
Chapter 6, COBIT and Other ISACA Guidance

Another more IT‐oriented internal control framework is called Control Objectives for
Information and related Technology (COBIT). The COBIT internal control framework provides
guidance on evaluating and understanding internal controls, with an emphasis on enterprise IT
resources and governance issues.
The following list shows COBIT’s five major areas of emphasis, arranged around the core
concept of IT governance:
1. Strategic alignment. Efforts should be in place to align IT operations and activities with
all other enterprise operations. These include establishing linkages between enterprise
business operations and IT plans as well as processes for defining, maintaining, and
validating quality and value relationships.
2. Value delivery. Processes should be in place to ensure that IT and other operating units
deliver promised benefits throughout a delivery cycle and with a strategy that optimizes
costs while emphasizing the intrinsic values of IT and related activities.
3. Risk management. Management at all levels should have a clear understanding of an
enterprise’s appetite for risk, compliance requirements, and the impact of significant
risks. Both IT and other operations have their own and joint risk management
responsibilities that may individually or in combination impact the entire enterprise.
4. Resource management. With an emphasis on IT, there should be an optimal investment
in, and the proper management of, critical IT resources, applications, information,
infrastructure, and people. Effective IT governance depends on the optimization of
knowledge and infrastructure.
5. Performance measurement. Processes should be in place to track and monitor strategy
implementation, project completions, resource usage, process performance, and service
delivery. IT governance mechanisms should translate implementation strategies into
actions and measurements to achieve these goals.

COBIT FRAMEWORK
COBIT approaches internal controls and enterprise governance from a different perspective
than we have introduced through COSO in previous chapters. In addition, although it purports to
cover all enterprise internal controls and governance issues, it is heavily IT‐oriented. COBIT is
an important and useful tool and reference source for internal auditors. The following five
sections introduce and discuss COBIT’s five key principles. These principles have been
extracted and summarized from ISACA published documentation.

PRINCIPLE 1: MEETING STAKEHOLDER NEEDS
COBIT’s first principle is almost obvious, stating that an enterprise and its key management
should recognize that their enterprise exists to create value for their stakeholders. Value
creation, as defined in COBIT, means realizing a wide range of benefits at optimal resource
costs, risks, and resource utilization. These benefits can take many forms, including financial
for commercial enterprises or public service for governmental entities.
PRINCIPLE 2: COVERING THE ENTERPRISE END TO END
COBIT states that it addresses the governance and management of information and related
technology from an enterprise‐wide, end‐to‐end perspective (not a very common expression for
most internal auditors). This means that COBIT calls for the integration of enterprise IT
governance, and that the governance system for enterprise IT proposed by COBIT should
integrate seamlessly into any governance system. COBIT aligns with views on IT governance
covering all functions and processes required to govern and manage enterprise information
and related technologies wherever that information may be processed.
PRINCIPLE 3: A SINGLE INTEGRATED FRAMEWORK
COBIT is a single and integrated framework as it aligns with other current relevant standards
and frameworks, such as ITIL, and allows the enterprise to use COBIT as an overarching
governance and management framework integrator. It is complete in enterprise coverage,
providing a basis to integrate effectively other frameworks, standards, and practices. A single
overarching framework serves as a consistent and integrated source of guidance in a
nontechnical, technology‐agnostic common language.
PRINCIPLE 4: ENABLING A HOLISTIC APPROACH
Enablers are factors that, individually and collectively, influence whether something will
work—in this case, the governance and management over enterprise IT. COBIT identifies the
following classes or types of enablers:
- Principles, policies, and frameworks are enabler vehicles to translate the desired behavior
into practical guidance for day‐to‐day management.
- Organizational structure enablers are the key decision‐making entities in an enterprise.
- Culture, ethics, and behavior of individuals and of the enterprise are enablers often
underestimated as a success factor in governance and management activities.
- Information enablers are pervasive throughout any organization and include all information
produced and used by the enterprise. Information is required for keeping the organization
running and well governed, but at the operational level, information is very often the key
product of the enterprise itself.
- Service, infrastructure, and application enablers include the infrastructure, technology,
and applications that provide the enterprise with information technology processing and
services.
- Personal professional skills and competencies are required for successful completion of
all activities and for making correct decisions and taking corrective actions.
PRINCIPLE 5: SEPARATING GOVERNANCE FROM MANAGEMENT
COBIT’s remaining and fifth principle focuses on the importance of separate but related
concepts of management and governance in an IT‐oriented enterprise. The COBIT
framework makes a clear distinction between governance and management. These two
disciplines include different types of activities, require different organizational structures,
and serve different purposes. This distinction is a key to COBIT’s view of governance and
management.

USING COBIT TO ASSESS INTERNAL CONTROLS

While COSO internal controls are built around only a single framework model and some
general guidance for evaluating and assessing these internal controls, there is an extensive and
detailed set of published materials supporting COBIT internal control assessments. In this
section, we provide a limited summary of some of the COBIT guidance materials to give an
internal auditor a flavor of COBIT, but interested professionals may want to consult the ISACA
web site for more information and to request full copies of supporting materials. Downloadable
versions are free to ISACA members or can be purchased at a nominal cost.
COBIT divides the steps necessary to evaluate IT controls and processes into what COBIT
calls five domain areas:
1. Evaluate, Direct, and Monitor (EDM)
2. Align, Plan, and Organize (APO)
3. Build, Acquire, and Implement (BAI)
4. Deliver, Service, and Support (DSS)
5. Monitor, Evaluate, and Assess (MEA)

MAPPING COBIT TO COSO INTERNAL CONTROLS

The COSO internal control framework states that internal control is a process—established by
an entity’s board of directors, senior management, and other personnel—designed to provide
reasonable assurance regarding the achievement of stated objectives. While having similar
objectives, COBIT approaches IT controls by looking at information—not just COSO’s financial
information—that is needed to support business requirements and the associated IT resources
and processes.
