Multimatics Insight

Understanding IT Audit Plan and Its Workflow

The rapid growth of information and communication technologies has brought numerous improvements to every business environment. At the same time, with ever-changing technology development, organizations need to regularly check their IT performance and evaluate what could be fixed or improved. The IT function is responsible for planning, implementing, and maintaining several controls over the company’s business processes. Continuous evaluation and improvement support organizations in aligning with their business goals, specifically in the IT governance sector.

A successful organization must have strong IT governance and strategy. Corporate executives must create governance plans, strategies, and corresponding policies and processes to satisfy audit requirements, manage risk, and demonstrate responsible financial management, while also enabling the organization to fulfill its strategic goals.

What is an IT Audit Plan?

According to Harvard University, IT Audit is the examination and evaluation of an organization's information technology infrastructure, applications, data use and management, policies, procedures and operational processes against recognized standards or established policies. Technology development not only offers incentives for IT auditing but often poses challenges for IT auditing activities, in particular for the quality and efficacy of IT audit. Modern IT audit is targeted at risk-based changes in company performance, which improve the audited organization’s efficiency and look toward the future.

Effective and timely implementation of an IT audit plan rests on recommendations the organization has agreed to. Therefore, audit recommendations should be clear, convincing, and always provide a feasible basis for their implementation. Let’s take a closer look at the IT Audit workflow!

  1. Understand the enterprise context and strategy: identify the organization’s objectives and business strategy
  2. Determine the components of the IT Audit universe: analyze the business fundamentals
  3. Risk-assess the IT Audit universe: evaluate business and IT processes to identify risk
  4. Conclude and validate the IT Audit plan: choose audit subjects, group them into distinct audit actions, and establish the audit cycle and frequency

An effective IT Audit Plan should be conducted by personnel with expertise in the strategy and governance disciplines. Supported by employees assigned to the IT Audit Plan, the organization will be able to deliver the desired outcomes and improvements. In the end, the effectiveness of an IT Audit Plan ultimately depends on the people involved.

How to Utilize COBIT® 2019 for Effective IT Audit Planning?

COBIT® 2019 is one of the IT governance frameworks used to develop and respond to dynamic environments. In 2018, ISACA published a document entitled COBIT® 2019 Design Guide: Designing an Information and Technology Governance Solution, which later also became a firm guideline for boosting IT Audit Plan implementation in organizations.

The question is, how to utilize COBIT® 2019 to achieve effective IT Audit Planning?

1. Understand the Business

Before implementing an IT Audit Plan, organizations need to understand the current state of their IT environment and its role in supporting the business. COBIT® 2019 helps organizations grasp their current IT condition and exposes which areas need improvement.

2. Defining the IT Audit Universe

It is important for organizations to have a deeper understanding of their business objectives and business values. The components of COBIT® 2019’s governance system offer IT portfolio management, a grouping of “objects of interest” (investment programs, IT services, IT projects, etc.) to define which areas need optimization.

3. Performing a Risk Assessment

When implementing an IT Audit Plan, internal auditors can use COBIT® 2019 as a guide during the IT risk assessment and audit process. It lets them integrate COBIT® 2019 under the umbrella of risk- and control-related frameworks and guidance, and it helps the IT function implement part or all of the framework.

4. Formalizing the IT Audit Plan

At this point, organizations should have an IT Audit Plan that has been reviewed from the auditors’ perspective and is therefore aligned with the risk assessment and the IT portfolio management. Organizations can then publish the IT Audit Plan and take the necessary actions based on its recommendations.
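As an added worked example (not from the original article and not ISACA's COBIT® 2019 material), the Python below models steps 2 to 4 of the workflow listed earlier, and the matching COBIT-guided steps above, as data: a small constructed audit universe of services, projects and investment programs, a risk score per subject, and an audit cycle derived from that score over a three-year planning horizon. The impact/likelihood scale, the score thresholds, the sample subjects and their ratings are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed scoring scheme for illustration: impact and likelihood are rated
# 1 (low) to 5 (high) and their product is the risk score (1..25). These
# scales are not COBIT 2019's own; an organisation would substitute its own
# risk factors (e.g. COBIT design factors) here.


@dataclass(frozen=True)
class AuditSubject:
    """One 'object of interest' in the IT audit universe (step 2)."""
    name: str
    kind: str                    # "service", "project" or "investment program"
    impact: int                  # business impact if its controls fail, 1..5
    likelihood: int              # probability that its controls fail, 1..5
    last_audited: Optional[int]  # year of the last audit, None if never audited


def risk_score(subject: AuditSubject) -> int:
    """Inherent risk of a subject (step 3: risk-assess the audit universe)."""
    return subject.impact * subject.likelihood


def audit_interval_years(score: int) -> int:
    """Assumed mapping from risk score to audit frequency (step 4)."""
    if score >= 15:
        return 1   # high risk: audited every year
    if score >= 8:
        return 2   # medium risk: every second year
    return 3       # low risk: every third year


def next_due(subject: AuditSubject, plan_start: int) -> int:
    """Year the subject is next due, never earlier than the plan's first year."""
    if subject.last_audited is None:
        return plan_start   # never audited: schedule it in the first plan year
    interval = audit_interval_years(risk_score(subject))
    return max(plan_start, subject.last_audited + interval)


def build_audit_plan(universe: List[AuditSubject], plan_start: int,
                     horizon_years: int = 3) -> Dict[int, List[str]]:
    """Group the universe into audit actions per year, highest risk first."""
    plan: Dict[int, List[str]] = {
        year: [] for year in range(plan_start, plan_start + horizon_years)
    }
    for subject in sorted(universe, key=risk_score, reverse=True):
        year = next_due(subject, plan_start)
        interval = audit_interval_years(risk_score(subject))
        # Repeat the audit action at the subject's interval until the horizon ends.
        while year < plan_start + horizon_years:
            plan[year].append(subject.name)
            year += interval
    return plan


# Constructed sample audit universe for a fictional organisation (step 2).
SAMPLE_UNIVERSE = [
    AuditSubject("Core banking platform", "service", impact=5, likelihood=4, last_audited=2023),
    AuditSubject("Email and collaboration", "service", impact=3, likelihood=2, last_audited=2022),
    AuditSubject("ERP upgrade programme", "investment program", impact=4, likelihood=3, last_audited=None),
    AuditSubject("Customer portal rebuild", "project", impact=4, likelihood=2, last_audited=2021),
    AuditSubject("Test lab network", "service", impact=2, likelihood=1, last_audited=2024),
]


if __name__ == "__main__":
    for year, actions in build_audit_plan(SAMPLE_UNIVERSE, plan_start=2025).items():
        print(year, actions)
```

Running it with a 2025 start puts the never-audited ERP programme and the overdue portal project into the first year alongside the annual core-platform audit, leaves 2026 lighter, and brings the low-risk lab network back only when its three-year cycle falls due. Replacing the two-factor score with the organisation's own design factors changes the ratings, not the planning logic.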

When developing an IT Audit Plan, it should be closely integrated with the business strategy and direction by adopting a portfolio-based approach and treating COBIT® 2019’s design factors as risk factors. The IT Audit Plan can thereby support organizations in achieving their business objectives. In the end, the most effective IT audits depend on effective planning. As organizations navigate dynamic business environments, the IT Audit Plan has become more relevant for ensuring that potential risks and threats are mitigated effectively and for building resilient core IT operations and critical infrastructure.
