COBIT 2019 Foundation Course April 2021

Exercises COBIT 2019 Foundation Course

MODULE 2
Exercise 1: Group Discussion:
The COBIT framework makes a clear distinction between governance and management. These two
disciplines encompass different activities, require different organizational structures and serve
different purposes.

Question: What would you describe as the difference between governance and management?

Exercise 2: Group Discussion

Questions:

• What are specific requirements for IT Governance in your organisations today and for the
near future?
• How is EGIT implemented at your organization today?
• What are the differences between Benefits realization, Risk optimization and Resource
optimization? Which one is receiving more attention?
• What other industry frameworks or standards are being used? How are they being used
together with COBIT – if at all?
• Does the difference between IT Governance and IT Management exist today in your
organisations?

1
COBIT 2019 Foundation Course April 2021

MODULE 4
Nameco Case
NAMECO is an IT Managed Service Provider in North America. They are an aggressive, for profit
organization that strives to aggressively grow revenues while providing a stable client base. NAMECO
is considered one of the top five MSPs in the industry and operates in a high threat environment
with multiple competitors who are constantly attempting to challenge their position in the market.

With over 400 tenet clients and 15,000 end users, each one has a very unique set of compliance
requirements: 1) 30% of their clients are publicly traded entities, 2) 7% are heath care related, 3)
87% process credit cards, and 4) 6% have private information regarding EU citizens.

The enterprise risk management group has identified multiple risk scenarios that have the potential
of inhibiting the aggressive growth goals identified by the governing body. These include: 1)
recruiting and maintaining qualified and skilled staff, 2) the threat of competitors, 3) complex
compliance requirements from multiple requirements (NAMECO has private information from users
across the globe, including EU citizens), and 4) the unknown risks of vendors who provide critical
services to NAMECO.

The IT organization also supports the company’s staff of 300 FTEs and is currently considered a
“necessity” which has caused some issues. Due to the nature of its business, NAMECO cannot
continue with its strategy unless IT is seen as a key success factor. Most of the services provided by
IT are a mix of insourced, cloud, and outsourced services and IT generally adopts new technologies
once they have been proven in the market. Although the organization is primarily a waterfall model
for delivery, there are two full time agile teams that support the core applications of the business.
This model has worked up to this point, but there are pressures from the business to deploy services
faster.

With the aggressive growth of the company, the IT organization has experienced multiple issues that
have resulted in unsatisfactory client reviews. The key concerns include: 1) failure to meet Service
Level Agreements (many of these failures are due to suppliers), 2) multiple audit findings of non-
compliance of data privacy, and 3) Insufficient IT resources/knowledge required to support the goals
of the enterprise.

Other key observations include: 1) there are no documented or well-understood decision matrices in
the organization, 2) policies exist, but have not been updated in the last 3 years, 3) the leadership of
the organization endorse a ‘risk taking’ culture, but do not support risky decisions that fail, 4) no
skills matrix exists that identifies the skills and competencies required to support IT services, 5) an IT
service catalog exists, but is not acknowledged or followed, 6) there is no formal recognition of IT
processes, they are ad hoc and not well documented, and 7) there is no real understanding of the
data/information architectures or flows and there is an absence of information classification.

Questions: Using the NAMECO scenario,

• discuss which COBIT Design Factors would be relevant for the governance system of NAMECO,
and
• identify which values you would assign to the relevant design factors.

2
COBIT 2019 Foundation Course April 2021

MODULE 5
Question: For each Enterprise Goal, circle the appropriate Balanced Scorecard dimension

Enterprise Goal BSC Dimension

Portfolio of competitive
Financial Customer Internal Growth
products and services
Product and business
Financial Customer Internal Growth
innovation
Business service continuity and
Financial Customer Internal Growth
availability

Optimization of business
Financial Customer Internal Growth
process costs
Managed digital
Financial Customer Internal Growth
transformation programs
Customer-oriented service
Financial Customer Internal Growth
culture

Managed business risk Financial Customer Internal Growth

Question: For each Alignment Goal, circle the appropriate Governance or Management Objective
that has a PRIMARY relationship

Alignment Goal Governance and Management Objectives

Quality of I&T management information APO13 EDM05 BAI05 DSS04

Knowledge, expertise and initiatives for business

APO08 EDM01 APO02 MEA01
innovation

Managed I&T-related risk EDM01 EDM04 MEA01 DSS05

Delivery of I&T services in line with business

APO11 BAI01 APO05 MEA04
requirements

3
COBIT 2019 Foundation Course April 2021

Question: Match each purpose statement with the appropriate Governance or Management
objective

Purpose Statement Governance and Management Objective

BAI07
MEA04 APO10
Implement solutions safely and in line with the Managed IT Change
Managed Managed
agreed expectations and outcomes. Acceptance and
Assurance Vendors
Transitioning

Ensure that stakeholders are supportive of the

I&T strategy and road map, communication to
stakeholders is effective and timely, and the EDM05
EDM02
basis for reporting is established to increase BAI06 Ensure
Ensured Benefits
performance. Identify areas for improvement Managed IT Changes Stakeholder
Delivery
and confirm that I&T-related objectives and Engagement
strategies are in line with the enterprise’s
strategy.
Maintain information integrity and the security
DSS06 BAI08
of information assets handled within business DSS04
Managed Business Managed
processes in the enterprise or its outsourced Managed Continuity
Process Controls Knowledge
operation.

Question Match each description with the appropriate Governance Component as it applies to
Governance and Management Objectives.

Description Governance Component

For each practice, Culture Services,

Organizational People, Skills,
inputs and outputs Process Information Policies and Infrastructure
Structures Competencies
are identified. Ethics and Applications

Based on the Skills

Culture Services,
Framework for the Organizational People, Skills,
Process Information Policies and Infrastructure
Information Age, or Structures Competencies
Ethics and Applications
SFIA.

COBIT 2019 only

Culture Services,
suggests responsible Organizational People, Skills,
Process Information Policies and Infrastructure
and accountable Structures Competencies
Ethics and Applications
roles.

Third-party services,
types of infrastructure
and categories of
applications that can Culture Services,
Organizational People, Skills,
be applied to support Process Information Policies and Infrastructure
Structures Competencies
the achievement of a Ethics and Applications
governance or
management
objective.

4
COBIT 2019 Foundation Course April 2021

Question: Using information from the NAMECO scenario (see above – same scenario), use the goals
cascade to determine the most appropriate Governance or Management Objectives.

NAMECO has determined that the most critical enterprise goals for the upcoming year includes the
following:

• Enterprise goal 2 (EG02) Managed business risk

• Enterprise goal 3 (EG03) Compliance with external laws and regulations
• Enterprise goal 8 (EG08) Optimization of internal business process functionality
• Enterprise goal 10 (EG10) Staff skills, motivation and productivity

MODULE 8
ACME Corporation Case
The example scenario is Acme Corporation, a large multinational enterprise with a mixture of
traditional, well-established business units as well as new Internet-based businesses adopting the
very latest technologies. Many of the business units have been acquired and exist in various
countries with different local political, cultural and economic environments.

The central group’s executive management team has been influenced by the latest enterprise
governance guidance, including COBIT, which they have used centrally for some time.

They want to make sure that rapid expansion and adoption of advanced IT will deliver the value
expected; they also intend to manage significant new risk.

They have, therefore, mandated enterprise wide adoption of a uniform EGIT approach. This
approach includes involvement by the audit and risk functions and internal annual reporting by
business unit management of the adequacy of controls in all entities

Questions: Using information from the ACME case and the NAMECO scenario (see earlier), complete
a business case section.

• ACME case: develop the section on cost/benefits

• NAMECO: develop the business section on business challenges
• NAMECO: develop the section on methodology and alignment