Latest notes by SIR Muhammad Suleman Saleem

Control Objectives for Information and related Technology (COBIT®)
  • IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the organization’s strategies and objectives.
  • Furthermore, IT governance integrates and institutionalizes good practices to ensure that the enterprise’s IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage.
  • Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused on control and less on execution. These practices help optimize IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.
  • For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
a. Making a link to the business requirements
b. Organizing IT activities into a generally accepted process model
c. Identifying the major IT resources to be leveraged
d. Defining the management control objectives to be considered
  • Thus, COBIT supports IT governance by providing a framework to ensure that:
a. IT is aligned with the business
b. IT enables the business and maximizes benefits
c. IT resources are used responsibly
d. IT risks are managed appropriately
  • The benefits of implementing COBIT as a governance framework over IT include:
    • Better alignment, based on a business focus
    • A view, understandable to management, of what IT does
    • Clear ownership and responsibilities, based on process orientation
    • General acceptability with third parties and regulators
    • Shared understanding amongst all stakeholders, based on a common language
    • Fulfillment of the COSO requirements for the IT control environment
  • To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains, as shown in figure 8, are called:
    • Plan and Organise (PO)—provides direction to solution delivery (AI) and service delivery (DS)
    • Acquire and Implement (AI)—provides the solutions and passes them to be turned into services
    • Deliver and Support (DS)—receives the solutions and makes them usable for end users
    • Monitor and Evaluate (ME)—monitors all processes to ensure that the direction provided is followed
PLAN AND ORGANISE (PO)
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed from different perspectives. A proper organization as well as a technological infrastructure should be put in place. This domain typically addresses the following management questions:
a. Are IT and the business strategy aligned?
b. Is the enterprise achieving optimum use of its resources?
c. Does everyone in the organization understand the IT objectives?
d. Are IT risks understood and being managed?
e. Is the quality of IT systems appropriate for business needs?
ACQUIRE AND IMPLEMENT (AI)
To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
a. Are new projects likely to deliver solutions that meet business needs?
b. Are new projects likely to be delivered on time and within budget?
c. Will the new systems work properly when implemented?
d. Will changes be made without upsetting current business operations?
DELIVER AND SUPPORT (DS)
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
a. Are IT services being delivered in line with business priorities?
b. Are IT costs optimized?
c. Is the workforce able to use the IT systems productively and safely?
d. Are adequate confidentiality, integrity and availability in place for information security?
MONITOR AND EVALUATE (ME)
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
a. Is IT’s performance measured to detect problems before it is too late?
b. Does management ensure that internal controls are effective and efficient?
c. Can IT performance be linked back to business goals?
d. Are adequate confidentiality, integrity and availability controls in place for information security?
Across these four domains, COBIT has identified 34 IT processes that are generally used.
While most enterprises have defined plan, build, run and monitor responsibilities for IT, and most have the same key processes, few will have the same process structure or apply all 34 COBIT processes. COBIT provides a complete list of processes that can be used to verify the completeness of activities and responsibilities; however, they need not all apply, and they can be combined as required by each enterprise. For each of these 34 processes, a link is made to the business and IT goals that are supported. Information on how the goals can be measured, what the key activities and major deliverables are, and who is responsible for them is also provided.
IT GOVERNANCE
  • Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.
  • Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
  • Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.
  • Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise’s appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.
  • Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

No:2

A control objective can be defined as a goal that ensures that some set of risks does not occur. Control objectives can almost be thought of as the inverse of a risk: if a risk is the potential that something bad can happen, then a control objective ensures that the risk does not materialize.

Corporate Governance
Corporate governance is the system by which businesses are directed and controlled. The rights and responsibilities of running the company start at the top of the organization. They are then distributed and managed through the formal development and deployment of a structure that spells out the policies and procedures for making decisions and declaring the corporation’s directives in line with the business culture and its mission and objectives. This establishes a governance structure that motivates management and the other persons who are held accountable to meet the company’s stated objectives, and that assures those objectives are attained through monitoring and incentive programs.
Auditing IT governance

Information security governance
Outcomes of security governance
  • Strategic alignment – Align information security with business strategy to support business objectives
  • Risk management – Manage and execute appropriate measures to mitigate risk and reduce potential impacts on information resources to an acceptably low level
  • Value delivery – Optimize security investment in support of business objectives
  • Resource management – Utilize information security knowledge and infrastructure efficiently and effectively
  • Performance management – Measure, monitor and report on information security processes to ensure that objectives are achieved

NO:3

COSO Framework Description

In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed a model for evaluating internal controls. This model has been adopted as the generally accepted framework for internal control and is widely recognized as the definitive standard against which organizations measure the effectiveness of their systems of internal control. The COSO model defines internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance of the achievement of objectives in the following categories:
  • Effectiveness and efficiency of operations
  • Reliability of financial reporting
  • Compliance with applicable laws and regulations”

In an “effective” internal control system, the following five components work to support the achievement of an entity’s mission, strategies and related business objectives.

1. Control Environment
  • Integrity and Ethical Values
  • Commitment to Competence
  • Board of Directors and Audit Committee
  • Management’s Philosophy and Operating Style
  • Organizational Structure
  • Assignment of Authority and Responsibility
  • Human Resource Policies and Procedures
2. Risk Assessment
  • Company-wide Objectives
  • Process-level Objectives
  • Risk Identification and Analysis
  • Managing Change
3. Control Activities
  • Policies and Procedures
  • Security (Application and Network)
  • Application Change Management
  • Business Continuity / Backups
  • Outsourcing
4. Information and Communication
  • Quality of Information
  • Effectiveness of Communication
5. Monitoring
  • On-going Monitoring
  • Separate Evaluations
  • Reporting Deficiencies

These components work to establish the foundation for sound internal control within the company through directed leadership, shared values and a culture that emphasizes accountability for control. The various risks facing the company are identified and assessed routinely at all levels and within all functions in the organization. Control activities and other mechanisms are proactively designed to address and mitigate the significant risks. Information critical to identifying risks and meeting business objectives is communicated through established channels up, down and across the company. The entire system of internal control is monitored continuously and problems are addressed in a timely manner.
