Audit/Assurance Programs 



COBIT 5 Process Audit/Assurance Programs

The first set of new audit/assurance programs (‘audit programs’) based on COBIT 5 will be for conducting assurance over a process. The programs are aligned with generally accepted auditing standards and practices and are based upon the overall assurance engagement approach, which is divided into three phases:

  • Phase A: Determining the scope of the assurance initiative
  • Phase B: Understanding enablers, setting suitable assessment criteria and performing the assessment
  • Phase C: Communicating and reporting the results of the assessment

The audit programs are fully aligned with COBIT 5:

  • They explicitly reference all seven enablers. In other words, they are no longer exclusively process-focused; they also use the different dimensions of the enabler model to cover all aspects contributing to the performance of the enablers.
  • They reference the COBIT 5 goals cascade to ensure that detailed objectives of the assurance engagement can be put into the enterprise and IT context, and concurrently they enable linkage of the assurance objectives to enterprise and IT risk and benefits.

The audit programs are comprehensive yet flexible. They are comprehensive because they contain assurance steps covering all enablers in quite some detail, yet they are also flexible because this detailed structure enables clear and well-understood scoping decisions to be made. That is, the assurance professional can decide to not cover a set of enablers or some enabler instances and, while the decision will reduce the scope and related assurance engagement effort, the issue of what is or is not covered will be quite transparent to the assurance engagement user.

The audit programs are easy to understand, follow and apply because of their clear structure. The format follows the overall assurance engagement approach described above, but splits each phase into different steps and substeps. For each step, a short description is included, as is guidance for the assurance professional on how to proceed with the step.

The COBIT 5 framework explains that the enablers are interconnected, e.g., processes use Organisational Structures as well as Information items (inputs [I] and outputs [O]). When developing the audit program, it will become clear that when all possible entities of all enablers are included in the scope and reviewed in detail, there is potential for duplication.

In the creation of these audit programs, care has been taken to avoid or minimize duplication, meaning that:

  • Some aspects of a process also relate to another enabler and are assessed there, e.g., inputs and outputs can also be classified under the Information enabler heading and covered in detail there.
  • Some aspects relating to Skills and Competencies are to a large extent covered by process APO07 Manage human resources.

In practice, assurance professionals will have to use their own professional judgment when developing their own customized audit programs, to avoid duplication of work.

In addition, while audit programs will be available for each process, in practice a group of processes is often selected for audit. Therefore, a relevant set of audit programs for the applicable processes will need to be selected for conducting assurance.

Evaluate, Direct and Monitor

Align, Plan and Organise

Build, Acquire and Implement

Deliver, Service and Support

Monitor, Evaluate and Assess

MEA process audit/assurance programs are not being created at this time.

Audit/Assurance Programs based on COBIT 5

ISACA will be providing additional audit/assurance programs based on COBIT 5 in 2015.

Audit/Assurance Programs based on COBIT 4.1

Apache™ Web Services Server Audit/Assurance Program (Dec 2010)
Biometrics Audit/Assurance Program (Nov 2012)
Bring Your Own Device (BYOD) Security Audit/Assurance Program (Dec 2012)
Business Continuity Management Audit/Assurance Program (Sep 2011)
Change Management Audit/Assurance Program (Jan 2009)
Cloud Computing Management Audit/Assurance Program (Aug 2010)
Crisis Management Audit/Assurance Program (Aug 2010)
Cybercrime Audit-Assurance Program (Oct 2012)
E-commerce and PKI Audit/Assurance Program (Oct 2012)
Generic Application Audit/Assurance Program (Jan 2009)
Identity Management Audit/Assurance Program (Feb 2013)
Information Security Management Audit/Assurance Program (Aug 2010)
IPv6 Security Audit/Assurance Program (Feb 2012)
IT Continuity Planning Audit/Assurance Program (Jan 2009)
IT Risk Management Audit/Assurance Program (Jan 2012)
IT Strategic Management Audit/Assurance Program (Dec 2011)
IT Tactical Management Audit/Assurance Program (Nov 2011)
Lotus Domino Server Audit/Assurance Program (Nov 2011)
Microsoft Exchange Server 2010 Audit/Assurance Program (Sep 2011)
Microsoft Internet Information Services (IIS) 7.x Web Services Server Audit/Assurance Program (Feb 2011)
Microsoft SharePoint 2010 Audit/Assurance Program (Oct 2011)
Microsoft SQL Server Database Audit Assurance Program (July 2011)
Microsoft Windows File Server Audit/Assurance Program (Sep 2011)
Mobile Computing Security Audit/Assurance Program (Oct 2010)
MySQL™ Server Audit/Assurance Program (Dec 2010)
Network Perimeter Security Audit/Assurance Program (Jan 2009)
Outsourced IT Environments Audit/Assurance Program (Jan 2013)
Personally Identifiable Information (PII) Audit/Assurance Program (Jan 2013)
Security Incident Management Audit/Assurance Program (Jan 2009)
Security, Audit and Control Features Oracle Database, 3rd Edition (Dec 2009)
Security, Audit and Control Features Oracle E-Business Suite, 3rd Edition - Audit programs and ICQs (July 2010)
Security, Audit and Control Features Oracle PeopleSoft, 3rd Edition (Jan 2012)
Security, Audit and Control Features SAP® ERP, 3rd Edition (Aug 2009)
SharePoint Deployment and Governance Using COBIT 4.1 Appendix C. Scorecard and Tool Matrix (Feb 2010)
Social Media Audit/Assurance Program (Feb 2011)
Software Assurance Audit/Assurance Program (Feb 2013)
Systems Development and Project Management Audit/Assurance Program (Jan 2009)
UNIX/LINUX Operating System Security Audit/Assurance Program (Jan 2009)
VMware Server Virtualization Audit/Assurance Program (Feb 2011)
Voice-Over Internet Protocol (VOIP) Audit/Assurance Program (Jan 2012)
VPN Security Audit/Assurance Program (Oct 2012)
Windows Active Directory Audit/Assurance Program (Aug 2010)
z/OS Security Audit/Assurance Program (Jan 2009)