COBIT 4.1

Introduction

This article is based on COBIT version 4.1. For terms and definitions refer to the dedicated article.

COBIT (“Control Objectives for Information and related Technology”) is an IT governance framework for IT management created by ISACA and ITGI. It ties together control requirements, technical issues and business risks. COBIT supports IT governance by providing a framework that helps align IT with the business, ensures IT resources are used efficiently, helps IT enable the business and ensures risks are managed appropriately. COBIT is considered the main framework for IT governance because it is aligned with other standards and continuously improved.

COBIT consists of a variety of products, organized into three levels:


[Figure: the three COBIT levels]

With respect to IT governance, the diagram above shows the primary audiences, the questions they ask and the COBIT products that answer them.


Basic Overview

The COBIT 4.1 book consists of four sections: the executive overview (1), the framework (2), the core content, consisting of control objectives, management guidelines and maturity models (3), and the appendices (4).

 

COBIT domains

COBIT is organized into four domains, as follows: Plan and Organize (PO), Acquire and Implement (AI), Deliver and Support (DS) and Monitor and Evaluate (ME).

 

Since COBIT 4.1 contains 34 processes, organized into the four domains, the core content is divided accordingly. Each process is covered in four sections, which together give a complete picture of how to control, manage and measure the process. The four sections are:

  1. Process descriptions
  2. Control objectives
  3. Management guidelines
  4. Maturity model for the process

 

At the end, it has been stated:

 

High-level processes (34)

In the “Plan and Organize” domain:

 

In the “Acquire and Implement” domain:

 

In the “Deliver and Support” domain:

 

In the “Monitor and Evaluate” domain:

 

Conclusion

In summary, COBIT supports IT governance by acting in these areas:

[Figure: IT governance areas]


Deep inside COBIT

For many enterprises, information and the technology that supports it represent their most valuable assets. Activities to protect these assets, the management of IT risks and control over information constitute the core of IT governance. IT governance is the responsibility of management and consists of leadership, organizational structures and processes. It helps ensure that IT supports the business objectives and that the enterprise can take full advantage of its information. COBIT is considered the main framework for IT governance because it is aligned with other standards and continuously improved.

IT Governance has become significant due to a number of factors:

 

Connected and aligned with business

COBIT helps IT deliver against business requirements by linking IT with the business, organizing activities into an accepted process model, identifying the major IT resources to be leveraged and defining control objectives and process controls. Business orientation is the main theme of COBIT.

 

[Figure: COBIT business orientation]

 

Managing and controlling information are at the heart of the COBIT framework and help ensure alignment with business requirements. To conform with the control criteria (the business requirements for information), COBIT defines seven information criteria:

 

Business and IT goals

COBIT’s business orientation is reflected in deriving IT goals from the business objectives while taking the business into account. If IT is to successfully deliver services that support the enterprise’s strategy, the business must clearly own and direct the requirements, and there must be a clear understanding of what IT needs to deliver and how.

 

[Figure: enterprise architecture for IT]

 

Goals that have been aligned and agreed on need to be monitored to ensure that delivery matches expectations. This is achieved by metrics that are derived from the goals and captured in an IT scorecard. For the customer to understand the IT goals and the IT scorecard, all of these objectives and their associated metrics should be expressed in business terms meaningful to the customer. This helps ensure the customer can confirm that IT is likely to support the business.

The IT organization delivers against the IT goals through a clear set of effective and efficient IT processes, supported by a variety of resources, such as:

 

Resources and criteria are shown in the COBIT cube.

 

[Figure: the COBIT cube]

Process oriented

COBIT’s process focus is illustrated by its 34 major processes organized in four domains.
To get IT under control such that it delivers the desired output, COBIT:

Defines activity goals by setting control objectives

 

Measures process performance by using a balanced scorecard

 

Benchmarks performance and capability by applying the Capability Maturity Model (CMM)

 

[Figure: COBIT domains]

 
Plan and Organize (PO)

Strategy definition, tactics and planning take place in this domain. It concerns the way IT can best contribute to the business objectives.

 

Acquire and Implement (AI)

This domain covers the evaluation, acquisition and development of IT solutions, which need to be implemented and integrated to realize the IT strategy. It also covers maintenance of and changes to existing systems.

 

Deliver and Support (DS)

This domain is concerned with service delivery and its management, support, security, continuity management, and the management of data and operating facilities.

 

Monitor and Evaluate (ME)

IT processes need to be assessed over time for quality and performance. This domain addresses performance management, monitoring of internal control, regulatory compliance and governance.

Across these four domains, COBIT has identified 34 IT processes that are generally used.

 

[Figure: the overall COBIT framework]

 

Verified by Controls

Control is defined as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected. Effective controls reduce risk, increase the likelihood of value delivery and improve efficiency because there will be fewer errors and a more consistent management approach.

 

Control objectives

Control objectives provide a complete set of high-level requirements to be considered by management for effective control of each IT process. Because each COBIT process has a number of control objectives defined by default, it is important to select those that are applicable and decide which ones to implement. Control objectives are identified by a two-character domain reference (PO, AI, DS or ME) plus a process number and a control objective number.

Besides the control objectives already mentioned, COBIT defines overarching process and application controls.

 

Process controls

In addition to the control objectives, each process has a number of process controls, which should be considered together with the control objectives to get a complete view. The process controls are:

 

PC1: Process Goals and Objectives

 

PC2: Process Ownership

 

PC3: Process Repeatability

 

PC4: Roles and Responsibilities

 

PC5: Policy, Plans and Procedures

 

PC6: Process Performance Improvement


In addition to knowing which controls to select, process owners need to understand what inputs they require from others and what others require from their process. COBIT provides illustrative examples for each process in the sections of:

 

The examples are not meant to be exhaustive, but they give a good idea and direction. You have to adapt them, choose the ones that are applicable and decide which controls to implement.

A company’s system of internal controls impacts IT at three levels:

 

Application controls

The following list provides a recommended set of application control objectives:

 

AC1: Source Data Preparation and Authorization

 

AC2: Source Data Collection and Entry

 

AC3: Accuracy, Completeness and Authenticity Checks

 

AC4: Processing Integrity and Validity

 

AC5: Output Review, Reconciliation and Error Handling

 

AC6: Transaction Authentication and Integrity

 

Altogether, these controls help assure the completeness, accuracy and validity of data, authorize access to it and support segregation of duties.

 

Determining maturity with maturity models

Before acting and improving, a company needs to know the status of its processes, IT systems and controls. While this sounds easy, in practice it is not: it requires knowing what to measure and how. COBIT deals with these issues by providing maturity models that enable benchmarking and the identification of necessary capability improvements. The maturity model used in COBIT is shown below.

 

[Figure: maturity model]

 

Using the maturity model developed for each of COBIT’s 34 IT processes, management can identify:

 

Please be aware that when assessing a process, different parts of its implementation can be at different maturity levels. This means that one part may be insufficient while others are adequate. Such a state can be shown, for example, in a clustered column chart.

 

The 0-5 scale is based on a simple maturity scale showing how a process evolves from a non-existent capability to an optimized capability.

 

The three maturity dimensions (of a process) can be illustrated as follows:

 

[Figure: maturity dimensions]

 

The maturity model is a way of measuring, explaining and expressing how well developed management processes are, i.e., how capable they actually are. How well developed or capable they should be depends primarily on the IT goals and the underlying business needs they support.

Be aware that process management capability is not the same as process performance. Capability, as determined by business and IT goals, may not need to be applied to the same level across the entire IT environment, e.g., not consistently or to only a limited number of systems or units.

The maturity models used in COBIT are built up starting from the generic qualitative model (capability ranking 0-5) to which principles from the following attributes are added in an increasing manner through the levels:

 

Characteristics from the above attributes are used to describe how IT processes are managed and how they evolve from a non-existent to an optimized process.

In summary, maturity models provide a generic procedure to assess, elaborate and display the capability of IT processes and how they evolve over time. Coverage, depth of control, and how the capability is used and deployed are cost-benefit decisions.

Although a properly applied capability already reduces risks, an enterprise still needs to analyze the controls necessary to ensure that risk is mitigated and value is obtained in line with the risk appetite and business objectives. These controls are guided by COBIT’s control objectives.

 

Performance Measurement

Goals and metrics are defined in COBIT at three levels:

 

IT goals and metrics

 

Process goals and metrics

 

Activity goals and metrics


The graphic below shows how the different kinds of goals are linked together.

 

[Figure: goals linkage]

 

Outcome measures indicate whether goals have been met. The question can be answered only after the fact, so they are called “lag indicators”.

Performance indicators indicate whether goals are likely to be met. They are called “lead indicators”, because they can be applied before the outcome is clear.

Outcome measures of IT functions are often expressed in terms of information criteria, such as:

COBIT provides outcome measures for the areas of “IT Goal” up to “Activity Goal”. While IT outcome measures can serve as performance indicators for business goals, COBIT itself does not provide outcome measures for business goals.


COBIT Framework Navigation

As mentioned at the outset, COBIT 4.1 contains 34 processes, organized into four domains. Each process is covered in four sections, which together give a complete picture of how to control, manage and measure the process. The four sections are:

  1. Process descriptions
  2. Control objectives
  3. Management guidelines
  4. Maturity model for the process

 

In the end, by applying these four sections to every process in sequence, it has been stated:

 

In the following, I give an overview of how each of the four sections is organized and what it contains.

Section 1 – Process descriptions

This section is organized as follows:

[Figure: framework navigation, section 1]

 

 

Section 2 – Control Objectives

This section starts with the process domain and process name. It is then followed by a number of control objectives, each with its own descriptive text.

<Process Domain – Process Number – Process name>

Example: PO1 Define a Strategic IT Plan

 

PO1.1 IT Value Management

 

PO1.2 Business IT Alignment

 

PO1.3 Assessment of Current Capability and Performance

 

PO1.4 IT Strategic Plan

 

PO1.5 IT Tactical Plans

 

PO1.6 IT Portfolio Management

 

Section 3 – Management Guidelines

The management guidelines section contains input and output tables, a RACI chart, and goals and metrics for IT, processes and activities.

 

[Figure: framework navigation, section 3]

 

 

Section 4 – Maturity model for the process

This section contains the maturity scale from 0 to 5, showing how a process can evolve from a non-existent capability to an optimized capability.

<Process Domain – Process Number – Process name>

Example: PO1 Define a Strategic IT Plan

 

0 Non-existent when

 

1 Initial/ Ad Hoc when

 

2 Repeatable but Intuitive when

 

3 Defined when

 

4 Managed and Measurable when

 

5 Optimized when


Appendix

 

Interrelation of COBIT components

 

The various COBIT components (mentioned at the outset and covered in detail in this article) interrelate as illustrated in the picture below.

 

[Figure: interrelation of COBIT components]