COBIT 5, the latest version of the control objectives, aims to achieve the following:

• Help enterprises derive optimal value from IT by maintaining a balance between realizing the desired benefits, and optimizing risk levels and resource use
• Enable information and related technology to be governed and managed in a holistic manner across the enterprise
• Integrate business and functional areas of responsibility with IT-related interests of all stakeholders

The Evolution of COBIT

Since it was first established, COBIT has gone through several revisions. COBIT 5 packs in more punch by integrating the best features of the earlier versions.

The first and second editions, released in 1996 and 1998 respectively, focused on control objectives, and were based on a purely IT control and audit framework. The third version (2000) was an IT management framework which incorporated management guidelines.

IT governance became the guiding force behind COBIT 4.0 (2005) and 4.1 (2007), with the inclusion of governance and compliance processes, and removal of assurance processes.

With COBIT 5, businesses have a framework that:

• Incorporates new Governance of Enterprise IT (GEIT) principles

The five principles are as follows:

1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management

The seven enablers facilitate the introduction and implementation of COBIT 5 principles. These enablers are as follows:

1. Principles, policies, and frameworks which offer guidance for routine management of issues
2. Processes which help reach the stated overall goals
3. Organizational structures which often decide the main strategy driving the enterprise
4. Culture, ethics and behavior which play an important role in any enterprise, and vary across the company and its international operations
5. Information which, if harnessed at the right time and in the right way, can result in maximum benefits for all stakeholders
6. Services, infrastructure, and applications
7. People, skills and competencies which together help ensure a strong competitive advantage and success in the long run
INSIGHT
COBIT 5’s Navigation Aids

The COBIT 5 conceptual framework can be approached from three vantage points: Information criteria, IT resources, and IT processes.

The information criteria describe the requirements for information effectiveness, efficiency, confidentiality, integrity, availability, compliance, and reliability. The IT resources are defined to help meet business requirements, and include people, applications, technology, facilities, and data. The IT processes in this context are planning and organization, acquisition and implementation, delivery and support, and monitoring.

How can organizations ensure that the output of their IT resources and IT processes match the information security criteria established for meeting key business objectives? This is where COBIT 5’s sound internal control framework comes into play. COBIT 5’s navigation aids link the processes, resources, and criteria to 34 overall control objectives with 318 detailed control objectives.

The navigation aids function together in the following way:

The control of IT processes – which satisfy the business requirements, and is in turn enabled by control statements, and takes into consideration control practices.

COBIT 5 from an Audit Manager’s Perspective

COBIT 5 is not only a cost-efficient approach, but also a conceptually easy framework for auditors to understand and communicate to the management. COBIT 5 moves away from the “maturity models” in COBIT 4.1, to “Process Capability Model”.

lock on a door.” How does one know if the lock is a good control or not? It depends on whether the objective of the lock is to keep people out or in. Only if this is known, will one be able to determine which side of the door the key should be on.

Similarly, IT controls can be better monitored and audited when the objective behind the control is clear. The advantage of COBIT is that it helps determine these objectives. Therefore, instead of waiting for an audit, businesses can implement controlled self-assessments, where management can themselves evaluate the efficiency of the control structure. COBIT 5 has only one control objective: Enterprise goals should be achieved.

The process capability model as outlined in COBIT 5 has a number of benefits for auditors. This includes enhanced usability, reliability as well as frequency of process capability assessment initiatives. It also provides a strong base for conducting more rigorous assessments, as well as reducing the disagreements between stakeholders on assessment results.

COBIT 5 as an Overarching Corporate Governance Integrator

COBIT 5 aligns with the latest international standards and frameworks, including enterprise frameworks such as COSO, ISO/IEC 9000, ISO/IEC 31000, and IT-related frameworks such as ISO/IEC 38500, ITIL, ISO/IEC 27000, TOGAF, PMBOK/PRINCE 2, and CMMI. This allows enterprises to use COBIT 5 as the overarching governance and management framework integrator.

Information Systems Audit and Control Association (ISACA) is now planning to facilitate COBIT user mapping of practices and activities to third-party references, to enable effective control management without duplication of effort.
A Detailed Look at Internal Control Components

The following five internal control components interact with each other and are integrated with the management process. They must be embedded seamlessly into the operational activities of the organization.

When it comes to audit planning and scheduling, the auditing system should help audit managers view enterprise-wide IT auditing requirements, as well as auditor profiles and qualifications, and accordingly allocate task assignments and resources. Centralized dashboards can help in tracking and managing these plans and schedules efficiently.

In the project management stage, portable technical devices can be leveraged to enter field data, and sync it with the central audit management system for optimal efficiency.

A robust audit work-paper management system can enable an integrated and collaborative approach to preparing, organizing, referencing, reviewing, and retaining work-papers created during audits. Such a system can also help in sharing audit information, and synchronizing audit activities across the enterprise.

The relevant information must be accurately identified, captured, and communicated to all stakeholders. Appropriate communication channels should be employed to target various stakeholders, and employees should be adequately educated about their individual roles in the internal exercise.

Reporting technology should also be leveraged wherever possible to improve the efficiency and effectiveness of audit reporting. An advanced reporting system can provide real-time and enterprise-wide views of audit processes and results through advanced dashboards. This information is extremely valuable for stakeholders and the leadership to make informed and actionable decisions.

Conclusion

Ingraining COBIT 5-based auditing into the organizational DNA is critical to building a secure IT environment that is closely aligned to changing business realities. Organizations that establish a COBIT-oriented auditing approach are better positioned to comply with IT regulatory requirements in a sustainable manner, and drive better value for their enterprise.
MetricStream
www.metricstream.com info@metricstream.com
© Copyright 2014. All Rights Reserved.