As in any IT audit framework, to be effective, COBIT should address compliance, internal control, risk management and governance issues.
COBIT stands for Control Objectives for Information and Related Technology; a benchmarked framework, designed, developed and continuously updated by the Information System Audit and Control Association (ISACA) for effective IT governance and management.
The goal of this framework is to ‘research, develop, publicize and promote an authoritative, up-to-date, international set of generally-accepted information technology control objectives for day-to-day use by business managers, IT, audit and assurance professionals.'
Fundamentally, COBIT approach aims at synchronising business objectives with IT goals and processes for optimising the enterprise objectives.
COBIT focuses on four critical domains: Plan and Organize, Acquire and Implement, Deliver and Support and Monitor and Evaluate, governing 34 essential processes and 320-odd key controls of all responsibility centres. Currently, COBIT 5 version is under development.
RISK AND GOVERNANCE
As in any IT audit framework, to be effective, it should address, inevitably, compliance, internal control, risk management and governance issues.
The COBIT approach integrates the benchmarked governance and audit methodology and techniques currently available into its ambit: Enterprise Risk Management and Internal Control developed by the Committee of Sponsoring Organization of the Treadway Commission (COSO); the Information Technology Infrastructure Library for IT service management (ITIL); standards for quality management of International Organization for Standardization (ISO 27000 series); Capability Maturity Model Integration (CMMI) for process and performance improvement; The Open Group Architecture Framework (TOGAF) for developing enterprise architecture; and the Project Management Body of Knowledge (PMBOK).
The IT auditor should follow a Risk-based approach (RBA) to IT audit, assessing inherent risks, control risks and residual risks and categorising risks into moderate, high and very high, and evaluating the controls to mitigate them to an accepted level in the organization, based on its risk appetite.
COBIT framework equips the IT auditor with dynamic concepts, techniques, processes and structures for transition to change management, with detailed control centric audit checklists and possible sources of evidence gathering, for giving assurance regarding the effectiveness of controls.
The framework evaluates if all the changes are properly managed, changes are logged, assessed, authenticated, authorized and reviewed, against the targeted qualitative and quantitative parameters, measuring the outcomes. While scrutinising the enterprise documentation, the IT auditor should look for evidence of deployment of the best practices for systems development lifecycle (SDLC) by using the maturity model.The risk, compliance and governance-based methodology provides data security, database integrity, and continuous vigilance on information architecture.
In the emerging Internet-based, powerful cloud IT business environments that may revolutionise the way business is conducted, there should be an equally authoritative framework to enable the auditor to conduct effective IT audit and provide assurance to the business houses that the IT systems are completely fine-tuned to maximise business objectives and targeted outcome.
(The author is a Director-General, CAG Office.)