Question

Dent Del Inc.

Questions

As the internal audit team lead for IT Audit, you have been asked to utilize COBIT as a framework to

Case Exercise: Student Book COBIT: IT_Gov_Using_COBIT_and_ValIT_Student_Book_2ndEd_Research.pdf

1. Identify which processes were ineffective and allowed this situation to occur, using COBIT to justify your responses.

2. Suggest the steps management should take to assess the situation and create an action plan.

3. Identify which governance processes should be initiated to prevent reoccurrence of a project failure such as this one.

4. What are the five steps required for the IT assurance of a specific area?

5. Based on the results of question 4 and your understanding of the control environment, identify the high-risk areas requiring audit attention.

As an IT auditor, suggest the steps senior management should take to assess a failed IT implementation using COBIT and IT governance and create an action plan.

Solutions

Expert Solution

Identify which processes were ineffective and allowed this situation to occur, using COBIT to justify your responses.

Indeed, the main processes which were ineffective, thus allowing this situation to occur, are the audit and assurance and risk management functions. Ideally, audit assurance and risk management as components of the COBIT framework were not properly taken into account, allowing the project to experience major challenges. On one hand, the internal audit function was limited in scope since it would have provided for all the disclosures before the implementation of the project. Actually, the issue of internal audit was brought up after several concerns were raised, including a possible write-off of $8 million, which means that the function was reactionary rather than being proactive in managing the IT project. On the other hand, the risk management function was not carried out properly since the project was not properly analyzed for underlying risks before determining whether to implement it or otherwise. The facts provided in the case indicate that the project was not presented to the executive committee due to the desire to implement it quickly, which allowed loopholes to exist. Ideally, projects of this nature need to be properly analyzed by the top management for underlying risks to determine their viability and methods that could be used to manage risks, if any. Additionally, the information presented does not indicate the internal controls that would be used to manage information security, which could allow breaches and loss of confidential customer data. The other aspect of the COBIT framework, which is governance of Enterprise, was adhered to since the project aligned the goals of the firm to the project. However, relevant disclosures to the Securities and Exchange Commission were required to enhance regulatory compliance.

Suggest the steps management should take to assess the situation and create an action plan.

Basically, the management should take various steps to assess the situation and prevent any potential losses that could result from the project. First, the management should call upon the audit committee to make a general assessment of the project and report the findings. The audit committee should be tasked with the responsibility of scrutinizing all the concerns that are raised in the project and whether due process was followed in initializing the project. Then, the committee should report the findings to the management, detailing all the fact findings and recommendations. The other step that the management should take is to call upon the project committee to make a presentation regarding the project and present their concerns that needed to be handled by the management. This is due to the fact that the project committee possesses useful information necessary to the management in scrutinizing the project to determine whether all the processes were followed. The management should also review all audit and compliance rules and the Securities and Exchange Commission guidelines to ensure that all the relevant disclosures are done. An appropriate action plan would be carrying out a project analysis to gather information about the project being implemented. Project analysis should be used to forecast future cash flows of the project to determine its profitability and relevance to the firm. This should be followed by capital budget planning to schedule and prioritize resources in the project. The project could as well be implemented on a pilot basis to assess how well it meets the stated expectations before being implemented at a larger scale, to minimize risks of financial losses related to project failure.

Identify which governance processes should be initiated to prevent reoccurrence of a project failure such as this one.

To minimize reoccurrence of a project failure such as this one, the governance processes that should be initiated include project authorizations and monitoring, internal controls and risk management, and performance management. The current case indicates that the project was not presented to the CEO, CFO and COO and the general counsel prior to the implementation. This means that the project lacked top management scrutiny and proper authorization before implementation, thus allowing loopholes to be carried in the project. To ensure successful completion of projects of this nature, top management should be involved since they have a wider knowledge of projects which can be used for project evaluations and authorizations. Internal controls and risk management should also be stepped up to justify implementation of large-scale projects. Internal controls ensure that appropriate checks and balances are taken before an IT project is implemented. For instance, there is a need to ensure that controls over the IT framework are taken before the project is implemented to guard against information breaches. Internal controls also involve proper authorizations of the project by the management, a factor which was ignored in the current project. Risk management is a governance function that ensures that the project is carried out within the risk framework of the firm. Lack of risk assessment led to the implementation of the project that had huge write-off costs of approximately $8 million. Also, projects of this nature need to be analyzed for their performance through a cost-benefit framework. Appropriate performance management would have ensured that DentDel Incorporated implemented a project which will generate more value to the firm relative to the costs of its implementation.

What are the five steps required for the IT assurance of a specific area?

The five steps required for the IT assurance of a specific area are project definition, planning, generating test plans, executing test plans, and feedback and signoff. In the first step, the quality assurance team identifies which project is to be implemented and performs quality-related tasks to determine whether the relevant capacity is available to implement the project. The team must also evaluate the availability of experienced staff to implement the project. The project management conducts gap analysis at this step to determine any discrepancies that may be faced and determine areas where quality control may be required. Once the project identification is done, planning follows, which includes examining a range of action plans that could be used to implement the project. The action plans should fit the quality assurance tasks defined in the first stage. Then, the quality assurance team generates test plans, which are specific courses of action which prove to be efficient to the project. The test plan should make business sense and uphold the quality assurance objective of the business. The next step is to execute the test plans. At this step, the test plans identified in the third step are implemented with the aim to introducing identified how they best meet the business quality objectives. The quality assurance team must ensure that the test plans adhere to the specifications identified in the initial steps to ensure that the project makes business sense. The final step is to monitor the plans through various measures such as production testing and acceptance testing. Upon satisfactory feedback, the quality assurance team then signs off the project as an objective met.

Based on the results of question 4 and your understanding of the control environment, identify the high-risk areas requiring audit attention. As an IT auditor, suggest the steps senior management should take to assess a failed IT implementation using COBIT and IT governance and create an action plan.

Indeed, the high-risk areas that require audit attention on IT projects include people, processes and information security. People are major risk areas since they can easily override systems to manipulate records and commit fraud. Lack of appropriate or qualified personnel also means that quality assurance is not achieved, leading to failure of the project. Thus, before an IT project is implemented, the organization must ensure that quality assurance risks are handled by engaging the right and qualified personnel that can help achieve the objectives of the organization. On the other hand, processes that are involved in the flow of information are another critical area that requires considerable audit attention. For example, processes involved in the transfer of highly sensitive and confidential information need careful scrutiny to ensure that it is handled through the right people. Chances are that if the processes of the organization are poor, people will always find ways of overriding the IT system, leading to security breaches. Also, processes involved in authorizations of various functions such as payments should be audited to ensure that loopholes do not exist that give room to third parties to manipulate the system. Finally, information security is the greatest risk area due to the growth in e-commerce and online transactions. Information security may entail loss of confidential information for information disseminated via the cloud and other IT infrastructure of the firm. It also includes malicious attacks by hackers, viruses and worms that compromise the information database of the firm. Audit attention should be given to these risk areas to ensure that a proper system of internal controls such as passwords, firewalls and encryption of data is done.
