AFM341 Lecture Notes - Lecture 12: Internal Control, Corporate Governance Of Information Technology, Service Management
School: University of Waterloo
Department: Accounting & Financial Management
Class 12: IT Standards & Frameworks
● A wide range of IT standards and frameworks are available to guide managers and auditors,
ranging from broad guidance on IT governance to specific information on security control
● Four kinds of Service Organization Control reports exist, SOC 1, SOC 2, SOC 3, and SOC for
cybersecurity. Each is used in specific circumstances and for particular purposes.
Primary Objective of an AIS
● Is to control the organization so the organization can achieve its objectives.
● Management is expected to:
○ Take a proactive approach to eliminating system threats.
○ Detect, correct, and recover from threats when they occur
● Processes implemented to provide assurance that the following objectives are achieved:
○ Safeguard assets
○ Maintain sufficient records
○ Provide accurate and reliable information
○ Prepare financial reports according to established criteria
○ Promote and improve operational efficiency
○ Encourage adherence with management policies
○ Comply with laws and regulations
Functions of Internal Controls
● Preventive controls
○ Deter problems from occurring
● Detective controls
○ Discover problems that are not prevented
● Corrective controls
○ Identify and correct problems that have occurred, and recover from their effects
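The three control types above are easiest to tell apart in a concrete system. The following is an added example, not part of the lecture notes: a toy accounting information system ledger in which a preventive control blocks bad postings (negative amounts, unauthorised approvers, a preparer approving their own entry), a detective control reviews posted entries afterwards for duplicates and large amounts that prevention could not distinguish from legitimate postings, and a corrective control reverses an entry while recording who did so and why. Every account name, user, rule and amount is a constructed assumption for illustration.

```python
# Added example, not part of the lecture notes: a toy accounting information
# system (AIS) ledger showing where preventive, detective and corrective
# controls sit. Every account name, user, rule and amount below is a
# constructed assumption for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


class ControlViolation(Exception):
    """Raised by a preventive control that blocks a posting."""


@dataclass
class Entry:
    entry_id: int
    debit_account: str
    credit_account: str
    amount: float
    prepared_by: str
    approved_by: str
    reversed: bool = False


class Ledger:
    def __init__(self, approvers: Set[str]) -> None:
        self.entries: List[Entry] = []
        self.approvers = set(approvers)
        self.audit_log: List[Tuple] = []  # trail that later review relies on

    # --- Preventive control: refuse a bad posting before it reaches the books ---
    def post(self, entry: Entry) -> None:
        if entry.amount <= 0:
            raise ControlViolation(f"entry {entry.entry_id}: amount must be positive")
        if entry.approved_by not in self.approvers:
            raise ControlViolation(f"entry {entry.entry_id}: approver not authorised")
        if entry.approved_by == entry.prepared_by:
            raise ControlViolation(
                f"entry {entry.entry_id}: segregation of duties, preparer cannot approve own entry")
        self.entries.append(entry)
        self.audit_log.append(("POST", entry.entry_id, entry.prepared_by, entry.approved_by, entry.amount))

    # --- Detective control: periodic review that finds what prevention let through ---
    def detect_exceptions(self, review_threshold: float) -> List[Tuple[int, str]]:
        findings: List[Tuple[int, str]] = []
        first_seen: Dict[Tuple[str, str, float, str], int] = {}
        for e in self.entries:
            if e.reversed:
                continue
            key = (e.debit_account, e.credit_account, e.amount, e.prepared_by)
            if key in first_seen:
                findings.append((e.entry_id, f"possible duplicate of entry {first_seen[key]}"))
            else:
                first_seen[key] = e.entry_id
            if e.amount > review_threshold:
                findings.append((e.entry_id, "amount exceeds review threshold"))
        return findings

    # --- Corrective control: undo the error and record who did so and why ---
    def reverse(self, entry_id: int, reason: str, performed_by: str) -> bool:
        for e in self.entries:
            if e.entry_id == entry_id and not e.reversed:
                e.reversed = True
                self.audit_log.append(("REVERSE", entry_id, performed_by, reason))
                return True
        return False

    def balance(self, account: str) -> float:
        """Signed debit balance of an account (debits positive, credits negative)."""
        total = 0.0
        for e in self.entries:
            if e.reversed:
                continue
            if e.debit_account == account:
                total += e.amount
            if e.credit_account == account:
                total -= e.amount
        return total


def run_demo():
    """Walk one set of constructed postings through all three control types."""
    ledger = Ledger(approvers={"carol"})
    ledger.post(Entry(1, "Expenses", "Cash", 500.0, "alice", "carol"))
    ledger.post(Entry(2, "Expenses", "Cash", 500.0, "alice", "carol"))    # looks legitimate, is a duplicate
    ledger.post(Entry(3, "Equipment", "Cash", 25000.0, "bob", "carol"))  # large, needs review
    blocked = []
    for bad in (
        Entry(4, "Expenses", "Cash", 100.0, "carol", "carol"),  # self-approval
        Entry(5, "Expenses", "Cash", -50.0, "alice", "carol"),  # negative amount
        Entry(6, "Expenses", "Cash", 100.0, "alice", "dave"),   # unauthorised approver
    ):
        try:
            ledger.post(bad)
        except ControlViolation as exc:
            blocked.append(str(exc))
    findings = ledger.detect_exceptions(review_threshold=10000.0)
    ledger.reverse(2, "duplicate of entry 1", performed_by="carol")
    return ledger, blocked, findings


if __name__ == "__main__":
    ledger, blocked, findings = run_demo()
    print("blocked by preventive control:", *blocked, sep="\n  ")
    print("flagged by detective control:", findings)
    print("Cash balance after correction:", ledger.balance("Cash"))
```

Running the demo shows the division of labour: the preventive control never sees entry 2 as a problem because it is individually valid, the detective review flags it as a likely duplicate and flags entry 3 for its size, and the corrective reversal removes entry 2 from the balance while leaving a REVERSE record in the audit log for the next review cycle.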
IT Standards and Frameworks
● An IT Standard (typically) refers to a set of principles or requirements that an individual or a
company is expected to adhere to (e.g. to comply with a government policy).
● An IT Framework (typically) refers to a broad-based reference model, which provides conceptual
guidance and detailed options, for consideration by company management or advisors related
to IT processes and procedures
Frameworks and Standards Used in IT
● A variety of frameworks and standards can aid in the design, implementation, and evaluation
of IT controls, including:
● IT governance and audit: COBIT, ISO 38500, Federal Information System Controls Audit Manual
● Service management: IT Infrastructure Library (ITIL), ISO 20000
● Project management: The Project Management Body of Knowledge (PMBOK), Projects in
Controlled Environments (PRINCE2)
● Security: ISO 27000 family (27001-27004; 27005-27008), Payment Card Industry Data Security
Standard (PCI DSS), Systems Security Engineering Capability Maturity Model (SSE-CMM),
National Institute of Standards and Technology (NIST SP 800-53), Health Information Trust
Alliance Common Security Framework (HITRUST CSF)
● Business continuity: ISO 22301
IT Frameworks: COBIT (2019)
● COBIT is a framework and supporting toolset published by the IT Governance Institute at ISACA.
● It is currently in its sixth version, which was published in early 2019 (*Note that the text refers to
COBIT version 5, which has now been replaced).
● Commonly viewed as an IT audit-based framework, but more broadly includes risk, governance,
and control components
● Management objectives are divided into four domains:
○ Align, Plan & Organize: Addresses the overall organization, strategy and supporting IT
○ Build, Acquire & Implement: Addresses the definition, acquisition and implementation
of IT solutions.
○ Deliver, Service & Support: Addresses the operational delivery and support of IT
services, including security.
○ Monitor, Evaluate & Assess: Addresses performance monitoring and conformance of IT
with internal performance targets, internal control objectives and external
● Governance objectives are grouped in a single domain:
○ Evaluate, Direct and Monitor: Considers the strategic options, directs senior
management on the chosen strategy and monitors the achievement of the strategy.
● COBIT consists of 40 distinct ‘processes’ within the five domains.
● Each process is connected with particular goals (e.g., manage risk, comply with laws, product
innovation), management practices, activities, metrics, related guidance (from other
frameworks), key roles (e.g., board, CIO, business process owner), related input/output
IT Frameworks: COBIT Capability Levels
● Each process in COBIT can be evaluated in terms of its current maturity level: