AFM341 Lecture Notes - Lecture 12: Internal Control, Corporate Governance Of Information Technology, Service Management


Department: Accounting & Financial Management
Course Code: AFM341
Professor: Alec Cram
Lecture: 12

Class 12: IT Standards & Frameworks
Class Take-aways
A wide range of IT standards and frameworks are available to guide managers and auditors, ranging from broad guidance on IT governance to specific information on security control configurations.
Four kinds of Service Organization Control reports exist: SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity. Each is used in specific circumstances and for particular purposes.
Primary Objective of an AIS
To control the organization so that it can achieve its objectives.
Management is expected to:
Take a proactive approach to eliminating system threats.
Detect, correct, and recover from threats when they occur.
Internal Controls
Processes implemented to provide assurance that the following objectives are achieved:
Safeguard assets
Maintain sufficient records
Provide accurate and reliable information
Prepare financial reports according to established criteria
Promote and improve operational efficiency
Encourage adherence with management policies
Comply with laws and regulations
Functions of Internal Controls
Preventive controls
Deter problems from occurring
Detective controls
Discover problems that are not prevented
Corrective controls
Identify and correct problems that have occurred, and recover from their effects
IT Standards and Frameworks
An IT Standard (typically) refers to a set of principles or requirements that an individual or a company is expected to adhere to (e.g. to comply with a government policy).
An IT Framework (typically) refers to a broad-based reference model, which provides conceptual guidance and detailed options, for consideration by company management or advisors, related to IT processes and procedures.
Frameworks and Standards Used in IT
A variety of frameworks and standards can aid in the design, implementation, and evaluation of IT controls, including:
IT governance and audit: COBIT, ISO 38500, Federal Information System Controls Audit Manual (FISCAM)
Service management: IT Infrastructure Library (ITIL), ISO 20000
Project management: The Project Management Body of Knowledge (PMBOK), Projects in Controlled Environments (PRINCE2)
Security: ISO 27000 family (27001-27004; 27005-27008), Payment Card Industry Data Security Standard (PCI DSS), Systems Security Engineering Capability Maturity Model (SSE-CMM), National Institute of Standards and Technology (NIST SP 800-53), Health Information Trust Alliance Common Security Framework (HITRUST CSF)
Business continuity: ISO 22301
IT Frameworks: COBIT (2019)
COBIT is a framework and supporting toolset published by the IT Governance Institute at ISACA. It is currently in its sixth version, which was published in early 2019. (Note that the text refers to COBIT version 5, which has now been replaced.)
COBIT is commonly viewed as an IT audit-based framework, but more broadly includes risk, governance, and control components.
Management objectives are divided into four domains:
Align, Plan & Organize: Addresses the overall organization, strategy and supporting IT activities.
Build, Acquire & Implement: Addresses the definition, acquisition and implementation of IT solutions.
Deliver, Service & Support: Addresses the operational delivery and support of IT services, including security.
Monitor, Evaluate & Assess: Addresses performance monitoring and conformance of IT with internal performance targets, internal control objectives and external requirements.
Governance objectives are grouped in a single domain:
Evaluate, Direct and Monitor: Considers the strategic options, directs senior management on the chosen strategy and monitors the achievement of the strategy.
COBIT consists of 40 distinct ‘processes’ within the five domains.
Each process is connected with particular goals (e.g., manage risk, comply with laws, product innovation), management practices, activities, metrics, related guidance (from other frameworks), key roles (e.g., board, CIO, business process owner), and related input/output processes.
IT Frameworks: COBIT Capability Levels
Each process in COBIT can be evaluated in terms of its current maturity level: