
CobiT for Internal Auditors

Lucas Kowal, AVP BNP Paribas NA
CPA, CISA, CISSP


Overview of CobiT
What is CobiT?

Overview of CobiT
What CobiT is not!!

– Audit software
– An IT audit plan
– An IT Internal Audit workprogram
– An IT audit testing plan
– Guide on “How to Audit” IT
Overview of CobiT
Then what is CobiT?

– It is the Control Objectives for Information and related Technology.
– A methodology consisting of standards and controls created to assist IT professionals in the implementation, review, administration and monitoring of an IT environment.
– The CobiT Executive Summary and Framework were released in December 1995, Control Objectives in April 1996, and Audit Guidelines followed in September 1996.
– A tool for IT professionals that has linked information technology and control practices.
– CobiT consolidates and harmonizes standards from prominent global sources into a critical resource for management, control professionals and auditors.
Overview of CobiT
CobiT represents

1. A control framework,
2. a set of generally accepted control objectives, and
3. the CobiT Audit Guidelines.

– CobiT is based on the philosophy that IT resources need to be managed by a set of naturally grouped processes in order to provide the pertinent and reliable information an organization needs to achieve its objectives.
– CobiT is business process oriented and provides the business process owners with a framework, which should enable them to control all the different activities underlying IT deployment.
Overview of CobiT
What is the purpose of CobiT?

– To provide management and business process owners with an Information Technology (IT) governance model that helps in understanding and managing the risks associated with IT.
– CobiT helps bridge the gaps between business risks, control needs and technical issues by presenting the controls through one vehicle.
– It is a control model to meet the needs of IT governance and ensure the integrity of information and information systems.
Components of CobiT

Components of CobiT
The 4 Domains of CobiT

– MONITORING (MO)
– PLANNING & ORGANIZATION (PO)
– ACQUISITION & IMPLEMENTATION (AI)
– DELIVERY & SUPPORT (DS)
Components of CobiT
MONITORING (MO)

All IT processes need to be regularly assessed over time for their quality and compliance with control and regulatory requirements.

Auditors need to perform procedures to ensure that the IT environment meets predefined standards with respect to controls.

– M1- Monitor the process
– M2- Obtain independent assurance
Components of CobiT
PLANNING & ORGANIZATION (PO)

Addresses strategy and tactics, and concerns the identification of the way information technology can best contribute to the achievement of business objectives.

Is the IT strategy effectively controlled, and will it contribute to the business objectives?

– PO1- Define a strategic IT plan
– PO2- Define the Information architecture
– PO3- Determine technical direction
– PO4- Define IT Organization and relationships
– PO5- Manage the investment in IT
– PO6- Communicate management aims and directions
– PO7- Manage Human Resources
– PO8- Ensure compliance with external requirements
– PO9- Assess risks
– PO10- Manage projects
– PO11- Manage quality
Components of CobiT
ACQUISITION & IMPLEMENTATION (AI)

To realize the IT strategy, IT solutions need to be identified, developed and/or acquired as well as implemented and integrated into the business process.

Is the process to choose and implement IT solutions a controlled process? Does this process meet control standards?

– AI1- Identify solutions
– AI2- Acquire and maintain application software
– AI3- Acquire and maintain technology architecture
– AI4- Develop and maintain IT procedures
– AI5- Install and accredit systems
– AI6- Managing changes
Components of CobiT
DELIVERY & SUPPORT (DS)

Addresses the actual delivery of required information services.

Are information related services delivered in a controlled manner?

– DS1- Define service levels
– DS2- Manage Third Party services
– DS3- Manage performance capacity
– DS4- Ensure continuous service
– DS5- Ensure systems security
– DS6- Identify and allocate costs
– DS7- Educate and train users
– DS8- Assist and advise IT customers
– DS9- Manage the configuration of IT systems
– DS10- Manage problems and incidents
– DS11- Manage data
– DS12- Manage facilities
– DS13- Manage operations
Overview of Internal Audit
Internal Audit

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."
(Definition of Internal Auditing by the Institute of Internal Auditors, Inc.)

– The mission of Internal Audit is to evaluate the efficiency and effectiveness of the entity’s procedures and related internal controls.
– As Internal Auditors, we also provide control recommendations and controls advisory.
CobiT For Internal Auditors
Who uses CobiT in the Internal Audit world?

– Typically, the IT Auditor
– Business Process Auditor
– The IT Inspection Team, or
– The IT Control Team
CobiT For Internal Auditors
How is CobiT used by Internal Audit?

– Establishing control baselines and standards
– Facilitating and creating performance metrics for Risk Assessments
– Developing the audit plan
– Facilitating the audit
– Managing residual risk
– Issuing control advisory and recommendations to the IT groups
CobiT For Internal Auditors
Audits that can be performed with the use of CobiT

1. Reviews of Baselines and Standards for IT
2. Information System Implementations
   – Pre-Implementation Review
   – Implementation of Controls Certification Reviews
   – Post Implementation Review
3. Code Development / Source Code Management Reviews
4. General Controls Reviews
5. Data Center reviews
6. Audits of the Business Continuity Program
7. Audits of Security Configuration
8. Reviews of Security Administration
9. Reviews of IT Purchasing and Procurement
10. Application Review / Audits
11. Audits of Business Processes

BE CREATIVE! How can you fit CobiT into your audit plan?
Applications of the 4 CobiT Domains

All of the discussed types of reviews can employ the 4 CobiT domains:
– MONITORING,
– PLANNING & ORGANIZATION,
– ACQUISITION & IMPLEMENTATION,
– DELIVERY & SUPPORT
CobiT Trends

– In general, each of the 4 domains can be applied to each review with careful planning.
– All IT Audit reviews should have a component that includes:
   – Management controls of the information
   – Review of controls over the way that information is delivered / facilitated
   – How the IT control review process works, and whether it is working effectively
– With the right planning, all reviews can be performed with the use of the 4 domains as a reference, standard, and “Best Practice” template.
Top Ten Strengths of CobiT in Internal Audit

10. Control evaluation processes are standardized across the IT environment
9. Benchmarks and standards are portable throughout the IT environment
8. System management processes across different systems can be compared
7. Post-audit benchmarking is easily achieved through existing CobiT Control Objectives
6. A common language between auditee, auditor, user management and data owners is provided
5. CobiT is globally recognized as a tool that provides guidance on IT audits and sets IT control “Best Practices”
4. International IT Audit groups can knowledge share (i.e. workprograms, test plans)
3. Audit groups can recruit based on experience with an internationally recognized audit tool
2. CobiT can easily be mapped to relevant regulatory examination criteria (FFIEC, HIPAA)
1. It's just plain old fun!

Problems Inherent to the Implementation and Use of CobiT

– CobiT is a control framework with Audit Guidelines. Therefore,
   – It is NOT an audit plan
   – It is NOT a workprogram
   – It does NOT provide for audit steps / techniques / procedures
   – It does NOT define standards
   – It does NOT define acceptable levels for IT processes
– The use of CobiT requires a sufficient amount of experience with IT controls because it does not detail actual controls verification and testing steps.
Problems Inherent to the Implementation and Use of CobiT

– CobiT is time & resource intensive to implement
   – Steep learning curve
   – New audit plans and workprograms
   – New documentation methods needed
– Although CobiT is process focused, CobiT based reviews tend to be more system-focused.
   – Few, if any, processes are composed of one system.
   – All data flows between systems, so how are data flows evaluated?
   – How can major information flow processes be evaluated within reasonable time constraints?
Opportunities to Implement CobiT
Ideal Times to Implement the CobiT Framework

– Beginning of an audit year
– During a reorganization of the audit department
– During a change of strategy for the IT Audit group
– Upon implementation of Business Process focused audits
Threats to CobiT in the Internal Audit World

– Initial audits are time intensive and difficult because auditors are unfamiliar with CobiT terminology.
– Auditees can be unreceptive to controls based recommendations as opposed to traditional IT recommendations.
– If the audit staff does not have a sufficient amount of experience with IT controls, difficulties can arise in creating procedures to test for the existence of CobiT prescribed controls.
CobiT: A Real World Example at a Major International Financial Services Firm
Situation:

– A major international financial services firm uses the SWIFT network as a payment messaging system at its worldwide locations.
– All major locations of the financial services firm have their own “local” SWIFT systems installations.
– Worldwide IT Management seeks efficiencies and decides to “consolidate” SWIFT messaging systems to regional platforms.
– IT management’s strategy is to create three regional “hubs” for messages to flow through to the SWIFT network.
CobiT: A Real World Example at a Major International Financial Services Firm
Internal Audit

– Internal Audit conducted an IT Audit of the management strategy, selection, acquisition, implementation, and configuration of the new SWIFT Alliance messaging “hubs”.
– “Controls Advisory” was also provided as a complimentary service.
– The CobiT methodology was used.
CobiT: A Real World Example at a Major International Financial Services Firm
Examples of IT Audit’s Role

1. Participated on the SWIFT implementation team
2. Reviewed the project charter for financial, human resources, regulatory, compliance, and IT management strategy controls
3. Reviewed Service Level Agreements and contracts with vendors for controls prescribed by CobiT
4. Examined project details for the processes to choose hardware, software, and implementation methods
5. Reviewed project plans for reasonableness and the ability to meet prescribed timelines
6. Performed reviews of SWIFT system configurations pre- and post-implementation
7. Examined regulatory constraints and gave opinions based on regulatory requirements
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Planning & Organization

– Reviewed the strategy and plan for management controls
– Critiqued the “new” IT architecture
– Monitored progress with respect to timelines
– Ensured that compliance and regulatory constraints were addressed during implementation
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Acquisition & Implementation

– Reviewed choices for messaging hub locations
– Reviewed alternatives for hardware and software
– Verified that changes were in compliance with CobiT and “best practices” for change control
– Determined whether procedures were created for the administration of the implemented system
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Delivery & Support

– Reviewed agreements with vendors and business partners for reasonableness and compliance with “best practices”
– Attended user training sessions
– Tested controls for security configuration and security administration
– Determined whether controlled procedures were created for administration and management of data, facilities, and operations
CobiT: A Real World Example at a Major International Financial Services Firm
Highlights: Monitoring

– Determined whether controlled procedures were in place for the monitoring of the “new” SWIFT system
– Verified that monitoring procedures were in compliance with regulatory requirements
Questions?

Lucas Kowal, CPA is an AVP of Information Systems Audit at the international financial services conglomerate, BNP Paribas. Mr. Kowal has several years of audit and consulting experience of information systems and technology applications, having worked with Arthur Andersen’s Technology Risk Consulting Group and the Depository Trust Clearing Co. prior to joining BNP Paribas.

In addition to being a Certified Public Accountant (CPA-NY), Lucas has attained both the Certified Information Systems Auditor (CISA) accreditation and the Certified Information Systems Security Professional (CISSP) accreditation. Lucas is a graduate of the prestigious BS (Public Accounting) / MBA (Management Information Systems) program from the State University of New York at Buffalo.

Lucas can be reached at lucas.kowal@BNPPARIBAS.com
