Cobit FAQ

Are the Control Objectives linked to the Audit Guidelines and to what degree?

The control objectives have been developed with a process orientation because management is looking for pro-active advice on how to keep IT under control. Balancing cost and risk is the next issue to address (i.e., making a conscious choice of how, and whether, to implement each control objective). Future CobiT products will address this choice thoroughly, although the pro-active principle remains: control objectives are applied in the first place to satisfy the information criteria (effectiveness, efficiency, confidentiality, availability, integrity, compliance and reliability).

The link between the control objectives and the audit guidelines is the IT process. The control objectives help management establish control over the process; the audit guidelines help the auditor or assessor obtain assurance that the process is actually under control, so that the information requirements needed to achieve the business objectives will be satisfied.

In the control framework represented by the waterfall model, the audit guidelines provide the feedback from the control processes back up to the business objectives. The control objectives are the guide going down the waterfall to bring the IT process under control. The audit guidelines are the guide going back up the waterfall with the question: "Is there assurance that the business objective will be achieved?" Sometimes an audit guideline is a straight translation of the corresponding control objective; more often the guidelines look for evidence that the process is under control.