Agenda
Management Expectations of IT
Re-Engineered Processes
Right-Sizing
Distributed Processing
Flattened Organizations
Outsourcing
Both need a Control Framework
COBIT: Control OBjectives for Information and related Technology
Mission: To research, develop, publicize, and promote an authoritative, up-to-date, international set of generally accepted IT control objectives for day-to-day use by business managers and auditors.
COBIT's Golden Rule
In order to provide the information that the organization needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
COBIT: IT Governance
Business requirements drive the information that IT processes must deliver; the framework then supplies, for each process:
- Control Objectives
- Critical Success Factors
- Key Performance Indicators
- Key Goal Indicators
- Maturity Models
- Audit Guidelines
- Control Practices
Session 2
Objectives of internal control:
- Compliance with laws and regulations
- Reliability of financial reporting
- Efficiency and effectiveness of operations
Control Classifications
Preventive Control
Preventive controls are designed to stop errors, omissions and malicious acts before they occur, and so protect the organization from unlawful activity.
Detective Control
Detective controls are those which detect and report the occurrence of an error, omission or malicious act in the information system.
Corrective Control
Corrective controls are very important because prevention and detection alone cannot be effective unless there is an appropriate corrective mechanism in place.
Examples of corrective controls:
- Contingency planning
- Backup procedures
- Rerun procedures
- Treatment procedures for a disease
- Changing an input value to an application system
- Investigating budget variances and reporting violations
Compensatory Control
A compensatory control offsets the weakness of another control that cannot be applied, or cannot be applied fully, in a given environment. When designing any control, including a compensating one, keep in mind that the cost of the lock should not exceed the value of the assets it protects.
View of IT Controls
Information system auditors need to understand the range of controls available for mitigating IT risks.
IT Governance
The controls can be thought of as existing within a hierarchy that relies on the operating effectiveness and interconnectivity of the controls, as well as the realization that failure of a set of controls can lead to increased reliance on, and necessary examination of, other control groups.
Another View
General Control
General IT controls are typically pervasive in nature and are addressed through various audit avenues.
Application Control
Application controls provide another category of controls and include controls within an application around input, processing, and output.
IT Governance
When addressing the topic of IT controls, an important consideration is IT governance, which provides the framework to ensure that IT can support the organization's overall business needs.
IT governance is not only composed of the controls needed to address identified risk but is also an integrated structure of IT practices and personnel that must be aligned closely with, and enable achievement of, the organization's overall strategies and goals.
IT Controls
Internal controls divide into two groups:
- Application controls: controls over computer application systems and programs
- General controls: controls over application systems development and changes, and over the computer service center (operations and security)
Types of CAATs
Packaged Software
Generalized Audit Software (GAS)
Embedded Audit Module (EAM)
Audit Hook (AH)
Integrated Test Facility (ITF)
Parallel Simulation (PS)
Program Code Analysis (PCA)
Test Data
Specialized Audit Software (SAS)
Find the definitions!
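Parallel Simulation is the one CAAT on the list above whose mechanics a short program can show end to end: the auditor writes an independent program that applies the same business rule as the production application, runs the production input through it, and reports every record whose result differs. The block below is an added example, not material from the presentation; the invoice layout, the billing rule (quantity times price, less a percentage discount, plus tax, rounded half-up to cents) and all sample records and application outputs are constructed for the illustration. The constructed application output deliberately contains a rounding defect, a dropped record and an unexplained extra record, the three kinds of exception a parallel simulation is run to surface.

```python
"""Parallel simulation CAAT, added example (not from the presentation).

The auditor re-implements the billing rule independently, re-processes the
production input, and compares against the application's own output.
All data below is constructed; the billing rule is an assumption.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP


@dataclass(frozen=True)
class Invoice:
    """One production input record (constructed format)."""
    invoice_id: str
    quantity: int
    unit_price: Decimal
    discount_pct: Decimal   # percentage, 0..100
    tax_rate_pct: Decimal   # percentage, e.g. 5 for 5%


def auditor_total(inv: Invoice) -> Decimal:
    """Auditor's independent computation of the assumed billing rule:
    gross = qty * price; net = gross less discount; total = net plus tax,
    rounded half-up to cents. Written from the rule, not copied from the app."""
    gross = inv.quantity * inv.unit_price
    net = gross * (Decimal(100) - inv.discount_pct) / Decimal(100)
    total = net * (Decimal(100) + inv.tax_rate_pct) / Decimal(100)
    return total.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_simulation(invoices, application_totals, tolerance=Decimal("0.00")):
    """Re-run every input through the auditor's program and compare with the
    application's output. Returns a list of (invoice_id, reason, expected, actual).
    A non-zero tolerance lets the auditor accept immaterial differences."""
    exceptions = []
    seen = set()
    for inv in invoices:
        seen.add(inv.invoice_id)
        expected = auditor_total(inv)
        actual = application_totals.get(inv.invoice_id)
        if actual is None:
            # Record was in the input but produced no output: dropped transaction.
            exceptions.append((inv.invoice_id, "missing in application output", expected, None))
        elif abs(actual - expected) > tolerance:
            # Same input, different result: logic or rounding defect in the application.
            exceptions.append((inv.invoice_id, "amount mismatch", expected, actual))
    for inv_id in sorted(set(application_totals) - seen):
        # Output with no corresponding input: unauthorized or phantom transaction.
        exceptions.append((inv_id, "not in input", None, application_totals[inv_id]))
    return exceptions


# Constructed production input.
SAMPLE_INVOICES = [
    Invoice("INV-1", 3, Decimal("19.99"), Decimal("0"), Decimal("5")),
    Invoice("INV-2", 10, Decimal("4.50"), Decimal("10"), Decimal("5")),
    Invoice("INV-3", 1, Decimal("100.00"), Decimal("25"), Decimal("0")),
    Invoice("INV-4", 2, Decimal("10.00"), Decimal("0"), Decimal("5")),
]

# Constructed application output: INV-2 was rounded 42.525 -> 42.52 (half-even,
# not the half-up the rule requires), INV-4 is missing, INV-9 has no input.
SAMPLE_APPLICATION_OUTPUT = {
    "INV-1": Decimal("62.97"),
    "INV-2": Decimal("42.52"),
    "INV-3": Decimal("75.00"),
    "INV-9": Decimal("5.00"),
}


def run_sample():
    """Run the simulation over the constructed data and return the exceptions."""
    return parallel_simulation(SAMPLE_INVOICES, SAMPLE_APPLICATION_OUTPUT)


if __name__ == "__main__":
    for inv_id, reason, expected, actual in run_sample():
        print(f"{inv_id}: {reason} (auditor={expected}, application={actual})")
```

The value of the technique comes from the independence of `auditor_total`: it is written from the documented rule rather than by reading the application's code, so a defect the application has always had (here, half-even rounding on a .5 cent) still shows up as a mismatch. Contrast this with the Test Data approach, which feeds specially prepared records into the live application and checks its handling of each case, and with an Embedded Audit Module, which sits inside the application and flags transactions as they are processed.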
End of Presentation
Thank You!