An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0

Page 1: An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0

Page 3

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a voluntary, private-sector, not-for-profit organization dedicated to improving the quality of financial reporting through business ethics, internal controls and corporate governance. Originally formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, COSO is jointly sponsored by five major professional associations in the United States: the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, The Institute of Internal Auditors, and the Institute of Management Accountants.

Page 4

The new Enterprise Risk Management (ERM) COSO framework emphasizes the importance of identifying and managing risks across the enterprise.

The new COSO framework consists of eight components:

• Internal control environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

Page 6

COBIT

Page 7

What is COBIT?

COBIT supports IT governance by providing a framework to ensure:

• Strategic Alignment: IT is aligned with the business
• Value Delivery: IT delivers the promised benefits against the strategy
• Resource Management: Optimal investment and management of IT resources
• Risk Management: IT risks are managed appropriately
• Performance Measurement: Track and monitor all areas of IT

Page 9

Why COBIT?

“Managers, Auditors, and users benefit from the development of COBIT because it helps them understand their IT systems and decide the level of security and control that is necessary to protect their companies’ assets through the development of an IT governance model.”

Page 10

Support Levels of COBIT

COBIT's organization falls into three areas or levels, each aimed at a specific group:

1. Executive Management and Boards
2. Business and IT Management
3. Governance, assurance, control and security professionals

Page 11

Benefits of implementing COBIT

• A better alignment of business and IT strategies
• A view, understandable to management, of what IT does
• Clear ownership and responsibilities of processes
• General acceptability with regulators and 3rd parties
• Shared understanding among all stakeholders, based on a common language
• Fulfillment of the COSO requirements for the IT control environment

Page 12

COBIT Defined IT Activities

In a general process model, IT activities fall into four domains:

1. Plan & Organize IT activities to support the business
2. Acquire & Implement IT resources and strategies
3. Deliver & Support those resources and strategies
4. Monitor & Evaluate IT resources and strategies

Page 13

4 Domains, 34 Processes

Plan & Organize
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects

Acquire & Implement
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes

Deliver & Support
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations

Monitor & Evaluate
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance

Page 14

Plan and Organize (PO)

• Are IT and the business strategy aligned?
• Is the enterprise achieving optimum use of its resources?
• Does everyone in the organization understand the IT objectives?
• Are IT risks understood and being managed?
• Is the quality of IT systems appropriate for business needs?

Page 15

Acquire and Implement (AI)

• Are new projects likely to deliver solutions that meet business needs?

• Are new projects likely to be delivered on time and within budget?

• Will the new systems work properly when implemented?

• Will changes be made without upsetting current business operations?

Page 16

Deliver and Support (DS)

• Are IT services being delivered in line with business priorities?
• Are IT costs optimized?
• Is the workforce able to use the IT systems productively and safely?
• Are adequate confidentiality, integrity and availability in place?

Page 17

Monitor and Evaluate (ME)

• Is IT's performance measured to detect problems before it is too late?

• Does management ensure that internal controls are effective and efficient?

• Can IT performance be linked back to business goals?

• Are risk, control, compliance and performance measured and reported?

Page 18

The COBIT Framework

Section #1: High-Level Control Objective

Control over the IT process of "Define a Strategic IT Plan"

that satisfies the business requirement for IT of sustaining or extending the business strategy and governance requirements while being transparent about benefits, costs and risks

by focusing on incorporating IT and business management in the translation of business requirements into service offerings, and the development of strategies to deliver these services in a transparent and effective manner

is achieved by
• Engaging with business and senior management in aligning IT strategic planning with current and future business needs
• Understanding current IT capabilities
• Providing for a prioritization scheme for the business objectives that quantifies the business requirements

and is measured by
• Percent of IT objectives in the IT strategic plan that support the strategic business plan
• Percent of IT projects in the IT project portfolio that can be directly traced back to the IT tactical plan
• Delay between updates of the IT strategic plan and updates of IT tactical plans

Page 19

The COBIT Framework

Section #2: Detailed Control Objectives

PO1 Define a Strategic IT Plan

PO1.1 IT Value Management
Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programs that have solid business cases. Recognize that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programs and early warning of any deviations from plan, including cost, schedule or functionality, that might impact the expected outcomes of the programs. IT services should be executed against equitable and enforceable service level agreements. Accountability for achieving the benefits and controlling the costs is clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases including financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits.

PO1.2 Business-IT Alignment
Educate executives on current technology capabilities and future directions, the opportunities that IT provides, and what the business has to do to capitalize on those opportunities. Make sure the business direction to which IT is aligned is understood. The business and IT strategies should be integrated, clearly linking enterprise goals and IT goals and recognizing opportunities as well as current capability limitations, and broadly communicated. Identify where the business (strategy) is critically dependent on IT and mediate between imperatives of the business and the technology, so agreed priorities can be established.

PO1.3 Assessment of Current Performance
Assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.

PO1.4 IT Strategic Plan
Create a strategic plan that defines, in co-operation with the relevant stakeholders, how IT will contribute to the enterprise's strategic objectives (goals) and related costs and risks. It includes how IT will support IT-enabled investment programs and operational service delivery. It defines how the objectives will be met and measured and will receive formal sign-off from the stakeholders. The IT strategic plan should cover investment/operational budget, funding sources, sourcing strategy, acquisition strategy, and legal and regulatory requirements. The strategic plan should be sufficiently detailed to allow the definition of tactical IT plans.

Page 20

The COBIT Framework

Section #3: Management Guidelines

• Process inputs are what the process owner needs from others

• Outputs are what the process owner must deliver

Page 21

The COBIT Framework

Section #3: Management Guidelines

• RACI Chart defines who is Responsible, Accountable, Consulted, and/or Informed

Page 22

The COBIT Framework

Section #3: Management Guidelines

• Goals and Metrics show what should be measured and how

Page 23

The COBIT Framework

Section #4: Maturity Model

Each process is rated on a 0 to 5 scale. These ratings provide:

• A relative measure of where the enterprise is
• A manner to efficiently decide what needs to be done
• A tool to measure progress
