Due to the nature of their profession, IT auditors are some of the stakeholders most interested in COBIT. Delivering COBIT 2019 Foundation training to groups of IT auditors is a good way to glean insights and tips from the IT auditor’s perspective. Those learnings can benefit the wider audience of COBIT 2019 users and, therefore, should be shared.
It should be noted that many IT auditors in non-English-speaking countries can read professional publications in English and were among some of the first practitioners interested in COBIT 2019 and related training. COBIT 2019 publications in local languages are necessary to promote and clarify information and technology (I&T) governance concepts for all categories of stakeholders. Publications and presentations in local languages help students and teachers to find the best local interpretation of terms. And, of course, the need to find answers to specific questions is the driver for auditors as representatives of “an accurate profession” to attend the Foundation training course.
Related Standards and Compliance Requirements
Related standards and legal or regulatory requirements (usually referred to as “compliance” or “conformance”) are among the strongest arguments for IT auditors to develop their knowledge and skills in the COBIT framework. Foundational standards in the audit profession include the International Standards on Auditing (e.g., ISA 315, ISA 330); Public Company Accounting Oversight Board (PCAOB) Accounting Standard No. 5; industry-specific guidance such as the financial sector’s Payment Card Industry Data Security Standard (PCI DSS), the US Sarbanes-Oxley Act of 2002 (SOX) and the Basel Committee on Banking Supervision (BCBS); and local regulations that require implementation and assessment of an IT control environment, also based on the standards mentioned, and that mandate internal and/or external audit in certain circumstances.
The IT Audit Role in Business Value, Performance and Innovation in I&T
Regulators generally focus on privacy and security, and do not cover areas such as business value from I&T, cost-effective project management and so on. Enterprise shareholders and management expect assurance and improvement recommendations in these areas. Business value, performance improvement and innovation all figure prominently in COBIT 2019. The ISACA and Protiviti publication A Global Look at IT Audit Best Practices and ISACA’s The Future of IT Audit position paper illustrate in more detail the challenges for auditors in the era of digital transformation and emerging technologies, and COBIT 2019 seems to help address these challenges.
COBIT Evolution—From Audit Checklist to I&T Governance Framework for the Digital Era
Figure 1 reflects the COBIT framework’s progress from an audit guide with a list of control objectives to review to a comprehensive I&T governance framework containing best practices within a whole dynamic, tailored cycle. COBIT 2019 includes digital transformation-related goals, organizational structures and the announcement of new focus area publications such as DevOps and cybersecurity. In addition, the role of IT auditors is changing from “testers” to important players in enterprise governance; for example, there is a growing trend calling for the presence of IT auditors on audit, steering and strategic committees.
Figure 1—COBIT Framework Historical Timeline
Source: ISACA, USA, 2018. Reprinted with permission.
Back to the Future—COBIT 2019 CMMI-Based Process Capability Levels
From the IT auditor’s viewpoint, the most valuable innovation in COBIT 2019 is the return to CMMI-based process capability levels that remind auditors of good old COBIT 4.1. The process assessment model (PAM) in COBIT 5, based on International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 15504 Information technology—Process assessment—Part 5: An exemplar software life cycle process assessment model, was not widely used by IT auditors due to its complexity, and some organizations continue to use the COBIT 4.1 model for process assessment. Because ISO/IEC 33001 Information technology—Process assessment—Concepts and terminology subsequently revised ISO/IEC 15504, upgrading the COBIT PAM to the newer ISO standard could create even more sophisticated guidance for process assessment. Thanks to COBIT 2019, auditors again have clear criteria for each specific process capability level, based on the activities in place, since the CMMI adoption in COBIT 2019 is self-sufficient.
IT Audit Function in COBIT 2019—Just a Basic Reference, Auditors Expecting New Publications
The COBIT 2019 Monitor, Evaluate and Assess (MEA) domain has been revised to include a new management objective, MEA04 Managed assurance. Figure 2 illustrates one of its practices, MEA04.05, and corresponding capability levels. This management practice could become the basis for designing the internal audit function through suggested activities, metrics, organization structures and capability levels.
Figure 2—MEA04.05 Define the work program for the assurance initiative
Source: ISACA, COBIT 2019 Framework: Governance and Management Objectives, USA, 2018. Reprinted with permission.
Additionally, IT auditors can expect new, detailed publications for the assurance focus area, as the COBIT 2019 family of products grows and updates the existing COBIT 5 for Assurance.
COBIT 2019 has been positively received by auditors due to its updated practices, clearer terminology and key concepts (e.g., “components” instead of “enablers”; design factors, for example, strategy and risk profile for tailoring and targeting the I&T model). In particular, returning to the CMMI-based assessment model has benefitted the audit community. Auditors can look forward to new publications detailing the design and implementation of the audit function itself, along with guidance for assessing new focus areas in today’s digital world. In just a quarter of a century, COBIT has become the number-one framework for IT auditors, and it seems that COBIT 2019 will continue to build its popularity.
Andrey Drozdov, CISA, CISM, CGEIT, COBIT 2019 Accredited Trainer, is an associate director at KPMG Russia and the Commonwealth of Independent States (CIS). He is also the first vice president of the ISACA Moscow (Russia) chapter. He is a COBIT practitioner and trainer and a member of the COBIT 5 translation team responsible for translating and reviewing COBIT 5 in Russian.