Topic 07 - COBIT As A Framework For IT Assurance

The document discusses how COBIT concepts can be leveraged for IT assurance. It defines assurance and outlines the 5 components of an assurance assignment: the accountable party, user, assurance professional, subject matter, and evaluation criteria. It then covers building an IT assurance function by discussing necessary structures, processes, principles/policies, culture/ethics, information, services/infrastructure, and skills. Finally, it outlines executing the assurance process by determining scope, understanding the subject matter, and communicating results.

Uploaded by M. Amir

Enterprise Governance of Information Technology
IT5002
Topic 7: COBIT as a Framework for IT Assurance
Session Learning Outcomes

• Explain how the COBIT concepts can be leveraged in the context of IT Assurance

6/5/2020 2
IT Assurance and COBIT 5
Assurance in COBIT 5
“Assurance means that, pursuant to an accountability relationship between two or more parties, an IT audit and assurance professional may be engaged to issue a written communication expressing a conclusion about the subject matters to the accountable party.”

This definition implies that an assurance assignment comprises five components.
Assurance

1. A three-party relationship, including:
• The accountable party (auditee), the person or group accountable for the subject matter under review.
• The user of the assurance report; in some cases this can be the same party as the accountable party.
• The assurance professional, who executes the assurance assignment.

2. The subject matter
• The subject matter refers to the areas within the audit universe that will be under review in the assurance assignment.
• These areas can include all aspects of the seven COBIT 5 enablers, i.e., structures, processes, policies, etc.

3. Suitable criteria
• These criteria are the reference against which the subject matter will be evaluated.
• In principle, management determines what the evaluation criteria are, but the assurance professional can of course also assess the appropriateness of the proposed evaluation criteria.

4. The assurance process
• Assurance professionals follow a specific structured process when executing an assurance assignment.
• This process is discussed in detail further in this session.

5. Conclusions and recommendations
• Based on the observations, facts, and documentation, the assurance professionals will analyze the data, identify control weaknesses and root causes, and substantiate the risks.
• These findings will be brought together in the assurance report, potentially also including specific recommendations.
Types of Assurance

Perspectives of Assurance

• The first perspective discusses how to build an assurance function in the organization, leveraging the seven enablers proposed by COBIT.
  • For example, what types of structures are required, such as the audit committee, and what policies are to be considered, such as an audit charter, etc.
• The second perspective focuses on the execution of the assurance process itself and how the auditors can provide assurance over each of the seven enablers (processes, structures, etc.).
  • For example, how to provide assurance over the “information security” process in an organization.
Building an IT Assurance Function

Structures for IT Assurance

• “COBIT 5 for Assurance” presents some structures that are essential in building up an IT assurance function, including the audit committee at the level of the board of directors, the audit department, a compliance department, etc.
Processes for IT Assurance

• The IT assurance function also requires some IT assurance processes.
• To identify those processes, the “COBIT 5 for Assurance” guide refers to the “COBIT 5: Enabling Processes” book.
• The core assurance processes are to be found in the MEA (Monitor, Evaluate and Assess) domain, more specifically in MEA02, Monitor, Evaluate and Assess the System of Internal Control.
Supporting IT Assurance Processes
Principles, Policies, and Frameworks for IT Assurance

• The assurance function also requires supporting principles, policies, and frameworks.
• Many publications exist around this topic, with ISACA (www.isaca.org) and the IIA (www.theiia.org) being important references.
• A specific reference goes to the “IT Assurance Framework (ITAF)” as developed by ISACA (www.isaca.org/itaf), which gives a relatively complete overview of required IT assurance policies, principles, and frameworks.
Culture, Ethics, and Behavior for IT Assurance

The required and expected behavior for the IT assurance function is represented at three levels:
• the organization
• the assurance professional
• management
Information for IT Assurance

• The IT assurance function requires appropriate information to be able to work well.
• Specific examples are the “audit charter”, which defines the boundaries within which the audit group will work, and the “risk strategy”, which defines how the organization looks at risk.
Services, Infrastructure, and Applications
for IT Assurance

• “COBIT 5 for Assurance” proposes some typical assurance services and applications.
• Typical supporting assurance services are:
  • “time tracking and reporting,” enabling the assurance professional to manage and track their resources,
  • “reporting and communication,” which also covers the typical workflow systems to capture data, write reports, etc.
People, Skills, and Competencies for IT Assurance

Finally, IT assurance professionals need to have the appropriate skills and competencies in specific areas, including:
• Strategy and planning
• Engagement and resource planning
• Assessing and testing
• Enterprise expertise
• Risk management and risk management framework
• Interpersonal and relationship management
• Understanding of standards, guidelines, and procedures
• Communication (oral, presentation, and written)
• Audit practices
• Data management and data quality
• Analytics
• Programme and project management
• Interview and investigation
• System development life cycle
• Basic IT concepts
• Resilience
• Specific technical expertise
Executing the IT Assurance Process
Executing the IT Assurance Process

• The second part of the “COBIT 5 for Assurance” guide addresses how the IT assurance process can be executed.
• As such, this section further develops the MEA02 practice “Execute assurance initiatives”, and proposes three parts:
1. Determining the scope of the assurance assignment
2. Understanding the subject matter, selecting the evaluation criteria, and executing the assessment
3. Communicating and reporting the results
Determining the Scope of the Assurance Assignment

• In the first phase, the assurance professional needs to determine the scope of the assurance assignment.
• The assurance professional evaluates who the involved stakeholders are and what the stakes are for each of them.
• Next, specific objectives for the assurance assignment can be agreed upon.
• These objectives can be expressed in terms of the IT-related risks and opportunities toward achieving enterprise goals.
• Depending on the agreed-upon objectives, the specific scope of the assurance assignment can be set, articulating which processes, structures, policies, and other enablers will be assessed.
Executing the IT Assurance Initiative

• In the execution phase, two steps are crucial: understanding the subject matter and performing the assessment steps.
• It is important that the assurance professional has a good understanding and knowledge of the subject matter they are going to assess.
• ISACA has developed more detailed guidance on each of the seven enablers (processes, structures, etc.) it proposes, and this information will of course be helpful in understanding the subject matter.
• Next, the appropriate assurance steps need to be executed.
• “Testing control design” (often also referred to as “testing the design effectiveness”) covers the assurance steps to be performed to assess the adequacy of the design of controls.
• This assurance activity includes the evaluation of the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, and applying professional judgment.
• The “COBIT 5 for Assurance” guide refers to typical generic testing methods such as enquire, confirm, observe, and inspect.
• “Enquire and confirm” is about asking management questions to obtain an understanding of the processes and/or applications, and includes the search for and examination of exceptions and deviations.
• “Observe” is about the observation and description of the processes and procedures.
• “Inspect” includes the review of plans, policies, and procedures, the tracing of transactions through the processes/systems, physical inspection of the presence of documentation and assets, etc.
Communicate and Report

• If control weaknesses are identified based on the previous steps, “Testing the impact of the control weaknesses” encompasses the assurance steps to document and report on potential business risks if specific control objectives are not met.
• The main issue here is that the assurance professional should not just report on control weaknesses (e.g., “we found evidence that there is no project management methodology”), but should demonstrate what the potential business impact of these weaknesses is (e.g., the likelihood of IT projects failing increases, causing budget overruns or a longer time-to-market).
IT Assurance in Practice

To execute IT assurance activities in practice, templates can be very helpful in supporting the assurance execution. These templates can be simple in nature, and as an illustration, some (nonprescriptive) examples are provided in this session, specifically in support of the scoping and testing execution activities.
Templates for Scoping

When starting a specific assurance assignment, the detailed scope needs to be set first.

This scope analysis can be based on the identification and linking of relevant enterprise goals and IT-related goals and, derived from that, a set of IT-related (COBIT) processes in scope (e.g., the five most important IT processes supporting the defined IT goals).
• Based on the previous scoping exercise, a set of COBIT processes is derived from a value perspective (value-based scoping, i.e., processes in support of the achievement of enterprise and IT goals).
• Depending on the context, this scope may need to be refined based on some risk insights and analysis.
• As an example, easy-to-use templates can be leveraged that indicate a high-level risk profile for processes, based on a quick evaluation of importance and performance, and an indication of how responsibilities and accountabilities are assigned and organized (e.g., formality, etc.).
Once the set of processes is defined, a set of management practices within each process needs to be selected, as a basis for the control framework. In support of this, attributes can be considered that help in evaluating and comparing the importance of management practices within a COBIT process.
These attributes are:
• Expedience, i.e., the speed and ease with which, on average, the control objective can be implemented; e.g., a high (H) score means the control objective can be implemented quickly.
• Sustainability, i.e., the degree to which the control can continue to operate without maintenance and management attention despite changes in the environment, reduced discipline, changed priorities, etc.
• Effectiveness, i.e., the degree to which the control objective, compared to other control objectives for this process, contributes to achieving the process goals and mitigates the risks, irrespective of efficiency, cost, etc.
• Cost (effort), i.e., the investment in people and money to implement a control objective. There is usually a strong relationship between cost and expedience, because high cost implies that many activities and investments are required to implement the control objective, which generally means that implementation will not be expedient.
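The scoping template described above (value-based scoping through the goals cascade, refinement with a quick importance/performance risk scan, and selection of management practices on the four attributes) worked through in code. This is an added example written for this page, not code from the lecture or from ISACA's “COBIT 5 for Assurance”. The process and practice identifiers follow COBIT 5 naming, but every goal-to-goal link, link weight, H/M/L rating and practice attribute in it is constructed for the illustration and is not taken from the COBIT 5 goals-cascade or practice tables. The rule for combining the attributes (effectiveness first, then sustainability, expedience and cost) and the rule for turning importance, performance and accountability into a risk rating are likewise assumptions, since the slides describe the attributes but not a ranking rule.

```python
"""Scoping template worked through in code (added example; not ISACA's).

Process names follow COBIT 5 naming, but every mapping, weight and H/M/L
rating here is CONSTRUCTED for the illustration, not a COBIT 5 table."""
from collections import defaultdict

LINK_WEIGHT = {"P": 2, "S": 1}    # primary goal links count double (assumption)
RATING = {"H": 3, "M": 2, "L": 1}

# Constructed goals cascade: enterprise goal -> {IT-related goal: P/S}
ENTERPRISE_TO_IT = {
    "EG: Managed business risk": {"ITG: Managed IT-related risk": "P",
                                  "ITG: Security of information": "P"},
    "EG: Compliance with external laws": {"ITG: IT compliance with laws": "P",
                                          "ITG: Security of information": "S"},
}
# Constructed goals cascade: IT-related goal -> {COBIT 5 process: P/S}
IT_GOAL_TO_PROCESS = {
    "ITG: Managed IT-related risk": {"EDM03 Ensure Risk Optimisation": "P",
                                     "APO12 Manage Risk": "P",
                                     "DSS05 Manage Security Services": "S",
                                     "BAI06 Manage Changes": "S"},
    "ITG: Security of information": {"APO13 Manage Security": "P",
                                     "DSS05 Manage Security Services": "P",
                                     "DSS04 Manage Continuity": "S"},
    "ITG: IT compliance with laws": {"MEA03 Monitor, Evaluate and Assess Compliance": "P",
                                     "APO12 Manage Risk": "S"},
}
# Constructed quick scan: process -> (importance, performance, accountability formal?)
SAMPLE_QUICK_SCAN = {
    "DSS05 Manage Security Services": ("H", "M", True),
    "BAI01 Manage Programmes and Projects": ("H", "L", False),
    "BAI06 Manage Changes": ("M", "M", True),
}
# Constructed attribute ratings for the management practices of one process
SAMPLE_PRACTICES = {
    "APO12.01 Collect data": dict(expedience="H", sustainability="M", effectiveness="M", cost="L"),
    "APO12.02 Analyse risk": dict(expedience="M", sustainability="M", effectiveness="H", cost="M"),
    "APO12.03 Maintain a risk profile": dict(expedience="L", sustainability="H", effectiveness="H", cost="H"),
    "APO12.06 Respond to risk": dict(expedience="H", sustainability="M", effectiveness="H", cost="M"),
}


def value_based_scope(enterprise_goals, top_n=5):
    """Step 1: cascade the chosen enterprise goals down to processes and keep
    the top_n by accumulated link weight (the slide's 'five most important')."""
    it_goal_score = defaultdict(int)
    for eg in enterprise_goals:
        for itg, link in ENTERPRISE_TO_IT[eg].items():
            it_goal_score[itg] += LINK_WEIGHT[link]
    process_score = defaultdict(int)
    for itg, weight in it_goal_score.items():
        for proc, link in IT_GOAL_TO_PROCESS[itg].items():
            process_score[proc] += weight * LINK_WEIGHT[link]
    # ties broken by name so the result is deterministic
    ranked = sorted(process_score, key=lambda p: (-process_score[p], p))
    return ranked[:top_n]


def risk_profile(importance, performance, formal_accountability):
    """Step 2 rating: an important process that performs poorly is high risk;
    informal accountability pushes the rating up one notch."""
    gap = RATING[importance] - RATING[performance]      # -2 .. +2
    if not formal_accountability:
        gap += 1
    return "H" if gap >= 2 else ("M" if gap == 1 else "L")


def refine_scope(value_scope, quick_scan):
    """Step 2: keep the value-based set and add every process rated H.
    Refinement only adds processes; it never drops a value-based one."""
    scope = list(value_scope)
    for proc, (imp, perf, formal) in quick_scan.items():
        if risk_profile(imp, perf, formal) == "H" and proc not in scope:
            scope.append(proc)
    return scope


def rank_practices(practices):
    """Step 3: order management practices for the control framework: most
    effective first, then most sustainable, then most expedient, then cheapest."""
    def sort_key(item):
        a = item[1]
        return (-RATING[a["effectiveness"]], -RATING[a["sustainability"]],
                -RATING[a["expedience"]], RATING[a["cost"]])
    return [name for name, _ in sorted(practices.items(), key=sort_key)]


if __name__ == "__main__":
    scope = value_based_scope(["EG: Managed business risk", "EG: Compliance with external laws"])
    print("Value-based scope:", scope)
    print("Refined scope:   ", refine_scope(scope, SAMPLE_QUICK_SCAN))
    print("Ranked practices:", rank_practices(SAMPLE_PRACTICES))
```

Running it prints the three steps in order: the value-based top five, the refined scope with the one high-risk process (important, performing poorly, no formal accountability) appended, and the ranked practices for one process. Because the quick scan can only add processes, a process that is both unimportant and well run can never be pulled into scope by it; that matches the slide's intent of refining, not replacing, the value-based scope. In a real engagement the constructed tables would be replaced by the organisation's own goal mapping and the auditor's own ratings.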
Templates for Testing
Summary

In this session, you should have:
• Learned to explain how the COBIT concepts can be leveraged in the context of IT Assurance