COBIT 5 Process Audit/Assurance Programs
The first set of new audit/assurance programs (‘audit programs’) based on COBIT 5 will be for conducting assurance over a process. The programs are aligned with generally accepted auditing standards and practices and are based on the overall assurance engagement approach, which is divided into three phases:
- Phase A: Determining the scope of the assurance initiative
- Phase B: Understanding enablers, setting suitable assessment criteria and performing the assessment
- Phase C: Communicating and reporting the results of the assessment
The audit programs are fully aligned with COBIT 5:
- They explicitly reference all seven enablers. In other words, they are no longer exclusively process-focused; they also use the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
- They reference the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently they enable linkage of the assurance objectives to enterprise and IT risk and benefits.
The audit programs are comprehensive yet flexible. They are comprehensive because they contain assurance steps covering all enablers in considerable detail, and they are flexible because this detailed structure enables clear and well-understood scoping decisions to be made. That is, the assurance professional can decide not to cover a set of enablers or some enabler instances and, while that decision will reduce the scope and the related assurance engagement effort, what is and is not covered will be transparent to the assurance engagement user.
The audit programs are easy to understand, follow and apply because of their clear structure. The format follows the overall assurance engagement approach described above, but splits each phase into different steps and substeps. For each step, a short description is included, as is guidance for the assurance professional on how to proceed with the step.
The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use Organisational Structures as well as Information items (inputs [I] and outputs [O]). When developing the audit program, it will become clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential for duplication.
In the creation of these audit programs, care has been taken to avoid or minimize duplication, meaning that:
- Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can also be classified under the Information enabler heading and covered in detail there.
- Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.
In practice, assurance professionals will have to use their own professional judgment when developing their own customized audit programs, to avoid duplication of work.
In addition, while audit programs will be available for each process, in practice a group of processes is often selected for audit. Therefore, a relevant set of audit programs for the applicable processes will need to be selected for conducting assurance.
Evaluate, Direct and Monitor
Align, Plan and Organise
Build, Acquire and Implement
Deliver, Service and Support
DSS process audit/assurance programs are scheduled to be available in December 2014.
Monitor, Evaluate and Assess
MEA process audit/assurance programs are not being created at this time.