IT Audit in accordance with COBIT Standard

  1. Introduction

IT audit is the process of gathering and evaluating evidence based on which one can evaluate the performance of IT systems, i.e, to determine whether the operation of information systems in the function of preserving the property and maintain data integrity. It is also necessary to determine whether IS enables effective achievement of business objectives and whether system resources are used in an effective and efficient manner. These must be understood in order to consider how they can be used together, COBIT with acting as the consolidator.


COBIT is the worldwide accepted standard which prescribes areas and individual controls for IT governance, informatics and related IT processes. COBIT combines business and IT goals, providing the ability to monitor the maturity of the information metric system. The practice recommended by COBIT is the mixture of knowledge of numerous experts as a result of good practice, applicable in any organization.

Overall, COBIT ensures quality, control, and reliability of information systems in an organization, which is also the most important aspect of every modern business.

The first version of COBIT was created as a tool to in order to support performance of audit of financial statements, but it continues further to develop following development of the IT role in business. Figure 2 shows the development of the COBIT framework and roles it has had through his development and upgrading. COBIT consists of 34 key business control processes describing each process model of maturity.

Fig 1: Source: ISACA®COBIT® 2019 Framework: Introduction and Methodology, figure 3.5, USA, 2018, and COBIT® 5 figure 2, USA, 2012.


COBIT has a high position in business frameworks and has been recognized under various international standards, including ITIL, CMMI, COSO, PRINCE2, TOGAF, PMBOK, TOGAF, and ISO 27000. 

The latest COBIT version 5 came out in April 2012 and consolidated the principles of COBIT 4.1, Risk IT Frameworks, and Val IT 2.0.

Various COBIT Components are:

  • Framework
  • Process Description
  • Control Objectives
  • Maturity Models
  • Management Guidelines

Critics maintained that COBIT 5.0 encouraged paperwork and rote rules rather than merely promoting IT governance engagements and improving accountability. COBIT 5.0 addressed all the criticisms in a sustainable manner.

In several cases, COBIT 5.0 has been appreciated for its ability to reduce the risk of IT implementations.

From the point of control and information systems audit COBIT determines 18 applications and 6 of process controls. Assessment of maturity of IT governance processes are in the range of 0 to 5.

0 – There are no processes, process of IT governance do not exist. 

1 – Initial processes, management is not aware of the importance of IT governance, although there are no formal procedures, management and oversight of information technology is mostly based on individual and uncontrolled based, and actions are taken on case by case basis. 

2 -There are no standards, nor corporate rules, nor obligations and responsibilities regarding this issue.

3 – Defined processes, IT governance procedures are prescribed and documented, and constantly improved through formal trainings and education. Procedures and corporate rules, although formally exists, are not sophisticated, mature nor customized to organization business. They only represent the formalization of existing procedures. Although procedures exist, the responsibility for its execution is on the individuals, and having in mind that there is no system supervision, it is unlikely that one can detect anomalies regarding this matter.

4 -Very sophisticated IT governance objectives closely aligned with the business objectives are being set.

5 – Optimized processes, IT governance processes are brought to the optimal level and the company is a leader in the area. Complete transparency in IT governance governs, corporate bodies have actual supervision over information technology through a series of formal mechanisms.

To satisfy business objectives, information needs to conform to certain control criteria, which COBIT refers to as business requirements for information. 

· Effectiveness deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. 

· Efficiency concerns the provision of information through the optimal use of resources. 

· Confidentiality concerns the protection of sensitive information from unauthorized disclosure.
· Integrity relates to the accuracy and completeness of information as well as to its validity in accordance with business values and expectations. 

· Availability relates to information being available when required by the business process now and in the future. 

· Reliability relates to the provision of appropriate information for management to operate the entity and exercise its fiduciary and governance responsibilities.

  1. ITIL and ISO 27002, 27001 Standards

ITIL is based on defining best practice processes for IT service management and support, rather than on defining a broad-based control framework. IT service management is concerned with planning, sourcing, designing, implementing, operating, supporting and improving IT services that are appropriate to business needs. ITIL provides a comprehensive, consistent and coherent best practice framework for IT service management and related processes, promoting a high-quality approach for achieving business effectiveness and efficiency in IT service management. ITIL is intended to underpin but not dictate the business processes of an organization.

The role of the ITIL framework is to describe approaches, functions, roles and processes, upon which organizations may base their own practices and to give guidance at the lowest level that is applicable generally. Below that level, and to implement ITIL in an organization, specific knowledge of its business processes is required to drive ITIL for optimum effectiveness. V3, the most significant development has been the move from a process-based framework to a more comprehensive structure reflecting the life cycle of IT services.

Its goal is to provide information to parties responsible for implementing information security within an organization. It can be seen as a best practice for developing and maintaining security standards and management practices within an organization to improve reliability on information security in inter organizational relationships. It defines 133 security controls strategies under 11 major headings. The standard emphasizes the importance of risk management and makes it clear that it is not necessary to implement every stated guideline, only those that are relevant.

Overview of COBIT, ITIL and ISO 27002 Standards

Benefit of COBIT

This raises the success rate of businesses, but at the same time raises other challenging and complex management and governance concerns for the security professionals, enterprise leaders, and governance specialists. COBIT 5.0 is the exact solution the modern businesses are asking for.


IT processes while ITIL aims to map IT service level management and ISO27002 provides guidelines for implementing a standardized information security framework. COBIT consists of 4 domains and 34 processes which are required for the implementation of the information system audit.

In the period from 1 June to 31 July 2009, It provides a comparison of companies in respect of major areas of information security and IT governance. COBIT are increasingly popular for planning IT audit activity and are adopted by 69 percent of respondents. These frameworks deliver a structured approach to planning and focus the IT audit on the business and technological risks of the organization. COBIT, ITIL, ISO 17799 and ISO 27001 are the group of most commonly used methodologies by companies in respect of IT security and IT governance.

Internal Audit should have a direct line to executive management and the Audit Committee. By cascading top level opinion on the value and content of Internal Audit’s outputs and by communicating information on the issues that affect the business, the function can heighten its visibility. To maintain that position, it needs to develop a closer relationship with the business while maintaining its independence and objectivity. This powerful combination of technical and business know-how, underpinned by an understanding of operational and technology risk, can turn the function from cost center to value builder.

While the modern world is gearing towards an environment of several emerging technologies, including consumerization, cloud computing, social media, big data, and mobility, information and IT is easily the new currency. New businesses demand that risk scenarios are better met with the power of information.

Thank You

Leave a Comment

Your email address will not be published. Required fields are marked *