Processes for management assurance of controls are usually more informal than an audit because they are often based on professional judgement rather than detailed testing. An audit is a systematic process in which a qualified team or person objectively obtains and evaluates evidence regarding assertions about a process and forms an opinion on the degree to which the assertion is implemented. To automate an assurance process, control descriptions need to be reviewed to separate those components of the control that can be formally tested from those components that will rely on professional judgement.

Internal control objectives in a business context are categorised against five assertions used in the COSO model—existence/occurrence/validity, completeness, rights and obligations, valuation, and presentation and disclosure. These assertions have been expanded in the SAS 106, “Audit Evidence,” and, for the purposes of a technology context, can be restated in generic terms, as shown in figure 3.

COSO objectives are known as enterprise goals, IT-related goals and enabler goals in COBIT 5, and the financial statement assertions are loosely translated in the technology context to “completeness, accuracy, validity and restricted access.” Much (if not all) of the literature on CCM relates to business processes, and, as such, there is no documented alignment or mapping between IT control objectives (or goals) and the formal assertions necessary for formalised objective testing.

In an attempt to bridge this gap, figure 4 compares example control descriptions against related guidance from an IT security context and the related COBIT 5 goals, and proposes a formal assertion that could be used in a CCM context.
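As an added illustration of the separation described above (this is example code, not part of the article or of figure 4), the following Python decomposes one hypothetical control description into assertions that can be tested mechanically in a CCM run, grouped under the “completeness, accuracy, validity and restricted access” categories the text mentions, and routes the remaining component to a reviewer. The control wording, the account records and the HR list are constructed sample data.

```python
"""Added example: splitting a control into formally testable assertions
and a judgement component. All names and data here are constructed."""
from dataclasses import dataclass
from datetime import date

# Hypothetical control description (not from the article).
CONTROL = ("Privileged access is granted only to current employees, "
           "is reviewed quarterly, and is protected by MFA.")


@dataclass
class PrivilegedAccount:
    user: str
    mfa_enabled: bool
    last_review: date


# Constructed sample data: an HR roster and a privileged-account listing.
HR_ACTIVE_STAFF = {"alice", "bob", "carol"}
PRIVILEGED_ACCOUNTS = [
    PrivilegedAccount("alice", True, date(2024, 2, 10)),
    PrivilegedAccount("bob", False, date(2024, 1, 5)),     # MFA not enabled
    PrivilegedAccount("dave", True, date(2023, 9, 30)),    # no longer on the roster
]
AS_OF = date(2024, 3, 1)
REVIEW_WINDOW_DAYS = 90


def assert_validity(accounts, active_staff):
    """Validity: each privileged account belongs to a current employee.
    Returns the users that fail the assertion."""
    return sorted(a.user for a in accounts if a.user not in active_staff)


def assert_restricted_access(accounts):
    """Restricted access: privileged accounts are protected by MFA."""
    return sorted(a.user for a in accounts if not a.mfa_enabled)


def assert_completeness(accounts, as_of, window_days):
    """Completeness: every privileged account was reviewed within the window."""
    return sorted(a.user for a in accounts
                  if (as_of - a.last_review).days > window_days)


def evaluate_control(accounts, active_staff, as_of, window_days=REVIEW_WINDOW_DAYS):
    """Run the formally testable assertions and collect exceptions per assertion.
    The judgement component is not tested; it is handed to a human reviewer."""
    findings = {
        "validity": assert_validity(accounts, active_staff),
        "restricted_access": assert_restricted_access(accounts),
        "completeness": assert_completeness(accounts, as_of, window_days),
    }
    judgement = ("Reviewer confirms that each privileged role remains "
                 "appropriate to the holder's current duties.")
    return {
        "control": CONTROL,
        "automated": findings,
        "effective": not any(findings.values()),
        "requires_judgement": judgement,
    }


if __name__ == "__main__":
    result = evaluate_control(PRIVILEGED_ACCOUNTS, HR_ACTIVE_STAFF, AS_OF)
    for name, exceptions in result["automated"].items():
        print(f"{name:18s} exceptions: {exceptions or 'none'}")
    print("automated assertions effective:", result["effective"])
    print("manual step:", result["requires_judgement"])
```

Each assertion returns its exception list rather than a bare pass/fail, so a CCM run can both record the control as ineffective and show the auditor which records caused it; the judgement string is deliberately kept out of the automated result so that the two kinds of evidence are not conflated.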