Another more IT‐oriented internal control framework is called Control Objectives for
Information and related Technology (COBIT). The COBIT internal control framework provides
guidance on evaluating and understanding internal controls, with an emphasis on enterprise IT
resources and governance issues.
These are COBIT’s five major areas of emphasis, arranged around the important core
concept of IT governance:
1. Strategic alignment. Efforts should be in place to align IT operations and activities with
all other enterprise operations. These include establishing linkages between enterprise
business operations and IT plans as well as processes for defining, maintaining, and
validating quality and value relationships.
2. Value delivery. Processes should be in place to ensure that IT and other operating units
deliver promised benefits throughout a delivery cycle and with a strategy that optimizes
costs while emphasizing the intrinsic values of IT and related activities.
3. Risk management. Management at all levels should have a clear understanding of an
enterprise’s appetite for risk, compliance requirements, and the impact of significant
risks. Both IT and other operations have their own and joint risk management
responsibilities that may individually or in combination impact the entire enterprise.
4. Resource management. With an emphasis on IT, there should be an optimal investment
in, and the proper management of, critical IT resources, applications, information,
infrastructure, and people. Effective IT governance depends on the optimization of
knowledge and infrastructure.
5. Performance measurement. Processes should be in place to track and monitor strategy
implementation, project completions, resource usage, process performance, and service
delivery. IT governance mechanisms should translate implementation strategies into
actions and measurements to achieve these goals.
COBIT FRAMEWORK
COBIT approaches internal controls and enterprise governance from a different perspective
than we have introduced through COSO in previous chapters. In addition, although it purports to
cover all enterprise internal controls and governance issues, it is heavily IT‐oriented. COBIT is
an important and useful tool and reference source for internal auditors. The following five
sections will introduce and discuss COSO’s five key principles. These principles have been
extracted and summarized from ISACA published documentation.
While COSO internal controls are built around only a single framework model and some
general guidance for evaluating and assessing these internal controls, there is an extensive and
detailed set of published materials supporting COBIT internal control assessments. In this
section, we provide a limited summary of some of the COBIT guidance materials to give an
internal auditor a flavor of COBIT, but interested professionals may want to consult the ISACA
web site for more information and to request full copies of supporting materials. Downloadable
versions are free to ISACA members or can be purchased at a nominal cost.
COBIT divides the steps necessary to evaluate IT controls and processes into what it
calls five domain areas:
1. Evaluate, Direct, and Monitor (EDM)
2. Align, Plan, and Organize (APO)
3. Build, Acquire, and Implement (BAI)
4. Deliver, Service, and Support (DSS)
5. Monitor, Evaluate, and Assess (MEA)
The COSO internal control framework states that internal control is a process—established by
an entity’s board of directors, senior management, and other personnel—designed to provide
reasonable assurance regarding the achievement of stated objectives. While having similar
objectives, COBIT approaches IT controls by looking at information—not just COSO’s financial
information—that is needed to support business requirements and the associated IT resources
and processes.