COBIT Case Study: Integrating COBIT 4.1 Into the Internal Audit Function 


Come join the discussion! John Panopoulos will respond to questions in the discussion area of the COBIT (4.1 and earlier)—Use It Effectively topic beginning 22 October 2012.


TT Hellenic Postbank S.A., in Athens, Greece, is a publicly traded bank on the Athens Stock Exchange, a member of the Hellenic Banking Association, the European Savings Banks Group and the World Savings Banks Institute. Today, TT Hellenic Postbank is a modern bank with a wide depositor base and a healthy loan book, enjoying the required potential and financial background to provide substantial support to the Hellenic economy and society.

The bank’s IT audit management recognized that a new methodology was required for the assessment of the effectiveness and efficiency of the bank’s IT internal control environment. Moreover, IT audit management decided to establish a standardized and well-defined method of planning and implementing IT audits; thus, the bank decided to consider widely accepted control-based frameworks, such as the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework and COBIT 4.1.

Comparing the two aforementioned frameworks, the IT audit management concluded that COBIT 4.1 was the best solution for its needs, due to its comprehensive coverage of IT controls and its straightforward link with business objectives,1 as opposed to COSO, which it found to be very high level and not IT-specific. COBIT 4.1’s good practices contribute to aligning IT and business objectives, introduce a generally accepted process model, and define a list of control objectives for each process. By means of the maturity model and the detailed control objectives, there is a clear understanding about the current level of efficiency and control over IT processes. Also, COBIT can be easily customized to support the needs of each organization and mapped with other commonly accepted assurance frameworks. As a result, COBIT 4.1 was utilized to define the IT audit universe, create tactical (annual) and strategic risk-based audit plans, and standardize the audit process.


COBIT 4.1 implementation took place at TT Hellenic Postbank in 2008 and was focused on the following areas:

  • Defining the IT audit universe2 —The IT governance framework diagram (figure 1) was created, outlining the current IT operations, and was used as the foundation of the audit universe. At that point, the 34 COBIT 4.1 processes were mapped under those operations (figure 2); for example, the DS5 and DS9 processes were mapped under Security Configuration Management. Subsequently, all high-level IT operations were assessed and an initial maturity level was assigned to them: 0 (for nonexistent) or 1 (for initial/ad hoc). Accordingly, IT resources (applications, information, infrastructures and people) were assigned under each IT operation, and after every change in the IT environment, the audit universe was updated.
  • Creating a risk-based audit plan3 —A methodology was created to rank the IT processes according to residual risk. Initially, IT audit management collaborated with IT management to assess the inherent risk of IT processes, taking into consideration risk factors such as financial and operational risk. After that, the current maturity level was taken into consideration and the residual risk was calculated. The inherent risk has been reassessed on an annual basis, and the highest ranking processes according to this methodology are included in the audit plan.
  • Setting the scope of audit engagements—Internal policies and procedures, legislation and regulations4 as well as the COBIT 4.1 process control objectives5 were combined to define the scope of the audit engagements. In the scope of those engagements, the most critical IT resources were also included.
  • Scoring the process—COBIT 4.1’s Process Maturity Model (PMM) was used for scoring IT operations. Initially, a maturity level value of 0 (for nonexistent) or 1 (for initial/ad hoc) was assigned to each IT operation. Subsequently, after the completion of an audit engagement, the operation’s maturity level was updated to reflect the current state.
  • Audit reporting—COBIT 4.1 provided a way of matching IT processes to IT goals and IT goals to business goals. This matching has been used to present the benefits of taking corrective actions to senior management more efficiently. In the case of the security configuration management audit, IT audit management was able to present, in the same context, technical issues, compliance issues and contractual obligations that needed to be observed.

Figure 1


Integrating the COBIT framework into the IT audit function has resulted in the following positive impacts:

  • The development of a well-defined, standardized methodology of planning and implementing IT audits. In this way, audit budgets have involved more projects and audit resources have been properly utilized.
  • There has been better alignment among audit, IT and business goals.
  • A common language for IT, audit and C-level management has been established.

At this point, COBIT has only been used by TT Hellenic Postbank’s IT audit team. Eventually, the bank’s IT audit management envisions the acceptance of COBIT as an IT governance framework for the entire organization, as it has improved the quality of the audit work and has proven the importance of the adoption of a common framework.

John Panopoulos, CISA
Is the head of IT audit at TT Hellenic Postbank in Athens, Greece. Previously, he was a senior software engineer and an IT consultant. Panopoulos can be contacted at

Figure 2


1 IT Governance Institute (ITGI), COBIT Mapping Overview of International IT Guidance, 2nd Edition, USA, 2006
2 The Institute of Internal Auditors (IIA), Global Technology Audit Guide (GTAG): Developing the IT Audit Plan, USA, 2008
3 ISACA San Francisco Chapter, “Integrating COBIT 4.1 Into the IT Audit Process (Planning, Scope Development, Practices),” PowerPoint, California, USA, 2006
4 Bank of Greece Governor’s Act 2577/2006
5 ISACA, IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals,