
Copyright 2006 ISACA. All rights reserved. www.isaca.org.

COBIT: A Key to Success as an IT Auditor


Most students, upon graduating from college and entering the profession in an entry-level position, wonder how to go about performing their duties as an IT auditor and how they will know exactly what to do. Upon seeing the scope, complexity and diversity of information systems and information technology, they wonder how one is able to gain an understanding of anything about this multiheaded monster. In addition, the IT environment seems to change every week in larger entities. There is an infinite stream of new technologies, application updates and other technological changes. To make matters even more difficult, more and more transactions are paperless. Of course, there are in-house training, supervision and learning with adept colleagues, but there are some basic things IT auditors should know to empower them to be knowledgeable and effective in their duties. Over the last few years, no other tool has proven to be as effective or helpful to IT auditors as Control Objectives for Information and related Technology (COBIT), produced by the IT Governance Institute (ITGI). COBIT has been used successfully in a variety of IT audit-related functions. It is likely that no other tool has been mapped to as many models for IS, IT and management as COBIT. Therefore, an essential key to the success of IT auditors is to know COBIT well enough to be able to apply it to the tasks and duties for which they are responsible.

Recent Uses of COBIT in IT Audit-related Functions

An overview of the number of different IT audit-related functions for which COBIT has been applied successfully demonstrates the flexibility and usefulness of COBIT.

Sarbanes-Oxley Section 404 Compliance
The post-Enron business environment is clearly quite different for IT audit than before. The passage of the Sarbanes-Oxley Act of 2002 has focused a lot of attention on the IT audit function and the need for IT auditors in the processes that lead to audit opinions on financial statements. For companies that meet the criteria, the Sarbanes-Oxley regulation requires management to evaluate and monitor the effectiveness of internal control over the financial reporting process. Most assuredly, the IT function is critical to meeting this requirement. The US Public Company Accounting Oversight Board (PCAOB), an arm of the US Securities and Exchange Commission (SEC), issued Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements, in 2004. It gives further guidance on how to fulfill the requirements of Sarbanes-Oxley section 404, including the recommendation that the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model for internal controls be used in the evaluation process. Immediately, auditors began to search for ways to map business processes, application controls and IT controls to the COSO model. The Parson Consulting Study surveyed implementers of Sarbanes-Oxley section 404 and found that 88.9 percent of the respondents were using generic tools, such as spreadsheets and databases. But the same survey found that 95 percent of respondents were using COSO as their internal control evaluation framework. Over time, COBIT has become the tool of choice in mapping IT controls to COSO, because of the ease of use and the success others have had in using it.

ITIL
The Information Technology Infrastructure Library (ITIL) was developed by the UK Office of Government Commerce. It has been gaining global acceptance as a reference framework for IT service management. Those performing IT audits in the area of service delivery will find ITIL useful as an effective tool in that task. Materials are now available to assist those auditors in using that framework, including one that maps COBIT to the ITIL framework.1

JOURNALONLINE

IT Governance and IT Performance Improvement


The post-Enron environment has focused on many issues such as fraud, internal controls and, probably most of all, corporate governance. IT governance complements corporate governance and, therefore, assists in meeting the spirit of Sarbanes-Oxley. According to ITGI, IT governance is the leadership and organizational structures and processes that ensure that IT sustains and extends the organization's strategies and objectives. Thus, it is important to gain a thorough understanding of how business goals drive IT goals, and vice versa, and to formalize the process of developing IT goals and approving IT projects. One study reveals that organizations had a difficult time linking business goals, IT goals and IT processes. COBIT can provide guidance to overcome this difficulty.2 While the focus of IT governance is the effective management of IT resources, an organization should be able to drive the positive results of IT project management to the business's bottom line. Using COBIT in conjunction with the Capability Maturity Model (CMM) can produce precisely this result.7

Refining IT Processes
IT process refinement is beneficial not only for improving efficiency and effectiveness, but also for changing the way IT and business managers view IT services. COBIT can be used successfully to perform this task.8

Information Security
Perhaps the fastest-growing and most important area of IT audit is information security. ISACA issued Information Security Harmonisation: Classification of Global Guidance in 2005, which addresses many areas of information security and maps COBIT to the various technical models and literature.9

Models Mapped to COBIT

COSO
Many articles have been written on how to map COBIT to COSO. As mentioned previously, the PCAOB Auditing Standard No. 2 recommends the COSO model for fulfilling section 404 of Sarbanes-Oxley. However, COSO does not directly provide guidance on assessing controls, especially IT controls, whereas COBIT is well suited to assessing IT controls. Thus, a map from COBIT to COSO is useful to IT auditors and managers alike in complying with Sarbanes-Oxley adequately and efficiently. IT Control Objectives for Sarbanes-Oxley, published by ITGI in 2004, links COBIT control objectives related to financial reporting with the COSO internal control framework.3

ITIL
As stated previously, ITIL is a globally accepted set of standards for IT infrastructure and has been mapped to COBIT.4 In November 2005, ITGI and OGC jointly published Aligning COBIT, ITIL and ISO 17799 for Business Benefit.5

BS 1500
Associated with ITIL, the British Standards Institution has issued a standard for IT service management, BS 1500. BS 7799 complies with the security requirements of BS 1500.

ISO/IEC 17799:2005
The Code of Practice for Information Security Management is an international standard based on BS 7799-1/ISO/IEC 17799:2000. It too has been mapped to COBIT.

CMM
COBIT is useful in IT performance improvement, which is also associated with IT governance.6 COBIT is mapped to the Software Engineering Institute's Capability Maturity Model (CMM).

COBIT Mapping (ITGI)
With so many of these mappings occurring, ITGI issued COBIT Mapping: Overview of International IT Guidance in 2003.10 It addresses the information security issues of IT audit. In it, the following are mapped to COBIT:
- ITIL (collection of best practices)
- ISO/IEC 17799:2000, The Code of Practice for Information Security Management (best practice), which is also mapped at a detail level in COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, published in 2004.11
- ISO/IEC TR 13335, Guidelines for the Management of IT Security (technical guidelines)
- ISO/IEC 15408, Security Techniques: Evaluation Criteria for IT Security (technical reference and information security certification)
- TickIT (software quality management certification)
- NIST 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (reference)
- COSO, Internal Control: Integrated Framework
COBIT Mapping: Overview of International IT Guidance, 2nd Edition, will be published in 2006 and will include mapping to the:
- Capability Maturity Model Integration (CMMI) (best practice for improving processes)
- IT Baseline Protection Manual (standard security safeguards for typical IT systems)
- US Federal Information Processing Standards (FIPS) Pub 200, Minimum Security Requirements for Federal Information and Information Systems

Summary
These articles and anecdotes demonstrate the flexibility and usefulness of COBIT in a variety of IT audit-related tasks and functions. Therefore, it is beneficial and valuable to know and understand COBIT well enough to apply it as an IT auditor. COBIT has been an established set of guidelines for years. In the post-Enron business environment, it is quickly becoming an indispensable tool to fulfill the expectations, obligations and technical guidelines in areas related to IT audit. Therefore, one of the best choices an IT auditor can make is to become an expert in COBIT. That understanding and ability to apply COBIT will likely increase the efficiency and effectiveness of the IT auditor's tasks and responsibilities. It seems the IS, IT and business world as a whole believes that statement, as seen by the number of models mapped to COBIT and the number of areas to which COBIT has been applied.

Endnotes
1 Glenfis, ITIL COBIT Mapping Linked With Control Objectives, www.glenfis.ch/english/gf00-tools.asp, accessed 2005
2 Van Grembergen, Wim; Steven De Haes; Jan Moons; Linking Business Goals to IT Goals and COBIT Processes, Information Systems Control Journal, vol. 4, 2005, p. 18-21
3 ITGI, IT Control Objectives for Sarbanes-Oxley, USA, 2004, www.isaca.org/sox
4 Op. cit., Glenfis
5 ITGI and OGC, Aligning COBIT, ITIL and ISO 17799 for Business Benefit, 2005, www.isaca.org/research
6 Op. cit., Mallette and Jain
7 Mallette, Debra; Monica Jain; IT Performance Improvement With COBIT and the SEI CMM, Information Systems Control Journal, vol. 3, 2005, p. 46-50
8 Reingold, Stephen; Refining IT Processes Using COBIT, Information Systems Control Journal, vol. 3, 2005, p. 51-52
9 ISACA, Information Security Harmonisation: Classification of Global Guidance, USA, 2005, www.isaca.org
10 ITGI, COBIT Mapping: Overview of International IT Guidance, USA, 2003, www.isaca.org/research
11 ITGI, COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, USA, 2004

References
Bagranoff, Nancy; Laurie Henry; Choosing and Using Sarbanes-Oxley Software, Information Systems Control Journal, vol. 2, 2005, p. 49-51
Butler, Charles W.; Gary L. Richardson; Potential Control Processes for Sarbanes-Oxley Compliance, Journal Online, 2005, www.isaca.org/journalonline
Cerullo, M. Virginia; Michael J. Cerullo; How the New Standards and Regulations Affect an Auditor's Assessment of Compliance With Internal Controls, Journal Online, 2005, www.isaca.org/jonline
Dietrich, Robert J.; After Year One: Automating IT Controls for Sarbanes-Oxley Compliance, Information Systems Control Journal, vol. 3, 2005, p. 53-55
Rafeq, A.; Using COBIT for IT Control Health Check-up, Information Systems Control Journal, vol. 5, 2005, p. 18-19
Sayana, S. Anantha; Auditing IT Service Delivery, Information Systems Control Journal, vol. 5, 2005, p. 13-14

Editor's Note:
Aligning COBIT, ITIL and ISO 17799 for Business Benefit can be downloaded on a complimentary basis from www.isaca.org/research. To learn more about the ITGI publication, please read Gary Hardy's article on p. 32, Guidance on Aligning COBIT, ITIL and ISO 17799. Additionally, COBIT 4.0 is now available for complimentary download at www.isaca.org/cobit and can be ordered in print from www.isaca.org/bookstore.

Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP, is an assistant professor of information systems at the University of Alabama at Birmingham (USA), Marshall IS Scholar, and director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small value-added dealer of accounting information systems using microcomputers for 11 years. His education and experience are a mix of information systems and accounting. He is a member of several professional organizations related to IT/IS and accounting, including ISACA, the Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA) and the Association of Certified Fraud Examiners (ACFE). He serves on several boards of those professional organizations. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous journals, including the Information Systems Control Journal.

Information Systems Control Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2006 by ISACA. All rights reserved. Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited. www.isaca.org
