IT audit in accordance with Cobit standard

Conference Paper · May 2010


Source: IEEE Xplore


IT audit in accordance with Cobit standard

Dalibor Radovanović, Tijana Radojević, Dubravka Lučić, Marko Šarac


Singidunum University
Danijelova 32, Belgrade, Serbia
E-mail: dradovanovic@singidunum.ac.rs, tradojevic@singidunum.ac.rs, msarac@singidunum.ac.rs
Ernst & Young Belgrade
Bulevar Mihajla Pupina 115d, Belgrade, Serbia
E-mail: dubravka.lucic@yu.ey.com

Abstract - In today's market circumstances, it is indisputable that the number of jobs performed with the help of information systems is constantly growing. Managers often know very little about the information system, and in that circumstance it is very difficult for them to effectively perform the control function and successfully manage information. This paper explains the concept of information systems audit and the methodologies used. IT governance and information systems audit are imposed as an imperative for successful business. To improve the management of IT in accordance with regulatory requirements, organizations are using best practice frameworks to facilitate the work. One of these frameworks for IT governance is Cobit, which provides guidelines on what can be done in an organization in terms of control activities, measurement and documentation of processes and operations.

I. INTRODUCTION

A critical element for the survival and success of the organization is effectively managing information and communication technology (ICT). This is reflected in the increasing dependence on information and its associated systems, increased vulnerability and a wide range of threats to ICT, the extent and cost of existing and future investments in ICT systems, and the potential of technology to change work organization and business practices, creating new opportunities and reducing costs.

Fig 1. COBIT as consolidator

IT audit is the process of gathering and evaluating evidence on the basis of which one can evaluate the performance of IT systems, i.e., determine whether the operation of information systems serves to preserve property and maintain data integrity. It is also necessary to determine whether the IS enables effective achievement of business objectives and whether system resources are used in an effective and efficient manner. IT audit today represents a modern advisory function, a "right hand" that helps management with IT governance. Furthermore, it represents a procedure used to assess whether information technology acts in the function of successful accomplishment of business objectives.

There are several methodologies and standards that deal with this issue: COBIT, ITIL, ISO 27002 (ex ISO 17799) and ISO 9000. Organizations will consider and use a variety of IT models, standards and best practices. These must be understood in order to consider how they can be used together (Fig 1.), with COBIT acting as the consolidator.

II. COBIT

COBIT (Control Objectives for Information and Related Technologies) is the worldwide accepted standard which prescribes areas and individual controls for IT governance, informatics and related IT processes. The authors of the COBIT framework are the non-profit organizations ISACA (Information Systems Audit and Control Association) and ITGI (IT Governance Institute).

COBIT combines business and IT goals, providing the ability to monitor the maturity of the information metric system. COBIT enables management to optimize IT resources such as applications, information, infrastructure and people. The practice recommended by COBIT is a mixture of the knowledge of numerous experts, derived from good practice and applicable in any organization.

Fig 2. Development of the COBIT framework [8]
The first version of COBIT was created as a tool to support the audit of financial statements, but it continued to develop following the development of the IT role in business. With the release of the second version it became the most frequently used methodology for audit of information systems worldwide. Through further development and the publication of the third version in 2004, COBIT became an integrated framework for IT management, while the latest version, COBIT 4.1, represents the major framework and methodology for IT governance. Figure 2 shows the development of the COBIT framework and the roles it has had through its development and upgrading.

COBIT consists of 34 key business control processes, describing a maturity model for each process. It contains over 300 detailed IT controls. The primary control objectives are divided into four domains [6]:
1) Planning and Organization (PO) includes processes for planning and designing the organization in the function of achieving the organization's business goals. This domain includes risk assessment.
2) Acquisition and Implementation (AI) includes processes related to the acquisition and development of IT solutions, and manages changes of these solutions over time.
3) Delivery and Support (DS) includes the processes that affect the actual delivery of IT services to the organization. This domain includes the processes for managing problems and incidents, managing security, and other processes that affect the performance of IT.
4) Monitoring and Evaluation (ME) includes processes for regular review of IT processes and their success in achieving the relevant IT control objectives.
Each of these domains shows the key control activities of information technology related to the area. Each of these processes offers a so-called RACI matrix (the acronym of Responsible, Accountable, Consulted, Informed), a matrix which for each process determines who is responsible and authorized for implementation of particular control activities and who only needs to be informed and consulted.

Fig 3. Interrelationships of COBIT Components

For each of the key business and IT processes COBIT defines and provides (Fig 3.):
• Maturity models
• Critical success factors (CSF)
• Key goal indicators (KGI)
• Key performance indicators (KPI)
• RACI chart
• Control objectives and control tests.

Using the COBIT methodology, it is easy for management and corporate structures to determine which of these processes are important and to what extent. From the point of view of control and information systems audit, COBIT defines 18 application controls and 6 process controls. Assessments of maturity are based on the well-known CMM model, except that in the COBIT model the marks are described and explained in great detail for each process. The maturity of IT governance processes is assessed in the range of 0 to 5 [2, 11]:
• 0 - There are no processes; the process of IT governance does not exist. Management has not recognized the importance of this concept; decisions on investments in IT are uncontrolled, made case by case ('ad hoc'), outside system supervision and risk assessment, and completely in the hands of individuals.
• 1 - Initial processes: management is not aware of the importance of IT governance; there are no formal procedures, management and oversight of information technology is mostly done on an individual and uncontrolled basis, and actions are taken case by case. There are no standards, corporate rules, obligations or responsibilities regarding this issue. Management is generally not aware of the importance of IT risk. IT governance and its performance measurement are processes carried out only within the IT department, and management is passive, uneducated and not aware of this matter.
• 2 - Repeatable processes: IT governance processes exist, but they are uncoordinated and mainly initiated by the IT department or some other operating level. It often happens that many people perform the same task (segregation of duties issue); there is no system supervision, coordination or standardized procedures. Responsibility is left to individuals; corporate policies do not exist or are not presented to employees.
• 3 - Defined processes: IT governance procedures are prescribed and documented, and constantly improved through formal training and education. Procedures and corporate rules, although they formally exist, are not sophisticated, mature or customized to the organization's business. They only represent the formalization of existing procedures. Although procedures exist, responsibility for their execution lies with individuals, and since there is no system supervision, it is unlikely that anomalies in this matter can be detected.
• 4 - Managed processes: besides the existence of corporate policies and procedures, it is also possible to constantly monitor their execution, measure their performance and take the necessary corrective action in accordance with needs. Processes and activities are continuously improved. Very sophisticated IT governance objectives, closely aligned with the business objectives, are being set. Use of current methods and frameworks
(COBIT, IT BSC and ITIL) in performance measurement and IT audit is required.
• 5 - Optimized processes: IT governance processes are brought to the optimal level and the company is a leader in the area. The performance and efficiency of IT as a business function are constantly measured, and the results are compared with best practice and other organizations. Complete transparency in IT governance prevails; corporate bodies have actual supervision over information technology through a series of formal mechanisms. Information technology is used for a strategic purpose, as a key business resource, and information activities (investments, projects, risks, etc.) function optimally, aligned with the real business priorities.

It is essential that the most important methods of IT governance and information systems audit, such as ITIL, COBIT and Sarbanes-Oxley, use the same range for the assessment of IT process maturity and the effectiveness of controls over them (from 0 to 5, with the same explanation).

Fig 4. The COBIT cube (axes: business requirements: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability; IT resources: applications, information, infrastructure, people; IT processes: domains, processes, activities)

To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. Based on the broader quality, fiduciary and security requirements, seven distinct, certainly overlapping, information criteria are defined as follows [10, 11, 12]:
• Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.
• Efficiency concerns the provision of information through the optimal use of resources.
• Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
• Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations.
• Availability relates to information being available when required by the business process now and in the future. It also concerns the safeguarding of necessary resources and associated capabilities.
• Compliance deals with complying with the laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria as well as internal policies.
• Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

In summary, IT resources are managed by IT processes to achieve goals that meet the business requirements of organizations. This basic principle of the COBIT framework is illustrated in Fig 4. The IT resources identified in COBIT can be defined as follows [6]:
• Applications are the automated user systems and manual procedures that process the information.
• Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
• Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
• People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

III. ITIL

The UK Government recognized very early on the significance of IT best practices to Government and, for many years, has developed best practices to guide the use of IT in Government departments. These practices have now become common standards around the world in the private and public sectors. ITIL was developed more than 15 years ago to document best practice for IT service management, with that best practice being determined through the involvement of industry experts, consultants and practitioners.

ITIL is based on defining best practice processes for IT service management and support, rather than on defining a broad-based control framework. It focuses on the method and defines a more comprehensive set of processes. Additionally, ITIL provides a business and strategic context for IT decision making and for the first time describes continual service improvement as the key activity which drives maintenance of value delivery to customers.

IT service management is concerned with planning, sourcing, designing, implementing, operating, supporting and improving IT services that are appropriate to business needs. ITIL provides a comprehensive, consistent and coherent best practice framework for IT service management and related processes, promoting a high-quality approach for achieving business effectiveness and efficiency in IT service management. ITIL is intended to underpin but not dictate the business processes of an organization. The role of the ITIL framework is to describe approaches, functions, roles and processes upon which organizations may base their own practices, and to give guidance at the lowest level that is applicable generally.
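As an added illustration (not part of the paper or of any COBIT publication), the following Python script rolls up per-process maturity assessments on the 0 to 5 scale described in Section II into the four COBIT domains (PO, AI, DS, ME) and lists the processes that fall short of a target level, which is the gap view an auditor derives from such an assessment. The process ids follow COBIT 4.1 naming; the assessment values, the target levels and the default target of 3 are constructed assumptions for the demonstration.

```python
"""Roll up COBIT 4.1 process maturity scores (0-5) into domain summaries.

Added example, not from the paper.  Process ids (PO1, DS5, ...) follow the
COBIT 4.1 naming; sample scores and targets below are constructed.
"""
from collections import defaultdict
from statistics import mean

# Level names as used in the paper's description of the 0-5 scale.
MATURITY_LEVELS = {0: "No processes", 1: "Initial", 2: "Repeatable",
                   3: "Defined", 4: "Managed", 5: "Optimized"}
DOMAINS = {"PO": "Plan and Organise", "AI": "Acquire and Implement",
           "DS": "Deliver and Support", "ME": "Monitor and Evaluate"}
DEFAULT_TARGET = 3  # assumed target when none is given for a process


def domain_of(process_id: str) -> str:
    """Return the domain prefix of a COBIT process id such as 'DS13'."""
    prefix = process_id.rstrip("0123456789")
    if prefix not in DOMAINS:
        raise ValueError(f"unknown COBIT domain in process id {process_id!r}")
    return prefix


def is_valid_level(level) -> bool:
    """True only for integers 0..5 (bool is excluded on purpose)."""
    return isinstance(level, int) and not isinstance(level, bool) and 0 <= level <= 5


def validate_level(level) -> int:
    if not is_valid_level(level):
        raise ValueError(f"maturity level must be an integer 0-5, got {level!r}")
    return level


def gap_analysis(assessment: dict, targets: dict) -> dict:
    """assessment and targets map process id -> level.

    Returns {domain: {name, average, minimum, gaps}} where gaps is a list of
    (process, current, target) tuples sorted by the size of the shortfall.
    """
    buckets = defaultdict(lambda: {"levels": [], "gaps": []})
    for pid, current in assessment.items():
        current = validate_level(current)
        target = validate_level(targets.get(pid, DEFAULT_TARGET))
        bucket = buckets[domain_of(pid)]
        bucket["levels"].append(current)
        if current < target:
            bucket["gaps"].append((pid, current, target))
    return {
        dom: {
            "name": DOMAINS[dom],
            "average": round(mean(b["levels"]), 2),
            "minimum": min(b["levels"]),
            "gaps": sorted(b["gaps"], key=lambda g: g[2] - g[1], reverse=True),
        }
        for dom, b in buckets.items()
    }


def report(result: dict) -> str:
    """Render the summary in domain order, one line per domain plus gaps."""
    lines = []
    for dom in DOMAINS:
        if dom not in result:
            continue
        r = result[dom]
        lines.append(f"{dom} {r['name']}: avg {r['average']}, min {r['minimum']} "
                     f"({MATURITY_LEVELS[r['minimum']]})")
        for pid, cur, tgt in r["gaps"]:
            lines.append(f"  gap {pid}: level {cur}, target {tgt}, short by {tgt - cur}")
    return "\n".join(lines)


# Constructed sample assessment (not real audit data).
SAMPLE_ASSESSMENT = {"PO1": 3, "PO9": 2, "AI6": 4, "DS5": 2, "DS8": 3, "ME2": 1, "ME4": 2}
SAMPLE_TARGETS = {"PO9": 4, "DS5": 4, "ME2": 3}

if __name__ == "__main__":
    print(report(gap_analysis(SAMPLE_ASSESSMENT, SAMPLE_TARGETS)))
```

The validation step matters in practice: scores collected from spreadsheets or interview notes often arrive as strings, half-steps or out-of-range values, and an aggregate computed over such input silently misstates the domain's position.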
Below that level, and to implement ITIL in an organization, specific knowledge of its business processes is required to drive ITIL for optimum effectiveness. In ITIL V3, the most significant development has been the move from a process-based framework to a more comprehensive structure reflecting the life cycle of IT services. In this new context, the key processes have been updated, but more significantly, ITIL V3 now describes IT service management functions, activities and organizational structure; strategic and sourcing concerns; and integration with the business.

Five volumes comprise ITIL v3, published in May 2007 [7]:
• ITIL Service Strategy
• ITIL Service Design
• ITIL Service Transition
• ITIL Service Operation
• ITIL Continual Service Improvement

Table 1. Overview of COBIT, ITIL and ISO27002

|                | COBIT                                     | ITIL                                 | ISO27002                                   |
| Function       | Mapping IT Process                        | Mapping IT Service Level Management  | Information Security Framework             |
| Area           | 34 Processes, 4 Domains                   | 9 Processes                          | 10 Domains                                 |
| Issuer         | ISACA                                     | OGC                                  | ISO Board                                  |
| Implementation | Information System Audit                  | Manage Service Level                 | Compliance with security standards         |
| Consultant     | Accounting Company, IT Consulting Company | IT Consulting Company                | Security Company, IT and Network Consulting |

ITIL's best practice framework covers a total of 9 processes and enables the implementation of IT service level management, with a focus on achieving business effectiveness and efficiency in IT service management.

IV. ISO 27002 AND ISO 27001 STANDARD

The international standard of IT security controls, ISO/IEC 27002:2005, was published by ISO and the IEC, which established a joint technical committee, ISO/IEC JTC 1, ISO 27000 [5] Directory (2005). Its goal is to provide information to parties responsible for implementing information security within an organization. It can be seen as a best practice for developing and maintaining security standards and management practices within an organization, in order to improve the reliability of information security in inter-organizational relationships. It defines 133 security control strategies under 11 major headings. The standard emphasizes the importance of risk management and makes it clear that it is not necessary to implement every stated guideline, only those that are relevant.

The guiding principles in ISO/IEC 27002:2005 are the starting points for implementing information security. They rely on either legal requirements or generally accepted best practices. Measures based on legal requirements include: protection and non-disclosure of personal data, protection of internal information and protection of intellectual property rights. Best practices mentioned in the standard include: information security policy, assignment of responsibility for information security, problem escalation and business continuity management [1].

V. COMPARISON OF COBIT, ITIL AND ISO27002

A first difference between the three standards is the fact that they are issued by different organizations with different areas of activity and objectives. The general function of the standards is also slightly different (Table 1.). COBIT provides best practices and tools for monitoring and mapping IT processes, while ITIL aims to map IT service level management and ISO27002 provides guidelines for implementing a standardized information security framework. COBIT consists of 4 domains and 34 processes which are required for the implementation of the information system audit.

Table 2. Comparison of COBIT, ITIL and ISO 27002 (✓ marks a COBIT control objective referred to by ISO 27002 or ITIL, "slightly" a partial reference; the ISO 27002 and ITIL marks of each row are listed together)

| COBIT control objectives                                   | References in ISO 27002 / ITIL |
| Strategic level: PO - PLAN AND ORGANISE                    |                                |
| PO1 Define a strategic IT plan                             |                                |
| PO2 Define the information architecture                    | ✓                              |
| PO3 Determine technological direction                      | ✓, slightly                    |
| PO4 Define the IT processes, organization and relationships | ✓, slightly                   |
| PO5 Manage the IT investment                               | slightly                       |
| PO6 Communicate management aims and direction              | ✓                              |
| PO7 Manage IT human resources                              | ✓                              |
| PO8 Manage quality                                         | ✓                              |
| PO9 Assess and manage IT risks                             | ✓                              |
| PO10 Manage projects                                       |                                |
| Tactical and operational level: DS - DELIVER AND SUPPORT   |                                |
| DS1 Define and manage service levels                       | ✓ ✓                            |
| DS2 Manage third-party services                            | ✓ ✓                            |
| DS3 Manage performance and capacity                        | ✓ ✓                            |
| DS4 Ensure continuous service                              | ✓ ✓                            |
| DS5 Ensure systems security                                | ✓                              |
| DS6 Identify and allocate costs                            | ✓                              |
| DS7 Educate and train users                                | ✓                              |
| DS8 Manage service desk and incidents                      | ✓ ✓                            |
| DS9 Manage the configuration                               | ✓ ✓                            |
| DS10 Manage problems                                       | ✓ ✓                            |
| DS11 Manage data                                           | ✓ ✓                            |
| DS12 Manage the physical environment                       | ✓                              |
| DS13 Manage operations                                     | ✓ ✓                            |
| Tactical and operational level: AI - ACQUIRE AND IMPLEMENT |                                |
| AI1 Identify automated solutions                           | ✓ ✓                            |
| AI2 Acquire and maintain application software              | ✓ ✓                            |
| AI3 Acquire and maintain technology infrastructure         | ✓ ✓                            |
| AI4 Enable operation and use                               | ✓ ✓                            |
| AI5 Procure IT resources                                   | ✓ ✓                            |
| AI6 Manage changes                                         | ✓ ✓                            |
| AI7 Install and accredit solutions and changes             | ✓ ✓                            |
| Strategic level: ME - MONITOR AND EVALUATE                 |                                |
| ME1 Monitor and evaluate IT performance                    |                                |
| ME2 Monitor and evaluate internal control                  | ✓                              |
| ME3 Ensure compliance with external requirements           |                                |
| ME4 Provide IT governance                                  |                                |
These three methodologies have been used quite widely in the past few years by certain organizations and represent best practice, approved, developed and tested by experts worldwide. Table 2 shows the correlation between the control objectives presented through the COBIT framework and the ISO 27002 and ITIL methodologies.

In relation to the COBIT framework, ITIL describes in detail the procedures for delivery and support services (DS domain, Table 2), but does not support all the requirements for monitoring and evaluation of ICT within the COBIT model. Some control objectives of the COBIT model in the domain of planning and organization (PO domain, Table 2) are treated superficially in ITIL. The ITIL model is not focused on describing what needs to be addressed in the management of ICT; its processes are structured in detail to indicate who should apply them and how (roles and responsibilities).

In the period from 1 June to 31 July 2009, Ernst & Young conducted a survey which included 1865 companies from 61 countries, covering all major industries. This research belongs to the group of the oldest and most respected studies of this type. It provides a comparison of companies in respect of the major areas of information security and IT governance [4].

COBIT is increasingly popular for planning IT audit activity (Fig 5) and is adopted by 69 percent of respondents. These frameworks deliver a structured approach to planning and focus the IT audit on the business and technological risks of the organization.

Fig 5. Standards and frameworks that are used for planning IT audit activity

VI. CONCLUSIONS

COBIT, ITIL, ISO 17799 and ISO 27001 are the group of methodologies most commonly used by companies in respect of IT security and IT governance. They are used in parallel, which is not surprising, considering that they represent best practices and experiences which have been approved, developed and tested in companies around the world.

Many organizations face a continually changing set of pressures and dynamics in the current economic climate. Faced with shrinking markets, they can choose to rationalize, merge or contract. The technology thread which holds systems and processes together is at risk. As a consequence, IT Internal Audit plays an integral role in maintaining discipline and rigor across functions and geographies.

Internal Audit should have a direct line to executive management and the Audit Committee. By cascading top-level opinion on the value and content of Internal Audit's outputs and by communicating information on the issues that affect the business, the function can heighten its visibility.

To maintain that position, it needs to develop a closer relationship with the business while maintaining its independence and objectivity. It also needs to work in closer cooperation with the wider audit function to leverage understanding and efficiency. This powerful combination of technical and business know-how, underpinned by an understanding of operational and technology risk, can turn the function from cost centre to value builder.

IT audit as a discipline is maturing. To compete in this new and threatening environment, it needs to standardize, automate and speed up its analysis and reporting. It has to become more economic and efficient by reducing costs and using tools that improve the effectiveness and reliability of its output and its compliance and control.

REFERENCES

[1] Calder, A., & Watkins, S. 2008. A Manager's Guide to Data Security and ISO 27001 / ISO 27002. Kogan Page.
[2] Cannon, D. L. 2008. CISA Certified Information Systems Auditor Study Guide. Sybex.
[3] Davis, C., Schiller, M., & Wheeler, K. 2007. IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill Osborne Media.
[4] Ernst & Young. 2009. Global Information Security Survey. Available from Internet: http://www.ey.com/Publication//vwLUAssets/12th_annual_GISS/$FILE/12th_annual_GISS.pdf.
[5] ISO. 2005. ISO/IEC 27001. Switzerland: International Organization for Standardization (ISO).
[6] ITGI. 2007. CobiT 4.1 – Framework, Control Objectives, Management Guidelines and Maturity Models. USA: IT Governance Institute.
[7] ITIL. 2007. An Introductory Overview of ITIL V3. London: The UK Chapter of the itSMF.
[8] Min, Y. W. 2009. Understanding and Auditing IT Systems. Peking: Lulu.
[9] Panian, Z., & Spremic, M. 2007. Korporativno upravljanje i revizija informacijskih sustava. Zagreb: Zgombić & Partneri.
[10] Van Haren Publishing. 2008. IT Governance based on Cobit 4.1 - A Management Guide. Van Haren Publishing.
[11] Selig, G. J. 2008. Implementing IT Governance. Van Haren Publishing.
[12] Senft, S., & Gallegos, F. 2009. Information Technology Control and Audit (Third ed.). Boca Raton, USA: Taylor & Francis Group.
[13] Spremic, M. 2007. Methods of auditing information systems. Zbornik Ekonomskog fakulteta u Zagrebu, 295-312.
