AN EMPIRICAL EXAMINATION OF COBIT AS AN INTERNAL CONTROL FRAMEWORK FOR INFORMATION TECHNOLOGY
Authors: Brad Tuttle, Scott D. Vandervelde
International Journal of Accounting Information Systems
September 2007
CobiT is a framework for developing and evaluating technology-intensive information systems. It was originally intended for use by an organization’s management as a benchmarking tool consisting of the best practices related to IT controls. Since then, because of its strong control focus, both internal and external auditors have applied CobiT to financial statement audits as well as to operational and compliance audits. With regard to financial statement audits, AS2 mandates that management use a control framework to assess the effectiveness of internal controls over financial reporting. Despite the importance of using a sound conceptual model, no practitioner-developed internal control framework has undergone rigorous academic examination in the same manner that researchers routinely examine the conceptual models developed by other academics.
The objective of the present study is to examine the internal consistency of CobiT’s conceptual model within an audit setting by investigating whether auditor perceptions of audit risk related to complexity, client importance, client attention, and process risk combine to represent IT process risk in the manner asserted by CobiT.
This paper uses a combination of data sources of survey and archival research methods when used in isolation.
Results and Discussion
The authors find that superimposing CobiT’s conceptual model onto audit-relevant assessments made by a panel of highly experienced IT auditors confirms the internal consistency between the underlying constructs of CobiT. Furthermore, they find that CobiT’s conceptual model predicts auditor behavior in the field related to seeking help and giving help, as evidenced by auditors' postings to a general IT audit listserv.
CobiT provides a means of classifying such control deficiencies, and the results of this research demonstrate that these classifications relate to various aspects of audit risk. Furthermore, the authors tested only the core, basic structure of CobiT’s conceptual model. CobiT contains other testable constructs, including a comprehensive and well-articulated maturity model for IT control. The maturity model enables a company's management to evaluate and determine where on the internal control quality spectrum their controls are currently located.