
COBIT as a Framework for IT Assurance

COBIT 5 domains and processes (figure residue of Fig. 6.18: the template scores each process against the columns “Who is accountable?” (IT / Other / Outside / Do not know), “Audited” and “Formality”)

Governance: Evaluate, Direct and Monitor (EDM)

• EDM01 Ensure Governance Framework Setting and Maintenance
• EDM02 Ensure Benefits Delivery
• EDM03 Ensure Risk Optimisation
• EDM04 Ensure Resource Optimisation
• EDM05 Ensure Stakeholder Transparency

Management: Align, Plan and Organise (APO)

• APO01 Manage the IT Management Framework
• APO02 Manage Strategy
• APO03 Manage Enterprise Architecture
• APO04 Manage Innovation
• APO05 Manage Portfolio
• APO06 Manage Budget and Costs
• APO07 Manage Human Resources
• APO08 Manage Relationships
• APO09 Manage Service Agreements
• APO10 Manage Suppliers
• APO11 Manage Quality
• APO12 Manage Risk
• APO13 Manage Security

Fig. 6.18 Templates for risk-based scoping

• Effectiveness, i.e., the degree to which the control objective—compared to other control objectives for this process—contributes to achieving the process goals and mitigates the risks, irrespective of efficiency, cost, etc.

• Cost (effort), i.e., the investment in people and money to implement a control objective. There is usually a strong relationship between cost and expedience, because high cost implies that many activities and investments are required to implement the control objective, which generally means that implementation will not be expedient.

6.4.2 Templates for Testing

Figure 6.19 provides a template for testing the control design at the level of a specific management practice (example DSS2.1: service desk). Assurance steps are developed based on professional judgment and on the activities described for each COBIT management practice. Required contact persons for interviewing are defined based on COBIT’s RACI chart, and the documentation to be retrieved can be found in the input/output tables. The assurance steps are then translated into a detailed and organization-specific assurance approach (column “control design question”), describing exactly what needs to be done. After execution, findings and conclusions are recorded. An elaborated example of this approach is provided in Fig. 6.19.

Figure 6.20 provides a template, with examples, for testing control objective outcomes for the same process. Again (column 1), assurance steps are developed and cross-checked against the COBIT management practices and activities, supplemented with RACI chart information and required documentation, and then translated into a specific operating effectiveness approach, findings, and conclusions.

Figure 6.21 finally provides an example template for reporting control weaknesses: a short description of the control weakness and how it was detected (findings), a clarification of the business risk and its classification, and ultimately a prioritized recommendation.


Fig. 6.20 Templates for testing control objective outcomes

Fig. 6.21 Templates for testing impact of control weaknesses

Assignment Box 6.1: Case Study

Case background

Delta Lighting Design (DLD), founded in 1989, creates and assembles high-quality lighting products. The major goal of the company is to develop lighting products that are unique in concept and that appeal to a broad audience. Major processes within DLD are product design and development, procurement and ordering of components, assembling, and sales. DLD recently developed a strategic road map to align its IT with its overall business strategy with the help of a local consulting firm. DLD needed to align its IT infrastructure, processes, and applications with its strategic goals. The company knew that to compete more effectively, it would have to improve its customer focus and supply chain efficiency and support these areas with transparent IT solutions, compliant with the company’s strategic IT vision. The company’s main goals in undertaking a transformation of its IT infrastructure and processes were to support the creation of a comprehensive business, achieve profitable growth, reduce costs, and improve customer focus and supply chain efficiency.

With this clear vision of where it needed to go, DLD sought a consulting partner with expertise in the assembling industry to develop the business case for implementing new IT infrastructure and processes, including recommendations for new major IT application installations and integration across its functional areas.

The consultancy firm teamed with DLD to deliver the company’s IT strategy plan, including the business case for required investments.

The team used the consultant’s proprietary methodology to evaluate DLD’s strategic IT processes. The resulting road map aligns the company’s IT strategy with its larger business goals and addresses the business requirements and issues. The actual implementations of recommended IT solutions will be completed during the next 2 years, delivering a solid return on investment (ROI) once the implementation is completed. The most important part of the solution was the implementation of an enterprise resource planning (ERP) system. The common ERP system is the key to DLD’s cost reductions and profitable growth through the integration of production, supply, and customer service. It is expected that through this ERP implementation, a better fusion between IT and business will be achieved, enabling a more efficient supply chain and improved logistics for purchasing and distribution. Further, DLD expects increased assembling efficiency through more optimal labor utilization, purchase price reduction, significant cost reduction through consolidation into one IT platform, reduced application development time, and more efficient finance and administration through integrated business processes.

Case questions

You are the auditor for DLD:

1. You are confronted in this case with the IT strategy process. Identify which COBIT management practices are most appropriate to consider in designing an audit plan, and justify your selection of the relevant management practices.

2. The solution was to bring in an ERP package. Identify which COBIT management practices are most appropriate to consider in designing an audit plan, and justify your selection of the relevant control objectives.

Summary

COBIT 5 is a powerful framework to implement enterprise governance of IT. However, the same reference can be used to execute IT audit and assurance assignments.

The “COBIT 5 for Assurance” guide provides two interesting sections. In the first place, it discusses how an organization can build up an IT assurance function, by addressing the appropriate assurance structures, processes, policies, etc. In the second place, the guide explains how COBIT 5 provides information that helps in scoping down and understanding a specific assurance assignment towards a specific subject matter. Based on that insight, assurance steps can be developed that verify the control design and operating effectiveness of the controls environment in the organization.

Study Questions

1. Discuss the difference between IT audit and IT assurance.

2. Explain how COBIT can be used in IT assurance assignments.

3. Explain and discuss the two core testing activities—testing control design and testing outcome of the control objective. Illustrate with examples.

4. Explain how inputs/outputs, RACI charts, and goals & metrics can be helpful in executing IT assurance activities.

5. In reporting on control weaknesses, the assurance professional should focus on business risk issues. Explain and illustrate.


© Springer International Publishing Switzerland 2015

S. De Haes, W. Van Grembergen, Enterprise Governance of Information Technology, Management for Professionals, DOI 10.1007/978-3-319-14547-1_7

Guidelines for the Implementation