Professional Documents
Culture Documents
BASICS
Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, CPTE, DipFM, FIP,
ITIL Foundation, Six Sigma Green Belt
Is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has 30 years of experience in all
aspects of information systems. Cooke has served on several ISACA® committees and is a past member of ISACA’s CGEIT® Exam
Item Development Working Group. He is the topic leader for the Audit and Assurance discussions in the ISACA Online Forums.
Cooke supported the update of the CISA® Review Manual for the 2016 job practices and was a subject matter expert for the
development of ISACA’s CISA® and CRISC™ Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common
Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training
modules. He welcomes comments or suggestions for articles via email (Ian_J_Cooke@hotmail.com), Twitter (@COOKEI), LinkedIn
(www.linkedin.com/in/ian-cooke-80700510/), or on the Audit and Assurance Online Forum (engage.isaca.org/home). Opinions
expressed are his own and do not necessarily represent the views of An Post.
Business Value
Examples
Fail to Gain Gain
• Technology enabler for
IT Benefit/Value new business initiatives
Enablement • Technology enabler for
efficient operations
• Project quality
IT Program
• Project relevance
and Project Delivery • Project overrun
• IT service interruptions
IT Operations and
• Security problems
Service Delivery • Compliance issues
Lose Preserve
Business Value
Source: ISACA®, COBIT® 5 for Risk, USA, 2013, figure 5. Reprinted with permission.
• IT program and project delivery risk—Associated Another good reference is the Four Ares (figure 2).4
with the contribution of IT to new or improved I remember watching in awe as the late Rob Stroud
business solutions, usually in the form of presented on this at EuroCACS in Vienna in 2007
projects and programs as part of investment and thinking, “That’s it! IT audit has been summed
portfolios up using four questions.” The Four Ares are
intended to help manage IT benefit/value
• IT operations and service delivery risk—
enablement risk, but if one considers the questions
Associated with all aspects of the business as
independently, they are quite insightful. They are
usual performance of IT systems and services,
great questions for any board member to ask
which can bring destruction or reduction of value
management about any IT initiative or risk.
to the enterprise
The strategic question. Is the investment: Are we Are we The value question. Do we have:
• In line with our vision doing getting • A clear and shared understanding of the
• Consistent with our business principles the right the expected benefits
• Contributing to our strategic objectives things? benefits? • Clear accountability for realising the benefits
• Providing optimal value, at affordable cost, • Relevant metrics
at an acceptable level of risk • An effective benefits realisation process over
the full economic life cycle of the investment
The architecture question. Is the investment: Are we Are we
• In line with our architecture doing them getting The delivery question. Do we have:
• Consistent with our architectural principles the right them done • Effective and disciplined management, delivery
• Contributing to the population of our way? well? and change management processes
architecture • Competent and available technical and business
• In line with other initiatives resources to deliver:
– The required capabilities
– The organisational changes required to
leverage the capabilities
Source: IT Governance Institute, The Val IT Framework 2.0, USA, 2008. Reprinted with permission.
Ensure that the true project status is available for decision-makers using
common language and methodology.
4. IT expertise and skills CIO
Provide Mapping Between the Identified included for each example; however, as previously
Risk and the Assurance Available noted, this may not be the case in every enterprise.
The committee should be made aware of this
Finally, a mapping of the identified risk and the should it become part of the IT audit plan,8 or are
assurance available from all three lines of defense they happy to rely on the assurance provided?
is next (figure 6). The assurance items in the figure
are rather generic because it is only an illustration This mapping is key and why we have taken the
of where they come from; however, they should be time to build to this stage. The committee should be
as specific as possible. Internal audit reviews are made aware of the importance of the assurance