Change Management and COBIT®. ISACA London Chapter Presentation Thursday, April 25th 2002 Charles Mansour CISA ©Charles Mansour

Background Change getting from State A to State A’ We’ve seen what Change Management is Now we’ll Look at a Tool which is freely available to all ISACA members can help to control, secure and audit Change Management Systems can be used for Corporate Governance ©Charles Mansour

Objectives To Introduce COBIT® As an Audit and GovernanceTool To look specifically at what COBIT® has to say about Governance and focus on an Audit of Change Management ©Charles Mansour

Audience Audit? Change Managers? Security? Other? ©Charles Mansour

Signpost Should last about 45 minutes Handouts Questions ©Charles Mansour

Introduction to COBIT®. What it is Why is it there How to use How to get hold of it IT GOVERNANCE A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise’s goals by adding value while balancing risk versus return over IT and its processes. COBIT®. V3 ©Charles Mansour

COBIT®. Key Points . The COBIT Framework. The Framework starts from a simple and pragmatic premise: Maturity Models for control over IT processes Critical Success Factors Key Performance Indicators Key Goal Indicators provides a tool for the business process owner that facilitates the discharge of this responsi-bility. The Framework starts from a simple and pragmatic premise: COBIT provides Maturity Models for control over IT processes, so that management can map where the organisation is today, where it stands in relation to the best-in- class in its industry and to international standards and where the organisation wants to be; Critical Success Factors, which define the most important management-ori-ented implementation guidelines to achieve control over and within its IT processes; Key Goal Indicators, which define measures that tell management—after the fact—whether an IT process has achieved its business requirements; and Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached. ©Charles Mansour

Maturity Model 0 Non Existent 1 Initial / Ad Hoc . 0 Non Existent 1 Initial / Ad Hoc 2 Repeatable but Intuitive 3 Defined Process 4 Managed and Measurable 5 Optimised provides a tool for the business process owner that facilitates the discharge of this responsi-bility. The Framework starts from a simple and pragmatic premise: COBIT provides Maturity Models for control over IT processes, so that management can map where the organisation is today, where it stands in relation to the best-in- class in its industry and to international standards and where the organisation wants to be; Critical Success Factors, which define the most important management-ori-ented implementation guidelines to achieve control over and within its IT processes; Key Goal Indicators, which define measures that tell management—after the fact—whether an IT process has achieved its business requirements; and Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached. ©Charles Mansour

Critical Success Factors KGIs, and KPIs Critical Success Factors, define the most important management-oriented implementation guidelines to achieve control over and within its IT processes; Key Goal Indicators, define measures that tell management—after the fact—whether an IT process has achieved its business requirements Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached. Key Performance Indicators, which are lead indicators that define measures of how well the IT process is performing in enabling the goal to be reached. ©Charles Mansour

COBIT®’s Four Domains PO: Planning and Organisation AI: Acquisition and Implementation DS: Delivery and Support Subject of Change is referenced in all the above sections M: Monitoring ©Charles Mansour

Scope of Change Management Process Everything Because everything can change! (and probably will!) Biggest Changes - Strategic Direction - Business software application and system hardware vendors sourcing ways of doing things Process and procedure updates And DATA ©Charles Mansour

Why do We Need to Manage Change? Cost Quality Continuity Avoid re-work Insurance Control over third parties / partners ©Charles Mansour

Change Management - Where New Systems Systems Development Life Cycles are big Change Management Processes not part of this presentation Enhancements to Existing Systems Main system costs are in this area (80% of system cost is after implementation) Acquisition of Hardware ©Charles Mansour

Responsibilities Business (for any business applications or processes) data and systems ownership IT Security Audit / Risk /Compliance ©Charles Mansour

Change Management - COBIT® What does COBIT® say It’s mainly in Domain AI (Acquisition and Implementation) Section 6: Manage Changes, High Level Sections cover The Business Process The Business Requirements (High Level Control Objectives) How control is achieved Control considerations

Contd. What does COBIT® say? At the detailed Audit Level Detailed Control Objectives How to obtain an understanding of the process How to evaluate controls

Contd. What does COBIT® say? At the detailed Audit Level How to assess compliance with controls

Contd. What does COBIT® say? At the detailed Audit Level How to assess compliance with controls How to substantiate the risk of control objectives not being met

Practical Auditing Using COBIT® Audit Engagement High Level Control Objective High Level Process definition ©Charles Mansour

Practical Auditing Using COBIT® Audit Planning Memorandum Considerations (Audit Scope)

Practical Auditing Using COBIT® Audit Planning Memorandum Detailed Control Objectives ©Charles Mansour

Practical Auditing Using COBIT® Determination ©Charles Mansour

Practical Auditing Using COBIT® Determination - Control Evaluation ©Charles Mansour

Practical Auditing Using COBIT® Compliance Test Plan

Practical Auditing Using COBIT® Substantive Test Plan

What’s Changed? E-Business Many Components Many outside systems or staff Increasing use of outsourcing difficult to implement one change management process focus on synchronising change bottlenecks ©Charles Mansour

What’s Changed? Globalisation ISACA IT Control Practice Statements Systems need to be available 365/24 Timing of change is critical ISACA IT Control Practice Statements Why do it? Control Practices for each control consderation area ©Charles Mansour

Reprise We’ve looked at; the role of COBIT® COBIT® and Corporate Governance structure of the Audit Guidelines how you can use COBIT® in the course of a Change Management Audit What’s changed in Change Management ©Charles Mansour

Conclusion Change Management is getting more complex Auditing Change Management is more challenging Few organisations have single sources of change Basic principles still apply COBIT® provides a sound basis for IT Governance and Control of Change Audit of Change Management Processes Challenge is to sell COBIT® as a Governance tool to our organisation’s IT Executive ©Charles Mansour

Useful Websites ISACA Website (for free download of COBIT®) http://www.isaca.org Survival Guide Website http://www.construx.com/survivalguide/ detailedchangeproc.htm#TopLevelContents Change Management Resource Library http://www.change-management.org/articles.htm Audit net Change Management Programme http://www.auditnet.org/docs/chngmgmt.txt ©Charles Mansour

Questions???? ©Charles Mansour

Thank you! ©Charles Mansour