Earlier this year, I authored a column on the “Components of an IT Audit Report.”[1] These components need to provide assurance, inform auditees and others of management and control issues, recommend corrective action, and represent the quality of the audit and the credibility of the audit organization. How the audit report is organized and written can significantly impact these objectives.[2] A logical follow-up question to this column would, therefore, be: what would the actual contents of these components look like? In particular, what would the “Findings, Conclusions and Recommendations” and the “Executive Summary” components look like?
Setting the (COBIT 2019) Scene
Before discussing these components further, it is worth recapping some COBIT® 2019 concepts, as these will be referenced later.
Enterprises can have different strategies, which can be expressed as one or more of the archetypes shown in figure 1. Organizations typically have a primary strategy and, at most, one secondary strategy.[3]
These strategies are realized by the achievements of enterprise goals (figure 2).
In turn, alignment goals (figure 3) emphasize the alignment of all IT efforts with business objectives.[4] The alignment goals, in turn, drive the governance and management objectives (COBIT® processes) (figure 4).
Findings, Conclusions and Recommendations
In my previous column,[5] I shared a figure on the five attributes of an audit finding (figure 5). I am now proposing that these attributes can be derived from the components of the goals cascade (figure 6).
The following is a sample internal audit finding applying this method, while also referencing another useful resource for audit reports, the ISACA® Glossary.[6]
Sample Internal Audit Finding: Disaster Recovery
A disaster recovery plan (DRP) refers to the set of human, physical, technical and procedural resources to recover, within a defined time and cost, an activity interrupted by an emergency or disaster.[7]
Our audit disclosed that the company would be unable to recover its sales order processing (SOP) system in line with business requirements (figure 3 AG05) should the primary processing facility be rendered inoperable. Although replication is in place between the primary and secondary facilities, recovery strategies for different disaster scenarios have not been developed and documented in a DRP. Further, no disaster recovery tests have been performed. The IT-related risk is, therefore, not being adequately managed (figure 3 AG02) (figure 5 Condition).
Depending on the nature and extent of loss of the primary processing capabilities, the company would not be in a position to ensure business service continuity and availability (figure 2 EG06) for the application affecting the customer-oriented service (figure 2 EG05) and the quality of management information (figure 2 EG07). This would likely result in an adverse financial impact affecting the enterprise’s growth strategy (archetype) (figure 5 Effect or Impact).
The company needs to implement a DRP for the SOP system in line with the business continuity response. This should document all procedures necessary for the enterprise to continue critical activities in the event of an incident (COBIT Deliver, Service and Support [DSS] DSS04.03). Further, this should be tested on a regular basis against predetermined outcomes (COBIT DSS04.04) (figure 5 Criteria).
While management acknowledged that disaster recovery was important, responsibility to ensure that the SOP system was maintained in line with business requirements (figure 3 AG05) had not been assigned. We also found that the risk management process did not formally consider the loss of IT capabilities (figure 3 AG02) (figure 5 Cause).
Sample Recommendations
We recommend that the company should:
- Identify key stakeholders and roles and responsibilities for defining and developing the DRP
- Develop and maintain operational DRPs that contain the procedures to be followed to enable continued operation of the SOP system
- Define objectives for exercising and testing the plan to verify the completeness of the DRP in meeting business risk. This should include input from risk management.
- On a regular basis, review the plans to consider the impact of new or major changes to the organization, business processes, outsourcing arrangements, technologies, infrastructure, operating systems and SOP system
- Ensure that management and staff are adequately trained to effectively execute disaster recovery tasks and activities
(All based on COBIT DSS04.)
The report's executive summary should then be based upon the effect or impact while also summarizing the recommendations.
Some Points to Note
Although already comprehensive, there is no reason why an enterprise should not add to the archetypes, enterprise goals or alignment goals if doing so gives greater direction or clarity to the organization. Further, even if an enterprise does not use COBIT, the goals cascade can still be implemented, as each of the management practices maps to other related guidance, for example, the US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53,[8] the Information Security Management Systems Requirements of International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) ISO/IEC 27001:2013,[9] and the Center for Internet Security (CIS) Critical Security Controls.[10]
Conclusion
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.[11] There is no better way for internal audit to demonstrate, and for senior management to see, this value than by directly linking audit report findings to the enterprise’s strategy. Further, the alignment and/or enterprise goals can be captured and measured as part of the audit follow-up process.[12]
Endnotes
[1] Cooke, I.; “The Components of the IT Audit Report,” ISACA® Journal, vol. 1, 2020, http://q32k.fenxiong.net/archives
[2] ISACA®, IS Audit Reporting, USA, 2015
[3] ISACA, COBIT® 2019: Introduction and Methodology, USA, 2018, http://q32k.fenxiong.net/resources/cobit
[4] Ibid.
[5] Op cit, Cooke
[6] ISACA Glossary, http://q32k.fenxiong.net/resources/glossary
[7] Ibid., “Disaster Recovery Plan”
[8] National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, USA, 2013, http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[9] International Organization for Standardization (ISO), Information technology—Security techniques—Information security management systems—Requirements, Switzerland, http://www.iso.org/obp/ui/#iso:std:iso-iec:27001:ed-2:v1:en
[10] Center for Internet Security, CIS Controls, http://www.cisecurity.org/controls/
[11] The Institute of Internal Auditors, About Internal Auditing, http://global.theiia.org/about/about-internal-auditing/Pages/About-Internal-Auditing.aspx
[12] Cooke, I.; “Enhancing the Audit Follow-Up Process Using COBIT 5,” ISACA Journal, vol. 6, 2016, http://q32k.fenxiong.net/archives
Ian Cooke, CISA, CRISC, CGEIT, COBIT 5 Assessor and Implementer, CFE, CIPM, CIPP/E, CIPT, FIP, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, is the group IT audit manager with An Post (the Irish Post Office based in Dublin, Ireland) and has over 30 years of experience in all aspects of information systems. Cooke has served on several ISACA® committees, was a topic leader for the Audit and Assurance discussions in the ISACA Online Forums, and is a member of ISACA’s CGEIT® Exam Item Development Working Group. Cooke has supported the update of the CISA® Review Manual and was a subject matter expert for the development of both ISACA’s CISA® and CRISC™ Online Review Courses. He is the recipient of the 2017 John W. Lainhart IV Common Body of Knowledge Award for contributions to the development and enhancement of ISACA publications and certification training modules and the 2020 Michael Cangemi Best Book/Author Award. He welcomes comments or suggestions for articles via email (Ian_J_Cooke@hotmail.com), Twitter (@COOKEI), LinkedIn (www.linkedin.com/in/ian-cooke-80700510/), or on the Audit and Assurance Online Forum (engage.fenxiong.net/home). Opinions expressed are his own and do not necessarily represent the views of An Post.