ITGC Checklist - COBIT 2019 Framework Part 4
ITGC Checklist
TechEd Academy
We are pleased to share Part 4 of the COBIT Checklist, carefully prepared to support your learning and understanding of the COBIT framework.
E. CHANGE MANAGEMENT CONTROLS
Table columns: Control objectives and reference to the regulatory framework; COBIT ref.; Tests of controls; Documents required; Evaluation
1. Control objective: Control the impact assessment, authorisation and implementation of all changes to IT infrastructure, applications and technical solutions; minimise errors due to incomplete request specifications; and halt implementation of unauthorised changes.
   References to regulatory framework: IR Arts 22a(1)(d) and 107; ICS8
   Related information criteria: Integrity, availability, effectiveness and efficiency
   COBIT ref.: AI6.1, AI6.2, AI6.3, AI6.4, AI6.5, AI6.6
   Tests of controls:
   1. Is there a formally approved, implemented and monitored framework/procedures for managing changes to IT applications, programs and databases?
   2. Does the change management framework include/cover:
      a. Roles and responsibilities?
      b. Change request procedures?
      c. The assessment of risks and the impacts of changes?
      d. Management authorisation for change requests?
      l. Audit trails?
   Documents required:
   • Change management framework/procedures
   • All records of a sample of changes (from change request log to move into production)
   Evaluation:
2. Control objective: Test that applications and infrastructure solutions are fit for the intended purpose and free from errors, and that adequate data conversion has occurred.
   References to regulatory framework: IR Arts 22a(1)(d) and 107; ICS8
   Related information criteria: Effectiveness
   COBIT ref.: AI7.2, AI7.6
   Tests of controls:
   1. Are all major changes tested against functional and operational requirements to ensure that original business goals are achieved?
   2. Are all major changes executed in accordance with a test plan which covers:
      a. Organisational standards, roles and responsibilities?
      e. Planning/performance/documentation/retention of test cases?
      h. Formal approval?
   Documents required: Test plans and other documents relevant to the testing of a major change to an IT application/program
   Evaluation:
1. Control objective: Identify services delivered by IT. Define, agree upon and regularly review service-level agreements, which should cover service support requirements, related costs, roles and responsibilities, etc., and be expressed in business terms.
   References to regulatory framework: FR Art. 28a(2)(c); IR Arts 22a(1)(d), 48(c,f) and 108; ICS5, ICS8, ICS10, ICS11 and ICS12
   Related information criteria: Confidentiality, integrity, efficiency and effectiveness
   COBIT ref.: DS1.1
   Tests of controls:
   1. Are there clearly-defined benefits and business objectives in support of the decision to outsource?
   2. Are management requirements and expectations clearly defined in the contract/SLA?
   3. Were the risks assessed when deciding to outsource and taken into account when specifying the necessary controls?

      b. Physical security?
      c. Anti-virus protection?
      d. IT staffing needs?

      d. User/provider communications procedure and frequency?
      e. Contract duration?
      g. Non-performance penalties?
      j. Non-disclosure guarantees?
   Documents required:
   • Contract(s)
   • SLA(s)
   Evaluation:
Thank You