COBIT 4.0 enables continuous improvement in IT governance
COBIT 4.0, the IT governance framework, is being increasingly used by CIOs to develop
best practices for IT control. A Rafeq, President, Strategic Development
and Alliances, Tally Solutions, talks to Kumar Dawada about COBIT 4.0's
approaches to regulatory compliance and how it helps align IT best practices
with business processes.
What are the highlights of COBIT 4.0?
The latest version of Control Objectives for Information and related Technology
(COBIT) focusses on regulatory compliance. It helps organisations in increasing
the value attained from IT. COBIT 4.0 provides guidelines for streamlined and
practical activities, and enables them to achieve continuous improvement in IT
COBIT 4.0 addresses the needs of auditors, regulators, security experts and
others in their job of providing assurance on the performance of IT under
different circumstances. As more enterprises adopt specialised guidance such
as ITIL and ISO 17799, COBIT can be used as the integrator, umbrella framework
and practical guidance tool for overall IT control.
It targets three main audiences: management, IT and auditors. The benefits of
implementing COBIT as a governance framework include better alignment based
on business focus. It makes management understand IT better. There is clarity
of ownership and responsibilities, based on process orientation.
How is the COBIT framework different from other frameworks/standards
such as ITIL, ISO 9001, ISO 17799 and CMM?
COBIT is the overall framework for control and governance
over IT. It is an integrator of many other global frameworks
and based on many of them. COBIT works in tandem with
those other frameworks. The IT Governance Institute
(ITGI) intended COBIT to suit every organisation. However,
there is also a need for detailed, standardised practitioner
processes. Specific practices and standards, such as
ITIL and ISO 17799, cover specific areas and can be mapped
to the COBIT framework, and provide a hierarchy of guidance.
What verticals and organisations does COBIT target?
COBIT's high-level, platform-neutral nature makes it suitable for any
type of enterprise, regardless of size or industry. It can also be customised.
Enterprises can use only those portions that apply to their environment and
customise their selections to fill their needs. COBIT is not a cookbook
that requires that the user start at the beginning and go through page by page,
applying each piece of guidance, in a given order. It is a very flexible document.
For instance, COBIT Quickstart is a stripped-down version for smaller enterprises,
and COBIT Security Baseline focuses only on the security-specific material from
The Reserve Bank of India has been using COBIT for providing guidelines on IT
controls to financial institutions in India. Many IT companies such as Infosys,
Wipro, Satyam, TCS, i-Flex Solutions and Tally Solutions use COBIT. Many banks
in India are also using COBIT for designing IT policies and procedures, and
for giving IT control guidelines.
How does COBIT meet regulatory requirements?
An entire publication addresses the use of COBIT in achieving compliance with
the US Sarbanes-Oxley Act. It is titled IT Control Objectives for Sarbanes-Oxley,
and is available for free download from the ITGI site, www.itgi.org. COBIT addresses
the attainment of control over IT, which includes reliability, confidentiality
and availability of data. This is what most regulations are attempting to enforce.
Therefore, COBIT is a useful tool for enterprises to use in any compliance effort.
Can you highlight the best practices laid down in COBIT for
mitigating IT-related risks, monitoring and improving critical IT activities
as well as aligning IT with business?
There are more than 50 international best practices which have been considered
and used in COBIT. COBIT Control Objectives ensure that all key risks for each
of the processes are mitigated by appropriate controls. COBIT management guidelines
outline key goal indicators and key performance indicators for each of the 34
COBIT shows the functional breakdown of the IT business (plan and organise,
acquire and implement, deliver and support, and monitor and evaluate) and the
processes required to successfully execute each function (34 processes in all).
In essence, it describes the complete IT lifecycle from a management perspective.
It not only describes processes in detail, but also outlines their control objectives
and critical quality criteria. It provides a guideline for self-assessing your
level of maturity in executing each process. These best practices help in not
only ensuring that IT-related risks are mitigated but also that IT value delivery
is successfully achieved.
How can COBIT align business and IT plans and operations?
COBIT has a fundamental orientation to business requirements. Research carried
out by the University of Antwerp into how IT supports business objectives in
different industry sectors provided a generic cross-reference of common business
goals to IT goals. A table is provided showing the relationship among business
goals, IT goals and COBIT's IT processes to help users identify business-to-IT
linkages in their own organisations. This was also used to improve the goal
and performance metrics.
COBIT 4.0 provides RACI charts (who is responsible, accountable, consulted and
informed) to address process roles and responsibilities for each IT process,
and enterprise architecture principles are explained within the framework, linking
goals, resources, information and processes. To improve understanding of the
IT process model, COBIT 4.0 contains descriptions of each process together with
process inputs and outputs with cross-references to other processes.
What trends will be seen in control frameworks in the near future?
There is a trend among the owners of various global frameworks to make them
more compatible, so that they can all be used together, each addressing its
own particular niche of expertise. With more frameworks involved, there can
be increased complexity, so efforts will be made to make them easy to use. Implementing
control over any aspect of IT should not be a complex or tedious job. Frameworks
will look for ways to make the process more streamlined and adaptable in future.
Information Systems Audit and Control Association (ISACA) and ITGI believe that
control frameworks have to keep evolving dynamically to meet the needs of business.
ITGI has prepared a roadmap for continuous updating of all its guidelines and
COBIT-related products.
In current and later versions, the control practices will be modified to align
with COBIT 4.0. The audit guidelines will be enhanced and replaced by a new
IT assurance guide. COBIT Online will provide templates to download to support
these techniques. The COBIT implementation guide as well as all COBIT-related
components will be revised and updated.