Internal control is a process effected by an entity’s board of directors, management and other personnel and is designed to provide reasonable assurance that the system achieves its objectives of efficient and effective operations, reliable financial reporting and compliance with legislation.
After identifying the business objectives, the existing controls for managing the risks should be identified and their adequacy evaluated. Evaluating the adequacy will go hand in hand with balancing the investment in control systems and the risks addressed. Information Technology (IT) security and systems of control assist with managing risk to an acceptable level, leaving (net) residual risk. Evaluating and deciding on an acceptable level of residual risk is difficult without a control framework of generally accepted practices as a benchmark. In South Africa, the King Report on Corporate Governance is best known. One such framework at an IT-level is Control Objectives for Information and related Technology (COBIT).
The purpose of this article is to provide a high-level introduction to this topic. It covers the basics of COBIT, its benefits and some key guidelines. The intention of the article is to be an introduction to this topic, consequently the benefits, problems and considerations are not exhaustive. The latest version of COBIT (v4.1) as well as executive summaries, which provide more detail, are available for download from the Information Systems Audit and Control Association at: www.ISACA.org.
What is COBIT?
COBIT is used as a set of generally accepted best practices framework to assist in developing appropriate IT governance and controls, and assurance in a company that links IT to business requirements and related resources. It provides tools in the form of high-level objectives, to assess and measure the performance of IT processes. Its purpose is to create generally accepted IT control objectives for day-to-day use. Consequently it provides an adaptive benchmark, which sets out the objectives that are to be achieved by each process. It attempts to bridge the gap between business risk, control needs and technical issues. It aids management in defining IT strategies and architecture, in acquiring the necessary skills, software and hardware to execute the strategy, ensuring continuous service and evaluating the performance of the IT system (COBIT 2007).
Basics of COBIT
COBIT consists of three main parts: (i) control framework, (ii) management guidelines and (iii) implementation toolset. This article focuses on the framework and neither discusses the management guidelines nor the implementation toolkit. It should be noted that COBIT can be interpreted differently, and explanations and various other interpretations are available online. This is but one interpretation. The conceptual framework can be approached from three dimensions, as shown in figure 1.
Figure 1: COBIT conceptual Framework
COBIT covers a broad spectrum of areas in IT governance. This includes the following four domains:
- Plan and organise: It highlights the organisational and infrastructural form.
- Acquire and implement: It covers identifying IT requirements, acquiring and implementing IT within the company’s current business processes. It also addresses the maintenance plan.
- Deliver and support: It focuses on the delivery aspects of the IT, also including the support processes including security issues and training.
- Monitor and evaluate: It deals with a company’s strategy in assessing the needs of the company, meets the objectives of the company and compliance with the regulatory requirements.
Control is approached by looking at the information necessary to support the business objectives. Information is then the result of the combined application of IT-related resources that need to be managed by IT processes. Each domain summarises several processes, linking each process to a control objective, which can be used to design an appropriate control, activity or task. These can also be used to evaluate the impact on the business and IT resources. Each process is evaluated, the risks identified are evaluated and its impact rated, either as (H)igh, (M)edium or (L)ow, and considered relative to the information criteria as shown in figure 2. This assists to identify the important risk areas. The idea being that, if these processes are properly managed, IT will be governed effectively.
Figure 2: Extract of an evaluation worksheet
When is COBIT appropriate?
Although smaller versions of COBIT can be implemented, COBIT is usually implemented if there is a sufficiently “large” IT infrastructure, with standard or automated IT processes. It is desirable to implement COBIT if there is a need for IT governance and a framework for a quality management system and an alignment of IT with business goals. The need may also arise from external parties, where for example a structured audit approach is to be defined by auditors, or compliance with external regulatory requirements is of concern (including legislative for example Basel II or Sarbanes-Oxley).
Another consideration in deciding if COBIT
is appropriate for an organisation is the cost of implementation (in terms of time and money) compared to the expected benefits to
Why is COBIT better than other frameworks?
COBIT provides insight into managing the system, its risk and its controls effectively. It serves as a standard for complete assessment and a means of consistent reporting. Compliance with COBIT results in a fulfilment of the Committee of Supporting Organisations (COSO) requirements for the IT control environment, resulting in a better alignment, based on a business focus. This is also beneficial when viewed in the light of the harmonisation in accounting (IFRS), reporting (XBRL) and other standards.
COBIT addresses a broad spectrum of duties in IT governance, including those covered by other standards. Although technical details have not been included, the necessary tasks for complying with the control objectives are self-explanatory. It is classified as relatively high-level, aiming to be generically complete but not specific. This makes it adaptable to any organisation. The user must decide on the applicability. However, all areas are not equally covered, for example, COBIT does not provide strong security guidelines.
COBIT focuses on IT control and metrics, and is a comprehensive uniform IT process model that helps to determine areas of strategic importance. This allows for a better understanding of the risks, thus also allowing for the identification of opportunities. It helps to align IT processes and control with the business’ objectives. This allows for a specific focus.
COBIT provides an adaptive benchmark, reflects the industry best practices and is a generally accepted control framework, which is accepted by IT auditors, risk managers and regulators (locally and abroad, for example Sarbanes-Oxley). It is supported by a vast community. Due to its wide acceptance, it is used as the benchmark, and most other frameworks (which provide the detail not provided by COBIT) are mapped against COBIT, making it a good starting point, ensuring that all IT aspects are considered. The IT Governance Institute in the United States issued a mapping document which maps various IT guidelines to COBIT and is available online at www.ISACA.org
(Author unknown 2006).
Concerns about COBIT
Although COBIT is complex, it describes what needs to be done in broad generalities and does not describe how each of these control objects is to be accomplished. COBIT practices are more focused on controls than on execution. However, there are tools such as the Information Technology Infrastructure Library (ITIL) et cetera that provide detailed guidance. Modern packages (e.g. SAP and Microsoft) have their own framework, which could result in duplication. Because COBIT is general, it relies on the users to customise its application, in most cases the IT-gap could lead to a failure.
COBIT is paper and resource (time, money et cetera) intensive. Due to the cost considerations, COBIT is mainly applicable to large enterprises, even though it is unlikely that the entire COBIT process will be implementable. Some control objectives are not applicable to all organisations. Specifically small organisations do not need to implement all aspects and could result in over expenditure. It could also lead to a loss of focus on the important areas.
COBIT is an adaptive framework, which can be used as a generally accepted benchmark to evaluate a system. It has its benefits, but is not applicable to all organisations. Careful consideration must be given to all factors before implementation, and the factors can be interpreted differently. This article is but one interpretation.
- Authors unknown. 2006. COBIT mapping: Overview of international IT guidance. 2nd edition, IT Governance Institute. Available at: www.isaca.org [Accessed 14 December 2007].
- Boshoff, W. 2007. IT Governance: IT Governance frameworks and their Integration. Masters in Accounting (Computer Auditing) lecture slides. Stellenbosch University. September 2007.
- COBIT Steering Committee (COBIT). 2007. COBIT 4.1. 4.1st edition. IT Governance Institute. Available at: www.isaca.org. [Accessed
20 December 2007].
- Lamprecht, C. 2004. Hacker risk in e-commerce systems with specific reference to the disclosure of confidential information. South African Journal of Information Management, Vol 6(4):Dec 2004.
Riaan Rudman CA(SA) BBusSc (Hons), PGDA, MBusSc (Fin), is a lecturer in the Department of Accounting at the University of Stellenbosch.