Alignment of COBIT to Botswana IT Audit Presentation

Alignment of COBIT to Botswana IT
Audit Methodology
• Gives a holistically view of the IT computing
environment, starting with management
issues to operational issues.
• Its practical and addresses key IT issues
• The COBIT IT assurance guide provides a clear
road map from planning of the audit up to
field work execution.
COBIT IT Assurance Guide
• The guide is linked to COBIT processes
outlining the control objectives, value drivers
for the process, risk drivers and tests of
controls to be performed by an assurance
Using IT Assurance Guide
For Example for PO 1.2 Business-IT Alignment
Test of Controls questions as suggested by IT
Assurance guide;
• Confirm that the process for communicating
business opportunities with IT management is
reviewed and the importance of the process is
communicated to the business and IT.
Consider the update frequency of those
COBIT IT Assurance Guide
• Enquire whether and confirm through
interviews with the members of the IT
management that they helped define
enterprise goals. Ask them about their
accountability for achieving enterprise goals,
determine if they undertook what if analyses
and confirm their commitment goals.
COBIT IT Assurance Guide
• Enquire with the business management and IT
management to identify business processes
that are dependent of IT. Consider whether
the business and IT share the same view of
the systems including their criticality, usage
and reporting.
COBIT IT Assurance Guide
• Using the guide and with the understanding of
your client environment you can now tailor
make audit questions for your audit controls.
• The following is the standard questions that
Botswana uses for our clients
IT Strategy Alignment Questions
Extracted from The IT Audit Manual Botswana
• Is there a strategic IT plan for the organization
based on business needs?
• Is there a steering committee with welldefined roles and responsibilities?
• Does the IT department have clear-cut and
well defined goals and targets?
• Is there a system of reporting to top
management and review in vogue?
IT Strategy Alignment Questions
• Does management provide appropriate
direction on end user computing?
• Are there procedures to update strategic IT
Type of IT Audits
IT Performance Audits
• Focuses on ensuring that IT systems are
procured and implemented effectively,
efficiently and economically. These audits
were carried out in the years 2008 to 2010.
Three projects have been successfully
complemented namely;
Type of IT Audits
Financial IT Audits
• Carried out to ascertain that there are
sufficient controls within the systems and
applications so that financial auditors can
place reliance on information processed
through the applications.
Review of the Department of Tertiary
Education project
• General Objectives
• To assess whether Student Loans Management
System assists the DSPW to achieve its mandate.
• Specific Objectives
• To assess if the system assists the users in
performing their tasks effectively.
• To assess whether the project scope included all
aspects of the department, including
identification of stakeholders and key players.
Review of the Department of Tertiary
Education project
• Specific Objectives continued
• To assess how data integrity is maintained and
indentify business continuity measures in
• To identify how the system’s performance is
managed and measured.
• To assess whether was training carried out to
assist users to use the system efficiently.
COBIT areas selected and mapped to
the audit questions
Audit Question
Is the system assisting the PO1.1 IT Value
department perform its
activities more effectively? PO1.2 Business-IT
PO1.3 Assessment of
Current Capability and
PO10 Manage Projects
COBIT areas selected and mapped to
the audit questions
Audit Question
Was the project scope
comprehensive enough
with regards to
AI1 Identify Automated
AI1.1 Definition and
Maintenance of Business
Functional and Technical
AI2 Acquire and Maintain
Application Software
COBIT areas selected and mapped to
the audit questions
Audit Questions
How is data integrity and
disaster recovery
DS5 Ensure Systems
DS11 Manage Data
DS11.5 Backup and
Analysis of recommendation, Value
• Management was advised that reports produced
by system should be appropriate and relevant to
strategic decision making process. The
recommendation emphasised that the use of the
system should not only be focusing on processing
loans but management should be in a position to
gather enough information from the system to
make strategic decisions. COBIT P0.1.1 IT value
management and IT business alignment
emphasise on the need for IT resources to be
aligned to business strategies.
Analysis of recommendation, Value
• Management was further advised to conform
to Government IT Projects Guidelines and
requirements. The government of Botswana
has established IT project guidelines which
guides IT officers on how to manage a project
requirements, project initiation report, project
memorandum and project end reports. The IT
Projects guidelines are aligned to COBIT.
Analysis of recommendation, Value
• The use of and understanding of COBIT has
significantly improved our audit methodology.
Recommendation provided to clients are
based on best standard and therefore if
implemented will greatly improve on IT
processes. Benchmarking on a recognized
framework also gives assurance to the client
that the criterion being used is fair.
Analysis of recommendation, Value
• What
recommendation to the client is having an
understanding of the environment in which
they work within and its limitations. This can
be achieved through discussion of finding with
the clients, identification of mitigating controls
and finding a cost effective recommendation.
• COBIT 5 which was release early in 2012 aim is to
align COBIT to other frameworks such as Val IT,
ITIL, ISO270002 and Prince 2.
• COBIT 5 clearly defines governance and
management and separates the duties of two
• COBIT 5 introduces 5 principles and 7 enablers
• The concept of goal cascade from stakeholder
needs to operation duties is emphasized.
(Considering IT related interests of internal and
external shareholders)
• The control objectives are no longer explicitly
• The framework processes have increased from
34 to 37. The new processes included are
APO 04Manage Innovation
APO 10Manage Supplies
BAI 06Manage Knowledge
COBIT 5 products;
COBIT 5 the framework
COBIT 5 Enablers
COBIT 5 enabling processes
COBIT 5 enabling information
COBIT 5 Professionals
COBIT 5 Implementation
COBIT 5 Professional Continued
COBIT 5 for Information Security-Available
COBIT 5 For Assurance (In development)
COBIT 5 for Risk (In development)

similar documents