Page 171 - DCOM509_ADVANCED_AUDITING

Advanced Auditing




                                         Business objectives
                                         IT portfolio services or deliverables from the IT process
                                         Current situation analysis
                                         Strategy and action items required to move from the current situation to the desired situation.
                                     At this point, PricewaterhouseCoopers (PwC) added its capabilities to the implementation
                                     process. Together with PwC, SAB modelled COBIT IT processes using the ARIS (Architecture
                                     of Integrated Information Systems) business process modelling tool set. Additional best
                                     practice information was obtained from the IT Infrastructure Library (ITIL) and the BS7799
                                     standard. Content from BS7799 was captured into ARIS and linked to COBIT processes.
                                     The models were designed to answer the six interrogatives of what, how, where, when,
                                     who and why from different perspectives.
                                     The SAB Ltd. team used portions of the COBIT 3rd Edition draft version to develop an IT
                                     customer satisfaction survey. The survey applied balanced scorecard concepts developed
                                     by Robert S. Kaplan and David P. Norton, and was sent to the SAB Ltd. board of directors,
                                     general managers, heads of departments and regional executives. Several factors
                                     contributed to the positive feedback and high response level of this survey, including the
                                     web-based approach to collect the survey responses, the questionnaire design and the
                                     statistical processing of the survey results.
                                     Next, SAB Ltd. deployed an intranet COBIT web site that included the draft Management
                                     Guidelines IT process maturity models and eventually the final 3rd edition release. The
                                     intranet site includes the ARIS process models of the COBIT IT processes and the ability to
                                     assess current and desired IT process capability maturity. It also provides easy access to
                                     the COBIT open standard content and has received positive reviews from the SAB Ltd. IT
                                     community.
                                     The SAB Ltd. IT departments use the COBIT intranet site to gain a detailed understanding
                                     of the COBIT processes and control objectives. This is especially useful when they are in
                                     the process of answering PwC’s Tr-ICS (Technology Related In-Control Services)
                                     questionnaires. Tr-ICS is a simplified and practical risk analysis methodology which
                                     borrows from SPRINT (Simplified Process for Risk Identification), a risk analysis
                                     methodology developed by the Information Security Forum (ISF). IT risk is assessed for
                                     each COBIT IT process, with specific questions derived from 302 high-level control
                                     objectives.
                                     SAB Ltd. extended the Tr-ICS tool to enable intranet-based scoring and management of the
                                     review, to support, for example, assigning the questionnaires, tracking the progress, and
                                     storing and processing the results. In essence, there is a Tr-ICS question for each COBIT
                                     control objective. Coupling Tr-ICS reviews with the easy intranet access to control
                                     objectives and the COBIT 3rd Edition content has resulted in an overall improvement in
                                     corporate-wide understanding and appreciation for IT governance.

                                     This implementation approach also is a good example of partnering opportunities between
                                     IS audit and the IT community. The IS audit team has implemented value-added components
                                     to the reviews, which resulted in a change of focus that allows a more rigorous interpretation
                                     of IT risk. As of the development of this case study, eight reviews were successfully
                                     performed and results were published by IS audit on the SAB Ltd. intranet.
                                     Mr. Macgregor was then selected as a core member of the team that developed the SAB plc
                                     global IT strategy. In addition to providing a framework for IT control, COBIT’s process
                                                                                                         Contd....



          166                               LOVELY PROFESSIONAL UNIVERSITY