developing the it audit plan using cobit 2019
TRANSCRIPT
ISACA JOURNAL VOL 3 11
Do you have something to say about this article? Visit the Journal pages of the ISACA® website (www.isaca.org/journal), find the article and click on the Comments link to share your thoughts.
https://bit.ly/2K0enob
The IT Assurance Framework (ITAF) requires that the IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.1 However, despite this requirement, there is little ISACA® documentation on defining an IT audit plan. Perhaps this is because the seminal Developing the IT Audit Plan Global Technology Audit Guide (GTAG 11)2 is so good. Nonetheless, this document was published in July 2008, so the question should be asked, given current practices, can this be improved upon?
In December 2018, ISACA published what I believe will become an equally influential document, the COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution.3 I am proposing that the steps described therein for designing a tailored governance system can be adopted to developing the IT audit plan (figure 1).
Understand the Enterprise Context and Strategy Before developing an audit plan, one should understand the enterprise under review. Enterprises can have different strategies, which the design guide expresses as archetypes (figure 2). Enterprise strategy is realized by the achievement of (a set of) enterprise goals.4 These goals are structured along the balanced scorecard (BSC) dimensions,5 an example being business service continuity and availability. A risk profile identifies the sort of IT-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.6 Good sample risk scenarios have been developed by ISACA to aid with understanding IT-related risk.7
Closely related to IT risk are information and technology (I&T)-related issues—also called pain points—from which the enterprise is suffering.8 These could be considered risk that have
materialized. An example might be service delivery problems by the IT outsourcer(s).
At the end of this step, it is important to have a clear and consistent view of the enterprise strategy, the enterprise goals, IT-related risk and current I&T issues. The design guide provides concrete examples of these. An appropriate perspective to keep in mind is that technology only exists to support and further the organization’s objectives and is a risk to the organization if its failure results in the inability to achieve the business objective.9
Developing the IT Audit Plan Using COBIT 2019
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, FIP, ITIL Foundation, Six Sigma Green Belt Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA® committees and is a past member of ISACA’s CGEIT® Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke supported the update of the CISA® Review Manual for the 2016 job practices and was a subject matter expert for the development of ISACA’s CISA® and CRISC™ Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email ([email protected]), Twitter (@COOKEI), LinkedIn (www.linkedin.com/in/ian-cooke-80700510/) or on the Audit and Assurance Online Forum (engage.isaca.org/home). Opinions expressed are his own and do not necessarily represent the views of An Post.
IS AUDIT BASICS
104557_Journal vol 3 2019_Layout 1 4/11/19 12:42 PM Page 11
ISACA JOURNAL VOL 312
Determine the Components of the IT Audit Universe ISACA defines a portfolio as a grouping of “objects of interest” (i.e., investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value.10 A key consideration for IT portfolio management is getting the mix right to achieve this business value, one of the motives being that, just like a financial portfolio, some of the areas may not provide the expected value. Therefore, it makes sense to consider these portfolios when developing the IT audit plan—to match this mix we should audit across each of the areas defined in the portfolios.
Of course, this raises a question: What if there are no discernible portfolios? In that case, I propose using COBIT 2019’s components of the governance system11 to define the IT audit portfolios (figure 3). These are factors that, individually and collectively, contribute to the good operations of the enterprise’s
governance system over I&T12 and, therefore, should be considered when developing the IT audit plan.
The portfolios should include all activities that will be performed by IT audit. Why? Because performing audit recommendation follow-ups, attending training or reporting on the status of the audit activities takes time, and the only way to ensure that time is properly allocated for them is to include them in the audit plan.
Once the IT audit portfolios have been defined, they can be expanded to create the IT audit universe (figure 4).
Risk Assess the IT Audit Universe Risk analysis is the process of estimating the two essential properties of each risk scenario13:
• Frequency—The number of times in a given period (usually in a year) that an event is likely to occur
Figure 1—IT Audit Plan Design Workflow
• Understand enterprise strategy.• Understand enterprise goals.• Understand the risk profile.• Understand current I&T-related issues.
• Consider the components of a governance system.• Determine the IT audit portfolios.• Define the IT audit universe.
• Consider the COBIT®
2019 design factors as risk factors.
• Resolve inherent priority conflicts.• Conclude the IT audit plan.• Publish the IT audit plan.
1. Understandthe enterprisecontext and
strategy.
2. Determinethe
componentsof the IT audit
universe.
3. Risk assessthe IT audit
universe.
4. Concludeand validatethe IT audit
plan.
Source: Adapted from ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.
Figure 2—Enterprise StrategyStrategy Archetype Explanation
Growth/Acquisition The enterprise has a focus on growing (revenues)2
Innovation/Differentiation The enterprise has a focus on offering different and/or innovative products and services to their clients3
Cost Leadership The enterprise has a focus on short-term cost minimization4
Client Service/Stability The enterprise has a focus on providing a stable and client-oriented service5
Source: ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.
104557_Journal vol 3 2019_Layout 1 4/11/19 12:42 PM Page 12
ISACA JOURNAL VOL 3 13
• Impact—The business consequences of the scenario
Risk factors are those conditions that influence frequency and impact. They can be of different natures and can be classified into two major categories14:
• Contextual factors—Can be divided into internal and external factors, the difference being the degree of control an enterprise has over them
• Capabilities—How effective and efficient the enterprise is in a number of IT-related activities
The importance of risk factors lies in the influence they have on risk. They should be considered during every risk analysis.
Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.15 If we
accept that success includes managing risk, then it makes sense that the COBIT 2019 design factors can also be used as risk factors (figure 5).
The factors include those that helped with our understanding of the enterprise context and strategy and are described in detail in the COBIT 2019 Design Guide.16 Their influence as risk factors is described in figure 6.
It should be noted that not all risk factors may be applicable to each enterprise or IT audit portfolio, nor should more traditional risk factors such as the market, economic factors, geopolitics and industry competition necessarily be ignored.
Once the risk factors have been decided upon, they can be used to perform the risk analysis. Practical guidance on performing this and the risk assessment is explained well in the Risk Scenarios Using COBIT® 5 for Risk17 and the GTAG 11 documents.18
Figure 3—IT Audit PortfolioGovernance System Component IT Audit Portfolio Examples
Processes COBIT® 2019 processes Organizational Structures Third-party suppliers, subsidiaries, divisions of the enterprisePrinciples, Policies, Procedures Privacy, laws, regulations and other compliance requirementsInformation How IT audit reports its performance Culture, Ethics and Behavior Audit recommendation follow-ups, new IT initiatives People, Skills and Competencies Training to be undertaken by IT audit; training to be given by IT audit; audit
of general IT awareness training Services, Infrastructure and Applications Applications, databases, websites, operating systems, virtual machines, etc.
Figure 4—IT Audit Universe SourcesIT Audit Portfolio Example Potential Source
COBIT 2019 processes COBIT 2019 Governance and Management Objectives13 Third-party suppliers, subsidiaries, divisions of the enterprise
Enterprise resource planning (ERP) system, enterprise structure documentation, organization charts
Privacy, laws, regulations and other compliance requirements
Legal, privacy, security, and governance, risk and compliance (GRC) functions
How IT audit reports its performance Audit committee requirementsAudit recommendation follow-ups, new IT initiatives Internal audit and management—scheduled
recommendation completion dates, completed recommendations
Training to be undertaken by IT audit; training to be given by IT audit; audit of general IT awareness training
Training plans, personal development plans
Applications, databases, websites, operating systems, virtual machines, etc.
IT asset register
104557_Journal vol 3 2019_Layout 1 4/11/19 12:42 PM Page 13
ISACA JOURNAL VOL 314
Figure 5—COBIT Design Factors
Source: ISACA, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.
EnterpriseStrategy
EnterpriseGoals
RiskProfile
I&T-RelatedIssues
ThreatLandscape
ComplianceRequirements
Roleof IT
SourcingModelfor IT
Future Factors
ITImplementation
Methods
TechnologyAdoptionStrategy
EnterpriseSize
Enjoying this article? • Read Information
Systems Auditing: Tools and Techniques—Creating Audit Programs. www.isaca.org/ tools-and-techniques
• Learn more about, discuss and collaborate on audit and assurance ISACA’s Online Forums. https://engage. isaca.org/ onlineforums
104557_Journal vol 3 2019_Layout 1 4/11/19 12:42 PM Page 14
ISACA JOURNAL VOL 3 15
Endnotes ISACA®, ITAF, A Professional Practices 1Framework for IS Audit/Assurance, USA, 2014, www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/ObjectivesScopeandAuthorityofITAudit.aspx The Institute of Internal Auditors, Global 2Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan, USA, 2008, https://na.theiia.org/ standards-guidance/recommended-guidance/ practice-guides/Pages/GTAG11.aspx ISACA®, COBIT® 2019 Design Guide: Designing 3an Information and Technology Governance Solution, USA, 2018, https://www.isaca.org/ COBIT/Pages/COBIT-2019-Design-Guide.aspx Ibid., p. 22 4Ibid. 5Ibid., p. 23 6ISACA, Risk Scenarios Using COBIT® 5 for Risk, 7USA, 2014, p. 33, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Risk-Scenarios-Using-COBIT-5-for-Risk.aspx Ibid. 8Op cit GTAG 11, p. 4 9ISACA Glossary, Portfolio, 10https://www.isaca.org/Pages/Glossary.aspx ISACA, COBIT® 2019 Framework, Introduction and 11Methodology, USA, 2018, www.isaca.org/COBIT Ibid., p. 21 12Op cit Risk Scenarios Using COBIT® 5 for Risk 13Ibid., p. 16 14Op cit COBIT 2019 Design Guide, p. 21 15Ibid. 16Op cit Risk Scenarios Using COBIT 5 for Risk 17Op cit GTAG 11 18Goodreads, Stephen Hawking Quotes, 19https://www.goodreads.com/quotes/363982-one-of-the-basic-rules-of-the-universe-is-that
In addition, the IT audit follow-ups, training and audit committee requirements should also be subject to a risk assessment. Example questions include: What follows-ups should be performed first? Is the training addressing perceived risk? Is the right information being provided to the audit committee?
Conclude and Validate the IT Audit Plan At this stage, one should have a list of ranked audit universe items by portfolio. Unless the element of surprise is required, these should be discussed and validated with senior management of the auditee. Why? Because management will be aware of factors such as scheduled upgrades, application replacements and external audits, which may affect audit’s ability to deliver the plan on time. In addition, they may have insights or special requests for audits that are not currently part of the universe. When this is complete, the plan should be reviewed from audit’s perspective. Are there any inherent conflicts? Is specialist help needed for specific audits?
Finally, publish the IT audit plan, including the proposed sequence and timings. This may prove controversial—what if management remediates risk scenarios before audit arrives? This is a positive. The purpose of audit is not to have audit findings; the purpose of audit is to help mitigate risk.
Conclusion When developing the IT audit plan, remember that one of the basic rules of the (audit) universe is that nothing is perfect. Perfection simply does not exist.19 However, by adapting a portfolio-based approach along with COBIT 2019’s design factors as risk factors, the IT audit plan should be closely aligned with the business strategy and direction. The process makes this demonstrable and allows audit to add value.
104557_Journal vol 3 2019_Layout 1 4/11/19 12:42 PM Page 15