COBIT Focus Area: Information and Technology Risk—A Model for Internal Audit Analysis

Author: Linda Kostic, DIT, CISA, CISSP, CPA
Date Published: 6 December 2021

Risk management is an important function in any organization. Financial services organizations often employ the three lines of defense approach to manage risk within the organization. The first line of defense (information and cybersecurity, IT and risk and control teams) owns the risk and is required to execute a risk and control self-assessment. The second line of defense (operational, IT and information security risk management teams) establishes the governance framework and challenges the first line of defense. The third line of defense (internal audit) provides assurance that the first and second lines of defense accurately and completely execute the required risk management functions.

The third line of defense (internal audit groups) can leverage the COBIT Focus Area: Information and Technology Risk: Using COBIT® 2019 (COBIT IRFA) publication as a tool to assess the completeness and accuracy of an organization’s technology and security risk activities. The COBIT IRFA provides a comprehensive guide to implement and maintain an enterprise technology and risk management framework, audit plan, and scope, which is essential to ensure that the audit team can effectively execute a comprehensive assessment.

Initial Internal Audit Assessment

An internal audit group (IAG) adds value through 2 approaches that align with the information and technology (I&T) risk management framework (ITRMF) maturity level. For an organization with an ITRMF maturity level of 0 or 1, the IAG will independently assess the organization’s ITRMF by challenging the identification and implementation of that governance framework as it is being developed. The IAG also assesses the ITRMF progress as milestones are completed. Alternatively, the IAG can execute an audit to assess the completeness and effectiveness of the ITRMF. The IAG can then evaluate the organization’s ITRMF against COBIT® 2019 maturity levels for focus areas to determine the appropriate audit approach (figure 1). Organizations with a maturity level 3 may require a hybrid audit approach.

Figure 1—Maturity Levels for Focus Areas

Source: ISACA®, COBIT® 2019 Framework: Introduction and Methodology, USA, 2018

Mature Program Assessment

For this example, the organization has a maturity level 4 or 5, which implies that the organization has a sustainable ITRMF. In this case, the audit objectives are to ensure ITRMF completeness and effectiveness, and the ITRMF completeness can be assessed against COBIT IRFA. The first audit step is to assess completeness of the ITRMF, which includes roles and responsibilities, risk committees, and policies and procedures. COBIT IRFA begins the risk management structure with the key roles and responsibilities as noted in figure 2. The mandates for each role are noted in separate charts. The IAG can use figure 2 and supporting reviewer/accountable figures (3.4, 3.7, 3.11) in the COBIT IRFA to assess the organization’s risk management roles and responsibilities, identifying and assessing variances for appropriateness. The figure contents should be included in a workpaper chart and evaluated against the organization’s roles and responsibilities, assessing appropriate separation of duties and oversight. As an example, the enterprise risk management (ERM) committee description in figure 2 can be compared against the organization’s ERM committee charter. The organization may have different roles that enhance risk management oversight, such as risk subcommittees that report significant risk to the ERM committee. The IAG should evaluate the subcommittee roles to determine delineation between the ERM and subcommittee charters.

Figure 2—COBIT Key Roles and Organizational Structures for I&T Risk Functions

Source: ISACA, COBIT Focus Area: Information and Technology Risk: Using COBIT® 2019, USA, 2021

Another audit test is an assessment of the ITRMF’s policies, standards, guidelines, templates, training and other guidance completeness. The policy should clearly articulate roles and responsibilities. The standards should provide guidance on required template completion. Training should enhance the policy and standards by providing detailed ITRMF execution instructions. Figure 3 can be used as a benchmark for evaluating an organization’s ITRMF policy.

Figure 3—Risk Policy Table of Contents Example

Source: ISACA, COBIT Focus Area: Information and Technology Risk: Using COBIT® 2019, USA, 2021

The audit assessment of the ITRMF should be followed by compliance testing. The second line of defense should oversee the ITRMF requirement execution to ensure completeness and accuracy. The IAG should assess completeness of the second line of defense risk management oversight activities. Audit test steps can align with the I&T risk profile; I&T risk communication plan; I&T risk map; IT risk appetite, tolerance and capacity; key risk indicators (KRIs); and emerging I&T risk issues and factors. The risk communication plan (figure 4) can be converted into audit steps. The first step in the plan is to accurately define the type, frequency and recipient of risk communications. This step can be converted to an audit test step that asks the IAG to validate that the documented communication plan articulates the type, frequency and recipient of risk communications.

Figure 4—Risk Communication Plan

Source: ISACA, COBIT Focus Area: Information and Technology Risk: Using COBIT® 2019, USA, 2021

As noted previously, there are 2 audit objectives: ensuring the completeness and the effectiveness of the ITRMF. ITRMF effectiveness is determined by the second line of defense through metrics or other techniques, such as leveraging KRIs. Figure 5 describes relevant attributes that the risk owners should consider when creating KRIs. A risk owner may have a KRI that monitors the quality of system projects, and the second line of defense may monitor the KRI values to assess whether management should act on values that exceed thresholds. The IAG would then assess whether the second line of defense needs to monitor and challenge individual and aggregated KRI values. An ITRMF is deemed effective if KRI values exceeding thresholds are remediated, and it is deemed ineffective if KRI values continue to exceed thresholds for a long duration.

Figure 5—Key Risk Indicators

Source: ISACA, COBIT Focus Area: Information and Technology Risk: Using COBIT® 2019, USA, 2021
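The effectiveness rule above (breaches remediated versus breaches that persist) can be applied mechanically to KRI data the second line collects. The following is an added example, not code from the article or from ISACA; the KRI names, thresholds, monthly readings and the 90-day open-breach tolerance are constructed assumptions.

```python
# Added example (not from the article): classify KRI threshold breaches by
# duration and roll individual verdicts up to an aggregated ITRMF verdict.
from datetime import date

# Constructed monthly readings: (KRI name, observation date, value)
READINGS = [
    ("project_defect_rate", date(2021, 1, 31), 3.0),
    ("project_defect_rate", date(2021, 2, 28), 7.5),   # breach begins
    ("project_defect_rate", date(2021, 3, 31), 6.1),
    ("project_defect_rate", date(2021, 4, 30), 2.9),   # back within tolerance
    ("unpatched_critical_hosts", date(2021, 1, 31), 12),
    ("unpatched_critical_hosts", date(2021, 2, 28), 15),
    ("unpatched_critical_hosts", date(2021, 3, 31), 14),
    ("unpatched_critical_hosts", date(2021, 4, 30), 13),  # never remediated
]
THRESHOLDS = {"project_defect_rate": 5.0, "unpatched_critical_hosts": 10}  # assumed
MAX_BREACH_DAYS = 90  # assumed tolerance for how long a breach may stay open

def breach_episodes(name):
    """Return (start, end, closed) tuples for each run of readings above threshold.
    'end' is the date the first in-tolerance reading closed the breach, or the
    last reading date if the breach is still open."""
    rows = sorted((d, v) for n, d, v in READINGS if n == name)
    episodes, start = [], None
    for d, v in rows:
        if v > THRESHOLDS[name]:
            start = start or d
        elif start is not None:
            episodes.append((start, d, True))
            start = None
    if start is not None:
        episodes.append((start, rows[-1][0], False))
    return episodes

def assess_kri(name):
    """'effective' if every breach closed within MAX_BREACH_DAYS, 'ineffective'
    if any breach is still open or overran the tolerance, 'no_breach' otherwise."""
    episodes = breach_episodes(name)
    if not episodes:
        return "no_breach"
    for start, end, closed in episodes:
        if not closed or (end - start).days > MAX_BREACH_DAYS:
            return "ineffective"
    return "effective"

def aggregate_assessment():
    """Second-line view across all KRIs: one persistent breach makes the ITRMF ineffective."""
    results = {n: assess_kri(n) for n in THRESHOLDS}
    overall = "ineffective" if "ineffective" in results.values() else "effective"
    return results, overall
```

The per-KRI results are what the IAG would sample to confirm the second line actually challenged the persistent breach, while the aggregated verdict is the summary view the ERM committee would receive.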

Conclusion

IAG personnel rely on best practices to build and execute an ITRMF audit program. That approach is important to ensure audit completeness, effectiveness and consistency. The COBIT IRFA can be converted into an ITRMF audit program. The ITRMF team can use the framework to build the ITRMF program and the audit team can employ the COBIT IRFA framework to assess an organization’s ITRMF program. Like other audits that employ best practices for benchmarking, IAG personnel must tailor the COBIT IRFA elements to the organizational structure and ITRM requirements of the specific organization.

Editor’s Note

The intended audience for the COBIT Focus Area: Information and Technology Risk is extensive as it relates to all those looking at enterprise risk in the course of their job roles (such as security professionals and governance professionals). This article focuses on how this publication is beneficial to IT auditors.

Linda Kostic, DIT, CISA, CISSP, CPA

Has more than 30 years of audit and risk experience in the financial services industry, having developed IT audit, enterprise risk management, third-party risk management and operational risk management programs and frameworks that are leveraged from COBIT®. She was an ISACA® expert reviewer for ISACA’s COBIT Focus Area: Information and Technology Risk, Risk IT Framework, Reporting Cybersecurity Risk to the Board of Directors, COBIT® 5 Online Framework and COBIT® 4.1. She served on ISACA’s Risk Advisory Working Group that developed and enhanced publications and certification programs. She was also a member of ISACA’s Audit and Risk Committee of the Board. Kostic is a cybersecurity adjunct professor at the University of Maryland Global Campus (Adelphi, Maryland, USA).