COBIT 4.0 - What You Need to Know

Howard DuBois, CISA

Objectives
  • Review structure and content of COBIT
  • Assess challenges for IT management
  • Explore impact of a successful implementation of COBIT on application owners
What is COBIT?
  • COBIT is a highly regarded IT Governance framework produced and supported by the IT Governance Institute (ITGI)
  • COBIT 4.0 is the most recent release of this model
What Does COBIT Stand For?

  • C – Control
  • OB – Objectives for
  • I – Information
  • T – and Related Technology

Why is COBIT Important?

Some interesting questions:

  • Why are “control objectives” of interest to application owners and users?
  • What is the history behind COBIT?
  • Where does IT Governance fit in?
COBIT’s History
  • COBIT started as a control model for IT auditors – hence control objectives for IT organizations and operations
  • At some point, someone realized that if the model was good enough for the auditor to measure IT control and effectiveness, it was good enough for management
  • This became a “governance framework” when it was realized that good control required implementation of best practices
COBIT’s History
  • Control Objectives produced as an audit product by EDPAF early 1990’s
  • COBIT first edition - 1996
  • COBIT second edition – 1998
    • First reference to governance and seeing COBIT as a set of best practices for IT management
  • COBIT third edition – 2000
    • First reference to ITGI
    • First reference to management guidelines
COBIT’s History
  • COBIT 4.0 - 2005
    • 4.0 is an update of 3rd edition – better mapping to business goals, further development of maturity models
    • COBIT On-Line introduced
  • During the process, other products were issued
    • Control Practices – 2004 – more detailed exploration of individual practices seen as best practices

Purpose of COBIT

  • Provide generally applicable and accepted Standards for Good Practices for Information and Information Technology (IT) Control
  • Based on a management-oriented Framework for Control in IT
  • Aligned with De Jure and De Facto Standards and Regulations
  • Create a manageable and logical structure

The Pieces of COBIT

  • Executive Summary - Senior Executives (CEO, CIO) - 16 pages
  • Framework - Senior Operational Management (Directors of IT and IS Audit/Controls) - 68 pages
  • Control Objectives - Middle Management (IT Management and IS Audit/Controls Managers/Seniors) - 148 pages
  • Audit Guidelines - Line Management and Controls Practitioner (Applications or Operations Manager and Auditor) - 226 pages
  • Management Guidelines - Senior Operational Management, Director of IS, Mid-Level IT Management and IT Audit/Control Managers - 122 pages
  • Implementation Tool Set - Director of IS and Audit/Control, Mid-Level IS Management and IS Audit/Control Managers - 86 pages


The Framework’s Principles

  • Business Requirements
  • IT Processes
  • IT Resources


Business Requirements = Information Criteria

Quality Requirements

Fiduciary Requirements (COSO Report)
  • Effectiveness and Efficiency of Operations
  • Reliability of Financial Reporting
  • Compliance with Laws and Regulations

Security Requirements
  • Confidentiality
  • Integrity
  • Availability





Information Technology Resources

Data: data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.

Application Systems: application systems are understood to be the sum of manual and programmed procedures.

Technology: technology covers hardware, operating systems, database management systems, networking, multimedia, etc.

Facilities: resources to house and support information systems.

People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.





IT Domains & Processes

Domains: a natural grouping of processes, often matching an organisational domain of responsibility.

Processes: a series of joined activities with natural (control) breaks.

Activities/Tasks: actions needed to achieve a measurable result. Activities have a life-cycle, whereas tasks are discrete.




The four domains:

  • Planning & Organisation
  • Acquisition & Implementation
  • Delivery & Support
  • Monitoring



Planning and Organisation

  • Define a Strategic IT Plan
  • Define the Information Architecture
  • Determine Technological Direction
  • Define the IT Organisation and Relationships
  • Manage the IT Investment
  • Communicate Management Aims and Direction
  • Manage Human Resources
  • Ensure Compliance with External Requirements
  • Assess Risks
  • Manage Projects
  • Manage Quality

Acquisition and Implementation

  • Identify Automated Solutions
  • Acquire and Maintain Application Software
  • Acquire and Maintain Technology Infrastructure
  • Develop and Maintain Procedures
  • Install and Accredit Systems
  • Manage Changes

Delivery and Support

  • Define and Manage Service Levels
  • Manage Third-Party Services
  • Manage Performance and Capacity
  • Ensure Continuous Service
  • Ensure Systems Security
  • Identify and Allocate Costs
  • Educate and Train Users
  • Assist and Advise Customers
  • Manage the Configuration
  • Manage Problems and Incidents
  • Manage Data
  • Manage Facilities
  • Manage Operations


Monitoring

  • Monitor the Processes
  • Assess Internal Control Adequacy
  • Obtain Independent Assurance
  • Provide for Independent Audit

IT Process Overview

1.0 Define a Strategic IT Plan

The IT function should ensure that there are IT long- and short-range plans for managing and directing all IT resources of the organisation. These plans should be timely and accurately updated to accommodate changes in IT conditions. Assessments of existing systems should be performed prior to developing or changing the strategic IT plan. Furthermore, IT management should ensure that the strategic IT plan is consistent with the business objectives and long- and short-range plans of the organisation.


Linking to Control Objectives (the “waterfall” for Define a Strategic IT Plan)

Control over the IT process of defining a strategic IT plan

that satisfies the business requirement to strike an optimum balance of information technology opportunities and IT business requirements, as well as ensuring its further accomplishment,

is enabled by a strategic planning process undertaken at regular intervals giving rise to long-term plans; the long-term plans should periodically be translated into operational plans setting clear and concrete short-term goals,

and takes into consideration:
  • enterprise business strategy
  • definition of how IT supports the business objectives
  • inventory of technological solutions and current infrastructure
  • monitoring the technology markets
  • timely feasibility studies and reality checks
  • existing systems assessments
  • enterprise position on risk, time-to-market, quality
  • need for senior management buy-in, support and critical review


  • The Framework defines a construct for reviewing and managing IT.
  • Four domains are identified.
  • Within each domain there are processes -- 34 in total.
  • Within each process there are high-level IT control objectives defining controls that should be in place.
  • For each of the 34 processes, there are from 3 to 30 detailed IT control objectives.
  • There are navigational tools, including a “waterfall” approach.
  • A systematic and logical method for defining and communicating IT control objectives.


  • The objectives of auditing are to:
    • provide management with reasonable assurance that control objectives are being met
    • where there are significant control weaknesses, substantiate the resulting risks
    • advise management on corrective actions


The process is audited by:

  • Obtaining an understanding of business requirements, related risks, and relevant control measures
  • Evaluating the appropriateness of stated controls
  • Assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously
  • Substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources


Audit Guidelines

  • 1 Generic Guideline
  • 34 Process-Oriented Guidelines

The generic guideline identifies various tasks to be performed in assessing ANY control objective within a process.

The others are specific process-oriented task suggestions to provide management assurance that a control is in place and working.




Obtaining an Understanding

The audit steps to be performed to document the activities underlying the control objectives as well as to identify the stated control measures/procedures in place.

Interview appropriate management and staff to gain an understanding of:
  • Business requirements and associated risks
  • Organisation structure
  • Roles and responsibilities
  • Policies and procedures
  • Laws and regulations
  • Control measures in place
  • Management reporting (status, performance, action items)

Document the process-related IT resources particularly affected by the process under review. Confirm the understanding of the process under review, the Key Performance Indicators (KPI) of the process, and the control implications (e.g., by a process walk-through).



Evaluating the Controls

The audit steps to be performed in assessing the effectiveness of control measures in place or the degree to which the control objective is achieved. Basically, deciding what, whether and how to test.

Evaluate the appropriateness of control measures for the process under review by considering identified criteria and industry standard practices, the Critical Success Factors (CSF) of the control measures, and applying professional judgment:
  • Documented processes exist
  • Appropriate deliverables exist
  • Responsibility and accountability are clear and effective
  • Compensating controls exist, where necessary

Conclude the degree to which the control objective is met.



Assessing Compliance

The audit steps to be performed to ensure that the control measures established are working as prescribed, consistently and continuously, and to conclude on the appropriateness of the control environment.

Obtain direct and/or indirect evidence for selected items/periods to ensure that the procedures have been complied with for the period under review.

Perform a limited review of the adequacy of the process deliverables.

Determine the level of substantive testing and additional work needed to provide assurance that the IT process is adequate.




Substantiating the Risk

The audit steps to be performed to substantiate the risk of the control objective not being met by using analytical techniques and/or consulting alternative sources. The objective is to support the opinion and to “shock” management into action. Auditors have to be creative in finding and presenting this often sensitive and confidential information.

  • Document the control weaknesses and the resulting threats and vulnerabilities.
  • Identify and document the actual and potential impact (e.g., through root-cause analysis).
  • Provide comparative information (e.g., through benchmarks).



Audit Guidelines are GUIDELINES. They are only a start for identifying tasks associated with particular process control objectives.




  • IT failures to meet the organisation’s missions and goals
  • IT failures to match short-range plans with long-range plans
  • IT project failures to meet short-range plans
  • IT failures to meet cost and time guidelines
  • Missed business opportunities
  • Missed IT opportunities

Summary of COBIT to This Point
  • Framework of four domains and 34 key IT processes.
    • Defines high-level IT control objectives defining controls that should be in place.
    • For each of the 34 processes, there are from 3 to 30 detailed IT controls
  • Audit Guidelines identify a process to:
    • Obtain an understanding of the BUSINESS requirements
    • Evaluate the stated controls
    • Assess compliance with controls
    • Substantiate the risk to the BUSINESS
Management Guidelines
  • COBIT is meant to be “IMPLEMENTED”, not just used as a measure. Thus it has:
    • Maturity Models
    • Critical Success Factors
    • Key Performance Indicators
    • IT Generic Process and IT Governance Guidelines

Management Guidelines

  • CRITICAL SUCCESS FACTORS – the most important things you need to do based on the choices made in a Maturity Model
  • KEY PERFORMANCE INDICATORS – key monitoring points to measure whether or not you will reach the organisational goals for IT
  • KEY GOAL INDICATORS – the goals for the organisation to be measured by the KPIs during the process of implementing COBIT


Management Guidelines

  • Generic and action oriented
  • For the purpose of
    • IT Control profiling –what is important?
    • Awareness – where is the risk?
    • Benchmarking - what do others do?
  • Supporting decision making and follow-up
    • Key performance indicators of IT Processes
    • Critical success factors of controls
    • Control implementation choices

Generic Maturity Model - Dimensions

  • Understanding and awareness
  • Training and communications
  • Processes and practices
  • Techniques and automation
  • Compliance
  • Expertise
Generic Maturity Model - Dimensions
  • Training & Communication
    • Level 1 – Sporadic
    • Level 2 – Overall needs only
    • Level 3 – Informal training
    • Level 4 – Formal training
    • Level 5 – Supports best practices
Generic Maturity Model - Dimensions
  • Processes & Practices
    • Level 1 – Ad hoc
    • Level 2 – Intuitive practices
    • Level 3 – Defined and documented
    • Level 4 – Ownership assigned, best internal practices
    • Level 5 – Supports best external practices
Generic Maturity Model - Dimensions
  • Techniques & Automation
    • Level 1 –
    • Level 2 – Some common tools
    • Level 3 – Standard tool set
    • Level 4 – Mature techniques, tactical technology
    • Level 5 – Sophisticated tools, optimized technology

Critical Success Factors

  • Management oriented IT control implementation guidance
  • Most important things that contribute to the IT process achieving its goal
  • Control Statement and Considerations of the ‘Waterfall’
  • Visible and measurable signs of success
  • Short, focussed and action oriented
  • Leveraging the resources of primary importance in this process
In summary
  • Critical Success Factors
    • Represent the most important things to do to increase the probability of success of the process
    • Are observable - usually measurable - characteristics of the organisation and process
    • Are either strategic, technological, organisational or procedural in nature
    • Focus on obtaining, maintaining and leveraging capability and skills
    • Are expressed in terms of the process, not necessarily the business

Key Performance Indicators

Guidance for measurement can be obtained from the Balanced Business Scorecard concepts, where goals and measures from the financial, customer, process and innovation perspectives are set and monitored.

In the Balanced Business Scorecard approach, the Goal is measured based on its outcome. The Drivers or Enablers that make it possible to achieve the goal are measured based on their performance in support of reaching the goal


Key Performance Indicators

  • The degree of importance of each of these criteria is a function of the business and the environment that the enterprise operates in
  • COBIT then allows selection of those controlobjectives that best fit the degree of importance, i.e., the Profile
  • This profile also expresses the enterprise’s position on risk

Key Performance Indicators

The goal for IT can then be expressed as

The performance measure of the enabler becomes the goal for IT, which in turn will have a number of enablers. These could be the COBIT IT domains. Here again the measures can be cascaded, the performance measure of the domain becoming, for example, a goal for the process

In summary
  • Key Performance Indicators
    • Are a measure of “how well” the process is performing
    • Predict the probability of success or failure in the future
    • Are process oriented, but IT driven
    • Focus on the process and learning dimensions of the balanced scorecard
    • Are expressed in precise, measurable terms
    • Help in improving the IT process

Key Goal Indicators

  • KGI for goal: measurable indicators of the process achieving its goal
  • Business Requirement of the ‘Waterfall’
  • Influenced by the primary and secondary information criteria
  • A potential source can be found in COBIT’s ‘Substantiating Risk’ section in the Audit Guidelines

Key Goal Indicators

Given that the link between the business and IT scorecards is expressed in terms of the information criteria, the KGIs will usually be stated as:

  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost-efficiency of processes and operations
  • Confirmation of reliability, effectiveness and compliance
In summary
  • Key Goal Indicators
    • Describe the outcome of the process and are therefore measurable after the fact
    • Are indicators of the success of the process, but may be expressed as well in terms of the business contribution, if that contribution is specific to that IT process
    • Focus on the customer and financial dimensions of the balanced business scorecard
    • Represent the process goal, i.e., a measure of “what”, a target to achieve
    • Are IT oriented, but business driven
    • Are expressed in precise measurable terms, wherever possible
    • Focus on those information criteria that have been identified to be of most importance for this process
Generic IT Process

Control over an IT process and its activities with specific business goals

  • is determined by the delivery of information to the business that addresses the required information criteria, and is measured by KGIs
  • is enabled by creating and maintaining a system of process and control excellence appropriate for the business
  • considers CSFs that leverage specific IT resources, and is measured by KPIs

Generic IT Process

Potential Critical Success Factors

  • IT performance is measured in financial terms, in relation to customer satisfaction, for process effectiveness and for future capability,
  • The processes are aligned with the IT strategy and with the business goals; they are scalable and their resources are appropriately managed and leveraged
  • A business culture is established, encouraging cross-divisional co-operation and teamwork, as well as continuous process improvement
  • Control practices are applied to increase transparency, reduce complexity, promote learning, provide flexibility and allow scalability
  • Goals and objectives are communicated and are understood
  • It is known how to implement and monitor process objectives and who is accountable for process performance
  • A continuous process quality improvement effort is applied
  • The required quality of staff (training, transfer of information, morale, etc.) and availability of skills (recruit, retain, re-train) exist
Generic IT Process

Potential Key Goal Indicators

  • Increased level of service delivery
  • Number of customers and cost per customer served
  • Availability of systems and services
  • Absence of integrity and confidentiality risks
  • Cost efficiency of processes and operations
  • Confirmation of reliability and effectiveness
  • Adherence to development cost and schedule
  • Cost efficiency of the process
  • Staff productivity and morale
  • Number of timely changes to processes and systems
  • Improved productivity (e.g., delivery of value per employee)
Generic IT Process
  • Potential Key Performance Indicators
  • System downtime
  • Throughput and response times
  • Amount of errors and rework
  • Number of staff trained in new technology and customer service skills
  • Benchmark comparisons
  • Number of non-compliance reportings
  • Reduction in development and processing time

Management Guidelines Components

  • IT governance guideline
  • Generic IT process guideline
  • For each of the 34 IT processes
    • one maturity model
    • 5 to 7 KGIs
    • 8 to 10 CSFs
    • 6 to 8 KPIs
Summary of COBIT to This Point
  • Framework of four domains and 34 key IT processes.
    • Defines high-level IT control objectives defining controls that should be in place.
    • For each of the 34 processes, there are from 3 to 30 detailed IT control objectives.
  • Audit Guidelines identify a process to:
    • Obtain an understanding of the BUSINESS requirements
    • Evaluate the stated controls
    • Assess compliance with controls
    • Substantiate the risk to the BUSINESS
  • Management Guidelines outline:
    • The process to implement COBIT with key indicators of success
    • A maturity model to measure progress

Why Should an Organisation Adopt COBIT?

  • Attention focused on Corporate Governance
    • Management Accountability for Resources
    • Specific Need for Control of IT Resources
  • Stresses business-oriented solutions
  • Provides an authoritative framework for Risk Assessment
  • Improved communication among management, users and auditors

Management Expectations of IT

  • Re-Engineered Processes
  • Right-Sizing
  • Distributed Processing
  • Flattened Organisations
  • Outsourcing


Management Responsibilities for IT

  • Safeguarding Assets
  • Information as Most Valuable Asset


COBIT Framework

Blends Management’s IT Expectations with Management’s IT Responsibilities

Management Needs COBIT
  • To evaluate IT investment decisions
    • Making the link to the business needs
    • Ensuring best use is made of information
    • Ensuring regulatory and legislative compliance
    • To balance risk and control of investment
  • To benchmark the existing and future IT environment
    • Organising into a generally accepted model of IT processes
    • Identifying major IT resources to be leveraged
Why do Application Owners need COBIT?
  • COBIT is a control-oriented framework
    • Helps organizations to align Control Objectives with existing “de jure” and “de facto” standards,regulations and best practices
  • Information, and by relationship IT, is one of an organization’s most valuable assets
    • Value, risk and control are the core of IT governance
    • Management responsibility – to ensure IT sustains and extends business objectives
  • A more responsive IT organization should result in a better alignment with your business
IT needs COBIT
  • Ensure strategic alignment
    • Ensure linkage of business and IT plans
    • Align operations with enterprise objectives
  • Value delivery
    • Ensure IT delivers promised benefits – focus on controlling costs
  • Optimise resource management
    • Proper management of IT resources – data, applications, infrastructure, people
IT needs COBIT
  • Apply risk management
    • Embed risk management responsibilities into the organization
    • Raise awareness of all senior officers
    • Track risks and ensure transparency of risks
  • Performance measurement
    • Track and monitor strategy implementation
    • Benchmark operations
    • Allow for continuous improvement
Current Situation
  • Varied maturity levels across government, and even within individual organizations
  • Historically IT has tended to be an objective unto itself
  • Often IT plans bear no relationship to the business plans of the business organization
  • Often shows up as lack of control over IT projects – large projects often fail
Current Situation
  • Recent focus on IT infrastructure and operations control across government – implementation of ITIL
    • The IT Infrastructure Library is a compendium of best practices, and its practices are covered by and mapped to COBIT processes
  • Improvement in project governance
    • Enhanced Management Framework
  • COBIT can enhance all these initiatives


Questions and Answers



For additional information:


COBIT - Appendices
  • Information Criteria
  • Implementing COBIT

Information Criteria Working Definitions

Effectiveness: deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner.

Efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.

Confidentiality: concerns the protection of sensitive information from unauthorised disclosure.

Integrity: relates to the accuracy and completeness of information as well as its validity in accordance with the business’ set of values and expectations.

Availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.

Compliance: deals with complying with those laws, regulations, and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.

Reliability of Information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing reporting to users of the financial information, and in providing information to regulatory bodies with regard to compliance with laws and regulations.


To Adopt COBIT, Who Needs To Be Influenced?

Management, especially IT policy makers, play a major role in influencing the adoption of COBIT in the organisation. Examples of such policy makers include:

  • Chief Executive (e.g., CEO)
  • Senior IT Executive (CIO or VP of IT)
  • IT Steering Committee
  • IT Management


A Product For Many Audiences

For each audience: when you are… / COBIT could serve the following objectives for you… / some specific approaches which could prove useful…

Executive manager
  • Objectives: Accept and promote COBIT as general IT governance model for all enterprises within enterprise
  • Approaches: Use COBIT to complement the existing internal control framework. Use the COBIT process model to establish a common language between business and IT; allocate clear

Business manager
  • Objectives: Use COBIT to establish a common entity-wide model to manage and monitor IT’s contribution to the business
  • Approaches: Use COBIT control objectives as a code of good practice for dealing with IT within the business function. Use COBIT control objectives to determine needs to be covered by Service Level Agreements (internal or outsourced)

IT manager
  • Objectives: Use the COBIT process model and detailed control objectives to structure the IT services function into manageable and controllable processes focussing on business contribution
  • Approaches: Use the COBIT control model to establish SLAs and communicate with business functions. Use the COBIT control model as basis for process-related performance measures and IT-related policies and norms. Use COBIT as baseline model to establish the appropriate level of control objectives and external certifications

Project manager
  • Objectives: As a general framework for minimal project and quality assurance standards
  • Approaches: Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery and project management, and

Developer
  • Objectives: As minimal guidance for controls to be applied within development processes as well as for internal control to be integrated in information systems being built
  • Approaches: Use COBIT to ensure that all applicable IT control objectives in the development project have been addressed

Operations
  • Objectives: As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives
  • Approaches: Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive

User
  • Objectives: As minimal guidance for internal control to be integrated within information systems, being fully operational or under development
  • Approaches: Use COBIT to guide service level agreements

Information Security Officer
  • Objectives: As harmonising framework providing a way to integrate information security with other business related IT
  • Approaches: Use COBIT to structure the information security program, policies and procedures

Auditor
  • Objectives: As basis for determining the IT audit universe and as IT control reference
  • Approaches: Use COBIT as criteria for review and examination, and for framing IT-related audits

COBIT Management Awareness Diagnostic Tools

One of the most challenging tasks will be getting top management’s attention. Two tools for getting management’s attention and raising management’s awareness are:

  • IT Governance Self-Assessment
  • Management’s IT Concerns Diagnostic

IT Governance Self-Assessment

Asks Management to Determine for EACH of the COBIT Processes:

  • How important the process is for business objectives
  • Whether the process is performed
  • Who performs the process
  • Whether the process is audited
  • Whether the process and its control are formalised


Management’s IT Concerns Diagnostic

Identifies which IT processes need to be under control for various IT concerns (management issues):

  • Internet/Intranet
  • Enterprise Packaged Solutions
  • Client/Server Architecture
  • Workgroups and Groupware
  • Network Management


How To Implement COBIT in an Organisation

  • Top Down Approach
  • Audit Committee Approach
  • Audit and IT Management Consensus Approach
  • Regulation/Legislation

Ways to Implement

Approach #1 -- Top Down

  • Communicate COBIT to Senior Operating Management and IT Management
  • Communicate Framework to CIO
  • Communicate within CIO’s Organisation via
  • Gain Commitment to Processes and Control
  • Develop Cyclical Audit Programs to Cover all

Ways to Implement

Approach #2 -- The Audit Committee

  • Communicate with and Educate the Audit Committee
  • Develop Cycle/Coverage Scenarios to Minimise Potential Liability of Committee Members
  • Communicate Cyclical Coverage within IT
  • Execute Audit Plan using COBIT to Scope Audits and Define Required IT Control Objectives


Ways to Implement

Approach #3 -- Audit and IT Management Consensus

  • COBIT is Communicated Within Audit
  • Audit Performs Internal Assessment of IT
  • Audit Shares Assessment with IT
  • IT and Audit Reconcile Variances to Reach
  • Audit Program Developed and Executed, Based on Self-Assessment


Ways to Implement

Approach #4 -- Regulation/Legislation

  • COBIT is specified for compliance by Regulating Authority
  • COBIT is specified for compliance by

Implementation Action Plan for the Organisation

  • Distribute copies of the COBIT Executive Overview and/or Summary to key managers, triggering analysis of and thoughts about the existing organisation’s approach to IT controls
  • Present to Operations and Technology management team and key staff
  • Present to outsourced service provider management and key staff
  • Assist key managers in developing action plans to integrate COBIT concepts into business processes
  • Present COBIT concepts and activities progress reports to senior management to inform and gain commitment
  • Develop or update audit programs consistent with COBIT Audit
  • Restructure audit inventory to reflect a COBIT process orientation
  • Present COBIT concepts, progress and results to Audit


Implementing COBIT from an Audit Perspective

  • As an Organisational Tool
  • As a Consensus-Building Tool
  • As an Engagement “Scoping” Tool
  • As a Self-Assessment Tool
  • Risk Assessment and Audit Planning



COBIT as an Organizational Tool

Domain #1 (Planning & Organisation) = Auditor #1

Domain #2 (Acquisition & Implement) = Auditor #2

Domain #3 (Delivery & Support) = Auditor #3

Domain #4 (Monitoring) = Auditor #4


COBIT as a Consensus-Building Tool

CEO ----- Senior Audit Executive - Auditor #1

CIO -------- Director of Audit -------- Auditor #2

Dir. IT ---- Senior Audit Manager --- Auditor #3

Appl. Mgr.. - Practitioner --------- Auditor #4


COBIT as an Engagement “Scoping” Tool

  • “I want to look at this area of IT...”
  • “What are the processes involved?”
  • “What are the control objectives involved?”

COBIT allows identification of minimum controls.


COBIT as an IT Self-Assessment Tool

  • “Are there specific areas where too few or too many resources are being applied?”
  • “How am I doing against COBIT’s IT control
  • “Can Audit focus on strengths for improvement? I already know my weaknesses.”
  • “Show me what controls should be in place before you come in, so I can clean up my shop.” -- reallocate resources to higher-risk projects