Advanced Information Technology and Management
IT Audit and Control Model of Information and Related Technology - COBIT
Hu kejin W

IT Audit
- ISACA (Information Systems Audit and Control Association)
- CISA (Certified Information System Auditor)
- COBIT - Control Objectives For Information and Related Technology
- Information Systems Audit and Control Foundation
- IT Governance Institute

Contents
1. IT Audit Overview
2. COBIT Overview
3. COBIT Architecture
4. Control Objectives
5. Management Guidelines
6. Audit Guidelines

1. IT Audit Overview

Auditing

Objectives
- Security
- Reliability
- Effectiveness

Scope of the audit
1) Information Systems
2) to cover life cycle of IS

Audit Plan
- Definition of Scope and Objectives.
- Analysis and understanding of standard procedures.
- Evaluation of system and internal controls.
- Audit Procedures and documentation of evidence.
- Analysis of facts encountered.
- Formation of opinion over the controls.
- Presentation of report and recommendations.

Audit Techniques
- Compliance tests.
- Substantive tests.
- Auditing program.
- Integrated Test Facility.
- Parallel Simulation.
- Snapshot
- Tracing
- Program Code Comparison
- Computer Assisted Audit Techniques and Tools.

Audit Work Team
- Manager: Responsible for the audit and quality control.
- Senior/team leader: Responsible for the work papers.
- Staff: Responsible for the performance of the audit.

Audit Report
- Progress Reports.
- Work Papers.
- Other Work Papers.
- Preliminary Reports.
- Final Audit Report.

1) What is our mission?
2) What are our goals and how will we achieve them?
3) How can we measure our performance?
4) How will we use that information to make improvements?

1) Accounting Audit
2) System Audit
3) Performance Audit

THE FEA REFERENCE MODEL FRAMEWORK
- Performance Reference Model (PRM): Inputs, Outputs, and Outcomes; Uniquely Tailored IT Performance Indicators
- Business Reference Model (BRM): Lines of Business; Agencies, Customers, Partners
- Service Component Reference Model (SRM): Service Domains, Service Types; Business & Service Components
- Technical Reference Model (TRM): Service Component Interfaces, Interoperability; Technologies, Recommendations
- Data & Information Reference Model (DRM): Business-focused Data Standardization; Cross-Agency Information Exchanges
(Side labels: Performance and Business-Driven; Component-Based Architectures)

[Figure labels: Human Capital; Mission and Business Results; Customer Results; Value; Strategic Outcomes; Input; Technology; Other Fixed Assets; Process and Activity]
- Mission and business-critical results aligned with the Business Reference Model. Results measured from a customer perspective.
- The direct effects of day-to-day activities and broader processes measured as driven by desired outcomes. Used to further define and measure the Mode of Delivery in the Business Reference Model.
- Key enablers measured through their contribution to outputs and by extension outcomes.

Data and Information Reference Model (DRM)
Data and Information Reference Model (DRM) is currently under development

COBIT is the model for IT governance!

2. COBIT Overview

Business Requirements; IT Management; IT Resources

1). Executive Summary
2). Framework
3). Control Objectives
4). Management Guidelines
5). Audit Guidelines
6). Implementation Tool set

The control of: IT Processes
which satisfy: Business Requirements
is enabled by: Control Statements
considering: Control Practices

IT resources: Data; Application Systems; Technology; Facilities; People
Events: Business Objectives; Business Opportunities; External Requirements; Regulations; Risks
Information: Effectiveness; Confidentiality; Integrity; Availability; Compliance; Reliability
Message input; Service output

Business Processes; Information; IT Resources
IT Resources: People; Application Systems; Technology; Facilities; Data
Information Criteria: effectiveness; confidentiality; integrity; availability; compliance; reliability
Do they match? What you get; What you need

Information criteria; IT domains; IT resources
- Planning & organization
- Acquisition & implementation
- Delivery & support
- Monitoring

Domains; Processes; Activities
Information Criteria: Quality; Fiduciary; Security
IT Processes: Domains; Processes; Activities/Tasks
IT Resources: people; Application Systems; Technology; Facilities; Data

3. COBIT Architecture

Management framework: Management guidelines; Control objectives; Audit guidelines; Tool set
Management guidelines: Maturity models; Critical success factors; Key goal indicators; Key performance indicators
IT domains: Planning & Organization; Acquisition & Implementation; Delivery & Support; Monitoring

COBIT IT Processes Defined Within the Four Domains
COBIT; Business Objectives; Information; IT Re