Control Objectives for Information and related Technology (COBIT®) provides best practices for managing and controlling the IT functions in an organization. These practices are strongly focused on control and less on execution. These practices help optimize IT-enabled investments, ensure service delivery and provide metrics to judge the efficacy of the IT function.
For IT to be successful in delivering against business requirements, management puts an internal control system in place. The COBIT control framework contributes to this control system by:
- Making a link to the business requirements
- Organizing IT activities into generally accepted process models
- Identifying the major IT resources available for use
- Defining the management control objectives to be considered
The COBIT business orientation focus consists of linking business goals to IT goals, providing metrics and maturity models to measure their achievement, and identifying the associated responsibilities of business and IT process owners.
The process focus of COBIT is illustrated by a process model (see figure 1) that subdivides IT into four domains and 34 processes in line with the responsibility areas of planning, building, running and monitoring the IT function within an organization. While most enterprises have defined plan, build, run and monitor responsibilities for IT, and most have the same key processes, few will have the same process structure or apply all 34 COBIT processes. COBIT provides a complete list of processes that can be used to verify the completeness of activities and responsibilities; however, they need not all apply, and they can be combined as required by each enterprise.

Figure 1 - Overall COBIT Framework
Each domain addresses specific areas of control. These areas answer questions about the management of the processes within that domain.
PLAN AND ORGANIZE (PO)
This domain covers strategy and tactics, and concerns the identification of the way IT can best contribute to the achievement of the business objectives. The realization of the strategic vision needs to be planned, communicated and managed from different perspectives. A proper organization, as well as a suitable technological infrastructure, should be put in place. This domain typically addresses the following management questions:
- Are IT and the business strategy aligned?
- Is the enterprise achieving optimum use of its resources?
- Does everyone in the organization understand the IT objectives?
- Are IT risks understood and being managed?
- Is the quality of IT systems appropriate for business needs?
ACQUIRE AND IMPLEMENT (AI)
To realize the IT strategy, IT solutions need to be identified, developed or acquired, as well as implemented and integrated into the business process. In addition, changes in and maintenance of existing systems are covered by this domain to make sure the solutions continue to meet business objectives. This domain typically addresses the following management questions:
- Are new projects likely to deliver solutions that meet business needs?
- Are new projects likely to be delivered on time and within budget?
- Will the new systems work properly when implemented?
- Will changes be made without upsetting current business operations?
DELIVER AND SUPPORT (DS)
This domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
- Are IT services being delivered in line with business priorities?
- Are IT costs optimized?
- Is the workforce able to use the IT systems productively and safely?
- Are adequate confidentiality, integrity and availability in place for information security?
MONITOR AND EVALUATE (ME)
All IT processes need to be regularly assessed over time for their quality and compliance with control requirements. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance. It typically addresses the following management questions:
- Is IT’s performance measured to detect problems before it is too late?
- Does management ensure that internal controls are effective and efficient?
- Can IT performance be linked back to business goals?
- Are adequate confidentiality, integrity and availability controls in place for information security?
PROCESS DESCRIPTIONS
For each of the 34 processes, a link is made to the business and IT goals that are supported. Information on how the goals can be measured, what the key activities and major deliverables are, and who is responsible for them is also provided.
Each process has a set of process descriptions that define:
- What IT process is controlled
- What business requirement is satisfied
- What the focus of the process is
- How the process achieves its aims
- How the process is measured
For example, the process description for defining a strategic IT plan (PO1) looks like this:

IT process controlled: Defining a strategic IT plan

Business requirement satisfied: Sustaining or extending the business strategy and governance requirements while being transparent about benefits, costs and risks

Focus of the process: Incorporating IT and business management in the translation of business requirements into service offerings, and the development of strategies to deliver these services in a transparent and effective manner

Achieved by:
- Engaging with business and senior management in aligning IT strategic planning with current and future business needs
- Understanding current IT capabilities
- Providing for a prioritization scheme for the business objectives that quantifies the business requirements

Process metrics:
- Percent of IT objectives in the IT strategic plan that support the strategic business plan
- Percent of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plans
- Delay between updates of the IT strategic plan and updates of the IT tactical plans
The use of COBIT is not required to comply with regulatory IT audit guidelines; however, applying COBIT to the evaluation of IT controls provides a more comprehensive assessment. Consequently, many regulatory agencies have incorporated COBIT into their IT audit process. In the financial industry, the COBIT framework has been accepted as a best practice model for IT control, assessment and development. When the examiners show up on site, the worksheets they use to audit IT are derived from the COBIT framework, so it would behoove any financial institution to be aware of those foundations.