Generic audit guideline
CobiT includes a generic template for the audit guidelines. This template (see below) is applied to the 34 processes defined in the CobiT Framework.
| Step | What it covers | Audit steps |
|---|---|---|
| Obtaining an understanding | The audit steps to be performed to document the activities underlying the control objectives, as well as to identify the stated control measures/procedures in place. | Interview appropriate management and staff to gain an understanding of … Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators of the process, and the control implications. |
| Evaluating the controls | The audit steps to be performed in assessing the effectiveness of the control measures in place, or the degree to which the control objective is achieved. Basically, deciding what, whether and how to test. | Evaluate the appropriateness of the control measures for the process under review by considering identified criteria and industry standard practices and the Critical Success Factors (CSF) of the control measures, and by applying auditor professional judgement. Conclude on the degree to which the control objective is met. |
| Assessing compliance | The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment. | Obtain direct or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review, using both direct and indirect evidence. Perform a limited review of the adequacy of the process deliverables. Determine the level of substantive testing and additional work needed to provide assurance that the process is adequate. |
| Substantiating the risk | The audit steps to be performed to substantiate the risk of the control objective not being met, by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to 'shock' management into action. Auditors have to be creative in finding and presenting this sensitive and confidential information. | Document the control weaknesses and the resulting threats and vulnerabilities. Identify and document the actual and potential impact. Provide comparative information. |
There are, however, four things the Guidelines are not:
| 1 | The Audit Guidelines are not intended as a tool for creating the overall audit plan and coverage which considers a range of factors including past weaknesses, risks to the organisation, known incidents, new developments and strategic choices. Although the Framework and Control Objectives provide direction, guidance for the exact activity is outside the scope of the Audit Guidelines. |
| 3 | The Audit Guidelines do not attempt to explain in detail how computerised planning, assessment, analysis and documentation tools (which include but extend beyond Computer Assisted Audit Techniques) can be used to support and automate the audit of IT processes. There is enormous potential for information technology to be used to enhance the efficiency and effectiveness of audits, but guidance on this topic is also outside the scope of the Audit Guidelines. |
| 4 | The Audit Guidelines are not exhaustive nor definitive, but will evolve together with CobiT and its detailed Control Objectives. |