Sunday, June 3, 2018

COBIT 5 Architecture

     As illustrated in Exhibit 5.2, these needs flow through what COBIT calls enablers, a series of separate but interconnected processes discussed later in this chapter. The purpose of these enablers is—as the name suggests—to implement and perform governance and management systems processes for enterprise IT. Enablers are broadly defined as specific processes, mechanisms, or anything that can help to achieve the enterprise governance objectives. This includes resources, such as information and people.

     The COBIT 5.0 framework defines seven categories of enablers:
1. Processes
2. Principles and policies
3. Organizational structures
4. Skills and competences
5. Culture and behavior
6. Service capabilities
7. Information

COBIT 5 Simplified General Architecture

      COBIT is a set of guidance materials that supports the major elements of IT governance, incorporating many concepts and topics from enterprise governance and management techniques. Enterprises of all sizes around the world have implemented COBIT in its previous 4.1 version. The new COBIT version 5.0 introduces enhancements to reduce IT-related risks and increase confidence in the information provided by IT, to enable clear policy development and good practice for IT management, and to increase the value attained from IT and manage compliance.

COBIT PRINCIPLE 2: STAKEHOLDER VALUE DRIVERS
     The business focus of COBIT is achieved through identifying all stakeholders and their needs and determining how they link to governance and management decisions and activities. Perhaps it is best to think of these IT process and operations stakeholders in two groups: internal and external.

     IT operations and processes are very pervasive, and COBIT’s identified internal stakeholders include members of the board of directors, the CEO, chief financial officer (CFO), chief information officer (CIO), business executives, business process owners, business managers, risk managers, security managers, service managers, human resources (HR) managers, internal auditors, IT users, IT operations managers, and many others.

Stakeholder Needs
    Stakeholder needs are influenced by a number of drivers, including strategy changes, a changing business and regulatory environment, and the evolution of technology. These stakeholder needs materialize in a series of potential expectations, concerns, or requirements; all of these issues relate to one or more of COBIT’s three generic governance objectives: benefits realization, risk balancing, and cost optimization.

     Enterprises exist to create value for their stakeholders, so the governance objective for any enterprise—commercial or not—is value creation, realizing benefits at an optimal resource cost while optimizing risk. Enterprises have many internal and external stakeholders, and “creating value” means different—and sometimes conflicting—things to each of them.

     Governance is about negotiating and deciding solutions among different stakeholders’ value interests. In consequence, an IT governance system must consider all of these stakeholders when making benefit, resource, and risk assessments and decisions. For each of these value creation components, the question can and should be asked: For whom are the benefits and risks, and which IT resources are required?

COBIT PRINCIPLE 3: FOCUS ON BUSINESS CONTEXT
     The COBIT framework provides a strong set of guidance materials to help an enterprise improve its IT governance processes, and a core principle of COBIT is its focus on a business context. COBIT’s third key principle emphasizes that business enterprises exist to create value for their stakeholders.

     There are three COBIT-defined governance value objectives here: 
1. Benefits realization 
2. Risk optimization 
3. Resource optimization

Governance Objectives Mapped To Enterprise Goals
      COBIT links each of these three objectives to financial, customer-related, and enterprise-internal enterprise goals. COBIT also defines a set of enterprise goals, separated into financial, customer, internal, and learning and growth categories. Exhibit 5.4 shows a summary of these COBIT governance objectives mapped to enterprise financial goals, indicating where there is a primary or secondary relationship to the COBIT-defined governance value objective.

COBIT and the IT Governance Institute
     A more IT-oriented internal control assessment and guidance framework, called COBIT (Control Objectives for Information and related Technology), had actually been in place long before SOx, with COBIT first released in 1996. The COBIT framework was initially developed for the internal and external auditors who reviewed computer systems and technology controls (often called IT auditors), but COBIT has also become a preferred tool in many enterprises for complying with SOx Section 404 internal control procedures and related IT governance support. COBIT provides guidance for evaluating and understanding internal controls, with an emphasis on enterprise IT resources.

      COBIT today has evolved into a helpful tool for assessing IT governance and evaluating all internal controls across an enterprise. It provides emphasis and guidance on the linkage of IT with other business resources to deliver overall values to an enterprise today. It is an important tool to help the senior enterprise executive establish effective IT governance practices.

AN EXECUTIVE’S INTRODUCTION TO COBIT
     COBIT is an IT governance internal control framework that is an important support tool for documenting and understanding COSO internal controls and SOx requirements, and for recognizing the value of and risks associated with IT assets in an enterprise. The COBIT standards and framework are issued and regularly updated by the IT Governance Institute (ITGI),1 and the closely affiliated professional organization, the Information Systems Audit and Control Association (ISACA).

     ISACA is more focused on IT auditing, while ITGI’s emphasis is on research and governance processes. ISACA also manages the Certified IT Auditor (CISA) examination and professional designation, as well as other certifications such as the Certified Information Systems Manager (CISM) and the Certified in the Governance of Enterprise IT (CGEIT) designation certification and examination.

     The Certified Information Security Manager (CISM) certification targets IT security managers and promotes the advancement of professionals who wish to be recognized for their IT governance–related experience and knowledge. COBIT has now, in 2011, evolved into its version 5.0 edition. This new edition of the framework was not officially released at the time of our publication, but our comments are based on the final draft releases of this version and the assumption that it will soon become official. With virtually all enterprise processes today tied to IT-related facilities, an understanding of the overall area of IT governance is critical.

      The COBIT framework consists of what are called five principles, broad and interconnected areas of governance and internal controls, as illustrated in Exhibit 5.1. COBIT’s principles are five major areas of emphasis arranged around the important core concept of IT governance:
• COBIT Principle 1 : An Integrated IT Framework
• COBIT Principle 2 : Stakeholder Value Drivers
• COBIT Principle 3 : Focus on a Business Context
• COBIT Principle 4 : Risk Management
• COBIT Principle 5 : Performance Measurement

COBIT IT Governance Principles


     These five COBIT principles or areas of emphasis define the COBIT framework’s elements and provide a definition for the key elements of IT governance. The COBIT framework is an effective mechanism for documenting and understanding IT and all other internal controls and for managing IT governance processes at all levels. Although COBIT first started primarily as a set of “IT audit” guidance materials, it is a much more powerful tool today.

THE COBIT FRAMEWORK AND ITS DRIVERS
      An enterprise executive might ask, “I think I understand some of the key SOx rules and my enterprise uses COSO internal controls; why should I be concerned about this thing called COBIT, yet another framework?” Our answer here is that COBIT provides an alternative and sometimes preferable approach to both define and describe processes that have more of an IT governance emphasis than the pure COSO internal control framework.

     Information and supporting IT processes are often the most valuable assets for virtually all enterprises today, and management has a major responsibility to safeguard its supporting IT assets, including automated systems. An enterprise executive today needs to understand these information-related processes and the controls that support them. Together, these concern the effectiveness and efficiency of the enterprise’s IT resources, processes, and overall business requirements.

     The COBIT framework recognizes that information should be considered a key resource for all enterprises, and throughout the whole life cycle of information there is a huge dependency on technology. IT and its related technologies are pervasive in enterprises and they need to be governed and managed in a holistic manner, taking in the full end-to-end business and IT functional areas of responsibility.

     Through the effective implementation of COBIT framework guidance, an enterprise should achieve increased:
• Value creation through enterprise IT.
• Business user satisfaction with IT engagement and services.
• Compliance with relevant laws, regulations, and policies.

COBIT PRINCIPLE 1: ESTABLISH AN INTEGRATED IT ARCHITECTURE FRAMEWORK
      Architecture traditionally describes how we build, or the style of, our office headquarters, but today it also often refers to an enterprise’s IT architecture technology selections. For example, when IT functions moved away from centralized legacy mainframe computer systems, now many years ago, to networks of smaller server systems, an enterprise IT function would state that it had adopted or implemented a “client–server architecture.”

      Systems architecture is a term IT functions use to refer to the major hardware or software configurations of their IT resources. COBIT has its own architecture; however, a copy of the current published COBIT 5.0 architecture may scare off non-IT specialists because of the diagram’s complexity in its current draft form. Exhibit 5.2 is a simplified diagram of COBIT’s version 5.0 architecture components.

Communications and Information

     As part of any evaluation of internal controls, there is a need to understand these information and communication flows or processes in the enterprise.

     An enterprise needs information at all levels to achieve its operational, financial, and compliance objectives. For example, the enterprise needs information to prepare financial reports that are communicated to outside investors, as well as internal cost and external market preference information to make correct marketing decisions. This information must flow from the top levels of the enterprise down to lower levels, and information from the lower levels must flow back to upper levels. COSO internal controls also emphasize the importance of keeping information and supporting systems consistent with overall enterprise needs.

Monitoring
     The pyramid view of COSO internal controls in Exhibit 4.2 shows the monitoring component as the capstone, upper level of the COSO internal control components. While internal control systems will work effectively with proper support from management, control procedures, and both information and communication linkages, processes must be in place to monitor these activities. Monitoring has long been the role of IT and other internal auditors, who perform reviews to assess compliance with established procedures; however, COSO internal controls now take a broader view of monitoring as well and recognize that control procedures and other systems change over time.

      COSO gives examples of this important component of internal control:
• Operating management normal functions
• Communications from external parties
• Enterprise structure and supervisory activities
• Physical inventories and asset reconciliation

INTERNAL CONTROL EVALUATION PROCESS
      The COSO internal control guidance materials outline an evaluation process for reviewing internal controls. Such an evaluator should first develop an understanding of the system design, next test key controls, and then develop conclusions based on the test results.

     COSO internal controls also mention benchmarking as an alternative approach. Benchmarking is the process of comparing an enterprise’s processes and control procedures with those of peer enterprises.

      COSO internal controls recognize that many highly effective procedures are informal and undocumented. Many of these undocumented controls, however, can be tested and evaluated in the same manner as documented ones. While an appropriate level of documentation makes any evaluation of internal control more efficient and facilitates employees’ understanding of how the process works, that documentation is not always essential.

REPORTING INTERNAL CONTROL DEFICIENCIES
     Whether internal control deficiencies are identified through processes in the internal control system itself, through monitoring activities, or other external events, they should be reported to appropriate levels of enterprise management. The key question for any internal controls evaluator is to determine what should be reported given the large body of details that may be encountered, and to whom the reports should be directed. COSO internal controls state that “all internal control deficiencies that can affect the entity’s attaining its objectives should be reported to those who can take necessary action.”

Other Dimensions of the COSO Internal Control Framework
     The COSO internal control framework is a three-dimensional model, as shown in Exhibit 4.1. Its objectives are:
1. Effectiveness and efficiency of operations. 
2. Reliability of financial reporting. 
3. Compliance with applicable laws and regulations

COSO INTERNAL CONTROL SYSTEMS MONITORING GUIDANCE
     This guidance on monitoring internal systems suggests that enterprises implement internal control monitoring processes similar to the manner in which a manufacturing organization monitors the continued effectiveness and efficiency of its manufacturing procedures.

     The materials suggest that enterprises establish a four-phase monitoring process as shown in Exhibit 4.3. This four-stage approach says that the enterprise should first prioritize and understand the risks to its organizational objectives, and then identify the controls that address those prioritized risks. The third step is the identification of information that will persuasively indicate that the internal control system is operating effectively.

     The fourth and final step of the suggested model calls for implementing cost-effective procedures to evaluate the information gathered through monitoring processes.

COSO Monitoring Design and Implementation Process