Major Manufacturing Case

Major Manufacturing Caselet:
Using COBIT® 5
1
© 2014 ISACA. All rights reserved.
© 2014 ISACA. All rights reserved
.
Disclaimer
ISACA has designed and created the Major Manufacturing Caselet: Using COBIT® 5 (the ‘Work’)
primarily as an educational resource for educational professionals. ISACA makes no claim that use
of any of the Work will assure a successful outcome. The Work should not be considered inclusive
of all proper information, procedures and tests or exclusive of other information, procedures and
tests that are reasonably directed to obtaining the same results. In determining the propriety of
any specific information, procedure or test, security governance and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the
particular systems or information technology environment.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
© 2014 ISACA. All rights reserved
.
© 2014 ISACA. All rights reserved.
2
Reservation of Rights
© 2014 ISACA. All rights reserved. No part of this publication may be used, copied,
reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in
any form by any means (electronic, mechanical, photocopying, recording or otherwise)
without the prior written authorisation of ISACA. Reproduction and use of all or portions of
this publication are permitted solely for academic, internal and non-commercial use and
for consulting/advisory engagements, and must include full attribution of the material’s
source. No other right or permission is granted with respect to this work.
Provide Feedback: www.isaca.org/basic-concepts-caselets
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
© 2014 ISACA. All rights reserved
.
© 2014 ISACA. All rights reserved.
3
Acknowledgements
Author
Krishna Seeburn, Ph.D., CFE, CIA, CISSP, FBCS, LLM, PMP, Riesling Consulting Group,
Mauritius
Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government,
Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK,
Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, RadioShack Mexico, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain,
Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of
Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE, CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International
President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director
Credentialing and Career Management Board
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK,
Chairman
Bernard Battistin, CISA, CMA, Office of the Auditor General of Canada, Canada
Richard Brisebois, CISA, CGA, Canada
Terry Chrisman, CGEIT, CRISC, GE Money, USA
Erik Friebolin, CISA, CISM, CRISC, CISSP, PCI-QSA, ITIL, USA
Frank Nielsen, CISA, CGEIT, CCSA, CIA, Nordea, Denmark
Hitoshi Ota, CISA, CISM, CGEIT, CRISC, CIA, Mizuho Corporate Bank, Japan
Carmen Ozores Fernandes, CISA, CRISC, Brazil
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission,
USA
Professional Standards and Career Management Committee
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission,
USA, Chairman
Christopher Nigel Cooper, CISM, CITP, FBCS, M.Inst.ISP, HP Enterprises Security
Services, UK
Ronald E. Franke, CISA, CRISC, CFE, CIA, CICA, Myers and Stauffer LLC, USA
Alisdair McKenzie, CISA, CISSP, ITCP, I S Assurance Services, New Zealand
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA
Katsumi Sakagawa, CISA, CRISC, PMP, JIEC Co. Ltd., Japan
Ian Sanderson, CISA, CRISC, FCA, NATO, Belgium
Timothy Smith, CISA, CISSP, CPA, LPL Financial, USA
Todd Weinman, CPS, The Weinman Group, USA
Academic Program Subcommittee
Kameswara Rao Namuduri, Ph.D., CISA, CISM, CISSP, University of North Texas, USA,
Chairman
Umesh R. Hodeghatta, Xavier Institute of Management, India
Matthew Liotine, Ph.D., CBCP, CSSBB, MBCI, University of Illinois at Chicago, USA
Joshua Onome Imoniana, Ph.D., CGEIT, Universidade Presbiteriana Mackenzie, Brazil
Nebil Messabia, Canada
Kumar Srikanteswaran, CISA, CMA, PMP, India
Sadir Vanderloot, CISA, CISM, CCNA, CCSA, NCSA, Sheffield Hallam University, Sweden
Ype van Wijk, Ph.D., RE, RA, Rijksuniversiteit Groningen, The Netherlands
Hiroshi Yoshida, Ph.D., CGEIT, CRISC, Nagoya Bunri University, Japan
4
© 2014 ISACA. All rights reserved.
© 2014 ISACA. All rights reserved
.
Student Book
This caselet was developed to support the
Basic Foundational Concepts Student Book: Using COBIT® 5,
www.isaca.org/basic-concepts-student-book
5
© 2014 ISACA. All rights reserved.
© 2014 ISACA. All rights reserved
.
Testing and independence is all about being able perform a
What is testing review or an assessment and provide a report that is impartial. It
and
should give the right picture of the situation. An independent
independence? audit should include a rigorous assessment of the facts. All
findings should be tested and supported by appropriate evidence.
How does it
benefit an
enterprise?
How does it
benefit an IS
auditor?
A lack of Independence is a major problem faced by any
professional today. Professionals are required to abide by a code
of ethics and demonstrate personal integrity when making
decisions. As much as possible, professionals should maintain a
clear independent view. Non-compliance with ethics sometimes
exists when one has a vested interest in an area. For example,
having family or investments within a business might impair one’s
independence and objectivity.
6
© 2014 ISACA. All rights reserved
.
What is testing
and
independence? Having the right skills to carry out a review is also important. It
How does it
benefit an
enterprise?
How does it
benefit an IS
auditor?
is important to collaborate with other skilled experts in
defining areas where a rigorous review is important.
The bottom line is that the major benefit to enterprises is the
real insight into the functioning of the business; where things
are working well and where they are not.
7
© 2014 ISACA. All rights reserved
.
What is testing
and
independence?
How does it
benefit an
enterprise?
How does it
benefit an IS
auditor?
As an auditor, it is important that you build the right skills and
always be impartial in your judgement and evaluation.
It will enable you to provide a professional assessment of the
enterprise.
8
© 2014 ISACA. All rights reserved
.
Agenda
• Company Profile – Major Manufacturing
• Background Information
• The Problems
• Your Role
• Your Tasks
• Figures
• Questions
9
© 2014 ISACA. All rights reserved
.
Major Manufacturing – Profile
One of the largest
manufacturing
companies in the world
Headquartered in Berlin,
Germany with branch
offices in London, UK;
Barcelona, Spain;
Singapore; Hong Kong;
and St. Louis, Missouri,
USA
Has approximately 15,000
employees and a few
hundred long-term
contractors
Is a publicly held company
that traces its roots to the
beginning of the twentieth
century
© 2014 ISACA. All rights reserved
.
Background – What We Do
What We Do
Financials
Org. Structure
Operational
• We make a wide variety of small, durable goods.
• We are known internationally, not only for the goods that
we make, but also for the quality of those goods.
• We have invented ways to create new and better
versions of existing products several times in the past.
Industry
Marketing
11
© 2014 ISACA. All rights reserved
.
Background – Financials
What We Do
Financials
Org. Structure
Major Manufacturing is a publicly owned company with:
•Revenue of € 201 million
•Profit of € 15.1 million
•No significant debt
Operational
Industry
Marketing
12
© 2014 ISACA. All rights reserved
.
Background – Org. Structure
IT Security
Systems and
Network
CIO
What We Do
Applications
Financials
Plant Engineering
Org. Structure
Industry
Business
Resumption
CEO
Operational
Business
Operations
COO
Accounting
CFO
Audit
Marketing
VP, Research
Public Relations
HR
VP, Sales and
Marketing
Compliance
Legal
13
© 2014 ISACA. All rights reserved
.
Background – Org. Structure
What We Do
Financials
The board of directors:
• Is not a very functional entity
• Provides little oversight and guidance to the business
Org. Structure
Operational
Industry
Marketing
The CEO:
• Is also the chairman of the board of directors
• Rules with an iron hand
• Appoints people to the board on the basis of their
willingness to give approval for initiatives with little
delay
14
© 2014 ISACA. All rights reserved
.
Background – Operational
What We Do
Financials
Org. Structure
Operational
Industry
Marketing
• Business units are the backbone of Major Manufacturing.
Each is a fiercely independent silo with the mission of
being as profitable as possible, except for the way they
share machinery and equipment used in manufacturing.
• Business unit managers are highly valued and are placed
high in the organisational chart.
• All business unit managers report to the chief operations
officer (COO).
• Each business unit faces what often turn out to be
stringent time deadlines.
15
© 2014 ISACA. All rights reserved
.
Background – Industry
What We Do
Financials
Org. Structure
Operational
Industry
Marketing
• The manufacturing arena has taken a downward turn
over the last two years. One of the effects of the bad
economy has been a sharp drop in sales of manufactured
goods.
• The level of competition within the manufacturing
industry is very high. Some manufacturing companies
have been selling manufactured goods at below their
actual cost because their inventories of manufactured
goods have been high and also because of the need for
greater cash flow.
16
© 2014 ISACA. All rights reserved
.
Background – Marketing
What We Do
Financials
Org. Structure
Operational
Industry
• Major Manufacturing’s executive management and the
board of directors have a philosophy that they will not
rush any product to market.
• Instead, they have established processes in which each
new product is carefully and thoroughly tested before it
is allowed to go on the market, and quality assurance
and Major Manufacturing go hand-in-hand.
Marketing
17
© 2014 ISACA. All rights reserved
.
Background – Marketing
What We Do
Financials
Org. Structure
Operational
Industry
Marketing
• Major Manufacturing has a modest advertising
campaign.
• People in Berlin (and to a lesser degree, Europe at large)
have heard of this company, although the company is
also not exactly a household name in Berlin. Major
Manufacturing is also not well known internationally.
• The CEO has been deliberating whether the marketing
efforts should be strengthened.
18
© 2014 ISACA. All rights reserved
.
The Problem
• The board has been having key issues with the operations of the company. They want a clear
insight of the status of the enterprise and its major IT systems.
• There has been whistle-blowing about close irregular transactions between key C-suite level
executives.
• You have family ties with the CIO; the CIO is your cousin, and your wife’s brother is the CFO of
the company.
• The CFO is the cousin of the CEO, and they have been working closely for a while.
19
© 2014 ISACA. All rights reserved
.
The Problem (cont.)
• The company is listed on the stock exchange and thus has many external
stockholders. Thereby, it requires clear transparent processes in the governance of
the board.
• You have, in the past, worked on the key infrastructure systems and designed a few of
them personally before your move to be an auditor of the firm.
• The company has been making steady progress towards profitability and constant
growth.
• The company has in place enterprise resources planning (ERP) systems, which you
helped implement when you worked for Major Manufacturing, and put in place some
key loopholes (e.g., reversing of transaction within the system without further audit
trails). The loopholes were implemented in support of the CFO requirements ensure a
quick back-end access to the ERP system without following the key best business
practices.
• You have been promised some indirect financial support by the CFO for overlooking
some practices in the system that may have been implemented after you had left the
company, but of which you are aware.
20
© 2014 ISACA. All rights reserved
.
The Problem (cont.)
• The CIO has been able to work around the problem, but the situation still exists.
• In financial terms, if you were to look at the ERP system in place and give
assurance on the information available, and if it were to leak to the
stakeholders or to the market, it may have some impact.
• Further, you have been involved as an independent consultant for the firm on
some new initiatives within the enterprise, and you have not advised your audit
partners that you were advising Major Manufacturing as a consultant on the
potential systems you were going to audit.
21
© 2014 ISACA. All rights reserved
.
The Problem (cont.)
You have been requested by Touching Auditors to carry an audit review of Major
Manufacturing. You need to:
• Provide a review of the IT systems. You need to review the core processes and
evaluate whether they are operational.
• Provide the audit team with the assurance on the organisational data and IT
systems and processes.
• Explain the ERP system issues, if any.
• Provide a clear and concise report to the board for effective review.
22
© 2014 ISACA. All rights reserved
.
The Problem (cont.)
• Despite your close ties with the executives of Major Manufacturing, you decide
to carry on and go about your audit.
• You provide a concise report and highlight some key issues. You ensure that
your work as the IS auditor is done effectively with a few small omissions.
Despite the fact that there were issues identified by the board, the report did
not seem to suggest any major issues apart from areas in information security.
23
© 2014 ISACA. All rights reserved
.
Your Role
• Your title: Senior IT Auditor at
Touching Audit
• Your assignment: The Touching Audit
firm was appointed to carry out the
audit review of Major Manufacturing,
and you have been placed as the
senior auditor IT for the project
because of your inside knowledge of
Major Manufacturing.
• Tenure: You have had three successful
years on the job with Touching Audit.
• Education: You have a bachelor's
degree in IT.
• Certifications:
₋ Certified Information Systems
Auditor (CISA)
₋ Certified Internal Auditor (CIA)
₋ American Institute of Certified
Public Accountants (AICPA)
Qualified Member
₋ Grandfathered into the Certified
in the Governance of Enterprise
IT (CGEIT) certification in 2008
24
© 2014 ISACA. All rights reserved
.
Your Task
•
•
•
•
Look at your independence as the IS auditor in this case.
Identify key requirements for the audit, while ensuring the standards are clear.
Help your colleagues in the process without undue interference.
Produce an impartial report.
25
© 2014 ISACA. All rights reserved
.
Discussion Questions
1.
2.
3.
4.
What are the key requirements for an independent audit?
What are the key issues that can lead to a non-independent and unclear audit?
What is critical for a successful audit?
Discuss some of the major audit failures and why were they so critical in-house
as well as knowledge for the public
5. From an IS audit perspective, the IS audit could get away with the implied and
applicable laws that concern mainly financial audit/reporting. What is the main
importance and role the IS audit plays in a routine enterprisewide approach?
6. What are the triggers to an unclear testing of controls and evidence gathering?
7. In the described problem in the caselet, what would you suggest should
happen? What would you do to ensure a clear vision and objective of such an
audit?
26
© 2014 ISACA. All rights reserved
.