K. P. SHASHIDHARAN
COBIT stands for Control Objectives for Information and Related
Technology, a benchmarked framework designed, developed and
continuously updated by the Information Systems Audit and Control
Association (ISACA) for effective IT governance and management.
The goal of this framework is to ‘research, develop, publicize and
promote an authoritative, up-to-date, international set of
generally-accepted information technology control objectives for
day-to-day use by business managers, IT, audit and assurance
professionals.'
Fundamentally, the COBIT approach aims at aligning business
objectives with IT goals and processes so that IT serves the
enterprise's objectives.
COBIT focuses on four critical domains: Plan and Organise, Acquire
and Implement, Deliver and Support, and Monitor and Evaluate,
governing 34 essential processes and 320-odd key controls across all
responsibility centres. COBIT 5 is currently under development.
RISK AND GOVERNANCE
As with any IT audit framework, to be effective it must address
compliance, internal control, risk management and governance.
The COBIT approach draws the established governance and audit
methodologies and techniques currently available into its ambit: the
Enterprise Risk Management and Internal Control frameworks developed
by the Committee of Sponsoring Organizations of the Treadway
Commission (COSO); the Information Technology Infrastructure Library
(ITIL) for IT service management; the International Organization for
Standardization's ISO/IEC 27000 series of information security
management standards; Capability Maturity Model Integration (CMMI)
for process and performance improvement; The Open Group Architecture
Framework (TOGAF) for developing enterprise architecture; and the
Project Management Body of Knowledge (PMBOK).
CHANGE MANAGEMENT
The IT auditor should follow a risk-based approach (RBA) to IT audit:
assess inherent risk, control risk and residual risk; categorise the
risks as moderate, high or very high; and evaluate whether the
controls in place mitigate them to the level the organisation
accepts, based on its risk appetite.
The COBIT framework equips the IT auditor with concepts, techniques,
processes and structures for auditing change management, together
with detailed control-centric audit checklists and possible sources
of audit evidence, for giving assurance on the effectiveness of
controls.
The framework evaluates whether all changes are properly managed:
logged, assessed, authenticated, authorised and reviewed against the
targeted qualitative and quantitative parameters, with the outcomes
measured. While scrutinising the enterprise documentation, the IT
auditor should look for evidence that best practices for the systems
development life cycle (SDLC) have been deployed, using the maturity
model to rate them. The risk-, compliance- and governance-based
methodology provides data security, database integrity and
continuous vigilance over the information architecture.
In the emerging Internet-based, powerful cloud IT business
environments that may revolutionise the way business is conducted,
there should be an equally authoritative framework to enable the
auditor to conduct an effective IT audit and provide assurance to
business houses that their IT systems are fine-tuned to maximise
business objectives and the targeted outcomes.
--------------------------------------------------------------------------------
As in any IT audit framework, to be effective, COBIT should address
compliance, internal control, risk management and governance issues.
--------------------------------------------------------------------------------
(This article was published in the Business Line print edition dated
October 3, 2011)