Frameworks for Audit of an Information System

Internal auditors rely on internal control frameworks when documenting and testing a control environment. With many frameworks available, management can choose which ones to use and may even select different frameworks for specific situations. The three most popular control frameworks used by internal auditors are COBIT, COSO and the ISO/IEC 27000 family (ISO 27001 in particular).

COBIT
• Today COBIT is widely used by IT and business process managers as a model for delivering value to the organisation and for managing the risks associated with IT processes.
• Applying the COBIT control model supports, but does not by itself guarantee, the integrity of the information system: the framework defines the control objectives to aim for, and it is the audit that tests whether the controls actually operate.

HISTORY OF COBIT
• COBIT was initially developed for audit purposes; in later versions further modules were added and updated so that it could also serve control, management and governance needs. (COBIT was first released by ISACA in 1996 for IT auditors; later editions such as COBIT 4.1 in 2007, COBIT 5 in 2012 and COBIT 2019 broadened it progressively.) The original slide included a chart showing the focus area of each COBIT version.

COBIT FOR IT GOVERNANCE
• COBIT provides a framework for IT governance covering five focus areas:

Strategic alignment
Focuses on ensuring the linkage of business and IT plans; on defining, maintaining and validating the IT value proposition; and on aligning IT operations with enterprise operations.

Value delivery
Is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimising costs and proving the intrinsic value of IT.

Resource management
Is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimisation of knowledge and infrastructure.

Risk management
Requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise, and embedding of risk management responsibilities in the organisation.
Performance measurement
Tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

COBIT
• COBIT stands for Control Objectives for Information and Related Technology.
• It is a framework created by ISACA (the Information Systems Audit and Control Association) for IT governance and management.
• It was designed as a supportive tool for managers, bridging the crucial gap between technical issues, business risks and control requirements.
• COBIT aims to support the quality, control and reliability of an organisation's information systems, on which every modern business depends.

COBIT
• COBIT helps bridge the gaps between business risks, control needs and technical issues. It provides good practices across a domain and process framework and presents activities in a manageable and logical structure.
• COBIT:
  ¤ Starts from business requirements
  ¤ Is process-oriented, organising IT activities into a generally accepted process model
  ¤ Identifies the major IT resources to be leveraged
  ¤ Defines the management control objectives to be considered
  ¤ Incorporates major international standards
  ¤ Is widely regarded as the de facto standard for overall control of IT

COBIT
• The COBIT framework was created with four main characteristics:
  § Business-focused
  § Process-oriented
  § Controls-based
  § Measurement-driven

COBIT 5: The 5 key principles
• According to ISACA, COBIT 5 helps businesses maximise IT value by "maintaining a balance between realising benefits and optimising risk levels and resource use".

1. Meeting stakeholder needs
• The first principle of COBIT 5, Meeting Stakeholder Needs, encompasses the idea that enterprises exist to create value for their stakeholders, whatever that value may be.
When making decisions about IT management and governance, organisations therefore need to consider which stakeholders stand to benefit from the decision and who is taking on the majority of the risk.

2. Covering the enterprise end to end
• Because COBIT 5 looks at governance and IT management decisions from an end-to-end enterprise perspective, organisations employing the framework make decisions that extend past the IT function and treat IT as an asset that aligns with the other business processes.

3. Applying a single, integrated framework
• COBIT 5's single integrated framework allows it to be used as an overarching governance and management system that aligns with the other frameworks and standards in use within the organisation.

4. Enabling a holistic approach
• Holism, viewing a system as a whole rather than as a set of individual components, is a critical modern business strategy. COBIT 5 takes a holistic approach to IT management and governance, allowing for greater collaboration and achievement of common goals.

5. Separating governance from management
• Finally, COBIT 5 emphasises the need for a clear distinction between IT governance and management. ISACA holds that the two disciplines require separate organisational structures and different processes because they serve separate organisational purposes.

COBIT 5 ENTERPRISE ENABLERS
Enablers are factors that, individually or together, influence whether something will work, in this case the governance and management of enterprise IT. The five principles allow an organisation to build a holistic framework for the governance and management of IT that rests on seven enablers:
• Principles, policies and frameworks: the means of translating desired behaviour into practical guidance for day-to-day management.
• Processes: organised sets of practices and activities that achieve certain objectives and produce outputs in support of overall IT-related goals. Processes and activities capture how, when and by whom work is made to flow.
• Organisational structures: the key decision-making entities in the enterprise.
• Culture, ethics and behaviour: factors related to individuals and to the enterprise as a whole.
• Information: all information produced and used by the enterprise; at the operational level, information is very often the key product of the enterprise itself.
• Services, infrastructure and applications: the infrastructure, technology and applications that provide the enterprise with IT processing and services.
• People, skills and competencies: the people-related resources required for successful completion of activities and for making correct decisions and taking corrective action.

COBIT 5 ENTERPRISE ENABLERS
• The last three categories of enablers are the organisation's IT resources or capabilities, which must be managed and governed together with the other enablers in a systemic and integrated way.
• Effective management and use of these resources in conjunction with the other enablers leads to the creation of IT value; each enabler needs input from the others to be effective.
• For example, processes need information and organisational structures, and organisational structures need skills and behaviour, before either can be properly implemented.

Benefits of COBIT
The COBIT 5 framework can help organisations of all sizes to:
• Improve and maintain high-quality information to support business decisions.
• Use IT effectively to achieve business goals.
• Use technology to promote operational excellence.
• Ensure that IT risk is managed effectively.
• Ensure that the organisation realises the value of its investments in IT; and
• Achieve compliance with laws, regulations and contractual agreements.

COSO
• The COSO Framework is a system for establishing internal controls that are integrated into business processes. Collectively, these controls provide reasonable assurance (not a guarantee) that the organisation is operating ethically, transparently and in accordance with established industry standards.
• COSO is an acronym for the Committee of Sponsoring Organizations of the Treadway Commission. The committee was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, chaired by James C. Treadway, Jr., and published its Internal Control - Integrated Framework in 1992. Its sponsoring organisations are:
  • American Accounting Association
  • Financial Executives International
  • The Institute of Internal Auditors
  • American Institute of Certified Public Accountants
  • The Institute of Management Accountants (formerly the National Association of Cost Accountants)

COSO
• The COSO framework was updated in 2013. The 2013 update made the 17 principles (listed below) explicit and retained the COSO cube, a 3-D diagram that shows how the components, objectives and organisational levels of an internal control system relate to one another. In 2017 the committee published an updated COSO Enterprise Risk Management Framework, which aims to help organisations understand and prioritise risks and to create a strong link between risk, strategy and business performance.

Five components of the COSO Framework
• Control environment. In COSO's own terms, the control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation, starting with the tone set by the board and senior management. It seeks to make sure that all business processes are based on industry-standard practices. This helps ensure that the business is run responsibly, and it may reduce an organisation's legal exposure if the organisation can show that its processes follow industry-standard practice.
Additionally, the control environment helps ensure that the organisation adheres to its regulatory compliance requirements.
• Risk assessment and management. Risk assessment and management, sometimes referred to as enterprise risk management, starts from the idea that risk is an inherent part of doing business but that those same risks can cause the business to suffer adverse consequences. Organisations therefore adopt risk management plans that help them identify risks and reduce or eliminate those deemed to threaten the organisation's well-being.

Five components of the COSO Framework
• Control activities. Control activities are also tied to risk management. They are the internal controls (policies and procedures) put in place to make sure that business processes are performed in a way that helps the organisation meet its objectives without introducing unnecessary risk.
• Information and communication. Communication rules are put in place to make sure that both internal and external communications adhere to legal requirements, ethical values and standard industry practice. For example, private-sector organisations commonly adopt privacy policies establishing how customer data may be used.
• Monitoring. At a minimum, monitoring is performed by an internal auditor who checks that employees adhere to the established internal controls. For public companies it is also common for an outside auditor to evaluate the organisation's regulatory compliance. In either case the audit results are usually reported to the board of directors.

COSO Framework's 17 Principles of Effective Internal Control
The 17 principles, grouped by internal control component and numbered 1 to 17 as COSO numbers them:

Control environment
1. Demonstrate commitment to integrity and ethical values
2. Ensure that the board exercises oversight responsibility
3. Establish structures, reporting lines, authorities and responsibilities
4. Demonstrate commitment to a competent workforce
5. Hold people accountable

Risk assessment
6. Specify appropriate objectives
7. Identify and analyse risks
8. Evaluate fraud risks
9. Identify and analyse changes that could significantly affect internal controls

Control activities
10. Select and develop control activities that mitigate risks
11. Select and develop general controls over technology
12. Deploy control activities through policies and procedures

Information and communication
13. Use relevant, quality information to support the internal control function
14. Communicate internal control information internally
15. Communicate internal control information externally

Monitoring
16. Perform ongoing or periodic evaluations of internal controls (or a combination of the two)
17. Communicate internal control deficiencies

COSO Framework's 17 Principles of Effective Internal Control
Principle 11 of the updated (2013) internal control framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) is the principle that bears directly on information technology controls, and it provides the basis for assessing the effectiveness of IT general controls. Principle 11 states that the organisation selects and develops general control activities over technology to support the achievement of objectives. The points of focus supporting the principle state that the organisation:
• Determines the dependency between the use of technology in business processes and technology general controls.
• Establishes relevant technology infrastructure control activities.
• Establishes relevant security management process control activities.
• Establishes relevant technology acquisition, development and maintenance process control activities.
ISO 27001
• ISO 27001 is the international standard for an information security management system (ISMS). It is intended to provide a standard framework for how organisations should manage their information security and the data they hold.
• The standard is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), so you may also see it under the name ISO/IEC 27001.

ISO 27001
• Note that ISO 27001 is a standards framework that does not work on its own. It takes input from management and other organisational decision-makers (the ISMS scope, the risk assessment and the risk treatment decisions) to give an accurate picture of the security risks, threats and vulnerabilities present.
• The control domains listed below are the Annex A domains of the 2013 edition (A.5 to A.18). The 2022 revision of the standard regrouped the Annex A controls into four themes (organisational, people, physical and technological), so an audit against ISO/IEC 27001:2022 uses a different control numbering.

ISO 27001 controls
• A.5 Information security policies. These controls describe how the organisation should define, approve and review its information security policies.
• A.6 Organization of information security. These controls provide a framework for information security by defining the internal organisation (roles and responsibilities) as well as other aspects such as the use of mobile devices, project management and teleworking.
• A.7 Human resource security. This domain presents controls that address the information security aspects of HR before, during and at the end of employment.
• A.8 Asset management. These controls concern the identification of information assets, the assignment of responsibility for their protection, information classification and media handling.
• A.9 Access control. These controls limit access to information assets and cover both logical and physical access control.

ISO 27001 controls
• A.10 Cryptography. This domain provides the basis for the use of encryption to protect the confidentiality, authenticity and integrity of the organisation's information, including the management of cryptographic keys.
• A.11 Physical and environmental security. These controls concern physical areas, equipment and facilities and protect against interference by both humans and nature.
• A.12 Operations security. These controls ensure that the organisation's IT systems, operating systems and software are operated securely (operating procedures and change management, malware protection, backup, logging and monitoring, and technical vulnerability management).
• A.13 Communications security. These are controls for the network (infrastructure and services) and for the information that travels through it.

ISO 27001 controls
• A.14 System acquisition, development and maintenance. Controls to ensure that information security is built in when purchasing, developing or upgrading information systems.
• A.15 Supplier relationships. These controls are meant to ensure that suppliers and partners apply the right information security controls, and they describe how third-party security performance should be monitored.

ISO 27001 controls
• A.16 Information security incident management. This domain contains controls for security incident handling, communication, resolution and prevention of recurrence.
• A.17 Information security aspects of business continuity management. Controls to ensure continuity of information security management during disruptions, as well as the availability of information processing facilities.
• A.18 Compliance. The controls in this domain are a framework for preventing breaches of legal, regulatory, statutory and contractual obligations. They also cover independent review, i.e. auditing whether the implemented information security is effective against the ISO 27001 standard.

Auditing guidance
The information security policy (Annex A.5) should at least address the following topics:
• A comprehensible definition of information security, its overall scope and objectives;
• The reasons why information security is important to the organisation;
• A statement of top management's support for information security;
• A summary of the practical framework for risk assessment, risk management and for selecting control objectives and controls;
• A summary of the security policies, principles, standards and compliance requirements;
• A definition of all relevant information security responsibilities;
• Reference to supporting documentation, e.g. more detailed policies; and
• How non-compliances and exceptions will be handled.

Exercises
a) Describe the differences between COBIT 5 and COBIT 2019.
b) Which of the following are components of the governance system?
   1. Organisational structures
   2. Enterprise strategy
   3. Risk profile
   4. Information
   5. Culture, ethics and behaviour
c) The COBIT framework makes a clear distinction between governance and management. Which of the following statements about the two disciplines are true?
   1. They encompass different activities
   2. They require different organisational structures
   3. They ensure direction is set through prioritisation
   4. They serve different purposes
   5. They plan, build and run the activities of the enterprise
d) Which of the following is true about COBIT?
   A. COBIT is a full description of the whole IT environment of an enterprise
   B. COBIT is a framework to organise business processes
   C. COBIT groups the relevant governance components into governance and management
e) The end-to-end governance approach is:
   A. One of the six principles for a governance system
   B. One of the three principles for a governance framework
   C. An improvement introduced in COBIT 2019