cobit 22-23

Develop and Report Overall Conclusion and Recommendations

The substantiated risk of the control weaknesses must be communicated to the different stakeholders of the assurance initiative. The assurance professional should document any identified control weaknesses and resulting threats and vulnerabilities, and identify and
document the actual and potential impact. In addition, the assurance professional may provide comparative information, e.g., through benchmarks, to establish a reference framework in which the test results ought to be evaluated. The objective is to identify items of significance to be able to articulate to the stakeholder the recommended actions and reasons for taking action.

This phase includes aggregating the results of the previous phases, developing a conclusion concerning the identified control weaknesses and communicating:

• Recommended actions to mitigate the impact of the control weaknesses

• Performance comparison to standards and best practices for a relative view on the results

• The risk associated with a failure to perform the process effectively

The formulated conclusion and recommendations should allow the responsible party to take further steps and remedial actions. When the assurance initiative is performed within an assurance context, the assurance professional needs to be thoughtful of formal assurance communication and compliant with assurance reporting standards and guidelines.


The following sections provide illustrative examples of how the assurance testing steps could be applied.

Testing of Control Design

Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6

Manage Changes; COBIT control objective AI6.2 Impact assessment, prioritisation and authorisation

Observations: For the selected systems (e.g., application, platform or network), the assurance professional inventoried the types of changes that can be implemented, procedures (formal or informal) currently in place, all parties involved in the change
management process, tools used, etc. This was done through interviews with involved persons and enquiries for documented procedures. The result of this work was a comprehensive and correct flowchart of the change management process.

The assurance professional reviewed the identified process flow to determine whether there was a step defined in the procedure to assess the impact of a change by a competent person or group of persons. The assurance professional observed that the template for requesting and approving changes included a section on impact assessment. However, the change management procedure did not mention that this information is mandatory, and the absence of this information did not lead to a rejection of the change request. In addition, the procedure did not mention any documentation standards or required verification and approval steps for the impact assessment.

Test Result: The design of this control is flawed, because a fundamental component of the control, i.e., impact assessment, is incomplete at best. It is possible that changes are implemented without proper risk assessment, which can lead to unplanned and difficult-to-contain operational disruptions or malfunctions.

Testing for the Effectiveness of the Control

Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6

Manage Changes; COBIT control objective AI6.3 Emergency changes

Observations: As part of the evaluation of the control design, the assurance professional identified that, for all relevant change management procedures, there is a control defined to help ensure that emergency change requests are reintroduced into the normal change management cycle. In addition, the assurance professional found that there is a procedure that ensures that all emergency changes are appropriately logged in a change management tool.

As part of the control effectiveness testing, a sample of emergency change requests was selected from the change management tool and traced to their reintroduction as normal changes. This tracing included verification of whether the emergency change was actually introduced again as a normal change and whether it was processed following the
normal change management procedure.

The assurance professional observed that from the sample of 25 emergency changes selected, three were not subsequently reprocessed as normal changes. In addition, the assurance professional found that from the 22 emergency changes that had been duly reintroduced, only 10 were discussed at the change management board—or at
least that there was a trace available that indicated that the 10 changes were discussed (trace included information stored in the change management tool).

Test Result:
The emergency change procedure is not effective for two reasons:

• Not all emergency changes are reintroduced in the system, leading to a risk of losing emergency changes from sight and not learning from them.

• Emergency changes that have been reintroduced are most likely inadequately discussed and documented, leading to the same risk.

Documenting the Impact of Control Weaknesses

Situation: General computer controls review in a transaction processing organisation; assessment of the COBIT process AI6

Manage Changes; COBIT control objective AI6.3 Emergency changes

Observations: Using the situation as described, the assurance professional needed to gain additional information and perform further analysis to assess and document the impact of the control weaknesses. For the aforementioned examples, the assurance professional needed to consider the types and numbers of changes affected by the control weaknesses.

Some of the required information might/should already be gathered at the planning stage. This information should be used to evaluate the materiality of the weaknesses noted. Notably, the changes affected should be mapped back to the relevant infrastructure components and the applications/information they support/process. In addition, SLA penalties might apply. Analysis of problems noted in the past can help establish the real potential impact of the weaknesses noted.

In this case, it turns out, after discussion with the responsible change manager and confirmation with other change management board members, that the missing emergency changes relate to non-critical systems, and that the missing documentation was only a documentation issue, whereas the actual change, its cause and consequences had, indeed,
been discussed but were not formally documented.

Test Result: Although the control weaknesses remain as they have been observed, further analysis and documentation showed that the weaknesses were of a lesser importance than originally assessed.


An assurance initiative involves three phases. First, the assurance professional must develop a plan that identifies the assurance universe and uses an appropriate IT control framework to identify the assurance objectives based on a high-level risk assessment. Second, the initiative must be scoped through a top-down analysis that identifies the business goals to be examined and the IT goals that support those business goals, then identifies the IT processes and resources necessary to accomplish the IT goals and the key control objectives that must be accomplished for those processes to function effectively. Third, the initiative must be executed by refining understanding of the key control objectives within the assurance universe, evaluating the design and operational effectiveness of control procedures that address key control objectives, evaluating the impact of any deficiencies that come to light, and communicating findings and recommendations to stakeholders.

El vasco de la carretilla

Rescato unas palabras del vasco de la carretilla.

Vivir el ritmo oculto de los campos

abiertos llenos de sol.

La emoción de la tierra argentina,

llena de generosidades.

He aquí mi objetivo.

Nadie me podrá quitar la dicha

de ser dueño de mi propio destino

(Guillermo Larregui, 17 de agosto de 1938)

Los candidatos 2.0 – Elecciones – Gob. Córdoba 2011

Estuve escuchando por Cadena 3 un comentario acerca de las campañas en la red 2.0 y me llamó la atención de los bajos números que publicaban. No se de donde sacaron esos datos, me puse en la tarea esta tarde de chequearlos. A la fecha de hoy, cierre de campaña. Estos son los datos sacados de Facebook y Twitter.

Aguad, Oscar – Unión Cívica Radical
FB – Pagina: 4151
FB – Usuario: 5004
Twitter: 2666
Agüero, Jorge – Concentración Popular
FB – Pagina: –
FB – Usuario: –
Twitter: –
Baldata, Griselda – Coalición Cívica – ARI
FB – Pagina: 64
FB – Usuario: 2417
Twitter: 340
De la Sota, José Manuel – Unión por Córdoba
FB – Pagina: 11736
FB – Usuario: privado
Twitter: 1501
Delich, Francisco – Concertación Vecinal Es Posible
FB – Pagina: –
FB – Usuario: 60
Twitter: –
Fernández, Eduardo – Nuevo Encuentro
FB – Pagina: –
FB – Usuario: 896
Twitter: 36
González Olguín, Eduardo – Frente de Unidad Popular y Humanista
FB – Pagina: 62
FB – Usuario: 614
Twitter: –
Juez, Luis – Frente Cívico
FB – Pagina: 5744
FB – Usuario: varios perfiles
Twitter: 21778
Salas, Eduardo – Frente de Izquierda y de los Trabajadores
FB – Pagina: –
FB – Usuario: 904
Twitter: 143
Sella, Enrique – PAIS
FB – Pagina: 26
FB – Usuario: 433
Twitter: 197
Vittar, Miguel – Partido Intransigente
FB – Pagina: –
FB – Usuario: 69
Twitter: –

Useful HACMP commands

  • clstat – show cluster state and substate; needs clinfo.
  • cldump – SNMP-based tool to show cluster state.
  • cldisp – similar to cldump, perl script to show cluster state.
  • cltopinfo – list the local view of the cluster topology.
  • clshowsrv -a – list the local view of the cluster subsystems.
  • clfindres (-s) – locate the resource groups and display status.
  • clRGinfo -v – locate the resource groups and display status.
  • clcycle – rotate some of the log files.
  • cl_ping – a cluster ping program with more arguments.
  • clrsh – cluster rsh program that take cluster node names as argument.
  • clgetactivenodes – which nodes are active?
  • get_local_nodename – what is the name of the local node?
  • clconfig – check the HACMP ODM.
  • clRGmove – online/offline or move resource groups.
  • cldare – sync/fix the cluster.
  • cllsgrp – list the resource groups.
  • clsnapshotinfo – create a large snapshot of the HACMP configuration.
  • cllscf – list the network configuration of an HACMP cluster.
  • clshowres – show the resource group configuration.
  • cllsif – show network interface information.
  • cllsres – show short resource group information.
  • lssrc -ls clstrmgrES – list the cluster manager state.
  • lssrc -ls topsvcs – show heartbeat information.
  • cllsnode – list a node centric overview of the hacmp configuration.

Some AIX links

I got this links from rootvg group.
Thanks to Meyyappan Ganesh

1. -> Rajarathinam Sivasankaran – AIX Administrator – Well Known by most of the AIX Administrators and helping lot to the group.
2. – William Favorite
3. – > Santosh Gupta’s – AIX Administrator – (Sundar’s friend)
4. – > Chetan Jain – AIX Administrator
5. – Shiva – AIX Administrator
6. – Mohankumar Gandhi – (Rajarathinam Sivasankaran friend)