COBIT 2019 As EGIT Framework For Internal Control And Audit

Transcription

COBIT 2019 as EGIT Framework for Internal Control and Audit
Andrei Drozdov, KPMG Moscow, Associate Director, IT Advisory
CISA, CISM, CGEIT, COBIT 2019 Accredited Trainer

CONTROL ENVIRONMENT
- Includes three lines of defense (Operational Management, Risk & Compliance, Audit)
- Required by audit standards and regulators, e.g. for the financial sector
- IT-related controls are present in most control environments
- Regulators mostly provide detailed specification only for security and privacy controls

2019 JSC “KPMG”, a company incorporated under the Laws of the Russian Federation, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.

ROLES OF INTERNAL AUDIT IN EGIT
- Assurance on Conformance: normative requirements for the control environment
- Consulting on Performance: best practices to increase effectiveness and efficiency

- Emerging technologies
- Digital transformation
- Security, Privacy, Compliance
- IT audit function in IA
- Shortage of skilled IT audit resources
- COBIT is used in more than 50% of organizations as a framework for IT audit (source: …udit-best-practices.aspx)

ISACA IT AUDIT RELATED PUBLICATIONS

SOME ISSUES WITH COBIT 5
- Developed 7 years ago; does not cover new technology trends (e.g. digital transformation) and the latest IT standards
- Assessment of capability levels based on PAM (ISO 15504) is more complicated than the CMMI model (used in COBIT 4.1) and could become even more sophisticated if ISO 33001 is adopted
- COBIT 5 terminology is sometimes too difficult to understand (“enablers”)
- Lack of practices for “tailoring” the EGIT model


COBIT 2019 FRAMEWORK
COBIT is a framework for the enterprise governance and management of information and technology (I&T) that supports enterprise goal achievement.
For each of the 40 objectives it provides a detailed description of components (formerly the 7 enablers), including processes, practices, activities, metrics, organizational structures (e.g. CDO), and references to the latest standards.

ENTERPRISE GOVERNANCE OF INFORMATION AND TECHNOLOGY
The context of Enterprise Governance of Information and Technology includes:
- Enterprise Governance of IT
- Business/IT Alignment
- Value Creation
Good governance leads to alignment, which leads to value creation.
Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 1 Introduction

GOALS CASCADE
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4

GOALS CASCADE – ENTERPRISE GOALS

REF    BSC DIMENSION   ENTERPRISE GOAL
EG01   Financial       Portfolio of competitive products and services
EG02   Financial       Managed business risk
EG03   Financial       Compliance with external laws and regulations
EG04   Financial       Quality of financial information
EG05   Customer        Customer-oriented service culture
EG06   Customer        Business service continuity and availability
EG07   Customer        Quality of management information
EG08   Internal        Optimization of internal business process functionality
EG09   Internal        Optimization of business process costs
EG10   Internal        Staff skills, motivation and productivity
EG11   Internal        Compliance with internal policies
EG12   Growth          Managed digital transformation programs
EG13   Growth          Product and business innovation

Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4

COBIT OVERVIEW AND PRODUCT ARCHITECTURE
Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 4 Basic Concepts

Known as the Process Reference Model, or PRM, in COBIT 5, COBIT 2019 identifies this as the COBIT Core Model.
Reference: COBIT 2019 Framework: Basic Concepts: Governance Systems and Components, Chapter 4

PROCESS CAPABILITY LEVELS
COBIT 2019 supports a CMMI-based process capability scheme. The process within each governance and management objective can operate at various capability levels, ranging from 0 to 5.
Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6 Performance Management in COBIT

MANAGEMENT OBJECTIVE: MEA04 — MANAGED ASSURANCE
Reference: COBIT 2019 Framework: Governance and Management Objectives, Chapter 4 Detailed Guidance

FOCUS AREA MATURITY LEVELS
Maturity levels can be used when a higher level is required for expressing performance. COBIT 2019 defines maturity levels as a performance measure at the focus area level.
Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 6 Performance Management in COBIT

COBIT AND OTHER STANDARDS
Reference: COBIT 2019 Framework: Introduction and Methodology, Chapter 10 COBIT and Other Standards

IT INTERNAL AUDIT FUNCTION IMPLEMENTATION
- COBIT 2019 publications
- ITAF, COBIT 5 for Assurance publications
- COBIT 2019 training (Foundation, Design & Implementation) and exams
- CISA training and exams

Questions?

kpmg.ru
kpmg.com/app

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
