COBIT 5 Adoption: Understand and Be Understood

Author: Oliver Crespo, CISA, CISM, ISO 27001
Date Published: 27 October 2015

One of the most important discoveries in human history was the Rosetta Stone. This inscribed slab of stone was the key to decoding and understanding Egyptian hieroglyphs. With it, it became possible to read what the Egyptians had written on their papyri, and so to understand how the ancient Egyptians lived and thought. We understood.

Today, auditors sometimes face a similar (mis)understanding problem in their audit activities. Though not on a par with the discovery of the Rosetta Stone, a key that enables different business units to understand each other is at times needed. Within the corporate world, there are different approaches to and views of the same elements. This is probably one of the most complicated situations an IT auditor can face: it is often difficult to explain to non-IT people the risk, findings and recommendations that an IT audit produces.

In a global company, apart from the different perceptions of the business units, there is an additional issue to deal with: language. When an audit methodology is defined, the diversity of its stakeholders needs to be taken into account. One of the most significant aspects of an auditor's work is therefore to define a common framework and a common language for all IT auditors. That was the main goal of the IT audit methodology developed at the Generali Group.

The Generali Group is one of the largest global insurance providers with total premium income exceeding €70 billion in 2014. With 77,000 employees worldwide serving 72 million insured persons in more than 60 countries, the Group occupies a leadership position in West European markets and an increasingly important place in markets in Central Eastern Europe and Asia. Generali ranked among the world’s 50 smartest companies in 2015 according to the MIT Technology Review.


Years ago, the methodology developed by Generali's corporate internal audit function was based on COBIT 4.1. This framework was selected as the basis for the tasks and activities of all of Generali Group's IT internal audit departments worldwide. COBIT is an internationally recognized framework for the governance and control of enterprise IT, and it is well known within the IT audit community. This was the key reason for selecting COBIT when developing the methodology.

When COBIT 5 was released, adoption of the new framework was only a matter of time. The migration project was launched in 2014 and carried out by a group of internal IT auditors from different countries within the corporation. It was important to involve countries with different approaches and different views on the adoption of the updated methodology. The main goal of the project was to develop a common framework within which IT auditors could carry out their audit assignments. It was essential that IT auditors understood this methodology as a common language across the different companies, countries and approaches within the group. This common language was composed of 3 main elements: processes, controls and indicators.

These 3 elements were the key elements of the migration project. Because all parties were already working with COBIT 4.1, it was easy to understand the new features of the framework, including the new processes, enablers and control objectives. However, a detailed analysis was necessary in order to align both IT and non-IT processes with the new framework. Additionally, the IT auditors had to adopt the processes, enablers, control objectives and indicators for the 3 main activities of an audit: plan, execute and monitor.

When the final version of the methodology was finished, the result was a new and complete IT process tree. This new process tree was much better aligned with how the nontechnical business units perceive IT activities. Additionally, a set of control objectives was identified for each process. These helped during the audit work, for example, to select the most significant processes to be audited, to identify the control objectives to be covered during the audit and to define the test activities to be performed.

An additional and unexpected benefit of using COBIT 5 was that a common language and common elements were established with other control functions. The new view of the control and risk environment was very helpful in aligning the IT audit perspective of the business with the views of the risk management and compliance functions.

Through the migration, the adoption of COBIT 5 proved to be a win-win situation for the company. Apart from the expected benefit (a common IT audit framework), additional benefits, including alignment with other business units, were realized. Perhaps this project was not as historically significant as the discovery of the Rosetta Stone, but for Generali it was a big step toward the alignment of different countries, different IT audit departments and different business units.

Oliver Crespo, CISA, CISM, ISO 27001

Is an internal IT auditor at Generali Spain. He has 10 years of experience in technology audit and control activities. He participates in several research committees within the local ISACA chapter in Madrid, Spain, and the Institute of Internal Auditors.