An empirical examination of CobiT as an internal control framework for information technology

One commonly used framework for developing and evaluating technology intensive information systems is CobiT. This framework was originally a benchmark of best control practices developed and maintained by the Information Technology Governance Institute, the umbrella organization to the Information Systems Audit and Control Association. We empirically examine the conceptual model that underlies the CobiT internal control framework as it applies to an audit setting (including operational, compliance, and financial audit settings). We find that superimposing CobiT's conceptual model onto audit relevant assessments made by a panel of highly experienced IT auditors confirms the internal consistency between the underlying constructs of CobiT. Furthermore, we find that CobiT's conceptual model predicts auditor behavior in the field related to their seeking help and giving help as evidenced by their postings to a general IT audit listserv. Given the results of this study, we propose future research aimed at developing a general theory of internal control applicable to information technology based on CobiT.