The Business Controls Caddy

Understanding COBIT Part I: What is COBIT and Why Does It Matter?

I have been doing some postings on here that have involved or referenced "Control Objectives for Information and related Technologies" (COBIT). But what exactly is COBIT and why does it matter to you? In simplest terms, COBIT is a set of generally accepted information technology control objectives, as recognized by information systems auditors around the world. The Information Systems Audit and Control Association (ISACA) refers to them as a tool "that provides a reference framework for management, users, and IS audit, control and security practitioners". It is the equivalent of the Generally Accepted Accounting Principles (GAAP) that apply to financial accounting.

Published by the Information Technology Governance Institute (ITGI), COBIT not only provides a tool for auditors, but also a roadmap for companies to follow in deciding the best way to integrate technology to meet specific business objectives and to implement sound controls that support those objectives. COBIT is guidance and is not mandatory, but it can easily be mapped to help organizations meet regulatory or other requirements around the globe.

Why does it matter? COBIT arose out of a recognized need to integrate technology controls into a larger internal control framework for a business (How to Comply with Sarbanes-Oxley Section 404: Assessing the Effectiveness of Internal Controls, by Michael Ramos. John Wiley and Sons. 2004). The framework most used in the United States is the one published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO was formed in 1985 as a "voluntary private sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance." Some might argue that its objectives failed in light of the Enron, Adelphia, and WorldCom scandals. Others might counter that those failures were the result of greed, not of a failure of controls. The "school" answer is probably somewhere in between. Notwithstanding, this is the framework COBIT was developed in reference to, and the basis for Sarbanes-Oxley (SOX) Section 404.

So what are the elements and characteristics that make up COBIT as a whole? The following information is extracted from "COBIT in Relation to Other International Standards", by Jimmy Heschl (Information Systems Control Journal, Volume 4, 2004).

Description/Taxonomy

COBIT is a collection of publications, classified as best practices for Information Technology (IT) Control and IT Governance.

Issuer/Publisher

COBIT is issued, maintained and updated by the Information Technology Governance Institute (ITGI), which was "established in 1998 in recognition of the increasing criticality of information technology to enterprise success." COBIT is published by the Information Systems Audit and Control Association (ISACA) in print, on-line, and downloadable document formats.

Goals

IT Control objectives for day-to-day use.

Target Audience

Management, users and auditors.

Circulation

Worldwide with localized versions.

Latest Revision

2004

In addition to COSO, COBIT exists in an environment of other frameworks, regulations and laws. These will be discussed in Part II of this discussion. Stay tuned...

Copyright 2004, The Cayuga Group, LLC. All Rights Reserved.