Change Management and COBIT®. Estonia & Finland Chapters Presentation Friday, November 5th 2004 Charles Mansour CISA Good day! ©Charles Mansour
Background Change –getting from State A to State A’ We’ve seen what Change Management is Now we’ll Look at a Tool –which is freely available to all ISACA members –can help to control, secure and audit Change Management Systems –can be used for Corporate Governance
Objectives To Introduce COBIT® As an Audit and Governance Tool To look specifically at what COBIT® has to say about Governance and focus on an Audit of Change Management Compare and contrast Audit Guidelines with COBIT Online V3.1
Audience Audit? Change Managers? Security? Other?
Signpost Should last about 90 minutes Handouts Questions
Introduction to COBIT®. What it is Why is it there How to use How to get hold of it IT GOVERNANCE A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. COBIT®. V3
COBIT®. Key Points. The COBIT Framework. The Framework starts from a simple and pragmatic premise: Maturity Models for control over IT processes Critical Success Factors Key Performance Indicators Key Goal Indicators
Maturity Model. 0 Non Existent 1 Initial / Ad Hoc 2 Repeatable but Intuitive 3 Defined Process 4 Managed and Measurable 5 Optimised
Critical Success Factors, KGIs and KPIs Critical Success Factors define the most important management-oriented implementation guidelines to achieve control over and within its IT processes. Key Goal Indicators define measures that tell management—after the fact—whether an IT process has achieved its business requirements. Key Performance Indicators are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached.
COBIT®’s Four Domains PO: Planning and Organisation AI: Acquisition and Implementation DS: Delivery and Support –Subject of Change is referenced in all the above sections M: Monitoring
Scope of Change Management Process Everything Because everything can change! (and probably will!) Biggest Changes - Strategic Direction - Business –software application and system –hardware –vendors –sourcing –ways of doing things –Process and procedure updates –And DATA
Why do We Need to Manage Change? Cost Quality Continuity Avoid re-work Insurance Control over third parties / partners
Change Management - Where New Systems –Systems Development Life Cycles are big Change Management Processes –not part of this presentation Enhancements to Existing Systems –Main system costs are in this area (80% of system cost is after implementation) Acquisition of Hardware
Responsibilities Business (for any business applications or processes) –End to End Process Ownership (E2EPO) –data and systems ownership IT Security Audit / Risk /Compliance
Audit Flow Terms of Reference Engagement Memo Audit Planning Memorandum –Scope –Control Objectives Audit Programme –Who to see –What to get Test Programme –Compliance –Substantive
Change Management - COBIT® What does COBIT® say –It’s mainly in Domain AI (Acquisition and Implementation) Section 6: Manage Changes, –High Level Sections cover The Business Process The Business Requirements (High Level Control Objectives) How control is achieved Control considerations
Contd. What does COBIT® say? –At the detailed Audit Level Detailed Control Objectives How to obtain an understanding of the process How to evaluate controls
Practical Auditing Using COBIT® Audit Engagement –High Level Control Objective / Business Need –High Level Process definition
Practical Auditing Using COBIT® Audit Planning Memorandum –Considerations (Audit Scope)
Practical Auditing Using COBIT® Audit Planning Memorandum –Detailed Control Objectives
Practical Auditing Using COBIT® Determination - Control Evaluation
Practical Auditing Using COBIT® Compliance Test Plan
Practical Auditing Using COBIT® Substantive Test Plan
COBIT® On Line Free ‘Browse’ capability for ISACA members Version 3.1 now available Includes Control Practices Includes ‘Quickstart’ information Compare and Contrast with the Audit Guidelines
Control Objective Factors Effectiveness: the degree to which the control objective responds to the underlying value delivery and risk mitigation requirements, irrespective of efficiency, cost, etc. Expedience: the time taken, on average, to implement the control objective. Legend: Very High, High, Medium, Low, Very Low, Not Applicable
Control Objective Factors - Cont’d Sustainability: the degree to which the control can continue to operate without maintenance due to changes in the environment. Contribution: the total contribution of the control objective to improving risk mitigation and value delivery; it is the combination of effectiveness, expedience and sustainability. Effort: an indication of cost and people time required to implement and maintain the control objective.
What’s Changed? Globalisation –Systems need to be available 365/24 –Timing of change is critical ISACA IT Control Practice Statements –Why do it? –Control Practices for each control consideration area
Maturity Modelling – The Journey Where we are now Industry Standard Where we want to be
Hints & Tips Be selective – you won’t use 100% of the material in COBIT in your audit Mould your approach to the size of the business Use ‘Quickstart’ pointers in COBIT Online Use Control Practice Statements
What’s Changed? E-Business –Many Components –Many outside systems or staff –Increasing use of outsourcing –difficult to implement one change management process –focus on synchronising change –bottlenecks
Reprise We’ve looked at: –the role of COBIT® –COBIT® and Corporate Governance –structure of the Audit Guidelines –how you can use COBIT® in the course of a Change Management Audit –What’s changed in Change Management
Conclusion Change Management is getting more complex Auditing Change Management is more challenging Few organisations have single sources of change Basic principles still apply COBIT® provides a sound basis for –IT Governance and Control of Change –Audit of Change Management Processes Challenge is to sell COBIT® as a Governance tool to our organisation’s IT Executive
Public Downloads (from – Governance – COBIT Online – Access COBIT Online – Browsing – PDF Downloads)
Document | Last modified on
Board Briefing on IT Governance.pdf | 2 Oct 2003
COBIT_Control_Objectives.pdf | 1 Oct 2003
COBIT_Executive_Summary.pdf | 1 Oct 2003
COBIT_Framework.pdf | 1 Oct 2003
COBIT_Implementation_Toolset.pdf | 1 Oct 2003
COBIT_Management_Guidelines.pdf | 1 Oct 2003
Member Downloads
Document | Last modified on
COBIT_Audit_Guidelines.pdf | 1 Oct 2003
Useful Websites ISACA Website (for free download of COBIT® and free browsing of COBIT Online) – Survival Guide Website – –detailedchangeproc.htm#TopLevelContents Change Management Resource Library – Audit net Change Management Programme –
Questions????