Figure 1—COBIT 5 Enterprise Enablers
Source: ISACA, COBIT® 5, USA, 2012
Processes describe an organized set of practices
and activities to achieve certain objectives and
produce a set of outputs in support of achieving
overall IT-related goals. 6
Processes require good practices. These are provided
by the ITAF guideline 2402, 7 which documents
guidelines on confirming the actions taken in response
to audit recommendations. Processes should also
have a life cycle. This is documented in the 2402
• 2.1 Follow-up process
• 2.2 Management’s proposed actions
• 2.3 Assuming the risk of not taking corrective action
• 2.4 Follow-up procedures
COBIT® 5 for Assurance builds on the COBIT® 5
framework by providing detailed and practical
guidance for assurance professionals on how to use
COBIT 5 to support a variety of IT assurance activities.
One of the key IT assurance activities is ensuring
that risk has been mitigated. COBIT 5 for Assurance
requires that, where appropriate, recommendations
should include provisions for timely monitoring and
Implementing an audit follow-up process using
the COBIT 5 enablers and ISACA’s Information
Technology Assurance Framework (ITAF) 2 provides
value to the enterprise.
COBIT 5 Enablers and the Audit
Enablers are factors that, individually and
collectively, influence whether something will work.
Enablers are driven by the goals cascade, i.e.,
higher-level IT-related goals define what the different
enablers should achieve. 3 The COBIT 5 framework
describes seven categories of enablers (figure 1).
COBIT 5 for Assurance reviews each of these
enablers, highlighting the assurance perspective.
This article follows a similar methodology focusing
on the audit follow-up process.
Principles, Policies and Frameworks
Principles, policies and frameworks are the vehicles
to translate the desired behavior into practical
guidance for day-to-day management. 4
Practical guidance for audit follow-up activities is
included in ITAF. Specifically, standard 2402, Follow-up Activities, 5 requires IS audit and assurance
professionals to monitor relevant information to
conclude whether management has planned/taken
appropriate, timely action to address reported audit
findings and recommendations.
Enhancing the Audit
Follow-up Process Using COBIT 5
[Figure 1 labels: 1. Principles, Policies and Frameworks; 2. Processes; 3. Organisational Structures; 4. Culture, Ethics]
Ian Cooke, CISA, CGEIT, CRISC, COBIT Foundation, CFE, CPTS,
DipFM, ITIL Foundation, Six Sigma Green Belt
Is an IT audit manager based in Dublin, Ireland, with more than 25 years
of experience in all aspects of information systems. A member of ISACA’s
Communities Working Group, he is also the topic leader for the Oracle
Databases, SQL Server Databases and Audit Tools and Techniques
discussions in the ISACA Knowledge Center. Cooke welcomes comments
or suggestions at Ian_J_Cooke@hotmail.com or on the Audit Tools and
Techniques topic in the ISACA Knowledge Center.