Applying the CobiT Control Framework to Spreadsheet Developments
Authors: Raymond J. Butler

Extracted from Controlling the Subversive Spreadsheet – Risks, Audit and Development Methods, Proceedings of EuSpRIG 2001 Conference, ISBN: 1 86166 179 7. Copyright © 2001 European Spreadsheet Risks Interest Group, www.eusprig.org

Raymond J Butler, CISA
H M Customs & Excise Computer Audit Service, National Office, Queens Dock, Liverpool L74 4AA, UK
++44 (0)151 703 8741
ray.butler@hmce.gsi.gov.uk

© Crown Copyright reserved, used by permission. Extracts from CobiT® © 1996, 1998, 2000 by the Information Systems Audit and Control Foundation, reprinted by permission of the Information Systems Audit and Control Foundation and IT Governance Institute. No other right or permission is granted with respect to this work.

ABSTRACT

One of the problems reported by researchers and auditors in the field of spreadsheet risks is that of getting and keeping management's attention to the problem. Since 1996, the Information Systems Audit & Control Foundation and the IT Governance Institute have published CobiT®, which brings mainstream IT control issues into the corporate governance arena. This paper illustrates how spreadsheet risk and control issues can be mapped onto the CobiT framework and thus brought to managers' attention in a familiar format.

1. A BRIEF INTRODUCTION TO COBIT®

1.1. What is CobiT?

CobiT®, Control Objectives for Information & related Technology, is a tool set which helps business managers to understand and manage the risks associated with implementing new technologies, and demonstrate to regulators, shareholders and other stakeholders how, and how well, they have done this. It is based on international best practice in IT management and control.
The tool set facilitates IT governance, defined as "a structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes" [ISACF 2000(1)]. In an age where business is almost entirely dependent on technology, IT Governance is an essential element of wider corporate governance.

1.2. CobiT's Contents

The framework defines:
• 34 IT processes in 4 broad groups. These processes depend on and impact on IT resources.
• High-level control objectives for each of the 34 processes.
• 318 detailed control objectives, and associated audit guidelines.

CobiT also contains Management Guidelines, including Maturity Models, Critical Success Factors, Key Goal Indicators and Key Performance Indicators for each of the 34 processes.

1.3. CobiT's Audience: Management, Users and Auditors

The framework is designed to help three distinct audiences:
• Management – who need to balance risk and control investment in an IT environment which is often unpredictable.
• Users – who need to obtain assurance on the security and controls of the IT services they depend on to deliver their products and services to internal and external customers.
• Auditors – who can use it to substantiate their opinions and/or provide advice to management on internal controls.

Apart from responding to the needs of the immediate audience of senior management, auditors and security and control professionals, CobiT can be used within enterprises by business process owners in meeting their responsibility for control over the information aspects of their processes, and by those responsible for IT in the enterprise.

2. HOW DOES COBIT COVER SPREADSHEET RISKS?

No specific mention is made of spreadsheets, or of end-user computing. Instead, CobiT provides a generic framework for all the principal IT processes. These can be adapted, scaled and applied to IT solutions at all levels, from a whole Enterprise Resource Planning system to a (relatively) simple spreadsheet development. The example below shows how this can be done.

2.1. An Example from CobiT

The high-level control objective for the process defined as "Acquire and Maintain Application Software" states [ISACF 2000(2)] that:

"Control over the IT process of acquiring and maintaining application software that satisfies the business requirement to provide automated functions which effectively support the business process is enabled by the definition of specific statements of functional and operational requirements, and a phased implementation with clear deliverables, and takes into consideration
• functional testing and acceptance
• application controls and security requirements
• documentation requirements
• application software life cycle
• enterprise information architecture
• system development life cycle methodology
• user-machine interface
• package customisation"

This is supported by 17 detailed control objectives covering:
• Design Methods
• Major Changes to Existing Systems
• Design Approval
• File Requirements Definition and Documentation
• Programme Specifications
• Source Data Collection Design
• Input Requirements Definition and Documentation
• Definition of Interfaces
• User-Machine Interface
• Processing Requirements Definition and Documentation
• Output Requirements Definition and Documentation
• Controllability
• Availability as a Key Design Factor
• IT Integrity Provisions in Application Programme Software
• Application Software Testing
• User Reference and Support Materials
• Reassessment of System Design

All of these controls can be scaled and applied to spreadsheet development. In our "ideal environment", some of these (such as design approval, and testing) will require specific formal controls and procedures; some (such as availability) may depend on wider Office Technology platform controls.

3. THE MATURITY MODEL

CobiT's maturity model for control over IT processes provides a method of scoring which enables an organisation to grade its IT control procedures on a scale from 0 (non-existent) to 5 (optimised). This approach has been derived from the Maturity Model for software development capability defined by the Software Engineering Institute. Management use the maturity model to map the current status of:
• their organisation,
• the best practice or the general state of practice in their industry,
• international standards,
and define where the organisation wants to be against these levels. Figure 1 [ISACF 2000(2)] illustrates the rankings and the way in which an organisation can use the model to map the maturity of their current and desired practices onto the model.

[Figure 1 - The CobiT® Maturity Model]

4. APPLYING COBIT TO SPREADSHEETS

The framework can be readily scaled to spreadsheet developments. The following control objectives (high level and detailed) and maturity model are offered as:
• a demonstration of the adaptability of CobiT to spreadsheets, and
• a "first draft" upon which a formal set of overall and more detailed control objectives can be built.

The controls will obviously need to be applied only to the degree justified by the actual or potential impact that a spreadsheet model has upon the organisation in which it is used. A simple impact assessment and the contents of documentation, etc. have been described in previous papers by this author [Butler, 2000] and will not be reproduced here.

4.1. Control Objective

Control over the process of developing and maintaining spreadsheet models and applications that satisfy the business requirement to provide accurate and error-free business models and analyses which effectively support the business process is enabled by the definition of specific statements of functional and operational requirements, and a phased implementation with clear deliverables, and takes into consideration:
• Design Methods
• Security and data retention requirements
• Testing and Acceptance
• Documentation Requirements

4.2. Detailed Control Objectives

Design Methods
The organisation should employ a spreadsheet development methodology which requires that appropriate procedures and techniques, involving close liaison with model users, are applied to create the design specifications for each new spreadsheet development and to verify the design specifications against the user requirements.

Major Changes to Existing Systems
Management should ensure that, in the event of major changes to existing spreadsheet models or applications, a similar development process is observed as in the case of the development of new models.

Design Approval
The organisation's spreadsheet development methodology should require that the design specifications for all spreadsheet development and modification projects be reviewed and approved by management, the affected user departments and the organisation's senior management, when appropriate.

Programme Specifications
The organisation's spreadsheet development methodology should require that detailed written specifications be prepared for each spreadsheet development or modification project. The methodology should further ensure that specifications agree with design specifications.

Testing
Testing to ensure that:
• the spreadsheet calculations,
• data input and controls over data,
• links between host systems and the spreadsheet, between parts of the spreadsheet, and between spreadsheets in a multi-file suite of models, and
• output reports
operate correctly and as specified, according to the development test plan and established testing standards, should be performed and documented before the development is approved by the user. Adequate measures should be taken to prevent disclosure of sensitive information used during testing.

User Documentation and Instructions
The organisation's spreadsheet development methodology should provide that adequate user reference and support manuals be prepared (preferably in electronic format) as part of every spreadsheet development or modification project.

Security and Retention
The organisation's spreadsheet development and use methodology should include directions for ensuring that:
• access to spreadsheet models is restricted to authorised persons;
• spreadsheet models are protected against inadvertent or unauthorised modification;
• spreadsheet models and applications are retained in electronic form for the period of time appropriate to the purpose of the spreadsheet.

4.3. Maturity Model

Control over the process of developing and maintaining spreadsheet models and applications that satisfy the business requirement to provide accurate and error-free business models and analyses which effectively support the business process:

Maturity Level 0 – Non-existent
There is no process for designing and specifying spreadsheets. Typically, spreadsheets are developed in an unstructured manner by untrained end-users, with little or no documentation of actual requirements and no testing. There is an extremely high risk of error in important spreadsheets.

Maturity Level 1 – Initial/Ad Hoc
There is an awareness that a process for developing spreadsheets is required. Approaches, however, vary from development to development without any consistency and typically in isolation from each other. The organisation's business depends upon a variety of individual solutions with varying degrees of documentation and control, and now suffers legacy problems and inefficiencies with maintenance and support. There is a very high risk of errors in important spreadsheets.

Maturity Level 2 – Repeatable but Intuitive
There are similar processes for developing and maintaining spreadsheets, but they are based on the expertise within the users, not on a documented process. The success rate with spreadsheets depends greatly on individual users' skills and experience levels. Maintenance is usually problematic and suffers when internal knowledge has been lost from the organisation. There is a high risk of errors in important spreadsheets.

Maturity Level 3 – Defined Process
There are documented development and maintenance processes. An attempt is made to apply the documented processes consistently across different spreadsheet developments, but they are not always found to be practical to implement. They are generally inflexible and hard to apply in all cases, so steps are frequently bypassed. As a consequence, spreadsheets are often developed and implemented in a piecemeal fashion. Maintenance follows a defined approach, but is often time-consuming and inefficient. There is a medium risk of errors in important spreadsheets.

Maturity Level 4 – Managed and Measurable
There is a formal, clear and well-understood spreadsheet development and implementation methodology and policy that includes a formal design and specification process, a process for testing and requirements for documentation, ensuring that all spreadsheets are developed and maintained in a consistent manner. Formal approval mechanisms exist to ensure that all steps are followed and exceptions are authorised. The methods have evolved so that they are well suited to the organisation and are likely to be positively used by all staff, and applicable to most important spreadsheet developments. There is a low risk of errors in important spreadsheets.

Maturity Level 5 – Optimised
Spreadsheet development and maintenance practices are in line with the agreed processes. The development and maintenance process is well advanced, enables rapid deployment and allows for high responsiveness, as well as flexibility, in responding to changing business requirements. The spreadsheet development and implementation process has been subjected to continuous improvement and is supported by internal and external knowledge databases containing reference materials and best practices. The methodology creates computer-based documentation in a pre-defined structure that makes production and maintenance very efficient. There is a very low risk of errors in important spreadsheets.

5. CONCLUSIONS

5.1. Can the CobiT Approach Help with Spreadsheets?

As illustrated above, the CobiT approach can easily be applied to spreadsheets. In itself, this adds no new insights into the problem of spreadsheet risk, or into good practice and control issues. It will, however, be a very useful method of presenting those issues. It will allow spreadsheet risk, good practice and control to be presented to managers in a familiar format. It will therefore help the audit and spreadsheet development communities to "market" the issues to decision makers, and raise them as corporate and IS governance rather than parochial technical issues.

5.2. What Next?

Business managers and auditors urgently need two (linked) products. These are:
• a brief synopsis of spreadsheet risks, to explain why they should take spreadsheets in their organisation seriously;
• a statement of good practice in the design, use and control of spreadsheets.

It is hoped that the proceedings of this and the previous EuSpRIG conference will provide much of the source material for this, and that this paper will influence its production in the CobiT format, increasingly familiar to and used by business managers, our intended audience.

6. RESOURCES AND REFERENCES

Much of CobiT is available as an open standard for download from the Information Systems Audit and Control Association web site at www.isaca.org

[ISACF 2000(1)] CobiT 3rd Edition Executive Summary, IS Audit & Control Foundation, Chicago, Ill., July 2000.
[ISACF 2000(2)] CobiT 3rd Edition Control Objectives, IS Audit & Control Foundation, Chicago, Ill., July 2000.
[ISACF 2000(3)] CobiT 3rd Edition Management Guidelines, IS Audit & Control Foundation, Chicago, Ill., July 2000.
Butler, R. (2000) "Is this Spreadsheet a Tax Evader?", Proceedings of the 33rd Hawaii International Conference on System Sciences.
Butler, R. (2000) "Risk Assessment in Spreadsheet Developments", Proceedings of the first EuSpRIG Conference.
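The Programme Specifications, Testing and Security and Retention objectives in section 4.2 state what must be assured but not how; the following script, added here by the editor and not part of the original paper or of CobiT, shows one way part of that assurance can be automated. It works on a constructed spreadsheet model (a dictionary of cell addresses to values and formula strings, standing in for what a workbook reader would return), normalises every formula to relative R1C1 form so that a formula filled down a column compares equal in every row, checks each cell against a written specification of the intended formula for each range, lists formulas that link to another workbook, and hashes the formula layer so that a later change to calculation logic can be detected against an approved baseline while ordinary changes to input values are not flagged. The sample model, the specification, the hard-coded constant in D4 and the external link in E2 are all constructed for the illustration.

```python
import hashlib
import json
import re

# Constructed sample model (not from the paper): cell address -> content.
# Strings beginning with "=" are formulas; anything else is an input value.
# D4 hard-codes the price instead of referencing C4; E2 reads another workbook.
SAMPLE_MODEL = {
    "A1": "Item", "B1": "Qty", "C1": "Price", "D1": "Total",
    "A2": "Widget", "B2": 10, "C2": 2.5, "D2": "=B2*C2",
    "A3": "Gadget", "B3": 4, "C3": 7.0, "D3": "=B3*C3",
    "A4": "Gizmo", "B4": 3, "C4": 1.2, "D4": "=B4*1.2",
    "A5": "Total", "D5": "=SUM(D2:D4)",
    "E2": "='[rates.xlsx]Sheet1'!A1",
}

# Constructed written specification (the test plan the model is checked
# against): inclusive A1 range -> intended formula in relative R1C1 form.
SPEC = {
    "D2:D4": "=R[0]C[-2]*R[0]C[-1]",      # Total = Qty * Price
    "D5:D5": "=SUM(R[-3]C[0]:R[-1]C[0])",  # grand total of the rows above
}

# A1 reference with optional $ on column and row. The look-arounds keep the
# pattern from matching inside names (SUM(, Sheet1) or numbers such as 1E5.
REF_RE = re.compile(r"(?<![A-Za-z0-9_])(\$?)([A-Z]{1,3})(\$?)(\d+)(?![A-Za-z_(])")
EXTERNAL_RE = re.compile(r"\[[^\]]+\]")  # Excel's [Workbook.xlsx] link syntax


def col_to_num(col):
    """'A' -> 1, 'Z' -> 26, 'AA' -> 27."""
    n = 0
    for ch in col:
        n = n * 26 + ord(ch) - 64
    return n


def num_to_col(n):
    """Inverse of col_to_num."""
    s = ""
    while n:
        n, rem = divmod(n - 1, 26)
        s = chr(65 + rem) + s
    return s


def normalize(formula, cell):
    """Rewrite each A1 reference as an offset from `cell` (R1C1 form), so a
    formula filled down a column is the same string in every row; $A$1 -> R1C1."""
    _, hcol, _, hrow = REF_RE.fullmatch(cell).groups()
    home_col, home_row = col_to_num(hcol), int(hrow)

    def repl(m):
        abs_col, col, abs_row, row = m.groups()
        c = f"C{col_to_num(col)}" if abs_col else f"C[{col_to_num(col) - home_col}]"
        r = f"R{row}" if abs_row else f"R[{int(row) - home_row}]"
        return r + c

    return REF_RE.sub(repl, formula)


def expand_range(rng):
    """'D2:D4' -> ['D2', 'D3', 'D4'] (column-major order)."""
    start, end = rng.split(":")
    _, c1, _, r1 = REF_RE.fullmatch(start).groups()
    _, c2, _, r2 = REF_RE.fullmatch(end).groups()
    return [f"{num_to_col(c)}{r}"
            for c in range(col_to_num(c1), col_to_num(c2) + 1)
            for r in range(int(r1), int(r2) + 1)]


def is_formula(value):
    return isinstance(value, str) and value.startswith("=")


def verify_against_spec(model, spec):
    """(cell, finding) pairs where the model departs from the specification:
    no formula where one is required, or a normalised formula that differs."""
    findings = []
    for rng, expected in spec.items():
        for cell in expand_range(rng):
            content = model.get(cell)
            if not is_formula(content):
                findings.append((cell, f"expected a formula, found {content!r}"))
                continue
            got = normalize(content, cell)
            if got != expected:
                findings.append((cell, f"{got} differs from spec {expected}"))
    return findings


def find_external_links(model):
    """Cells whose formula reaches into another workbook: links to be tested."""
    return sorted(c for c, v in model.items() if is_formula(v) and EXTERNAL_RE.search(v))


def formula_layer_hash(model):
    """SHA-256 over formula cells only. Record it for the approved version; a
    later mismatch means calculation logic changed, edits to inputs do not."""
    formulas = {c: v for c, v in model.items() if is_formula(v)}
    canon = json.dumps(formulas, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()
```

Run against SAMPLE_MODEL, verify_against_spec reports only D4 (its normalised form "=R[0]C[-2]*1.2" does not match the specified "=R[0]C[-2]*R[0]C[-1]"), find_external_links returns ["E2"], and the hash returned by formula_layer_hash changes if any formula is edited but not if an input such as B2 is changed. To use it on a real workbook, build the model dictionary from the cell values a reader such as openpyxl returns when the file is loaded with formulas preserved (its default), then store the approved hash alongside the signed-off specification so that the retention copy and the live copy can be compared.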