Developing the IT Audit Plan Using COBIT 2019


ISACA JOURNAL VOL 3 11


The IT Assurance Framework (ITAF) requires that the IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources.[1] However, despite this requirement, there is little ISACA® documentation on defining an IT audit plan. Perhaps this is because the seminal Developing the IT Audit Plan Global Technology Audit Guide (GTAG 11)[2] is so good. Nonetheless, this document was published in July 2008, so the question should be asked, given current practices, can this be improved upon?

In December 2018, ISACA published what I believe will become an equally influential document, the COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution.[3] I am proposing that the steps described therein for designing a tailored governance system can be adapted to developing the IT audit plan (figure 1).

Understand the Enterprise Context and Strategy

Before developing an audit plan, one should understand the enterprise under review. Enterprises can have different strategies, which the design guide expresses as archetypes (figure 2). Enterprise strategy is realized by the achievement of (a set of) enterprise goals.[4] These goals are structured along the balanced scorecard (BSC) dimensions,[5] an example being business service continuity and availability. A risk profile identifies the sort of IT-related risk to which the enterprise is currently exposed and indicates which areas of risk are exceeding the risk appetite.[6] Good sample risk scenarios have been developed by ISACA to aid with understanding IT-related risk.[7]

Closely related to IT risk are information and technology (I&T)-related issues—also called pain points—from which the enterprise is suffering.[8] These could be considered risk that has materialized. An example might be service delivery problems by the IT outsourcer(s).

At the end of this step, it is important to have a clear and consistent view of the enterprise strategy, the enterprise goals, IT-related risk and current I&T issues. The design guide provides concrete examples of these. An appropriate perspective to keep in mind is that technology only exists to support and further the organization’s objectives and is a risk to the organization if its failure results in the inability to achieve the business objective.[9]

Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, FIP, ITIL Foundation, Six Sigma Green Belt, is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all aspects of information systems. Cooke has served on several ISACA® committees and is a past member of ISACA’s CGEIT® Exam Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums. Cooke supported the update of the CISA® Review Manual for the 2016 job practices and was a subject matter expert for the development of ISACA’s CISA® and CRISC™ Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules. He welcomes comments or suggestions for articles via email ([email protected]), Twitter (@COOKEI), LinkedIn (www.linkedin.com/in/ian-cooke-80700510/) or on the Audit and Assurance Online Forum (engage.isaca.org/home). Opinions expressed are his own and do not necessarily represent the views of An Post.

IS AUDIT BASICS

104557_Journal vol 3 2019_Layout 1 4/11/19 12:42 PM Page 11


Determine the Components of the IT Audit Universe

ISACA defines a portfolio as a grouping of “objects of interest” (i.e., investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value.[10] A key consideration for IT portfolio management is getting the mix right to achieve this business value, one of the motives being that, just like a financial portfolio, some of the areas may not provide the expected value. Therefore, it makes sense to consider these portfolios when developing the IT audit plan—to match this mix we should audit across each of the areas defined in the portfolios.

Of course, this raises a question: What if there are no discernible portfolios? In that case, I propose using COBIT 2019’s components of the governance system[11] to define the IT audit portfolios (figure 3). These are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T[12] and, therefore, should be considered when developing the IT audit plan.

The portfolios should include all activities that will be performed by IT audit. Why? Because performing audit recommendation follow-ups, attending training or reporting on the status of the audit activities takes time, and the only way to ensure that time is properly allocated for them is to include them in the audit plan.

Once the IT audit portfolios have been defined, they can be expanded to create the IT audit universe (figure 4).

Risk Assess the IT Audit Universe

Risk analysis is the process of estimating the two essential properties of each risk scenario[13]:

• Frequency—The number of times in a given period (usually in a year) that an event is likely to occur

• Impact—The business consequences of the scenario

Figure 1—IT Audit Plan Design Workflow

1. Understand the enterprise context and strategy.
   • Understand enterprise strategy.
   • Understand enterprise goals.
   • Understand the risk profile.
   • Understand current I&T-related issues.

2. Determine the components of the IT audit universe.
   • Consider the components of a governance system.
   • Determine the IT audit portfolios.
   • Define the IT audit universe.

3. Risk assess the IT audit universe.
   • Consider the COBIT® 2019 design factors as risk factors.

4. Conclude and validate the IT audit plan.
   • Resolve inherent priority conflicts.
   • Conclude the IT audit plan.
   • Publish the IT audit plan.

Source: Adapted from ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.

Figure 2—Enterprise Strategy

Strategy Archetype | Explanation
Growth/Acquisition | The enterprise has a focus on growing (revenues)
Innovation/Differentiation | The enterprise has a focus on offering different and/or innovative products and services to their clients
Cost Leadership | The enterprise has a focus on short-term cost minimization
Client Service/Stability | The enterprise has a focus on providing a stable and client-oriented service

Source: ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.

Risk factors are those conditions that influence frequency and impact. They can be of different natures and can be classified into two major categories[14]:

• Contextual factors—Can be divided into internal and external factors, the difference being the degree of control an enterprise has over them

• Capabilities—How effective and efficient the enterprise is in a number of IT-related activities

The importance of risk factors lies in the influence they have on risk. They should be considered during every risk analysis.

Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.[15] If we accept that success includes managing risk, then it makes sense that the COBIT 2019 design factors can also be used as risk factors (figure 5).

The factors include those that helped with our understanding of the enterprise context and strategy and are described in detail in the COBIT 2019 Design Guide.[16] Their influence as risk factors is described in figure 6.

It should be noted that not all risk factors may be applicable to each enterprise or IT audit portfolio, nor should more traditional risk factors such as the market, economic factors, geopolitics and industry competition necessarily be ignored.

Once the risk factors have been decided upon, they can be used to perform the risk analysis. Practical guidance on performing this and the risk assessment is explained well in Risk Scenarios Using COBIT® 5 for Risk[17] and the GTAG 11 documents.[18]
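One way to carry the risk analysis through to a ranked audit universe, as an added example that is not from the article, ISACA or GTAG 11: each universe item gets a frequency (per year) and an impact (1 to 5), the COBIT 2019 design factors act as multiplicative risk factors, and only the factors declared applicable to an item's portfolio are allowed to move its score. The 1 to 5 scale, the multiplicative weighting, the snake_case factor names and the whole sample universe are this example's own assumptions; the article specifies none of them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The eleven COBIT 2019 design factors (figure 5 of the article), used here as
# risk factors. The snake_case keys are this example's own naming.
DESIGN_FACTORS: Tuple[str, ...] = (
    "enterprise_strategy", "enterprise_goals", "risk_profile",
    "it_related_issues", "threat_landscape", "compliance_requirements",
    "role_of_it", "sourcing_model_for_it", "it_implementation_methods",
    "technology_adoption_strategy", "enterprise_size",
)


@dataclass
class UniverseItem:
    """One entry of the IT audit universe, grouped by IT audit portfolio."""
    portfolio: str
    name: str
    frequency: float  # estimated occurrences per year (assumed scale)
    impact: float     # business consequence, 1 = negligible .. 5 = severe (assumed scale)
    # factor name -> multiplier; > 1 raises the score, < 1 lowers it (assumed weighting)
    factors: Dict[str, float] = field(default_factory=dict)


def inherent_risk(item: UniverseItem) -> float:
    """Frequency x impact before any risk factor is applied."""
    return item.frequency * item.impact


def factor_adjustment(item: UniverseItem, applicable: Set[str]) -> float:
    """Multiply the weights of the factors that apply to this item's portfolio.

    Factors that do not apply to the portfolio are skipped (the article notes
    not every factor applies everywhere); a name outside the COBIT 2019 list is
    rejected rather than silently ignored, so a typo cannot drop a factor.
    """
    adjustment = 1.0
    for name, weight in item.factors.items():
        if name not in DESIGN_FACTORS:
            raise ValueError(f"unknown risk factor: {name}")
        if name in applicable:
            adjustment *= weight
    return adjustment


def risk_score(item: UniverseItem, applicable_by_portfolio: Dict[str, Set[str]]) -> float:
    """Inherent risk adjusted by the applicable factors, rounded for reporting."""
    applicable = applicable_by_portfolio.get(item.portfolio, set(DESIGN_FACTORS))
    return round(inherent_risk(item) * factor_adjustment(item, applicable), 2)


def rank_universe(items: List[UniverseItem],
                  applicable_by_portfolio: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, float]]]:
    """Return, per portfolio, (item name, score) pairs sorted highest risk first."""
    ranked: Dict[str, List[Tuple[str, float]]] = {}
    for item in items:
        ranked.setdefault(item.portfolio, []).append(
            (item.name, risk_score(item, applicable_by_portfolio)))
    for portfolio in ranked:
        ranked[portfolio].sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked


# Constructed sample universe: the items, frequencies, impacts and weights are
# invented for illustration and are not taken from the article.
SAMPLE_UNIVERSE = [
    UniverseItem("Services, Infrastructure and Applications", "Payroll application", 0.5, 5,
                 {"threat_landscape": 1.5, "compliance_requirements": 1.2}),
    UniverseItem("Services, Infrastructure and Applications", "Intranet website", 2.0, 1,
                 {"threat_landscape": 1.5}),
    UniverseItem("Organizational Structures", "Outsourced service desk", 1.0, 3,
                 {"sourcing_model_for_it": 2.0, "it_related_issues": 1.5}),
    UniverseItem("Culture, Ethics and Behavior", "Follow-up: overdue backup recommendation", 1.0, 4,
                 {"risk_profile": 1.25, "threat_landscape": 2.0}),
    UniverseItem("Culture, Ethics and Behavior", "Follow-up: completed access review recommendation", 0.2, 2),
    UniverseItem("People, Skills and Competencies", "Cloud security training for IT audit", 1.0, 2,
                 {"technology_adoption_strategy": 1.5}),
]

# Which factors count per portfolio; a portfolio not listed uses all eleven.
# For follow-ups only the risk profile and current I&T issues are considered,
# so the threat_landscape weight on the backup follow-up is deliberately ignored.
APPLICABLE_FACTORS: Dict[str, Set[str]] = {
    "Culture, Ethics and Behavior": {"risk_profile", "it_related_issues"},
}


if __name__ == "__main__":
    for portfolio, entries in rank_universe(SAMPLE_UNIVERSE, APPLICABLE_FACTORS).items():
        print(portfolio)
        for name, score in entries:
            print(f"  {score:6.2f}  {name}")
```

The output is the per-portfolio ranking the next step of the article starts from; audit follow-ups and training sit in the same universe and are scored the same way, which is what lets them compete for time in the plan rather than being added afterwards.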

Figure 3—IT Audit Portfolio

Governance System Component | IT Audit Portfolio Examples
Processes | COBIT® 2019 processes
Organizational Structures | Third-party suppliers, subsidiaries, divisions of the enterprise
Principles, Policies, Procedures | Privacy, laws, regulations and other compliance requirements
Information | How IT audit reports its performance
Culture, Ethics and Behavior | Audit recommendation follow-ups, new IT initiatives
People, Skills and Competencies | Training to be undertaken by IT audit; training to be given by IT audit; audit of general IT awareness training
Services, Infrastructure and Applications | Applications, databases, websites, operating systems, virtual machines, etc.

Figure 4—IT Audit Universe Sources

IT Audit Portfolio Example | Potential Source
COBIT 2019 processes | COBIT 2019 Governance and Management Objectives
Third-party suppliers, subsidiaries, divisions of the enterprise | Enterprise resource planning (ERP) system, enterprise structure documentation, organization charts
Privacy, laws, regulations and other compliance requirements | Legal, privacy, security, and governance, risk and compliance (GRC) functions
How IT audit reports its performance | Audit committee requirements
Audit recommendation follow-ups, new IT initiatives | Internal audit and management—scheduled recommendation completion dates, completed recommendations
Training to be undertaken by IT audit; training to be given by IT audit; audit of general IT awareness training | Training plans, personal development plans
Applications, databases, websites, operating systems, virtual machines, etc. | IT asset register


Figure 5—COBIT Design Factors

• Enterprise Strategy
• Enterprise Goals
• Risk Profile
• I&T-Related Issues
• Threat Landscape
• Compliance Requirements
• Role of IT
• Sourcing Model for IT
• IT Implementation Methods
• Technology Adoption Strategy
• Enterprise Size
• Future Factors

Source: ISACA, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018. Reprinted with permission.


In addition, the IT audit follow-ups, training and audit committee requirements should also be subject to a risk assessment. Example questions include: What follow-ups should be performed first? Is the training addressing perceived risk? Is the right information being provided to the audit committee?

Conclude and Validate the IT Audit Plan

At this stage, one should have a list of ranked audit universe items by portfolio. Unless the element of surprise is required, these should be discussed and validated with senior management of the auditee. Why? Because management will be aware of factors such as scheduled upgrades, application replacements and external audits, which may affect audit’s ability to deliver the plan on time. In addition, they may have insights or special requests for audits that are not currently part of the universe. When this is complete, the plan should be reviewed from audit’s perspective. Are there any inherent conflicts? Is specialist help needed for specific audits?

Finally, publish the IT audit plan, including the proposed sequence and timings. This may prove controversial—what if management remediates risk scenarios before audit arrives? This is a positive. The purpose of audit is not to have audit findings; the purpose of audit is to help mitigate risk.

Conclusion

When developing the IT audit plan, remember that one of the basic rules of the (audit) universe is that nothing is perfect. Perfection simply does not exist.[19] However, by adapting a portfolio-based approach along with COBIT 2019’s design factors as risk factors, the IT audit plan should be closely aligned with the business strategy and direction. The process makes this demonstrable and allows audit to add value.

Endnotes

1. ISACA®, ITAF: A Professional Practices Framework for IS Audit/Assurance, USA, 2014, www.isaca.org/Knowledge-Center/ITAF-IS-Assurance-Audit-/IS-Audit-and-Assurance/Pages/ObjectivesScopeandAuthorityofITAudit.aspx
2. The Institute of Internal Auditors, Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan, USA, 2008, https://na.theiia.org/standards-guidance/recommended-guidance/practice-guides/Pages/GTAG11.aspx
3. ISACA®, COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, USA, 2018, https://www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx
4. Ibid., p. 22
5. Ibid.
6. Ibid., p. 23
7. ISACA, Risk Scenarios Using COBIT® 5 for Risk, USA, 2014, p. 33, www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Risk-Scenarios-Using-COBIT-5-for-Risk.aspx
8. Ibid.
9. Op cit GTAG 11, p. 4
10. ISACA Glossary, Portfolio, https://www.isaca.org/Pages/Glossary.aspx
11. ISACA, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018, www.isaca.org/COBIT
12. Ibid., p. 21
13. Op cit Risk Scenarios Using COBIT® 5 for Risk
14. Ibid., p. 16
15. Op cit COBIT 2019 Design Guide, p. 21
16. Ibid.
17. Op cit Risk Scenarios Using COBIT® 5 for Risk
18. Op cit GTAG 11
19. Goodreads, Stephen Hawking Quotes, https://www.goodreads.com/quotes/363982-one-of-the-basic-rules-of-the-universe-is-that
