COBIT 2019

AUDIT STRATEGY
AGENDA
⬡ COBIT 2019 Synopsis
⬡ COBIT 2019 Core Model
⬡ Purpose of the Audit
⬡ Example of COBIT Controls and Metrics
⬡ Audit Approach and Methodology
⬡ Design/Risk Factors
⬡ Organization Risk Profile
⬡ Audit Roles and Responsibilities
⬡ COBIT 2019 Implementation Roadmap
⬡ Q&A
COBIT 2019 SYNOPSIS
COBIT stands for Control Objectives for Information and Related Technology
It is a framework created by the ISACA for IT governance and management
COBIT 2019 is the 6th version of COBIT, launched late in 2018 to address new
trends, technologies and security needs.

Figure: COBIT spans two disciplines, Governance and Management.
COBIT 2019 SYNOPSIS (CONTINUED)

Figure: three numbered themes, 1 Value Creation, 2 Business/IT Alignment, 3 Enterprise Governance of IT.

• Given the centrality of I&T for enterprise risk management and value generation, a specific focus on enterprise governance of information and technology (EGIT) has arisen over the last three decades.
• Over the years, best-practice frameworks such as COBIT 2019 have been developed and promoted to assist in the process of implementing EGIT.
COBIT 2019 SYNOPSIS (CONTINUED)
What COBIT is:
• COBIT is a framework for the governance and management of enterprise information and technology.
• COBIT is aimed at the whole enterprise.
• COBIT makes a clear distinction between governance and management.
• COBIT defines the components to build and sustain a governance system.
• COBIT defines the design factors that should be considered by the enterprise to build a best-fit governance system.

What COBIT is not:
• COBIT is not a full description of the whole IT environment of an enterprise.
• COBIT is not a framework to organize business processes.
• COBIT is not a technical framework to manage all technology.
• COBIT does not make or prescribe any IT-related decisions.
COBIT 2019 SYNOPSIS (CONTINUED)
The COBIT 2019 “CORE” consists of 40 governance and
management objectives
Five domains: one governance domain and four management domains.
COBIT 2019 CORE MODEL

PURPOSE OF THE AUDIT

• Assessment of IT Governance
• Risk Management
• Compliance and Regulatory Requirements
• Performance Evaluation
• Alignment with Best Practices
• Continuous Improvement
EXAMPLE COBIT 2019 CONTROLS AND METRICS
Domain: Evaluate, Direct, Monitor
Objective: Ensured governance framework setting and maintenance

Controls:
• Evaluate the governance system.
• Direct the governance system.
• Monitor the governance system.

Metrics for Enterprise Goals:
• Cost of regulatory noncompliance, including settlements and fines
• Number of regulatory noncompliance issues causing public comment or negative publicity
• Number of noncompliance matters noted by regulators

Metrics for Alignment Goals:
• Cost of IT noncompliance, including settlements and fines and the impact of reputational loss
• Number of IT-related noncompliance issues reported to the board, or causing public comment or embarrassment
• Number of noncompliance issues relating to contractual agreements with IT service providers
KEY COBIT 2019 CONTROLS AND METRICS
Domain: Build, Acquire and Implement
Objective: Manage IT changes

Controls:
• Change Request Initiation and Control
• Impact Assessment
• Control of Changes
• Documentation and Procedures
• Authorized Maintenance
• Software Release Policy
• Distribution of Software

Metrics for Enterprise Goals:
• Percent of products or services that meet or exceed customer satisfaction target
• Percent of products or services that meet competitive advantage
• Time to market for new products or services

Metrics for Alignment Goals:
• Level of satisfaction of business executives with IT responsiveness to new requirements
• Average time to turn strategic IT objectives into agreed and approved initiatives
• Number of critical business processes supported by infrastructure and applications
AUDIT APPROACH AND METHODOLOGY

Step 1: Understand the enterprise context and strategy
• Understand enterprise strategy
• Understand goals
• Understand risk profile
• Understand current IT-related issues

Step 2: Determine the components of the IT audit universe
• Consider the components of the governance system
• Determine the IT audit portfolios
• Define the IT audit universe

Step 3: IT audit risk assessment
• Consider COBIT 2019 design factors as risk factors

Step 4: Finalize the IT audit plan
• Resolve inherent priority conflicts
• Conclude and publish the IT audit plan
COBIT 2019 DESIGN/RISK FACTORS
Design factors which will be audited as risk factors:
• Enterprise Strategy
• Enterprise Goals
• Risk Profile
• Threat Landscape
• Compliance Requirements
• IT-related Issues
• Role of IT
• IT Sourcing Model
• IT Implementation Method
• Technology Adoption Strategy
• Enterprise Size
ORGANIZATION RISK PROFILE
It is very important to understand the risk profiles that may affect the organization:
• IT investment decision making, portfolio definition and maintenance
• Software failures
• Logical attacks (hacking, malware, etc.)
• Program and projects lifecycle management
• Third party/supplier incidents
• IT cost and oversight
• Noncompliance
• IT expertise, skills and behaviour
• Geopolitical issues
• Enterprise/IT architecture
• Industrial action
• IT operational infrastructure incidents
• Acts of nature
• Unauthorized actions
• Technology-based innovation
• Software adoption/usage problems
• Environmental
• Hardware incidents
AUDIT ROLES AND RESPONSIBILITIES
Internal Audit Team
  Team Members: Internal auditors who are employees of the organization.
  Roles and Responsibilities: Conduct audits to assess internal controls and compliance with policies and regulations.

External Audit Firm
  Team Members: Independent professionals or firms hired by the organization to perform audits.
  Roles and Responsibilities: Conduct financial audits, compliance audits, or special audits as required.

Audit Committee
  Team Members: The audit committee, a sub-committee of the board of directors, provides oversight of the audit process.
  Roles and Responsibilities: Review audit plans, findings, and recommendations, and ensure that appropriate actions are taken to address any issues identified.

Management Representatives
  Team Members: Individuals from various departments within the organization may participate in the audit process as management representatives.
  Roles and Responsibilities: Provide information, documentation, and assistance to auditors during fieldwork, and may be responsible for implementing audit recommendations.

Subject Matter Experts (SMEs)
  Team Members: SMEs possess specialized knowledge and expertise in specific areas relevant to the audit scope.
  Roles and Responsibilities: Consulted by auditors to provide insights, clarify technical matters, or review findings related to their respective areas.
AUDIT ROLES AND RESPONSIBILITIES (CONTINUED)
Information Technology (IT) Personnel
  Team Members: IT personnel play a crucial role in audits involving IT systems, controls, and security.
  Roles and Responsibilities: Provide access to IT infrastructure, systems documentation, and technical expertise to auditors conducting the IT audit.

Finance Department
  Team Members: Finance department personnel are involved in financial audits.
  Roles and Responsibilities: Provide financial statements, accounting records, and explanations of financial transactions to auditors.

Human Resources (HR) Department
  Team Members: HR personnel may participate in audits.
  Roles and Responsibilities: Provide employee records, payroll and benefits information, and evidence of compliance with employment laws and regulations.

Quality Assurance/Quality Control (QA/QC) Teams
  Team Members: The QA/QC department may participate in the audit.
  Roles and Responsibilities: QA/QC teams ensure that products, services, and processes meet quality standards.
COBIT 2019 IMPLEMENTATION ROADMAP

Thanks!
Any questions?
