Page 110 - CITP Review
Exhibit 3-6 — COBIT framework
Plan and organize
PO1 – Define a strategic IT plan
PO2 – Define the infrastructure architecture
PO3 – Determine the technological direction
PO4 – Define the IT organization and relationships
PO5 – Manage the IT investment
PO6 – Communicate management aims and directions
PO7 – Manage human resources
PO8 – Ensure compliance with external requirements
PO9 – Assess risks
PO10 – Manage projects
PO11 – Manage quality

Deliver and support
DS1 – Define service levels
DS2 – Manage third-party services
DS3 – Manage performance and capacity
DS4 – Ensure continuous service
DS5 – Ensure systems security
DS6 – Identify and attribute costs
DS7 – Educate and train users
DS8 – Assist and advise IT customers
DS9 – Manage the configuration
DS10 – Manage problems and incidents
DS11 – Manage data
DS12 – Manage facilities
DS13 – Manage operations

Acquire and implement
AI1 – Identify automated solutions
AI2 – Acquire and maintain application software
AI3 – Acquire and maintain technology infrastructure
AI4 – Develop and maintain IT procedures
AI5 – Install and accredit systems
AI6 – Manage changes

Monitor and evaluate
M1 – Monitor the process
M2 – Assess internal control adequacy
M3 – Obtain independent assurance
M4 – Provide for independent audit

COBIT is sometimes mapped to COSO or other frameworks for reporting results or summarizing evidence.
ISACA also has the IT assurance framework (ITAF). This framework focuses on the design, conduct, and
reporting of IT audit and assurance assignments, rather than the IT processes that are the focus of
COBIT’s framework. Its stated purpose is to provide good practice-setting guidelines and procedures for
formal IT audits and assessments of IT controls. Rather than organizing around a life cycle view of IT
processes as COBIT does, ITAF is organized around the assurance or assessment activity, and focuses
on internal controls (see table of contents summarized in exhibit 3-7).
Exhibit 3-7 — ITAF – Table of contents
Section 1000 – Introducing the IT Assurance Framework
Section 2000 – IT Assurance Standards: Defining a Common Reference Point
Section 3000 – IT Assurance Guidelines: Putting the Standards Into Practice
Section 4000 – IT Assurance Tools and Techniques
© 2019 Association of International Certified Professional Accountants. All rights reserved. 3-26