Internal audit has recently been called “the new pillar of senior management” because it is a key element in the structure of the company, contributing to the strength of internal control, risk management and corporate governance. COBIT 5, ISACA’s latest framework for the governance and management of enterprise IT, can help the internal audit function to be this pillar in many ways.
COBIT 5 is based on the assumption that companies exist to create value for their stakeholders. If companies exist for this purpose, auditors have to assess and report to the board of directors on whether benefits are delivered and risk and resources are optimized.
Internal auditors can use COBIT 5 to set and prioritise specific enterprise goals and IT-related goals.
To be the pillar of senior management, auditors have to consider:
- Stakeholder value of business investments: Auditors should assess the alignment of IT with business strategy; executive management commitment regarding IT-related decisions; the optimization of IT assets, resources and capabilities; and the realization of benefits from IT.
- Management of business risk to protect assets: Auditors should assess how well IT-related business risk is managed and how well information, processing infrastructure and applications are secured.
- Compliance with external laws and regulations and internal policies: Auditors should assess IT compliance with legal and internal requirements and IT support for business compliance with these requirements.
- Optimization of business process functionality: One of the objectives of internal controls is improving business process functionality. Internal auditors should assess how well applications and technology are integrated into business processes to enable and support them.
If these goals are considered for both enterprise and internal auditors, senior management will have to consider them as an important resource, as “a new pillar.”
Graciela Braga, CGEIT, COBIT 5 (F), CPA