IT audit in accordance with Cobit standard

Dalibor Radovanović, Tijana Radojević, Dubravka Lučić, Marko Šarac
Singidunum University, Danijelova 32, Belgrade, Serbia
Ernst & Young Belgrade, Bulevar Mihajla Pupina 115d, Belgrade, Serbia
Abstract - In today's market circumstances it is indisputable that the number of jobs carried out with the help of information systems is constantly growing. Managers often know very little about the information system, which makes it very difficult for them to perform the control function effectively and to manage information successfully. This paper explains the concept of information systems audit and the methodologies used. IT governance and information systems audit are imposed as an imperative for successful business. To improve the management of IT in accordance with regulatory requirements, organizations use best practice frameworks to facilitate the work. One of these frameworks for IT governance is Cobit, which provides guidelines on what can be done in an organization in terms of control activities, measurement and documentation of processes and operations.
I. INTRODUCTION

A critical element for the survival and success of an organization is the effective management of information and communication technology (ICT). This is reflected in the growing dependence on information and its associated systems, the increased vulnerability and wide range of threats to ICT, the extent and cost of existing and future investments in ICT systems, and the potential of technology to change work organization and business practices, creating new opportunities and reducing costs.

IT audit is the process of gathering and evaluating evidence on the basis of which the performance of IT systems can be assessed, i.e. whether the information system operates so as to safeguard property and maintain data integrity. It is also necessary to determine whether the IS enables the effective achievement of business objectives and whether system resources are used in an effective and efficient manner. IT audit today represents a modern advisory function, the "right hand" that helps management with IT governance. It is also a procedure used to assess whether information technology serves the successful accomplishment of business objectives. Several methodologies and standards deal with this issue: COBIT, ITIL, ISO 27002 (formerly ISO 17799) and ISO 9000. Organizations consider and use a variety of IT models, standards and best practices, and these must be understood in order to see how they can be used together (Fig 1.), with COBIT acting as the consolidator.

II. COBIT

COBIT (Control Objectives for Information and Related Technologies) is a worldwide accepted standard which prescribes areas and individual controls for IT governance, informatics and related IT processes. The authors of the COBIT framework are the non-profit organizations ISACA (Information Systems Audit and Control Association) and ITGI (IT Governance Institute). COBIT links business and IT goals and provides the ability to monitor the maturity of the information system through metrics. COBIT enables management to optimize IT resources such as applications, information, infrastructure and people. The practice recommended by COBIT combines the knowledge of numerous experts, distilled from good practice and applicable in any organization.

Fig 1. COBIT as consolidator
Fig 2. Development COBIT framework [8]
The first version of COBIT was created as a tool to support the audit of financial statements, but it continued to develop alongside the growing role of IT in business. With the release of the second version it became the most frequently used methodology for the audit of information systems worldwide. Through further development and the publication of the third version in 2004, COBIT became an integrated framework for IT management, while the latest version, COBIT 4.1, represents the major framework and methodology for IT governance. Figure 2 shows the development of the COBIT framework and the roles it has had through its development and upgrading. COBIT consists of 34 key business control processes, with a maturity model describing each process. It contains over 300 detailed IT controls. The primary control objectives are divided into four domains [6]:
1) Planning and Organization (PO) includes processes for planning and designing the organization so as to achieve its business goals. This domain includes risk assessment.
2) Acquisition and Implementation (AI) includes processes related to the acquisition and development of IT solutions and the management of changes to these solutions over time.
3) Delivery and Support (DS) includes the processes that affect the actual delivery of IT services to the organization. This domain includes the processes for managing problems and incidents, managing security and other processes that affect the performance of IT.
4) Monitoring and Evaluation (ME) includes processes for the regular review of IT processes and their success in achieving the relevant IT control objectives.
Each of these domains shows the key control activities of information technology related to its area.
For each of these processes COBIT offers a so-called RACI matrix (an acronym for Responsible, Accountable, Consulted, Informed), which determines for each process who is responsible and authorized for the implementation of particular control activities and who only needs to be informed or consulted.
Fig 3. Interrelationships of COBIT Components
For each of the key business and IT processes COBIT defines and provides (Fig 3.): maturity models, critical success factors (CSF), key goal indicators (KGI), key performance indicators (KPI), a RACI chart, and control objectives and control tests. Using the COBIT methodology, management and corporate structures can easily determine which of these processes are important and to what extent. From the point of view of control and information systems audit, COBIT defines 18 application controls and 6 process controls. Maturity assessment is based on the well-known CMM model, except that in the COBIT model the marks are described and explained in detail for each process. The maturity of IT governance processes is assessed on a scale from 0 to 5 [2, 11]:
0 - There are no processes: IT governance processes do not exist. Management has not recognized the importance of this concept; decisions on IT investments are uncontrolled, taken case by case ('ad hoc'), outside systematic supervision and risk assessment, and completely in the hands of individuals.
1 - Initial processes: management is not aware of the importance of IT governance. There are no formal procedures; management and oversight of information technology are mostly individual and uncontrolled, and actions are taken on a case-by-case basis. There are no standards, corporate rules, obligations or responsibilities regarding this issue. Management is generally not aware of the importance of IT risk. IT governance and its performance measurement are carried out only within the IT department, while management is passive, uneducated and unaware of the matter.
2 - Repeatable processes: IT governance processes exist, but they are uncoordinated and mainly initiated by the IT department or some other operating level. It often happens that many people perform the same task (a segregation of duties issue); there is no systematic supervision, coordination or standardized procedure. Responsibility is left to individuals; corporate policies do not exist or are not communicated to employees.
3 - Defined processes: IT governance procedures are prescribed and documented, and constantly improved through formal training and education. Procedures and corporate rules, although they formally exist, are not sophisticated, mature or customized to the organization's business; they only formalize existing procedures. Although procedures exist, responsibility for their execution rests with individuals, and since there is no systematic supervision, it is unlikely that anomalies will be detected.
4 - Managed processes: corporate policies and procedures exist, and it is also possible to constantly monitor their execution, measure their performance and make the necessary corrections according to need. Processes and activities are continuously improved. Very sophisticated IT governance objectives, closely aligned with business objectives, are set. The use of current methods and frameworks (COBIT, IT BSC and ITIL) in performance measurement and IT audit is required.
5 - Optimized processes: IT governance processes are brought to the optimal level and the company is a leader in the area. The performance and efficiency of IT as a business function are constantly measured, and the results are compared with best practice and other organizations. There is complete transparency in IT governance; corporate bodies have actual supervision over information technology through a series of formal mechanisms. Information technology is used for strategic purposes as a key business resource, and IT activities (investments, projects, risks, etc.) function optimally, aligned with real business priorities.
It is essential that the most important methods of IT governance and information systems audit, such as ITIL, COBIT and Sarbanes-Oxley, use the same range for assessing the maturity of IT processes and the effectiveness of controls over them (from 0 to 5, with the same explanation).
Fig 4. The COBIT cube (business objectives; information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability; IT resources: Applications, Information, Infrastructure, People; IT processes: Domains, Processes, Activities)
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, though certainly overlapping, information criteria are defined as follows [10, 11, 12]:
Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
Efficiency concerns the provision of information through the optimal use of resources.
Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
Availability relates to information being available when required by the business process, now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e. externally imposed business criteria as well as internal policies.
Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.
In summary, IT resources are managed by IT processes to achieve goals that meet the business requirements of the organization. This basic principle of the COBIT framework is illustrated in Fig 4. The IT resources identified in COBIT can be defined as follows [6]:
Applications are the automated user systems and manual procedures that process the information.
Information is the data, in all its forms, input, processed and output by the information systems in whatever form is used by the business.
Infrastructure is the technology and facilities (i.e. hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
III. ITIL

The UK Government recognized very early on the significance of IT best practices to Government and, for many years, has developed best practices to guide the use of IT in Government departments. These practices have now become common standards around the world in the private and public sectors. ITIL was developed more than 15 years ago to document best practice for IT service management, with that best practice being determined through the involvement of industry experts, consultants and practitioners. ITIL is based on defining best practice processes for IT service management and support, rather than on defining a broad-based control framework. It focuses on the method and defines a more comprehensive set of processes. Additionally, ITIL provides a business and strategic context for IT decision making and for the first time describes continual service improvement as the key activity which drives the maintenance of value delivery to customers. IT service management is concerned with planning, sourcing, designing, implementing, operating, supporting and improving IT services that are appropriate to business needs. ITIL provides a comprehensive, consistent and coherent best practice framework for IT service management and related processes, promoting a high-quality approach to achieving business effectiveness and efficiency in IT service management. ITIL is intended to underpin but not dictate the business processes of an organization. The role of the ITIL framework is to describe approaches, functions, roles and processes upon which organizations may base their own practices, and to give guidance at the lowest level that is generally applicable.
Below that level, and to implement ITIL in an organization, specific knowledge of its business processes is required to drive ITIL for optimum effectiveness. In ITIL V3, the most significant development has been the move from a process-based framework to a more comprehensive structure reflecting the life cycle of IT services. In this new context the key processes have been updated, but more significantly ITIL now describes IT service management functions, activities and organizational structure; strategic and sourcing concerns; and integration with the business. Five volumes comprise ITIL V3, published in May 2007 [7]:
1) ITIL Service Strategy
2) ITIL Service Design
3) ITIL Service Transition
4) ITIL Service Operation
5) ITIL Continual Service Improvement

IV. ISO 27002 AND ISO 27001 STANDARD

The international standard of IT security controls, ISO/IEC 27002:2005, was published by ISO and the IEC through their joint technical committee ISO/IEC JTC 1 (ISO 27000 Directory, 2005) [5]. Its goal is to provide information to the parties responsible for implementing information security within an organization. It can be seen as a best practice for developing and maintaining security standards and management practices within an organization, improving the reliability of information security in inter-organizational relationships. It defines 133 security control strategies under 11 major headings. The standard emphasizes the importance of risk management and makes it clear that it is not necessary to implement every stated guideline, only those that are relevant. The guiding principles in ISO/IEC 27002:2005 are the starting points for implementing information security. They rely on either legal requirements or generally accepted best practices. Measures based on legal requirements include the protection and non-disclosure of personal data, the protection of internal information and the protection of intellectual property rights. Best practices mentioned in the standard include an information security policy, the assignment of responsibility for information security, problem escalation and business continuity management [1].

V. COMPARISON OF COBIT, ITIL AND ISO27002

A first difference between the three standards is that they are issued by different organizations with different areas of activity and objectives. The general function of the standards is also slightly different (Table 1.). COBIT provides best practices and tools for monitoring and mapping IT processes, ITIL aims to map IT service level management, and ISO27002 provides guidelines for implementing a standardized information security framework. COBIT consists of 4 domains and 34 processes which are required for the implementation of the information system audit.

Table 1. Overview of COBIT, ITIL and ISO27002
COBIT: Function - Mapping IT Process (34 Processes, 4 Domains); Area - Information System Audit; Issuer - ISACA; Implementation Consultant - Accounting Company, IT Consulting Company
ITIL: Function - Mapping IT Service Level Management (9 Processes); Area - Manage Service Level; Issuer - OGC; Implementation Consultant - IT Consulting Company
ISO27002: Function - Information Security Framework (10 Domains); Area - Compliance with security standards; Issuer - ISO Board; Implementation Consultant - Security Company, IT and Network Consulting

ITIL's best practice framework covers a total of 9 processes and enables the implementation of IT service level management with a focus on achieving business effectiveness and efficiency in IT service management.

Table 2. Comparison of COBIT, ITIL and ISO 27002 (columns: COBIT control objectives; objectives which refer to ITIL; objectives which refer to ISO 27002)
PO - PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organization and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects
AI - ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes
DS - DELIVER AND SUPPORT
DS1 Define and manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations
ME - MONITOR AND EVALUATE
ME1 Monitor and evaluate IT performance
ME2 Monitor and evaluate internal control
ME3 Ensure compliance with external requirements
ME4 Provide IT governance
The three methodologies described have been widely used in the past few years by many organizations and represent best practice, approved, developed and tested by experts worldwide. Table 2 shows the correlation between the control objectives of the COBIT framework and the ISO 27002 and ITIL methodologies. In relation to the COBIT framework, ITIL describes in detail the procedures for service delivery and support (DS domain, Table 2), but does not support all the requirements for the monitoring and evaluation of ICT within the COBIT model. Some control objectives of the COBIT model in the domain of planning and organization (PO domain, Table 2) are treated only superficially in ITIL. The ITIL model is not focused on describing what needs to be addressed in the management of ICT; its processes are structured in detail to indicate who applies them and how (roles and responsibilities). In the period from 1 June to 31 July 2009 Ernst & Young conducted a survey which included 1865 companies from 61 countries, covering all major industries. This research belongs to the group of the oldest and most respected surveys of this type. It provides a comparison of companies with respect to the major areas of information security and IT governance [4]. Frameworks such as COBIT are increasingly popular for planning IT audit activity (Fig 5) and are adopted by 69 percent of respondents. These frameworks deliver a structured approach to planning and focus the IT audit on the business and technological risks of the organization.
Fig 5. Standards and frameworks that are used for planning IT audit activity
VI. CONCLUSIONS

COBIT, ITIL, ISO 17799 and ISO 27001 are the group of methodologies most commonly used by companies with respect to IT security and IT governance. They are used in parallel, which is not surprising, considering that they represent best practices and experiences which have been approved, developed and tested in companies around the world. Many organizations face a continually changing set of pressures and dynamics in the current economic climate. Faced with shrinking markets, they can choose to rationalize, merge or contract. The technology thread which holds systems and processes together is at risk. As a consequence, IT Internal Audit plays an integral role in maintaining discipline and rigor across functions and geographies. Internal Audit should have a direct line to executive management and the Audit Committee. By cascading top-level opinion on the value and content of Internal Audit's outputs and by communicating information on the issues that affect the business, the function can heighten its visibility. To maintain that position, it needs to develop a closer relationship with the business while maintaining its independence and objectivity. It also needs to work in closer cooperation with the wider audit function to leverage understanding and efficiency. This powerful combination of technical and business know-how, underpinned by an understanding of operational and technology risk, can turn the function from a cost centre into a value builder. IT audit as a discipline is maturing. To compete in this new and threatening environment, it needs to standardize, automate and speed up its analysis and reporting. It has to become more economical and efficient by reducing costs and using tools that improve the effectiveness and reliability of its output and its compliance and control.
REFERENCES
[1] Calder, A., & Watkins, S. 2008. A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Kogan Page.
[2] Cannon, D. L. 2008. CISA Certified Information Systems Auditor Study Guide. Sybex.
[3] Davis, C., Schiller, M., & Wheeler, K. 2007. IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill Osborne Media.
[4] Ernst & Young. 2009. Global Information Security Survey. Available from Internet: http://www.ey.com/Publication/vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf
[5] ISO. 2005. ISO/IEC 27001. Switzerland: International Organization for Standardization (ISO).
[6] ITGI. 2007. CobiT 4.1 - Framework, Control Objectives, Management Guidelines and Maturity Models. USA: IT Governance Institute.
[7] ITIL. 2007. An Introductory Overview of ITIL V3. London: The UK Chapter of the itSMF.
[8] Min, Y. W. 2009. Understanding and Auditing IT Systems. Peking: Lulu.
[9] Panian, Z., & Spremic, M. 2007. Korporativno upravljanje i revizija informacijskih sustava. Zagreb: Zgombić & Partneri.
[10] Van Haren Publishing. 2008. IT Governance based on Cobit 4.1 - A Management Guide. Van Haren Publishing.
[11] Selig, G. J. 2008. Implementing IT Governance. Van Haren Publishing.
[12] Senft, S., & Gallegos, F. 2009. Information Technology Control and Audit (Third ed.). Boca Raton, USA: Taylor & Francis Group.
[13] Spremic, M. 2007. Methods of auditing information systems. Zbornik Ekonomskog fakulteta u Zagrebu, 295-312.