COBIT and IT Governance: Focusing on IT Governance, Value Delivery and IT Investment Evaluation
COBIT Focus
The newsletter dedicated to the COBIT® user community
April 2008, Volume 2
For more than 10 years, the COBIT framework has been used by the state’s auditors to benchmark areas of IT that were, or should be, subject to review or examination, and by a small number of agency managers to gain a better understanding of IT management processes. Since then, the implementation of COBIT by the Office of the State Auditor has evolved as COBIT has undergone updates. The Office is now aligning its activities with COBIT 4.1 and is shifting a portion of the IT audit work toward IT governance, value delivery and IT investment evaluation. From an audit perspective, agency personnel have found COBIT helpful in understanding where the “goal posts” are in terms of being subject to independent examination.
In This Issue…
COBIT and IT Governance: Focusing on IT Governance, Value Delivery and IT Investment Evaluation, by John W. Beveridge ........ page 1
CGEIT Credential Meets Business Demands for IT Governance, by John Lainhart ........ page 3
Adoption of COBIT by Multiplan, by Romulo Gouvêa and Tiago Quadra ........ page 5
COBIT: An IT Governance Tool for the CIO and CEO, by Romulo Lomparte ........ page 9
ISACA COBIT Education ........ page 11

Process
After initial adoption, COBIT was soon introduced to the then-chief information officer (CIO) of the Commonwealth’s information technology division, who adopted it as a reference model. To date, agency personnel have found COBIT helpful in understanding the importance of IT governance and assurance, and also as guidance in developing and strengthening management control practices.

On the audit side, in addition to being used as a reference for control objectives and control practices, COBIT was used initially in comparing existing IT-related policies and high-level procedures at state agencies to assess the extent of coverage to an established high-level framework. While this was helpful on individual audit engagements, COBIT was also used in overall IT audit planning. Although not identified as an audit planning tool by ITGI, the Office of the State Auditor found COBIT very useful in framing preaudit and survey work for overall planning
COBIT Focus, April 2008
purposes. By mapping COBIT to existing audit coverage and audit results, one could identify areas where increased attention or improved scope may be warranted. One of the more valuable tools for audit planning and working with auditee management was a series of COBIT matrices that was initially developed in conjunction with Bentley College. The matrices were later used as input to the IT Governance Implementation Guide, now in its second edition. In addition, management guidelines and COBIT 4.1 have stimulated a healthy focus on RACI charts, metrics and maturity models to help assess assignment of responsibilities, evaluate communication, measure performance and assess process capability.

Through the years, COBIT has been introduced at a number of levels to auditees, agency management, legislators, and boards and commissions within Massachusetts state government. Audit teams have introduced COBIT to IT and non-IT management and staff on individual audit assignments at various state agencies. Although initially used as audit criteria, the growing array of COBIT products has been used to assist agencies in “getting their arms around IT” from a management and control perspective.

The first enterprise-based information security policy, which was developed and unanimously adopted on 24 October 2001 by the Commonwealth’s Enterprise Security Board (ESB) and implemented by the Commonwealth’s CIO on 27 November 2001, noted that additional reference materials and guidance may also be found in the publications of ITGI/ISACA. Since that time, the ESB has referred to COBIT as a primary reference in developing security policies and standards and has sponsored COBIT training for agency personnel. COBIT’s control objectives and management guidelines and, in particular, ITGI’s Board Briefing on IT Governance have been introduced at the Commonwealth’s IT Commission, IT Advisory Board and CIO meetings.

Examples of where COBIT has been referenced include the ESB Advisory Memorandum regarding the IT Commission Security Recommendations, Status & Update Advisory, 20 December 2006, stating that:

…The ESB believes that continued acceptance in the adoption of generally accepted control models (e.g., COBIT) and IT management and security practices...within an appropriate IT governance framework will provide the required foundation to achieve operational and security objectives.

The same advisory memorandum also stated that:

Certification programs for security professionals exist, such as MCSE, GCET for technical certification as well as professional certifications such as CISA or CISSP for mid-level managers and CISM and CPP for executives.

Another reference is the Massachusetts Office of the Inspector General’s Guide to Developing and Implementing Fraud Prevention Programs.
Published in April 2005, it included ISACA within the list of resources for developing an effective fraud policy and fraud prevention program. The document noted that ISACA’s web site provides valuable links, journal articles on technological topics of interest and information on how professionals can become a CISM or CISA.

Conclusion
The use of COBIT by the Office of the State Auditor has evolved as COBIT has evolved. Currently, the Office is amending audit work programs to be aligned with COBIT 4.1 and is shifting a portion of the IT audit work toward IT governance, value delivery and IT investment evaluation. COBIT has been used as a reference in policy development, control design and, to a limited extent, control assessment for state agencies. Even though there have been changes with new administrations, there is a strong recognition by the Commonwealth’s recently appointed CIO that IT must be better managed.

John W. Beveridge, CISA, CISM, CFE, CGFM is a past president of ISACA and ITGI, and is a member of the Assurance Committee and CGEIT Certification Board. He is deputy state auditor at the Office of the State Auditor, Massachusetts, USA.
[Figure residue (maturity chart, labels in Portuguese): COBIT processes DS2.1 Identification of all supplier relationships, DS2.3 Supplier risk management and DS2.4 Supplier performance monitoring, rated on the maturity scale 0 Non-existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised, with management-attention states: implementation well under way, implementation started, management attentive, management not committed to resolving. Check marks in the source render as “3”.]
Data Collection
During this phase, the team collected data and information from books and interviews with
Also during this phase, ITGI’s COBIT Online®5 web-based tool was used for benchmarking (figure 3). Here the aim was to compare Multiplan’s scenario against market references available in the tool database.

Project
The project phase output was a draft version of the project report. It was designed based on suggestions and recommendations of the goal and performance indicators to be used in everyday management and IT governance. After the conclusion of this phase, it was possible to make management decisions to allow for production and collection of indicators (see figure 4).

[Figure residue: Figure 1—Linking Business Goals and IT Goals, a matrix of Business Goals against IT Objectives, together with a matrix of ITIL Disciplines against COBIT Processes; the check marks in the cells render as “3” in the extracted text. Source: IT Governance Institute, COBIT 4.0, Appendix I—Linking Business Goals and IT Goals.]
[Figure residue (maturity chart, labels in Portuguese): COBIT processes DS2.1 Identification of all supplier relationships, DS2.2 Supplier relationship management, DS2.3 Supplier risk management and DS2.4 Supplier performance monitoring, rated on the maturity scale 0 Non-existent, 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimised, with management-attention states: implementation well under way, implementation started, management attentive, management not committed to resolving.]

Following the project, it was possible to measure IT processes in regard to their maturity under the COBIT maturity models, their performance according to key performance indicators (KPIs), and their efficiency according to key goal indicators (KGIs) suggested in the management guidelines portion of the framework.

Production
Production of the final document followed the reading and validation of the draft project report.

Outcomes
Results were positive. The model guidelines helped provide answers to the initial questions, as follows.

How can we cope with the need to align IT and business?

According to the model, “IT processes have requirements from business and reply with information.” With its business-oriented approach, the COBIT process framework allowed for a comprehensive view of IT and its related decisions. As an IT governance support tool set

Final Considerations
This work encouraged Multiplan to read and implement the recommendations presented in the IT Governance Implementation Guide,6 as well as to learn more about other COBIT processes not initially covered in this study.

With the project results, Multiplan’s IT management team was able to create an IT balanced scorecard7 aligned with the company’s business strategy.

Once the project concluded, a better alignment with internal audit activities regarding COBIT processes AI6 Managing changes and AI7 Installing and validating solutions and changes, in terms of financial data output, was developed.

[Figure residue: Figure 4—ITIL to COBIT Performance and Goal Indicators, an indicators-selection matrix of ITIL Disciplines against COBIT Processes with KPI columns; check marks render as “3”.]
Romulo Gouvêa is managing partner of VENCO IT Consulting and Services. He is a consultant and solutions and training provider in the Rio de Janeiro, Brazil, IT governance market.
IT should be regarded positively as a value creator instead of just dwelling on the risks.

The chief information officer (CIO) of an organization is often the person responsible for some of the biggest costs/investments in an enterprise and should always try to show how technology can enable the business to create value rather than simply justifying the annual budget. Do the chief executive officer (CEO) and the CIO think differently? Hopefully not—they should be strategically aligned, driving the same business goals and objectives.

Most departments in companies work as islands and think about IT only when there is a problem. That lack of business alignment can produce conflicting interests and internal anarchy, which may be reflected in management’s attitude. The alignment of technology, for all areas, does not have to be a goal, but a means to achieve goals. The central foundation of strategic alignment is that strategic planning and strategic operations must be aligned closely. Therefore, it is best to consider technology as a strategic tool and not solely as a concrete resource. The integration of the business with IT is feasible when the problems of communication and understanding between the IT department and the rest of the business are unravelled and managed.

Alignment requires a good vision by the IT manager of the business. However, in the majority of cases, the IT department has too much of a technical vision of the business goals and supports strategic decisions based more on economic and technological objectives than on business-enabling objectives. IT leaders should help drive enterprise strategy in partnership with the business. Strategic decisions should not be of a financial or commercial nature only; they also need to be based on enabling the realization of business benefits. For this reason, it is essential to maintain communication both in business and technology. Even when there is an organizational culture that encourages the alignment of technology with the business, the greatest barrier is when IT managers continue to have friction with business managers because of poor communication, lack of mutual understanding and trust, and frustration caused by failures—all leading to a culture of blame.

IT governance is one key part of enterprise governance. In this sense, the IT manager must integrate the IT planning and organization within the overall enterprise to reach alignment of IT operations and processes with the strategies of the organization.

The use of COBIT, as a recognized and internationally accepted standard, is recommended for good practices of IT governance. Today, the most successful organizations are involved in the self-assessment of their processes and administration techniques.

It is essential to understand that the board of directors is responsible for the development and the adoption of standards and norms to control the company’s information systems and technologies. COBIT is considered worldwide as an accepted standard that is applicable for good practices of IT governance, and it is rapidly being adopted. Its fulfillment or application should be driven by the board and executives because COBIT is clearly recognized and internationally accepted as a framework that enables effective IT controls, based on criteria acceptable to all parties including auditors.

But what does COBIT provide to the CEO? A reasonable assurance that:
• Accepted objectives of IT control good practices are being reached
• Significant weaknesses in controls are identified
• The impact of risks associated with such weaknesses are being considered properly
• Executives are being guided on the corrective measures that must be adopted

COBIT permits quantitative and qualitative evaluation, and helps management inform the board of the true management and control status of their information systems and processes, which enables better governance of IT. COBIT is an important tool for driving good practice and for enabling management to take control of IT investments and the associated risks. Based on standards and internationally recognized good practices, it also ensures compliance with regulations, laws and contracts, and offers confidence to third parties and business partners regarding the service provision and automated transaction flows.
The implementation of better governance based on COBIT realizes business benefits because it facilitates the understanding and control of IT operations within the whole enterprise. The services or products offered are optimized when the portfolio of information systems is managed efficiently, with resources balanced and prioritized to meet business needs. COBIT drives a better return on IT investments, the delivery of IT-enabled solutions and the effective use of IT within business processes by identifying specific risks and management gaps, and guiding the implementation of appropriate controls.

COBIT provides good practice for the strategic planning for IT, management of IT investments, program and project management, and risk assessment. COBIT also enables better identification of the IT processes critical for supporting the most important business processes, products and services provided by the organization.

How COBIT Would Help the CEO
The CEO has a significant responsibility in many IT governance processes. According to COBIT’s Responsible, Accountable, Consulted and/or Informed (RACI) charts, the CEO should be engaged in half of COBIT’s 34 IT processes and plays a key role in several, such as identification of risks. COBIT can help the CEO evaluate how much value IT gives to the business, how the resources are managed and how to measure IT’s performance in enabling the fulfillment of the business goals. Armed with an awareness and understanding of the conceptual framework of COBIT, the CEO will be prepared to direct and monitor the level of alignment of IT with the business, and the impact such alignment is having.

To use COBIT effectively, the CEO should be committed to overseeing the quality and security of the information and other assets, as well as the optimal use of IT resources, including applications, data, infrastructure and people. To obtain their objectives, CEOs should mandate effective governance of IT, enabled by the COBIT framework, so they are able to understand the status of their enterprises’ IT architecture, and influence where and what kind of governance and control must be applied. CEOs can then obtain the commitment of operational managers.

Enterprises cannot effectively respond to their business and government IT requirements without adopting and implementing good IT governance
frameworks and the associated IT controls aligned with business requirements. The COBIT framework contains components that are interconnected, offering support for the key necessities of governance, administration, control and auditing of the different shareholders, as shown in figure 1.

Lessons Learned From One Application
The following case can be a useful lesson to many considering the application of an IT governance framework. Although the continuation of the project was jeopardized, due in large part to the negative influences of a CEO and other managers who did not provide the proper support or enable the CIO to successfully complete the project, the following describes a successful implementation of COBIT.

To initiate the project, the CIO informed the IT auditor that he was interested in implementing an IT governance framework, and asked the IT auditor for support. The IT auditor proposed the application of COBIT, since the main problem for the organization was the lack of a governance framework and the board had to be convinced of its efficacy.

After two years and much hard work, the CIO and his team had implemented COBIT; the CIO was collaborating with the board on the design of growth strategies, new products and services; and they had almost finished turning IT into a function for leveraging development of the organization. Unfortunately, the CIO had not won the support of other business managers and after these two years and due to pressure by upper management, the CIO could drive it no further.

The lesson learned, during this short period of successful IT governance in the organization, showed that even with the certainty of success with COBIT, there is also the necessity to have an organizational commitment on the governance framework for its successful application. Simply, implementation is not enough; organizational buy-in from the top down is required.

Conclusion
IT governance is an important part of enterprise governance, oriented toward developing processes, organizational structures and leadership, and completing and suitably reflecting the strategies and objectives of the organization. COBIT is an international model that provides the necessary tools to implement IT governance in organizations looking to fulfill guidelines of corporate governance principles for IT. With a monitoring and self-assessment scheme of great use to the CEO, COBIT integrates all the necessary characteristics within a single integral framework, in line with government and business requirements. However, its likelihood of success is drastically diminished if commitment and support goes only so far as the CIO; successful implementation depends on commitment and support from the board and CEO on down.

Romulo Lomparte, CISA is an IT corporate auditor for Yanbal International, where he is responsible for reviewing and evaluating IT controls. He can be reached at rlomparte@viabcp.com.
(www.isaca.org/cobitcampus) in several formats and languages and as a classroom-based two-day workshop at many ISACA conferences.

For more information on the classroom-based course and upcoming site locations, please contact ISACA at education@isaca.org or ITpreneurs at www.isaca.org/cobitcampus.

COBIT Foundation Exam
Those able to demonstrate that they understand COBIT at a foundation level and are capable of applying COBIT in practice may choose to take the COBIT Foundation exam. The exam is offered at the conclusion of the classroom and the online COBIT Foundation Course.

Implementing IT Governance Using COBIT and Val IT
The Implementing IT Governance Using COBIT and Val IT course focuses on using these two ITGI-developed frameworks to help guide IT governance-related implementation activities. This classroom-based course is delivered by trainers accredited by ISACA at many ISACA conferences.

For more information on the classroom-based course and upcoming site locations, please contact ISACA at education@isaca.org or ITpreneurs at www.isaca.org/cobitcampus.

The COBIT Foundation Course, the COBIT Foundation exam and the Implementing IT Governance Using COBIT and Val IT course are offered by ISACA at ISACA conferences and programs, by ISACA-accredited trainers and through ITpreneurs.

2008 Calendar of ISACA COBIT Events
12-13 May ..................... COBIT® User Convention
                              Sponsor: Los Angeles Chapter
                              www.isaca.org/cobituserconvention
14-16 May ..................... COBIT User Convention
                              Sponsor: Mexico City Chapter
                              www.isaca.org/cobituserconvention
26-27 July ..................... Implementing IT Governance Using COBIT and Val IT workshop
                              Toronto, Ontario, Canada
                              www.isaca.org/international
23-27 June ...................... ISACA® Training Week (including COBIT-specific training)
                              Minneapolis, Minnesota, USA
                              www.isaca.org/trainingweek
15-19 September ............ ISACA Training Week (including COBIT-specific training)
                              Edinburgh, Scotland, UK
                              www.isaca.org/trainingweek
Those companies with licenses for COBIT content for education purposes include:
• Analytix
• Fox IT
• IIR Training
• Lucid IT
• Learning Tree
• Peter Davis & Associates
• Pink Elephant
• Quint Wellington Redwood
Each organization and individual licensed to develop courseware based on COBIT must offer the COBIT
Foundation exam at the conclusion of the training course. The exam is administered by a proctor who is
independent of the training provider.