Explain the key IT audit phases
What are the key activities within each phase?
I. The first key IT Audit phase is: Requesting Documents
a. Key activities: Inform the organization of the coming audit, Create the preliminary checklist, Request documents listed on an audit preliminary checklist; Examples:
a. Copy of the previous audit report,
b. Bank statements,
c. Receipts and records,
d. Organizational charts.
II. Next phase: Preparing an Audit Plan
a. Key activities: Examine documents, Plan the audit, Conduct a risk workshop to identify possible problems, Actually draft the audit plan.
III. Next phase: Scheduling an Open Meeting
a. Key Activities: Create the scope of the audit, Open meeting to host management and admin staff to present the scope, A time frame for the audit is determined.
IV. Next Phase: Conducting Fieldwork
a. Key Activities: Finalize the audit plan, Procedures and processes are reviewed (usually by speaking to staff members and reviewing), Tests compliance with policies and procedures, Internal controls are assessed, Deliberate problems with organization and give opportunity for org to respond.
V. 5th phase: Drafting a Report
a. Key Activities: Report prep to go through the findings of the audit, Report includes: mathematical errors, issues and problems, payments authorized but not paid, Recommended solutions to any problems.
VI. Last phase: Setting Up a Closing Meeting
a. Key Activities: Asks for a response from management, Gives a chance for org to agree or disagree with problems in the report, Describes an action plan for management, Provides a projected completion date, Any remaining issues are discussed.
One very important task for the IT audit process is to identify the “Audit Universe” – What needs to be audited? Within the Audit Universe, IT audit senior management identifies audit entities based on risk assessment, and then the audit cycle (frequency) is determined based on risk rating. We will discuss further during our next class.
Ian – Doc. requests are usually developed at the end of the planning stage, while the scope is defined, the controls that need to be tested are determined, and testing procedures are developed. Then auditors will prepare the required doc. list as review/testing evidence. Make sense?
Good recap of the audit process. I would add the importance of keeping the customer engaged during all phases of the audit process. Customer communication is a crucial part of a successful IT audit.
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Simply put: COBIT provides the ‘why’; ITIL provides the ‘how’, COBIT is broader than ITIL in its scope of analysis, and ITIL concentrates on and offers more detailed guidance when it comes to IT service mgmt.
However, I read that there is more to it… It shouldn’t be one or the other but rather both should be examined when determining which fits your IT service mgmt business needs better. This strategy allows IT to leverage the strengths of both frameworks, customizing them for company use as needed, and ultimately allowing the company to solve complicated business problems while achieving business goals.
Why do we need control framework to guide IT auditing?
1. To provide the data structure that will help design, implement, organize, and categorize Internal controls
2. To make sure internal controls meet requirements and are working properly.
3. To ensure efficient IT audit processes; including means for reporting
4. To risk assess, risk respond, and ultimately minimize risk
5. To create business value
Yes, risk and control assessment are two huge factors of an IT audit. They underlie the entire audit process, including the selection of controls to test and the determination of the evidence necessary for a given control. By identifying and testing the internal controls, and selecting controls to test, the auditor is able to evaluate the company’s controls adequately and address the identified risks.
Nice list Ian, you hit all the right points on why a control framework is needed to guide IT auditing. Everything you said is to ensure the controls in place for the organization are working properly and that there are controls in place to mitigate risk. It all flows smoothly and sound, and business value at the end ties it all together. By having the control framework there, it is important to not only have controls in place that will help the business function day to day but to also create value, so that employees will work to make sure the controls stay in place and function as intended.
Good summary. Controls provide a process to create a paper/electronic trail for different IT assets and business processes; later, the audit process evaluates data drawn from the paper/electronic trail logs and evaluates it against audit requirements.
The IT Audit phases are as below,
1. Planning
– Understand background, scope, objective to perform audit from audit manager
– Understand the area to be reviewed and preliminary assessment of risk
– Involve customer to establish open and honest communication
– Prepare standard and customized audit checklist
– Research to keep up with current industry expectation
– Perform assessment of risks; identify controls and processes to assess risk
– Schedule the audit and assign duties, involve customer, audit team
– Conduct opening meeting
2. Fieldwork and Documentation
– Review documentation to check if it meets standard requirement and efficiency
– Collect samples and conduct interviews
– Validate controls and effectiveness of implementation of controls
3. Issue Discovery and Validation
– List potential concerns and discuss with customer
4. Solution Development
– Develop action plan in coordination with customer to address each issue raised
– Either of below approaches can be used
5. Draft audit report (audit scope, executive summary, List of Issues and Action plans)
– Prepare draft report and issue to the customer
– Update the draft after customer comments if necessary
6. Track Closure actions
– Follow-up on closures
– Escalate if necessary
I think both parties are responsible to develop “action plans” to remediate audit findings. In fact, after validating the risks, the auditor can work with the customer to develop an action plan for addressing each issue. Three common approaches (recommendation, management-response and solution) are used for developing an action plan and addressing audit issues.
Said, both parties are not responsible to develop action plans. I mean the auditor does not work in collaboration with the customers in all three approaches. In fact, in the management-response approach, instead of developing a mutually agreed-upon solution, the auditors just say what they want and then allow the audit customers to say what they want, with the auditors then getting the last word in the report.
You are absolutely right. The management-response approach is more like a “contest” than a collaborative approach. The auditors send a report with recommendations (sometimes) and wait for the customers to respond.
Thank you for your clarification.
Exactly! And then the solution approach is eventually a mix of both the management-response and recommendation approaches. In fact, in the solution approach, the auditors are providing ideas to solve the issues based on their control knowledge (recommendation) and the customers are providing ideas for resolutions based on their operational knowledge (management-response). As a result, the customers have the final say and “own” the action plans, as long as they are approved by the auditors.
Yes. An auditor can suggest or recommend the action plan. But finally it should be the customer who takes the decision whether they want to accept it or not.
Binu, I think the customer cannot completely deny a recommendation. They could have a different way to approach the final result. And they should discuss with the auditor why they think a different approach is better.
This point makes more sense when we understand that the customer is doing the business on a daily basis and the auditor might be involved with the company during the audit phases. The customer will have a good idea of how efficiently the recommendation can work.
I also agree with Priya. Internal auditors are supposed to provide the best practical options to improve an organization’s control system. If the organization is completely denying the suggestions and not implementing proper controls, they are just making themselves more vulnerable. But auditors are not going to directly tell customers which controls they should use. It is up to the customer to choose how to correct their control environment.
Rightly said Annamarie. Solution based approach is the key.
In this approach the auditor and customer should demonstrate flexibility in ways to implement a control.
Flexibility also must be with the timelines given to implement. Although a deadline must be fixed, they can mutually agree to a timeline.
Both parties will not work on the action plan. The auditor’s job will be to give the recommendation. It is the responsibility of the customer to work on the action plans based on the recommendation and findings of the audit.
I agree with Deepali’s sentiments here. It is the auditor’s responsibility to identify and bring to attention any holes in what they are auditing, and while it may not be necessary for the auditor to give their input as far as working the action plan to mitigate the identified risks, I think it is critical to have a meaningful dialogue about what was found and also use their experience to give the customer ideas that they may have encountered with other clients as proposed action plans to mitigate the identified risk. One of the major points outlined throughout the semester is the need for the auditor to work closely with the management team and client in order to effectively accomplish the goal, which is to minimize any exposure that they may have.
There are 3 solution development approaches,
1. Recommendation Approach
This is a solution suggested by the auditors. Mostly this is easy to do for the auditor and for the auditees to agree to it. However, the recommendation might not be practically easy to implement unless suggested by a thoroughly experienced audit team. The involvement of the customer is almost negligible.
In my opinion this approach is a happy way for everyone but may not be good for implementation.
2. Management Response Approach
In this style of solution development, the auditors will only point out the findings. In most cases, the customer will not agree to the work for a solution as they do not agree with the finding. I believe this difference is because of two reasons:
– It matters what side of the audit you are on and where the finger pointing is happening
– The customers may think, ‘Hey, it is easy for auditor to just say, this is wrong, implement a new thing. It cannot be practically done’.
However, in both these cases there is a lack of communication and nothing is agreed upon.
3. The Solution Approach
As the name suggests, this would be the right choice to develop an action plan. The auditor can recommend, the customer can listen and respond. This approach will give the best of both to find a solution. It will be easy to implement as everyone would have agreed to it.
Prof Yao, I have experienced this while working; however, to summarize it in words I referred to the IT Auditing book.
One such experience I had was during one of the audits I conducted. There was a finding on access management: reconciliation of access was not performed.
I had discussed the finding and the customer readily accepted to set up a reconciliation process. When I verified the control for closure I understood that they had worked hard to put the reconciliation process in place, but they did not reconcile with the expected party. Hence the finding could not be closed even though they had put in a lot of effort.
A solution based approach is thus important:
– The auditor is able to explain the finding; this makes it easy for the customer and management to find a solution
– There will be less gap in communication. Many times the customer may implement the control and take corrective action, but not to the level the auditor expects. This just adds extra time and cost for something they could have done right earlier.
Great detail in your answer Priya, especially for the Planning stage. I think a few of those key steps (such as creating customized checklists and researching the industry) can be forgotten or not given enough attention for the sake of time or, as I have occasionally seen, due to heavy reliance on information from previous audits. Not giving this stage its due attention will only make the audit more difficult for both the auditors and the customers, so it is crucial that auditors plan appropriately.
I agree with Annamarie. Checklists help to ensure that the audit is conducted in a systematic and comprehensive manner, and the proper evidence and documentation are obtained. I think they help auditors do a better job and shouldn’t be dismissed.
I agree. Intimate knowledge of key vertical industries can be a huge help and should be leveraged more. No matter how much you may study and read, there’s nothing quite like having personal experience and real life scenarios to be able to reference, and the associated outcomes from different approaches. This should be shared regularly and should drastically help the ability to bring value to the client, rather than just being a pain that picks apart the client’s hard work.
I liked that you detailed the stages. I tried to detail them as much as I could and I missed the industry specific expectations point, which I think is a crucial point. Thanks!
Q4] Why do we need control framework to guide IT auditing?
Control frameworks were designed so as to have internal controls to monitor the efficiency and effectiveness of operations in an organization. IT controls are a subset of all the internal controls. Many prominent frameworks (like COSO, COBIT, ISO27001, ITIL) have emerged to guide the management and evaluation of IT processes.
Below I will try to explain how IT Audit merges with the COSO framework and how the COSO framework is used in framing the IT Audit. As defined in COSO, internal controls consist of 5 components.
Control Environment
IT Audit requires control from management. The Audit department must be formed and delegation of authorities must be done.
Ex. An organization must have an Audit Manager. He must report to the CIO.
Risk Assessment
Risk analysis is an integral part of IT Audit. What factors should the controls be assigned on? When and how should the controls be implemented? Unless risk analysis is done, an IT Audit will not have a checklist to focus on. Risk assessment will give the quantification of factors and values associated with risks.
Ex. IT audit must realize that not keeping a record of visitors can be a risk. A visitor management system must be in place.
Control Activities
Control activities are the policies. IT Audit needs policies and procedures to form the standard. The auditor must know what best practice must be followed. Organizational policies will define the IT Audit plan, verification and the organizational security framework.
Ex. It is a security policy to train employees about security policies in the company on a regular basis. IT Audit will verify whether training is conducted for all employees and whether the frequency matches the standard policy or not.
Information and communication
Information must be available at right place and time and must be communicated to relative stakeholders.
Ex. An audit draft report must be sent to relative stakeholders before publishing the final report. If there is lack of communication and a stakeholder is missed, the audit report may not be accurate.
Monitoring
Continuous evaluation must be done to maintain the quality of security in the organization.
Ex. There must be an audit plan and schedule to achieve effectiveness. Say an internal audit is scheduled once a quarter.
Likewise, any control framework will help in constructing and guiding the IT Audit process.
IT audit relies on those frameworks for risk assessment and control testing. You are headed in the right direction. A few corrections: (a) from a reporting structure perspective, the Audit Director should report to the Audit Committee/the Board and administratively to the CEO. (b) from an IT audit aspect, auditors need to get comfortable that management has effective controls in place to incorporate the COSO framework, e.g. adequate MIS reports from the Monitoring aspect, effective communication regarding policies and procedures.
Priya, thank you for the explanations and examples of all COSO components. COSO, as a joint initiative to combat corporate fraud, helps organizations to establish governance, business ethics, internal controls, enterprise risk management, etc.
Priya, good example of using the COSO 5 components. I agree with what you said, “Control activities are the policies”, and do you think the control activities also include the three types of control like preventive control, detective control, and corrective control? I believe that most of these policies and procedures are preventive controls to stop the loss before it actually occurs, what do you think?
Q1. Explain the key IT audit phases. What are the key activities within each phase?
Key IT Audit phases are:
• Audit subject
o Identify the area to be audited
• Audit Objective
o Identify the purpose of audit
o Example: Program source code changes occur in a well-defined and controlled environment
• Audit scope
o Identify which systems, functions or units are financially in scope
o Example: Review of source code on a single application and to a limited time period
• Pre Audit Planning
o Communicate with the manager or authorized staff to understand the infrastructure, gather sources of information such as flow charts, policies, standards and prior audit papers.
o Develop communication plan which describes who to communicate, when and how often.
• Audit procedures and steps for data gathering
o Identify and select the audit approach and test the controls
o Identify people to be interviewed, departmental policies, standards and guidelines to be reviewed
o Develop audit tools and methodology to test and verify controls
• Procedures for evaluating the test or review results
o Identify methods and tools to perform evaluation, criteria for evaluating the test and resource to confirm the evaluation is accurate
• Identify procedures for communication with manager
o Determine the frequency of communication and prepare documentation for final report
• Prepare Audit reports
o Disclose follow up review procedures.
o Disclose procedures to evaluate operational efficiency and effectiveness
o Disclose procedures to test controls
o Review and evaluate the soundness of documents, policies and procedures
Q3] Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Differences
Implementation:
COBIT provides ‘What’ and ITIL provides the ‘How’. COBIT is complex and broader in scope. It generally gets organizational level budget. ITIL will focus on IT elements and is mostly funded by the IT department.
Vendor:
COBIT is complex and consultation from the Big 4 would be the right choice. ITIL can be implemented by smaller consulting firms. Ex. Accenture
Origin:
COBIT is ISACA’s ITGI’s model while ITIL was developed by the UK Government (OGC)
Similarities
– Both COBIT and ITIL focus on ITSM
– COBIT and ITIL ensure effective IT governance
– Both are complementary to each other.
Source
[https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx]
[IT Auditing by Chris Davis and Mike Schiller]
I like the words “what” and “how”. The two frameworks amid IT controls from different aspects. ITIL is often used by technology management to “implement” technical controls and COBIT, on the other hand, is used by technology risk management and IT auditors to assess the control environment.
Professor, I never thought to consider what type of IT management positions would prefer ITIL over COBIT and vice versa.
That completely makes sense though. COBIT does generalize and describe the audit and compliance requirement for IT and ITIL supports the operations for IT management.
I just recalled the professor said in the class that IT auditors will only report to the executives on “what objectives need to be achieved”, and they are not responsible for answering “how the objectives have to be achieved”. That answers why COBIT is widely used by technology risk management and IT auditors. Thanks for the clarification.
Yes, I agree with Ming; the IT auditors are not responsible for making a plan to solve the problem. The COBIT aim is to provide an overarching framework that incorporates different subsets of information management and control while promoting greater consistency among these areas. Unlike prescriptive requirements for a specific regulation, COBIT can be used for a wide range of enterprise needs, including information security, regulatory compliance, risk management and financial processing.
It may not be the responsibility; however, I believe it is best practice to collaborate and discuss action plans that others may have used to address similar findings. Any insight that can be provided can bring a huge amount of value to the client, which should certainly be a part of the goal if you would like repeat business from said client.
Hi, Yu Ming, thanks for bringing it back to what IT auditors should report, and that they are not supposed to answer how to achieve the objectives. Professor Yao also mentioned why IT auditors should not take the responsibility for answering how: it’s because if the suggestions from IT auditors fail or even make it worse, the auditors may lose their job. From this perspective, I do agree with you that COBIT has a positive influence in technology risk management.
In general, management relies on ITIL to design and deploy IT controls; IT auditors, on the other hand, leverage COBIT to verify the design and operating effectiveness of IT controls.
I just found the slides you had this in, but I don’t think we made it that far the first meeting. I took these steps from the class textbook, but think I should have combined it with answering question 2 to save space like other students had.
1. Planning
– Determine the objectives and scope of the audit
– Determine what you hope to accomplish
– Develop the steps necessary to conduct the audit
2. Fieldwork and Documentation
– Audit steps are conducted by audit team
– Work documentation
– Data collection and interviews
3. Issue Discovery and Validation
– Develop list of concerns
– Discuss concerns with customers for validation
– Ensure only legitimate concerns are entered into the report
4. Solution Development
– Work with customers to develop plan for correcting issues
– Escalate an issue only when necessary, and only to the necessary level
– Notify customers when escalating an issue, and escalate through each level as necessary
5. Report Drafting and Issuance
– Document results of audit
– State scope of audit
– Executive summary of audit with clear and concise wording
– Full list of issues and plan of action for each issue
6. Issue Tracking
– Follow up on issues found in audit
– Escalate issues not being properly dealt with by personnel
– Verify correction of issues as best as possible
Davis, Chris, Mike Schiller, and Kevin Wheeler. IT Auditing Using Controls to Protect Information Assets. 2nd ed. N.p.: McGraw Hill, n.d. Print.
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
COBIT was created by ISACA and is a collection of “best practices” in IT governance and control. ITIL was created by the UK government and is a set of standards for IT infrastructure management and service delivery. COBIT defines how all of a company’s IT activities should support the business function, and ITIL is a framework that is easily adopted by any business that uses IT.
Sean, you are right, COBIT is usually used by internal IT organizations, whereas ITIL can be used by any organization providing internal or external IT services.
Overall, I think the primary difference between these two frameworks is that COBIT is general and defines audit and compliance requirement for IT, as opposed to ITIL which helps to define operational IT management processes.
I felt like what little there was on both frameworks in the textbook really made it difficult for me to discern between the two. Thanks for clearing a little more up for me.
Good summary Sean! Both ITIL and COBIT provide guidance for the governance and management of IT related services. For larger companies, they prefer using both. Small companies prefer using ITIL because COBIT is complex.
Why do we need control framework to guide IT auditing?
A control framework is the very basis for a business’s internal controls. Without this framework in place there would be no formalized control structure or standardization in the business. With a control framework in place, IT auditors know what processes have controls built into them, and how to ensure whether the controls are effective or not. The framework also gives IT auditors a starting point to conduct audits and can give them insight into where controls should be added, strengthened, changed, or even removed for ineffective placement.
I agree with you Sean. A control framework will direct the IT audit towards the control environment of the organisation.
Just to add to your point, a control framework defines a RACI (responsible, accountable, consulted and informed) chart, which can help in identifying whether the authorized persons are being correctly associated with the processes or not during an IT audit.
I’ve been inundated with so many different readings between all the classes I am taking. Was that chart in a reading/video, or is it something you learned working in the field?
I don’t think it’s in any reading we’ve done for this class so far, but an example RACI chart can be found in ISACA’s Risk IT Framework. As Deepali said, it breaks down the different roles involved (Board, CEO, Business Process Owner, etc.) and determines their level of involvement in key activities by separating them into four categories:
1. Responsible: Those who must ensure that activities are successfully completed
2. Accountable: Those who own required resources and have authority to approve actions and accept the outcome of the activity.
3. Consulted: Those whose opinions are requested on an activity.
4. Informed: Those who are kept up to date on the progress of an activity.
It is my first time learning about the RACI chart and I believe it is a great tool to clearly identify roles and responsibilities during an audit. Actually, many organizations use it proactively when developing processes or project plans. I also learned that another benefit of a RACI chart is to accelerate delivery by avoiding unnecessary discussions and disagreements.
Thank you for the link. A RACI chart or a RACI matrix prevents conflicts between team members. Team members are also not confused about responsibility as RACI clearly indicates what needs to be done and who must do it.
Studied this in my Project Management class in MIS.
Thank you for the link. I found a simple, awesome chart on that site. Anyone including myself who is not familiar with the RACI matrix should take a moment to check that chart. It well simplifies how the RACI works by using an example of a family trip plan.
Annamarie explained it in a great way. RACI is a responsibility assignment matrix and it describes the participation of various roles in completing tasks and deliverables.
Sean – I agree. I think that the control framework, in its most basic form, is an organizational tool. I think it helps both the company and the auditor from that perspective. In order for the company to completely adopt the framework, the company must completely understand it to buy in and hold its employees accountable.
1. Planning
– to determine the objectives and scope of the audit to perform the audit
– develop a series of steps to be executed in order to accomplish the audit’s objectives.
– obtain a basic background and understanding of the area to be reviewed by conducting a preliminary survey of the area to be audited with the audit customers to understand what the audit will entail, as well as reviewing pertinent documentation
– Involve with the audit customers to understand what areas they think should be reviewed and what areas of concern
– Develop a standard audit checklist to provide a useful hard start
– Research
2. Fieldwork and documentation
– Acquiring data and performing interviews to analyze the potential risks and determine which risks have not been mitigated appropriately
– Allow the next audit team to learn from the experience of the previous audit team => improvement and higher efficiency
3. Issue discovery and validation
– Develop a list of potential concerns to ensure all the issues are valid and relevant
– Discuss the potential issues with the audit customers to come to the agreement on the risks represented by those issues
4. Solution development
– Involve with the audit customers to develop an action plan addressing each issue by either one of the three approaches:
i. The recommendation approach
ii. The management-response approach
iii. The solution approach
5. Report drafting and issuance
– The report represents the results / records of the audits including what areas were audited
6. Issue tracking
– Develop a process to enable the follow up on issues until they are resolved
Source: IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller
COBIT (Control Objectives for Information and Related Technology)
ITIL (Information Technology Infrastructure Library)
Similarities:
Purpose:
Both frameworks provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
Differences:
Implementation
ITIL
• provides guidance to manage the IT services across their lifecycles
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
• Focus more on ITSM
COBIT
• COBIT is broader than ITIL in its scope of coverage.
• Provides guidance to govern the Enterprise IT based on 5 IT principles and 7 qualities of information
5 principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
7 Qualities:
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
Origin:
COBIT
• Published in April 1996 by ISACA
ITIL
• Developed by the U.K. government in the mid 80s
I agree with you Yu Ming that, while differing in levels of specificity, COBIT and ITIL have the same general purpose: to provide governance guidance. In addition, I like that you laid out the 5 stages in ITIL, as well as the 5 principles and 7 qualities from COBIT. Looking at them like this, I think it’s easier to understand how ITIL can be mapped to COBIT. An organization would want to ensure that all stages of ITIL are developed in a way that match the IT principles from COBIT, as well as its 7 important qualities.
Great comparison of ITIL & COBIT, Yu Ming. I really liked that you have summarized the key points of both the frameworks besides listing their similarities and differences.
Thanks for sharing. I noticed the difference you listed, “ITIL focuses more on ITSM”; it confused me because COBIT also focuses on ITSM, so what does that mean?
Q3. Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
DIFFERENCES:
• COBIT is used for mapping IT PROCESS whereas ITIL is used for mapping IT SERVICE LEVEL MANAGEMENT
• ITIL talks about “HOW” to carry processes such as delivery and support whereas COBIT talks about “WHAT” should be achieved such as process flow
• COBIT has 4 processes and 34 domains whereas ITIL has 9 processes
• COBIT is issued by ISACA whereas ITIL is issued by OGC
• COBIT is used for implementing Information System Audit whereas ITIL is used to manage service level
• COBIT is used in accounting as well as IT Consulting firms whereas ITIL is used in IT consulting firm
SIMILARITIES:
• Both are used in Information Technology Service Management (ITSM)
• If used together, they provide guidance for the governance and management of IT-related services.
Can you explain what the difference is between COBIT’s “mapping IT processes” and ITIL’s “mapping IT service level management?” When I was reading about both I was having trouble really understanding the difference.
IT processes include a series of steps that ensure IT services are provided in a focused manner.
It includes:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Whereas IT service level management is responsible for negotiating service level agreements with the customers in order to design services in accordance with the agreed service levels.
So COBIT Framework is used to map all of the above mentioned IT Processes so that they work in sync with each other and ITIL is used to map IT service level management which includes managing service level agreements.
Deepali, I’d like to add here that besides negotiating SLAs, even measurement, reporting and analysis are an integral part of IT Service level Management.
Through mapping controls from COBIT domains, management can identify control gaps; and ITIL’s mapping of SLAs is to ensure that agreed service levels, whether they are internal or external, are clearly defined, measured and monitored.
Q4. Why do we need a control framework to guide IT auditing?
• A control framework defines the base criteria for IT auditing to look into the processes and processes so as to assess their efficiency and effectiveness.
• Helps in determining whether they are being measured for effectiveness
• A control framework defines a Responsible, Accountable, Consulted, Informed (RACI) chart and guides the IT auditing process in checking whether the authorized persons in the chart are in fact responsible, accountable, consulted and informed with regard to activities associated with the process
Q1. Explain the key IT audit phases. AND Q2. What are the key activities within each phase?
1. Planning
-Determine scope by interviewing customers to understand area under audit and assessing risks that will be reviewed, as well as any existing internal controls.
-Coordinate with the customer to schedule when the audit will take place.
-Hold kickoff meeting to finalize the scope and to determine primary points of contact and status meeting preferences.
2. Fieldwork and Documentation
-Acquire data and perform interviews to analyze potential risks and mitigations.
-Independently validate effectiveness of the control environment.
-Document work in detail to support conclusions.
3. Issue Discovery and Validation
-Develop list of concerns discovered during fieldwork.
-Discuss potential issues with customer to ensure accuracy.
-Validate that issues are significant enough for report.
4. Solution Development
-Coordinate with customer to have action plan developed for issues, including determining who is responsible, as well as the due date.
5. Report Drafting and Issuance
-Write up report to include statement of audit scope, executive summary, list of issues and action plans, and other relevant material.
-Review with customers before issuance to ensure that they are in agreement.
-Issue report to appropriate parties (senior management, audit committee, etc.).
6. Issue Tracking
-Follow up on issues to ensure that action plans were carried out and can be closed.
-Escalate issues that are not being addressed as agreed to appropriate level of management.
Great read, Annamarie! I’d like to grab this chance to ask you (since you have Audit Analyst experience) if you saw any major differences between the theoretical audit process flow and workings and real audits at the ground level.
In my experience, this is the exact workflow that we followed during our audits. The only difference is that instead of grouping it under 6 steps, my organization just had “Planning”, “Fieldwork and Documentation”, and “Reporting/Issue Tracking”. In our case, the steps “Issue Discovery and Validation” and “Solution Development” fell under the Fieldwork and Documentation phase.
At the end of each phase we had what was known as a Tollgate Meeting with audit senior management and the customers to share the key aspects of the phase and ensure that everyone was on the same page so we could move forward.
Q3. Comparing ITIL and COBIT: list some key similarities and differences based on your understanding?
While COBIT and ITIL both help establish strong IT governance and can both be used by an organization, there are several differences. COBIT is much broader in scope, while ITIL focuses on IT service management. COBIT addresses “What” should be in place to ensure a strong IT environment, and ITIL answers “How” to implement. In addition, COBIT was developed by ISACA, while ITIL was a product from the UK government.
Correct. The trend in IT auditing is to adopt a risk-based approach, meaning leveraging the frameworks to identify “high risk” areas and develop the audit strategy/plan accordingly rather than cover all control objectives…we will discuss further in the class.
You mentioned that IT auditors are now adopting a risk-based approach when developing audit strategies. While this is a way to reduce unnecessary testing, in my external IT audit experience, I have seen this be used as fodder for our clients. Clients have questioned seniors and managers as to why certain applications are in scope when they believe they don’t have a material impact. This is just an observation I have made, but it does seem to be one of the few downsides to adopting a risk-based approach, since now clients question why certain items are in scope or not.
I really like your simplified and easily understandable difference between COBIT being the “what” to implement and ITIL being the “how” to implement. Would that suggest that they should both be used simultaneously to optimize the business’s IT deployment, or would it be more ideal to start with “what” to do and then move onto “how” to do it?
I guess these frameworks provide a standard to start with. So an organization may choose to follow ITIL alone or COBIT alone or both, or even modify them to establish a better framework meeting the business requirement. COBIT and ITIL are complementary and work hand in hand.
Annamarie & Professor Yao,
I was curious to know if in your experience, you have encountered any organization which has both COBIT and ITIL frameworks implemented, as so far, I have only worked with clients that were following ITIL methodology. Would you be able to share any insights from a cost perspective in implementing both frameworks?
I agree with your answer Annamarie. What do you think companies’ approach would be towards getting both the frameworks? Would they prefer to get COBIT implemented first or ITIL?
I think they would try to adopt COBIT first as it will help set up overall governance and then go for ITIL.
However each framework has a different positive impact on the organization. In terms of costing, they might have to choose which one to go for first.
What do you think?
Yes Priya, I believe you and Sean are right by suggesting that COBIT should be implemented first. As you said, this allows the organization to set up its overall governance, which ITIL can then be mapped to. COBIT can shape the ITIL processes by linking them to business requirements and evaluate the success of implementation. I think this approach allows both frameworks to be utilized to the fullest extent by an organization.
Both frameworks are complementary and mutually supportive, but I think it is easier to implement COBIT first because it’s the “what you need to do and why you need to do it” and then go for ITIL the “how to do it”.
I hope this makes sense.
Said, I agree with your comment. They are indeed both complementary, but the use of COBIT first would most definitely make more sense, especially since COBIT generalizes and describes the compliance requirements and auditing, whereas ITIL allows the IT management to strengthen its controls to combat any issues they face.
I think adoption of both is necessary depending on the need of the organisation. They both fulfill different needs and therefore we cannot prioritize the implementation of one after the other. Together they both will serve different segments in an organisation. If an organisation wants to align its IT processes, they will adopt COBIT, and for IT service management, they would need ITIL.
Q4. Why do we need a control framework to guide IT auditing?
A control framework helps guide IT audit by providing 5 components to assess the effectiveness of procedures and policies:
-Control Environment: sets the tone of the organization and provides the foundation for all other internal control components.
-Risk Assessment: identifies relevant risks to achievement of objectives, and forms basis for risk management.
-Control Activities: actions taken to mitigate risks identified with the risk assessment.
-Information and Communication: important information must be identified and communicated across the organization, in all directions.
-Monitoring: process that assesses the quality of a system’s performance over time to ensure that deficiencies are captured and reported as necessary.
Explain the key IT audit phases: What are the key activities within each phase?
Planning: The Auditor should understand the environment and infrastructure of the organization or company. By doing so they are able to assess what kind of documentation they need.
Fieldwork and Documentation: The auditor makes an effort to understand what kinds of documentation they should focus on. As well as interviewing employees in different departments of the organization; this ensures their understanding of its general practices and processes. EX: previous audits/ preliminary states. Additionally, allows them to plan the scope of the audit to determine their objective of the audit.
Issue Discussion and Validation/ Remediation Actions Development: This step allows the auditor to evaluate the logistics of the company, while taking into account the organization’s internal process.
-The auditor will reveal their findings to management. The goal is to communicate and validate the audit findings; acquire permission to resolve the audit finding, and use the proposed resolution to develop an Action Plan that management can commit to.
Reporting: The auditor reports its findings to the Audit Committee
Issue Tracking: The auditor follows up with regards to observations and action plans contained within the report to ensure appropriate mitigating activity is being implemented
Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
ITIL 5 stages in service:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
Differences: are the stages v. principles when it comes to IT service management
– ITIL provides the ‘how’ to carry on processes in delivery and support; however, it is limited in security and systems development
– COBIT provides the ‘why’ on what should be achieved in the process flows, in order to achieve effective governance, management and control.
– COBIT is broader than ITIL in its choice of breakdown, and ITIL focuses on and offers more detailed guidance when it comes to IT service management.
Similarities: Both provide guidance, yet if put together, they become a very powerful model of what you need to be doing and how you need to be doing it, when it comes to providing effective governance, management and control.
Why do we need a control framework to guide IT auditing?
A control framework helps provide guidance to IT auditors.
The 5 components used to assess the effectiveness of procedures and policies are as follows:
-Control Environment: By establishing a control environment, it ensures the IT auditors’ dominance, by allowing them to set the tone of the organization, while providing the groundwork for all other internal control components.
-Risk Assessment: Helps identify the issues, risk and potential risk at hand in order to proactively maintain the organization’s objectives.
-Control Activities: Actions in which policies, procedure and structure are implemented in order to mitigate risks identified.
-Information and Communication: Use of communication and information must be readily available to all sectors of the organization, in order to ensure compliance and prevent potential issues
-Monitoring: Allows the IT auditors the ability to gauge their internal controls, by monitoring their effectiveness, functionality and deficits that may occur.
Great examples of the components used to assist the auditors. The component example I liked the most was the Risk Assessment.
This is why IT Audits are an important business risk for any company with sensitive information and more importantly, employees who are in a position to jeopardize the entire company.
Risk assessment is indeed a major component of a control framework. It is the basis of any type of audit. The audit team is responsible for overseeing the risks and addressing them. If the auditors cannot clearly identify the concerns they face, they cannot do their job properly.
Thanks for your input Fred and Alex! I 100% agree with both of you; without the risk assessment aspect of the IT audit process, the whole audit would not have a foundation. The risks are the key concerns for the auditor; as you mentioned Alex, if they can’t identify the risk, then they cannot do their job!
I agree with you. A risk assessment is the identification and analysis of relevant risks to the achievement of an organization’s objectives to determine how those risks should be managed. Risk assessment implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from being attained. In other words, it is an analysis of what could go wrong.
Yes Magaly, I agree with what you said about monitoring. Indeed, monitoring can enhance the effectiveness of internal controls and mitigate the possibility of risks occurring and damaging the organization’s assets. But on the other hand, monitoring is sometimes costly and time-consuming. Therefore, in my opinion, the management needs to balance the effectiveness of the internal control system and the financial situation, because the shareholders may worry about the company spending too much money on the ICS.
Explain the key IT audit phases
What are the key activities within each phase?
∗ Planning
– Determine the objectives and scope of the audit
– Develop steps to be executed in order to accomplish objectives
– Interview with the customer
– Research and scheduling
∗ Fieldwork and Documentation
– Perform interviews and analyze data to find potential risks
– Determine which risks have not been mitigated appropriately
– Validate independently the information provided and the effectiveness of the control environment
– Document work
∗ Issue Discussion and Validation
– Establish list of potential issues
– Discuss potential issues with the customer
– Confirm the risk presented by the issue is significant enough to be worth reporting and addressing
∗ Solution Development
– Work with customer to develop an action plan
Nice post Said! When I studied the phases in detail I realized that the Reporting phase and drafting the report can actually take a lot of time. Collating data right from the first phase of the audit and documenting all findings will be the most important. There could be a point while drafting the report that you realize that you need to validate something or need more facts to put the point on the report. If a finding needs to be revisited in case some facts are missing, do we go back to the “Field and Documentation” phase? Are these phases iterative in any way? Do you get a chance to go back and revisit a domain? What do you think Said?
In my opinion, the auditor should go back to the “Field and Documentation” phase if a finding needs to be revisited. In that case he/she can reanalyze the data and hopefully find what is missing. And I also think he/she always has a chance to revisit a domain before issuing the report. In fact, the whole point of the audit is to review the company data and find potential risks. The auditor should not report something in his/her final draft if there are missing facts, and should be able to go back in the process to clarify the missing facts.
Priya – You raised some interesting questions here. I would like to discuss those questions during the class. Would you please bring it up on Wednesday? Thx.
For solution development, I agree that the auditor works with the audited in most cases. Do you think that it is the audited or auditor’s responsibility to come up with a plan to fix the problems identified in the audit? Does it depend on each company’s unique situation? Or does it cost more for the auditor to come up with a plan? Does the auditor even know enough about the company, its culture, and change strategies to make a plan?
Hello Lan,
I think the auditor cannot make the plan, because the internal audit just tests the plan and provides the recommendation. The scope of an audit depends on the goals. The basic approach to performing a security assessment is to gather information about the targeted organization, research security recommendations and alerts for the platform, test to confirm exposures and write a risk analysis report.
COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises. COBIT is broader than ITIL in its scope of coverage; it includes seven qualities of information (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability). ITIL provides best practices describing how to plan, design and implement effective service management capabilities.
In other words, COBIT provides standards for good practice of IT controls and ITIL provides the vehicle to implement those standards. However, both are complementary to each other.
The IT audit phases are a broad generalization of many different possible procedures. The book mentions, “One of the most important tasks of the internal audit department is determining what to audit.” Audits are very expensive and take time to complete. This is why it is important to prioritize what needs to be audited by creating an “Audit” Universe, identifying Centralized IT Functions (those that are collectively performing a function), Decentralized IT Functions (stand-alone functions), Business Applications (software), and the specific IT functions that may require Regulatory Compliance by a governing board. Separating the Centralized and Decentralized functions will allow you to allocate the required resources to accomplish a successful audit.
Once the decision is made as to what to audit, you can begin the steps to a successful audit. These steps include:
Planning
Determine the objectives and scope of the audit. The planning process should be the responsibility of the audit team. The audit manager shouldn’t be a part of the audit team, but should provide the resources to the team because the planning process requires referenced research. A structured and detailed assessment should be created for the areas being reviewed. The team should survey the area and employees to understand what will be included in the plan and to get the employees involved with the audit. They may be helpful in understanding the true environment. It is important to motivate the audit team and maintain a schedule by keeping everyone active, from the kick-off meeting to the solutions implemented.
Fieldwork and documentation
The fieldwork and documentation is where the hands-on work occurs. The hands-on visuals will give validation to the planning and research the team completed. Documentation is important to include: what you did, what you found, and your conclusion.
Issue discovery and issue validation
Issue discovery and validation will document the good things and bad things with the audit process. Transparency is important during this process to assure the proper process is taking place and validate the issues.
Solution development
Solution is the technique used to handle the issues the audit concluded. The book mentions 3 solution approaches.
The Recommendation Approach – A common approach, where the auditors relay the issues and recommendations to the customers.
The Management-Response Approach – Where the auditors list the issues but let the customer decide on the solution
The Solution Approach – Where the auditors list the issues and a mutually agreed upon solution is implemented.
Report drafting and issuance
This stage documents the results of the audit. Tells the customers what was audited, the results, and the action plans. It tells the management and the audit committee a “report card” on the audited area.
Issue tracking
Now that you built the plan, you must maintain a healthy environment. The issue tracking process is when you remain proactive with the audit plan. If the plan is not being performed to the specifications, the auditor should escalate any issues with the plan and document the findings. Escalation is a last resort and should only occur in cases when the tasks cannot be performed for a specific reason.
You would rank all the possible areas that may be audited. You would look at the Centralized and Decentralized areas to determine priorities.
A great way to do this is to meet with the IT managers and/or any other employees who are involved in the IT Universe. It is important to note there may be an overlap between the IT audit universe and a financial audit. Make sure you put the audit entities in the proper audit universe. Example: How software 123 makes/saves money may be in the financial audit universe. Another overlap may be compliance requirements, which may be included in the IT universe.
Understanding what items are included in the IT universe and ranking them based on risk and value will help with a successful audit.
The audit universe can include centralized and decentralized IT functions, business applications or regulatory compliance. Learn from the IT manager how the responsibilities are divided and learn about the existing known issues. Check if there could be any inherent risk. Understand the benefits of doing an audit in that area and how it can benefit the organization.
Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
ITIL – Information Technology Infrastructure Library
COBIT – Control Objective for Information and related Technology
Similarities between ITIL & COBIT
Both are considered best-practices for IT service management
Creates goals for the organization and measurement procedures
Shows if the organization meets or exceeds a controlled IT environment.
Differences between ITIL & COBIT
ITIL describes HOW to deliver and support the IT processes but limited in security and system development
COBIT describes WHAT should be done to attain effective governance, management and control.
ITIL & COBIT are complementary. Using both ITIL & COBIT at an organization will bring:
Alignment of IT environment for company and customers
Clear ownership and understanding of IT
Both are acceptable with regulators
Better decision making abilities
I like how you list the benefits if an organization does follow both the frameworks. COBIT and ITIL provide a top-to-bottom approach to IT governance and control. According to ISACA, COBIT guides management’s priorities and objectives within a holistic and complete approach to a full range of IT activities. ITIL supports this with best practices for service management. When used together, the power of both approaches is amplified, with a greater likelihood of management support and direction, and a more cost-effective use of implementation resources.
Why do we need a control framework to guide IT auditing?
By definition a control framework is “a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk”. That being said, a control framework guides the auditor throughout the auditing process and provides him/her with a model he/she can use to conform to compliance regulations.
I agree with your point that a control framework can minimize the risks and add business value to an organization by establishing effective practices and procedures. According to the expanded COSO cube, objective setting and event identification are effective in enterprise risk management. By setting proper objectives, the entity’s mission can be supported by chosen objectives, which improve the business value of the organization. Event identification focuses on the internal and external events which may affect the achievement of the organization’s objectives; this can mitigate the event-related risks.
Agreed Said, control frameworks are like the rules the auditors must follow when doing their work. A control framework sets up the data structure within the organization like you said, and the auditor must follow this guide when conducting their audit to make sure they are following the rules and regulations. Doing so will minimize the risk of error and help ensure that everything is done accordingly.
Q Explain the key IT audit phases
Ans: 1. Planning: Need to plan what needs to be reviewed. Proper planning helps in successful audits. Here the objective and scope of the audit is defined.
2. Fieldwork and Documentation: What has been planned is taken into action.
3. Issue discovery and validation: Check if the risk is worth addressing and validate the information collected.
4. Solution Development: Create an action plan to address the issues
5. Report drafting and issuance: Draft the audit report and distribute it to the customer
6. Issue tracking: See how far the solution has been implemented. If not, why not? Escalate if necessary or make changes as necessary.
Source: Chapter 2, IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller with Kevin Wheeler
Activities within each phase:
1. Planning:
– Collect necessary information like the key contacts for audit from the audit manager.
– Take preliminary survey of the area to be audited.
– Take feedback and inputs from the audit customers.
– Make sure there is a standard checklist
– Research on the area of audit
– Assess the risks and document them
– Schedule the audit in cooperation with the customers
– Kickoff meeting to communicate what is in scope and out of scope and to receive final inputs.
2. Fieldwork and Documentation:
– Acquire data and perform interviews
– Validate the information provided and the effectiveness of the environment
– Document their work
3. Issue discovery and validation:
– Check if the issues are valid and relevant
– Discuss potential issues with the customer.
– Check if the issue is a risk and if it is worth reporting
4. Solution Development:
– Create an action plan
– Define who is responsible and due date to be completed
– Keep the management informed
5. Report drafting and issuance:
– Draft the report
– Distribute the report
6. Issue tracking
– Develop a process to track and follow up till the issue is resolved.
– Initiate escalation procedures if issues are not addressed.
Source: Chapter 2, IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller with Kevin Wheeler
Explain the key IT audit phases.
What are the key activities within each phase?
Following are the stages of an Audit with their key activities:
1) Planning
– Determine what you plan to review
– Set up an audit team
– Determine objectives and scope of the audit
– Audit manager provides the audit team with key contacts for the audit
– Perform preliminary survey
– Obtain customer’s input (what areas customers are concerned about)
– Standard audit checklists for the area being reviewed
– Research and consideration for each audit
– Risk assessment of risks in the audit area (understanding of business purpose of the area to be audited and risks associated with that purpose)
– Scheduling the audit (when the audit will take place)
– Kickoff meeting
2) Fieldwork and Documentation
– Acquire data and conduct interviews
– Document work (tell a story with enough detail, so that the reasonably informed person can understand)
3) Issue Discovery and Validation
– Validate facts and risk(s) presented by the issue
– Are the risk(s) significant to the company? Yes? Discuss potential issues with customers
4) Solution Development
– Address Audit Issues using The Recommendation Approach/ Management-Response Approach/ The Solution Approach
– Finalize how the action plan must be in the audit report
5) Report Drafting and Issuance
– Draft the audit report (it’s like a report card)
– State the audit scope
– Draft an executive summary
– List issues and action plans
– Distribute the audit report to customers for review before issuing it to the senior management
6) Issue Tracking
– Follow up on the issues
– Initiate escalation procedures where needed
Source: Chapter 2, IT Auditing by Chris Davis and Mike Schiller
COBIT is for IT GRC and Management, whereas ITIL is a framework for IT Service Delivery.
COBIT offers control objectives at a broad level guiding enterprises on the implementation, operation and improvement of their arrangements that are related to enterprise IT governance. ITIL framework should be seen as a way to manage the IT services across their lifecycle.
COBIT focuses on enablers and principles surrounding an enterprise in meeting stakeholder needs related to IT assets. On the other hand, ITIL explains service management enablers in more detail.
And as most of my peers rightly said, and I would like to reiterate that: COBIT provides the “why” and ITIL provides the “How”
Why do we need a control framework to guide IT auditing?
An organization needs a control framework to have practices and procedures that are established to generate business value and minimize risk, and to comply with government requirements or industry guidelines. It is a structured and well-documented process that allows managers to show that they have adequate controls in place.
Key characteristics that are part of various control frameworks are risk assessment initiatives like setting objectives, event identification and development of response plans. In addition, a monitoring element called control activities is often included.
3. Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
ITIL: Developed by UK Office of Government Commerce
It is a framework which helps us to understand how to achieve successful operational service management of IT and includes business value delivery.
COBIT 5: Developed by ISACA
It is a framework to ensure that IT is aligned with the business, IT enables business and maximizes benefits, IT resources are used properly and risk is managed properly.
COBIT and ITIL are complementary frameworks where COBIT describes what IT should be doing and ITIL describes how to do it. Both of them describe processes that should be established for the enterprise to run smoothly and can be used by any type or size of organization.
COBIT vs ITIL
1. COBIT has a business perspective and focuses more on IT audit and compliance and what IT can do to benefit business whereas ITIL has IT perspective and focuses more on the IT process and operational service management.
2. COBIT is used by the internal IT organization of large enterprises whereas ITIL is used by any organization providing internal or external IT services.
3. COBIT deals with governance and management of IT processes whereas ITIL deals with implementation of IT processes.
I agree with you Yulun, and I especially like how you compare COBIT and ITIL in three ways.
Both frameworks have different perspectives, but actually they are complementary. By implementing both frameworks, the organization can maximize its IT controls, solve business problems and support business goal achievement.
Explain the key IT audit phases
What are the key activities within each phase?
1) Planning
– Establish an understanding with their client, which allows each party to know the nature of services to be provided and the responsibilities
– Develop an overall audit strategy, and audit plan, and an audit program
– Audit manager provides the audit team with key contacts for the audit
– Determine preliminary assessment of risks in the area
– Have a standard checklist to perform risk assessment prior to each audit
– Obtain additional information about the area being audited
2) Fieldwork and documentation
– Collect data and information and perform interviews to analyze the potential risks and determine mitigated risks
– Validate independence and understand the value of healthy skepticism
– Develop checklists as to what plan to review
3) Issue discovery and validation
– Develop a list of potential concerns and issues
– Review systems for compliance with the company’s internal IT security policies
4) Solution development
– Raise issues and provide recommendations
– Discuss with client and determine who is responsible and due date of completion
5) Report drafting and issuance
– Include: statement of the audit scope, executive summary and list of issues, along with action plans for resolving them
– Distribute the report to senior management and audit committee
6) Issue tracking
– Develop a process to track and follow up on issues until they are resolved
– Initiate escalation procedures for those issues not addressed
Why do we need control framework to guide IT auditing?
1. Help implement IT governance in enterprises
2. Risk assessment to identify risks
3. Risk response, control activities to mitigate or transfer risk
4. Event identification to further investigate
5. Monitoring – continuous monitoring / maintenance after an event to ensure the control is effective and efficient within an organization
Thank you for listing the COSO framework. In addition, COBIT and ITIL are also used generally. COBIT is complex to be used in larger companies whereas ITIL is used in small companies. However, larger companies prefer using both.
We need control framework to “provide guidelines for the management and evaluation of IT processes”. (Chapter 16, textbook)
The Committee of Sponsoring Organizations (COSO) was created in the 1980s to oversee the accounting and auditing process for organizations. They published Internal Control – Integrated Framework, the first guide for an internal control framework, in 1992. In response to SOX, COSO published Enterprise Risk Management – Integrated Framework, its second guide, to identify organizational risk factors.
The Internal Control – Integrated Framework guide stated two controls for the IT infrastructure. The first controls are “General Computer Controls”, focusing on the IT management, infrastructure, security, and software acquisition.
The second are “Application Controls”, focusing on the software used and how to control completeness, accuracy, and validity of information. The standards mentioned by COSO evolved into a separate standard called, COBIT.
COBIT (Control Objectives for Information and Related Technology) is the most recognized framework for IT governance and control. They are up to version 4.1, which was released in 2007 (Chapter 16, Textbook, COBIT). Since then, other frameworks have been published, including ISO 27001, NSA INFOSEC, and ITIL (Information Technology Infrastructure Library).
COBIT is currently working on version 5.0 and will continue to update the Framework because Information Technology is a great business tool for several different tasks. Some of those tasks are for good, but also for fraud.
Comparing ITIL and COBIT: list some key similarities and differences based on your understanding.
Similarities:
Both are used for IT services
Both enable organizations to achieve their key objectives including ensuring effective IT governance and controls
Differences:
COBIT is an IT governance model
ITIL is a service management framework
COBIT has 4 processes, 34 domains
ITIL has 9 processes
COBIT is broader than ITIL. It is based on five principles (meeting stakeholder needs; covering the enterprise end to end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management) and seven enablers (principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies).
ITIL focuses on ITSM and provides much more in-depth guidance in this area, addressing five stages of the service life cycle: service strategy, service design, service transition, service operation and continual service improvement.
In fact, COBIT tells organizations what they need to do to meet their IT challenges (Standards for good practice of IT controls)
ITIL tells them how they should do it (plan, design and implement effective service management capabilities)
However both frameworks are complementary and work together to provide guidance for the governance and management of IT-related services.
4. Why do we need control framework to guide IT auditing?
A control framework will ensure that the risks are being addressed appropriately and the company’s directives/objectives are carried out in a cost effective way maximizing returns with the available resources. A framework provides guideline for the management and evaluation of the IT processes in place. A strong control framework would mean that the IT management is serious about the overall control environment.
COSO and other frameworks that were developed as a result of the financial bankruptcies and financial collapses were mainly focused on the financial audit, and the framework was designed on that. But soon, with the growth in technology and IT becoming an integral part of any business, it became necessary that we have controls enabled for IT to mitigate the risks involved in a data breach, to control confidentiality, integrity, availability and reliability of the data and the proper functioning of systems, applications, databases, etc., and to minimize the cost and risks involved. We now have COBIT, ITIL and some other frameworks which align IT with the business needs and objectives.
Part 1: Plan and Organize (PO) – controls that help IT enable and protect business objectives. PO includes defining a strategic IT plan, and defining an information architecture.
Part 2: Acquire and Implement (AI) – controls that are tasked with converting the strategy and tactics from PO into new and changed IT services that are then integrated with the business, such as identifying automated solutions, and acquiring application software.
Part 3: Deliver and Support (DS) – controls involving the actual delivery and operations of IT services such as defining and managing service levels, and managing third-party services.
Part 4: Monitor and Evaluate (ME) – controls that are used to assess the performance of IT processes such as monitoring and evaluating IT performance and internal control.
Part 3 doesn’t mention the customer. At what point are they involved with this step? Is part 3 more of a recommendation and then it is up to the customer to decide what is within their scope/budget to implement?
The Deliver and Support domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place for information security?
Yes, even I think customer input is important. Customers can give you vital information, like, what areas do they think are more crucial and are needed to be audited more carefully.
I agree with you that customer input is important. Auditors should discuss potential issues with the customers immediately. Also, they should work together to come up with action plans to resolve potential issues.
In fact, it is better if both the customer and the auditor work together. Since it is the auditor who found the issues, his/her point of view on how to solve them can be really helpful. Based on that, the customer can develop an action plan.
An audit has six key stages:
Planning: The goal of the planning process is to determine the objectives and scope of the audit. You need to determine just what it is you’re trying to accomplish with the review. Following are some basic sources that should be referenced as part of each audit’s planning process:
• Hand-off from the audit manager
• Preliminary survey
• Customer requests
• Standard checklists
• Research
Fieldwork and Documentation: this is when the audit steps created during the preceding stage are executed by the audit team. The goal should be to document the work in enough detail so that a reasonably informed person can understand what was done and arrive at the same conclusions as the auditor.
Issue Discovery and Validation: auditors will develop a list of potential concerns. Auditors should discuss potential issues with the customers as soon as possible.
Solution Development: Three common approaches are used for developing and assigning action items for addressing audit issues:
• The recommendation approach
• The management-response approach
• The solution approach
Report Drafting and Issuance:
For you and the audit customers, it serves as a record of the audit, its results, and the resulting action plans.
For senior management and the audit committee, it serves as a “report card” on the area that was audited.
Issue tracking
Develop a process to track and follow up on issues until they are resolved
COBIT v.4.1
1. Plan and Organize:
a) Define a strategic IT plan
b) Define an information architecture
2. Acquire and Implement
a) Identify automated solutions
b) Acquire and maintain application software
3. Deliver and Support
a) Define and manage service levels
b) Manage third-party services
4. Monitor and Evaluate
a) Monitor and evaluate IT performance
b) Monitor and evaluate internal control
Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
ITIL: Information Technology Infrastructure Library framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels.
(Source: http://searchdatacenter.techtarget.com/definition/ITIL)
COBIT, Control Objectives for Information and Related Technology, is a controls framework that personnel tasked with the management of controls and processes can leverage.
Similarities: COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises. Both of them are frameworks.
Differences: ITIL could be seen as the way to manage the IT services across their lifecycle, while COBIT is about how to govern the Enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing the risks and the resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
Why do we need control framework to guide IT auditing?
IT organizations seeking to better manage risks to have more predictable enablement of the business will benefit by better understanding controls and how to embed them in processes. Those frameworks can guide IT auditing to mitigate risk and realize the business benefit. The framework can avoid multiple overlapping controls, which would lead to high cost. The framework can help IT auditors understand how effective and efficient controls are.
1) Planning: gather enough background information and determine the objectives and scope of the audit.
The audit manager shares the reasons for the audit with the team, which can create a preliminary survey and/or contact the customer for more information. The audit team also does a risk assessment prior to the audit and creates a useful checklist of what will be reviewed. Then they determine with the customers when the audit will take place.
2) Fieldwork and Documentation
The audit team acquires data and performs interviews to validate the information provided in phase 1 and develop a list of potential concerns. The audit team also carefully documents each step of the process in a way that the customer will understand.
3) Issue Discovery and Validation
The auditor discusses potential issues found in phase 2 with the customers. This will allow them to validate the accuracy of their findings and determine whether or not the risk is significant for the company and is worth reporting.
4) Solution Development
Work with your customers to develop an action plan for addressing each issue found and validated in previous phases using different approaches:
• The recommendation approach (the auditor raises issues, provides recommendations and submits them to the customers, who decide on the action plan)
• The management-response approach (the auditor develops a list of issues with or without recommendation and then throw them to the customers for their response and action plans to be included on the report)
• The solution approach (the auditor works with the customers to develop a solution that represents a mutually developed and agreed-upon action plan for addressing the issues raised during the audit)
5) Report Drafting and Issuance
The audit team drafts the audit report which should include
• Statement of the audit scope (what was included and what was not included and why)
• Executive summary to summarize the key points of the reports
• List of issues, along with action plans for resolving them
And then issues the report after it has been reviewed by the customers.
6) Issue Tracking
The audit team tracks and follows up on issues until they are solved because “issuing an audit report adds no value to the company unless it results in action being taken”
Phase 1 key activity: risk assessment and checklist
The audit team needs to understand what the audit will entail, which areas will be reviewed before doing anything.
Phase 2 key activity is: documentation
It is needed to meet the standards of the profession.
It is crucial that documentation exists to explain the auditing process and substantiate the conclusions, especially in the future or in the event previous audit results are challenged.
It is helpful for a new audit team to have detailed documentation to learn from the experience of the previous audit team
Phase 3 key activity is: discussing risk found with customers to allow the audit process to be quick and avoid debating on the issues at the end of the audit.
Phase 4 key activity: establish who is responsible for executing the action plans and the due dates by which they will be completed. This provides accountability and a basis for the auditors’ follow-up.
Phase 5: drafting the reports; make sure that customers review it before issuance, because customers should be comfortable with and in agreement with what’s in the report.
Phase 6: maintaining a database containing all audit points and their due dates, along with a mechanism for marking them as closed, overdue, and so on. Without such a process it would be challenging to track the issues.
Q: Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
A:
Similarities: Both ITIL and COBIT are used by enterprises and IT professionals who need to address business needs in the ITSM area. These two frameworks complement one another.
Differences:
• ITIL was issued by OGC; it focuses on internal IT functions of an organization. COBIT was issued by ISACA; it focuses on defining the audit and compliance requirements.
• ITIL describes HOW to do it, COBIT describes WHAT should be done.
• COBIT has a broader scope of coverage compared with ITIL. It has its own set of five principles:
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management
• ITIL focuses on ITSM and provides much more in-depth guidance in this area, addressing five stages of the service life cycle:
1. Service strategy
2. Service design
3. Service transition
4. Service operation
5. Continual service improvement.
Good summary, Wenting. COBIT also has seven enablers.
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
1) Planning
Before starting an audit, it is important to plan the entire audit to ensure it is executed effectively. The objective and scope of the audit should be determined so there is a clearly defined direction where the audit should head without being side-tracked part way through the audit.
2) Fieldwork and documentation
The audit team will execute the audit steps that were planned and document what was done, what was found and its conclusion.
3) Issue discovery and validation
Once the fieldwork is done, the audit team should develop a list of potential concerns and address them with the client to determine which should be prioritized.
4) Solution development
Once the list of potential concerns is prioritized, the audit team and client should collaborate to develop a plan to address each concern.
5) Report drafting and issuance
A report of essentially all the prior steps, documented in detail, is drafted. The report is then reviewed by the customer first before issuing it to senior management.
6) Issue tracking
Once the audit is actually done, it is important to follow-up on the solutions implemented to ensure that the issues have been addressed well enough.
1) Planning
-The request of an audit will be given to the audit manager.
-The audit team will conduct a preliminary survey of the department that requested the audit to have a deeper understanding of the functions and systems being reviewed.
-Consult with the client to receive their input on what they believe their issue is and what are their primary areas of concern
-Running through the standard IT audit checklist
-Conduct additional research for information about the area being audited.
-Assess the risk area being reviewed to determine the steps needed to accomplish the audit.
-Scheduling the actual audit at a time convenient for both parties.
-Final consultation with the client about the planned audit to receive their final input about the audit.
2) Fieldwork and Documentation
-The auditor will execute the audit steps planned and perform independent tests.
-Proper documentation of what was done, what was found and what was concluded.
3) Issue discovery and validation
-Develop a list of potential concerns.
-Consult with the client about concerns that the auditor may find to be of high risk to the client.
4) Solutions development
-The IT audit team and client should work together to develop an action plan to address each concern.
5) Report drafting and issuance
-A detailed report of the audit plan, what was done, issues discovered and actions taken to address those issues is drafted.
-The report is then reviewed by the client before issuing to senior management.
6) Issue Tracking
-Track and follow up with the client after a pre-determined date to ensure that the solutions implemented addressed the concerns.
-If unsuccessful, the audit team will have to determine if a minor or major secondary solution is needed or if the issue should be escalated to top management.
Very good points. I feel like following pre-set frameworks is easy, efficient, and cost effective. These frameworks almost ensure that you are in compliance within your industry and company.
Great list, I liked how you put risk at the top. When conducting an audit, it is important to be sure that there are procedures in place to safeguard against threats. You do not want to be conducting an audit and then have your system get hacked by an outside source due to no procedures in place to prevent attacks. A control framework establishes data structures to help guide the auditor through their process smoothly, minimizing any risk from occurring.
Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
COBIT and ITIL are both tools and guidelines that should be used by organizations to govern and manage IT-related services.
The distinction between COBIT and ITIL is that COBIT focuses more on how to govern the use of IT in order to add value to the business while optimizing the risk vs resource ratio. ITIL, on the other hand, focuses more on the actual use of IT-related services in business functions and processes.
Why do we need control framework to guide IT auditing?
A control framework is needed to ensure a uniform, thorough audit is performed by all IT auditors in all organizations. A framework is established to adhere to compliance and optimized to be effective. A framework creates a standard of IT governance that all organizations should meet in order to reduce risk related to the IT infrastructures used by organizations.
Why do we need control framework to guide IT auditing?
A control framework provides a resource for IT auditors for accepted practices. Well-known frameworks also provide a common language and set of practices. The initial goal was for public companies to self-regulate and reduce government regulation. Companies can use existing frameworks, and then build on those to improve future frameworks. Common frameworks reduce the resources a company uses to establish its own, increasing adoption rates.
Well said. Having a well-defined framework can act as a platform to build on, thus reducing the cost and effort of having to start from scratch every time.
Q3: Comparing ITIL and COBIT: list some key similarities and differences based on your understanding.
Similarities: they both provide guidance for the governance and management of IT-related services by enterprises. For enterprises and IT professionals, they prefer using both ITIL and COBIT guidance to address business needs. In general, COBIT is broader than ITIL in its scope of coverage.
Differences:
ITIL: the way to manage the IT services across their lifecycle (why)
Five stages in the ITIL service lifecycle:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
COBIT: how to govern the Enterprise IT (how)
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
4. Why do we need control framework to guide IT auditing?
A control framework is an organized and categorized structure for an organization’s internal controls. It acts as a comprehensive security protocol that protects against fraud or theft from a spectrum of outside parties, including hackers and other kinds of cyber criminals.
COBIT and ITIL are two good frameworks and we have already compared and known the similarities and differences. Again, a control framework is to minimize risks and create business values.
Q1: Explain the key IT audit phases
1. Planning
2. Fieldwork and Documentation
3. Issue Discovery and Validation
4. Solution Development
5. Report drafting and issuance
6. Issue Tracking
Q2: What are the key activities within each phase?
• Planning: Involves determining the objectives and scope of the audit. Key activities in this phase include risk assessment of the auditee, scheduling, and kickoff meetings. An auditor should also develop “a series of steps to be executed in order to accomplish the audit’s objectives”, and preliminary research should be performed.
• Fieldwork and Documentation: In this section, the auditor is now acquiring data and asking questions to determine the risks of the auditee and if those risks are being properly mitigated. Essentially, in this section the auditor is trying to validate the information that they were given, all while documenting their work.
• Issue Discovery and Validation: In this section, the auditor is creating a list with all the potential concerns they have and bringing it to the attention of the auditee/customer. In this stage, the auditor needs to confirm with the auditee whether their areas of concern are valid or not.
• Solution Development: In this section, those areas of concern that you validated in the previous step are brought forth to the auditee/customer. The text suggests one of three approaches which essentially boil down to the auditor asking how the auditee is going to fix the issue, telling the auditee’s management to fix the problem, or the auditor providing a solution recommendation to auditee.
• Report Drafting and Issuance: In this section, the Audit Report is drafted which includes a detailed list of issues concluded, how those issues will be resolved, and an executive summary of the audit.
• Issue Tracking: In this section, the auditor tracks any issues identified in the audit that need to be resolved and their due dates. Likewise, if issues are not actively being resolved, then the auditor has the responsibility to step in.
The control testing would be performed in the “fieldwork” phase. In this section it is not only important to perform the tests of controls, but also document the steps one went about testing.
Q3: Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
ITIL and COBIT are two frameworks that are used to manage IT and IT governance. ITIL was developed by the U.K. government and defines the best practices of how to plan, design, and implement effective service management capabilities. If one looks at the ITIL website, it states that ITIL can be used as a framework to align “the needs of the business and support its core processes”. Essentially, ITIL is a framework that any organization can utilize in setting up their IT infrastructure to serve their purpose and needs. For COBIT, this framework was established by ISACA and, unlike ITIL, is a framework used to implement controls within an organization’s IT infrastructure. COBIT’s framework addresses some items such as qualities of information as well as control objectives and activities. While each is slightly different in what they aim to accomplish, both can and should be used to establish an IT system that helps the business and is well controlled/governed.
I agree. In addition I feel like it works together like IT governance. The tone is set at the top… COBIT is like the board and determines why we need to implement certain controls where the general IT team would be the how and know technically what needs to get implemented. In essence one is the policy maker while the other is the enforcer.
I would agree that the IT team will be the ones to implement the changes. In my experience, I have worked with IT teams who are control conscious while other IT departments could care less. Regardless of this, these IT teams have the technical knowledge to implement controls in the IT systems, and the IT auditors are the ones to determine if those controls are effective by utilizing frameworks such as COBIT.
Q4: Why do we need control framework to guide IT auditing?
I believe one of the major reasons why IT auditors need control frameworks is to establish some sort of baseline to audit from. One can take COSO for example. As others have mentioned, COSO is comprised of 5 sections which include the control environment, risk assessment, control activities, information/communication, and monitoring activities. When these 5 components are implemented together, this should result in an effective internal control system that mitigates risks against the organization. Since an IT auditor’s function is to test IT controls, they need to make sure those 5 components are adequately covered by the internal controls in place.
To use another example, the COSO framework is like a pizza pie. You have several components such as dough, cheese, sauce, and toppings in order to successfully make a pie. If you were to audit the pizza based on how well it was made, you would need to test each ingredients being the dough, cheese, sauce and toppings. Applying this to an audit using the COSO framework, an auditor would test the control environment, the risk assessment performed by management, the control activities, how the controls are communicated, and how management monitors the quality of the controls. So for an auditor to determine if the control system is effective, they need to audit the control system framework used (a.k.a. the pizza ingredients) to make sure the internal control system is effective (a.k.a the pizza was made correctly).
I really like your pizza analogy :D. I completely agree. A control framework serves as a baseline for all audit to follow. This ensures uniformity and sort of a guarantee that if the framework is followed, the IT infrastructure of the company would be governed correctly.
I agree, nice creativity on the pizza analogy and mentioning that the control framework is like setting a baseline to make it easier for auditors to know what they are measuring. It is additionally helps the firm maintain compliance in an easy and effective manner.
I wasn’t sure at first if my analogy actually reflected the importance of frameworks for the IT Auditors but I would be glad to share it with the class.
Thanks for sharing the pizza analogy, it is very interesting and easy to understand. I totally agree with you that the control framework is a set of guidelines for auditors to follow. Following these guidelines will ensure the IT infrastructure of the company maintains strong governance.
They are similar in the sense that when used together they provide guidance and IT governance. Both are set in place as a role of IT governance and that both are set to make the IT environment more effective and efficient.
Are there situations that you would use one over the other?
Would you agree that there are certain IT service mgmt. issues that would require ITIL over COBIT? Would it be a waste of resources/overkill to use both in these situations? I only ask because I read that ITIL concentrates on and offers more detailed guidance when it comes to IT service mgmt.
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL and COBIT both address compliance and security. Each provides a framework to manage IT services and assets for enterprises. COBIT is more expansive than ITIL and provides guidance for IT governance and management across the entire enterprise. ITIL focuses on managing IT services to maximize business value. As opposed to COBIT, ITIL goes more in depth regarding IT services, including strategy, design, transition, operation, and improvement. In contrast, COBIT provides a framework beyond service, including reliability, quality and security. It is a more effective tool to address broader IT risks throughout an enterprise.
I agree. In my research, an easy way to identify the differences is simply that one is telling the ‘why’, why these controls are important and need to be placed, where the other is telling us the ‘how’. One is used at an executive or leadership level, where the other can be used at a lower level by the person implementing the controls.
Why do we need control framework to guide IT auditing?
We need a control framework to guide IT auditing to help conform to compliance within the industry. Since basic control frameworks already exist, it makes it easier and more cost-effective for a company to implement something similar and then build from it. They are set to help with efficiency and best practices within a company. These control frameworks will also ensure that all organizations follow the same set of guidelines to provide uniform auditing throughout the organization or industry.
Good point. I would also like to add that the existing controls can sometimes be a starting point for the auditor as well. Sometimes these controls also tell auditors what a specific company wants to achieve through implementing controls.
I agree frameworks are great guidelines to start with. Because a framework contains what to check and what needs to be done for each phase during the audit process, it helps auditors complete every category in a proper manner. In the planning phase of an audit, auditors can use a framework to find/learn what to start with.
Explain the key IT audit phases.
What are the key activities within each phase?
1. Audit Planning
a. Developing an overall strategy for the audit
b. Developing a scope and objectives
2. Obtaining understanding of the client and its environment
a. This is to help establish what the company is currently like
b. This includes collecting/requesting documents that are required such as financial statements
3. Assess risks of misstatements and design further audit procedures
a. Identify classes of transactions and disclosures that might be materially misstated
b. Misstatement risks are assessed through the following questions:
i. What could go wrong?
ii. How likely is it that it will go wrong?
iii. What are the likely amounts involved?
4. Perform tests of controls
a. Performed to determine whether key controls are properly designed and operating effectively.
5. Perform substantive procedures
a. Substantive procedures restrict detection risk, the risk that audit procedures will incorrectly lead to a conclusion that a material misstatement does not exist in an account balance when in fact such a misstatement does exist.
6. Complete the audit
a. Auditors perform a number of procedures near the end of the audit.
b. Evaluations for efficiency are completed
7. Audit Report
a. The report is issued.
Explain the key IT audit phases. What are the key activities within each phase?
Planning, Preliminary Survey & Risk Assessment
– Client engagement and Acceptance.
– Define audit scope and objective.
– Identify areas of fraud risks and potential responses.
– Understand business process and IT Involvement Environment.
– Understand current controls.
– Develop preliminary audit plan.
Testing and Fieldwork
– Review and evaluate controls already in place to make sure they work properly.
– Develop processes and procedures for data gathering.
– Identify areas of deficiencies or non-compliance.
Reporting
– Communicate areas noted for improvement during testing phase.
– Develop, along with business units, an actionable corrective action plan for deficiencies identified.
– Develop, along with business units, a timeline to address deficiencies identified.
– Develop final report.
– Disseminate report to appropriate business entities.
Follow-up
– Send request to business entities asking for update and selected random evidence to show progress on implementing action plan.
– Evaluate if re-testing may be necessary.
– If all checks out, close the audit plan.
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding.
COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used in IT business process management to drive business value.
ITIL mainly focuses on IT service delivery and support processes (THE HOW methodology), while COBIT provides guidance into what should be achieved through COBIT governance and control processes (THE WHAT GOAL).
Why do we need control framework to guide IT auditing?
A control framework is a way to categorize a business’s established internal controls; it also establishes audit processes and procedures intended to create business value and minimize risk.
The adoption of a control framework to guide IT auditing provides a best practice methodology to improve internal controls and identify cost savings opportunities, in addition to overall security enhancement.
Good analysis Tamer, a control framework is the basis for a business to establish its internal controls around and also for the audit process and procedures, as you mention. Everything the organization does will be centered around the control framework to make sure that everything is running smoothly and everything being done will help mitigate risk. The control framework is definitely an important tool and is like a guide for the business.
A:
Phase 1: Planning- This phase is to determine the objectives and scope of the audit. This planning process will require careful research and consideration.
Phase 2: Fieldwork and Documentation- The audit team is acquiring information and performing interviews that will help them to analyze the potential risks and determine which risks have not been mitigated appropriately.
Phase 3: Issue Discovery and Validation- Auditor should develop a list of potential issues to ensure that all the issues are valid and relevant. In addition, auditor should discuss potential issues with customers immediately.
Phase 4: Solution Development- In this phase, the auditor should work with clients to come up with possible action plans to resolve each potential issue listed by the auditors in phase 3.
Phase 5: Report Drafting and Issuance- In this phase, the auditor documents the results of the audit. For the auditor and clients, the audit report serves as a record; for management and the audit committee, it serves as a “report card” on the audit areas.
Phase 6: Issue Tracking- After the audit is completed, it is important to follow up on the solutions implemented to make sure they addressed the concerns.
Q1 Explain the key IT Audit phases
A1 The key audit phases and their explanation are as below:
1) Planning – involves determining the scope and goals of the audit and the planning of executing steps to achieve the goals. This phase will require thorough research as it would impact the schedule and outcomes of other phases.
2) Fieldwork and documentation – this phase is where the bulk of Audit planning execution is carried out. The Audit team tries to find out as much information as possible through interviews and also validating the information that is provided. They also verify recent cases and examine evidence that is provided to ascertain whether processes are followed at the ground level.
The Audit team documents the happenings of Fieldwork so that their findings can be substantiated in a way that one can understand the flow of the Auditor’s actions, inferences and conclusions. Specifics of the process reviewed and the key control points are documented as well to avoid ambiguity.
3) Issue discovery and evaluation – during this phase, the Audit team vets the concerns they found during the previous phase. It is important that the potential issues are shared with the customer and validated before reporting them as findings.
4) Solution development – Once the Audit team has validated the concerns and they have listed the valid issues and risks, they can work with the client team to develop a plan to address the gaps.
5) Report drafting and issuance – After the issues have been discovered and validated and the solutions have been recommended / agreed upon or both, the Audit team prepares the Audit report to document the audit results. The Audit report outlines the scope of the audit, the executive summary and the issues along with the recommended/agreed upon action plan.
6) Issue tracking – The Audit is not really complete without the issues being brought to closure. This is why Issue tracking is also a phase in the Audit process. The responsible Auditor follows up regularly and well in time before the due date to understand whether the issue is being worked on as agreed. In case the solution is not being implemented as agreed upon earlier, the Auditor could escalate to management if he/she feels the need. The Audit is not really complete until the issues raised have been resolved.
Source: IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller
A2 Listed below are the key activities within each phase of IT Auditing:
• Planning
o Defining scope and objective after discussion with customer
o Initial assessment that could give an idea about possible risks
o Scheduling
• Fieldwork and documentation
o Acquiring data and evidence and their validation through interviews and requests
o Documentation of audited process
• Issue discovery and validation
o Discussing potential issues with the customer and validating the concerns identified during Fieldwork
o Validate if there is significant risk to the company and determine whether the concern is to be reported
• Solution development
o Develop solution to fix the identified issues (these could be recommended or could be inviting management response or an agreed upon solution by both parties)
• Report drafting and issuance
o Preparation of Audit report which details the Audit scope, an Executive summary and the list of issues, the action plan and the due dates and the overall audit result.
o Draft Audit report to be sent for customer review and comments and subsequent changes to be incorporated
o Distribution of the Audit Report to Senior Management and often the Audit committee
• Issue tracking
o Regular follow up to ascertain that the agreed upon action plan is being implemented. If not, then taking needful action based on risk. Escalate if required.
o Follow up until the issue(s) are fixed as agreed upon.
Questions 1 and 2: Explain the key IT audit phases and the key activities within each phase.
1. Planning
a. Scoping to determine what areas should be under audit and what the present risks are within the applicable areas.
b. Determine what, if any, internal controls already exist
c. Work with the customer to figure out when the audit will take place and if any on-site visits will be included (vs a remote audit)
d. Schedule a kickoff meeting
2. Evidence Gathering and Documentation
a. Gather relevant and appropriate evidence and process documentation
b. Conduct and document any required walkthroughs of systems
c. Test evidence and identify concerns and/or findings; draw conclusions
d. Document testing in order to support conclusions.
3. Issue Discovery and Validation
a. Create list of possible concerns and/or findings that cropped up during testing
b. Discuss list with customer to validate and refine.
4. Solution Development
a. Work with customer to develop an action plan which is to include the parties responsible for each step, the due dates and deadlines for each step, the goals to be reached, and the metrics used to determine successful reaching of goals.
5. Report Drafting and Issuance
a. Create audit report that includes the scope, a high-level summary of testing, the list of findings and the actions that will be taken to remediate them, and any other recommendations or other relevant information.
b. Ensure customers are aware of the audit results before they are actually reported
c. Issue audit report to all who are appropriate (senior management, audit committee, external auditors if applicable)
6. Issue Tracking
a. Follow up on any findings reported to ensure the action plans developed to address them were either carried out, or are in-process. If they are in-process, obtain a status of progress and a tentative resolution date.
b. If findings are not being addressed, inquire as to why not and escalate to higher management.
Explain the key IT audit phases. What are the key activities within each phase?
IT audit phases are similar to the internal audit ones. The phases are as follows:
Phase 1: Audit Planning
– Developing an overall strategy for performing the audit.
– Developing an overall audit strategy, an audit plan, and an audit program.
– *Planning continues throughout the entire audit as the auditor collects sufficient appropriate audit evidence to support the audit opinion.
Phase 2: Obtain an understanding of the client and its control environment
– Must have sufficient background on the client to assess the risk of material misstatement of the financial statements and to design the nature, timing, and extent of further audit procedures.
– Allows the auditor to identify areas that may be misstated
Phase 3: Assess risks of misstatement and design further audit procedures
– Risk assessment provides the auditors with evidence on potential risks of material misstatement.
– After analyzing the design and implementation of internal controls, the auditors must decide whether the system appears adequate to prevent or detect and correct material misstatement.
Phase 4: Perform tests of controls
– Determining whether key controls are properly designed and operating.
I think it is also necessary to follow up and track the issue after the audit is completed. The audit is not considered as truly complete until the issues found in the audit are resolved, or being accepted by the management.
Source: IT Auditing by Chris Davis and Mike Schiller
Rightly said, Wen Ting and Professor Yao. I totally agree that the audit process cannot be closed without resolving each issue found in the audit. In order to do that, I also believe auditors should constantly communicate with management to inform what issues are found and what needs to be corrected for controls to operate properly. Thank you for pointing out!
Explain the key IT audit phases
1. Planning
• Determine the objectives & scope of the audit
• Establish what you’re trying to accomplish
• Develop series of steps to be executed
Hand-off from the audit manager
Preliminary survey
Customer requests
Standard checklists
Research
2. Fieldwork & Documentation
• Analyze what you will be working with and evaluate the potential risk that may be involved. Perform tests and interviews.
• Document the work you are performing step by step so that if anyone has a question, or if you need to go back to look at something, you are able to, and you know when you made the step and possibly the reason why.
3. Issue Discovery and Validation
• Discuss all potential issues with the customer as soon as they are discovered.
• Make sure all issues are valid and are risks that are significant enough to be worth bringing up.
4. Solution Development
• Work with the customer to develop a plan for addressing the issues brought forth.
• Depending on the issues, there are three approaches to help tackle the issue:
The Recommendation Approach
The Management-Response Approach
The Solution Approach
5. Report Drafting & Issuance
• Draft the audit report at this stage which is the document with the results of the audit you conducted.
• Most common essential elements of an audit report:
Statement of the audit scope
Executive summary
List of issues, along with action plans for resolving them
6. Issue Tracking
• Set up check points to follow up with the customer to make sure the issues from the audit are being resolved.
• If issue is still there, then auditor must come up with escalation procedures.
Source: IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller, Chapter 2 The Audit Process
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL vs. COBIT
Similarity
• Provide guidance for the governance and management of IT-related services
Differences
ITIL
• Provide “how”
• Way to manage the IT service across their lifecycle
• ITIL focuses more on IT service management and provides much more in-depth guidance in this area than COBIT
COBIT
• Provide “why”
• Is about how to govern the enterprise IT in order to generate the maximum creation of value by the business
Why do we need control framework to guide IT auditing?
Control frameworks are great and important when it comes to guiding IT auditing. Because those suggestions in the frameworks are taken into consideration and implemented in many situations, they are extraordinarily effective in the nature of execution of an audit. We need control frameworks to guide IT auditing because those frameworks nicely delineate and explain how the audit process should be conducted, so it actually can minimize human errors during the audit process.
Q3 Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
A3 Some of the key similarities between ITIL and COBIT are:
• Both are widely accepted frameworks for IT Organizations
• Both ITIL and COBIT represent best practices used in the industry and hence are complementary to each other.
Differences between ITIL and COBIT framework:
• ITIL was developed by the UK Government, while COBIT was developed by the IT Governance Institute.
• COBIT has a greater IT Governance scope as compared to ITIL which is focused in the area of IT Infrastructure management and service delivery.
• COBIT provides an answer to the “why” question regarding the governance model, whereas ITIL provides the answer to the “how.”
According to Sharon Penn’s article “Six-Step Audit Process”, the key audit phases include:
1. Requesting Documents: Before an audit program officially begins, the auditors are required to prepare an audit preliminary checklist that includes documents like a copy of previous audit reports and original bank statements. All of these documents need to be prepared before the audit plan is made.
2. Preparing an Audit Plan: After all the required documents are collected, the auditor looks over the collected information and reasonably allocates the audit resources by preparing an audit plan.
3. Scheduling an open meeting: Senior management and key administrative staff are then invited to an open meeting during which the scope of the audit is presented by the auditor. The leaders of departments may be asked to inform staff of possible interviews with the auditor.
4. Conducting fieldwork: After the open meeting, auditors collect all the information they gathered and use it to complete the audit plan.
5. Drafting a report: The auditor prepares a draft audit report with detailed information from the previous document collection and open meetings.
6. Setting up a closing meeting: The final step of an audit process is to solicit a response from management on whether it agrees or disagrees with the problems in the report.
It’s interesting that you listed requesting documents as the first step of the IT audit phases, and preparing the audit plan as the second step. However, I think it is the other way around; I believe it is important to determine the objectives and scope of the audit first and then request the information needed.
Question: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Similarities:
– Both have been used by IT professionals in the IT service management (ITSM)
– Both provide guidance for the governance and management of IT-related services by the organization.
Difference:
– ITIL focuses on the way to manage IT services across the lifecycle, but COBIT is more focused on how to govern the company in order to achieve the most value for the business.
– ITIL considers more details in the “service management enablers” of the enterprise IT parts. Compared with ITIL, COBIT 5 describes the principles in a bigger picture, and focuses on how to support the enterprise in meeting stakeholder needs, especially those related to IT assets.
(from New Horizons)
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
There are five stages in the ITIL service lifecycle:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
Q: Explain the key IT audit phases. What are the key activities within each phase?
Planning – determine the objectives and scope of the audit
Key activities: performs preliminary surveys; collaborates with customers; assessment
Field work and documentation – analyze the potential risks and determine which risks have not been mitigated appropriately
Key activities: performance assessment; documentation
Issue discovery and Validation – ensure the list of potential issues are valid and relevant and the risk presented is significant enough to be worth reporting and discussing
Key activities: communicates with customers; reviews systems for compliance with internal policies
Solution development – develop an action plan for addressing each issue
Key activities: provides recommendation; obtains feedback from customers; develops solutions
Report drafting and issuance – document the results of the audit
Key activities: articulates audit scope; writes executive summaries; provides a list of issues and action plans that all levels can understand
Issue tracking – track and follow up on issues until they are resolved
Key activities: maintains database; contacts responsible customers; initiates escalation procedures if needed; decision-making regarding the validation of solutions implemented to address audit issues
Why do we need control framework to guide IT auditing?
An integrated framework can enhance the effectiveness and efficiency of internal control and guide IT auditing. According to the COSO cube, there are five components that can help management establish an integrated framework:
– Control environment. As we discussed in the previous class, the control environment requires that upper management has an understanding of the importance of internal control. A mature control environment in an organization can assist IT auditors in effectively collecting evidence and other required information.
– Risk assessment. The risk assessment is necessary to analyze relevant risks to the achievement of the objectives of the IT auditing plan. By identifying the potential risks, the organization can preventively control the loss before the risk actually occurs.
– Control activities. These are procedures and policies which ensure that when risks happen, necessary actions can stop the loss and ensure the entity’s objectives are achieved.
– Information and communication. COSO requires that pertinent information be identified, captured, and communicated.
– Monitoring. The internal control systems need to be monitored. From IT auditing’s perspective, the auditing process also requires ongoing monitoring activities and separate evaluations, which can prevent potential fraud and enhance the effectiveness of IT auditing.
Thanks for your sharing. Risk assessment is a very important component; evaluating the risks identified gives your unique perspective on the IT organization. It assesses the framework and process IT has embedded within the function to assess and manage risks. It evaluates the actions taken to mitigate risks and the level of accountability within the process.
Q: Why do we need control framework to guide IT auditing?
A control framework organizes and categorizes an organization’s internal controls; it provides guidelines and standards for IT auditing to achieve compliance with applicable laws and regulations, effectiveness and efficiency of operations, and reliability of reports.
Q: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Comparison between COBIT and ITIL
Function: Mapping IT Process vs Mapping IT Service Level Management
Area: 4 Process and 34 Domain vs 9 Process
Issuer: ISACA vs OGC
Implementation: Information System Audit vs Manage Service Level
Consultant: Accounting Firm, IT Consulting Firm vs IT Consulting Firm
Absolutely agree with you. Based on my understanding:
COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
ITIL could be seen as the way to manage the IT services across their lifecycle, while COBIT is about how to govern the enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing the risks and the resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
Q4 Why do we need control framework to guide IT auditing?
A4 Control frameworks are needed to guide IT auditing as they provide
• Established best practices and control standards as a benchmark
• Clear guidelines about managing IT services, and
• Well defined guidelines for Risk Assessment, Issue and Risk tracking
Against which the Audited company’s IT environment can be assessed.
1. Explain the key IT Audit phases
2. What are some key activities within each phase?
Planning-
-This is the stage where the auditor develops the objectives and steps of the audit. Research is required in order to do adequate planning. The auditor should research why the audit is being scheduled, which may include interviews with the customer, with the goal being to get some background on the area that is going to be audited. Finding out about certain audit areas from the customer and factoring that into the audit plan is important in order to keep the conversation lines strong.
Fieldwork and Documentation-
The auditor will document the steps taken and the review that was completed. If a particular system was reviewed the auditor will indicate the steps that were taken in reviewing that system.
Issue discovery and validation-
This phase has the auditor shedding light on some of the risks the organization may have. It is important here to rank the issues when presenting to a customer. It may be better to present issues that pose serious risks, as opposed to just presenting each issue.
Solutions development-
This stage has the auditor providing solutions to the checklist of issues they discovered. From here they can state an opinion of how these issues can be addressed. Here the auditors can establish responsibility and due dates for the issues to be resolved.
Report drafting and issuance-
In this stage we draft an audit report that includes issues, action plans, and an executive summary. The executive summary should include information that is concise so that management can read it as a stand-alone document. A list of all issues that were discovered in the audit should be included as well as the action plan on how to address those issues.
Issue tracking-
The auditor should keep in contact with the customer to ensure that the issue is being worked on. If the auditor finds that the issue is not being worked on, it may be necessary to escalate the issue to higher management.
Source: Chapter 2, IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
The COBIT model highlights control activities and control objectives. The structure is broken down into four areas: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. Within each of these control objectives lies a framework for IT Governance and the IT Process.
ITIL is a set of standards for implementing best practices towards asset management, security and a list of other IT services.
The two seem to be different in scope but still complement one another. COBIT provides a structure to assess the control environment, whereas ITIL focuses more on the IT services included in its structure. In a way it seems like two sides of the same coin.
Source: Chapter 16, IT Auditing: Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Why do we need control framework to guide IT auditing?
A control framework is important because it provides a basis against which the IT auditor can compare the organization's controls. With a control framework, measurement of a control is possible because there exists a baseline (the control framework) against which to compare the issue or control in question.
Source: Chapter 16, IT Auditing: Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Agreed Daniel, the control framework acts as a manual or guide for IT auditors to look to for comparison of controls when conducting an audit. It helps to make sure that everything is being done correctly. If there is an issue, then they can look to it to see if there are any issues and why those issues may have occurred.
Q:Why do we need control framework to guide IT auditing?
A: We need a control framework to guide IT auditing because it serves as a set of guidelines for IT auditors to follow. Following these guidelines will ensure that the company's IT infrastructure maintains strong governance.
Good post, a control framework is necessary for IT auditing. A control framework is a data structure that organizes and categorizes an organization's internal controls, which are practices and procedures established to create business value and minimize risk.
Question: What are the key activities within each phase?
1. Planning
- Developing the scope of the audit
- Determine the existing internal controls
- Preliminary survey
- Research
- Communicate/schedule with customers to set up where and when the audit will take place
2. Fieldwork and Documentation
- Gather information
- Test evidence and identify issues
- Document testing to support conclusions
3. Issue Discovery and Validation
- Create a list of possible issues that come up during the audit
- Discuss the potential issues with customers to validate them
4. Solution Development
- Work with customers to come up with action plans. There are three approaches to resolve issues:
a. The recommendation approach
b. The management-response approach
c. The solution approach
5. Report Drafting and Issuance
- Finalize the audit report, which includes:
a. Statement of the audit scope
b. Executive summary
c. List of issues and action plans for resolving each of the issues
6. Issue Tracking
- Follow up with customers to see whether all the issues found in the audit are resolved
- Come up with escalation plans when issues still exist.
Hi Wen ting Lu, your post is good. Internal control activities can be found throughout the workplace. All employees fit into the organizational picture of internal control, whether or not their job responsibilities are directly related to these example activities. Key controls are those elements of the five components of internal control that have a pervasive effect upon the accomplishment of management's control objectives. These key controls will be similar for all financial reporting frameworks, including special purpose frameworks. At the entity level for smaller entities, these controls may be informal and ordinarily carried out by one or a few persons, such as an owner or manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected.
1st phase: Audit objective:
Identify the purpose.
2nd phase: Audit scope:
Identify which specific part of the organization needs to be audited.
3rd phase: Pre-audit planning:
Identify what technical skills and resources are needed.
Identify the sources of information for the audit.
Identify the locations or facilities for the audit.
Develop a communication plan.
4th phase: Audit procedures and steps for data gathering:
Select the audit approach to verify and test the controls.
List the individuals who need to be interviewed.
Obtain departmental policies, standards and guidelines for review.
Develop audit tools and methods.
5th phase: Procedures for evaluating the test or review results:
Identify the methods to perform the evaluation.
Set up the criteria.
Confirm that the approach and resources are accurate.
6th phase: Procedures for communication with management:
Determine how often the communication occurs.
Prepare for the final report.
7th phase: Audit report preparation:
Disclose the related procedures.
Review and evaluate the soundness of documents, policies and procedures.
COBIT stands for Control Objectives for Information and Related Technology. Its main function is to help the organization map its IT processes to ISACA's best-practice standard.
ITIL is regarded as the Information Technology Infrastructure Library. It is a framework for managing IT service levels. ITIL is much easier to implement, as implementing ITIL has only a partial or no impact on the performance of the organization. COBIT is quite difficult to implement, because a process should be seen in a bigger picture first before it can be implemented partially.
COBIT stands for Control Objectives for Information and Related Technology. There are 4 key features of the COBIT framework. It is not reliant on a specific technical platform. The processes and management are focused on the owners of such. It has become the international standard for IT governance. ITIL stands for IT Infrastructure Library. ITIL is a framework on how to implement a project. ITIL is more closely focused on infrastructure and services. During my time at Verizon, all project managers had to become ITIL certified. COBIT is more of a general framework which can be applied outside of just an infrastructure and services scope. ITIL focuses on the following issues:
Service Support Functions:
Problem Management
Incident Management
Service Desk
Change Management
Release Management
Configuration Management
Service Delivery Functions:
Capacity Management
Availability Management
Financial Management
Continuity Management
Service Levels
Why do we need control framework to guide IT auditing?
A control framework is a data structure that organizes and categorizes an organization's internal controls. A well-established control framework can help the organization create business value and minimize risk. The COSO framework, the most commonly used control framework in the world, consists of the internal control environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
Why do we need control framework to guide IT auditing?
A control framework organizes the company's internal controls through data structures. Having it in place is crucial to guiding IT auditing, so that auditors know the processes in place for the organization. They also get the reassurance that they are performing their work in a safe environment and within the rules and regulations. A control framework identifies potential risks and minimizes them, and also complies with the rules and regulations.
Question: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding.
COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
ITIL could be seen as the way to manage IT services across their lifecycle, while COBIT is about how to govern enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing the risks and the resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
Generally speaking, COBIT is broader than ITIL in its scope of coverage.
And I really like the example to demonstrate the similarities and differences. The list below shows my understanding of the differences and similarities.
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
ITIL focuses on ITSM and provides much more in-depth guidance in this area.
There are five stages in the ITIL Service Lifecycle:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
The first phase of an audit is the planning stage. This is where you determine what you plan to review and the overall objectives and scope. Some of the key activities include: hand-off from the audit manager, preliminary survey, customer requests, standard checklists, research, assessments and scheduling.
The next phase is fieldwork and documentation. This is where the team acquires data and performs the necessary interviews that will help analyze the potential risks appropriately. Key activities include documentation.
Issue discovery and validation is the next phase of the audit process. This is where the auditor would scrub the list of potential issues to ensure that identified issues are valid and relevant. Key activities in this area include having discussions with customers of potential identified issues rather than waiting until the audit process is complete and overwhelming them with a long list of issues.
Solution development is the next phase of the audit process. This is where an action plan is developed to address the relevant identified risks. Here you take one of 3 approaches to develop a solution to the problem: (1) the recommendation approach, (2) the management-response approach, or (3) the solution approach. The key activity in this area is giving guidance and leveraging a collaborative environment to come up with a solution.
Report drafting and issuance is the next step of the audit process. Here you draft the audit report. The audit report includes a statement of the scope of the audit, an executive summary, the list of issues and action plans, key controls, closed items, and minor issues.
The final stage in the audit process is issue tracking. This involves maintaining a database containing all audit points and their due dates and marking them complete as they move through the process.
Why do we need control framework to guide IT auditing?
Frameworks are needed to define policies and procedures around the implementation and management of controls in an environment. They essentially act as a blueprint for building the security program and manage risk. Depending on what the scope of the audit is different frameworks can be leveraged.
Why do we need control framework to guide IT auditing?
A control framework is a data structure that organizes and categorizes an organization's internal controls, which are practices and procedures established to create business value and minimize risk. The purpose of a control framework in guiding IT auditing is to help monitor the efficiency and effectiveness of operations in IT. Not having this framework in place would mean that there is no formalized structure or basis of understanding for controls. The framework is important because it gives auditors a starting point to perform audits and an understanding of what controls should be established for an organization to be effective in IT.
Ian M. Johnson says
Explain the key IT audit phases
What are the key activities within each phase?
I. The first key IT Audit phase is: Requesting Documents
a. Key activities: Inform the organization of the coming audit, Create the preliminary checklist, Request documents listed on an audit preliminary checklist; Examples:
a. Copy of the previous audit report,
b. Bank statements,
c. receipts and records,
d. Organizational charts.
II. Next phase: Preparing an Audit Plan
a. Key activities: Examine documents, Plan the audit, Conduct a risk workshop to identify possible problems, Actually draft the audit plan.
III. Next phase: Scheduling an Open Meeting
a. Key Activities: Create the scope of the audit, Open meeting to host management and admin staff to present the scope, A time frame for the audit is determined
IV. Next Phase: Conducting Fieldwork
a. Key Activities: Finalize the audit plan, Procedures and processes are reviewed (usually by speaking to staff members and reviewing), Tests compliance with policies and procedures, Internal controls are assessed, Deliberate problems with organization and give opportunity for org to respond.
V. 5th phase: Drafting a Report
a. Key Activities: Report prep to go through the findings of the audit, Report includes: mathematical errors, issues and problems, payments authorized but not paid, Recommended solutions to any problems.
VI. Last phase: Setting Up a Closing Meeting
a. Key Activities: Asks for a response from management, Gives a chance for org to agree or disagree with problems in the report, Describes an action plan for management, Provides a projected completion date, Any remaining issues are discussed.
source: http://smallbusiness.chron.com/sixstep-audit-process-17816.html
Liang Yao says
One very important task for the IT audit process is to identify the "Audit Universe" (what needs to be audited?). Within the Audit Universe, IT audit senior management identifies audit entities based on risk assessment, and then the audit cycle (frequency) will be determined based on the risk rating. We will discuss this further during our next class.
Liang Yao says
Ian – Doc. requests are usually developed at the end of the planning stage, once the scope is defined, the controls that need to be tested are determined and the testing procedures are developed. Then auditors will prepare the required doc. list as review/testing evidence. Make sense?
Tamer Tayea says
Good recap of the audit process. I would add the importance of keeping the customer engaged during all phases of the audit process. Customer communication is a crucial part of a successful IT audit.
Ian M. Johnson says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Simply put: COBIT provides the ‘why’; ITIL provides the ‘how’, COBIT is broader than ITIL in its scope of analysis, and ITIL concentrates on and offers more detailed guidance when it comes to IT service mgmt.
However, I read that there is more to it… It shouldn’t be one or the other but rather both should be examined when determining which fits your IT service mgmt business needs better. This strategy allows IT to leverage the strengths of both frameworks, customizing them for company use as needed, and ultimately allowing the company to solve complicated business problems while achieving business goals.
Source: https://blogs.technet.microsoft.com/cdnitmanagers/2014/04/06/cobit-versus-itil/
Ian M. Johnson says
Why do we need control framework to guide IT auditing?
1. To provide the data structure that will help design, implement, organize, and categorize Internal controls
2. To make sure internal controls meet requirements and are working properly.
3. To ensure efficient IT audit processes; including means for reporting
4. To risk assess, risk respond, and ultimately minimize risk
5. To create business value
Liang Yao says
summarized well. Always remember “Risk and Control Assessment”…
Magaly Perez says
Yes, risk and control assessment are two huge factors of an IT audit. They underlie the entire audit process: the selection of controls to test, and the determination of the evidence necessary for a given control. By identifying the internal controls and selecting controls to test, the auditor is able to evaluate the company's controls adequately and address the identified risks.
Vu Do says
Nice list Ian, you hit all the right points on why a control framework is needed to guide IT auditing. Everything you said is to ensure the controls in place for the organization are working properly and that there are controls in place to mitigate risk. It all flows smoothly and sound; business value at the end ties it all together. By having the control framework there, it is important not only to have controls in place that will help the business function day to day, but also to create value so that employees will work to make sure the controls stay in place and function as intended.
Tamer Tayea says
Good summary. Controls provide a process to create a paper/electronic trail for different IT assets and business processes; later the audit process evaluates data drawn from the paper/electronic trail logs against the audit requirements.
Priya Prasad Pataskar says
Q] Explain the key IT audit phases
The IT Audit phases are as below,
1. Planning
– Understand background, scope, objective to perform audit from audit manager
– Understand area to be review and preliminary assessment of risk
– Involve customer to establish open and honest communication
– Prepare standard and customized audit checklist
– Research to keep up with current industry expectation
– Perform assessment of risks; identify controls and processes to assess risk
– Schedule the audit and assign duties, involve customer, audit team
– Conduct opening meeting
2. Fieldwork and Documentation
– Review documentation to check if it meets standard requirement and efficiency
– Collect samples and Conduct interviews
– Validate controls and effectiveness of implementation of controls
3. Issue Discovery and Validation
– List potential concerns and discuss with customer
4. Solution Development
– Develop action plan in coordination with customer to address each issue raised
– Any of the approaches below can be used
5. Draft audit report (audit scope, executive summary, List of Issues and Action plans)
– Prepare draft report and issue to the customer
– Update the draft after customer comments if necessary
6. Track Closure actions
– Follow-up on closures
– Escalate if necessary
Priya Prasad Pataskar says
This answer also contains answer to Q2 ] What are the key activities within each phase?
Priya Prasad Pataskar says
[Source: IT Auditing: Using Controls to Protect Information Assets by Chris Davis and Mike Schiller]
Liang Yao says
very detailed…however, re-think about Step 4. Which party is responsible to develop “action plans” to remediate audit findings?
Said Ouedraogo says
Pr. Yao,
I think both parties are responsible to develop an "action plan" to remediate audit findings. In fact, after validating the risks, the auditor can work with the customer to develop an action plan for addressing each issue. Three common approaches (recommendation, management-response and solution) are used for developing an action plan and addressing audit issues.
Said Ouedraogo says
*both parties are responsible to develop
Brou Marie Joelle Alexandra Adje says
Said, both parties are not responsible to develop action plans. I mean the auditor does not work in collaboration with the customers in all three approaches. In fact, in the management-response approach, instead of developing a mutually agreed-upon solution, the auditors just say what they want and then allow the audit customers to say what they want, with the auditors then getting the last word in the report.
Said Ouedraogo says
Alexandra,
You are absolutely right. The management-response approach is more like a “contest” than a collaborative approach. The auditors send a report with recommendations (sometimes) and wait for the customers to respond.
Thank you for your clarification.
Brou Marie Joelle Alexandra Adje says
Exactly! And then the solution approach is eventually a mix of both the management- response and recommendation approach. In fact in the solution approach, the auditors are providing ideas to solve the issues based on their control knowledge (recommendation) and, the customers are providing ideas for resolutions based on their operational knowledge (management- response). As a result the customers have the final say and “own” the action plans, as long as they are approved by the auditors.
Binu Anna Eapen says
Yes. An auditor can suggest or recommend the action plan. But finally it should be the customer who takes the decision whether they want to accept it or not.
Priya Prasad Pataskar says
Binu, I think the customer cannot completely deny a recommendation. They could have a different way to approach the final result, and they should discuss with the auditor why they think a different approach is better.
This point makes more sense when we understand that the customer is doing the business on a daily basis and the auditor might be involved with the company only during the audit phases. The customer will have a good idea of how efficiently the recommendation can work.
Seunghyun (Daniel) Min says
Binu,
I also agree with Priya. Internal auditors are supposed to provide the best practical options to improve an organization's control system. If the organization is completely denying the suggestions and not implementing proper controls, they are just making themselves more vulnerable. But auditors are not going to tell customers directly which controls they should use. It relies on the customer to choose how to correct their control environment.
Priya Prasad Pataskar says
Rightly said Annamarie. Solution based approach is the key.
In this approach the auditor and customer should demonstrate flexibility in ways to implement a control.
Flexibility also must be with the timelines given to implement. Although a deadline must be fixed, they can mutually agree to a timeline.
Liang Yao says
Good discussions upon what needs to be done once auditors and auditees agreed on findings. I will summarize this during the class.
Deepali Kochhar says
Said,
Both parties will not work on the action plan. The auditor's job will be to give the recommendation. It is the responsibility of the customer to work on the action plans based on the recommendation and findings of the audit.
Paul M. Dooley says
I agree with Deepali's sentiments here. It is the auditor's responsibility to identify and bring to attention any holes in what they audited, and while it may not be necessary for the auditor to give their input as far as working the action plan to mitigate the identified risks, I think it is critical to have a meaningful dialogue about what was found and also to use their experience to give the customer ideas they may have encountered with other clients as proposed action plans to mitigate the identified risk. One of the major points outlined throughout the semester is the need for the auditor to work closely with the management team and client in order to effectively accomplish the goal, which is to minimize any exposure they may have.
Priya Prasad Pataskar says
There are 3 solution development approaches:
1. Recommendation Approach
This is a solution suggested by the auditors. Mostly this is easy to do for the auditor and for the auditees to agree to it. However, the recommendation might not be practically easy to implement unless it is suggested by a thoroughly experienced audit team. The involvement of the customer is almost negligible.
In my opinion this approach is a happy way for everyone but may not be good for implementation.
2. Management Response Approach
In this style of solution development, the auditors will only point out the findings. In most cases, the customer will not agree to work on a solution as they do not agree with the finding. I believe this difference is because of two reasons:
– It matters on which side of the audit you are and where the finger pointing is happening
– The customers may think, "Hey, it is easy for the auditor to just say this is wrong, implement a new thing. It cannot be practically done."
However, in both these cases there is a lack of communication and nothing is agreed upon.
3. The Solution Approach
As the name suggests, this would be the right choice to develop an action plan. The auditor can recommend, the customer can listen and respond. This approach will give the best of both to find a solution. It will be easy to implement as everyone would have agreed to it.
Liang Yao says
Priya – Just curious about the source of the approaches you mentioned above? Or is it from the organization you were with before?
Priya Prasad Pataskar says
Prof Yao, I have experienced this while working; however, to summarize it in words I referred to the IT Auditing book.
One such experience I had was during one of the audits I conducted. There was a finding on access management: reconciliation of access was not performed.
I had discussed the finding and the customer readily agreed to set up a reconciliation process. When I verified the control for closure I understood that they had worked hard to put the reconciliation process in place, but they did not reconcile with the expected party. Hence the finding could not be closed even though they had put in a lot of effort.
A solution-based approach is thus important:
– The auditor is able to explain the finding; this makes it easy for the customer and management to find a solution
– There will be less of a gap in communication. Many times the customer may implement the control and take corrective action, but not at the level the auditor expects. This just adds extra time and cost which they could have avoided earlier.
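The finding above turns on which population the access list is reconciled against. The following is an added example, not code from the post or from the IT Auditing book: an access reconciliation check that compares an application's enabled accounts against an authoritative source. All sample data is constructed, and the field names and the 90-day dormancy threshold are assumptions. It runs the same check twice, once against the application owner's own list of "who should have access" and once against the HR roster, to show why reconciling with the wrong party closes nothing.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Account:
    """One account as exported from the audited application (assumed format)."""
    user_id: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Employee:
    """One row of the authoritative HR roster (assumed format)."""
    user_id: str
    active: bool


# Constructed sample data for the example.
AS_OF = date(2024, 3, 31)
HR_ROSTER = [
    Employee("alice", True),
    Employee("bob", False),      # terminated: the account should be disabled
    Employee("carol", True),
]
APP_ACCOUNTS = [
    Account("alice", True, date(2024, 3, 28)),
    Account("bob", True, date(2024, 2, 1)),      # still enabled after termination
    Account("carol", True, date(2023, 11, 2)),   # legitimate employee, but dormant
    Account("svc_batch", True, None),            # not on the HR roster at all
]
# The application owner's own "authorized users" list. It was compiled from the
# application's account export, so it simply mirrors whatever accounts exist.
OWNER_LIST = {"alice", "bob", "carol", "svc_batch"}


def reconcile(accounts: Iterable[Account], authorized: set[str],
              as_of: date, dormant_days: int = 90) -> dict[str, list[str]]:
    """Compare enabled application accounts with an authorized population.

    Returns three sorted exception lists:
      unauthorized:  enabled accounts whose user is not in `authorized`
      dormant:       enabled accounts with no login within `dormant_days`
      unprovisioned: authorized users with no enabled account (informational)
    """
    cutoff = as_of - timedelta(days=dormant_days)
    enabled = {a.user_id: a for a in accounts if a.enabled}
    unauthorized = sorted(u for u in enabled if u not in authorized)
    dormant = sorted(u for u, a in enabled.items()
                     if a.last_login is None or a.last_login < cutoff)
    unprovisioned = sorted(u for u in authorized if u not in enabled)
    return {"unauthorized": unauthorized, "dormant": dormant,
            "unprovisioned": unprovisioned}


def authorized_from_hr(roster: Iterable[Employee]) -> set[str]:
    """The expected party to reconcile against: active employees per HR."""
    return {e.user_id for e in roster if e.active}


def run_both() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Run the check against the owner's list and against the HR roster."""
    against_owner = reconcile(APP_ACCOUNTS, OWNER_LIST, AS_OF)
    against_hr = reconcile(APP_ACCOUNTS, authorized_from_hr(HR_ROSTER), AS_OF)
    return against_owner, against_hr


if __name__ == "__main__":
    owner, hr = run_both()
    print("vs owner list:", owner)   # no unauthorized accounts found
    print("vs HR roster: ", hr)      # bob and svc_batch flagged as unauthorized
```

Reconciled against the owner's list, the terminated user and the unowned service account both look authorized, which is exactly the outcome the post describes: effort spent, control "implemented", finding not closable. Reconciled against the HR roster, both are flagged, and the dormant-login check surfaces a third item worth a conversation regardless of which list is used.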
Annamarie Filippone says
Great detail in your answer Priya, especially for the Planning stage. I think a few of those key steps (such as creating customized checklists and researching the industry) can be forgotten or not given enough attention for the sake of time or, as I have occasionally seen, due to heavy reliance on information from previous audits. Not giving this stage its due attention will only make the audit more difficult for both the auditors and the customers, so it is crucial that auditors plan appropriately.
Brou Marie Joelle Alexandra Adje says
I agree with Annamarie. Checklists help to ensure that the audit is conducted in a systematic and comprehensive manner, and that the proper evidence and documentation are obtained. I think they help auditors do a better job and shouldn't be dismissed.
Paul M. Dooley says
I agree. Intimate knowledge of key vertical industries can be a huge help and should be leveraged more. No matter how much you may study and read, there’s nothing quite like having personal experience and real life scenarios to be able to reference and the associated outcomes from different approaches. This should be shared regularly and should drastically help the ability to bring value to the client, rather than just being a pain that picks apart the clients hard work.
Abhay V Kshirsagar says
Priya,
I liked that you detailed the stages. I tried to detail them as much as I could and I missed the industry specific expectations point, which I think is a crucial point. Thanks!
Tamer Tayea says
Good Summary Priya , the solution development section is all about proposing controls to mitigate potential risks.
Priya Prasad Pataskar says
Q4] Why do we need control framework to guide IT auditing?
Control frameworks were designed so as to have internal controls to monitor the efficiency and effectiveness of operations in an organization. IT controls are a subset of all the internal controls. Many prominent frameworks (like COSO, COBIT, ISO 27001, ITIL) have emerged to guide the management and evaluation of IT processes.
Below I will try to explain how IT Audit merges with COSO framework and how COSO framework is used in framing the IT Audit. As defined in COSO, internal controls consist of 5 components.
Control Environment
IT Audit requires control from management. The Audit department must be formed and delegation of authorities must be done.
Ex. An organization must have an Audit Manager. He must report to the CIO.
Risk Assessment
Risk analysis is an integral part of IT audit. What factors should the controls be assigned on? When and how must the controls be implemented? Unless risk analysis is done, an IT audit will not have a checklist to focus on. Risk assessment will give the quantification of factors and values associated with risks.
Ex. IT audit must realize that not keeping a record of visitors can be a risk. A visitor management system must be in place.
Control Activities
Control activities are the policies. IT Audit needs policies and procedures to form the standard. The auditor must know what the best practice that must be followed is. Organizational policies will define the IT Audit plan, verification and the organizational security framework.
Ex. It is a security policy to train employees about security policies in the company on a regular basis. IT audit will verify whether training is conducted for all employees and whether the frequency matches the standard policy.
Information and communication
Information must be available at right place and time and must be communicated to relative stakeholders.
Ex. An audit draft report must be sent to the relevant stakeholders before publishing the final report. If there is a lack of communication and a stakeholder is missed, the audit report may not be accurate.
Monitoring
Continuous evaluation must be done to maintain the quality of security in the organization.
Ex. There must be an audit plan and schedule to achieve effectiveness. Say an internal audit is scheduled once a quarter.
Likewise any control framework will help constructing and guiding the IT Audit process.
Liang Yao says
IT audit relies on those frameworks for risk assessment and control testing. You are heading in the right direction. A few corrections: (a) from a reporting structure standpoint, the Audit Director should report to the Audit Committee/the Board and administratively to the CEO. (b) from an IT audit aspect, auditors need to get comfortable that management has effective controls in place to incorporate the COSO framework, e.g. adequate MIS reports from the Monitoring aspect, effective communication regarding policies and procedures.
Yulun Song says
Priya, thank you for the explanations and examples of all the COSO framework components. COSO, as a joint initiative to combat corporate fraud, helps organizations to establish governance, business ethics, internal controls, enterprise risk management, etc.
Liang Yao says
Priya – Glad that you pointed out the risk assessment. Be prepared to elaborate during the class...:)
Fangzhou Hou says
Priya, good example of using the COSO 5 components. I agree with what you said, "Control activities are the policies," and do you think the control activities also include the three types of control, like preventive control, detective control, and corrective control? I believe that most of these policies and procedures are preventive controls to stop the loss before it actually occurs. What do you think?
Deepali Kochhar says
Q1. Explain the key IT audit phases. What are the key activities within each phase?
Key IT Audit phases are:
• Audit subject
  - Identify the area to be audited
• Audit objective
  - Identify the purpose of the audit
  - Example: Program source code changes occur in a well-defined and controlled environment
• Audit scope
  - Identify what all systems, functions or units are financially in scope
  - Example: Review of source code on a single application and limited to a specific time period
• Pre-audit planning
  - Communicate with the manager or authorized staff to understand the infrastructure; gather sources of information such as flow charts, policies, standards and prior audit papers.
  - Develop a communication plan which describes whom to communicate with, when and how often.
• Audit procedures and steps for data gathering
  - Identify and select the audit approach and test the controls
  - Identify people to be interviewed, and departmental policies, standards and guidelines to be reviewed
  - Develop audit tools and methodology to test and verify controls
• Procedures for evaluating the test or review results
  - Identify methods and tools to perform the evaluation, criteria for evaluating the test and resources to confirm the evaluation is accurate
• Identify procedures for communication with management
  - Determine the frequency of communication and prepare documentation for the final report
• Prepare audit reports
  - Disclose follow-up review procedures.
  - Disclose procedures to evaluate operational efficiency and effectiveness
  - Disclose procedures to test controls
  - Review and evaluate the soundness of documents, policies and procedures
Priya Prasad Pataskar says
Q3. Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
Differences
Implementation:
COBIT provides the ‘What’ and ITIL provides the ‘How’. COBIT is complex and broader in scope. It generally gets an organizational-level budget. ITIL will focus on IT elements and is mostly funded by the IT department.
Vendor:
COBIT is complex, and consultation from the Big 4 would be the right choice. ITIL can be implemented by smaller consulting firms, e.g. Accenture.
Origin:
COBIT is ISACA’s ITGI’s model, while ITIL was developed by the UK Government (OGC).
Similarities
– Both COBIT and ITIL focus on ITSM
– COBIT and ITIL ensure effective IT governance
– Both are complementary to each other.
Source
[https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx]
[IT Auditing by Chris Davis and Mike Schiller]
Liang Yao says
I like the words “what” and “how”. The two frameworks aim at IT controls from different aspects. ITIL is often used by technology management to “implement” technical controls, and COBIT, on the other hand, is used by technology risk management and IT auditors to assess the control environment.
Magaly Perez says
Professor, I never thought to consider what type of IT management positions would prefer ITIL over COBIT and vice versa.
That completely makes sense though. COBIT does generalize and describe the audit and compliance requirements for IT, and ITIL supports the operations for IT management.
Yu Ming Keung says
I just recalled the professor said in the class that IT auditors will only report to the executives on “what objectives need to be achieved”, and they are not responsible for answering “how the objectives have to be achieved”. That answers why COBIT is widely used by technology risk management and IT auditors. Thanks for the clarification.
Wenlin Zhou says
Yes, I agree with Ming; the IT auditors are not responsible for making a plan to solve the problem. The COBIT aim is to provide an overarching framework that incorporates different subsets of information management and control while promoting greater consistency among these areas. Unlike prescriptive requirements for a specific regulation, COBIT can be used for a wide range of enterprise needs, including information security, regulatory compliance, risk management and financial processing.
Paul M. Dooley says
It may not be the responsibility; however, I believe it is best practice to collaborate and discuss action plans that others may have used to address similar findings. Any insight that can be provided can bring a huge amount of value to the client, which should certainly be a part of the goal if you would like repeat business from said client.
Fangzhou Hou says
Hi, Yu Ming, thanks for bringing it back to what IT auditors should report, and that they are not supposed to answer how to achieve the objectives. Professor Yao also mentioned why IT auditors should not take the responsibility for answering how: it’s because if the suggestions from IT auditors fail or even make things worse, the auditors may lose their job. From this perspective, I do agree with you that COBIT has a positive influence in technology risk management.
Liang Yao says
In general, management relies on ITIL to design and deploy IT controls; IT auditors, on the other hand, leverage COBIT to verify the design and operating effectiveness of IT controls.
Seunghyun (Daniel) Min says
Professor Yao,
If ITIL is generally used by management to design and deploy IT controls, when/what do IT auditors use ITIL for?
Ming Hu says
Thanks for your sharing. I like the word “complementary”: both of them share the same objectives from different views and focus on different aspects.
Tamer Tayea says
ITIL provides the answer to the “HOW” question, while COBIT provides the answer to the “WHAT” question.
Sean Patrick Walsh says
Explain the key IT audit phases
1. Planning
2. Fieldwork and Documentation
3. Issue Discovery and Validation
4. Solution Development
5. Report Drafting and Issuance
6. Issue Tracking
Liang Yao says
Sean, thanks for reading my slides…:)
Sean Patrick Walsh says
I just found the slides you had this in, but I don’t think we made it that far the first meeting. I took these steps from the class textbook, but think I should have combined it with answering question 2 to save space like other students had.
Sean Patrick Walsh says
What are the key activities within each phase?
1. Planning
– Determine the objectives and scope of the audit
– Determine what you hope to accomplish
– Develop the steps necessary to conduct the audit
2. Fieldwork and Documentation
– Audit steps are conducted by audit team
– Work documentation
– Data collection and interviews
3. Issue Discovery and Validation
– Develop list of concerns
– Discuss concerns with customers for validation
– Ensure only legitimate concerns are entered into the report
4. Solution Development
– Work with customers to develop plan for correcting issues
– Escalate an issue only when necessary, and only to the necessary level
– Notify customers when escalating an issue, and escalate through each level as necessary
5. Report Drafting and Issuance
– Document results of audit
– State scope of audit
– Executive summary of audit with clear and concise wording
– Full list of issues and plan of action for each issue
6. Issue Tracking
– Follow up on issues found in audit
– Escalate issues not being properly dealt with by personnel
– Verify correction of issues as best as possible
Davis, Chris, Mike Schiller, and Kevin Wheeler. IT Auditing Using Controls to Protect Information Assets. 2nd ed. N.p.: McGraw Hill, n.d. Print.
Liang Yao says
Sean – Please remind me to discuss “Solution Development” part during the class.
Sean Patrick Walsh says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
COBIT was created by ISACA and is a collection of “best practices” in IT governance and control. ITIL was created by the UK government and is a set of standards for IT infrastructure management and service delivery. COBIT defines how all of a company’s IT activities should support the business function, and ITIL is a framework that is easily adopted by any business that uses IT.
Brou Marie Joelle Alexandra Adje says
Sean, you are right: COBIT is usually used by internal IT organizations, whereas ITIL can be used by any organization providing internal or external IT services.
Overall, I think the primary difference between these two frameworks is that COBIT is general and defines audit and compliance requirements for IT, as opposed to ITIL, which helps to define operational IT management processes.
Sean Patrick Walsh says
I felt like what little there was on both frameworks in the textbook really made it difficult for me to discern between the two. Thanks for clearing a little more up for me.
Yulun Song says
Good summary Sean! Both ITIL and COBIT provide guidance for the governance and management of IT related services. For larger companies, they prefer using both. Small companies prefer using ITIL because COBIT is complex.
Sean Patrick Walsh says
Why do we need control framework to guide IT auditing?
A control framework is the very basis for a business’s internal controls. Without this framework in place there would be no formalized control structure or standardization in the business. With a control framework in place, IT auditors know what processes have controls built into them, and how to determine whether the controls are effective or not. The framework also gives IT auditors a starting point to conduct audits and can give them insight into where controls should be added, strengthened, changed, or even removed for ineffective placement.
Deepali Kochhar says
I agree with you, Sean. A control framework will direct the IT audit towards the control environment of the organisation.
Just to add to your point, a control framework defines a RACI (responsible, accountable, consulted and informed) chart, which can help in identifying whether the authorized persons are being correctly associated with the processes or not during an IT audit.
Sean Patrick Walsh says
I’ve been inundated with so many different readings between all the classes I am taking. Was that chart in a reading/video, or is it something you learned working in the field?
Annamarie Filippone says
I don’t think it’s in any reading we’ve done for this class so far, but an example RACI chart can be found in ISACA’s Risk IT Framework. As Deepali said, it breaks down the different roles involved (Board, CEO, Business Process Owner, etc.) and determines their level of involvement in key activities by separating them into four categories:
1. Responsible: Those who must ensure that activities are successfully completed
2. Accountable: Those who own required resources and have authority to approve actions and accept the outcome of the activity.
3. Consulted: Those whose opinions are requested on an activity.
4. Informed: Those who are kept up to date on the progress of an activity.
Yu Ming Keung says
It is my first time learning about the RACI chart, and I believe it is a great tool to clearly identify roles and responsibilities during an audit. Actually, many organizations use it proactively when developing processes or project plans. I also learned that another benefit of a RACI chart is to accelerate delivery by avoiding unnecessary discussions and disagreements.
Where I found:
http://itsmtransition.com/2014/07/basic-raci-chart/
This website clearly explains how to develop a RACI chart and how it works.
Abhay V Kshirsagar says
Yu Ming,
Thank you for the link. A RACI chart or a RACI matrix prevents conflicts between team members. Team members are also not confused about responsibility as RACI clearly indicates what needs to be done and who must do it.
Studied this in my Project Management class in MIS.
Binu Anna Eapen says
I found this simple to understand RACI: http://itsmtransition.com/2014/07/basic-raci-chart/
Sean Patrick Walsh says
Thank you for the link!
Seunghyun (Daniel) Min says
Binu,
Thank you for the link. I found a simple, awesome chart on that site. Anyone, including myself, who is not familiar with the RACI matrix should take a moment to check that chart. It nicely simplifies how the RACI works by using the example of a family trip plan.
Deepali Kochhar says
Annamarie explained it in a great way. RACI is a responsibility assignment matrix, and it describes the participation of various roles in completing tasks and deliverables.
Liang Yao says
Correct. RACI is more from the management aspect than from audit. However, RACI can be used as a reference by auditors for project management audits.
Ian M. Johnson says
Sean – I agree. I think that the control framework, in its most basic form, is an organizational tool. I think it helps both the company and the auditor from that perspective. In order for the company to completely adopt the framework, the company must completely understand it to buy in and hold its employees accountable.
Liang Yao says
Leveraging the proper framework will also provide IT auditors with ammunition while laying out the audit findings…
Ming Hu says
Thanks for your sharing. I think the point is that a control framework directs IT auditors to conduct their auditing.
Yu Ming Keung says
Q1 & Q2
Explain the key IT audit phases
What are the key activities within each phase?
1. Planning
– Determine the objectives and scope of the audit in order to perform the audit
– Develop a series of steps to be executed in order to accomplish the audit’s objectives.
– Obtain a basic background and understanding of the area to be reviewed by conducting a preliminary survey of the area to be audited with the audit customers, to understand what the audit will entail, as well as reviewing pertinent documentation
– Engage with the audit customers to understand what areas they think should be reviewed and what their areas of concern are
– Develop a standard audit checklist to provide a useful head start
– Research
2. Fieldwork and documentation
– Acquire data and perform interviews to analyze the potential risks and determine which risks have not been mitigated appropriately
– Allow the next audit team to learn from the experience of the previous audit team => improvement and higher efficiency
3. Issue discovery and validation
– Develop a list of potential concerns to ensure all the issues are valid and relevant
– Discuss the potential issues with the audit customers to come to an agreement on the risks represented by those issues
4. Solution development
– Work with the audit customers to develop an action plan addressing each issue by one of the three approaches:
    i. The recommendation approach
    ii. The management-response approach
    iii. The solution approach
5. Report drafting and issuance
– The report represents the results / records of the audits, including what areas were audited
6. Issue tracking
– Develop a process to enable the follow-up on issues until they are resolved
Source: IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller
Yu Ming Keung says
COBIT (Control Objectives for Information and Related Technology)
ITIL (Information Technology Infrastructure Library)
Similarities:
Purpose:
Both frameworks provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
Differences:
Implementation:
ITIL
• Provides guidance to manage the IT services across their lifecycles:
    1. Service Strategy
    2. Service Design
    3. Service Transition
    4. Service Operation
    5. Continual Service Improvement
• Focuses more on ITSM
COBIT
• COBIT is broader than ITIL in its scope of coverage.
• Provides guidance to govern the Enterprise IT based on 5 IT principles and 7 qualities of information
5 principles:
    1. Meeting Stakeholder Needs
    2. Covering the Enterprise End-to-End
    3. Applying a Single, Integrated Framework
    4. Enabling a Holistic Approach
    5. Separating Governance from Management
7 Qualities:
    • Effectiveness
    • Efficiency
    • Confidentiality
    • Integrity
    • Availability
    • Compliance
    • Reliability
Origin:
COBIT
• Published in April 1996 by ISACA
ITIL
• Developed by the U.K. government in the mid-80s
Source:
“What Are the Connections & Differences between COBIT and ITIL?”
https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Week 2 Ppt – Frameworks, Standards and Regulations
Annamarie Filippone says
I agree with you Yu Ming that, while differing in levels of specificity, COBIT and ITIL have the same general purpose: to provide governance guidance. In addition, I like that you laid out the 5 stages in ITIL, as well as the 5 principles and 7 qualities from COBIT. Looking at them like this, I think it’s easier to understand how ITIL can be mapped to COBIT. An organization would want to ensure that all stages of ITIL are developed in a way that match the IT principles from COBIT, as well as its 7 important qualities.
Liang Yao says
Indeed, from the service delivery and support aspect, controls listed in both frameworks can be mapped, even though they may not be mapped one-to-one.
Mansi Paun says
Great comparison of ITIL & COBIT, Yu Ming. I really liked that you have summarized the key points of both the frameworks besides listing their similarities and differences.
Ming Hu says
Thanks for your sharing. I noticed that one of the differences you listed is “ITIL focuses more on ITSM”; it confused me because COBIT also focuses on ITSM, so what does that mean?
Deepali Kochhar says
Q3. Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
DIFFERENCES:
• COBIT is used for mapping IT PROCESSES, whereas ITIL is used for mapping IT SERVICE LEVEL MANAGEMENT
• ITIL talks about “HOW” to carry out processes such as delivery and support, whereas COBIT talks about “WHAT” should be achieved, such as process flow
• COBIT has 4 processes and 34 domains, whereas ITIL has 9 processes
• COBIT is issued by ISACA, whereas ITIL is issued by OGC
• COBIT is used for implementing Information System Audit, whereas ITIL is used to manage service level
• COBIT is used in accounting as well as IT consulting firms, whereas ITIL is used in IT consulting firms
SIMILARITIES:
• Both are used in Information Technology Service Management (ITSM)
• If used together, they provide guidance for the governance and management of IT-related services.
Sean Patrick Walsh says
Can you explain what the difference is between COBIT’s “mapping IT processes” and ITIL’s “mapping IT service level management”? When I was reading about both I was having trouble really understanding the difference.
Deepali Kochhar says
IT Processes include a series of steps that ensure that IT Services are provided in a focused manner.
They include:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Whereas IT Service Level Management is responsible for negotiating service level agreements with the customers in order to design services in accordance with the agreed service levels.
So the COBIT Framework is used to map all of the above-mentioned IT Processes so that they work in sync with each other, and ITIL is used to map IT Service Level Management, which includes managing service level agreements.
Mansi Paun says
Deepali, I’d like to add here that besides negotiating SLAs, measurement, reporting and analysis are also an integral part of IT Service Level Management.
Liang Yao says
Through mapping controls from COBIT domains, management can identify control gaps; and ITIL’s mapping of SLAs is to ensure that agreed service levels, whether they are internal or external, are clearly defined, measured and monitored.
Deepali Kochhar says
Q4. Why do we need a control framework to guide IT auditing?
• A control framework defines the base criteria for IT Auditing to look into the processes so as to make an assessment of their efficiency and effectiveness.
• Helps in determining whether they are being measured for effectiveness
• A control framework defines a Responsible, Accountable, Consulted, Informed (RACI) chart and will guide the IT Auditing process as to whether the authorized persons in the chart are in fact responsible, accountable, consulted and informed with regard to activities associated with the process
Annamarie Filippone says
Q1. Explain the key IT audit phases. AND Q2. What are the key activities within each phase?
1. Planning
-Determine scope by interviewing customers to understand area under audit and assessing risks that will be reviewed, as well as any existing internal controls.
-Coordinate with the customer to schedule when the audit will take place.
-Hold kickoff meeting to finalize the scope and to determine primary points of contact and status meeting preferences.
2. Fieldwork and Documentation
-Acquire data and perform interviews to analyze potential risks and mitigations.
-Independently validate effectiveness of the control environment.
-Document work in detail to support conclusions.
3. Issue Discovery and Validation
-Develop list of concerns discovered during fieldwork.
-Discuss potential issues with customer to ensure accuracy.
-Validate that issues are significant enough for report.
4. Solution Development
-Coordinate with customer to have action plan developed for issues, including determining who is responsible, as well as the due date.
5. Report Drafting and Issuance
-Write up report to include statement of audit scope, executive summary, list of issues and action plans, and other relevant material.
-Review with customers before issuance to ensure that they are in agreement.
-Issue report to appropriate parties (senior management, audit committee, etc.).
6. Issue Tracking
-Follow up on issues to ensure that action plans were carried out and can be closed.
-Escalate issues that are not being addressed as agreed to appropriate level of management.
Mansi Paun says
Great read, Annamarie! I’d like to grab this chance to ask you (since you have Audit Analyst experience) if you saw any major differences between the theoretical audit process flow and workings and real audits at the ground level.
Annamarie Filippone says
Hi Mansi,
In my experience, this is the exact workflow that we followed during our audits. The only difference is that instead of grouping it under 6 steps, my organization just had “Planning”, “Fieldwork and Documentation”, and “Reporting/Issue Tracking”. In our case, the steps “Issue Discovery and Validation” and “Solution Development” fell under the Fieldwork and Documentation phase.
At the end of each phase we had what was known as a Tollgate Meeting with audit senior management and the customers to share the key aspects of the phase and ensure that everyone was on the same page so we could move forward.
Annamarie Filippone says
Q3. Comparing ITIL and COBIT: list some key similarities and differences based on your understanding?
While COBIT and ITIL both help establish strong IT governance and can both be used by an organization, there are several differences. COBIT is much broader in scope, while ITIL focuses on IT service management. COBIT addresses “What” should be in place to ensure a strong IT environment, and ITIL answers “How” to implement. In addition, COBIT was developed by ISACA, while ITIL was a product from the UK government.
Liang Yao says
Correct. The trend for IT auditing is to adopt a risk-based approach, meaning leveraging the frameworks to identify “high risk” areas and develop the audit strategy/plan accordingly rather than cover all control objectives…we will discuss further in the class.
Paul Linkchorst says
Professor Yao,
You mentioned that IT auditors are now adopting a risk-based approach when developing audit strategies. While this is a way to reduce unnecessary testing, in my external IT audit experience, I have seen this be used as fodder for our clients. Clients have questioned seniors and managers as to why certain applications are in scope when they believe they don’t have a material impact. This is just an observation I have made, but it does seem to be one of the few downsides to adopting a risk-based approach, since now clients question why certain items are in scope or not.
Sean Patrick Walsh says
I really like your simplified and easily understandable difference between COBIT being the “what” to implement and ITIL being the “how” to implement. Would that suggest that they should both be used simultaneously to optimize the business’s IT deployment, or would it be more ideal to start with “what” to do and then move onto “how” to do it?
Binu Anna Eapen says
I guess these frameworks provide a standard to start with. So an organization may choose to follow ITIL alone or COBIT alone or both, or even modify them to establish a better framework meeting the business requirements. COBIT and ITIL are complementary and work hand in hand.
Liang Yao says
ITIL for management; IT auditors focus on COBIT: both deal with technology controls but from different views.
Mansi Paun says
Annamarie & Professor Yao,
I was curious to know if, in your experience, you have encountered any organization which has both COBIT and ITIL frameworks implemented, as so far I have only worked with clients that were following the ITIL methodology. Would you be able to share any insights from a cost perspective on implementing both frameworks?
Priya Prasad Pataskar says
I agree with your answer, Annamarie. What do you think companies’ approach would be towards getting both of the frameworks? Would they prefer to get COBIT implemented first, or ITIL?
I think they would try to adopt COBIT first, as it will help set up overall governance, and then go for ITIL.
However, each framework has a different positive impact on the organization. In terms of costing, they might have to choose which one to go for first.
What do you think?
Annamarie Filippone says
Yes Priya, I believe you and Sean are right by suggesting that COBIT should be implemented first. As you said, this allows the organization to set up its overall governance, which ITIL can then be mapped to. COBIT can shape the ITIL processes by linking them to business requirements and evaluate the success of implementation. I think this approach allows both frameworks to be utilized to the fullest extent by an organization.
Said Ouedraogo says
Both frameworks are complementary and mutually supportive, but I think it is easier to implement COBIT first because it’s the “what you need to do and why you need to do it” and then go for ITIL the “how to do it”.
I hope this makes sense.
Magaly Perez says
Said, I agree with your comment. They are indeed both complementary, but the use of COBIT first would most definitely make more sense, especially since COBIT does generalize and describe the compliance requirements and auditing, whereas ITIL allows the IT management to strengthen its controls to combat any issues they face.
Deepali Kochhar says
Priya,
I think adoption of both is necessary depending on the need of the organisation. They both fulfill different needs and therefore we cannot prioritize the implementation of one after the other. Together they both will serve different segments in an organisation. If an organisation wants to align its IT processes, they will adopt COBIT and for IT service management , they would need ITIL.
Annamarie Filippone says
Q4. Why do we need a control framework to guide IT auditing?
A control framework helps guide IT audit by providing 5 components to assess the effectiveness of procedures and policies:
-Control Environment: sets the tone of the organization and provides the foundation for all other internal control components.
-Risk Assessment: identifies relevant risks to achievement of objectives, and forms basis for risk management.
-Control Activities: actions taken to mitigate risks identified with the risk assessment.
-Information and Communication: important information must be identified and communicated across the organization, in all directions.
-Monitoring: process that assesses the quality of a system’s performance over time to ensure that deficiencies are captured and reported as necessary.
Magaly Perez says
Explain the key IT audit phases: What are the key activities within each phase?
Planning: The auditor should understand the environment and infrastructure of the organization or company. By doing so they are able to assess what kind of documentation they need.
Fieldwork and Documentation: The auditor makes an effort to understand what kinds of documentation they should focus on, as well as interviewing employees in different departments of the organization; this ensures their understanding of its general practices and processes. EX: previous audits / preliminary statements. Additionally, it allows them to plan the scope of the audit to determine the objective of the audit.
Issue Discussion and Validation / Remediation Actions Development: This step allows the auditor to evaluate the logistics of the company, while taking into account the organization’s internal processes.
– The auditor will reveal their findings to management. The goal is to communicate and validate the audit findings, acquire permission to resolve the audit finding, and use the proposed resolution to develop an Action Plan that management can commit to.
Reporting: The auditor reports their findings to the Audit Committee.
Issue Tracking: The auditor follows up with regard to observations and action plans contained within the report to ensure appropriate mitigating activity is being implemented.
Magaly Perez says
Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
ITIL 5 stages in service:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
Differences: the stages v. principles when it comes to IT service management
– ITIL provides the ‘how’ to carry on processes in delivery and support; however, it is limited in security and systems development
– COBIT provides the ‘why’ on what should be achieved in the process flows, in order to achieve effective governance, management and control.
– COBIT is broader than ITIL in its choice of breakdown, and ITIL focuses on and offers more detailed guidance when it comes to IT service management.
Similarities: Both provide guidance, yet if put together, they become a very powerful model of what you need to be doing and how you need to be doing it when it comes to providing effective governance, management and control.
Magaly Perez says
Why do we need a control framework to guide IT auditing?
A control framework helps provide guidance to IT auditors.
The 5 components used to assess the effectiveness of procedures and policies are as follows:
– Control Environment: By establishing a control environment, it ensures the IT auditors’ dominance, by allowing them to set the tone of the organization while providing the groundwork for all other internal control components.
– Risk Assessment: Helps identify the issues, risks and potential risks at hand in order to proactively maintain the organization’s objectives.
– Control Activities: Actions in which policies, procedures and structure are implemented in order to mitigate the risks identified.
– Information and Communication: Communication and information must be readily available to all sectors of the organization, in order to ensure compliance and prevent potential issues.
– Monitoring: Allows the IT auditors the ability to gauge their internal controls, by monitoring their effectiveness, functionality and deficits that may occur.
Fred Zajac says
Laly,
Great examples of the components used to assist the auditors. The component example I liked the most was the Risk Assessment.
This is why IT Audits are an important business risk for any company with sensitive information and more importantly, employees who are in a position to jeopardize the entire company.
Brou Marie Joelle Alexandra Adje says
Risk assessment is indeed a major component of a control framework. It is the basis of any type of audit. The audit team is responsible for overseeing the risks and addressing them. If the auditors cannot clearly identify the concerns they face, they cannot do their job properly.
Magaly Perez says
Thanks for your input, Fred and Alex! I 100% agree with both of you: without the risk assessment aspect of the IT audit process, the whole audit would not have a foundation. The risks are the key concerns for the auditor; as you mentioned, Alex, if they can’t identify the risks, then they cannot do their job!
Liang Yao says
You are all on top of it – Risk Assessment is one of the key audit steps.
Wenlin Zhou says
I agree with you. A risk assessment is the identification and analysis of relevant risks to the achievement of an organization’s objectives to determine how those risks should be managed. Risk assessment implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from being attained. In other words, it is an analysis of what could go wrong.
Fangzhou Hou says
Yes Magaly, I agree with what you said about monitoring. Indeed, monitoring can enhance the effectiveness of internal controls and mitigate the possibility of risks occurring and damaging the organization’s assets. But on the other hand, monitoring is sometimes costly and time-consuming. Therefore, in my opinion, the management needs to balance the effectiveness of the internal control system and the financial situation, because the shareholders may worry about the company spending too much money on the ICS.
Said Ouedraogo says
Explain the key IT audit phases
What are the key activities within each phase?
∗ Planning
– Determine the objectives and scope of the audit
– Develop steps to be executed in order to accomplish objectives
– Interview with the customer
– Research and scheduling
∗ Fieldwork and Documentation
– Perform interviews and analyze data to find potential risks
– Determine which risks have not been mitigated appropriately
– Validate independently the information provided and the effectiveness of the control environment
– Document work
∗ Issue Discussion and Validation
– Establish a list of potential issues
– Discuss potential issues with the customer
– Confirm the risk presented by the issue is significant enough to be worth reporting and addressing
∗ Solution Development
– Work with customer to develop an action plan
∗ Reporting
– Draft audit report
– Review and issue report
∗ Issue Tracking
– Track and follow up on issues until they are resolved
Source: IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller
Priya Prasad Pataskar says
Nice post Said! When I studied the phases in detail I realized that the Reporting phase and drafting the report can actually take a lot of time. Collating data right from the first phase of the audit and documenting all findings will be the most important. There could be a point while drafting the report that you realize that you need to validate something or need more facts to put the point on the report. If a finding needs to be revisited in case some facts are missing, do we go back to the “Field and Documentation” phase? Are these phases iterative in any way? Do you get a chance to go back and revisit a domain? What do you think Said?
Said Ouedraogo says
Priya,
In my opinion, the auditor should go back to the “Field and Documentation” phase if a finding needs to be revisited. In that case he/she can reanalyze the data and hopefully find what is missing. And I also think he/she always has a chance to revisit a domain before issuing the report. In fact, the whole point of the audit is to review the company data and find potential risks. The auditor should not report something in his/her final draft if there are missing facts, and should be able to go back in the process to clarify the missing facts.
Liang Yao says
Priya – You raised some interesting questions here. I would like to discuss those questions during the class. Would you please bring it up on Wednesday? Thx.
Ian M. Johnson says
For solution development, I agree that the auditor works with the audited in most cases. Do you think that it is the audited or auditor’s responsibility to come up with a plan to fix the problems identified in the audit? Does it depend on each company’s unique situation? Or does it cost more for the auditor to come up with a plan? Does the auditor even know enough about the company, its culture, and change strategies to make a plan?
Wenlin Zhou says
Hello Ian,
I think the auditor cannot make the plan, because the internal audit just tests the plan and provides the recommendation. The scope of an audit depends on the goals. The basic approach to performing a security assessment is to gather information about the targeted organization, research security recommendations and alerts for the platform, test to confirm exposures and write a risk analysis report.
Said Ouedraogo says
COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises. COBIT is broader than ITIL in its scope of coverage; it includes seven qualities of information (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance and Reliability). ITIL provides best practices describing how to plan, design and implement effective service management capabilities.
In other words, COBIT provides standards for good practice of IT controls and ITIL provides the vehicle to implement those standards. However, both are complementary to each other.
Source:
https://blogs.technet.microsoft.com/cdnitmanagers/2014/04/06/cobit-versus-itil/
Slide deck
Fred Zajac says
Explain the key IT audit phases & Key activities
The IT audit phases are a broad generalization of many different possible procedures. The book mentions, “One of the most important tasks of the internal audit department is determining what to audit.” Audits are very expensive and take time to complete. This is why it is important to prioritize what needs to be audited by creating an “Audit” Universe, identifying Centralized IT Functions (those that are collectively performing a function), Decentralized IT Functions (stand-alone functions), Business Applications (software), and the specific IT functions that may require Regulatory Compliance by a governing board. Separating the Centralized and Decentralized functions will allow you to allocate the required resources to accomplish a successful audit.
Once the decision is made as to what to audit, you can begin the steps to a successful audit. These steps include:
Planning
Determine the objectives and scope of the audit. The planning process should be the responsibility of the audit team. The audit manager shouldn’t be a part of the audit team, but should provide the resources to the team because the planning process requires referenced research. A structured and detailed assessment should be created for the areas being reviewed. The team should survey the area and employees to understand what will be included in the plan and to get the employees involved with the audit. They may be helpful in understanding the true environment. It is important to motivate the audit team and maintain a schedule by keeping everyone active, from the kick-off meeting to the solutions implemented.
Fieldwork and documentation
The fieldwork and documentation phase is where the hands-on work occurs. The hands-on visuals will give validation to the planning and research the team completed. Documentation is important and should include what you did, what you found, and your conclusion.
Issue discovery and issue validation
Issue discovery and validation will document the good things and bad things with the audit process. Transparency is important during this process to assure the proper process is taking place and validate the issues.
Solution development
Solution is the technique used to handle the issues the audit concluded. The book mentions 3 solution approaches.
The Recommendation Approach – A common approach, where the auditors relay the issues and recommendations to the customers.
The Management-Response Approach – Where the auditors list the issues but let the customer decide on the solution.
The Solution Approach – Where the auditors list the issues and a mutually agreed upon solution is implemented.
Report drafting and issuance
This stage documents the results of the audit. It tells the customers what was audited, the results, and the action plans. It gives the management and the audit committee a “report card” on the audited area.
Issue tracking
Now that you have built the plan, you must maintain a healthy environment. The issue tracking process is when you remain proactive with the audit plan. If the plan is not being performed to the specifications, the auditor should escalate any issues with the plan and document the findings. Escalation is a last resort and should only occur in cases when the tasks cannot be performed for a specific reason.
Liang Yao says
How do you effectively identify IT Audit Universe and Audit Entities within an organization?
Fred Zajac says
Prof. Yao,
You would rank all the possible areas that may be audited. You would look at the Centralized and Decentralized areas to determine priorities.
A great way to do this is to meet with the IT managers and/or any other employees who are involved in the IT Universe. It is important to note there may be an overlap between the IT audit universe and a financial audit. Make sure you put the audit entities in the proper audit universe. Example: How software 123 makes/saves money may be in the financial audit universe. Another overlap may be compliance requirements, which may be included in the IT universe.
Understanding what items are included in the IT universe and ranking them based on risk and value will help with a successful audit.
Binu Anna Eapen says
Audit universe can be centralized and decentralized IT functions, Business Application or regulatory compliance. Learn from the IT manager how the responsibilities are divided and learn about the existing known issues. Check if there could be any inherent risk. Understand the benefits of doing an audit in that area and how it can benefit the organization.
Fred Zajac says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL – Information Technology Infrastructure Library
COBIT – Control Objective for Information and related Technology
Similarities between ITIL & COBIT
Both are considered best-practices for IT service management
Creates goals for the organization and measurement procedures
Shows if the organization meets or exceeds a controlled IT environment.
Differences between ITIL & COBIT
ITIL describes HOW to deliver and support the IT processes but limited in security and system development
COBIT describes WHAT should be done to attain effective governance, management and control.
ITIL & COBIT are complementary. Using both ITIL & COBIT at an organization will provide:
Alignment of IT environment for company and customers
Clear ownership and understanding of IT
Both are acceptable with regulators
Better decision making abilities
Fred Zajac says
Forgot to add reference link
http://isacasfl.org/wp-content/uploads/2014/02/Elevate-Consulting-ITIL-and-COBIT-Explained.pdf
Yu Ming Keung says
Nice post Fred,
I like how you list the benefits if an organization does follow both the frameworks. COBIT and ITIL provide a top-to-bottom approach to IT governance and control. According to ISACA, COBIT guides management’s priorities and objectives within a holistic and complete approach to a full range of IT activities. ITIL supports this with best practices for service management. When used together, the power of both approaches is amplified, with a greater likelihood of management support and direction, and a more cost-effective use of implementation resources.
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/COBIT-Mapping-Mapping-of-ITIL-V3-With-COBIT-4-11.aspx
Said Ouedraogo says
Why do we need control framework to guide IT auditing?
By definition a control framework is “a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk”. That being said, a control framework guides the auditor throughout the auditing process and provides him/her with a model he/she can use to conform to compliance regulations.
Fangzhou Hou says
I agree with your point that a control framework can minimize the risks and add business value to an organization by establishing effective practices and procedures. According to the expanded COSO cube, objective setting and event identification are effective in enterprise risk management. By setting proper objectives, the entity’s mission can be supported by chosen objectives, which improve the business value of the organization. Event identification focuses on the internal and external events which may affect the achievement of the organization’s objectives; this can mitigate the event-related risks.
Vu Do says
Agreed Said, control frameworks are like the rules the auditors must follow when doing their work. A control framework sets up the data structure within the organization, like you said, and the auditor must follow this guide when conducting their audit to make sure they are following the rules and regulations. Doing so will minimize the risk of error and help ensure that everything is done accordingly.
Binu Anna Eapen says
Q Explain the key IT audit phases
Ans: 1. Planning: Need to plan what needs to be reviewed. Proper planning helps in successful audits. Here the objective and scope of the audit is defined.
2. Fieldwork and Documentation: What has been planned is taken into action.
3. Issue discovery and validation: Check if the risk is worth addressing and validate the information collected.
4. Solution Development: Create an action plan to address the issues
5. Report drafting and issuance: Draft the audit report and distribute it to the customer
6. Issue tracking: See how far has the solution been implemented. If not, why not? Escalate if necessary or make changes as necessary.
Source: Chapter 2, IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller with Kevin Wheeler
Binu Anna Eapen says
Q. What are the key activities within each phase?
Activities within each phase:
1. Planning :
– Collect necessary information like the key contacts for audit from the audit manager.
– Take preliminary survey of the area to be audited.
– Take feedback and inputs from the audit customers.
– Make sure there is a standard checklist
– Research on the area of audit
– Assess the risks and document them
– Schedule the audit in cooperation with the customers
– Kickoff meeting to communicate what is in scope and out of scope and to receive final inputs.
2. Fieldwork and Documentation:
– Acquire data and perform interviews
– Validate the information provided and the effectiveness of the environment
– Document the work
3. Issue discovery and validation:
– Check if the issues are valid and relevant
– Discuss potential issues with the customer.
– Check if the issue is a risk and if it is worth reporting
4. Solution Development:
– Create an action plan
– Define who is responsible and due date to be completed
– Keep the management informed
5. Report drafting and issuance:
– Draft the report
– Distribute the report
6. Issue tracking
– Develop a process to track and follow up till the issue is resolved.
– Initiate escalation procedures if issues are not addressed.
Source: Chapter 2, IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller with Kevin Wheeler
Abhay V Kshirsagar says
Explain the key IT audit phases.
What are the key activities within each phase?
Following are the stages of an Audit with their key activities:
1) Planning
– Determine what you plan to review
– Set up an audit team
– Determine objectives and scope of the audit
– Audit manager provides the audit team with key contacts for the audit
– Perform preliminary survey
– Obtain customer’s input (what areas customers are concerned about)
– Standard audit checklists for the area being reviewed
– Research and consideration for each audit
– Risk assessment of risks in the audit area (understanding of business purpose of the area to be audited and risks associated with that purpose)
– Scheduling the audit (when the audit will take place)
– Kickoff meeting
2) Fieldwork and Documentation
– Acquire data and conduct interviews
– Document work (tell a story with enough detail, so that the reasonably informed person can understand)
3) Issue Discovery and Validation
– Validate facts and risk(s) presented by the issue
– Are the risk(s) significant to the company? Yes? Discuss potential issues with customers
4) Solution Development
– Address Audit Issues using The Recommendation Approach/ Management-Response Approach/ The Solution Approach
– Finalize how the action plan must be in the audit report
5) Report Drafting and Issuance
– Draft the audit report (it’s like a report card)
– State the audit scope
– Draft an executive summary
– List issues and action plans
– Distribute the audit report to customers for review before issuing it to the senior management
6) Issue Tracking
– Follow up on the issues
– Initiate escalation procedures where needed
Source: Chapter 2, IT Auditing by Chris Davis and Mike Schiller
Abhay V Kshirsagar says
COBIT vs ITIL
COBIT is for IT GRC and Management, whereas ITIL is a framework for IT Service Delivery.
COBIT offers control objectives at a broad level guiding enterprises on the implementation, operation and improvement of their arrangements that are related to enterprise IT governance. ITIL framework should be seen as a way to manage the IT services across their lifecycle.
COBIT focuses on enablers and principles surrounding an enterprise in meeting stakeholder needs related to IT assets. On the other hand, ITIL explains service management enablers in more detail.
And as most of my peers rightly said, and I would like to reiterate that: COBIT provides the “why” and ITIL provides the “How”
Source: http://www.carrtegra.com/blog/cobit-vs-itil
Abhay V Kshirsagar says
Why do we need control framework to guide IT auditing?
An organization needs a control framework to have practices and procedures that are established to generate business value and minimize risk, and to ensure compliance with government requirements or industry guidelines. It is a structured and well documented process that allows managers to show that they have adequate controls in place.
Key characteristics that are a part of various control frameworks are risk assessment initiatives like setting objectives, event identification and development of response plans. In addition, a monitoring element called control activities is often included.
Source: http://searchcompliance.techtarget.com/definition/control-framework
Binu Anna Eapen says
3. Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL: Developed by UK Office of Government Commerce
It is a framework which helps us to understand how to achieve successful operational service management of IT and includes business value delivery.
COBIT 5: Developed by ISACA
It is a framework to ensure that IT is aligned with the business, IT enables business and maximizes benefits, IT resources are used properly and risk is managed properly.
COBIT and ITIL are complementary frameworks where COBIT describes what IT should be doing and ITIL describes how to do it. Both of them describe processes that should be established for the enterprise to run smoothly and can be used by any type or size of organization.
COBIT vs ITIL
1. COBIT has a business perspective and focuses more on IT audit and compliance and what IT can do to benefit business whereas ITIL has IT perspective and focuses more on the IT process and operational service management.
2. COBIT is used by the internal IT organization of large enterprises whereas ITIL is used by any organization providing internal or external IT services.
3. This deals with governance and management of IT processes whereas ITIL deals with implementation of IT processes.
Source: 26th Edition CISA Review manual
Yu Ming Keung says
I agree with you Yulun, and I especially like how you compare COBIT and ITIL in three ways.
Both frameworks have different perspectives but actually they are complementary. By implementing both frameworks, the organization can maximize its IT controls, solve business problems and support business goal achievement.
Yulun Song says
Explain the key IT audit phases
What are the key activities within each phase?
1) Planning
– Establish an understanding with their client, which allows each party to know the nature of services to be provided and the responsibilities
– Develop an overall audit strategy, and audit plan, and an audit program
– Audit manager provides the audit team with key contacts for the audit
– Determine preliminary assessment of risks in the area
– Have a standard checklist to perform risk assessment prior to each audit
– Obtain additional information about the area being audited
2) Fieldwork and documentation
– Collect data and information and perform interviews to analyze the potential risks and determine mitigated risks
– Perform independent validation and understand the value of healthy skepticism
– Develop checklists as to what plan to review
3) Issue discovery and validation
– Develop a list of potential concerns and issues
– Review systems for compliance with the company’s internal IT security policies
4) Solution development
– Raise issues and provide recommendations
– Discuss with client and determine who is responsible and due date of completion
5) Report drafting and issuance
– Include: statement of the audit scope, executive summary and list of issues, with action plans for resolving them
– Distribute the report to senior management and audit committee
6) Issue tracking
– Develop a process to track and follow up on issues until they are resolved
– Initiate escalation procedures for those issues not addressed
Yu Ming Keung says
Why do we need control framework to guide IT auditing?
1. Help implement IT governance, and enterprises
2. Risk assessment to identify risks
3. Risk response, control activities to mitigate or transfer risk
4. Event identification to further investigate
5. Monitoring – continuous monitoring / maintenance after an event to ensure the control is effective and efficient within an organization
Yulun Song says
Thanks for listing the COSO framework. In addition, COBIT and ITIL are also used generally. COBIT is complex to be used in larger companies whereas ITIL is used in small companies. However, larger companies prefer using both.
Fred Zajac says
We need control framework to “provide guidelines for the management and evaluation of IT processes”. (Chapter 16, textbook)
The Committee of Sponsoring Organizations (COSO) was created in the 80’s to oversee the accounting and auditing process for organizations. They published Internal Control – Integrated Framework, the first guide for an internal control framework, in 1992. In response to SOX, COSO published Enterprise Risk Management – Integrated Framework, its second guide, to identify organizational risk factors.
The Internal Control – Integrated Framework guide stated two controls for the IT infrastructure. The first controls are “General Computer Controls”, focusing on the IT management, infrastructure, security, and software acquisition.
The second are “Application Controls”, focusing on the software used and how to control completeness, accuracy, and validity of information. The standards mentioned by COSO evolved into a separate standard called, COBIT.
COBIT (Control Objectives for Information and Related Technology) is the most recognized framework for IT governance and control. They are up to version 4.1, which was released in 2007 (Chapter 16, Textbook, COBIT). Since then, other frameworks have been published, including ISO 27001, NSA INFOSEC, and ITIL (Information Technology Infrastructure Library).
COBIT is currently working on version 5.0 and will continue to update the Framework because Information Technology is a great business tool for several different tasks. Some of those tasks for good, but also for fraud.
Brou Marie Joelle Alexandra Adje says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding.
Similarities:
Both are used for IT services
Both enable organizations to achieve their key objectives including ensuring effective IT governance and controls
Differences:
COBIT is an IT governance model
ITIL is a service management framework
COBIT has 4 processes, 34 domains
ITIL has 9 processes
COBIT is broader than ITIL. It is based on five principles (meeting stakeholder needs; covering the enterprise end to end; applying a single, integrated framework; enabling a holistic approach; and separating governance from management) and seven enablers (principles, policies and frameworks; processes; organizational structures; culture, ethics and behavior; information; services, infrastructure and applications; people, skills and competencies).
ITIL focuses on ITSM and provides much more in-depth guidance in this area, addressing five stages of the service life cycle: service strategy, service design, service transition, service operation and continual service improvement.
In fact, COBIT tells organizations what they need to do to meet their IT challenges (Standards for good practice of IT controls)
ITIL tells them how they should do it (plan, design and implement effective service management capabilities)
However both frameworks are complementary and work together to provide guidance for the governance and management of IT-related services.
Source: ISACA
Binu Anna Eapen says
4 Why do we need control framework to guide IT auditing?
A control framework will ensure that the risks are being addressed appropriately and the company’s directives/objectives are carried out in a cost effective way maximizing returns with the available resources. A framework provides guideline for the management and evaluation of the IT processes in place. A strong control framework would mean that the IT management is serious about the overall control environment.
COSO and other frameworks that were developed as a result of the financial bankruptcies and financial collapses were mainly focused on the financial audit, and the framework was designed on that. But soon, with the growth in technology and IT becoming an integral part of any business, it became necessary that we have controls enabled for IT to mitigate the risks involved in a data breach or to control confidentiality, integrity, availability and reliability of the data and the proper functioning of systems, applications, databases, etc., and for minimizing the cost and risks involved. We now have COBIT, ITIL and some other frameworks which align IT with the business needs and objectives.
Wenlin Zhou says
Explain the key IT audit phases
COBIT v4.1:
Part 1: Plan and Organize (PO) - controls that help IT enable and protect business objectives. PO includes defining a strategic IT plan, and defining an information architecture.
Part 2: Acquire and Implement (AI) - controls that are tasked with converting the strategy and tactics from PO into new and changed IT services that are then integrated with the business, such as identifying automated solutions, and acquiring application software.
Part 3: Deliver and Support (DS) - controls involving the actual delivery and operations of IT services such as defining and managing service levels, and managing third-party services.
Part 4: Monitor and Evaluate (ME) - controls that are used to assess the performance of IT processes such as monitoring and evaluating IT performance and internal control.
Ian M. Johnson says
Part 3 doesn’t mention the customer. At what point are they involved with this step? Is part 3 more of a recommendation and then it is up to the customer to decide what is within their scope/budget to implement?
Wenlin Zhou says
The Deliver and Support domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place for information security?
Abhay V Kshirsagar says
Yes, even I think customer input is important. Customers can give you vital information, like, what areas do they think are more crucial and are needed to be audited more carefully.
Wen Ting Lu says
Hi, Abhay
I agree with you that customer input is important. Auditors should discuss potential issues with the customers immediately. Also, they should work together to come up with action plans to resolve potential issues.
Said Ouedraogo says
In fact, it is better if both the customer and the auditor work together. Since, it is the auditor who found the issues, his/her point of view on how to solve them can be really helpful. Based on that the customer can develop an action plan.
Liang Yao says
IT audit processes are actually not defined in COBIT… The IT audit process is in Chapter 2 of the text book.
Wenlin Zhou says
An audit has six key stages:
Planning: The goal of the planning process is to determine the objectives and scope of the audit. You need to determine just what it is you’re trying to accomplish with the review. Following are some basic sources that should be referenced as part of each audit’s planning process:
• Hand-off from the audit manager
• Preliminary survey
• Customer requests
• Standard checklists
• Research
Fieldwork and Documentation: when the audit steps created during the preceding stage are executed by the audit team. The goal should be to document the work in enough detail so that a reasonably informed person can understand what was done and arrive at the same conclusions as the auditor.
Issue Discovery and Validation: auditors will develop a list of potential concerns. Auditors should discuss potential issues with the customers as soon as possible.
Solution Development: Three common approaches are used for developing and assigning action items for addressing audit issues:
• The recommendation approach
• The management-response approach
• The solution approach
Report Drafting and Issuance: For you and the audit customers, it serves as a record of the audit, its results, and the resulting action plans. For senior management and the audit committee, it serves as a “report card” on the area that was audited.
Issue Tracking: Develop a process to track and follow up on issues until they are resolved.
Wenlin Zhou says
What are the key activities within each phase?
COBIT v.4.1
1. Plan and Organize:
a) Define a strategic IT plan
b) Define an information architecture
2. Acquire and Implement
a) Identify automated solutions
b) Acquire and maintain application software
3. Deliver and Support
a) Define and manage service levels
b) Manage third-party services
4. Monitor and Evaluate
a) Monitor and evaluate IT performance
b) Monitor and evaluate internal control
Liang Yao says
Those are NOT the audit process…please refer to Chapter 2 of the IT auditing book…
Wenlin Zhou says
Hi, Professor,
I thought IT auditing used COBIT to audit. Why is COBIT not the audit process? I will change my answer.
Wenlin Zhou says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL: Information Technology Infrastructure Library framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels.
(Source: http://searchdatacenter.techtarget.com/definition/ITIL)
COBIT, Control Objectives for Information and Related Technology, is a controls framework that personnel tasked with the management of controls and processes can leverage.
Similarities: COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises. Both of them are frameworks.
Differences: ITIL could be seen as the way to manage the IT services across their lifecycle, while COBIT is about how to govern Enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing the risks and the resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
Source: https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Wenlin Zhou says
Why do we need control framework to guide IT auditing?
IT organizations seeking to better manage risks and have more predictable enablement of the business will benefit from better understanding controls and how to embed them in processes. Those frameworks can guide IT auditing to mitigate risk and realize the business benefit. The framework can avoid multiple overlapping controls, which would lead to high cost. The framework can help IT auditors understand how effective and efficient controls are.
Brou Marie Joelle Alexandra Adje says
Explain the key IT audit phases:
1) Planning: gather enough background information and determine the objectives and scope of the audit.
The audit manager shares the reasons for the audit with the team, which can create a preliminary survey and/or contact the customer for more information. The audit team also does a risk assessment prior to the audit and creates a useful checklist of what will be reviewed. Then they determine with the customers when the audit will take place.
2) Fieldwork and Documentation
The audit team acquires data and performs interviews to validate the information provided in phase 1 and develop a list of potential concerns. The audit team also carefully documents each step of the process in a way that the customer will understand.
3) Issue Discovery and Validation
The auditor discusses potential issues found in phase 2 with the customers. This will allow them to validate the accuracy of their findings and determine whether or not the risk is significant for the company and is worth reporting.
4) Solution Development
Work with your customers to develop an action plan for addressing each issue found and validated in previous phases using different approaches:
• The recommendation approach (the auditor raises the issue, provides a recommendation and submits it to the customers, who decide on the action plan)
• The management-response approach (the auditor develops a list of issues with or without recommendations and then throws them to the customers for their response and action plans to be included in the report)
• The solution approach (the auditor works with the customers to develop a solution that represents a mutually developed and agreed-upon action plan for addressing the issues raised during the audit)
5) Report Drafting and Issuance
The audit team drafts the audit report, which should include:
• Statement of the audit scope (what was included and what was not included and why)
• Executive summary to summarize the key points of the report
• List of issues, along with action plans for resolving them
And then issues the report after it has been reviewed by the customers.
6) Issue Tracking
The audit team tracks and follows up on issues until they are solved because “issuing an audit report adds no value to the company unless it results in action being taken”
Brou Marie Joelle Alexandra Adje says
What are the key activities within each phase?
Phase 1 key activity: risk assessment and checklist
The audit team needs to understand what the audit will entail, which areas will be reviewed before doing anything.
Phase 2 key activity is: documentation
It is needed to meet the standards of the profession.
It is crucial that documentation exists to explain the auditing process and substantiate the conclusions, especially in the future or in the event previous audit results are challenged.
It is helpful for a new audit team to have detailed documentation to learn from the experience of the previous audit team
Phase 3 key activity is: discussing risks found with customers to allow the audit process to be quick and avoid debating the issues at the end of the audit.
Phase 4 key activity: establish who is responsible for executing the action plans and the due dates by which they will be completed. This provides accountability and a basis for the auditors’ follow-up.
Phase 5: drafting the report, making sure that customers review it before issuance because customers should be comfortable with and in agreement with what’s in the report.
Phase 6: maintaining a database containing all audit points and their due dates, along with a mechanism for marking them as closed, overdue, and so on. Without such a process it would be challenging to track the issues.
Wen Ting Lu says
Q: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
A:
Similarities: Both ITIL and COBIT are used by enterprises and IT professionals who need to address business needs in the ITSM area. These two frameworks complement one another.
Differences:
• ITIL was issued by OGC; it focuses on the internal IT functions of an organization. COBIT was issued by ISACA; it focuses on defining the audit and compliance requirements.
• ITIL describes HOW to do it; COBIT describes WHAT should be done.
• COBIT has a broader scope of coverage compared with ITIL. It has its own set of five principles:
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single, integrated framework
4. Enabling a holistic approach
5. Separating governance from management
• ITIL focuses on ITSM and provides much more in-depth guidance in this area, addressing five stages of the service life cycle:
1. Service strategy
2. Service design
3. Service transition
4. Service operation
5. Continual service improvement.
Source: https://burcubuketsimsek.wordpress.com/2016/03/03/interactions-in-between-itil-cobit-iso27001/
Yulun Song says
Good summary Wenting. COBIT also has seven enablers.
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Yang Li Kang says
Explain the key IT audit phases
1) Planning
Before starting an audit, it is important to plan the entire audit to ensure it is executed effectively. The objective and scope of the audit should be determined so there is a clearly defined direction in which the audit should head without being side-tracked partway through the audit.
2) Fieldwork and documentation
The audit team will execute the audit steps that were planned and document what was done, what was found and its conclusion.
3) Issue discovery and validation
Once the fieldwork is done, the audit team should develop a list of potential concerns and address them with the client to determine which should be prioritized.
4) Solution development
Once the list of potential concerns is prioritized, the audit team and client should collaborate to develop a plan to address each concern.
5) Report drafting and issuance
A report of essentially all the prior steps, documented in detail, is drafted. The report is then reviewed by the customer first before issuing it to senior management.
6) Issue tracking
Once the audit is actually done, it is important to follow-up on the solutions implemented to ensure that the issues have been addressed well enough.
Yang Li Kang says
What are the key activities within each phase?
1) Planning
-The request of an audit will be given to the audit manager.
-The audit team will conduct a preliminary survey of the department that requested the audit to have a deeper understanding of the functions and systems being reviewed.
-Consult with the client to receive their input on what they believe their issue is and what their primary areas of concern are.
-Running through the standard IT audit checklist
-Conduct additional research for information about the area being audited.
-Assess the risk area being reviewed to determine the steps needed to accomplish the audit.
-Scheduling the actual audit at a time convenient for both parties.
-Final consultation with the client about the planned audit to receive their final input about the audit.
2) Fieldwork and Documentation
-The auditor will execute the audit steps planned and perform independent tests.
-Proper documentation of what was done, what was found and what was concluded.
3) Issue discovery and validation
-Develop a list of potential concerns.
-Consult with the client about concerns that the auditor may find to be of high risk to the client.
4) Solutions development
-The IT audit team and client should work together to develop an action plan to address each concern.
5) Report drafting and issuance
-A detailed report of the audit plan, what was done, issues discovered and actions taken to address those issues is drafted.
-The report is then reviewed by the client before issuing to senior management.
6) Issue Tracking
-Track and follow up with the client after a pre-determined date to ensure that the solutions implemented addressed the concerns.
-If unsuccessful, the audit team will have to determine if a minor or major secondary solution is needed or if the issue should be escalated to top management.
Brou Marie Joelle Alexandra Adje says
Why do we need control framework to guide IT auditing?
We need control frameworks to guide IT auditing in order to:
Identify and minimize risk
Contribute to business value
Set the criteria for the IT auditing process
Ensure compliance
Easily monitor performance
Jaspreet K. Badesha says
Very good points. I feel like following pre-set frameworks is easy, efficient, and cost effective. These frameworks almost ensure that you are in compliance within your industry and company.
Deepali Kochhar says
Just to add to your point Jaspreet, it also helps in doing Gap Analysis of what is and what has to be done.
Vu Do says
Great list, I liked how you put risk at the top. When conducting an audit, it is important to be sure that there are procedures in place to safeguard against threats. You do not want to be conducting an audit and then have your system get hacked by an outside source due to no procedures being in place to prevent attacks. A control framework establishes data structures to help guide the auditor through their process smoothly, minimizing any risk from occurring.
Yang Li Kang says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
COBIT and ITIL are both tools and guidelines that should be used by organizations to govern and manage IT-related services.
The distinction between COBIT and ITIL is that COBIT focuses more on how to govern the use of IT in order to add value to the business while optimizing the risk vs resource ratio. ITIL on the other hand focuses more on the actual use of IT-related services in business functions and processes.
Yang Li Kang says
Why do we need control framework to guide IT auditing?
A control framework is needed to ensure a uniform, thorough audit is performed by all IT auditors in all organizations. A framework is established to adhere to compliance and optimized to be effective. A framework creates a standard of IT governance that all organizations should meet in order to reduce risk related to the IT infrastructures used by organizations.
Joshua Tarlow says
Why do we need control framework to guide IT auditing?
A control framework provides a resource of accepted practices for IT auditors. Well-known frameworks also provide a common language and set of practices. The initial goal was for public companies to self-regulate and reduce government regulation. Companies can use existing frameworks, and then build on those to improve future frameworks. Common frameworks reduce the resources a company uses to establish its own, increasing adoption rates.
Binu Anna Eapen says
Well said. Having a well-defined framework can act as a platform to build on, thus reducing the cost and effort of having to start from scratch every time.
Yulun Song says
Q3: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding.
Similarities: they both provide guidance for the governance and management of IT-related services by enterprises. For enterprises and IT professionals, they prefer using both ITIL and COBIT guidance to address business needs. In general, COBIT is broader than ITIL in its scope of coverage.
Differences:
ITIL: the way to manage the IT services across their lifecycle (why)
Five stages in the ITIL service lifecycle:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
COBIT: how to govern the Enterprise IT (how)
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
Yulun Song says
Resource from: https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Liang Yao says
ITIL is from the implementation aspect, so it focuses on “how” to deploy controls; COBIT, on the other hand, is about “what” controls should be in place…
Yulun Song says
4. Why do we need control framework to guide IT auditing?
A control framework is an organized and categorized structure for an organization’s internal controls. It acts as a comprehensive security protocol that protects against fraud or theft from a spectrum of outside parties, including hackers and other kinds of cyber criminals.
COBIT and ITIL are two good frameworks, and we have already compared them and know the similarities and differences. Again, a control framework is there to minimize risks and create business value.
Paul Linkchorst says
Q1: Explain the key IT audit phases
1. Planning
2. Fieldwork and Documentation
3. Issue Discovery and Validation
4. Solution Development
5. Report drafting and issuance
6. Issue Tracking
Q2: What are the key activities within each phase?
• Planning: Involves determining the objectives and scope of the audit. Key activities in this phase include risk assessment of the auditee, scheduling, and kickoff meetings. An auditor should also develop “a series of steps to be executed in order to accomplish the audit’s objectives”, and preliminary research should be performed.
• Fieldwork and Documentation: In this section, the auditor is now acquiring data and asking questions to determine the risks of the auditee and whether those risks are being properly mitigated. Essentially in this section, the auditor is trying to validate the information that they were given, all while documenting their work.
• Issue Discovery and Validation: In this section, the auditor is creating a list with all the potential concerns they have and bringing it to the attention of the auditee/customer. In this stage, the auditor needs to confirm with the auditee whether those areas of concern are valid or not.
• Solution Development: In this section, those areas of concern that you validated in the previous step are brought forth to the auditee/customer. The text suggests one of three approaches, which essentially boil down to the auditor asking how the auditee is going to fix the issue, telling the auditee’s management to fix the problem, or the auditor providing a solution recommendation to the auditee.
• Report Drafting and Issuance: In this section, the Audit Report is drafted, which includes a detailed list of issues concluded, how those issues will be resolved, and an executive summary of the audit.
• Issue Tracking: In this section, the auditor tracks any issues identified in the audit that need to be resolved and their due dates. Likewise, if issues are not actively being resolved, then the auditor has the responsibility to step in.
Liang Yao says
Very detailed. In which phases will the auditor conduct testing?
Paul Linkchorst says
Professor Yao,
The control testing would be performed in the “fieldwork” phase. In this section it is not only important to perform the tests of controls, but also document the steps one went about testing.
Paul Linkchorst says
Q3: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL and COBIT are two frameworks that are used to manage IT and IT governance. ITIL was developed by the U.K. government and defines the best practices of how to plan, design, and implement effective service management capabilities. If one looks at the ITIL website, it states that ITIL can be used as a framework to align “the needs of the business and support its core processes”. Essentially, ITIL is a framework that any organization can utilize in setting up their IT infrastructure to serve their purpose and needs. COBIT, on the other hand, was established by ISACA and, unlike ITIL, is a framework used to implement controls within an organization’s IT infrastructure. COBIT’s framework addresses items such as qualities of information as well as control objectives and activities. While each is slightly different in what it aims to accomplish, both can and should be used to establish an IT system that helps the business and is well controlled/governed.
Citation:
https://www.axelos.com/best-practice-solutions/itil/what-is-itil
Jaspreet K. Badesha says
I agree. In addition I feel like it works together like IT governance. The tone is set at the top… COBIT is like the board and determines why we need to implement certain controls where the general IT team would be the how and know technically what needs to get implemented. In essence one is the policy maker while the other is the enforcer.
Paul Linkchorst says
Hi Jaspreet,
I would agree that the IT team will be the ones to implement the changes. In my experience, I have worked with IT teams who are control conscious while other IT departments could care less. Regardless of this, these IT teams have the technical knowledge to implement controls in the IT systems, and the IT auditors are the ones to determine if those controls are effective by utilizing frameworks such as COBIT.
Paul Linkchorst says
Q4: Why do we need control framework to guide IT auditing?
I believe one of the major reasons why IT auditors need control frameworks is to establish some sort of baseline to audit from. One can take COSO for example. As others have mentioned, COSO is comprised of 5 sections, which include the control environment, risk assessment, control activities, information/communication, and monitoring activities. When these 5 components are implemented together, the result should be an effective internal control system that mitigates risks against the organization. Since an IT auditor’s function is to test IT controls, they need to make sure those 5 components are adequately covered by the internal controls in place.
To use another example, the COSO framework is like a pizza pie. You have several components such as dough, cheese, sauce, and toppings in order to successfully make a pie. If you were to audit the pizza based on how well it was made, you would need to test each ingredient: the dough, cheese, sauce and toppings. Applying this to an audit using the COSO framework, an auditor would test the control environment, the risk assessment performed by management, the control activities, how the controls are communicated, and how management monitors the quality of the controls. So for an auditor to determine if the control system is effective, they need to audit the control system framework used (a.k.a. the pizza ingredients) to make sure the internal control system is effective (a.k.a. the pizza was made correctly).
Linked below is a good reference to understand how frameworks are utilized by IT auditors.
http://www.coso.org/audit_shop.htm
Yang Li Kang says
I really like your pizza analogy :D. I completely agree. A control framework serves as a baseline for all audits to follow. This ensures uniformity and is sort of a guarantee that if the framework is followed, the IT infrastructure of the company will be governed correctly.
Jaspreet K. Badesha says
I agree, nice creativity on the pizza analogy and on mentioning that the control framework is like setting a baseline to make it easier for auditors to know what they are measuring. It additionally helps the firm maintain compliance in an easy and effective manner.
Liang Yao says
Paul – Please share your “pizza” theory with the class on Wednesday…
Paul Linkchorst says
I wasn’t sure at first if my analogy actually reflected the importance of frameworks for the IT Auditors but I would be glad to share it with the class.
Wen Ting Lu says
Hi, Paul
Thanks for sharing the pizza analogy, it is very interesting and easy to understand. I totally agree with you that the control framework is a set of guidelines for auditors to follow. Following these guidelines will ensure the IT infrastructure of the company maintains strong governance.
Jaspreet K. Badesha says
The differences between the frameworks are that COBIT is described as the ‘Why’ where ITIL is described as the ‘How’. However, they are best when used together rather than one vs another. Per research on https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
They are similar in the sense that when used together they provide guidance and IT governance. Both are set in place as a role of IT governance and that both are set to make the IT environment more effective and efficient.
Ian M. Johnson says
Are there situations that you would use one over the other?
Would you agree that there are certain IT service mgmt. issues that would require ITIL over COBIT? Would it be a waste of resources/overkill to use both in these situations? I only ask because I read that ITIL concentrates on and offers more detailed guidance when it comes to IT service mgmt.
Liang Yao says
Since COBIT is developed by ISACA, IT auditors most likely rely on COBIT.
Joshua Tarlow says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL and COBIT both address compliance and security. Each provides a framework to manage IT services and assets for enterprises. COBIT is more expansive than ITIL and provides guidance for IT governance and management across the entire enterprise. ITIL focuses on managing IT services to maximize business value. As opposed to COBIT, ITIL goes more in depth regarding IT services, including strategy, design, transition, operation, and improvement. In contrast, COBIT provides a framework beyond service, including reliability, quality and security. It is a more effective tool to address broader IT risks throughout an enterprise.
Jaspreet K. Badesha says
I agree. In my research, an easy way to identify the differences is simply that one is telling the ‘Why’, why these controls are important and need to be put in place, where the other is telling us the ‘How’. One is used at an executive or leadership level, where the other can be used at the lower level of the person implementing the controls.
Jaspreet K. Badesha says
Why do we need control framework to guide IT auditing?
We need control frameworks to guide IT auditing to help conform to compliance within the industry. Since basic control frameworks already exist, it makes it easier and more cost effective for a company to implement something similar and then build from it. They are set to help with efficiency and best practices within a company. These control frameworks will also ensure that all organizations follow the same set of guidelines to provide uniform auditing throughout the organization or industry.
Abhay V Kshirsagar says
Jaspreet,
Good point. I would also like to add that the existing controls can sometimes be a starting point for the auditor as well. Sometimes these controls also tell auditors what a specific company wants to achieve through implementing controls.
Seunghyun (Daniel) Min says
Abhay,
I agree frameworks are great guidelines to start with. Because a framework contains what to check and what needs to be done for each phase during the audit process, it helps auditors complete every category in a proper manner. In the planning phase of an audit, auditors can use a framework to find/learn what to start with.
Jaspreet K. Badesha says
Explain the key IT audit phases.
What are the key activities within each phase?
1. Audit Planning
a. Developing an overall strategy for the audit
b. Developing a scope and objectives
2. Obtaining understanding of the client and its environment
a. This is to help establish what the company is currently like
b. This includes collecting/requesting documents that are required such as financial statements
3. Assess Risks of misstatements and design further audit procedures
a. Identify classes of transactions and disclosures that might be materially misstated
b. Misstatement risks are assessed through the following questions:
i. What could go wrong?
ii. How likely is it that it will go wrong?
iii. What are the likely amounts involved?
4. Perform tests of controls
a. Performed to determine whether key controls are properly designed and operating effectively.
5. Perform substantive procedures
a. Substantive procedures restrict detection risk, the risk that audit procedures will incorrectly lead to a conclusion that a material misstatement does not exist in an account balance when in fact such a misstatement does exist.
6. Complete the audit
a. Auditors perform a number of procedures near the end of the audit.
b. Evaluations for efficiency are completed
7. Audit Report
a. The report is issued.
Tamer Tayea says
Explain the key IT audit phases. What are the key activities within each phase?
Planning, Preliminary Survey & Risk Assessment
– Client engagement and Acceptance.
– Define audit scope and objective.
– Identify areas of Fraud Risks and potential responses.
– Understand business process and IT Involvement Environment.
– Understand current controls.
– Develop preliminary audit plan.
Testing and Fieldwork
– Review and evaluate controls already in place to make sure they work properly.
– Develop processes and procedures for data gathering.
– Identify areas of deficiencies or non-compliance.
Reporting
– Communicate areas noted for improvement during testing phase.
– Develop, along with business units, an actionable corrective action plan for deficiencies identified.
– Develop, along with business units, a timeline to address deficiencies identified.
– Develop final report.
– Disseminate report to appropriate business entities.
Follow-up
– Send request to business entities asking for update and selected random evidence to show progress on implementing action plan.
– Evaluate if re-testing may be necessary.
– If all checks out, close the audit plan.
Tamer Tayea says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding.
COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used in IT business process management to drive business value.
ITIL mainly focuses on the IT service delivery and support process (THE HOW methodology), while COBIT provides guidance on what should be achieved through COBIT governance and control processes (THE WHAT GOAL).
Tamer Tayea says
Why do we need control framework to guide IT auditing?
A control framework is a way to categorize the internal controls established by a business; it also establishes audit processes and procedures intended to create business value and minimize risk.
The adoption of a control framework to guide IT auditing provides a best-practice methodology to improve internal controls and identify cost-saving opportunities, in addition to overall security enhancement.
Vu Do says
Good analysis Tamer, a control framework is the basis for a business to establish its internal controls around and also for the audit processes and procedures, as you mention. Everything the organization does will be centered around the control framework to make sure that everything is running smoothly and everything being done will help mitigate risk. The control framework is definitely an important tool and is like a guide for the business.
e are any issues and why those issues may have occurred.
Wen Ting Lu says
Q: Explain the key IT audit phases
A:
Phase 1: Planning- This phase is to determine the objectives and scope of the audit. This planning process will require careful research and consideration.
Phase 2: Fieldwork and Documentation- The audit team is acquiring information and performing interviews that will help them to analyze the potential risks and determine which risks have not been mitigated appropriately.
Phase 3: Issue Discovery and Validation- The auditor should develop a list of potential issues to ensure that all the issues are valid and relevant. In addition, the auditor should discuss potential issues with customers immediately.
Phase 4: Solution Development- In this phase, the auditor should work with clients to come up with possible action plans to resolve each potential issue listed by the auditors in phase 3.
Phase 5: Report Drafting and Issuance- In this phase, the auditor documents the results of the audit. For the auditor and clients, the audit report serves as a record; for management and the audit committee, it serves as a “report card” on the audit areas.
Phase 6: Issue Tracking- After the audit is completed, it is important to follow-up on the solutions implemented to make sure they addressed the concerns.
Wen Ting Lu says
Source: IT Auditing by Chris Davis and Mike Schiller
Mansi Paun says
Q1 Explain the key IT Audit phases
A1 The key audit phases and their explanation are as below:
1) Planning – involves determining the scope and goals of the audit and the planning of executing steps to achieve the goals. This phase will require thorough research as it would impact the schedule and outcomes of other phases.
2) Fieldwork and documentation – this phase is where the bulk of Audit planning execution is carried out. The Audit team tries to find out as much information as possible through interviews and also validating the information that is provided. They also verify recent cases and examine evidence that is provided to ascertain whether processes are followed at the ground level.
The Audit team documents the happenings of Fieldwork so that their findings can be substantiated in a way that one can understand the flow of the Auditor’s actions, inferences and conclusions. Specifics of the process reviewed and the key control points are documented as well to avoid ambiguity.
3) Issue discovery and evaluation – during this phase, the Audit team vets the concerns they found during the previous phase. It is important that the potential issues are shared with the customer and validated before reporting them as findings.
4) Solution development – Once the Audit team has validated the concerns and they have listed the valid issues and risks, they can work with the client team to develop a plan to address the gaps.
5) Report drafting and issuance – After the issues have been discovered and validated and the solutions have been recommended / agreed upon or both, the Audit team prepares the Audit report to document the audit results. The Audit report outlines the scope of the audit, the executive summary and the issues along with the recommended/agreed upon action plan.
6) Issue tracking – The Audit is not really complete without the issues being brought to closure. This is why Issue tracking is also a phase in the Audit process. The responsible Auditor follows up regularly and well in time before the due date to understand whether the issue is being worked on as agreed. In case the solution is not being implemented as agreed upon earlier, the Auditor could escalate to management if he/she feels the need. The Audit is not really complete until the issues raised have been resolved.
Source: IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller
Mansi Paun says
Q1 Explain the key IT Audit phases
A1 The Key Audit phases and their explanation are as below:
1) Planning – involves determining the scope and goals of the audit and the planning of executing steps to achieve the goals. This phase will require thorough research as it would impact the schedule and outcomes of other phases.
2) Fieldwork and documentation – this phase is where the bulk of Audit planning execution is carried out. The Audit team tries to find out as much information as possible through interviews and also validating the information that is provided. They also verify recent cases and examine evidence that is provided to ascertain whether processes are followed at the ground level.
The Audit team documents the happenings of Fieldwork so that their findings can be substantiated in a way that one can understand the flow of the Auditor’s actions, inference and conclusions. Specifics of the process reviewed and the key control points are documented as well to avoid ambiguity.
3) Issue discovery and evaluation – during this phase, the Audit team vets the concerns they found during the previous phase. It is important that the potential issues are shared with the customer and validated before reporting them as findings.
4) Solution development – Once the Audit team has validated the concerns and they have listed the valid issues and risks, they can work with the client team to develop a plan to address the gaps.
5) Report drafting and issuance – After the issues have been discovered and validated and the solutions have been recommended / agreed upon or both, the Audit team prepares the Audit report to document the audit results. The Audit report outlines the scope of the audit, the executive summary and the issues along with the recommended/agreed upon action plan.
6) Issue tracking – The Audit is not really complete without the issues being brought to closure. This is why Issue tracking is also a phase in the Audit process. The responsible Auditor follows up regularly and well in time before the due date to understand whether the issue is being worked on as agreed. In case the solution is not being implemented as agreed upon earlier, the Auditor could escalate to management if he/she feels the need. The Audit is not really complete until the issues raised have been resolved.
Source: IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Victoria A. Johnson says
Mansi, very thorough explanation of key audit phases.
Mansi Paun says
Q2 What are the key activities within each phase?
A2 Listed below are the key activities within each phase of IT Auditing:
• Planning
o Defining scope and objective after discussion with customer
o Initial assessment that could give an idea about possible risks
o Scheduling
• Fieldwork and documentation
o Acquiring data and evidence and their validation through interviews and requests
o Documentation of audited process
• Issue discovery and validation
o Discussing potential issues with the customer and validating the concerns identified during Fieldwork
o Validate if there is significant risk to the company and determine whether the concern is to be reported
• Solution development
o Develop solution to fix the identified issues (these could be recommended or could be inviting management response or an agreed upon solution by both parties)
• Report drafting and issuance
o Preparation of Audit report which details the Audit scope, an Executive summary and the list of issues, the action plan and the due dates and the overall audit result.
o Draft Audit report to be sent for customer review and comments and subsequent changes to be incorporated
o Distribution of the Audit Report to Senior Management and often the Audit committee
• Issue tracking
o Regular follow up to ascertain that the agreed upon action plan is being implemented. If not, then taking needful action based on risk. Escalate if required.
o Follow up till issue(s) are fixed as agreed upon.
Mansi Paun says
Source: IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Ariana Levinson says
Questions 1 and 2: Explain the key IT audit phases and the key activities within each phase.
1. Planning
a. Scoping to determine what areas should be under audit and what the present risks are within the applicable areas.
b. Determine what, if any, internal controls already exist
c. Work with the customer to figure out when the audit will take place and if any on-site visits will be included (vs a remote audit)
d. Schedule a kickoff meeting
2. Evidence Gathering and Documentation
a. Gather relevant and appropriate evidence and process documentation
b. Conduct and document any required walkthroughs of systems
c. Test evidence and identify concerns and/or findings; draw conclusions
d. Document testing in order to support conclusions.
3. Issue Discovery and Validation
a. Create list of possible concerns and/or findings that cropped up during testing
b. Discuss list with customer to validate and refine.
4. Solution Development
a. Work with customer to develop an action plan which is to include the parties responsible for each step, the due dates and deadlines for each step, the goals to be reached, and the metrics used to determine successful reaching of goals.
5. Report Drafting and Issuance
a. Create audit report that includes the scope, a high-level summary of testing, the list of findings and the actions that will be taken to remediate them, and any other recommendations or other relevant information.
b. Ensure customers are aware of the audit results before they are actually reported
c. Issue audit report to all who are appropriate (senior management, audit committee, external auditors if applicable)
6. Issue Tracking
a. Follow up on any findings reported to ensure the action plans developed to address them were either carried out, or are in-process. If they are in-process, obtain a status of progress and a tentative resolution date.
b. If findings are not being addressed, inquire as to why not and escalate to higher management.
Seunghyun (Daniel) Min says
Explain the key IT audit phases. What are the key activities within each phase?
IT audit phases are similar to the internal audit ones. The phases are as follows:
Phase 1: Audit Planning
– Developing an overall strategy for performing the audit.
– Developing an overall audit strategy, an audit plan, and an audit program.
– *Planning continues throughout the entire audit as the auditor collects sufficient appropriate audit evidence to support the audit opinion.
Phase 2: Obtain an understanding of the client and its control environment
– Must have sufficient background of the client to assess the risk of material misstatement of the financial statements and to design the nature, timing, and extent of further audit procedures.
– Allows the auditor to identify areas that may be misstated
Phase 3: Assess risks of misstatement and design further audit procedures
– Risk assessment provides the auditors with evidence on potential risks of material misstatement.
– After analyzing the design and implementation of internal controls, the auditors must decide whether the system appears adequate to prevent or detect and correct material misstatement.
Phase 4: Perform tests of controls
– Determining whether key controls are properly designed and operating.
Phase 5: Complete the audit
Phase 6: Audit report
Seunghyun (Daniel) Min says
source: http://accounting-financial-tax.com/2009/09/7-major-phases-of-audit-of-financial-statements/
Wen Ting Lu says
Hi, Daniel
I think it is also necessary to follow up and track the issue after the audit is completed. The audit is not considered as truly complete until the issues found in the audit are resolved, or being accepted by the management.
Source: IT Auditing by Chris Davis and Mike Schiller
Liang Yao says
Absolutely. Tracking how management resolves issues is a very important task for auditors. Without timely tracking, all other audit work is in vain.
Seunghyun (Daniel) Min says
Rightly said, Wen Ting and Professor Yao. I totally agree that the audit process cannot be closed without resolving each issue found in the audit. In order to do that, I also believe auditors should constantly communicate with management to inform what issues are found and what needs to be corrected for controls to operate properly. Thank you for pointing out!
Vu Do says
Explain the key IT audit phases
1. Planning
• Determine the objectives & scope of the audit
• Establish what you're trying to accomplish
• Develop series of steps to be executed
Hand-off from the audit manager
Preliminary survey
Customer requests
Standard checklists
Research
2. Fieldwork & Documentation
• Analyze what you will be working with and evaluate the potential risk that may be involved. Perform tests and interviews.
• Document the work you are performing step by step so that if anyone has a question, or if you need to go back to look at something, you are able to, and know when you made the step and possibly the reason as to why.
3. Issue Discovery and Validation
• Discuss all potential issues with the customer as soon as they are discovered.
• Make sure all issues are valid and are risks that are significant enough to be worth bringing up.
4. Solution Development
• Work with the customer to develop a plan for addressing the issues brought forth.
• Depending on the issues, there are three approaches to help tackle the issue:
The Recommendation Approach
The Management-Response Approach
The Solution Approach
5. Report Drafting & Issuance
• Draft the audit report at this stage which is the document with the results of the audit you conducted.
• Most common essential elements of an audit report:
Statement of the audit scope
Executive summary
List of issues, along with action plans for resolving them
6. Issue Tracking
• Set up check points to follow up with the customer to make sure the issues from the audit are being resolved.
• If the issue is still there, then the auditor must come up with escalation procedures.
Source: IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller, Chapter 2 The Audit Process
Seunghyun (Daniel) Min says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL vs. COBIT
Similarity
• Provide guidance for the governance and management of IT-related services
Differences
ITIL
• Provide “how”
• Way to manage the IT service across their lifecycle
• ITIL focuses more on IT service management and provides much more in-depth guidance in this area than COBIT
COBIT
• Provide “why”
• Is about how to govern the enterprise IT in order to generate the maximum creation of value by the business
source: https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Why do we need control framework to guide IT auditing?
Control frameworks are great and important when it comes to guiding an IT audit. Because those suggestions in the frameworks are taken into consideration and implemented in many situations, they are extraordinarily effective in the nature of execution of an audit. We need control frameworks to guide IT auditing because those frameworks nicely delineate and explain how the audit process should be conducted, so it actually can minimize human errors during the audit process.
Mansi Paun says
Q3 Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
A3 Some of the key similarities between ITIL and COBIT are:
• Both are widely accepted frameworks for IT Organizations
• Both ITIL and COBIT represent best practices used in the industry and hence are complementary to each other.
Differences between ITIL and COBIT framework:
• ITIL was developed by the UK Government, while COBIT was developed by the IT Governance Institute.
• COBIT has a greater IT Governance scope as compared to ITIL which is focused in the area of IT Infrastructure management and service delivery.
• COBIT provides an answer to the “why” question regarding the Governance model whereas ITIL provides the answer to the “how”.
Source:
1. IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
2. https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Fangzhou Hou says
Question: Explain the key IT audit phases
According to Sharon Penn’s article “Six-Step Audit Process”, the key audit phases include:
1. Requesting Documents: Before an audit program officially carries on, the auditors are required to list an audit preliminary checklist that includes documents like a copy of previous audit reports and original bank statements. All of these documents need to be prepared before the audit plan is made.
2. Preparing an Audit Plan: After all the required documents were collected, the auditor would look over the collected information and reasonably allocate the audit resource by preparing an audit plan.
3. Scheduling an open meeting: Senior management and key administrative staff are then invited to an open meeting during which the scope of the audit is presented by the auditor. The leaders of department may be asked to inform staff of possible interviews with the auditor.
4. Conducting fieldwork: After the open meeting, auditors collect all information they gathered and use it to complete the audit plan.
5. Drafting a report: The auditor prepares a draft audit report with detailed information from previous document collection and open meetings.
6. Setting up a closing meeting: The final step of an audit process is to solicit a response from management as to whether it agrees or disagrees with problems in the report.
Source: http://smallbusiness.chron.com/sixstep-audit-process-17816.html
Wen Ting Lu says
Hi, Fangzhou
It’s interesting that you listed requesting documents as the first step of the IT audit phases, and preparing the audit plan as the second step. However, I think it is the other way around; I believe it is important to determine the objectives and scope of the audit first and then request the information needed.
Fangzhou Hou says
Question: What are the key activities within each phase?
1. Requesting Documents
– preparing checklists
– collecting documents
2. Preparing an audit plan
– Considering the collected information
– Developing an audit plan
3. Scheduling an open meeting
– Developing the scope of audit
– Open meeting with the employees
4. Conducting fieldwork:
– finalize the audit plan
5. Drafting a report
– The recommendation approach
– The solution approach
– Write an audit report
6. Setting up a closing meeting
– Executive summary of the report
– Report the problems and risks
– Developing how to solve the problems
Source: http://smallbusiness.chron.com/sixstep-audit-process-17816.html
Fangzhou Hou says
Question: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Similarities:
– Both have been used by IT professionals in the IT service management (ITSM)
– Both provide guidance for the governance and management of IT-related services by the organization.
Difference:
– ITIL focuses on the way to manage IT services across the lifecycle, but COBIT focuses more on how to govern the company in order to achieve the most value for the business.
– ITIL considers more details in “service management enablers” of the enterprise IT parts. Compared with ITIL, COBIT 5 describes the principles in a bigger picture, and focuses on how to support the enterprise in meeting stakeholder needs, especially those related to IT assets.
(from New Horizons)
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
There are five stages in the ITIL service lifecycle:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
Source: https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Ming Hu says
Q: Explain the key IT audit phases. What are the key activities within each phase?
Planning – determine the objectives and scope of the audit
Key activities: performs preliminary surveys; collaborates with customers; assessment
Field work and documentation – analyze the potential risks and determine which risks have not been mitigated appropriately
Key activities: performance assessment; documentation
Issue discovery and Validation – ensure the list of potential issues is valid and relevant and the risk presented is significant enough to be worth reporting and discussing
Key activities: communicates with customers; reviews systems for compliance with internal policies
Solution development – develop an action plan for addressing each issue
Key activities: provides recommendation; obtains feedback from customers; develops solutions
Report drafting and issuance – document the results of the audit
Key activities: articulates audit scope; writes executive summaries; provides a list of issues and action plans that all levels can understand
Issue tracking – track and follow up on issues until they are resolved
Key activities: maintains database; contacts responsible customers; initiates escalation procedures if needed; decision-making regarding the validation of solutions implemented to address audit issues
Fangzhou Hou says
Why do we need control framework to guide IT auditing?
An integrated framework can enhance the effectiveness and efficiency of internal control, and guide IT auditing. According to the COSO cube, there are five components that can help management establish an integrated framework:
– Control environment. As we discussed in a previous class, the control environment requires that upper management has an understanding of the importance of internal control. A mature control environment of an organization can assist IT auditors in effectively collecting evidence and other required information.
– Risk assessment. The risk assessment is necessary in analyzing relevant risks to the achievement of the objectives of the IT auditing plan. By identifying the potential risks, the organization can preventively control the loss before the risk actually occurs.
– Control activities. These are some procedures and policies which ensure that when risks happen, some necessary actions can stop the loss and ensure the entity’s objectives are achieved.
– Information and communication. The COSO requires pertinent information must be identified, captured, and communicated.
– Monitoring. The internal control systems need to be monitored. From IT auditing’s perspective, the auditing process also requires ongoing monitoring activities and separate evaluations, which can prevent the potential fraud and enhance the effectiveness of IT auditing.
Source: CHAPTER 16, Frameworks and Standards.
Ming Hu says
Thanks for your sharing. Risk assessment is a very important component; evaluating the risks identified gives you a unique perspective on the IT organization. It assesses the framework and process IT has embedded within the function to assess and manage risks, and evaluates the actions taken to mitigate risks and the level of accountability within the process.
Ming Hu says
Q: Why do we need control framework to guide IT auditing?
A control framework organizes and categorizes an organization’s internal controls; it provides guidelines and standards for IT auditing to achieve compliance with applicable laws and regulations, effectiveness and efficiency of operations and reliability of reports.
Shizhong Yang says
I totally agree with your answer, Ming Hu!
Ming Hu says
Q: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
Comparison between COBIT and ITIL
Function: Mapping IT Process vs Mapping IT Service Level Management
Area: 4 Process and 34 Domain vs 9 Process
Issuer: ISACA vs OGC
Implementation: Information System Audit vs Manage Service Level
Consultant: Accounting Firm, IT Consulting Firm vs IT Consulting firm
Jianhui Chen says
Absolutely agree with you. Based on my understanding:
COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
ITIL could be seen as the way to manage the IT services across their lifecycle, while COBIT is about how to Govern the Enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing the risks and the resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
Mansi Paun says
Q4 Why do we need control framework to guide IT auditing?
A4 Control frameworks are needed to guide IT Auditing as they provide
• Established best practices and control standards as a benchmark
• Clear guidelines about managing IT services, and
• Well defined guidelines for Risk Assessment, Issue and Risk tracking
Against which the Audited company’s IT environment can be assessed.
Victoria A. Johnson says
I agree with your answer, Mansi.
Daniel Warner says
1. Explain the key IT Audit phases
2. What are some key activities within each phase
Planning-
-This is the stage where the auditor develops the objectives and steps of the audit. Research is required in order to do adequate planning. The auditor should research into why the audit is being scheduled, which may include interviews with the customer with the goal being getting some background on the area that is going to be audited. Finding out about certain audit areas from the customer and factoring that into the audit plan is important in order to keep the conversation lines strong.
Fieldwork and Documentation-
The auditor will document the steps taken and the review that was completed. If a particular system was reviewed the auditor will indicate the steps that were taken in reviewing that system.
Issue discovery and validation-
This phase has the auditor shedding light on some of the risks the organization may have. It is important here to rank the issues when presenting to a customer. It may be better to present issues that pose serious risks, as opposed to just presenting each issue.
Solutions development-
This stage has the auditor providing solutions to the checklist of issues they discovered. From here they can state an opinion of how these issues can be addressed. Here the auditors can establish responsibility and due dates for the issues to be resolved.
Report drafting and issuance-
In this stage we draft an audit report that includes issues, action plans, and an executive summary. The executive summary should include information that is concise so that management can read this as a stand-alone document. A list of all issues that were discovered in the audit should be included as well as the action plan on how to address those issues.
Issue tracking-
The auditor should keep in contact with the customer to ensure that the issue is being worked on. If the auditor finds that the issue is not being worked on it may be necessary to escalate the issue to higher management.
Source: Chapter 2, IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Daniel Warner says
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
The COBIT model highlights control activities and control objectives. The structure is broken down into four areas: plan and organize, acquire and implement, deliver and support, and monitor and evaluate. Within each of these control objectives lies a framework for IT Governance and the IT Process.
ITIL is a set of standards for implementing best practices towards asset management, security and a list of other IT services.
The two seem to be different in scope but still complement one another. COBIT provides a structure to assess the control environment, whereas ITIL focuses more on the IT services included in its structure. In a way it seems like two sides of the same coin.
Source: Chapter 16, IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Daniel Warner says
Why do we need control framework to guide IT auditing?
A control framework is important because it provides a basis for the IT auditor to compare the organization's controls to. With a control framework, measurement of a control is possible because there exists a baseline (control framework) to compare the issues or control in question to.
Source: Chapter 16, IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
Vu Do says
Agreed Daniel, the control framework acts as a manual or guide for IT auditors to look to for comparison of controls when conducting an audit. It helps to make sure that everything is being done correctly. If there is an issue, then they can look to it to see if there are any issues and why those issues may have occurred.
Wen Ting Lu says
Q:Why do we need control framework to guide IT auditing?
A: We need a control framework to guide IT auditing because it serves as guidelines for IT auditors to follow. Following these guidelines will ensure the IT infrastructure of the company maintains strong governance.
Shizhong Yang says
Wenting Lu,
You are absolutely right! We need a control framework to guide IT auditing because it serves as guidelines for IT auditors to follow.
Jianhui Chen says
Good post, a control framework is necessary for IT auditing. A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk.
Wen Ting Lu says
Question: What are the key activities within each phase?
1. Planning
– Developing the scope of audit
– Determine the existing internal controls
– Preliminary survey
– Research
– Communicate/schedule with customers to set up where and when the audit will take place
2. Fieldwork and Documentation
– Gather information
– Test evidence and identify issues
– Document testing to support conclusions
3. Issue Discovery and Validation
– Create a list of possible issues that come up during the audit
– Discuss the potential issues with customers to validate
4. Solution Development
– Work with customers to come up with action plans. There are three approaches to resolve issues:
a. The recommendation Approach
b. The management-response approach
c. The solution approach
5. Report Drafting and Issuance
– finalize the audit report
a. Statement of the audit scope
b. Executive summary
c. List of issues and action plans for resolving each of the issues
6. Issue Tracking
– Follow up with customers to see whether all the issues found from the audit are resolved
– Come up with escalation plans when issues still exist.
Jianhui Chen says
Hi Wen Ting Lu, your post is good. The internal control activities can be found in the workplace. All employees fit into the organizational picture of internal control, whether or not their job responsibilities are directly related to these example activities. Key controls are those elements of the five components of internal control that have a pervasive effect upon the accomplishment of management’s control objectives. These key controls will be similar for all financial reporting frameworks, including special purpose frameworks. At the entity level for smaller entities, these controls may be informal and ordinarily carried out by one or a few persons, such as an owner or manager. The design and operation of these key controls can prevent material misstatements due to error or fraud from occurring and going undetected.
Jianhui Chen says
1st phase: Audit objective:
Identify the purpose.
2nd phase: Audit Scope:
Identify which specific part of the organization needs to be audited
3rd phase: Preaudit planning
Identify what technical skills and resources are needed.
Identify the sources of information for audit.
Identify the locations or facilities for audit.
Develop a communication plan.
4th phase: Audit procedures and steps for data gathering
Select the audit approach to verify and test the controls.
List the individuals who need to be interviewed.
Obtain departmental policies, standards and guidelines for review.
Develop audit tools and methods.
5th phase: Procedures for evaluating the test or review the results
Identify the methods to perform the evaluation.
Set up the criteria
Confirm that the approach and resources are accurate.
6th phase: Procedures for communication with management
Determine how often the communication occurs.
Prepare for final report.
7th phase: Audit report preparation
Disclose the related procedures.
Review and evaluate the soundness of documents, policies and procedures.
Source: ISACA, CISA Review Manual, 26th ed., 2016
Jianhui Chen says
COBIT stands for Control Objective over information and related technology. Its main function is to help the organization map their IT process to the ISACA best practices standard.
ITIL is regarded as the information technology library. It is a set of frameworks for managing IT service level. ITIL is much easier to implement, as implementation of ITIL has only partial or no impact on the performance of the organization. COBIT is quite difficult to implement, because one should see a process in a bigger view first before it can be implemented partially.
Source: http://beefchunk.com/documentation/security-management/comparison_between_COBIT_ITIL_and_ISO_27001.pdf
Paul M. Dooley says
COBIT stands for Control Objectives for Information and Related Technology. There are 4 key features of the COBIT framework. It is not reliant on a specific technical platform. The processes and management are focused on the owners of such. It has become the international standard for IT Governance. ITIL stands for IT Infrastructure Library. ITIL is a framework on how to implement a project. ITIL is more closely focused on infrastructure and services. During my time at Verizon, all Project Managers had to become ITIL certified. COBIT is more of a general framework which can be applied outside of just an infrastructure and services scope. ITIL focuses on the following issues:
Service Support Functions:
Problem Management
Incident Management
Service Desk
Change Management
Release Management
Configuration Management
Service Delivery Functions:
Capacity Management
Availability Management
Financial Management
Continuity Management
Service Levels
Jianhui Chen says
Why do we need control framework to guide IT auditing?
A control framework is a data structure that organizes and categorizes an organization’s internal controls. A well-established control framework can help the organization create business value and minimize risk. The COSO framework, the most commonly used control framework in the world, consists of internal control environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.
Source:http://searchcompliance.techtarget.com/definition/control-framework
Vu Do says
Why do we need control framework to guide IT auditing?
A control framework organizes the company’s internal controls through data structures. Having it in place is crucial to helping guide IT auditing, so that auditors know the processes in place for the organization. They also get the reassurance that they are performing their work in a safe environment and within the rules and regulations. A control framework identifies any potential risks and minimizes them, and also complies with the rules and regulations.
Victoria A. Johnson says
Great post, Vu. A framework also acts as a starting point for auditors to perform audits and develop audit controls.
Shizhong Yang says
Question: Comparing ITIL and COBIT: list some key similarities and difference based on your understanding.
COBIT (Control Objectives for Information and Related Technology) and ITIL (Information Technology Infrastructure Library) have been used by information technology professionals in the IT service management (ITSM) space for many years. Used together, COBIT and ITIL provide guidance for the governance and management of IT-related services by enterprises, whether those services are provided in-house or obtained from third parties such as service providers or business partners.
ITIL could be seen as the way to manage the IT services across their lifecycle, while COBIT is about how to govern the enterprise IT in order to generate the maximum creation of value by the business, enabled by IT investments, while optimizing the risks and the resources. COBIT 5 describes the principles and enablers that support an enterprise in meeting stakeholder needs, specifically those related to the use of IT assets and resources across the whole enterprise. ITIL describes in more detail those parts of enterprise IT that are the service management enablers (process activities, organizational structures, etc.).
Generally speaking, COBIT is broader than ITIL in its scope of coverage.
Source: https://nhlearningsolutions.com/Blog/TabId/145/ArtMID/16483/ArticleID/1514/COBIT-vs-ITIL.aspx
Jianhui Chen says
Good post, and I really like the example demonstrating the similarities and differences. The list below shows my understanding of the differences and similarities.
COBIT is based on five principles:
1. Meeting Stakeholder Needs
2. Covering the Enterprise End-to-End
3. Applying a Single, Integrated Framework
4. Enabling a Holistic Approach
5. Separating Governance from Management
And seven enablers:
1. Principles, Policies and Frameworks
2. Processes
3. Organizational Structures
4. Culture, Ethics and Behavior
5. Information
6. Services, Infrastructure and Applications
7. People, Skills and Competencies
ITIL focuses on ITSM and provides much more in-depth guidance in this area.
There are five stages in the ITIL Service Lifecycle:
1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
Paul M. Dooley says
Explain the key IT audit phases
What are the key activities within each phase?
The first phase of an audit is the planning stage. This is where you determine what you plan to review and the overall objectives and scope. Some of the key activities include: hand-off from the audit manager, preliminary survey, customer requests, standard checklists, research, assessments and scheduling.
The next phase is fieldwork and documentation. This is where the team acquires data and performs the necessary interviews that will help analyze the potential risks appropriately. Key activities include documentation.
Issue discovery and validation is the next phase of the audit process. This is where the auditor would scrub the list of potential issues to ensure that identified issues are valid and relevant. Key activities in this area include having discussions with customers of potential identified issues rather than waiting until the audit process is complete and overwhelming them with a long list of issues.
Solution development is the next phase of the audit process. This is where an action plan is developed to address the relevant identified risks. Here you take one of three approaches to develop a solution to the problem: (1) the recommendation approach, (2) the management-response approach, or (3) the solution approach. The key activity in this area is giving guidance and leveraging a collaborative environment to come up with a solution.
Report drafting and issuance is the next step of the audit process. Here you draft the audit report. The audit report includes a statement of the scope of the audit, an executive summary, a list of issues and action plans, key controls, closed items, and minor issues.
The final stage in the audit process is issue tracking. This involves maintaining a database containing all audit points and their due dates and marking them complete as they move through the process.
Victoria A. Johnson says
Thorough explanation of the key IT phases, Paul.
Paul M. Dooley says
Why do we need control framework to guide IT auditing?
Frameworks are needed to define policies and procedures around the implementation and management of controls in an environment. They essentially act as a blueprint for building the security program and managing risk. Depending on what the scope of the audit is, different frameworks can be leveraged.
Victoria A. Johnson says
Why do we need control framework to guide IT auditing?
A control framework is a data structure that organizes and categorizes an organization’s internal controls, which are practices and procedures established to create business value and minimize risk. The purpose of a control framework in guiding IT auditing is to help monitor the efficiency and effectiveness of operations in IT. Not having this framework in place would mean that there is no formalized structure or basis of understanding for controls. The framework is important because it gives auditors a starting point to perform audits and an understanding of what controls should be established for an organization to be effective in IT.