The first time I heard about COBIT® was almost 10 years ago, as I was starting out as an IT internal audit intern. Since then, I have been using COBIT for various aspects of IT audit, including developing IT audit plans, planning and performing IT audit engagements, and communicating engagement results to the relevant stakeholders.
COBIT was first published in 1996, and IT auditors were its target audience. Although COBIT has evolved into an information and technology (I&T) governance framework over the years, it is still of enormous value to IT auditors all over the world.
Developing IT Audit Plans
When developing an overall IT audit plan, a suitable risk assessment approach should be followed. Those who wish to use COBIT for that purpose need look no further than a great ISACA® Journal article, “Developing the IT Audit Plan Using COBIT 2019,” by the brilliant Ian Cooke.
Recently I had an opportunity to oversee an implementation of such an approach. At first it seemed a bit tricky, but after some customizations and a couple of walkthroughs, it became clear that it provides a good view of the key I&T risk areas in the enterprise. I look forward to seeing it in “production” for the first time. The concept revolves around the COBIT Goals Cascade, which demonstrates the connection between stakeholders’ drivers and needs and the governance and management objectives1 (figure 1).
Figure 1—COBIT Goals Cascade and 40 Governance and Management Objectives
The Goals Cascade supports prioritization of governance and management objectives based on the prioritization of enterprise goals. Besides its purpose of creating a governance system, it can also be used by IT auditors to identify the key I&T areas that introduce risk to enterprise goals. Identifying the most important governance and management objectives can be done using the COBIT® 2019 Framework: Design Guide and Toolkit. After developing a prioritized list of objectives, the objectives should, of course, be customized to the context of the enterprise, for example, by defining a scope for each audit. One audit can cover one governance/management objective and one critical service/system, or it can cover multiple objectives with a focus on multiple areas of the enterprise. (This is not a one-size-fits-all solution for making an audit plan.)
Planning and Performing IT Audit Engagements
A discussion of this topic must start by going back to 2007 when IT Assurance Guide: Using COBIT® (now out of print) was published by the IT Governance Institute. It was based on COBIT 4.0/4.1. An intern in 2012 could not have asked for a better resource to serve as an introduction to the world of IT audit, especially if the intern was fortunate enough to have (as I did) a mentor and more experienced colleagues who customized it and made it a part of IT audit methodology. IT Assurance Guide: Using COBIT® consisted of:
- Control objectives
- Value and risk drivers
- Assurance testing steps:
  - Evaluate the design of the controls.
  - Confirm that controls are placed in operation.
  - Assess the operational effectiveness of the controls.
It is still worth flipping through from time to time. It brings to mind a quote from one of the most recognizable movie characters, The Terminator, “Old, but not obsolete.”2
Although such a guide for COBIT® 2019 has not yet been published, this does not mean that COBIT 2019 cannot already be used by auditors. Who would be a better guide on that topic than Dirk Steuperaert, one of the lead developers of COBIT 2019? The webinar titled “COBIT 2019: Highly Relevant for Auditors” is highly recommended, especially the part about defining audit work programs with COBIT 2019.
Continuing from the previous step of creating an IT audit plan, imagine that the objective most important for the enterprise to achieve its goals has been determined, and an audit engagement that should provide assurance that the objective is met is commencing. COBIT® 2019 Framework: Governance and Management Objectives provides a thorough description of the 7 components of every objective:
- Processes
- Organizational structures
- Principles, policies and frameworks
- Information
- Culture, ethics and behavior
- People, skills and competencies
- Services, infrastructure and applications
This is a valuable source of information because it can easily be customized and can guide the auditor in successfully completing the engagement. One obligatory aspect of customization is determining the target capability level for the process component of the objective. For the purpose of audit engagement planning, it is safe to say that the more important the objective, the higher the target level its process should have, but the final decision should be based on the relevant stakeholders’ input.
Communicating Engagement Results
After the audit engagement is completed, the next step is communicating the engagement results. Because users of audit reports consist of various stakeholders in an enterprise, it is often difficult to find the right amount of information to present to each of them. One of the most useful tools is the COBIT maturity/capability model.
COBIT® 4.1 Process Maturity Level
COBIT 4.1 provides requirements for process maturity levels ranging from 0 (nonexistent) to 5 (optimized). Audit engagement results (created for the purpose of this article) could be presented as shown in figure 2.
Figure 2—Example Presentation of Audit Engagement Results (COBIT 4.1)
Customizing these results a bit and showing them in more detail would be advantageous. For example, if DS10 Manage Problems is on level 2, it would be worth considering the parts of level 3 it achieved and taking them into account, as shown in figure 3.
Figure 3—Customized Maturity Level Results for DS10
*During the breakdown of criteria, some can turn out to be negative statements. In this example, each has been changed to the affirmative form for the purpose of maturity level assessment.
So, if all subcriteria are deemed to have equal weight (here, 3 of the 6 level 3 subcriteria are achieved), the score of DS10 Manage Problems will increase to:
2 + 3/6 = 2.5
This gives a more accurate picture of the current state.
COBIT 2019 Process Capability Level
The COBIT 2019 core model assigns capability levels to all process activities, enabling clear definition of the processes and required activities for achieving the different capability levels. The scale (figure 4) is similar to the one from the COBIT 4.1 maturity model, but some of the processes cannot achieve level 5 (figure 5).
Figure 4—Capability Level for Processes
Figure 5—Example Capability Levels of a Management Objective and Practice (COBIT 2019)
Because a process consists of multiple activities that contribute to the capability level of the process, the calculation of the process capability score can also be customized as in the presented case for COBIT 4.1 (figure 3).
Suppose that the audit planning step determined that there are 7 very important objectives and stated what their process target capability levels are, and their current levels have been determined by performing an audit. The audit engagement results (created for the purpose of this discussion) could be presented as shown in figure 6.
Figure 6—Example Presentation of Audit Engagement Results (COBIT 2019)
There are more possibilities for using capability level scores. For example, it is possible to compare process capability for different audit scopes and gain insight into the capability evolution of processes over time (figure 7). The first example could be the result of one audit engagement that had three critical services (X, Y and Z) in scope, or of separate audit engagements for each of the services. The second example shows the results of 3 different audit engagements that had the same scope but were performed at different points in time.
Figure 7—Additional Uses for Capability Level Scores
The most important aspect of this type of reporting is maintaining consistency in the criteria, so that results remain comparable and do not give any false assurance.
Demonstrating the Value of IT Audit for the Enterprise
When the capability levels determined by an IT audit engagement differ from the desired levels defined by the enterprise’s I&T governance system, recommendations are issued for the purpose of achieving the target levels. That can be considered as added value to the organization from IT audit and confirms its role of trusted advisor (figure 8).
Figure 8—Targeted Capability Levels
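To make the scoring described above (the COBIT 4.1 calculation for DS10, its COBIT 2019 counterpart, and the gap to the targeted capability level) repeatable and consistent across engagements, here is an added example in Python. It is not ISACA's tooling or the article's own worksheet; the process names, subcriteria labels and target levels are constructed sample data, and the rounding and equal-weight rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ProcessAssessment:
    name: str
    achieved_level: int                        # highest level fully achieved (0-5)
    next_level_criteria: List[Tuple[str, bool]] = field(default_factory=list)
    target_level: int = 0                      # set by the governance system / stakeholders
    max_level: int = 5                         # some COBIT 2019 processes stop below 5

    def score(self) -> float:
        """Achieved level plus the equally weighted share of next-level criteria met.

        Criteria must be stated in affirmative form, so 'met' always means 'good'.
        A process already at its maximum level gets no partial credit.
        """
        if self.achieved_level >= self.max_level or not self.next_level_criteria:
            return float(self.achieved_level)
        met = sum(1 for _, ok in self.next_level_criteria if ok)
        return round(self.achieved_level + met / len(self.next_level_criteria), 2)

    def gap(self) -> float:
        """Distance to the target level; zero when the target is already reached."""
        return round(max(0.0, self.target_level - self.score()), 2)


def gap_report(assessments: List[ProcessAssessment]) -> List[Tuple[str, float, int, float]]:
    """Rows of (process, score, target, gap), largest gap first, for the audit report."""
    rows = [(a.name, a.score(), a.target_level, a.gap()) for a in assessments]
    return sorted(rows, key=lambda r: r[3], reverse=True)


# Constructed sample: DS10 at level 2 with 3 of 6 level 3 subcriteria met (2 + 3/6 = 2.5).
DS10 = ProcessAssessment(
    "DS10 Manage Problems", 2,
    [(f"Level 3 subcriterion {i} (affirmative form)", i <= 3) for i in range(1, 7)],
    target_level=3)

# Constructed sample of a process whose scale stops at level 4: no partial credit above it.
CAPPED = ProcessAssessment("Sample process capped at level 4", 4,
                           [("Level 5 subcriterion (not applicable)", True)],
                           target_level=4, max_level=4)

if __name__ == "__main__":
    for name, score, target, gap in gap_report([DS10, CAPPED]):
        print(f"{name}: score {score}, target {target}, gap {gap}")
```

Each recommendation issued to close a gap can then be traced to a specific unmet subcriterion, which keeps the report consistent between engagements and over time.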
Conclusion
COBIT contributes to IT audit in many ways, but it is important to note the number of times the word “customize” has been used in this article. There is no one-size-fits-all-solution. COBIT must be used as it is meant to be used: as a framework.
Endnotes
1 ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018
2 Orion Pictures, The Terminator, an American science fiction film directed by James Cameron and featuring Arnold Schwarzenegger as the Terminator, USA, 1984
Dušan Žikić, CISA, CRISC, CISM, CSX-F, CSX-P, Cybersecurity Audit Certificate, COBIT 5 Foundation, COBIT 2019 Foundation, COBIT 2019 Design and Implementation, CAPM, CFE, CISSP, ITIL v4 Foundation
Manages internal IT audit at NIS Gazprom Neft in Serbia and is dedicated to continuous professional improvement. An ISACA member since 2012, he has participated in many ISACA volunteer opportunities and promotes ISACA in many ways: by using ISACA resources at the workplace, speaking at conferences and workshops, and mentoring ISACA exam candidates.