Hello and welcome to the session in which we will discuss the objective of COBIT and the information criteria of COBIT. Now, what is COBIT? That's the first thing we need to know. Well, it stands for Control Objectives for Information and Related Technologies. So what is that? It's basically a framework, a model that companies use for governing and managing information technology within an organization. Basically, the best way to manage your IT is to follow COBIT, or one of the best ways. So most companies use COBIT because it's the best. Now, COBIT started in 1996, and when it started, it focused on control measures for individual IT processes. So what they did is they spoke about each individual IT process, if it existed in a company, on a separate level. Well, that was in 1996. Since 1996, eventually technology, especially with the rise of the internet, started to be integrated into every aspect of the company. For example, purchasing, sales, payroll, cash, everything. So as that happened, as technology has increasingly become integrated into all aspects, the concept of IT as a separate entity has become obsolete. So what happened is COBIT evolved over the years, and now it reflects the integration of IT into the overall functioning of the organization. So the first thing you want to know, just the big picture, is that COBIT discusses your IT, your information system, as it relates to every aspect of the company. At the beginning, they only focused on specific IT processes; not anymore. Now, the latest edition of COBIT is COBIT 2019, which was released in 2018 by ISACA, which was previously known as the Information Systems Audit and Control Association. I do believe they administer the CISA exam, if you are interested in it. Before we proceed any further, I have a public announcement about my company, farhatlectures.com.
Farhat Accounting Lectures is a supplemental educational tool that's gonna help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, Miles. My accounting courses are aligned with your accounting courses, broken down by chapter and topic. My resources consist of lectures, multiple choice questions, true-false questions, as well as exercises. Go ahead, start your free trial today, no obligation, no credit card required.

Now, what is the overall objective and structure of COBIT? Well, as I mentioned, it provides the framework, a model for aligning IT with the overall organizational governance, and helps management to understand and manage the various IT processes and achieve business objectives. So we are marrying, we are aligning your IT policy with your business objectives, your IT policy with the way you govern the company, the way you have those internal controls set up. The IT is gonna play a major role in that, and it's gonna help you achieve your business objectives. Now, what did we learn about this framework? Or what did you hear about it? Well, if you remember, we have a framework for financial reporting. A framework is basically, think of it as a reference or as a Bible of that topic, of that industry. Now, COBIT is a framework. We have a framework for financial reporting. If you remember, there's an objective of the framework, you know, financial reporting, the objective; we just discussed the objective of COBIT. Now, also, accounting information, when we learn about the objective of the framework, it has to have certain characteristics. If you remember, neutrality, completeness, free of material errors: we had some fundamental qualities, some enhancing qualities. Even if you don't know them, that's fine. But the point is, it's an overall picture. Now we're gonna look at the structure of COBIT. COBIT will have seven information criteria.
I would say most similar to the qualitative characteristics of information. It has governance focus areas. It has five key principles, and it has something called COBIT 2019. COBIT 2019, you're gonna see, is an advanced version of the five key principles, and other topics about COBIT will be discussed in separate recordings. In this session specifically, I'm gonna be focusing on the seven information criteria of COBIT. So basically, what COBIT is saying is that for information to be good, for data to be good, it has to have certain attributes, certain criteria, certain objectives. And what are those? There are seven of them: confidentiality, reliability, effectiveness, efficiency, integrity, availability, and compliance. Now, as you know, if you know anything about Farhat, once I have a list of items, I'm gonna go through each item separately, explaining how each relates to the overall picture, starting with confidentiality.

What is confidentiality when we are dealing with COBIT? It deals with ensuring that only authorized individuals have access to sensitive information. You're gonna have sensitive information, for example, medical records, bank account information, and the IT system should be able to protect that information from intruders. And that information is protected from unauthorized access, use, disclosure, disruption, modification, or destruction. Are you keeping that information confidential? Okay, so confidentiality is a critical aspect. They're all critical aspects of IT security; I'm gonna be mentioning this again and again. It is essential in maintaining the trust and confidence of customers, partners, and stakeholders. Think about a company where there is some news that they lost the credit card information of their customers. The customers will not be happy. A case in point is Target. At some point, they lost the credit card information of many customers.
Now, to make sure you have confidentiality, you need to implement robust security controls. Make sure you have security controls, and we'll talk about those later, and processes to protect sensitive information. This could include, again, we're gonna talk about those later, access controls, data encryption, data masking, firewalls. Don't worry if you don't understand this. Just know that we need to have certain policies; well, not policies here, these are processes, these are tools: intrusion detection systems and other security measures to protect the information from unauthorized access and disclosure. Now, bear in mind, in most of these criteria we're gonna have to look at legal, regulatory, and contractual requirements to ensure that the information is kept confidential according to laws and regulations. You might also have specific strict laws and regulations, for example, for medical records, or from the government for the banking system; you might have to have very high confidentiality for certain customers, also in the financial services industry. So you should also be able to comply with those.

Reliability, what does it refer to? Well, the ability of the IT system to function as intended and produce accurate results. Reliability means I wanted it to do something. Is it doing it? Is it producing the result that I want it to? It's gonna deal also with availability, and we'll talk about availability as a separate criterion, because availability and reliability are related. We're gonna see, when we talk about availability, we reference reliability. So it deals with the availability of the IT system. Think about when you go and you wanna log into Amazon and it's not there. Well, what do you think about a company like that, right? The availability of IT systems and services to meet the needs of the business processes, to ensure that the information provided is also accurate, consistent, and trustworthy.
It's reliable, the information that you're getting; it's available and reliable. So reliability is a crucial aspect of IT, as it helps to ensure that the organization can depend on its IT systems and services to support its operations and decision-making. If you cannot depend on your IT system, you cannot run the business. Now, to achieve reliability, you need to implement also robust systems and processes that ensure IT services and infrastructure are continually monitored and maintained. This could include a disaster recovery plan. What is that? Basically, if your system went out, if your website went out, you have an alternative website sitting on another server that will come online almost immediately, and a business continuity plan in case something happened, to minimize the impact of IT failures.

Effectiveness, what is effectiveness? Effectiveness is getting things done, okay? The ability to achieve the objective, whatever that objective is, and deliver value. The value is different for different organizations. Usually the value is the increase in shareholder wealth, to deliver profit. But this is what we mean by effectiveness. Is the IT system serving that? It deals with ensuring that IT systems and services are aligned. Remember, the IT system has to be aligned with the organization's overall goals. So when you buy an IT system, when you implement an IT system, the first thing is, is it good for my system? It might be the best IT out there, but is it serving what I needed it to serve? Otherwise it's not good if it's not meeting my objective. And they are being used to support and improve organizational performance. Is it, over time, helping me improve my performance? Also, that's a critical aspect of IT governance. It helps to ensure that the organization is getting the most value from its IT investment, because when you buy IT, it's an investment. You wanna make sure you get the most out of it.
To achieve this objective, which is effectiveness, you need to implement also a robust process for evaluating and measuring the performance of IT systems and services. You need to find a way to know how many transactions it's processing per day, per hour, per minute, and so on and so forth, how effective it is. This could include setting performance metrics; you're just measuring with numbers. How many calls can we process? How many transactions can we process per second? Monitoring and reporting on performance, management sitting down and reviewing those reports, and implementing corrective actions when necessary. For example, sometimes we need more bandwidth during a certain period of time, during the busy, busy, busy time of the day. Do we have access to that?

Efficiency. Well, if effectiveness is getting the job done, efficiency is getting the job done with the least amount of resources. It refers to the optimal use of resources to deliver IT services and infrastructure. Effectiveness: get it done. Efficiency: get it done with the least amount of resources. It deals with making sure that the organization's IT systems are delivered in the most cost-effective and productive way. You are being effective, you are being efficient. Just a simple example to differentiate the two. Let's assume I have two students, student one and student two. Both students got an A in the class. This student studied 10 hours, and this student studied 20 hours. Well, they both are effective. They both got an A, but student one is more efficient because he or she only studied 10 hours. So they used less resources to achieve the same objective. So make sure you know the difference between the two. Efficiency is a key aspect, again, as it helps to ensure that the organization is getting the most out of its investment. It's being efficient. To achieve efficiency, you need to implement a robust process to optimize the use of resources.
Now, how do you do that? You eliminate inefficiencies in the system. You reduce cost. You improve the performance of IT systems and services. Sometimes you may want to rent certain things, not buy them. For example, maybe you don't wanna buy new software; you wanna rent a service, an application, rather than buying. Maybe it's more efficient, more cost-effective. This could also include the consideration of the return on investment. This is what you have to do: re-evaluate this cost-benefit analysis. Is it worth it, in order to ensure that the IT processes and systems are delivering value to the organization?

Integrity, what is integrity? The protection of information from unauthorized modification or destruction. Is the information good? No one is manipulating this information. You wanna make sure here, it deals with ensuring that the information stored, processed, and transmitted by the IT system is accurate, complete, and consistent. Integrity is also a crucial aspect, they're all crucial aspects, because you want to give the image that the organization is reliable and trustworthy. Think about if you submit certain information and the system cannot keep it, or you change your address and the system doesn't change your address. To ensure integrity, the organization needs to implement robust controls against unauthorized modification or destruction, especially when you need to have changes in the software itself. That's also important to have integrity, and we'll talk about that later. This includes implementing data validation, which we'll talk about when we talk about input controls, data quality checks, access controls, data encryption, and other security measures to protect information from unauthorized changes or deletion. Now, sometimes you want to delete certain information. For example, certain legal records will need to be deleted after a certain period of time. You wanna make sure you can do that.
But the point is you don't want to delete something that you really don't need. So here what we're talking about is you might have some legal and regulatory considerations. For example, the law states, for example, medical records, destroy after two, three years or whatever that period is. You have to make sure you keep that integrity according to the laws and the regulations.

Availability. The ability of the system and services to be accessible and operational when needed. Again, it's like reliability. It deals with ensuring that the organization's IT systems and services are available to support the needs of the business processes and to minimize the impact of IT failures. You could have IT failures, but you wanna make sure you have availability 99.999% of the time, and to ensure continuity of operations. Again, that's a critical aspect to support operations and decision-making. To ensure availability, again, you need to implement robust systems, and that could include continuously monitoring and maintaining the system. You have a team 24/7; some people go to sleep, some people wake up, some people are overseas, monitoring the availability of the system. This also includes disaster recovery plans and business continuity plans being in place to minimize the impact of any IT failure, monitoring and reporting on the availability of IT systems and services. You could have people just monitoring the system, making sure it doesn't go down, and implementing corrective actions when necessary. Again, you could also consider the level of agreement and business continuity plans of the IT system if you have a contract with other people. Sometimes you might have an agreement with some other organization that you have to keep your system up 100% or close to 100%. You wanna make sure you comply with this.

Compliance: adhering to laws, rules, regulations, and standards. You wanna make sure your system adheres to that.
Okay, it ensures that the organization's systems are in line with the legal and regulatory requirements that apply to the organization and the industry it operates in. For example, publicly traded companies, you wanna make sure you submit your information online, on time, to the SEC; you're in compliance. Also, compliance includes internal policies. You could have compliance internally with procedures. This is important for internal control, as well as industry standards and best practices. This includes the process of monitoring and reporting compliance to the relevant authorities and stakeholders if need be. Compliance is an important aspect that helps to mitigate risk and protect the organization from legal and, most importantly, reputational damage. You are in compliance. You are not having any problems like what FTX had recently, the cryptocurrency, where they were not complying with the requirements of the customers. What should you do now? Go to Farhat Lectures, look at additional MCQs that are gonna help you in this topic. Whether you're studying for your CPA exam, your CISA exam, or accounting information systems or this information system, invest in yourself, invest in your career. Visit Farhat Lectures, good luck, study hard, and of course, stay safe.
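Two of the criteria in the lecture, availability (the 99.999% target, monitoring and reporting) and integrity (detecting unauthorized modification), can be made concrete in a few lines. The Python below is an added example and is not from the lecture, from ISACA or from COBIT itself: it computes the measured availability of each service from a constructed outage log, reports whether each service met a five-nines target for the reporting period, and verifies a stored record against a SHA-256 fingerprint taken when it was written. The log lines, service names, record contents and the March 2024 reporting period are all constructed for illustration.

```python
"""Added example (not from the lecture): measuring availability against a
target and checking record integrity, two of the COBIT information criteria."""
import hashlib
import hmac
from datetime import datetime

# Constructed outage log, one outage per line: "<start> <end> <service>".
# Timestamps are ISO 8601; the services "web" and "payments" are made up.
OUTAGE_LOG = """\
2024-03-02T01:15:00 2024-03-02T01:27:00 web
2024-03-09T14:00:00 2024-03-09T14:03:00 web
2024-03-20T09:30:00 2024-03-20T09:31:30 payments
"""

FIVE_NINES = 99.999  # the availability target quoted in the lecture
REPORT_START = datetime(2024, 3, 1)  # constructed reporting period: March 2024
REPORT_END = datetime(2024, 4, 1)


def parse_outages(log_text):
    """Return a list of (service, start, end) tuples parsed from the log text."""
    outages = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        start, end, service = line.split()
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        if e < s:
            raise ValueError(f"outage ends before it starts: {line!r}")
        outages.append((service, s, e))
    return outages


def availability_percent(outages, service, period_start, period_end):
    """Percentage of the reporting period during which `service` was up.
    Each outage is clipped to the period, so an incident that straddles the
    period boundary only counts the part that falls inside it."""
    period = (period_end - period_start).total_seconds()
    if period <= 0:
        raise ValueError("reporting period must be non-empty")
    down = 0.0
    for svc, s, e in outages:
        if svc != service:
            continue
        s, e = max(s, period_start), min(e, period_end)
        if e > s:
            down += (e - s).total_seconds()
    return 100.0 * (period - down) / period


def allowed_downtime_seconds(period_start, period_end, target=FIVE_NINES):
    """Downtime budget the target leaves for the period (about 26.8 s for
    five nines over a 31-day month)."""
    period = (period_end - period_start).total_seconds()
    return period * (100.0 - target) / 100.0


def availability_report(log_text, period_start, period_end, target=FIVE_NINES):
    """Map each service seen in the log to (availability %, meets target?)."""
    outages = parse_outages(log_text)
    report = {}
    for svc in sorted({svc for svc, _, _ in outages}):
        pct = availability_percent(outages, svc, period_start, period_end)
        report[svc] = (round(pct, 5), pct >= target)
    return report


def fingerprint(record):
    """SHA-256 hex digest of a record's bytes, taken when the record is stored."""
    return hashlib.sha256(record).hexdigest()


def integrity_intact(record, stored_digest):
    """True if the record still matches the digest recorded at write time.
    Constant-time comparison avoids leaking how many digest characters match."""
    return hmac.compare_digest(fingerprint(record), stored_digest)


if __name__ == "__main__":
    for svc, (pct, ok) in availability_report(OUTAGE_LOG, REPORT_START, REPORT_END).items():
        print(f"{svc:9s} {pct:.5f}%  {'meets' if ok else 'MISSES'} the {FIVE_NINES}% target")
    print(f"five-nines downtime budget for March: "
          f"{allowed_downtime_seconds(REPORT_START, REPORT_END):.1f} s")
    record = b"customer=42;address=1 Main St"  # constructed record
    digest = fingerprint(record)
    print("unchanged record intact:", integrity_intact(record, digest))
    tampered = record.replace(b"1 Main", b"9 Main")
    print("tampered record intact:  ", integrity_intact(tampered, digest))
```

Run as a script, the report shows that 15 minutes of "web" outages in a month leaves availability near 99.966%, well short of five nines, and that even the 90-second "payments" incident exceeds the roughly 27-second monthly budget that a 99.999% target allows; that is the kind of number a management review of availability reports would act on. For the integrity check, the digest only detects modification if it is stored where whoever can alter the record cannot also alter the digest (a separate system, or a signed copy); a digest kept next to the record in the same table gives no protection against an insider with write access to both.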