
Assurance means that, pursuant to an accountability relationship between two or more parties, an IT audit and assurance professional may be engaged to issue a written communication expressing a conclusion about the subject matters to the accountable party.

Assurance refers to a number of related activities designed to provide the reader or user of the report with a level of assurance or comfort over the subject matter. For example, assurance engagements could include support for audited financial statements; assessment of value provided by IT to the enterprise; reviews of controls; compliance with required standards and practices; and compliance with agreements, licenses, legislation and regulations.

An auditor can be either an independent auditor unaffiliated with the company being audited or a captive auditor, and some are elected public officials. Auditors are used to ensure that organizations are maintaining accurate and honest financial records and statements. Auditors can work for many different entities. Auditors are also found in the private sector at accounting firms. There are both internal and external auditors; internal auditors are usually employees or contractors with the company they are auditing, while external auditors generally work either directly for or in conjunction with governmental agencies. Various roles of the auditor include:

• Inquiring of management and others to gain an understanding of the organization itself, its operations, financial reporting, and known fraud or error

• Evaluating and understanding the internal control system

• Performing analytical procedures on expected or unexpected variances in account balances or classes of transactions

• Testing documentation supporting account balances or classes of transactions

• Observing the physical inventory count

• Confirming accounts receivable and other accounts with a third party

• At the completion of the audit, the auditor may also offer objective advice for improving financial reporting and internal controls to maximize a company’s performance and efficiency.

The needs of this stakeholder can be assessed through the following questions, which the auditor should work through before an audit engagement:

• How dependent am I on external providers?

• What are the (control) requirements for information?

• Did I address all IT-related risk?

• Am I running an efficient and resilient IT operation?

• How do I get assurance over IT?

• Is the information I am processing well secured?

• How do I know my business partner’s operations are secure and reliable?

• How do I know the enterprise is compliant with applicable rules and regulations?

• How do I know the enterprise is maintaining an effective system of internal control?

• Do business partners have the information chain between them under control?

Working through these questions, the auditor will gain the following:

• Better understanding of their responsibilities and roles with regard to assurance provisioning with reference to the governance and internal controls and risk management

• Having a well-illustrated, structured and comprehensive approach for providing assurance over IT with reference to the governance and internal controls and risk management

• Having a structured framework that provides a common language among all stakeholders to provide assurance over specific IT areas

As drafted in COBIT 5 for Assurance, an assurance initiative consists of five components, as illustrated in the following figure. Each of those components is described in further detail in the following subsections.

Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 4

Three-party Relationship

An accountable party is the individual, group or entity (auditee), usually involving management, that is ultimately responsible for subject matter, process or scope. An assurance engagement involves two other parties:

• Depending on the circumstances, the user could include a variety of stakeholders, such as shareholders, creditors, customers, the board of directors, the audit committee, legislators or regulators. For some types of assurance activities, the auditee and the user can be identical, e.g., IT management.

• The assurance professional (auditor) is the person who has overall responsibility for the performance of the assurance engagement and for the issuance of the report on the subject matter.

In conducting an assurance assignment, an accountability relationship exists among the three parties. The accountability relationship is a prerequisite for an assurance engagement, and it exists when one party (the auditee) is responsible to another party (the user) for a subject matter, or voluntarily chooses to report to another party on a subject matter. The accountability relationship may arise as a result of a (contractual) agreement or legislation, or because a user can be expected to have an interest in how the accountable party has discharged its responsibility for a subject matter.

Subject Matter

Subject matter is the specific information, practices or controls, such as any of the seven COBIT 5 enablers, that are the subject of an audit and assurance professional’s review, examination and report. This subject matter can include the design or operation of internal controls and management practices over any aspect of the enterprise, or compliance with privacy practices or standards or specified laws and regulations.

Suitable Criteria

Criteria are the standards and benchmarks, such as COBIT 5, used to measure and present the subject matter and against which the practitioner evaluates the subject matter. Criteria can be formal or less formal. There can be different criteria for the same subject matter. Suitable criteria are required for reasonably consistent evaluation or measurement of a subject matter within the context of professional judgment. Suitable criteria must have the necessary information quality goal attributes as defined in

• Objectivity—Criteria should be free from bias.

• Measurability—Criteria should permit reasonably consistent measurements, qualitative or quantitative, of subject matter.

• Understandability—Criteria should be communicated clearly and not be subject to significantly different interpretations by intended users.

• Completeness—Criteria should be sufficiently complete so that those relevant factors that would alter a conclusion about the subject matter are not omitted.

• Relevance—Criteria should be relevant to the subject matter.

Where criteria are established by management, assurance professionals must ensure that the scope covers what would normally be considered appropriate based on generally accepted definitions of the scope of the subject matter, or identify any scope limitations in their reports.

Execution

When undertaking an assurance activity, the audit and assurance professional eventually executes the assignment by following a structured approach, dependent on other enablers, to reach a conclusion on the evaluation of the subject matter.

Conclusion

The process of evaluating the results of audit or assurance testing, after confirmation, to arrive at conclusions and recommendations can be complex. What appears to be a problem may, in fact, be the effect of a problem, not the cause. Therefore, it is important for the audit and assurance professional to follow the conclusion process, from confirming facts with key individuals in the areas being audited to determining root causes. The individual findings can then be used to provide examples that support higher-level analysis:

• Developing various scenarios leading to potential recommendations

• Selecting an appropriate recommendation that is practical and achievable

• Identifying steps necessary to ensure buy-in of key stakeholders

Indeed, audit and assurance professionals should obtain an adequate understanding of the subject matter and its business environment. They should see the bigger picture, link the impact of the issues/findings to the overall organizational strategic goals and objectives to tell “the story behind the story,” and communicate value insights. Executives are not very interested in knowing the observations; they need to understand the insights behind the findings.

Recommendations resulting from the conduct of audit and assurance engagements may be reported in a separate report, not as part of the audit or assurance report. The recommendations—which, as part of the reporting process require review and agreement by management and the auditee or other stakeholders—should be presented in a clear, concise and actionable manner. Reports to senior management and executives should address issues and concepts, with detailed audit findings used as illustrations of the issue, problem or result. Reports to middle and line management should contain the same information, but with a different level of detail, to allow them to fully understand the issue and handle the problem. Where appropriate, recommendations should include provision for timely monitoring and follow-up.

The Assurance Function

The assurance function perspective has been adopted from COBIT 5 for Assurance.

The assurance function perspective describes what is needed in an enterprise to build and provide assurance functions. COBIT 5 is an end-to-end business framework, meaning that it considers the provisioning and use of assurance as part of the overall governance and management of enterprise IT.

Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 5

The assurance function perspective describes how each enabler contributes to the overall provisioning of assurance, for example:

• Which organizational structures are required to provide assurance (board/audit committee, audit function, etc.)

• Which information items are required to provide assurance (audit universe, audit plan, audit reports, etc.)

Core Assurance Processes

Because COBIT 5 is a comprehensive framework for governance and management of enterprise IT, it allows enterprises to use the enablers and management practices to satisfy needs and goals. It can be tailored and used, according to the discretion of the management, toward achieving their goals and objectives.

The following figure depicts how, out of the 37 processes, the stakeholder (the auditor) can adopt the relevant processes (borders shaded in black) and their underlying management practices to assist in achieving the goals of the enterprise.

The processes comprised in the Monitor, Evaluate and Assess (MEA) domain of COBIT 5 can be regarded as the core assurance processes required within every enterprise.

Process Identification | Reasoning

MEA01 Monitor, evaluate and assess performance and conformance. | This process covers the provisioning of transparency regarding performance and conformance, and drives achievement of goals by:

• Collecting, validating and evaluating business, IT and process goals and metrics

• Monitoring that processes are performing against agreed-on performance and conformance goals and metrics

• Providing reporting that is systematic and timely

MEA02 Monitor, evaluate and assess the system of internal control. | This process covers obtaining transparency for key stakeholders on the adequacy of the system of internal controls and thus providing trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk by:

• Continuously monitoring and evaluating the control environment, including self-assessments and independent assurance reviews

• Enabling management to identify control deficiencies and inefficiencies and initiate improvement actions

• Planning, organizing and maintaining standards for internal control assessment and assurance activities

MEA03 Monitor, evaluate and assess compliance with external requirements. | This process ensures that the enterprise is compliant with all applicable external requirements by:

• Evaluating that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements

• Obtaining assurance that the requirements have been identified and the enterprise has complied with these requirements

• Integrating IT compliance with overall enterprise compliance

Source: COBIT 5 for Assurance, ISACA, USA, 2013, figure 32

As shown in the previous figure, the proposed assurance engagement approach refers explicitly to all COBIT 5 enabler categories. The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use organizational structures, as well as information items (inputs and outputs).

When developing the audit/assurance program, it will become clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential for a lot of duplication. Avoiding duplication is up to the assurance professional.

The assurance approach depicted in the previous figure is described in more detail and developed into a generic audit/assurance program—including guidance on how to proceed during each step—in the remainder of this section.

This generic audit/assurance program is:

• Aligned with generally accepted auditing standards and practices, distinguishing among:

– Phase A—Planning and scoping the assurance engagement

– Phase B—Understanding the subject matter, setting suitable assessment criteria and performing the actual assessment

– Phase C—Communicating the results of the assessment

• Fully aligned with COBIT 5:

– It explicitly references all seven enablers. In other words, it is no longer exclusively process-focused; it also uses the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.

– It references the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently it enables linkage of the assurance objectives to enterprise and IT risk and benefits.

• Comprehensive yet flexible:

– The generic program is comprehensive because it contains assurance steps covering all enablers in quite some detail, yet it is also flexible because this detailed structure enables clear and well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement user.

• Easy to understand, follow and apply because of its clear structure

RACI CHART

A responsibility assignment matrix, also known as RACI matrix, ARCI matrix or linear responsibility chart, describes the participation by various roles in completing tasks or deliverables for a project or business process. The following RACI chart explains the roles of the auditor in evaluating effective corporate IT governance. The processes explained in this chapter would have to be executed keeping in mind the perspective of the roles in the following RACI chart.

Management Practice | Auditor

MEA01.01 Establish a monitoring approach. | C

MEA01.04 Analyze and report performance. | C

MEA01.05 Ensure the implementation of corrective actions. | C

MEA02.01 Monitor internal controls. | R

MEA02.02 Review business process controls effectiveness. | R

MEA02.04 Identify and report control deficiencies. | R

MEA02.06 Plan assurance initiatives. | C

MEA02.07 Scope assurance initiatives. | A

MEA02.08 Execute assurance initiatives. | A

MEA03.01 Identify external compliance requirements. | R

MEA03.02 Optimize response to external requirements. | R

MEA03.04 Obtain assurance of external compliance. | A

1. MEA01.01 Establish a monitoring approach.

Engage with stakeholders to establish and maintain a monitoring approach to define the objectives, scope and method for measuring business solution and service delivery and contribution to enterprise objectives. Integrate this approach with the corporate performance management system.

ACTIVITIES

1. Engage with the stakeholders and communicate the enterprise requirements and objectives for monitoring, aggregating and reporting, using common definitions (e.g., enterprise glossary, metadata and taxonomy), base lining and benchmarking.

2. Align and continually maintain the monitoring and evaluation approach with the enterprise approach and the tools to be used for data gathering and enterprise reporting (e.g., business intelligence applications).

3. Agree on the goals and metrics (e.g., conformance, performance, value, and risk), taxonomy (classification and relationships between goals and metrics) and data (evidence) retention.

4. Agree on a life cycle management and change control process for monitoring and reporting. Include improvement opportunities for reporting, metrics, approach, base lining and benchmarking.

5. Request, prioritize and allocate resources for monitoring (consider appropriateness, efficiency,

6. Periodically validate the approach used and identify new or changed stakeholders, requirements and resources.

DETAILED ACTIVITIES

The auditor needs to engage with the stakeholders toward developing the objectives of monitoring, using common definitions, base lining and benchmarking.

Further, on setting the previous objectives, the auditor needs to ensure that monitoring and evaluation are done on a continuous basis.

The auditor needs to ensure that the goals, metrics, taxonomies and retention policies are agreed on, which shall result in administrative efficiencies.

The auditor can review the policies on life cycle management and change control, which may include improvement opportunities for performance base lining and benchmarking. The auditor should validate the approach periodically for changes within the environment, which could be changes of stakeholders, requirements and resources.

2. MEA01.04 Analyze and report performance.

Periodically review and report performance against targets, using a method that provides a succinct all-around view of IT performance and fits within the enterprise monitoring system.

ACTIVITIES

1. Design process performance reports that are easy to understand, and tailored to the management needs. Facilitate effective, timely decision-making (e.g., scorecards, traffic light reports) and ensure that the cause and effect between goals and metrics are communicated in an understandable manner.

2. Compare the performance values to targets and benchmarks.

3. Recommend changes to the goals and metrics, where appropriate.

4. Distribute reports to the stakeholders.

5. Analyze the cause of deviations against targets, initiate remedial actions, assign responsibilities for remediation, and follow up and search for root causes, where necessary. Document the results of the events.

6. Where feasible, link achievement of performance targets to the organizational reward compensation system.

DETAILED ACTIVITIES

The auditor can assist in designing the performance reports, which should be easy to understand and tailored to the needs of management in facilitating timely decision-making.

The reports should highlight the performance of the results against the targets set.

Whenever a deviation from the desired results arises, a root cause analysis should identify the real cause, and appropriate action should be taken based on the findings. The findings and corrective action should be well documented. The auditor should ensure that the reports are made available to the stakeholders in a timely manner.

3. MEA01.05 Ensure the implementation of corrective action.

Assist stakeholders in identifying, initiating and tracking corrective actions to address anomalies.

ACTIVITIES

1. Review management responses and recommendations to address issues and major deviations.

2. Ensure that the assignment of responsibility for corrective action is maintained.

3. Track the results of actions committed.

4. Report the results to the stakeholders.

DETAILED ACTIVITIES

The auditor should ensure that the recommendations have been accepted and management responses have been obtained.

The auditor should also ensure that the responsibility to take corrective action is assigned to the correct process owners. In case there is any difference of opinion, the auditor should report it to the stakeholders, i.e., the board of directors.

4. MEA02.01 Monitor internal controls.

Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives.

ACTIVITIES

1. Perform internal control monitoring and evaluation of the activities based on organizational governance standards and industry-accepted frameworks and practices.

2. Consider independent evaluations of the internal control system (e.g., by internal audit or peers).

3. Identify the boundaries of the IT internal control system (e.g., consider how organizational IT internal controls take into account outsourced and/or offshore development or production activities).

4. Ensure that control activities are in place and exceptions are promptly reported, followed up and analyzed, and appropriate corrective actions are prioritized and implemented according to the risk management profile (e.g., classify certain exceptions as a key risk and others as a non-key risk).

5. Maintain the IT internal control system, considering ongoing changes in business and IT risk, the organizational control environment, relevant business and IT processes, and IT risk. If gaps exist, evaluate and recommend changes.

6. Regularly evaluate the performance of the IT control framework. Consider formal adoption of a continuous improvement approach to internal control monitoring.

7. Assess the status of external service providers’ internal controls and confirm that service providers comply with legal and regulatory requirements and contractual obligations.

DETAILED ACTIVITIES

The auditor should ensure that the internal controls are
