Developing The IT Audit Plan Using COBIT 2019 Joa Eng 0519
IS AUDIT BASICS

[Figure: the four-step IT audit planning process]
1. Understand the enterprise context and strategy.
2. Determine the components of the IT audit universe.
3. Risk assess the IT audit universe.
4. Conclude and validate the IT audit plan.
Determine the Components of the IT Audit Universe

ISACA defines a portfolio as a grouping of “objects of interest” (i.e., investment programs, IT services, IT projects, other IT assets or resources) managed and monitored to optimize business value.[10] A key consideration for IT portfolio management is getting the mix right to achieve this business value, one of the motives being that, just like a financial portfolio, some of the areas may not provide the expected value. Therefore, it makes sense to consider these portfolios when developing the IT audit plan—to match this mix we should audit across each of the areas defined in the portfolios.

Of course, this raises a question: What if there are no discernible portfolios? In that case, I propose using COBIT 2019’s components of the governance system[11] to define the IT audit portfolios (figure 3).

These are factors that, individually and collectively, contribute to the good operations of the enterprise’s governance system over I&T[12] and, therefore, should be considered when developing the IT audit plan.

The portfolios should include all activities that will be performed by IT audit. Why? Because performing audit recommendation follow-ups, attending training or reporting on the status of the audit activities takes time, and the only way to ensure that time is properly allocated for them is to include them in the audit plan.

Once the IT audit portfolios have been defined, they can be expanded to create the IT audit universe (figure 4).

Risk Assess the IT Audit Universe

Risk analysis is the process of estimating the two essential properties of each risk scenario[13]:

• Frequency—The number of times in a given period (usually in a year) that an event is likely to occur
• Impact—The business consequences of the scenario

Risk factors are those conditions that influence frequency and impact. They can be of different natures and can be classified into two major categories[14]:

• Contextual factors—Can be divided into internal and external factors, the difference being the degree of control an enterprise has over them
• Capabilities—How effective and efficient the enterprise is in a number of IT-related activities

The importance of risk factors lies in the influence they have on risk. They should be considered during every risk analysis.

Design factors are factors that can influence the design of an enterprise’s governance system and position it for success in the use of I&T.[15] If we accept that success includes managing risk, then it makes sense that the COBIT 2019 design factors can also be used as risk factors (figure 5).

The factors include those that helped with our understanding of the enterprise context and strategy and are described in detail in the COBIT 2019 Design Guide.[16] Their influence as risk factors is described in figure 6.

It should be noted that not all risk factors may be applicable to each enterprise or IT audit portfolio, nor should more traditional risk factors such as the market, economic factors, geopolitics and industry competition necessarily be ignored.

Once the risk factors have been decided upon, they can be used to perform the risk analysis. Practical guidance on performing this and the risk assessment is explained well in the Risk Scenarios Using COBIT® 5 for Risk[17] and the GTAG 11 documents.[18]
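The following is an added worked example, not code from the article or from ISACA. It turns the two sections above into a small risk-ranking routine: each item of a constructed IT audit universe carries a base frequency (events per year) and impact (loss per event), risk factors in the two categories named on the page (contextual factors and capabilities) are modelled as multipliers on frequency or impact, and items are ranked by frequency × impact. The plan builder also reflects the earlier section: it reserves hours for follow-ups, training and reporting before selecting audits, and it seeds the plan with the highest-risk item of every portfolio so that the plan audits across each area of the mix. The multiplier model, the hour budgets and all sample items and values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class RiskFactor:
    """A condition that influences frequency or impact.
    category is 'contextual' or 'capability' (the page's two categories);
    the multiplier model is an assumption of this example."""
    name: str
    category: str
    affects: str        # "frequency" or "impact"
    multiplier: float


@dataclass
class AuditItem:
    """One item of the IT audit universe, tagged with its portfolio."""
    portfolio: str
    name: str
    frequency: float    # expected events per year, before risk factors
    impact: float       # loss per event, in constructed units
    hours: float        # audit effort the item would consume
    factors: list = field(default_factory=list)


def adjusted_frequency_impact(item):
    """Apply every risk factor to the property it influences."""
    freq, impact = item.frequency, item.impact
    for rf in item.factors:
        if rf.affects == "frequency":
            freq *= rf.multiplier
        elif rf.affects == "impact":
            impact *= rf.multiplier
        else:
            raise ValueError(f"unknown risk property: {rf.affects}")
    return freq, impact


def annual_loss_exposure(item):
    """Frequency x impact: the expected loss per year for the scenario."""
    freq, impact = adjusted_frequency_impact(item)
    return freq * impact


def rank_universe(items):
    """Highest exposure first."""
    return sorted(items, key=annual_loss_exposure, reverse=True)


def build_plan(items, total_hours, overhead_hours):
    """Select audits within the hours left after reserving overhead
    (follow-ups, training, reporting), guaranteeing that every
    portfolio is represented before the rest is filled by exposure."""
    budget = total_hours - overhead_hours
    if budget <= 0:
        raise ValueError("no hours left for audits after overhead")
    ranked = rank_universe(items)
    chosen, covered, used = [], set(), 0.0
    # Pass 1: the top-ranked item of each portfolio, so the plan spans the mix.
    for item in ranked:
        if item.portfolio not in covered and used + item.hours <= budget:
            chosen.append(item)
            covered.add(item.portfolio)
            used += item.hours
    # Pass 2: spend the remaining hours strictly by exposure.
    for item in ranked:
        if item not in chosen and used + item.hours <= budget:
            chosen.append(item)
            used += item.hours
    return chosen, used


# Constructed sample risk factors and audit universe (not from the article).
WEAK_PATCHING = RiskFactor("Weak patch management", "capability", "frequency", 2.0)
REGULATED_DATA = RiskFactor("Regulated personal data", "contextual", "impact", 3.0)
MATURE_VENDOR = RiskFactor("Mature external vendor", "contextual", "frequency", 0.5)

UNIVERSE = [
    AuditItem("Managed Services", "Internet-facing web servers", 2.0, 100_000, 80, [WEAK_PATCHING]),
    AuditItem("Managed Services", "Internal file shares", 1.0, 20_000, 40),
    AuditItem("Projects", "ERP migration", 0.5, 500_000, 120, [REGULATED_DATA]),
    AuditItem("Information", "HR records", 0.2, 200_000, 60, [REGULATED_DATA]),
    AuditItem("Infrastructure", "Backup platform", 0.1, 50_000, 30, [MATURE_VENDOR]),
]


if __name__ == "__main__":
    for item in rank_universe(UNIVERSE):
        print(f"{annual_loss_exposure(item):>12,.0f}  {item.portfolio:<17} {item.name}")
    plan, used = build_plan(UNIVERSE, total_hours=400, overhead_hours=100)
    print(f"\nPlan ({used:.0f} h of 300 h available after overhead):")
    for item in plan:
        print(f"  {item.portfolio:<17} {item.name} ({item.hours:.0f} h)")
```

With the constructed inputs the ERP migration ranks first (its regulated-data factor triples the impact), the internal file shares rank fourth on exposure but are dropped from the plan because the Infrastructure portfolio's only item is cheaper and is needed to cover that area; swapping the multipliers or the overhead figure shows how quickly the ordering, and therefore the plan, changes.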