Internal Controls Frameworks Worldwide: CobiT and Others
1.3 IT Long-Range Planning—Approach and Structure
Supporting Control Objective: (Published as part of CobiT materials.)
1.4 IT Long-Range Plan Changes
Supporting Control Objective: (Published as part of CobiT materials.)
1.5 Short-Range Planning for the IT Function
Supporting Control Objective: (Published as part of CobiT materials.)
1.6 Communication of IT Plans
Supporting Control Objective: (Published as part of CobiT materials.)
1.7 Monitoring and Evaluating of IT Plans
Supporting Control Objective: (Published as part of CobiT materials.)
1.8 Assessment of Existing Systems
Supporting Control Objective: (Published as part of CobiT materials.)
Note: This is an example of CobiT’s definition of processes and subprocesses. The CobiT guidance material includes a detailed Supporting Control Objective for each process.
levels in the organization with consideration given to funding alternatives, clear budget ownership, controls over the actual spending, and a cost justification and awareness of total cost of ownership, among other factors.
This process flow is shown in Exhibit 7.5. The published ISACA CobiT materials are filled with these factors to consider for each of the processes. On a first reading, the CobiT framework materials can seem almost formidable: four identified domains containing a total of 34 defined processes. Within each process there are from 3 to 30 detailed IT control objectives defining the controls that should be in place. Although complex, this forms a systematic and logical method for defining and communicating IT control objectives, and it leads to the CobiT audit and management guidelines discussed in the next sections.
(d) CobiT Audit Guidelines
Effective reviews of IT controls and procedures have presented challenges to internal auditors ever since automated systems became a major component of overall business processes. CobiT tries to improve this process. A major component of CobiT and its published materials is a set of generic, high-level audit guidelines to help with reviews of processes against IT control objectives.
The CobiT audit process is built upon several generic guidelines that can be used for all processes as well as specific audit procedures oriented to each of the defined CobiT processes.
EXHIBIT 7.5
Cobit IT Process to Control Practices Linkages
Source: Control Objectives for Information and Related Technology (COBIT®), 3rd Edition, © Copyright 1996, 1998, 2000, the IT Governance Institute® (ITGI), http://isaca.org and http://itgi.org, Rolling Meadows, IL 60008, USA. Reprinted by permission.
The CobiT generic guidelines are just that, guidelines, to identify tasks to be performed in assessing any process control objective. There are also process-specific guidelines with suggested audit steps to provide management assurance that a control is in place and working. While we suggest that the reader obtain the previously referenced CobiT materials for details and specific wording, the generic audit guidelines cover the following areas:
• Obtaining an Understanding. A description of the audit steps to be performed to document the activities underlying the control objectives as well as to identify the control procedures in place.
• Evaluating the Controls. The guideline outlines audit steps to be performed in assessing the effectiveness of the control measures in place or the degree to which the control objective is achieved. This is the step that basically decides what, whether, and how to test.
• Assessing Compliance. The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to reach a conclusion on the appropriateness of the control environment.
• Substantiating the Risk. This guideline outlines the audit steps to be performed to substantiate the risk of the control objective not being met, using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action (CobiT’s words!). Auditors have to be creative in finding and presenting this often sensitive and confidential information.
CobiT suggests that each of the four generic guidelines should be used for every process reviewed. Each guideline also contains guidance for obtaining direct or indirect evidence for selected items/periods, suggestions for limited reviews of the adequacy of the process deliverables, general guidance on the level of substantive testing, and additional work needed to provide assurance that the IT process is adequate.
The published CobiT materials also include specific audit procedures for each of the detailed processes. These are very generic documents with guidance along the lines of “Consider whether . . .” followed by lists of items specific to that process area. The general structure of these detailed processes follows these steps:
1. Items or areas to consider when evaluating controls.
2. Items to examine or test to assess compliance with control procedures.
3. Steps to perform to substantiate the risk of control objectives not being met.
4. The identification of such matters as IT failures to meet the organization’s missions and goals, IT failures to meet cost and time guidelines, or missed business or IT opportunities.
The result of all of this material is some excellent guidance for assessing controls over IT processes. There is sufficient CobiT material to allow any internal auditor, and a computer audit specialist in particular, to review and assess controls for an IT organization. Although CobiT is heavily oriented toward IT, these same procedures can be used as a basis for internal control reviews in many other areas.
(e) Management and Implementation Guidelines
The overall CobiT materials also include sets described as Management and Implementation Guidelines. Unfortunately, the CobiT Management Guidelines do not fit as neatly with the other Framework and Audit Guideline materials.
The CobiT Management and Implementation materials discuss an organization’s maturity model along with the Software Engineering Institute’s Capability Maturity Model (CMM), discussed in Chapter 20, “Software Engineering, the Capability Maturity Model, and Project Management,” and include sections on critical success factors, among other topics. This chapter will not discuss this section of CobiT.
The Implementation Guidelines reaffirm who should benefit from CobiT and discuss steps to implement CobiT in the organization. They suggest multiple ways to implement CobiT, ranging from a top-down approach through the CIO or audit committee to a mandate-regulated situation. The general recommendation is that internal audit, through the chief audit executive (CAE), should communicate the CobiT approach to appropriate senior operating and IT management. The CobiT framework, processes, and control objectives should be communicated to teams such as the CIO’s organization through education to help sell the overall CobiT approach.
7.3 USING COBIT FOR SOA SECTION 404 ASSESSMENTS