COBIT FOR INFORMATION TECHNOLOGY (IT) AUDITS

The Allstate Insurance Audit Team was one of the case studies presented at the recent Information Systems Audit and Control Association (ISACA) training seminar.

In that study, we learned that Allstate adopted COBIT (Control Objectives for Information and Related Technology) to scope and plan its IT audits. The team used COBIT to evaluate IT governance and controls, to obtain benchmarks for assessing the automated controls embedded in key business processes, and to assess the control activities performed by the company's application support team.

The Allstate Audit Director convinced management that COBIT provides a structured means of ensuring consistent and appropriate IT controls throughout the company. He also demonstrated to management that COBIT provides a common control language, which makes it easier for auditors, IT staff and business managers to communicate about controls and processes.

The audit group constructed a COBIT-based risk assessment approach, then interviewed key IT and business managers to obtain an enterprise-wide view of the key business objectives and potential risk areas. The team compiled the comments received and ranked them according to the risks identified. It then evaluated the risk ratings by business unit and the systems impact for each COBIT domain. Audits addressing specific risk areas were identified and used to build the annual audit plan, and these in turn drove the design of the audit programs and templates.

Allstate has found that an excess of controls is a burden on running a business successfully in a highly competitive environment. COBIT helped Allstate balance appropriate controls against process efficiency and effectiveness. The benefits realized included fewer exceptions and less rework; consistent data collection, which produced accurate information and supported compliance with rules and regulations; front-end system controls that saved time and effort; technology investment decisions aligned with business goals; better communication between the business and IT communities; and a management framework for scope containment and financial management.

NOTE: COBIT is a widely accepted framework for IT audits, playing a role similar to that of the combination of GASB and GAAS in traditional audits. You can read more about COBIT at www.Isaca.org .


Rommel Panlilio is an Internal Auditor at the Department of Airports (LAWA). He is a California CPA and holds a master's degree in Information Systems Management. He recently obtained the ATMB (Advanced Toastmasters Bronze) certificate from Toastmasters International.
