process capability & performance
control practices, detailed "how" and "why" that may be needed
high-level, statement of the desired result to be achieved by implementing control procedures within a specific IT activity.
detailed, underpin high-level control objectives by focusing on the control of key tasks and activities that are related to the IT process.
Strategic alignment, strategic objectives, Setting goals, Devising strategies to achieve stated goals, Designing action plans to implement strategies, benefits, Value addition to business products and services, Optimal use of resources, Enable cost-effective administration and management
Performance management, Balanced scorecard, financial, strategy, customer, process, knowledge, key success factor, effective metrics, defined and approved by stakeholders
Risk management, activities, Understanding the risk appetite or the Organization’s attitude to taking risks, Defining the impact and likelihood of a risk., Approving the Risk Management action plan., management of risks, Risk Mitigation, Risk Transfer, Risk Acceptance, Risk Avoidance
Resource management, resource optimization, features, Ensuring that sufficient capability exists for business critical activities, Optimizing costs, outsourcing, look ahead strategy, A Look Ahead Strategy will help to update the required skills inventory and make an effective recruitment, retention and training program to ensure that the organization is not suddenly short of the required skills.
direct and control, Executive management provides direction by setting objectives and authorizing specific IT activities., Control ensures that the objective is achieved and no undesired incidents occur.
keep IT running
value, alignment business - IT, requirements management, project & portfolio management, business case management, return on investment management
costs, reasons, Most organizations don’t understand the costs associated with their IT assets., Operational budgets increase every year as a result of complex licensing, maintenance, and outsourcing contracts., Failed projects result in large financial losses., IT spending by business units and central IT departments is not coordinated.
mastering complexity, problems, Maintaining technical competence, Managing diverse technical infrastructures, Adapting to rapid changes and new developments, Managing external relationships and service providers
alignment IT - business, reasons, Poorly defined business requirements, Inability to set priorities, Complexity of projects, Lack of committed business sponsors, Lack of clear business drivers for solutions, Communication gaps between business and IT
regulatory compliance, Corporate governance and financial reporting, Privacy and security
confidence of top management, by providing a common language, clearer decision-making mechanisms, and transparency and accuracy of management information.
responsiveness of IT to business, by providing, clear chains of command, effective decision making, and greater confidence in taking risks and making investments.
higher ROI, IT governance helps reduce project failures, optimize IT infrastructure, and increase the efficiency of IT processes.
more reliable services, IT governance gives a framework to ensure lower risks, better quality of services, and greater customer satisfaction
more transparency, ensures that the right information is available to the right level of decision makers.
process orientation
  4 domains
    plan & organize
      objective: how can IT contribute to the achievement of business objectives
      focus: proper organization & governance
      scope: strategy & tactics, vision planned, organization & infrastructure
    acquire & implement
      objective: integration of IT into the business process
      focus: IT solutions, changes & maintenance
    deliver & support
      objective and focus: delivery of required services, design of support services
    monitor & evaluate
      objective: assess IT processes on quality & compliance
      scope: regular assessment, delivering assurance, performance measurement, management oversight of the control system
  34 processes, per domain
    plan & organize
      PO1 Define a strategic IT plan
      PO2 Define the information architecture
      PO3 Determine technological direction
      PO4 Define the IT processes, organization & relationships
      PO5 Manage the IT investment
      PO6 Communicate management aims & direction
      PO7 Manage IT human resources
      PO8 Manage quality
      PO9 Assess & manage IT risks
      PO10 Manage projects
        detailed control objectives
          PO10.1 Programme management framework
          PO10.2 Project management framework
          PO10.3 Project management approach
          PO10.4 Stakeholder commitment
          PO10.5 Project scope statement
          PO10.6 Project phase initiation
          PO10.7 Integrated project plan
          PO10.8 Project resources
          PO10.9 Project risk management
          PO10.10 Project quality plan
          PO10.11 Project change control
          PO10.12 Project planning of assurance methods
          PO10.13 Project performance management, reporting and monitoring
          PO10.14 Project closure
        IT KGI: percentage of projects meeting stakeholder expectations (on time, on budget, and meeting requirements, weighted by importance)
        process KGI: percentage of projects on time and on budget; percentage of projects meeting stakeholder expectations
        KPI: percentage of projects following project management standards and practices; percentage of certified or trained project managers; percentage of projects receiving post-implementation reviews; percentage of stakeholders participating in projects (involvement index)
    acquire & implement
      AI1 Identify automated solutions
      AI2 Acquire & maintain application software
      AI3 Acquire & maintain technology infrastructure
      AI4 Enable operation & use
      AI5 Procure IT resources
      AI6 Manage changes
      AI7 Install & accredit solutions & changes
    deliver & support
      DS1 Define & manage service levels
      DS2 Manage third-party services
        detailed control objectives
          DS2.1 Identification of all supplier relationships
          DS2.2 Supplier relationship management
          DS2.3 Supplier risk management
        IT KGI: percentage of stakeholders participating in projects (involvement index); percentage of purchase spend subject to competitive procurement
        process KGI: percentage of major suppliers meeting clearly defined requirements and service levels; percentage of formal disputes with suppliers; percentage of supplier invoices disputed
        KPI: percentage of major suppliers subject to clearly defined requirements and service levels; percentage of major suppliers subject to monitoring; level of business satisfaction with effectiveness of communication from the supplier; level of supplier satisfaction with effectiveness of communication from the business; percentage of significant incidents of supplier noncompliance for a given time period
      DS3 Manage performance & capacity
      DS4 Ensure continuous service
      DS5 Ensure systems security
      DS6 Identify & allocate costs
      DS7 Educate & train users
      DS8 Manage service desk & incidents
      DS9 Manage the configuration
      DS10 Manage problems
      DS11 Manage data
      DS12 Manage the physical environment
      DS13 Manage operations
    monitor & evaluate
      ME1 Monitor & evaluate IT performance
      ME2 Monitor & evaluate internal control
      ME3 Ensure compliance with external requirements
      ME4 Provide IT governance
  control levelling
    levels: enterprise, IT function, business process owner, application
    IT responsibility
    framework
      generic process controls: process owner, repeatability, goals & objectives, roles & responsibilities, process performance, policy, plans & procedures
      control measures
    degrees
      primary: the defined control objective directly impacts the information criterion.
      secondary: the defined control objective satisfies the information criterion concerned only to a lesser extent or indirectly.
      blank: this could be applicable; however, requirements are more appropriately satisfied by another criterion in this process and/or by another process.
    responsibility areas: plan, build, run, monitor
    enterprise architecture: applications, information, infrastructure, people
    key activities
    responsibility & accountability chart
applications, the automated user systems and manual procedures that process the information.
information, data, in all their forms, input, processed and output by the information systems in whatever form is used by the business
infrastructure, technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
people, personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
quality, quality, costs, delivery
fiduciary, categories, effectiveness, information that is relevant and pertinent to the business process as well as delivered in a timely and consistent manner., efficiency, provision of information through the optimal use of resources., reliability, provision of appropriate information for management to operate the entity and exercise its financial and compliance reporting responsibilities., compliance, complying with those laws, regulations, and contractual arrangements to which the business process is subject.
security, categories, confidentiality, protection of sensitive information from unauthorized disclosure., integrity, accuracy and completeness of information as well as its validity in accordance with business values and expectations., availability, information being available when required by the business process, both now and in the future. It also refers to the safeguarding of necessary resources and associated capabilities.
repository of all COBIT information and enables feedback from users, COBIT online, PDF downloads, COBIT Executive Summary, COBIT Framework, COBIT Control Objectives, COBIT Management Guidelines, COBIT IT Assurance Guide, COBIT Implementation Toolset, benchmarking
maintain the content and implement future versions
aimed at, SME
focus, 30 IT processes, 62 control objectives, metrics
available to Full subscribers
nontechnical security guide and a QuickStart for security objectives
cross-reference to ISO 17799
survival kits, 1 -> home users, 9 simple rules, 2 -> professional users, dos & don'ts, 3 -> managers, important conditions to be checked, 4 -> executives, questionnaire & action list, 5 -> senior executives, 6 -> board of directors
free PDF download
approach, need to create & preserve value, gap analysis, taking measures
road map, bootstrap, generic process, templates & tools
tool set, presentations, documents, assessment tools
provide sharper business focus
defines a common language
helps meet regulatory requirements
  Sarbanes-Oxley Act of 2002
    new and enhanced standards of responsibility and accountability for accuracy, reliability, and transparency of financial reporting
    audit standards
      issued by the Public Company Accounting Oversight Board (PCAOB)
      mapping of the PCAOB standard to COBIT
      Auditing Standard No. 2
        establishes the need to audit internal controls over financial reporting
        IT general controls
          program development: acquisition and implementation of new applications; maintenance of existing applications
          program changes: change management
          computer operations: controls over the definition, acquisition, installation, configuration, integration, and maintenance of IT infrastructure
          access to programs and data
        provides guidance about the scope and approach required by auditors
        fraud detection
        emphasis on transparent disclosures for meaningful analysis and interpretation
        emphasis on the use of a recognized internal control framework for evaluation of internal controls
    section 302
      CEOs and CFOs must make quarterly and annual statements about the adequacy of internal controls over financial reporting
      the company's management should create a certification for the certifying officers
      statement
        they have designed or supervised the creation of internal controls over financial reporting
        these provide reasonable assurance regarding the reliability of financial reporting
        disclosure of changes in the company's internal controls over financial reporting (what is the reason for the change?)
        financial statements conform to US GAAP
      auditing requirements
        inquire: ask management about significant changes in the design or operation of internal controls over financial reporting
        evaluate: evaluate the implications of misstatements identified by the auditor as part of the auditor's interim financial information review
        determine: determine whether any change in internal controls over financial reporting has affected, or may affect, the company's internal control over financial reporting
    section 404
      a company's internal controls and the systems, processes, applications, and policies used to develop and maintain the financial reports must be documented, assessed for effectiveness, and certified
      areas covered
        internal controls: specify the responsibility of management to establish and maintain adequate internal controls over financial reporting
        framework: the framework used; management review of the effectiveness of controls
        attestation report about management's assessment of the company's internal controls over financial reporting
        written conclusion about the effectiveness of the company's internal controls over financial reporting
        material weakness
      auditing requirements: attest, ensure, access
      impact on
        organization
          maintain documentation about the internal control system and make quarterly and annual statements of the adequacy of internal controls
          provide an annual report about the management assessment of the effectiveness of internal controls
          ensure that the statements and reports cover all entities and relevant controls, including relevant IT controls
        management
          enhance its knowledge of internal control and understand the organization's overall Sarbanes-Oxley Act compliance process and how IT supports that process
          develop a compliance plan to specifically address IT controls
          integrate this plan into the overall Sarbanes-Oxley Act compliance plan
        IT
          understand how its systems and operational environments support financial reporting
          understand the controls required to meet the requirements of the Sarbanes-Oxley Act, and design, implement, and demonstrate them
          if IT controls already exist, they must be formalized or documented to enable compliance
          responsibilities
            understanding the organization's internal control program and financial reporting process
            mapping the IT systems that support internal control and the financial reporting process to the financial statements
            identifying the risks related to these IT systems
            designing and implementing controls to mitigate and monitor the identified risks
            documenting and testing IT controls
            ensuring that IT controls are updated and changed to correspond with changes in internal control or financial reporting processes
            monitoring IT controls for effective operation over time
            participation by IT in the Sarbanes-Oxley process or project management office
        auditors
          attest management's assessment of internal controls; the board of directors must form its own opinion of controls, which is subsequently attested by auditors
          not perform certain consulting services in addition to the role of independent auditor to the same client; they can provide advice in accordance with their usual audit responsibilities
          stricter penalties for wrongdoing, intentional or otherwise
          implementation guidance or directives by the Securities and Exchange Commission (SEC)
    goals
      improve corporate accountability and restore investor confidence in US public markets, by implementing internal controls
        drivers
          keep the company on course toward the achievement of business goals and mission, minimizing surprises along the way
          enable management to deal with rapidly changing economic and competitive environments, shifting customer demands, and restructuring for future growth
          promote efficiency
          reduce the risk of asset loss
          ensure the reliability of financial statements and compliance with laws and regulations
      meeting or exceeding disclosure requirements
      ensuring accurate & timely reporting
    implementation roadmap
      plan and scope
        objectives
          determine the project scope
          identify the stakeholders in the project
          identify key IT systems and subsystems to be included in the scope
        controls to be included
          controls over initiating, recording, processing, and reporting significant accounts and disclosures in the financial statements
          controls over the selection and application of accounting policies that conform with generally accepted accounting principles
          antifraud programs and controls
          controls on which other controls are dependent
          controls over significant nonroutine and nonsystematic transactions, such as those involving judgments and estimates
          controls over the period-end financial reporting process
        activities
          identify the IT requirements
          assign project resources
          form an IT control subcommittee
          create a project contact list
          create a detailed project plan
          understand the organization's preliminary scoping
        key success factors
          communication to stakeholders
          understanding the Act's requirements for IT
          identification of a compliance approach
          accurate scoping of the business environment
          effective communication between business and IT
        deliverables: project work plan, application inventory
      perform risk assessment
        key objectives
          determine the inherent risks in order to establish the level of documentation required for compliance
          determine the extent of testing that needs to be performed to verify the effectiveness of key controls
        key success factors: understanding risks
        deliverable: applications inventory with assessment of inherent risk completed
      identify significant accounts/controls
        key objectives
          identify the general control objectives that support the quality and integrity of the financial information processed
          document the policies and key controls that meet the objectives of each IT environment where compliance needs to be demonstrated
        activities: assess and enhance policies; develop control matrices
        key success factors
          technical ability in understanding the functionality of the application and related IT general control concepts
          understanding of the risks to financial reporting and of the controls necessary to mitigate these risks
        deliverable: application inventory with key controls identified
      document control design
        key objectives
          document the organization's policy for addressing each control objective
          obtain an understanding of how the control objectives are met within the IT environments
          document the control design at the entity level and the activity level to show how the control objectives are met
        activities: management should discuss the extent and detail of control documentation with the independent accountants to minimize risks
        key success factors
          ensuring documentation is at an appropriate level
          avoiding too much, too little, or no documentation
        deliverable: documented controls in a format agreed between the Sarbanes-Oxley team and the external auditor
        requirements
          how each significant transaction is initiated, authorized, recorded, processed, and reported
          sufficient information about the flow of transactions to identify the points at which material misstatements due to error or fraud could occur
          controls designed to prevent or detect fraud, including who performs the controls and the related segregation of duties
          controls over safeguarding of assets
          results of management's testing and evaluation
      evaluate control design
        key objectives
          understand the controls that support the achievement of Sarbanes-Oxley Act compliance
          evaluate the design considering control attributes and whether the approach addresses risks effectively
          if appropriate, enhance the design to provide for an effective approach
        activities
          review the list of controls identified in documenting the control design
          evaluate the effectiveness and reliability of the control design, especially key controls
          investigate weaknesses and enhance the design or operation of controls to improve effectiveness
          update the control matrix with the results of the design evaluation
        key success factors
          suitability and availability of existing documentation
          understanding of the process by the person interviewed
          good understanding and communication of the Sarbanes-Oxley Act, COSO, and COBIT concepts by both business and IT
          good communication and facilitation between the Sarbanes-Oxley Act IT team and the rest of the organization
          good research on closing the gap by IT specialists
          common rules and understanding of how to deal with similar situations across different IT facilities
        deliverables
          preliminary completion of the application inventory up to the gap analysis
          updated inventory and identified key controls
      evaluate operational effectiveness
        key objective: confirm the operational effectiveness of the controls as designed
        activities
          determine the controls to be tested; testing depends on their significance to financial reporting
          test the effectiveness of control activities for key controls
          test third-party service providers within the scope of compliance
          identify weaknesses (compliance gaps)
        key success factors
          good understanding of the Sarbanes-Oxley Act, COSO, and COBIT concepts by business and IT
          good communication and facilitation between the Sarbanes-Oxley Act IT team and the rest of the organization
          good research on closing the gap by IT specialists
          common rules for dealing with similar situations across different IT facilities
          preparation of an efficient testing plan
          agreement on sample sizes and the attribute being tested
          record keeping of normal testing; leveraging of existing test results from normal IT implementation activities
        deliverables
          completed test plans
          updated applications inventory summarizing testing and results of testing
          updated gap list including dates for closing gaps
          dates for retesting failed tests
          reassessment of significant gaps in the gap list, showing whether a gap could be a deficiency, significant deficiency, or material weakness
          summary of testing results for the Sarbanes-Oxley project manager
      identify and remediate deficiencies
        key objective: identify the improvements required for gaps between IT & business
        activities
          identify the remediation action
          create the implementation plan
          assess deficiencies
          categorize deficiencies as material weaknesses or significant deficiencies
          identify compensating controls and preventive controls
        key success factors
          management demonstration of commitment to closing gaps
          most effective method of closing a gap for section 404 reporting
          efficient gap solutions for the future
          setting realistic remediation dates
          the proposed solution's acceptability to management and the external auditor
          communication with the external auditor, business process teams, and the Sarbanes-Oxley project manager
        deliverables
          updated application inventory
          updated gap list
          dates for retesting
          summary of gaps, deficiencies and material weaknesses, and solutions for the Sarbanes-Oxley project manager
      document process and results
        key objectives
          document the results of tests performed
          produce a management report of control effectiveness
          provide a record of the process followed, decisions reached, and conclusions drawn to facilitate management's certification of control
        activities
          document and record the results of tests performed
          use the test results as a basis for management assertion and auditor attestation
          provide a comprehensive summary of control effectiveness that includes all testing activities
          include material weaknesses and proposed corrective actions and dates to implement
          assess the potential impact on application controls and other controls that reduce risk, such as monitoring controls and application controls
        key success factors
          effective communication
          identification of gap solutions and remediation dates
        deliverables: management summary, management report, documentation of test results
      build sustainability
        key objective: make internal control and compliance business as usual
        activities
          perform a post-implementation review of the Sarbanes-Oxley project
          review recent PCAOB and SEC speeches and guidance
          review other independent material
          meet peers in other organizations to discuss process improvements
          assess long-term solutions to address Sarbanes-Oxley issues
          develop a plan and timetable for the following year
          plan wider IT governance initiatives
        key success factors
          communication with all stakeholders
          commitment to improvement
          ongoing commitment of executive and senior management
        deliverables
          post-implementation review report
          assessment of longer-term solutions to address Sarbanes-Oxley issues, such as automation of processes and implementation of program change control software
          development of a preliminary plan and timetable for the following year
        stakeholders: all stakeholders
    documentation requirements
      forms: entity policy manuals, IT policy and procedures, narratives, flowcharts, decision tables, procedural write-ups, completed questionnaires
      levels
        company level: statement of control
        activity level
          description of processes or subprocesses and related risks
          statement of the control objective to reduce the risk to an acceptable level
          description of control activities
          description of the approach followed to confirm the existence and effectiveness of control activities
          conclusions about the effectiveness of controls
has general acceptability among organizations, best practices
ensures process orientation
means, Balanced Business Scorecards, Financial, Customer, Internal process, Learning / innovation
resources per process
process inputs & outputs
key activities & RACI charts
IT goals, process goals & activity goals
  IT goals: what the business would use to measure IT
  process goals: how the IT process owner would be measured
  activity goals: indicate whether the goals are likely to be met
metrics
  key goal indicators (KGIs): IT KGI, process KGI
  key performance indicators (KPIs): measure the activity goals
maturity models
  0 non-existent: management processes are not applied at all.
  1 initial: processes are ad hoc and disorganised.
  2 repeatable but intuitive: processes follow a regular pattern.
  3 defined process: processes are documented and communicated.
  4 managed & measurable: processes are monitored and measured.
  5 optimised: good practices are followed and automated.
structure
  stages
    identification & documentation
      obtaining an understanding of the risks related to business requirements and the relevant control measures
      interviewing appropriate management and staff
      documenting the process-related IT resources that are affected by the process under review
      confirming the process under review and its control implications, for example with a process walk-through
    evaluation
      evaluating the appropriateness of the stated controls, considering identified criteria and industry standard practices and applying professional judgment
      concluding on the degree to which the control objective is met
    compliance testing
      assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
      obtaining direct or indirect evidence for selected items/periods to ensure that the procedures are complied with for the period under review
      performing a limited review of the adequacy of process deliverables
      determining the level of substantive testing and additional work required to provide assurance that the IT process is adequate
    substantive testing
      substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources
      documenting control weaknesses and the resulting threats and vulnerabilities
      identifying and documenting actual and potential impact
  levels
    general IT audit approach (COBIT Framework): audit process requirements, control observations, generic audit guideline
    process audit guidelines (detailed audit guidelines): audit attention points to complement the detailed control objectives
    local conditions: sector-specific criteria, industry standards, platform-specific elements, detailed control techniques used
process requirements
  define audit scope
    business process concerned
    platforms, systems, and their interconnectivity supporting the process
    roles, responsibilities, and organizational structure
  identify information requirements relevant for the business process
    relevance to the business process
  identify inherent IT risks and the overall level of control
    recent changes and incidents in the business and technology environment
    results of audits, self-assessments, and certification
    monitoring controls applied by management
  select processes and platforms to audit
    processes, resources
  set audit strategy
    controls x risk
    steps and tasks
    decision points
objectives, management reassurance, direction setting, manage risks, corrective actions, develop audit programs
ITIL, best practices for IT service management, process level, process execution, process control
ISO / IEC 17799, Code of Practice for Information Security Management, process level, process control, strategic
CMM, model for improving the software delivery process (process execution and process control), process level, process execution, process control
COSO, framework for establishing internal controls and determining their effectiveness.
  elements
    risk assessment
    control activities
      general controls
        data center operation controls such as job setup and scheduling, operator actions, and data backup and recovery procedures
        system software controls such as effective acquisition, implementation and maintenance of system software, and database management
        access security controls that prevent inappropriate and unauthorized use of the system
        application system development and maintenance controls over the development methodology, including system design and implementation
        characteristics: general controls support secure and continuous operation. For general controls, organizations should assess those controls that support the quality and integrity of information and are designed to mitigate the identified risks.
      application controls: ensure the completeness, accuracy, authorization, and validity of transactions
    information and communication
      quality of information: current, appropriate, accurate, accessible, timely
      company level
        development and communication of corporate policies
        development and communication of reporting requirements, including deadlines, reconciliations, and the format and content of monthly, quarterly, and annual management reports
        consolidation and communication of financial information
      activity level
        development and communication of standards to achieve corporate policy objectives
        identification and timely communication of information to assist in achieving business objectives
        identification and timely reporting of security violations
    monitoring
      company level: centralized continuous monitoring of computer operations, centralized monitoring of security, IT internal audit reviews
      activity level: defect identification and management, local monitoring of computer operations or security, supervision of local IT personnel
    control environment
      IT control environment: IT governance process, information systems strategic plan, the IT risk management process, compliance and regulatory management, IT policies, procedures, and standards, monitoring, reporting
  compliance with COBIT
    internal control is a process
    high-level compliance
    COBIT is IT specific
COBIT, process level, process control, strategic
version 3, management guidelines
version 4, extended guidelines, integrated single volume, free as PDF, COBIT online
Balanced business scorecard