Of the many excellent resources released by ISACA over the last few years, without doubt one of the more seminal documents is the COBIT 2019 Design Guide. Why? Because it enables IT governance professionals to support the enterprise strategy, the detailed plan for achieving success in business situations.
This enterprise strategy is realized by the achievement of (a set of) enterprise goals. These goals are defined in the COBIT framework and are structured along the balanced scorecard (BSC) dimensions. The enterprise goals are themselves supported by goals that emphasize the alignment of all IT efforts with business objectives (alignment goals). The enterprise goals are written in a language that business leaders understand. Similarly, the alignment goals make sense to IT personnel and feed into governance and management objectives that are described in COBIT. This concept is known as the goals cascade.
Audit has traditionally had its own language for defining the attributes of an audit finding. These attributes (condition, criteria, cause, effect and recommendation)—while important to consider and, indeed, include for every finding—can result in findings that mean little or nothing to business or IT executives.
These attributes can be better understood by referencing the goals cascade. This allows executive management to understand and see the value of an audit finding as it directly links to the enterprise’s strategy and likely their own objectives. Further, the alignment with enterprise goals can be captured and measured as part of the audit follow-up process.
Editor’s note: For further insights on this topic, read Ian Cooke’s recent Journal article, “Enhancing the IT Audit Report Using COBIT 2019,” ISACA Journal, volume 4, 2020.