ITGI

IT Governance Case Study
US House of Representatives Implements IT Governance

ABSTRACT

The Office of Inspector General (OIG) of the US House of Representatives (House) sought to improve IT activities within the House. A large number of the first audit reports issued by the OIG addressed weaknesses in various IT operations of the House, including the lack of policies and procedures (e.g., a systems development life cycle), poor systems design and development, the lack of planning and performance measures, poor management of the mainframe and the lack of adequate information security. Management needed to take control of the situation, establish clear roles and responsibilities, and adopt an IT governance framework. COBIT® (Control Objectives for Information and related Technology) was that framework.

The OIG already had adopted COBIT as part of its Policies and Procedures Manual and required its use on all IT audits (as its control and audit criteria). It also was used for IT audit planning and IT audit skills assessment and training needs identification. In addition, COBIT was an integral part of the OIG's reporting.

BACKGROUND

In 1993-1994, the House set out to professionalize its operations by putting in place new positions, Chief Administrative Officer (CAO) and Inspector General, for managing and monitoring the administrative operations of the House, respectively.

The House also commissioned the Inspector General to perform the first-ever House audit, consisting of an independent financial audit and 20 performance audits of the operations of the House. This first-ever audit identified significant inefficiencies and potential cost savings, and the urgent need to achieve a higher level of accountability with respect to the administrative, information technology, and financial management operations of the House. More than 200 audit recommendations were made as a result of this audit, many of them focusing on the need for management to establish governance principles, policies and procedures over all aspects of its operations.

With respect to IT, COBIT was cited by the OIG as an IT governance framework on which to build the needed House-specific principles, policies and procedures. The OIG already had incorporated COBIT into its operations and believed that it made good sense for the CAO to incorporate it into his operations as well. The OIG discussed the benefits of COBIT with the CAO, and the CAO agreed.

PROCESS

CAO Implementation

To introduce the framework and benefits of IT governance, the House OIG provided the House CAO and key members of his staff an hour-long briefing based on presentation materials contained in the COBIT Implementation Tool Set.

COBIT's domain and process framework presented control activities in a manageable and definable structure. The high-level and detailed control objectives provided standards and policies that were best practices accepted worldwide and could be implemented where standards and policies did not exist or were not adequate. Thus, it made good sense to adopt COBIT House-wide.

The CAO immediately recognized that COBIT applied to and would benefit the House Information Resources (CIO equivalent) and Finance (CFO equivalent) organizations. As a result, the CAO implemented COBIT and it became an integral governance component of all House IT activities.

For example, House Information Resources (HIR) incorporated COBIT into its system development life cycle (SDLC) process. Early audit reports disclosed that the House did not have an SDLC methodology in place, financial systems did not meet Federal or House guidelines and the House's mainframe computer was underutilized. It was recognized that SDLC phases and checkpoints provide an organized and manageable approach to information resources management and systems development.

Thus, HIR adopted an SDLC methodology and an IT steering committee (named the Information Resources Management Advisory Council), with the OIG serving in an advisory capacity on the committee. The SDLC phases were mapped to the four COBIT domains and the related high-level and detailed control objectives. It was emphasized that COBIT's monitoring domain was critical to ensuring the timely delivery of key SDLC outputs.

Among other steps, the House included requirements to use COTS (commercial off-the-shelf) packages, COBIT and a work breakdown structure. The work breakdown structure used COBIT's control objectives to monitor the tasks being performed in accomplishing the SDLC process. As a result, the House developed an approach to work with program offices and HIR to correct existing weaknesses and prevent future problems.

OIG Implementation

The OIG incorporated COBIT into its Policies and Procedures Manual and used it as an integral resource for all OIG IT audit activities. As a result, COBIT was a key element of the audit planning process, skill/knowledge assessments of staff, training needs assessments of all staff and the audit reporting process.

Audit Planning

COBIT was used as an audit planning tool to:

COBIT was then used to create detailed audit plans. For example, a business impact analysis (BIA) audit was considered for inclusion in the annual audit plan and an audit planning sheet was prepared. The planning sheet included background on the House's BIA process, the potential risks, potential benefits, prior audit coverage, audit objectives, audit staff requirements and the audit schedule. Specifically, audit objectives were identified to focus on evaluating the adequacy and completeness of the BIA to identify and prioritize critical IT functions. These objectives were mapped to correspond with COBIT's domains and high-level control objectives (in this case three domains and four high-level control objectives were applicable). Detailed audit procedures were developed based on COBIT's audit guidelines, incorporating Federal government auditing requirements and computer assisted audit techniques.

Knowledge/Skills and Training Needs Assessments

Because auditors working in IT need specialized expertise, COBIT was used to perform knowledge/skill assessments to ensure that the assigned auditor would have the necessary experience and, therefore, that the audit would be accomplished successfully. The OIG also used COBIT to determine the training needs of its staff for performing the planned audits.

Auditors rated their ability to work in the COBIT domains and evaluated their ability to audit the specific high-level control objectives. Each auditor's education, training and experience in IT was characterized based on three skill sets:

To evaluate training opportunities, a database of courses was maintained based on the course's ability to provide a skill set that supports the COBIT domains and control objectives. Other factors such as course cost, schedule and instructor past performance also were considered. Based on the COBIT course assessment, managers were able to select the best course for auditors at the appropriate time. As a result, a basis was established to evaluate auditors' skills and select the best IT training courses available.

Finally, the OIG's annual training plan was developed and approved, based on the skill/knowledge assessments and available training opportunities, to accomplish the approved annual audit plan.

Reporting

In addition, the OIG used COBIT as internal control and audit criteria in its audit reports, and used the COBIT domains and control objectives to structure its reporting. For example, the audit objectives in one audit were to evaluate the effectiveness of the general control environment surrounding Windows NT clients and servers. Although no serious breaches were found, the audit identified three major areas needing improvement that fell within the following COBIT domains:

Ensuring system security (including virus protection) and using standard naming conventions were among the findings. The resulting recommendations were categorized as High, Medium or Low priority so that management could implement the needed corrective actions in an orderly manner. Each audit finding was based on the COBIT control objectives, and the control objectives and domains were identified as the audit criteria. Finally, the recommendations were drawn from the control objectives and the audit guidelines (specifically, the "substantiating the risk of control objectives not being met" section).

CONCLUSION

The House found that COBIT was a valuable tool both for running the operations of the House and for auditing them. The CAO (and senior managers on his staff) and the Inspector General (and his Director, IT Audits) collaborated to use COBIT to improve the operations of the House. As a result, an IT governance framework was established that included a sound SDLC methodology, grounded in COBIT's domains and control objectives, and an IT steering committee (on which the OIG was an advisory member) that guided the IT activities of the House.