As stated in Chapter 2, "Management, Planning, and Organization of IS," the COBIT resources provide a framework that organizations, IT management, and IS auditors can use to apply best practices in pursuit of business objectives. IS auditors should review the IT organization to ensure that formal risk management, project management, and change management are applied to the implementation of IT infrastructure. The COBIT framework provides 11 processes in the management and deployment of IT systems:
Risks and Controls Related to IS Operational Practices

An IT organization should develop and maintain strategic planning processes (both long and short term) that enable the organization to meet its goals and objectives. The IT organization's policies, procedures, standards, and guidelines should reflect the strategic plan in detail. The IT organization should have a clearly defined structure that outlines authority and responsibility, documented in an organizational chart. Network devices, applications, and data should be properly maintained, and incompatible duties should be segregated. Keep in mind that full segregation (between computer operators and security administrators, for example) might not be possible in smaller environments; in that case, compensating controls such as audit trails, independently reviewed, might be acceptable to mitigate the risk of inadequate segregation of duties. The auditor should review information pertaining to the organizational structure to confirm that segregation of duties is adequate.
Proper segregation of duties prevents a computer operator (user) from also performing security administration duties. The IS auditor should review policies and procedures to verify that they support the achievement of organizational objectives. In addition, the IS auditor should review the risk-management process to ensure that the organization is taking steps to reduce risk to an acceptable level (mitigation) and is maintaining that level of risk over time. The organization's business plan should establish an understanding of the organization's mission and objectives, and these should be incorporated into the IT strategic plan. Organizational charts should establish the responsibility and authority of individuals, and job descriptions should define each employee's responsibilities and accountability for his or her actions. Policies and procedures should carry the strategic objectives through into day-to-day operational activities.