The COBIT framework is an IT governance tool that organises IT control objectives by IT process, providing clear links among IT governance requirements, IT processes and IT controls. It caters to various user groups, including executive management, business management, IT management and auditors. Among the processes it covers are defining a strategic IT plan, managing IT investments, managing IT human resources, defining and managing service levels, monitoring and evaluating IT performance, and monitoring and evaluating internal control.
The IT Governance Institute® The IT Governance Institute (ITGI™) ( www.itgi.org ) was established in 1998 to advance international thinking and standards in directing and controlling an enterprise’s information technology. Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. ITGI offers original research, electronic resources and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
Disclaimer ITGI (the “Owner”) has designed and created this publication, titled COBIT® 4.1 (the “Work”), primarily as an educational resource for chief information officers (CIOs), senior management, IT management and control professionals. The Owner makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of any proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, CIOs, senior management, IT management and control professionals should apply their own professional judgement to the specific circumstances presented by the particular systems or IT environment.
Disclosure Copyright © 2007 by the IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reproduction of selections of this publication, for internal and non-commercial or academic use only, is permitted and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.
IT Governance Institute 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.590. Fax: +1.847.253. E-mail: [email protected] Web site: www.itgi.org
Printed in the United States of America
COBIT 4.1

ACKNOWLEDGEMENTS
Donald Lorete, CPA, Deloitte & Touche LLP, USA
Addie C.P. Lui, MCSA, MCSE, First Hawaiian Bank, USA
Debra Mallette, CISA, CSSBB, Kaiser Permanente, USA
Charles Mansour, CISA, Charles Mansour Audit & Risk Service, UK
Mario Micallef, CPAA, FIA, National Australia Bank Group, Australia
Niels Thor Mikkelsen, CISA, CIA, Danske Bank, Denmark
John Mitchell, CISA, CFE, CITP, FBCS, FIIA, MIIA, QiCA, LHS Business Control, UK
Anita Montgomery, CISA, CIA, Countrywide, USA
Karl Muise, CISA, City National Bank, USA
Jay S. Munnelly, CISA, CIA, CGFM, Federal Deposit Insurance Corp., USA
Sang Nguyen, CISA, CISSP, MCSE, Nova Southeastern University, USA
Ed O’Donnell, Ph.D., CPA, University of Kansas, USA
Sue Owen, Department of Veterans Affairs, Australia
Robert G. Parker, CISA, CA, CMC, FCA, Robert G. Parker Consulting, Canada
Robert Payne, Trencor Services (Pty) Ltd., South Africa
Thomas Phelps IV, CISA, PricewaterhouseCoopers LLP, USA
Vitor Prisca, CISM, Novabase, Portugal
Martin Rosenberg, Ph.D., IT Business Management, UK
Claus Rosenquist, CISA, TrygVesata, Denmark
Jaco Sadie, Sasol, South Africa
Max Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Craig W. Silverthorne, CISA, CISM, CPA, IBM Business Consulting Services, USA
Chad Smith, Great-West Life, Canada
Roger Southgate, CISA, CISM, FCCA, CubeIT Management Ltd., UK
Paula Spinner, CSC, USA
Mark Stanley, CISA, Toyota Financial Services, USA
Dirk E. Steuperaert, CISA, PricewaterhouseCoopers, Belgium
Robert E. Stroud, CA Inc., USA
Scott L. Summers, Ph.D., Brigham Young University, USA
Lance M. Turcato, CISA, CISM, CPA, City of Phoenix IT Audit Division, USA
Wim Van Grembergen, Ph.D., University of Antwerp Management School, Belgium
Johan Van Grieken, CISA, Deloitte, Belgium
Greet Volders, Voquals NV, Belgium
Thomas M. Wagner, Gartner Inc., USA
Robert M. Walters, CISA, CPA, CGA, Office of the Comptroller General, Canada
Freddy Withagels, CISA, Capgemini, Belgium
Tom Wong, CISA, CIA, CMA, Ernst & Young LLP, Canada
Amanda Xu, CISA, PMP, KPMG LLP, USA
ITGI Board of Trustees
Everett C. Johnson, CPA, Deloitte & Touche LLP (retired), USA, International President
Georges Ataya, CISA, CISM, CISSP, Solvay Business School, Belgium, Vice President
William C. Boni, CISM, Motorola, USA, Vice President
Avinash Kadam, CISA, CISM, CISSP, CBCP, GSEC, GCIH, Miel e-Security Pvt. Ltd., India, Vice President
Jean-Louis Leignel, MAGE Conseil, France, Vice President
Lucio Augusto Molina Focazzio, CISA, Colombia, Vice President
Howard Nicholson, CISA, City of Salisbury, Australia, Vice President
Frank Yam, CISA, FHKIoD, FHKCS, FFA, CIA, CFE, CCP, CFSA, Focus Strategic Group, Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young LLP, USA, Past International President
Robert S. Roussey, CPA, University of Southern California, USA, Past International President
Ronald Saull, CSP, Great-West Life and IGM Financial, Canada, Trustee
IT Governance Committee
Tony Hayes, FCPA, Queensland Government, Australia, Chair
Max Blecher, Virtual Alliance, South Africa
Sushil Chatterji, Edutech, Singapore
Anil Jogani, CISA, FCA, Tally Solutions Limited, UK
John W. Lainhart IV, CISA, CISM, IBM, USA
Rómulo Lomparte, CISA, Banco de Crédito BCP, Peru
Michael Schirmbrand, Ph.D., CISA, CISM, CPA, KPMG LLP, Austria
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada
COBIT Steering Committee
Roger Debreceny, Ph.D., FCPA, University of Hawaii, USA, Chair
Gary S. Baker, CA, Deloitte & Touche, Canada
Dan Casciano, CISA, Ernst & Young LLP, USA
Steven De Haes, University of Antwerp Management School, Belgium
Peter De Koninck, CISA, CFSA, CIA, SWIFT SC, Belgium
Rafael Eduardo Fabius, CISA, República AFAP SA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss), Swiss Life, Switzerland
Erik Guldentops, CISA, CISM, University of Antwerp Management School, Belgium
Gary Hardy, IT Winners, South Africa
Jimmy Heschl, CISA, CISM, KPMG, Austria
Debbie A. Lew, CISA, Ernst & Young LLP, USA
Maxwell J. Shanahan, CISA, FCPA, Max Shanahan & Associates, Australia
Dirk Steuperaert, CISA, PricewaterhouseCoopers LLC, Belgium
Robert E. Stroud, CA Inc., USA
ITGI Advisory Panel
Ronald Saull, CSP, Great-West Life Assurance and IGM Financial, Canada, Chair
Roland Bader, F. Hoffmann-La Roche AG, Switzerland
Linda Betz, IBM Corporation, USA
Jean-Pierre Corniou, Renault, France
Rob Clyde, CISM, Symantec, USA
Richard Granger, NHS Connecting for Health, UK
Howard Schmidt, CISM, R&H Security Consulting LLC, USA
Alex Siow Yuen Khong, StarHub Ltd., Singapore
Amit Yoran, Yoran Associates, USA
ITGI Affiliates and Sponsors
ISACA chapters
American Institute for Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association of Corporate Governance
FIDA Inform
Information Security Forum
The Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants
ISACA
ITGI Japan
Solvay Business School
University of Antwerp Management School
Aldion Consulting Pte. Ltd.
CA
Hewlett-Packard
IBM
LogLogic Inc.
Phoenix Business and Systems Process Inc.
Symantec Corporation
Wolcott Group LLC
World Pass IT Solutions
EXECUTIVE OVERVIEW
For many enterprises, information and the technology that supports it represent their most valuable, but often least understood, assets. Successful enterprises recognise the benefits of information technology and use it to drive their stakeholders’ value. These enterprises also understand and manage the associated risks, such as increasing regulatory compliance and critical dependence of many business processes on information technology (IT).
The need for assurance about the value of IT, the management of IT-related risks and increased requirements for control over information are now understood as key elements of enterprise governance. Value, risk and control constitute the core of IT governance.
IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and objectives.
Furthermore, IT governance integrates and institutionalises good practices to ensure that the enterprise’s IT supports the business objectives. IT governance enables the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining competitive advantage. These outcomes require a framework for control over IT that fits with and supports the Committee of Sponsoring Organisations of the Treadway Commission’s (COSO’s) Internal Control—Integrated Framework , the widely accepted control framework for enterprise governance and risk management, and similar compliant frameworks.
Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets. Management should also optimise the use of available IT resources, including applications, information, infrastructure and people. To discharge these responsibilities, as well as to achieve its objectives, management should understand the status of its enterprise architecture for IT and decide what governance and control it should provide.
Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts. They are strongly focused on control and less on execution. These practices will help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong.
For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The COBIT control framework contributes to these needs by:
The business orientation of COBIT consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.
The process focus of COBIT is illustrated by a process model that subdivides IT into four domains and 34 processes in line with the responsibility areas of plan, build, run and monitor, providing an end-to-end view of IT. Enterprise architecture concepts help identify the resources essential for process success, i.e., applications, information, infrastructure and people.
In summary, to provide the information that the enterprise needs to achieve its objectives, IT resources need to be managed by a set of naturally grouped processes.
But how does the enterprise get IT under control such that it delivers the information the enterprise needs? How does it manage the risks and secure the IT resources on which it is so dependent? How does the enterprise ensure that IT achieves its objectives and supports the business?
First, management needs control objectives that define the ultimate goal of implementing policies, plans and procedures, and organisational structures designed to provide reasonable assurance that:
These IT governance focus areas describe the topics that executive management needs to address to govern IT within their enterprises. Operational management uses processes to organise and manage ongoing IT activities. COBIT provides a generic process model that represents all the processes normally found in IT functions, providing a common reference model understandable to operational IT and business managers. The COBIT process model has been mapped to the IT governance focus areas (see appendix II, Mapping IT Processes to IT Governance Focus Areas, COSO, COBIT IT Resources and COBIT Information Criteria), providing a bridge between what operational managers need to execute and what executives wish to govern.
To achieve effective governance, executives require that controls be implemented by operational managers within a defined control framework for all IT processes. COBIT’s IT control objectives are organised by IT process; therefore, the framework provides a clear link among IT governance requirements, IT processes and IT controls.
COBIT is focused on what is required to achieve adequate management and control of IT, and is positioned at a high level. COBIT has been aligned and harmonised with other, more detailed, IT standards and good practices (see appendix IV, COBIT 4.1 Primary Reference Material). COBIT acts as an integrator of these different guidance materials, summarising key objectives under one umbrella framework that also links to governance and business requirements.
COSO (and similar compliant frameworks) is generally accepted as the internal control framework for enterprises. COBIT is the generally accepted internal control framework for IT.
The COBIT products have been organised into three levels ( figure 3 ) designed to support:
Briefly, the COBIT products include:
The COBIT content diagram depicted in figure 3 presents the primary audiences, their questions on IT governance and the generally applicable products that provide responses. There are also derived products for specific purposes, for domains such as security or for specific enterprises.
Figure 3—COBIT Content Diagram (recovered from the figure text; the diagram itself is not reproduced here)

Executives and Boards. Question: How does the board exercise its responsibilities? Product: Board Briefing on IT Governance, 2nd Edition.

Business and Technology Management. Questions: How do we measure performance? How do we compare to others? And how do we improve over time? Products: Management guidelines, including maturity models.

Governance, Assurance, Control and Security Professionals. Questions: What is the IT governance framework? How do we assess the IT governance framework? How do we implement it in the enterprise? Products: the COBIT and Val IT frameworks, control objectives and key management practices; IT Governance Implementation Guide, 2nd Edition; COBIT Control Practices, 2nd Edition; IT Assurance Guide.

This COBIT-based product diagram presents the generally applicable products and their primary audience. There are also derived products for specific purposes (IT Control Objectives for Sarbanes-Oxley, 2nd Edition), for domains such as security (COBIT Security Baseline and Information Security Governance: Guidance for Boards of Directors and Executive Management), or for specific enterprises (COBIT Quickstart for small and medium-sized enterprises or for large enterprises wishing to ramp up to a more extensive IT governance implementation).
All of these COBIT components interrelate, providing support for the governance, management, control and assurance needs of the different audiences, as shown in figure 4.
COBIT is a framework and supporting tool set that allow managers to bridge the gap with respect to control requirements, technical issues and business risks, and communicate that level of control to stakeholders. COBIT enables the development of clear policies and good practice for IT control throughout enterprises. COBIT is continuously kept up to date and harmonised with other standards and guidance. Hence, COBIT has become the integrator for IT good practices and the umbrella framework for IT governance that helps in understanding and managing the risks and benefits associated with IT. The process structure of COBIT and its high-level, business-oriented approach provide an end-to-end view of IT and the decisions to be made about IT.
The benefits of implementing COBIT as a governance framework over IT include:
The rest of this document provides a description of the COBIT framework and all of the core COBIT components, organised by COBIT’s four IT domains and 34 IT processes. This provides a handy reference book for all of the main COBIT guidance. Several appendices are also provided as useful references.
The most complete and up-to-date information on COBIT and related products, including online tools, implementation guides, case studies, newsletters and educational materials can be found at www.isaca.org/cobit.
Figure 4—Interrelationships of COBIT Components (recovered from the figure text; the diagram itself is not reproduced here)

The figure links the following components: Business Goals, IT Goals, IT Processes, Key Activities, the Responsibility and Accountability Chart (RACI), Control Objectives, Control Practices, Control Design Tests, Control Outcome Tests, Outcome Measures, Performance Indicators and Maturity Models. Business goals set requirements for IT goals, and IT goals set requirements for IT processes; the information those processes deliver is derived from, and flows back to, the goals. IT processes are broken down into key activities, which are performed by the roles in the RACI chart. IT processes are controlled by control objectives, which are implemented with control practices and audited with control design tests; results are audited with control outcome tests. IT processes are measured by outcome measures (for outcome), performance indicators (for performance) and maturity models (for maturity).
COBIT FRAMEWORK
COBIT Mission: To research, develop, publicise and promote an authoritative, up-to-date, internationally accepted IT governance control framework for adoption by enterprises and day-to-day use by business managers, IT professionals and assurance professionals
THE NEED FOR A CONTROL FRAMEWORK FOR IT GOVERNANCE
A control framework for IT governance defines the reasons IT governance is needed, the stakeholders and what it needs to accomplish.
Why
Increasingly, top management is realising the significant impact that information can have on the success of the enterprise. Management expects heightened understanding of the way IT is operated and the likelihood of its being leveraged successfully for competitive advantage. In particular, top management needs to know if information is being managed by the enterprise so that it is:
Successful enterprises understand the risks and exploit the benefits of IT and find ways to deal with:
Enterprises cannot deliver effectively against these business and governance requirements without adopting and implementing a governance and control framework for IT to:
Furthermore, governance and control frameworks are becoming a part of IT management good practice and are an enabler for establishing IT governance and complying with continually increasing regulatory requirements.
IT good practices have become significant due to a number of factors:
Who
A governance and control framework needs to serve a variety of internal and external stakeholders, each of whom has specific needs:
What
To meet the requirements listed in the previous section, a framework for IT governance and control should:
HOW COBIT MEETS THE NEED
In response to the needs described in the previous section, the COBIT framework was created with the main characteristics of being business-focused, process-oriented, controls-based and measurement-driven.
Business-focused
Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and auditors, but also, and more important, to provide comprehensive guidance for management and business process owners.
The COBIT framework is based on the following principle ( figure 5 ): To provide the information that the enterprise requires to achieve its objectives, the enterprise needs to invest in and manage and control IT resources using a structured set of processes to provide the services that deliver the required enterprise information.
Managing and controlling information are at the heart of the COBIT framework and help ensure alignment to business requirements.
To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, certainly overlapping, information criteria are defined as follows:
Figure 5—Basic COBIT Principle (recovered from the figure text): Business Requirements drive the investments in IT Resources, which are used by IT Processes to deliver Enterprise Information, which in turn responds to the Business Requirements.
The IT organisation delivers against these goals by a clearly defined set of processes that use people skills and technology infrastructure to run automated business applications while leveraging business information. These resources, together with the processes, constitute an enterprise architecture for IT, as shown in figure 6.
To respond to the business requirements for IT, the enterprise needs to invest in the resources required to create an adequate technical capability (e.g., an enterprise resource planning [ERP] system) to support a business capability (e.g., implementing a supply chain) resulting in the desired outcome (e.g., increased sales and financial benefits).
The IT resources identified in COBIT can be defined as follows:
Figure 7 summarises how the business goals for IT influence how the IT resources need to be managed by the IT processes to deliver IT’s goals.
Process-oriented
COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan, build, run and monitor.
The COBIT framework provides a reference process model and common language for everyone in an enterprise to view and manage IT activities. Incorporating an operational model and a common language for all parts of the business involved in IT is one of the most important and initial steps toward good governance. It also provides a framework for measuring and monitoring IT performance, communicating with service providers and integrating best management practices. A process model encourages process ownership, enabling responsibilities and accountability to be defined.
To govern IT effectively, it is important to appreciate the activities and risks within IT that need to be managed. They are usually ordered into the responsibility domains of plan, build, run and monitor. Within the COBIT framework, these domains, as shown in figure 8 , are called:
Plan and Organise
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realisation of the strategic vision needs to be planned, communicated and managed for different perspectives. A proper organisation as well as technological infrastructure should be put in place. This domain typically addresses the following management questions:
Figure 7—Managing IT Resources to Deliver IT Goals (recovered from the figure text): Enterprise Goals and Governance Drivers determine the IT Goals; the IT Goals are delivered by the IT Processes, which use the IT resources (People, Applications, Information and Infrastructure) to produce Business Outcomes.
Figure 8—The Four Interrelated Domains of COBIT: Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate.
Acquire and Implement
To realise the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
Deliver and Support
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
Monitor and Evaluate
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
Across these four domains, COBIT has identified 34 IT processes that are generally used (refer to figure 22 for the complete list). While most enterprises have defined plan, build, run and monitor responsibilities for IT, and most have the same key processes, few will have the same process structure or apply all 34 COBIT processes. COBIT provides a complete list of processes that can be used to verify the completeness of activities and responsibilities; however, they need not all apply, and, even more, they can be combined as required by each enterprise.
For each of these 34 processes, a link is made to the business and IT goals that are supported. Information on how the goals can be measured, what the key activities and major deliverables are, and who is responsible for them is also provided.
Controls-based
COBIT defines control objectives for all 34 processes, as well as overarching process and application controls.
Control is defined as the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
IT control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. They:
Enterprise management needs to make choices relative to these control objectives by:
In addition to appreciating what controls are required, process owners need to understand what inputs they require from others and what others require from their process. COBIT provides generic examples of the key inputs and outputs for each process, including external IT requirements. There are some outputs that are input to all other processes, marked as ‘ALL’ in the output tables, but they are not mentioned as inputs in all processes, and typically include quality standards and metrics requirements, the IT process framework, documented roles and responsibilities, the enterprise IT control framework, IT policies, and personnel roles and responsibilities.
Understanding the roles and responsibilities for each process is key to effective governance. COBIT provides a RACI chart for each process. Accountable means ‘the buck stops here’—this is the person who provides direction and authorises an activity. Responsibility is attributed to the person who gets the task done. The other two roles (consulted and informed) ensure that everyone who needs to be is involved and supports the process.
The enterprise’s system of internal controls impacts IT at three levels:
General controls are controls embedded in IT processes and services. Examples include:
Controls embedded in business process applications are commonly referred to as application controls. Examples include:
COBIT assumes the design and implementation of automated application controls to be the responsibility of IT, covered in the Acquire and Implement domain, based on business requirements defined using COBIT’s information criteria, as shown in figure 10. The operational management and control responsibility for application controls is not with IT, but with the business process owner.
Hence, the responsibility for application controls is an end-to-end joint responsibility between business and IT, but the nature of the responsibilities changes as follows:
Therefore, the COBIT IT processes cover general IT controls, but only the development aspects of application controls; responsibility for definition and operational usage is with the business.
The following list provides a recommended set of application control objectives. They are identified by ACn, for application control number.
AC1 Source Data Preparation and Authorisation Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. Detect errors and irregularities so they can be reported and corrected.
AC2 Source Data Collection and Entry Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
AC3 Accuracy, Completeness and Authenticity Checks Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
AC4 Processing Integrity and Validity Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.
AC5 Output Review, Reconciliation and Error Handling Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the output is used.
AC6 Transaction Authentication and Integrity Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
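The following is an added worked example, not part of COBIT 4.1, showing how AC3, AC4 and AC6 look when implemented in a receiving application. It assumes (these are illustrative choices, not anything the framework prescribes) that transactions travel as JSON records with the fields id, src, dst, amount and currency, and that the sending application attaches an HMAC-SHA256 tag over the canonical encoding using a key shared with the receiver. The sample batch is constructed inline: one valid transaction, three that fail edit checks, one tampered with after signing and one forged without the key.

```python
"""Application-control example (added; not COBIT's own material).

AC3: accuracy, completeness and validity edits at the point of entry.
AC4: an erroneous transaction is rejected on its own and does not stop
     processing of the valid transactions in the same batch.
AC6: authenticity of origin and integrity of content are checked with an
     HMAC before the data is accepted from another application.
"""
import hashlib
import hmac
import json

# Constructed values for the example; a real deployment would provision
# the key out of band and keep it out of source code.
SHARED_KEY = b"demo-shared-key-not-for-production"
EXPECTED_DST = "ledger"            # this application's own address (AC6 addressing check)
ALLOWED_CURRENCIES = {"USD", "EUR"}
REQUIRED = ("id", "src", "dst", "amount", "currency")


def canonical(txn: dict) -> bytes:
    """Stable encoding so sender and receiver tag exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign(txn: dict, key: bytes = SHARED_KEY) -> str:
    """Tag computed by the sending application (shown here for the demo)."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()


def verify_origin_and_integrity(txn: dict, tag: str) -> bool:
    """AC6: constant-time comparison of the received tag with a recomputed one."""
    return hmac.compare_digest(sign(txn), tag)


def validate(txn: dict) -> list[str]:
    """AC3: return the list of edit failures (empty list means the record passes)."""
    errors = [f"missing {f}" for f in REQUIRED if f not in txn]
    if errors:
        return errors                      # completeness first; other edits need the fields
    if txn["dst"] != EXPECTED_DST:
        errors.append("wrong addressing")
    if not isinstance(txn["amount"], int) or txn["amount"] <= 0:
        errors.append("amount must be a positive integer of minor units")
    if txn["currency"] not in ALLOWED_CURRENCIES:
        errors.append("unsupported currency")
    return errors


def process_batch(batch: list[dict]) -> dict:
    """AC4: post valid records, quarantine bad ones with their reasons, never abort."""
    posted, rejected = [], []
    for item in batch:
        txn, tag = item["txn"], item["tag"]
        if not verify_origin_and_integrity(txn, tag):
            # Do not trust any field of an unauthenticated record beyond logging its id.
            rejected.append((txn.get("id"), ["bad or missing integrity tag"]))
            continue
        errs = validate(txn)
        if errs:
            rejected.append((txn["id"], errs))
        else:
            posted.append(txn["id"])
    return {"posted": posted, "rejected": rejected}


def make_item(txn: dict, key: bytes = SHARED_KEY) -> dict:
    """What the sending application would emit: record plus its tag."""
    return {"txn": txn, "tag": sign(txn, key)}


# Constructed sample batch.
SAMPLE_BATCH = [
    make_item({"id": "T1", "src": "sales", "dst": "ledger", "amount": 1500, "currency": "USD"}),
    make_item({"id": "T2", "src": "sales", "dst": "ledger", "amount": -20, "currency": "USD"}),
    make_item({"id": "T3", "src": "sales", "dst": "payroll", "amount": 10, "currency": "EUR"}),
    make_item({"id": "T4", "src": "sales", "dst": "ledger", "amount": 99, "currency": "GBP"}),
]
# T5 is altered in transit after the sender tagged it (integrity failure).
_t5 = make_item({"id": "T5", "src": "sales", "dst": "ledger", "amount": 100, "currency": "EUR"})
_t5["txn"]["amount"] = 100000
SAMPLE_BATCH.append(_t5)
# T6 is forged by a party that does not hold the shared key (origin failure).
SAMPLE_BATCH.append(
    make_item({"id": "T6", "src": "sales", "dst": "ledger", "amount": 5, "currency": "USD"}, key=b"wrong")
)

if __name__ == "__main__":
    print(json.dumps(process_batch(SAMPLE_BATCH), indent=2))
```

Only T1 posts; T2, T3 and T4 are returned with the specific edit that failed, and T5 and T6 are rejected before any field is interpreted because the tag does not verify. The point for a control designer is the ordering: authenticity and integrity (AC6) are checked before the content edits (AC3), and rejection is per record (AC4), so a bad record surfaces in the exception report without holding up the rest of the batch.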
Figure 10—Boundaries of Business, General and Application Controls (recovered from the figure text; the diagram itself is not reproduced here): Business controls, which are the business’s responsibility, define the functional requirements and control requirements. IT general controls, which are IT’s responsibility, span the Plan and Organise, Acquire and Implement, Deliver and Support, and Monitor and Evaluate domains and deliver automated services. Application controls sit at the boundary between the two: IT builds them from the business’s requirements, and their operational use is again the business’s responsibility.