Implementing COBIT5 Boise ISACA - ISACA Boise

Transcription

July 2013
Implementing COBIT 5 as the IT Governance Framework – One Company’s Perspective
February 2017
John Stiffler, CISA, CGEIT

Agenda
- Background
- Relating COSO Framework to COBIT 5
- Relating Enterprise Goals & Enablers to Strategy, Governance & Management
- The Continuous Controls Matrix
- The Umbrella IT Governance Framework
- Questions/Dialog

Background - Internal Control Frameworks

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) identifies five components of internal control that need to be in place to achieve financial reporting objectives: control environment, risk assessment, control activities, information and communication, and monitoring.

The passing of the Sarbanes-Oxley Act (SOX) in 2002 required management to certify the accuracy of financial reporting (Section 302) and resulted in an increased focus on the IT controls that support financial reporting processing and its assessment (Section 404).

Cybersecurity risks have further increased this focus on IT controls.

The COBIT framework (Control Objectives for Information and Related Technology) continues to grow in use to assist with SOX compliance, and is considerably wider in scope, covering both IT general controls and application controls.

COBIT 5 as an IT Governance Framework

COBIT 5 provides a comprehensive framework that assists enterprises in achieving their IT objectives, built on five overall principles:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single integrated framework
- Enabling a holistic approach
- Separating governance from management

Governance ensures that enterprise objectives are achieved by evaluating stakeholder needs, setting direction and monitoring performance (Evaluate, Direct, Monitor: EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by governance to achieve the enterprise objectives (Plan, Build, Run, Monitor: PBRM).

Relating COSO to COBIT 5

COBIT 5 Enterprise Goals Cascade (Objectives)

COBIT 5 Enterprise Enablers

COBIT 5 Enterprise IT Domains & Processes

Continuous Controls Matrix (Reasonable Assurance)

Key areas to minimize risks during the transition and establish the proper control framework moving forward:
- Joint effort with Internal Audit
- SOX cross-reference

Matrix columns:
- Functional/Control Areas
- Policy / Document Reference: company policies, standards, procedures, and other documents
- COBIT 5 Identification: NIST attributes & COBIT processes
- SOX category and identification
- Other: other documents & initiatives

COBIT 5: The Umbrella Framework (Adaptable)

Diagram excerpt from COBIT 5 Essential Facts, Fact 4: “COBIT 5 brings order to complex standards, regulations and frameworks”

COBIT 5 Risk Management Approach

Questions

IT is complicated; IT governance doesn’t have to be. Visit www.isaca.org/COBIT to begin implementing COBIT 5 in your company.
