With IT ingrained in most business processes, IT risk management has become a critical part of enterprise risk management. The rise of cybersecurity incidents in recent years has heightened the need for directors and executive management to understand, evaluate, and respond to IT risks. Yet, managing these risks can be daunting because of the technical complexity and far-reaching outcomes of an IT risk event.
Although it is tempting for the board and management to focus on cyberrisks, internal audit must consider the full range of IT risks and take a more holistic view of the business. Gaining such a view is one of the advantages of using ISACA’s COBIT framework to address risk management challenges.
The latest version, COBIT 5, released in 2012, can help internal auditors develop an audit plan to address IT risks, set IT audit objectives, and define the scope for IT audits. It can help simplify complex issues by giving auditors best practices and conceptual guidance on how to categorize risks, identify risk events, and understand the relationship between risk events and value creation.
Moreover, COBIT emphasizes the value of assessing a process from end to end, instead of auditing components of that process. In addition, the separation of governance from management highlights the need to audit IT risks related to IT governance and management, which organizations tend to overlook.
COBIT is an enterprisewide IT governance and management framework designed to enable organizations to maintain a balance between realizing benefits from IT and optimizing risk levels and resource use. It is based on five principles: meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.
COBIT 5’s basic premise is that goals cascade in an organization — that is, stakeholder needs are translated into enterprise goals, which set the direction for IT goals and enabler goals. Further, the framework provides guidance on IT risk management from a functional perspective (i.e., what is needed to build and sustain core risk governance and management activities), and a risk management perspective (i.e., how the COBIT enablers can assist the core risk management processes of identifying, analyzing, and responding to risk).
COBIT 5 describes enablers as factors that “individually and collectively influence whether something will work.” They can be used in both IT risk management and IT audit planning.
Enabling Audit Planning
Whether developing an audit plan or planning for an individual audit, internal auditors need to determine the audit objectives, scope, timing, resource requirements, and process. COBIT suggests auditors take a holistic view of the business when planning an audit.
Auditors can use the seven COBIT enablers as the foundation for identifying IT audit objectives and defining the audit’s scope. These enablers are:
- Principles, policies, and frameworks that translate the desired behavior into practical guidance that can be managed.
- Processes that support achievement of a set objective.
- Organizational structures that are important for decision-making.
- Culture, ethics, and behavior of individuals, which explain the human interactions that influence governance and management.
- Information, including all information produced and used in the business.
- Services, infrastructure, and applications, including the IT used by the organization.
- People, skills, and competencies, including people who are required for successful completion of all activities.
Because COBIT provides 36 generic risk scenarios, internal auditors should begin by working with management to prioritize risk scenarios for their organization. COBIT uses primary and secondary ranking to show the impact of each risk scenario on the type of risk. COBIT categorizes the risk types based on whether the risk is strategic (IT benefit/value enablement), operations-related (IT operations/service delivery), or project-related (IT program/project delivery).
Second, internal auditors can identify activities pertaining to each of the enablers for the prioritized risk scenarios. For example, organizations face IT risk when selecting IT programs (risk scenario), which primarily affects the organization’s strategy and secondarily its operations. To manage this risk, management can implement a policy that indicates the types of IT investments that are a priority (policy), have a formal process to select IT projects (process), have an IT steering committee (organizational structure), communicate the importance of technology throughout the organization (culture), define IT investment selection criteria (information), have a program management application (application), and involve appropriate managers in the decision-making process (people).
Third, internal auditors can rank activities based on an approach that best fits the organization. For example, auditors may use a high/medium/low priority, primary/secondary, or a rank order based on weights to identify the areas that need attention. Finally, once the activities are ranked, auditors can plan the audit by first focusing on the primary/high priority activities before turning attention to secondary activities given resource, time, and personnel constraints.
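The three planning steps above (prioritize risk scenarios by the risk types they affect, map each scenario to activities under the seven enablers, then rank those activities and audit primary ones before secondary ones) can be written down as a small scoring model. The following is an added illustration, not code from ISACA or from this article: the risk-type weights, enabler weights, likelihood and impact values, and the two scenarios beyond the article's own "IT program selection" example are all constructed assumptions for a hypothetical organization, and the primary/secondary tiering by enabler weight is one possible ranking approach of the several the article leaves open.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Weights management assigns to the three COBIT risk types (constructed:
# this hypothetical organization weighs strategic exposure highest).
TYPE_WEIGHTS = {"strategic": 3, "operations": 2, "project": 1}

# Weights for the seven COBIT 5 enablers, used to rank activities
# (constructed; any weighting or high/medium/low scheme could replace it).
ENABLER_WEIGHTS = {
    "principles_policies": 3,
    "processes": 3,
    "organizational_structures": 2,
    "information": 2,
    "people_skills_competencies": 2,
    "services_infrastructure_applications": 1,
    "culture_ethics_behavior": 1,
}


@dataclass
class RiskScenario:
    name: str
    primary_type: str                 # risk type primarily affected
    secondary_type: Optional[str]     # risk type secondarily affected, if any
    likelihood: int                   # 1 (rare) .. 5 (almost certain), management's estimate
    impact: int                       # 1 (negligible) .. 5 (severe), management's estimate
    activities: Dict[str, str]        # enabler -> activity management relies on


def scenario_score(s: RiskScenario) -> float:
    """Step 1: weight likelihood x impact by the risk types affected.
    The primary type counts fully, the secondary type at half weight."""
    weight = float(TYPE_WEIGHTS[s.primary_type])
    if s.secondary_type:
        weight += 0.5 * TYPE_WEIGHTS[s.secondary_type]
    return s.likelihood * s.impact * weight


def prioritize_scenarios(scenarios: List[RiskScenario]) -> List[RiskScenario]:
    """Step 1 result: scenarios ordered from highest to lowest score."""
    return sorted(scenarios, key=scenario_score, reverse=True)


def build_audit_plan(scenarios: List[RiskScenario], primary_min_weight: int = 2) -> List[dict]:
    """Steps 2 and 3: expand each prioritized scenario into its enabler
    activities, score each activity as scenario score x enabler weight, tier
    it as primary or secondary, and return all primary activities (highest
    score first) followed by all secondary ones."""
    rows = []
    for s in prioritize_scenarios(scenarios):
        base = scenario_score(s)
        for enabler, activity in s.activities.items():
            w = ENABLER_WEIGHTS[enabler]
            rows.append({
                "scenario": s.name,
                "enabler": enabler,
                "activity": activity,
                "score": base * w,
                "tier": "primary" if w >= primary_min_weight else "secondary",
            })
    by_score = lambda r: r["score"]
    primary = sorted((r for r in rows if r["tier"] == "primary"), key=by_score, reverse=True)
    secondary = sorted((r for r in rows if r["tier"] == "secondary"), key=by_score, reverse=True)
    return primary + secondary


# Constructed sample input. The first scenario mirrors the article's own
# example; the other two are hypothetical.
SAMPLE_SCENARIOS = [
    RiskScenario(
        name="IT program selection", primary_type="strategic", secondary_type="operations",
        likelihood=3, impact=4,
        activities={
            "principles_policies": "Policy stating which IT investment types are priorities",
            "processes": "Formal IT project selection process",
            "organizational_structures": "IT steering committee",
            "culture_ethics_behavior": "Communication of technology's importance",
            "information": "Defined IT investment selection criteria",
            "services_infrastructure_applications": "Program management application",
            "people_skills_competencies": "Appropriate managers involved in decisions",
        },
    ),
    RiskScenario(
        name="Unplanned service outage", primary_type="operations", secondary_type=None,
        likelihood=4, impact=5,
        activities={
            "processes": "Incident and problem management process",
            "services_infrastructure_applications": "Monitoring and backup infrastructure",
            "people_skills_competencies": "On-call operations staff",
        },
    ),
    RiskScenario(
        name="Project budget overrun", primary_type="project", secondary_type="strategic",
        likelihood=4, impact=2,
        activities={
            "processes": "Stage-gate project reviews",
            "information": "Project cost tracking reports",
        },
    ),
]

if __name__ == "__main__":
    for row in build_audit_plan(SAMPLE_SCENARIOS):
        print(f'{row["tier"]:9} {row["score"]:6.1f}  {row["scenario"]}: {row["activity"]}')
```

With the constructed weights, "IT program selection" scores 48 (3 x 4 x (3 + 0.5 x 2)) and leads the plan, and its policy and process activities top the primary tier; the outage scenario's monitoring infrastructure, weighted as a secondary enabler, lands in the secondary tier even though the scenario itself ranks second. Changing the two weight tables is how an organization expresses a different risk appetite without touching the procedure.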
An Eye on the Big Picture
COBIT’s recommended best practices can establish a foundation for providing assurance on the adequacy, reliability, and integrity of an organization’s information systems, regardless of its industry, technology infrastructure, or geographic location. This foundation can help internal auditors understand how the organization operates and where it wants to go.
Moreover, the COBIT guidance recognizes that IT risk exposure differs among organizations based on management’s risk appetite, involvement, and risk response. Internal auditors can use the framework to understand the nature of IT risks that are unique to their organization and develop an intuition that helps them recognize red flags, internal control weaknesses, and fraud.
Further, COBIT can help internal auditors identify and organize audit findings that can be instrumental in establishing and monitoring the organization’s IT risk management practices. The framework enables auditors to work at a detailed level while also keeping the big picture in mind.