®

COBIT   Focus  
The newsletter dedicated to the COBIT® user community
April 2008, Volume 2

COBIT and IT Governance: Focusing

on IT Governance, Value Delivery and
IT Investment Evaluation
By John W. Beveridge, CISA, CISM, CFE, CGFM

The Massachusetts (USA) Office of the State Auditor began

using COBIT as a primary reference for identifying control
objectives and management control practices as soon as the first
edition of COBIT’s control objectives was published. The IT
governance framework has helped non-IT management gain a
better understanding of what encompasses IT and identify areas
of IT that should be reviewed.

In This Issue…
COBIT and IT Governance:
Focusing on IT Governance, Value
Delivery and IT Investment
Evaluation
By John W. Beveridge .......................page 1
CGEIT Credential Meets Business
Demands for IT Governance
By John Lainhart................................page 3
Adoption of COBIT by Multiplan
By Romulo Gouvêa and
Tiago Quadra......................................page 5
COBIT: An IT Governance Tool for
the CIO and CEO
By Romulo Lomparte.........................page 9
ISACA COBIT Education ........page 11
For more than 10 years, the COBIT framework has been used by
the state’s auditors to benchmark areas of IT that were, or
should be, subject to review or examination, and by a small
number of agency managers to gain a better understanding of IT
management processes. Since then, the implementation of
COBIT by the Office of the State Auditor has evolved as COBIT
has undergone updates. The Office is now aligning its activities
with COBIT 4.1 and is shifting a portion of the IT audit work
toward IT governance, value delivery and IT investment
evaluation. From an audit perspective, agency personnel have
found COBIT helpful in understanding where the “goal posts” are
in terms of being subject to independent examination.
Process
After initial adoption, COBIT was soon introduced to the then-chief
information officer (CIO) of the Commonwealth’s information
technology division, who adopted it as a reference model. To date,
agency personnel have found COBIT helpful in understanding the
importance of IT governance and assurance, and also as guidance
in developing and strengthening management control practices.
On the audit side, in addition to being used as a reference for
control objectives and control practices, COBIT was used initially
in comparing existing IT-related policies and high-level
procedures at state agencies to assess the extent of coverage to
an established high-level framework. While this was helpful on
individual audit engagements, COBIT was also used in overall IT
audit planning. Although not identified as an audit planning tool
by ITGI, the Office of the State Auditor found COBIT very useful
in framing preaudit and survey work for overall planning
Continued on page 2
COBIT Focus, April 2008
purposes. By mapping COBIT to existing audit
coverage and audit results, one could identify
areas where increased attention or improved
scope may be warranted. One of the more
valuable tools for audit planning and working with
auditee management was a series of COBIT
matrices that was initially developed in conjunction
with Bentley College. The matrices were later used
as input to the IT Governance Implementation
Guide, now in its second edition. In addition,
management guidelines and COBIT 4.1 have
stimulated a healthy focus on RACI charts, metrics
and maturity models to help assess assignment of
responsibilities, evaluate communication, measure
performance and assess process capability.
Through the years, COBIT has been introduced at
a number of levels to auditees, agency
management, legislators, and boards and
commissions within Massachusetts state
government. Audit teams have introduced COBIT
to IT and non-IT management and staff on
individual audit assignments at various state
agencies. Although initially used as audit criteria,
the growing array of COBIT products has been
used to assist agencies in “getting their arms
around IT” from a management and control
perspective.
The first enterprise-based information security
policy, which was developed and unanimously
adopted on 24 October 2001 by the
Commonwealth’s Enterprise Security Board (ESB)
and implemented by the Commonwealth’s CIO on
27 November 2001, noted that additional
reference materials and guidance may also be
found in the publications of ITGI/ISACA. Since that
time, the ESB has referred to COBIT as a primary
reference in developing security policies and
standards and has sponsored COBIT training for
agency personnel. COBIT’s control objectives and
management guidelines and, in particular, ITGI’s
Board Briefing on IT Governance have been
introduced at the Commonwealth’s IT
Commission, IT Advisory Board and CIO
meetings.
Examples of where COBIT has been referenced
include the ESB Advisory Memorandum regarding
the IT Commission Security Recommendations,
Status & Update Advisory, 20 December 2006,
stating that:
…The ESB believes that continued
acceptance in the adoption of generally
accepted control models (e.g., COBIT) and IT
management and security practices...within an
appropriate IT governance framework will
provide the required foundation to achieve
operational and security objectives.
The same advisory memorandum also stated that:
Certification programs for security professionals
exist, such as MCSE, GCET for technical
certification as well as professional certifications
such as CISA or CISSP for mid-level managers
and CISM and CPP for executives.
Another reference is the Massachusetts Office of
the Inspector General’s Guide to Developing and
Implementing Fraud Prevention Programs.
Continued on page 3
page 2
COBIT Focus, April 2008
Published in April 2005, it included ISACA within
the list of resources for developing an effective
fraud policy and fraud prevention program. The
document noted that ISACA’s web site provides
valuable links, journal articles on technological
topics of interest and information on how
professionals can become a CISM or CISA.
Conclusion
The use of COBIT by the Office of the State Auditor
has evolved as COBIT has evolved. Currently, the
Office is amending audit work programs to be
aligned with COBIT 4.1 and is shifting a portion of
the IT audit work toward IT governance, value
CGEIT Credential Meets Business Demands for IT
Governance
By John Lainhart, CISA, CISM, CGEIT, CIPP/G
To support the growing business demands related
to IT governance, promote IT governance good
practices and recognize skilled IT governance
professionals, ISACA® has developed a new
certification: Certified in the Governance of
Enterprise IT™ (CGEIT™).
ISACA performed extensive research and
determined that there is a sound business need for
a certification that recognizes expertise in the field
of IT governance and helps enterprises identify
and hire professionals who have IT governance
knowledge and experience.
Supported by the IT Governance Institute®
(ITGI™) and built on ITGI’s intellectual property
and input from subject matter experts from around
the world, the CGEIT designation is designed for
professionals who have a significant management,
advisory or assurance role relating to the
governance of IT.
The credential focuses on the five focus areas of
IT governance:
• Strategic alignment
• Value delivery
• Risk management
• Resource management
• Performance measurement
It also focuses on frameworks that provide support for
IT governance, particularly Control Objectives for
Information and related Technology (COBIT®) and Val
delivery and IT investment evaluation. COBIT has
been used as a reference in policy development,
control design and, to a limited extent, control
assessment for state agencies. Even though there
have been changes with new administrations,
there is a strong recognition by the
Commonwealth’s recently appointed CIO that IT
must be better managed.
John W. Beveridge, CISA, CISM, CFE, CGFM
is a past president of ISACA and ITGI, and is a
member of the Assurance Committee and CGEIT
Certification Board. He is deputy state auditor at the
Office of the State Auditor, Massachusetts, USA.
IT™ (in the value delivery area).
To earn the CGEIT certification, applicants must:
• Pass the CGEIT exam (The first CGEIT exam will
be administered on 13 December 2008.)
• Adhere to the ISACA Code of Professional Ethics
• Agree to comply with the CGEIT continuing
professional education (CPE) policy
• Provide evidence of appropriate IT governance
work experience as defined by the CGEIT job
practice. Five years of experience managing,
serving in an advisory or oversight role, and/or
otherwise supporting the governance of the IT-
related contribution to an enterprise is required for
certification. This experience is defined by the
domains and task statements described in the
CGEIT job practice (www.isaca.org/cgeit). A
minimum of one year of experience relating to the
development and/or maintenance of an IT
governance framework is required. Additional broad
experience directly related to any two or more of the
remaining CGEIT domains is also required.
Individuals can take the CGEIT exam prior to
earning the necessary work experience. However,
work experience must be earned during the 10-
year period prior to application for CGEIT
certification.
To recognize other management experience
and/or the achievement of specific IT governance-
related credentials, advanced (postgraduate)
degrees and certificates, up to two years of the
Continued on page 4
page 3
COBIT Focus, April 2008
five years of required IT governance experience
can be substituted. Specifically, each of the
following qualifies (as a substitute) for one year of
IT governance experience, with a maximum of two
years of substitutions being accepted:
• Other management experience—Other
management experience that is not specific to IT
governance, such as performing consulting-,
auditing-, assurance- or security-management-
related duties qualifies for up to one year of
substitution.
• Specific credentials, advanced (postgraduate)
degrees and certificates—Credentials (in good
standing), advanced (postgraduate) degrees and
certificate programs that include an IT governance
and/or management component or are specific to
one or more of the CGEIT domains can qualify for
up to one year of substitution. These include:
- Certified Information Systems Auditor™ (CISA®)
- Certified Information Security Manager® (CISM®)
- ITIL Service Manager certification program
- Chartered Information Technology
Professional (CITP), issued by the British
Computer Society
- Certified Information Technology Professional
(CITP), issued by the American Institute of
Certified Public Accountants (AICPA)
- Certified Business Manager (CBM), issued by
the Association of Professionals in Business
Management
- Certified Internal Auditor (CIA), issued by the
Institute of Internal Auditors
- PRINCE2 Registered Practitioner, developed by
the Office of Government Commerce (OGC)
- Project Management Professional (PMP),
issued by the Project Management Institute
- A postgraduate degree from an accredited
university in information technology or
management (such as a Master of Business
Administration or chief information officer [CIO]
certificate program)
- Implementing IT Governance Using COBIT®
and Val IT™ certificate, issued by ISACA
Applicants who have earned/acquired other
credentials, degrees and/or certificates that
include a significant IT governance and/or
management component and that are not listed
here may submit them to the CGEIT Certification
Board for consideration.
A grandfathering provision, through which
individuals who are highly experienced in the
governance of IT may apply for the certification
without taking the exam, is available through
October 2008.
Continued on page 5
page 4
COBIT Focus, April 2008
To earn the CGEIT certification during the
grandfathering period, an applicant must:
• Have and submit evidence of management,
advisory or oversight experience associated with
the governance of the IT-related contribution to an
enterprise. Eight years of such experience is
required and is defined and described specifically
by the CGEIT job practice domains and task
statements. Specifically, a minimum of one year of
experience relating to the development and/or
maintenance of an IT governance framework and
additional broad experience related to any two or
more of the remaining CGEIT domains. To
recognize other management experience and/or
the achievement of IT-governance-related
credentials, advanced degrees and certificates, up
to three years of experience can be substituted (as
Adoption of COBIT by Multiplan
By Romulo Gouvêa and Tiago Quadra
Multiplan Empreendimentos Imobiliários S.A., one
of the major shopping mall property management
firms in Brazil, is a key player in residential and
commercial real estate development.
When Multiplan went public, it signed the
Agreement for the Adoption of Differentiated
Corporate Governance Practices with
BOVESPA.1 Under this agreement, the
company, its members of the board and its
controlling shareholders committed to comply
with all requirements related to the corporate
governance practices set by BOVESPA.
Motivation
Multiplan’s main reason for adopting COBIT was
the IT management team’s interest in applying
the management guidelines recommended by
this model. These guidelines would be used as
the primary framework from which to develop
responsibility assignment, performance
measurement, procedure testing and mapping
the gap in the process execution capacity,
complementing actions already consolidated by
the organization’s IT Infrastructure Library (ITIL)
projects for process effectiveness.
Additionally, the organization believed the
adoption of COBIT would help answer some
typical management questions, including:
• How can the organization cope with the need
to align IT and business?
described previously).
• Describe their experience managing, providing
advisory and/or assurance services, and/or
otherwise supporting the governance of an
enterprise’s information technology
• Adhere to the ISACA Code of Professional Ethics
• Agree to comply with the CGEIT CPE policy
• Pay an application fee
John Lainhart, CISA, CISM, CGEIT, CIPP/G
is a past president of ISACA and ITGI, and
currently is a member of the IT Governance
Committee. He is also a partner in the security,
privacy, wireless and IT governance service area
at IBM Global Business Services.
• What processes and controls should be
implemented?
• How can the organization assess and
compare results?
• What are the best indicators to measure and
track processes?
The Project
Once the motivation was determined, the project
objectives included:
• Selecting the set of COBIT processes to be
reviewed, related to work previously done under
the ITIL model
• Identifying the IT objectives supported by those
processes
• Mapping the business goals supported by the IT
objectives identified
• Determining the maturity of Multiplan processes at
the time, according to COBIT
• Comparing the maturity of Multiplan processes in a
benchmarking study
• Recommending the set of indicators to be used to
track goals and process performance
In terms of company reach, the project covered
infrastructure support services along with
applications services in system development and
maintenance, provided by Multiplan’s IT
management team, based in Rio de Janeiro, Brazil.
The project’s technical scope included some of
the service management disciplines of ITIL,
Continued on page 6
page 5
COBIT Focus, April 2008

according to previous IT service management representatives of the various business

(ITSM) projects carried out: the service desk segments. The aim was to gather evidence on
function, the processes presented in the book execution and capacity regarding the selected
Service Support,2 incident management, COBIT processes.
problem management, change management,
release management and configuration Analysis
management, as well as the process for service The analysis consisted of handling the data and
level management from the book Service information gathered for the selected aspects.
Delivery.3 All of these are directly related to the The aim of this phase was to determine the
Acquire and Implement and Deliver and Support maturity level of those COBIT processes. To
domains of COBIT. accomplish this, the team consolidated those
aspects identified during the studies and
Considering its scope, the project did not cover associated with the model disciplines.
the following ITIL model disciplines: IT financial
management, availability management, capacity Tables (figure 2) were then populated for each
management and IT service continuity process, summarizing the results. These tables
management. show the average maturity level of each
process, the maturity of each control objective,
The Approach the relevance of each process for the
To cope with the challenges posed by the project, organization, the level of management
Multiplan hired a specialized consulting firm. Their compliance for each control objective and cross-
approach comprised five phases as follows. references to the evidence collected.

Definition Figure 2—Sample of Tables for Maturity

In the definition phase, the aim was to select a Measurement
set of COBIT processes to be reviewed,
expanding the previous work based on the ITIL ITIL Disciplines COBIT Maturity
model. This work was mainly supported by the 3 Objetivo de Controle Nível de Maturidade Conformidade Gerencial

ITGI publication COBIT® Mapping: Mapping of 3 3

COBIT Processes

Gerência está atenta

Implementação bem

t d
Gerência não está

comprometida em
0 - Não existente

Implementação
4 - Gerenciado

5 - Otimizado

encaminhada
2 - Repetível

3 - Definido
1 - Inicial
3

Gerência

resolver

iniciada
ITIL® With COBIT® 4.0.4 In accordance with

atenta

l
ã i
3

S l
Appendix I—Linking Business Goals and IT 3 3 DS2.1. Identificação
de todos os
relacionamentos com
3 fornecedores

Goals of COBIT 4.0 (figure 1), this phase was 3 DS2.2.

Gerenciamento de
relacionamento com

intended to identify the IT objectives supported 3 fornecedor

3 3 DS2.3.
Gerenciamento de

by the selected processes, as well as the 3

Riscos de
Fornecedores

3 DS2.4.

business goals supported by those IT objectives. 3 3

Monitoramento de
Desempenho de

3
3
Data Collection
During this phase, the team collected data and
information from books and interviews with
Also during this phase, ITGI’s COBIT Online®5
Figure 1—Linking Business Gozals web-based tool was used for benchmarking
and IT Goals (figure 3). Here the aim was to compare
Multiplan’s scenario against market references
ITIL Disciplines available in the tool database.
3 3 3
3 3 3 3 3 3
COBIT Processes

3 3 3

3 3
3
3 3
3
3 3
3 Project
3
3
3
3
3
3 The project phase output was a draft version of
3
3 3
3
3 3
3
3 3
the project report. It was designed based on
3 3 3
3 3 3 suggestions and recommendations of the goal
3 3 3 3 3 3
3 3 3 and performance indicators to be used in
3 3 3
everyday management and IT governance. After
IT Objectives
the conclusion of this phase, it was possible to
3 3
make management decisions to allow for
Business

3 3 3 3
Goals

3 3

3 3
3
3 3
3 production and collection of indicators (see
3
3
3
3 figure 4).
®
Source: IT Governance Institute, COBIT 4.0
Continued on page 7

page 6
COBIT Focus, April 2008

Figure 3—COBIT Benchmarking requirements to be considered by management

for effective control of each IT process.
COBIT Maturity Benchmarking How can we assess and compare processes?
Objetivo de Controle Nível de Maturidade Conformidade Gerencial
What are the best indicators to measure and

Gerência está atenta

Implementação bem

t d
Gerência não está

comprometida em
0 - Não existente

Implementação
4 - Gerenciado
track those processes?
5 - Otimizado

encaminhada
2 - Repetível

3 - Definido
1 - Inicial

Gerência

resolver

iniciada
atenta

l
ã i
S l
DS2.1. Identificação
de todos os
relacionamentos com
fornecedores Following the project, it was possible to measure
DS2.2.
Gerenciamento de
relacionamento com
fornecedor
IT processes in regard to their maturity under
DS2.3.
Gerenciamento de
the COBIT maturity models, their performance
Riscos de
Fornecedores

DS2.4.
according to key performance indicators (KPIs),
Monitoramento de
Desempenho de
and their efficiency according to key goal
indicators (KGIs) suggested in the management
guidelines portion of the framework.

Final Considerations
This work encouraged Multiplan to read and
implement the recommendations presented in
the IT Governance Implementation Guide,6 as
well as to learn more about other COBIT
processes not initially covered in this study.
Production
Production of the final document followed the With the project results, Multiplan’s IT
reading and validation of the draft project report. management team was able to create an IT
balanced scorecard7 aligned with the company’s
Outcomes business strategy.
Results were positive. The model guidelines
helped provide answers to the initial questions, Once the project concluded, a better alignment
as follows. with internal audit activities regarding COBIT
processes AI6 Managing changes and AI7
How can we cope with the need to align IT and Installing and validating solutions and changes,
business? in terms of financial data output, was developed.
Figure 4—ITIL to COBIT Performance and
According to the model, “IT processes have Goal Indicators
requirements from business and reply with
information.” With its business-oriented Indicators
approach, the COBIT process framework allowed Selection
for a comprehensive view of IT and its related ITIL Disciplines
decisions. As an IT governance support tool set 3 KPI 1 -----------
3 3
COBIT Processes

and framework, COBIT enabled Multiplan’s 3

KPI 2 -----------
management team to map the connections 3 KPI 3 -----------
3 3 ‘
linking IT processes and business goals. 3
3 KPI n -----------
Therefore, the path from business requirements 3
to IT became clear for the organization. 3 3
3 KGI 1 -----------
3 KGI 2 -----------
What processes and controls should be 3 3
3 KGI 3 -----------
implemented? 3 ‘
KGI n -----------
COBIT enabled the design of a clear policy and
good practices for IT control within the company.
From the framework, it was possible to organize
good practices and objectives for IT governance
based on domains and processes associated to Management
business requirements. The control objectives Decisions
provided a complete set of high-level Source: COBIT 4.1
®

Continued on page 8

page 7
COBIT Focus, April 2008
One of the project hindrances was some team
members’ lack of familiarity with the subject. To
work this out, all management and coordination
members participated in an internal training
program using the COBIT Foundation Course™.
A positive aspect of the project was the
usefulness of previous work based on the ITIL
model. Process effectiveness could be oriented
easily in the way of controls. In this matter, the
COBIT mapping to ITIL document was a key
support in reducing project time.
Finally, the advantages of implementing COBIT
as an IT governance framework were observed
quickly. The positive results came from better
alignment based on business focus, and from
raising awareness among executive
management about the value the Multiplan IT
division delivers to the business.
Romulo Gouvêa
is managing partner of VENCO IT Consulting
and Services. He is a consultant and solutions
and training provider in the Rio de Janeiro,
Brazil, IT governance market.
COBIT Research Update
COBIT initiatives scheduled for availability in the
second quarter of 2008:
• COBIT® Mapping: Mapping of COSO Enterprise
Risk Management With COBIT® 4.1
• COBIT® Mapping: Mapping of ITIL v3 With
COBIT® 4.1
• COBIT® Mapping: Mapping of FFIEC With
COBIT® 4.1
• Aligning COBIT®, ITIL and ISO 27002 for
Business Benefit
• COBIT® Users Guide for Service Managers
COBIT initiatives scheduled to start
development in 2008:
• Guide to Managing and Controlling Applications
Using COBIT®
An updated version of the Val IT framework and
a guide to “getting started with value
management” will be available in the second
quarter of 2008.
Tiago Quadra
is chief information officer of Multiplan
Empreendimentos Imobiliários S.A. He holds the
ITIL and COBIT Foundation certificates and is
highly experienced in IT operations
management in Canada and Brazil.
Endnotes
1
BOVESPA, The Sao Paulo Stock Exchange (Brazil)
2
Office of Government Commerce, IT Infrastructure
Library, ITIL v2, Service Support, UK, 2000
3
Office of Government Commerce, IT Infrastructure
Library, ITIL v2, Service Delivery, UK, 2000
4
IT Governance Institute, COBIT Mapping: Mapping of ITIL
With COBIT 4.0, USA, 2007, www.isaca.org/cobitmapping
5
IT Governance Institute, COBIT Online,
www.isaca.org/cobit, accessed 30 July 2007
6
IT Governance Institute, IT Governance Implementation
® nd
Guide: Using COBIT and Val IT™, 2 Edition, USA, 2007
7
The balanced scorecard is a coherent set of performance
measures organized in four categories, created and
proposed by Robert S. Kaplan and David P. Norton in 1992.
Help Others Learn About COBIT
COBIT is benefiting organizations and agencies
internationally, and there is a great demand for
case studies that describe different
implementations.
The experiences described in a COBIT case
study are effective ways to share what is
working and what challenges organizations
have faced. Submitting material for a case study
is easy. Simply contact news@isaca.org or
+1.847.660.5566 to receive details and a list of
questions. Examples of full implementations are
not necessary. Many organizations use portions
of COBIT or use it in very specific areas, and all
of these uses make good case studies.
ISACA staff members will draft the case study
based on the information supplied and send it
back for the organization’s review and
approval. Once the case study is approved, it
will be included on the COBIT case study
sections of the ISACA and ITGI web sites and
possibly in internal and external publications
and marketing materials.
page 8
COBIT Focus, April 2008
COBIT: An IT Governance Tool for the CIO and CEO
By Romulo Lomparte, CISA
IT should be regarded positively as a value creator
instead of just dwelling on the risks.
The chief information officer (CIO) of an
organization is often the person responsible for
some of the biggest costs/investments in an
enterprise and should always try to show how
technology can enable the business to create
value rather than simply justifying the annual
budget. Do the chief executive officer (CEO) and
the CIO think differently? Hopefully not—they
should be strategically aligned, driving the same
business goals and objectives.
Most departments in companies work as islands
and think about IT only when there is a problem.
That lack of business alignment can produce
conflicting interests and internal anarchy, which
may be reflected in management’s attitude. The
alignment of technology, for all areas, does not
have to be a goal, but a means to achieve goals.
The central foundation of strategic alignment is
that strategic planning and strategic operations
must be aligned closely. Therefore, it is best to
consider technology as a strategic tool and not
solely as a concrete resource. The integration of
the business with IT is feasible when the problems
of communication and understanding between the
IT department and the rest of the business are
unravelled and managed.
Alignment requires a good vision by the IT
manager of the business. However, in the majority
of cases, the IT department has too much of a
technical vision of the business goals and supports
strategic decisions based more on economic and
technological objectives than on business-enabling
objectives. IT leaders should help drive enterprise
strategy in partnership with the business. Strategic
decisions should not be of a financial or
commercial nature only; they also need to be
based on enabling the realization of business
benefits. For this reason, it is essential to maintain
communication both in business and technology.
Even when there is an organizational culture that
encourages the alignment of technology with the
business, the greatest barrier is when IT managers
continue to have friction with business managers
because of poor communication, lack of mutual
understanding and trust, and frustration caused by
failures—all leading to a culture of blame.
IT governance is one key part of enterprise
governance. In this sense, the IT manager must
integrate the IT planning and organization within
the overall enterprise to reach alignment of IT
operations and processes with the strategies of
the organization.
The use of COBIT, as a recognized and
internationally accepted standard, is
recommended for good practices of IT
governance. Today, the most successful
organizations are involved in the self-assessment
of their processes and administration techniques.
It is essential to understand that the board of
directors is responsible for the development and the
adoption of standards and norms to control the
company’s information systems and technologies.
COBIT is considered worldwide as an accepted
standard that is applicable for good practices of IT
governance, and it is rapidly being adopted. Its
fulfillment or application should be driven by the
board and executives because COBIT is clearly
recognized and internationally accepted as a
framework that enables effective IT controls, based
on criteria acceptable to all parties including auditors.
But what does COBIT provide to the CEO? A
reasonable assurance that:
• Accepted objectives of IT control good practices
are being reached
• Significant weaknesses in controls are identified
• The impact of risks associated with such
weaknesses are being considered properly
• Executives are being guided on the corrective
measures that must be adopted
COBIT permits quantitative and qualitative
evaluation, and helps management inform the
board of the true management and control status
of their information systems and processes, which
enables better governance of IT. COBIT is an
important tool for driving good practice and for
enabling management to take control of IT
investments and the associated risks. Based on
standards and internationally recognized good
practices, it also ensures compliance with
regulations, laws and contracts, and offers
confidence to third parties and business partners
regarding the service provision and automated
transaction flows.
Continued on page 10
page 9
COBIT Focus, April 2008
The implementation of better governance based
on COBIT realizes business benefits because it
facilitates the understanding and control of IT
operations within the whole enterprise. The
services or products offered are optimized when
the portfolio of information systems is managed
efficiently, with resources balanced and prioritized
to meet business needs. COBIT drives a better
return on IT investments, the delivery of IT-
enabled solutions and the effective use of IT within
business processes by identifying specific risks
and management gaps, and guiding the
implementation of appropriate controls.
COBIT provides good practice for the strategic
planning for IT, management of IT investments,
program and project management, and risk
assessment. COBIT also enables better
identification of the IT processes critical for
supporting the most important business
processes, products and services provided by
the organization.
How COBIT Would Help the CEO
The CEO has a significant responsibility in many IT
governance processes. According to COBIT’s
Responsible, Accountable, Consulted and/or
Informed (RACI) charts, the CEO should be
engaged in half of COBIT’s 34 IT processes and
Figure 1—Interrelationships of COBIT Components
Source: IT Governance Institute, COBIT 4.1, 2007
plays a key role in several, such as identification of
risks. COBIT can help the CEO evaluate how much
value IT gives to the business, how the resources
are managed and how to measure IT’s
performance in enabling the fulfillment of the
business goals. Armed with an awareness and
understanding of the conceptual framework of
COBIT, the CEO will be prepared to direct and
monitor the level of alignment of IT with the
business, and the impact such alignment is having.
To use COBIT effectively, the CEO should be
committed to overseeing the quality and security of
the information and other assets, as well as the
optimal use of IT resources, including applications,
data, infrastructure and people. To obtain their
objectives, CEOs should mandate effective
governance of IT, enabled by the COBIT
framework, so they are able to understand the
status of their enterprises’ IT architecture, and
influence where and what kind of governance and
control must be applied. CEOs can then obtain the
commitment of operational managers.
Enterprises cannot effectively respond to their
business and government IT requirements without
adopting and implementing good IT governance
Continued on page 11
page 10
COBIT Focus, April 2008
frameworks and the associated IT controls aligned
with business requirements. The COBIT framework
contains components that are interconnected,
offering support for the key necessities of
governance, administration, control and auditing of
the different shareholders, as shown in figure 1.
Lessons Learned From One Application
The following case can be a useful lesson to many
considering the application of an IT governance
framework. Although the continuation of the project
was jeopardized, due in large part to the negative
influences of a CEO and other managers who did
not provide the proper support or enable the CIO to
successfully complete the project, the following
describes a successful implementation of COBIT.
To initiate the project, the CIO informed the IT
auditor that he was interested in implementing an
IT governance framework, and asked the IT
auditor for support. The IT auditor proposed the
application of COBIT, since the main problem for
the organization was the lack of a governance
framework and the board had to be convinced of
its efficacy.
After two years and much hard work, the CIO and
his team had implemented COBIT; the CIO was
collaborating with the board on the design of
growth strategies, new products and services; and
they had almost finished turning IT into a function
for leveraging development of the organization.
Unfortunately, the CIO had not won the support of
other business managers and after these two
years and due to pressure by upper management,
the CIO could drive it no further.
ISACA COBIT Education
Looking for ways to build the internal
competencies that support the adoption of COBIT
and IT governance?
ISACA provides COBIT training in several formats.
All ISACA classroom-based courses are delivered
by ISACA-accredited trainers. The following are
descriptions of the current COBIT training
opportunities available through ISACA.
COBIT Awareness Course
The e-learning COBIT® Awareness Course is used
to build awareness around the use and benefits of
COBIT in an organization. Delivered in a two-hour
The lesson learned, during this short period of
successful IT governance in the organization,
showed that even with the certainty of success
with COBIT, there is also the necessity to have an
organizational commitment on the governance
framework for its successful application. Simply,
implementation is not enough; organizational buy-
in from the top down is required.
Conclusion
IT governance is an important part of enterprise
governance, oriented toward developing
processes, organizational structures and
leadership, and completing and suitably reflecting
the strategies and objectives of the organization.
COBIT is an international model that provides the
necessary tools to implement IT governance in
organizations looking to fulfill guidelines of
corporate governance principles for IT. With a
monitoring and self-assessment scheme of great
use to the CEO, COBIT integrates all the
necessary characteristics within a single integral
framework, in line with government and business
requirements. However, its likelihood of success is
drastically diminished if commitment and support
goes only so far as the CIO; successful
implementation depends on commitment and
support from the board and CEO on down.
Romulo Lomparte, CISA
is a IT corporate auditor for Yanbal International,
where he is responsible for reviewing and
evaluating IT controls. He can be reached at
rlomparte@viabcp.com.
online-only format, this course explores the current
difficulties organizations are dealing with and
builds a case for the adoption of COBIT as the
answer to these issues. For more information on
this course, please visit
www.isaca.org/cobitcampus.
COBIT Foundation Course
The COBIT Foundation Course, developed in
collaboration with ITpreneurs, explains the COBIT
framework using practical examples and a case
study. The course addresses how to realize
effective IT governance using the COBIT
framework. It is available online
Continued on page 12
page 11
COBIT Focus, April 2008

(www.isaca.org/cobitcampus) in several
formats and languages and as a
2008 Calendar of ISACA COBIT Events
classroom-based two-day workshop at
12-13 May ..................... COBIT® User Convention
many ISACA conferences.
Sponsor: Los Angeles Chapter
www.isaca.org/cobituserconvention
For more information on the classroom-
14-16 May ..................... COBIT User Convention
based course and upcoming site
Sponsor: Mexico City Chapter
locations, please contact ISACA at
www.isaca.org/cobituserconvention
education@isaca.org or ITpreneurs at
26-27 July ..................... Implementing IT Governance
www.isaca.org/cobitcampus.
Using COBIT and Val IT workshop
Toronto, Ontario, Canada
COBIT Foundation Exam
www.isaca.org/international
Those able to demonstrate that they
23-27 June...................... ISACA® Training Week (including
understand COBIT at a foundation level
COBIT-specific training)
and are capable of applying COBIT in
Minneapolis, Minnesota, USA
practice may choose to take the COBIT
www.isaca.org/trainingweek
Foundation exam. The exam is offered
15-19 September............ ISACA Training Week (including
at the conclusion of the classroom and
COBIT-specific training)
the online COBIT Foundation Course.
Edinburgh, Scotland, UK
www.isaca.org/trainingweek
Implementing IT Governance Using
COBIT and Val IT
The Implementing IT Governance Using COBIT ITpreneurs at www.isaca.org/cobitcampus.
and Val IT course focuses on using these two
ITGI-developed frameworks to help guide IT The COBIT Foundation Course, the COBIT
governance-related implementation activities. This Foundation exam and the Implementing IT
classroom-based course is delivered by trainers Governance Using COBIT and Val IT course are
accredited by ISACA at many ISACA conferences. offered by ISACA at ISACA conferences and
programs, by ISACA-accredited trainers and
For more information on the classroom-based through ITpreneurs.
course and upcoming site locations, please
contact ISACA at education@isaca.org or
Continued on page 13

More Training Options

A number of commercial training companies have licensed COBIT content from ISACA and ITGI as the
basis for the development of their own courseware. As official licensees of COBIT for training purposes,
these commercial training organizations are helping to advance the awareness and understanding of
COBIT around the world. Since these courses are not developed by ISACA, the association does not
review and endorse the training course nor does it accredit the trainers delivering the course materials.

Those companies with licenses for COBIT content for education purposes include:
• Analytix
• Fox IT
• IIR Training
• Lucid IT
• Learning Tree
• Peter Davis & Associates
• Pink Elephant
• Quint Wellington Redwood

Each organization and individual licensed to develop courseware based on COBIT must offer the COBIT
Foundation exam at the conclusion of the training course. The exam is administered by a proctor who is
independent of the training provider.

page 12
COBIT Focus, April 2008
COBIT: Strategies for Implementing
IT Governance
ISACA is proud to offer this new and unique
Training Week course for 2008. The COBIT
Training Week integrates ITGI research and
ISACA’s current COBIT educational courses into a
single, comprehensive, COBIT training program.
The course begins with an emphasis on IT issues,
governance concepts, control and risk
management, and how COBIT provides the
framework and tool set to meet the challenge of
managing IT resources to make available the best
information assets for business success. It follows
with a thorough explanation of how to implement
an IT governance process using the IT
Governance Implementation Guide, 2nd Edition,
and Val IT. During the week, the IT Assurance
Guide: Using COBIT® will also be presented and
illustrated.
Lectures, discussions, case studies and exercises
are used to help the participant understand proper
implementation techniques to achieve optimum
results for managing IT resources and properly
documenting controls for compliance.
COBIT Steering Committee
Robert E. Stroud, USA, chair
Gary S. Baker, CA, Canada
Rafael Eduardo Fabius, CISA, Uruguay
Urs Fischer, CISA, CIA, CPA (Swiss),
Switzerland
Erik Guldentops, CISA, CISM, Belgium
Jimmy Heschl, CISA, CISM, Austria
Debbie A. Lew, CISA, USA
Maxwell J. Shanahan, CISA, FCPA, Australia
Dirk E. Steuperaert, CISA, Belgium
Editorial Staff
Jane Seago
Chief Communications Officer
Jennifer Hajigeorgiou
Senior Editorial Manager
Comments regarding the editorial content may
be directed to Jennifer Hajigeorgiou, senior
editorial manager, at jhajigeorgiou@isaca.org.
This course is being offered:
• 23-27 June 2008, Minneapolis, Minnesota, USA
• 15-19 September 2008, Edinburgh, Scotland, UK
For more information on this new Training Week
course, please visit www.isaca.org/trainingweek.
COBIT User Conventions
In an effort to expand the number of presentations
of the COBIT User Convention and to identify and
attract COBIT users geographically, the
conventions are being offered through ISACA
chapters. These events are for experienced COBIT
users to discuss and debate COBIT applications,
solutions and approaches.
Each event will be two days in length and feature
case studies and facilitated discussion groups that
address how COBIT is used from governance and
assurance perspectives. To learn more about
these events and others as they become available,
please visit www.isaca.org/cobituserconvention
and click on the link on the right, “Scheduled
COBIT User Conventions.”
Get More Information on COBIT Education
For more information on the COBIT education
opportunities described here, please contact
education@isaca.org.
COBIT Focus is published by ISACA and the IT
Governance Institute. Opinions expressed in
COBIT Focus represent the views of the
authors. They may differ from policies and
official statements of ISACA and/or the IT
Governance Institute and their committees,
and from opinions endorsed by authors,
employers or the editors of COBIT Focus.
COBIT Focus does not attest to the originality of
authors’ content.
© 2008 ISACA and IT Governance Institute. All
rights reserved.
Instructors are permitted to photocopy isolated
articles for noncommercial classroom use
without fee. For other copying, reprint or
republication, permission must be obtained in
writing from the association. Please contact
Joann Skiba at jskiba@isaca.org.
page 13