INTRODUCTION TO COBIT

Control Objectives for Information and related Technology

Presented by: Agustinus T Pambudi
IT Day 2014

Why Does IT Need a Control and

Governance Framework?
Do any of these conditions sound familiar?
Increasing pressure to leverage technology in business strategies

Growing complexity of IT environments

Fragmented IT infrastructures
Demand for technologists outstripping supply
Communication gap between business and IT managers

IT service levels that are disappointing

IT costs perceived to be out of control
Marginal ROI/productivity gains on technology investments
Impaired organisational flexibility and nimbleness to change

User frustration leading to ad hoc solutions

IT managers operating like fire fighters

Why Does IT Need a Control and

Governance Framework?
The Need Defined
IT provides value
Cost, time and functionality are as expected

IT does not provide surprises

Risks are mitigated

IT pushes the envelope

New opportunities and innovations for process,
product and services

Why Does IT Need a Control and

Governance Framework?
The Need Defined

MANAGEMENTS EXPECTATION FOR IT

Quality up
Time-to-market down
Service levels increased
Costs contained

Reengineered processes
Right-sized operations
Distributed processing
Flattened organisations
Empowerment
Outsourcing

Managements Responsibility for IT

Safeguard assets

Leverage IT

Information has become a most valuable asset

IT Governance Model

PO
AI
DS
MO

IT governance helps ascertain how automated systems:

- Simplify operations
- Cut costs
- Increase revenue

Needs an IT control framework

Basic COBIT Principle

Business
Requirements

How do they relate?

COBIT Framework
IT
Resources

IT
Processes

Data

Plan and Organise

Information
Systems

Acquire and
Implement

Technology

Deliver and Support

Facilities

Monitor and
Evaluate

Human
Resources

IT
Processes

IT
Resources

Business
Requirements

Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Information
Reliability

Business Requirements

COBIT Framework
Quality Requirements:
Quality
Cost
Delivery
Fiduciary Requirements

(COSO Report)
Effectiveness and efficiency
of operations
Reliability of financial
reporting
Compliance with laws and
regulations

Security Requirements
Confidentiality
Integrity
Availability

Business
Requirements
IT
Processes

Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability of
Information

IT
Resources

Business Requirements

COBIT Framework

Business
Requirements
IT
Processes

EffectivenessDeals with information being relevant and pertinent to the

business process as well as being delivered in a timely, correct, consistent and
usable manner
EfficiencyConcerns the provision of information through the optimal (most
productive and economical) usage of resources
ConfidentialityConcerns protection of sensitive information from
unauthorized disclosure
IntegrityRelates to the accuracy and completeness of information as well as
to its validity in accordance with the business' set of values and expectations
AvailabilityRelates to information being available when required by the
business process, and hence also concerns the safeguarding of resources
ComplianceDeals with complying with those laws, regulations and
contractual arrangements to which the business process is subject, i.e.,
externally imposed business criteria
Reliability of informationRelates to systems providing management with
appropriate information for it to use in operating the entity, in providing
financial reporting to users of the financial information, and in providing
information to report to regulatory bodies with regard to compliance with laws
and regulations

IT
Resources

IT Processes

COBIT Framework

Domains

Business
Requirements
IT
Processes

IT
Resources

Natural grouping of processes,

often matching an organisational
domain of responsibility

A series of joined activities with

natural control breaks
Processes

Activities
or tasks

Actions needed to achieve a

measurable result. Activities have
a life cycle whereas tasks are
discrete.

COBIT Framework

Business
Requirements
IT
Processes

IT
Resources

IT Domains

Plan and Organise

Acquire and
Implement
Deliver and
Support
Monitor and
Evaluate

Natural grouping of processes,

often matching an
organisational domain of
responsibility

IT Processes

IT Strategy
Policy and Procedures
Feasibility Study
Acceptance Testing
Change Management
Contingency Planning
Problem Management

A series of joined activities

with natural (control) breaks

Activities

Record New Problem

Analyse
Propose Solution
Monitor Solution
Record Known Problem
Etc.

Actions needed to achieve a

measurable result. Activities have a
life cycle whereas tasks are
discrete.

The COBIT Cube

COBIT Framework

DOMAINS

PLAN AND ORGANISE (PO)

Questions addressed:
Are IT and the business strategy aligned?
Is the enterprise achieving optimum use of its
resources?
Does everyone in the organisation understand the
IT objectives?
Are IT risks understood and being managed?
Is the quality of IT systems appropriate for business
needs?

DOMAINS

ACQUIRE AND IMPLEMENT (AI)

Questions addressed:
Are new projects likely to deliver solutions that meet
business needs?
Are new projects likely to be delivered on time and
within budget?
Will the new systems work properly when
implemented?
Will changes be made without upsetting current
business operations?

DOMAINS

DELIVER AND SUPPORT (DS)

Questions addressed:
Are IT services being delivered in line with business
priorities?
Are IT costs optimised?
Is the workforce able to use the IT systems
productively and safely?
Are adequate confidentiality, integrity and availability
in place for information security?

DOMAINS

MONITOR AND EVALUATE (ME)

Questions addressed:
Is ITs performance measured to detect problems
before it is too late?
Does management ensure that internal controls are
effective and efficient?
Can IT performance be linked back to business
goals?
Are adequate confidentiality, integrity and availability
controls in place for information security?

COBIT
Framework
M1
M2
M3
M4

Criteria

Effectiveness
Efficiency
Confidenciality
Integrity
Availability
Compliance
Reliability

Monitor the process

Assess internal control adequacy
Obtain independent assurance
Provide for independent audit

MONITOR AND
EVALUATE
DS1 Define service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and attribute costs
DS7 Educate and train users
DS8 Assist and advise IT customers
DS9 Manage the configuration
DS10 Manage problems and incidents
DS11 Manage data
DS12 Manage facilities
DS13 Manage operations

PO1 Define a strategic IT Plan

PO2 Define the information architecture
PO3 Determine the technological direction
PO4 Define the IT organisation and relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage human resources
PO8 Ensure compliance with external requirements
PO9 Assess risks
PO10 Manage projects
PO11 Manage quality

IT
RESOURCES

Data
Application systems
Technology
Facilities
People

PLAN AND
ORGANISE

ACQUIRE AND
IMPLEMENT

DELIVER AND
SUPPORT

AI1
AI2
AI3
AI4
AI5
AI6

Identify automated solutions

Acquire and maintain application software
Acquire and maintain technology infrastructure
Develop and maintain IT procedures
Install and accredit systems
Manage changes

COBITExample Process

Waterfall Model

COBITExample Process

COBITExample Process

COBITExample Process

COBITExample Process

COBITExample Process

COBITExample Process

Control Responsibility