Control Objectives for Business and Related Information Technology
The Control Objectives for Business and Related Information Technology (COBIT®), originally developed by ISACA in 1996 and updated several times, most recently in 2012, is among the most widely used models for IT governance
IT Governance and Management Frameworks 179
legal and regulatory requirements such as those mandated under Sarbanes–Oxley and Directive 2006/43/EC. Its primary focus is on good governance practices, rather than audit or compliance, but its detailed hierarchy of principles, enablers, and processes provides a basis for conducting IT audits of organizations that implement COBIT. Two versions of COBIT are widely used in organizational governance programs: the current COBIT 5 framework and the 4.1 version that preceded it. COBIT 5 reflects an integrated approach combining key principles and objectives from version 4.1 with several other ISACA domain-specific frameworks—including Val IT (focused on business investments), Risk IT (focused on IT risk management), the Business Model for Information Security (BMIS), and the IT Assurance Framework (ITAF)—and elements of the Information Technology Infrastructure Library (ITIL®) and several ISO standards [11].
COBIT 4.1 remains applicable to IT auditing because many organizations that implemented the governance framework since its release in 2005 did so to help achieve compliance with requirements in the Sarbanes–Oxley Act and associated rules, and continue to describe their operations in terms of the processes and control objectives COBIT 4.1 defined. Those control objectives, while not included in COBIT 5, help define the scope for audits of processes in the COBIT framework. COBIT 5 also identifies seven categories of enablers—principles, policies, and frameworks; processes; organizational structures; culture, ethics, and behavior; information; services, infrastructure, and applications; and people, skills, and competencies—each of which could represent subject areas for IT audits. COBIT 4.1 also emphasizes the cyclical pattern of executing governance processes in each domain, shown in Figure 9.4, reflecting the familiar plan–do–check–act (PDCA) pattern used in audits of governance, risk, and compliance functions, information security management, and quality management.
As a governance framework, COBIT first considers the business goals of an organization and the IT goals, objectives, and processes that support those business goals. The COBIT 5 framework is organized around five main principles [11]:
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management.

COBIT 5 emphasizes core governance activities of setting enterprise goals and objectives, prioritizing IT investments, making strategic decisions to further progress toward those goals and objectives, and assessing performance in their achievement. From the IT auditor’s perspective, COBIT 5 offers less explicit direction than version 4.1, in large part because auditing is not a primary focus of the newer guidance. ISACA publishes several more specialized documents providing guidance to organizations on applying COBIT 5 in different governance contexts, including assurance, information security, and assessment [13]. The enterprise-level perspective COBIT 5 uses also comes into play when evaluating entity-level controls, as
180 CHAPTER 9 Methodologies and Frameworks
Figure 9.4 (content of the flattened figure, reconstructed): Business objectives feed governance objectives, which COBIT 4.1 addresses through four domains executed in a cycle, applied against a set of information criteria and IT resources.

Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability

IT resources: Applications, Information, Infrastructure, People

Plan and organize:
PO1 Define a strategic IT plan.
PO2 Define the information architecture.
PO3 Determine technological direction.
PO4 Define the IT processes, organization and relationships.
PO5 Manage the IT investment.
PO6 Communicate management aims and direction.
PO7 Manage IT human resources.
PO8 Manage quality.
PO9 Assess and manage IT risks.
PO10 Manage projects.

Acquire and implement:
AI1 Identify automated solutions.
AI2 Acquire and maintain application software.
AI3 Acquire and maintain technology infrastructure.
AI4 Enable operation and use.
AI5 Procure IT resources.
AI6 Manage changes.
AI7 Install and accredit solutions and changes.

Deliver and support:
DS1 Define and manage service levels.
DS2 Manage third-party services.
DS3 Manage performance and capacity.
DS4 Ensure continuous service.
DS5 Ensure systems security.
DS6 Identify and allocate costs.
DS7 Educate and train users.
DS8 Manage service desk and incidents.
DS9 Manage the configuration.
DS10 Manage problems.
DS11 Manage data.
DS12 Manage the physical environment.
DS13 Manage operations.

Monitor and evaluate:
ME1 Monitor and evaluate IT performance.
ME2 Monitor and evaluate internal control.
ME3 Ensure compliance with external requirements.
ME4 Provide IT governance.
FIGURE 9.4
The COBIT 4.1 framework defines an interrelated set of processes and control objectives for use in IT governance [12] .
Source: COBIT 4.1, IT Governance Institute, © 2007. All rights reserved. Used by permission.
governance framework organized into five distinct yet related domains: evaluate, direct, and monitor; align, plan, and organize; build, acquire, and implement; deliver, service, and support; and monitor, evaluate, and assess. Each domain contains multiple processes. For each process, COBIT offers a description and guidance on assessment, the latter derived in large part from ISO/IEC 15504. The COBIT 5
Table 9.6 COBIT 5 Domains and Processes [11]

IT Domain: Evaluate, Direct, and Monitor
Processes:
EDM01 Ensure Governance Framework Setting and Maintenance
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency

IT Domain: Align, Plan, and Organize
Processes:
APO01 Manage the IT Management Framework
APO02 Manage Strategy
APO03 Manage Enterprise Architecture
APO04 Manage Innovation
APO05 Manage Portfolio
APO06 Manage Budget and Costs
APO07 Manage Human Resources
APO08 Manage Relationships
APO09 Manage Service Agreements
APO10 Manage Suppliers
APO11 Manage Quality
APO12 Manage Risk
APO13 Manage Security

IT Domain: Build, Acquire, and Implement
Processes:
BAI01 Manage Programs and Projects
BAI02 Manage Requirements Definition
BAI03 Manage Solutions Identification and Build
BAI04 Manage Availability and Capacity
BAI05 Manage Organizational Change Enablement
BAI06 Manage Changes
BAI07 Manage Change Acceptance and Transitioning
BAI08 Manage Knowledge
BAI09 Manage Assets
BAI10 Manage Configuration

IT Domain: Deliver, Service, and Support
Processes:
DSS01 Manage Operations
DSS02 Manage Service Requests and Incidents
DSS03 Manage Problems
DSS04 Manage Continuity
DSS05 Manage Security Services
DSS06 Manage Business Process Controls

IT Domain: Monitor, Evaluate, and Assess
Processes:
MEA01 Monitor, Evaluate, and Assess Performance and Conformance
MEA02 Monitor, Evaluate, and Assess the System of Internal Control
MEA03 Monitor, Evaluate, and Assess Compliance with External Requirements
Although ISACA is responsible both for the COBIT framework and for the Certified Information Systems Auditor (CISA) certification, CISA-certified auditors are not obligated to follow COBIT. CISAs use ISACA’s audit standards and guidelines, in much the same way that membership in some other professional organizations comes with a requirement to use the organization’s audit standards, but COBIT is aimed at a different level. Implementing COBIT is an organizational decision about governance, and the governance domains described in the framework apply to organizations and their IT processes, not to individuals. Auditors with the CISA credential may assess the information system controls of an organization following any governance approach, formal or otherwise, so while the CISA auditing and governance processes align well to COBIT, their applicability is not limited to organizations using COBIT.