Cobit For Internal Auditors: Lucas Kowal, Avp BNP Paribas Na
Overview of CobiT
Then what is CobiT?
It is the Control Objectives for Information and related Technology.
A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
CobiT represents
1. A control framework,
2. a set of generally accepted control objectives, and
3. the CobiT Audit Guidelines.
What is the purpose of CobiT?
Components of CobiT
The 4 Domains of CobiT
MONITORING (MO)
PLANNING & ORGANIZATION (PO)
Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.
CobiT For Internal Auditors
How is CobiT used by Internal Audit?
Establishing control baselines and standards
BE CREATIVE! How can you fit CobiT into your audit plan?
Applications of the 4 CobiT Domains
All of the discussed types of reviews can employ the 4 CobiT domains:
– MONITORING,
– PLANNING & ORGANIZATION,
– ACQUISITION & IMPLEMENTATION,
– DELIVERY & SUPPORT
CobiT Trends
In general, each of the 4 domains can be applied to each review with careful planning.
Top Ten Strengths of CobiT in Internal Audit
6. A common language between auditee, auditor, user management and data owners is provided
4. International IT Audit groups can knowledge share (i.e. workprograms, test plans)
3. Audit groups can recruit based on experience with an internationally recognized audit tool
2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
Problems Inherent to the Implementation and Use of CobiT
CobiT is time & resource intensive to implement
Steep learning curve
New audit plans and workprograms
New documentation methods needed
Opportunities to Implement CobiT
Ideal Times to Implement the CobiT Framework
Beginning of an audit year
Threats to CobiT in the Internal Audit World
Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology.
CobiT: A Real World Example at a Major International Financial Services Firm
Situation:
A major international financial services firm uses the SWIFT network as a payment messaging system at its worldwide locations.
All major locations of the financial services firm have their own “local” SWIFT systems installations.
Worldwide IT Management seeks efficiencies and decides to “consolidate” SWIFT messaging systems to regional platforms.
IT management’s strategy is to create three regional “hubs” for messages to flow through to the SWIFT network.
Internal Audit
Internal Audit conducted an IT Audit of the management strategy, selection, acquisition, implementation, and configuration of the new SWIFT Alliance messaging “hubs”.
Examples of IT Audit’s Role
1. Participated on the SWIFT implementation team
2. Reviewed the project charter for financial, human resources,
regulatory, compliance, and IT management strategy controls
3. Reviewed Service Level Agreements and contracts with
vendors for controls prescribed by CobiT
4. Examined project details for the processes to choose hardware, software, and implementation methods.
5. Reviewed project plans for reasonableness and the ability to
meet prescribed timelines
6. Performed reviews of SWIFT system configurations pre- and
post-implementation
7. Examined regulatory constraints and gave opinions based on
regulatory requirements
Highlights: Acquisition & Implementation
Reviewed choices for messaging hub locations
Highlights: Delivery & Support
Reviewed agreements with vendors and business partners for reasonableness and compliance with “best practices”
Highlights: Monitoring
Determined whether controlled procedures were in place for the monitoring of the “new” SWIFT system
Questions?