COBIT Perspectief van de beoordeling

Maat: px

Weergave met pagina beginnen:

Download "COBIT Perspectief van de beoordeling"

Pepijn Dijkstra
9 jaren geleden
Aantal bezoeken:

1 INFORMATION RISK MANAGEMENT COBIT Perspectief van de beoordeling AUDIT Mark Lof Senior Manager Information Risk Management Utrecht, Nederland 29 juni 2005

2 Agenda IT Audit Gebruik van normen Normenset COBIT Rapportage Ervaringen met gebruik COBIT 2

3 Werkveld IT auditor Assurance / compliance TPM / SAS-70: Zekerheid verschaffen ten aanzien van de kwaliteit uitbestede IT dienstverlening IT Assessment: inventarisatie kwaliteit IT organisatie op verzoek van management General IT Controls review: Beoordelen general IT controls in het kader van de jaarrekeningcontrole Project Review: Inventarisatie van de status en voortgang van een IT project Systeemonderzoek: Beoordelen betrouwbaarheid van een applicatie Advies Pakketselectie Project management Inrichting AO/IC in en rondom nieuwe systemen 3

4 Aanpak IT audit Formulering opdrachtomschrijving audit object scope audit aspecten (juistheid, tijdigheid, volledigheid ) Uitvoering Definiëren normenkader Afstemmen normenkader Onderzoek werkzaamheden (interviews, review documentatie, observatie) Vastleggen bevindingen (reproduceerbaarheid) Afstemmen bevindingen Rapportage Opstellen concept rapportage (cross reference bevindingen) Afstemmen concept rapportage Uitbrengen definitieve rapportage 4

5 Normen Duidelijkheid verschaffen ten aanzien waarvan wordt getoetst/beoordeeld/geëvalueerd valueerd. Normenkader verplicht bij onderzoeken gericht op het verstrekken van een (redelijke)) mate van zekerheid. Normen dienen eenduidig en meetbaar te zijn. Normen dienen geaccepteerd te zijn door opdrachtgever / beoordeelde / markt 5

6 Normen: voorbeelden Door auditor specifiek ten behoeve van opdracht (maar vaak gebaseerd op standaard normensets) Standaard normensets in de markt Nivra 33: Documentatie standaard software Nivra 26: Nivra 53: Handboek EDP Auditing ISO SDM-2 2 / CMM COBIT 6

7 COBIT 34 High-level control objectives 318 Detailed control objectives COBIT model bestaat uit: Framework Control Objectives Audit Guidelines Management Guidelines 7

8 COBIT High level control objectives Planning & Organisation PO1 Define a Strategic IT Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Organisation and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage Human Resources PO8 Ensure Compliance with External Requirements PO9 Assess Risks PO10 Manage Projects PO11 Manage Quality Delivery and support DS1 Define and Manage Service Levels DS2 Manage Third-Party Services DS3 Manage Performance and Capacity DS4 Ensure Continuous Service DS5 Ensure Systems Security DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Assist and Advise Customers DS9 Manage the Configuration DS10 Manage Problems and Incidents DS11 Manage Data DS12 Manage Facilities DS13 Manage Operations Acquisition and implementation AI1 Identify Automated Solutions AI2 Acquire and Maintain Application Software AI3 Acquire and Maintain Technology Infrastructure AI4 Develop and Maintain Procedures AI5 Install and Accredit Systems AI6 Manage Changes Monitoring MO1 Monitor the Processes MO2 Access Internal Control Adequacy MO3 Obtain Independent Assurance MO4 Provide for Independent Audit 8

9 COBIT Audit Guidelines DS10 Manage Problems and Incidents Control over the IT process of Managing problems and incidents that satisfies the business requirements to ensure that problems and incidents are resolved, and the cause e investigated to prevent any recurrence is enabled by a problem management system which records and progresses all incidents idents and takes into consideration - sufficient audit trails - timely resolution of reported problems - escalation procedure - incident reports 9

10 COBIT Audit Guidelines Control Objectives Problem Management System Problem Escalation Problem Tracking and Audit Trail Control objectives are audited by: 1. Obtain an understanding by: Interviewing information services function staff.. Selected users of IT resources Obtaining: Summarisation of problem management facilities.. 2. Evaluating the controls by: Consider whether: There is a problem management process that ensures.. Problem management procedures exist for: Recording, analysing resolving in a timely manner all non-standard events Continuation 3. Assessing the compliance by: Testing that a selected sample of process outputs comply with stated procedures relating to Via interview the awareness 4. Substantiating the risk of control objectives not being met by: Performing: For a selection of problems reported, tests to ensure problem management procedures were followed for all non standard activities, including. Identifying Occurences of problems not controlled formally by problem management procedures 10

11 Rapportage: Audit / Review Conclusie Onderzochte object voldoet aan normenkader Onderzochte object voldoet aan normenkader met uitzondering van de volgende normen: Bijlage Norm x Normenkader Gedetailleerde bevindingen ten opzichte van het normenkader 11

12 Rapportage: Gedetailleerde Bevindingen Control Objective Control activity Test procedure Result of test IT Operations DS11.23 Manage Data Backup Jobs. Procedures should be in place to ensure back-ups are taken in accordance with the defined backup strategy and the usability of backup is regularly verified 1. Daily, weekly, monthly and yearly backups of data are performed. 1a. Inquiry functions: Service coordinators and engineers SAP, Windows, UNIX, SAN and LAN. Observation on location Eindhoven Inspection of documents: - Document - Document 2 The data on the systems for the data centre is safeguarded using a back-up strategy that includes tape drives and 2 tape robots. Backing up the data is from one data centre into the tape-robot of the other data centre (Cross backup). 1a. No relevant exceptions noted, except for: The tape capacity needed for the back-up of the data is not guaranteed. When the normal tape capacity is used a signal through mail is send to the delivery manager. The last tape capacity expansion took more time then expected and resulted in a situation were all capacity including normal overcapacity was used. The back-ups are not recent. 2 persons perform the back-up using TivolyStorage Manager (TSM) using predefined scripts. Scheduling is implemented based on client requests. The Service delivery groups check the backups and restores. 12

13 Rapportage: Inventarisatie van bevindingen 13

14 Ervaringen met gebruik COBIT Generiek normenkader specifiek maken situatie Zeer bruikbaar auditprogramma Management nog beperkt bekend met audit termen Control objective vs maatregelen in onderzochte organisatie Klantorganisaties raken meer en meer bekend met COBIT. Met name in SOx trajecten Veel gebruikt door auditors in compliance onderzoeken (SAS-70) 14

15 Presenter s contact details Mark Lof KPMG Information Risk Management +31 (30) [email protected] 15

Vergelijkbare documenten

Auteurs: Jan van Bon, Wim Hoving Datum: 9 maart 2009. Cross reference ISM - COBIT

Auteurs: Jan van Bon, Wim Hoving Datum: 9 maart 2009 Cross reference ISM - COBIT ME: Monitor & Evaluate Cross reference ISM - COBIT Management summary Organisaties gebruiken doorgaans twee soorten instrumenten