Using COBIT 5 for Assurance as Framework for your IT Audit
Hans Henrik Berthing, CPA, CGEIT, CRISC, CISA, CIA, Verifica & Aalborg University
Hans Henrik Berthing
Married to Louise and father of Dagmar and Johannes
CPA, CRISC, CGEIT, CISA and CIA
Expert reviewer, COBIT 5 for Sarbanes-Oxley
Partner and owner of Verifica
Financial audit since 1994 and IT assurance since 1996
Member of FSR IT Advisory Board & ISACA IT Assurance Task Force
CISA, CRISC & CISM review instructor (>80% pass rate)
Instructor, facilitator and speaker
Associate professor, Aalborg University (Auditing, Risk & Compliance)
Learning Objective
After this presentation you will have learned how to use COBIT 5 for Assurance as a framework for the planning and reporting of your IT audit. You will learn how, as an auditor, you can use COBIT 5 for Assurance as a framework and reference when reporting the results of your IT audit to those who are accountable for IT governance.
Cobit 5 for Assurance
IT Assurance Framework
Cobit Assurance Workprogram
Cobit 5 for Assurance
An ISACA Framework
Figure 1—COBIT 5 Product Family
COBIT 5 for Assurance Overview
Prerequisite Knowledge
COBIT 5 for Assurance builds on COBIT 5. Most key concepts of COBIT 5 are repeated and elaborated on in this publication, making it a fairly standalone book—in essence, not requiring any prerequisite knowledge. However, an understanding of COBIT 5 at the foundation level will accelerate comprehension of this publication.
Should readers wish to know more about COBIT 5 concepts beyond what is required for assurance purposes, they are referred to the COBIT 5 framework publication, and to COBIT 5: Enabling Processes for the COBIT 5 process details referred to therein. If readers wish to know more about the process capability assessment approach, they are referred to the COBIT Assessment Programme guides.
Assurance process
Scope of COBIT 5 for Assurance
Comparison of Assurance Engagement Types
COBIT 5 Enterprise Enablers
Principles, Policies and Frameworks in ITAF
ISACA Code of Professional Ethics
1. Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards.
3. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the association.
4. Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities they can reasonably expect to complete with the necessary skills, knowledge and competence.
6. Inform appropriate parties of the results of work performed, including the disclosure of all significant facts known to them that, if not disclosed, may distort the reporting of the results.
7. Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management.
Processes for Governance of Enterprise IT
Align, Plan and Organise
APO and Build, Acquire and Implement
Core Organisational Structures
Generic COBIT 5-based Assurance Engagement Approach
Determine scope of the assurance initiative (Phase A)
Who are the stakeholders, and what are their stakes?
What are the overall enterprise objectives?
What are the business requirements and the associated risk and opportunities?
What is the organisational structure, and what are the roles and responsibilities?
Which governing policies and procedures apply?
Which laws, regulations and contractual agreements apply?
Which management practices and associated activities are in place?
Is management reporting (status, performance, actions) in place?
Which past issues have arisen, and which corrective actions have been taken?
What does management hope to obtain as a result of the assurance initiative?
What are the current issues and concerns?
Phase A-1 to A-3
Example: Audit of an Internet banking system
3.2.1 Assurance Topic: The topic covered by this document is Internet banking.
3.2.2 Goals of the Assurance Engagement: The goal of the review is to provide assurance over whether Internet banking is secure, i.e., are the bank and its clients protected against fraudulent transactions, and is client confidentiality maintained?
3.2.3 Scoping: The scope of the assurance engagement is expressed in terms of the seven COBIT 5 enablers, as per the following table.
Some enabler instances are standard COBIT 5, i.e., they are described in varying degrees of detail in the COBIT 5 framework or COBIT 5: Enabling Processes. This would include mainly COBIT 5 processes, but also the enabler examples included in this or similar publications.
Example: Scope
Assurance Engagement Scoping Summary
Understand enablers, set suitable assessment criteria and perform the assessment (Phase B)
Reference all seven enablers.
Build an understanding of the subject matter over which assurance needs to be provided. The subject matter is expressed in terms of the COBIT 5 enablers.
Obtain agreement over the assessment criteria that will be used during the assurance engagement.
Assess the design and outcomes of the enablers.
Appropriate auditing techniques
Enquire and confirm:
- e.g., search for exceptions/deviations and examine them.
Observe:
- e.g., observe and describe the processes.
Reperform and/or recalculate:
- e.g., reperform transactions, control procedures, etc.
Review automated evidence collection:
- e.g., collect sample data.
Understand enablers, set suitable assessment criteria and perform the assessment (Phase B)
4.1 Introduction
4.2 Achievement of Goals
4.3 Enabler: Principles, Policies and Frameworks
4.4 Enabler: Processes
4.5 Enabler: Organisational Structures
4.6 Enabler: Culture, Ethics and Behaviour
4.7 Enabler: Information
4.8 Enabler: Services, Infrastructure and Applications
4.9 Enabler: People, Skills and Competencies
Generic approach for communicating on an assurance initiative (Phase C)
COBIT 5 Process Assurance Programs
Example
COBIT 5 Process Assurance Programs
Conducting assurance over a process.
Aligned with generally accepted auditing standards and practices, and based upon the overall assurance engagement approach.
Divided into three phases:
Determining the scope of the assurance initiative
Understanding enablers, setting suitable assessment criteria and performing the assessment
Communicating and reporting the results of the assessment
COBIT 5 Process Assurance Programs
Fully aligned with COBIT 5:
Reference all seven enablers.
COBIT 5 goals are cascaded to ensure that the detailed objectives of the assurance engagement can be put into the enterprise and IT context.
Enable linkage of the assurance objectives to enterprise and IT risk and benefits.
Comprehensive yet flexible:
The assurance professional can decide to not cover a set of enablers or some enabler instances.
The issue of what is or is not covered will be quite transparent to the assurance engagement user.
For each step, a short description is included.
Assurance professionals will have to use their own professional judgment.
Evaluate, Direct and Monitor
Provide assurance over the EDM01 process:
Ensures that:
A consistent and integrated approach aligned with the enterprise governance approach is provided.
IT-related decisions are made in line with the enterprise's strategies and objectives.
IT-related processes are overseen effectively and transparently.
Compliance with legal and regulatory requirements is confirmed.
The governance requirements for board members are met.
Phase A—Determine Scope of the Assurance Initiative
Phase B—Understand Enablers, Set Suitable Assessment Criteria and Perform the Assessment
Question