Major Manufacturing Caselet: Using COBIT® 5 1 © 2014 ISACA. All rights reserved. © 2014 ISACA. All rights reserved . Disclaimer ISACA has designed and created the Major Manufacturing Caselet: Using COBIT® 5 (the ‘Work’) primarily as an educational resource for educational professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, security governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment. ISACA 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545 Fax: +1.847.253.1443 Email: [email protected] Web site: www.isaca.org © 2014 ISACA. All rights reserved . © 2014 ISACA. All rights reserved. 2 Reservation of Rights © 2014 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and non-commercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work. Provide Feedback: www.isaca.org/basic-concepts-caselets Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center Follow ISACA on Twitter: https://twitter.com/ISACANews Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ © 2014 ISACA. All rights reserved . © 2014 ISACA. All rights reserved. 3 Acknowledgements Author Krishna Seeburn, Ph.D., CFE, CIA, CISSP, FBCS, LLM, PMP, Riesling Consulting Group, Mauritius Board of Directors Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President Juan Luis Carselle, CISA, CGEIT, CRISC, RadioShack Mexico, Mexico, Vice President Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director Krysten McCabe, CISA, The Home Depot, USA, Director Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director Credentialing and Career Management Board Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Chairman Bernard Battistin, CISA, CMA, Office of the Auditor General of Canada, Canada Richard Brisebois, CISA, CGA, Canada Terry Chrisman, CGEIT, CRISC, GE Money, USA Erik Friebolin, CISA, CISM, CRISC, CISSP, PCI-QSA, ITIL, USA Frank Nielsen, CISA, CGEIT, CCSA, CIA, Nordea, Denmark Hitoshi Ota, CISA, CISM, CGEIT, CRISC, CIA, Mizuho Corporate Bank, Japan Carmen Ozores Fernandes, CISA, CRISC, Brazil Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA Professional Standards and Career Management Committee Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA, Chairman Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP, HP Enterprises Security Services, UK Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA, Myers and Stauffer LLC, USA Alisdair McKenzie, CISA, CISSP, ITCP, I S Assurance Services, New Zealand Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA Katsumi Sakagawa, CISA, CRISC, PMP, JIEC Co. Ltd., Japan Ian Sanderson, CISA, CRISC, FCA, NATO, Belgium Timothy Smith, CISA, CISSP, CPA, LPL Financial, USA Todd Weinman, CPS, The Weinman Group, USA Academic Program Subcommittee Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA, Chairman Umesh R. Hodeghatta, Xavier Institute of Management, India Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil Nebil Messabia, Canada Kumar Srikanteswaran, CISA, CMA, PMP, India Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan 4 © 2014 ISACA. All rights reserved. © 2014 ISACA. All rights reserved . Student Book This caselet was developed to support the Basic Foundational Concepts Student Book: Using COBIT® 5, www.isaca.org/basic-concepts-student-book 5 © 2014 ISACA. All rights reserved. © 2014 ISACA. All rights reserved . Testing and independence is all about being able perform a What is testing review or an assessment and provide a report that is impartial. It and should give the right picture of the situation. An independent independence? audit should include a rigorous assessment of the facts. All findings should be tested and supported by appropriate evidence. How does it benefit an enterprise? How does it benefit an IS auditor? A lack of Independence is a major problem faced by any professional today. Professionals are required to abide by a code of ethics and demonstrate personal integrity when making decisions. As much as possible, professionals should maintain a clear independent view. Non-compliance with ethics sometimes exists when one has a vested interest in an area. For example, having family or investments within a business might impair one’s independence and objectivity. 6 © 2014 ISACA. All rights reserved . What is testing and independence? Having the right skills to carry out a review is also important. It How does it benefit an enterprise? How does it benefit an IS auditor? is important to collaborate with other skilled experts in defining areas where a rigorous review is important. The bottom line is that the major benefit to enterprises is the real insight into the functioning of the business; where things are working well and where they are not. 7 © 2014 ISACA. All rights reserved . What is testing and independence? How does it benefit an enterprise? How does it benefit an IS auditor? As an auditor, it is important that you build the right skills and always be impartial in your judgement and evaluation. It will enable you to provide a professional assessment of the enterprise. 8 © 2014 ISACA. All rights reserved . Agenda • Company Profile – Major Manufacturing • Background Information • The Problems • Your Role • Your Tasks • Figures • Questions 9 © 2014 ISACA. All rights reserved . Major Manufacturing – Profile One of the largest manufacturing companies in the world Headquartered in Berlin, Germany with branch offices in London, UK; Barcelona, Spain; Singapore; Hong Kong; and St. Louis, Missouri, USA Has approximately 15,000 employees and a few hundred long-term contractors Is a publicly held company that traces its roots to the beginning of the twentieth century © 2014 ISACA. All rights reserved . Background – What We Do What We Do Financials Org. Structure Operational • We make a wide variety of small, durable goods. • We are known internationally, not only for the goods that we make, but also for the quality of those goods. • We have invented ways to create new and better versions of existing products several times in the past. Industry Marketing 11 © 2014 ISACA. All rights reserved . Background – Financials What We Do Financials Org. Structure Major Manufacturing is a publicly owned company with: •Revenue of € 201 million •Profit of € 15.1 million •No significant debt Operational Industry Marketing 12 © 2014 ISACA. All rights reserved . Background – Org. Structure IT Security Systems and Network CIO What We Do Applications Financials Plant Engineering Org. Structure Industry Business Resumption CEO Operational Business Operations COO Accounting CFO Audit Marketing VP, Research Public Relations HR VP, Sales and Marketing Compliance Legal 13 © 2014 ISACA. All rights reserved . Background – Org. Structure What We Do Financials The board of directors: • Is not a very functional entity • Provides little oversight and guidance to the business Org. Structure Operational Industry Marketing The CEO: • Is also the chairman of the board of directors • Rules with an iron hand • Appoints people to the board on the basis of their willingness to give approval for initiatives with little delay 14 © 2014 ISACA. All rights reserved . Background – Operational What We Do Financials Org. Structure Operational Industry Marketing • Business units are the backbone of Major Manufacturing. Each is a fiercely independent silo with the mission of being as profitable as possible, except for the way they share machinery and equipment used in manufacturing. • Business unit managers are highly valued and are placed high in the organisational chart. • All business unit managers report to the chief operations officer (COO). • Each business unit faces what often turn out to be stringent time deadlines. 15 © 2014 ISACA. All rights reserved . Background – Industry What We Do Financials Org. Structure Operational Industry Marketing • The manufacturing arena has taken a downward turn over the last two years. One of the effects of the bad economy has been a sharp drop in sales of manufactured goods. • The level of competition within the manufacturing industry is very high. Some manufacturing companies have been selling manufactured goods at below their actual cost because their inventories of manufactured goods have been high and also because of the need for greater cash flow. 16 © 2014 ISACA. All rights reserved . Background – Marketing What We Do Financials Org. Structure Operational Industry • Major Manufacturing’s executive management and the board of directors have a philosophy that they will not rush any product to market. • Instead, they have established processes in which each new product is carefully and thoroughly tested before it is allowed to go on the market, and quality assurance and Major Manufacturing go hand-in-hand. Marketing 17 © 2014 ISACA. All rights reserved . Background – Marketing What We Do Financials Org. Structure Operational Industry Marketing • Major Manufacturing has a modest advertising campaign. • People in Berlin (and to a lesser degree, Europe at large) have heard of this company, although the company is also not exactly a household name in Berlin. Major Manufacturing is also not well known internationally. • The CEO has been deliberating whether the marketing efforts should be strengthened. 18 © 2014 ISACA. All rights reserved . The Problem • The board has been having key issues with the operations of the company. They want a clear insight of the status of the enterprise and its major IT systems. • There has been whistle-blowing about close irregular transactions between key C-suite level executives. • You have family ties with the CIO; the CIO is your cousin, and your wife’s brother is the CFO of the company. • The CFO is the cousin of the CEO, and they have been working closely for a while. 19 © 2014 ISACA. All rights reserved . The Problem (cont.) • The company is listed on the stock exchange and thus has many external stockholders. Thereby, it requires clear transparent processes in the governance of the board. • You have, in the past, worked on the key infrastructure systems and designed a few of them personally before your move to be an auditor of the firm. • The company has been making steady progress towards profitability and constant growth. • The company has in place enterprise resources planning (ERP) systems, which you helped implement when you worked for Major Manufacturing, and put in place some key loopholes (e.g., reversing of transaction within the system without further audit trails). The loopholes were implemented in support of the CFO requirements ensure a quick back-end access to the ERP system without following the key best business practices. • You have been promised some indirect financial support by the CFO for overlooking some practices in the system that may have been implemented after you had left the company, but of which you are aware. 20 © 2014 ISACA. All rights reserved . The Problem (cont.) • The CIO has been able to work around the problem, but the situation still exists. • In financial terms, if you were to look at the ERP system in place and give assurance on the information available, and if it were to leak to the stakeholders or to the market, it may have some impact. • Further, you have been involved as an independent consultant for the firm on some new initiatives within the enterprise, and you have not advised your audit partners that you were advising Major Manufacturing as a consultant on the potential systems you were going to audit. 21 © 2014 ISACA. All rights reserved . The Problem (cont.) You have been requested by Touching Auditors to carry an audit review of Major Manufacturing. You need to: • Provide a review of the IT systems. You need to review the core processes and evaluate whether they are operational. • Provide the audit team with the assurance on the organisational data and IT systems and processes. • Explain the ERP system issues, if any. • Provide a clear and concise report to the board for effective review. 22 © 2014 ISACA. All rights reserved . The Problem (cont.) • Despite your close ties with the executives of Major Manufacturing, you decide to carry on and go about your audit. • You provide a concise report and highlight some key issues. You ensure that your work as the IS auditor is done effectively with a few small omissions. Despite the fact that there were issues identified by the board, the report did not seem to suggest any major issues apart from areas in information security. 23 © 2014 ISACA. All rights reserved . Your Role • Your title: Senior IT Auditor at Touching Audit • Your assignment: The Touching Audit firm was appointed to carry out the audit review of Major Manufacturing, and you have been placed as the senior auditor IT for the project because of your inside knowledge of Major Manufacturing. • Tenure: You have had three successful years on the job with Touching Audit. • Education: You have a bachelor's degree in IT. • Certifications: ₋ Certified Information Systems Auditor (CISA) ₋ Certified Internal Auditor (CIA) ₋ American Institute of Certified Public Accountants (AICPA) Qualified Member ₋ Grandfathered into the Certified in the Governance of Enterprise IT (CGEIT) certification in 2008 24 © 2014 ISACA. All rights reserved . Your Task • • • • Look at your independence as the IS auditor in this case. Identify key requirements for the audit, while ensuring the standards are clear. Help your colleagues in the process without undue interference. Produce an impartial report. 25 © 2014 ISACA. All rights reserved . Discussion Questions 1. 2. 3. 4. What are the key requirements for an independent audit? What are the key issues that can lead to a non-independent and unclear audit? What is critical for a successful audit? Discuss some of the major audit failures and why were they so critical in-house as well as knowledge for the public 5. From an IS audit perspective, the IS audit could get away with the implied and applicable laws that concern mainly financial audit/reporting. What is the main importance and role the IS audit plays in a routine enterprisewide approach? 6. What are the triggers to an unclear testing of controls and evidence gathering? 7. In the described problem in the caselet, what would you suggest should happen? What would you do to ensure a clear vision and objective of such an audit? 26 © 2014 ISACA. All rights reserved .