Exploring COBIT 2019s Value for Auditors

Exploring COBIT 2019s Value for Auditors
Author: Dirk Steuperaert
Date Published: 21 August 2019

COBIT 2019 is a terrific resource for a wide range of business technology professionals. In ISACA's 19 September 2019 Professional Guidance webinar (free registration), “COBIT 2019 – Highly Relevant for Auditors,” we will focus on assurance professionals and the benefits they can obtain from COBIT 2019.

For that purpose, we will first quickly revisit the key COBIT 2019 concepts. We will then discuss the features of COBIT 2019 that are most relevant for auditors, such as the design factors and design guide, the governance and management objectives, and the new process capability scheme.

The design factors and design guide are intended to design a governance system, which prioritizes the 40 governance and management objectives and helps determine which focus area guidance is to be used. When assurance professionals have to develop their audit plans, they usually take a risk-based approach that considers enterprise objectives. This is exactly how the design factors can and should be used by assurance professionals to prioritize their audit plans. The goals cascade, risk scenarios, current IT issues and other elements are included as design factors.

The governance and management objectives, the process practices and activities are in essence language, concept and level of abstraction – equivalent to control objectives and control practices – and therefore can be used to develop audit programs and serve as suitable criteria for audit assignments. The process activities can also be used to develop detailed assurance steps.

COBIT 2019 contains a new process capability assessment scheme as part of its performance management guidance. The new scheme is based on CMMI and assigns capability levels to each process activity. The relevance for assurance professionals is twofold: based on the audit plan where governance and management objectives are prioritized, one can define target capability levels for the process component of each governance and management objective in scope of the assurance engagements, thus defining which process practices and activities will be in scope of the audit programs. Closely related, assurance professionals can use the capability levels to report process performance in their assurance engagements.

In addition to the above, assurance professionals should consider the non-process components of governance and management objectives when building their audit universes, plans and programs. COBIT 2019 indicates that not only are processes important governance components, but that organizational structures, culture and behaviors, information streams, skills and behaviors are important. For that reason, we encourage assurance professionals to consider them when conducting their engagements. The current COBIT 2019 performance management guidance does not yet fully support these other types of components – initial guidance for organizational structures and information quality is included in COBIT 2019, while guidance for other components is yet to come.

I look forward to this webinar further demonstrating the relevance of COBIT 2019 for assurance professionals and look forward to hearing your questions and suggestions for further guidance.