The following case study is an example in which COBIT was used to assist in the development of a set of IT policies. COBIT was used effectively to identify the key control elements for Solo Cup Co.’s initial set of draft IT policies. COBIT was selected because the organization recognized it as the standard and framework for IT controls. In addition, the control objectives presented by COBIT link very well with Solo’s existing IT processes. The principal advantage of using COBIT was its flexibility: its detailed control objective statements provided sufficient coverage and ensured that no critical areas were neglected.
Use of COBIT
Developing an IT policy framework from scratch can be a very daunting challenge for even the most experienced audit professionals. It is not uncommon to find even larger companies lacking an IT framework and policies. Solo inherited a broader set of policies from IT and then utilized COBIT to develop the secondary nodes of its draft IT policy framework (figure 1).
At Solo, the policy framework was defined to cover the following major IT general computer control areas:
- Ensure systems security.
- Manage the configuration.
- Manage data.
- Manage operations.
- Install and accredit solutions and changes.
- Manage problems and incidents.
- Manage third parties.
- End-user computing.
The major general computer control areas were used to develop the IT policy framework shown in figure 1 and represent, to a large extent, the top node.
The top node of figure 1 represents the policy areas that were inherited from IT. The COBIT guidelines were used to further refine the subcontrol areas below the top node. The COBIT control objectives were added to Solo’s risk control matrix and were prefixed with the question “What ensures that…?”
Once the basic framework was established, a set of draft IT policies was developed by asking the question “What are we supposed to do?” This question enabled IT and the audit teams to develop the major policy topics and appropriate policy language to ensure control objective compliance. Then, the procedures within the policies were developed by asking the question “How are we supposed to do it?” This question facilitated the development of the specific procedures within the policies and ensured that the appropriate and correct actions were linked back to the original control objectives.
The first versions of the policies were checked for adequacy by comparing the policy content and the risk control framework with the appropriate COBIT control areas. Subsequent refinements of the policies were developed in cooperation with IT by prefixing the COBIT control objectives in the risk control matrix with “What ensures that…?” This question, combined with a comparison against the COBIT control objectives, identified content gaps and confirmed whether existing controls covered the elements of the COBIT controls. After gaps were identified, the policies were edited to close them. After several iterations between internal audit and IT management, the IT policies were completed and made available to the entire company.
Example—Developing the User Access Management Policy
Access control was identified as a critical element in the top node of Solo’s IT policy framework (figure 1). Using COBIT, it was determined that user access management should be a subelement of access control. The User Account Management control objective (figure 2) makes reference to the life cycle of user accounts with respect to hires, changes and terminations. Using Solo’s existing access control policy and the COBIT control objective in the risk control matrix (figure 3), a general outline and resulting first draft of the user access management policy were developed.
Prefixing the control objective in the risk control matrix with “What ensures that…?” enabled the IT and audit teams to further develop the first draft of the user access management policy by checking each part of the COBIT control objective, which resulted in a subsequent refinement of the first draft.
The user access management policy draft then underwent successive refinements by asking the question “What are we supposed to do?” This question enabled the team to determine that there should be a topic devoted to separations of employees from the company and that a secure notification process, an execution process and an audit trail of the separation should be developed and outlined in the policy (figure 4).
The associated procedures were then further developed by asking, “How are we supposed to do it?” The specific procedures for notification of separation, execution of separation and recording of the separation event were developed and refined to complete the final draft of the policy.
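As an added illustration that is not part of the article or of Solo’s policy, the following Python sketch models the three separation elements described above (a secure notification of separation, execution of the separation, and an audit trail of the event) and adds the reconciliation check an auditor would run to find content or execution gaps: any employee on the separation list whose account is still active or still holds group memberships. The class and function names, the HMAC-based notification check, and the sample accounts are all hypothetical constructs for this example.

```python
"""Hypothetical model of a user separation procedure: authenticated notification,
execution of access removal, audit trail, and a reconciliation gap check.
Not the article's or Solo Cup Co.'s code; all names and data are constructed."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac


@dataclass
class Account:
    user_id: str
    active: bool = True
    groups: set = field(default_factory=set)


@dataclass
class AuditEvent:
    when: str
    actor: str
    action: str
    user_id: str
    detail: str


def sign_notification(key: bytes, user_id: str, effective_date: str) -> str:
    """HR side of the secure notification: MAC over 'user_id|effective_date'
    with a key shared between HR and IT (hypothetical arrangement)."""
    msg = f"{user_id}|{effective_date}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AccessManager:
    """Holds accounts and an append-only audit trail for the separation process."""

    def __init__(self, accounts, notification_key: bytes):
        self.accounts = {a.user_id: a for a in accounts}
        self.audit: list[AuditEvent] = []
        self._key = notification_key

    def _record(self, actor: str, action: str, user_id: str, detail: str) -> None:
        # Every outcome (executed, rejected, no-op) is written to the trail.
        self.audit.append(
            AuditEvent(datetime.now(timezone.utc).isoformat(), actor, action, user_id, detail)
        )

    def verify_notification(self, user_id: str, effective_date: str, mac_hex: str) -> bool:
        """IT side: only act on a notification whose MAC verifies."""
        expected = sign_notification(self._key, user_id, effective_date)
        return hmac.compare_digest(expected, mac_hex)

    def separate(self, user_id: str, effective_date: str, mac_hex: str, actor: str = "it-admin") -> bool:
        """Execute the separation: disable the account and strip group memberships."""
        if not self.verify_notification(user_id, effective_date, mac_hex):
            self._record(actor, "separation_rejected", user_id, "notification failed authentication")
            return False
        acct = self.accounts.get(user_id)
        if acct is None:
            self._record(actor, "separation_noop", user_id, "no account found")
            return False
        removed = sorted(acct.groups)
        acct.groups.clear()
        acct.active = False
        self._record(actor, "separation_executed", user_id, f"disabled; removed groups {removed}")
        return True


def reconcile(manager: AccessManager, separated_user_ids) -> list:
    """Audit gap check: separated employees whose access was never fully removed."""
    return [
        uid for uid in separated_user_ids
        if (acct := manager.accounts.get(uid)) is not None and (acct.active or acct.groups)
    ]


def run_demo() -> list:
    """Constructed scenario: one valid separation, one forged notification."""
    key = b"hypothetical-shared-secret"
    mgr = AccessManager(
        [Account("jdoe", groups={"finance"}), Account("asmith", groups={"ops"})], key
    )
    mgr.separate("jdoe", "2024-01-31", sign_notification(key, "jdoe", "2024-01-31"))
    mgr.separate("asmith", "2024-01-31", "not-a-valid-mac")  # rejected, access remains
    for ev in mgr.audit:
        print(ev.when, ev.actor, ev.action, ev.user_id, ev.detail)
    return reconcile(mgr, ["jdoe", "asmith"])


if __name__ == "__main__":
    print("gaps:", run_demo())
```

The reconciliation step is the part that maps to the article’s gap identification: the HR separation list plays the role of the control objective, the account state plays the role of the policy content, and any mismatch is a gap to be closed and recorded.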
The COBIT control objective was used to develop successive refinements to the user access management policy. To identify content gaps, a “What ensures that…?” column was placed before the control objective within Solo’s framework (figure 3). After gaps were identified, the policy was edited to close them.
COBIT offers a proven and effective set of guidelines for ensuring that IT policies present sufficient coverage of common control objectives and for identifying control gaps. The control elements within COBIT contained the appropriate content, depth and breadth to ensure that the major IT policy control areas met the control objectives as described by COBIT. The COBIT framework streamlined the process of developing a comprehensive set of IT policies. In the absence of COBIT, this effort might not have been as comprehensive and could have required an inordinate amount of time.
Michael Ryan, CIA, CPA
has 18 years combined internal and external auditing experience for a variety of organizations including Solo Cup Co., Career Education Corp., United Airlines and PricewaterhouseCoopers LLP. His experience includes building new audit departments and improving the efficiency and effectiveness of existing departments. His primary responsibility over the past seven years has been to build and execute the US Sarbanes-Oxley Act 404 compliance strategies, focus and coverage for two multibillion-dollar companies with brand-new audit functions. Ryan is the director of internal audit for Solo Cup Co. and a past officer of the Northwest Metro Chicago Chapter of The Institute of Internal Auditors (IIA).
Kumar Setty, CISA
has more than 10 years of experience in the areas of data analysis, systems administration, auditing and computer security. Setty worked as a consultant for many small to large companies performing US Sarbanes-Oxley Act compliance, auditing, fraud detection and prevention, and computer security reviews for a variety of industries and organizations. He is the IT audit manager for Solo Cup Co.