Fraud in IT
CHAPTER FOURTEEN Support Tools and Frameworks
This chapter introduces the reader to the need for support tools and frameworks such as Control Objectives for Information and related Technology (COBIT®): Management Guidelines, a framework for Information Technology/Information Systems (IT/IS) managers, and COBIT's use by audit in support of the business support cycle. International standards and good practices such as ISO 17799, IT Infrastructure Library® (ITIL®), privacy standards, Committee of Sponsoring Organizations (COSO), Criteria of Control (CoCo), Cadbury, King, and Sarbanes-Oxley also play a vital role in ensuring appropriate governance.
GENERAL FRAMEWORKS
COBIT is one of the most widely accepted models of IT governance and control utilized to manage risks and implement controls within an IT environment in order to achieve business objectives.
COBIT was introduced to meld existing IT standards and best practices into one comprehensive structure designed to achieve internationally accepted governance standards. Working from the strategic requirements of the organization, COBIT encompasses the full range of IT activities, focusing on the achievement of control objectives rather than the implementation of specific controls. As such, it integrates and aligns IT practices with organizational governance and strategic requirements. It is not the only set of standards in common use, but it integrates with other standards to achieve defined levels of control.
What may be classed as best practice for an organization must be appropriate to that organization based upon its needs and capabilities. Standards themselves do not achieve best practice but require careful selection, interpretation, and implementation in order to achieve an adequacy of control. At its highest level, COBIT presents a framework for overall control based upon a model of IT processes intended as a generic model upon which specific controls can be overlaid in order to achieve a unique system of internal controls specifically tailored to the business needs of the organization.
COBIT is designed to be utilized at different levels of management. Executive management can utilize it to ensure value is obtained from the significant investment in IT and to ensure that risk and control investment is appropriately balanced. From an operational management perspective, COBIT facilitates the gaining of assurance that the management and control of IT services, whether insourced or outsourced, is appropriate. IT management can use it as an operational tool to ensure the business strategy is supported in a controlled and appropriately managed manner in providing IT services. IT auditors can utilize COBIT to evaluate the adequacy of controls, design appropriate tests to determine the effectiveness of controls, and provide management with appropriate advice on the system of internal controls.
COBIT is based upon research into best practice within a variety of IT environments and is subject to continuous research and maintenance due to the dynamic nature of information technology. It is geared toward all aspects of IT governance, unlike some other standards that are specific to, for example, security alone. Because of its close alignment with internationally accepted principles of good corporate governance, it is intrinsically acceptable to multiple layers of management as well as regulators.
COBIT utilizes a framework of domains and processes in order to create a logical structure of IT activities in a manner that can be easily subject to managerial controls. The process model divides IT into 34 processes covering:
· Planning and organizing. This domain covers all of the processes undertaken by management in order to ensure that the IT function is properly planned and controlled to provide assurance that corporate IT objectives will be achieved. Detailed processes include:
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
· Acquire and implement. This domain covers the processes involved in identifying solutions through to installation and accreditation of solutions and changes. Detailed processes include:
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
· Deliver and support. This domain includes all of the processes required to deliver the appropriate service levels, manage information and operations, and ensure appropriate performance. Detailed processes include:
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
· Monitor and evaluate. This domain includes the processes required to monitor overall IT performance and ensure effective IT governance. Detailed processes include:
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
Each of these is further subdivided into a variety of individual control objectives which, in turn, identify the control requirements, principal control structures, and measurement criteria. The measurement criteria are, perhaps, the most critical part of COBIT in terms of achieving corporate governance. Within each process, detailed control objectives are specified as a minimum level of managerial control. Roles and responsibilities for achieving these control objectives are spelled out and a maturity model for each process is given with measurement metrics under the headings:
· Nonexistent
· Initial/ad hoc
· Repeatable but intuitive
· Defined process
· Managed and measurable
· Optimized
These metrics facilitate management’s and the auditors’ judgment as to the degree of compliance achieved in each of the processes.
COBIT is based upon the understanding that the design and implementation of automated application controls are the responsibility of IT, based upon the business needs as specified by the business-process owner. General IT controls are the direct responsibility of the IT function and are therefore also covered within COBIT.
Further Information
Further information is available from the IT Governance Institute (www.itgi.org). Details of direct interest to the IT auditor include the COBIT:
· Framework
· Control objectives
· Control practices
· IT assurance guide
· IT control objectives for Sarbanes-Oxley
· IT governance implementation guide
CobiT 5®, which was released in the third quarter of 2011, is a major revision, designed to meet the current and future needs of stakeholders and align with the latest thinking in enterprise governance and IT management techniques. It effectively merges with the existing Information Systems Audit and Control Association (ISACA) standards to provide an integrated Governance Framework. In addition, it facilitates the connectivity to the Information Technology Infrastructure Library (ITIL) and International Standards Organization (ISO) frameworks.
COSO: INTERNAL CONTROL STANDARDS
As noted in Chapter 4, internal control was defined by COSO as a broadly defined process, affected by people, designed to provide reasonable assurance regarding the achievement of the three objectives that all businesses strive for, namely:
1. Economy and efficiency of operations, including achievement of performance goals and safeguarding of assets against loss
2. Reliable financial and operational data and reports
3. Compliance with laws and regulations
In order to achieve these objectives, COSO defined five components that assist management in achieving them, namely:
1. A sound control environment
2. A sound risk-assessment process
3. Sound operational-control activities
4. Sound information and communications systems
5. Effective monitoring
An internal control system would be judged to be effective if all five components were present and functioning effectively for operations, financial reporting, and compliance.
COBIT originally adapted its definition of control from COSO in that the policies, procedures, practices, and organizational structures are designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. COBIT emphasizes the role and impact of IT control as they relate to business processes, whereas COSO defined internal control, described its components, and provided criteria against which control systems could be evaluated.
The major goals of COSO were to establish a common definition of internal control in order to serve a variety of different parties and, at the same time, provide a standard against which organizations could assess their internal control systems and identify areas for improvement.
COSO emphasized that the internal control system is a tool of management, not a substitute for it, and that controls should be integral to operating activities rather than added on. Unlike COBIT, COSO defined internal control as a process in its own right and recommended that the effectiveness of internal control be evaluated periodically.
COSO also attempted to address the limitations of an internal control system including faulty human judgment, misunderstanding of instructions, management override, collusion, errors, and cost-benefit considerations, all of which can serve to undermine the effectiveness of the overall system of internal control.
COSO also stated that there should be separate and independent evaluations conducted of the system of internal control with the frequency and scope of such reviews dependent upon the assessment of risks and the effectiveness of management’s monitoring procedures.
OTHER STANDARDS
Security: BS 7799 and ISO 17799/27001/27002
As noted in Chapter 4, British Standard (BS) 7799 and ISO 17799 were both developed to assist companies by ensuring security and control within electronic trading systems. The 10 areas depicted within the standards facilitate the introduction of key controls as mandatory features and additional controls in higher-risk organizations.
The ISO 27001™ standard was published in October 2005, essentially replacing the old BS7799-2™ standard, and is the specification for an Information Security Management System (ISMS). It is intended as a certification standard, compliance with which can benefit an organization by providing proof of IT security management.
The process is predicated on an organization making the decision to embark on the exercise. This requires management commitment and the assignment of responsibilities for the certification project itself. Once commitment is made, an organizational top-level policy is normally developed and published, usually supported by subordinate policies.
This is followed by the scoping of the project in order to define which part(s) of the organization will be covered by the ISMS including the location, assets, and technology to be included.
At this stage a risk assessment is undertaken to determine the organization’s IT risk exposure/profile, and identify the best potential routes to address this. The document produced will form the basis for the next stage, which is the management of those risks through the implementation of appropriate controls.
A part of this process will be the selection of appropriate controls with respect to those outlined in the standard (and ISO 27002™), with the justification for each decision recorded in a Statement of Applicability (SOA). The controls themselves should then be implemented as appropriate.
ISO 27002 itself is a code of practice for information security. In essence, it outlines hundreds of potential controls and control mechanisms which may theoretically be implemented, subject to the guidance provided within ISO 27001.
The standard is intended to establish both guidelines and general principles for initiating, implementing, maintaining, and improving information security management within an organization. The intention is that, following a formal risk assessment, actual controls may be selected from among those listed in the standard in order to address the specific requirements identified as a result of the risk analysis.
Overall the standard addresses the component areas of:
· Structure
· Risk Assessment and Treatment
· Security Policy
· Organization of Information Security
· Asset Management
· Human Resources Security
· Physical Security
· Communications and Operations Management
· Access Control
· Information Systems Acquisition, Development, Maintenance
· Information Security Incident Management
· Business Continuity
· Compliance
Once the risk architecture is identified, and the appropriate controls selected and implemented, the certification process itself can then be embarked upon via a suitable accredited independent third party.
Service Management: ITIL
ITIL® (www.itil.org) is intended to define best practice in IT Service Management. It was developed by the Office of Government Commerce (OGC) and is supported by publications, qualifications, and an international user group. It takes a top-down, business-driven approach to the management of IT, intended to address the need to deliver a high-quality IT service in order to deliver strategic business value. IT Service Management focuses on the people, process, and technology issues that IT organizations face. ITIL itself attempts to assist organizations in developing a framework for IT Service Management by providing a cohesive set of best practices drawn from both the public and private sectors. It offers a comprehensive qualifications scheme and accredited training organizations as well as specifically developed implementation and assessment tools.
Project Management: PRINCE
Projects in Controlled Environments (PRINCE®) is a widely used project-management method that navigates the user through all the essential elements for implementation of a successful project.
It was first developed in 1989 by the Central Computer and Telecommunications Agency (CCTA) as a U.K. government standard for IT project management. Since its introduction, PRINCE has become widely used in both the public and private sectors and is a recognized standard for project management both within IT and for non-IT projects. It is designed to incorporate the requirements of existing users and to enhance the method toward a generic, best-practice approach for the management of a variety of projects.
Criteria of Control: CoCo
CoCo, sponsored by the Canadian Institute of Chartered Accountants, is intended to translate COSO into practical, implementable activities and defines three major control objectives:
1. Effectiveness and efficiency of operations
2. Reliability of internal and external reporting
3. Compliance with applicable laws and regulations and internal policies
Within the CoCo framework, control is defined as encompassing:
· Purpose, which defines criteria that promote an understanding of the organization’s direction. They use techniques such as vision and strategy, risks and opportunities, planning, policy development, and use of performance targets and indicators.
· Commitment, which defines criteria that promote a belief in the organization’s identity and values. They impact ethical values, including integrity; human resource policies; responsibility and accountability; authority; and mutual trust.
· Capability, which defines criteria that address an organization’s competence. They involve knowledge and competencies, skills and tools, information, use of appropriate communication processes, coordination, and control activities.
· Monitoring and Learning, which defines criteria that will facilitate the organization’s evolution. They involve monitoring internal and external environments, monitoring performance, challenging assumptions, reassessing information needs and information systems, execution of follow-up procedures, and assessing the overall effectiveness of control.
CoCo promotes the treatment of risk through:
· Avoidance of risk
· Reducing the likelihood of risk occurring
· Reducing the impact should a risk occur
· Transferring the risk to a third party
· Accepting or retaining the risk
This is seen to be effected using controls of the five basic types, namely: directive, preventative, detective, corrective, and recovery controls.
GOVERNANCE FRAMEWORKS
Three standards have become widely recognized as IT governance frameworks. While each has significant IT governance strengths, none may be looked on as a complete IT governance solution.
ITIL
ITIL, as mentioned previously, was developed by the United Kingdom’s Office of Government Commerce. Although it is directed specifically toward service management, a part of that is, itself, directed toward the governance of service delivery.
CobiT
CobiT®, as mentioned previously in greater detail, is a generic IT governance framework.
CobiT regards IT governance as a balance between two primary areas:
1. Creation of corporate value
2. Minimizing IT risks
With overall objectives of:
· Ensuring strategic orientation, focusing on corporate solutions.
· Creation of benefits, focusing on optimizing the tasks and assessing the benefit of the IT.
· Implementation of risk management relating to the protection of the IT assets and taking account of disaster recovery and continuation of the corporate processes in the event of a crisis.
· Effective resource management in order to ensure the optimization of knowledge and infrastructure.
· Adequacy of performance measurement and the creation of the bases for continual improvement.
The CobiT approach to control is essentially top-down: corporate objectives form the basis for defining the IT objectives, which in turn define the IT architecture. This is intended to ensure that IT processes are appropriately defined and operated, and that information is processed, IT resources managed, and services delivered in a well-governed manner.
ISO/IEC 38500
ISO/IEC (International Organization for Standardization/International Electrotechnical Commission) 38500 was developed by the joint technical committee ISO/IEC JTC1, information technology, subcommittee SC 7, software and systems engineering. Designed as a worldwide formal international IT Governance Standard, ISO/IEC 38500 was published in June 2008 and sets out a clear framework for the Board's governance of information and communications.
The framework sets out six principles for good corporate governance of IT under the headings of:
1. Responsibility
2. Strategy
3. Acquisition
4. Performance
5. Conformance
6. Human behavior
As with all such frameworks, the difficulty comes in the implementation.
The CALDER-MOIR IT Governance Framework¹ is designed to facilitate the obtaining of maximum benefit from all these overlapping and competing frameworks and standards, and also to deploy best-practice guidance. The framework itself is divided into six segments:
1. Business Strategy
2. Risk, Conformance, and Compliance
3. IT Strategy
4. Change
5. Information and Technology Balance Sheet
6. Operations
Each segment is then divided into three layers representing:
1. The board
2. Executive management
3. IT and IT-governance practitioners
Starting with the overall business strategy, each segment is then executed in clockwise order. In the first three segments the board establishes directions and business strategies. Depending on the nature of the organization, these need to be compliant with the overall corporate governance regimes and assessed for risk. In the last three segments, architectures and plans are then developed to meet business strategies through use of the appropriate IT. After these plans are approved by the board, they are implemented via a series of change projects.
The main tasks for directors in IT governance as set out in ISO/IEC 38500 (evaluate, direct, and monitor) are contained within the Calder-Moir framework. The board evaluates business conditions and strategies, directs using IT principles, and monitors all processes in the framework. Executive managers also evaluate, direct, and monitor processes carried out by IT practitioners.
NOTE
¹ Calder and S. Moir. IT Governance. IT Governance Publishing, 2009.