices. The audience for the product is not the assurance professional but IT management. So what is the assurance professional to do when the COBIT product seems to not be for them?

Cry? Get angry? Give up? Or, figure out how to make it work?

I decided to figure it out!

From COBIT 5 Enabling Processes Documentation

COBIT 4.1 to COBIT 5 Mapping - From COBIT 5 Enabling Processes

- VAL IT - Framework for Business Technology Management - a set of guiding principles for a governance framework, and supporting publications addressing the governance of IT-enabled business investments.
- RISK IT - Framework for Management of IT Related Business Risks - provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top, to operational issues.

VAL IT 2.0 to COBIT 5 - From COBIT 5 Enabling Processes

From RISK IT to COBIT 5 - From COBIT 5 Enabling Processes

Using COBIT 5 as the foundation, using the related linkages to COBIT 4.1, RISK IT, and VAL IT, and changing the wording of the COBIT 5 management objectives to turn them into assurance objectives, COBIT 5 became instantly usable to me as an assurance professional.

Let's look at an example.

Let's use EDM01 as the basis for our example.

Let's Briefly See What I Did With This

It took me 6 months of effort in 2013 to take COBIT 5 and do exactly what ISACA told us to do, albeit late, in 2014, but without the ways to do it. I customized COBIT 5 for my assurance practice. What I came out with in the end was a fully functional audit program using 100% of my own tests and approach that covered all of COBIT 5, supplemented with COBIT 4.1, RISK IT, and VAL IT: over 1000 audit objectives and nearly 1500 tests, all based on these management objectives. I put it into practice from 2014 to 2015 and audited our IT group against COBIT 5. All in all, the whole effort took 3 years.

Process Background

An IT governance framework allows IT to bridge the gaps effectively among control requirements, technical issues, and business risks. A well-established system of IT governance also enables clear policy development and good practice for IT control throughout, emphasizes regulatory compliance, and helps to increase the value attained from IT. IT governance puts structure around how to align IT strategy with business strategy, ensuring that IT stays on track to achieve stated strategies and goals, and implements good ways to measure IT's performance. An IT governance framework answers some key questions such as: how the IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from the investment it's making. Every organization needs a way to ensure that the IT function sustains the organization's strategies and objectives. To ensure that IT-related decisions are made in line with strategies and objectives, IT-related processes should receive effective and transparent oversight, comply with legal and regulatory requirements, and meet Board requirements.

Process Description

Analyze and articulate the requirements for the governance of enterprise IT, and put in place and maintain effective enabling structures, principles, processes and practices, with clarity of responsibilities and authority to achieve the enterprise's mission, goals and objectives.

Process Purpose Statement

Provide a consistent approach integrated and aligned with the enterprise governance approach. To ensure that IT-related decisions are made in line with the enterprise's strategies and objectives, ensure that IT-related processes are overseen effectively and transparently, compliance with legal and regulatory requirements is confirmed, and the governance requirements for board members are met.

Process Assessment Objectives

The objectives of this assessment are to determine if:
- A consistent and integrated approach aligned with the enterprise governance approach is provided.
- IT-related decisions are made in line with the enterprise's strategies and objectives.
- IT-related processes are overseen effectively and transparently.
- Compliance with legal and regulatory requirements is confirmed.
- The governance requirements for board members are met.

Process Risk Drivers (partial list)
- Controls not operating as expected
- Decreased stakeholder confidence
- High effort required to achieve compliance because of wrong or late decisions
- Ineffective responsibilities and accountabilities established for IT processes
- Non-compliance with regulatory requirements
- Organizational failure to maximize the use of emerging technological opportunities to improve business and IT capability

EDM01.01 Governance Practice

Original: Evaluate the governance system. Continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.

My Change: Evaluate the governance system. IT should continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.

Activity Title: EDM01.01.01

Activity Assessment Objective: Continually identify and engage with the enterprise's stakeholders, document an understanding of the requirements, and make a judgement on the current and future design of governance of enterprise IT.

Activity Assessment Objective: Identify and analyze the internal and external environmental factors (e.g., legal, regulatory, and contractual obligations) and trends in the business environment that may influence governance design.

Note: I rarely changed the activity wording, just the overall activity objective. Activities became audit steps. The activity assessments (tests) I created from scratch.

The audit programs are fully aligned with COBIT 5:
- They explicitly reference all seven enablers. In other words, they are not exclusively process-focused; they also use the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
- They reference the COBIT 5 goals cascade to ensure that detailed objectives of the audit engagement can be put into the enterprise and IT context, and concurrently they enable linkage of the assurance objectives to enterprise and IT risk and benefits.

In practice, assurance professionals need to use their own professional judgment to develop their own customized audit programs based on these assurance guidelines. The reason: the guidelines are very comprehensive, very academic, and, as stated in the guidance, cannot be used directly as is. They must be tailored. It is up to the advanced assurance professional to take the material, customize it to their organization's format, and then execute their own version of COBIT 5. I did, and it was very revealing and compelling to my clients.

Any Final Questions?

If you have any questions, please feel free to call and have a meaningful conversation:
Ross Wescott MA CISA CIA CCP CUERME
Principal, Wescott and Associates
503-961-4780
rew5@comcast.net

Thank You!

ISACA 2014. All rights reserved. Used with permission. Walt Disney 1937. All rights reserved.