COBIT and IT Governance – A Brief

IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organisational
structures and processes that ensure that the enterprise’s IT sustains and extends the organisation’s strategies and

Organisations should satisfy the quality, fiduciary and security requirements for their information, as for all assets.

Control Objectives for Information and related Technology (COBIT®) provides good practices across a domain and process
framework and presents activities in a manageable and logical structure. COBIT’s good practices represent the consensus of experts.
They are focused more on control than on execution. These practices will help optimise IT-enabled investments, ensure
service delivery and provide a measure against which to judge when things do go wrong.

The process focus of COBIT is illustrated by a process model that subdivides IT into four domains.

COBIT supports IT governance by providing a framework to ensure that:
• IT is aligned with the business
• IT enables the business and maximises benefits
• IT resources are used responsibly
• IT risks are managed appropriately

The benefits of implementing COBIT as a governance framework over IT include:
• Better alignment, based on a business focus
• A view, understandable to management, of what IT does
• Clear ownership and responsibilities, based on process orientation
• General acceptability with third parties and regulators
• Shared understanding amongst all stakeholders, based on a common language
• Fulfilment of the COSO requirements for the IT control environment

Business orientation is the main theme of COBIT. It is designed not only to be employed by IT service providers, users and
auditors, but also, and more important, to provide comprehensive guidance for management and business process owners.

Every enterprise uses IT to enable business initiatives, and these can be represented as business goals for IT.

To respond to the business requirements for IT, the enterprise needs to invest in the resources required to create an adequate
technical capability (e.g., an enterprise resource planning [ERP] system) to support a business capability (e.g., implementing a
supply chain) resulting in the desired outcome (e.g., increased sales and financial benefits).

The IT resources identified in COBIT can be defined as follows:
• Applications are the automated user systems and manual procedures that process the information.
• Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
• Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
• People are the personnel required to plan, organise, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.

COBIT defines IT activities in a generic process model within four domains. These domains are Plan and Organise, Acquire and
Implement, Deliver and Support, and Monitor and Evaluate. The domains map to IT’s traditional responsibility areas of plan,
build, run and monitor.

• Plan and Organise (PO)—Provides direction to solution delivery (AI) and service delivery (DS)
• Acquire and Implement (AI)—Provides the solutions and passes them to be turned into services
• Deliver and Support (DS)—Receives the solutions and makes them usable for end users
• Monitor and Evaluate (ME)—Monitors all processes to ensure that the direction provided is followed

The Plan and Organise (PO) domain typically addresses the following management questions:
• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organisation understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

The Acquire and Implement (AI) domain typically addresses the following management questions:
• Are new projects likely to deliver solutions that meet business needs?
• Are new projects likely to be delivered on time and within budget?
• Will the new systems work properly when implemented?
• Will changes be made without upsetting current business operations?

The Deliver and Support (DS) domain typically addresses the following management questions:
• Are IT services being delivered in line with business priorities?
• Are IT costs optimised?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place for information security?

The Monitor and Evaluate (ME) domain typically addresses the following management questions:
• Is IT’s performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are adequate confidentiality, integrity and availability controls in place for information security?

Using the maturity models developed for each of COBIT’s 34 IT processes, management can identify:
• The actual performance of the enterprise—Where the enterprise is today
• The current status of the industry—The comparison
• The enterprise’s target for improvement—Where the enterprise wants to be
• The required growth path between ‘as-is’ and ‘to-be’

Goals and metrics are defined in COBIT at three levels:
• IT goals and metrics that define what the business expects from IT and how to measure it
• Process goals and metrics that define what the IT process must deliver to support IT’s objectives and how to measure it
• Activity goals and metrics that establish what needs to happen inside the process to achieve the required performance and how to measure it

COBIT’s General Acceptability
COBIT is based on the analysis and harmonisation of existing IT standards and good practices and conforms to generally accepted
governance principles. It is positioned at a high level, driven by business requirements, covers the full range of IT activities, and
concentrates on what should be achieved rather than how to achieve effective governance, management and control. Therefore, it acts
as an integrator of IT governance practices and appeals to executive management; business and IT management; governance,
assurance and security professionals; and IT audit and control professionals. It is designed to be complementary to, and used together
with, other standards and good practices.

Standards and good practices are not a panacea.
Their effectiveness depends on how they have been implemented and kept up to date. They are most useful when applied as a set of
principles and as a starting point for tailoring specific procedures. To avoid practices becoming shelfware, management and staff
should understand what to do, how to do it and why it is important.

COBIT appeals to different users:
• Executive management—To obtain value from IT investments and balance risk and control investment in an often unpredictable IT environment
• Business management—To obtain assurance on the management and control of IT services provided by internal or third parties
• IT management—To provide the IT services that the business requires to support the business strategy in a controlled and managed way
• Auditors—To substantiate their opinions and/or provide advice to management on internal controls

Excerpted from the COBIT V 4.1 Handbook