The COBIT 5 framework can be used for the overall governance and management of IT in an enterprise. The framework consists of seven enablers and five processes. The enablers are used to enable information. Enablers are broadly defined as anything that can help to achieve the objectives of the enterprise.
The enablers include principles, policies, and frameworks; processes; organisational structures; culture, ethics, and behaviour; information; services, infrastructure, and applications; and people, skills, and competencies.
The Information Technology Infrastructure Library (ITIL) is focused on IT service management. The current ITIL publication is known as ITIL 2011. The framework is published in a series of five core volumes, which cover ITIL service strategy, design, transition, operation, and improvement. ITIL processes are generic and not specific to any enterprise or industry. The framework is used to develop a baseline for planning, implementing, and measuring IT performance.
ITIL has a special focus on service-level management. Service-level management provides for the continuous identification, monitoring, and review of the levels of IT services as specified in the service-level agreements (SLAs). Service-level management ensures that services are made available with both internal and external IT support.
The IS auditor can use the above standards to review implementation of IT governance.
Each framework or standard has a particular focus and uses its own models to explain how
IT governance should be implemented and operated.
Risk Management
In order to implement a good regime of IT governance, the board and management should
have a good understanding and appreciation of the enterprise risk profile. An enterprise
consists of various functions which work together to achieve set goals. Each function has
its own risks which aggregate to overall enterprise risks.
IS auditors should also have a good understanding of IT risk in order to perform an effective IS audit. By implementing and using IT, an enterprise faces a number of IT risks. In order to appreciate the risk exposure, the IS auditor may review existing risk management policies and the risk register. The IS auditor may also conduct a separate risk assessment in order to have a current understanding of the risk exposure and of how IT risk is being managed in the enterprise.
There are a number of factors which IS auditors may need to look at as they try to understand IT risk in the enterprise. Some of these factors may include (see figure 5.1):
a) availability of a risk policy in the enterprise