Assessments can take a variety forms. Understand the difference before selecting an approach.
A SAS 70 based approach is used for auditing third-party service providers. It defines the scope of the IT audit needed to support a financial audit. A specific structure for the audit ireport s required so that it can be easily followed by other auditors who will need to rely on its contents for financial reporting as required by the SEC when a third-party service provider's general controls are being relied on.
Sarbanes-Oxley requirements include the need for enterprise risk management and COSO is the suggested approach. Control objectives from COBIT are selected according to the COSO framework. The focus is on management implementing adequate controls using a ris-based approach.
An application systems review can be based on COBIT. The most relevant COBIT process for an application systems review is DSS6 Manage Business Process Controls.
A general controls review can be based on COBIT. Different COBIT processes focus on different aspects of general controls.
Corporate governance concerns such as risk management, value delivery, IT's alignment with business, resource management and performance measurement may provide one or more drivers for a review. COBIT processes relevant to the specific concerns are selected and the relevant detailed control objectives used as the basis of the review.
Technology issues such as cost optimisation, IT service delivery (or ITIL), selective outsourcing, security (or ISO 27001), enterprise architecture, system integration and priority planning may also be drivers for the review. COBIT processes relevant to the specific issues would be selected and the relevant detailed control objectives used as the basis of the review.
Process capability and building organisational maturity are frequently drivers of improvement initiatives. This approach may address all 37 COBIT processes, but can also focus on individual processes.
Health checks are used to objectively assess the effectiveness of a process. They aim to identify those aspects that are functioning well, thus determining which good practices are in current use and should be retained, and pinpoint problem areas.
A Gap analysis is used to quickly establish the high-level status against a target for all 37 COBIT processes (or a smaller number if appropriate). This has the benefit of identifying areas for further investigation, but not recommended for process improvement initiatives.
Specific themes such as Internet Banking, eCommerce, ERP systems or Systems Under Development can be the focus of a review. In this instance the relevant COBIT processes are identified to establish the baseline for the review.
Performance measurement focuses attention on the outcomes derived by the relevant business units (and enterprise) from each significant IT process.