How COBIT 5 Improves the Work Process Capability of Auditors, Assurance Professionals and Assessors

IS and IT auditors, assurance professionals and assessors undertake audits, assurance work or assessments of IT processes (the assignment) and, in addition to the final objective, have common tasks to complete such as planning and performing activities and reporting results.

The work entails evaluating processes owned by others. But, who is looking at the work processes of the auditor, assurance professional or assessor? How capable are the work processes with regard to meeting the assignment objective defined by the employer, executive manager, board of directors (BoD), client, sponsor or external reviewer?

The COBIT 5 Assessment Programme can help.

It incorporates the COBIT 5 Process Reference Model and ISO/IEC 15504 as the basis for the measurement framework and assessment process. This means that:

• The specifications of the process used in the assessment are based on COBIT 5.
• The capability of each process assessed is expressed in terms of a rating scale from 0 to 5, based on international standards from the International Organization for Standardization (ISO).¹

Because ISACA’s COBIT Self-assessment Guide: Using COBIT 5² and COBIT Process Assessment Model (PAM): Using COBIT 5³ explain in detail how to perform the assessment, this article does not discuss the performance of this task. Instead, it provides an example of how to determine whether a work process is at a level 1 capability and a reflection on why and how auditors, assurance professionals and assessors have to think about and improve their own capability levels.

The Measurement Framework

As the COBIT Self-assessment Guide: Using COBIT 5 mentions, the assessment process involves establishing a capability rating for a process, which involves:⁴

• Defined capability levels (from ISO/IEC 15504) (figure 1)
  
• Process attributes used to rate each process (from ISO/IEC 15504) (figure 2)
  
• Indicators on which to base the assessment achievement of each process attribute (based on and aligned with ISO/IEC 15504):
  • Capability level 1—Indicators are specific for each process and assess whether the following attribute has been achieved: The implemented process achieves its process purpose. Level 1 deals with the detailed content of COBIT 5 processes, so one needs to define his/her work in COBIT 5 terms.
  • Capability levels 2 to 5—Assessment of capability is based on generic process indicators of performance. These are called generic because they apply across all processes, but they are different from one capability level to another.

Capability Level 1: Defining Work Process Specifications

There are very recognized and useful audit frameworks, such as ISACA’s ITAF: A Professional Practices Framework for IS Audit/Assurance⁵ or the Institute of Internal Auditors’s (IIA) International Standards for the Professional Practice of Internal Auditing (Standards),⁶ but, in general, key aspects are the same.

Following COBIT 5, one must define the process itself, including purpose, outcomes, base practices and work products. For example, work may be defined using the words in figure 3.

Defining the Right or Required Capability Level

As part of the assessment, professionals should choose which level of capability their work requires, depending on some considerations:⁷

• Professional environment—The required level can be set by regulations or standards if the assignment is under revision of a third party or controller (i.e., Protecting Investors Through Audit Oversight [PCAOB] or government agencies), or it shall comply with certain standards (i.e., ISACA frameworks).
• Expected goals, benefits and resourcing considerations—For example, if the professional wants to position his/her work or fees as “first class” or improve his/her work process; if the professional staff is very large; or if the structure is complex with a lot of levels.

Process Capability Indicators Levels 2 to 5

Assessment of capability levels 2 to 5 is based on generic process indicators of performance.⁸ There are six capability levels and nine process attributes (PAs) associated. Each PA has indicators called “generic practices,” or a means of achieving the capabilities addressed by them and “work products” required to support the management of a process.

At level 2, process performance is now implemented in a managed fashion (planned, monitored and adjusted) and its work products are appropriately established, controlled and maintained. At first glance, professionals could think that these requirements are included in the audit process and they are met at level 1, but the difference is the documentation requirement. Perhaps the assignment activities and, of course, the report are documented at level 1, but the process itself has to be documented.

At level 2, process documentation has to specify who is responsible for its design (process owner) and its scope; roles; Responsible, Accountable, Consulted and Informed (RACI) chart; and internal control matrix. At level 3, a document outlining the activities required to achieve the required process outcomes (“process procedures”) and a process map are required and, thus, the process documentation is completed.

The same considerations apply to the rest of level 2’s work product, process plan, quality plan and quality record. At this level, very important aspects of the assignment report are established, including content, quality criteria (against which it will be reviewed and approved), documentation and control, including identification, traceability and approvals, and procedures for versioning and change control to be applied.

At level 3, the established process completes level 2 and adds two work products: policies and standards and process performance records. At this level, a managed process is now implemented using a defined process that is capable of achieving its process outcomes.

Its indicators include the following products:

• A defined standard process, including appropriate tailoring guidelines, and the sequence and interaction with other processes
• Required competencies and roles and infrastructure for performing the defined process
• Suitable methods for monitoring the effectiveness and suitability of the defined process

At this point, questions arise, including: Which is the appropriate level to comply with professional standards—level 3 or level 1? Indicators suggest the answer. It is, at least, level 3: A defined process is capable of achieving the process outcomes, including analyze process and product measurement results, identify and implement corrective actions, and reestablish control.

At level 4, the established process now operates within defined limits to achieve its process outcomes by measuring results and controlling the process.

Of course, level 5, Optimizing Process, is a great objective and resources and efforts should be assigned to reach it.

Conclusions

IS and IT auditors, assurance professionals and assessors must comply with different professional standards and maintain and improve their own process work at the appropriate capability level to meet the assignment objective defined by employers, executive managers, BoDs, clients, sponsors or external reviewers. This can be achieved by transforming the auditors’, assurance professionals’ and assessors’ own processes by applying the COBIT 5 Assessment Programme.

Endnotes

¹ ISACA, COBIT Assessor Guide: Using COBIT 5, USA, 2013
² ISACA, COBIT Self-assessment Guide: Using COBIT 5, USA, 2013
³ ISACA, COBIT Process Assessment Model (PAM): Using COBIT 5, USA, 2013
⁴ Op cit, ISACA, COBIT Self-assessment Guide
⁵ ISACA, ITAF: A Professional Practices Framework for IS Audit/Assurance, 3^rd Edition, USA, 2014
⁶ The Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (Standards), USA, 2012
⁷ Op cit, COBIT Assessor Guide: Using COBIT 5
⁸ Op cit, ISACA, COBIT Process Assessment Model (PAM)

Graciela Braga, CGEIT, COBIT Foundation, CPA, is vice president of the Commission for the Study of Record Systems of the Buenos Aires Institute of CPAs in the city of Buenos Aires, Argentina. She is also a researcher at the Instituto Autónomo de Derecho Contable (Autonomous Accountancy Law Institute), Argentina. She has worked on audits and internal control reviews for public and private entities using international frameworks such as COBIT, COSO and the ISO 27000 series. She has participated in the preparation and review of ISACA products and research related to COBIT, privacy and big data.