COBIT 5 offers governance and management practices that can be used to construct specific controls depending on the resources that enable the accomplishment of IT-related goals. These resources are called enablers, and Internal Control Using COBIT 5 looks at the seven enablers detailed in COBIT 5 and discusses their use in developing internal controls.
The objective of this white paper is to introduce internal control within the context of IT governance and management and to explain its use. The intended audience is IT professionals currently working in internal control, compliance, risk and internal audit; those who direct, support and assess IT organizations; and external auditors and other regulatory bodies.
The white paper defines control and looks at different control systems and related practices.
Internal Control Using COBIT 5 defines control and looks at different control systems and related practices, such as controlling, risk management, quality management, audit and assurance, and information security. There is also a discussion on the relationship between the use of COBIT® 5 and the Committee of Sponsoring Organizations of the Treadway Commission (COSO)’s Internal Control—Integrated Framework, how these contribute to internal control, and the levels of control (i.e., operational, management, supervisory). The levels of control are discussed in the context of the three lines of defense.
From there, the paper moves to the stakeholders and owners of controls. There can be numerous parties interested in the efficient use of IT resources. Generally, these parties are the enterprises’ stakeholders and range from internal (boards that execute and oversee control, internal audit and assurance, business process operations, etc.) to external (various auditor entities depending on the industry and country). Lastly, the key roles, activities and relationships concerning control ownership are discussed.
The role of technology is discussed in relation to controls with specific treatment of IT general controls (ITGCs) and internal controls over financial reporting (ICOFR).
Internal Control Using COBIT 5 is available in the ISACA Knowledge Center.
Jimmy Heschl, CISA, CISM, CGEIT
Is head of digital security at Red Bull. He was lead author and researcher of ISACA’s COBIT Mapping: Overview of International IT Guidance, 3rd Edition and other ISACA publications. He is also a board member of the ISACA Austria Chapter, a member of the Framework Committee, other ISACA task forces and was program manager of the COBIT Mapping series. Heschl was actively involved in the development of COBIT since 2003 and chaired a task force accountable for the development of COBIT 5. He is highly experienced in governance of enterprise IT (GEIT), and he is an accredited COBIT trainer. Previously, he was senior manager of IT advisory at KPMG Austria.