About
Subscribe

IT auditors get a boost

Johannesburg, 19 Jul 2007

IT auditors and assurance professionals have received a boost with the release of a new assessment guideline designed to assist auditors and assurance professionals with their reviews of IT processes and application systems.

This is the first update of the COBIT Audit Guideline in seven years. Titled the "IT Assurance Guide", this is one of a number of new COBIT-related documents released recently by the US-based ISACA organisation.

The IT Assurance Guide is a significant improvement over the now outdated Audit Guideline released in 2000. This new guide describes how COBIT can be used to support a variety of assurance activities for each of the 34 IT processes defined in the COBIT 4.1 framework.

The strong process orientation is expected to result in many IT auditors reconsidering both their approach to conducting assessments as well as the outcome that results from their efforts.

The IT Assurance Guide provides assurance advice at different levels. At the process level, process-specific advice is provided on how to test whether control objectives are being achieved and on how to document control weaknesses. At the control objective level (outcome), assurance steps are provided to test the control design for each specific control objective based on its control practices.

Increasingly, organisations are recognising that control of IT is critical for ensuring that IT delivers value to the organisation, risks are managed, regulatory requirements are met, and investments in IT deliver a reasonable return. Typically, IT auditors and assurance professionals consider the efficiency and effectiveness of control practices resulting in a particular IT process, achieving the desired result of managing a risk or delivering value to the business.

COBIT's more than 200 control objectives define what needs to be managed in each IT process to address business requirements and manage risk. They help to define clear outcomes, foster good practices and encourage process ownership. Through being clear about the business benefits that can result and the risks that may need to be avoided or mitigated, the IT Assurance Guide directs assurance personnel to a level below the control objectives and focuses on the key practices within the selected processes that are intended to produce the outcome expected.

The IT Assurance Guide's generic assurance steps cover the existence and design effectiveness of the proposed control design, as well as the associated responsibilities. The specific assurance steps test the effective operation of controls and are stated at the control objective level. Assurance steps are also provided to test the impact of control weakness or failure on the outcomes expected. Much of this may be new to IT auditors.

Info Sec Africa, a global leader in providing COBIT consulting and training, has introduced the first of a number of education opportunities to assist IT auditors and assurance professionals understand and make use of the new IT Assurance Guide. The first seminar is scheduled for the 30 - 31 July and will be held at the Sandton Courtyard Hotel in Rivonia Road.

Peter Hill, Info Sec Africa's managing director, says many auditors make regular use of the high-level COBIT control objectives but few really understand the process orientation of the COBIT model, and similar frameworks such as COSO for enterprise risk management and the new SEC requirements for Sarbanes-Oxley compliance.

More information about the IT Assurance seminar as well as the regular COBIT seminar schedule and COBIT tools can be found at www.cobit.co.za.

Share

Editorial contacts

Peter Hill
Info Sec Africa
(082) 558 8732