It Governance Group 3

MA. AIRACE ANN B. BOHOL
VICTORIA ANNE DIAZ
RHEANNE JOY RAGSAG
KAREN LAS-AY
MARY ANGELINE SON
NIAH MARGARETT
ANDRUE FACTOR
LOURDES SOLIVA
SHARA MAE ADENA
VENUS MIANO
ROSEMARIE LANTAJO
JULLANE ACERDIN
JOHN KEVIN CANAMAQUE
Learning objectives:
• Learners are expected to have insights about IT governance.
• Describe the concept and basic procedures performed in auditing IT governance.
Three widely recognized, best-practice IT-related frameworks are the IT Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT), and ISO/IEC 27002, the International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard that grew out of the British Standard BS 7799. These three frameworks provide organizations with the means to address different angles within the IT arena.
ITIL was developed by the United Kingdom's Office of Government Commerce (OGC), later absorbed into the Cabinet Office, as a library of best practice processes for IT service management. Widely adopted around the world, ITIL provides guidelines for best practices in the IT service management field. Specifically, an ITIL service management environment effectively and efficiently delivers business services to end users and customers by adhering to five core guidelines related to:

Strategy • guidelines or best practice processes to map the IT strategy to overall business goals and objectives.
Design • best practice processes (or requirements) implemented to guide toward a solution designed to meet business needs.
Transition • aims at managing change, risk, and quality assurance during the deployment of an IT service.
Operation • guidelines or best practice processes put in place to maintain adequate and effective IT services once implemented into the production environment.
Continuous Improvement • constantly looks for ways to improve the overall process and service provision.
The ITIL framework should be chosen when the goal of the organization is to improve the quality of IT service management. The ITIL framework assists organizations in creating IT services that effectively help to manage daily tasks, particularly when the focus is on the customer or end user.
ISO/IEC 27002

The ISO/IEC 27002 framework is a global standard (used together with the ISO/IEC 27001 framework) that provides best practice recommendations related to the management of information security. The standard applies to those in charge of initiating, implementing, and/or maintaining information security management systems. This framework also assists in implementing commonly accepted information security controls and procedures. The ISO/IEC 27000 family of standards includes techniques that help organizations secure their information assets. Some standards, in addition to the one mentioned above, involve IT security techniques related to:
• Requirements for establishing, implementing, maintaining, assessing, and continually improving an information security management system within the context of the organization. These requirements are generic and are intended to be applicable to all organizations, regardless of type, size, or nature. (ISO/IEC 27001:2013)
• Guidance for information security management system implementation. (ISO/IEC DIS 27003)
• Guidelines for implementing information security management (i.e., initiating, implementing, maintaining, and improving information security) for inter-sector and inter-organizational communications. (ISO/IEC 27010:2015)
• Guidance on the integrated implementation of an information security management system, as specified in ISO/IEC 27001, and a service management system, as specified in ISO/IEC 20000-1. (ISO/IEC 27013:2015)
Using this family of standards will assist organizations in managing the security of assets, including, but not limited to, financial information, intellectual property, employee details, or information entrusted by third parties. The purpose of the ISO/IEC 27002 framework is to help organizations select proper security measures by utilizing the available domains of security controls. Each domain specifies control objectives that provide further guidance on how organizations may implement the framework. The ISO/IEC 27002 framework should be chosen when IT senior management (i.e., the CIO) targets an information security architecture that provides generic security measures to comply with federal laws and regulations.
A Joint Framework

As seen, ITIL, COBIT, and ISO/IEC 27002 are all best-practice IT-related frameworks for regulatory compliance and corporate governance compliance. A challenge for many organizations, however, is to implement an integrated framework that draws on these three standards. The Joint Framework, put together by the IT Governance Institute (ITGI) and the OGC, is a significant step in that direction. Aligning ITIL, COBIT, and ISO/IEC 27002 not only formalizes the relationship between them but, most importantly, allows organizations to:
• implement a single, integrated regulatory compliance method that delivers corporate governance general control objectives;
• meet the regulatory requirements of data and privacy-related regulation; and
• get ready for external certification to ISO 27001 and ISO 20000, both of which demonstrate compliance.
Organizational Chart of a Centralized Information Technology Function

PRESIDENT
• VP MARKETING
• VP FINANCE
• VP IT SERVICES
  - SYSTEMS DEVELOPMENT MANAGER
    • NEW SYSTEMS DEVELOPMENT
    • SYSTEMS MAINTENANCE
  - DATABASE ADMINISTRATOR
  - DATA PROCESSING MANAGER
    • DATA CONVERSION
    • COMPUTER OPERATIONS
    • DATA LIBRARY
• VP ADMINISTRATION
• VP OPERATIONS
Data Processing

The data processing group manages the computer resources used to perform the day-to-day processing of transactions. It consists of the following organizational functions:

Data Conversion • The data conversion function transcribes transaction data from hard-copy documents into computer input.
Computer Operations • The electronic files produced in data conversion are later processed by the central computer, which is managed by the computer operations group.
Data Library • The data library is a room adjacent to the computer center that provides safe storage for the off-line data files.
Data Librarian • The data librarian, who is responsible for the receipt, storage, retrieval, and custody of data files, controls access to the library.
COBIT 2019 – Control Objectives
for Information and Related
Technology
COBIT is a framework for the governance and
management of enterprise information and
technology, aimed at the whole enterprise. Enterprise
I&T means all the technology and information
processing the enterprise puts in place to achieve its
goals, regardless of where this happens in the
enterprise. In other words, enterprise I&T is not
limited to the IT department of an organization, but
certainly includes it.
The COBIT framework makes a clear distinction between governance and
management. These two disciplines encompass different activities, require
different organizational structures and serve different purposes.

GOVERNANCE: • EVALUATE • DIRECT • MONITOR
MANAGEMENT: • PLAN • BUILD • RUN • MONITOR
• COBIT defines the components to build and sustain a governance system: processes, organizational structures, policies and procedures, information flows, culture and behaviors, skills, and infrastructure.
• COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.
• COBIT addresses governance issues by grouping relevant governance components into governance and management objectives that can be managed to the required capability levels.
Several misconceptions about COBIT should be dispelled:
• COBIT is not a full description of the whole IT environment of an enterprise.
• COBIT is not a framework to organize business processes.
• COBIT is not an (IT-)technical framework to manage all technology.
• COBIT does not make or prescribe any IT-related decisions.

Significance of COBIT 2019 in Businesses:
• Digital Transformation
• Cloud Computing
• Data Privacy and Security
• Agile and DevOps Practices
• Risk Mitigation
• Global Reach

Evolution of COBIT 2019:
• 1996 ISACA released the first edition of the COBIT framework
• 2003 ISACA created an online version of the third edition of COBIT
• 2007 COBIT 4.1
• 2012 COBIT 5, coordinated with other frameworks and standards
• 2018 ISACA published COBIT 2019
• 2024 COBIT 2019 in a digital landscape
COBIT 5                                              | COBIT 2019
-----------------------------------------------------|------------------------------------------
Five governance principles                           | Six governance principles
Governance framework principles are absent           | Governance framework principles are added
37 processes                                         | 40 processes
Measuring performance: 0-5 scale based on ISO scheme | CMMI performance management scheme used
No design factors                                    | Design factors included
COBIT PRINCIPLES

COBIT 2019 was developed on two sets of principles:

The Six Principles for a Governance System
• Meeting stakeholder needs
• End-to-end governance system
• Enabling a holistic approach
• Tailored to the enterprise needs
• Dynamic governance system
• Separating governance from management

The Three Principles for a Governance Framework
• Based on conceptual model
• Open and flexible
• Aligned to major standards

By adhering to these principles, organizations can establish a mature and effective IT governance framework. COBIT provides detailed process descriptions, design factors, and performance management practices to support organizations in implementing these principles.
Benefits of COBIT 2019
• IT Business Alignment
• IT Risk Management
• IT Performance and Value Optimization

COBIT Components of a Governance System
• Processes
• Organizational Structures
• Principles, Policies and Frameworks
• Information
• Culture, Ethics and Behavior
• People, Skills and Competencies
• Services, Infrastructure and Applications
Policies, procedures, and standards define IT organizational behavior and uses of technology. They are part of the written record that defines how the IT organization performs the services that support the organization. As an IT auditor, you must understand the purpose of your audit.

A plethora of documentation exists in the operation of any organization. Management uses this documentation to specify operating and control details. Consistency would be impossible without putting the information into writing.
POLICIES
• These are high-level documents signed by a person of significant authority (such as a corporate officer, president, or vice president). The policy is a simple document stating that a particular high-level control objective is important to the organization's success. Policies may be only one page in length. Policies require mandatory compliance.

STANDARDS
• These are mid-level documents to ensure uniform application of a policy. After a standard is approved by management, compliance is mandatory. All standards are used as reference points to ensure organizational compliance. Testing and audits compare a subject to the standard, with the intention of certifying a minimum level of uniform compliance.

GUIDELINES
• These are intended to provide advice pertaining to how organizational objectives might be obtained in the absence of a standard. The purpose is to provide information that would aid in making decisions about intended goals (should do), beneficial alternatives (could do), and actions that would not create problems (won't hurt). Guidelines are often discretionary.

PROCEDURES
• These are "cookbook" recipes for accomplishing specific tasks necessary to meet a standard. Details are written in step-by-step format from the very beginning to the end. Good procedures include common troubleshooting steps in case the user encounters a known problem. Compliance with established procedures is mandatory to ensure consistency and accuracy. The purpose of a procedure is to maintain control over the outcome. Procedures are written to support the implementation of the policies.
An IT governance audit assesses the performance and efficiency of IT processes and activities to identify areas for improvement. This includes evaluating the effectiveness of IT strategies, the efficiency of resource allocation, and the reliability of IT systems and infrastructure.

"The internal audit activity must assess whether the information technology governance of the organization supports the organization's strategies and objectives." (IIA Standard 2110)

OBJECTIVES:
• Ensure the IT organization has adopted and applied sound project management techniques for each project undertaken, which includes project ownership, user involvement, task breakdown and milestones, allocation of responsibilities, cost, quality plan, and security plan for sensitive systems.
• Verify a change management system exists which provides for analysis, implementation, and follow-up of all changes requested and made to the existing IT infrastructure.
• Verify that appropriate information security policies have been established and communicated to the user community, and ensure a process is in place to monitor compliance with security policies.
DISTRIBUTED DATA PROCESSING (DDP)

• An alternative to the centralized model.
• DDP involves reorganizing the central IT function into smaller IT units that are placed under the control of end users.
• IT units may be distributed according to business function, geographic location, or both.

INEFFICIENT USE OF RESOURCES
• risk of mismanagement of organization-wide IT resources by end users
• risk of operational inefficiencies because of redundant tasks being performed within the end-user community
• risk of incompatible hardware and software among end users

DESTRUCTION OF AUDIT TRAILS
• an audit trail provides the linkage between a company's financial activities (transactions) and the financial statements that report on those activities; when processing is spread across end-user units, that trail can be fragmented or lost

INADEQUATE SEGREGATION OF DUTIES
• achieving an adequate segregation of duties may not be possible in some distributed environments

HIRING QUALIFIED PROFESSIONALS
• end-user managers may lack the IT knowledge to evaluate the technical credentials and relevant experience of candidates applying for IT professional positions

LACK OF STANDARDS
• because of the distribution of responsibility in the DDP environment, standards for developing and documenting systems, choosing programming languages, acquiring hardware and software, and evaluating performance may be unevenly applied or even nonexistent
ADVANTAGES OF DDP

1. COST REDUCTIONS
2. IMPROVED COST CONTROL RESPONSIBILITY
3. IMPROVED USER SATISFACTION
4. BACKUP FLEXIBILITY
CONTROLLING THE DDP ENVIRONMENT

Implement a Corporate IT Function - the completely centralized model and the distributed model represent extreme positions on a continuum of structural alternatives. The needs of most firms fall somewhere between these end points. Often, the control problems previously described can be addressed by implementing a corporate IT function that provides:
• Central testing of commercial software and hardware
• User services
• Standard-setting body
• Personnel review
AUDIT OBJECTIVE
The auditor's objective is to verify that the structure of the IT function is such that individuals in incompatible areas are segregated in accordance with the level of potential risk and in a manner that promotes a working environment.

AUDIT PROCEDURE
• Review relevant documentation
• Review systems documentation and maintenance records
• Verify that computer operators do not have access to the operational details of the system's internal logic
• Through observation, determine that the segregation policy is being followed in practice
• Verify that corporate policies and standards for system design, documentation, and hardware and software acquisition are published and provided to distributed IT units
• Verify that compensating controls, such as supervision and management monitoring, are employed
• Review systems documentation to verify that applications, procedures, and databases are designed and functioning in accordance with corporate standards
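The segregation-of-duties part of the procedure above can be checked mechanically before the auditor moves to observation. The script below is an added example, not code from the original slides: it parses group membership in /etc/group format (a constructed sample is embedded), maps hypothetical group names onto the IT functions in the centralized organizational chart on this page, and reports every user who holds two functions that the chart keeps under different managers. The group names and the list of incompatible function pairs are assumptions for the example; a real engagement would take them from the organization's own segregation policy.

```python
"""Segregation-of-duties check over group memberships (added example)."""
from collections import defaultdict
from itertools import combinations

# Hypothetical group names mapped to the IT functions in the org chart.
GROUP_TO_FUNCTION = {
    "sysdev": "systems_development",
    "sysmaint": "systems_maintenance",
    "dba": "database_administration",
    "ops": "computer_operations",
    "dataconv": "data_conversion",
    "datactl": "data_control",
    "datalib": "data_library",
}

# Function pairs one person must not hold at the same time. This set is an
# assumption for the example, reflecting the development / operations /
# data-handling separation in the slides, not a list taken from the page.
INCOMPATIBLE = {
    frozenset({"systems_development", "computer_operations"}),
    frozenset({"systems_maintenance", "computer_operations"}),
    frozenset({"database_administration", "systems_development"}),
    frozenset({"data_conversion", "data_control"}),
    frozenset({"computer_operations", "data_library"}),
}

# Constructed sample in /etc/group format; not from any real system.
SAMPLE_GROUP_FILE = """\
root:x:0:
sysdev:x:1001:alice,carol
sysmaint:x:1002:bob
dba:x:1003:carol
ops:x:1004:dave,carol
dataconv:x:1005:erin
datactl:x:1006:erin,frank
datalib:x:1007:dave
wheel:x:10:alice
"""


def parse_group_file(text):
    """Return {user: set of IT functions} from /etc/group-style lines.

    Groups that are not mapped to an IT function (root, wheel, ...) are
    ignored; malformed lines are skipped rather than guessed at.
    """
    members = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 4:
            continue
        group, _, _, userlist = parts
        function = GROUP_TO_FUNCTION.get(group)
        if function is None:
            continue
        for user in filter(None, userlist.split(",")):
            members[user].add(function)
    return dict(members)


def find_sod_conflicts(members, incompatible=INCOMPATIBLE):
    """Return (user, function_a, function_b) for every incompatible pair held.

    Users and pairs are emitted in sorted order so reports are stable.
    """
    conflicts = []
    for user, functions in sorted(members.items()):
        for a, b in combinations(sorted(functions), 2):
            if frozenset({a, b}) in incompatible:
                conflicts.append((user, a, b))
    return conflicts


if __name__ == "__main__":
    for user, a, b in find_sod_conflicts(parse_group_file(SAMPLE_GROUP_FILE)):
        print(f"{user}: holds {a} and {b}")
```

To run it against a real host, feed the output of `getent group` to parse_group_file instead of the sample; an empty result means no user holds an incompatible pair under the configured matrix. The check covers only the documentary step of the procedure; observing whether the segregation policy is followed in practice and reviewing compensating controls remain manual work.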
THE COMPUTER SYSTEM

Physical Location • The physical location of the computer center directly affects the risk of destruction due to a natural or man-made disaster.
Construction • Must be located in a single-story building of solid construction with controlled access.
Access • Should be limited to the operators and other employees who work there.
Fault Tolerance • The ability of the system to continue operation when part of the system fails because of hardware failure, application program error, or operator error. It is provided by:
  1. Redundant Arrays of Independent Disks (RAID)
  2. Uninterruptible Power Supplies (UPS)
Fire Suppression • Fire is the most serious threat to a firm's computer equipment.
Air Conditioning • Computers function best in an air-conditioned environment, and providing adequate air conditioning is often a requirement of the vendor's warranty.
AUDIT OBJECTIVE
The auditor must verify that:
• Physical security controls are adequate to reasonably protect the organization from physical exposures.
• Insurance coverage on equipment is adequate to compensate the organization for the destruction of, or damage to, its computer center.

AUDIT PROCEDURE
• Tests of physical construction
• Tests of the fire detection system
• Tests of access control
• Tests of RAID
• Tests of the uninterruptible power supply
• Tests for insurance coverage
DISASTER RECOVERY PLANNING
• Identify critical applications
• Create a disaster recovery team
• Provide site back-up
• Specify back-up and off-site procedures

Site back-up options:
Mutual aid pact - An agreement between two or more organizations to aid each other with their data processing needs in the event of a disaster.
Empty Shell - An arrangement wherein the company buys or leases a building that will serve as a data center.
Recovery Operations Center (ROC) - A fully equipped backup data center that many companies share.
Internally Provided Back-up

DRP TEAM
COORDINATOR: VP OPERATIONS

SECOND SITE FACILITIES GROUP
• DP Manager
• Plant Engineer
• Computer Operations Manager
• Teleprocessing Manager

PROGRAM AND DATA BACK-UP GROUP
• System Development Manager
• System Maintenance Manager
• Senior Systems Programmer
• Senior Maintenance Programmer
• User Departments Representative
• Internal Audit Representative

DATA CONVERSION AND DATA CONTROL GROUP
• Data Control Manager
• Data Conversion Manager
• Data Conversion Shift Supervisor
• User Department Representatives
• Internal Audit Representative

AUDIT OBJECTIVE
The auditor should verify that management's disaster recovery plan is adequate and feasible for dealing with a catastrophe. The following tests may be performed:

AUDIT PROCEDURE
• Site backup
• Critical application list
• Disaster recovery team
• Backup supplies, documents, and documentation
• Software backup
• Data backup
