Liang Yao

Ian – Can you elaborate “supports missing data in an organized logical way”? Thx

Absolutely. Tracking how management resolves issues is a very important taks for auditors. Without timely tracking, all other audit work is in vain.

since CoBit is developed by ISACA, IT auditors most likely rely on CoBit.

Paul – Please share your “pizza” theory with the class on Wednesday…

very detailed. which phases will auditor conduct testing?

ITIL is from implementation aspect, so it focuses on “How” to deploy controls; CoBit on the other hands, is from “what” controls should be in places…

Those are NOT the audit process…please refer to Chapter 2 of the IT auditing book…

IT audit processes are actually not defined in CoBit…IT audit process is in Chapter 2 of the text book

Priya – You raised some interesting questions here. I would like to discuss those questions during the class. Would you please bring it up on Wednesday? Thx.

You are all on top of it – Risk Assessment is one of the key audit steps.

ITIL for management; IT auditors focus on CoBit: both deal with technology controls but from different views.

Through mapping controls from CoBit domains, management can identify control gaps; and ITIL’s mapping of SLA is to ensure agreed service levels whether they are internal or external are clearly defined, measured and monitored.

Indeed, from service delivery and support aspect, controls listed from both frameworks can be mapped, even though they may not be mapped one-on-one.

Correct. RACI is more from management aspect than from audit. However, RACI can be used as references by auditors for project management audits.

Ian – Doc. requests usually is developed at the end of the planning stage, while the scope is defined and controls need to be tested are determined and testing procedures are developed. Then auditors will prepare required doc. list as review/testing evidence. Make sense?

Leveraging the proper framework will also provide IT auditors with ammunition while laying out the audit findings…

In general, managenent relies on ITIL to design and deply IT controls; IT auditors, on the other hand, leverage COBIT to verify design and operating effectiveness of IT controls.

Priya – Glad that you pointed out the risk assessment. Be prepare to elaborate during the class…:)

Priya – Just curious the source of the approaches you mentioned above? or it’s from the orgnization you were with before?

Good discussions upon what needs to be done once auditors and auditees agreed on findings. I will summarize this during the class.